Add security hooks to the binder and implement the hooks for SELinux.
The security hooks enable security modules such as SELinux to implement
controls over binder IPC. The security hooks include support for
controlling what process can become the binder context manager
(binder_set_context_mgr), controlling the ability of a process
to invoke a binder transaction/IPC to another process (binder_transaction),
controlling the ability a process to transfer a binder reference to
another process (binder_transfer_binder), and controlling the ability
of a process to transfer an open file to another process (binder_transfer_file).
This support is used by SE Android, http://selinuxproject.org/page/SEAndroid.
Change-Id: I34266b66320b6a3df9ac01833d7f94daf742920e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Surfaceflinger uses binder heavily to receive/send frames from applications
while compositing the screen. Change the binder mutex to an rt mutex to minimize
instances where high priority surfaceflinger binder work is blocked by lower
priority binder ipc.
Change-Id: If7429040641d6e463f20301ec14f02ecf6b0da36
Signed-off-by: Riley Andrews <riandrews@google.com>
Make sure offsets don't point to overlapping flat_binder_object
structs.
Change-Id: I85c759b9c6395492474b177625dc6b0b289fd6b0
Signed-off-by: Arve Hjønnevåg <arve@android.com>
binder.h isn't needed to just include a uapi file and set a single
define, so move it into binder.c to save a few lines of code.
Change-Id: Idcd0aba576295bbe0ddf5d18c4b1d1e8efdc8c84
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The Android binder code has been "stable" for many years now. No matter
what comes in the future, we are going to have to support this API, so
might as well move it to the "real" part of the kernel as there's no
real work that needs to be done to the existing code.
Change-Id: I36d5c6fc05aff26dd01a227201be18e86c9f9994
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
we should use __packed attribute
Change-Id: I9c74b57799bc6787d54cf6e2563adc96dff666d2
Signed-off-by: Purnendu Kapadia <pro8linux@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kernel coding style. Remove useless else statement after return.
Changes from v1 and v2: Fix warning for mixed declarations and code.
Declaration of "struct binder_transaction *next" made outside of while.
Changes from v3: Removed initialization to NULL for next variable.
Change-Id: I1ec8b512130595b90098126acf562e58eeca8458
Signed-off-by: Lucas Tanure <tanure@linux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
binder_ioctl() is quite huge and checkpatch dirty - mostly because of
the amount of code for the BINDER_WRITE_READ and BINDER_SET_CONTEXT_MGR.
Moved that code into the new binder_ioctl_write_read() and
binder_ioctl_set_ctx_mgr()
Change-Id: I9c5cea46a570ca91768e5aa7b11c7178bdbb667d
Signed-off-by: Tair Rzayev <tair.rzayev@gmail.com>
Cc: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
An issue was observed when a userspace task exits.
The page which hits error here is the zero page.
In binder mmap, the whole of vma is not mapped.
On a task crash, when debuggerd reads the binder regions,
the unmapped areas fall to do_anonymous_page in handle_pte_fault,
due to the absence of a vm_fault handler. This results in
zero page being mapped. Later in zap_pte_range, vm_normal_page
returns zero page in the case of VM_MIXEDMAP and it results in the
error.
BUG: Bad page map in process mediaserver pte:9dff379f pmd:9bfbd831
page:c0ed8e60 count:1 mapcount:-1 mapping: (null) index:0x0
page flags: 0x404(referenced|reserved)
addr:40c3f000 vm_flags:10220051 anon_vma: (null) mapping:d9fe0764 index:fd
vma->vm_ops->fault: (null)
vma->vm_file->f_op->mmap: binder_mmap+0x0/0x274
CPU: 0 PID: 1463 Comm: mediaserver Tainted: G W 3.10.17+ #1
[<c001549c>] (unwind_backtrace+0x0/0x11c) from [<c001200c>] (show_stack+0x10/0x14)
[<c001200c>] (show_stack+0x10/0x14) from [<c0103d78>] (print_bad_pte+0x158/0x190)
[<c0103d78>] (print_bad_pte+0x158/0x190) from [<c01055f0>] (unmap_single_vma+0x2e4/0x598)
[<c01055f0>] (unmap_single_vma+0x2e4/0x598) from [<c010618c>] (unmap_vmas+0x34/0x50)
[<c010618c>] (unmap_vmas+0x34/0x50) from [<c010a9e4>] (exit_mmap+0xc8/0x1e8)
[<c010a9e4>] (exit_mmap+0xc8/0x1e8) from [<c00520f0>] (mmput+0x54/0xd0)
[<c00520f0>] (mmput+0x54/0xd0) from [<c005972c>] (do_exit+0x360/0x990)
[<c005972c>] (do_exit+0x360/0x990) from [<c0059ef0>] (do_group_exit+0x84/0xc0)
[<c0059ef0>] (do_group_exit+0x84/0xc0) from [<c0066de0>] (get_signal_to_deliver+0x4d4/0x548)
[<c0066de0>] (get_signal_to_deliver+0x4d4/0x548) from [<c0011500>] (do_signal+0xa8/0x3b8)
Add a vm_fault handler which returns VM_FAULT_SIGBUS, and prevents the
wrong fallback to do_anonymous_page.
