Re: UAF read in print_binder_transaction_log_entry() on ANDROID_BINDERFS kernels

2019-10-07 Thread Todd Kjos
+Hridya Valsaraju On Mon, Oct 7, 2019 at 1:50 PM Jann Horn wrote: > > Hi! > > There is a use-after-free read in print_binder_transaction_log_entry() > on ANDROID_BINDERFS kernels because > print_binder_transaction_log_entry() prints the char* e->context_name > as string, and if the transaction

Re: [PATCH] binder: prevent UAF read in print_binder_transaction_log_entry()

2019-10-08 Thread Todd Kjos
> the name of the binder device instead of stashing a pointer to it. > > Reported-by: Jann Horn > Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs") > Link: > https://lore.kernel.org/r/cag48ez14q0-f8lqsvcnbyr2o6gpw8shxsm4u5jmd9mpstem...@mail.gmail.com

Re: [PATCH] binder: prevent UAF read in print_binder_transaction_log_entry()

2019-10-09 Thread Todd Kjos
On Wed, Oct 9, 2019 at 3:40 AM Christian Brauner wrote: > > On Tue, Oct 08, 2019 at 02:05:16PM -0400, Joel Fernandes wrote: > > On Tue, Oct 08, 2019 at 03:01:59PM +0200, Christian Brauner wrote: [...] > > > > One more thought, this can be made dependent on CONFIG_BINDERFS since > > regular > >

Re: [PATCH 1/2] binder: Don't modify VMA bounds in ->mmap handler

2019-10-16 Thread Todd Kjos
UL); > *(char*)data_mapping = 1; > return 0; > } > > Cc: sta...@vger.kernel.org > Signed-off-by: Jann Horn Acked-by: Todd Kjos > --- > drivers/android/binder.c | 7 --- > drivers/android/binder_alloc.c | 6 -- > 2 files changed, 4 insertions

Re: [PATCH v5 2/3] binder: add trace at free transaction.

2020-07-20 Thread Todd Kjos
On Wed, Jun 10, 2020 at 5:24 AM Frankie Chang wrote: > > From: "Frankie.Chang" > > Since the original trace_binder_transaction_received cannot > precisely present the real finished time of transaction, adding a > trace_binder_txn_latency_free at the point of free transaction > may be more close

Re: [PATCH v5 3/3] binder: add transaction latency tracer

2020-07-20 Thread Todd Kjos
On Wed, Jun 10, 2020 at 5:34 AM Frankie Chang wrote: > > From: "Frankie.Chang" > > Record start/end timestamp for binder transaction. > When transaction is completed or transaction is free, > it would be checked if transaction latency over threshold (2 sec), > if yes, printing related

Re: possible deadlock in shmem_fallocate (4)

2020-07-14 Thread Todd Kjos
+Suren Baghdasaryan +Hridya Valsaraju who support the ashmem driver. On Tue, Jul 14, 2020 at 7:18 AM Michal Hocko wrote: > > On Tue 14-07-20 22:08:59, Hillf Danton wrote: > > > > On Tue, 14 Jul 2020 10:26:29 +0200 Michal Hocko wrote: > > > On Tue 14-07-20 13:32:05, Hillf Danton wrote: > > > > >

Re: [PATCH v2] binder: Don't use mmput() from shrinker function.

2020-07-16 Thread Todd Kjos
ping > > with spinlock held. But this patch replaces mmput() with mmput_async() in > > order not to start __mmput() from shrinker context. > > > > [1] > > https://syzkaller.appspot.com/bug?id=bc9e7303f537c41b2b0cc2dfcea3fc42964c2d45 > > > > Reported-by: syzbot >

[PATCH] binder: fix memory leak in error path

2019-06-21 Thread Todd Kjos
...@syzkaller.appspotmail.com Signed-off-by: Todd Kjos --- drivers/android/binder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index bc26b5511f0a9..8bf039fdeb918 100644 --- a/drivers/android/binder.c +++ b/drivers

Re: memory leak in binder_transaction

2019-06-21 Thread Todd Kjos
On Thu, Jun 13, 2019 at 2:56 PM syzbot wrote: > > Hello, > > syzbot found the following crash on: > > HEAD commit:d1fdb6d8 Linux 5.2-rc4 > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=15e5ce1ea0 > kernel config:

[PATCH] binder: return errors from buffer copy functions

2019-06-28 Thread Todd Kjos
Suggested-by: Dan Carpenter Signed-off-by: Todd Kjos --- drivers/android/binder.c | 153 - drivers/android/binder_alloc.c | 44 +- drivers/android/binder_alloc.h | 22 ++--- 3 files changed, 126 insertions(+), 93 deletions(-) diff --git a/drivers/androi

