mirror of
https://github.com/torvalds/linux.git
synced 2026-06-13 09:17:53 +02:00
d43184d461
156 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Todd Kjos
|
f75b05ac56 |
UPSTREAM: binder: fix UAF when releasing todo list
When releasing a thread todo list when tearing down
a binder_proc, the following race was possible which
could result in a use-after-free:
1. Thread 1: enter binder_release_work from binder_thread_release
2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked()
3. Thread 2: dec nodeA --> 0 (will free node)
4. Thread 1: ACQ inner_proc_lock
5. Thread 2: block on inner_proc_lock
6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
7. Thread 1: REL inner_proc_lock
8. Thread 2: ACQ inner_proc_lock
9. Thread 2: todo list cleanup, but work was already dequeued
10. Thread 2: free node
11. Thread 2: REL inner_proc_lock
12. Thread 1: deref w->type (UAF)
The problem was that for a BINDER_WORK_NODE, the binder_work element
must not be accessed after releasing the inner_proc_lock while
processing the todo list elements since another thread might be
handling a deref on the node containing the binder_work element
leading to the node being freed.
Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com
Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Martijn Coenen
|
3b165ab697 |
FROMGIT: binder: print warnings when detecting oneway spamming.
The most common cause of the binder transaction buffer filling up is a
client rapidly firing oneway transactions into a process, before it has
a chance to handle them. Yet the root cause of this is often hard to
debug, because either the system or the app will stop, and by that time
binder debug information we dump in bugreports is no longer relevant.
This change warns as soon as a process dips below 80% of its oneway
space (less than 100kB available in the configuration), when any one
process is responsible for either more than 50 transactions, or more
than 50% of the oneway space.
Signed-off-by: Martijn Coenen <maco@android.com>
Signed-off-by: Martijn Coenen <maco@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200821122544.1277051-1-maco@android.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Todd Kjos
|
a0c68fd8e8 |
Revert "binder: Prevent context manager from incrementing ref 0"
This reverts commit c5665cafbedd2e2a523fe933e452391a02d3adb3. This patch was causing display hangs for Qualcomm after the 5.4.58 merge. Bug: 166779391 Change-Id: Iaf22ede68247422709b00f059e5c4d517f219adf Signed-off-by: Todd Kjos <tkjos@google.com> |
||
|
Greg Kroah-Hartman
|
c519a68e3a |
This is the 4.19.139 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl8ynf8ACgkQONu9yGCS
aT7/9hAAoTxKWdbp0peN5sGh6GqDix6M3H9Z5dexW/XIVk9Eg+pzBLOT0BWoM/qB
xnTOxu5yu2pYkMIoYSQc1cTNXeFeHU5qKiltgLmUTFFEolNcEHzWvSOb/uSUcvGR
x6r78cGm30qSyu7PCPcotzu/J95JUtzWraIB4sy1qVeU+rastRIcRDz7ZcUjFQ/b
PhDUusGY+d7ZA6+7vgLlT9LTmIlr/vQQA2kGxCkXZiKRLbJMmwm/IsS0G7NQMKMn
nnMg+qzrveaTDnuKYhsTSSTLn2WOQmYZmevYOZjrrwiBaksCW8ygaq9UGArUcsnq
PLgZGfhhoERmDp0mXxV9kngTkkgZ4OIlXP4sZiVbKiKNTnqTrMxCFPLpBqS2t0Eo
RPoGyjcIkKHGKq1KwnrX5esMyaZb76aYUhO3tFZrgDhIDa193SxH9Znyp7tr5Znz
3b5oH53wIA4k1kBkpA9ibhIhPjYeCDughI/oWC0ExcQAbWkPhIYqbmgWfbfzKVxo
Yq8VBlqfuZply1POmkgoge1oDD0A0LBk2mSLOl6wpzDN1umS0HtQLjWpbdEuugCq
S7wF+zDKJAz+O76ufyqv81KO5vAH4QcVSOBCH/HVGvsPZKwWvnWFQJ3cfXSm5iiA
Uj++z6jI4suc1Y4unjLHmr3EdXEUSSq7Kbi+mXj1GL1gi1qM8rE=
=ZQmS
-----END PGP SIGNATURE-----
Merge 4.19.139 into android-4.19-stable
Changes in 4.19.139
USB: serial: qcserial: add EM7305 QDL product ID
USB: iowarrior: fix up report size handling for some devices
usb: xhci: define IDs for various ASMedia host controllers
usb: xhci: Fix ASMedia ASM1142 DMA addressing
Revert "ALSA: hda: call runtime_allow() for all hda controllers"
ALSA: seq: oss: Serialize ioctls
staging: android: ashmem: Fix lockdep warning for write operation
Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
omapfb: dss: Fix max fclk divider for omap36xx
binder: Prevent context manager from incrementing ref 0
vgacon: Fix for missing check in scrollback handling
mtd: properly check all write ioctls for permissions
leds: wm831x-status: fix use-after-free on unbind
leds: da903x: fix use-after-free on unbind
leds: lm3533: fix use-after-free on unbind
leds: 88pm860x: fix use-after-free on unbind
net/9p: validate fds in p9_fd_open
drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason
drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
i2c: slave: improve sanity check when registering
i2c: slave: add sanity check when unregistering
usb: hso: check for return value in hso_serial_common_create()
firmware: Fix a reference count leak.
cfg80211: check vendor command doit pointer before use
igb: reinit_locked() should be called with rtnl_lock
atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
tools lib traceevent: Fix memory leak in process_dynamic_array_len
Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
xattr: break delegations in {set,remove}xattr
ipv4: Silence suspicious RCU usage warning
ipv6: fix memory leaks on IPV6_ADDRFORM path
net: ethernet: mtk_eth_soc: fix MTU warnings
vxlan: Ensure FDB dump is performed under RCU
net: lan78xx: replace bogus endpoint lookup
hv_netvsc: do not use VF device if link is down
net: gre: recompute gre csum for sctp over gre tunnels
net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task()
openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
Revert "vxlan: fix tos value before xmit"
selftests/net: relax cpu affinity requirement in msg_zerocopy test
rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
i40e: add num_vectors checker in iwarp handler
i40e: Wrong truncation from u16 to u8
i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
i40e: Memory leak in i40e_config_iwarp_qvlist
Smack: fix use-after-free in smk_write_relabel_self()
Linux 4.19.139
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If64996b6bc365365c5f06165ed8c7648336731bf
|
||
|
Jann Horn
|
74e42c22f2 |
binder: Prevent context manager from incrementing ref 0
commit |
||
|
Todd Kjos
|
41e863e2ea |
UPSTREAM: binder: fix null deref of proc->context
commit |
||
|
Christian Brauner
|
e8281e59c9 |
UPSTREAM: binder: prevent UAF for binderfs devices II
This is a necessary follow up to the first fix I proposed and we merged in |
||
|
Christian Brauner
|
31ddf99370 |
UPSTREAM: binder: prevent UAF for binderfs devices
On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
called which punts the actual cleanup operation to a workqueue. At some
point, binder_deferred_func() will be called which will end up calling
binder_deferred_release() which will retrieve and cleanup the
binder_context attach to this struct binder_proc.
If we trace back where this binder_context is attached to binder_proc we
see that it is set in binder_open() and is taken from the struct
binder_device it is associated with. This obviously assumes that the
struct binder_device that context is attached to is _never_ freed. While
that might be true for devtmpfs binder devices it is most certainly
wrong for binderfs binder devices.
So, assume binder_open() is called on a binderfs binder devices. We now
stash away the struct binder_context associated with that struct
binder_devices:
proc->context = &binder_dev->context;
/* binderfs stashes devices in i_private */
if (is_binderfs_device(nodp)) {
binder_dev = nodp->i_private;
info = nodp->i_sb->s_fs_info;
binder_binderfs_dir_entry_proc = info->proc_log_dir;
} else {
.
.
.
proc->context = &binder_dev->context;
Now let's assume that the binderfs instance for that binder devices is
shutdown via umount() and/or the mount namespace associated with it goes
away. As long as there is still an fd open for that binderfs binder
device things are fine. But let's assume we now close the last fd for
that binderfs binder device. Now binder_release() is called and punts to
the workqueue. Assume that the workqueue has quite a bit of stuff to do
and doesn't get to cleaning up the struct binder_proc and the associated
struct binder_context with it for that binderfs binder device right
away. In the meantime, the VFS is killing the super block and is
ultimately calling sb->evict_inode() which means it will call
binderfs_evict_inode() which does:
static void binderfs_evict_inode(struct inode *inode)
{
struct binder_device *device = inode->i_private;
struct binderfs_info *info = BINDERFS_I(inode);
clear_inode(inode);
if (!S_ISCHR(inode->i_mode) || !device)
return;
mutex_lock(&binderfs_minors_mutex);
--info->device_count;
ida_free(&binderfs_minors, device->miscdev.minor);
mutex_unlock(&binderfs_minors_mutex);
kfree(device->context.name);
kfree(device);
}
thereby freeing the struct binder_device including struct
binder_context.
Now the workqueue finally has time to get around to cleaning up struct
binder_proc and is now trying to access the associate struct
binder_context. Since it's already freed it will OOPs.
Fix this by holding an additional reference to the inode that is only
released once the workqueue is done cleaning up struct binder_proc. This
is an easy alternative to introducing separate refcounting on struct
binder_device which we can always do later if it becomes necessary.
This is an alternative fix to
|
||
|
Todd Kjos
|
64b698c15a |
UPSTREAM: binder: fix incorrect calculation for num_valid
commit |
||
|
Hridya Valsaraju
|
725ce554a4 |
UPSTREAM: binder: Add binder_proc logging to binderfs
Currently /sys/kernel/debug/binder/proc contains
the debug data for every binder_proc instance.
This patch makes this information also available
in a binderfs instance mounted with a mount option
"stats=global" in addition to debugfs. The patch does
not affect the presence of the file in debugfs.
If a binderfs instance is mounted at path /dev/binderfs,
this file would be present at /dev/binderfs/binder_logs/proc.
This change provides an alternate way to access this file when debugfs
is not mounted.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Link: https://lore.kernel.org/r/20190903161655.107408-5-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit
|
||
|
Hridya Valsaraju
|
ce106a8de6 |
UPSTREAM: binder: Make transaction_log available in binderfs
Currently, the binder transaction log files 'transaction_log' and 'failed_transaction_log' live in debugfs at the following locations: /sys/kernel/debug/binder/failed_transaction_log /sys/kernel/debug/binder/transaction_log This patch makes these files also available in a binderfs instance mounted with the mount option "stats=global". It does not affect the presence of these files in debugfs. If a binderfs instance is mounted at path /dev/binderfs, the location of these files will be as follows: /dev/binderfs/binder_logs/failed_transaction_log /dev/binderfs/binder_logs/transaction_log This change provides an alternate option to access these files when debugfs is not mounted. Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Hridya Valsaraju <hridya@google.com> Link: https://lore.kernel.org/r/20190903161655.107408-4-hridya@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 136497735 (cherry picked from commit c31e73121f4c1ec41143423ac6ce3ce6dafdcec1) Change-Id: I20d9e6c4c7115297f9740cc42a516c315b3a209e |
||
|
Hridya Valsaraju
|
7aeb384a5f |
UPSTREAM: binder: Add stats, state and transactions files
The following binder stat files currently live in debugfs.
