* [PATCH] binder: create node flag to request sender's security context
@ 2019-01-10 18:21 Todd Kjos
2019-01-11 3:07 ` kbuild test robot
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Todd Kjos @ 2019-01-10 18:21 UTC (permalink / raw)
To: tkjos, gregkh, arve, devel, linux-kernel, maco; +Cc: joel, kernel-team
To allow servers to verify client identity, allow a node
flag to be set that causes the sender's security context
to be delivered with the transaction. The BR_TRANSACTION
command is extended in BR_TRANSACTION_SEC_CTX to
contain a pointer to the security context string.
Signed-off-by: Todd Kjos <tkjos@google.com>
---
drivers/android/binder.c | 106 ++++++++++++++++++++++------
include/uapi/linux/android/binder.h | 19 +++++
2 files changed, 102 insertions(+), 23 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index cdfc87629efb8..84551a2f2d71a 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -329,6 +329,8 @@ struct binder_error {
* (invariant after initialized)
* @min_priority: minimum scheduling priority
* (invariant after initialized)
+ * @txn_security_ctx: require sender's security context
+ * (invariant after initialized)
* @async_todo: list of async work items
* (protected by @proc->inner_lock)
*
@@ -365,6 +367,7 @@ struct binder_node {
* invariant after initialization
*/
u8 accept_fds:1;
+ u8 txn_security_ctx:1;
u8 min_priority;
};
bool has_async_transaction;
@@ -615,6 +618,7 @@ struct binder_transaction {
long saved_priority;
kuid_t sender_euid;
struct list_head fd_fixups;
+ binder_uintptr_t security_ctx;
/**
* @lock: protects @from, @to_proc, and @to_thread
*
@@ -1152,6 +1156,7 @@ static struct binder_node *binder_init_node_ilocked(
node->work.type = BINDER_WORK_NODE;
node->min_priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
+ node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX);
spin_lock_init(&node->lock);
INIT_LIST_HEAD(&node->work.entry);
INIT_LIST_HEAD(&node->async_todo);
@@ -2778,6 +2783,8 @@ static void binder_transaction(struct binder_proc *proc,
binder_size_t last_fixup_min_off = 0;
struct binder_context *context = proc->context;
int t_debug_id = atomic_inc_return(&binder_last_id);
+ char *secctx = NULL;
+ u32 secctx_sz = 0;
e = binder_transaction_log_add(&binder_transaction_log);
e->debug_id = t_debug_id;
@@ -3020,6 +3027,20 @@ static void binder_transaction(struct binder_proc *proc,
t->flags = tr->flags;
t->priority = task_nice(current);
+ if (target_node && target_node->txn_security_ctx) {
+ u32 secid;
+
+ security_task_getsecid(proc->tsk, &secid);
+ ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
+ if (ret) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_get_secctx_failed;
+ }
+ extra_buffers_size += ALIGN(secctx_sz, sizeof(u64));
+ }
+
trace_binder_transaction(reply, t, target_node);
t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
@@ -3036,6 +3057,19 @@ static void binder_transaction(struct binder_proc *proc,
t->buffer = NULL;
goto err_binder_alloc_buf_failed;
}
+ if (secctx) {
+ size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
+ ALIGN(tr->offsets_size, sizeof(void *)) +
+ ALIGN(extra_buffers_size, sizeof(void *)) -
+ ALIGN(secctx_sz, sizeof(u64));
+ char *kptr = t->buffer->data + buf_offset;
+
+ t->security_ctx = (binder_uintptr_t)kptr +
+ binder_alloc_get_user_buffer_offset(&target_proc->alloc);
+ memcpy(kptr, secctx, secctx_sz);
+ security_release_secctx(secctx, secctx_sz);
+ secctx = NULL;
+ }
t->buffer->debug_id = t->debug_id;
t->buffer->transaction = t;
t->buffer->target_node = target_node;
@@ -3305,6 +3339,9 @@ static void binder_transaction(struct binder_proc *proc,
t->buffer->transaction = NULL;
binder_alloc_free_buf(&target_proc->alloc, t->buffer);
err_binder_alloc_buf_failed:
+ if (secctx)
+ security_release_secctx(secctx, secctx_sz);
+err_get_secctx_failed:
kfree(tcomplete);
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
err_alloc_tcomplete_failed:
@@ -4036,11 +4073,13 @@ static int binder_thread_read(struct binder_proc *proc,
while (1) {
uint32_t cmd;
- struct binder_transaction_data tr;
+ struct binder_transaction_data_secctx tr;
+ struct binder_transaction_data *trd = &tr.transaction_data;
struct binder_work *w = NULL;
struct list_head *list = NULL;
struct binder_transaction *t = NULL;
struct binder_thread *t_from;
+ size_t trsize = sizeof(*trd);
binder_inner_proc_lock(proc);
if (!binder_worklist_empty_ilocked(&thread->todo))
@@ -4240,8 +4279,8 @@ static int binder_thread_read(struct binder_proc *proc,
if (t->buffer->target_node) {
struct binder_node *target_node = t->buffer->target_node;
- tr.target.ptr = target_node->ptr;
- tr.cookie = target_node->cookie;
+ trd->target.ptr = target_node->ptr;
+ trd->cookie = target_node->cookie;
t->saved_priority = task_nice(current);
if (t->priority < target_node->min_priority &&
!(t->flags & TF_ONE_WAY))
@@ -4251,22 +4290,23 @@ static int binder_thread_read(struct binder_proc *proc,
binder_set_nice(target_node->min_priority);
cmd = BR_TRANSACTION;
} else {
- tr.target.ptr = 0;
- tr.cookie = 0;
+ trd->target.ptr = 0;
+ trd->cookie = 0;
cmd = BR_REPLY;
}
- tr.code = t->code;
- tr.flags = t->flags;
- tr.sender_euid = from_kuid(current_user_ns(), t->sender_euid);
+ trd->code = t->code;
+ trd->flags = t->flags;
+ trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);
t_from = binder_get_txn_from(t);
if (t_from) {
struct task_struct *sender = t_from->proc->tsk;
- tr.sender_pid = task_tgid_nr_ns(sender,
- task_active_pid_ns(current));
+ trd->sender_pid =
+ task_tgid_nr_ns(sender,
+ task_active_pid_ns(current));
} else {
- tr.sender_pid = 0;
+ trd->sender_pid = 0;
}
ret = binder_apply_fd_fixups(t);
@@ -4297,15 +4337,20 @@ static int binder_thread_read(struct binder_proc *proc,
}
continue;
}
- tr.data_size = t->buffer->data_size;
- tr.offsets_size = t->buffer->offsets_size;
- tr.data.ptr.buffer = (binder_uintptr_t)
+ trd->data_size = t->buffer->data_size;
+ trd->offsets_size = t->buffer->offsets_size;
+ trd->data.ptr.buffer = (binder_uintptr_t)
((uintptr_t)t->buffer->data +
binder_alloc_get_user_buffer_offset(&proc->alloc));
- tr.data.ptr.offsets = tr.data.ptr.buffer +
+ trd->data.ptr.offsets = trd->data.ptr.buffer +
ALIGN(t->buffer->data_size,
sizeof(void *));
+ if (t->security_ctx) {
+ cmd = BR_TRANSACTION_SEC_CTX;
+ tr.secctx = t->security_ctx;
+ trsize = sizeof(tr);
+ }
if (put_user(cmd, (uint32_t __user *)ptr)) {
if (t_from)
binder_thread_dec_tmpref(t_from);
@@ -4316,7 +4361,7 @@ static int binder_thread_read(struct binder_proc *proc,
return -EFAULT;
}
ptr += sizeof(uint32_t);
- if (copy_to_user(ptr, &tr, sizeof(tr))) {
+ if (copy_to_user(ptr, &tr, trsize)) {
if (t_from)
binder_thread_dec_tmpref(t_from);
@@ -4325,7 +4370,7 @@ static int binder_thread_read(struct binder_proc *proc,
return -EFAULT;
}
- ptr += sizeof(tr);
+ ptr += trsize;
trace_binder_transaction_received(t);
binder_stat_br(proc, thread, cmd);
@@ -4333,16 +4378,18 @@ static int binder_thread_read(struct binder_proc *proc,
"%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
proc->pid, thread->pid,
(cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
- "BR_REPLY",
+ (cmd == BR_TRANSACTION_SEC_CTX) ?
