Commit Graph

223 Commits

Author SHA1 Message Date
523769c68b Merge 4.19.224 into android-4.19-stable
Changes in 4.19.224
	HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option
	tee: handle lookup of shm with reference count 0
	Input: i8042 - add deferred probe support
	Input: i8042 - enable deferred probe quirk for ASUS UM325UA
	platform/x86: apple-gmux: use resource_size() with res
	recordmcount.pl: fix typo in s390 mcount regex
	selinux: initialize proto variable in selinux_ip_postroute_compat()
	scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
	udp: using datalen to cap ipv6 udp max gso segments
	selftests: Calculate udpgso segment count without header adjustment
	sctp: use call_rcu to free endpoint
	net: usb: pegasus: Do not drop long Ethernet frames
	NFC: st21nfca: Fix memory leak in device probe and remove
	net/mlx5e: Fix wrong features assignment in case of error
	selftests/net: udpgso_bench_tx: fix dst ip argument
	fsl/fman: Fix missing put_device() call in fman_port_probe
	i2c: validate user data in compat ioctl
	nfc: uapi: use kernel size_t to fix user-space builds
	uapi: fix linux/nfc.h userspace compilation errors
	xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
	usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
	usb: mtu3: set interval of FS intr and isoc endpoint
	binder: fix async_free_space accounting for empty parcels
	scsi: vmw_pvscsi: Set residual data length conditionally
	Input: appletouch - initialize work before device registration
	Input: spaceball - fix parsing of movement data packets
	net: fix use-after-free in tw_timer_handler
	Linux 4.19.224

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I152e5f7136d00c553192c65298371353418eed41
2022-01-05 13:21:08 +01:00
7c70644026 binder: fix async_free_space accounting for empty parcels
commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901 upstream.

In 4.13, commit 74310e06be ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.

Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less.  These small transactions are uncommon, so this accounting issue
has gone undetected for several years.

The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.

Fixes: 74310e06be ("android: binder: Move buffer out of area shared with user space")
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org # 4.14+
Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-01-05 12:34:59 +01:00
965798c6c9 Merge 4.19.221 into android-4.19-stable
Changes in 4.19.221
	HID: google: add eel USB id
	HID: add hid_is_usb() function to make it simpler for USB detection
	HID: add USB_HID dependancy to hid-prodikeys
	HID: add USB_HID dependancy to hid-chicony
	HID: add USB_HID dependancy on some USB HID drivers
	HID: wacom: fix problems when device is not a valid USB device
	HID: check for valid USB device for many HID drivers
	can: kvaser_usb: get CAN clock frequency from device
	can: sja1000: fix use after free in ems_pcmcia_add_card()
	net: core: netlink: add helper refcount dec and lock function
	net: sched: rename qdisc_destroy() to qdisc_put()
	net: sched: extend Qdisc with rcu
	net: sched: add helper function to take reference to Qdisc
	net: sched: use Qdisc rcu API instead of relying on rtnl lock
	nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
	bpf: Fix the off-by-two error in range markings
	ice: ignore dropped packets during init
	bonding: make tx_rebalance_counter an atomic
	nfp: Fix memory leak in nfp_cpp_area_cache_add()
	seg6: fix the iif in the IPv6 socket control block
	udp: using datalen to cap max gso segments
	IB/hfi1: Correct guard on eager buffer deallocation
	mm: bdi: initialize bdi_min_ratio when bdi is unregistered
	ALSA: ctl: Fix copy of updated id with element read/write
	ALSA: pcm: oss: Fix negative period/buffer sizes
	ALSA: pcm: oss: Limit the period size to 16MB
	ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
	tracefs: Have new files inherit the ownership of their parent
	clk: qcom: regmap-mux: fix parent clock lookup
	can: pch_can: pch_can_rx_normal: fix use after free
	can: m_can: Disable and ignore ELO interrupt
	libata: add horkage for ASMedia 1092
	wait: add wake_up_pollfree()
	binder: use wake_up_pollfree()
	signalfd: use wake_up_pollfree()
	aio: keep poll requests on waitqueue until completed
	aio: fix use-after-free due to missing POLLFREE handling
	tracefs: Set all files to the same group ownership as the mount option
	block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
	qede: validate non LSO skb length
	ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer
	i40e: Fix pre-set max number of queues for VF
	mtd: rawnand: fsmc: Take instruction delay into account
	tools build: Remove needless libpython-version feature check that breaks test-all fast path
	net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
	net: altera: set a couple error code in probe()
	net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
	net, neigh: clear whole pneigh_entry at alloc time
	net/qla3xxx: fix an error code in ql_adapter_up()
	USB: gadget: detect too-big endpoint 0 requests
	USB: gadget: zero allocate endpoint 0 buffers
	usb: core: config: fix validation of wMaxPacketValue entries
	xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending
	usb: core: config: using bit mask instead of individual bits
	xhci: avoid race between disable slot command and host runtime suspend
	iio: trigger: Fix reference counting
	iio: trigger: stm32-timer: fix MODULE_ALIAS
	iio: stk3310: Don't return error code in interrupt handler
	iio: mma8452: Fix trigger reference couting
	iio: ltr501: Don't return error code in trigger handler
	iio: kxsd9: Don't return error code in trigger handler
	iio: itg3200: Call iio_trigger_notify_done() on error
	iio: dln2-adc: Fix lockdep complaint
	iio: dln2: Check return value of devm_iio_trigger_register()
	iio: at91-sama5d2: Fix incorrect sign extension
	iio: adc: axp20x_adc: fix charging current reporting on AXP22x
	iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
	irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
	irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
	irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
	irqchip: nvic: Fix offset for Interrupt Priority Offsets
	net_sched: fix a crash in tc_new_tfilter()
	net: sched: make function qdisc_free_cb() static
	Linux 4.19.221

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie58fef73a6ccfbd581bac4a655548f92816f1cbd
2021-12-14 10:41:13 +01:00
32288f5040 binder: use wake_up_pollfree()
commit a880b28a71e39013e357fd3adccd1d8a31bc69a8 upstream.

wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters.  Yet, POLLFREE *must* wake up all waiters.  epoll
and aio poll are fortunately not affected by this, but it's very
fragile.  Thus, the new function wake_up_pollfree() has been introduced.

Convert binder to use wake_up_pollfree().

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: f5cb779ba1 ("ANDROID: binder: remove waitqueue when thread exits.")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211209010455.42744-3-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-14 10:18:06 +01:00
c3b9f29fca binder: fix test regression due to sender_euid change
commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream.

This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.

Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-01 09:27:39 +01:00
e82f3f9638 binder: use cred instead of task for selinux checks
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.

Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.

Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.

Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af73079d ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-26 11:35:56 +01:00
5d40061285 binder: use euid from cred instead of using task
commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream.

Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.

Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.

Cc: stable@vger.kernel.org # 4.4+
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Suggested-by: Jann Horn <jannh@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-26 11:35:56 +01:00
7b7aa234a0 UPSTREAM: binder: use cred instead of task for getsecid
commit 4d5b5539742d2554591751b4248b0204d20dcc9d upstream.

Use the 'struct cred' saved at binder_open() to lookup
the security ID via security_cred_getsecid(). This
ensures that the security context that opened binder
is the one used to generate the secctx.

Cc: stable@vger.kernel.org # 5.4+
Fixes: ec74136ded79 ("binder: create node flag to request sender's security context")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Change-Id: Ia7b59804a0bdbd51191bbcca556414840307c623
Bug: 200688826
Signed-off-by: Todd Kjos <tkjos@google.com>
2021-11-22 09:49:56 -08:00
213d8be2c6 FROMGIT: binder: fix test regression due to sender_euid change
This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.

Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 200688826
(cherry picked from commit c21a80ca0684ec2910344d72556c816cb8940c01
git: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-linus)
Signed-off-by: Todd Kjos <tkjos@google.com>
2021-11-22 09:27:19 -08:00
2a4f6c6295 BACKPORT: binder: use cred instead of task for selinux checks
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.

Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.

Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.

Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af73079d ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Change-Id: Id7157515d2b08f11683aeb8ad9b8f1da075d34e7
Bug: 200688826
[ tkjos@ fixed minor conflict ]
Signed-off-by: Todd Kjos <tkjos@google.com>
2021-11-22 09:24:46 -08:00
6ada76218a UPSTREAM: binder: use euid from cred instead of using task
commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream.

Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.

Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.

Cc: stable@vger.kernel.org # 4.4+
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Suggested-by: Jann Horn <jannh@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Change-Id: I91922e7f359df5901749f1b09094c3c68d45aed4
Bug: 200688826
Signed-off-by: Todd Kjos <tkjos@google.com>
2021-11-22 09:24:16 -08:00
d2437b10ba UPSTREAM: binderfs: use refcount for binder control devices too
Binderfs binder-control devices are cleaned up via binderfs_evict_inode
too() which will use refcount_dec_and_test(). However, we missed to set
the refcount for binderfs binder-control devices and so we underflowed
when the binderfs instance got unmounted. Pretty obvious oversight and
should have been part of the more general UAF fix. The good news is that
having test cases (suprisingly) helps.

