Issue 767131

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug


Pull pending binder patches into chromeos-4.12

Project Member Reported by groeck@chromium.org, Sep 20 2017

Issue description

Queued in -next:

d53bebdf4d77 binder: fix memory corruption in binder_transaction binder
52b81611f209 binder: fix an ret value override
1c363eaece27 android: binder: fix type mismatch warning

from git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-linus

Project Member

Comment 1 by bugdroid1@chromium.org, Sep 20 2017

Labels: merge-merged-chromeos-4.12
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/072f8483703bbb7adb1891f1b85c5d78a7412412

commit 072f8483703bbb7adb1891f1b85c5d78a7412412
Author: Arnd Bergmann <arnd@arndb.de>
Date: Wed Sep 20 23:37:53 2017

FROMGIT: android: binder: fix type mismatch warning

Allowing binder to expose the 64-bit API on 32-bit kernels caused a
build warning:

drivers/android/binder.c: In function 'binder_transaction_buffer_release':
drivers/android/binder.c:2220:15: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
    fd_array = (u32 *)(parent_buffer + fda->parent_offset);
               ^
drivers/android/binder.c: In function 'binder_translate_fd_array':
drivers/android/binder.c:2445:13: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
  fd_array = (u32 *)(parent_buffer + fda->parent_offset);
             ^
drivers/android/binder.c: In function 'binder_fixup_parent':
drivers/android/binder.c:2511:18: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]

This adds extra type casts to avoid the warning.

However, there is another problem with the Kconfig option: turning
it on or off creates two incompatible ABI versions, a kernel that
has this enabled cannot run user space that was built without it
or vice versa. A better solution might be to leave the option hidden
until the binder code is fixed to deal with both ABI versions.

BUG= chromium:767131 
TEST=Build and run

Change-Id: Ib84ebcacb06e5b47184690b068d70186b7c893be
Fixes: e8d2ed7db7c3 ("Revert "staging: Fix build issues with new binder API"")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1c363eaece27
 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
 char-misc-linus)
Reviewed-on: https://chromium-review.googlesource.com/675771
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/072f8483703bbb7adb1891f1b85c5d78a7412412/drivers/android/binder.c

Project Member

Comment 2 by bugdroid1@chromium.org, Sep 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6cd5652ecf5f5be464ff7e4989902ec971503b0c

commit 6cd5652ecf5f5be464ff7e4989902ec971503b0c
Author: Xu YiPing <xuyiping@hisilicon.com>
Date: Wed Sep 20 23:37:54 2017

FROMGIT: binder: fix an ret value override

commit 372e3147df70 ("binder: guarantee txn complete / errors delivered
in-order") incorrectly defined a local ret value. This ret value will
be invalid outside the if block.

BUG= chromium:767131 
TEST=Build and run

Change-Id: If28c80d1da73a0eabf49b896e31bb298c1aee068
Fixes: 372e3147df70 ("binder: refactor binder ref inc/dec for thread safety")
Signed-off-by: Xu YiPing <xuyiping@hislicon.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 52b81611f209
 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
 char-misc-linus)
Reviewed-on: https://chromium-review.googlesource.com/675772
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/6cd5652ecf5f5be464ff7e4989902ec971503b0c/drivers/android/binder.c

Project Member

Comment 3 by bugdroid1@chromium.org, Sep 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0821466c83f7ea3e78ea345ae3e2f4e344ec2346

commit 0821466c83f7ea3e78ea345ae3e2f4e344ec2346
Author: Xu YiPing <xuyiping@hisilicon.com>
Date: Wed Sep 20 23:37:56 2017

FROMGIT: binder: fix memory corruption in binder_transaction binder

commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are
safe") made a change to enqueue tcomplete to thread->todo before
enqueuing the transaction. However, in the err_dead_proc_or_thread case,
the tcomplete is directly freed without being dequeued. It may cause the
thread->todo list to be corrupted.

So, dequeue it before freeing.

BUG= chromium:767131 
TEST=Build and run

Change-Id: I0914f1469ea2e0eaea4f554e26a88ffe55a4cfaf
Fixes: 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe")
Signed-off-by: Xu YiPing <xuyiping@hisilicon.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit d53bebdf4d77
 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
 char-misc-linus)
Reviewed-on: https://chromium-review.googlesource.com/675773
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/0821466c83f7ea3e78ea345ae3e2f4e344ec2346/drivers/android/binder.c
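A user-space model of the thread->todo corruption described in the commit above, added here as an illustration and not taken from the binder driver: the list helpers mirror the kernel's list_head API, while kfree_model, is_poisoned, todo_has_freed_entry and error_path are constructed names. Freed memory is poisoned instead of released, as SLUB poisoning would, so the walk can recognise the stale entry without tripping a real use-after-free.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Intrusive doubly linked list, same shape as the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
struct binder_work { struct list_head entry; uint32_t type; }; /* stand-in for tcomplete */

#define POISON_FREE 0x6b  /* SLUB fills freed objects with this byte */

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
}
/* Model of kfree(): poison the object instead of releasing it, so a later walk
 * can recognise a freed entry rather than crashing on a real use-after-free. */
static void kfree_model(void *obj, size_t len) { memset(obj, POISON_FREE, len); }

static int is_poisoned(const void *obj, size_t len) {
    const unsigned char *b = obj;
    for (size_t i = 0; i < len; i++)
        if (b[i] != POISON_FREE) return 0;
    return 1;
}

/* Walk thread->todo as the receiving thread would; return 1 if it reaches an
 * entry that has already been freed (the corruption the commit describes). */
static int todo_has_freed_entry(const struct list_head *todo) {
    for (const struct list_head *p = todo->next; p != todo; p = p->next)
        if (is_poisoned(p, sizeof(struct binder_work))) return 1;
    return 0;
}

/* Model of binder_transaction() taking the err_dead_proc_or_thread path after
 * tcomplete was queued on thread->todo. fixed != 0 applies the patch's dequeue. */
static int error_path(int fixed) {
    static struct binder_work tcomplete;       /* constructed stand-in allocation */
    struct list_head todo;                     /* thread->todo */
    INIT_LIST_HEAD(&todo);
    memset(&tcomplete, 0, sizeof tcomplete);
    list_add_tail(&tcomplete.entry, &todo);    /* queued early, as 7a4408c6bd3e does */
    /* ... target proc/thread found dead, bail out ... */
    if (fixed)
        list_del(&tcomplete.entry);            /* the fix: dequeue before freeing */
    kfree_model(&tcomplete, sizeof tcomplete); /* kfree(tcomplete) */
    return todo_has_freed_entry(&todo);        /* 1 = todo now points at freed memory */
}
```

Without the dequeue, the next walk of thread->todo lands on the poisoned object; with it, the list is empty and the freed object is unreachable.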

Comment 4 by groeck@chromium.org, Sep 21 2017

Status: Fixed (was: Started)