+ "BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
t->debug_id, t_from ? t_from->proc->pid : 0,
t_from ? t_from->pid : 0, cmd,
t->buffer->data_size, t->buffer->offsets_size,
- (u64)tr.data.ptr.buffer, (u64)tr.data.ptr.offsets);
+ (u64)trd->data.ptr.buffer,
+ (u64)trd->data.ptr.offsets);
if (t_from)
binder_thread_dec_tmpref(t_from);
t->buffer->allow_user_free = 1;
- if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {
+ if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
binder_inner_proc_lock(thread->proc);
t->to_parent = thread->transaction_stack;
t->to_thread = thread;
@@ -4690,7 +4737,8 @@ static int binder_ioctl_write_read(struct file *filp,
return ret;
}
-static int binder_ioctl_set_ctx_mgr(struct file *filp)
+static int binder_ioctl_set_ctx_mgr(struct file *filp,
+ struct flat_binder_object *fbo)
{
int ret = 0;
struct binder_proc *proc = filp->private_data;
@@ -4719,7 +4767,7 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp)
} else {
context->binder_context_mgr_uid = curr_euid;
}
- new_node = binder_new_node(proc, NULL);
+ new_node = binder_new_node(proc, fbo);
if (!new_node) {
ret = -ENOMEM;
goto out;
@@ -4842,8 +4890,20 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
binder_inner_proc_unlock(proc);
break;
}
+ case BINDER_SET_CONTEXT_MGR_EXT: {
+ struct flat_binder_object fbo;
+
+ if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
+ ret = -EINVAL;
+ goto err;
+ }
+ ret = binder_ioctl_set_ctx_mgr(filp, &fbo);
+ if (ret)
+ goto err;
+ break;
+ }
case BINDER_SET_CONTEXT_MGR:
- ret = binder_ioctl_set_ctx_mgr(filp);
+ ret = binder_ioctl_set_ctx_mgr(filp, NULL);
if (ret)
goto err;
break;
diff --git a/include/uapi/linux/android/binder.h b/include/uapi/linux/android/binder.h
index b9ba520f7e4bb..2832134e53971 100644
--- a/include/uapi/linux/android/binder.h
+++ b/include/uapi/linux/android/binder.h
@@ -41,6 +41,14 @@ enum {
enum {
FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff,
FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100,
+
+ /**
+ * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
+ *
+ * Only when set, causes senders to include their security
+ * context
+ */
+ FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000,
};
#ifdef BINDER_IPC_32BIT
@@ -218,6 +226,7 @@ struct binder_node_info_for_ref {
#define BINDER_VERSION _IOWR('b', 9, struct binder_version)
#define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info)
#define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref)
+#define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object)
/*
* NOTE: Two special error codes you should check for when calling
@@ -276,6 +285,11 @@ struct binder_transaction_data {
} data;
};
+struct binder_transaction_data_secctx {
+ struct binder_transaction_data transaction_data;
+ binder_uintptr_t secctx;
+};
+
struct binder_transaction_data_sg {
struct binder_transaction_data transaction_data;
binder_size_t buffers_size;
@@ -311,6 +325,11 @@ enum binder_driver_return_protocol {
BR_OK = _IO('r', 1),
/* No parameters! */
+ BR_TRANSACTION_SEC_CTX = _IOR('r', 2,
+ struct binder_transaction_data_secctx),
+ /*
+ * binder_transaction_data_secctx: the received command.
+ */
BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data),
BR_REPLY = _IOR('r', 3, struct binder_transaction_data),
/*
--
2.20.1.97.g81188d93c3-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] binder: create node flag to request sender's security context
2019-01-10 18:21 [PATCH] binder: create node flag to request sender's security context Todd Kjos
@ 2019-01-11 3:07 ` kbuild test robot
2019-01-11 9:16 ` Greg KH
2019-01-14 8:09 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: kbuild test robot @ 2019-01-11 3:07 UTC (permalink / raw)
To: Todd Kjos
Cc: kbuild-all, tkjos, gregkh, arve, devel, linux-kernel, maco, joel,
kernel-team
[-- Attachment #1: Type: text/plain, Size: 26084 bytes --]
Hi Todd,
I love your patch! Perhaps something to improve:
[auto build test WARNING on linus/master]
[also build test WARNING on v5.0-rc1 next-20190110]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Todd-Kjos/binder-create-node-flag-to-request-sender-s-security-context/20190111-095225
config: i386-randconfig-x009-201901 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All warnings (new ones prefixed by >>):
drivers/android/binder.c: In function 'binder_transaction':
>> drivers/android/binder.c:3067:21: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
t->security_ctx = (binder_uintptr_t)kptr +
^
vim +3067 drivers/android/binder.c
2761
2762 static void binder_transaction(struct binder_proc *proc,
2763 struct binder_thread *thread,
2764 struct binder_transaction_data *tr, int reply,
2765 binder_size_t extra_buffers_size)
2766 {
2767 int ret;
2768 struct binder_transaction *t;
2769 struct binder_work *w;
2770 struct binder_work *tcomplete;
2771 binder_size_t *offp, *off_end, *off_start;
2772 binder_size_t off_min;
2773 u8 *sg_bufp, *sg_buf_end;
2774 struct binder_proc *target_proc = NULL;
2775 struct binder_thread *target_thread = NULL;
2776 struct binder_node *target_node = NULL;
2777 struct binder_transaction *in_reply_to = NULL;
2778 struct binder_transaction_log_entry *e;
2779 uint32_t return_error = 0;
2780 uint32_t return_error_param = 0;
2781 uint32_t return_error_line = 0;
2782 struct binder_buffer_object *last_fixup_obj = NULL;
2783 binder_size_t last_fixup_min_off = 0;
2784 struct binder_context *context = proc->context;
2785 int t_debug_id = atomic_inc_return(&binder_last_id);
2786 char *secctx = NULL;
2787 u32 secctx_sz = 0;
2788
2789 e = binder_transaction_log_add(&binder_transaction_log);
2790 e->debug_id = t_debug_id;
2791 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
2792 e->from_proc = proc->pid;
2793 e->from_thread = thread->pid;
2794 e->target_handle = tr->target.handle;
2795 e->data_size = tr->data_size;
2796 e->offsets_size = tr->offsets_size;
2797 e->context_name = proc->context->name;
2798
2799 if (reply) {
2800 binder_inner_proc_lock(proc);
2801 in_reply_to = thread->transaction_stack;
2802 if (in_reply_to == NULL) {
2803 binder_inner_proc_unlock(proc);
2804 binder_user_error("%d:%d got reply transaction with no transaction stack\n",
2805 proc->pid, thread->pid);
2806 return_error = BR_FAILED_REPLY;
2807 return_error_param = -EPROTO;
2808 return_error_line = __LINE__;
2809 goto err_empty_call_stack;
2810 }
2811 if (in_reply_to->to_thread != thread) {
2812 spin_lock(&in_reply_to->lock);
2813 binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
2814 proc->pid, thread->pid, in_reply_to->debug_id,
2815 in_reply_to->to_proc ?
2816 in_reply_to->to_proc->pid : 0,
2817 in_reply_to->to_thread ?
