All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2 2/2] binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0
@ 2022-04-15 12:00 Alessandro Astone
  2022-04-15 12:00 ` [PATCH v2 1/2] binder: Address corner cases in deferred copy and fixup Alessandro Astone
  2022-04-19 18:48 ` [PATCH v2 2/2] binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 Todd Kjos
  0 siblings, 2 replies; 4+ messages in thread
From: Alessandro Astone @ 2022-04-15 12:00 UTC (permalink / raw)
  To: tkjos, gregkh, brauner, arve, linux-kernel, maco
  Cc: Alessandro Astone, Joel Fernandes, Hridya Valsaraju, Suren Baghdasaryan

Some android userspace is sending BINDER_TYPE_FDA objects with
num_fds=0. Like the previous patch, this is reproducible when
playing a video.

Before commit 09184ae9b575 BINDER_TYPE_FDA objects with num_fds=0
were 'correctly handled', as in no fixup was performed.

After commit 09184ae9b575 we aggregate fixup and skip regions in
binder_ptr_fixup structs and distinguish between the two by using
the skip_size field: if it's 0, then it's a fixup, otherwise skip.
When processing BINDER_TYPE_FDA objects with num_fds=0 we add a
skip region of skip_size=0, and this causes issues because now
binder_do_deferred_txn_copies will think this was a fixup region.

To address that, return early from binder_translate_fd_array to
avoid adding an empty skip region.

Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
---
 drivers/android/binder.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 31176edb1069..f3b639e89dd8 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2491,6 +2491,9 @@ static int binder_translate_fd_array(struct list_head *pf_head,
 	struct binder_proc *proc = thread->proc;
 	int ret;
 
+	if (fda->num_fds == 0)
+		return 0;
+
 	fd_buf_size = sizeof(u32) * fda->num_fds;
 	if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
 		binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH v2 1/2] binder: Address corner cases in deferred copy and fixup
  2022-04-15 12:00 [PATCH v2 2/2] binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 Alessandro Astone
@ 2022-04-15 12:00 ` Alessandro Astone
  2022-04-19 18:48   ` Todd Kjos
  2022-04-19 18:48 ` [PATCH v2 2/2] binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 Todd Kjos
  1 sibling, 1 reply; 4+ messages in thread
From: Alessandro Astone @ 2022-04-15 12:00 UTC (permalink / raw)
  To: tkjos, gregkh, brauner, arve, linux-kernel, maco
  Cc: Alessandro Astone, Joel Fernandes, Hridya Valsaraju, Suren Baghdasaryan

When handling BINDER_TYPE_FDA object we are pushing a parent fixup
with a certain skip_size but no scatter-gather copy object, since
the copy is handled standalone.
If BINDER_TYPE_FDA is the last children the scatter-gather copy
loop will never stop to skip it, thus we are left with an item in
the parent fixup list. This will trigger the BUG_ON().

This is reproducible in android when playing a video.
We receive a transaction that looks like this:
    obj[0] BINDER_TYPE_PTR, parent
    obj[1] BINDER_TYPE_PTR, child
    obj[2] BINDER_TYPE_PTR, child
    obj[3] BINDER_TYPE_FDA, child

Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
---
 drivers/android/binder.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 8351c5638880..31176edb1069 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2295,6 +2295,7 @@ static int binder_do_deferred_txn_copies(struct binder_alloc *alloc,
 {
 	int ret = 0;
 	struct binder_sg_copy *sgc, *tmpsgc;
+	struct binder_ptr_fixup *tmppf;
 	struct binder_ptr_fixup *pf =
 		list_first_entry_or_null(pf_head, struct binder_ptr_fixup,
 					 node);
@@ -2349,7 +2350,11 @@ static int binder_do_deferred_txn_copies(struct binder_alloc *alloc,
 		list_del(&sgc->node);
 		kfree(sgc);
 	}
-	BUG_ON(!list_empty(pf_head));
+	list_for_each_entry_safe(pf, tmppf, pf_head, node) {
+		BUG_ON(pf->skip_size == 0);
+		list_del(&pf->node);
+		kfree(pf);
+	}
 	BUG_ON(!list_empty(sgc_head));
 
 	return ret > 0 ? -EINVAL : ret;
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH v2 2/2] binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0
  2022-04-15 12:00 [PATCH v2 2/2] binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 Alessandro Astone
  2022-04-15 12:00 ` [PATCH v2 1/2] binder: Address corner cases in deferred copy and fixup Alessandro Astone
@ 2022-04-19 18:48 ` Todd Kjos
  1 sibling, 0 replies; 4+ messages in thread
From: Todd Kjos @ 2022-04-19 18:48 UTC (permalink / raw)
  To: Alessandro Astone
  Cc: tkjos, gregkh, brauner, arve, linux-kernel, maco, Joel Fernandes,
	Hridya Valsaraju, Suren Baghdasaryan

