94de3b405c8dee0ffc8de5c06b32fbf00fc4e8f9
263 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Carlos Llamas
|
9caa51de34 |
FROMLIST: binder: fix UAF caused by faulty buffer cleanup
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit
|
||
|
Carlos Llamas
|
c86e2416fd |
ANDROID: fix use of plain integer as NULL pointer
This patch fixes the following sparse issues:
drivers/android/binder.c:1373:70: sparse: sparse: Using plain integer as NULL pointer
drivers/android/binder.c:2508:41: sparse: sparse: Using plain integer as NULL pointer
Fixes:
|
||
|
Alessandro Astone
|
a2ee0d8df3 |
UPSTREAM: binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0
Some android userspace is sending BINDER_TYPE_FDA objects with
num_fds=0. Like the previous patch, this is reproducible when
playing a video.
Before commit 09184ae9b575 BINDER_TYPE_FDA objects with num_fds=0
were 'correctly handled', as in no fixup was performed.
After commit 09184ae9b575 we aggregate fixup and skip regions in
binder_ptr_fixup structs and distinguish between the two by using
the skip_size field: if it's 0, then it's a fixup, otherwise skip.
When processing BINDER_TYPE_FDA objects with num_fds=0 we add a
skip region of skip_size=0, and this causes issues because now
binder_do_deferred_txn_copies will think this was a fixup region.
To address that, return early from binder_translate_fd_array to
avoid adding an empty skip region.
Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
Link: https://lore.kernel.org/r/20220415120015.52684-1-ales.astone@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 257685302
(cherry picked from commit ef38de9217a04c9077629a24652689d8fdb4c6c6)
Change-Id: I34fab41c0c1beee366a5df4724b263e4385ad13b
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Lee Jones <joneslee@google.com>
|
||
|
Alessandro Astone
|
9cdb4e5812 |
UPSTREAM: binder: Address corner cases in deferred copy and fixup
When handling BINDER_TYPE_FDA object we are pushing a parent fixup
with a certain skip_size but no scatter-gather copy object, since
the copy is handled standalone.
If BINDER_TYPE_FDA is the last children the scatter-gather copy
loop will never stop to skip it, thus we are left with an item in
the parent fixup list. This will trigger the BUG_ON().
This is reproducible in android when playing a video.
We receive a transaction that looks like this:
obj[0] BINDER_TYPE_PTR, parent
obj[1] BINDER_TYPE_PTR, child
obj[2] BINDER_TYPE_PTR, child
obj[3] BINDER_TYPE_FDA, child
Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
Link: https://lore.kernel.org/r/20220415120015.52684-2-ales.astone@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 257685302
(cherry picked from commit 2d1746e3fda0c3612143d7c06f8e1d1830c13e23)
Change-Id: I3963a98dfc48b01d7bb8166aaa90341818bf6416
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Lee Jones <joneslee@google.com>
|
||
|
Arnd Bergmann
|
884fec935c |
UPSTREAM: binder: fix pointer cast warning
binder_uintptr_t is not the same as uintptr_t, so converting it into a
pointer requires a second cast:
drivers/android/binder.c: In function 'binder_translate_fd_array':
drivers/android/binder.c:2511:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
2511 | sender_ufda_base = (void __user *)sender_uparent->buffer + fda->parent_offset;
| ^
Fixes: 656e01f3ab54 ("binder: read pre-translated fds from sender buffer")
Acked-by: Todd Kjos <tkjos@google.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20211207122448.1185769-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 257685302
(cherry picked from commit 9a0a930fe2535a76ad70d3f43caeccf0d86a3009)
Change-Id: I1c9b86a90bcf2be81012e59e0c472869f551e61a
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Lee Jones <joneslee@google.com>
|
||
|
Todd Kjos
|
0502554803 |
UPSTREAM: binder: defer copies of pre-patched txn data
BINDER_TYPE_PTR objects point to memory areas in the source process to be copied into the target buffer as part of a transaction. This implements a scatter- gather model where non-contiguous memory in a source process is "gathered" into a contiguous region in the target buffer. The data can include pointers that must be fixed up to correctly point to the copied data. To avoid making source process pointers visible to the target process, this patch defers the copy until the fixups are known and then copies and fixeups are done together. There is a special case of BINDER_TYPE_FDA which applies the fixup later in the target process context. In this case the user data is skipped (so no untranslated fds become visible to the target). Reviewed-by: Martijn Coenen <maco@android.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-5-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 137131904 Bug: 257685302 (cherry picked from commit 09184ae9b5756cc469db6fd1d1cfdcffbf627c2d) [cmllamas: fix trivial merge conflict] Change-Id: I6de75b192d1e3b2cc73c8d91077d97b608e8c5a9 Signed-off-by: Carlos Llamas <cmllamas@google.com> Signed-off-by: Lee Jones <joneslee@google.com> |