2818 in_reply_to->to_thread->pid : 0);
2819 spin_unlock(&in_reply_to->lock);
2820 binder_inner_proc_unlock(proc);
2821 return_error = BR_FAILED_REPLY;
2822 return_error_param = -EPROTO;
2823 return_error_line = __LINE__;
2824 in_reply_to = NULL;
2825 goto err_bad_call_stack;
2826 }
2827 thread->transaction_stack = in_reply_to->to_parent;
2828 binder_inner_proc_unlock(proc);
2829 binder_set_nice(in_reply_to->saved_priority);
2830 target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
2831 if (target_thread == NULL) {
2832 /* annotation for sparse */
2833 __release(&target_thread->proc->inner_lock);
2834 return_error = BR_DEAD_REPLY;
2835 return_error_line = __LINE__;
2836 goto err_dead_binder;
2837 }
2838 if (target_thread->transaction_stack != in_reply_to) {
2839 binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
2840 proc->pid, thread->pid,
2841 target_thread->transaction_stack ?
2842 target_thread->transaction_stack->debug_id : 0,
2843 in_reply_to->debug_id);
2844 binder_inner_proc_unlock(target_thread->proc);
2845 return_error = BR_FAILED_REPLY;
2846 return_error_param = -EPROTO;
2847 return_error_line = __LINE__;
2848 in_reply_to = NULL;
2849 target_thread = NULL;
2850 goto err_dead_binder;
2851 }
2852 target_proc = target_thread->proc;
2853 target_proc->tmp_ref++;
2854 binder_inner_proc_unlock(target_thread->proc);
2855 } else {
2856 if (tr->target.handle) {
2857 struct binder_ref *ref;
2858
2859 /*
2860 * There must already be a strong ref
2861 * on this node. If so, do a strong
2862 * increment on the node to ensure it
2863 * stays alive until the transaction is
2864 * done.
2865 */
2866 binder_proc_lock(proc);
2867 ref = binder_get_ref_olocked(proc, tr->target.handle,
2868 true);
2869 if (ref) {
2870 target_node = binder_get_node_refs_for_txn(
2871 ref->node, &target_proc,
2872 &return_error);
2873 } else {
2874 binder_user_error("%d:%d got transaction to invalid handle\n",
2875 proc->pid, thread->pid);
2876 return_error = BR_FAILED_REPLY;
2877 }
2878 binder_proc_unlock(proc);
2879 } else {
2880 mutex_lock(&context->context_mgr_node_lock);
2881 target_node = context->binder_context_mgr_node;
2882 if (target_node)
2883 target_node = binder_get_node_refs_for_txn(
2884 target_node, &target_proc,
2885 &return_error);
2886 else
2887 return_error = BR_DEAD_REPLY;
2888 mutex_unlock(&context->context_mgr_node_lock);
2889 if (target_node && target_proc == proc) {
2890 binder_user_error("%d:%d got transaction to context manager from process owning it\n",
2891 proc->pid, thread->pid);
2892 return_error = BR_FAILED_REPLY;
2893 return_error_param = -EINVAL;
2894 return_error_line = __LINE__;
2895 goto err_invalid_target_handle;
2896 }
2897 }
2898 if (!target_node) {
2899 /*
2900 * return_error is set above
2901 */
2902 return_error_param = -EINVAL;
2903 return_error_line = __LINE__;
2904 goto err_dead_binder;
2905 }
2906 e->to_node = target_node->debug_id;
2907 if (security_binder_transaction(proc->tsk,
2908 target_proc->tsk) < 0) {
2909 return_error = BR_FAILED_REPLY;
2910 return_error_param = -EPERM;
2911 return_error_line = __LINE__;
2912 goto err_invalid_target_handle;
2913 }
2914 binder_inner_proc_lock(proc);
2915
2916 w = list_first_entry_or_null(&thread->todo,
2917 struct binder_work, entry);
2918 if (!(tr->flags & TF_ONE_WAY) && w &&
2919 w->type == BINDER_WORK_TRANSACTION) {
2920 /*
2921 * Do not allow new outgoing transaction from a
2922 * thread that has a transaction at the head of
2923 * its todo list. Only need to check the head
2924 * because binder_select_thread_ilocked picks a
2925 * thread from proc->waiting_threads to enqueue
2926 * the transaction, and nothing is queued to the
2927 * todo list while the thread is on waiting_threads.
2928 */
2929 binder_user_error("%d:%d new transaction not allowed when there is a transaction on thread todo\n",
2930 proc->pid, thread->pid);
2931 binder_inner_proc_unlock(proc);
2932 return_error = BR_FAILED_REPLY;
2933 return_error_param = -EPROTO;
2934 return_error_line = __LINE__;
2935 goto err_bad_todo_list;
2936 }
2937
2938 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
2939 struct binder_transaction *tmp;
2940
2941 tmp = thread->transaction_stack;
2942 if (tmp->to_thread != thread) {
2943 spin_lock(&tmp->lock);
2944 binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
2945 proc->pid, thread->pid, tmp->debug_id,
2946 tmp->to_proc ? tmp->to_proc->pid : 0,
2947 tmp->to_thread ?
2948 tmp->to_thread->pid : 0);
2949 spin_unlock(&tmp->lock);
2950 binder_inner_proc_unlock(proc);
2951 return_error = BR_FAILED_REPLY;
2952 return_error_param = -EPROTO;
2953 return_error_line = __LINE__;
2954 goto err_bad_call_stack;
2955 }
2956 while (tmp) {
2957 struct binder_thread *from;
2958
2959 spin_lock(&tmp->lock);
2960 from = tmp->from;
2961 if (from && from->proc == target_proc) {
2962 atomic_inc(&from->tmp_ref);
2963 target_thread = from;
2964 spin_unlock(&tmp->lock);
2965 break;
2966 }
2967 spin_unlock(&tmp->lock);
2968 tmp = tmp->from_parent;
2969 }
2970 }
2971 binder_inner_proc_unlock(proc);
2972 }
2973 if (target_thread)
2974 e->to_thread = target_thread->pid;
2975 e->to_proc = target_proc->pid;
2976
2977 /* TODO: reuse incoming transaction for reply */
2978 t = kzalloc(sizeof(*t), GFP_KERNEL);
2979 if (t == NULL) {
2980 return_error = BR_FAILED_REPLY;
2981 return_error_param = -ENOMEM;
2982 return_error_line = __LINE__;
2983 goto err_alloc_t_failed;
2984 }
2985 INIT_LIST_HEAD(&t->fd_fixups);
2986 binder_stats_created(BINDER_STAT_TRANSACTION);
2987 spin_lock_init(&t->lock);
2988
2989 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
2990 if (tcomplete == NULL) {
2991 return_error = BR_FAILED_REPLY;
2992 return_error_param = -ENOMEM;
2993 return_error_line = __LINE__;
2994 goto err_alloc_tcomplete_failed;
2995 }
2996 binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);
2997
2998 t->debug_id = t_debug_id;
2999
3000 if (reply)
3001 binder_debug(BINDER_DEBUG_TRANSACTION,
3002 "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
3003 proc->pid, thread->pid, t->debug_id,
3004 target_proc->pid, target_thread->pid,
3005 (u64)tr->data.ptr.buffer,
3006 (u64)tr->data.ptr.offsets,
3007 (u64)tr->data_size, (u64)tr->offsets_size,
3008 (u64)extra_buffers_size);
3009 else
3010 binder_debug(BINDER_DEBUG_TRANSACTION,
3011 "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
3012 proc->pid, thread->pid, t->debug_id,
3013 target_proc->pid, target_node->debug_id,
3014 (u64)tr->data.ptr.buffer,
3015 (u64)tr->data.ptr.offsets,
3016 (u64)tr->data_size, (u64)tr->offsets_size,
3017 (u64)extra_buffers_size);
3018
3019 if (!reply && !(tr->flags & TF_ONE_WAY))
3020 t->from = thread;
3021 else
3022 t->from = NULL;
3023 t->sender_euid = task_euid(proc->tsk);
3024 t->to_proc = target_proc;
3025 t->to_thread = target_thread;
3026 t->code = tr->code;
3027 t->flags = tr->flags;
3028 t->priority = task_nice(current);
3029
3030 if (target_node && target_node->txn_security_ctx) {
3031 u32 secid;
3032
3033 security_task_getsecid(proc->tsk, &secid);
3034 ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
3035 if (ret) {
3036 return_error = BR_FAILED_REPLY;
3037 return_error_param = ret;
3038 return_error_line = __LINE__;
3039 goto err_get_secctx_failed;
3040 }
3041 extra_buffers_size += ALIGN(secctx_sz, sizeof(u64));
3042 }
3043
3044 trace_binder_transaction(reply, t, target_node);
3045
3046 t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
3047 tr->offsets_size, extra_buffers_size,
3048 !reply && (t->flags & TF_ONE_WAY));
3049 if (IS_ERR(t->buffer)) {
3050 /*
3051 * -ESRCH indicates VMA cleared. The target is dying.
