Add support for vendor hooks. Adds include/trace/hooks
directory for trace definition headers where hooks
can be defined and vendor_hook.c for instantiating
and exporting them for vendor modules.
There are two variants of vendor hooks, both based
on tracepoints:
Normal: this uses the DECLARE_HOOK macro
to create a tracepoint function with the name trace_<name>
where <name> is the unique identifier for the trace.
Restricted: restricted hooks are needed for cases like
scheduler hooks where the attached function must be
called even if the cpu is offline or requires a
non-atomic context. Restricted vendor hooks cannot
be detached, so modules that attach to a restricted
hook can never unload. Also, only 1 attachment is
allowed (any other attempts to attach will fail with
-EBUSY).
For either case, modules attach to the hook by using
register_trace_<name>(func_ptr, NULL).
New hooks should be defined in headers in the
include/trace/hooks/ directory using the
DECLARE_HOOK() or DECLARE_RESTRICTED_HOOK()
macros.
New files added to include/trace/hooks should
be #include'd from drivers/android/vendor_hooks.c.
The EXPORT_TRACEPOINT_SYMBOL_GPL() should be
also added to drivers/android/vendor_hooks.c.
For example, if a new hook, 'android_vh_foo(int &ret)'
is added in do_exit() in exit.c, these changes are
needed:
1. create a new header file include/trace/hooks/foo.h
which contains:
#include <trace/hooks/vendor_hooks.h>
...
DECLARE_HOOK(android_vh_foo,
TP_PROTO(int *retp),
TP_ARGS(retp));
2. in exit.c, add
#include <trace/hooks/foo.h>
...
int ret = 0;
...
android_vh_foo(&ret);
if (ret)
return ret;
...
3. in drivers/android/vendor_hooks.c, add
#include <trace/hooks/foo.h>
...
EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_foo);
The hook can then be attached by adding the registration code
to the module:
#include <trace/hooks/foo.h>
...
static void my_foo(int *retp)
{
*retp = 0;
}
...
rc = register_trace_android_vh_foo(my_foo, NULL);
Bug: 156285741
Bug: 149632552
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I6a7d1c8919dae91c965e2a0450df50eac2d282db
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
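The attach semantics the commit message describes (a normal hook takes several attachments and can be detached, a restricted hook takes exactly one and refuses further attachments with -EBUSY, and the call site bails out when the callback sets its return argument) can be exercised outside the kernel with a small userspace model. The following is an added example, not code from the android common kernel or from this commit: the vh_normal_* and vh_restricted_* names, the struct layouts, the callback signature and the model_do_exit() stand-in for the do_exit() call site are all assumptions chosen for the model and are not kernel identifiers.

```c
/* Userspace model of the two vendor-hook variants. Added example; the
 * names and layouts here are assumptions for illustration, not the
 * kernel's tracepoint implementation. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define VH_MAX_ATTACH 4

/* Callback shape used by the model: the hook's argument plus the
 * opaque data pointer passed at registration (NULL in the commit). */
typedef void (*vh_fn)(int *retp, void *data);

/* Normal hook: several attachments, attach and detach both allowed. */
struct vh_normal {
    vh_fn fns[VH_MAX_ATTACH];
    void *datas[VH_MAX_ATTACH];
    int n;
};

/* Restricted hook: one attachment, never detached. */
struct vh_restricted {
    vh_fn fn;
    void *data;
};

int vh_normal_register(struct vh_normal *h, vh_fn fn, void *data)
{
    if (!fn)
        return -EINVAL;
    if (h->n >= VH_MAX_ATTACH)
        return -ENOMEM;
    h->fns[h->n] = fn;
    h->datas[h->n] = data;
    h->n++;
    return 0;
}

int vh_normal_unregister(struct vh_normal *h, vh_fn fn)
{
    for (int i = 0; i < h->n; i++) {
        if (h->fns[i] != fn)
            continue;
        /* Close the gap so call order of the remaining callbacks is kept. */
        memmove(&h->fns[i], &h->fns[i + 1], (size_t)(h->n - i - 1) * sizeof(h->fns[0]));
        memmove(&h->datas[i], &h->datas[i + 1], (size_t)(h->n - i - 1) * sizeof(h->datas[0]));
        h->n--;
        return 0;
    }
    return -ENOENT;
}

void vh_normal_call(struct vh_normal *h, int *retp)
{
    for (int i = 0; i < h->n; i++)
        h->fns[i](retp, h->datas[i]);
}

int vh_restricted_register(struct vh_restricted *h, vh_fn fn, void *data)
{
    if (!fn)
        return -EINVAL;
    if (h->fn)
        return -EBUSY;  /* only one attachment is allowed */
    h->fn = fn;
    h->data = data;
    return 0;
}

/* There is deliberately no vh_restricted_unregister(): a module that
 * attached to a restricted hook cannot be unloaded. */

void vh_restricted_call(struct vh_restricted *h, int *retp)
{
    if (h->fn)
        h->fn(retp, h->data);
}

/* Constructed vendor callbacks: one vetoes the operation, one leaves it alone. */
static void veto_exit(int *retp, void *data) { (void)data; *retp = -EPERM; }
static void allow_exit(int *retp, void *data) { (void)data; (void)retp; }

/* Model of the do_exit() call site from the commit message: the hook may
 * set ret, and the caller returns early if it did. */
int model_do_exit(struct vh_normal *h)
{
    int ret = 0;

    vh_normal_call(h, &ret);
    if (ret)
        return ret;
    return 0;  /* normal exit path continues */
}
```

The model keeps the contract visible at the call site: whoever adds a hook must decide what a non-zero ret means and whether a vendor callback is allowed to change control flow there, since every attached module sees the same pointer and the last writer wins.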
Changes in 5.4.50
block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed
enetc: Fix tx rings bitmap iteration range, irq handling
geneve: allow changing DF behavior after creation
ibmveth: Fix max MTU limit
mld: fix memory leak in ipv6_mc_destroy_dev()
mvpp2: ethtool rxtx stats fix
net: bridge: enfore alignment for ethernet address
net: core: reduce recursion limit value
net: Do not clear the sock TX queue in sk_set_socket()
net: fix memleak in register_netdevice()
net: Fix the arp error in some cases
net: increment xmit_recursion level in dev_direct_xmit()
net: usb: ax88179_178a: fix packet alignment padding
openvswitch: take into account de-fragmentation/gso_size in execute_check_pkt_len
rocker: fix incorrect error handling in dma_rings_init
rxrpc: Fix notification call on completion of discarded calls
sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
tcp: don't ignore ECN CWR on pure ACK
tcp: grow window for OOO packets only for SACK flows
tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes
ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()
net: phy: Check harder for errors in get_phy_id()
ip_tunnel: fix use-after-free in ip_tunnel_lookup()
sch_cake: don't try to reallocate or unshare skb unconditionally
sch_cake: don't call diffserv parsing code when it is not needed
sch_cake: fix a few style nits
tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
Revert "i2c: tegra: Fix suspending in active runtime PM state"
btrfs: fix a block group ref counter leak after failure to remove block group
net: sched: export __netdev_watchdog_up()
fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()"
ALSA: usb-audio: Fix potential use-after-free of streams
binder: fix null deref of proc->context
USB: ohci-sm501: Add missed iounmap() in remove
usb: dwc2: Postponed gadget registration to the udc class driver
usb: add USB_QUIRK_DELAY_INIT for Logitech C922
USB: ehci: reopen solution for Synopsys HC bug
usb: host: xhci-mtk: avoid runtime suspend when removing hcd
xhci: Poll for U0 after disabling USB2 LPM
usb: host: ehci-exynos: Fix error check in exynos_ehci_probe()
usb: typec: tcpci_rt1711h: avoid screaming irq causing boot hangs
ALSA: usb-audio: Add implicit feedback quirk for SSL2+.
ALSA: usb-audio: add quirk for Denon DCD-1500RE
ALSA: usb-audio: add quirk for Samsung USBC Headset (AKG)
ALSA: usb-audio: Fix OOB access of mixer element list
usb: cdns3: trace: using correct dir value
usb: cdns3: ep0: fix the test mode set incorrectly
usb: cdns3: ep0: add spinlock for cdns3_check_new_setup
scsi: qla2xxx: Keep initiator ports after RSCN
scsi: zfcp: Fix panic on ERP timeout for previously dismissed ERP action
cifs: Fix cached_fid refcnt leak in open_shroot
cifs/smb3: Fix data inconsistent when punch hole
cifs/smb3: Fix data inconsistent when zero file range
xhci: Fix incorrect EP_STATE_MASK
xhci: Fix enumeration issue when setting max packet size for FS devices.
xhci: Return if xHCI doesn't support LPM
cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip
loop: replace kill_bdev with invalidate_bdev
IB/mad: Fix use after free when destroying MAD agent
IB/hfi1: Fix module use count flaw due to leftover module put calls
bus: ti-sysc: Flush posted write on enable and disable
bus: ti-sysc: Ignore clockactivity unless specified as a quirk
ARM: OMAP2+: Fix legacy mode dss_reset
xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
ASoC: q6asm: handle EOS correctly
efi/tpm: Verify event log header before parsing
efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
ASoc: q6afe: add support to get port direction
ASoC: qcom: common: set correct directions for dailinks
regualtor: pfuze100: correct sw1a/sw2 on pfuze3000
RDMA/siw: Fix pointer-to-int-cast warning in siw_rx_pbl()
ASoC: fsl_ssi: Fix bclk calculation for mono channel
samples/bpf: xdp_redirect_cpu: Set MAX_CPUS according to NR_CPUS
bpf, xdp, samples: Fix null pointer dereference in *_user code
ARM: dts: am335x-pocketbeagle: Fix mmc0 Write Protect
ARM: dts: Fix duovero smsc interrupt for suspend
x86/resctrl: Fix a NULL vs IS_ERR() static checker warning in rdt_cdp_peer_get()
regmap: Fix memory leak from regmap_register_patch
devmap: Use bpf_map_area_alloc() for allocating hash buckets
bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE
ARM: dts: NSP: Correct FA2 mailbox node
rxrpc: Fix handling of rwind from an ACK packet
RDMA/rvt: Fix potential memory leak caused by rvt_alloc_rq
RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
RDMA/cma: Protect bind_list and listen_list while finding matching cm id
ASoC: rockchip: Fix a reference count leak.
s390/qeth: fix error handling for isolation mode cmds
RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads()
selftests/net: report etf errors correctly
iommu/vt-d: Enable PCI ACS for platform opt in hint
iommu/vt-d: Update scalable mode paging structure coherency
net: qed: fix left elements count calculation
net: qed: fix async event callbacks unregistering
net: qede: stop adding events on an already destroyed workqueue
net: qed: fix NVMe login fails over VFs
net: qed: fix excessive QM ILT lines consumption
net: qede: fix PTP initialization on recovery
net: qede: fix use-after-free on recovery and AER handling
cxgb4: move handling L2T ARP failures to caller
ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
scsi: lpfc: Avoid another null dereference in lpfc_sli4_hba_unset()
usb: gadget: udc: Potential Oops in error handling code
usb: renesas_usbhs: getting residue from callback_result
nvme: don't protect ns mutation with ns->head->lock
netfilter: ipset: fix unaligned atomic access
net: bcmgenet: use hardware padding of runt frames
clk: sifive: allocate sufficient memory for struct __prci_data
i2c: fsi: Fix the port number field in status register
i2c: core: check returned size of emulated smbus block read
afs: Fix storage of cell names
sched/deadline: Initialize ->dl_boosted
sched/core: Fix PI boosting between RT and DEADLINE tasks
sata_rcar: handle pm_runtime_get_sync failure cases
ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function
drm/amd/display: Use kfree() to free rgb_user in calculate_user_regamma_ramp()
riscv/atomic: Fix sign extension for RV64I
hwrng: ks-sa - Fix runtime PM imbalance on error
ibmvnic: Harden device login requests
net: alx: fix race condition in alx_remove
test_objagg: Fix potential memory leak in error handling
pinctrl: qcom: spmi-gpio: fix warning about irq chip reusage
pinctrl: tegra: Use noirq suspend/resume callbacks
s390/ptrace: pass invalid syscall numbers to tracing
s390/ptrace: fix setting syscall number
s390/vdso: Use $(LD) instead of $(CC) to link vDSO
s390/vdso: fix vDSO clock_getres()
arm64: sve: Fix build failure when ARM64_SVE=y and SYSCTL=n
kbuild: improve cc-option to clean up all temporary files
recordmcount: support >64k sections
kprobes: Suppress the suspicious RCU warning on kprobes
blktrace: break out of blktrace setup on concurrent calls
block: update hctx map when use multiple maps
RISC-V: Don't allow write+exec only page mapping request in mmap
ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table
ALSA: hda/realtek - Add quirk for MSI GE63 laptop
ALSA: hda/realtek: Add mute LED and micmute LED support for HP systems
ACPI: sysfs: Fix pm_profile_attr type
ACPI: configfs: Disallow loading ACPI tables when locked down
erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup
KVM: X86: Fix MSR range of APIC registers in X2APIC mode
KVM: nVMX: Plumb L2 GPA through to PML emulation
KVM: VMX: Stop context switching MSR_IA32_UMWAIT_CONTROL
x86/cpu: Use pinning mask for CR4 bits needing to be 0
x86/asm/64: Align start of __clear_user() loop to 16-bytes
btrfs: fix bytes_may_use underflow when running balance and scrub in parallel
btrfs: fix data block group relocation failure due to concurrent scrub
btrfs: check if a log root exists before locking the log_mutex on unlink
btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof
mm/slab: use memzero_explicit() in kzfree()
ocfs2: avoid inode removal while nfsd is accessing it
ocfs2: load global_inode_alloc
ocfs2: fix value of OCFS2_INVALID_SLOT
ocfs2: fix panic on nfs server over ocfs2
mm/memcontrol.c: add missed css_put()
arm64: perf: Report the PC value in REGS_ABI_32 mode
arm64: dts: imx8mm-evk: correct ldo1/ldo2 voltage range
arm64: dts: imx8mn-ddr4-evk: correct ldo1/ldo2 voltage range
tracing: Fix event trigger to accept redundant spaces
ring-buffer: Zero out time extend if it is nested and not absolute
drm/amd: fix potential memleak in err branch
drm: rcar-du: Fix build error
drm/radeon: fix fb_div check in ni_init_smc_spll_table()
drm/amdgpu: add fw release for sdma v5_0
Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate()
sunrpc: fixed rollback in rpc_gssd_dummy_populate()
SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
pNFS/flexfiles: Fix list corruption if the mirror count changes
NFSv4 fix CLOSE not waiting for direct IO compeletion
xprtrdma: Fix handling of RDMA_ERROR replies
dm writecache: correct uncommitted_block when discarding uncommitted entry
dm writecache: add cond_resched to loop in persistent_memory_claim()
xfs: add agf freeblocks verify in xfs_agf_verify
Revert "tty: hvc: Fix data abort due to race in hvc_open"
Linux 5.4.50
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I68d8fdc951541cf115447bda262de0d95eafce87
commit d35d3660e0 upstream.
The binder driver makes the assumption proc->context pointer is invariant after
initialization (as documented in the kerneldoc header for struct proc).
However, in commit f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
proc->context is set to NULL during binder_deferred_release().
Another proc was in the middle of setting up a transaction to the dying
process and crashed on a NULL pointer deref on "context" which is a local
set to &proc->context:
new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
Here's the stack:
[ 5237.855435] Call trace:
[ 5237.855441] binder_get_ref_for_node_olocked+0x100/0x2ec
[ 5237.855446] binder_inc_ref_for_node+0x140/0x280
[ 5237.855451] binder_translate_binder+0x1d0/0x388
[ 5237.855456] binder_transaction+0x2228/0x3730
[ 5237.855461] binder_thread_write+0x640/0x25bc
[ 5237.855466] binder_ioctl_write_read+0xb0/0x464
[ 5237.855471] binder_ioctl+0x30c/0x96c
[ 5237.855477] do_vfs_ioctl+0x3e0/0x700
[ 5237.855482] __arm64_sys_ioctl+0x78/0xa4
[ 5237.855488] el0_svc_common+0xb4/0x194
[ 5237.855493] el0_svc_handler+0x74/0x98
[ 5237.855497] el0_svc+0x8/0xc
The fix is to move the kfree of the binder_device to binder_free_proc()
so the binder_device is freed when we know there are no references
remaining on the binder_proc.
Fixes: f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200622200715.114382-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is not intended for merging. This patch
contains an example of adding a restricted vendor
hook to the kernel.
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: Ia2534ff6cfd57916cc179e1b45497280c72289ee
This is not intended for merging. This patch
contains an example of adding a vendor hook
to the kernel.
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I90ff9469ffe2c95f50caa72571d8e31efd088f81
Add support for vendor hooks. Adds include/trace/hooks
directory for trace definition headers where hooks
can be defined and vendor_hook.c for instantiating
and exporting them for vendor modules.
There are two variants of vendor hooks, both based
on tracepoints:
Normal: this uses the standard tracepoint DECLARE_TRACE
to create a tracepoint function with the name trace_<name>
where <name> is the unique identifier for the trace.
Restricted: restricted hooks are needed for cases like
scheduler hooks where the attached function must be
called even if the cpu is offline or requires a
non-atomic context. Restricted vendor hooks cannot
be detached, so modules that attach to a restricted
hook can never unload. Also, only 1 attachment is
allowed (any other attempts to attach will fail with
-EBUSY).
For either case, modules attach to the hook by using
register_trace_<name>(func_ptr, NULL).
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I6a7d1c8919dae91c965e2a0450df50eac2d282db
This reverts commit aefd2d632e.
This patch introduced a race condition reported by Pete Zhang
<pete.zhang@nxp.com> where a thread already selected to handle a
transaction could be selected again by a different client. The signature
was triggering of the WARN_ON() in binder_enqueue_thread_work_ilocked():
static void
binder_enqueue_thread_work_ilocked(...)
{
WARN_ON(!list_empty(&thread->waiting_thread_node));
...
}
which indicates that a thread is unexpectedly enqueued
as a waiting thread when it has been selected and work is
being assigned to it.
There was a 2nd issue introduced by the same patch that could,
at least in theory, cause async transactions to hang.
Bug: 151861772
Change-Id: I0c2bdb4c4a0d57caae1551bcbb4c31a8e09e024b
Signed-off-by: Todd Kjos <tkjos@google.com>
Changes in 5.4.28
locks: fix a potential use-after-free problem when wakeup a waiter
locks: reinstate locks_delete_block optimization
spi: spi-omap2-mcspi: Support probe deferral for DMA channels
drm/mediatek: Find the cursor plane instead of hard coding it
phy: ti: gmii-sel: fix set of copy-paste errors
phy: ti: gmii-sel: do not fail in case of gmii
ARM: dts: dra7-l4: mark timer13-16 as pwm capable
spi: qup: call spi_qup_pm_resume_runtime before suspending
powerpc: Include .BTF section
cifs: fix potential mismatch of UNC paths
cifs: add missing mount option to /proc/mounts
ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes
spi: pxa2xx: Add CS control clock quirk
spi/zynqmp: remove entry that causes a cs glitch
drm/exynos: dsi: propagate error value and silence meaningless warning
drm/exynos: dsi: fix workaround for the legacy clock name
drm/exynos: hdmi: don't leak enable HDMI_EN regulator if probe fails
drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
altera-stapl: altera_get_note: prevent write beyond end of 'key'
dm bio record: save/restore bi_end_io and bi_integrity
dm integrity: use dm_bio_record and dm_bio_restore
riscv: avoid the PIC offset of static percpu data in module beyond 2G limits
ASoC: stm32: sai: manage rebind issue
spi: spi_register_controller(): free bus id on error paths
riscv: Force flat memory model with no-mmu
riscv: Fix range looking for kernel image memblock
drm/amdgpu: clean wptr on wb when gpu recovery
drm/amd/display: Clear link settings on MST disable connector
drm/amd/display: fix dcc swath size calculations on dcn1
xenbus: req->body should be updated before req->state
xenbus: req->err should be updated before req->state
block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
parse-maintainers: Mark as executable
binderfs: use refcount for binder control devices too
Revert "drm/fbdev: Fallback to non tiled mode if all tiles not present"
USB: Disable LPM on WD19's Realtek Hub
usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters
USB: serial: option: add ME910G1 ECM composition 0x110b
usb: host: xhci-plat: add a shutdown
USB: serial: pl2303: add device-id for HP LD381
usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c
usb: typec: ucsi: displayport: Fix NULL pointer dereference
usb: typec: ucsi: displayport: Fix a potential race during registration
USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL
USB: cdc-acm: fix rounding error in TIOCSSERIAL
ALSA: line6: Fix endless MIDI read loop
ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662
ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662
ALSA: seq: virmidi: Fix running status after receiving sysex
ALSA: seq: oss: Fix running status after receiving sysex
ALSA: pcm: oss: Avoid plugin buffer overflow
ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks
tty: fix compat TIOCGSERIAL leaking uninitialized memory
tty: fix compat TIOCGSERIAL checking wrong function ptr
iio: chemical: sps30: fix missing triggered buffer dependency
iio: st_sensors: remap SMO8840 to LIS2DH12
iio: trigger: stm32-timer: disable master mode when stopping
iio: accel: adxl372: Set iio_chan BE
iio: magnetometer: ak8974: Fix negative raw values in sysfs
iio: adc: stm32-dfsdm: fix sleep in atomic context
iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode
iio: light: vcnl4000: update sampling periods for vcnl4200
iio: light: vcnl4000: update sampling periods for vcnl4040
mmc: rtsx_pci: Fix support for speed-modes that relies on tuning
mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2
mmc: sdhci-cadence: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN for UniPhier
CIFS: fiemap: do not return EINVAL if get nothing
kbuild: Disable -Wpointer-to-enum-cast
staging: rtl8188eu: Add device id for MERCUSYS MW150US v2
staging: greybus: loopback_test: fix poll-mask build breakage
staging/speakup: fix get_word non-space look-ahead
intel_th: msu: Fix the unexpected state warning
intel_th: Fix user-visible error codes
intel_th: pci: Add Elkhart Lake CPU support
modpost: move the namespace field in Module.symvers last
rtc: max8907: add missing select REGMAP_IRQ
arm64: compat: Fix syscall number of compat_clock_getres
xhci: Do not open code __print_symbolic() in xhci trace events
btrfs: fix log context list corruption after rename whiteout error
drm/amd/amdgpu: Fix GPR read from debugfs (v2)
drm/lease: fix WARNING in idr_destroy
stm class: sys-t: Fix the use of time_after()
memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event
mm, memcg: fix corruption on 64-bit divisor in memory.high throttling
mm, memcg: throttle allocators based on ancestral memory.high
mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case
mm: do not allow MADV_PAGEOUT for CoW pages
epoll: fix possible lost wakeup on epoll_ctl() path
mm: slub: be more careful about the double cmpxchg of freelist
mm, slub: prevent kmalloc_node crashes and memory leaks
page-flags: fix a crash at SetPageError(THP_SWAP)
x86/mm: split vmalloc_sync_all()
futex: Fix inode life-time issue
futex: Unbreak futex hashing
ALSA: hda/realtek: Fix pop noise on ALC225
arm64: smp: fix smp_send_stop() behaviour
arm64: smp: fix crash_smp_send_stop() behaviour
nvmet-tcp: set MSG_MORE only if we actually have more to send
drm/bridge: dw-hdmi: fix AVI frame colorimetry
staging: greybus: loopback_test: fix potential path truncation
staging: greybus: loopback_test: fix potential path truncations
Linux 5.4.28
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I5d9d15d6236d8ab7374205c6ceda7efa7a9abb70
[ Upstream commit 211b64e4b5 ]
Binderfs binder-control devices are cleaned up via binderfs_evict_inode()
too, which will use refcount_dec_and_test(). However, we missed to set
the refcount for binderfs binder-control devices and so we underflowed
when the binderfs instance got unmounted. Pretty obvious oversight and
should have been part of the more general UAF fix. The good news is that
having test cases (surprisingly) helps.
Technically, we could detect that we're about to cleanup the
binder-control dentry in binderfs_evict_inode() and then simply clean it
up. But that makes the assumption that the binder driver itself will
never make use of a binderfs binder-control device after the binderfs
instance it belongs to has been unmounted and the superblock for it been
destroyed. While it is unlikely to ever come to this let's be on the
safe side. Performance-wise this also really doesn't matter since the
binder-control device is only ever really used when creating the binderfs
filesystem or creating additional binder devices. Both operations are
pretty rare.
Fixes: f0fe2c0f05 ("binder: prevent UAF for binderfs devices II")
Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Changes in 5.4.25
block, bfq: get extra ref to prevent a queue from being freed during a group move
block, bfq: do not insert oom queue into position tree
ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1
net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec
net: stmmac: fix notifier registration
dm thin metadata: fix lockdep complaint
RDMA/core: Fix pkey and port assignment in get_new_pps
RDMA/core: Fix use of logical OR in get_new_pps
kbuild: fix 'No such file or directory' warning when cleaning
kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic
blktrace: fix dereference after null check
ALSA: hda: do not override bus codec_mask in link_get()
serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
selftests: fix too long argument
usb: gadget: composite: Support more than 500mA MaxPower
usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
usb: gadget: serial: fix Tx stall after buffer overflow
habanalabs: halt the engines before hard-reset
habanalabs: do not halt CoreSight during hard reset
habanalabs: patched cb equals user cb in device memset
drm/msm/mdp5: rate limit pp done timeout warnings
drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
drm/modes: Make sure to parse valid rotation value from cmdline
drm/modes: Allow DRM_MODE_ROTATE_0 when applying video mode parameters
scsi: megaraid_sas: silence a warning
drm/msm/dsi: save pll state before dsi host is powered off
drm/msm/dsi/pll: call vco set rate explicitly
selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing
selftests: forwarding: vxlan_bridge_1d: fix tos value
net: atlantic: check rpc result and wait for rpc address
net: ks8851-ml: Remove 8-bit bus accessors
net: ks8851-ml: Fix 16-bit data access
net: ks8851-ml: Fix 16-bit IO operation
net: ethernet: dm9000: Handle -EPROBE_DEFER in dm9000_parse_dt()
watchdog: da9062: do not ping the hw during stop()
s390/cio: cio_ignore_proc_seq_next should increase position index
s390: make 'install' not depend on vmlinux
efi: Only print errors about failing to get certs if EFI vars are found
net/mlx5: DR, Fix matching on vport gvmi
iommu/amd: Disable IOMMU on Stoney Ridge systems
nvme/pci: Add sleep quirk for Samsung and Toshiba drives
nvme-pci: Use single IRQ vector for old Apple models
x86/boot/compressed: Don't declare __force_order in kaslr_64.c
s390/qdio: fill SL with absolute addresses
nvme: Fix uninitialized-variable warning
ice: Don't tell the OS that link is going down
x86/xen: Distribute switch variables for initialization
net: thunderx: workaround BGX TX Underflow issue
csky/mm: Fixup export invalid_pte_table symbol
csky: Set regs->usp to kernel sp, when the exception is from kernel
csky/smp: Fixup boot failed when CONFIG_SMP
csky: Fixup ftrace modify panic
csky: Fixup compile warning for three unimplemented syscalls
arch/csky: fix some Kconfig typos
selftests: forwarding: vxlan_bridge_1d: use more proper tos value
firmware: imx: scu: Ensure sequential TX
binder: prevent UAF for binderfs devices
binder: prevent UAF for binderfs devices II
ALSA: hda/realtek - Add Headset Mic supported
ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
cifs: don't leak -EAGAIN for stat() during reconnect
cifs: fix rename() by ensuring source handle opened with DELETE bit
usb: storage: Add quirk for Samsung Fit flash
usb: quirks: add NO_LPM quirk for Logitech Screen Share
usb: dwc3: gadget: Update chain bit correctly when using sg list
usb: cdns3: gadget: link trb should point to next request
usb: cdns3: gadget: toggle cycle bit before reset endpoint
usb: core: hub: fix unhandled return by employing a void function
usb: core: hub: do error out if usb_autopm_get_interface() fails
usb: core: port: do error out if usb_autopm_get_interface() fails
vgacon: Fix a UAF in vgacon_invert_region
mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa
mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()
mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled
fat: fix uninit-memory access for partial initialized inode
btrfs: fix RAID direct I/O reads with alternate csums
arm64: dts: socfpga: agilex: Fix gmac compatible
arm: dts: dra76x: Fix mmc3 max-frequency
tty:serial:mvebu-uart:fix a wrong return
tty: serial: fsl_lpuart: free IDs allocated by IDA
serial: 8250_exar: add support for ACCES cards
vt: selection, close sel_buffer race
vt: selection, push console lock down
vt: selection, push sel_lock up
media: hantro: Fix broken media controller links
media: mc-entity.c: use & to check pad flags, not ==
media: vicodec: process all 4 components for RGB32 formats
media: v4l2-mem2mem.c: fix broken links
perf intel-pt: Fix endless record after being terminated
perf intel-bts: Fix endless record after being terminated
perf cs-etm: Fix endless record after being terminated
perf arm-spe: Fix endless record after being terminated
spi: spidev: Fix CS polarity if GPIO descriptors are used
x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes
s390/pci: Fix unexpected write combine on resource
s390/mm: fix panic in gup_fast on large pud
dmaengine: imx-sdma: fix context cache
dmaengine: imx-sdma: Fix the event id check to include RX event for UART6
dmaengine: tegra-apb: Fix use-after-free
dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
dm integrity: fix recalculation when moving from journal mode to bitmap mode
dm integrity: fix a deadlock due to offloading to an incorrect workqueue
dm integrity: fix invalid table returned due to argument count mismatch
dm cache: fix a crash due to incorrect work item cancelling
dm: report suspended device during destroy
dm writecache: verify watermark during resume
dm zoned: Fix reference counter initial value of chunk works
dm: fix congested_fn for request-based device
arm64: dts: meson-sm1-sei610: add missing interrupt-names
ARM: dts: ls1021a: Restore MDIO compatible to gianfar
spi: bcm63xx-hsspi: Really keep pll clk enabled
drm/virtio: make resource id workaround runtime switchable.
drm/virtio: fix resource id creation race
ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
ASoC: topology: Fix memleak in soc_tplg_manifest_load()
ASoC: SOF: Fix snd_sof_ipc_stream_posn()
ASoC: intel: skl: Fix pin debug prints
ASoC: intel: skl: Fix possible buffer overflow in debug outputs
powerpc: define helpers to get L1 icache sizes
powerpc: Convert flush_icache_range & friends to C
powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()
ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
ASoC: Intel: Skylake: Fix available clock counter incrementation
ASoC: dapm: Correct DAPM handling of active widgets during shutdown
spi: atmel-quadspi: fix possible MMIO window size overrun
drm/panfrost: Don't try to map on error faults
drm: kirin: Revert "Fix for hikey620 display offset problem"
drm/sun4i: Add separate DE3 VI layer formats
drm/sun4i: Fix DE2 VI layer format support
drm/sun4i: de2/de3: Remove unsupported VI layer formats
drm/i915: Program MBUS with rmw during initialization
drm/i915/selftests: Fix return in assert_mmap_offset()
phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling
phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval
ARM: dts: imx6: phycore-som: fix emmc supply
arm64: dts: imx8qxp-mek: Remove unexisting Ethernet PHY
firmware: imx: misc: Align imx sc msg structs to 4
firmware: imx: scu-pd: Align imx sc msg structs to 4
firmware: imx: Align imx_sc_msg_req_cpu_start to 4
soc: imx-scu: Align imx sc msg structs to 4
Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"
RDMA/rw: Fix error flow during RDMA context initialization
RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
RDMA/siw: Fix failure handling during device creation
RDMA/iwcm: Fix iwcm work deallocation
RDMA/core: Fix protection fault in ib_mr_pool_destroy
regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
IB/hfi1, qib: Ensure RCU is locked when accessing list
ARM: imx: build v7_cpu_resume() unconditionally
ARM: dts: am437x-idk-evm: Fix incorrect OPP node names
ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source
ARM: dts: imx7-colibri: Fix frequency for sd/mmc
hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
dma-buf: free dmabuf->name in dma_buf_release()
dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
arm64: dts: meson: fix gxm-khadas-vim2 wifi
bus: ti-sysc: Fix 1-wire reset quirk
EDAC/synopsys: Do not print an error with back-to-back snprintf() calls
powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper
efi/x86: Handle by-ref arguments covering multiple pages in mixed mode
efi: READ_ONCE rng seed size before munmap
block, bfq: get a ref to a group when adding it to a service tree
block, bfq: remove ifdefs from around gets/puts of bfq groups
csky: Implement copy_thread_tls
drm/virtio: module_param_named() requires linux/moduleparam.h
Linux 5.4.25
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8ba29f273c7a2b02bfa54593f7a9087c34607cd5
commit f0fe2c0f05 upstream.
This is a necessary follow up to the first fix I proposed and we merged
in 2669b8b0c7 ("binder: prevent UAF for binderfs devices"). I have been
overly optimistic that the simple fix I proposed would work. But alas,
ihold() + iput() won't work since the inodes won't survive the
destruction of the superblock.
So all we get with my prior fix is a different race with a tinier
race-window but it doesn't solve the issue. Fwiw, the problem lies with
generic_shutdown_super(). It even has this cozy Al-style comment:
    if (!list_empty(&sb->s_inodes)) {
        printk("VFS: Busy inodes after unmount of %s. "
               "Self-destruct in 5 seconds. Have a nice day...\n",
               sb->s_id);
    }
On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
called which punts the actual cleanup operation to a workqueue. At some
point, binder_deferred_func() will be called which will end up calling
binder_deferred_release() which will retrieve and cleanup the
binder_context attached to this struct binder_proc.
If we trace back where this binder_context is attached to binder_proc we
see that it is set in binder_open() and is taken from the struct
binder_device it is associated with. This obviously assumes that the
struct binder_device that context is attached to is _never_ freed. While
that might be true for devtmpfs binder devices it is most certainly
wrong for binderfs binder devices.
So, assume binder_open() is called on a binderfs binder device. We now
stash away the struct binder_context associated with that struct
binder_device:
proc->context = &binder_dev->context;
    /* binderfs stashes devices in i_private */
    if (is_binderfs_device(nodp)) {
        binder_dev = nodp->i_private;
        info = nodp->i_sb->s_fs_info;
        binder_binderfs_dir_entry_proc = info->proc_log_dir;
    } else {
    .
    .
    .
    proc->context = &binder_dev->context;
Now let's assume that the binderfs instance for that binder device is
shutdown via umount() and/or the mount namespace associated with it goes
away. As long as there is still an fd open for that binderfs binder
device things are fine. But let's assume we now close the last fd for
that binderfs binder device. Now binder_release() is called and punts to
the workqueue. Assume that the workqueue has quite a bit of stuff to do
and doesn't get to cleaning up the struct binder_proc and the associated
struct binder_context with it for that binderfs binder device right
away. In the meantime, the VFS is killing the super block and is
ultimately calling sb->evict_inode() which means it will call
binderfs_evict_inode() which does:
static void binderfs_evict_inode(struct inode *inode)
{
    struct binder_device *device = inode->i_private;
    struct binderfs_info *info = BINDERFS_I(inode);

    clear_inode(inode);

    if (!S_ISCHR(inode->i_mode) || !device)
        return;

    mutex_lock(&binderfs_minors_mutex);
    --info->device_count;
    ida_free(&binderfs_minors, device->miscdev.minor);
    mutex_unlock(&binderfs_minors_mutex);

    kfree(device->context.name);
    kfree(device);
}
thereby freeing the struct binder_device including struct
binder_context.
Now the workqueue finally has time to get around to cleaning up struct
binder_proc and is now trying to access the associated struct
binder_context. Since it's already freed it will oops.
Fix this by introducing a refcount on binder devices.
This is an alternative fix to 51d8a7eca6 ("binder: prevent UAF read in
print_binder_transaction_log_entry()").
Fixes: 3ad20fe393 ("binder: implement binderfs")
Fixes: 2669b8b0c7 ("binder: prevent UAF for binderfs devices")
Fixes: 03e2e07e38 ("binder: Make transaction_log available in binderfs")
Related : 51d8a7eca6 ("binder: prevent UAF read in print_binder_transaction_log_entry()")
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200303164340.670054-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2669b8b0c7 upstream.
On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
called which punts the actual cleanup operation to a workqueue. At some
point, binder_deferred_func() will be called which will end up calling
binder_deferred_release() which will retrieve and cleanup the
binder_context attached to this struct binder_proc.
If we trace back where this binder_context is attached to binder_proc we
see that it is set in binder_open() and is taken from the struct
binder_device it is associated with. This obviously assumes that the
struct binder_device that context is attached to is _never_ freed. While
that might be true for devtmpfs binder devices it is most certainly
wrong for binderfs binder devices.
So, assume binder_open() is called on a binderfs binder device. We now
stash away the struct binder_context associated with that struct
binder_device:
proc->context = &binder_dev->context;
    /* binderfs stashes devices in i_private */
    if (is_binderfs_device(nodp)) {
        binder_dev = nodp->i_private;
        info = nodp->i_sb->s_fs_info;
        binder_binderfs_dir_entry_proc = info->proc_log_dir;
    } else {
    .
    .
    .
    proc->context = &binder_dev->context;
Now let's assume that the binderfs instance for that binder device is
shutdown via umount() and/or the mount namespace associated with it goes
away. As long as there is still an fd open for that binderfs binder
device things are fine. But let's assume we now close the last fd for
that binderfs binder device. Now binder_release() is called and punts to
the workqueue. Assume that the workqueue has quite a bit of stuff to do
and doesn't get to cleaning up the struct binder_proc and the associated
struct binder_context with it for that binderfs binder device right
away. In the meantime, the VFS is killing the super block and is
ultimately calling sb->evict_inode() which means it will call
binderfs_evict_inode() which does:
static void binderfs_evict_inode(struct inode *inode)
{
    struct binder_device *device = inode->i_private;
    struct binderfs_info *info = BINDERFS_I(inode);

    clear_inode(inode);

    if (!S_ISCHR(inode->i_mode) || !device)
        return;

    mutex_lock(&binderfs_minors_mutex);
    --info->device_count;
    ida_free(&binderfs_minors, device->miscdev.minor);
    mutex_unlock(&binderfs_minors_mutex);

    kfree(device->context.name);
    kfree(device);
}
thereby freeing the struct binder_device including struct
binder_context.
Now the workqueue finally has time to get around to cleaning up struct
binder_proc and is now trying to access the associated struct
binder_context. Since it's already freed it will oops.
Fix this by holding an additional reference to the inode that is only
released once the workqueue is done cleaning up struct binder_proc. This
is an easy alternative to introducing separate refcounting on struct
binder_device which we can always do later if it becomes necessary.
This is an alternative fix to 51d8a7eca6 ("binder: prevent UAF read in
print_binder_transaction_log_entry()").
Fixes: 3ad20fe393 ("binder: implement binderfs")
Fixes: 03e2e07e38 ("binder: Make transaction_log available in binderfs")
Related : 51d8a7eca6 ("binder: prevent UAF read in print_binder_transaction_log_entry()")
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
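The two commit messages above describe the same lifetime bug: binder_open() stores a pointer to the binder_context embedded in the inode's struct binder_device, proc cleanup is deferred to a workqueue, and an umount in between frees the device out from under the pending work. The following userspace model, added here as an illustration and not taken from the kernel or from either patch, replays that ordering with and without the per-device reference count that the first fix (f0fe2c0f05) introduces. The struct fields, helper names, and the `alive` flag are this example's own; it does not reproduce the earlier ihold()/iput() attempt, which the first message explains cannot outlive the superblock.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the binder/binderfs lifetime bug; names mirror the
 * commit message, but the fields and helpers are this example's own. */
struct binder_context {
	char *name;
};

struct binder_device {
	int refs;   /* the reference count the fix adds (modelled) */
	int alive;  /* 0 once "freed"; storage is kept so the stale access stays observable */
	struct binder_context context;
};

struct binder_proc {
	struct binder_device *dev;
	struct binder_context *context;   /* == &dev->context, as in binder_open() */
};

static char *dup_string(const char *s)
{
	size_t len = strlen(s) + 1;
	char *copy = malloc(len);
	if (copy)
		memcpy(copy, s, len);
	return copy;
}

/* Device creation: the inode's i_private pointer holds the first reference. */
static struct binder_device *device_create(const char *name)
{
	struct binder_device *dev = calloc(1, sizeof(*dev));
	if (!dev)
		return NULL;
	dev->refs = 1;
	dev->alive = 1;
	dev->context.name = dup_string(name);
	return dev;
}

/* What kfree(device->context.name); kfree(device); in binderfs_evict_inode()
 * amounts to. The struct storage itself is released by run_scenario() so the
 * unfixed path's stale read stays defined behaviour in this demo. */
static void device_destroy(struct binder_device *dev)
{
	free(dev->context.name);
	dev->context.name = NULL;
	dev->alive = 0;
}

static void device_get(struct binder_device *dev) { dev->refs++; }

static void device_put(struct binder_device *dev)
{
	if (--dev->refs == 0)
		device_destroy(dev);
}

/* binder_open(): with the fix, the proc takes its own reference. */
static struct binder_proc *proc_open(struct binder_device *dev, int refcounted)
{
	struct binder_proc *proc = calloc(1, sizeof(*proc));
	if (!proc)
		return NULL;
	proc->dev = dev;
	proc->context = &dev->context;
	if (refcounted)
		device_get(dev);
	return proc;
}

/* binderfs_evict_inode(): drop the inode's reference, or free outright without the fix. */
static void inode_evict(struct binder_device *dev, int refcounted)
{
	if (refcounted)
		device_put(dev);
	else
		device_destroy(dev);
}

/* binder_deferred_release(): runs later on the workqueue and touches the context.
 * Returns 1 if the context was still valid, 0 if it was already freed. */
static int proc_deferred_release(struct binder_proc *proc, int refcounted)
{
	int valid = proc->dev->alive && proc->context->name != NULL;

	if (refcounted)
		device_put(proc->dev);
	free(proc);
	return valid;
}

/* The ordering from the commit message: last fd closed (release deferred),
 * umount evicts the inode, then the workqueue finally runs. */
int run_scenario(int refcounted)
{
	struct binder_device *dev = device_create("binder");
	struct binder_proc *proc = proc_open(dev, refcounted);
	int valid;

	inode_evict(dev, refcounted);
	valid = proc_deferred_release(proc, refcounted);
	free(dev);   /* demo storage only; see device_destroy() */
	return valid;
}

int main(void)
{
	printf("without refcount: context valid at deferred release = %d\n", run_scenario(0));
	printf("with refcount:    context valid at deferred release = %d\n", run_scenario(1));
	return 0;
}
```

Without the reference count the deferred release reads a context that evict already tore down; with it, the device outlives the inode until the last user (here the proc) drops its reference, which is exactly the ordering the refcount is meant to guarantee.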
Changes in 5.4.17
Bluetooth: btusb: fix non-atomic allocation in completion handler
orinoco_usb: fix interface sanity check
rsi_91x_usb: fix interface sanity check
usb: dwc3: pci: add ID for the Intel Comet Lake -V variant
usb: host: xhci-tegra: set MODULE_FIRMWARE for tegra186
USB: serial: ir-usb: add missing endpoint sanity check
USB: serial: ir-usb: fix link-speed handling
USB: serial: ir-usb: fix IrLAP framing
usb: dwc3: turn off VBUS when leaving host mode
usb: typec: wcove: fix "op-sink-microwatt" default that was in mW
usb: typec: fusb302: fix "op-sink-microwatt" default that was in mW
staging: most: net: fix buffer overflow
staging: wlan-ng: ensure error return is actually returned
staging: vt6656: correct packet types for CTS protect, mode.
staging: vt6656: use NULLFUCTION stack on mac80211
staging: vt6656: Fix false Tx excessive retries reporting.
serial: 8250_bcm2835aux: Fix line mismatch on driver unbind
serial: imx: fix a race condition in receive path
debugfs: Return -EPERM when locked down
component: do not dereference opaque pointer in debugfs
binder: fix log spam for existing debugfs file creation.
mei: hdcp: bind only with i915 on the same PCH
mei: me: add comet point (lake) H device ids
iio: adc: stm32-dfsdm: fix single conversion
iio: st_gyro: Correct data for LSM9DS0 gyro
driver core: Fix test_async_driver_probe if NUMA is disabled
crypto: chelsio - fix writing tfm flags to wrong place
CIFS: Fix task struct use-after-free on reconnect
cifs: set correct max-buffer-size for smb2_ioctl_init()
cifs: Fix memory allocation in __smb2_handle_cancelled_cmd()
ath9k: fix storage endpoint lookup
brcmfmac: fix interface sanity check
rtl8xxxu: fix interface sanity check
zd1211rw: fix storage endpoint lookup
net_sched: ematch: reject invalid TCF_EM_SIMPLE
net_sched: fix ops->bind_class() implementations
net_sched: walk through all child classes in tc_bind_tclass()
net: socionext: fix possible user-after-free in netsec_process_rx
net: socionext: fix xdp_result initialization in netsec_process_rx
udp: segment looped gso packets correctly
mlxsw: minimal: Fix an error handling path in 'mlxsw_m_port_create()'
net: include struct nhmsg size in nh nlmsg size
rxrpc: Fix use-after-free in rxrpc_receive_data()
HID: multitouch: Add LG MELF0410 I2C touchscreen support
arc: eznps: fix allmodconfig kconfig warning
HID: Add quirk for Xin-Mo Dual Controller
HID: ite: Add USB id match for Acer SW5-012 keyboard dock
HID: asus: Ignore Asus vendor-page usage-code 0xff events
HID: Add quirk for incorrect input length on Lenovo Y720
HID: intel-ish-hid: ipc: add CMP device id
HID: wacom: Recognize new MobileStudio Pro PID
ASoC: SOF: fix fault at driver unload after failed probe
ASoC: SOF: Intel: hda: hda-dai: fix oops on hda_link .hw_free
drivers/hid/hid-multitouch.c: fix a possible null pointer access.
phy: qcom-qmp: Increase PHY ready timeout
ASoC: fsl_audmix: add missed pm_runtime_disable
ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()
phy: cpcap-usb: Prevent USB line glitches from waking up modem
HID: intel-ish-hid: ipc: Add Tiger Lake PCI device ID
watchdog: max77620_wdt: fix potential build errors
watchdog: rn5t618_wdt: fix module aliases
watchdog: orion: fix platform_get_irq() complaints
usb: musb: jz4740: Silence error if code is -EPROBE_DEFER
can: tcan4x5x: tcan4x5x_parse_config(): reset device before register access
spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
net: Google gve: Remove dma_wmb() before ringing doorbell
drivers/net/b44: Change to non-atomic bit operations on pwol_mask
net: wan: sdla: Fix cast from pointer to integer of different size
gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP
iommu/dma: fix variable 'cookie' set but not used
drm/amd/display: Reduce HDMI pixel encoding if max clock is exceeded
stmmac: debugfs entry name is not be changed when udev rename device name.
atm: eni: fix uninitialized variable warning
HID: steam: Fix input device disappearing
extcon-intel-cht-wc: Don't reset USB data connection at probe
ASoC: Intel: cht_bsw_rt5645: Add quirk for boards using pmc_plt_clk_0
drm/amdgpu/SRIOV: add navi12 pci id for SRIOV (v2)
libbpf: Fix BTF-defined map's __type macro handling of arrays
staging: mt7621-pci: add quirks for 'E2' revision using 'soc_device_attribute'
platform/x86: dell-laptop: disable kbd backlight on Inspiron 10xx
PCI: Add DMA alias quirk for Intel VCA NTB
media: dvbsky: add support for eyeTV Geniatech T2 lite
bus: ti-sysc: Handle mstandby quirk and use it for musb
bus: ti-sysc: Use swsup quirks also for am335x musb
spi: pxa2xx: Add support for Intel Comet Lake-H
iommu/amd: Support multiple PCI DMA aliases in device table
iommu/amd: Support multiple PCI DMA aliases in IRQ Remapping
perf/imx_ddr: Add enhanced AXI ID filter support
mfd: intel-lpss: Add Intel Comet Lake PCH-H PCI IDs
ARM: config: aspeed-g5: Enable 8250_DW quirks
ARM: OMAP2+: SmartReflex: add omap_sr_pdata definition
mmc: sdhci-pci: Quirk for AMD SDHC Device 0x7906
mmc: sdhci-pci: Add support for Intel JSL
bus: ti-sysc: Add module enable quirk for audio AESS
usb-storage: Disable UAS on JMicron SATA enclosure
ALSA: hda/realtek - Move some alc236 pintbls to fallback table
Bluetooth: Allow combination of BDADDR_PROPERTY and INVALID_BDADDR quirks
Bluetooth: btbcm: Use the BDADDR_PROPERTY quirk
bus: ti-sysc: Fix missing force mstandby quirk handling
rsi: fix use-after-free on failed probe and unbind
rsi: fix use-after-free on probe errors
rsi: fix memory leak on failed URB submission
rsi: fix non-atomic allocation in completion handler
crypto: af_alg - Use bh_lock_sock in sk_destruct
crypto: vmx - reject xts inputs that are too short
crypto: caam - do not reset pointer size from MCFGR register
crypto: pcrypt - Fix user-after-free on module unload
KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE
Revert "um: Enable CONFIG_CONSTRUCTORS"
power/supply: ingenic-battery: Don't change scale if there's only one
Linux 5.4.17
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I03dc4a2a426ff7700c26560c294bcbfc66f26e38
commit eb143f8756 upstream.
Since commit 43e23b6c0b ("debugfs: log errors when something goes wrong")
debugfs logs attempts to create existing files.
However binder attempts to create multiple debugfs files with
the same name when a single PID has multiple contexts, this leads
to log spamming during an Android boot (17 such messages during
boot on my system).
Fix this by checking if we already know the PID and only create
the debugfs entry for the first context per PID.
Do the same thing for binderfs for symmetry.
Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
Acked-by: Todd Kjos <tkjos@google.com>
Fixes: 43e23b6c0b ("debugfs: log errors when something goes wrong")
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1578671054-5982-1-git-send-email-martin.fuzzey@flowbird.group
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Changes in 5.4.4
usb: gadget: configfs: Fix missing spin_lock_init()
usb: gadget: pch_udc: fix use after free
nvme: Namepace identification descriptor list is optional
Revert "nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T"
scsi: lpfc: Fix bad ndlp ptr in xri aborted handling
scsi: zfcp: trace channel log even for FCP command responses
scsi: qla2xxx: Do command completion on abort timeout
scsi: qla2xxx: Fix driver unload hang
scsi: qla2xxx: Fix double scsi_done for abort path
scsi: qla2xxx: Fix memory leak when sending I/O fails
compat_ioctl: add compat_ptr_ioctl()
ceph: fix compat_ioctl for ceph_dir_operations
media: venus: remove invalid compat_ioctl32 handler
USB: uas: honor flag to avoid CAPACITY16
USB: uas: heed CAPACITY_HEURISTICS
USB: documentation: flags on usb-storage versus UAS
usb: Allow USB device to be warm reset in suspended state
usb: host: xhci-tegra: Correct phy enable sequence
binder: fix incorrect calculation for num_valid
staging: exfat: fix multiple definition error of `rename_file'
staging: rtl8188eu: fix interface sanity check
staging: rtl8712: fix interface sanity check
staging: vchiq: call unregister_chrdev_region() when driver registration fails
staging: gigaset: fix general protection fault on probe
staging: gigaset: fix illegal free on probe errors
staging: gigaset: add endpoint-type sanity check
usb: xhci: only set D3hot for pci device
xhci: Fix memory leak in xhci_add_in_port()
xhci: fix USB3 device initiated resume race with roothub autosuspend
xhci: Increase STS_HALT timeout in xhci_suspend()
xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour.
xhci: make sure interrupts are restored to correct state
interconnect: qcom: sdm845: Walk the list safely on node removal
interconnect: qcom: qcs404: Walk the list safely on node removal
usb: common: usb-conn-gpio: Don't log an error on probe deferral
ARM: dts: pandora-common: define wl1251 as child node of mmc3
iio: adis16480: Add debugfs_reg_access entry
iio: imu: st_lsm6dsx: fix ODR check in st_lsm6dsx_write_raw
iio: adis16480: Fix scales factors
iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting
iio: imu: inv_mpu6050: fix temperature reporting using bad unit
iio: adc: ad7606: fix reading unnecessary data from device
iio: adc: ad7124: Enable internal reference
USB: atm: ueagle-atm: add missing endpoint check
USB: idmouse: fix interface sanity checks
USB: serial: io_edgeport: fix epic endpoint lookup
usb: roles: fix a potential use after free
USB: adutux: fix interface sanity check
usb: core: urb: fix URB structure initialization function
usb: mon: Fix a deadlock in usbmon between mmap and read
tpm: add check after commands attribs tab allocation
tpm: Switch to platform_get_irq_optional()
EDAC/altera: Use fast register IO for S10 IRQs
brcmfmac: disable PCIe interrupts before bus reset
mtd: spear_smi: Fix Write Burst mode
mtd: rawnand: Change calculating of position page containing BBM
virt_wifi: fix use-after-free in virt_wifi_newlink()
virtio-balloon: fix managed page counts when migrating pages between zones
usb: dwc3: pci: add ID for the Intel Comet Lake -H variant
usb: dwc3: gadget: Fix logical condition
usb: dwc3: gadget: Clear started flag for non-IOC
usb: dwc3: ep0: Clear started flag on completion
phy: renesas: rcar-gen3-usb2: Fix sysfs interface of "role"
usb: typec: fix use after free in typec_register_port()
iwlwifi: pcie: fix support for transmitting SKBs with fraglist
btrfs: check page->mapping when loading free space cache
btrfs: use btrfs_block_group_cache_done in update_block_group
btrfs: use refcount_inc_not_zero in kill_all_nodes
Btrfs: fix metadata space leak on fixup worker failure to set range as delalloc
Btrfs: fix negative subv_writers counter and data space leak after buffered write
btrfs: Avoid getting stuck during cyclic writebacks
btrfs: Remove btrfs_bio::flags member
Btrfs: send, skip backreference walking for extents with many references
btrfs: record all roots for rename exchange on a subvol
rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address
rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer
rtlwifi: rtl8192de: Fix missing enable interrupt flag
lib: raid6: fix awk build warnings
ovl: fix lookup failure on multi lower squashfs
ovl: fix corner case of non-unique st_dev;st_ino
ovl: relax WARN_ON() on rename to self
hwrng: omap - Fix RNG wait loop timeout
dm writecache: handle REQ_FUA
dm zoned: reduce overhead of backing device checks
workqueue: Fix spurious sanity check failures in destroy_workqueue()
workqueue: Fix pwq ref leak in rescuer_thread()
ASoC: rt5645: Fixed buddy jack support.
ASoC: rt5645: Fixed typo for buddy jack support.
ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
ASoC: fsl_audmix: Add spin lock to protect tdms
md: improve handling of bio with REQ_PREFLUSH in md_flush_request()
blk-mq: avoid sysfs buffer overflow with too many CPU cores
cgroup: pids: use atomic64_t for pids->limit
wil6210: check len before memcpy() calls
ar5523: check NULL before memcpy() in ar5523_cmd()
s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported
media: hantro: Fix s_fmt for dynamic resolution changes
media: hantro: Fix motion vectors usage condition
media: hantro: Fix picture order count table enable
media: vimc: sen: remove unused kthread_sen field
media: bdisp: fix memleak on release
media: radio: wl1273: fix interrupt masking on release
media: cec.h: CEC_OP_REC_FLAG_ values were swapped
cpuidle: Do not unset the driver if it is there already
cpuidle: teo: Ignore disabled idle states that are too deep
cpuidle: teo: Rename local variable in teo_select()
cpuidle: teo: Consider hits and misses metrics of disabled states
cpuidle: teo: Fix "early hits" handling for disabled idle states
cpuidle: use first valid target residency as poll time
erofs: zero out when listxattr is called with no xattr
perf tests: Fix out of bounds memory access
drm/panfrost: Open/close the perfcnt BO
powerpc/perf: Disable trace_imc pmu
intel_th: Fix a double put_device() in error path
intel_th: pci: Add Ice Lake CPU support
intel_th: pci: Add Tiger Lake CPU support
PM / devfreq: Lock devfreq in trans_stat_show
cpufreq: powernv: fix stack bloat and hard limit on number of CPUs
ALSA: fireface: fix return value in error path of isochronous resources reservation
ALSA: oxfw: fix return value in error path of isochronous resources reservation
ALSA: hda/realtek - Line-out jack doesn't work on a Dell AIO
ACPI / utils: Move acpi_dev_get_first_match_dev() under CONFIG_ACPI
ACPI: LPSS: Add LNXVIDEO -> BYT I2C7 to lpss_device_links
ACPI: LPSS: Add LNXVIDEO -> BYT I2C1 to lpss_device_links
ACPI: LPSS: Add dmi quirk for skipping _DEP check for some device-links
ACPI / hotplug / PCI: Allocate resources directly under the non-hotplug bridge
ACPI: OSL: only free map once in osl.c
ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
ACPI: EC: Rework flushing of pending work
ACPI: PM: Avoid attaching ACPI PM domain to certain devices
pinctrl: rza2: Fix gpio name typos
pinctrl: armada-37xx: Fix irq mask access in armada_37xx_irq_set_type()
pinctrl: samsung: Add of_node_put() before return in error path
pinctrl: samsung: Fix device node refcount leaks in Exynos wakeup controller init
pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init
pinctrl: samsung: Fix device node refcount leaks in init code
pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init
mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card
ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity
RDMA/core: Fix ib_dma_max_seg_size()
ppdev: fix PPGETTIME/PPSETTIME ioctls
stm class: Lose the protocol driver when dropping its reference
coresight: Serialize enabling/disabling a link device.
powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB
powerpc/xive: Prevent page fault issues in the machine crash handler
powerpc: Allow flush_icache_range to work across ranges >4GB
powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts
video/hdmi: Fix AVI bar unpack
quota: Check that quota is not dirty before release
ext2: check err when partial != NULL
seccomp: avoid overflow in implicit constant conversion
quota: fix livelock in dquot_writeback_dquots
ext4: Fix credit estimate for final inode freeing
reiserfs: fix extended attributes on the root directory
scsi: qla2xxx: Fix SRB leak on switch command timeout
scsi: qla2xxx: Fix a dma_pool_free() call
Revert "scsi: qla2xxx: Fix memory leak when sending I/O fails"
iio: ad7949: kill pointless "readback"-handling code
iio: ad7949: fix channels mixups
omap: pdata-quirks: revert pandora specific gpiod additions
omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251
powerpc: Avoid clang warnings around setjmp and longjmp
powerpc: Fix vDSO clock_getres()
mm, memfd: fix COW issue on MAP_PRIVATE and F_SEAL_FUTURE_WRITE mappings
mfd: rk808: Fix RK818 ID template
mm: memcg/slab: wait for !root kmem_cache refcnt killing on root kmem_cache destruction
ext4: work around deleting a file with i_nlink == 0 safely
firmware: qcom: scm: Ensure 'a0' status code is treated as signed
s390/smp,vdso: fix ASCE handling
s390/kaslr: store KASLR offset for early dumps
mm/shmem.c: cast the type of unmap_start to u64
powerpc: Define arch_is_kernel_initmem_freed() for lockdep
USB: dummy-hcd: increase max number of devices to 32
rtc: disable uie before setting time and enable after
splice: only read in as much information as there is pipe buffer space
ext4: fix a bug in ext4_wait_for_tail_page_commit
ext4: fix leak of quota reservations
blk-mq: make sure that line break can be printed
workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
r8169: fix rtl_hw_jumbo_disable for RTL8168evl
EDAC/ghes: Do not warn when incrementing refcount on 0
Linux 5.4.4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8949a5fb2fbd836ce34907e70906e3aeb8a58b7c
Changes in 5.4.3
rsi: release skb if rsi_prepare_beacon fails
arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator
arm64: tegra: Fix 'active-low' warning for Jetson Xavier regulator
perf scripts python: exported-sql-viewer.py: Fix use of TRUE with SQLite
sparc64: implement ioremap_uc
lp: fix sparc64 LPSETTIMEOUT ioctl
time: Zero the upper 32-bits in __kernel_timespec on 32-bit
mailbox: tegra: Fix superfluous IRQ error message
staging/octeon: Use stubs for MIPS && !CAVIUM_OCTEON_SOC
usb: gadget: u_serial: add missing port entry locking
serial: 8250-mtk: Use platform_get_irq_optional() for optional irq
tty: serial: fsl_lpuart: use the sg count from dma_map_sg
tty: serial: msm_serial: Fix flow control
serial: pl011: Fix DMA ->flush_buffer()
serial: serial_core: Perform NULL checks for break_ctl ops
serial: stm32: fix clearing interrupt error flags
serial: 8250_dw: Avoid double error messaging when IRQ absent
serial: ifx6x60: add missed pm_runtime_disable
mwifiex: Re-work support for SDIO HW reset
io_uring: fix dead-hung for non-iter fixed rw
io_uring: transform send/recvmsg() -ERESTARTSYS to -EINTR
fuse: fix leak of fuse_io_priv
fuse: verify nlink
fuse: verify write return
fuse: verify attributes
io_uring: fix missing kmap() declaration on powerpc
io_uring: ensure req->submit is copied when req is deferred
SUNRPC: Avoid RPC delays when exiting suspend
ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC
ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G
ALSA: pcm: oss: Avoid potential buffer overflows
ALSA: hda - Add mute led support for HP ProBook 645 G4
ALSA: hda: Modify stream stripe mask only when needed
soc: mediatek: cmdq: fixup wrong input order of write api
Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
Input: goodix - add upside-down quirk for Teclast X89 tablet
coresight: etm4x: Fix input validation for sysfs.
Input: Fix memory leak in psxpad_spi_probe
media: rc: mark input device as pointing stick
x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all()
x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
CIFS: Fix SMB2 oplock break processing
tty: vt: keyboard: reject invalid keycodes
can: slcan: Fix use-after-free Read in slcan_open
nfsd: Ensure CLONE persists data and metadata changes to the target file
nfsd: restore NFSv3 ACL support
kernfs: fix ino wrap-around detection
jbd2: Fix possible overflow in jbd2_log_space_left()
drm/msm: fix memleak on release
drm: damage_helper: Fix race checking plane->state->fb
drm/i810: Prevent underflow in ioctl
arm64: Validate tagged addresses in access_ok() called from kernel threads
arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node"
KVM: PPC: Book3S HV: XIVE: Free previous EQ page when setting up a new one
KVM: PPC: Book3S HV: XIVE: Fix potential page leak on error path
KVM: PPC: Book3S HV: XIVE: Set kvm->arch.xive when VPs are allocated
KVM: nVMX: Always write vmcs02.GUEST_CR3 during nested VM-Enter
KVM: arm/arm64: vgic: Don't rely on the wrong pending table
KVM: x86: do not modify masked bits of shared MSRs
KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
KVM: x86: Remove a spurious export of a static function
KVM: x86: Grab KVM's srcu lock when setting nested state
crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize
crypto: af_alg - cast ki_complete ternary op to int
crypto: geode-aes - switch to skcipher for cbc(aes) fallback
crypto: ccp - fix uninitialized list head
crypto: ecdh - fix big endian bug in ECC library
crypto: user - fix memory leak in crypto_report
crypto: user - fix memory leak in crypto_reportstat
spi: spi-fsl-qspi: Clear TDH bits in FLSHCR register
spi: stm32-qspi: Fix kernel oops when unbinding driver
spi: atmel: Fix CS high support
spi: Fix SPI_CS_HIGH setting when using native and GPIO CS
spi: Fix NULL pointer when setting SPI_CS_HIGH for GPIO CS
can: ucan: fix non-atomic allocation in completion handler
RDMA/qib: Validate ->show()/store() callbacks before calling them
rfkill: allocate static minor
bdev: Factor out bdev revalidation into a common helper
bdev: Refresh bdev size for disks without partitioning
iomap: Fix pipe page leakage during splicing
thermal: Fix deadlock in thermal thermal_zone_device_check
vcs: prevent write access to vcsu devices
Revert "serial/8250: Add support for NI-Serial PXI/PXIe+485 devices"
binder: Fix race between mmap() and binder_alloc_print_pages()
binder: Prevent repeated use of ->mmap() via NULL mapping
binder: Handle start==NULL in binder_update_page_range()
KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
ALSA: hda - Fix pending unsol events at shutdown
cpufreq: imx-cpufreq-dt: Correct i.MX8MN's default speed grade value
md/raid0: Fix an error message in raid0_make_request()
drm/mcde: Fix an error handling path in 'mcde_probe()'
watchdog: aspeed: Fix clock behaviour for ast2600
EDAC/ghes: Fix locking and memory barrier issues
perf script: Fix invalid LBR/binary mismatch error
kselftest: Fix NULL INSTALL_PATH for TARGETS runlist
Linux 5.4.3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4dabe2d29ae191e3c99ade22b1c385f68b5a77d4
commit 2a9edd056e upstream.
The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
continuing backwards to index -1 and crashing.
Luckily you need to be highly privileged to map things at NULL, so it's not
a big problem.
Fix it by adjusting the loop so that the loop variable is always in bounds.
This patch is deliberately minimal to simplify backporting, but IMO this
function could use a refactor. The jump labels in the second loop body are
horrible (the error gotos should be jumping to free_range instead), and
both loops would look nicer if they just iterated upwards through indices.
And the up_read()+mmput() shouldn't be duplicated like that.
Cc: stable@vger.kernel.org
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a7a74d7ff5 upstream.
binder_alloc_mmap_handler() attempts to detect the use of ->mmap() on a
binder_proc whose binder_alloc has already been initialized by checking
whether alloc->buffer is non-zero.
Before commit 880211667b ("binder: remove kernel vm_area for buffer
space"), alloc->buffer was a kernel mapping address, which is always
non-zero, but since that commit, it is a userspace mapping address.
A sufficiently privileged user can map /dev/binder at NULL, tricking
binder_alloc_mmap_handler() into assuming that the binder_proc has not been
mapped yet. This leads to memory unsafety.
Luckily, no context on Android has such privileges, and on a typical Linux
desktop system, you need to be root to do that.
Fix it by using the mapping size instead of the mapping address to
distinguish the mapped case. A valid VMA can't have size zero.
Fixes: 880211667b ("binder: remove kernel vm_area for buffer space")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-2-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8eb52a1ee3 upstream.
binder_alloc_print_pages() iterates over
alloc->pages[0..alloc->buffer_size-1] under alloc->mutex.
binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size
without holding that lock, and even writes them before the last bailout
point.
Unfortunately we can't take the alloc->mutex in the ->mmap() handler
because mmap_sem can be taken while alloc->mutex is held.
So instead, we have to locklessly check whether the binder_alloc has been
fully initialized with binder_alloc_get_vma(), like in
binder_alloc_new_buf_locked().
Fixes: 8ef4665aa1 ("android: binder: Add page usage in binder stats")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When changing a thread's scheduling priority, binder calls
sched_setscheduler_nocheck() while holding the node lock and
proc inner lock. This was safe until v5.3 when a change was
introduced where cpuset_read_lock() is called in this path
which can sleep: commit 710da3c8ea ("sched/core: Prevent
race condition between cpuset and __sched_setscheduler()").
Refactored binder_proc_transaction() to avoid holding a lock
when calling binder_transaction_priority().
Bug: 143627611
Change-Id: I405c76b4813777905090ccc33e4f048b37700068
Fixes: e00eb41c0c ("ANDROID: binder: add support for RT prio inheritance.")
Signed-off-by: Todd Kjos <tkjos@google.com>
binder_mmap() tries to prevent the creation of overly big binder mappings
by silently truncating the size of the VMA to 4MiB. However, this violates
the API contract of mmap(). If userspace attempts to create a large binder
VMA, and later attempts to unmap that VMA, it will call munmap() on a range
beyond the end of the VMA, which may have been allocated to another VMA in
the meantime. This can lead to userspace memory corruption.
The following sequence of calls leads to a segfault without this commit:
#include <err.h>
#include <fcntl.h>
#include <sys/mman.h>

int main(void) {
    int binder_fd = open("/dev/binder", O_RDWR);
    if (binder_fd == -1) err(1, "open binder");
    /* Request an 8MiB binder mapping; the driver silently truncates it to 4MiB. */
    void *binder_mapping = mmap(NULL, 0x800000UL, PROT_READ, MAP_SHARED,
                                binder_fd, 0);
    if (binder_mapping == MAP_FAILED) err(1, "mmap binder");
    /* A 4MiB anonymous mapping may now land right after the truncated VMA. */
    void *data_mapping = mmap(NULL, 0x400000UL, PROT_READ|PROT_WRITE,
                              MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    if (data_mapping == MAP_FAILED) err(1, "mmap data");
    /* Unmapping the length we asked for also unmaps the neighbouring VMA. */
    munmap(binder_mapping, 0x800000UL);
    *(char*)data_mapping = 1;
    return 0;
}
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191016150119.154756-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This merges Linus's tree as of commit b41dae061b ("Merge tag
'xfs-5.4-merge-7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux")
into android-mainline.
This "early" merge makes it easier to test and handle merge conflicts
instead of having to wait until the "end" of the merge window and handle
all 10000+ commits at once.
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6bebf55e5e2353f814e3c87f5033607b1ae5d812
Currently /sys/kernel/debug/binder/proc contains
the debug data for every binder_proc instance.
This patch makes this information also available
in a binderfs instance mounted with a mount option
"stats=global" in addition to debugfs. The patch does
not affect the presence of the file in debugfs.
If a binderfs instance is mounted at path /dev/binderfs,
this file would be present at /dev/binderfs/binder_logs/proc.
This change provides an alternate way to access this file when debugfs
is not mounted.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Link: https://lore.kernel.org/r/20190903161655.107408-5-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Currently, the binder transaction log files 'transaction_log'
and 'failed_transaction_log' live in debugfs at the following locations:
/sys/kernel/debug/binder/failed_transaction_log
/sys/kernel/debug/binder/transaction_log
This patch makes these files also available in a binderfs instance
mounted with the mount option "stats=global".
It does not affect the presence of these files in debugfs.
If a binderfs instance is mounted at path /dev/binderfs, the location of
these files will be as follows:
/dev/binderfs/binder_logs/failed_transaction_log
/dev/binderfs/binder_logs/transaction_log
This change provides an alternate option to access these files when
debugfs is not mounted.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Link: https://lore.kernel.org/r/20190903161655.107408-4-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The following binder stat files currently live in debugfs.
/sys/kernel/debug/binder/state
/sys/kernel/debug/binder/stats
/sys/kernel/debug/binder/transactions
This patch makes these files available in a binderfs instance
mounted with the mount option 'stats=global'. For example, if a binderfs
instance is mounted at path /dev/binderfs, the above files will be
available at the following locations:
/dev/binderfs/binder_logs/state
/dev/binderfs/binder_logs/stats
/dev/binderfs/binder_logs/transactions
This provides a way to access them even when debugfs is not mounted.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20190903161655.107408-3-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Currently, all binder state and statistics live in debugfs.
We need this information even when debugfs is not mounted.
This patch adds the mount option 'stats' to enable a binderfs
instance to have binder debug information present in the same.
'stats=global' will enable the global binder statistics. In
the future, 'stats=local' will enable binder statistics local
to the binderfs instance. The two modes 'global' and 'local'
will be mutually exclusive. 'stats=global' option is only available
for a binderfs instance mounted in the initial user namespace.
An attempt to use the option to mount a binderfs instance in
another user namespace will return an EPERM error.
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20190903161655.107408-2-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The buffer copy functions assumed the caller would ensure
correct alignment and that the memory to be copied was
completely within the binder buffer. There have been
a few cases discovered by syzkaller where a malformed
transaction created by a user could violate the
assumptions and result in a BUG_ON.
The fix is to remove the BUG_ON and always return the
error to be handled appropriately by the caller.
Acked-by: Martijn Coenen <maco@android.com>
Reported-by: syzbot+3ae18325f96190606754@syzkaller.appspotmail.com
Fixes: bde4a19fc0 ("binder: use userspace pointer as base of buffer space")
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
syzkaller found a 32-byte memory leak in a rarely executed error
case. The transaction complete work item was not freed if put_user()
failed when writing the BR_TRANSACTION_COMPLETE to the user command
buffer. Fixed by freeing it before put_user() is called.
Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Based on 1 normalized pattern(s):
this software is licensed under the terms of the gnu general public
license version 2 as published by the free software foundation and
may be copied distributed and modified under those terms this
program is distributed in the hope that it will be useful but
without any warranty without even the implied warranty of
merchantability or fitness for a particular purpose see the gnu
general public license for more details
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 285 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Alexios Zavras <alexios.zavras@intel.com>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190529141900.642774971@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add SPDX license identifiers to all Make/Kconfig files which:
- Have no license information of any form
These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:
GPL-2.0-only
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>