||
|
Todd Kjos
|
a9afae9aa4 |
UPSTREAM: binder: read pre-translated fds from sender buffer
This patch is to prepare for an up coming patch where we read pre-translated fds from the sender buffer and translate them before copying them to the target. It does not change run time. The patch adds two new parameters to binder_translate_fd_array() to hold the sender buffer and sender buffer parent. These parameters let us call copy_from_user() directly from the sender instead of using binder_alloc_copy_from_buffer() to copy from the target. Also the patch adds some new alignment checks. Previously the alignment checks would have been done in a different place, but this lets us print more useful error messages. Reviewed-by: Martijn Coenen <maco@android.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-4-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 137131904 Bug: 257685302 (cherry picked from commit 656e01f3ab54afe71bed066996fc2640881e1220) Change-Id: Ib786020e49bd33e35aec88d43965f9d98021fa53 Signed-off-by: Carlos Llamas <cmllamas@google.com> Signed-off-by: Lee Jones <joneslee@google.com> |
||
|
Greg Kroah-Hartman
|
fda78dabca |
Revert "ANDROID: GKI: Add vendor hook to binder transaction"
This reverts commit
|
||
|
Carlos Llamas
|
d78c536fe7 |
UPSTREAM: binder: fix redefinition of seq_file attributes
The patchset in [1] exported some definitions to binder_internal.h in order to make the debugfs entries such as 'stats' and 'transaction_log' available in a binderfs instance. However, the DEFINE_SHOW_ATTRIBUTE macro expands into a static function/variable pair, which in turn get redefined each time a source file includes this internal header. This problem was made evident after a report from the kernel test robot <lkp@intel.com> where several W=1 build warnings are seen in downstream kernels. See the following example: include/../drivers/android/binder_internal.h:111:23: warning: 'binder_stats_fops' defined but not used [-Wunused-const-variable=] 111 | DEFINE_SHOW_ATTRIBUTE(binder_stats); | ^~~~~~~~~~~~ include/linux/seq_file.h:174:37: note: in definition of macro 'DEFINE_SHOW_ATTRIBUTE' 174 | static const struct file_operations __name ## _fops = { \ | ^~~~~~ This patch fixes the above issues by moving back the definitions into binder.c and instead creates an array of the debugfs entries which is more convenient to share with binderfs and iterate through. [1] https://lore.kernel.org/all/20190903161655.107408-1-hridya@google.com/ Fixes: |
||
|
Carlos Llamas
|
3108843b69 |
ANDROID: binder: fix pending prio state for early exit
When calling binder_do_set_priority() with the same policy and priority
values as the current task, we exit early since there is nothing to do.
However, the BINDER_PRIO_PENDING state might be set and in this case we
fail to update it. A subsequent call to binder_transaction_priority()
will then read an incorrect state and save the wrong priority. Fix this
by setting thread->prio_state to BINDER_PRIO_SET on our way out.
Bug: 199309216
Fixes: cac827f2619b ("ANDROID: binder: fix race in priority restore")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I21e906cf4b2ebee908af41fe101ecd458ae1991c
(cherry picked from commit 72193be6d4bd9ad29dacd998c14dff97f7a6c6c9)
|
||
|
Carlos Llamas
|
ae3fa5d16a |
FROMLIST: binder: fix UAF of ref->proc caused by race condition
A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled. The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so. ================================================================== BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590 CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: dump_backtrace.part.0+0x1d0/0x1e0 show_stack+0x18/0x70 dump_stack_lvl+0x68/0x84 print_report+0x2e4/0x61c kasan_report+0xa4/0x110 kasan_check_range+0xfc/0x1a4 __kasan_check_write+0x3c/0x50 _raw_spin_lock+0xa8/0x150 binder_deferred_func+0x5e0/0x9b0 process_one_work+0x38c/0x5f0 worker_thread+0x9c/0x694 kthread+0x188/0x190 ret_from_fork+0x10/0x20 Signed-off-by: Carlos Llamas <cmllamas@google.com> Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org> Bug: 239630375 Link: https://lore.kernel.org/all/20220801182511.3371447-1-cmllamas@google.com/ Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I5085dd0dc805a780a64c057e5819f82dd8f02868 |
||
|
zhengding chen
|
e107ea9e4d |
ANDROID: vendor_hooks: Add hooks for binder proc transaction
When servicemanager process added service proxy from other process register the service, we want to know the matching relation between handle in the process and service name. When binder transaction happened, We want to know what process calls what method on what service. Bug: 186604985 Signed-off-by: zhengding chen <chenzhengding@oppo.com> Change-Id: I813d1cde10294d8665f899f7fef0d444ec1f1f5e |
||
|
Zhuguangqing
|
254fb1f403 |
ANDROID: Add vendor hooks for binder perf tuning