Change-Id: I43c227e489f74f4907f199caf99f571b61883064
Signed-off-by: Vinayak Menon <vinayakm.list@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
As per checkpatch warning, removed an unnecessary else statement
proceeding an if statement with a return.
Change-Id: I718d9ece6c8bac128c10ecaf904721410d701b60
Signed-off-by: Karthik Nayak <karthik.188@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Instead of getting the reference to whole credential structure, use
task_euid() and current_euid() to get it.
Change-Id: Id5b9d0305b5f90023415863e569988023aaae290
Signed-off-by: Tair Rzayev <tair.rzayev@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fix the error path when a cookie mismatch is detected. In that case the
function jumps to the exit label without setting the uninitialized, local
variable 'return_error'. Detected by Coverity - CID 201453.
Change-Id: I6c960b7d3ad0adb28fad106a9a0b8cb934013987
Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
Acked-by: Arve <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch fixes "Missing a blank line after declarations" warnings.
Change-Id: Iede8a80f003eba36fd1f8d3ec8135d9d35c16ee9
Signed-off-by: Seunghun Lee <waydi1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add __user to binder_version to correct sparse warning.
Reduce line size to fit to coding style.
Change-Id: I8694fb5a082721c69d1596b2853c5d4899f6536b
Signed-off-by: Mathieu Maret <mathieu.maret@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
For 64bit systems we want to use the same binder interface for 32bit and
64bit processes. Thus the size and the layout of the structures passed
between the kernel and the userspace has to be the same for both 32 and
64bit processes.
This change replaces all the uses of void* and size_t with
binder_uintptr_t and binder_size_t. These are then typedefed to specific
sizes depending on the use of the interface, as follows:
* __u32 - on legacy 32bit only userspace
* __u64 - on mixed 32/64bit userspace where all processes use the same
interface.
This change also increments the BINDER_CURRENT_PROTOCOL_VERSION to 8 and
hooks the compat_ioctl entry for the mixed 32/64bit Android userspace.
This patch also provides a CONFIG_ANDROID_BINDER_IPC_32BIT option for
compatability, which if set which enables the old protocol, setting
BINDER_CURRENT_PROTOCOL_VERSION to 7, on 32 bit systems.
Please note that all 64bit kernels will use the 64bit Binder ABI.
Change-Id: If54f075787a6bb261012eb73295eb4f83a8c91c9
Cc: Colin Cross <ccross@android.com>
Cc: Arve Hjønnevåg <arve@android.com>
Cc: Serban Constantinescu <serban.constantinescu@arm.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Arve Hjønnevåg <arve@android.com>
[jstultz: Merged with upstream type changes. Various whitespace fixes
and longer Kconfig description for checkpatch. Included improved commit
message from Serban (with a few tweaks).]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This fixes the following sparse warnings
drivers/staging/android/binder.c:1703:5: warning: symbol 'binder_thread_write' was not declared. Should it be static?
drivers/staging/android/binder.c:2058:6: warning: symbol 'binder_stat_br' was not declared. Should it be static?
Change-Id: Ib3fadafe30b5ffa3776270574809823e898caac3
Signed-off-by: Bojan Prtvar <prtvar.b@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
It is not correct to boost all the cpus when tunable boost
parameters are changed. It also does not need to boost the
cpus which is already boosted.
Signed-off-by: Lianwei Wang <a22439@motorola.com>
When __cpufreq_driver_target() in speedchange_task failed for some reason, the
policy->cur could be lower than the target_freq. The governor misses to change
the target_freq if the target_freq is equal to the next_freq at the next sample
time.
Added a check to prevent the CPU to stay at the speed that is lower than the
target_freq for long duration.
Change-Id: Ibfdcd193b8280390b8f8374a63218aa31267f310
Signed-off-by: Minsung Kim <ms925.kim@samsung.com>
Surfaceflinger uses binder heavily to receive/send frames from applications
while compositing the screen. Change the binder mutex to an rt mutex to minimize
instances where high priority surfaceflinger binder work is blocked by lower
priority binder ipc.
Signed-off-by: Riley Andrews <riandrews@google.com>
Change-Id: I086a715267648448f0c5f62b037a3093d1079a79
Extends the last_resume_reason to log suspend abort reason. The abort
reasons will have "Abort:" appended at the start to distinguish itself
from the resume reason.