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (4)

2019-06-28 Thread Todd Kjos
On Tue, Jun 18, 2019 at 10:37 AM Todd Kjos wrote: > > On Tue, Jun 18, 2019 at 5:18 AM Dan Carpenter > wrote: > > > > It's weird that that binder_alloc_copy_from_buffer() is a void function. > > It would be easier to do the error handling at that point, instead of in

Re: binder stress testing

2019-06-05 Thread Todd Kjos
in a "normal" binder environment). On Sat, May 18, 2019 at 12:25 AM Dmitry Vyukov wrote: > > On Fri, May 17, 2019 at 8:34 PM Todd Kjos wrote: > > > On Fri, May 17, 2019 at 5:51 PM Dmitry Vyukov wrote: > > > > > > > > > > > > > > Fr

Re: Reminder: 3 open syzbot bugs in "android/binder" subsystem

2019-07-03 Thread Todd Kjos
Of these 3 bugs, 1 was seen in mainline in the last week. > > Of these 3 bugs, 1 was bisected to a commit from the following person: > > Todd Kjos > > If you believe a bug is no longer valid, please close the syzbot report by > sending a '#syz fix', '#syz dup',

Re: WARNING in binder_transaction_buffer_release

2019-06-12 Thread Todd Kjos
On Wed, Jun 12, 2019 at 12:23 PM Eric Biggers wrote: > > On Mon, May 20, 2019 at 07:18:06AM -0700, syzbot wrote: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:72cf0b07 Merge tag 'sound-fix-5.2-rc1' of git://git.kernel.. > > git tree: upstream > > console

[PATCH] binder: fix possible UAF when freeing buffer

2019-06-12 Thread Todd Kjos
. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 748ac489ef7eb..bc26b5511f0a9 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (4)

2019-06-18 Thread Todd Kjos
On Tue, Jun 18, 2019 at 5:18 AM Dan Carpenter wrote: > > It's weird that that binder_alloc_copy_from_buffer() is a void function. > It would be easier to do the error handling at that point, instead of in > the callers. It feels like we keep hitting similar bugs to this. The idea is that if it

Re: [PATCH v4 3/3] binder: add transaction latency tracer

2020-05-07 Thread Todd Kjos
On Thu, May 7, 2020 at 1:11 AM Frankie Chang wrote: > > From: "Frankie.Chang" > > Record start/end timestamp for binder transaction. > When transaction is completed or transaction is free, > it would be checked if transaction latency over threshold (2 sec), If this is a hard-coded threshold,

Re: [PATCH 1/1] MAINTAINERS: add Hridya and myself into Android driver maintainers list

2020-07-09 Thread Todd Kjos
On Thu, Jul 9, 2020 at 1:18 AM Greg KH wrote: > > On Wed, Jul 08, 2020 at 04:12:53PM -0700, Suren Baghdasaryan wrote: > > Add new maintainers for ashmem driver to handle related issues. > > > > Signed-off-by: Suren Baghdasaryan Acked-by: Todd Kjos > > Can I ge

Re: [PATCH resend] binder: Prevent context manager from incrementing ref 0

2020-07-09 Thread Todd Kjos
; trigger a transaction-to-self bug in the future. > > Cc: sta...@vger.kernel.org > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") > Signed-off-by: Jann Horn Nice catch. Acked-by: Todd Kjos > --- > sending again because I forgot to CC LKML the first time... so

[PATCH] binder: fix null deref of proc->context

2020-06-22 Thread Todd Kjos
e binder_device to binder_free_proc() so the binder_device is freed when we know there are no references remaining on the binder_proc. Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II") Signed-off-by: Todd Kjos --- drivers/android/binder.c | 14 +++--- 1 file c

Re: [PATCH] binder: fix null deref of proc->context

2020-06-22 Thread Todd Kjos
On Mon, Jun 22, 2020 at 1:09 PM Christian Brauner wrote: > > On Mon, Jun 22, 2020 at 01:07:15PM -0700, Todd Kjos wrote: > > The binder driver makes the assumption proc->context pointer is invariant > > after > > initialization (as documented in the kerneldoc header fo

Re: [PATCH] binder: fix null deref of proc->context

2020-06-22 Thread Todd Kjos
On Mon, Jun 22, 2020 at 1:18 PM Todd Kjos wrote: > > On Mon, Jun 22, 2020 at 1:09 PM Christian Brauner > wrote: > > > > On Mon, Jun 22, 2020 at 01:07:15PM -0700, Todd Kjos wrote: > > > The binder driver makes the assumption proc->context pointer is invariant

