This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.
Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 200688826
(cherry picked from commit c21a80ca0684ec2910344d72556c816cb8940c01
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-linus)
Signed-off-by: Todd Kjos <tkjos@google.com>
Vendor architectures may contain CPUs running on the same clock line
which have different capacities. Add a tracehook in this path to
allow vendor modules to skip the implicit check to prevent crashes.
Bug: 206602617
Change-Id: Ica01a214689607b8d79b370c20bc9a8c44ca2117
Signed-off-by: Shaleen Agrawal <shalagra@codeaurora.org>
commit 32e9f56a96d8d0f23cb2aeb2a3cd18d40393e787 upstream.
When freeing txn buffers, binder_transaction_buffer_release()
attempts to detect whether the current context is the target by
comparing current->group_leader to proc->tsk. This is an unreliable
test. Instead explicitly pass an 'is_failure' boolean.
Detecting the sender was being used as a way to tell if the
transaction failed to be sent. When cleaning up after
failing to send a transaction, there is no need to close
the fds associated with a BINDER_TYPE_FDA object. Now
'is_failure' can be used to accurately detect this case.
Fixes: 44d8047f1d ("binder: use standard functions to allocate fds")
Cc: stable <stable@vger.kernel.org>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20211015233811.3532235-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4d5b5539742d2554591751b4248b0204d20dcc9d upstream.
Use the 'struct cred' saved at binder_open() to lookup
the security ID via security_cred_getsecid(). This
ensures that the security context that opened binder
is the one used to generate the secctx.
Cc: stable@vger.kernel.org # 5.4+
Fixes: ec74136ded ("binder: create node flag to request sender's security context")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af73079d ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream.
Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.
Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context
of the task that opened binder.
Cc: stable@vger.kernel.org # 4.4+
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Suggested-by: Jann Horn <jannh@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Restricted vendor hook to modify the cpu selected in rto_next_cpu,
which is needed for the implementation of CPU Pause.
Bug: 205164003
Change-Id: I0dc675e54f7f116d538840262fbb0ba6d28246f4
Signed-off-by: Stephen Dickey <quic_dickey@quicinc.com>
It is necessary to update the valid mask to implement CPU Pause
from a vendor module. Introduce a hook to allow this.
Bug: 205164003
Change-Id: Ic99b74d17f361453b044e115a54698e566db13b6
Signed-off-by: Stephen Dickey <quic_dickey@quicinc.com>
When freeing txn buffers, binder_transaction_buffer_release()
attempts to detect whether the current context is the target by
comparing current->group_leader to proc->tsk. This is an unreliable
test. Instead explicitly pass an 'is_failure' boolean.
Detecting the sender was being used as a way to tell if the
transaction failed to be sent. When cleaning up after
failing to send a transaction, there is no need to close
the fds associated with a BINDER_TYPE_FDA object. Now
'is_failure' can be used to accurately detect this case.
Fixes: 44d8047f1d ("binder: use standard functions to allocate fds")
Cc: stable <stable@vger.kernel.org>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20211015233811.3532235-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 202313000
(cherry picked from commit 32e9f56a96d8d0f23cb2aeb2a3cd18d40393e787)
Change-Id: I35caeceed2631a144a2dcc683b70c03d312fd426
Use the 'struct cred' saved at binder_open() to lookup
the security ID via security_cred_getsecid(). This
ensures that the security context that opened binder
is the one used to generate the secctx.
Cc: stable@vger.kernel.org # 5.4+
Fixes: ec74136ded ("binder: create node flag to request sender's security context")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Bug: 200688826
(cherry picked from commit 4d5b5539742d2554591751b4248b0204d20dcc9d)
Change-Id: I137ee4ad03a592e77b1eb8e4782a3d12e7851d00
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af73079d ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Bug: 200688826
(cherry picked from commit 52f88693378a58094c538662ba652aff0253c4fe)
Change-Id: Icf866c08a7407dbd3dea545d57b7b4ae4f5cea1c
Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.
Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context
of the task that opened binder.
