binder: back port changes from kernel 4.19 [1/3]
PD#SWPL-8572
Problems:
based on android platfrom, each process may allocate 1MB vmalloc
memory space for IPC. But most process don't use full memory
range of vmalloc space. It's a waste of memory space and may
cause driver can't work normal based on 32bit kernel
Soluton:
On kernel 4.19, google have fixed it, so we need back porting
following changes:
Squashed commit of the following:
commit
b12a56e5342e15e99b0fb07c67dfce0891ba2f6b
Author: Todd Kjos <tkjos@google.com>
Date: Tue Mar 19 09:53:01 2019 -0700
FROMGIT: binder: fix BUG_ON found by selinux-testsuite
The selinux-testsuite found an issue resulting in a BUG_ON()
where a conditional relied on a size_t going negative when
checking the validity of a buffer offset.
(cherry picked from commit
5997da82145bb7c9a56d834894cb81f81f219344
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-linus)
Bug:
67668716
Change-Id: Ib3b408717141deadddcb6b95ad98c0b97d9d98ea
Fixes:
7a67a39320df ("binder: add function to copy binder object from buffer")
Reported-by: Paul Moore <paul@paul-moore.com>
Tested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
commit
5b28e504d93a5f1efc074dd7cdcadc07293bb783
Author: Todd Kjos <tkjos@android.com>
Date: Thu Feb 14 15:22:57 2019 -0800
UPSTREAM: binder: fix handling of misaligned binder object
Fixes crash found by syzbot:
kernel BUG at drivers/android/binder_alloc.c:LINE! (2)
(cherry pick from commit
26528be6720bb40bc8844e97ee73a37e530e9c5e)
Bug:
67668716
Reported-and-tested-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ib8597dd05a158f78503d4affe6c5f46ded16a811
commit
e110c3b44e437bad09f76c2b42f23dcad898f57d
Author: Todd Kjos <tkjos@android.com>
Date: Wed Feb 13 11:48:53 2019 -0800
UPSTREAM: binder: fix sparse issue in binder_alloc_selftest.c
Fixes sparse issues reported by the kbuild test robot running
on https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-testing:
bde4a19fc04f5 ("binder: use userspace pointer as base
of buffer space")
Error output (drivers/android/binder_alloc_selftest.c):
sparse: warning: incorrect type in assignment (different address spaces)
sparse: expected void *page_addr
sparse: got void [noderef] <asn:1> *user_data
sparse: error: subtraction of different types can't work
Fixed by adding necessary "__user" tags.
(cherry pick from commit
36f30937922ce75390c73f99e650e4f2eb56b0e6)
Bug:
67668716
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ia0a16d163251381d4bc04f46a44dddbc18b10a85
commit
9f6fd7733286f1af04d153c9d3a050ca2615b3cc
Author: Todd Kjos <tkjos@android.com>
Date: Fri Feb 8 10:35:20 2019 -0800
BACKPORT: binder: use userspace pointer as base of buffer space
Now that alloc->buffer points to the userspace vm_area
rename buffer->data to buffer->user_data and rename
local pointers that hold user addresses. Also use the
"__user" tag to annotate all user pointers so sparse
can flag cases where user pointer vaues are copied to
kernel pointers. Refactor code to use offsets instead
of user pointers.
(cherry pick from commit
bde4a19fc04f5f46298c86b1acb7a4af1d5f138d)
Bug:
67668716
Change-Id: I9d04b844c5994d1f6214da795799e6b373bc9816
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit
194d8606b011657ce30bf0c240a5adcad0691201
Author: Todd Kjos <tkjos@android.com>
Date: Wed Dec 5 15:19:25 2018 -0800
UPSTREAM: binder: fix kerneldoc header for struct binder_buffer
Fix the incomplete kerneldoc header for struct binder_buffer.
(cherry pick from commit
7a2670a5bc917e4e7c9be5274efc004f9bd1216a)
Bug:
67668716
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I6bb942e6a9466b02653349943524462f205af839
commit
55cb58623a60d48678d8eb74e1cabe7744ed62c2
Author: Todd Kjos <tkjos@android.com>
Date: Fri Feb 8 10:35:19 2019 -0800
BACKPORT: binder: remove user_buffer_offset
Remove user_buffer_offset since there is no kernel
buffer pointer anymore.