[PATCH] binder: fix sparse issue in binder_alloc_selftest.c

2019-02-13 Thread Todd Kjos
e: warning: incorrect type in assignment (different address spaces) sparse:expected void *page_addr sparse:got void [noderef] *user_data sparse: error: subtraction of different types can't work Fixed by adding necessary "__user" tags. Reported-by: kbuild test robot Sign

Re: [PATCH v3 1/7] binder: create userspace-to-binder-buffer copy function

2019-02-14 Thread Todd Kjos
On Thu, Feb 14, 2019 at 11:45 AM Joel Fernandes wrote: > > Hi Todd, > > One quick question: > > On Fri, Feb 08, 2019 at 10:35:14AM -0800, Todd Kjos wrote: > > The binder driver uses a vm_area to map the per-process > > binder buffer space. For 32-bit android devic

Re: [PATCH v3 1/7] binder: create userspace-to-binder-buffer copy function

2019-02-14 Thread Todd Kjos
On Thu, Feb 14, 2019 at 1:25 PM Joel Fernandes wrote: > > On Thu, Feb 14, 2019 at 03:53:54PM -0500, Joel Fernandes wrote: > > On Thu, Feb 14, 2019 at 3:42 PM Todd Kjos wrote: > > > > > > On Thu, Feb 14, 2019 at 11:45 AM Joel Fernandes wrote: > > [snip] &

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (2)

2019-02-14 Thread Todd Kjos
On Thu, Feb 14, 2019 at 3:35 AM syzbot wrote: > > syzbot has found a reproducer for the following crash on: > > HEAD commit:b3418f8bddf4 Add linux-next specific files for 20190214 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=161d2048c0 > kernel

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (2)

2019-02-14 Thread Todd Kjos
Trying again with the correct branch spec... On Thu, Feb 14, 2019 at 2:34 PM Todd Kjos wrote: > > On Thu, Feb 14, 2019 at 3:35 AM syzbot > wrote: > > > > syzbot has found a reproducer for the following crash on: > > > > HEAD commit:b3418f8bddf4 Add linux

[PATCH] binder: fix handling of misaligned binder object

2019-02-14 Thread Todd Kjos
Fixes crash found by syzbot: kernel BUG at drivers/android/binder_alloc.c:LINE! (2) Reported-by: syzbot+55de1eb4975dec156...@syzkaller.appspotmail.com Signed-off-by: Todd Kjos --- Applies to linux-next drivers/android/binder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

Re: [PATCH] binder: fix CONFIG_ANDROID_BINDER_DEVICES

2019-01-28 Thread Todd Kjos
> R13: 55b629ebed70 R14: 0004 R15: 55b629ebec60 > > So check for the empty string since strsep() will otherwise return the > empty string which will cause kobject_add_internal() to panic when trying > to add a kobject with an empty name. > > Fix

[PATCH 0/7] binder: eliminate use of vmalloc space for binder buffers

2019-01-28 Thread Todd Kjos
systems, there is a risk of running out of vmalloc space. This patch set removes the persistent mapping of the binder buffers into kernel space. Instead, the binder driver creates temporary mappings with kmap() or kmap_atomic() to copy to or from the buffer only when necessary. Todd Kjos (7

[PATCH 1/7] binder: create userspace-to-binder-buffer copy function

2019-01-28 Thread Todd Kjos
() for multi-page copies, it now uses binder_alloc_copy_user_to_buffer() which uses kmap() and kunmap() to map each page, and uses copy_from_user() for copying to that page. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 29 +++-- drivers/android/binder_alloc.c | 114

[PATCH 2/7] binder: add functions to copy to/from binder buffers

2019-01-28 Thread Todd Kjos
() / kunmap_atomic() use the appropriate cache flushing to support VIVT cache architectures. Allow binder to build if CPU_CACHE_VIVT is defined. Several uses of the new functions are added here. More to follow in subsequent patches. Signed-off-by: Todd Kjos --- drivers/android/Kconfig| 2

[PATCH 7/7] binder: use userspace pointer as base of buffer space

2019-01-28 Thread Todd Kjos
pointers. Refactor code to use offsets instead of user pointers. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 120 +++-- drivers/android/binder_alloc.c | 89 drivers/android/binder_alloc.h | 6 +- drivers/android/binder_trace.