/sys/kernel/debug/binder/state
/sys/kernel/debug/binder/stats
/sys/kernel/debug/binder/transactions
This patch makes these files available in a binderfs instance
mounted with the mount option 'stats=global'. For example, if a binderfs
instance is mounted at path /dev/binderfs, the above files will be
available at the following locations:
/dev/binderfs/binder_logs/state
/dev/binderfs/binder_logs/stats
/dev/binderfs/binder_logs/transactions
This provides a way to access them even when debugfs is not mounted.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20190903161655.107408-3-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit
|
||
|
Hridya Valsaraju
|
5d46bcfa79 |
UPSTREAM: binder: Add default binder devices through binderfs when configured
Currently, since each binderfs instance needs its own
private binder devices, every time a binderfs instance is
mounted, all the default binder devices need to be created
via the BINDER_CTL_ADD IOCTL. This patch aims to
add a solution to automatically create the default binder
devices for each binderfs instance that gets mounted.
To achieve this goal, when CONFIG_ANDROID_BINDERFS is set,
the default binder devices specified by CONFIG_ANDROID_BINDER_DEVICES
are created in each binderfs instance instead of global devices
being created by the binder driver.
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Bug: 136497735
(cherry picked from commit
|
||
|
Christian Brauner
|
c30322673b |
UPSTREAM: binder: fix CONFIG_ANDROID_BINDER_DEVICES
Several users have tried to only rely on binderfs to provide binder devices and set CONFIG_ANDROID_BINDER_DEVICES="" empty. This is a great use-case of binderfs and one that was always intended to work. However, this is currently not possible since setting CONFIG_ANDROID_BINDER_DEVICES="" emtpy will simply panic the kernel: kobject: (00000000028c2f79): attempted to be registered with empty name! WARNING: CPU: 7 PID: 1703 at lib/kobject.c:228 kobject_add_internal+0x288/0x2b0 Modules linked in: binder_linux(+) bridge stp llc ipmi_ssif gpio_ich dcdbas coretemp kvm_intel kvm irqbypass serio_raw input_leds lpc_ich i5100_edac mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel ib_i CPU: 7 PID: 1703 Comm: modprobe Not tainted 5.0.0-rc2-brauner-binderfs #263 Hardware name: Dell DCS XS24-SC2 /XS24-SC2 , BIOS S59_3C20 04/07/2011 RIP: 0010:kobject_add_internal+0x288/0x2b0 Code: 12 95 48 c7 c7 78 63 3b 95 e8 77 35 71 ff e9 91 fe ff ff 0f 0b eb a7 0f 0b eb 9a 48 89 de 48 c7 c7 00 63 3b 95 e8 f8 95 6a ff <0f> 0b 41 bc ea ff ff ff e9 6d fe ff ff 41 bc fe ff ff ff e9 62 fe RSP: 0018:ffff973f84237a30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8b53e2472010 RCX: 0000000000000006 RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffff8b53edbd63a0 RBP: ffff973f84237a60 R08: 0000000000000342 R09: 0000000000000004 R10: ffff973f84237af0 R11: 0000000000000001 R12: 0000000000000000 R13: ffff8b53e9f1a1e0 R14: 00000000e9f1a1e0 R15: 0000000000a00037 FS: 00007fbac36f7540(0000) GS:ffff8b53edbc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbac364cfa7 CR3: 00000004a6d48000 CR4: 00000000000406e0 Call Trace: kobject_add+0x71/0xd0 ? _cond_resched+0x19/0x40 ? mutex_lock+0x12/0x40 device_add+0x12e/0x6b0 device_create_groups_vargs+0xe4/0xf0 device_create_with_groups+0x3f/0x60 ? _cond_resched+0x19/0x40 misc_register+0x140/0x180 binder_init+0x1ed/0x2d4 [binder_linux] ? trace_event_define_fields_binder_transaction_fd_send+0x8e/0x8e [binder_linux] do_one_initcall+0x4a/0x1c9 ? _cond_resched+0x19/0x40 ? kmem_cache_alloc_trace+0x151/0x1c0 do_init_module+0x5f/0x216 load_module+0x223d/0x2b20 __do_sys_finit_module+0xfc/0x120 ? __do_sys_finit_module+0xfc/0x120 __x64_sys_finit_module+0x1a/0x20 do_syscall_64+0x5a/0x120 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fbac3202839 Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffd1494a908 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 000055b629ebec60 RCX: 00007fbac3202839 RDX: 0000000000000000 RSI: 000055b629c20d2e RDI: 0000000000000003 RBP: 000055b629c20d2e R08: 0000000000000000 R09: 000055b629ec2310 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 R13: 000055b629ebed70 R14: 0000000000040000 R15: 000055b629ebec60 So check for the empty string since strsep() will otherwise return the emtpy string which will cause kobject_add_internal() to panic when trying to add a kobject with an emtpy name. Fixes: |
||
|
Rasmus Villemoes
|
760b8036e6 |
UPSTREAM: android: binder: use kstrdup instead of open-coding it
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Bug: 136497735
Change-Id: I545073facdb76ea12accfc7bfa4738f2e3bf0b28
(cherry picked from commit
|
||
|
Christian Brauner
|
8d0719a920 |
UPSTREAM: binderfs: remove separate device_initcall()
binderfs should not have a separate device_initcall(). When a kernel is
compiled with CONFIG_ANDROID_BINDERFS register the filesystem alongside
CONFIG_ANDROID_IPC. This use-case is especially sensible when users specify
CONFIG_ANDROID_IPC=y, CONFIG_ANDROID_BINDERFS=y and
ANDROID_BINDER_DEVICES="".
When CONFIG_ANDROID_BINDERFS=n then this always succeeds so there's no
regression potential for legacy workloads.
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit
|
||
|
Christian Brauner
|
3492afe5d5 |
UPSTREAM: binder: implement binderfs
As discussed at Linux Plumbers Conference 2018 in Vancouver [1] this is the
implementation of binderfs.
/* Abstract */
binderfs is a backwards-compatible filesystem for Android's binder ipc
mechanism. Each ipc namespace will mount a new binderfs instance. Mounting
binderfs multiple times at different locations in the same ipc namespace
will not cause a new super block to be allocated and hence it will be the
same filesystem instance.
Each new binderfs mount will have its own set of binder devices only
visible in the ipc namespace it has been mounted in. All devices in a new
binderfs mount will follow the scheme binder%d and numbering will always
start at 0.
/* Backwards compatibility */
Devices requested in the Kconfig via CONFIG_ANDROID_BINDER_DEVICES for the
initial ipc namespace will work as before. They will be registered via
misc_register() and appear in the devtmpfs mount. Specifically, the
standard devices binder, hwbinder, and vndbinder will all appear in their
standard locations in /dev. Mounting or unmounting the binderfs mount in
the initial ipc namespace will have no effect on these devices, i.e. they
will neither show up in the binderfs mount nor will they disappear when the
binderfs mount is gone.
/* binder-control */
Each new binderfs instance comes with a binder-control device. No other
devices will be present at first. The binder-control device can be used to
dynamically allocate binder devices. All requests operate on the binderfs
mount the binder-control device resides in.
Assuming a new instance of binderfs has been mounted at /dev/binderfs
via mount -t binderfs binderfs /dev/binderfs. Then a request to create a
new binder device can be made as illustrated in [2].
Binderfs devices can simply be removed via unlink().
/* Implementation details */
- dynamic major number allocation:
When binderfs is registered as a new filesystem it will dynamically
allocate a new major number. The allocated major number will be returned
in struct binderfs_device when a new binder device is allocated.
- global minor number tracking:
Minor are tracked in a global idr struct that is capped at
BINDERFS_MAX_MINOR. The minor number tracker is protected by a global
mutex. This is the only point of contention between binderfs mounts.
- struct binderfs_info:
Each binderfs super block has its own struct binderfs_info that tracks
specific details about a binderfs instance:
- ipc namespace
- dentry of the binder-control device
- root uid and root gid of the user namespace the binderfs instance
was mounted in
- mountable by user namespace root:
binderfs can be mounted by user namespace root in a non-initial user
namespace. The devices will be owned by user namespace root.
- binderfs binder devices without misc infrastructure:
New binder devices associated with a binderfs mount do not use the
full misc_register() infrastructure.
The misc_register() infrastructure can only create new devices in the
host's devtmpfs mount. binderfs does however only make devices appear
under its own mountpoint and thus allocates new character device nodes
from the inode of the root dentry of the super block. This will have
the side-effect that binderfs specific device nodes do not appear in
sysfs. This behavior is similar to devpts allocated pts devices and
has no effect on the functionality of the ipc mechanism itself.
[1]: https://goo.gl/JL2tfX
[2]: program to allocate a new binderfs binder device:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/android/binder_ctl.h>
int main(int argc, char *argv[])
{
int fd, ret, saved_errno;
size_t len;
struct binderfs_device device = { 0 };
if (argc < 2)
exit(EXIT_FAILURE);
len = strlen(argv[1]);
if (len > BINDERFS_MAX_NAME)
exit(EXIT_FAILURE);
memcpy(device.name, argv[1], len);
fd = open("/dev/binderfs/binder-control", O_RDONLY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open binder-control device\n",
strerror(errno));
exit(EXIT_FAILURE);
}
ret = ioctl(fd, BINDER_CTL_ADD, &device);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to allocate new binder device\n",
strerror(errno));
exit(EXIT_FAILURE);
}
printf("Allocated new binder device with major %d, minor %d, and "
"name %s\n", device.major, device.minor,
device.name);
exit(EXIT_SUCCESS);
}
Cc: Martijn Coenen <maco@android.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit
|
||
|
Yangtao Li
|
56ed129659 |
UPSTREAM: binder: remove BINDER_DEBUG_ENTRY()
We already have the DEFINE_SHOW_ATTRIBUTE.There is no need to define
such a macro,so remove BINDER_DEBUG_ENTRY.
Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Reviewed-by: Joey Pabalinas <joeypabalinas@gmail.com>
Acked-by: Todd Kjos <tkjos@android.com>
Bug: 136497735
(cherry picked from commit
|
||
|
Greg Kroah-Hartman
|
44b82a3d1b |
This is the 4.19.85 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3VfEoACgkQONu9yGCS aT7vHRAAv3fZQ5+Rn0zn0cgYsgG5OGbtHL01aJB99g2Dgf/VmB3OrB2rx+ZF7WVw Uakab5XZp6rLSxG4LNQy7jjIuxADdDab5xWTlhqpEHVydsFC9IOktT91DW2luf8Y Xyr8q7sQIS7eV67NkUnUSqri1IdsRNB5qeWmhC0l6+PSuQrk+WF0y5B4TtrjF5Er GjYTq9RTJh7/luFKUSmxN8+TIwo4uY15b3oqX75LMPObzbH+c5iqp5QiHJh/BQ7/ awf7kxlMay0V/hPRmGomHxX70TgHTF2er0b+HyJwf1OX0zgKycsztWZT+p7qN+DT yjPWwYJ3kGs/7GwZL7HNhk8p/3aDf9HFHFvbVSty63wgZ8dfo4EuXZ9YfWa+lfI8 Kn4wKeynUvrvNLH9iYug/XuEPjXysQeSlBaL4pZTPTWtipu1MP0OpR05l8UzO2cO lqWgf0Y7wsunZBeyCLkWd9TCO7gd1s7csdkJAy37rG7mCjN3p83NeMznLlj+H4I8 MHlcAWdlxlWWitKohi0kr/VYiHmhBVsOZu4rQmuCBWuo++HrWwn7XaGBzYsP8Eku 7ZNaS5oJFAjBzKnQxp8i3mgE8ifODuokgPISImyyRWidedfoHcv6Kr+pdEoQ+gjk nL5xwqKAMsh/vMyxVmetzytULHtvBqJelquzQcfnanyEvBoS46Q= =EUxi -----END PGP SIGNATURE----- Merge 4.19.85 into android-4.19 Changes in 4.19.85 KVM: x86: introduce is_pae_paging MIPS: BCM63XX: fix switch core reset on BCM6368 scsi: core: Handle drivers which set sg_tablesize to zero ax88172a: fix information leak on short answers ipmr: Fix skb headroom in ipmr_get_route(). net: gemini: add missed free_netdev net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules slip: Fix memory leak in slip_open error path ALSA: usb-audio: Fix missing error check at mixer resolution test ALSA: usb-audio: not submit urb for stopped endpoint ALSA: usb-audio: Fix incorrect NULL check in create_yamaha_midi_quirk() ALSA: usb-audio: Fix incorrect size check for processing/extension units Btrfs: fix log context list corruption after rename exchange operation Input: ff-memless - kill timer in destroy() Input: synaptics-rmi4 - fix video buffer size Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver Input: synaptics-rmi4 - do not consume more data than we have (F11, F12) Input: synaptics-rmi4 - clear IRQ enables for F54 Input: synaptics-rmi4 - destroy F54 poller workqueue when removing IB/hfi1: Ensure full Gen3 speed in a Gen4 system IB/hfi1: Use a common pad buffer for 9B and 16B packets i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either net: ethernet: dwmac-sun8i: Use the correct function in exit path iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros mm: mempolicy: fix the wrong return value and potential pages leak of mbind mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() mmc: sdhci-of-at91: fix quirk2 overwrite iio: adc: max9611: explicitly cast gain_selectors tee: optee: take DT status property into account ath10k: fix kernel panic by moving pci flush after napi_disable iio: dac: mcp4922: fix error handling in mcp4922_write_raw clk: sunxi-ng: h6: fix PWM gate/reset offset soundwire: Initialize completion for defer messages soundwire: intel: Fix uninitialized adev deref arm64: dts: allwinner: a64: Orange Pi Win: Fix SD card node arm64: dts: allwinner: a64: Olinuxino: fix DRAM voltage arm64: dts: allwinner: a64: NanoPi-A64: Fix DCDC1 voltage ALSA: pcm: signedness bug in snd_pcm_plug_alloc() soc/tegra: pmc: Fix pad voltage configuration for Tegra186 arm64: dts: tegra210-p2180: Correct sdmmc4 vqmmc-supply y2038: make do_gettimeofday() and get_seconds() inline ARM: dts: rcar: Correct SATA device sizes to 2 MiB ARM: dts: at91/trivial: Fix USART1 definition for at91sam9g45 rtc: sysfs: fix NULL check in rtc_add_groups() rtc: rv8803: fix the rv8803 id in the OF table remoteproc/davinci: Use %zx for formating size_t extcon: cht-wc: Return from default case to avoid warnings cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set ALSA: seq: Do error checks at creating system ports ath10k: skip resetting rx filter for WCN3990 ath9k: fix tx99 with monitor mode interface wil6210: drop Rx multicast packets that are looped-back to STA wil6210: set edma variables only for Talyn-MB devices wil6210: prevent usage of tx ring 0 for eDMA wil6210: fix invalid memory access for rx_buff_mgmt debugfs ath10k: limit available channels via DT ieee80211-freq-limit ice: Update request resource command to latest specification ice: Prevent control queue operations during reset gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated ice: Fix and update driver version string ASoC: dapm: Don't fail creating new DAPM control on NULL pinctrl ASoC: dpcm: Properly initialise hw->rate_max ASoC: meson: axg-fifo: report interrupt request failure ASoC: AMD: Change MCLK to 48Mhz pinctrl: ingenic: Probe driver at subsys_initcall MIPS: BCM47XX: Enable USB power on Netgear WNDR3400v3 ARM: dts: exynos: Use i2c-gpio for HDMI-DDC on Arndale ARM: dts: exynos: Fix HDMI-HPD line handling on Arndale ARM: dts: exynos: Fix sound in Snow-rev5 Chromebook liquidio: fix race condition in instruction completion processing arm64: dts: stratix10: i2c clock running out of spec ARM: dts: exynos: Fix regulators configuration on Peach Pi/Pit Chromebooks i40evf: Validate the number of queues a PF sends i40e: use correct length for strncpy i40evf: set IFF_UNICAST_FLT flag for the VF i40e: Check and correct speed values for link on open i40evf: Don't enable vlan stripping when rx offload is turned on i40e: hold the rtnl lock on clearing interrupt scheme i40evf: cancel workqueue sync for adminq when a VF is removed i40e: Prevent deleting MAC address from VF when set by PF IB/rxe: avoid back-to-back retries IB/rxe: fixes for rdma read retry iwlwifi: drop packets with bad status in CD iwlwifi: don't WARN on trying to dump dead firmware iwlwifi: mvm: avoid sending too many BARs media: vicodec: fix out-of-range values when decoding media: i2c: Fix pm_runtime_get_if_in_use() usage in sensor drivers media: ov772x: Disable clk on error path ARM: dts: pxa: fix the rtc controller ARM: dts: pxa: fix power i2c base address rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument mwifiex: do no submit URB in suspended state mwifex: free rx_cmd skb in suspended state brcmfmac: fix wrong strnchr usage mt76: Fix comparisons with invalid hardware key index soc: imx: gpc: fix PDN delay ASoC: rsnd: ssi: Fix issue in dma data address assignment net: hns3: Fix for multicast failure net: hns3: Fix error of checking used vlan id net: hns3: Fix for loopback selftest failed problem net: hns3: Change the dst mac addr of loopback packet net/mlx5: Fix atomic_mode enum values net: phy: mscc: read 'vsc8531,vddmac' as an u32 net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 ARM: dts: meson8: fix the clock controller register size ARM: dts: meson8b: fix the clock controller register size mtd: rawnand: marvell: use regmap_update_bits() for syscon access mtd: rawnand: fsl_ifc: check result of SRAM initialization mtd: rawnand: fsl_ifc: fixup SRAM init for newer ctrl versions mtd: rawnand: qcom: don't include dma-direct.h IB/mlx5: Change TX affinity assignment in RoCE LAG mode qxl: fix null-pointer crash during suspend mac80211: fix saving a few HE values cfg80211: validate wmm rule when setting f2fs: avoid wrong decrypted data from disk net: lan78xx: Bail out if lan78xx_get_endpoints fails rtnetlink: move type calculation out of loop ASoC: sgtl5000: avoid division by zero if lo_vag is zero ath10k: avoid possible memory access violation ARM: dts: exynos: Disable pull control for S5M8767 PMIC ath10k: wmi: disable softirq's while calling ieee80211_rx i2c: mediatek: Use DMA safe buffers for i2c transactions IB/mlx5: Don't hold spin lock while checking device state IB/ipoib: Ensure that MTU isn't less than minimum permitted RDMA/core: Rate limit MAD error messages RDMA/core: Follow correct unregister order between sysfs and cgroup mips: txx9: fix iounmap related issue udf: Fix crash during mount ASoC: dapm: Avoid uninitialised variable warning ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation ata: Disable AHCI ALPM feature for Ampere Computing eMAG SATA of: make PowerMac cache node search conditional on CONFIG_PPC_PMAC ARM: dts: omap3-gta04: give spi_lcd node a label so that we can overwrite in other DTS files ARM: dts: omap3-gta04: fixes for tvout / venc ARM: dts: omap3-gta04: tvout: enable as display1 alias ARM: dts: omap3-gta04: fix touchscreen tsc2007 ARM: dts: omap3-gta04: make NAND partitions compatible with recent U-Boot ARM: dts: omap3-gta04: keep vpll2 always on f2fs: submit bio after shutdown failover: Fix error return code in net_failover_create sched/debug: Explicitly cast sched_feat() to bool sched/debug: Use symbolic names for task state constants firmware: arm_scmi: use strlcpy to ensure NULL-terminated strings arm64: dts: rockchip: Fix VCC5V0_HOST_EN on rk3399-sapphire ARM: dts: exynos: Disable pull control for PMIC IRQ line on Artik5 board usb: mtu3: disable vbus rise/fall interrupts of ltssm dmaengine: dma-jz4780: Don't depend on MACH_JZ4780 dmaengine: dma-jz4780: Further residue status fix EDAC, sb_edac: Return early on ADDRV bit and address type test rtc: mt6397: fix possible race condition rtc: pl030: fix possible race condition ath9k: add back support for using active monitor interfaces for tx99 dmaengine: at_xdmac: remove a stray bottom half unlock RDMA/hns: Fix an error code in hns_roce_v2_init_eq_table() IB/hfi1: Missing return value in error path for user sdma signal: Always ignore SIGKILL and SIGSTOP sent to the global init signal: Properly deliver SIGILL from uprobes signal: Properly deliver SIGSEGV from x86 uprobes f2fs: fix memory leak of write_io in fill_super() f2fs: fix memory leak of percpu counter in fill_super() f2fs: fix setattr