Cc: stable@vger.kernel.org # 4.4+
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Suggested-by: Jann Horn <jannh@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Bug: 200688826
(cherry picked from commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b)
Change-Id: I9e21a77d320512e7ba13d5c882a3cfa5032edc4d
Through this vendor hook, we can get the timing to check
current running task for the validation of its credential
and bpf operations.
Bug: 191291287
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Change-Id: Ie4ed8df7ad66df2486fc7e52a26d9191fc0c176e
(cherry picked from commit 38abaebab7)
Through this vendor hook, we can get the timing to check
current running task for the validation of its credential
and open operation.
Bug: 191291287
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Change-Id: Ia644ceb02dbc230ee1d25cad3630c2c3f908e41a
(cherry picked from commit a7a3b31d58)
Through this vendor hook, we can get the timing to check
current running task for the validation of its credential
and related operations.
Bug: 191291287
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Change-Id: If20bd8bb8311ad10a374033734fbdc7ef61a7704
(cherry picked from commit a5543c9cd7)
Add restricted vendor hook for selinux_state, so we can
know if the selinux_state is initialized
Bug: 186363840
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Change-Id: Ideed051a1d53ed1bce7d7915e38366264a7d77eb
Add vendor hook for module init, so we can get memory type and
use it to do memory type check for architecture
dependent page table setting.
Bug: 181639260
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Change-Id: I95b70d7a57994f2548fddfb2290d4c9136f58785
Add restricted vendor hook for creds, so we get the cred
information to monitor cred lifetime.
Bug: 181639260
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Change-Id: I8f254464e07f9c88336995152479ce91deb13c75
Add restricted vendor hook for avc, so we can get avc_node
information to monitor avc lifetime.
Bug: 181639260
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Change-Id: Idbebeca926c2cb407264f2872b032e1f18462697
Vendor modules would like to register with the binder_transaction_received
trace point to implement features carried in their downstream kernels.
Bug: 174219217
Change-Id: Ica0f90c60964fc845de05169cbdd8a4948adb1cd
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Need to update to a restricted hook since the module code registering for
this hook needs to take the task lock and walk over the linked
libraries.
Bug: 194431527
Change-Id: I7093b66f95c3b9c473386ade60d8897426ddbb13
Signed-off-by: Shaleen Agrawal <shalagra@codeaurora.org>
When performing memory reclaim, support treating anonymous and
file backed pages equally. Swapping anonymous pages out to memory
can be efficient enough to justify treating anonymous and file backed
pages equally.
Create a vendor hook inside of get_scan_count so that equal reclaim of
anon and file pages can be enabled inside of the trace hook based on
certain conditions.
Bug: 175415908
Change-Id: Idac2f1468371549d20dd3e5652c7382dc3d7d9cf
Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
In Android GKI, CONFIG_FAIR_GROUP_SCHED is enabled [1] to help
prioritize important work. Given that CPU shares of root cgroup
can't be changed, leaving the tasks inside root cgroup will give
them higher share compared to the other tasks inside important
cgroups. This is mitigated by moving all tasks inside root cgroup to
a different cgroup after Android is booted. However, there are many
kernel tasks stuck in the root cgroup after the boot.
It is possible to relax kernel threads and kworkers migrations under
certain scenarios. However the patch [2] posted at upstream is not
accepted. Hence add a restricted vendor hook to notify modules when a
kernel thread is requested for cgroup migration. The modules can relax
the restrictions forced by the kernel and allow the cgroup migration.
[1] f08f049de1
[2] https://lore.kernel.org/lkml/1617714261-18111-1-git-send-email-pkondeti@codeaurora.org
Bug: 184594949
Change-Id: I445a170ba797c8bece3b4b59b7a42cdd85438f1f
Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
Signed-off-by: Shaleen Agrawal <shalagra@codeaurora.org>
A restricted vendor hook for cpufreq transition. The hook is
invoked per policy after changing the policy->cur and passes
policy as an argument.
Bug: 181889516
Change-Id: I6f89850779fdd63e178e227c293f42b7f66fd78d
Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
Add vendor hook for iommu_dma_alloc_iova and iommu_dma_free_iova
to allow vendor enhancement.