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Change-Id: I3207f1844e3d87c706dfc298fb10e1c648814c5f
The change is to compile on kernels where cpufreq stats are compiled as
a module (CONFIG_CPU_FREQ_STAT=m), because total_cpus is not exported for
module use.
Reported-By: Emilio López <elopez93@gmail.com>
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Change-Id: I4f3c74f0fac5e8d9449655b26bf3b407b0fe4290
Currently DL aggregation is supported in RNDIS driver and is set to
3 by default. And there is no support to change downlink maximum
packets per transfer at runtime through module parameter. Hence add
module parameter for DL maximum packets per transfer to change it at
runtime.
echo 6 > /sys/module/g_android/parameters/rndis_dl_max_pkt_per_xfer
To disable DL aggregation during runtime,
echo 1 > /sys/module/g_android/parameters/rndis_dl_max_pkt_per_xfer
Change-Id: I3a1d0bc97358e2b6f233df7ae8725fb507de50db
Signed-off-by: Xerox Lin <xerox_lin@htc.com>
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
This change adds module param which allows to disable RNDIS
Multi-packet Feature (Aggregation support in Downlink path)
as this feature is enabled by default.
To disable use this param before moving to RNDIS Composition:
echo 1 > /sys/module/g_android/parameters/rndis_multipacket_dl_disable
Also counts errors as Rx errors if received RNDIS packets are
not following RNDIS message format as those packets are being
discarded.
Change-Id: I764430da78f2204af92e14bb279c11b24c7e4c67
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Add data aggregation support using RNDIS Multi Packet feature
to achieve better UDP Downlink throughput. Max 3 RNDIS Packets
aggregated into one RNDIS Packet with this implementation.
With this change, seeing UDP Downlink throughput increase
from 90 Mbps to above 100 Mbps when using Iperf and sending
data more than 100 Mbps.
Change-Id: I21c39482718944bb1b1068bdd02f626531e58f08
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Signed-off-by: Rajkumar Raghupathy <raghup@codeaurora.org>
For dual speed gadget, with current no. of request(10), there is
possibility of corner case occurence where all 10 reuqests are queued
to HW without setting IOC bit, which could lead to data stall in
RNDIS tethering and RNDIS local networking.
With this patch, counter will be incremented before queueing request to
HW and sets IOC bit for every nth request due to which the corner case
of all requests queued to HW without IOC bit set will be avoided.
Change-Id: I26515bfd9bbc8f7af38be7835692143f7093118a
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
On windows 7 platform, previously allocated ip address is maintained.
However, Host MAC address of 'usb0' interface is changed when the
tethering driver re-enumerated. Thus, the tethering network driver
can't be allocated ip address from dhcp. It causes connection delay
between host and phone for usb tethering.
This patch prevents from changing Host MAC address of 'usb0' interface.
In other words, this patch maintains the Host MAC address allocated when
first tethering driver although the driver is re-enumerated. However,
after reboot, the Host MAC address can be changed.
Change-Id: I43add9925e9d6d90c56cffbd3ed999104448f818
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
u_ether driver passes rx data to network layer and resubmits the
request back to usb hardware in interrupt context. Network layer
processes rx data by scheduling tasklet. For high throughput
scenarios on rx data path driver is spending lot of time in interrupt
context due to rx data processing by tasklet and continuous completion
and re-submission of the usb requests which results in watchdog bark.
Hence move the rx data processing and usb request submission to a
workqueue bottom half handler.
Change-Id: I316de8e267997137ac189a8b7b2846fa325f4a5a
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
From: Cylen Yao <cylen.yao@mediatek.com>
common_tunables should be static.
Change-Id: I502ee3062bece5082fea7861eff2f6237e25cede
Signed-off-by: Todd Poynor <toddpoynor@google.com>
This patch adds support for advertising optional CPU features over udev
using the modalias, and for declaring compatibility with/dependency upon
such a feature in a module.
The mapping between feature numbers and actual features should be provided
by the architecture in a file called <asm/cpufeature.h> which exports the
following functions/macros:
- cpu_feature(FEAT), a preprocessor macro that maps token FEAT to a
numeric index;
- bool cpu_have_feature(n), returning whether this CPU has support for
feature #n;
- MAX_CPU_FEATURES, an upper bound for 'n' in the previous function.
The feature can then be enabled by setting CONFIG_GENERIC_CPU_AUTOPROBE
for the architecture.
For instance, a module that registers its module init function using
module_cpu_feature_match(FEAT_X, module_init_function)
will be probed automatically when the CPU's support for the 'FEAT_X'
feature is advertised over udev, and will only allow the module to be
loaded by hand if the 'FEAT_X' feature is supported.
Change-Id: Icae8e3ff347235fc72a5b41279f0afdb34fb161a
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
RNDIS protocol supports data aggregation on uplink and can help
reduce mips by reducing number of interrupts on device. Throughput
also improved by 20-30%. Aggregation is disabled by setting
aggregation packet size to 1. To help better UL throughput, set
as ul aggregation support to 3 rndis packets by default. It can be
configured via module parameter: rndis_ul_max_pkt_per_xfer.
