linux-stable.git/drivers/staging/android/binder.c, branch v3.3.4 Linux kernel stable tree Staging: android: binder: Fix crashes when sharing a binder file between processes 2012-02-08T22:14:13+00:00 Arve Hjønnevåg arve@android.com 2012-02-01T23:29:13+00:00 bd1eff9741af27378b241b347041c724bb28e857 Opening the binder driver and sharing the file returned with other processes (e.g. by calling fork) can crash the kernel. Prevent these crashes with the following changes: - Add a mutex to protect against two processes mmapping the same binder_proc. - After locking mmap_sem, check that the vma we want to access (still) points to the same mm_struct. - Use proc->tsk instead of current to get the files struct since this is where we get the rlimit from. Signed-off-by: Arve Hjønnevåg <arve@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Opening the binder driver and sharing the file returned with
other processes (e.g. by calling fork) can crash the kernel.
Prevent these crashes with the following changes:
- Add a mutex to protect against two processes mmapping the
  same binder_proc.
- After locking mmap_sem, check that the vma we want to access
  (still) points to the same mm_struct.
- Use proc->tsk instead of current to get the files struct since
  this is where we get the rlimit from.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Staging: android: binder: Don't call dump_stack in binder_vma_open 2012-02-08T22:14:13+00:00 Arve Hjønnevåg arve@android.com 2012-01-21T03:56:21+00:00 3c1b86f17068cf6476fb2d022b9c8b44dedea2e5 If user-space partially unmaps the driver, binder_vma_open would dump the kernel stack. This is not a kernel bug however and will be treated as if the whole area was unmapped once binder_vma_close gets called. Signed-off-by: Arve Hjønnevåg <arve@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
If user-space partially unmaps the driver, binder_vma_open
would dump the kernel stack. This is not a kernel bug however
and will be treated as if the whole area was unmapped once
binder_vma_close gets called.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
staging: binder: Fix memory corruption via page aliasing 2011-11-30T11:51:37+00:00 Christopher Lais chris+android@zenthought.org 2010-05-01T20:51:48+00:00 58526090ece3582516e62779739a7d665a74708c binder_deferred_release was not unmapping the page from the buffer before freeing it, causing memory corruption. This only happened when page(s) had not been freed by binder_update_page_range, which properly unmaps the pages. This only happens on architectures with VIPT aliasing. To reproduce, create a program which opens, mmaps, munmaps, then closes the binder very quickly. This should leave a page allocated when the binder is released. When binder_deferrred_release is called on the close, the page will remain mapped to the address in the linear proc->buffer. Later, we may map the same physical page to a different virtual address that has different coloring, and this may cause aliasing to occur. PAGE_POISONING will greatly increase your chances of noticing any problems. Signed-off-by: Christopher Lais <chris+android@zenthought.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
binder_deferred_release was not unmapping the page from the buffer
before freeing it, causing memory corruption.  This only happened
when page(s) had not been freed by binder_update_page_range, which
properly unmaps the pages.

This only happens on architectures with VIPT aliasing.

To reproduce, create a program which opens, mmaps, munmaps, then closes
the binder very quickly.  This should leave a page allocated when the
binder is released.  When binder_deferrred_release is called on the
close, the page will remain mapped to the address in the linear
proc->buffer.  Later, we may map the same physical page to a different
virtual address that has different coloring, and this may cause
aliasing to occur.

PAGE_POISONING will greatly increase your chances of noticing any
problems.

Signed-off-by: Christopher Lais <chris+android@zenthought.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Staging: android: binder: Create dedicated workqueue for binder deferred work 2011-11-30T11:51:36+00:00 Arve Hjønnevåg arve@android.com 2010-04-22T22:53:23+00:00 3c762a49b12073c96f6a55b4dfc8b6a2a45fedff Some drivers flush the global workqueue when closed. This would deadlock if the last reference to the file was released from the binder. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
Some drivers flush the global workqueue when closed. This would deadlock if
the last reference to the file was released from the binder.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
staging: android: binder: Move debugging information from procfs to debugfs 2011-11-30T11:49:07+00:00 Arve Hjønnevåg arve@android.com 2009-04-29T03:57:50+00:00 16b665543864904714f028b1d349f5d905f39afb Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
binder: Use seq_file for debug interface. 2011-11-30T11:40:06+00:00 Arve Hjønnevåg arve@android.com 2009-04-29T03:57:50+00:00 5249f4883045de494916db7b1a6d6e1e422e9a0b Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
android-common: Fix slab.h includes for 2.6.34-rc4 2011-11-30T11:30:14+00:00 Colin Cross ccross@android.com 2010-04-15T22:21:51+00:00 c11a166cd4c19664355e0e3d9c04cfa7ee4aa9f4 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Revert "Staging: android: delete android drivers" 2011-11-30T11:18:14+00:00 Greg Kroah-Hartman gregkh@suse.de 2011-11-30T11:18:14+00:00 355b0502f6efea0ff9492753888772c96972d2a3 This reverts commit b0a0ccfad85b3657fe999805df65f5cfe634ab8a. Turns out I was wrong, we want these in the tree. Note, I've disabled the drivers from the build at the moment, so other patches can be applied to fix some build issues due to internal api changes since the code was removed from the tree. Cc: Arve Hjønnevåg <arve@android.com> Cc: Brian Swetland <swetland@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
This reverts commit b0a0ccfad85b3657fe999805df65f5cfe634ab8a.

Turns out I was wrong, we want these in the tree.

Note, I've disabled the drivers from the build at the moment, so other
patches can be applied to fix some build issues due to internal api
changes since the code was removed from the tree.

Cc: Arve Hjønnevåg <arve@android.com>
Cc: Brian Swetland <swetland@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Staging: android: delete android drivers 2009-12-11T20:23:21+00:00 Greg Kroah-Hartman gregkh@suse.de 2009-10-05T23:29:29+00:00 b0a0ccfad85b3657fe999805df65f5cfe634ab8a These drivers are no longer being developed and the original authors seem to have abandonded them and hence, do not want them in the mainline kernel tree. So sad :( Cc: Brian Swetland <swetland@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
These drivers are no longer being developed and the original authors
seem to have abandonded them and hence, do not want them in the mainline
kernel tree.

So sad :(

Cc: Brian Swetland <swetland@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
staging: Make some structures static 2009-09-15T19:02:24+00:00 Julia Lawall julia@diku.dk 2009-08-14T20:10:00+00:00 a5ca2dfc4ebd33e18f981f562833c39efdc2585c This was done using a semantic patch (http://coccinelle.lip6.fr/) that checks that the declaration is not inside a function definition, that the defined variable is not exported using EXPORTED_SYMBOL, etc, and that the defined variable does not occur in any other file. If these conditions hold, static is added before the declaration. Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
This was done using a semantic patch (http://coccinelle.lip6.fr/) that
checks that the declaration is not inside a function definition, that the
defined variable is not exported using EXPORTED_SYMBOL, etc, and that the
defined variable does not occur in any other file.  If these conditions
hold, static is added before the declaration.

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>