[PATCH 3/7] binder: add function to copy binder object from buffer

2019-01-28 Thread Todd Kjos
objects from the buffer to a local structure. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 75 +++- 1 file changed, 58 insertions(+), 17 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 74d0c1ff874e2..1563b9b60a0a3

[PATCH 6/7] binder: remove user_buffer_offset

2019-01-28 Thread Todd Kjos
Remove user_buffer_offset since there is no kernel buffer pointer anymore. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 38 +++--- drivers/android/binder_alloc.c | 16 ++ drivers/android/binder_alloc.h | 23 3 files

[PATCH 5/7] binder: remove kernel vm_area for buffer space

2019-01-28 Thread Todd Kjos
Remove the kernel's vm_area and the code that maps buffer pages into it. Signed-off-by: Todd Kjos --- drivers/android/binder_alloc.c | 40 ++ 1 file changed, 2 insertions(+), 38 deletions(-) diff --git a/drivers/android/binder_alloc.c b/drivers/android

[PATCH 4/7] binder: avoid kernel vm_area for buffer fixups

2019-01-28 Thread Todd Kjos
() binder_validate_fixup() binder_fixup_parent() Signed-off-by: Todd Kjos --- drivers/android/binder.c | 146 ++- 1 file changed, 97 insertions(+), 49 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 1563b9b60a0a3

[PATCH v3] binder: create node flag to request sender's security context

2019-01-14 Thread Todd Kjos
To allow servers to verify client identity, allow a node flag to be set that causes the sender's security context to be delivered with the transaction. The BR_TRANSACTION command is extended in BR_TRANSACTION_SEC_CTX to contain a pointer to the security context string. Signed-off-by: Todd Kjos

Re: [PATCH v3] binder: create node flag to request sender's security context

2019-01-14 Thread Todd Kjos
On Mon, Jan 14, 2019 at 10:33 AM Joel Fernandes wrote: > > On Mon, Jan 14, 2019 at 09:10:21AM -0800, Todd Kjos wrote: > > To allow servers to verify client identity, allow a node > > flag to be set that causes the sender's security context > > to be delive

Re: [PATCH v1] binderfs: remove separate device_initcall()

2019-02-05 Thread Todd Kjos
sers specify > CONFIG_ANDROID_IPC=y, CONFIG_ANDROID_BINDERFS=y and > ANDROID_BINDER_DEVICES="". > When CONFIG_ANDROID_BINDERFS=n then this always succeeds so there's no > regression potential for legacy workloads. > > Signed-off-by: Christian Brauner Acked-by: Todd Kjo

Re: [PATCH v2 0/7] binder: eliminate use of vmalloc space for binder buffers

2019-02-08 Thread Todd Kjos
On Fri, Feb 8, 2019 at 3:26 AM Greg KH wrote: > > On Wed, Jan 30, 2019 at 02:46:48PM -0800, Todd Kjos wrote: > > Binder buffers have always been mapped into kernel space > > via map_kernel_range_noflush() to allow the binder driver > > to modify the buffer bef

[PATCH v3 0/7] binder: eliminate use of vmalloc space for binder buffers

2019-02-08 Thread Todd Kjos
systems, there is a risk of running out of vmalloc space. This patch set removes the persistent mapping of the binder buffers into kernel space. Instead, the binder driver creates temporary mappings with kmap() or kmap_atomic() to copy to or from the buffer only when necessary. Todd Kjos (7

[PATCH v3 1/7] binder: create userspace-to-binder-buffer copy function

2019-02-08 Thread Todd Kjos
() for multi-page copies, it now uses binder_alloc_copy_user_to_buffer() which uses kmap() and kunmap() to map each page, and uses copy_from_user() for copying to that page. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter drivers/android/binder.c | 29 +++-- drivers

[PATCH v3 5/7] binder: remove kernel vm_area for buffer space

2019-02-08 Thread Todd Kjos
Remove the kernel's vm_area and the code that maps buffer pages into it. Signed-off-by: Todd Kjos --- drivers/android/binder_alloc.c | 40 ++ 1 file changed, 2 insertions(+), 38 deletions(-) diff --git a/drivers/android/binder_alloc.c b/drivers/android

[PATCH v3 4/7] binder: avoid kernel vm_area for buffer fixups

2019-02-08 Thread Todd Kjos
binder_validate_ptr() binder_validate_fixup() binder_fixup_parent() Signed-off-by: Todd Kjos --- drivers/android/binder.c | 146 ++- 1 file changed, 97 insertions(+), 49 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index

[PATCH v3 7/7] binder: use userspace pointer as base of buffer space

2019-02-08 Thread Todd Kjos
pointers. Refactor code to use offsets instead of user pointers. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter v3: fix build-break when CONFIG_ANDROID_BINDER_IPC_SELFTEST enabled drivers/android/binder.c| 118 ++-- drivers/and