Technically, we could detect that we're about to cleanup the
binder-control dentry in binderfs_evict_inode() and then simply clean it
up. But that makes the assumption that the binder driver itself will
never make use of a binderfs binder-control device after the binderfs
instance it belongs to has been unmounted and the superblock for it been
destroyed. While it is unlikely to ever come to this let's be on the
safe side. Performance-wise this also really doesn't matter since the
binder-control device is only every really when creating the binderfs
filesystem or creating additional binder devices. Both operations are
pretty rare.

Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 211b64e4b5b6bd5fdc19cd525c2cc9a90e6b0ec9)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Idb5e9e8945fa95506f3ff4f15bde3efaf65d7c9f
2020-11-16 07:43:08 +01:00
35cc2facc2 binder: fix UAF when releasing todo list
commit f3277cbfba763cd2826396521b9296de67cf1bbc upstream.

When releasing a thread todo list when tearing down
a binder_proc, the following race was possible which
could result in a use-after-free:

1.  Thread 1: enter binder_release_work from binder_thread_release
2.  Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked()
3.  Thread 2: dec nodeA --> 0 (will free node)
4.  Thread 1: ACQ inner_proc_lock
5.  Thread 2: block on inner_proc_lock
6.  Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
7.  Thread 1: REL inner_proc_lock
8.  Thread 2: ACQ inner_proc_lock
9.  Thread 2: todo list cleanup, but work was already dequeued
10. Thread 2: free node
11. Thread 2: REL inner_proc_lock
12. Thread 1: deref w->type (UAF)

The problem was that for a BINDER_WORK_NODE, the binder_work element
must not be accessed after releasing the inner_proc_lock while
processing the todo list elements since another thread might be
handling a deref on the node containing the binder_work element
leading to the node being freed.

Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com
Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-29 09:54:56 +01:00
f75b05ac56 UPSTREAM: binder: fix UAF when releasing todo list
When releasing a thread todo list when tearing down
a binder_proc, the following race was possible which
could result in a use-after-free:

1.  Thread 1: enter binder_release_work from binder_thread_release
2.  Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked()
3.  Thread 2: dec nodeA --> 0 (will free node)
4.  Thread 1: ACQ inner_proc_lock
5.  Thread 2: block on inner_proc_lock
6.  Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
7.  Thread 1: REL inner_proc_lock
8.  Thread 2: ACQ inner_proc_lock
9.  Thread 2: todo list cleanup, but work was already dequeued
10. Thread 2: free node
11. Thread 2: REL inner_proc_lock
12. Thread 1: deref w->type (UAF)

The problem was that for a BINDER_WORK_NODE, the binder_work element
must not be accessed after releasing the inner_proc_lock while
processing the todo list elements since another thread might be
handling a deref on the node containing the binder_work element
leading to the node being freed.

Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com
Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f3277cbfba763cd2826396521b9296de67cf1bbc)
Change-Id: I7c1bf0b74824f272664e76206c5dc3b66b9eeaff
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2020-10-17 13:15:39 +02:00
3b165ab697 FROMGIT: binder: print warnings when detecting oneway spamming.
The most common cause of the binder transaction buffer filling up is a
client rapidly firing oneway transactions into a process, before it has
a chance to handle them. Yet the root cause of this is often hard to
debug, because either the system or the app will stop, and by that time
binder debug information we dump in bugreports is no longer relevant.

This change warns as soon as a process dips below 80% of its oneway
space (less than 100kB available in the configuration), when any one
process is responsible for either more than 50 transactions, or more
than 50% of the oneway space.

Signed-off-by: Martijn Coenen <maco@android.com>
Signed-off-by: Martijn Coenen <maco@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200821122544.1277051-1-maco@android.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 261e7818f06ec51e488e007f787ccd7e77272918
git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/
char-misc-next)
Signed-off-by: Martijn Coenen <maco@android.com>

Bug: 147795659
Change-Id: Idc2b03ddc779880ca4716fdae47a70df43211f25
2020-09-10 16:54:59 +00:00
a0c68fd8e8 Revert "binder: Prevent context manager from incrementing ref 0"
This reverts commit c5665cafbedd2e2a523fe933e452391a02d3adb3.

This patch was causing display hangs for Qualcomm after the 5.4.58
merge.

Bug: 166779391
Change-Id: Iaf22ede68247422709b00f059e5c4d517f219adf
Signed-off-by: Todd Kjos <tkjos@google.com>
2020-08-28 21:53:36 +00:00
c519a68e3a Merge 4.19.139 into android-4.19-stable
Changes in 4.19.139
	USB: serial: qcserial: add EM7305 QDL product ID
	USB: iowarrior: fix up report size handling for some devices
	usb: xhci: define IDs for various ASMedia host controllers
	usb: xhci: Fix ASMedia ASM1142 DMA addressing
	Revert "ALSA: hda: call runtime_allow() for all hda controllers"
	ALSA: seq: oss: Serialize ioctls
	staging: android: ashmem: Fix lockdep warning for write operation
	Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
	Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
	Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
	omapfb: dss: Fix max fclk divider for omap36xx
	binder: Prevent context manager from incrementing ref 0
	vgacon: Fix for missing check in scrollback handling
	mtd: properly check all write ioctls for permissions
	leds: wm831x-status: fix use-after-free on unbind
	leds: da903x: fix use-after-free on unbind
	leds: lm3533: fix use-after-free on unbind
	leds: 88pm860x: fix use-after-free on unbind
	net/9p: validate fds in p9_fd_open
	drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason
	drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
	i2c: slave: improve sanity check when registering
	i2c: slave: add sanity check when unregistering
	usb: hso: check for return value in hso_serial_common_create()
	firmware: Fix a reference count leak.
	cfg80211: check vendor command doit pointer before use
	igb: reinit_locked() should be called with rtnl_lock
	atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
	tools lib traceevent: Fix memory leak in process_dynamic_array_len
	Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
	xattr: break delegations in {set,remove}xattr
	ipv4: Silence suspicious RCU usage warning
	ipv6: fix memory leaks on IPV6_ADDRFORM path
	net: ethernet: mtk_eth_soc: fix MTU warnings
	vxlan: Ensure FDB dump is performed under RCU
	net: lan78xx: replace bogus endpoint lookup
	hv_netvsc: do not use VF device if link is down
	net: gre: recompute gre csum for sctp over gre tunnels
	net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task()
	openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
	Revert "vxlan: fix tos value before xmit"
	selftests/net: relax cpu affinity requirement in msg_zerocopy test
	rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
	i40e: add num_vectors checker in iwarp handler
	i40e: Wrong truncation from u16 to u8
	i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
	i40e: Memory leak in i40e_config_iwarp_qvlist
	Smack: fix use-after-free in smk_write_relabel_self()
	Linux 4.19.139

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If64996b6bc365365c5f06165ed8c7648336731bf
2020-08-11 17:03:22 +02:00
74e42c22f2 binder: Prevent context manager from incrementing ref 0
commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream.

Binder is designed such that a binder_proc never has references to
itself. If this rule is violated, memory corruption can occur when a
process sends a transaction to itself; see e.g.
<https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d>.

There is a remaining edgecase through which such a transaction-to-self
can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
access:

 - task A opens /dev/binder twice, creating binder_proc instances P1
   and P2
 - P1 becomes context manager
 - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
   handle table
 - P1 dies (by closing the /dev/binder fd and waiting a bit)
 - P2 becomes context manager
 - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
   handle table
   [this triggers a warning: "binder: 1974:1974 tried to acquire
   reference to desc 0, got 1 instead"]
 - task B opens /dev/binder once, creating binder_proc instance P3
 - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
   transaction)
 - P2 receives the handle and uses it to call P3 (two-way transaction)
 - P3 calls P2 (via magic handle 0) (two-way transaction)
 - P2 calls P2 (via handle 1) (two-way transaction)

And then, if P2 does *NOT* accept the incoming transaction work, but
instead closes the binder fd, we get a crash.

Solve it by preventing the context manager from using ACQUIRE on ref 0.
There shouldn't be any legitimate reason for the context manager to do
that.

Additionally, print a warning if someone manages to find another way to
trigger a transaction-to-self bug in the future.