(cherry pick from commit
c41358a5f5217abd7c051e8d42397e5b80f3b3ed)
Bug:
67668716
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I399219867704dc5013453a7738193c742fc970ad
commit
3301f77efa9d99e742e5642243b891e014becf17
Author: Todd Kjos <tkjos@android.com>
Date: Fri Feb 8 10:35:18 2019 -0800
UPSTREAM: binder: remove kernel vm_area for buffer space
Remove the kernel's vm_area and the code that maps
buffer pages into it.
(cherry pick from commit
880211667b203dd32724f3be224c44c0400aa0a6)
Bug:
67668716
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I2595bb8416c2bbfcf97ad3d7380ae94e29c209fb
commit
628c27a60665f15984364f6c0a1bda03473b3a78
Author: Todd Kjos <tkjos@android.com>
Date: Fri Feb 8 10:35:17 2019 -0800
UPSTREAM: binder: avoid kernel vm_area for buffer fixups
Refactor the functions to validate and fixup struct
binder_buffer pointer objects to avoid using vm_area
pointers. Instead copy to/from kernel space using
binder_alloc_copy_to_buffer() and
binder_alloc_copy_from_buffer(). The following
functions were refactored:
refactor binder_validate_ptr()
binder_validate_fixup()
binder_fixup_parent()
(cherry pick from commit
db6b0b810bf945d1991917ffce0e93383101f2fa)
Bug:
67668716
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ic222af9b6c56bf48fd0b65debe981d19a7809e77
commit
ed39057090cc4a95c318bafcd97f418da56e3867
Author: Todd Kjos <tkjos@android.com>
Date: Fri Feb 8 10:35:16 2019 -0800
BACKPORT: binder: add function to copy binder object from buffer
When creating or tearing down a transaction, the binder driver
examines objects in the buffer and takes appropriate action.
To do this without needing to dereference pointers into the
buffer, the local copies of the objects are needed. This patch
introduces a function to validate and copy binder objects
from the buffer to a local structure.
(cherry pick from commit
7a67a39320dfba4b36d3be5dae4581194e650316)
Bug:
67668716
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I42dfe238a2d20bdeff479068ca87a80e4577e64a
commit
01f8f48c56b53faf1c795112f451a032a0d00b75
Author: Todd Kjos <tkjos@android.com>
Date: Fri Feb 8 10:35:15 2019 -0800
BACKPORT: binder: add functions to copy to/from binder buffers
Avoid vm_area when copying to or from binder buffers.
Instead, new copy functions are added that copy from
kernel space to binder buffer space. These use
kmap_atomic() and kunmap_atomic() to create temporary
mappings and then memcpy() is used to copy within
that page.
Also, kmap_atomic() / kunmap_atomic() use the appropriate
cache flushing to support VIVT cache architectures.
Allow binder to build if CPU_CACHE_VIVT is defined.
Several uses of the new functions are added here. More
to follow in subsequent patches.
(cherry picked from commit
8ced0c6231ead26eca8cb416dcb7cc1c2cdd41d8)
Bug:
67668716
Change-Id: I6a93d2396d0a80c352a1d563fc7fb523a753e38c
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit
bfc28d4c046d2a1aea5db66508e7fbb65a31a4a9
Author: Todd Kjos <tkjos@android.com>
Date: Fri Feb 8 10:35:14 2019 -0800
UPSTREAM: binder: create userspace-to-binder-buffer copy function
The binder driver uses a vm_area to map the per-process
binder buffer space. For 32-bit android devices, this is
now taking too much vmalloc space. This patch removes
the use of vm_area when copying the transaction data
from the sender to the buffer space. Instead of using
copy_from_user() for multi-page copies, it now uses
binder_alloc_copy_user_to_buffer() which uses kmap()
and kunmap() to map each page, and uses copy_from_user()
for copying to that page.
(cherry picked from
1a7c3d9bb7a926e88d5f57643e75ad1abfc55013)
Bug:
67668716
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I59ff83455984fce4626476e30601ed8b99858a92
commit
89a1a65d35200d8ca94c865f061f11af41a8ced7
Author: Todd Kjos <tkjos@android.com>
Date: Mon Jan 14 09:10:21 2019 -0800
FROMGIT: binder: create node flag to request sender's security context
To allow servers to verify client identity, allow a node
flag to be set that causes the sender's security context
to be delivered with the transaction. The BR_TRANSACTION
command is extended in BR_TRANSACTION_SEC_CTX to
contain a pointer to the security context string.