[PATCH v3 6/7] binder: remove user_buffer_offset

2019-02-08 Thread Todd Kjos
Remove user_buffer_offset since there is no kernel buffer pointer anymore. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter drivers/android/binder.c | 39 ++ drivers/android/binder_alloc.c | 16 ++ drivers/android

[PATCH v3 3/7] binder: add function to copy binder object from buffer

2019-02-08 Thread Todd Kjos
objects from the buffer to a local structure. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter drivers/android/binder.c | 75 +++- 1 file changed, 58 insertions(+), 17 deletions(-) diff --git a/drivers/android/binder.c b/drivers

[PATCH v3 2/7] binder: add functions to copy to/from binder buffers

2019-02-08 Thread Todd Kjos
() / kunmap_atomic() use the appropriate cache flushing to support VIVT cache architectures. Allow binder to build if CPU_CACHE_VIVT is defined. Several uses of the new functions are added here. More to follow in subsequent patches. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter

Re: [PATCH 1/7] binder: create userspace-to-binder-buffer copy function

2019-01-29 Thread Todd Kjos
On Tue, Jan 29, 2019 at 12:12 AM Dan Carpenter wrote: > > On Mon, Jan 28, 2019 at 04:49:28PM -0800, Todd Kjos wrote: > > +/** > > + * binder_alloc_copy_user_to_buffer() - copy src user to tgt user > > + * @alloc: binder_alloc for this proc > > + * @buffer

[PATCH v2 5/7] binder: remove kernel vm_area for buffer space

2019-01-30 Thread Todd Kjos
Remove the kernel's vm_area and the code that maps buffer pages into it. Signed-off-by: Todd Kjos --- drivers/android/binder_alloc.c | 40 ++ 1 file changed, 2 insertions(+), 38 deletions(-) diff --git a/drivers/android/binder_alloc.c b/drivers/android

[PATCH v2 4/7] binder: avoid kernel vm_area for buffer fixups

2019-01-30 Thread Todd Kjos
() binder_validate_fixup() binder_fixup_parent() Signed-off-by: Todd Kjos --- drivers/android/binder.c | 146 ++- 1 file changed, 97 insertions(+), 49 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 8063b405e4fa

[PATCH v2 3/7] binder: add function to copy binder object from buffer

2019-01-30 Thread Todd Kjos
objects from the buffer to a local structure. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter drivers/android/binder.c | 75 +++- 1 file changed, 58 insertions(+), 17 deletions(-) diff --git a/drivers/android/binder.c b/drivers

[PATCH v2 2/7] binder: add functions to copy to/from binder buffers

2019-01-30 Thread Todd Kjos
() / kunmap_atomic() use the appropriate cache flushing to support VIVT cache architectures. Allow binder to build if CPU_CACHE_VIVT is defined. Several uses of the new functions are added here. More to follow in subsequent patches. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter

[PATCH v2 1/7] binder: create userspace-to-binder-buffer copy function

2019-01-30 Thread Todd Kjos
() for multi-page copies, it now uses binder_alloc_copy_user_to_buffer() which uses kmap() and kunmap() to map each page, and uses copy_from_user() for copying to that page. Signed-off-by: Todd Kjos --- v2: remove casts as suggested by Dan Carpenter drivers/android/binder.c | 29 +++-- drivers

[PATCH v2 0/7] binder: eliminate use of vmalloc space for binder buffers

2019-01-30 Thread Todd Kjos
systems, there is a risk of running out of vmalloc space. This patch set removes the persistent mapping of the binder buffers into kernel space. Instead, the binder driver creates temporary mappings with kmap() or kmap_atomic() to copy to or from the buffer only when necessary. Todd Kjos (7

[PATCH v2 6/7] binder: remove user_buffer_offset

2019-01-30 Thread Todd Kjos
Remove user_buffer_offset since there is no kernel buffer pointer anymore. Signed-off-by: Todd Kjos --- v2: removed casts as suggested by Dan Carpenter drivers/android/binder.c | 39 ++ drivers/android/binder_alloc.c | 16 ++ drivers/android

[PATCH v2 7/7] binder: use userspace pointer as base of buffer space

2019-01-30 Thread Todd Kjos
pointers. Refactor code to use offsets instead of user pointers. Signed-off-by: Todd Kjos --- v2: removed casts as suggested by Dan Carpenter drivers/android/binder.c | 118 +++-- drivers/android/binder_alloc.c | 87 drivers/android/b

[PATCH v2] binder: fix use-after-free due to ksys_close() during fdget()