Cc: stable@vger.kernel.org
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Martijn Coenen <maco@android.com>
Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-11 15:32:31 +02:00
bcf9517454 Merge 4.19.135 into android-4.19-stable
Changes in 4.19.135
	soc: qcom: rpmh: Dirt can only make you dirtier, not cleaner
	gpio: arizona: handle pm_runtime_get_sync failure case
	gpio: arizona: put pm_runtime in case of failure
	pinctrl: amd: fix npins for uart0 in kerncz_groups
	mac80211: allow rx of mesh eapol frames with default rx key
	scsi: scsi_transport_spi: Fix function pointer check
	xtensa: fix __sync_fetch_and_{and,or}_4 declarations
	xtensa: update *pos in cpuinfo_op.next
	drivers/net/wan/lapbether: Fixed the value of hard_header_len
	net: sky2: initialize return of gm_phy_read
	drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
	drivers/firmware/psci: Fix memory leakage in alloc_init_cpu_groups()
	fuse: fix weird page warning
	irqdomain/treewide: Keep firmware node unconditionally allocated
	SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO compeletion")
	spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
	tipc: clean up skb list lock handling on send path
	IB/umem: fix reference count leak in ib_umem_odp_get()
	uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix GDB regression
	ALSA: info: Drop WARN_ON() from buffer NULL sanity check
	ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
	btrfs: fix double free on ulist after backref resolution failure
	btrfs: fix mount failure caused by race with umount
	btrfs: fix page leaks after failure to lock page for delalloc
	bnxt_en: Fix race when modifying pause settings.
	fpga: dfl: fix bug in port reset handshake
	hippi: Fix a size used in a 'pci_free_consistent()' in an error handling path
	ax88172a: fix ax88172a_unbind() failures
	net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual configuration
	ieee802154: fix one possible memleak in adf7242_probe
	drm: sun4i: hdmi: Fix inverted HPD result
	net: smc91x: Fix possible memory leak in smc_drv_probe()
	bonding: check error value of register_netdevice() immediately
	mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
	qed: suppress "don't support RoCE & iWARP" flooding on HW init
	ipvs: fix the connection sync failed in some cases
	net: ethernet: ave: Fix error returns in ave_init
	i2c: rcar: always clear ICSAR to avoid side effects
	bonding: check return value of register_netdevice() in bond_newlink()
	serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
	scripts/decode_stacktrace: strip basepath from all paths
	scripts/gdb: fix lx-symbols 'gdb.error' while loading modules
	HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override
	HID: alps: support devices with report id 2
	HID: steam: fixes race in handling device list.
	HID: apple: Disable Fn-key key-re-mapping on clone keyboards
	dmaengine: tegra210-adma: Fix runtime PM imbalance on error
	Input: add `SW_MACHINE_COVER`
	spi: mediatek: use correct SPI_CFG2_REG MACRO
	regmap: dev_get_regmap_match(): fix string comparison
	hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow
	dmaengine: ioat setting ioat timeout as module parameter
	Input: synaptics - enable InterTouch for ThinkPad X1E 1st gen
	usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
	hwmon: (adm1275) Make sure we are reading enough data for different chips
	hwmon: (scmi) Fix potential buffer overflow in scmi_hwmon_probe()
	arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
	x86: math-emu: Fix up 'cmp' insn for clang ias
	RISC-V: Upgrade smp_mb__after_spinlock() to iorw,iorw
	binder: Don't use mmput() from shrinker function.
	usb: xhci-mtk: fix the failure of bandwidth allocation
	usb: xhci: Fix ASM2142/ASM3142 DMA addressing
	Revert "cifs: Fix the target file was deleted when rename failed."
	staging: wlan-ng: properly check endpoint types
	staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
	staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
	staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
	staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
	serial: 8250: fix null-ptr-deref in serial8250_start_tx()
	serial: 8250_mtk: Fix high-speed baud rates clamping
	fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
	vt: Reject zero-sized screen buffer size.
	Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
	mm/memcg: fix refcount error while moving and swapping
	mm: memcg/slab: synchronize access to kmem_cache dying flag using a spinlock
	mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
	io-mapping: indicate mapping failure
	drm/amdgpu: Fix NULL dereference in dpm sysfs handlers
	drm/amd/powerplay: fix a crash when overclocking Vega M
	parisc: Add atomic64_set_release() define to avoid CPU soft lockups
	x86, vmlinux.lds: Page-align end of ..page_aligned sections
	ASoC: rt5670: Add new gpio1_is_ext_spk_en quirk and enable it on the Lenovo Miix 2 10
	ASoC: qcom: Drop HAS_DMA dependency to fix link failure
	dm integrity: fix integrity recalculation that is improperly skipped
	ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
	ath9k: Fix regression with Atheros 9271
	Linux 4.19.135

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I0bbcde83e7c810352d998f28d3484efa2b9ede8e
2020-07-29 13:22:30 +02:00
e1e622d0d9 binder: Don't use mmput() from shrinker function.
commit f867c771f98891841c217fa8459244ed0dd28921 upstream.

syzbot is reporting that mmput() from shrinker function has a risk of
deadlock [1], for delayed_uprobe_add() from update_ref_ctr() calls
kzalloc(GFP_KERNEL) with delayed_uprobe_lock held, and
uprobe_clear_state() from __mmput() also holds delayed_uprobe_lock.

Commit a1b2289cef ("android: binder: drop lru lock in isolate
callback") replaced mmput() with mmput_async() in order to avoid sleeping
with spinlock held. But this patch replaces mmput() with mmput_async() in
order not to start __mmput() from shrinker context.

[1] https://syzkaller.appspot.com/bug?id=bc9e7303f537c41b2b0cc2dfcea3fc42964c2d45

Reported-by: syzbot <syzbot+1068f09c44d151250c33@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+e5344baa319c9a96edec@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Acked-by: Todd Kjos <tkjos@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/4ba9adb2-43f5-2de0-22de-f6075c1fab50@i-love.sakura.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-29 10:16:54 +02:00
41e863e2ea UPSTREAM: binder: fix null deref of proc->context
commit d35d3660e065b69fdb8bf512f3d899f350afce52 upstream.

The binder driver makes the assumption proc->context pointer is invariant after
initialization (as documented in the kerneldoc header for struct proc).
However, in commit f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
proc->context is set to NULL during binder_deferred_release().

Another proc was in the middle of setting up a transaction to the dying
process and crashed on a NULL pointer deref on "context" which is a local
set to &proc->context:

    new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;

Here's the stack:

[ 5237.855435] Call trace:
[ 5237.855441] binder_get_ref_for_node_olocked+0x100/0x2ec
[ 5237.855446] binder_inc_ref_for_node+0x140/0x280
[ 5237.855451] binder_translate_binder+0x1d0/0x388
[ 5237.855456] binder_transaction+0x2228/0x3730
[ 5237.855461] binder_thread_write+0x640/0x25bc
[ 5237.855466] binder_ioctl_write_read+0xb0/0x464
[ 5237.855471] binder_ioctl+0x30c/0x96c
[ 5237.855477] do_vfs_ioctl+0x3e0/0x700
[ 5237.855482] __arm64_sys_ioctl+0x78/0xa4
[ 5237.855488] el0_svc_common+0xb4/0x194
[ 5237.855493] el0_svc_handler+0x74/0x98
[ 5237.855497] el0_svc+0x8/0xc

The fix is to move the kfree of the binder_device to binder_free_proc()
so the binder_device is freed when we know there are no references
remaining on the binder_proc.

Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200622200715.114382-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I933c938ea85889f77fb634bbed29a7cd74527dcc
2020-07-07 00:12:16 +00:00
de1774a9d2 Merge 4.19.120 into android-4.19
Changes in 4.19.120
	remoteproc: Fix wrong rvring index computation
	mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer
	include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap
	binder: take read mode of mmap_sem in binder_alloc_free_page()
	usb: dwc3: gadget: Do link recovery for SS and SSP
	usb: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete
	iio:ad7797: Use correct attribute_group
	ASoC: q6dsp6: q6afe-dai: add missing channels to MI2S DAIs
	ASoC: tas571x: disable regulators on failed probe
	ASoC: wm8960: Fix wrong clock after suspend & resume
	nfsd: memory corruption in nfsd4_lock()
	i2c: altera: use proper variable to hold errno
	rxrpc: Fix DATA Tx to disable nofrag for UDP on AF_INET6 socket
	net/cxgb4: Check the return from t4_query_params properly
	xfs: acquire superblock freeze protection on eofblocks scans
	svcrdma: Fix trace point use-after-free race
	svcrdma: Fix leak of svc_rdma_recv_ctxt objects
	PCI: Avoid ASMedia XHCI USB PME# from D0 defect
	PCI: Move Apex Edge TPU class quirk to fix BAR assignment
	ARM: dts: bcm283x: Disable dsi0 node
	cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled
	net/mlx5: Fix failing fw tracer allocation on s390
	perf/core: fix parent pid/tid in task exit events
	bpf, x86_32: Fix incorrect encoding in BPF_LDX zero-extension
	mm: shmem: disable interrupt when acquiring info->lock in userfaultfd_copy path
	xfs: clear PF_MEMALLOC before exiting xfsaild thread
	bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B
	net: fec: set GPR bit on suspend by DT configuration.
	x86: hyperv: report value of misc_features
	xfs: fix partially uninitialized structure in xfs_reflink_remap_extent
	ALSA: hda: Keep the controller initialization even if no codecs found
	ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported
	scsi: target: fix PR IN / READ FULL STATUS for FC
	scsi: target: tcmu: reset_ring should reset TCMU_DEV_BIT_BROKEN
	objtool: Fix CONFIG_UBSAN_TRAP unreachable warnings
	objtool: Support Clang non-section symbols in ORC dump
	xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status
	ALSA: hda: call runtime_allow() for all hda controllers
	arm64: Delete the space separator in __emit_inst
	ext4: use matching invalidatepage in ext4_writepage
	ext4: increase wait time needed before reuse of deleted inode numbers
	ext4: convert BUG_ON's to WARN_ON's in mballoc.c
	hwmon: (jc42) Fix name to have no illegal characters
	bpf, x86_32: Fix clobbering of dst for BPF_JSET
	qed: Fix use after free in qed_chain_free
	ext4: check for non-zero journal inum in ext4_calculate_overhead
	propagate_one(): mnt_set_mountpoint() needs mount_lock
	Linux 4.19.120

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ied3c507eb5bd85c39aff278827e534cf150e2cc0
2020-05-03 08:48:02 +02:00
b4b9073a8a binder: take read mode of mmap_sem in binder_alloc_free_page()
commit 60d4885710836595192c42d3e04b27551d30ec91 upstream.

