UPSTREAM: binder: create userspace-to-binder-buffer copy function

				      ALIGN(tr->data_size, sizeof(void *)));

	offp = off_start;

	if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t)

			   tr->data.ptr.buffer, tr->data_size)) {

	if (binder_alloc_copy_user_to_buffer(

				&target_proc->alloc,

				t->buffer, 0,

				(const void __user *)

					(uintptr_t)tr->data.ptr.buffer,

				tr->data_size)) {

		binder_user_error("%d:%d got transaction with invalid data ptr\n",

				proc->pid, thread->pid);

		return_error = BR_FAILED_REPLY;

		return_error_line = __LINE__;

		goto err_copy_data_failed;

	}

	if (copy_from_user(offp, (const void __user *)(uintptr_t)

			   tr->data.ptr.offsets, tr->offsets_size)) {

	if (binder_alloc_copy_user_to_buffer(

				&target_proc->alloc,

				t->buffer,

				ALIGN(tr->data_size, sizeof(void *)),

				(const void __user *)

					(uintptr_t)tr->data.ptr.offsets,

				tr->offsets_size)) {

		binder_user_error("%d:%d got transaction with invalid offsets ptr\n",

				proc->pid, thread->pid);

		return_error = BR_FAILED_REPLY;

			struct binder_buffer_object *bp =

				to_binder_buffer_object(hdr);

			size_t buf_left = sg_buf_end - sg_bufp;

			binder_size_t sg_buf_offset = (uintptr_t)sg_bufp -

				(uintptr_t)t->buffer->data;

			if (bp->length > buf_left) {

				binder_user_error("%d:%d got transaction with too large buffer\n",

				return_error_line = __LINE__;

				goto err_bad_offset;

			}

			if (copy_from_user(sg_bufp,

					   (const void __user *)(uintptr_t)

					   bp->buffer, bp->length)) {

			if (binder_alloc_copy_user_to_buffer(

						&target_proc->alloc,

						t->buffer,

						sg_buf_offset,

						(const void __user *)

							(uintptr_t)bp->buffer,

						bp->length)) {

				binder_user_error("%d:%d got transaction with invalid offsets ptr\n",

						  proc->pid, thread->pid);

				return_error_param = -EFAULT;

#include <linux/slab.h>

#include <linux/sched.h>

#include <linux/list_lru.h>

#include <linux/uaccess.h>

#include <linux/highmem.h>

#include "binder_alloc.h"

#include "binder_trace.h"

	}

	return ret;

}

/**

 * check_buffer() - verify that buffer/offset is safe to access

 * @alloc: binder_alloc for this proc

 * @buffer: binder buffer to be accessed

 * @offset: offset into @buffer data

 * @bytes: bytes to access from offset

 *

 * Check that the @offset/@bytes are within the size of the given

 * @buffer and that the buffer is currently active and not freeable.

 * Offsets must also be multiples of sizeof(u32). The kernel is

 * allowed to touch the buffer in two cases:

 *

 * 1) when the buffer is being created:

 *     (buffer->free == 0 && buffer->allow_user_free == 0)

 * 2) when the buffer is being torn down:

 *     (buffer->free == 0 && buffer->transaction == NULL).

 *

 * Return: true if the buffer is safe to access

 */

static inline bool check_buffer(struct binder_alloc *alloc,

				struct binder_buffer *buffer,

				binder_size_t offset, size_t bytes)

{

	size_t buffer_size = binder_alloc_buffer_size(alloc, buffer);

	return buffer_size >= bytes &&

		offset <= buffer_size - bytes &&

		IS_ALIGNED(offset, sizeof(u32)) &&

		!buffer->free &&

		(!buffer->allow_user_free || !buffer->transaction);

}

/**

 * binder_alloc_get_page() - get kernel pointer for given buffer offset

 * @alloc: binder_alloc for this proc

 * @buffer: binder buffer to be accessed

 * @buffer_offset: offset into @buffer data

 * @pgoffp: address to copy final page offset to

 *

 * Lookup the struct page corresponding to the address

 * at @buffer_offset into @buffer->data. If @pgoffp is not

 * NULL, the byte-offset into the page is written there.

 *

 * The caller is responsible to ensure that the offset points

 * to a valid address within the @buffer and that @buffer is

 * not freeable by the user. Since it can't be freed, we are

 * guaranteed that the corresponding elements of @alloc->pages[]

 * cannot change.

 *

 * Return: struct page

 */

static struct page *binder_alloc_get_page(struct binder_alloc *alloc,

					  struct binder_buffer *buffer,

					  binder_size_t buffer_offset,

					  pgoff_t *pgoffp)

{

	binder_size_t buffer_space_offset = buffer_offset +

		(buffer->data - alloc->buffer);

	pgoff_t pgoff = buffer_space_offset & ~PAGE_MASK;

	size_t index = buffer_space_offset >> PAGE_SHIFT;

	struct binder_lru_page *lru_page;

	lru_page = &alloc->pages[index];

	*pgoffp = pgoff;

	return lru_page->page_ptr;

}

/**

 * binder_alloc_copy_user_to_buffer() - copy src user to tgt user

 * @alloc: binder_alloc for this proc

 * @buffer: binder buffer to be accessed

 * @buffer_offset: offset into @buffer data

 * @from: userspace pointer to source buffer

 * @bytes: bytes to copy

 *

 * Copy bytes from source userspace to target buffer.

 *

 * Return: bytes remaining to be copied

 */

unsigned long

binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,

				 struct binder_buffer *buffer,

				 binder_size_t buffer_offset,

				 const void __user *from,

				 size_t bytes)

{

	if (!check_buffer(alloc, buffer, buffer_offset, bytes))

		return bytes;

	while (bytes) {

		unsigned long size;

		unsigned long ret;

		struct page *page;

		pgoff_t pgoff;

		void *kptr;

		page = binder_alloc_get_page(alloc, buffer,

					     buffer_offset, &pgoff);

		size = min_t(size_t, bytes, PAGE_SIZE - pgoff);

		kptr = kmap(page) + pgoff;

		ret = copy_from_user(kptr, from, size);

		kunmap(page);

		if (ret)

			return bytes - size + ret;

		bytes -= size;

		from += size;

		buffer_offset += size;

	}

	return 0;

}

#include <linux/vmalloc.h>

#include <linux/slab.h>

#include <linux/list_lru.h>

#include <uapi/linux/android/binder.h>

extern struct list_lru binder_alloc_lru;

struct binder_transaction;

	return alloc->user_buffer_offset;

}

unsigned long

binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,

				 struct binder_buffer *buffer,

				 binder_size_t buffer_offset,

				 const void __user *from,

				 size_t bytes);

#endif /* _LINUX_BINDER_ALLOC_H */