This project is mirrored from https://github.com/Professor-Berni/android_kernel_sony_msm8994.git. Pull mirroring updated .
  1. 03 Aug, 2021 7 commits
    • threader's avatar
      BINDER: Clean up pick conflict · 7b36094a
      threader authored
      7b36094a
    • Mrinal Pandey's avatar
      drivers: android: Remove braces for a single statement if-else block · c4ce50a3
      Mrinal Pandey authored
      
      
      Remove braces for both if and else block as suggested by checkpatch.
      
      Signed-off-by: default avatarMrinal Pandey <mrinalmni@gmail.com>
      Link: https://lore.kernel.org/r/20200724131403.dahfhdwa3wirzkxj@mrinalpandey
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      (cherry picked from commit 8df5b9492202e9cac9917465e945fcf478d55404)
      c4ce50a3
    • Jann Horn's avatar
      binder: Don't modify VMA bounds in ->mmap handler · b39e6c0e
      Jann Horn authored
      
      
      binder_mmap() tries to prevent the creation of overly big binder mappings
      by silently truncating the size of the VMA to 4MiB. However, this violates
      the API contract of mmap(). If userspace attempts to create a large binder
      VMA, and later attempts to unmap that VMA, it will call munmap() on a range
      beyond the end of the VMA, which may have been allocated to another VMA in
      the meantime. This can lead to userspace memory corruption.
      
      The following sequence of calls leads to a segfault without this commit:
      
      int main(void) {
        int binder_fd = open("/dev/binder", O_RDWR);
        if (binder_fd == -1) err(1, "open binder");
        void *binder_mapping = mmap(NULL, 0x800000UL, PROT_READ, MAP_SHARED,
                                    binder_fd, 0);
        if (binder_mapping == MAP_FAILED) err(1, "mmap binder");
        void *data_mapping = mmap(NULL, 0x400000UL, PROT_READ|PROT_WRITE,
                                  MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
        if (data_mapping == MAP_FAILED) err(1, "mmap data");
        munmap(binder_mapping, 0x800000UL);
        *(char*)data_mapping = 1;
        return 0;
      }
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarTodd Kjos <tkjos@google.com>
      Acked-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
      Link: https://lore.kernel.org/r/20191016150119.154756-1-jannh@google.com
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      (cherry picked from commit 45d02f79b539073b76077836871de6b674e36eb4)
      b39e6c0e
    • Yangtao Li's avatar
      binder: remove BINDER_DEBUG_ENTRY() · 1ed959a6
      Yangtao Li authored
      
      
      We already have the DEFINE_SHOW_ATTRIBUTE.There is no need to define
      such a macro,so remove BINDER_DEBUG_ENTRY.
      
      Signed-off-by: default avatarYangtao Li <tiny.windzz@gmail.com>
      Acked-by: default avatarTodd Kjos <tkjos@android.com>
      Reviewed-by: default avatarJoey Pabalinas <joeypabalinas@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      (cherry picked from commit c13e0a5288195aadec1e53af7a48ea8dae971416)
      1ed959a6
    • Jens Axboe's avatar
      fs: move filp_close() outside of __close_fd_get_file() · c1437c6d
      Jens Axboe authored
      
      
      Just one caller of this, and just use filp_close() there manually.
      This is important to allow async close/removal of the fd.
      
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      (cherry picked from commit 6e802a4ba056a6f2f51ac9d54eead3ed6f9829a2)
      c1437c6d
    • Todd Kjos's avatar
      binder: fix use-after-free due to ksys_close() during fdget() · 29043942
      Todd Kjos authored
      
      
      44d8047f1d8 ("binder: use standard functions to allocate fds")
      exposed a pre-existing issue in the binder driver.
      
      fdget() is used in ksys_ioctl() as a performance optimization.
      One of the rules associated with fdget() is that ksys_close() must
      not be called between the fdget() and the fdput(). There is a case
      where this requirement is not met in the binder driver which results
      in the reference count dropping to 0 when the device is still in
      use. This can result in use-after-free or other issues.
      
      If userpace has passed a file-descriptor for the binder driver using
      a BINDER_TYPE_FDA object, then kys_close() is called on it when
      handling a binder_ioctl(BC_FREE_BUFFER) command. This violates
      the assumptions for using fdget().
      
      The problem is fixed by deferring the close using task_work_add(). A
      new variant of __close_fd() was created that returns a struct file
      with a reference. The fput() is deferred instead of using ksys_close().
      
      Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds")
      Suggested-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      (cherry picked from commit 80cd795630d6526ba729a089a435bf74a57af927)
      29043942
    • Todd Kjos's avatar
      binder: fix null deref of proc->context · 91596232
      Todd Kjos authored
      
      
      The binder driver makes the assumption proc->context pointer is invariant after
      initialization (as documented in the kerneldoc header for struct proc).
      However, in commit f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
      proc->context is set to NULL during binder_deferred_release().
      
      Another proc was in the middle of setting up a transaction to the dying
      process and crashed on a NULL pointer deref on "context" which is a local
      set to &proc->context:
      
          new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
      
      Here's the stack:
      
      [ 5237.855435] Call trace:
      [ 5237.855441] binder_get_ref_for_node_olocked+0x100/0x2ec
      [ 5237.855446] binder_inc_ref_for_node+0x140/0x280
      [ 5237.855451] binder_translate_binder+0x1d0/0x388
      [ 5237.855456] binder_transaction+0x2228/0x3730
      [ 5237.855461] binder_thread_write+0x640/0x25bc
      [ 5237.855466] binder_ioctl_write_read+0xb0/0x464
      [ 5237.855471] binder_ioctl+0x30c/0x96c
      [ 5237.855477] do_vfs_ioctl+0x3e0/0x700
      [ 5237.855482] __arm64_sys_ioctl+0x78/0xa4
      [ 5237.855488] el0_svc_common+0xb4/0x194
      [ 5237.855493] el0_svc_handler+0x74/0x98
      [ 5237.855497] el0_svc+0x8/0xc
      
      The fix is to move the kfree of the binder_device to binder_free_proc()
      so the binder_device is freed when we know there are no references
      remaining on the binder_proc.
      
      Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
      Acked-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
      Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200622200715.114382-1-tkjos@google.com
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      (cherry picked from commit d35d3660e065b69fdb8bf512f3d899f350afce52)
      91596232
  2. 31 Jul, 2021 33 commits