Restore the behavior of locking mmap_sem for reading in
binder_alloc_free_page(), as was first done in commit 3013bf62b67a
("binder: reduce mmap_sem write-side lock"). That change was
inadvertently reverted by commit 5cec2d2e5839 ("binder: fix race between
munmap() and direct reclaim").

In addition, change the name of the label for the error path to
accurately reflect that we're taking the lock for reading.

Backporting note: This fix is only needed when *both* of the commits
mentioned above are applied. That's an unlikely situation since they
both landed during the development of v5.1 but only one of them is
targeted for stable.

Fixes: 5cec2d2e5839 ("binder: fix race between munmap() and direct reclaim")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Todd Kjos <tkjos@android.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-02 17:25:48 +02:00
e8281e59c9 UPSTREAM: binder: prevent UAF for binderfs devices II
This is a necessary follow up to the first fix I proposed and we merged
in 2669b8b0c79 ("binder: prevent UAF for binderfs devices"). I have been
overly optimistic that the simple fix I proposed would work. But alas,
ihold() + iput() won't work since the inodes won't survive the
destruction of the superblock.
So all we get with my prior fix is a different race with a tinier
race-window but it doesn't solve the issue. Fwiw, the problem lies with
generic_shutdown_super(). It even has this cozy Al-style comment:

          if (!list_empty(&sb->s_inodes)) {
                  printk("VFS: Busy inodes after unmount of %s. "
                     "Self-destruct in 5 seconds.  Have a nice day...\n",
                     sb->s_id);
          }

On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
called which punts the actual cleanup operation to a workqueue. At some
point, binder_deferred_func() will be called which will end up calling
binder_deferred_release() which will retrieve and cleanup the
binder_context attach to this struct binder_proc.

If we trace back where this binder_context is attached to binder_proc we
see that it is set in binder_open() and is taken from the struct
binder_device it is associated with. This obviously assumes that the
struct binder_device that context is attached to is _never_ freed. While
that might be true for devtmpfs binder devices it is most certainly
wrong for binderfs binder devices.

So, assume binder_open() is called on a binderfs binder devices. We now
stash away the struct binder_context associated with that struct
binder_devices:
	proc->context = &binder_dev->context;
	/* binderfs stashes devices in i_private */
	if (is_binderfs_device(nodp)) {
		binder_dev = nodp->i_private;
		info = nodp->i_sb->s_fs_info;
		binder_binderfs_dir_entry_proc = info->proc_log_dir;
	} else {
	.
	.
	.
	proc->context = &binder_dev->context;

Now let's assume that the binderfs instance for that binder devices is
shutdown via umount() and/or the mount namespace associated with it goes
away. As long as there is still an fd open for that binderfs binder
device things are fine. But let's assume we now close the last fd for
that binderfs binder device. Now binder_release() is called and punts to
the workqueue. Assume that the workqueue has quite a bit of stuff to do
and doesn't get to cleaning up the struct binder_proc and the associated
struct binder_context with it for that binderfs binder device right
away. In the meantime, the VFS is killing the super block and is
ultimately calling sb->evict_inode() which means it will call
binderfs_evict_inode() which does:

static void binderfs_evict_inode(struct inode *inode)
{
	struct binder_device *device = inode->i_private;
	struct binderfs_info *info = BINDERFS_I(inode);

	clear_inode(inode);

	if (!S_ISCHR(inode->i_mode) || !device)
		return;

	mutex_lock(&binderfs_minors_mutex);
	--info->device_count;
	ida_free(&binderfs_minors, device->miscdev.minor);
	mutex_unlock(&binderfs_minors_mutex);

	kfree(device->context.name);
	kfree(device);
}

thereby freeing the struct binder_device including struct
binder_context.

Now the workqueue finally has time to get around to cleaning up struct
binder_proc and is now trying to access the associate struct
binder_context. Since it's already freed it will OOPs.

Fix this by introducing a refounct on binder devices.

This is an alternative fix to 51d8a7eca677 ("binder: prevent UAF read in
print_binder_transaction_log_entry()").

Fixes: 3ad20fe393b3 ("binder: implement binderfs")
Fixes: 2669b8b0c798 ("binder: prevent UAF for binderfs devices")
Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs")
Related: 51d8a7eca677 ("binder: prevent UAF read in print_binder_transaction_log_entry()")
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200303164340.670054-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f0fe2c0f050d31babcad7d65f1d550d462a40064)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I54a6c910002bf1077ba0c34c48fb96f4ffbf012e
2020-03-09 19:48:21 +00:00
31ddf99370 UPSTREAM: binder: prevent UAF for binderfs devices
On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
called which punts the actual cleanup operation to a workqueue. At some
point, binder_deferred_func() will be called which will end up calling
binder_deferred_release() which will retrieve and cleanup the
binder_context attach to this struct binder_proc.

If we trace back where this binder_context is attached to binder_proc we
see that it is set in binder_open() and is taken from the struct
binder_device it is associated with. This obviously assumes that the
struct binder_device that context is attached to is _never_ freed. While
that might be true for devtmpfs binder devices it is most certainly
wrong for binderfs binder devices.

So, assume binder_open() is called on a binderfs binder devices. We now
stash away the struct binder_context associated with that struct
binder_devices:
	proc->context = &binder_dev->context;
	/* binderfs stashes devices in i_private */
	if (is_binderfs_device(nodp)) {
		binder_dev = nodp->i_private;
		info = nodp->i_sb->s_fs_info;
		binder_binderfs_dir_entry_proc = info->proc_log_dir;
	} else {
	.
	.
	.
	proc->context = &binder_dev->context;

Now let's assume that the binderfs instance for that binder devices is
shutdown via umount() and/or the mount namespace associated with it goes
away. As long as there is still an fd open for that binderfs binder
device things are fine. But let's assume we now close the last fd for
that binderfs binder device. Now binder_release() is called and punts to
the workqueue. Assume that the workqueue has quite a bit of stuff to do
and doesn't get to cleaning up the struct binder_proc and the associated
struct binder_context with it for that binderfs binder device right
away. In the meantime, the VFS is killing the super block and is
ultimately calling sb->evict_inode() which means it will call
binderfs_evict_inode() which does:

static void binderfs_evict_inode(struct inode *inode)
{
	struct binder_device *device = inode->i_private;
	struct binderfs_info *info = BINDERFS_I(inode);

	clear_inode(inode);

	if (!S_ISCHR(inode->i_mode) || !device)
		return;

	mutex_lock(&binderfs_minors_mutex);
	--info->device_count;
	ida_free(&binderfs_minors, device->miscdev.minor);
	mutex_unlock(&binderfs_minors_mutex);

	kfree(device->context.name);
	kfree(device);
}

thereby freeing the struct binder_device including struct
binder_context.

Now the workqueue finally has time to get around to cleaning up struct
binder_proc and is now trying to access the associate struct
binder_context. Since it's already freed it will OOPs.

Fix this by holding an additional reference to the inode that is only
released once the workqueue is done cleaning up struct binder_proc. This
is an easy alternative to introducing separate refcounting on struct
binder_device which we can always do later if it becomes necessary.

This is an alternative fix to 51d8a7eca677 ("binder: prevent UAF read in
print_binder_transaction_log_entry()").

Fixes: 3ad20fe393b3 ("binder: implement binderfs")
Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs")
Related: 51d8a7eca677 ("binder: prevent UAF read in print_binder_transaction_log_entry()")
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2669b8b0c798fbe1a31d49e07aa33233d469ad9b)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I047a1e360b4146872bbc1d206dce7a864bb4588b
2020-03-09 19:48:07 +00:00
64b698c15a UPSTREAM: binder: fix incorrect calculation for num_valid
commit 16981742717b04644a41052570fb502682a315d2 upstream.

For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
num_valid local was calculated incorrectly causing the
range check in binder_validate_ptr() to miss out-of-bounds
offsets.

Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")
Change-Id: Ida77db13d8e5b726f0b14513f55c2b30277338cd
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213202531.55010-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 145988638
Signed-off-by: Todd Kjos <tkjos@google.com>
2019-12-18 19:49:13 +00:00
e5312e5d68 Merge 4.19.89 into android-4.19
Changes in 4.19.89
	rsi: release skb if rsi_prepare_beacon fails
	arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator
	sparc64: implement ioremap_uc
	lp: fix sparc64 LPSETTIMEOUT ioctl
	usb: gadget: u_serial: add missing port entry locking
	tty: serial: fsl_lpuart: use the sg count from dma_map_sg
	tty: serial: msm_serial: Fix flow control
	serial: pl011: Fix DMA ->flush_buffer()
	serial: serial_core: Perform NULL checks for break_ctl ops
	serial: ifx6x60: add missed pm_runtime_disable
	autofs: fix a leak in autofs_expire_indirect()
	RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
	iwlwifi: pcie: don't consider IV len in A-MSDU
	exportfs_decode_fh(): negative pinned may become positive without the parent locked
	audit_get_nd(): don't unlock parent too early
	NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
	xfrm: release device reference for invalid state
	Input: cyttsp4_core - fix use after free bug
	sched/core: Avoid spurious lock dependencies
	perf/core: Consistently fail fork on allocation failures
	ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
	drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.
	selftests: kvm: fix build with glibc >= 2.30
	rsxx: add missed destroy_workqueue calls in remove
	net: ep93xx_eth: fix mismatch of request_mem_region in remove
	i2c: core: fix use after free in of_i2c_notify
	serial: core: Allow processing sysrq at port unlock time
	cxgb4vf: fix memleak in mac_hlist initialization
	iwlwifi: mvm: synchronize TID queue removal
	iwlwifi: trans: Clear persistence bit when starting the FW
	iwlwifi: mvm: Send non offchannel traffic via AP sta
	ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+
	audit: Embed key into chunk
	netfilter: nf_tables: don't use position attribute on rule replacement
	ARC: IOC: panic if kernel was started with previously enabled IOC
	net/mlx5: Release resource on error flow
	clk: sunxi-ng: a64: Fix gate bit of DSI DPHY
	ice: Fix NVM mask defines
	dlm: fix possible call to kfree() for non-initialized pointer
	ARM: dts: exynos: Fix LDO13 min values on Odroid XU3/XU4/HC1
	extcon: max8997: Fix lack of path setting in USB device mode
	net: ethernet: ti: cpts: correct debug for expired txq skb
	rtc: s3c-rtc: Avoid using broken ALMYEAR register
	rtc: max77686: Fix the returned value in case of error in 'max77686_rtc_read_time()'
	i40e: don't restart nway if autoneg not supported
	virtchnl: Fix off by one error
	clk: rockchip: fix rk3188 sclk_smc gate data
	clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering
	ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name
	dlm: fix missing idr_destroy for recover_idr
	MIPS: SiByte: Enable ZONE_DMA32 for LittleSur
	net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2
	scsi: zfcp: update kernel message for invalid FCP_CMND length, it's not the CDB
	scsi: zfcp: drop default switch case which might paper over missing case
	drivers: soc: Allow building the amlogic drivers without ARCH_MESON
	bus: ti-sysc: Fix getting optional clocks in clock_roles
	ARM: dts: imx6: RDU2: fix eGalax touchscreen node
	crypto: ecc - check for invalid values in the key verification test
	crypto: bcm - fix normal/non key hash algorithm failure
	arm64: dts: zynqmp: Fix node names which contain "_"
	pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues
	Staging: iio: adt7316: Fix i2c data reading, set the data field
	firmware: raspberrypi: Fix firmware calls with large buffers
	mm/vmstat.c: fix NUMA statistics updates
	clk: rockchip: fix I2S1 clock gate register for rk3328
	clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328
	sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit
	regulator: Fix return value of _set_load() stub
	USB: serial: f81534: fix reading old/new IC config
	xfs: extent shifting doesn't fully invalidate page cache
	net-next/hinic:fix a bug in set mac address
	net-next/hinic: fix a bug in rx data flow
	ice: Fix return value from NAPI poll
	ice: Fix possible NULL pointer de-reference
	iomap: FUA is wrong for DIO O_DSYNC writes into unwritten extents
	iomap: sub-block dio needs to zeroout beyond EOF
	iomap: dio data corruption and spurious errors when pipes fill
	iomap: readpages doesn't zero page tail beyond EOF
	iw_cxgb4: only reconnect with MPAv1 if the peer aborts
	MIPS: OCTEON: octeon-platform: fix typing
	net/smc: use after free fix in smc_wr_tx_put_slot()
	math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning
	nds32: Fix the items of hwcap_str ordering issue.
	rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()'
	rtc: dt-binding: abx80x: fix resistance scale
	ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module
	media: coda: fix memory corruption in case more than 32 instances are opened
	media: pulse8-cec: return 0 when invalidating the logical address
	media: cec: report Vendor ID after initialization
	iwlwifi: fix cfg structs for 22000 with different RF modules
	ravb: Clean up duplex handling
	net/ipv6: re-do dad when interface has IFF_NOARP flag change
	dmaengine: coh901318: Fix a double-lock bug
	dmaengine: coh901318: Remove unused variable
	dmaengine: dw-dmac: implement dma protection control setting
	net: qualcomm: rmnet: move null check on dev before dereferecing it
	selftests/powerpc: Allocate base registers
	selftests/powerpc: Skip test instead of failing
	usb: dwc3: debugfs: Properly print/set link state for HS
	usb: dwc3: don't log probe deferrals; but do log other error codes
	ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion()
	f2fs: fix to account preflush command for noflush_merge mode
	f2fs: fix count of seg_freed to make sec_freed correct
	f2fs: change segment to section in f2fs_ioc_gc_range
	ARM: dts: rockchip: Fix the PMU interrupt number for rv1108
	ARM: dts: rockchip: Assign the proper GPIO clocks for rv1108
	f2fs: fix to allow node segment for GC by ioctl path
	sparc: Fix JIT fused branch convergance.
	sparc: Correct ctx->saw_frame_pointer logic.
	nvme: Free ctrl device name on init failure
	dma-mapping: fix return type of dma_set_max_seg_size()
	slimbus: ngd: Fix build error on x86
	altera-stapl: check for a null key before strcasecmp'ing it
	serial: imx: fix error handling in console_setup
	i2c: imx: don't print error message on probe defer
	clk: meson: Fix GXL HDMI PLL fractional bits width
	gpu: host1x: Fix syncpoint ID field size on Tegra186
	lockd: fix decoding of TEST results
	sctp: increase sk_wmem_alloc when head->truesize is increased
	iommu/amd: Fix line-break in error log reporting
	ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()
	ARM: dts: sun4i: Fix gpio-keys warning
	ARM: dts: sun4i: Fix HDMI output DTC warning
	ARM: dts: sun5i: a10s: Fix HDMI output DTC warning
	ARM: dts: r8a779[01]: Disable unconnected LVDS encoders
	ARM: dts: sun7i: Fix HDMI output DTC warning
	ARM: dts: sun8i: a23/a33: Fix OPP DTC warnings
	ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning
	dlm: NULL check before kmem_cache_destroy is not needed
	ARM: debug: enable UART1 for socfpga Cyclone5
	can: xilinx: fix return type of ndo_start_xmit function
	nfsd: fix a warning in __cld_pipe_upcall()
	bpf: btf: implement btf_name_valid_identifier()
	bpf: btf: check name validity for various types
	tools: bpftool: fix a bitfield pretty print issue
	ASoC: au8540: use 64-bit arithmetic instead of 32-bit
	ARM: OMAP1/2: fix SoC name printing
	arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names
	arm64: dts: meson-gxbb-nanopi-k2: fix GPIO lines names
	arm64: dts: meson-gxbb-odroidc2: fix GPIO lines names
	arm64: dts: meson-gxl-khadas-vim: fix GPIO lines names
	net/x25: fix called/calling length calculation in x25_parse_address_block
	net/x25: fix null_x25_address handling
	tools/bpf: make libbpf _GNU_SOURCE friendly
	clk: mediatek: Drop __init from mtk_clk_register_cpumuxes()
	clk: mediatek: Drop more __init markings for driver probe
	soc: renesas: r8a77970-sysc: Correct names of A2DP/A2CN power domains
	soc: renesas: r8a77980-sysc: Correct names of A2DP[01] power domains
	soc: renesas: r8a77980-sysc: Correct A3VIP[012] power domain hierarchy
	kbuild: disable dtc simple_bus_reg warnings by default
	tcp: make tcp_space() aware of socket backlog
	ARM: dts: mmp2: fix the gpio interrupt cell number
	ARM: dts: realview-pbx: Fix duplicate regulator nodes
	tcp: fix off-by-one bug on aborting window-probing socket
	tcp: fix SNMP under-estimation on failed retransmission
	tcp: fix SNMP TCP timeout under-estimation
	modpost: skip ELF local symbols during section mismatch check
	kbuild: fix single target build for external module
	mtd: fix mtd_oobavail() incoherent returned value
	ARM: dts: pxa: clean up USB controller nodes
	clk: meson: meson8b: fix the offset of vid_pll_dco's N value
	clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent
	clk: qcom: Fix MSM8998 resets
	media: cxd2880-spi: fix probe when dvb_attach fails
	ARM: dts: realview: Fix some more duplicate regulator nodes
	dlm: fix invalid cluster name warning
	net/mlx4_core: Fix return codes of unsupported operations
	pstore/ram: Avoid NULL deref in ftrace merging failure path
	powerpc/math-emu: Update macros from GCC
	clk: renesas: r8a77990: Correct parent clock of DU
	clk: renesas: r8a77995: Correct parent clock of DU
	MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition
	nfsd: Return EPERM, not EACCES, in some SETATTR cases
	media: uvcvideo: Abstract streaming object lifetime
	tty: serial: qcom_geni_serial: Fix softlock
	ARM: dts: sun8i: h3: Fix the system-control register range
	tty: Don't block on IO when ldisc change is pending
	media: stkwebcam: Bugfix for wrong return values
	firmware: qcom: scm: fix compilation error when disabled
	clk: qcom: gcc-msm8998: Disable halt check of UFS clocks
	sctp: frag_point sanity check
	soc: renesas: r8a77990-sysc: Fix initialization order of 3DG-{A,B}
	mlxsw: spectrum_router: Relax GRE decap matching check
	IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state
	IB/hfi1: Close VNIC sdma_progress sleep window
	mlx4: Use snprintf instead of complicated strcpy
	usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler
	clk: renesas: rcar-gen3: Set state when registering SD clocks
	ASoC: max9867: Fix power management
	ARM: dts: sunxi: Fix PMU compatible strings
	ARM: dts: am335x-pdu001: Fix polarity of card detection input
	media: vimc: fix start stream when link is disabled
	net: aquantia: fix RSS table and key sizes
	sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
	fuse: verify nlink
	fuse: verify attributes
	ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC
	ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
	ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
	ALSA: pcm: oss: Avoid potential buffer overflows
	ALSA: hda - Add mute led support for HP ProBook 645 G4
	Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
	Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
	Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
	Input: goodix - add upside-down quirk for Teclast X89 tablet
	coresight: etm4x: Fix input validation for sysfs.
	Input: Fix memory leak in psxpad_spi_probe
	x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all()
	x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
	xfrm interface: fix memory leak on creation
	xfrm interface: avoid corruption on changelink
	xfrm interface: fix list corruption for x-netns
	xfrm interface: fix management of phydev
	CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
	CIFS: Fix SMB2 oplock break processing
	tty: vt: keyboard: reject invalid keycodes
	can: slcan: Fix use-after-free Read in slcan_open
	kernfs: fix ino wrap-around detection
	jbd2: Fix possible overflow in jbd2_log_space_left()
	drm/msm: fix memleak on release
	drm/i810: Prevent underflow in ioctl
	arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node"
	KVM: arm/arm64: vgic: Don't rely on the wrong pending table
	KVM: x86: do not modify masked bits of shared MSRs
	KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
	KVM: x86: Grab KVM's srcu lock when setting nested state
	crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
	crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize
	crypto: af_alg - cast ki_complete ternary op to int
	crypto: ccp - fix uninitialized list head
	crypto: ecdh - fix big endian bug in ECC library
	crypto: user - fix memory leak in crypto_report
	spi: atmel: Fix CS high support
	mwifiex: update set_mac_address logic
	can: ucan: fix non-atomic allocation in completion handler
	RDMA/qib: Validate ->show()/store() callbacks before calling them
	iomap: Fix pipe page leakage during splicing
	thermal: Fix deadlock in thermal thermal_zone_device_check
	vcs: prevent write access to vcsu devices
	binder: Fix race between mmap() and binder_alloc_print_pages()
	binder: Handle start==NULL in binder_update_page_range()
	ALSA: hda - Fix pending unsol events at shutdown
	md/raid0: Fix an error message in raid0_make_request()
	watchdog: aspeed: Fix clock behaviour for ast2600
	perf script: Fix invalid LBR/binary mismatch error
	splice: don't read more than available pipe space
	iomap: partially revert 4721a601099 (simulated directio short read on EFAULT)
	xfs: add missing error check in xfs_prepare_shift()
	ASoC: rsnd: fixup MIX kctrl registration
	KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
	net: qrtr: fix memort leak in qrtr_tun_write_iter
	appletalk: Fix potential NULL pointer dereference in unregister_snap_client
	appletalk: Set error code if register_snap_client failed
	Linux 4.19.89