2018-12-14 Thread Todd Kjos
a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro Signed-off-by: Todd Kjos --- v2: - simplified code If possible, please add to 4.20-final drivers/android/binder.c | 60 ++-- 1 file changed, 58 insertions(+), 2 deletions(-)

[PATCH v3] binder: fix use-after-free due to ksys_close() during fdget()

2018-12-14 Thread Todd Kjos
. The fput() is deferred instead of using ksys_close(). Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro Signed-off-by: Todd Kjos --- v2: - simplified code v3: - implemented Al Viro's suggestion to pass struct file instead of fd - added

Re: [PATCH V4] binder: ipc namespace support for android binder

2018-11-12 Thread Todd Kjos
+christ...@brauner.io +Martijn Coenen Christian, Does this patch work for your container use-cases? If not, please comment on this thread. Let's discuss at LPC this week. -Todd On Mon, Nov 12, 2018 at 1:38 AM chouryzhou(周威) wrote: > > Currently android's binder is not isolated by ipc

Re: [PATCH V4] binder: ipc namespace support for android binder

2018-11-13 Thread Todd Kjos
On Tue, Nov 13, 2018 at 12:12 AM chouryzhou(周威) wrote: > > > I have not received an answer to my questions in the last version of this > > patch > > set. Also it would be good if I could be Cc'ed by default. I can't hunt > > down all > > patches. > > I do not know of any kernel entity,

Re: [PATCH v1] binder: implement binderfs

2018-12-12 Thread Todd Kjos
gt; > > exit(EXIT_FAILURE); > > > > > > strncpy(device.name, argv[1], sizeof(device.name)); > > > > > > fd = open("/dev/binderfs/binder-control", O_RDONLY | O_CLOEXEC); > > > if (fd < 0) { > > &

[PATCH] binder: fix use-after-free due to ksys_close() during fdget()

2018-12-13 Thread Todd Kjos
a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro Signed-off-by: Todd Kjos --- drivers/android/binder.c | 91 +++- 1 file changed, 81 insertions(+), 10 deletions(-) diff --git a/drivers/android/binder.c b/drivers/an

Re: [PATCH] binder: fix use-after-free due to ksys_close() during fdget()

2018-12-13 Thread Todd Kjos
I need to make a change to this patch, so please ignore this version. I'll send a v2 soon. On Thu, Dec 13, 2018 at 1:04 PM Todd Kjos wrote: > > 44d8047f1d8 ("binder: use standard functions to allocate fds") > exposed a pre-existing issue in the binder driver. > > fdge

Re: [PATCH] binder: ipc namespace support for android binder

2018-10-26 Thread Todd Kjos
On Fri, Oct 26, 2018 at 2:20 AM chouryzhou(周威) wrote: > > Hi > We are working for running android in container, but we found that binder is > not isolated by ipc namespace. Since binder is a form of IPC and therefore > should > be tied to ipc namespace. With this patch, we can run more than

Re: [PATCH] binder: ipc namespace support for android binder

2018-10-29 Thread Todd Kjos
+christ...@brauner.io On Sun, Oct 28, 2018 at 7:29 PM chouryzhou(周威) wrote: ... > > > It's not obvious from this patch where this dependency comes > > from...why is SYSVIPC required? I'd like to not have to require IPC_NS > > either for devices. > > Yes, the patch is not highly dependent on

Re: [PATCH v1] binder: implement binderfs

2018-12-10 Thread Todd Kjos
strerror(errno)); > exit(EXIT_FAILURE); > } > > printf("Allocated new binder device with major %d, minor %d, and " > "name %s\n", device.major, device.minor, > device.name)

[PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
te fds") Suggested-by: Jann Horn Signed-off-by: Todd Kjos Acked-by: Martijn Coenen --- v2: added "Fixes:" tag Should be added to 4.20-final if possible drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/android/binder.c b/drivers/and

[PATCH v2 1/3] binder: fix sparse warnings on locking context

2018-12-05 Thread Todd Kjos
Add __acquire()/__release() annotations to fix warnings in sparse context checking. There is one case where the warning was due to a lack of a "default:" case in a switch statement where a lock was being released in each of the cases, so the default case was added. Signed-off-by:

[PATCH 2/3] binder: fix kerneldoc header for struct binder_buffer

2018-12-05 Thread Todd Kjos
Fix the incomplete kerneldoc header for struct binder_buffer. Signed-off-by: Todd Kjos --- v2: no code change. Removed needless "Change-Id:" There is no dependency on patch 1/3 drivers/android/binder_alloc.h | 20 ++-- 1 file changed, 10 insertions(+), 10 deletion