Bug: 187861158
Change-Id: I2ebe8b24318bd5292edc66a94d7109332d478212
Signed-off-by: Guangming Cao <Guangming.Cao@mediatek.com>
(cherry picked from commit 15acc8fac6)
Add a vendor hook for modules to know when the topology
code has determined the max capacity of cpus.
Bug: 200103201
Change-Id: Ia3e22479059d2e57500cbdd46504aa4773af6e4a
Signed-off-by: Abhijeet Dharmapurikar <adharmap@codeaurora.org>
Signed-off-by: Ashay Jaiswal <quic_ashayj@quicinc.com>
Add a restricted vendor hook to notify that a cpu controller
cgroup is online.
Bug: 200103201
Change-Id: I7d37f38c24ce146eabb4716a959aee703d71926e
Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
Signed-off-by: Ashay Jaiswal <quic_ashayj@quicinc.com>
At present, EAS gets disabled on ASYM Capacity systems
if all BIG or Little CPUs get hot-plugged. Instead of disabling
EAS by default, add a trace hook and let the vendor decide if EAS should
be disabled or not.
Bug: 200103201
Change-Id: I583272cc89d44f3e3a4b1c43e3f75d731092ebf6
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Signed-off-by: Ashay Jaiswal <quic_ashayj@quicinc.com>
There are a few vendor hooks available for binder wakeup related
functionality. As they both essentially do the same thing, we can
consolidate them into one.
Bug: 200103201
Change-Id: I44b472e7564eecbe8236ad2eb88b0433195f14d8
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org>
This reverts commit 627a494ef3.
Reverting commit to add the vendor hooks back, this is to facilitate
various scheduler value adds.
Bug: 200103201
Change-Id: Ifbd7d235f863e01848c22b8185c4ec94da8c862c
Signed-off-by: Ashay Jaiswal <quic_ashayj@quicinc.com>
During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object
cleanup may close 1 or more fds. The close operations are
completed using the task work mechanism -- which means the thread
needs to return to userspace or the file object may never be
dereferenced -- which can lead to hung processes.
Force the binder thread back to userspace if an fd is closed during
BC_FREE_BUFFER handling.
Fixes: 80cd795630 ("binder: fix use-after-free due to ksys_close() during fdget()")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Martijn Coenen <maco@android.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20210830195146.587206-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Currently cgroup freezer is used to freeze the application threads, and
BINDER_FREEZE is used to freeze the corresponding binder interface.
There's already a mechanism in ioctl(BINDER_FREEZE) to wait for any
existing transactions to drain out before actually freezing the binder
interface.
But freezing an app requires 2 steps, freezing the binder interface with
ioctl(BINDER_FREEZE) and then freezing the application main threads with
cgroupfs. This is not an atomic operation. The following race issue
might happen.
1) Binder interface is frozen by ioctl(BINDER_FREEZE);
2) Main thread A initiates a new sync binder transaction to process B;
3) Main thread A is frozen by "echo 1 > cgroup.freeze";
4) The response from process B reaches the frozen thread, which will
unexpectedly fail.
This patch provides a mechanism to check if there's any new pending
transaction happening between ioctl(BINDER_FREEZE) and freezing the
main thread. If there's any, the main thread freezing operation can
be rolled back to finish the pending transaction.
Furthermore, the response might reach the binder driver before the
rollback actually happens. That will still cause a failed transaction.
As the other process doesn't wait for another response of the response,
the response transaction failure can be fixed by treating the response
transaction like a oneway/async one, allowing it to reach the frozen
thread. And it will be consumed when the thread gets unfrozen later.
NOTE: This patch reuses the existing definition of struct
binder_frozen_status_info but expands the bit assignments of __u32
member sync_recv.
To ensure backward compatibility, bit 0 of sync_recv still indicates
there's an outstanding sync binder transaction. This patch adds new
information to bit 1 of sync_recv, indicating the binder transaction
happens exactly when there's a race.