Add vendor hook to get the binder message for vendor-specific power and performance tuning. Bug: 182496370 Bug: 235925535 Signed-off-by: Zhuguangqing <zhuguangqing@xiaomi.com> Change-Id: Id47e59c4e3ccd07b26eef758ada147b98cd1964e (cherry picked from commit 301e89472f3e00a2f02f1967d77efd051ada37f5) Signed-off-by: heshuai1 <heshuai1@xiaomi.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> [ cmllamas: don't export complete private definition struct binder_alloc in vendor hooks, instead just pass member alloc->free_async_space as implemented by heshuai1 and squashed here ] |
||
|
Li Li
|
ed6b498587 |
FROMGIT: Binder: add TF_UPDATE_TXN to replace outdated txn
When the target process is busy, incoming oneway transactions are queued in the async_todo list. If the clients continue sending extra oneway transactions while the target process is frozen, this queue can become too large to accommodate new transactions. That's why binder driver introduced ONEWAY_SPAM_DETECTION to detect this situation. It's helpful to debug the async binder buffer exhausting issue, but the issue itself isn't solved directly. In real cases applications are designed to send oneway transactions repeatedly, delivering updated inforamtion to the target process. Typical examples are Wi-Fi signal strength and some real time sensor data. Even if the apps might only care about the lastet information, all outdated oneway transactions are still accumulated there until the frozen process is thawed later. For this kind of situations, there's no existing method to skip those outdated transactions and deliver the latest one only. This patch introduces a new transaction flag TF_UPDATE_TXN. To use it, use apps can set this new flag along with TF_ONE_WAY. When such an oneway transaction is to be queued into the async_todo list of a frozen process, binder driver will check if any previous pending transactions can be superseded by comparing their code, flags and target node. If such an outdated pending transaction is found, the latest transaction will supersede that outdated one. This effectively prevents the async binder buffer running out and saves unnecessary binder read workloads. Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Li Li <dualli@google.com> Link: https://lore.kernel.org/r/20220526220018.3334775-2-dualli@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 231624308 Test: manually check async binder buffer size of frozen apps Test: stress test with kernel 4.14/4.19/5.10/5.15 (cherry picked from commit 9864bb4801331daa48514face9d0f4861e4d485b git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: I1c4bff1eda1ca15aaaad5bf696c8fc00be743176 |
||
|
zhangchuang3
|
8db214e1e2 |
ANDROID: binder: Export binder_txn_latency_free trace point
We use ANDROID_VENDOR_DATA to point to our custom data structure, we need to free it by binder_txn_latency_free Bug: 235773151 Signed-off-by: zhangchuang3 <zhangchuang3@xiaomi.com> Change-Id: Ib6e9af5e52e13a658555908ac46d4b13904b1d0c |
||
|
Liujie Xie
|
d26c0e1c40 |
ANDROID: vendor_hooks: Add hooks to select binder worklist
trace_android_vh_binder_proc_transaction_entry: We need change binder thread so that this work can be added in proc->todo, if we found the binder thread, skip native logic. trace_android_vh_binder_select_worklist_ilocked: we need this because we can't change list point in ”trace_android_vh_binder_thread_read“, otherwise, If a work has beed added in our own defined list before, current may goto retry and loop again and again. Bug: 219898723 Change-Id: Ifdb3429c9ddac521bc75c1d21740ee7cc4b8f143 Signed-off-by: Liujie Xie <xieliujie@oppo.com> (cherry picked from commit acefa91e517b9321295429d3a0e534908e2939c1) Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Liujie Xie
|
8968875ad6 |
ANDROID: vendor_hooks: Add hooks for binder proc transaction
We need pointers to proc and t, the current hooks in binder_proc_transaction are unable to use. Bug: 208910215 Change-Id: I730964f965a015e5f5a3e237d9b3bd084b5bd0d0 Signed-off-by: Liujie Xie <xieliujie@oppo.com> (cherry picked from commit cb7e10d31bca4f247c34d6791d6db048edf7e7a8) Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Liujie Xie
|
8d6074509e |
ANDROID: vendor_hooks: Add hooks for binder
We want to add some hooks in the binder module so that we can reduce block time until binder thread is available Here are what new hooks do for: 1、android_vh_binder_looper_state_registered: choose a binder thread(do proc work) as a low-level thread.Only this thread has power to excute background binder transaction. 2、android_vh_binder_thread_read: let binder thread do works which come from our list. 3、android_vh_binder_free_proc: free some pointers and variable. 4、android_vh_binder_thread_release: free the list that we create before. 5、android_vh_binder_has_work_ilocked: to check if our list has work. 6、android_vh_binder_read_done: because of we add hook in binder_has_work_ilocked, 7、android_vh_binder_preset: mark target proc's binder threads. binder_has_work_ilocked may return true, so we try to wake up low-level thread immediately. Bug: 212483521 Change-Id: Ic40f452cc4dcf8fc85422e23e6f1a7ad77547309 Signed-off-by: Liujie Xie <xieliujie@oppo.com> |