[PATCH 3/3] binder: filter out nodes when showing binder procs

2018-12-05 Thread Todd Kjos
When dumping out binder transactions via a debug node, the output is too verbose if a process has many nodes. Change the output for transaction dumps to only display nodes with pending async transactions. Signed-off-by: Todd Kjos --- v2: no change, just resubmitted as #3 of 3 patches instead

Re: [PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
On Wed, Dec 5, 2018 at 2:00 PM Al Viro wrote: > > On Wed, Dec 05, 2018 at 01:16:01PM -0800, Todd Kjos wrote: > > 44d8047f1d87a ("binder: use standard functions to allocate fds") > > exposed a pre-existing issue in the binder driver. > > > > fdget()

Re: [PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
On Wed, Dec 5, 2018 at 4:40 PM Al Viro wrote: > > On Wed, Dec 05, 2018 at 04:21:55PM -0800, Todd Kjos wrote: > > > > How about grabbing the references to all victims (*before* screwing with > > > ksys_close()), sticking them into a structure with embedded ca

Re: [PATCH v2 1/3] binder: fix sparse warnings on locking context

2018-12-06 Thread Todd Kjos
On Thu, Dec 6, 2018 at 6:51 AM Greg KH wrote: > > On Wed, Dec 05, 2018 at 03:19:24PM -0800, Todd Kjos wrote: > > Add __acquire()/__release() annotations to fix warnings > > in sparse context checking > > > > There is one case where the warning was due to a

Re: [PATCH v2] ANDROID: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl.

2018-10-17 Thread Todd Kjos
On Fri, Sep 7, 2018 at 6:38 AM Martijn Coenen wrote: > > This allows the context manager to retrieve information about nodes > that it holds a reference to, such as the current number of > references to those nodes. > > Such information can for example be used to determine whether the >

[PATCH] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- drivers/android/Kconfig| 2

[PATCH v2] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- v2: use "%zu" printk format

[PATCH] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- v2: use "%zu" printk format

Re: [PATCH v2] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
Sorry, forgot to bump the version. Ignore this one. On Tue, Aug 28, 2018 at 1:43 PM Todd Kjos wrote: > > Binder uses internal fs interfaces to allocate and install fds: > > __alloc_fd > __fd_install > __close_fd > get_files_struct > put_files_struct > > These we

Re: [PATCH] binder: use standard functions to allocate fds

2018-08-30 Thread Todd Kjos
On Wed, Aug 29, 2018 at 12:00 AM Christoph Hellwig wrote: > > > config ANDROID_BINDER_IPC > > bool "Android Binder IPC Driver" > > - depends on MMU > > + depends on MMU && !CPU_CACHE_VIVT > > That is a purely arm specific symbol which should not be > used in common code.

Re: possible deadlock in __do_page_fault

2018-09-20 Thread Todd Kjos
+Joel Fernandes On Thu, Sep 20, 2018 at 2:11 PM Andrew Morton wrote: > > > Thanks. Let's cc the ashmem folks. > > On Thu, 20 Sep 2018 14:04:05 -0700 syzbot > wrote: > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:a0cb0cabe4bb Add linux-next specific files for

[RFC] vruntime updated incorrectly when rt_mutex boots prio?

2018-08-07 Thread Todd Kjos
This issue was discovered on a 4.9-based android device, but the relevant mainline code appears to be the same. The symptom is that over time the some workloads become sluggish resulting in missed frames or sluggishness. It appears to be the same issue described in

[PATCH] binder: check for overflow when alloc for security context

2019-04-24 Thread Todd Kjos
When allocating space in the target buffer for the security context, make sure the extra_buffers_size doesn't overflow. This can only happen if the given size is invalid, but an overflow can turn it into a valid size. Fail the transaction if an overflow is detected. Signed-off-by: Todd Kjos

Re: [PATCH] binder: take read mode of mmap_sem in binder_alloc_free_page()

2019-04-22 Thread Todd Kjos
of the commits > mentioned above are applied. That's an unlikely situation since they > both landed during the development of v5.1 but only one of them is > targeted for stable. > > Fixes: 5cec2d2e5839 ("binder: fix race between munmap() and direct reclaim") > Signed-off-by:

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (3)

2019-05-17 Thread Todd Kjos
Fernandes, LKML, Martijn Coenen, syzkaller-bugs, Todd Kjos , Todd Kjos > On Fri, Mar 29, 2019 at 10:55 AM syzbot > wrote: > > > > Hello, > > > > syzbot has tested the proposed patch and the reproducer did not trigger > > crash: > > > > Repo