Change-Id: I0b62a21a5c3ceb6b04933d0d6da33301dbafe493
Signed-off-by: Vamsi Krishna <vskrishn@codeaurora.org>
Signed-off-by: Xerox Lin <xerox_lin@htc.com>
When rndis data transfer is in progress, some Windows7 Host PC is not
sending the GET_ENCAPSULATED_RESPONSE command for receiving the response
for the previous SEND_ENCAPSULATED_COMMAND processed.
The rndis function driver appends each response for the
SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted,
the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset.
As the rndis response queue is not freed, the previous response is sent
as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host
blocks any more Rndis transfers.
Hence free the rndis response queue as a part of this soft-reset so that
the current response for REMOTE_NDIS_RESET_MSG is sent properly during the
response command.
Change-Id: I8eff3849db452fe01b7d1fe4140ef1f1ad3f4fd4
Signed-off-by: Rajkumar Raghupathy <raghup@codeaurora.org>
Signed-off-by: Xerox Lin <xerox_lin@htc.com>
Got the following oops just before reboot:
Unable to handle kernel NULL pointer dereference at virtual address 00000000
[<8028d300>] (__list_del_entry+0x44/0xac)
[<802e3320>] (__fw_load_abort.part.13+0x1c/0x50)
[<802e337c>] (fw_shutdown_notify+0x28/0x50)
[<80034f80>] (notifier_call_chain.isra.1+0x5c/0x9c)
[<800350ec>] (__blocking_notifier_call_chain+0x44/0x58)
[<80035114>] (blocking_notifier_call_chain+0x14/0x18)
[<80035d64>] (kernel_restart_prepare+0x14/0x38)
[<80035d94>] (kernel_restart+0xc/0x50)
The following race condition triggers here:
_request_firmware_load()
device_create_file(...)
kobject_uevent(...)
(schedule)
(resume)
firmware_loading_store(1)
firmware_loading_store(0)
list_del_init(&buf->pending_list)
(schedule)
(resume)
list_add(&buf->pending_list, &pending_fw_head);
wait_for_completion(&buf->completion);
causing an oops later when walking pending_list after the firmware has
been released.
The proposed fix is to move the list_add() before sysfs attribute
creation.
Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
Acked-by: Ming Lei <ming.lei@canonical.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When a system goes to reboot/shutdown, it tries to disable the
usermode helper via usermodehelper_disable(). This might be blocked
when a driver tries to load a firmware beforehand and it's stuck by
some reason. For example, dell_rbu driver loads the firmware in
non-hotplug mode and waits for user-space clearing the loading sysfs
flag. If user-space doesn't clear the flag, it waits forever, thus
blocks the reboot, too.
As a workaround, in this patch, the firmware class driver registers a
reboot notifier so that it can abort all pending f/w bufs before
issuing usermodehelper_disable().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Conflicts:
drivers/base/firmware_class.c
Change-Id: I7ff6c198cd34090e55845b9d4035b1e5dc86226b
Fixed Android Issue #56549.
When both Vendor Class and Audio Class are activated for AOA 2.0,
the baInterfaceNr of the AudioControl Interface Descriptor points
to wrong interface numbers. They should be pointing to
Audio Control Device and Audio Streaming interfaces.
Replaced baInterfaceNr with the correct value.
Change-Id: Iaa083f3d97c1f0fc9481bf87852b2b51278a6351
Signed-off-by: Anson Jacob <ansonkuzhumbil@gmail.com>
Re-applying from
eb4c9d2db8
Most USB-AUDIO devices are limited to 256 byte for max iso buffer size.
If a IN_EP_MAX_PACKET_SIZE is bigger than a USB-AUDIO device's max iso
buffer size, it will cause noise. This patch will prevent this case as
possibe by reducing packet size. When using 44.1khz, 2ch, 16bit audio
data, if max packet size is bigger than 176 bytes, it's no problem.
Credits to: Iliyan Malchev <malchev@google.com>
Change-Id: Ic2a1c19ea65d5fb42bf12926b51b255b465d7215
Signed-off-by: Anson Jacob <ansonkuzhumbil@gmail.com>
If a sw_sync timeline was created by ADF (for drivers that do not implement
ops->complete_fence) we should clean it up when the ADF device is
destroyed.
Change-Id: Idd90180fcae56a87111f7d12bdd80190756a6b80
Signed-off-by: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
A HID device could send a malicious output report that would cause the
picolcd HID driver to trigger a NULL dereference during attr file writing.
[jkosina@suse.cz: changed
report->maxfield < 1
to
report->maxfield != 1
as suggested by Bruno].
CVE-2013-2899
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