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie3fa59adde9a7e9a6d4684de0e95de14a8b83d0b
2019-12-13 10:01:10 +01:00
af0174a63c binder: Handle start==NULL in binder_update_page_range()
commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream.

The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
continuing backwards to index -1 and crashing.

Luckily you need to be highly privileged to map things at NULL, so it's not
a big problem.

Fix it by adjusting the loop so that the loop variable is always in bounds.

This patch is deliberately minimal to simplify backporting, but IMO this
function could use a refactor. The jump labels in the second loop body are
horrible (the error gotos should be jumping to free_range instead), and
both loops would look nicer if they just iterated upwards through indices.
And the up_read()+mmput() shouldn't be duplicated like that.

Cc: stable@vger.kernel.org
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-13 08:52:52 +01:00
fe0d31eddb binder: Fix race between mmap() and binder_alloc_print_pages()
commit 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 upstream.

binder_alloc_print_pages() iterates over
alloc->pages[0..alloc->buffer_size-1] under alloc->mutex.
binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size
without holding that lock, and even writes them before the last bailout
point.

Unfortunately we can't take the alloc->mutex in the ->mmap() handler
because mmap_sem can be taken while alloc->mutex is held.
So instead, we have to locklessly check whether the binder_alloc has been
fully initialized with binder_alloc_get_vma(), like in
binder_alloc_new_buf_locked().

Fixes: 8ef4665aa1 ("android: binder: Add page usage in binder stats")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-13 08:52:51 +01:00
725ce554a4 UPSTREAM: binder: Add binder_proc logging to binderfs
Currently /sys/kernel/debug/binder/proc contains
the debug data for every binder_proc instance.
This patch makes this information also available
in a binderfs instance mounted with a mount option
"stats=global" in addition to debugfs. The patch does
not affect the presence of the file in debugfs.

If a binderfs instance is mounted at path /dev/binderfs,
this file would be present at /dev/binderfs/binder_logs/proc.
This change provides an alternate way to access this file when debugfs
is not mounted.

Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Link: https://lore.kernel.org/r/20190903161655.107408-5-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 4feb80faf428a02d407a9ea1952004af01308765)
Change-Id: I3aa974979f2d4aebbe79ea9df30ede2813826157
2019-12-08 21:46:53 -08:00
ce106a8de6 UPSTREAM: binder: Make transaction_log available in binderfs
Currently, the binder transaction log files 'transaction_log'
and 'failed_transaction_log' live in debugfs at the following locations:

/sys/kernel/debug/binder/failed_transaction_log
/sys/kernel/debug/binder/transaction_log

This patch makes these files also available in a binderfs instance
mounted with the mount option "stats=global".
It does not affect the presence of these files in debugfs.
If a binderfs instance is mounted at path /dev/binderfs, the location of
these files will be as follows:

/dev/binderfs/binder_logs/failed_transaction_log
/dev/binderfs/binder_logs/transaction_log

This change provides an alternate option to access these files when
debugfs is not mounted.

Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Link: https://lore.kernel.org/r/20190903161655.107408-4-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit c31e73121f4c1ec41143423ac6ce3ce6dafdcec1)
Change-Id: I20d9e6c4c7115297f9740cc42a516c315b3a209e
2019-12-08 21:46:47 -08:00
7aeb384a5f UPSTREAM: binder: Add stats, state and transactions files
The following binder stat files currently live in debugfs.

/sys/kernel/debug/binder/state
/sys/kernel/debug/binder/stats
/sys/kernel/debug/binder/transactions

This patch makes these files available in a binderfs instance
mounted with the mount option 'stats=global'. For example, if a binderfs
instance is mounted at path /dev/binderfs, the above files will be
available at the following locations:

/dev/binderfs/binder_logs/state
/dev/binderfs/binder_logs/stats
/dev/binderfs/binder_logs/transactions

This provides a way to access them even when debugfs is not mounted.

Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20190903161655.107408-3-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 0e13e452dafc009049a9a5a4153e2f9e51b23915)
Change-Id: Ieeb666a719fb3195133403054de7b103a358e1ae
2019-12-08 21:46:40 -08:00
2c164059d0 UPSTREAM: binder: add a mount option to show global stats
Currently, all binder state and statistics live in debugfs.
We need this information even when debugfs is not mounted.
This patch adds the mount option 'stats' to enable a binderfs
instance to have binder debug information present in the same.
'stats=global' will enable the global binder statistics. In
the future, 'stats=local' will enable binder statistics local
to the binderfs instance. The two modes 'global' and 'local'
will be mutually exclusive. 'stats=global' option is only available
for a binderfs instance mounted in the initial user namespace.
An attempt to use the option to mount a binderfs instance in
another user namespace will return an EPERM error.