Re: binder stress testing

2019-05-17 Thread Todd Kjos
From: Dmitry Vyukov Date: Fri, May 17, 2019 at 3:26 AM To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, open list:ANDROID DRIVERS, LKML Cc: syzkaller > Hi, > > I have 2 questions re drivers/android/binder.c stress testing. > > 1

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (3)

2019-05-17 Thread Todd Kjos
On Fri, May 17, 2019 at 8:33 AM Dmitry Vyukov wrote: > > On Fri, May 17, 2019 at 5:26 PM Todd Kjos wrote: > > > > Yes (and syzbot seemed to confirm the fix). I didn't realize I needed > > to manually close the issue. I guess you closed it yesterday. > > This is

Re: binder stress testing

2019-05-17 Thread Todd Kjos
On Fri, May 17, 2019 at 8:55 AM Dmitry Vyukov wrote: > > On Fri, May 17, 2019 at 5:51 PM Dmitry Vyukov wrote: > > > > > > > > > > From: Dmitry Vyukov > > > > > Date: Fri, May 17, 2019 at 3:26 AM > > > > > To: Greg Kroah-

[PATCH] binder: fix BUG_ON found by selinux-testsuite

2019-03-20 Thread Todd Kjos
re Signed-off-by: Todd Kjos --- Please add to 5.1 (fixes problem introduced in 5.1-rc1) drivers/android/binder.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 8685882da64cd..4b9c7ca492e6d 100644 --- a/drivers/androi

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (3)

2019-03-28 Thread Todd Kjos
om. > > syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches From d49c95c944c15732ef57f1c876e24838b2ddf34b Mon Sep 17 00

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (3)

2019-03-28 Thread Todd Kjos
On Thu, Mar 28, 2019 at 12:27 PM syzbot wrote: > > Hello, > > syzbot tried to test the proposed patch but build/boot failed: > > patch is already applied > > > Tested on: > > commit: 0532a1b0 virt: vbox: Implement passing requestor info to t.. > git tree: >

Re: kernel BUG at drivers/android/binder_alloc.c:LINE! (3)

2019-03-28 Thread Todd Kjos
-misc.git > char-misc-linus > kernel config: https://syzkaller.appspot.com/x/.config?x=8dcdce25ea72bedf > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > From d49c95c944c15732ef57f1c876e24838b2ddf34b Mon Sep 17 00:00:00 2001 From: Todd Kjos Date: Tue, 19 Mar 2019 09:53:01 -0700

Re: [PATCH] binder: reduce mmap_sem write-side lock

2019-02-19 Thread Todd Kjos
t address space of the process. However, right lock to > > > release pages is down_read, not down_write because page table lock > > > already protects the race for parallel freeing. > > > > > > Please do not use mmap_sem write-side lock which is well known > &g

[PATCH] binder: fix race between munmap() and direct reclaim

2019-03-01 Thread Todd Kjos
acquired. This can result in calling zap_page_range() with an invalid vma which manifests as a use-after-free in zap_page_range(). The fix is to check alloc->vma after acquiring the mmap_sem (which we were acquiring anyway) and skip zap_page_range() if it has changed to NULL. Signed-off-b

Re: [PATCH] binder: fix race between munmap() and direct reclaim

2019-03-02 Thread Todd Kjos
On Fri, Mar 1, 2019 at 11:57 PM Greg KH wrote: > > On Fri, Mar 01, 2019 at 03:06:06PM -0800, Todd Kjos wrote: > > An munmap() on a binder device causes binder_vma_close() to be called > > which clears the alloc->vma pointer. > > > > If direct reclaim causes bind

Re: [PATCH v3 0/7] binder: eliminate use of vmalloc space for binder buffers

2019-02-11 Thread Todd Kjos
On Mon, Feb 11, 2019 at 8:57 AM Christoph Hellwig wrote: > > On Fri, Feb 08, 2019 at 10:35:13AM -0800, Todd Kjos wrote: > > Binder buffers have always been mapped into kernel space > > via map_kernel_range_noflush() to allow the binder driver > > to modify the buffer bef

Re: [PATCH] staging: android: vsoc: Remove VSOC_WAIT_FOR_INCOMING_INTERRUPT

2019-02-11 Thread Todd Kjos
+Alistair Strachan On Mon, Feb 11, 2019 at 9:11 AM Greg KH wrote: > > On Mon, Feb 11, 2019 at 10:15:18PM +0530, Souptick Joarder wrote: > > On Mon, Feb 11, 2019 at 9:27 PM Greg KH wrote: > > > > > > On Mon, Feb 11, 2019 at 09:21:19PM +0530, Souptick Joarder wrote: > > > > On Mon, Feb 11, 2019