project check upon fssetxattr ioctl scsi: qla2xxx: Use correct qpair for ABTS/CMD scsi: qla2xxx: Fix iIDMA error scsi: qla2xxx: Defer chip reset until target mode is enabled scsi: qla2xxx: Terminate Plogi/PRLI if WWN is 0 scsi: qla2xxx: Fix deadlock between ATIO and HW lock scsi: qla2xxx: Increase abort timeout value scsi: qla2xxx: Check for Register disconnect scsi: qla2xxx: Fix port speed display on chip reset scsi: qla2xxx: Fix dropped srb resource. scsi: qla2xxx: Fix duplicate switch's Nport ID entries scsi: lpfc: Fix GFT_ID and PRLI logic for RSCN scsi: lpfc: Correct invalid EQ doorbell write on if_type=6 scsi: lpfc: Fix errors in log messages. scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir() ARM: imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set scsi: pm80xx: Corrected dma_unmap_sg() parameter scsi: pm80xx: Fixed system hang issue during kexec boot kprobes: Don't call BUG_ON() if there is a kprobe in use on free list net: aquantia: fix hw_atl_utils_fw_upload_dwords Drivers: hv: vmbus: Fix synic per-cpu context initialization nvmem: core: return error code instead of NULL from nvmem_device_get media: dt-bindings: adv748x: Fix decimal unit addresses ALSA: hda: Fix implicit definition of pci_iomap() on SH media: fix: media: pci: meye: validate offset to avoid arbitrary access media: dvb: fix compat ioctl translation net: bcmgenet: Fix speed selection for reverse MII arm64: dts: meson: libretech: update board model arm64: dts: meson-axg: use the proper compatible for ethmac ALSA: intel8x0m: Register irq handler after register initializations arm64: dts: renesas: salvator-common: adv748x: Override secondary addresses arm64: dts: renesas: r8a77965: Attach the SYS-DMAC to the IPMMU arm64: dts: renesas: r8a77965: Fix HS-USB compatible arm64: dts: renesas: r8a77965: Fix clock/reset for usb2_phy1 pinctrl: at91-pio4: fix has_config check in atmel_pctl_dt_subnode_to_map() llc: avoid blocking in llc_sap_close() ARM: dts: qcom: ipq4019: fix cpu0's qcom,saw2 reg value soc: qcom: geni: Don't ignore clk_round_rate() errors in geni_se_clk_tbl_get() soc: qcom: geni: geni_se_clk_freq_match() should always accept multiples soc: qcom: wcnss_ctrl: Avoid string overflow soc: qcom: apr: Avoid string overflow drivers: qcom: rpmh-rsc: clear wait_for_compl after use arm64: dts: broadcom: Fix I2C and SPI bus warnings ARM: dts: bcm: Fix SPI bus warnings ARM: dts: aspeed: Fix I2C bus warnings powerpc/vdso: Correct call frame information ARM: dts: socfpga: Fix I2C bus unit-address error ARM: dts: sunxi: Fix I2C bus warnings pinctrl: at91: don't use the same irqchip with multiple gpiochips ARM: dts: sun9i: Fix I2C bus warnings android: binder: no outgoing transaction when thread todo has transaction cxgb4: Fix endianness issue in t4_fwcache() arm64: fix for bad_mode() handler to always result in panic block, bfq: inject other-queue I/O into seeky idle queues on NCQ flash blok, bfq: do not plug I/O if all queues are weight-raised arm64: dts: meson: Fix erroneous SPI bus warnings power: supply: ab8500_fg: silence uninitialized variable warnings power: reset: at91-poweroff: do not procede if at91_shdwc is allocated power: supply: max8998-charger: Fix platform data retrieval component: fix loop condition to call unbind() if bind() fails kernfs: Fix range checks in kernfs_get_target_path ip_gre: fix parsing gre header in ipgre_err scsi: ufshcd: Fix NULL pointer dereference for in ufshcd_init ARM: dts: rockchip: Fix erroneous SPI bus dtc warnings on rk3036 arm64: dts: rockchip: Fix I2C bus unit-address error on rk3399-puma-haikou ACPI / LPSS: Exclude I2C busses shared with PUNIT from pmc_atom_d3_mask netfilter: nf_tables: avoid BUG_ON usage ath9k: Fix a locking bug in ath9k_add_interface() s390/qeth: uninstall IRQ handler on device removal s390/qeth: invoke softirqs after napi_schedule() media: vsp1: Fix vsp1_regs.h license header media: vsp1: Fix YCbCr planar formats pitch calculation media: ov2680: don't register the v4l2 subdevice before checking chip ID PCI/ACPI: Correct error message for ASPM disabling net: socionext: Fix two sleep-in-atomic-context bugs in ave_rxfifo_reset() PCI: mediatek: Fix unchecked return value ARM: dts: xilinx: Fix I2C and SPI bus warnings serial: uartps: Fix suspend functionality serial: samsung: Enable baud clock for UART reset procedure in resume serial: mxs-auart: Fix potential infinite loop tty: serial: qcom_geni_serial: Fix serial when not used as console arm64: dts: ti: k3-am65: Change #address-cells and #size-cells of interconnect to 2 samples/bpf: fix a compilation failure spi/bcm63xx-hsspi: keep pll clk enabled spi: mediatek: Don't modify spi_transfer when transfer. ASoC: rt5682: Fix the boost volume at the begining of playback ipmi_si_pci: fix NULL device in ipmi_si error message ipmi_si: fix potential integer overflow on large shift ipmi:dmi: Ignore IPMI SMBIOS entries with a zero base address ipmi: fix return value of ipmi_set_my_LUN net: hns3: fix return type of ndo_start_xmit function net: cavium: fix return type of ndo_start_xmit function net: ibm: fix return type of ndo_start_xmit function powerpc/iommu: Avoid derefence before pointer check selftests/powerpc: Do not fail with reschedule powerpc/64s/hash: Fix stab_rr off by one initialization powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request powerpc/pseries: Disable CPU hotplug across migrations powerpc: Fix duplicate const clang warning in user access code RDMA/i40iw: Fix incorrect iterator type ARM: dts: atmel: Fix I2C and SPI bus warnings OPP: Protect dev_list with opp_table lock of/unittest: Fix I2C bus unit-address error libfdt: Ensure INT_MAX is defined in libfdt_env.h power: supply: twl4030_charger: fix charging current out-of-bounds power: supply: twl4030_charger: disable eoc interrupt on linear charge net: mvpp2: fix the number of queues per cpu for PPv2.2 net: marvell: fix return type of ndo_start_xmit function net: toshiba: fix return type of ndo_start_xmit function net: xilinx: fix return type of ndo_start_xmit function net: broadcom: fix return type of ndo_start_xmit function net: amd: fix return type of ndo_start_xmit function net: sun: fix return type of ndo_start_xmit function net: hns3: Fix for setting speed for phy failed problem net: hns3: Fix cmdq registers initialization issue for vf net: hns3: Clear client pointer when initialize client failed or unintialize finished net: hns3: Fix client initialize state issue when roce client initialize failed net: hns3: Fix parameter type for q_id in hclge_tm_q_to_qs_map_cfg() nfp: provide a better warning when ring allocation fails usb: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started usb: chipidea: Fix otg event handler usb: usbtmc: Fix ioctl USBTMC_IOCTL_ABORT_BULK_OUT s390/zcrypt: enable AP bus scan without a valid default domain s390/vdso: avoid 64-bit vdso mapping for compat tasks s390/vdso: correct CFI annotations of vDSO functions brcmfmac: increase buffer for obtaining firmware capabilities brcmsmac: Use kvmalloc() for ucode allocations mlxsw: spectrum: Init shaper for TCs 8..15 PCI: portdrv: Initialize service drivers directly ARM: dts: am335x-evm: fix number of cpsw ARM: dts: ti: Fix SPI and I2C bus warnings f2fs: avoid infinite loop in f2fs_alloc_nid f2fs: fix to recover inode's uid/gid during POR ARM: dts: ux500: Correct SCU unit address ARM: dts: ux500: Fix LCDA clock line muxing ARM: dts: ste: Fix SPI controller node names spi: pic32: Use proper enum in dmaengine_prep_slave_rg crypto: chacha20 - Fix chacha20_block() keystream alignment (again) cpufeature: avoid warning when compiling with clang crypto: arm/crc32 - avoid warning when compiling with Clang ARM: dts: marvell: Fix SPI and I2C bus warnings x86/mce-inject: Reset injection struct after injection ARM: dts: stm32: enable display on stm32mp157c-ev1 board ARM: dts: clearfog: fix sdhci supply property name ARM: dts: stm32: Fix SPI controller node names bnx2x: Ignore bandwidth attention in single function mode PCI/AER: Take reference on error devices PCI/AER: Don't read upstream ports below fatal errors PCI/ERR: Use slot reset if available samples/bpf: fix compilation failure net: phy: mdio-bcm-unimac: Allow configuring MDIO clock divider net: micrel: fix return type of ndo_start_xmit function net: freescale: fix return type of ndo_start_xmit function x86/CPU: Use correct macros for Cyrix calls x86/CPU: Change query logic so CPUID is enabled before testing EDAC: Correct DIMM capacity unit symbol MIPS: kexec: Relax memory restriction arm64: dts: rockchip: Fix microSD in rk3399 sapphire board mlxsw: Make MLXSW_SP1_FWREV_MINOR a hard requirement media: imx: work around false-positive warning, again media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init() media: au0828: Fix incorrect error messages media: davinci: Fix implicit enum conversion warning ARM: dts: rockchip: explicitly set vcc_sd0 pin to gpio on rk3188-radxarock usb: gadget: uvc: configfs: Drop leaked references to config items usb: gadget: uvc: configfs: Prevent format changes after linking header usb: gadget: uvc: configfs: Sort frame intervals upon writing ARM: dts: exynos: Correct audio subsystem parent clock on Peach Chromebooks i2c: aspeed: fix invalid clock parameters for very large divisors gpiolib: Fix gpio_direction_* for single direction GPIOs ARM: at91: pm: call put_device instead of of_node_put in at91_pm_config_ws phy: brcm-sata: allow PHY_BRCM_SATA driver to be built for DSL SoCs phy: renesas: rcar-gen3-usb2: fix vbus_ctrl for role sysfs phy: phy-twl4030-usb: fix denied runtime access ARM: dts: imx6ull: update vdd_soc voltage