3052 */
3053 return_error_param = PTR_ERR(t->buffer);
3054 return_error = return_error_param == -ESRCH ?
3055 BR_DEAD_REPLY : BR_FAILED_REPLY;
3056 return_error_line = __LINE__;
3057 t->buffer = NULL;
3058 goto err_binder_alloc_buf_failed;
3059 }
3060 if (secctx) {
3061 size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
3062 ALIGN(tr->offsets_size, sizeof(void *)) +
3063 ALIGN(extra_buffers_size, sizeof(void *)) -
3064 ALIGN(secctx_sz, sizeof(u64));
3065 char *kptr = t->buffer->data + buf_offset;
3066
> 3067 t->security_ctx = (binder_uintptr_t)kptr +
3068 binder_alloc_get_user_buffer_offset(&target_proc->alloc);
3069 memcpy(kptr, secctx, secctx_sz);
3070 security_release_secctx(secctx, secctx_sz);
3071 secctx = NULL;
3072 }
3073 t->buffer->debug_id = t->debug_id;
3074 t->buffer->transaction = t;
3075 t->buffer->target_node = target_node;
3076 trace_binder_transaction_alloc_buf(t->buffer);
3077 off_start = (binder_size_t *)(t->buffer->data +
3078 ALIGN(tr->data_size, sizeof(void *)));
3079 offp = off_start;
3080
3081 if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t)
3082 tr->data.ptr.buffer, tr->data_size)) {
3083 binder_user_error("%d:%d got transaction with invalid data ptr\n",
3084 proc->pid, thread->pid);
3085 return_error = BR_FAILED_REPLY;
3086 return_error_param = -EFAULT;
3087 return_error_line = __LINE__;
3088 goto err_copy_data_failed;
3089 }
3090 if (copy_from_user(offp, (const void __user *)(uintptr_t)
3091 tr->data.ptr.offsets, tr->offsets_size)) {
3092 binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
3093 proc->pid, thread->pid);
3094 return_error = BR_FAILED_REPLY;
3095 return_error_param = -EFAULT;
3096 return_error_line = __LINE__;
3097 goto err_copy_data_failed;
3098 }
3099 if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
3100 binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
3101 proc->pid, thread->pid, (u64)tr->offsets_size);
3102 return_error = BR_FAILED_REPLY;
3103 return_error_param = -EINVAL;
3104 return_error_line = __LINE__;
3105 goto err_bad_offset;
3106 }
3107 if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
3108 binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
3109 proc->pid, thread->pid,
3110 (u64)extra_buffers_size);
3111 return_error = BR_FAILED_REPLY;
3112 return_error_param = -EINVAL;
3113 return_error_line = __LINE__;
3114 goto err_bad_offset;
3115 }
3116 off_end = (void *)off_start + tr->offsets_size;
3117 sg_bufp = (u8 *)(PTR_ALIGN(off_end, sizeof(void *)));
3118 sg_buf_end = sg_bufp + extra_buffers_size;
3119 off_min = 0;
3120 for (; offp < off_end; offp++) {
3121 struct binder_object_header *hdr;
3122 size_t object_size = binder_validate_object(t->buffer, *offp);
3123
3124 if (object_size == 0 || *offp < off_min) {
3125 binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
3126 proc->pid, thread->pid, (u64)*offp,
3127 (u64)off_min,
3128 (u64)t->buffer->data_size);
3129 return_error = BR_FAILED_REPLY;
3130 return_error_param = -EINVAL;
3131 return_error_line = __LINE__;
3132 goto err_bad_offset;
3133 }
3134
3135 hdr = (struct binder_object_header *)(t->buffer->data + *offp);
3136 off_min = *offp + object_size;
3137 switch (hdr->type) {
3138 case BINDER_TYPE_BINDER:
3139 case BINDER_TYPE_WEAK_BINDER: {
3140 struct flat_binder_object *fp;
3141
3142 fp = to_flat_binder_object(hdr);
3143 ret = binder_translate_binder(fp, t, thread);
3144 if (ret < 0) {
3145 return_error = BR_FAILED_REPLY;
3146 return_error_param = ret;
3147 return_error_line = __LINE__;
3148 goto err_translate_failed;
3149 }
3150 } break;
3151 case BINDER_TYPE_HANDLE:
3152 case BINDER_TYPE_WEAK_HANDLE: {
3153 struct flat_binder_object *fp;
3154
3155 fp = to_flat_binder_object(hdr);
3156 ret = binder_translate_handle(fp, t, thread);
3157 if (ret < 0) {
3158 return_error = BR_FAILED_REPLY;
3159 return_error_param = ret;
3160 return_error_line = __LINE__;
3161 goto err_translate_failed;
3162 }
3163 } break;
3164
3165 case BINDER_TYPE_FD: {
3166 struct binder_fd_object *fp = to_binder_fd_object(hdr);
3167 int ret = binder_translate_fd(&fp->fd, t, thread,
3168 in_reply_to);
3169
3170 if (ret < 0) {
3171 return_error = BR_FAILED_REPLY;
3172 return_error_param = ret;
3173 return_error_line = __LINE__;
3174 goto err_translate_failed;
3175 }
3176 fp->pad_binder = 0;
3177 } break;
3178 case BINDER_TYPE_FDA: {
3179 struct binder_fd_array_object *fda =
3180 to_binder_fd_array_object(hdr);
3181 struct binder_buffer_object *parent =
3182 binder_validate_ptr(t->buffer, fda->parent,
3183 off_start,
3184 offp - off_start);
3185 if (!parent) {
3186 binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
3187 proc->pid, thread->pid);
3188 return_error = BR_FAILED_REPLY;
3189 return_error_param = -EINVAL;
3190 return_error_line = __LINE__;
3191 goto err_bad_parent;
3192 }
3193 if (!binder_validate_fixup(t->buffer, off_start,
3194 parent, fda->parent_offset,
3195 last_fixup_obj,
3196 last_fixup_min_off)) {
3197 binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
3198 proc->pid, thread->pid);
3199 return_error = BR_FAILED_REPLY;
3200 return_error_param = -EINVAL;
3201 return_error_line = __LINE__;
3202 goto err_bad_parent;
3203 }
3204 ret = binder_translate_fd_array(fda, parent, t, thread,
3205 in_reply_to);
3206 if (ret < 0) {
3207 return_error = BR_FAILED_REPLY;
3208 return_error_param = ret;
3209 return_error_line = __LINE__;
3210 goto err_translate_failed;
3211 }
3212 last_fixup_obj = parent;
3213 last_fixup_min_off =
3214 fda->parent_offset + sizeof(u32) * fda->num_fds;
3215 } break;
3216 case BINDER_TYPE_PTR: {
3217 struct binder_buffer_object *bp =
3218 to_binder_buffer_object(hdr);
3219 size_t buf_left = sg_buf_end - sg_bufp;
3220
3221 if (bp->length > buf_left) {
3222 binder_user_error("%d:%d got transaction with too large buffer\n",
3223 proc->pid, thread->pid);
3224 return_error = BR_FAILED_REPLY;
3225 return_error_param = -EINVAL;
3226 return_error_line = __LINE__;
3227 goto err_bad_offset;
3228 }
3229 if (copy_from_user(sg_bufp,
3230 (const void __user *)(uintptr_t)
3231 bp->buffer, bp->length)) {
3232 binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
3233 proc->pid, thread->pid);
3234 return_error_param = -EFAULT;
3235 return_error = BR_FAILED_REPLY;
3236 return_error_line = __LINE__;
3237 goto err_copy_data_failed;
3238 }
3239 /* Fixup buffer pointer to target proc address space */
