Loading drivers/android/binder.c +36 −20 Original line number Diff line number Diff line Loading @@ -503,6 +503,9 @@ struct binder_priority { * @files files_struct for process * (protected by @files_lock) * @files_lock mutex to protect @files * @cred struct cred associated with the `struct file` * in binder_open() * (invariant after initialized) * @deferred_work_node: element for binder_deferred_list * (protected by binder_deferred_lock) * @deferred_work: bitmap of deferred work to perform Loading Loading @@ -550,6 +553,7 @@ struct binder_proc { struct task_struct *tsk; struct files_struct *files; struct mutex files_lock; const struct cred *cred; struct hlist_node deferred_work_node; int deferred_work; bool is_dead; Loading Loading @@ -2581,7 +2585,7 @@ static int binder_translate_binder(struct flat_binder_object *fp, ret = -EINVAL; goto done; } if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) { if (security_binder_transfer_binder(proc->cred, target_proc->cred)) { ret = -EPERM; goto done; } Loading Loading @@ -2627,7 +2631,7 @@ static int binder_translate_handle(struct flat_binder_object *fp, proc->pid, thread->pid, fp->handle); return -EINVAL; } if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) { if (security_binder_transfer_binder(proc->cred, target_proc->cred)) { ret = -EPERM; goto done; } Loading Loading @@ -2711,7 +2715,7 @@ static int binder_translate_fd(int fd, ret = -EBADF; goto err_fget; } ret = security_binder_transfer_file(proc->tsk, target_proc->tsk, file); ret = security_binder_transfer_file(proc->cred, target_proc->cred, file); if (ret < 0) { ret = -EPERM; goto err_security; Loading Loading 
@@ -3116,8 +3120,14 @@ static void binder_transaction(struct binder_proc *proc, goto err_dead_binder; } e->to_node = target_node->debug_id; if (security_binder_transaction(proc->tsk, target_proc->tsk) < 0) { if (WARN_ON(proc == target_proc)) { return_error = BR_FAILED_REPLY; return_error_param = -EINVAL; return_error_line = __LINE__; goto err_invalid_target_handle; } if (security_binder_transaction(proc->cred, target_proc->cred) < 0) { return_error = BR_FAILED_REPLY; return_error_param = -EPERM; return_error_line = __LINE__; Loading Loading @@ -3208,7 +3218,7 @@ static void binder_transaction(struct binder_proc *proc, t->from = thread; else t->from = NULL; t->sender_euid = task_euid(proc->tsk); t->sender_euid = proc->cred->euid; t->to_proc = target_proc; t->to_thread = target_thread; t->code = tr->code; Loading Loading @@ -3694,10 +3704,17 @@ static int binder_thread_write(struct binder_proc *proc, struct binder_node *ctx_mgr_node; mutex_lock(&context->context_mgr_node_lock); ctx_mgr_node = context->binder_context_mgr_node; if (ctx_mgr_node) if (ctx_mgr_node) { if (ctx_mgr_node->proc == proc) { binder_user_error("%d:%d context manager tried to acquire desc 0\n", proc->pid, thread->pid); mutex_unlock(&context->context_mgr_node_lock); return -EINVAL; } ret = binder_inc_ref_for_node( proc, ctx_mgr_node, strong, NULL, &rdata); } mutex_unlock(&context->context_mgr_node_lock); } if (ret) Loading Loading @@ -4685,6 +4702,7 @@ static void binder_free_proc(struct binder_proc *proc) BUG_ON(!list_empty(&proc->delivered_death)); binder_alloc_deferred_release(&proc->alloc); put_task_struct(proc->tsk); put_cred(proc->cred); binder_stats_deleted(BINDER_STAT_PROC); kfree(proc); } Loading Loading 
@@ -4756,23 +4774,20 @@ static int binder_thread_release(struct binder_proc *proc, } /* * If this thread used poll, make sure we remove the waitqueue * from any epoll data structures holding it with POLLFREE. * waitqueue_active() is safe to use here because we're holding * the inner lock. * If this thread used poll, make sure we remove the waitqueue from any * poll data structures holding it. */ if ((thread->looper & BINDER_LOOPER_STATE_POLL) && waitqueue_active(&thread->wait)) { wake_up_poll(&thread->wait, POLLHUP | POLLFREE); } if (thread->looper & BINDER_LOOPER_STATE_POLL) wake_up_pollfree(&thread->wait); binder_inner_proc_unlock(thread->proc); /* * This is needed to avoid races between wake_up_poll() above and * and ep_remove_waitqueue() called for other reasons (eg the epoll file * descriptor being closed); ep_remove_waitqueue() holds an RCU read * lock, so we can be sure it's done after calling synchronize_rcu(). * This is needed to avoid races between wake_up_pollfree() above and * someone else removing the last entry from the queue for other reasons * (e.g. ep_remove_wait_queue() being called due to an epoll file * descriptor being closed). Such other users hold an RCU read lock, so * we can be sure they're done after we call synchronize_rcu(). */ if (thread->looper & BINDER_LOOPER_STATE_POLL) synchronize_rcu(); Loading Loading @@ -4890,7 +4905,7 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp, ret = -EBUSY; goto out; } ret = security_binder_set_context_mgr(proc->tsk); ret = security_binder_set_context_mgr(proc->cred); if (ret < 0) goto out; if (uid_valid(context->binder_context_mgr_uid)) { Loading Loading 
@@ -5212,6 +5227,7 @@ static int binder_open(struct inode *nodp, struct file *filp) get_task_struct(current->group_leader); proc->tsk = current->group_leader; mutex_init(&proc->files_lock); proc->cred = get_cred(filp->f_cred); INIT_LIST_HEAD(&proc->todo); if (binder_supported_policy(current->policy)) { proc->default_priority.sched_policy = current->policy; Loading drivers/gpu/msm/kgsl_drawobj.c +11 −24 Original line number Diff line number Diff line /* Copyright (c) 2016-2019, The Linux Foundation. All rights reserved. /* Copyright (c) 2016-2019,2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -569,6 +569,7 @@ static void add_profiling_buffer(struct kgsl_device *device, { struct kgsl_mem_entry *entry; struct kgsl_drawobj *drawobj = DRAWOBJ(cmdobj); u64 start; if (!(drawobj->flags & KGSL_DRAWOBJ_PROFILING)) return; Loading @@ -585,7 +586,14 @@ static void add_profiling_buffer(struct kgsl_device *device, gpuaddr); if (entry != NULL) { if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size)) { start = id ? (entry->memdesc.gpuaddr + offset) : gpuaddr; /* * Make sure there is enough room in the object to store the * entire profiling buffer object */ if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size) || !kgsl_gpuaddr_in_memdesc(&entry->memdesc, start, sizeof(struct kgsl_drawobj_profiling_buffer))) { kgsl_mem_entry_put(entry); entry = NULL; } Loading 
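Review bot: The new `proc->cred = get_cred(filp->f_cred);` in binder_open takes a reference that is only visibly released by the `put_cred(proc->cred);` added to binder_free_proc; if any failure path later in binder_open frees proc without going through binder_free_proc, that reference leaks, and the remainder of binder_open is outside the hunk, so this is worth confirming. A short comment at the assignment would also make the intent of the whole change visible: `/* Capture the opener's credentials; the security_binder_* hooks check these, not the credentials of whoever later holds the fd. */`. In the binder_transaction hunk, `WARN_ON(proc == target_proc)` emits a kernel warning for a condition that the new `ctx_mgr_node->proc == proc` rejection in binder_thread_write is presumably meant to make unreachable; if any other path can still yield a self-targeted transaction, a plain `-EINVAL` return without WARN_ON is preferable, since the warning would then be triggerable from user space.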
@@ -598,28 +606,7 @@ static void add_profiling_buffer(struct kgsl_device *device, return; } if (!id) { cmdobj->profiling_buffer_gpuaddr = gpuaddr; } else { u64 off = offset + sizeof(struct kgsl_drawobj_profiling_buffer); /* * Make sure there is enough room in the object to store the * entire profiling buffer object */ if (off < offset || off >= entry->memdesc.size) { dev_err(device->dev, "ignore invalid profile offset ctxt %d id %d offset %lld gpuaddr %llx size %lld\n", drawobj->context->id, id, offset, gpuaddr, size); kgsl_mem_entry_put(entry); return; } cmdobj->profiling_buffer_gpuaddr = entry->memdesc.gpuaddr + offset; } cmdobj->profiling_buffer_gpuaddr = start; cmdobj->profiling_buf_entry = entry; } Loading drivers/usb/gadget/composite.c +13 −1 Original line number Diff line number Diff line Loading @@ -1731,6 +1731,18 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) struct usb_function *f = NULL; u8 endp; if (w_length > USB_COMP_EP0_BUFSIZ) { if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); w_length = USB_COMP_EP0_BUFSIZ; } else { goto done; } } /* partial re-init of the response message; the function or the * gadget might need to intercept e.g. a control-OUT completion * when we delegate to it. Loading Loading @@ -2317,7 +2329,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite, if (!cdev->req) return -ENOMEM; cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ + cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ + (gadget->extra_buf_alloc), GFP_KERNEL); if (!cdev->req->buf) goto fail; Loading drivers/usb/gadget/legacy/dbgp.c +14 −1 Original line number Diff line number Diff line Loading 
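Review bot: The rewritten bounds check in add_profiling_buffer drops the explicit `off < offset` wrap-around test along with the `dev_err(device->dev, "ignore invalid profile offset ...")` diagnostic, so a user-supplied offset that makes `entry->memdesc.gpuaddr + offset` wrap is now caught only if kgsl_gpuaddr_in_memdesc itself rejects a range whose start lies below the memdesc base, which is not visible here; if it does not, an explicit overflow guard on `start` is needed before the call. The rejection is also now silent (entry is set to NULL) unless the `entry == NULL` path that follows, outside the hunk, already logs; consider keeping the removed `dev_err(device->dev, "ignore invalid profile offset ctxt %d id %d offset %lld gpuaddr %llx size %lld\n", drawobj->context->id, id, offset, gpuaddr, size);` at the new check so invalid profiling buffers remain diagnosable. The comment above the combined check could also say why the size is checked twice: the first call validates the caller's buffer, the second that a full `struct kgsl_drawobj_profiling_buffer` fits at `start`.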
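Review bot: The clamp in composite_setup, and the same pattern in dbgp_setup and gadgetfs_setup, writes through `ctrl`, which the signature declares `const struct usb_ctrlrequest *`; the cast is deliberate per the comment, but it also mutates the UDC driver's copy of the setup packet, so anything that logs or re-reads `ctrl->wLength` afterwards sees the clamped value rather than what the host sent, which is worth stating in the comment, e.g. `/* Cast away the const: clamp the host-supplied wLength to the ep0 buffer so delegated handlers cannot size an IN response larger than req->buf. */`. The OUT branch exits early with `goto done` (composite.c), `return err` (dbgp.c) and `return value` (inode.c); in each file the value returned depends on the variable's initializer, which lies outside the hunk, so confirm it is an error code rather than a success value. The kmalloc→kzalloc changes in composite_dev_prepare and dbgp_enable_ep_req fit the same goal: with the transfer length capped at the buffer size, a zero-filled buffer presumably prevents stale heap contents from being returned to the host on short responses, and a one-line comment at the allocation saying so would help.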
@@ -136,7 +136,7 @@ static int dbgp_enable_ep_req(struct usb_ep *ep) goto fail_1; } req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL); req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL); if (!req->buf) { err = -ENOMEM; stp = 2; Loading Loading @@ -344,6 +344,19 @@ static int dbgp_setup(struct usb_gadget *gadget, void *data = NULL; u16 len = 0; if (length > DBGP_REQ_LEN) { if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(DBGP_REQ_LEN); length = DBGP_REQ_LEN; } else { return err; } } if (request == USB_REQ_GET_DESCRIPTOR) { switch (value>>8) { case USB_DT_DEVICE: Loading drivers/usb/gadget/legacy/inode.c +15 −1 Original line number Diff line number Diff line Loading @@ -113,6 +113,8 @@ enum ep0_state { /* enough for the whole queue: most events invalidate others */ #define N_EVENT 5 #define RBUF_SIZE 256 struct dev_data { spinlock_t lock; atomic_t count; Loading Loading @@ -147,7 +149,7 @@ struct dev_data { struct dentry *dentry; /* except this scratch i/o buffer for ep0 */ u8 rbuf [256]; u8 rbuf[RBUF_SIZE]; }; static inline void get_dev (struct dev_data *data) Loading Loading @@ -1336,6 +1338,18 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) u16 w_value = le16_to_cpu(ctrl->wValue); u16 w_length = le16_to_cpu(ctrl->wLength); if (w_length > RBUF_SIZE) { if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(RBUF_SIZE); w_length = RBUF_SIZE; } else { return value; } } spin_lock (&dev->lock); dev->setup_abort = 0; if (dev->state == STATE_DEV_UNCONNECTED) { Loading Loading
drivers/android/binder.c +36 −20 Original line number Diff line number Diff line Loading @@ -503,6 +503,9 @@ struct binder_priority { * @files files_struct for process * (protected by @files_lock) * @files_lock mutex to protect @files * @cred struct cred associated with the `struct file` * in binder_open() * (invariant after initialized) * @deferred_work_node: element for binder_deferred_list * (protected by binder_deferred_lock) * @deferred_work: bitmap of deferred work to perform Loading Loading @@ -550,6 +553,7 @@ struct binder_proc { struct task_struct *tsk; struct files_struct *files; struct mutex files_lock; const struct cred *cred; struct hlist_node deferred_work_node; int deferred_work; bool is_dead; Loading Loading @@ -2581,7 +2585,7 @@ static int binder_translate_binder(struct flat_binder_object *fp, ret = -EINVAL; goto done; } if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) { if (security_binder_transfer_binder(proc->cred, target_proc->cred)) { ret = -EPERM; goto done; } Loading Loading @@ -2627,7 +2631,7 @@ static int binder_translate_handle(struct flat_binder_object *fp, proc->pid, thread->pid, fp->handle); return -EINVAL; } if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) { if (security_binder_transfer_binder(proc->cred, target_proc->cred)) { ret = -EPERM; goto done; } Loading Loading @@ -2711,7 +2715,7 @@ static int binder_translate_fd(int fd, ret = -EBADF; goto err_fget; } ret = security_binder_transfer_file(proc->tsk, target_proc->tsk, file); ret = security_binder_transfer_file(proc->cred, target_proc->cred, file); if (ret < 0) { ret = -EPERM; goto err_security; Loading Loading 
@@ -3116,8 +3120,14 @@ static void binder_transaction(struct binder_proc *proc, goto err_dead_binder; } e->to_node = target_node->debug_id; if (security_binder_transaction(proc->tsk, target_proc->tsk) < 0) { if (WARN_ON(proc == target_proc)) { return_error = BR_FAILED_REPLY; return_error_param = -EINVAL; return_error_line = __LINE__; goto err_invalid_target_handle; } if (security_binder_transaction(proc->cred, target_proc->cred) < 0) { return_error = BR_FAILED_REPLY; return_error_param = -EPERM; return_error_line = __LINE__; Loading Loading @@ -3208,7 +3218,7 @@ static void binder_transaction(struct binder_proc *proc, t->from = thread; else t->from = NULL; t->sender_euid = task_euid(proc->tsk); t->sender_euid = proc->cred->euid; t->to_proc = target_proc; t->to_thread = target_thread; t->code = tr->code; Loading Loading @@ -3694,10 +3704,17 @@ static int binder_thread_write(struct binder_proc *proc, struct binder_node *ctx_mgr_node; mutex_lock(&context->context_mgr_node_lock); ctx_mgr_node = context->binder_context_mgr_node; if (ctx_mgr_node) if (ctx_mgr_node) { if (ctx_mgr_node->proc == proc) { binder_user_error("%d:%d context manager tried to acquire desc 0\n", proc->pid, thread->pid); mutex_unlock(&context->context_mgr_node_lock); return -EINVAL; } ret = binder_inc_ref_for_node( proc, ctx_mgr_node, strong, NULL, &rdata); } mutex_unlock(&context->context_mgr_node_lock); } if (ret) Loading Loading @@ -4685,6 +4702,7 @@ static void binder_free_proc(struct binder_proc *proc) BUG_ON(!list_empty(&proc->delivered_death)); binder_alloc_deferred_release(&proc->alloc); put_task_struct(proc->tsk); put_cred(proc->cred); binder_stats_deleted(BINDER_STAT_PROC); kfree(proc); } Loading Loading 
@@ -4756,23 +4774,20 @@ static int binder_thread_release(struct binder_proc *proc, } /* * If this thread used poll, make sure we remove the waitqueue * from any epoll data structures holding it with POLLFREE. * waitqueue_active() is safe to use here because we're holding * the inner lock. * If this thread used poll, make sure we remove the waitqueue from any * poll data structures holding it. */ if ((thread->looper & BINDER_LOOPER_STATE_POLL) && waitqueue_active(&thread->wait)) { wake_up_poll(&thread->wait, POLLHUP | POLLFREE); } if (thread->looper & BINDER_LOOPER_STATE_POLL) wake_up_pollfree(&thread->wait); binder_inner_proc_unlock(thread->proc); /* * This is needed to avoid races between wake_up_poll() above and * and ep_remove_waitqueue() called for other reasons (eg the epoll file * descriptor being closed); ep_remove_waitqueue() holds an RCU read * lock, so we can be sure it's done after calling synchronize_rcu(). * This is needed to avoid races between wake_up_pollfree() above and * someone else removing the last entry from the queue for other reasons * (e.g. ep_remove_wait_queue() being called due to an epoll file * descriptor being closed). Such other users hold an RCU read lock, so * we can be sure they're done after we call synchronize_rcu(). */ if (thread->looper & BINDER_LOOPER_STATE_POLL) synchronize_rcu(); Loading Loading @@ -4890,7 +4905,7 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp, ret = -EBUSY; goto out; } ret = security_binder_set_context_mgr(proc->tsk); ret = security_binder_set_context_mgr(proc->cred); if (ret < 0) goto out; if (uid_valid(context->binder_context_mgr_uid)) { Loading Loading 
@@ -5212,6 +5227,7 @@ static int binder_open(struct inode *nodp, struct file *filp) get_task_struct(current->group_leader); proc->tsk = current->group_leader; mutex_init(&proc->files_lock); proc->cred = get_cred(filp->f_cred); INIT_LIST_HEAD(&proc->todo); if (binder_supported_policy(current->policy)) { proc->default_priority.sched_policy = current->policy; Loading
drivers/gpu/msm/kgsl_drawobj.c +11 −24 Original line number Diff line number Diff line /* Copyright (c) 2016-2019, The Linux Foundation. All rights reserved. /* Copyright (c) 2016-2019,2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -569,6 +569,7 @@ static void add_profiling_buffer(struct kgsl_device *device, { struct kgsl_mem_entry *entry; struct kgsl_drawobj *drawobj = DRAWOBJ(cmdobj); u64 start; if (!(drawobj->flags & KGSL_DRAWOBJ_PROFILING)) return; Loading @@ -585,7 +586,14 @@ static void add_profiling_buffer(struct kgsl_device *device, gpuaddr); if (entry != NULL) { if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size)) { start = id ? (entry->memdesc.gpuaddr + offset) : gpuaddr; /* * Make sure there is enough room in the object to store the * entire profiling buffer object */ if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size) || !kgsl_gpuaddr_in_memdesc(&entry->memdesc, start, sizeof(struct kgsl_drawobj_profiling_buffer))) { kgsl_mem_entry_put(entry); entry = NULL; } Loading @@ -598,28 +606,7 @@ static void add_profiling_buffer(struct kgsl_device *device, return; } if (!id) { cmdobj->profiling_buffer_gpuaddr = gpuaddr; } else { u64 off = offset + sizeof(struct kgsl_drawobj_profiling_buffer); /* * Make sure there is enough room in the object to store the * entire profiling buffer object */ if (off < offset || off >= entry->memdesc.size) { dev_err(device->dev, "ignore invalid profile offset ctxt %d id %d offset %lld gpuaddr %llx size %lld\n", drawobj->context->id, id, offset, gpuaddr, size); kgsl_mem_entry_put(entry); return; } cmdobj->profiling_buffer_gpuaddr = entry->memdesc.gpuaddr + offset; } cmdobj->profiling_buffer_gpuaddr = start; cmdobj->profiling_buf_entry = entry; } Loading
drivers/usb/gadget/composite.c +13 −1 Original line number Diff line number Diff line Loading @@ -1731,6 +1731,18 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) struct usb_function *f = NULL; u8 endp; if (w_length > USB_COMP_EP0_BUFSIZ) { if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); w_length = USB_COMP_EP0_BUFSIZ; } else { goto done; } } /* partial re-init of the response message; the function or the * gadget might need to intercept e.g. a control-OUT completion * when we delegate to it. Loading Loading @@ -2317,7 +2329,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite, if (!cdev->req) return -ENOMEM; cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ + cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ + (gadget->extra_buf_alloc), GFP_KERNEL); if (!cdev->req->buf) goto fail; Loading
drivers/usb/gadget/legacy/dbgp.c +14 −1 Original line number Diff line number Diff line Loading @@ -136,7 +136,7 @@ static int dbgp_enable_ep_req(struct usb_ep *ep) goto fail_1; } req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL); req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL); if (!req->buf) { err = -ENOMEM; stp = 2; Loading Loading @@ -344,6 +344,19 @@ static int dbgp_setup(struct usb_gadget *gadget, void *data = NULL; u16 len = 0; if (length > DBGP_REQ_LEN) { if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(DBGP_REQ_LEN); length = DBGP_REQ_LEN; } else { return err; } } if (request == USB_REQ_GET_DESCRIPTOR) { switch (value>>8) { case USB_DT_DEVICE: Loading
drivers/usb/gadget/legacy/inode.c +15 −1 Original line number Diff line number Diff line Loading @@ -113,6 +113,8 @@ enum ep0_state { /* enough for the whole queue: most events invalidate others */ #define N_EVENT 5 #define RBUF_SIZE 256 struct dev_data { spinlock_t lock; atomic_t count; Loading Loading @@ -147,7 +149,7 @@ struct dev_data { struct dentry *dentry; /* except this scratch i/o buffer for ep0 */ u8 rbuf [256]; u8 rbuf[RBUF_SIZE]; }; static inline void get_dev (struct dev_data *data) Loading Loading @@ -1336,6 +1338,18 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) u16 w_value = le16_to_cpu(ctrl->wValue); u16 w_length = le16_to_cpu(ctrl->wLength); if (w_length > RBUF_SIZE) { if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(RBUF_SIZE); w_length = RBUF_SIZE; } else { return value; } } spin_lock (&dev->lock); dev->setup_abort = 0; if (dev->state == STATE_DEV_UNCONNECTED) { Loading