Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.4.148 2018-02-28T09:17:23Z 2018-02-28T09:17:23Z Eric Biggers ebiggers@google.com 2018-02-26T18:56:45Z urn:sha1:bf5a6a7256834ad88104d3a99cc935c9ac49b527 When commit 4be5a2810489 ("binder: check for binder_thread allocation failure in binder_poll()") was applied to 4.4-stable and 4.9-stable it was forgotten to release the global binder lock in the new error path. The global binder lock wasn't removed until v4.14, by commit a60b890f607d ("binder: remove global binder lock"). Fix the new error path to release the lock. Reported-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-02-25T10:03:38Z Eric Biggers ebiggers@google.com 2018-01-31T07:11:24Z urn:sha1:83c76f2c50f197d1d827ec057f064bcaf13d22d1 commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream. If the kzalloc() in binder_get_thread() fails, binder_poll() dereferences the resulting NULL pointer. Fix it by returning POLLERR if the memory allocation failed. This bug was found by syzkaller using fault injection. Reported-by: syzbot <syzkaller@googlegroups.com> Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-30T08:19:26Z Martijn Coenen maco@android.com 2017-07-28T11:56:08Z urn:sha1:9dac44d5d4b0a7fffe04ad505e0a082e900ad767 commit b2a6d1b999a4c13e5997bb864694e77172d45250 upstream. Commit c4ea41ba195d ("binder: use group leader instead of open thread")' was incomplete and didn't update a check in binder_mmap(), causing all mmap() calls into the binder driver to fail. Signed-off-by: Martijn Coenen <maco@android.com> Tested-by: John Stultz <john.stultz@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-30T08:19:26Z Riley Andrews riandrews@google.com 2017-06-29T19:01:37Z urn:sha1:1792d6c17cb282fd8e5cd197a8b33cb78484eb6a commit 00b40d613352c623aaae88a44e5ded7c912909d7 upstream. Use wake_up_interruptible_sync() to hint to the scheduler binder transactions are synchronous wakeups. Disable preemption while waking to avoid ping-ponging on the binder lock. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Omprakash Dhyade <odhyade@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-30T08:19:26Z Todd Kjos tkjos@android.com 2017-06-29T19:01:36Z urn:sha1:596b97ec2e5e24c966b9cb4aa9a9766e53ecdd43 commit c4ea41ba195d01c9af66fb28711a16cc97caa9c5 upstream. The binder allocator assumes that the thread that called binder_open will never die for the lifetime of that proc. That thread is normally the group_leader, however it may not be. Use the group_leader instead of current. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-11-10T15:36:33Z Arve Hjønnevåg arve@android.com 2016-10-24T13:20:30Z urn:sha1:8910c33882536ba00efc0768748e0846b40addcc commit 4afb604e2d14d429ac9e1fd84b952602853b2df5 upstream. Prevents leaking pointers between processes Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Martijn Coenen <maco@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-11-10T15:36:33Z Arve Hjønnevåg arve@android.com 2016-10-24T13:20:29Z urn:sha1:14f09e8e7cd8c9b94a29c8373b3ff983a3ad3722 commit 0a3ffab93fe52530602fe47cd74802cffdb19c05 upstream. Prevent using a binder_ref with only weak references where a strong reference is required. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Martijn Coenen <maco@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-03-03T23:07:10Z Lisa Du cldu@marvell.com 2016-02-17T01:32:52Z urn:sha1:3e908446627523e106c1edc7cf6fe7706924d6d3 commit 7a64cd887fdb97f074c3fda03bee0bfb9faceac3 upstream. There's one point was missed in the patch commit da49889deb34 ("staging: binder: Support concurrent 32 bit and 64 bit processes."). When configure BINDER_IPC_32BIT, the size of binder_uintptr_t was 32bits, but size of void * is 64bit on 64bit system. Correct it here. Signed-off-by: Lisa Du <cldu@marvell.com> Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> Fixes: da49889deb34 ("staging: binder: Support concurrent 32 bit and 64 bit processes.") Acked-by: Olof Johansson <olof@lixom.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-09-10T20:29:01Z Kirill A. Shutemov kirill.shutemov@linux.intel.com 2015-09-09T22:39:26Z urn:sha1:7cbea8dc0127a95226c7722a738ac6534950ef67 With two exceptions (drm/qxl and drm/radeon) all vm_operations_struct structs should be constant. Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Minchan Kim <minchan@kernel.org> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-03-02T02:43:51Z Andrey Ryabinin a.ryabinin@samsung.com 2015-02-27T17:44:21Z urn:sha1:f4c72c70308897bd26f2918979d06b429916fd0e binder_update_page_range() initializes only addr and size fields in 'struct vm_struct tmp_area;' and passes it to map_vm_area(). Before 71394fe50146 ("mm: vmalloc: add flag preventing guard hole allocation") this was because map_vm_area() didn't use any other fields in vm_struct except addr and size. Now get_vm_area_size() (used in map_vm_area()) reads vm_struct's flags to determine whether vm area has guard hole or not. binder_update_page_range() don't initialize flags field, so this causes following binder mmap failures: -----------[ cut here ]------------ WARNING: CPU: 0 PID: 1971 at mm/vmalloc.c:130 vmap_page_range_noflush+0x119/0x144() CPU: 0 PID: 1971 Comm: healthd Not tainted 4.0.0-rc1-00399-g7da3fdc-dirty #157 Hardware name: ARM-Versatile Express [<c001246d>] (unwind_backtrace) from [<c000f7f9>] (show_stack+0x11/0x14) [<c000f7f9>] (show_stack) from [<c049a221>] (dump_stack+0x59/0x7c) [<c049a221>] (dump_stack) from [<c001cf21>] (warn_slowpath_common+0x55/0x84) [<c001cf21>] (warn_slowpath_common) from [<c001cfe3>] (warn_slowpath_null+0x17/0x1c) [<c001cfe3>] (warn_slowpath_null) from [<c00c66c5>] (vmap_page_range_noflush+0x119/0x144) [<c00c66c5>] (vmap_page_range_noflush) from [<c00c716b>] (map_vm_area+0x27/0x48) [<c00c716b>] (map_vm_area) from [<c038ddaf>] (binder_update_page_range+0x12f/0x27c) [<c038ddaf>] (binder_update_page_range) from [<c038e857>] (binder_mmap+0xbf/0x1ac) [<c038e857>] (binder_mmap) from [<c00c2dc7>] (mmap_region+0x2eb/0x4d4) [<c00c2dc7>] (mmap_region) from [<c00c3197>] (do_mmap_pgoff+0x1e7/0x250) [<c00c3197>] (do_mmap_pgoff) from [<c00b35b5>] (vm_mmap_pgoff+0x45/0x60) [<c00b35b5>] (vm_mmap_pgoff) from [<c00c1f39>] (SyS_mmap_pgoff+0x5d/0x80) [<c00c1f39>] (SyS_mmap_pgoff) from [<c000ce81>] (ret_fast_syscall+0x1/0x5c) ---[ end trace 48c2c4b9a1349e54 ]--- binder: 1982: binder_alloc_buf failed to map page at f0e00000 in kernel binder: binder_mmap: 1982 b6bde000-b6cdc000 alloc small buf failed -12 Use map_kernel_range_noflush() instead of map_vm_area() as this is better API for binder's purposes and it allows to get rid of 'vm_struct tmp_area' at all. Fixes: 71394fe50146 ("mm: vmalloc: add flag preventing guard hole allocation") Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com> Reported-by: Amit Pundir <amit.pundir@linaro.org> Tested-by: Amit Pundir <amit.pundir@linaro.org> Acked-by: David Rientjes <rientjes@google.com> Tested-by: John Stultz <john.stultz@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>