3240 bp->buffer = (uintptr_t)sg_bufp +
3241 binder_alloc_get_user_buffer_offset(
3242 &target_proc->alloc);
3243 sg_bufp += ALIGN(bp->length, sizeof(u64));
3244
3245 ret = binder_fixup_parent(t, thread, bp, off_start,
3246 offp - off_start,
3247 last_fixup_obj,
3248 last_fixup_min_off);
3249 if (ret < 0) {
3250 return_error = BR_FAILED_REPLY;
3251 return_error_param = ret;
3252 return_error_line = __LINE__;
3253 goto err_translate_failed;
3254 }
3255 last_fixup_obj = bp;
3256 last_fixup_min_off = 0;
3257 } break;
3258 default:
3259 binder_user_error("%d:%d got transaction with invalid object type, %x\n",
3260 proc->pid, thread->pid, hdr->type);
3261 return_error = BR_FAILED_REPLY;
3262 return_error_param = -EINVAL;
3263 return_error_line = __LINE__;
3264 goto err_bad_object_type;
3265 }
3266 }
3267 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
3268 t->work.type = BINDER_WORK_TRANSACTION;
3269
3270 if (reply) {
3271 binder_enqueue_thread_work(thread, tcomplete);
3272 binder_inner_proc_lock(target_proc);
3273 if (target_thread->is_dead) {
3274 binder_inner_proc_unlock(target_proc);
3275 goto err_dead_proc_or_thread;
3276 }
3277 BUG_ON(t->buffer->async_transaction != 0);
3278 binder_pop_transaction_ilocked(target_thread, in_reply_to);
3279 binder_enqueue_thread_work_ilocked(target_thread, &t->work);
3280 binder_inner_proc_unlock(target_proc);
3281 wake_up_interruptible_sync(&target_thread->wait);
3282 binder_free_transaction(in_reply_to);
3283 } else if (!(t->flags & TF_ONE_WAY)) {
3284 BUG_ON(t->buffer->async_transaction != 0);
3285 binder_inner_proc_lock(proc);
3286 /*
3287 * Defer the TRANSACTION_COMPLETE, so we don't return to
3288 * userspace immediately; this allows the target process to
3289 * immediately start processing this transaction, reducing
3290 * latency. We will then return the TRANSACTION_COMPLETE when
3291 * the target replies (or there is an error).
3292 */
3293 binder_enqueue_deferred_thread_work_ilocked(thread, tcomplete);
3294 t->need_reply = 1;
3295 t->from_parent = thread->transaction_stack;
3296 thread->transaction_stack = t;
3297 binder_inner_proc_unlock(proc);
3298 if (!binder_proc_transaction(t, target_proc, target_thread)) {
3299 binder_inner_proc_lock(proc);
3300 binder_pop_transaction_ilocked(thread, t);
3301 binder_inner_proc_unlock(proc);
3302 goto err_dead_proc_or_thread;
3303 }
3304 } else {
3305 BUG_ON(target_node == NULL);
3306 BUG_ON(t->buffer->async_transaction != 1);
3307 binder_enqueue_thread_work(thread, tcomplete);
3308 if (!binder_proc_transaction(t, target_proc, NULL))
3309 goto err_dead_proc_or_thread;
3310 }
3311 if (target_thread)
3312 binder_thread_dec_tmpref(target_thread);
3313 binder_proc_dec_tmpref(target_proc);
3314 if (target_node)
3315 binder_dec_node_tmpref(target_node);
3316 /*
3317 * write barrier to synchronize with initialization
3318 * of log entry
3319 */
3320 smp_wmb();
3321 WRITE_ONCE(e->debug_id_done, t_debug_id);
3322 return;
3323
3324 err_dead_proc_or_thread:
3325 return_error = BR_DEAD_REPLY;
3326 return_error_line = __LINE__;
3327 binder_dequeue_work(proc, tcomplete);
3328 err_translate_failed:
3329 err_bad_object_type:
3330 err_bad_offset:
3331 err_bad_parent:
3332 err_copy_data_failed:
3333 binder_free_txn_fixups(t);
3334 trace_binder_transaction_failed_buffer_release(t->buffer);
3335 binder_transaction_buffer_release(target_proc, t->buffer, offp);
3336 if (target_node)
3337 binder_dec_node_tmpref(target_node);
3338 target_node = NULL;
3339 t->buffer->transaction = NULL;
3340 binder_alloc_free_buf(&target_proc->alloc, t->buffer);
3341 err_binder_alloc_buf_failed:
3342 if (secctx)
3343 security_release_secctx(secctx, secctx_sz);
3344 err_get_secctx_failed:
3345 kfree(tcomplete);
3346 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
3347 err_alloc_tcomplete_failed:
3348 kfree(t);
3349 binder_stats_deleted(BINDER_STAT_TRANSACTION);
3350 err_alloc_t_failed:
3351 err_bad_todo_list:
3352 err_bad_call_stack:
3353 err_empty_call_stack:
3354 err_dead_binder:
3355 err_invalid_target_handle:
3356 if (target_thread)
3357 binder_thread_dec_tmpref(target_thread);
3358 if (target_proc)
3359 binder_proc_dec_tmpref(target_proc);
3360 if (target_node) {
3361 binder_dec_node(target_node, 1, 0);
3362 binder_dec_node_tmpref(target_node);
3363 }
3364
3365 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
3366 "%d:%d transaction failed %d/%d, size %lld-%lld line %d\n",
3367 proc->pid, thread->pid, return_error, return_error_param,
3368 (u64)tr->data_size, (u64)tr->offsets_size,
3369 return_error_line);
3370
3371 {
3372 struct binder_transaction_log_entry *fe;
3373
3374 e->return_error = return_error;
3375 e->return_error_param = return_error_param;
3376 e->return_error_line = return_error_line;
3377 fe = binder_transaction_log_add(&binder_transaction_log_failed);
3378 *fe = *e;
3379 /*
3380 * write barrier to synchronize with initialization
3381 * of log entry
3382 */
3383 smp_wmb();
3384 WRITE_ONCE(e->debug_id_done, t_debug_id);
3385 WRITE_ONCE(fe->debug_id_done, t_debug_id);
3386 }
3387
3388 BUG_ON(thread->return_error.cmd != BR_OK);
3389 if (in_reply_to) {
3390 thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
3391 binder_enqueue_thread_work(thread, &thread->return_error.work);
3392 binder_send_failed_reply(in_reply_to, return_error);
3393 } else {
3394 thread->return_error.cmd = return_error;
3395 binder_enqueue_thread_work(thread, &thread->return_error.work);
3396 }
3397 }
3398
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 34379 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] binder: create node flag to request sender's security context
2019-01-10 18:21 [PATCH] binder: create node flag to request sender's security context Todd Kjos
2019-01-11 3:07 ` kbuild test robot
@ 2019-01-11 9:16 ` Greg KH
2019-01-14 8:09 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2019-01-11 9:16 UTC (permalink / raw)
To: Todd Kjos; +Cc: tkjos, arve, devel, linux-kernel, maco, joel, kernel-team
On Thu, Jan 10, 2019 at 10:21:00AM -0800, Todd Kjos wrote:
> To allow servers to verify client identity, allow a node
> flag to be set that causes the sender's security context
> to be delivered with the transaction. The BR_TRANSACTION
> command is extended in BR_TRANSACTION_SEC_CTX to
> contain a pointer to the security context string.