for 900MHz operating point usb: gadget: uvc: Factor out video USB request queueing usb: gadget: uvc: Only halt video streaming endpoint in bulk mode coresight: Use ERR_CAST instead of ERR_PTR coresight: Fix handling of sinks coresight: perf: Fix per cpu path management coresight: perf: Disable trace path upon source error coresight: tmc-etr: Handle driver mode specific ETR buffers coresight: etm4x: Configure EL2 exception level when kernel is running in HYP coresight: tmc: Fix byte-address alignment for RRP coresight: dynamic-replicator: Handle multiple connections slimbus: ngd: register ngd driver only once. slimbus: ngd: return proper error code instead of zero silmbus: ngd: register controller after power up. misc: kgdbts: Fix restrict error misc: genwqe: should return proper error value. vmbus: keep pointer to ring buffer page vfio/pci: Fix potential memory leak in vfio_msi_cap_len vfio/pci: Mask buggy SR-IOV VF INTx support iw_cxgb4: Use proper enumerated type in c4iw_bar2_addrs scsi: libsas: always unregister the old device if going to discover new f2fs: fix remount problem of option io_bits phy: lantiq: Fix compile warning arm64: dts: fsl: Fix I2C and SPI bus warnings ARM: dts: imx51-zii-rdu1: Fix the rtc compatible string arm64: tegra: I2C on Tegra194 is not compatible with Tegra114 ARM: dts: tegra30: fix xcvr-setup-use-fuses ARM: dts: tegra20: restore address order ARM: tegra: apalis_t30: fix mmc1 cmd pull-up ARM: tegra: apalis_t30: fix mcp2515 can controller interrupt polarity ARM: tegra: colibri_t30: fix mcp2515 can controller interrupt polarity ARM: dts: paz00: fix wakeup gpio keycode net: smsc: fix return type of ndo_start_xmit function net: faraday: fix return type of ndo_start_xmit function PCI/ERR: Run error recovery callbacks for all affected devices f2fs: update i_size after DIO completion f2fs: fix to recover inode's project id during POR f2fs: mark inode dirty explicitly in recover_inode() RDMA: Fix dependencies for rdma_user_mmap_io EDAC: Raise the maximum number of memory controllers ARM: dts: realview: Fix SPI controller node names firmware: dell_rbu: Make payload memory uncachable Bluetooth: hci_serdev: clear HCI_UART_PROTO_READY to avoid closing proto races Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS Bluetooth: btrsi: fix bt tx timeout issue x86/hyperv: Suppress "PCI: Fatal: No config space access function found" crypto: s5p-sss: Fix race in error handling crypto: s5p-sss: Fix Fix argument list alignment crypto: fix a memory leak in rsa-kcs1pad's encryption mode iwlwifi: dbg: don't crash if the firmware crashes in the middle of a debug dump iwlwifi: fix non_shared_ant for 22000 devices iwlwifi: pcie: read correct prph address for newer devices iwlwifi: api: annotate compressed BA notif array sizes iwlwifi: pcie: gen2: build A-MSDU only for GSO iwlwifi: pcie: fit reclaim msg to MAX_MSG_LEN iwlwifi: mvm: use correct FIFO length iwlwifi: mvm: Allow TKIP for AP mode scsi: NCR5380: Clear all unissued commands on host reset scsi: NCR5380: Have NCR5380_select() return a bool scsi: NCR5380: Withhold disconnect privilege for REQUEST SENSE scsi: NCR5380: Use DRIVER_SENSE to indicate valid sense data scsi: NCR5380: Check for invalid reselection target scsi: NCR5380: Don't clear busy flag when abort fails scsi: NCR5380: Don't call dsprintk() following reselection interrupt scsi: NCR5380: Handle BUS FREE during reselection scsi: NCR5380: Check for bus reset arm64: dts: amd: Fix SPI bus warnings arm64: dts: lg: Fix SPI controller node names ARM: dts: lpc32xx: Fix SPI controller node names rtc: isl1208: avoid possible sysfs race rtc: tx4939: fixup nvmem name and register size rtc: armada38x: fix possible race condition netfilter: masquerade: don't flush all conntracks if only one address deleted on device usb: xhci-mtk: fix ISOC error when interval is zero usb: usbtmc: uninitialized symbol 'actual' in usbtmc_ioctl_clear fuse: use READ_ONCE on congestion_threshold and max_background IB/iser: Fix possible NULL deref at iser_inv_desc() media: ov2680: fix null dereference at power on s390/vdso: correct vdso mapping for compat tasks net: phy: mdio-bcm-unimac: mark PM functions as __maybe_unused memfd: Use radix_tree_deref_slot_protected to avoid the warning. slcan: Fix memory leak in error path Linux 4.19.85 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0857e66ee2cdd412cd736548a1395bf764a8ab0a |
||
|
Sherry Yang
|
b0cb2d8164 |
android: binder: no outgoing transaction when thread todo has transaction
[ Upstream commit
|
||
|
Greg Kroah-Hartman
|
844ecc4634 |
This is the 4.19.64 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1GibIACgkQONu9yGCS aT7z2hAAmv8AsH9IG43m7t6zLroJVswr/9594xk7yPBQgcY3/PW2aTFBCFbsdOL4 yXcj2PSwRiq9K6qAJULrvOvncR9fIILHqzWzyXnoaZ30lR/FxaaFmuHZX/5Ix1tB e5EEE/EA49UAEjEDaMLq8g2IvibsReDxmSpnXyBJWoyRAdFIElVnMJ2+zvP/wRhF NKzQj/bj/qecCbis2lUCaVWJFZ6+P/52UbD8lvIwqR3nk2TKsGDcLU6eY3yg4KrB rEHl5T8KIPrkX3KNIEB8EcFREene+rdpZLLVe4fYwf+gOqfiFXSzZZvweauMkplq ehlVHkykvQvlsVM2tjBD379z3C4aasZDuMVNMCbAy2FlruLeBQ7gEn77mCJB9VH5 /n/mlc2yizdoowtARCLWOUMfASpdSbqu2SQ7A/3kwG7l6GrpzKSIU2nQgm+41sUZ QJVtZ3IYsPoYjnU4B3JZzgJnf3M9jcRz/3JegviqhSEbF1gaScJX0cqN8C1idN/v ZAGCJK9S20/EEEsp5jn+bq2grUehvmD4TVDfot4P+5yRYyBIhMFpbM2RpjydOpwy +x8D1Q34LYPFgZfQ0vF62vcSBhMBiJ/7j41rUeo44K+Lg00F3yCOyL6FxK6S8h6j wsD0xLbllMrhV5KRYFizb3QbCHoHYiROIJk76uLvB+Tqq2Jg9VQ= =qIi2 -----END PGP SIGNATURE----- Merge 4.19.64 into android-4.19 Changes in 4.19.64 hv_sock: Add support for delayed close vsock: correct removal of socket from the list NFS: Fix dentry revalidation on NFSv4 lookup NFS: Refactor nfs_lookup_revalidate() NFSv4: Fix lookup revalidate of regular files usb: dwc2: Disable all EP's on disconnect usb: dwc2: Fix disable all EP's on disconnect arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ binder: fix possible UAF when freeing buffer ISDN: hfcsusb: checking idx of ep configuration media: au0828: fix null dereference in error path ath10k: Change the warning message string media: cpia2_usb: first wake up, then free in disconnect media: pvrusb2: use a different format for warnings NFS: Cleanup if nfs_match_client is interrupted media: radio-raremono: change devm_k*alloc to k*alloc iommu/vt-d: Don't queue_iova() if there is no flush queue iommu/iova: Fix compilation error with !CONFIG_IOMMU_IOVA Bluetooth: hci_uart: check for missing tty operations vhost: introduce vhost_exceeds_weight() vhost_net: fix possible infinite loop vhost: vsock: add weight support vhost: scsi: add weight support sched/fair: Don't free p->numa_faults with concurrent readers sched/fair: Use RCU accessors consistently for ->numa_group /proc/<pid>/cmdline: remove all the special cases /proc/<pid>/cmdline: add back the setproctitle() special case drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl Fix allyesconfig output. ceph: hold i_ceph_lock when removing caps for freeing inode block, scsi: Change the preempt-only flag into a counter scsi: core: Avoid that a kernel warning appears during system resume ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL Linux 4.19.64 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3e9055b677bd8ad9d5070307fae0bc765d444e9d |
||
|
Todd Kjos
|
22068d49d0 |
binder: fix possible UAF when freeing buffer
commit
|
||
|
Greg Kroah-Hartman
|
75ff56e1a2 |
This is the 4.19.63 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1BJrAACgkQONu9yGCS
aT6MpRAAt2nuozm5Z/MshFAuGFzddAwPoYtkIPSy8BiPHYjf7x0+D5Ew4dz5OihS
ElfbA94hMOpvhhXlzBU3ZFJsWZIK78gzV6+LiHyb5R97Jdzj/zT4h40y0kxKw+pS
gghnZ6zx+pGSIXm/EsODW2gg98yTrmhBFpUhXpAGoC/71c1vxVlj3jHcuhd778YK
NRlj2tFWJGIBpmXrApo1Eg7qQRj4tzbOjthfgANWPq+EP68PgiOaxMDMMp7IUwju
KrXEFcXlk5aHvfaJ06FSBRBnn45XMyGXPYV/76HsaqkBNmg1r7o02dZKy/0S84Fn
YXoEFxHt6NFOJ52LiO95z7cQ0xeTSYygNCtYXJ70uyDMnrCPXCrKp7DRyka+vDPs
RCrcpB1QjcCb3xTL//SPkNWM3oZEW9CawpRFh9bmqbw/h7ZjaUEuwNIJnunISulu
2fvOjUmFWfUVIARiwKFVuIkXzgf3cSLYZTtiDFC5/yBpkGVNnXqyO7YtWZwnrMHq
L3DC3pOKuYXMa03KWGEzZoCZEXjtoRhRwCSgV7wbK5o90sZeRj/HC1zXEyDPPD/R
7A1rePTuwlAH3gHCJGhYkmYqULx62ZdvV6IC2N7xNxeTL1Y7OVNBT7ZUqexxY6WC
OG1vVxUKNJIvBLYmc6cmQATgR6XH5/B9H2p1YRBLuAQuqHk+jqo=
=ZQf3
-----END PGP SIGNATURE-----
Merge 4.19.63 into android-4.19
Changes in 4.19.63
hvsock: fix epollout hang from race condition
drm/panel: simple: Fix panel_simple_dsi_probe
iio: adc: stm32-dfsdm: manage the get_irq error case
iio: adc: stm32-dfsdm: missing error case during probe
staging: vt6656: use meaningful error code during buffer allocation
usb: core: hub: Disable hub-initiated U1/U2
tty: max310x: Fix invalid baudrate divisors calculator
pinctrl: rockchip: fix leaked of_node references
tty: serial: cpm_uart - fix init when SMC is relocated
drm/amd/display: Fill prescale_params->scale for RGB565
drm/amdgpu/sriov: Need to initialize the HDP_NONSURFACE_BAStE
drm/amd/display: Disable ABM before destroy ABM struct
drm/amdkfd: Fix a potential memory leak
drm/amdkfd: Fix sdma queue map issue
drm/edid: Fix a missing-check bug in drm_load_edid_firmware()
PCI: Return error if cannot probe VF
drm/bridge: tc358767: read display_props in get_modes()
drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz
gpu: host1x: Increase maximum DMA segment size
drm/crc-debugfs: User irqsafe spinlock in drm_crtc_add_crc_entry
drm/crc-debugfs: Also sprinkle irqrestore over early exits
memstick: Fix error cleanup path of memstick_init
tty/serial: digicolor: Fix digicolor-usart already registered warning
tty: serial: msm_serial: avoid system lockup condition
serial: 8250: Fix TX interrupt handling condition
drm/amd/display: Always allocate initial connector state state
drm/virtio: Add memory barriers for capset cache.
