Merge char-misc-next into staging-next

This resolves the merge issues and confusions people were having with the goldfish drivers due to changes for them showing up in two different trees. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-02-22 17:46:24 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-02-22 17:46:24 -0500
commit: bb27d4998a9e8767674e8eda225c82cc149e5bc8 (patch)
tree: dcabb8b8cc510003637323b30ed414b1a1ec86f6 /drivers/android
parent: 9676e84dfd641e3366a41f2c45ac5c55dbac820f (diff)
parent: 35bf7692e765c2275bf93fe573f7ca868ab73453 (diff)
1 files changed, 22 insertions, 4 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index f080a8b7659b..796301a7c4fb 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1321,6 +1321,7 @@ static void binder_transaction(struct binder_proc *proc,
        struct binder_transaction *t;
        struct binder_work *tcomplete;
        binder_size_t *offp, *off_end;
+        binder_size_t off_min;
        struct binder_proc *target_proc;
        struct binder_thread *target_thread = NULL;
        struct binder_node *target_node = NULL;
@@ -1522,18 +1523,24 @@ static void binder_transaction(struct binder_proc *proc,
                goto err_bad_offset;
        }
        off_end = (void *)offp + tr->offsets_size;
+        off_min = 0;
        for (; offp < off_end; offp++) {
                struct flat_binder_object *fp;
                if (*offp > t->buffer->data_size - sizeof(*fp) ||
+                    *offp < off_min ||
                    t->buffer->data_size < sizeof(*fp) ||
                    !IS_ALIGNED(*offp, sizeof(u32))) {
-                        binder_user_error("%d:%d got transaction with invalid offset, %lld\n",
+                        binder_user_error("%d:%d got transaction with invalid offset, %lld (min %lld, max %lld)\n",
-                                          proc->pid, thread->pid, (u64)*offp);
+                                          proc->pid, thread->pid, (u64)*offp,
+                                          (u64)off_min,
+                                          (u64)(t->buffer->data_size -
+                                          sizeof(*fp)));
                        return_error = BR_FAILED_REPLY;
                        goto err_bad_offset;
                }
                fp = (struct flat_binder_object *)(t->buffer->data + *offp);
+                off_min = *offp + sizeof(struct flat_binder_object);
                switch (fp->type) {
                case BINDER_TYPE_BINDER:
                case BINDER_TYPE_WEAK_BINDER: {
@@ -3598,13 +3605,24 @@ static int binder_transactions_show(struct seq_file *m, void *unused)
 static int binder_proc_show(struct seq_file *m, void *unused)
 {
+        struct binder_proc *itr;
        struct binder_proc *proc = m->private;
        int do_lock = !binder_debug_no_lock;
+        bool valid_proc = false;
        if (do_lock)
                binder_lock(__func__);
-        seq_puts(m, "binder proc state:\n");
-        print_binder_proc(m, proc, 1);
+        hlist_for_each_entry(itr, &binder_procs, proc_node) {
+                if (itr == proc) {
+                        valid_proc = true;
+                        break;
+                }
+        }
+        if (valid_proc) {
+                seq_puts(m, "binder proc state:\n");
+                print_binder_proc(m, proc, 1);
+        }
        if (do_lock)
                binder_unlock(__func__);
        return 0;
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2016-02-22 17:46:24 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2016-02-22 17:46:24 -0500
commit	bb27d4998a9e8767674e8eda225c82cc149e5bc8 (patch)
tree	dcabb8b8cc510003637323b30ed414b1a1ec86f6 /drivers/android
parent	9676e84dfd641e3366a41f2c45ac5c55dbac820f (diff)
parent	35bf7692e765c2275bf93fe573f7ca868ab73453 (diff)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index f080a8b7659b..796301a7c4fb 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c
@@ -1321,6 +1321,7 @@ static void binder_transaction(struct binder_proc *proc,
1321	struct binder_transaction *t;	1321	struct binder_transaction *t;
1322	struct binder_work *tcomplete;	1322	struct binder_work *tcomplete;
1323	binder_size_t offp, off_end;	1323	binder_size_t offp, off_end;
		1324	binder_size_t off_min;
1324	struct binder_proc *target_proc;	1325	struct binder_proc *target_proc;
1325	struct binder_thread *target_thread = NULL;	1326	struct binder_thread *target_thread = NULL;
1326	struct binder_node *target_node = NULL;	1327	struct binder_node *target_node = NULL;
@@ -1522,18 +1523,24 @@ static void binder_transaction(struct binder_proc *proc,
1522	goto err_bad_offset;	1523	goto err_bad_offset;
1523	}	1524	}
1524	off_end = (void *)offp + tr->offsets_size;	1525	off_end = (void *)offp + tr->offsets_size;
		1526	off_min = 0;
1525	for (; offp < off_end; offp++) {	1527	for (; offp < off_end; offp++) {
1526	struct flat_binder_object *fp;	1528	struct flat_binder_object *fp;
1527		1529
1528	if (offp > t->buffer->data_size - sizeof(fp) \|\|	1530	if (offp > t->buffer->data_size - sizeof(fp) \|\|
		1531	*offp < off_min \|\|
1529	t->buffer->data_size < sizeof(*fp) \|\|	1532	t->buffer->data_size < sizeof(*fp) \|\|
1530	!IS_ALIGNED(*offp, sizeof(u32))) {	1533	!IS_ALIGNED(*offp, sizeof(u32))) {
1531	binder_user_error("%d:%d got transaction with invalid offset, %lld\n",	1534	binder_user_error("%d:%d got transaction with invalid offset, %lld (min %lld, max %lld)\n",
1532	proc->pid, thread->pid, (u64)*offp);	1535	proc->pid, thread->pid, (u64)*offp,
		1536	(u64)off_min,
		1537	(u64)(t->buffer->data_size -
		1538	sizeof(*fp)));
1533	return_error = BR_FAILED_REPLY;	1539	return_error = BR_FAILED_REPLY;
1534	goto err_bad_offset;	1540	goto err_bad_offset;
1535	}	1541	}
1536	fp = (struct flat_binder_object )(t->buffer->data + offp);	1542	fp = (struct flat_binder_object )(t->buffer->data + offp);
		1543	off_min = *offp + sizeof(struct flat_binder_object);
1537	switch (fp->type) {	1544	switch (fp->type) {
1538	case BINDER_TYPE_BINDER:	1545	case BINDER_TYPE_BINDER:
1539	case BINDER_TYPE_WEAK_BINDER: {	1546	case BINDER_TYPE_WEAK_BINDER: {
@@ -3598,13 +3605,24 @@ static int binder_transactions_show(struct seq_file m, void unused)
3598		3605
3599	static int binder_proc_show(struct seq_file m, void unused)	3606	static int binder_proc_show(struct seq_file m, void unused)
3600	{	3607	{
		3608	struct binder_proc *itr;
3601	struct binder_proc *proc = m->private;	3609	struct binder_proc *proc = m->private;
3602	int do_lock = !binder_debug_no_lock;	3610	int do_lock = !binder_debug_no_lock;
		3611	bool valid_proc = false;
3603		3612
3604	if (do_lock)	3613	if (do_lock)
3605	binder_lock(__func__);	3614	binder_lock(__func__);
3606	seq_puts(m, "binder proc state:\n");	3615
3607	print_binder_proc(m, proc, 1);	3616	hlist_for_each_entry(itr, &binder_procs, proc_node) {
		3617	if (itr == proc) {
		3618	valid_proc = true;
		3619	break;
		3620	}
		3621	}
		3622	if (valid_proc) {
		3623	seq_puts(m, "binder proc state:\n");
		3624	print_binder_proc(m, proc, 1);
		3625	}
3608	if (do_lock)	3626	if (do_lock)
3609	binder_unlock(__func__);	3627	binder_unlock(__func__);
3610	return 0;	3628	return 0;