Signed-off-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
ec74136ded792deed80780a2f8baf3521eeb72f9
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
master)
Change-Id: I44496546e2d0dc0022f818a45cd52feb1c1a92cb
Signed-off-by: Todd Kjos <tkjos@google.com>
commit
4afd6d2498ecd54e4211c6e47d8956a686a52ee3
Author: Todd Kjos <tkjos@android.com>
Date: Wed Dec 5 15:19:26 2018 -0800
UPSTREAM: binder: filter out nodes when showing binder procs
When dumping out binder transactions via a debug node,
the output is too verbose if a process has many nodes.
Change the output for transaction dumps to only display
nodes with pending async transactions.
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
ecd589d8f5661dd3a9545079a29b678cd9e3ecf3)
Bug:
112037142
Change-Id: Iaa76ebdc844037ce1ee3bf2e590676790a959cef
commit
72e3c1d60a499bfa547d962a150082f47bfb16af
Author: Todd Kjos <tkjos@android.com>
Date: Tue Nov 6 15:55:32 2018 -0800
binder: fix race that allows malicious free of live buffer
commit
7bada55ab50697861eee6bb7d60b41e68a961a9c upstream.
Malicious code can attempt to free buffers using the BC_FREE_BUFFER
ioctl to binder. There are protections against a user freeing a buffer
while in use by the kernel, however there was a window where
BC_FREE_BUFFER could be used to free a recently allocated buffer that
was not completely initialized. This resulted in a use-after-free
detected by KASAN with a malicious test program.
This window is closed by setting the buffer's allow_user_free attribute
to 0 when the buffer is allocated or when the user has previously freed
it instead of waiting for the caller to set it. The problem was that
when the struct buffer was recycled, allow_user_free was stale and set
to 1 allowing a free to go through.
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit
c7940ee7e55f4caec80ab646b7f9d495ee2677c6
Author: Martijn Coenen <maco@android.com>
Date: Sat Aug 25 13:50:56 2018 -0700
UPSTREAM: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl.
This allows the context manager to retrieve information about nodes
that it holds a reference to, such as the current number of
references to those nodes.
Such information can for example be used to determine whether the
servicemanager is the only process holding a reference to a node.
This information can then be passed on to the process holding the
node, which can in turn decide whether it wants to shut down to
reduce resource usage.
Bug:
79983843
Change-Id: I21e52ed1ca2137f7bfdc0300365fb1285b7e3d70
Signed-off-by: Martijn Coenen <maco@android.com>
commit
afd02b5ead68a94eb6bf1bf5234271687d7eb461
Author: Minchan Kim <minchan@kernel.org>
Date: Thu Aug 23 14:29:56 2018 +0900
android: binder: fix the race mmap and alloc_new_buf_locked
There is RaceFuzzer report like below because we have no lock to close
below the race between binder_mmap and binder_alloc_new_buf_locked.
To close the race, let's use memory barrier so that if someone see
alloc->vma is not NULL, alloc->vma_vm_mm should be never NULL.
(I didn't add stable mark intentionallybecause standard android
userspace libraries that interact with binder (libbinder & libhwbinder)
prevent the mmap/ioctl race. - from Todd)
"
Thread interleaving:
CPU0 (binder_alloc_mmap_handler) CPU1 (binder_alloc_new_buf_locked)
===== =====
// drivers/android/binder_alloc.c
// #L718 (v4.18-rc3)
alloc->vma = vma;
// drivers/android/binder_alloc.c
// #L346 (v4.18-rc3)
if (alloc->vma == NULL) {
...
// alloc->vma is not NULL at this point
return ERR_PTR(-ESRCH);
}
...