>
> Signed-off-by: Todd Kjos <tkjos@google.com>
> ---
> drivers/android/binder.c | 106 ++++++++++++++++++++++------
> include/uapi/linux/android/binder.h | 19 +++++
> 2 files changed, 102 insertions(+), 23 deletions(-)
Can you fix up the issue found by 0-day and resend?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] binder: create node flag to request sender's security context
2019-01-10 18:21 [PATCH] binder: create node flag to request sender's security context Todd Kjos
2019-01-11 3:07 ` kbuild test robot
2019-01-11 9:16 ` Greg KH
@ 2019-01-14 8:09 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2019-01-14 8:09 UTC (permalink / raw)
To: kbuild, Todd Kjos
Cc: kbuild-all, tkjos, gregkh, arve, devel, linux-kernel, maco, joel,
kernel-team
Hi Todd,
url: https://github.com/0day-ci/linux/commits/Todd-Kjos/binder-create-node-flag-to-request-sender-s-security-context/20190111-095225
New smatch warnings:
drivers/android/binder.c:4364 binder_thread_read() warn: check that 'tr.secctx' doesn't leak information
# https://github.com/0day-ci/linux/commit/17c44224a75b813d0f0e29430f77576e8453d174
git remote add linux-review https://github.com/0day-ci/linux
git remote update linux-review
git checkout 17c44224a75b813d0f0e29430f77576e8453d174
vim +4364 drivers/android/binder.c
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4022
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4023 static int binder_thread_read(struct binder_proc *proc,
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4024 struct binder_thread *thread,
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4025 binder_uintptr_t binder_buffer, size_t size,
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4026 binder_size_t *consumed, int non_block)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4027 {
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4028 void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4029 void __user *ptr = buffer + *consumed;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4030 void __user *end = buffer + size;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4031
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4032 int ret = 0;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4033 int wait_for_proc_work;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4034
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4035 if (*consumed == 0) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4036 if (put_user(BR_NOOP, (uint32_t __user *)ptr))
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4037 return -EFAULT;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4038 ptr += sizeof(uint32_t);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4039 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4040
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4041 retry:
0b89d69a9 drivers/android/binder.c Martijn Coenen 2017-06-29 4042 binder_inner_proc_lock(proc);
1b77e9dcc drivers/android/binder.c Martijn Coenen 2017-08-31 4043 wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
0b89d69a9 drivers/android/binder.c Martijn Coenen 2017-06-29 4044 binder_inner_proc_unlock(proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4045
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4046 thread->looper |= BINDER_LOOPER_STATE_WAITING;
975a1ac9a drivers/staging/android/binder.c Arve Hjønnevåg 2012-10-16 4047
975a1ac9a drivers/staging/android/binder.c Arve Hjønnevåg 2012-10-16 4048 trace_binder_wait_for_work(wait_for_proc_work,
975a1ac9a drivers/staging/android/binder.c Arve Hjønnevåg 2012-10-16 4049 !!thread->transaction_stack,
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4050 !binder_worklist_empty(proc, &thread->todo));
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4051 if (wait_for_proc_work) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4052 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4053 BINDER_LOOPER_STATE_ENTERED))) {
56b468fc7 drivers/staging/android/binder.c Anmol Sarma 2012-10-30 4054 binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4055 proc->pid, thread->pid, thread->looper);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4056 wait_event_interruptible(binder_user_error_wait,
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4057 binder_stop_on_user_error < 2);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4058 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4059 binder_set_nice(proc->default_priority);
1b77e9dcc drivers/android/binder.c Martijn Coenen 2017-08-31 4060 }
1b77e9dcc drivers/android/binder.c Martijn Coenen 2017-08-31 4061
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4062 if (non_block) {
1b77e9dcc drivers/android/binder.c Martijn Coenen 2017-08-31 4063 if (!binder_has_work(thread, wait_for_proc_work))
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4064 ret = -EAGAIN;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4065 } else {
1b77e9dcc drivers/android/binder.c Martijn Coenen 2017-08-31 4066 ret = binder_wait_for_work(thread, wait_for_proc_work);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4067 }
975a1ac9a drivers/staging/android/binder.c Arve Hjønnevåg 2012-10-16 4068
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4069 thread->looper &= ~BINDER_LOOPER_STATE_WAITING;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4070
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4071 if (ret)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4072 return ret;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4073
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4074 while (1) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4075 uint32_t cmd;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4076 struct binder_transaction_data_secctx tr;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4077 struct binder_transaction_data *trd = &tr.transaction_data;
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4078 struct binder_work *w = NULL;
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4079 struct list_head *list = NULL;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4080 struct binder_transaction *t = NULL;
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4081 struct binder_thread *t_from;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4082 size_t trsize = sizeof(*trd);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4083
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4084 binder_inner_proc_lock(proc);
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4085 if (!binder_worklist_empty_ilocked(&thread->todo))
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4086 list = &thread->todo;
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4087 else if (!binder_worklist_empty_ilocked(&proc->todo) &&
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4088 wait_for_proc_work)
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4089 list = &proc->todo;
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4090 else {
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4091 binder_inner_proc_unlock(proc);
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4092
395262a9e drivers/staging/android/binder.c Dmitry Voytik 2014-09-08 4093 /* no data added */
08dabceef drivers/android/binder.c Todd Kjos 2017-06-29 4094 if (ptr - buffer == 4 && !thread->looper_need_return)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4095 goto retry;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4096 break;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4097 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4098
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4099 if (end - ptr < sizeof(tr) + 4) {
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4100 binder_inner_proc_unlock(proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4101 break;
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4102 }
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4103 w = binder_dequeue_work_head_ilocked(list);
148ade2c4 drivers/android/binder.c Martijn Coenen 2017-11-15 4104 if (binder_worklist_empty_ilocked(&thread->todo))
148ade2c4 drivers/android/binder.c Martijn Coenen 2017-11-15 4105 thread->process_todo = false;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4106
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4107 switch (w->type) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4108 case BINDER_WORK_TRANSACTION: {
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4109 binder_inner_proc_unlock(proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4110 t = container_of(w, struct binder_transaction, work);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4111 } break;
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4112 case BINDER_WORK_RETURN_ERROR: {
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4113 struct binder_error *e = container_of(
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4114 w, struct binder_error, work);
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4115
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4116 WARN_ON(e->cmd == BR_OK);
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4117 binder_inner_proc_unlock(proc);
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4118 if (put_user(e->cmd, (uint32_t __user *)ptr))
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4119 return -EFAULT;
838d55656 drivers/android/binder.c 宋金时 2018-05-10 4120 cmd = e->cmd;
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4121 e->cmd = BR_OK;
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4122 ptr += sizeof(uint32_t);
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4123
838d55656 drivers/android/binder.c 宋金时 2018-05-10 4124 binder_stat_br(proc, thread, cmd);
26549d177 drivers/android/binder.c Todd Kjos 2017-06-29 4125 } break;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4126 case BINDER_WORK_TRANSACTION_COMPLETE: {
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4127 binder_inner_proc_unlock(proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4128 cmd = BR_TRANSACTION_COMPLETE;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4129 if (put_user(cmd, (uint32_t __user *)ptr))
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4130 return -EFAULT;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4131 ptr += sizeof(uint32_t);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4132
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4133 binder_stat_br(proc, thread, cmd);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4134 binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
56b468fc7 drivers/staging/android/binder.c Anmol Sarma 2012-10-30 4135 "%d:%d BR_TRANSACTION_COMPLETE\n",
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4136 proc->pid, thread->pid);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4137 kfree(w);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4138 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4139 } break;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4140 case BINDER_WORK_NODE: {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4141 struct binder_node *node = container_of(w, struct binder_node, work);
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4142 int strong, weak;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4143 binder_uintptr_t node_ptr = node->ptr;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4144 binder_uintptr_t node_cookie = node->cookie;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4145 int node_debug_id = node->debug_id;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4146 int has_weak_ref;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4147 int has_strong_ref;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4148 void __user *orig_ptr = ptr;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4149