||
|
xieliujie
|
c8a2e13615 |
ANDROID: vendor_hooks: Add hook for binder
Add hook to support oem's performance feature. Bug: 186482511 Signed-off-by: xieliujie <xieliujie@oppo.com> Change-Id: Ib495e80e569cc293eaa98d87a050aee8915eb415 (cherry picked from commit 2337b9185a7e8ebf9748c9fa8eacc0e2b995797b) |
||
|
zhang chuang
|
1502f0ea7c |
ANDROID: Add hook to show vendor info for transactions
When watchdog or anr occur, we need to read dev/binderfs/binder_logs/proc/pid or dev/binderfs/binder_logs/state node to know the time-consuming information of the binder call. We need to add the time-consuming information of binder transaction. Bug: 190413570 Signed-off-by: zhang chuang <zhangchuang3@xiaomi.com> Change-Id: I0423d4e821d5cd725a848584133dc7245cbc233a (cherry picked from commit eabe9707f264c859d5b0b5b1740a97f8eef97d67) Signed-off-by: Carlos Llamas <cmllamas@google.com> [cmllamas: fix trivial merge conflict in vendor_hooks.c] |
||
|
Liangliang Li
|
cabca1b98e |
ANDROID: GKI: Add vendor hook to binder transaction
We want to get binder free space information in the binder transaction, but this needs to hold the mutex lock. So we add this restrict hook to do this. Bug: 205648032 Change-Id: Ie1f377018da686bd62f5ac2d1e5421899741e6d5 Signed-off-by: Liangliang Li <liliangliang@vivo.com> (cherry picked from commit 2f3f5731de0536a6a1048ae01e129cebec48e664) |
||
|
Carlos Llamas
|
d1367b5473 |
ANDROID: binder: fix race in priority restore
During a reply, the target gets woken up and then the priority of the replier is restored. The order is such to allow the target to process the reply ASAP. Otherwise, we risk the sender getting scheduled out before the wakeup happens. This strategy reduces transaction latency. However, a subsequent transaction from the same target could be started before the priority of the replier gets restored. At this point we save the wrong priority and it gets reinstated at the end of the transaction. This patch allows the incoming transaction to detect the race condition and save the correct next priority. Additionally, the replier will abort its pending priority restore which allows the new transaction to always run at the desired priority. Bug: 148101660 Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I6fec41ae1a1342023f78212ab1f984e26f068221 (cherry picked from commit cac827f2619b280d418e546a09f25da600dafe5a) [cmllamas: fixed trivial merge conflict] |
||
|
Carlos Llamas
|
e8fcc17a57 |
ANDROID: binder: switch task argument for binder_thread
Refactor binder priority functions to take in 'struct binder_thread *' instead of just 'struct task_struct *'. This allows access to other thread fields used in subsequent patches. In any case, the same task reference is still available under thread->task. There is no functional impact from this patch. Bug: 148101660 Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I67b599884580d957d776500e467827e5035c99f6 (cherry picked from commit 759d98484b5b51932d3d11651fa83c6bb268ce03) |
||
|
Carlos Llamas
|
16c04a2732 |
ANDROID: binder: pass desired priority by reference
Avoid making unnecessary stack copies of struct binder_priority and pass the argument by reference instead. Rename 'desired_prio' to 'desired' to match the usage in other priority functions. There is no functional impact from this patch. Bug: 148101660 Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I66ff5305296e7b9dba56ed265236f2af518f66e0 (cherry picked from commit 52d85f8a16467ce0bca374f885de24918f017371) |
||
|
Carlos Llamas
|
7da5987f5d |
ANDROID: binder: fold common setup of node_prio
The setup of node_prio is always the same, so just fold this logic into binder_transaction_priority() to avoid duplication. Let's pass the node reference instead, which also gives access to node->inherit_rt. There is no functional impact from this patch. Bug: 148101660 Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: Ib390204556e69c4bc8492cd9cd873773f9cdce42 (cherry picked from commit 498bf715b77c68e54d0289fa66e3f112278f87dc) |
||
|
Greg Kroah-Hartman
|
a8b5dc3032 |
Merge 5.15.17 into android13-5.15
Changes in 5.15.17
KVM: x86/mmu: Fix write-protection of PTs mapped by the TDP MMU
KVM: VMX: switch blocked_vcpu_on_cpu_lock to raw spinlock
HID: Ignore battery for Elan touchscreen on HP Envy X360 15t-dr100
HID: uhid: Fix worker destroying device without any protection
HID: wacom: Reset expected and received contact counts at the same time
HID: wacom: Ignore the confidence flag when a touch is removed
HID: wacom: Avoid using stale array indicies to read contact count
ALSA: core: Fix SSID quirk lookup for subvendor=0
f2fs: fix to do sanity check on inode type during garbage collection
f2fs: fix to do sanity check in is_alive()
f2fs: avoid EINVAL by SBI_NEED_FSCK when pinning a file
nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings
mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6
mtd: Fixed breaking list in __mtd_del_partition.
