[PATCH] android: binder: Disable preemption while holding the global binder lock

2016-09-08 Thread Todd Kjos
Signed-off-by: Todd Kjos --- drivers/android/binder.c | 194 +++ 1 file changed, 146 insertions(+), 48 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 16288e7..c36e420 100644 --- a/drivers/android/binder.c +++ b/drivers

Re: [PATCH] android: binder: Disable preemption while holding the global binder lock

2016-09-08 Thread Todd Kjos
This was introduced in the 2015 Nexus devices and should have been submitted to the kernel then since we keep forward porting it to each new device. On Thu, Sep 8, 2016 at 9:12 AM, Todd Kjos wrote: > In Android systems, the display pipeline relies on low > latency binder transactions

[PATCH] binder: fix proc->files use-after-free

2017-11-14 Thread Todd Kjos
files is removed since we get it every time. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 63 +++- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index fddf76ef5bd6..794

[RFC] vruntime updated incorrectly when rt_mutex boots prio?

2018-08-07 Thread Todd Kjos
This issue was discovered on a 4.9-based android device, but the relevant mainline code appears to be the same. The symptom is that over time some workloads become sluggish resulting in missed frames or sluggishness. It appears to be the same issue described in http://lists.infradead.org/piperm

[PATCH] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
annot allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- drivers/android/Kconfig

[PATCH v2] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
annot allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- v2: use "%zu" printk fo

[PATCH] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
annot allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- v2: use "%zu" printk fo

Re: [PATCH v2] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
Sorry, forgot to bump the version. Ignore this one. On Tue, Aug 28, 2018 at 1:43 PM Todd Kjos wrote: > > Binder uses internal fs interfaces to allocate and install fds: > > __alloc_fd > __fd_install > __close_fd > get_files_struct > put_files_struct > > These were

Re: [PATCH] binder: use standard functions to allocate fds

2018-08-30 Thread Todd Kjos
On Wed, Aug 29, 2018 at 12:00 AM Christoph Hellwig wrote: > > > config ANDROID_BINDER_IPC > > bool "Android Binder IPC Driver" > > - depends on MMU > > + depends on MMU && !CPU_CACHE_VIVT > > That is a purely arm specific symbol which should not be > used in common code. Nevermind

Re: [PATCH] binder: check for binder_thread allocation failure in binder_poll()

2018-01-31 Thread Todd Kjos
Looks good to me. On Tue, Jan 30, 2018 at 11:11 PM, Eric Biggers wrote: > From: Eric Biggers > > If the kzalloc() in binder_get_thread() fails, binder_poll() > dereferences the resulting NULL pointer. > > Fix it by returning POLLERR if the memory allocation failed. > > This bug was found by syzk

Re: [PATCH] binder: use lockless list for deferred_work

2018-01-22 Thread Todd Kjos
Vitaly, can you say more about the behavior you observed that led you to make this change? It is not obvious what workload would cause the contention on this mutex to make a difference (at least in an Android environment). On Mon, Jan 22, 2018 at 7:44 AM, Greg Kroah-Hartman wrote: > On Mon, Jan 0

Re: [PATCH v3] android: binder: use VM_ALLOC to get vm area

2018-01-22 Thread Todd Kjos
On Mon, Jan 22, 2018 at 7:54 AM, Greg KH wrote: > On Wed, Jan 10, 2018 at 10:49:05AM +0800, Ganesh Mahendran wrote: >> VM_IOREMAP is used to access hardware through a mechanism called >> I/O mapped memory. Android binder is an IPC mechanism which will >> not access I/O memory. >> >> And VM_IOREMAP

Re: [PATCH V4] binder: ipc namespace support for android binder

2018-11-16 Thread Todd Kjos
On Thu, Nov 15, 2018 at 2:54 PM gre...@linuxfoundation.org wrote: ... > > A number of us have talked about this in the plumbers Android track, and > a different proposal for how to solve this has been made that should be > much more resilient. So I will drop this patch from my queue and wait > fo

Re: [PATCH V4] binder: ipc namespace support for android binder

2018-11-12 Thread Todd Kjos
+christ...@brauner.io +Martijn Coenen Christian, Does this patch work for your container use-cases? If not, please comment on this thread. Let's discuss at LPC this week. -Todd On Mon, Nov 12, 2018 at 1:38 AM chouryzhou(周威) wrote: > > Currently android's binder is not isolated by ipc namespace

Re: [PATCH V4] binder: ipc namespace support for android binder

2018-11-13 Thread Todd Kjos
On Tue, Nov 13, 2018 at 12:12 AM chouryzhou(周威) wrote: > > > I have not received an answer to my questions in the last version of this > > patch > > set. Also it would be good if I could be Cc'ed by default. I can't hunt > > down all > > patches. > > I do not know of any kernel entity, specifica

[PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
rd functions to allocate fds") Suggested-by: Jann Horn Signed-off-by: Todd Kjos Acked-by: Martijn Coenen --- v2: added "Fixes:" tag Should be added to 4.20-final if possible drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/andro

[PATCH v2 1/3] binder: fix sparse warnings on locking context

2018-12-05 Thread Todd Kjos
Add __acquire()/__release() annotations to fix warnings in sparse context checking. There is one case where the warning was due to a lack of a "default:" case in a switch statement where a lock was being released in each of the cases, so the default case was added. Signed-off-by:

[PATCH 2/3] binder: fix kerneldoc header for struct binder_buffer

2018-12-05 Thread Todd Kjos
Fix the incomplete kerneldoc header for struct binder_buffer. Signed-off-by: Todd Kjos --- v2: no code change. Removed needless "Change-Id:" There is no dependency on patch 1/3 drivers/android/binder_alloc.h | 20 ++-- 1 file changed, 10 insertions(+), 10 deletion

[PATCH 3/3] binder: filter out nodes when showing binder procs

2018-12-05 Thread Todd Kjos
When dumping out binder transactions via a debug node, the output is too verbose if a process has many nodes. Change the output for transaction dumps to only display nodes with pending async transactions. Signed-off-by: Todd Kjos --- v2: no change, just resubmitted as #3 of 3 patches instead of

Re: [PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
On Wed, Dec 5, 2018 at 2:00 PM Al Viro wrote: > > On Wed, Dec 05, 2018 at 01:16:01PM -0800, Todd Kjos wrote: > > 44d8047f1d87a ("binder: use standard functions to allocate fds") > > exposed a pre-existing issue in the binder driver. > > > > fdget()

Re: [PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
On Wed, Dec 5, 2018 at 4:40 PM Al Viro wrote: > > On Wed, Dec 05, 2018 at 04:21:55PM -0800, Todd Kjos wrote: > > > > How about grabbing the references to all victims (*before* screwing with > > > ksys_close()), sticking them into a structure with embedded ca

Re: [PATCH v2 1/3] binder: fix sparse warnings on locking context

2018-12-06 Thread Todd Kjos
On Thu, Dec 6, 2018 at 6:51 AM Greg KH wrote: > > On Wed, Dec 05, 2018 at 03:19:24PM -0800, Todd Kjos wrote: > > Add __acquire()/__release() annotations to fix warnings > > in sparse context checking > > > > There is one case where the warning was due to a lack

Re: [PATCH v2 1/3] binder: fix sparse warnings on locking context

2018-12-07 Thread Todd Kjos
On Thu, Dec 6, 2018 at 11:08 PM Greg Kroah-Hartman wrote: ... > But I thought I applied this back on November 26: > > https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/commit/?h=char-misc-testing&id=324fa64cf4189094bc4df744a9e7214a1b81d845 > > You should have gotten an

Re: [PATCH] binder: remove BINDER_DEBUG_ENTRY()

2018-12-03 Thread Todd Kjos
On Fri, Nov 30, 2018 at 5:26 PM Yangtao Li wrote: > > We already have the DEFINE_SHOW_ATTRIBUTE. There is no need to define > such a macro, so remove BINDER_DEBUG_ENTRY. > > Signed-off-by: Yangtao Li Acked-by: Todd Kjos > --- > drivers/

[PATCH] binder: fix kerneldoc header for struct binder_buffer

2018-12-03 Thread Todd Kjos
Fix the incomplete kerneldoc header for struct binder_buffer. Change-Id: If3ca10cf6d90f605a0c078e4cdce28f02a475877 Signed-off-by: Todd Kjos --- drivers/android/binder_alloc.h | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/android

[PATCH] binder: fix sparse warnings on locking context

2018-12-03 Thread Todd Kjos
Add __acquire()/__release() annotations to fix warnings in sparse context checking. There is one case where the warning was due to a lack of a "default:" case in a switch statement where a lock was being released in each of the cases, so the default case was added. Signed-off-by:

[PATCH] binder: filter out nodes when showing binder procs

2018-12-03 Thread Todd Kjos
When dumping out binder transactions via a debug node, the output is too verbose if a process has many nodes. Change the output for transaction dumps to only display nodes with pending async transactions. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 3 +++ 1 file changed, 3

[PATCH] binder: fix use-after-free due to fdget() optimization

2018-12-03 Thread Todd Kjos
the reference count of task A's /dev/binder to 0 and frees it 11.task A continues processing of the ioctl and accesses some property of e.g. the binder_proc => KASAN-detectable UAF Fixed by using get_file() / fput() in binder_ioctl(). Suggested-by: Jann Horn Signed-off-b

Re: [PATCH] binder: fix race that allows malicious free of live buffer

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 4:32 AM Greg KH wrote: > > On Tue, Nov 06, 2018 at 03:55:32PM -0800, Todd Kjos wrote: > > Malicious code can attempt to free buffers using the > > BC_FREE_BUFFER ioctl to binder. There are protections > > against a user freeing a buffer while

Re: [PATCH V3] binder: ipc namespace support for android binder

2018-11-09 Thread Todd Kjos
On Thu, Nov 8, 2018 at 5:02 AM chouryzhou(周威) wrote: > > We are working for running android in container, but we found that binder is > not isolated by ipc namespace. Since binder is a form of IPC and therefore > should > be tied to ipc namespace. With this patch, we can run more than one andro

Re: [PATCH V3] binder: ipc namespace support for android binder

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 10:27 AM Davidlohr Bueso wrote: > > On Thu, 08 Nov 2018, chouryzhou(周威) wrote: > > >+#ifdef CONFIG_ANDROID_BINDER_IPC > >+ /* next fields are for binder */ > >+ struct mutex binder_procs_lock; > >+ struct hlist_head binder_procs; > >+ struct

Re: Re: [PATCH V3] binder: ipc namespace support for android binder(Internet mail)

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 8:43 PM chouryzhou(周威) wrote: > > If IPC_NS is disabled, "current->nsproxy->ipc_ns" will also exist, it will > be a static > reference of "init_ipc_ns" (in ipc/msgutil.c, not defined in binder.c by me) > with > no namespace-ization. You will get the same one in all proce

Re: Re: [PATCH V3] binder: ipc namespace support for android binder

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 7:09 PM chouryzhou(周威) wrote: > > > > > I still don't understand the dependencies on SYSVIPC or POSIX_MQUEUE. > > It seems like this mechanism would work even if both are disabled -- > > as long as IPC_NS is enabled. Seems cleaner to change init/Kconfig and > > allow IPC_NS

Re: Re: [PATCH V3] binder: ipc namespace support for android binder(Internet mail)

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 9:43 PM chouryzhou(周威) wrote: > > > > > > > If IPC_NS is disabled, "current->nsproxy->ipc_ns" will also exist, it > > > will be a static > > > reference of "init_ipc_ns" (in ipc/msgutil.c, not defined in binder.c by > > > me) with > > > no namespace-ization. You will get

Re: [PATCH v1] binder: implement binderfs

2018-12-12 Thread Todd Kjos
> 2) > > > exit(EXIT_FAILURE); > > > > > > strncpy(device.name, argv[1], sizeof(device.name)); > > > > > > fd = open("/dev/binderfs/binder-control", O_RDONLY | O_CLOEXEC); > > > if

[PATCH] binder: fix use-after-free due to ksys_close() during fdget()

2018-12-13 Thread Todd Kjos
a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro Signed-off-by: Todd Kjos --- drivers/android/binder.c | 91 +++- 1 file changed, 81 insertions(+), 10 deletions(-) diff --git a/drivers/android/binder.c b/drivers/an

Re: [PATCH] binder: fix use-after-free due to ksys_close() during fdget()

2018-12-13 Thread Todd Kjos
I need to make a change to this patch, so please ignore this version. I'll send a v2 soon. On Thu, Dec 13, 2018 at 1:04 PM Todd Kjos wrote: > > 44d8047f1d8 ("binder: use standard functions to allocate fds") > exposed a pre-existing issue in the binder driver. > >

[PATCH v2] binder: fix use-after-free due to ksys_close() during fdget()

2018-12-14 Thread Todd Kjos
a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro Signed-off-by: Todd Kjos --- v2: - simplified code If possible, please add to 4.20-final drivers/android/binder.c | 60 ++-- 1 file changed, 58 insertions(+), 2 deletions(-)

[PATCH v3] binder: fix use-after-free due to ksys_close() during fdget()

2018-12-14 Thread Todd Kjos
. The fput() is deferred instead of using ksys_close(). Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro Signed-off-by: Todd Kjos --- v2: - simplified code v3: - implemented Al Viro's suggestion to pass struct file instead of fd - added

Re: [PATCH v1] binder: implement binderfs

2018-12-10 Thread Todd Kjos
ew binder device\n", > strerror(errno)); > exit(EXIT_FAILURE); > } > > printf("Allocated new binder device with major %d, minor %d, and " > "name %s\n", device.major, device.minor, >

Re: [PATCH] binderfs: implement sysctls

2018-12-21 Thread Todd Kjos
On Fri, Dec 21, 2018 at 8:33 AM Greg KH wrote: > > On Fri, Dec 21, 2018 at 04:59:19PM +0100, Christian Brauner wrote: > > On Fri, Dec 21, 2018 at 04:37:58PM +0100, Greg KH wrote: > > > On Fri, Dec 21, 2018 at 03:12:42PM +0100, Christian Brauner wrote: > > > > On Fri, Dec 21, 2018 at 02:55:09PM +01

Re: [PATCH v1 2/2] binderfs: reserve devices for initial mount

2019-01-03 Thread Todd Kjos
r devices are removed (on accident or on purpose) > they can always be recreated without risking that all minor numbers have > already been used up. > > Cc: Todd Kjos > Cc: Greg Kroah-Hartman > Signed-off-by: Christian Brauner > --- > v1: > - patch introduced > v0:

Re: [PATCH v1 2/2] binderfs: reserve devices for initial mount

2019-01-03 Thread Todd Kjos
On Thu, Jan 3, 2019 at 12:34 PM Christian Brauner wrote: > > On Thu, Jan 03, 2019 at 12:25:24PM -0800, Todd Kjos wrote: > > On Sun, Dec 23, 2018 at 6:36 AM Christian Brauner > > wrote: > > > > > > The binderfs instance in the initial ipc namespace will alw

Re: [PATCH v1 2/2] binderfs: reserve devices for initial mount

2019-01-03 Thread Todd Kjos
On Thu, Jan 3, 2019 at 2:08 PM Christian Brauner wrote: > > On Thu, Jan 03, 2019 at 01:47:13PM -0800, Todd Kjos wrote: > > On Thu, Jan 3, 2019 at 12:34 PM Christian Brauner > > wrote: > > > > > > On Thu, Jan 03, 2019 at 12:25:24PM -0800, Todd Kjos wrote: >

Re: [PATCH] MAINTAINERS: Add me to Android drivers

2018-10-09 Thread Todd Kjos
ndation.org > Signed-off-by: Joel Fernandes (Google) > --- > MAINTAINERS | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/MAINTAINERS b/MAINTAINERS > index 544cac829cf4..d639c4d04438 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -894,6 +894,7 @@ M: Gr

Re: [PATCH] binder: ipc namespace support for android binder

2018-10-29 Thread Todd Kjos
+christ...@brauner.io On Sun, Oct 28, 2018 at 7:29 PM chouryzhou(周威) wrote: ... > > > It's not obvious from this patch where this dependency comes > > from...why is SYSVIPC required? I'd like to not have to require IPC_NS > > either for devices. > > Yes, the patch is not highly dependent on SYSVI

Re: [PATCH v2] ANDROID: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl.

2018-10-17 Thread Todd Kjos
On Fri, Sep 7, 2018 at 6:38 AM Martijn Coenen wrote: > > This allows the context manager to retrieve information about nodes > that it holds a reference to, such as the current number of > references to those nodes. > > Such information can for example be used to determine whether the > serviceman

[PATCH] binder: fix race that allows malicious free of live buffer

2018-11-06 Thread Todd Kjos
that when the struct buffer was recycled, allow_user_free was stale and set to 1 allowing a free to go through. Signed-off-by: Todd Kjos Acked-by: Arve Hjønnevåg --- drivers/android/binder.c | 21 - drivers/android/binder_alloc.c | 16 ++-- drivers/an

[PATCH] binder: fix sparse warnings on locking context

2018-11-06 Thread Todd Kjos
Add __acquire()/__release() annotations to fix warnings in sparse context checking. There is one case where the warning was due to a lack of a "default:" case in a switch statement where a lock was being released in each of the cases, so the default case was added. Signed-off-by:

Re: [PATCH] binder: ipc namespace support for android binder

2018-10-26 Thread Todd Kjos
On Fri, Oct 26, 2018 at 2:20 AM chouryzhou(周威) wrote: > > Hi > We are working for running android in container, but we found that binder is > not isolated by ipc namespace. Since binder is a form of IPC and therefore > should > be tied to ipc namespace. With this patch, we can run more than one

Re: [PATCH v4] binder: tell userspace to dump current backtrace when detecting oneway spamming

2021-04-07 Thread Todd Kjos
On Tue, Apr 6, 2021 at 9:15 PM Hang Lu wrote: > > When async binder buffer got exhausted, some normal oneway transactions > will also be discarded and may cause system or application failures. By > that time, the binder debug information we dump may not be relevant to > the root cause. And this is

Re: [PATCH v2 1/4] ARM: amba: Make driver_override output consistent with other buses

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven wrote: > For AMBA devices with unconfigured driver override, the > "driver_override" sysfs virtual file is empty, while it contains > "(null)" for platform and PCI devices. > > Make

Re: [PATCH v2 2/4] ARM: amba: Fix race condition with driver_override

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven wrote: > The driver_override implementation is susceptible to a race condition > when different threads are reading vs storing a different driver > override. Add locking to avoid this race condition. >

Re: [PATCH v2 3/4] ARM: amba: Don't read past the end of sysfs "driver_override" buffer

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven wrote: > When printing the driver_override parameter when it is 4095 and 4094 > bytes long, the printing code would access invalid memory because we > need count + 1 bytes for printing. > > Cfr. commits 4

Re: [PATCH v2 4/4] ARM: amba: Fix wrong indentation in driver_override_store()

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven wrote: > Indentation is one TAB and 7 spaces instead of 2 TABs. > > Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path > 'driver_override'") >

[PATCH] binder: fix race between munmap() and direct reclaim

2019-03-01 Thread Todd Kjos
red. This can result in calling zap_page_range() with an invalid vma which manifests as a use-after-free in zap_page_range(). The fix is to check alloc->vma after acquiring the mmap_sem (which we were acquiring anyway) and skip zap_page_range() if it has changed to NULL. Signed-off-b

Re: [PATCH] binder: fix race between munmap() and direct reclaim

2019-03-02 Thread Todd Kjos
On Fri, Mar 1, 2019 at 11:57 PM Greg KH wrote: > > On Fri, Mar 01, 2019 at 03:06:06PM -0800, Todd Kjos wrote: > > An munmap() on a binder device causes binder_vma_close() to be called > > which clears the alloc->vma pointer. > > > > If direct reclaim causes bind

[PATCH] binder: check for overflow when alloc for security context

2019-04-24 Thread Todd Kjos
When allocating space in the target buffer for the security context, make sure the extra_buffers_size doesn't overflow. This can only happen if the given size is invalid, but an overflow can turn it into a valid size. Fail the transaction if an overflow is detected. Signed-off-by: Todd

Re: [PATCH v1] binderfs: remove separate device_initcall()

2019-02-05 Thread Todd Kjos
sers specify > CONFIG_ANDROID_IPC=y, CONFIG_ANDROID_BINDERFS=y and > ANDROID_BINDER_DEVICES="". > When CONFIG_ANDROID_BINDERFS=n then this always succeeds so there's no > regression potential for legacy workloads. > > Signed-off-by: Christian Brauner Acked-by: Todd Kjo

Re: [PATCH] binder: fix CONFIG_ANDROID_BINDER_DEVICES

2019-01-28 Thread Todd Kjos
> R13: 55b629ebed70 R14: 0004 R15: 55b629ebec60 > > So check for the empty string since strsep() will otherwise return the > empty string which will cause kobject_add_internal() to panic when trying > to add a kobject with an empty name. > > Fix

Re: [PATCH v6 2/3] binder: add trace at free transaction.

2020-07-31 Thread Todd Kjos
On Mon, Jul 27, 2020 at 8:28 PM Frankie Chang wrote: > > From: "Frankie.Chang" > > Since the original trace_binder_transaction_received cannot > precisely present the real finished time of transaction, adding a > trace_binder_txn_latency_free at the point of free transaction > may be more close t

Re: [PATCH v6 2/3] binder: add trace at free transaction.

2020-08-03 Thread Todd Kjos
On Sun, Aug 2, 2020 at 8:11 PM Frankie Chang wrote: > > On Fri, 2020-07-31 at 11:50 -0700, Todd Kjos wrote: > > On Mon, Jul 27, 2020 at 8:28 PM Frankie Chang > > wrote: > > > > > > From: "Frankie.Chang" > > > > > > Since the o

Re: [PATCH v2] ANDROID: binder: print warnings when detecting oneway spamming.

2020-08-20 Thread Todd Kjos
> process is responsible for either more than 50 transactions, or more > than 50% of the oneway space. > > Signed-off-by: Martijn Coenen A few minor comment issues below. When resolved: Acked-by: Todd Kjos > --- > v2: fixed call-site in binder_alloc_selftest > > drivers/android

Re: WARNING in binder_transaction_buffer_release (2)

2020-08-06 Thread Todd Kjos
On Thu, Aug 6, 2020 at 9:09 AM Jann Horn wrote: > > On Thu, Aug 6, 2020 at 1:19 PM syzbot > wrote: > > syzbot suspects this issue was fixed by commit: > > > > commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc > > Author: Jann Horn > > Date: Mon Jul 27 12:04:24 2020 + > > > > binder: Prev

Re: [PATCH] binder: Remove bogus warning on failed same-process transaction

2020-08-06 Thread Todd Kjos
et's > just remove it. > > Fixes: 44d8047f1d87 ("binder: use standard functions to allocate fds") > Reported-by: syzbot+e113a0b970b7b3f39...@syzkaller.appspotmail.com > Signed-off-by: Jann Horn Acked-by: Todd Kjos > --- > drivers/android/binder.c | 2 -- > 1 file chan

Re: [PATCH] driver: staging: count ashmem_range into SLAB_RECLAIMBLE

2020-12-21 Thread Todd Kjos
+Hridya Valsaraju +Suren Baghdasaryan On Thu, Dec 17, 2020 at 11:48 PM Huangzhaoyang wrote: > > From: Zhaoyang Huang > > Add SLAB_RECLAIM_ACCOUNT to ashmem_range cache since it has registered > shrinker, which makes memAvailable more precise. > > Signed-off-by: Zhaoyang H

Re: [PATCH v3 0/3] Binder: Enable App Freezing Capability

2021-03-18 Thread Todd Kjos
On Wed, Mar 17, 2021 at 1:17 PM Jann Horn wrote: > > On Wed, Mar 17, 2021 at 7:00 PM Christian Brauner > wrote: > > On Mon, Mar 15, 2021 at 06:16:27PM -0700, Li Li wrote: > > > To improve the user experience when switching between recently used > > > applications, the background applications whic

Re: [PATCH v3 1/3] binder: BINDER_FREEZE ioctl

2021-03-16 Thread Todd Kjos
block the caller until any pending binder transactions toward > the target process are flushed. Return an error to transactions to > processes marked as frozen. > > Signed-off-by: Marco Ballesio > Co-developed-by: Todd Kjos > Signed-off-by: Todd Kjos > Signed-off-by: Li Li For th

Re: [PATCH 02/57] staging: android: ashmem: Supply description for 'new_range'

2021-04-15 Thread Todd Kjos
On Wed, Apr 14, 2021 at 11:11 AM Lee Jones wrote: > > Fixes the following W=1 kernel build warning(s): > > drivers/staging/android/ashmem.c:189: warning: Function parameter or member > 'new_range' not described in 'range_alloc' > > Cc: Greg Kroah-Hartman

Re: [PATCH v2] binder: tell userspace to dump current backtrace when detecting oneway spamming

2021-04-06 Thread Todd Kjos
On Thu, Apr 1, 2021 at 1:29 AM Hang Lu wrote: > > When async binder buffer got exhausted, some normal oneway transaction > will also be discarded and finally caused system/app stop. "...be discarded and may cause system or application failures" ? > By that time, > the binder debug information we

Re: [PATCH 1/2] binder: fix the missing BR_FROZEN_REPLY in binder_return_strings

2021-04-09 Thread Todd Kjos
+Li Li On Fri, Apr 9, 2021 at 2:42 AM Hang Lu wrote: > > Add BR_FROZEN_REPLY in binder_return_strings to support stat function. > > Fixes: ae28c1be1e54 ("binder: BINDER_GET_FROZEN_INFO ioctl") > Signed-off-by: Hang Lu Acked-by: Todd Kjos > --- > driver

Re: [PATCH 2/2] binder: tell userspace to dump current backtrace when detected oneway spamming

2021-04-09 Thread Todd Kjos
xceeding the threshold (target process > dips below 80% of its oneway space, and current process is responsible for > either more than 50 transactions, or more than 50% of the oneway space). > And the detection will restart when the async buffer has returned to a > healthy state. >

Re: [PATCH v2 1/3] binder: BINDER_FREEZE ioctl

2021-03-12 Thread Todd Kjos
block the caller until any pending binder transactions toward > the target process are flushed. Return an error to transactions to > processes marked as frozen. > > Signed-off-by: Marco Ballesio > Co-developed-by: Todd Kjos > Signed-off-by: Todd Kjos > Signed-off

Re: [PATCH v2 2/3] binder: use EINTR for interrupted wait for work

2021-03-12 Thread Todd Kjos
ed to code using > this API. > > Replace this instance of -ERESTARTSYS with -EINTR, which is propagated > to user space. > > Test: built, booted, interrupted a worker thread within > binder_wait_for_work > Signed-off-by: Marco Ballesio > Signed-off-by: Li Li Acked-by:

Re: [PATCH v2 3/3] binder: BINDER_GET_FROZEN_INFO ioctl

2021-03-12 Thread Todd Kjos
d-off-by: Marco Ballesio > Signed-off-by: Li Li Acked-by: Todd Kjos > --- > drivers/android/binder.c| 55 + > drivers/android/binder_internal.h | 6 > include/uapi/linux/android/binder.h | 7 > 3 files changed, 68 insertions(+)

[PATCH] binder: add flag to clear buffer on txn complete

2020-11-20 Thread Todd Kjos
Add a per-transaction flag to indicate that the buffer must be cleared when the transaction is complete to prevent copies of sensitive data from being preserved in memory. Signed-off-by: Todd Kjos --- drivers/android/binder.c| 1 + drivers/android/binder_alloc.c | 48

Re: [PATCH] binder: add flag to clear buffer on txn complete

2020-11-21 Thread Todd Kjos
On Fri, Nov 20, 2020 at 11:14 PM Greg KH wrote: > > On Fri, Nov 20, 2020 at 03:37:43PM -0800, Todd Kjos wrote: > > Add a per-transaction flag to indicate that the buffer > > must be cleared when the transaction is complete to > > prevent copies of sensitive data from being

Re: [PATCH v3 0/7] binder: eliminate use of vmalloc space for binder buffers

2019-02-11 Thread Todd Kjos
On Mon, Feb 11, 2019 at 8:57 AM Christoph Hellwig wrote: > > On Fri, Feb 08, 2019 at 10:35:13AM -0800, Todd Kjos wrote: > > Binder buffers have always been mapped into kernel space > > via map_kernel_range_noflush() to allow the binder driver > > to modify the buffer bef

Re: [PATCH] staging: android: vsoc: Remove VSOC_WAIT_FOR_INCOMING_INTERRUPT

2019-02-11 Thread Todd Kjos
+Alistair Strachan On Mon, Feb 11, 2019 at 9:11 AM Greg KH wrote: > > On Mon, Feb 11, 2019 at 10:15:18PM +0530, Souptick Joarder wrote: > > On Mon, Feb 11, 2019 at 9:27 PM Greg KH wrote: > > > > > > On Mon, Feb 11, 2019 at 09:21:19PM +0530, Souptick Joarder wrote: > > > > On Mon, Feb 11, 2019 at

Re: [PATCH 3/4] binder: Make transaction_log available in binderfs

2019-08-28 Thread Todd Kjos
> > > > This change provides an alternate option to access these files when > > debugfs is not mounted. > > > > Signed-off-by: Hridya Valsaraju > > Acked-by: Christian Brauner Acked-by: Todd Kjos > > > --- > > drivers/android

Re: [PATCH 4/4] binder: Add binder_proc logging to binderfs

2019-08-28 Thread Todd Kjos
uf > files per-process without doing it in binder_open() but it has worked > fine for a long time with debugfs. > > Also, one minor question below. Otherwise > > Acked-by: Christian Brauner Acked-by: Todd Kjos > > > --- > > drivers/android/binder.c

Re: UAF read in print_binder_transaction_log_entry() on ANDROID_BINDERFS kernels

2019-10-07 Thread Todd Kjos
+Hridya Valsaraju On Mon, Oct 7, 2019 at 1:50 PM Jann Horn wrote: > > Hi! > > There is a use-after-free read in print_binder_transaction_log_entry() > on ANDROID_BINDERFS kernels because > print_binder_transaction_log_entry() prints the char* e->context_name > as string, and if the transaction o

Re: [PATCH] binder: prevent UAF read in print_binder_transaction_log_entry()

2019-10-08 Thread Todd Kjos
ying > the name of the binder device instead of stashing a pointer to it. > > Reported-by: Jann Horn > Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs") > Link: > https://lore.kernel.org/r/cag48ez14q0-f8lqsvcnbyr2o6gpw8shxsm4u5jmd9mpstem...@mail.gmai

Re: [PATCH] binder: prevent UAF read in print_binder_transaction_log_entry()

2019-10-09 Thread Todd Kjos
On Wed, Oct 9, 2019 at 3:40 AM Christian Brauner wrote: > > On Tue, Oct 08, 2019 at 02:05:16PM -0400, Joel Fernandes wrote: > > On Tue, Oct 08, 2019 at 03:01:59PM +0200, Christian Brauner wrote: [...] > > > > One more thought, this can be made dependent on CONFIG_BINDERFS since > > regular > >

Re: [PATCH] binder: prevent transactions to context manager from its own process.

2019-07-15 Thread Todd Kjos
e binder device again and uses the new fd to send > a transaction to the context manager. > > Reported-by: syzbot+8b3c354d33c4ac78b...@syzkaller.appspotmail.com > Signed-off-by: Hridya Valsaraju Acked-by: Todd Kjos > --- > drivers/android/binder.c | 2 +- > 1 file changed, 1

Re: WARNING in binder_transaction_buffer_release

2019-07-17 Thread Todd Kjos
+Hridya Valsaraju Fix posted: https://lkml.kernel.org/lkml/20190715191804.112933-1-hri...@google.com/ On Wed, Jun 12, 2019 at 1:14 PM Todd Kjos wrote: > > On Wed, Jun 12, 2019 at 12:23 PM Eric Biggers wrote: > > > > On Mon, May 20, 2019 at 07:18:06AM -0700, syzbot

Re: [PATCH 1/2] binder: Don't modify VMA bounds in ->mmap handler

2019-10-16 Thread Todd Kjos
UL); > *(char*)data_mapping = 1; > return 0; > } > > Cc: sta...@vger.kernel.org > Signed-off-by: Jann Horn Acked-by: Todd Kjos > --- > drivers/android/binder.c | 7 --- > drivers/android/binder_alloc.c | 6 -- > 2 files changed, 4 insertions

Re: [PATCH v3 1/7] binder: create userspace-to-binder-buffer copy function

2019-02-14 Thread Todd Kjos
On Thu, Feb 14, 2019 at 11:45 AM Joel Fernandes wrote: > > Hi Todd, > > One quick question: > > On Fri, Feb 08, 2019 at 10:35:14AM -0800, Todd Kjos wrote: > > The binder driver uses a vm_area to map the per-process > > binder buffer space. For 32-bit android devic

Re: [PATCH v3 1/7] binder: create userspace-to-binder-buffer copy function

2019-02-14 Thread Todd Kjos
On Thu, Feb 14, 2019 at 1:25 PM Joel Fernandes wrote: > > On Thu, Feb 14, 2019 at 03:53:54PM -0500, Joel Fernandes wrote: > > On Thu, Feb 14, 2019 at 3:42 PM Todd Kjos wrote: > > > > > > On Thu, Feb 14, 2019 at 11:45 AM Joel Fernandes wrote: > > [snip] > &

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (2)

2019-02-14 Thread Todd Kjos
On Thu, Feb 14, 2019 at 3:35 AM syzbot wrote: > > syzbot has found a reproducer for the following crash on: > > HEAD commit:b3418f8bddf4 Add linux-next specific files for 20190214 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=161d2048c0 > kernel c

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (2)

2019-02-14 Thread Todd Kjos
Trying again with the correct branch spec... On Thu, Feb 14, 2019 at 2:34 PM Todd Kjos wrote: > > On Thu, Feb 14, 2019 at 3:35 AM syzbot > wrote: > > > > syzbot has found a reproducer for the following crash on: > > > > HEAD commit:b3418f8bddf4 Add linux

[PATCH] binder: fix handling of misaligned binder object

2019-02-14 Thread Todd Kjos
Fixes crash found by syzbot: kernel BUG at drivers/android/binder_alloc.c:LINE! (2) Reported-by: syzbot+55de1eb4975dec156...@syzkaller.appspotmail.com Signed-off-by: Todd Kjos --- Applies to linux-next drivers/android/binder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a

Re: [PATCH] binder: reduce mmap_sem write-side lock

2019-02-19 Thread Todd Kjos
t address space of the process. However, right lock to > > > release pages is down_read, not down_write because page table lock > > > already protects the race for parallel freeing. > > > > > > Please do not use mmap_sem write-side lock which is well known > &g

Re: [PATCH v2 0/7] binder: eliminate use of vmalloc space for binder buffers

2019-02-08 Thread Todd Kjos
On Fri, Feb 8, 2019 at 3:26 AM Greg KH wrote: > > On Wed, Jan 30, 2019 at 02:46:48PM -0800, Todd Kjos wrote: > > Binder buffers have always been mapped into kernel space > > via map_kernel_range_noflush() to allow the binder driver > > to modify the buffer before

[PATCH v3 0/7] binder: eliminate use of vmalloc space for binder buffers

2019-02-08 Thread Todd Kjos
systems, there is a risk of running out of vmalloc space. This patch set removes the persistent mapping of the binder buffers into kernel space. Instead, the binder driver creates temporary mappings with kmap() or kmap_atomic() to copy to or from the buffer only when necessary. Todd Kjos (7

[PATCH v3 1/7] binder: create userspace-to-binder-buffer copy function

2019-02-08 Thread Todd Kjos
multi-page copies, it now uses binder_alloc_copy_user_to_buffer() which uses kmap() and kunmap() to map each page, and uses copy_from_user() for copying to that page. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter drivers/android/binder.c | 29 +++-- drivers
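The page-at-a-time copy this patch describes, as an added example that is not the driver's code: a userspace C model in which the buffer space is a set of separately allocated "pages" with no contiguous mapping (the situation the series creates by dropping the vmalloc range), and each page is "mapped" only for the duration of one chunk copy, the way kmap()/kunmap() around copy_from_user() would be. PAGE_SZ, NPAGES, struct buf_space, map_page() and copy_to_buffer_space() are all assumptions made for this illustration; the point is the offset arithmetic when a copy starts mid-page and spans several pages.

```c
/* Added example, not binder.c: model of a per-page copy into a buffer
 * space that has no contiguous kernel mapping. All names and sizes
 * below are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 64   /* assumed tiny page so a small test spans pages */
#define NPAGES  8    /* assumed size of the buffer space, in pages */

struct buf_space {
    unsigned char *page[NPAGES];   /* each page allocated on its own */
};

static int buf_space_init(struct buf_space *bs)
{
    size_t i;
    for (i = 0; i < NPAGES; i++) {
        bs->page[i] = calloc(1, PAGE_SZ);   /* zeroed, like a fresh page */
        if (!bs->page[i])
            return -1;
    }
    return 0;
}

static void buf_space_free(struct buf_space *bs)
{
    size_t i;
    for (i = 0; i < NPAGES; i++)
        free(bs->page[i]);
}

/* Stand-in for kmap(): temporary pointer to one page, NULL if out of range. */
static unsigned char *map_page(struct buf_space *bs, size_t index)
{
    return index < NPAGES ? bs->page[index] : NULL;
}

/* Copy len bytes from src to byte offset off of the buffer space, one
 * page at a time. Returns the number of bytes NOT copied (0 on success),
 * following the copy_from_user() convention. */
static size_t copy_to_buffer_space(struct buf_space *bs, size_t off,
                                   const unsigned char *src, size_t len)
{
    if (off > (size_t)NPAGES * PAGE_SZ || len > (size_t)NPAGES * PAGE_SZ - off)
        return len;   /* range check first, before touching any page */

    while (len) {
        size_t index = off / PAGE_SZ;        /* which page */
        size_t pgoff = off % PAGE_SZ;        /* where inside that page */
        size_t chunk = PAGE_SZ - pgoff;      /* bytes left on this page */
        unsigned char *kva;

        if (chunk > len)
            chunk = len;
        kva = map_page(bs, index);           /* kmap() stand-in */
        if (!kva)
            return len;
        memcpy(kva + pgoff, src, chunk);     /* copy_from_user() stand-in */
        /* kunmap() would go here: the page is not kept mapped */
        off += chunk;
        src += chunk;
        len -= chunk;
    }
    return 0;
}

/* Read one byte back for verification; -1 if out of range. */
static int buf_space_byte(struct buf_space *bs, size_t off)
{
    unsigned char *kva = map_page(bs, off / PAGE_SZ);
    return kva ? kva[off % PAGE_SZ] : -1;
}

/* Self-check: a copy starting 10 bytes before the end of page 0 must land
 * contiguously across pages 0..3, leave the next byte untouched, and a
 * copy that would run past the last page must be rejected whole. */
int copy_crosses_pages_ok(void)
{
    struct buf_space bs;
    unsigned char src[150];
    size_t start = PAGE_SZ - 10, i;
    int ok = 1;

    if (buf_space_init(&bs))
        return 0;
    for (i = 0; i < sizeof src; i++)
        src[i] = (unsigned char)i;
    if (copy_to_buffer_space(&bs, start, src, sizeof src) != 0)
        ok = 0;
    for (i = 0; ok && i < sizeof src; i++)
        if (buf_space_byte(&bs, start + i) != (int)src[i])
            ok = 0;
    if (ok && buf_space_byte(&bs, start + sizeof src) != 0)
        ok = 0;
    if (ok && copy_to_buffer_space(&bs, NPAGES * PAGE_SZ - 5, src, 10) != 10)
        ok = 0;
    buf_space_free(&bs);
    return ok;
}

int main(void)
{
    printf("per-page copy check: %s\n", copy_crosses_pages_ok() ? "ok" : "FAILED");
    return 0;
}
```

With PAGE_SZ set to 64 the 150-byte copy touches four pages (10 + 64 + 64 + 12 bytes), which is the case a single-page memcpy would get wrong; the range check up front is what keeps a short final page from turning into a partial write.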

[PATCH v3 5/7] binder: remove kernel vm_area for buffer space

2019-02-08 Thread Todd Kjos
Remove the kernel's vm_area and the code that maps buffer pages into it. Signed-off-by: Todd Kjos --- drivers/android/binder_alloc.c | 40 ++ 1 file changed, 2 insertions(+), 38 deletions(-) diff --git a/drivers/android/binder_alloc.c b/drivers/an

[PATCH v3 4/7] binder: avoid kernel vm_area for buffer fixups

2019-02-08 Thread Todd Kjos
binder_validate_ptr() binder_validate_fixup() binder_fixup_parent() Signed-off-by: Todd Kjos --- drivers/android/binder.c | 146 ++- 1 file changed, 97 insertions(+), 49 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index

[PATCH v3 7/7] binder: use userspace pointer as base of buffer space

2019-02-08 Thread Todd Kjos
pointers. Refactor code to use offsets instead of user pointers. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter v3: fix build-break when CONFIG_ANDROID_BINDER_IPC_SELFTEST enabled drivers/android/binder.c| 118 ++-- drivers/and