On Fri, Apr 15, 2022 at 5:00 AM Alessandro Astone <ales.astone@gmail.com> wrote:
>
> Some android userspace is sending BINDER_TYPE_FDA objects with
> num_fds=0. Like the previous patch, this is reproducible when
> playing a video.
>
> Before commit 09184ae9b575 BINDER_TYPE_FDA objects with num_fds=0
> were 'correctly handled', as in no fixup was performed.
>
> After commit 09184ae9b575 we aggregate fixup and skip regions in
> binder_ptr_fixup structs and distinguish between the two by using
> the skip_size field: if it's 0, then it's a fixup, otherwise skip.
> When processing BINDER_TYPE_FDA objects with num_fds=0 we add a
> skip region of skip_size=0, and this causes issues because now
> binder_do_deferred_txn_copies will think this was a fixup region.
>
> To address that, return early from binder_translate_fd_array to
> avoid adding an empty skip region.
>
> Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
> Signed-off-by: Alessandro Astone <ales.astone@gmail.com>

Acked-by: Todd Kjos <tkjos@google.com>

> ---
>  drivers/android/binder.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 31176edb1069..f3b639e89dd8 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2491,6 +2491,9 @@ static int binder_translate_fd_array(struct list_head *pf_head,
>         struct binder_proc *proc = thread->proc;
>         int ret;
>
> +       if (fda->num_fds == 0)
> +               return 0;
> +
>         fd_buf_size = sizeof(u32) * fda->num_fds;
>         if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
>                 binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
> --
> 2.35.1
>

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH v2 1/2] binder: Address corner cases in deferred copy and fixup
  2022-04-15 12:00 ` [PATCH v2 1/2] binder: Address corner cases in deferred copy and fixup Alessandro Astone
@ 2022-04-19 18:48   ` Todd Kjos
  0 siblings, 0 replies; 4+ messages in thread
From: Todd Kjos @ 2022-04-19 18:48 UTC (permalink / raw)
  To: Alessandro Astone
  Cc: tkjos, gregkh, brauner, arve, linux-kernel, maco, Joel Fernandes,
	Hridya Valsaraju, Suren Baghdasaryan

On Fri, Apr 15, 2022 at 5:00 AM Alessandro Astone <ales.astone@gmail.com> wrote:
>
> When handling BINDER_TYPE_FDA object we are pushing a parent fixup
> with a certain skip_size but no scatter-gather copy object, since
> the copy is handled standalone.
> If BINDER_TYPE_FDA is the last children the scatter-gather copy
> loop will never stop to skip it, thus we are left with an item in
> the parent fixup list. This will trigger the BUG_ON().
>
> This is reproducible in android when playing a video.
> We receive a transaction that looks like this:
>     obj[0] BINDER_TYPE_PTR, parent
>     obj[1] BINDER_TYPE_PTR, child
>     obj[2] BINDER_TYPE_PTR, child
>     obj[3] BINDER_TYPE_FDA, child
>
> Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
> Signed-off-by: Alessandro Astone <ales.astone@gmail.com>

Acked-by: Todd Kjos <tkjos@google.com>


> ---
>  drivers/android/binder.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 8351c5638880..31176edb1069 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2295,6 +2295,7 @@ static int binder_do_deferred_txn_copies(struct binder_alloc *alloc,
>  {
>         int ret = 0;
>         struct binder_sg_copy *sgc, *tmpsgc;
> +       struct binder_ptr_fixup *tmppf;
>         struct binder_ptr_fixup *pf =
>                 list_first_entry_or_null(pf_head, struct binder_ptr_fixup,
>                                          node);
> @@ -2349,7 +2350,11 @@ static int binder_do_deferred_txn_copies(struct binder_alloc *alloc,
>                 list_del(&sgc->node);
>                 kfree(sgc);
>         }
> -       BUG_ON(!list_empty(pf_head));
> +       list_for_each_entry_safe(pf, tmppf, pf_head, node) {
> +               BUG_ON(pf->skip_size == 0);
> +               list_del(&pf->node);
> +               kfree(pf);
> +       }
>         BUG_ON(!list_empty(sgc_head));
>
>         return ret > 0 ? -EINVAL : ret;
> --
> 2.35.1
>

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-04-19 18:48 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-15 12:00 [PATCH v2 2/2] binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 Alessandro Astone
2022-04-15 12:00 ` [PATCH v2 1/2] binder: Address corner cases in deferred copy and fixup Alessandro Astone
2022-04-19 18:48   ` Todd Kjos
2022-04-19 18:48 ` [PATCH v2 2/2] binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 Todd Kjos

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.