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4150 BUG_ON(proc != node->proc);
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4151 strong = node->internal_strong_refs ||
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4152 node->local_strong_refs;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4153 weak = !hlist_empty(&node->refs) ||
adc188422 drivers/android/binder.c Todd Kjos 2017-06-29 4154 node->local_weak_refs ||
adc188422 drivers/android/binder.c Todd Kjos 2017-06-29 4155 node->tmp_refs || strong;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4156 has_strong_ref = node->has_strong_ref;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4157 has_weak_ref = node->has_weak_ref;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4158
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4159 if (weak && !has_weak_ref) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4160 node->has_weak_ref = 1;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4161 node->pending_weak_ref = 1;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4162 node->local_weak_refs++;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4163 }
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4164 if (strong && !has_strong_ref) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4165 node->has_strong_ref = 1;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4166 node->pending_strong_ref = 1;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4167 node->local_strong_refs++;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4168 }
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4169 if (!strong && has_strong_ref)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4170 node->has_strong_ref = 0;
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4171 if (!weak && has_weak_ref)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4172 node->has_weak_ref = 0;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4173 if (!weak && !strong) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4174 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4175 "%d:%d node %d u%016llx c%016llx deleted\n",
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4176 proc->pid, thread->pid,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4177 node_debug_id,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4178 (u64)node_ptr,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4179 (u64)node_cookie);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4180 rb_erase(&node->rb_node, &proc->nodes);
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4181 binder_inner_proc_unlock(proc);
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4182 binder_node_lock(node);
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4183 /*
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4184 * Acquire the node lock before freeing the
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4185 * node to serialize with other threads that
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4186 * may have been holding the node lock while
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4187 * decrementing this node (avoids race where
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4188 * this thread frees while the other thread
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4189 * is unlocking the node after the final
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4190 * decrement)
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4191 */
673068eee drivers/android/binder.c Todd Kjos 2017-06-29 4192 binder_node_unlock(node);
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4193 binder_free_node(node);
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4194 } else
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4195 binder_inner_proc_unlock(proc);
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4196
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4197 if (weak && !has_weak_ref)
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4198 ret = binder_put_node_cmd(
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4199 proc, thread, &ptr, node_ptr,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4200 node_cookie, node_debug_id,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4201 BR_INCREFS, "BR_INCREFS");
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4202 if (!ret && strong && !has_strong_ref)
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4203 ret = binder_put_node_cmd(
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4204 proc, thread, &ptr, node_ptr,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4205 node_cookie, node_debug_id,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4206 BR_ACQUIRE, "BR_ACQUIRE");
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4207 if (!ret && !strong && has_strong_ref)
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4208 ret = binder_put_node_cmd(
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4209 proc, thread, &ptr, node_ptr,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4210 node_cookie, node_debug_id,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4211 BR_RELEASE, "BR_RELEASE");
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4212 if (!ret && !weak && has_weak_ref)
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4213 ret = binder_put_node_cmd(
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4214 proc, thread, &ptr, node_ptr,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4215 node_cookie, node_debug_id,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4216 BR_DECREFS, "BR_DECREFS");
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4217 if (orig_ptr == ptr)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4218 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4219 "%d:%d node %d u%016llx c%016llx state unchanged\n",
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4220 proc->pid, thread->pid,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4221 node_debug_id,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4222 (u64)node_ptr,
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4223 (u64)node_cookie);
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4224 if (ret)
26b47d8a1 drivers/android/binder.c Todd Kjos 2017-06-29 4225 return ret;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4226 } break;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4227 case BINDER_WORK_DEAD_BINDER:
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4228 case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4229 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4230 struct binder_ref_death *death;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4231 uint32_t cmd;
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4232 binder_uintptr_t cookie;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4233
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4234 death = container_of(w, struct binder_ref_death, work);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4235 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4236 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4237 else
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4238 cmd = BR_DEAD_BINDER;
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4239 cookie = death->cookie;
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4240
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4241 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4242 "%d:%d %s %016llx\n",
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4243 proc->pid, thread->pid,
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4244 cmd == BR_DEAD_BINDER ?
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4245 "BR_DEAD_BINDER" :
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4246 "BR_CLEAR_DEATH_NOTIFICATION_DONE",
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4247 (u64)cookie);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4248 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) {
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4249 binder_inner_proc_unlock(proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4250 kfree(death);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4251 binder_stats_deleted(BINDER_STAT_DEATH);
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4252 } else {
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4253 binder_enqueue_work_ilocked(
72196393a drivers/android/binder.c Todd Kjos 2017-06-29 4254 w, &proc->delivered_death);
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4255 binder_inner_proc_unlock(proc);
ed29721e2 drivers/android/binder.c Todd Kjos 2017-06-29 4256 }
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4257 if (put_user(cmd, (uint32_t __user *)ptr))
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4258 return -EFAULT;
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4259 ptr += sizeof(uint32_t);
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4260 if (put_user(cookie,
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4261 (binder_uintptr_t __user *)ptr))
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4262 return -EFAULT;
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4263 ptr += sizeof(binder_uintptr_t);
ab51ec6bd drivers/android/binder.c Martijn Coenen 2017-06-29 4264 binder_stat_br(proc, thread, cmd);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4265 if (cmd == BR_DEAD_BINDER)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4266 goto done; /* DEAD_BINDER notifications can cause transactions */
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4267 } break;
324fa64cf drivers/android/binder.c Todd Kjos 2018-11-06 4268 default:
324fa64cf drivers/android/binder.c Todd Kjos 2018-11-06 4269 binder_inner_proc_unlock(proc);
324fa64cf drivers/android/binder.c Todd Kjos 2018-11-06 4270 pr_err("%d:%d: bad work type %d\n",
324fa64cf drivers/android/binder.c Todd Kjos 2018-11-06 4271 proc->pid, thread->pid, w->type);
324fa64cf drivers/android/binder.c Todd Kjos 2018-11-06 4272 break;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4273 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4274
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4275 if (!t)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4276 continue;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4277
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4278 BUG_ON(t->buffer == NULL);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4279 if (t->buffer->target_node) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4280 struct binder_node *target_node = t->buffer->target_node;
10f62861b drivers/staging/android/binder.c Seunghun Lee 2014-05-01 4281
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4282 trd->target.ptr = target_node->ptr;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4283 trd->cookie = target_node->cookie;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4284 t->saved_priority = task_nice(current);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4285 if (t->priority < target_node->min_priority &&
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4286 !(t->flags & TF_ONE_WAY))
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4287 binder_set_nice(t->priority);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4288 else if (!(t->flags & TF_ONE_WAY) ||
