1. 18 Aug, 2016 1 commit
  2. 15 Aug, 2016 1 commit
  3. 20 Feb, 2016 1 commit
  4. 11 Feb, 2016 2 commits
    • android: drivers: Avoid debugfs race in binder · 83050a4e
      Riley Andrews authored
      If a /d/binder/proc/[pid] entry is kept open after linux has
      torn down the associated process, binder_proc_show can dereference
      an invalid binder_proc that has been stashed in the debugfs
      inode.  Validate that the binder_proc ptr passed into binder_proc_show
      has not been freed by looking for it within the global process list
      whilst the global lock is held. If the ptr is not valid, print nothing.
      
      Cc: Colin Cross <ccross@android.com>
      Cc: Arve Hjønnevåg <arve@android.com>
      Cc: Dmitry Shmidt <dimitrysh@google.com>
      Cc: Rom Lemarchand <romlem@google.com>
      Cc: Serban Constantinescu <serban.constantinescu@arm.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Android Kernel Team <kernel-team@android.com>
      Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
      [jstultz: Minor commit message tweaks]
      Signed-off-by: John Stultz <john.stultz@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • android: binder: More offset validation · 212265e5
      Arve Hjønnevåg authored
      Make sure offsets don't point to overlapping flat_binder_object
      structs.
      
      Cc: Colin Cross <ccross@android.com>
      Cc: Arve Hjønnevåg <arve@android.com>
      Cc: Dmitry Shmidt <dimitrysh@google.com>
      Cc: Rom Lemarchand <romlem@google.com>
      Cc: Serban Constantinescu <serban.constantinescu@arm.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Android Kernel Team <kernel-team@android.com>
      Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
      Signed-off-by: John Stultz <john.stultz@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. 07 Feb, 2016 1 commit
  6. 10 Sep, 2015 1 commit
  7. 01 Mar, 2015 1 commit
    • android: binder: fix binder mmap failures · f4c72c70
      Andrey Ryabinin authored
      binder_update_page_range() initializes only addr and size
      fields in 'struct vm_struct tmp_area;' and passes it to
      map_vm_area().
      
      Before 71394fe5 ("mm: vmalloc: add flag preventing guard hole allocation")
      this was because map_vm_area() didn't use any other fields
      in vm_struct except addr and size.
      
      Now get_vm_area_size() (used in map_vm_area()) reads vm_struct's
      flags to determine whether vm area has guard hole or not.
      
      binder_update_page_range() doesn't initialize the flags field, so
      this causes the following binder mmap failures:
      -----------[ cut here ]------------
      WARNING: CPU: 0 PID: 1971 at mm/vmalloc.c:130
      vmap_page_range_noflush+0x119/0x144()
      CPU: 0 PID: 1971 Comm: healthd Not tainted 4.0.0-rc1-00399-g7da3fdc-dirty #157
      Hardware name: ARM-Versatile Express
      [<c001246d>] (unwind_backtrace) from [<c000f7f9>] (show_stack+0x11/0x14)
      [<c000f7f9>] (show_stack) from [<c049a221>] (dump_stack+0x59/0x7c)
      [<c049a221>] (dump_stack) from [<c001cf21>] (warn_slowpath_common+0x55/0x84)
      [<c001cf21>] (warn_slowpath_common) from [<c001cfe3>]
      (warn_slowpath_null+0x17/0x1c)
      [<c001cfe3>] (warn_slowpath_null) from [<c00c66c5>]
      (vmap_page_range_noflush+0x119/0x144)
      [<c00c66c5>] (vmap_page_range_noflush) from [<c00c716b>] (map_vm_area+0x27/0x48)
      [<c00c716b>] (map_vm_area) from [<c038ddaf>]
      (binder_update_page_range+0x12f/0x27c)
      [<c038ddaf>] (binder_update_page_range) from [<c038e857>]
      (binder_mmap+0xbf/0x1ac)
      [<c038e857>] (binder_mmap) from [<c00c2dc7>] (mmap_region+0x2eb/0x4d4)
      [<c00c2dc7>] (mmap_region) from [<c00c3197>] (do_mmap_pgoff+0x1e7/0x250)
      [<c00c3197>] (do_mmap_pgoff) from [<c00b35b5>] (vm_mmap_pgoff+0x45/0x60)
      [<c00b35b5>] (vm_mmap_pgoff) from [<c00c1f39>] (SyS_mmap_pgoff+0x5d/0x80)
      [<c00c1f39>] (SyS_mmap_pgoff) from [<c000ce81>] (ret_fast_syscall+0x1/0x5c)
      ---[ end trace 48c2c4b9a1349e54 ]---
      binder: 1982: binder_alloc_buf failed to map page at f0e00000 in kernel
      binder: binder_mmap: 1982 b6bde000-b6cdc000 alloc small buf failed -12
      
      Use map_kernel_range_noflush() instead of map_vm_area() as this is a better
      API for binder's purposes and it allows getting rid of 'vm_struct tmp_area' entirely.
      
      Fixes: 71394fe5 ("mm: vmalloc: add flag preventing guard hole allocation")
      Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
      Reported-by: Amit Pundir <amit.pundir@linaro.org>
      Tested-by: Amit Pundir <amit.pundir@linaro.org>
      Acked-by: David Rientjes <rientjes@google.com>
      Tested-by: John Stultz <john.stultz@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  8. 25 Jan, 2015 1 commit
    • Add security hooks to binder and implement the hooks for SELinux. · 79af7307
      Stephen Smalley authored
      Add security hooks to the binder and implement the hooks for SELinux.
      The security hooks enable security modules such as SELinux to implement
      controls over binder IPC.  The security hooks include support for
      controlling what process can become the binder context manager
      (binder_set_context_mgr), controlling the ability of a process
      to invoke a binder transaction/IPC to another process (binder_transaction),
      controlling the ability of a process to transfer a binder reference to
      another process (binder_transfer_binder), and controlling the ability
      of a process to transfer an open file to another process (binder_transfer_file).
      
      These hooks have been included in the Android kernel trees since Android 4.3.
      
      (Updated to reflect upstream relocation and changes to the binder driver,
      changes to the LSM audit data structures, coding style cleanups, and
      to add inline documentation for the hooks).
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Nick Kralevich <nnk@google.com>
      Acked-by: Jeffrey Vander Stoep <jeffv@google.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. 19 Oct, 2014 2 commits