Signed-off-by: Hridya Valsaraju <hridya@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20190903161655.107408-2-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit f00834518ed3194b866f5f3d63b71e0ed7f6bc00)
Change-Id: I4c9da221e7e19729a6489436ffa6233864eac4f7
2019-12-08 21:46:35 -08:00
b8387dee32 UPSTREAM: binder: Validate the default binderfs device names.
Length of a binderfs device name cannot exceed BINDERFS_MAX_NAME.
This patch adds a check in binderfs_init() to ensure the same
for the default binder devices that will be created in every
binderfs instance.

Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Hridya Valsaraju <hridya@google.com>

Bug: 136497735
(cherry picked from commit 028fb5822b76bc2e095b5c145d7bd263878d9e27)
Change-Id: I347a427690ae35c792ce15afc90151937b879ef7
2019-12-08 21:46:28 -08:00
5d46bcfa79 UPSTREAM: binder: Add default binder devices through binderfs when configured
Currently, since each binderfs instance needs its own
private binder devices, every time a binderfs instance is
mounted, all the default binder devices need to be created
via the BINDER_CTL_ADD IOCTL. This patch aims to
add a solution to automatically create the default binder
devices for each binderfs instance that gets mounted.
To achieve this goal, when CONFIG_ANDROID_BINDERFS is set,
the default binder devices specified by CONFIG_ANDROID_BINDER_DEVICES
are created in each binderfs instance instead of global devices
being created by the binder driver.

Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>

Bug: 136497735
(cherry picked from commit ca2864c6e8965c37df97f11e6f99e83e09806b1c)
Change-Id: I4f6c5d95997ffd3df182d6ec32d467b15d1f0c42
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:46:21 -08:00
c30322673b UPSTREAM: binder: fix CONFIG_ANDROID_BINDER_DEVICES
Several users have tried to only rely on binderfs to provide binder devices
and set CONFIG_ANDROID_BINDER_DEVICES="" empty. This is a great use-case of
binderfs and one that was always intended to work. However, this is
currently not possible since setting CONFIG_ANDROID_BINDER_DEVICES="" emtpy
will simply panic the kernel:

kobject: (00000000028c2f79): attempted to be registered with empty name!
WARNING: CPU: 7 PID: 1703 at lib/kobject.c:228 kobject_add_internal+0x288/0x2b0
Modules linked in: binder_linux(+) bridge stp llc ipmi_ssif gpio_ich dcdbas coretemp kvm_intel kvm irqbypass serio_raw input_leds lpc_ich i5100_edac mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel ib_i
CPU: 7 PID: 1703 Comm: modprobe Not tainted 5.0.0-rc2-brauner-binderfs #263
Hardware name: Dell      DCS XS24-SC2          /XS24-SC2              , BIOS S59_3C20 04/07/2011
RIP: 0010:kobject_add_internal+0x288/0x2b0
Code: 12 95 48 c7 c7 78 63 3b 95 e8 77 35 71 ff e9 91 fe ff ff 0f 0b eb a7 0f 0b eb 9a 48 89 de 48 c7 c7 00 63 3b 95 e8 f8 95 6a ff <0f> 0b 41 bc ea ff ff ff e9 6d fe ff ff 41 bc fe ff ff ff e9 62 fe
RSP: 0018:ffff973f84237a30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8b53e2472010 RCX: 0000000000000006
RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffff8b53edbd63a0
RBP: ffff973f84237a60 R08: 0000000000000342 R09: 0000000000000004
R10: ffff973f84237af0 R11: 0000000000000001 R12: 0000000000000000
R13: ffff8b53e9f1a1e0 R14: 00000000e9f1a1e0 R15: 0000000000a00037
FS:  00007fbac36f7540(0000) GS:ffff8b53edbc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbac364cfa7 CR3: 00000004a6d48000 CR4: 00000000000406e0
Call Trace:
 kobject_add+0x71/0xd0
 ? _cond_resched+0x19/0x40
 ? mutex_lock+0x12/0x40
 device_add+0x12e/0x6b0
 device_create_groups_vargs+0xe4/0xf0
 device_create_with_groups+0x3f/0x60
 ? _cond_resched+0x19/0x40
 misc_register+0x140/0x180
 binder_init+0x1ed/0x2d4 [binder_linux]
 ? trace_event_define_fields_binder_transaction_fd_send+0x8e/0x8e [binder_linux]
 do_one_initcall+0x4a/0x1c9
 ? _cond_resched+0x19/0x40
 ? kmem_cache_alloc_trace+0x151/0x1c0
 do_init_module+0x5f/0x216
 load_module+0x223d/0x2b20
 __do_sys_finit_module+0xfc/0x120
 ? __do_sys_finit_module+0xfc/0x120
 __x64_sys_finit_module+0x1a/0x20
 do_syscall_64+0x5a/0x120
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fbac3202839
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd1494a908 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000055b629ebec60 RCX: 00007fbac3202839
RDX: 0000000000000000 RSI: 000055b629c20d2e RDI: 0000000000000003
RBP: 000055b629c20d2e R08: 0000000000000000 R09: 000055b629ec2310
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 000055b629ebed70 R14: 0000000000040000 R15: 000055b629ebec60

So check for the empty string since strsep() will otherwise return the
emtpy string which will cause kobject_add_internal() to panic when trying
to add a kobject with an emtpy name.

Fixes: ac4812c5ff ("binder: Support multiple /dev instances")
Cc: Martijn Coenen <maco@google.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>

Bug: 136497735
(cherry picked from commit 793c8232937610ae00bc174b87d7fc324346eaea)
Change-Id: I2ad3e2370596ced6ab2b2b197421182f9f9485e7
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:45:58 -08:00
760b8036e6 UPSTREAM: android: binder: use kstrdup instead of open-coding it
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>

Bug: 136497735
Change-Id: I545073facdb76ea12accfc7bfa4738f2e3bf0b28
(cherry picked from commit 6b6642dadd685af885367d6e30f18553e2a23b22)
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:45:48 -08:00
8d0719a920 UPSTREAM: binderfs: remove separate device_initcall()
binderfs should not have a separate device_initcall(). When a kernel is
compiled with CONFIG_ANDROID_BINDERFS register the filesystem alongside
CONFIG_ANDROID_IPC. This use-case is especially sensible when users specify
CONFIG_ANDROID_IPC=y, CONFIG_ANDROID_BINDERFS=y and
ANDROID_BINDER_DEVICES="".
When CONFIG_ANDROID_BINDERFS=n then this always succeeds so there's no
regression potential for legacy workloads.

Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 5b9633af298bfd1de650f6774d3fada546543101)
Change-Id: I91892655d9d36df5218189f7874312eec7ae3c46
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:45:36 -08:00
7654fff18f UPSTREAM: binderfs: respect limit on binder control creation
We currently adhere to the reserved devices limit when creating new
binderfs devices in binderfs instances not located in the inital ipc
namespace. But it is still possible to rob the host instances of their 4
reserved devices by creating the maximum allowed number of devices in a
single binderfs instance located in a non-initial ipc namespace and then
mounting 4 separate binderfs instances in non-initial ipc namespaces. That
happens because the limit is currently not respected for the creation of
the initial binder-control device node. Block this nonsense by performing
the same check in binderfs_binder_ctl_create() that we perform in
binderfs_binder_device_create().

Fixes: 36bdf3cae09d ("binderfs: reserve devices for initial mount")
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit da8ddba566ff0a883237dbc8c5dadef1ca769e19)
Change-Id: I7e170260ce79fc23a034ce75450d58ff39a7b902
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:45:24 -08:00
0c11523bd0 UPSTREAM: binderfs: switch from d_add() to d_instantiate()
In a previous commit we switched from a d_alloc_name() + d_lookup()
combination to setup a new dentry and find potential duplicates to the more
idiomatic lookup_one_len(). As far as I understand, this also means we need
to switch from d_add() to d_instantiate() since lookup_one_len() will
create a new dentry when it doesn't find an existing one and add the new
dentry to the hash queues. So we only need to call d_instantiate() to
connect the dentry to the inode and turn it into a positive dentry.

If we were to use d_add() we sure see stack traces like the following
indicating that adding the same dentry twice over the same inode:

[  744.441889] CPU: 4 PID: 2849 Comm: landscape-sysin Not tainted 5.0.0-rc1-brauner-binderfs #243
[  744.441889] Hardware name: Dell      DCS XS24-SC2          /XS24-SC2              , BIOS S59_3C20 04/07/2011
[  744.441889] RIP: 0010:__d_lookup_rcu+0x76/0x190
[  744.441889] Code: 89 75 c0 49 c1 e9 20 49 89 fd 45 89 ce 41 83 e6 07 42 8d 04 f5 00 00 00 00 89 45 c8 eb 0c 48 8b 1b 48 85 db 0f 84 81 00 00 00 <44> 8b 63 fc 4c 3b 6b 10 75 ea 48 83 7b 08 00 74 e3 41 83 e4 fe 41
[  744.441889] RSP: 0018:ffffb8c984e27ad0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
[  744.441889] RAX: 0000000000000038 RBX: ffff9407ef770c08 RCX: ffffb8c980011000
[  744.441889] RDX: ffffb8c984e27b54 RSI: ffffb8c984e27ce0 RDI: ffff9407e6689600
[  744.441889] RBP: ffffb8c984e27b28 R08: ffffb8c984e27ba4 R09: 0000000000000007
[  744.441889] R10: ffff9407e5c4f05c R11: 973f3eb9d84a94e5 R12: 0000000000000002
[  744.441889] R13: ffff9407e6689600 R14: 0000000000000007 R15: 00000007bfef7a13
[  744.441889] FS:  00007f0db13bb740(0000) GS:ffff9407f3b00000(0000) knlGS:0000000000000000
[  744.441889] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  744.441889] CR2: 00007f0dacc51024 CR3: 000000032961a000 CR4: 00000000000006e0
[  744.441889] Call Trace:
[  744.441889]  lookup_fast+0x53/0x300
[  744.441889]  walk_component+0x49/0x350
[  744.441889]  ? inode_permission+0x63/0x1a0
[  744.441889]  link_path_walk.part.33+0x1bc/0x5a0
[  744.441889]  ? path_init+0x190/0x310
[  744.441889]  path_lookupat+0x95/0x210
[  744.441889]  filename_lookup+0xb6/0x190
[  744.441889]  ? __check_object_size+0xb8/0x1b0
[  744.441889]  ? strncpy_from_user+0x50/0x1a0
[  744.441889]  user_path_at_empty+0x36/0x40
[  744.441889]  ? user_path_at_empty+0x36/0x40
[  744.441889]  vfs_statx+0x76/0xe0
[  744.441889]  __do_sys_newstat+0x3d/0x70
[  744.441889]  __x64_sys_newstat+0x16/0x20
[  744.441889]  do_syscall_64+0x5a/0x120
[  744.441889]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  744.441889] RIP: 0033:0x7f0db0ec2775
[  744.441889] Code: 00 00 00 75 05 48 83 c4 18 c3 e8 26 55 02 00 66 0f 1f 44 00 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 04 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 e1 b6 2d 00 f7 d8 64 89
[  744.441889] RSP: 002b:00007ffc36bc9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[  744.441889] RAX: ffffffffffffffda RBX: 00007ffc36bc9300 RCX: 00007f0db0ec2775
[  744.441889] RDX: 00007ffc36bc9400 RSI: 00007ffc36bc9400 RDI: 00007f0dad26f050
[  744.441889] RBP: 0000000000c0bc60 R08: 0000000000000000 R09: 0000000000000001
[  744.441889] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc36bc9400
[  744.441889] R13: 0000000000000001 R14: 00000000ffffff9c R15: 0000000000c0bc60

Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 01684db950ea2b840531ab9298a8785776b6f6e8)
Change-Id: I5e7cd8df8210943ee59e1297f2eb8f81f5fa2cb5
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:45:10 -08:00
2cb9e4c1f1 UPSTREAM: binderfs: drop lock in binderfs_binder_ctl_create
The binderfs_binder_ctl_create() call is a no-op on subsequent calls and
the first call is done before we unlock the suberblock. Hence, there is no
need to take inode_lock() in there. Let's remove it.

Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 29ef1c8e16aed079ac09989d752e38d412b6e1a8)
Change-Id: I7c294796ac7891f62387e09dc34332ca4c3ee67b
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:45:00 -08:00
dd9111f9a9 UPSTREAM: binderfs: kill_litter_super() before cleanup
Al pointed out that first calling kill_litter_super() before cleaning up
info is more correct since destroying info doesn't depend on the state of
the dentries and inodes. That the opposite remains true is not guaranteed.

Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 4198479524aeccaf53c3a4cc73784982535573fa)
Change-Id: Ie2dfc2c2f17dde25b4215853b05fa8f21fb6b298
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:44:47 -08:00
87c091ea68 UPSTREAM: binderfs: rework binderfs_binder_device_create()
- switch from d_alloc_name() + d_lookup() to lookup_one_len():
  Instead of using d_alloc_name() and then doing a d_lookup() with the
  allocated dentry to find whether a device with the name we're trying to
  create already exists switch to using lookup_one_len().  The latter will
  either return the existing dentry or a new one.

- switch from kmalloc() + strscpy() to kmemdup():
  Use a more idiomatic way to copy the name for the new dentry that
  userspace gave us.

Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 01b3f1fc568352a1ffdcd3ee82a0297f16cc9bd9)
Change-Id: I993a7dfa2f48bc6deb305852ff4085dc8dcaae4d
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:44:33 -08:00
34ffb8ef8e UPSTREAM: binderfs: rework binderfs_fill_super()
Al pointed out that on binderfs_fill_super() error
deactivate_locked_super() will call binderfs_kill_super() so all of the
freeing and putting we currently do in binderfs_fill_super() is unnecessary
and buggy. Let's simply return errors and let binderfs_fill_super() take
care of cleaning up on error.

Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 36975fc3e5f241cc4f45df4ab4624d7d5199d9ed)
Change-Id: I89cac3746d67638901e554c3ede6c0f2931e67d4
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:43:56 -08:00
65d2e4cb02 UPSTREAM: binderfs: prevent renaming the control dentry
- make binderfs control dentry immutable:
  We don't allow to unlink it since it is crucial for binderfs to be
  useable but if we allow to rename it we make the unlink trivial to
  bypass. So prevent renaming too and simply treat the control dentry as
  immutable.

- add is_binderfs_control_device() helper:
  Take the opportunity and turn the check for the control dentry into a
  separate helper is_binderfs_control_device() since it's now used in two
  places.

- simplify binderfs_rename():
  Instead of hand-rolling our custom version of simple_rename() just dumb
  the whole function down to first check whether we're trying to rename the
  control dentry. If we do EPERM the caller and if not call simple_rename().

Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit e98e6fa18636609f14a7f866524950a783cf4fbf)
Change-Id: I44e49a144b624c360ab8a277970625c64511da15
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:43:43 -08:00
d1531c57b4 UPSTREAM: binderfs: remove outdated comment
The comment stems from an early version of that patchset and is just
confusing now.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 7c4d08fc4d5aca073bd4ebecbb9eda5e4d858b71)
Change-Id: I8d5376e217763d7a6203a54516d4220ccdbe268d
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:43:31 -08:00
01408afb08 UPSTREAM: binderfs: fix error return code in binderfs_fill_super()
Fix to return a negative error code -ENOMEM from the new_inode() and
d_make_root() error handling cases instead of 0, as done elsewhere in
this function.

Fixes: 849d540ddfcd ("binderfs: implement "max" mount option")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 7e7ca7744a539f1a172e3b81c29d000787e3d774)
Change-Id: If9d120c4abdbc0d5528c85d2515a9d5e40addfdc
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:43:19 -08:00
2e2d87cd43 UPSTREAM: binderfs: handle !CONFIG_IPC_NS builds
kbuild reported a build faile in [1]. This is triggered when CONFIG_IPC_NS
is not set. So let's make the use of init_ipc_ns conditional on
CONFIG_IPC_NS being set.

[1]: https://lists.01.org/pipermail/kbuild-all/2019-January/056903.html

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 7fefaadd6a962987baac50e7b3c4c3d5ef9b55c6)
Change-Id: I97b0a7a13a82d79d97fe340d4267795e4e6442c7
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:43:06 -08:00
cbfaab8aa3 UPSTREAM: binderfs: reserve devices for initial mount
The binderfs instance in the initial ipc namespace will always have a
reserve of 4 binder devices unless explicitly capped by specifying a lower
value via the "max" mount option.
This ensures when binder devices are removed (on accident or on purpose)
they can always be recreated without risking that all minor numbers have
already been used up.

Cc: Todd Kjos <tkjos@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit 36bdf3cae09df891b191f3955c8e54a2e05d67d0)
Change-Id: I001f305659c37e3b631696712332ae2e21464be8
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:42:50 -08:00
a482713b5a UPSTREAM: binderfs: rename header to binderfs.h
It doesn't make sense to call the header binder_ctl.h when its sole
existence is tied to binderfs. So give it a sensible name. Users will far
more easily remember binderfs.h than binder_ctl.h.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 136497735
(cherry picked from commit c13295ad219d8bb0e47942d4cfc8251de449a67e)
Change-Id: Ide6275bbbaec2e25df19e11754afb7f1827888b2
Signed-off-by: Hridya Valsaraju <hridya@google.com>
2019-12-08 21:42:38 -08:00