// #L438
binder_update_page_range(alloc, 0,
(void *)PAGE_ALIGN((uintptr_t)buffer->data),
end_page_addr);
// In binder_update_page_range() #L218
// But still alloc->vma_vm_mm is NULL here
if (need_mm && mmget_not_zero(alloc->vma_vm_mm))
alloc->vma_vm_mm = vma->vm_mm;
Crash Log:
==================================================================
BUG: KASAN: null-ptr-deref in __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:533 [inline]
BUG: KASAN: null-ptr-deref in mmget_not_zero include/linux/sched/mm.h:75 [inline]
BUG: KASAN: null-ptr-deref in binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
Write of size 4 at addr
0000000000000058 by task syz-executor0/11184
CPU: 1 PID: 11184 Comm: syz-executor0 Not tainted 4.18.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x16e/0x22c lib/dump_stack.c:113
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report+0x163/0x380 mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x140/0x1a0 mm/kasan/kasan.c:267
kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
__atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
atomic_add_unless include/linux/atomic.h:533 [inline]
mmget_not_zero include/linux/sched/mm.h:75 [inline]
binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
binder_alloc_new_buf_locked drivers/android/binder_alloc.c:443 [inline]
binder_alloc_new_buf+0x467/0xc30 drivers/android/binder_alloc.c:513
binder_transaction+0x125b/0x4fb0 drivers/android/binder.c:2957
binder_thread_write+0xc08/0x2770 drivers/android/binder.c:3528
binder_ioctl_write_read.isra.39+0x24f/0x8e0 drivers/android/binder.c:4456
binder_ioctl+0xa86/0xf34 drivers/android/binder.c:4596
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x154/0xd40 fs/ioctl.c:686
ksys_ioctl+0x94/0xb0 fs/ioctl.c:701
__do_sys_ioctl fs/ioctl.c:708 [inline]
__se_sys_ioctl fs/ioctl.c:706 [inline]
__x64_sys_ioctl+0x43/0x50 fs/ioctl.c:706
do_syscall_64+0x167/0x4b0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
"
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Reviewed-by: Martijn Coenen <maco@android.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit
3ed5fd0f095e9d6fe5f33f909165a8cd596e8b46
Author: Sherry Yang <sherryy@android.com>
Date: Tue Aug 7 12:57:13 2018 -0700
android: binder: Rate-limit debug and userspace triggered err msgs
Use rate-limited debug messages where userspace can trigger
excessive log spams.
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Sherry Yang <sherryy@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit
8129fb3ee7af23a888383aa23647c9d576ecdfef
Author: Sherry Yang <sherryy@android.com>
Date: Thu Jul 26 17:17:17 2018 -0700
android: binder: Show extra_buffers_size in trace
Add extra_buffers_size to the binder_transaction_alloc_buf tracepoint.
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Sherry Yang <sherryy@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit
3b0bbcb65457ddec6fbee72bb26002e2bba16089
Author: Guenter Roeck <linux@roeck-us.net>
Date: Mon Jul 23 14:41:38 2018 -0700
android: binder: Include asm/cacheflush.h after linux/ include files
If asm/cacheflush.h is included first, the following build warnings are
seen with sparc32 builds.
In file included from arch/sparc/include/asm/cacheflush.h:11:0,
from drivers/android/binder.c:54:
arch/sparc/include/asm/cacheflush_32.h:40:37: warning:
'struct page' declared inside parameter list will not be visible
outside of this definition or declaration
Moving the asm/ include after linux/ includes solves the problem.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit
e8a4948f49629c6ab122339f46908884d55ca7e9
Author: Guenter Roeck <linux@roeck-us.net>
Date: Mon Jul 23 14:47:23 2018 -0700
android: binder_alloc: Include asm/cacheflush.h after linux/ include files
If asm/cacheflush.h is included first, the following build warnings are
seen with sparc32 builds.
In file included from ./arch/sparc/include/asm/cacheflush.h:11:0,
from drivers/android/binder_alloc.c:20:
./arch/sparc/include/asm/cacheflush_32.h:40:37: warning:
'struct page' declared inside parameter list
Moving the asm/ include after linux/ includes fixes the problem.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit
8cae6730ef318700ab3a0db3ef43ee6a5e5856c8
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date: Wed Jun 6 14:40:56 2018 +0200
android: binder: Drop dependency on !M68K
As of commit
7124330dabe5b3cb ("m68k/uaccess: Revive 64-bit
get_user()"), the 64-bit Android binder interface builds fine on m68k.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
verify:
p212
Change-Id: I1bac2c5345bcac64a3890f1688c1ecc4a3654a79
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>