mtd: rawnand: davinci: Don't calculate ECC when reading page
mtd: rawnand: davinci: Avoid duplicated page read
mtd: rawnand: davinci: Rewrite function description
mtd: rawnand: Export nand_read_page_hwecc_oob_first()
mtd: rawnand: ingenic: JZ4740 needs 'oob_first' read page function
riscv: Get rid of MAXPHYSMEM configs
RISC-V: Use common riscv_cpuid_to_hartid_mask() for both SMP=y and SMP=n
riscv: try to allocate crashkern region from 32bit addressible memory
riscv: Don't use va_pa_offset on kdump
riscv: use hart id instead of cpu id on machine_kexec
riscv: mm: fix wrong phys_ram_base value for RV64
x86/gpu: Reserve stolen memory for first integrated Intel GPU
tools/nolibc: x86-64: Fix startup code bug
crypto: x86/aesni - don't require alignment of data
tools/nolibc: i386: fix initial stack alignment
tools/nolibc: fix incorrect truncation of exit code
rtc: cmos: take rtc_lock while reading from CMOS
net: phy: marvell: add Marvell specific PHY loopback
ksmbd: uninitialized variable in create_socket()
ksmbd: fix guest connection failure with nautilus
ksmbd: add support for smb2 max credit parameter
ksmbd: move credit charge deduction under processing request
ksmbd: limits exceeding the maximum allowable outstanding requests
ksmbd: add reserved room in ipc request/response
media: cec: fix a deadlock situation
media: ov8865: Disable only enabled regulators on error path
media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE
media: flexcop-usb: fix control-message timeouts
media: mceusb: fix control-message timeouts
media: em28xx: fix control-message timeouts
media: cpia2: fix control-message timeouts
media: s2255: fix control-message timeouts
media: dib0700: fix undefined behavior in tuner shutdown
media: redrat3: fix control-message timeouts
media: pvrusb2: fix control-message timeouts
media: stk1160: fix control-message timeouts
media: cec-pin: fix interrupt en/disable handling
can: softing_cs: softingcs_probe(): fix memleak on registration failure
mei: hbm: fix client dma reply status
iio: adc: ti-adc081c: Partial revert of removal of ACPI IDs
iio: trigger: Fix a scheduling whilst atomic issue seen on tsc2046
lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()
bus: mhi: pci_generic: Graceful shutdown on freeze
bus: mhi: core: Fix reading wake_capable channel configuration
bus: mhi: core: Fix race while handling SYS_ERR at power up
cxl/pmem: Fix reference counting for delayed work
arm64: errata: Fix exec handling in erratum
|
||
|
Todd Kjos
|
7a9ad4aceb |
binder: avoid potential data leakage when copying txn
[ Upstream commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c ]
Transactions are copied from the sender to the target
first and objects like BINDER_TYPE_PTR and BINDER_TYPE_FDA
are then fixed up. This means there is a short period where
the sender's version of these objects are visible to the
target prior to the fixups.
Instead of copying all of the data first, copy data only
after any needed fixups have been applied.
Fixes:
|
||
|
Todd Kjos
|
f9848823d4 |
binder: fix handling of error during copy
[ Upstream commit fe6b1869243f23a485a106c214bcfdc7aa0ed593 ]
If a memory copy function fails to copy the whole buffer,
a positive integar with the remaining bytes is returned.
In binder_translate_fd_array() this can result in an fd being
skipped due to the failed copy, but the loop continues
processing fds since the early return condition expects a
negative integer on error.
Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case.
Fixes:
|
||
|
Greg Kroah-Hartman
|
1dcc7190fe |
Merge 5.15.8 into android13-5.15
Changes in 5.15.8
usb: gadget: uvc: fix multiple opens
HID: quirks: Add quirk for the Microsoft Surface 3 type-cover
HID: google: add eel USB id
HID: intel-ish-hid: ipc: only enable IRQ wakeup when requested
HID: add hid_is_usb() function to make it simpler for USB detection
HID: add USB_HID dependancy to hid-prodikeys
HID: add USB_HID dependancy to hid-chicony
HID: add USB_HID dependancy on some USB HID drivers
HID: bigbenff: prevent null pointer dereference
HID: wacom: fix problems when device is not a valid USB device
HID: check for valid USB device for many HID drivers
mtd: dataflash: Add device-tree SPI IDs
mmc: spi: Add device-tree SPI IDs
HID: sony: fix error path in probe
HID: Ignore battery for Elan touchscreen on Asus UX550VE
platform/x86/intel: hid: add quirk to support Surface Go 3
nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit groups
IB/hfi1: Insure use of smp_processor_id() is preempt disabled
IB/hfi1: Fix early init panic
IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr
can: kvaser_usb: get CAN clock frequency from device
can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter
can: sja1000: fix use after free in ems_pcmcia_add_card()
can: pch_can: pch_can_rx_normal: fix use after free
can: m_can: m_can_read_fifo: fix memory leak in error branch
can: m_can: pci: fix incorrect reference clock rate
can: m_can: pci: fix iomap_read_fifo() and iomap_write_fifo()
can: m_can: Disable and ignore ELO interrupt
net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
x86/sme: Explicitly map new EFI memmap table as encrypted
platform/x86: amd-pmc: Fix s2idle failures on certain AMD laptops
nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
selftests: netfilter: add a vrf+conntrack testcase
vrf: don't run conntrack on vrf with !dflt qdisc
bpf, x86: Fix "no previous prototype" warning
bpf, sockmap: Attach map progs to psock early for feature probes
bpf: Make sure bpf_disable_instrumentation() is safe vs preemption.