phy: renesas: rcar-gen2: Fix memory leak at error paths
drm/amd/display: fix compilation error
powerpc/pseries/mobility: prevent cpu hotplug during DT update
drm/rockchip: Properly adjust to a true clock in adjusted_mode
serial: imx: fix locking in set_termios()
tty: serial_core: Set port active bit in uart_port_activate
usb: gadget: Zero ffs_io_data
mmc: sdhci: sdhci-pci-o2micro: Check if controller supports 8-bit width
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
drm/msm: Depopulate platform on probe failure
serial: mctrl_gpio: Check if GPIO property exisits before requesting it
PCI: sysfs: Ignore lockdep for remove attribute
i2c: stm32f7: fix the get_irq error cases
kbuild: Add -Werror=unknown-warning-option to CLANG_FLAGS
genksyms: Teach parser about 128-bit built-in types
PCI: xilinx-nwl: Fix Multi MSI data programming
iio: iio-utils: Fix possible incorrect mask calculation
powerpc/cacheflush: fix variable set but not used
powerpc/xmon: Fix disabling tracing while in xmon
recordmcount: Fix spurious mcount entries on powerpc
mfd: madera: Add missing of table registration
mfd: core: Set fwnode for created devices
mfd: arizona: Fix undefined behavior
mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk
mm/swap: fix release_pages() when releasing devmap pages
um: Silence lockdep complaint about mmap_sem
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
RDMA/i40iw: Set queue pair state when being queried
serial: sh-sci: Terminate TX DMA during buffer flushing
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
IB/mlx5: Fixed reporting counters on 2nd port for Dual port RoCE
powerpc/mm: Handle page table allocation failures
IB/ipoib: Add child to parent list only if device initialized
arm64: assembler: Switch ESB-instruction with a vanilla nop if !ARM64_HAS_RAS
PCI: mobiveil: Fix PCI base address in MEM/IO outbound windows
PCI: mobiveil: Fix the Class Code field
kallsyms: exclude kasan local symbols on s390
PCI: mobiveil: Initialize Primary/Secondary/Subordinate bus numbers
PCI: mobiveil: Use the 1st inbound window for MEM inbound transactions
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
perf stat: Fix use-after-freed pointer detected by the smatch tool
perf top: Fix potential NULL pointer dereference detected by the smatch tool
perf session: Fix potential NULL pointer dereference found by the smatch tool
perf annotate: Fix dereferencing freed memory found by the smatch tool
perf hists browser: Fix potential NULL pointer dereference found by the smatch tool
RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM
PCI: dwc: pci-dra7xx: Fix compilation when !CONFIG_GPIOLIB
powerpc/boot: add {get, put}_unaligned_be32 to xz_config.h
block: init flush rq ref count to 1
f2fs: avoid out-of-range memory access
mailbox: handle failed named mailbox channel request
dlm: check if workqueues are NULL before flushing/destroying
powerpc/eeh: Handle hugepages in ioremap space
block/bio-integrity: fix a memory leak bug
sh: prevent warnings when using iounmap
mm/kmemleak.c: fix check for softirq context
9p: pass the correct prototype to read_cache_page
mm/gup.c: mark undo_dev_pagemap as __maybe_unused
mm/gup.c: remove some BUG_ONs from get_gate_page()
memcg, fsnotify: no oom-kill for remote memcg charging
mm/mmu_notifier: use hlist_add_head_rcu()
proc: use down_read_killable mmap_sem for /proc/pid/smaps_rollup
proc: use down_read_killable mmap_sem for /proc/pid/pagemap
proc: use down_read_killable mmap_sem for /proc/pid/clear_refs
proc: use down_read_killable mmap_sem for /proc/pid/map_files
cxgb4: reduce kernel stack usage in cudbg_collect_mem_region()
proc: use down_read_killable mmap_sem for /proc/pid/maps
locking/lockdep: Fix lock used or unused stats error
mm: use down_read_killable for locking mmap_sem in access_remote_vm
locking/lockdep: Hide unused 'class' variable
usb: wusbcore: fix unbalanced get/put cluster_id
usb: pci-quirks: Correct AMD PLL quirk detection
btrfs: inode: Don't compress if NODATASUM or NODATACOW set
x86/sysfb_efi: Add quirks for some devices with swapped width and height
x86/speculation/mds: Apply more accurate check on hypervisor platform
binder: prevent transactions to context manager from its own process.
fpga-manager: altera-ps-spi: Fix build error
mei: me: add mule creek canyon (EHL) device ids
hpet: Fix division by zero in hpet_time_div()
ALSA: ac97: Fix double free of ac97_codec_device
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
ALSA: hda - Add a conexant codec entry to let mute led work
powerpc/xive: Fix loop exit-condition in xive_find_target_in_mask()
powerpc/tm: Fix oops on sigreturn on systems without TM
libnvdimm/bus: Stop holding nvdimm_bus_list_mutex over __nd_ioctl()
access: avoid the RCU grace period for the temporary subjective credentials
Linux 4.19.63
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic31529aa6fd283d16d6bfb182187a9402a4db44f
|
||
|
Hridya Valsaraju
|
e907b13144 |
binder: prevent transactions to context manager from its own process.
commit
|
||
|
Martijn Coenen
|
b9079579b0 |
UPSTREAM: binder: Set end of SG buffer area properly.
In case the target node requests a security context, the extra_buffers_size is increased with the size of the security context. But, that size is not available for use by regular scatter-gather buffers; make sure the ending of that buffer is marked correctly. Bug: 136210786 Acked-by: Todd Kjos <tkjos@google.com> Fixes: |
||
|
Greg Kroah-Hartman
|
0f653d9aa3 |
This is the 4.19.59 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0qx4sACgkQONu9yGCS aT7Wzw/+Ixgza5VeJICnFgLZ80bYEQP5fDDcTD8psGi8fg/yKpUcHM0tv2Fi/ScQ dKNKN1zrWtn8e5bC8HE7V5rVFH3iT9gJXL4tebmFg9IOaBoce9wSaDMaptnv4OEw Ikb8apdrO2cHRWFhyIj9f35d3WE2OWUA4QYhrL17rptyP+k0eBBdyo572qfnheuf 4Yp4X6u8pnSR3fl4sgxzcfNLPXfrF8BMAKEx8/I1YyhUORpeJ/QxZkyFKNLMbUHm OWIHcw0O4Sfqtx9zWzwmpLk/aF8b98rCieJUDxYakVYD/iLsrdkkCx3IHlvMWdZF UtNVQbA26KIIFpXYe5gD1My+56grJaSCxAsO6M+c4PRCZ2BP+e6t+k3eASueadqs Ihq2qZyq1cMBQCeT1Sc3zQZgzwTE7lgzqQLVHiMmMukWv1Sx2xyio3GvN0i51gqz PCIxslzNhQnpmswCnDXgwaSp7W3YlT6+/zpQnzK1spZsfp8Ab/PkB41WyiPCWBtJ /Zx+lkdUd8HU8ZoKBoNMPWErX//MKa3NhKvakliPklVkSUfF12+4aB+Iil9H8vag ie4qmJrGvwg0t5PvRqRqy35fij/kcnJnFJJLlywkzRdTXlFUqqV+09N6hhS0BRgf YJibc8VptLWXgYRQoQD1J/xF87bcmB7HBnC4jBpdDzCkbTEHoI8= =zCPG -----END PGP SIGNATURE----- Merge 4.19.59 into android-4.19 Changes in 4.19.59 crypto: talitos - rename alternative AEAD algos. soc: brcmstb: Fix error path for unsupported CPUs soc: bcm: brcmstb: biuctrl: Register writes require a barrier Input: elantech - enable middle button support on 2 ThinkPads samples, bpf: fix to change the buffer size for read() samples, bpf: suppress compiler warning mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he() bpf: sockmap, fix use after free from sleep in psock backlog workqueue soundwire: stream: fix out of boundary access on port properties staging:iio:ad7150: fix threshold mode config bit mac80211: mesh: fix RCU warning mac80211: free peer keys before vif down in mesh mwifiex: Fix possible buffer overflows at parsing bss descriptor iwlwifi: Fix double-free problems in iwl_req_fw_callback() mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() soundwire: intel: set dai min and max channels correctly dt-bindings: can: mcp251x: add mcp25625 support can: mcp251x: add support for mcp25625 can: m_can: implement errata "Needless activation of MRAF irq" can: af_can: Fix error path of can_init() net: phy: rename Asix Electronics PHY driver ibmvnic: Do not close unopened driver during reset ibmvnic: Refresh device multicast list after reset ibmvnic: Fix unchecked return codes of memory allocations ARM: dts: am335x phytec boards: Fix cd-gpios active level s390/boot: disable address-of-packed-member warning drm/vmwgfx: Honor the sg list segment size limitation drm/vmwgfx: fix a warning due to missing dma_parms riscv: Fix udelay in RV32. Input: imx_keypad - make sure keyboard can always wake up system KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed ARM: davinci: da850-evm: call regulator_has_full_constraints() ARM: davinci: da8xx: specify dma_coherent_mask for lcdc mac80211: only warn once on chanctx_conf being NULL mac80211: do not start any work during reconfigure flow bpf, devmap: Fix premature entry free on destroying map bpf, devmap: Add missing bulk queue free bpf, devmap: Add missing RCU read lock on flush bpf, x64: fix stack layout of JITed bpf code qmi_wwan: add support for QMAP padding in the RX path qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode qmi_wwan: extend permitted QMAP mux_id value range mmc: core: complete HS400 before checking status md: fix for divide error in status_resync bnx2x: Check if transceiver implements DDM before access drm: return -EFAULT if copy_to_user() fails ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL net: lio_core: fix potential sign-extension overflow on large shift scsi: qedi: Check targetname while finding boot target information quota: fix a problem about transfer quota net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() NFS4: Only set creation opendata if O_CREAT net :sunrpc :clnt :Fix xps refcount imbalance on the error path fscrypt: don't set policy for a dead directory udf: Fix incorrect final NOT_ALLOCATED (hole) extent length media: stv0297: fix frequency range limit ALSA: usb-audio: Fix parse of UAC2 Extension Units ALSA: hda/realtek - Headphone Mic can't record after S3 block, bfq: NULL out the bic when it's no longer valid perf pmu: Fix uncore PMU alias list for ARM64 x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg() x86/tls: Fix possible spectre-v1 in do_get_thread_area() Documentation: Add section about CPU vulnerabilities for Spectre Documentation/admin: Remove the vsyscall=native documentation mwifiex: Abort at too short BSS descriptor element mwifiex: Don't abort on small, spec-compliant vendor IEs USB: serial: ftdi_sio: add ID for isodebug v1 USB: serial: option: add support for GosunCn ME3630 RNDIS mode Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled" p54usb: Fix race between disconnect and firmware loading usb: gadget: ether: Fix race between gether_disconnect and rx_submit usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset() usb: renesas_usbhs: add a workaround for a race condition of workqueue drivers/usb/typec/tps6598x.c: fix portinfo width drivers/usb/typec/tps6598x.c: fix 4CC cmd write staging: comedi: dt282x: fix a null pointer deref on interrupt staging: comedi: amplc_pci230: fix null pointer deref on interrupt HID: Add another Primax PIXART OEM mouse quirk lkdtm: support llvm-objcopy binder: fix memory leak in error path carl9170: fix misuse of device driver API VMCI: Fix integer overflow in VMCI handle arrays MIPS: Remove superfluous check for __linux__ staging: fsl-dpaa2/ethsw: fix memory leak of switchdev_work staging: bcm2835-camera: Replace spinlock protecting context_map with mutex staging: bcm2835-camera: Ensure all buffers are returned on disable staging: bcm2835-camera: Remove check of the number of buffers supplied staging: bcm2835-camera: Handle empty EOS buffers whilst streaming staging: rtl8712: reduce stack usage, again Linux 4.19.59 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I650890ad9d984de0fc729677bd29506cd21338be |