If an existing userspace app runs on a new kernel, a sync binder call
will set bit 0 of sync_recv so ioctl(BINDER_GET_FROZEN_INFO) still
returns the expected value (true). The app just doesn't check bit 1
intentionally so it doesn't have the ability to tell if there's a race.
This behavior is aligned with what happens on an old kernel which
doesn't set bit 1 at all.
A new userspace app can 1) check bit 0 to know if there's a sync binder
transaction happened when being frozen - same as before; and 2) check
bit 1 to know if that sync binder transaction happened exactly when
there's a race - a new information for rollback decision.
Test: stress test with apps being frozen and initiating binder calls at
the same time, confirmed the pending transactions succeeded.
Fixes: 432ff1e916 ("binder: BINDER_FREEZE ioctl")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Li Li <dualli@google.com>
Link: https://lore.kernel.org/r/20210910164210.2282716-2-dualli@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts portions of commit 9ad8ff902e.
The mutex code is rewritten in 5.15-rc1, so hooks like this are no
longer in the correct location, if even needed at all. So remove them
for now, if vendors still need them, they can add them back in.
Signed-off-by: Sangmoon Kim <sangmoon.kim@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ib85c108e5bb306faea4fef5e0ca3b617a7f8f5c6
This reverts commit e289faa9f1.
The mutex code is rewritten in 5.15-rc1, so hooks like this are no
longer in the correct location, if even needed at all. So remove them
for now, if vendors still need them, they can add them back in.
Cc: JINHO LIM <jordan.lim@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Idceef90a86c8794008e2f013d6ff958142661572
In order to debug critical domain and device power issues, it may be
necessary to disallow certain idle states at runtime. Enable a vendor
hook to check if a domain idle state is allowed for powering down the
domain.
Bug: 175718935
Bug: 195914333
Change-Id: I403c0c7d272439fb338bbf54a346861559385047
Signed-off-by: Lina Iyer <ilina@codeaurora.org>
Signed-off-by: Maulik Shah <mkshah@codeaurora.org>
Since we're expecting timers more precisely in a short period, add
a vendor hook to calc_index when adding timers. Then we can modify
the index this timer uses to make it accurate.
Bug: 178758017
Signed-off-by: Huang Yiwei <hyiwei@codeaurora.org>
Change-Id: Ie0e6493ae7ad53b0cc57eb1bbcf8a0a11f652828
This reverts commit f0416df755.
Reason for revert: This was a "temporary" reversion to workaround what is believed to be a user-space issue.
Change-Id: I5322aecfe57cd8237e6657525eb33975c4840059
Bug: 166779391
Signed-off-by: Todd Kjos <tkjos@google.com>
Provide userspace with a mechanism to discover features supported by
the binder driver to refrain from using any unsupported ones in the
first place. Starting with "oneway_spam_detection" only new features
are to be listed under binderfs and all previous ones are assumed to
be supported.
Assuming an instance of binderfs has been mounted at /dev/binderfs,
binder feature files can be found under /dev/binderfs/features/.
Usage example:
$ mkdir /dev/binderfs
$ mount -t binder binder /dev/binderfs
$ cat /dev/binderfs/features/oneway_spam_detection
1
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20210715031805.1725878-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
android_vh_ptype_head:
To add a debugging chain to the ptype list
android_vh_kfree_skb:
To sniff the dropped packet in the kernel network stack
Bug: 163716381
Signed-off-by: Bae Soukjin <soukjin.bae@samsung.com>
Change-Id: Ide80bf0a129da31a1824d4a33026ac42be327361
(cherry picked from commit d88b2969cf)
(cherry picked from commit a8021ba684)
Add vendor hook for arch_setup_dma_ops to allow vendor enhancement. This
hook can be used to setup vendor-specific DMA ops for certain IOMMU
clients based on their IOMMU configuration.
Bug: 179291683
Change-Id: Ie847a14d6536eb151cbd0a93452f6895ee451930
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Chris Goldsworthy <cgoldswo@codeaurora.org>
(cherry picked from commit 575ad9a263)
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>