bpf: Fix the off-by-two error in range markings
ice: ignore dropped packets during init
ethtool: do not perform operations on net devices being unregistered
bonding: make tx_rebalance_counter an atomic
nfp: Fix memory leak in nfp_cpp_area_cache_add()
seg6: fix the iif in the IPv6 socket control block
udp: using datalen to cap max gso segments
netfilter: nft_exthdr: break evaluation if setting TCP option fails
netfilter: conntrack: annotate data-races around ct->timeout
iavf: restore MSI state on reset
iavf: Fix reporting when setting descriptor count
IB/hfi1: Correct guard on eager buffer deallocation
devlink: fix netns refcount leak in devlink_nl_cmd_reload()
net: bcm4908: Handle dma_set_coherent_mask error codes
net: dsa: mv88e6xxx: error handling for serdes_power functions
net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering
net/sched: fq_pie: prevent dismantle issue
net: mvpp2: fix XDP rx queues registering
KVM: x86: Don't WARN if userspace mucks with RCX during string I/O exit
KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req
KVM: x86: Wait for IPIs to be delivered when handling Hyper-V TLB flush hypercall
timers: implement usleep_idle_range()
mm/damon/core: fix fake load reports due to uninterruptible sleeps
mm/slub: fix endianness bug for alloc/free_traces attributes
mm: bdi: initialize bdi_min_ratio when bdi is unregistered
ALSA: ctl: Fix copy of updated id with element read/write
ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
ALSA: hda/realtek: Fix quirk for TongFang PHxTxX1
ALSA: pcm: oss: Fix negative period/buffer sizes
ALSA: pcm: oss: Limit the period size to 16MB
ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
cifs: Fix crash on unload of cifs_arc4.ko
scsi: qla2xxx: Format log strings only if needed
btrfs: clear extent buffer uptodate when we fail to write it
btrfs: fix re-dirty process of tree-log nodes
btrfs: replace the BUG_ON in btrfs_del_root_ref with proper error handling
btrfs: free exchange changeset on failures
perf intel-pt: Fix some PGE (packet generation enable/control flow packets) usage
perf intel-pt: Fix sync state when a PSB (synchronization) packet is found
perf intel-pt: Fix intel_pt_fup_event() assumptions about setting state type
perf intel-pt: Fix state setting when receiving overflow (OVF) packet
perf intel-pt: Fix next 'err' value, walking trace
perf intel-pt: Fix missing 'instruction' events with 'q' option
perf intel-pt: Fix error timestamp setting on the decoder error path
md: fix update super 1.0 on rdev size change
nfsd: fix use-after-free due to delegation race
nfsd: Fix nsfd startup race (again)
tracefs: Have new files inherit the ownership of their parent
selftests: KVM: avoid failures due to reserved HyperTransport region
hwmon: (pwm-fan) Ensure the fan going on in .probe()
mmc: renesas_sdhi: initialize variable properly when tuning
clk: qcom: regmap-mux: fix parent clock lookup
thermal: int340x: Fix VCoRefLow MMIO bit offset for TGL
drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.
libata: add horkage for ASMedia 1092
io_uring: ensure task_work gets run as part of cancelations
wait: add wake_up_pollfree()
binder: use wake_up_pollfree()
signalfd: use wake_up_pollfree()
aio: keep poll requests on waitqueue until completed
aio: fix use-after-free due to missing POLLFREE handling
tracefs: Set all files to the same group ownership as the mount option
i2c: mpc: Use atomic read and fix break condition
block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()
scsi: scsi_debug: Fix buffer size of REPORT ZONES command
ALSA: usb-audio: Reorder snd_djm_devices[] entries
qede: validate non LSO skb length
PM: runtime: Fix pm_runtime_active() kerneldoc comment
ASoC: rt5682: Fix crash due to out of scope stack vars
ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer
ASoC: codecs: wsa881x: fix return values from kcontrol put
ASoC: codecs: wcd934x: handle channel mappping list correctly
ASoC: codecs: wcd934x: return correct value from mixer put
RDMA/hns: Do not halt commands during reset until later
RDMA/hns: Do not destroy QP resources in the hw resetting phase
hwmon: (dell-smm) Fix warning on /proc/i8k creation error
clk: imx: use module_platform_driver
clk: qcom: clk-alpha-pll: Don't reconfigure running Trion
i40e: Fix failed opcode appearing if handling messages from VF
i40e: Fix pre-set max number of queues for VF
mtd: rawnand: fsmc: Take instruction delay into account
mtd: rawnand: fsmc: Fix timing computation
bpf, sockmap: Re-evaluate proto ops when psock is removed from sockmap
i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc
Revert "PCI: aardvark: Fix support for PCI_ROM_ADDRESS1 on emulated bridge"
drm/amd/display: Fix DPIA outbox timeout after S3/S4/reset
perf tools: Fix SMT detection fast read path
Documentation/locking/locktypes: Update migrate_disable() bits.
dt-bindings: net: Reintroduce PHY no lane swap binding
tools build: Remove needless libpython-version feature check that breaks test-all fast path
net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
net: altera: set a couple error code in probe()
net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
net, neigh: clear whole pneigh_entry at alloc time
net/qla3xxx: fix an error code in ql_adapter_up()
selftests/fib_tests: Rework fib_rp_filter_test()
USB: gadget: detect too-big endpoint 0 requests
USB: gadget: zero allocate endpoint 0 buffers
Revert "usb: dwc3: dwc3-qcom: Enable tx-fifo-resize property by default"
usb: core: config: fix validation of wMaxPacketValue entries
xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending
usb: core: config: using bit mask instead of individual bits
xhci: avoid race between disable slot command and host runtime suspend
iio: gyro: adxrs290: fix data signedness
iio: trigger: Fix reference counting
iio: trigger: stm32-timer: fix MODULE_ALIAS
iio: stk3310: Don't return error code in interrupt handler
iio: mma8452: Fix trigger reference couting
iio: ltr501: Don't return error code in trigger handler
iio: kxsd9: Don't return error code in trigger handler
iio: itg3200: Call iio_trigger_notify_done() on error
iio: dln2-adc: Fix lockdep complaint
iio: dln2: Check return value of devm_iio_trigger_register()
iio: at91-sama5d2: Fix incorrect sign extension
iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda
iio: adc: axp20x_adc: fix charging current reporting on AXP22x
iio: ad7768-1: Call iio_trigger_notify_done() on error
iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
misc: rtsx: Avoid mangling IRQ during runtime PM
nvmem: eeprom: at25: fix FRAM byte_len
bus: mhi: pci_generic: Fix device recovery failed issue
bus: mhi: core: Add support for forced PM resume
csky: fix typo of fpu config macro
irqchip/aspeed-scu: Replace update_bits with write_bits.
irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
aio: Fix incorrect usage of eventfd_signal_allowed()
irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
irqchip: nvic: Fix offset for Interrupt Priority Offsets
misc: fastrpc: fix improper packet size calculation
clocksource/drivers/dw_apb_timer_of: Fix probe failure
bpf: Add selftests to cover packet access corner cases
Linux 5.15.8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4d543d6826c20e322ce477fe82c462791dc36ce4
|
||
|
Eric Biggers
|
f12d997683 |
binder: use wake_up_pollfree()
commit a880b28a71e39013e357fd3adccd1d8a31bc69a8 upstream.
wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll
and aio poll are fortunately not affected by this, but it's very
fragile. Thus, the new function wake_up_pollfree() has been introduced.
Convert binder to use wake_up_pollfree().
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes:
|
||
|
Liujie Xie
|
f4450be6e7 |
ANDROID: vendor_hooks: Add hooks for improving binder trans
Recognize important binder proc & binder thread and improve their sched lantency. Bug: 182952552 Change-Id: I174949bf90a4215a6d27f24abbc7d324a321e662 Signed-off-by: Liujie Xie <xieliujie@oppo.com> Signed-off-by: Shaleen Agrawal <quic_shalagra@quicinc.com> |
||
|
Todd Kjos
|
849d86e859 |
binder: fix test regression due to sender_euid change
commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream.
This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.
Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Todd Kjos
|
8488267949 |
FROMGIT: binder: fix test regression due to sender_euid change
This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.
Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 200688826
(cherry picked from commit c21a80ca0684ec2910344d72556c816cb8940c01
git: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-linus)
Signed-off-by: Todd Kjos <tkjos@google.com>
|
||
|
Todd Kjos
|
5e57d171e2 |
binder: don't detect sender/target during buffer cleanup
commit 32e9f56a96d8d0f23cb2aeb2a3cd18d40393e787 upstream.
When freeing txn buffers, binder_transaction_buffer_release()
attempts to detect whether the current context is the target by
comparing current->group_leader to proc->tsk. This is an unreliable
test. Instead explicitly pass an 'is_failure' boolean.
Detecting the sender was being used as a way to tell if the
transaction failed to be sent. When cleaning up after
failing to send a transaction, there is no need to close
the fds associated with a BINDER_TYPE_FDA object. Now
'is_failure' can be used to accurately detect this case.
Fixes:
|
||
|
Todd Kjos
|
6e8813eadf |
binder: use cred instead of task for getsecid
commit 4d5b5539742d2554591751b4248b0204d20dcc9d upstream.
Use the 'struct cred' saved at binder_open() to lookup
the security ID via security_cred_getsecid(). This
ensures that the security context that opened binder
is the one used to generate the secctx.
Cc: stable@vger.kernel.org # 5.4+
Fixes:
|
||
|
Todd Kjos
|
3f3c31dd0f |
binder: use cred instead of task for selinux checks
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes:
|
||
|
Todd Kjos
|
ff1bd01f49 |
binder: use euid from cred instead of using task
commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream.
Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.
Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.
Cc: stable@vger.kernel.org # 4.4+
Fixes:
|
||
|
Todd Kjos
|
48efccfcf7 |
UPSTREAM: binder: don't detect sender/target during buffer cleanup
When freeing txn buffers, binder_transaction_buffer_release()
attempts to detect whether the current context is the target by
comparing current->group_leader to proc->tsk. This is an unreliable
test. Instead explicitly pass an 'is_failure' boolean.
Detecting the sender was being used as a way to tell if the
transaction failed to be sent. When cleaning up after
failing to send a transaction, there is no need to close
the fds associated with a BINDER_TYPE_FDA object. Now
'is_failure' can be used to accurately detect this case.
Fixes:
|
||
|
Todd Kjos
|
fa35d5b512 |
UPSTREAM: binder: use cred instead of task for getsecid
Use the 'struct cred' saved at binder_open() to lookup
the security ID via security_cred_getsecid(). This
ensures that the security context that opened binder
is the one used to generate the secctx.
Cc: stable@vger.kernel.org # 5.4+
Fixes:
|
||
|
Todd Kjos
|
e4e961fc53 |
UPSTREAM: binder: use cred instead of task for selinux checks
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes:
|
||
|
Todd Kjos
|
b7107929ca |
UPSTREAM: binder: use euid from cred instead of using task
Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.
Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.
Cc: stable@vger.kernel.org # 4.4+
Fixes:
|
||
|
Satya Durga Srinivasu Prabhala
|
c9760ef713 |
ANDROID: binder: Export binder_transaction_received trace point
Vendor modules would like to register with the binder_transaction_received trace point to implement features carried in their downstream kernels. Bug: 174219217 Change-Id: Ica0f90c60964fc845de05169cbdd8a4948adb1cd Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org> |
||
|
Greg Kroah-Hartman
|
2de4b10131 |
Merge tag 'v5.15-rc3' into 'android-mainline'
Linux 5.15-rc3 Resolves merge issue with: drivers/scsi/ufs/ufshcd.c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I1f712bc222c47c2229df00deeddaf5233c69034d |
||
|
Satya Durga Srinivasu Prabhala
|
de3955742d |
ANDROID: binder: consolidate wakeup vendor hooks into one
There are few vendor hooks available for binder wakeup related functionality. As they both essentially do the same thing, we can consolidate them into one. Bug: 200103201 Change-Id: I44b472e7564eecbe8236ad2eb88b0433195f14d8 Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org> Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org> |
||
|
Todd Kjos
|
5fdb55c1ac |
binder: make sure fd closes complete
During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object
cleanup may close 1 or more fds. The close operations are
completed using the task work mechanism -- which means the thread
needs to return to userspace or the file object may never be
dereferenced -- which can lead to hung processes.
Force the binder thread back to userspace if an fd is closed during
BC_FREE_BUFFER handling.
Fixes:
|
||
|
Li Li
|
b564171ade |
binder: fix freeze race
Currently cgroup freezer is used to freeze the application threads, and
BINDER_FREEZE is used to freeze the corresponding binder interface.
There's already a mechanism in ioctl(BINDER_FREEZE) to wait for any
existing transactions to drain out before actually freezing the binder
interface.
But freezing an app requires 2 steps, freezing the binder interface with
ioctl(BINDER_FREEZE) and then freezing the application main threads with
cgroupfs. This is not an atomic operation. The following race issue
might happen.
1) Binder interface is frozen by ioctl(BINDER_FREEZE);
2) Main thread A initiates a new sync binder transaction to process B;
3) Main thread A is frozen by "echo 1 > cgroup.freeze";
4) The response from process B reaches the frozen thread, which will
unexpectedly fail.
This patch provides a mechanism to check if there's any new pending
transaction happening between ioctl(BINDER_FREEZE) and freezing the
main thread. If there's any, the main thread freezing operation can
be rolled back to finish the pending transaction.
Furthermore, the response might reach the binder driver before the
rollback actually happens. That will still cause failed transaction.
As the other process doesn't wait for another response of the response,
the response transaction failure can be fixed by treating the response
transaction like an oneway/async one, allowing it to reach the frozen
thread. And it will be consumed when the thread gets unfrozen later.
NOTE: This patch reuses the existing definition of struct
binder_frozen_status_info but expands the bit assignments of __u32
member sync_recv.
To ensure backward compatibility, bit 0 of sync_recv still indicates
there's an outstanding sync binder transaction. This patch adds new
information to bit 1 of sync_recv, indicating the binder transaction
happens exactly when there's a race.
If an existing userspace app runs on a new kernel, a sync binder call
will set bit 0 of sync_recv so ioctl(BINDER_GET_FROZEN_INFO) still
return the expected value (true). The app just doesn't check bit 1
intentionally so it doesn't have the ability to tell if there's a race.
This behavior is aligned with what happens on an old kernel which
doesn't set bit 1 at all.
A new userspace app can 1) check bit 0 to know if there's a sync binder
transaction happened when being frozen - same as before; and 2) check
bit 1 to know if that sync binder transaction happened exactly when
there's a race - a new information for rollback decision.
the same time, confirmed the pending transactions succeeded.
Fixes:
|
||
|
Greg Kroah-Hartman
|
2b044265a1 |
Merge ba1dc7f273 ("Merge tag 'char-misc-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc") into android-mainline
Steps on the way to 5.15-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ic043c79dd57cd64ee963fcfb77dde2ff398052a5 |
||
|
Todd Kjos
|
d1c6df6dc8 |
Revert "Revert "binder: Prevent context manager from incrementing ref 0""
This reverts commit
|
||
|
Ramji Jiyani
|
1ae14df56c |
binder: Add invalid handle info in user error log
In the case of a failed transaction, only the thread and process id are logged. Add the handle info for the reference to the target node in user error log to aid debugging. Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Ramji Jiyani <ramjiyani@google.com> Link: https://lore.kernel.org/r/20210802220446.1938347-1-ramjiyani@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
e774e906a1 |
Merge 50f09a3dd5 ("Merge tag 'char-misc-5.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc") into android-mainline
Steps on the way to 5.13-rc3 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I971e724b3283ba3dbb7398443f481887102f8972 |