||
|
Todd Kjos
|
524ad00e80 |
binder: fix memory leak in error path
commit
|
||
|
Todd Kjos
|
b14fd5b76a |
UPSTREAM: binder: check for overflow when alloc for security context
commit
|
||
|
Todd Kjos
|
1637f8d88b |
ANDROID: binder: remove extra declaration left after backport
When backporting commit
|
||
|
Todd Kjos
|
684e11da1b |
FROMGIT: binder: fix BUG_ON found by selinux-testsuite
The selinux-testsuite found an issue resulting in a BUG_ON() where a conditional relied on a size_t going negative when checking the validity of a buffer offset. (cherry picked from commit |
||
|
Todd Kjos
|
129baead39 |
UPSTREAM: binder: fix handling of misaligned binder object
Fixes crash found by syzbot:
kernel BUG at drivers/android/binder_alloc.c:LINE! (2)
(cherry pick from commit
|
||
|
Todd Kjos
|
3d4f1ad199 |
BACKPORT: binder: use userspace pointer as base of buffer space
Now that alloc->buffer points to the userspace vm_area
rename buffer->data to buffer->user_data and rename
local pointers that hold user addresses. Also use the
"__user" tag to annotate all user pointers so sparse
can flag cases where user pointer vaues are copied to
kernel pointers. Refactor code to use offsets instead
of user pointers.
(cherry pick from commit
|
||
|
Todd Kjos
|
4b468c5960 |
BACKPORT: binder: remove user_buffer_offset
Remove user_buffer_offset since there is no kernel
buffer pointer anymore.
(cherry pick from commit
|
||
|
Todd Kjos
|
baac225c1c |
UPSTREAM: binder: avoid kernel vm_area for buffer fixups
Refactor the functions to validate and fixup struct
binder_buffer pointer objects to avoid using vm_area
pointers. Instead copy to/from kernel space using
binder_alloc_copy_to_buffer() and
binder_alloc_copy_from_buffer(). The following
functions were refactored:
refactor binder_validate_ptr()
binder_validate_fixup()
binder_fixup_parent()
(cherry pick from commit
|
||
|
Todd Kjos
|
a08646b26a |
BACKPORT: binder: add function to copy binder object from buffer
When creating or tearing down a transaction, the binder driver
examines objects in the buffer and takes appropriate action.
To do this without needing to dereference pointers into the
buffer, the local copies of the objects are needed. This patch
introduces a function to validate and copy binder objects
from the buffer to a local structure.
(cherry pick from commit
|
||
|
Todd Kjos
|
06c24270db |
BACKPORT: binder: add functions to copy to/from binder buffers
Avoid vm_area when copying to or from binder buffers.
Instead, new copy functions are added that copy from
kernel space to binder buffer space. These use
kmap_atomic() and kunmap_atomic() to create temporary
mappings and then memcpy() is used to copy within
that page.
Also, kmap_atomic() / kunmap_atomic() use the appropriate
cache flushing to support VIVT cache architectures.
Allow binder to build if CPU_CACHE_VIVT is defined.
Several uses of the new functions are added here. More
to follow in subsequent patches.
(cherry picked from commit
|
||
|
Todd Kjos
|
5f245a9018 |
UPSTREAM: binder: create userspace-to-binder-buffer copy function
The binder driver uses a vm_area to map the per-process
binder buffer space. For 32-bit android devices, this is
now taking too much vmalloc space. This patch removes
the use of vm_area when copying the transaction data
from the sender to the buffer space. Instead of using
copy_from_user() for multi-page copies, it now uses
binder_alloc_copy_user_to_buffer() which uses kmap()
and kunmap() to map each page, and uses copy_from_user()
for copying to that page.
(cherry picked from
|
||
|
Todd Kjos
|
00bac1450b |
FROMGIT: binder: create node flag to request sender's security context
To allow servers to verify client identity, allow a node
flag to be set that causes the sender's security context
to be delivered with the transaction. The BR_TRANSACTION
command is extended in BR_TRANSACTION_SEC_CTX to
contain a pointer to the security context string.
Signed-off-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Todd Kjos
|
4a7c1aed56 |
UPSTREAM: binder: filter out nodes when showing binder procs
When dumping out binder transactions via a debug node,
the output is too verbose if a process has many nodes.
Change the output for transaction dumps to only display
nodes with pending async transactions.
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Greg Kroah-Hartman
|
c454ec1e21 |
This is the 4.19.7 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlwIG48ACgkQONu9yGCS
aT7g6Q//RkJ8ZWaRkykcCGaWIvwI6QF1tmKalIEWmToPdndDuQdUDGzWVwfE9G7P
yLcnp3GMlXo4F82BBwG8lFSAm9zaeqaLabnJnXbCc5mZ3xi/2aNqIGHzBY1isNZl
0fTzzcelnAKzjp0Aa/egRLOeraSLgVt/Cp7Ha3FXMP6RNxUMzs1pbQ2IFZ3m+P4G
CAD3Iye6geOaZTu/kXiiooUEUGFQFbV4c3AZ4VW7dZDdrG+ekwtF4YHtkEPseWJQ
Ugtrbr6S0IxYQ91o1Pk77kg4uwUFYo12jrk8Ni4gaPZE6mQCa08tr2Alg2oZkJGw
PdXnt2ASYGRWFYK2JAuTvKzhHrTEJYhiC323dKYCAx7BgfFaqdo5F20oNzYxXFBB
gGA3AzDDtLUD3OOO+lxrDxXMhpwXUx92WXsoJVsaSafdqIDAueq14sH19wqm0gUJ
D1fC2dWTsFrPZKjkU8Z6rJAyO1XZED55h7v1YlqAt2ibjCeDKpjnW3yvUt8Ivpqc
nlnmp8v/Yl2cdY55XtlgUadpknSc2jApFMwhSWetxAaqDCvha2dLQ28YMyPRJzat
ZHOkizM/VUntXvlUzFvVTsqLQiX0sfLG6MKcUkzWehPomNKT+B8XL1wtzytv9QXb
jOY8nRD5PiQo2p35cqdDCskBwqzEwY+WxDe7ji0yHZysBZLxoxQ=
=OiCf
-----END PGP SIGNATURE-----
Merge 4.19.7 into android-4.19
Changes in 4.19.7
mm/huge_memory: rename freeze_page() to unmap_page()
mm/huge_memory: splitting set mapping+index before unfreeze
mm/huge_memory: fix lockdep complaint on 32-bit i_size_read()
mm/khugepaged: collapse_shmem() stop if punched or truncated
mm/khugepaged: fix crashes due to misaccounted holes
mm/khugepaged: collapse_shmem() remember to clear holes
mm/khugepaged: minor reorderings in collapse_shmem()
mm/khugepaged: collapse_shmem() without freezing new_page
mm/khugepaged: collapse_shmem() do not crash on Compound
lan743x: Enable driver to work with LAN7431
lan743x: fix return value for lan743x_tx_napi_poll
net: don't keep lonely packets forever in the gro hash
net: gemini: Fix copy/paste error
net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue
packet: copy user buffers before orphan or clone
rapidio/rionet: do not free skb before reading its length
s390/qeth: fix length check in SNMP processing
usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
net: thunderx: set xdp_prog to NULL if bpf_prog_add fails
net: skb_scrub_packet(): Scrub offload_fwd_mark
virtio-net: disable guest csum during XDP set
virtio-net: fail XDP set if guest csum is negotiated
net/dim: Update DIM start sample after each DIM iteration
tcp: defer SACK compression after DupThresh
net: phy: add workaround for issue where PHY driver doesn't bind to the device
tipc: fix lockdep warning during node delete
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
x86/speculation: Propagate information about RSB filling mitigation to sysfs
x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC variant
x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support
x86/retpoline: Remove minimal retpoline support
x86/speculation: Update the TIF_SSBD comment
x86/speculation: Clean up spectre_v2_parse_cmdline()
x86/speculation: Remove unnecessary ret variable in cpu_show_common()
x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
x86/speculation: Disable STIBP when enhanced IBRS is in use
x86/speculation: Rename SSBD update functions
x86/speculation: Reorganize speculation control MSRs update
sched/smt: Make sched_smt_present track topology
x86/Kconfig: Select SCHED_SMT if SMP enabled
sched/smt: Expose sched_smt_present static key
x86/speculation: Rework SMT state change
x86/l1tf: Show actual SMT state
x86/speculation: Reorder the spec_v2 code
x86/speculation: Mark string arrays const correctly
x86/speculataion: Mark command line parser data __initdata
x86/speculation: Unify conditional spectre v2 print functions
x86/speculation: Add command line control for indirect branch speculation
x86/speculation: Prepare for per task indirect branch speculation control
x86/process: Consolidate and simplify switch_to_xtra() code
x86/speculation: Avoid __switch_to_xtra() calls
x86/speculation: Prepare for conditional IBPB in switch_mm()
ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
x86/speculation: Split out TIF update
x86/speculation: Prevent stale SPEC_CTRL msr content
x86/speculation: Prepare arch_smt_update() for PRCTL mode
x86/speculation: Add prctl() control for indirect branch speculation
x86/speculation: Enable prctl mode for spectre_v2_user
x86/speculation: Add seccomp Spectre v2 user space protection mode
x86/speculation: Provide IBPB always command line options
userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
kvm: mmu: Fix race in emulated page table writes
kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
KVM: nVMX/nSVM: Fix bug which sets vcpu->arch.tsc_offset to L1 tsc_offset
KVM: x86: Fix kernel info-leak in KVM_HC_CLOCK_PAIRING hypercall
KVM: LAPIC: Fix pv ipis use-before-initialization
KVM: X86: Fix scan ioapic use-before-initialization
KVM: VMX: re-add ple_gap module parameter
xtensa: enable coprocessors that are being flushed
xtensa: fix coprocessor context offset definitions
xtensa: fix coprocessor part of ptrace_{get,set}xregs
udf: Allow mounting volumes with incorrect identification strings
btrfs: Always try all copies when reading extent buffers
Btrfs: ensure path name is null terminated at btrfs_control_ioctl
Btrfs: fix rare chances for data loss when doing a fast fsync
Btrfs: fix race between enabling quotas and subvolume creation
btrfs: relocation: set trans to be NULL after ending transaction
PCI: layerscape: Fix wrong invocation of outbound window disable accessor
PCI: dwc: Fix MSI-X EP framework address calculation bug
PCI: Fix incorrect value returned from pcie_get_speed_cap()
arm64: dts: rockchip: Fix PCIe reset polarity for rk3399-puma-haikou.