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4289 t->saved_priority > target_node->min_priority)
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4290 binder_set_nice(target_node->min_priority);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4291 cmd = BR_TRANSACTION;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4292 } else {
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4293 trd->target.ptr = 0;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4294 trd->cookie = 0;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4295 cmd = BR_REPLY;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4296 }
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4297 trd->code = t->code;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4298 trd->flags = t->flags;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4299 trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4300
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4301 t_from = binder_get_txn_from(t);
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4302 if (t_from) {
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4303 struct task_struct *sender = t_from->proc->tsk;
10f62861b drivers/staging/android/binder.c Seunghun Lee 2014-05-01 4304
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4305 trd->sender_pid =
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4306 task_tgid_nr_ns(sender,
17cf22c33 drivers/staging/android/binder.c Eric W. Biederman 2010-03-02 4307 task_active_pid_ns(current));
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4308 } else {
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4309 trd->sender_pid = 0;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4310 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4311
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4312 ret = binder_apply_fd_fixups(t);
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4313 if (ret) {
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4314 struct binder_buffer *buffer = t->buffer;
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4315 bool oneway = !!(t->flags & TF_ONE_WAY);
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4316 int tid = t->debug_id;
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4317
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4318 if (t_from)
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4319 binder_thread_dec_tmpref(t_from);
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4320 buffer->transaction = NULL;
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4321 binder_cleanup_transaction(t, "fd fixups failed",
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4322 BR_FAILED_REPLY);
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4323 binder_free_buf(proc, buffer);
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4324 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4325 "%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n",
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4326 proc->pid, thread->pid,
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4327 oneway ? "async " :
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4328 (cmd == BR_REPLY ? "reply " : ""),
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4329 tid, BR_FAILED_REPLY, ret, __LINE__);
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4330 if (cmd == BR_REPLY) {
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4331 cmd = BR_FAILED_REPLY;
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4332 if (put_user(cmd, (uint32_t __user *)ptr))
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4333 return -EFAULT;
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4334 ptr += sizeof(uint32_t);
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4335 binder_stat_br(proc, thread, cmd);
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4336 break;
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4337 }
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4338 continue;
44d8047f1 drivers/android/binder.c Todd Kjos 2018-08-28 4339 }
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4340 trd->data_size = t->buffer->data_size;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4341 trd->offsets_size = t->buffer->offsets_size;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4342 trd->data.ptr.buffer = (binder_uintptr_t)
19c987241 drivers/android/binder.c Todd Kjos 2017-06-29 4343 ((uintptr_t)t->buffer->data +
19c987241 drivers/android/binder.c Todd Kjos 2017-06-29 4344 binder_alloc_get_user_buffer_offset(&proc->alloc));
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4345 trd->data.ptr.offsets = trd->data.ptr.buffer +
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4346 ALIGN(t->buffer->data_size,
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4347 sizeof(void *));
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4348
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4349 if (t->security_ctx) {
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4350 cmd = BR_TRANSACTION_SEC_CTX;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4351 tr.secctx = t->security_ctx;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4352 trsize = sizeof(tr);
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4353 }
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4354 if (put_user(cmd, (uint32_t __user *)ptr)) {
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4355 if (t_from)
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4356 binder_thread_dec_tmpref(t_from);
fb2c44527 drivers/android/binder.c Martijn Coenen 2017-11-13 4357
fb2c44527 drivers/android/binder.c Martijn Coenen 2017-11-13 4358 binder_cleanup_transaction(t, "put_user failed",
fb2c44527 drivers/android/binder.c Martijn Coenen 2017-11-13 4359 BR_FAILED_REPLY);
fb2c44527 drivers/android/binder.c Martijn Coenen 2017-11-13 4360
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4361 return -EFAULT;
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4362 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4363 ptr += sizeof(uint32_t);
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 @4364 if (copy_to_user(ptr, &tr, trsize)) {
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4365 if (t_from)
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4366 binder_thread_dec_tmpref(t_from);
fb2c44527 drivers/android/binder.c Martijn Coenen 2017-11-13 4367
fb2c44527 drivers/android/binder.c Martijn Coenen 2017-11-13 4368 binder_cleanup_transaction(t, "copy_to_user failed",
fb2c44527 drivers/android/binder.c Martijn Coenen 2017-11-13 4369 BR_FAILED_REPLY);
fb2c44527 drivers/android/binder.c Martijn Coenen 2017-11-13 4370
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4371 return -EFAULT;
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4372 }
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4373 ptr += trsize;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4374
975a1ac9a drivers/staging/android/binder.c Arve Hjønnevåg 2012-10-16 4375 trace_binder_transaction_received(t);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4376 binder_stat_br(proc, thread, cmd);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4377 binder_debug(BINDER_DEBUG_TRANSACTION,
da49889de drivers/staging/android/binder.c Arve Hjønnevåg 2014-02-21 4378 "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4379 proc->pid, thread->pid,
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4380 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4381 (cmd == BR_TRANSACTION_SEC_CTX) ?
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4382 "BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4383 t->debug_id, t_from ? t_from->proc->pid : 0,
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4384 t_from ? t_from->pid : 0, cmd,
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4385 t->buffer->data_size, t->buffer->offsets_size,
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4386 (u64)trd->data.ptr.buffer,
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4387 (u64)trd->data.ptr.offsets);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4388
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4389 if (t_from)
7a4408c6b drivers/android/binder.c Todd Kjos 2017-06-29 4390 binder_thread_dec_tmpref(t_from);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4391 t->buffer->allow_user_free = 1;
17c44224a drivers/android/binder.c Todd Kjos 2019-01-10 4392 if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
0b89d69a9 drivers/android/binder.c Martijn Coenen 2017-06-29 4393 binder_inner_proc_lock(thread->proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4394 t->to_parent = thread->transaction_stack;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4395 t->to_thread = thread;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4396 thread->transaction_stack = t;
0b89d69a9 drivers/android/binder.c Martijn Coenen 2017-06-29 4397 binder_inner_proc_unlock(thread->proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4398 } else {
b6d282cea drivers/android/binder.c Todd Kjos 2017-06-29 4399 binder_free_transaction(t);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4400 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4401 break;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4402 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4403
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4404 done:
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4405
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4406 *consumed = ptr - buffer;
b3e686128 drivers/android/binder.c Todd Kjos 2017-06-29 4407 binder_inner_proc_lock(proc);
1b77e9dcc drivers/android/binder.c Martijn Coenen 2017-08-31 4408 if (proc->requested_threads == 0 &&
1b77e9dcc drivers/android/binder.c Martijn Coenen 2017-08-31 4409 list_empty(&thread->proc->waiting_threads) &&
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4410 proc->requested_threads_started < proc->max_threads &&
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4411 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4412 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4413 /*spawn a new thread if we leave this out */) {
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4414 proc->requested_threads++;
b3e686128 drivers/android/binder.c Todd Kjos 2017-06-29 4415 binder_inner_proc_unlock(proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4416 binder_debug(BINDER_DEBUG_THREADS,
56b468fc7 drivers/staging/android/binder.c Anmol Sarma 2012-10-30 4417 "%d:%d BR_SPAWN_LOOPER\n",
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4418 proc->pid, thread->pid);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4419 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4420 return -EFAULT;
89334ab4d drivers/staging/android/binder.c Arve Hjønnevåg 2012-10-16 4421 binder_stat_br(proc, thread, BR_SPAWN_LOOPER);
b3e686128 drivers/android/binder.c Todd Kjos 2017-06-29 4422 } else
b3e686128 drivers/android/binder.c Todd Kjos 2017-06-29 4423 binder_inner_proc_unlock(proc);
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4424 return 0;
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4425 }
355b0502f drivers/staging/android/binder.c Greg Kroah-Hartman 2011-11-30 4426
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-01-14 8:11 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-10 18:21 [PATCH] binder: create node flag to request sender's security context Todd Kjos
2019-01-11 3:07 ` kbuild test robot
2019-01-11 9:16 ` Greg KH
2019-01-14 8:09 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).