x86/MCE/AMD: Fix the thresholding machinery initialization order
x86/fpu: Disable bottom halves while loading FPU registers
perf/x86/intel: Move branch tracing setup to the Intel-specific source file
perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts()
perf/x86/intel: Disallow precise_ip on BTS events
fs: fix lost error code in dio_complete
ALSA: wss: Fix invalid snd_free_pages() at error path
ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
ALSA: control: Fix race between adding and removing a user element
ALSA: sparc: Fix invalid snd_free_pages() at error path
ALSA: hda: Add ASRock N68C-S UCC the power_save blacklist
ALSA: hda/realtek - Support ALC300
ALSA: hda/realtek - fix headset mic detection for MSI MS-B171
ALSA: hda/realtek - fix the pop noise on headphone for lenovo laptops
ALSA: hda/realtek - Add auto-mute quirk for HP Spectre x360 laptop
function_graph: Create function_graph_enter() to consolidate architecture code
ARM: function_graph: Simplify with function_graph_enter()
microblaze: function_graph: Simplify with function_graph_enter()
x86/function_graph: Simplify with function_graph_enter()
nds32: function_graph: Simplify with function_graph_enter()
powerpc/function_graph: Simplify with function_graph_enter()
sh/function_graph: Simplify with function_graph_enter()
sparc/function_graph: Simplify with function_graph_enter()
parisc: function_graph: Simplify with function_graph_enter()
riscv/function_graph: Simplify with function_graph_enter()
s390/function_graph: Simplify with function_graph_enter()
arm64: function_graph: Simplify with function_graph_enter()
MIPS: function_graph: Simplify with function_graph_enter()
function_graph: Make ftrace_push_return_trace() static
function_graph: Use new curr_ret_depth to manage depth instead of curr_ret_stack
function_graph: Have profiler use curr_ret_stack and not depth
function_graph: Move return callback before update of curr_ret_stack
function_graph: Reverse the order of pushing the ret_stack and the callback
binder: fix race that allows malicious free of live buffer
ext2: initialize opts.s_mount_opt as zero before using it
ext2: fix potential use after free
ASoC: intel: cht_bsw_max98090_ti: Add quirk for boards using pmc_plt_clk_0
ASoC: pcm186x: Fix device reset-registers trigger value
ARM: dts: rockchip: Remove @0 from the veyron memory node
dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
dmaengine: at_hdmac: fix module unloading
staging: most: use format specifier "%s" in snprintf
staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION
staging: mt7621-dma: fix potentially dereferencing uninitialized 'tx_desc'
staging: mt7621-pinctrl: fix uninitialized variable ngroups
staging: rtl8723bs: Fix incorrect sense of ether_addr_equal
staging: rtl8723bs: Add missing return for cfg80211_rtw_get_station
USB: usb-storage: Add new IDs to ums-realtek
usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid"
iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers
iio:st_magn: Fix enable device after trigger
lib/test_kmod.c: fix rmmod double free
mm: cleancache: fix corruption on missed inode invalidation
mm: use swp_offset as key in shmem_replace_page()
Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl()
misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
Linux 4.19.7
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Todd Kjos
|
553927d6aa |
binder: fix race that allows malicious free of live buffer
commit
|
||
|
Martijn Coenen
|
ce388e00bb |
ANDROID: binder: add support for RT prio inheritance.
Adds support for SCHED_BATCH/SCHED_FIFO/SCHED_RR
priority inheritance.
Bug: 34461621
Bug: 37293077
Bug: 120446518
Change-Id: I71f356e476be2933713a0ecfa2cc31aa141e2dc6
Signed-off-by: Martijn Coenen <maco@google.com>
[AmitP: Include <uapi/linux/sched/types.h> for struct sched_param]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[astrachan: Folded the following changes into this patch:
69308b3b07dd ("ANDROID: binder: add min sched_policy to node.")
7a6edeb62d86 ("ANDROID: binder: improve priority inheritance.")
22b061b17679 ("ANDROID: binder: don't check prio permissions on restore.")
67cf97141d81 ("ANDROID: binder: Add tracing for binder priority inheritance.")
fb92c34f7ba3 ("ANDROID: binder: add RT inheritance flag to node.")
c847b48f8cda ("ANDROID: binder: init desired_prio.sched_policy before use it")]
Signed-off-by: Alistair Strachan <astrachan@google.com>
|
||
|
Martijn Coenen
|
4bc6ad96c9 |
UPSTREAM: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl.
This allows the context manager to retrieve information about nodes that it holds a reference to, such as the current number of references to those nodes. Such information can for example be used to determine whether the servicemanager is the only process holding a reference to a node. This information can then be passed on to the process holding the node, which can in turn decide whether it wants to shut down to reduce resource usage. Bug: 79983843 Change-Id: I21e52ed1ca2137f7bfdc0300365fb1285b7e3d70 Signed-off-by: Martijn Coenen <maco@android.com> |
||
|
Sherry Yang
|
128f380410 |
android: binder: Rate-limit debug and userspace triggered err msgs
Use rate-limited debug messages where userspace can trigger excessive log spams. Acked-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Sherry Yang <sherryy@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Guenter Roeck
|
f371a7c17a |
android: binder: Include asm/cacheflush.h after linux/ include files
If asm/cacheflush.h is included first, the following build warnings are
seen with sparc32 builds.
In file included from arch/sparc/include/asm/cacheflush.h:11:0,
from drivers/android/binder.c:54:
arch/sparc/include/asm/cacheflush_32.h:40:37: warning:
'struct page' declared inside parameter list will not be visible
outside of this definition or declaration
Moving the asm/ include after linux/ includes solves the problem.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Souptick Joarder
|
e19f70aa02 |
android: binder: Change return type to vm_fault_t
Use new return type vm_fault_t for fault handler in
struct vm_operations_struct. For now, this is just
documenting that the function returns a VM_FAULT
value rather than an errno. Once all instances are
converted, vm_fault_t will become a distinct type.
Reference id ->
|
||
|
Minchan Kim
|
720c241924 |
ANDROID: binder: change down_write to down_read
binder_update_page_range needs down_write of mmap_sem because vm_insert_page need to change vma->vm_flags to VM_MIXEDMAP unless it is set. However, when I profile binder working, it seems every binder buffers should be mapped in advance by binder_mmap. It means we could set VM_MIXEDMAP in binder_mmap time which is already hold a mmap_sem as down_write so binder_update_page_range doesn't need to hold a mmap_sem as down_write. Please use proper API down_read. It would help mmap_sem contention problem as well as fixing down_write abuse. Ganesh Mahendran tested app launching and binder throughput test and he said he couldn't find any problem and I did binder latency test per Greg KH request(Thanks Martijn to teach me how I can do) I cannot find any problem, too. Cc: Ganesh Mahendran <opensource.ganesh@gmail.com> Cc: Joe Perches <joe@perches.com> Cc: Arve Hjønnevåg <arve@android.com> Cc: Todd Kjos <tkjos@google.com> Reviewed-by: Martijn Coenen <maco@android.com> Signed-off-by: Minchan Kim <minchan@kernel.org> Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
宋金时
|
838d556566 |
ANDROID: binder: correct the cmd print for BINDER_WORK_RETURN_ERROR
When to execute binder_stat_br the e->cmd has been modifying as BR_OK instead of the original return error cmd, in fact we want to know the original return error, such as BR_DEAD_REPLY or BR_FAILED_REPLY, etc. instead of always BR_OK, in order to avoid the value of the e->cmd is always BR_OK, so we need assign the value of the e->cmd to cmd before e->cmd = BR_OK. Signed-off-by: songjinshi <songjinshi@xiaomi.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Martijn Coenen
|
1190b4e38f |
ANDROID: binder: remove 32-bit binder interface.
New devices launching with Android P need to use the 64-bit binder interface, even on 32-bit SoCs [0]. This change removes the Kconfig option to select the 32-bit binder interface. We don't think this will affect existing userspace for the following reasons: 1) The latest Android common tree is 4.14, so we don't believe any Android devices are on kernels >4.14. 2) Android devices launch on an LTS release and stick with it, so we wouldn't expect devices running on <= 4.14 now to upgrade to 4.17 or later. But even if they did, they'd rebuild the world (kernel + userspace) anyway. 3) Other userspaces like 'anbox' are already using the 64-bit interface. Note that this change doesn't remove the 32-bit UAPI itself; the reason for that is that Android userspace always uses the latest UAPI headers from upstream, and userspace retains 32-bit support for devices that are upgrading. This will be removed as well in 2-3 years, at which point we can remove the code from the UAPI as well. Finally, this change introduces build errors on archs where 64-bit get_user/put_user is not supported, so make binder unavailable on m68k (which wouldn't want it anyway). [0]: https://android-review.googlesource.com/c/platform/build/+/595193 Signed-off-by: Martijn Coenen <maco@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
720d690e36 |
Merge 4.17-rc3 into char-misc-next
We want the fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |