LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: kernel test robot <lkp@intel.com>
To: Todd Kjos <tkjos@google.com>,
	gregkh@linuxfoundation.org, christian@brauner.io,
	arve@android.com, devel@driverdev.osuosl.org,
	linux-kernel@vger.kernel.org, maco@google.com
Cc: kbuild-all@lists.01.org, joel@joelfernandes.org, kernel-team@android.com
Subject: Re: [PATCH 1/3] binder: avoid potential data leakage when copying txn
Date: Thu, 25 Nov 2021 20:18:11 +0800	[thread overview]
Message-ID: <202111252042.kCPmeLlY-lkp@intel.com> (raw)
In-Reply-To: <20211123191737.1296541-2-tkjos@google.com>

Hi Todd,

I love your patch! Perhaps something to improve:

[auto build test WARNING on staging/staging-testing]
[also build test WARNING on v5.16-rc2 next-20211125]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Todd-Kjos/binder-Prevent-untranslated-sender-data-from-being-copied-to-target/20211124-031908
base:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git 1189d2fb15a4b09b2e8dd01d60a0817d985d933d
config: ia64-randconfig-s032-20211123 (https://download.01.org/0day-ci/archive/20211125/202111252042.kCPmeLlY-lkp@intel.com/config)
compiler: ia64-linux-gcc (GCC) 11.2.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # apt-get install sparse
        # sparse version: v0.6.4-dirty
        # https://github.com/0day-ci/linux/commit/d51c5e7a3791e9e748200416f85456c826d3030e
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Todd-Kjos/binder-Prevent-untranslated-sender-data-from-being-copied-to-target/20211124-031908
        git checkout d51c5e7a3791e9e748200416f85456c826d3030e
        # save the config file to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=ia64 SHELL=/bin/bash drivers/android/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>


sparse warnings: (new ones prefixed by >>)
>> drivers/android/binder.c:2707:17: sparse: sparse: cast removes address space '__user' of expression
   drivers/android/binder.c:2716:17: sparse: sparse: cast removes address space '__user' of expression
   drivers/android/binder.c:4507:24: sparse: sparse: incorrect type in return expression (different base types) @@     expected restricted __poll_t @@     got int @@
   drivers/android/binder.c:4507:24: sparse:     expected restricted __poll_t
   drivers/android/binder.c:4507:24: sparse:     got int

vim +/__user +2707 drivers/android/binder.c

512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2457  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2458  static void binder_transaction(struct binder_proc *proc,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2459  			       struct binder_thread *thread,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2460  			       struct binder_transaction_data *tr, int reply,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2461  			       binder_size_t extra_buffers_size)
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2462  {
a056af42032e56 drivers/android/binder.c         Martijn Coenen        2017-02-03  2463  	int ret;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2464  	struct binder_transaction *t;
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2465  	struct binder_work *w;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2466  	struct binder_work *tcomplete;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2467  	binder_size_t buffer_offset = 0;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2468  	binder_size_t off_start_offset, off_end_offset;
212265e5ad726e drivers/android/binder.c         Arve Hjønnevåg        2016-02-09  2469  	binder_size_t off_min;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2470  	binder_size_t sg_buf_offset, sg_buf_end_offset;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2471  	binder_size_t user_offset = 0;
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2472  	struct binder_proc *target_proc = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2473  	struct binder_thread *target_thread = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2474  	struct binder_node *target_node = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2475  	struct binder_transaction *in_reply_to = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2476  	struct binder_transaction_log_entry *e;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2477  	uint32_t return_error = 0;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2478  	uint32_t return_error_param = 0;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2479  	uint32_t return_error_line = 0;
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2480  	binder_size_t last_fixup_obj_off = 0;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  2481  	binder_size_t last_fixup_min_off = 0;
342e5c90b60134 drivers/android/binder.c         Martijn Coenen        2017-02-03  2482  	struct binder_context *context = proc->context;
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  2483  	int t_debug_id = atomic_inc_return(&binder_last_id);
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2484  	char *secctx = NULL;
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2485  	u32 secctx_sz = 0;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2486  	const void __user *user_buffer = (const void __user *)
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2487  				(uintptr_t)tr->data.ptr.buffer;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2488  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2489  	e = binder_transaction_log_add(&binder_transaction_log);
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  2490  	e->debug_id = t_debug_id;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2491  	e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2492  	e->from_proc = proc->pid;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2493  	e->from_thread = thread->pid;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2494  	e->target_handle = tr->target.handle;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2495  	e->data_size = tr->data_size;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2496  	e->offsets_size = tr->offsets_size;
51d8a7eca67784 drivers/android/binder.c         Christian Brauner     2019-10-08  2497  	strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2498  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2499  	if (reply) {
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2500  		binder_inner_proc_lock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2501  		in_reply_to = thread->transaction_stack;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2502  		if (in_reply_to == NULL) {
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2503  			binder_inner_proc_unlock(proc);
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma           2012-10-30  2504  			binder_user_error("%d:%d got reply transaction with no transaction stack\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2505  					  proc->pid, thread->pid);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2506  			return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2507  			return_error_param = -EPROTO;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2508  			return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2509  			goto err_empty_call_stack;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2510  		}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2511  		if (in_reply_to->to_thread != thread) {
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2512  			spin_lock(&in_reply_to->lock);
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma           2012-10-30  2513  			binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2514  				proc->pid, thread->pid, in_reply_to->debug_id,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2515  				in_reply_to->to_proc ?
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2516  				in_reply_to->to_proc->pid : 0,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2517  				in_reply_to->to_thread ?
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2518  				in_reply_to->to_thread->pid : 0);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2519  			spin_unlock(&in_reply_to->lock);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2520  			binder_inner_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2521  			return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2522  			return_error_param = -EPROTO;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2523  			return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2524  			in_reply_to = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2525  			goto err_bad_call_stack;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2526  		}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2527  		thread->transaction_stack = in_reply_to->to_parent;
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2528  		binder_inner_proc_unlock(proc);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2529  		binder_set_nice(in_reply_to->saved_priority);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2530  		target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2531  		if (target_thread == NULL) {
324fa64cf41890 drivers/android/binder.c         Todd Kjos             2018-11-06  2532  			/* annotation for sparse */
324fa64cf41890 drivers/android/binder.c         Todd Kjos             2018-11-06  2533  			__release(&target_thread->proc->inner_lock);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2534  			return_error = BR_DEAD_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2535  			return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2536  			goto err_dead_binder;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2537  		}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2538  		if (target_thread->transaction_stack != in_reply_to) {
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma           2012-10-30  2539  			binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2540  				proc->pid, thread->pid,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2541  				target_thread->transaction_stack ?
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2542  				target_thread->transaction_stack->debug_id : 0,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2543  				in_reply_to->debug_id);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2544  			binder_inner_proc_unlock(target_thread->proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2545  			return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2546  			return_error_param = -EPROTO;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2547  			return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2548  			in_reply_to = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2549  			target_thread = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2550  			goto err_dead_binder;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2551  		}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2552  		target_proc = target_thread->proc;
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2553  		target_proc->tmp_ref++;
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2554  		binder_inner_proc_unlock(target_thread->proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2555  	} else {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2556  		if (tr->target.handle) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2557  			struct binder_ref *ref;
10f62861b4a2f2 drivers/staging/android/binder.c Seunghun Lee          2014-05-01  2558  
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  2559  			/*
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  2560  			 * There must already be a strong ref
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  2561  			 * on this node. If so, do a strong
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  2562  			 * increment on the node to ensure it
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  2563  			 * stays alive until the transaction is
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  2564  			 * done.
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  2565  			 */
2c1838dc6817dd drivers/android/binder.c         Todd Kjos             2017-06-29  2566  			binder_proc_lock(proc);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos             2017-06-29  2567  			ref = binder_get_ref_olocked(proc, tr->target.handle,
2c1838dc6817dd drivers/android/binder.c         Todd Kjos             2017-06-29  2568  						     true);
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  2569  			if (ref) {
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2570  				target_node = binder_get_node_refs_for_txn(
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2571  						ref->node, &target_proc,
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2572  						&return_error);
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2573  			} else {
1ae14df56cc3e8 drivers/android/binder.c         Ramji Jiyani          2021-08-02  2574  				binder_user_error("%d:%d got transaction to invalid handle, %u\n",
1ae14df56cc3e8 drivers/android/binder.c         Ramji Jiyani          2021-08-02  2575  						  proc->pid, thread->pid, tr->target.handle);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2576  				return_error = BR_FAILED_REPLY;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2577  			}
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2578  			binder_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2579  		} else {
c44b1231ff1170 drivers/android/binder.c         Todd Kjos             2017-06-29  2580  			mutex_lock(&context->context_mgr_node_lock);
342e5c90b60134 drivers/android/binder.c         Martijn Coenen        2017-02-03  2581  			target_node = context->binder_context_mgr_node;
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2582  			if (target_node)
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2583  				target_node = binder_get_node_refs_for_txn(
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2584  						target_node, &target_proc,
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2585  						&return_error);
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2586  			else
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2587  				return_error = BR_DEAD_REPLY;
c44b1231ff1170 drivers/android/binder.c         Todd Kjos             2017-06-29  2588  			mutex_unlock(&context->context_mgr_node_lock);
49ed96943a8e0c drivers/android/binder.c         Hridya Valsaraju      2019-07-15  2589  			if (target_node && target_proc->pid == proc->pid) {
7aa135fcf26377 drivers/android/binder.c         Martijn Coenen        2018-03-28  2590  				binder_user_error("%d:%d got transaction to context manager from process owning it\n",
7aa135fcf26377 drivers/android/binder.c         Martijn Coenen        2018-03-28  2591  						  proc->pid, thread->pid);
7aa135fcf26377 drivers/android/binder.c         Martijn Coenen        2018-03-28  2592  				return_error = BR_FAILED_REPLY;
7aa135fcf26377 drivers/android/binder.c         Martijn Coenen        2018-03-28  2593  				return_error_param = -EINVAL;
7aa135fcf26377 drivers/android/binder.c         Martijn Coenen        2018-03-28  2594  				return_error_line = __LINE__;
7aa135fcf26377 drivers/android/binder.c         Martijn Coenen        2018-03-28  2595  				goto err_invalid_target_handle;
7aa135fcf26377 drivers/android/binder.c         Martijn Coenen        2018-03-28  2596  			}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2597  		}
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2598  		if (!target_node) {
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2599  			/*
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2600  			 * return_error is set above
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2601  			 */
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2602  			return_error_param = -EINVAL;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2603  			return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2604  			goto err_dead_binder;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2605  		}
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  2606  		e->to_node = target_node->debug_id;
4b836a1426cb0f drivers/android/binder.c         Jann Horn             2020-07-27  2607  		if (WARN_ON(proc == target_proc)) {
4b836a1426cb0f drivers/android/binder.c         Jann Horn             2020-07-27  2608  			return_error = BR_FAILED_REPLY;
4b836a1426cb0f drivers/android/binder.c         Jann Horn             2020-07-27  2609  			return_error_param = -EINVAL;
4b836a1426cb0f drivers/android/binder.c         Jann Horn             2020-07-27  2610  			return_error_line = __LINE__;
4b836a1426cb0f drivers/android/binder.c         Jann Horn             2020-07-27  2611  			goto err_invalid_target_handle;
4b836a1426cb0f drivers/android/binder.c         Jann Horn             2020-07-27  2612  		}
52f88693378a58 drivers/android/binder.c         Todd Kjos             2021-10-12  2613  		if (security_binder_transaction(proc->cred,
52f88693378a58 drivers/android/binder.c         Todd Kjos             2021-10-12  2614  						target_proc->cred) < 0) {
79af73079d753b drivers/android/binder.c         Stephen Smalley       2015-01-21  2615  			return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2616  			return_error_param = -EPERM;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2617  			return_error_line = __LINE__;
79af73079d753b drivers/android/binder.c         Stephen Smalley       2015-01-21  2618  			goto err_invalid_target_handle;
79af73079d753b drivers/android/binder.c         Stephen Smalley       2015-01-21  2619  		}
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2620  		binder_inner_proc_lock(proc);
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2621  
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2622  		w = list_first_entry_or_null(&thread->todo,
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2623  					     struct binder_work, entry);
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2624  		if (!(tr->flags & TF_ONE_WAY) && w &&
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2625  		    w->type == BINDER_WORK_TRANSACTION) {
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2626  			/*
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2627  			 * Do not allow new outgoing transaction from a
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2628  			 * thread that has a transaction at the head of
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2629  			 * its todo list. Only need to check the head
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2630  			 * because binder_select_thread_ilocked picks a
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2631  			 * thread from proc->waiting_threads to enqueue
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2632  			 * the transaction, and nothing is queued to the
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2633  			 * todo list while the thread is on waiting_threads.
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2634  			 */
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2635  			binder_user_error("%d:%d new transaction not allowed when there is a transaction on thread todo\n",
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2636  					  proc->pid, thread->pid);
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2637  			binder_inner_proc_unlock(proc);
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2638  			return_error = BR_FAILED_REPLY;
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2639  			return_error_param = -EPROTO;
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2640  			return_error_line = __LINE__;
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2641  			goto err_bad_todo_list;
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2642  		}
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  2643  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2644  		if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2645  			struct binder_transaction *tmp;
10f62861b4a2f2 drivers/staging/android/binder.c Seunghun Lee          2014-05-01  2646  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2647  			tmp = thread->transaction_stack;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2648  			if (tmp->to_thread != thread) {
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2649  				spin_lock(&tmp->lock);
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma           2012-10-30  2650  				binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2651  					proc->pid, thread->pid, tmp->debug_id,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2652  					tmp->to_proc ? tmp->to_proc->pid : 0,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2653  					tmp->to_thread ?
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2654  					tmp->to_thread->pid : 0);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2655  				spin_unlock(&tmp->lock);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2656  				binder_inner_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2657  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2658  				return_error_param = -EPROTO;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2659  				return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2660  				goto err_bad_call_stack;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2661  			}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2662  			while (tmp) {
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2663  				struct binder_thread *from;
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2664  
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2665  				spin_lock(&tmp->lock);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2666  				from = tmp->from;
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2667  				if (from && from->proc == target_proc) {
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2668  					atomic_inc(&from->tmp_ref);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2669  					target_thread = from;
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2670  					spin_unlock(&tmp->lock);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2671  					break;
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2672  				}
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2673  				spin_unlock(&tmp->lock);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2674  				tmp = tmp->from_parent;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2675  			}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2676  		}
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  2677  		binder_inner_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2678  	}
408c68b17aea2f drivers/android/binder.c         Martijn Coenen        2017-08-31  2679  	if (target_thread)
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2680  		e->to_thread = target_thread->pid;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2681  	e->to_proc = target_proc->pid;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2682  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2683  	/* TODO: reuse incoming transaction for reply */
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2684  	t = kzalloc(sizeof(*t), GFP_KERNEL);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2685  	if (t == NULL) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2686  		return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2687  		return_error_param = -ENOMEM;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2688  		return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2689  		goto err_alloc_t_failed;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2690  	}
44d8047f1d87ad drivers/android/binder.c         Todd Kjos             2018-08-28  2691  	INIT_LIST_HEAD(&t->fd_fixups);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2692  	binder_stats_created(BINDER_STAT_TRANSACTION);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  2693  	spin_lock_init(&t->lock);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2694  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2695  	tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2696  	if (tcomplete == NULL) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2697  		return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2698  		return_error_param = -ENOMEM;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2699  		return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2700  		goto err_alloc_tcomplete_failed;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2701  	}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2702  	binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2703  
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  2704  	t->debug_id = t_debug_id;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2705  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2706  	if (reply)
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30 @2707  		binder_debug(BINDER_DEBUG_TRANSACTION,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2708  			     "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2709  			     proc->pid, thread->pid, t->debug_id,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2710  			     target_proc->pid, target_thread->pid,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2711  			     (u64)user_buffer,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg        2014-02-21  2712  			     (u64)tr->data.ptr.offsets,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2713  			     (u64)tr->data_size, (u64)tr->offsets_size,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2714  			     (u64)extra_buffers_size);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2715  	else
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2716  		binder_debug(BINDER_DEBUG_TRANSACTION,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2717  			     "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2718  			     proc->pid, thread->pid, t->debug_id,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2719  			     target_proc->pid, target_node->debug_id,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2720  			     (u64)user_buffer,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg        2014-02-21  2721  			     (u64)tr->data.ptr.offsets,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2722  			     (u64)tr->data_size, (u64)tr->offsets_size,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2723  			     (u64)extra_buffers_size);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2724  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2725  	if (!reply && !(tr->flags & TF_ONE_WAY))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2726  		t->from = thread;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2727  	else
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2728  		t->from = NULL;
29bc22ac5e5bc6 drivers/android/binder.c         Todd Kjos             2021-10-12  2729  	t->sender_euid = proc->cred->euid;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2730  	t->to_proc = target_proc;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2731  	t->to_thread = target_thread;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2732  	t->code = tr->code;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2733  	t->flags = tr->flags;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2734  	t->priority = task_nice(current);
975a1ac9a9fe65 drivers/staging/android/binder.c Arve Hjønnevåg        2012-10-16  2735  
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2736  	if (target_node && target_node->txn_security_ctx) {
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2737  		u32 secid;
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2738  		size_t added_size;
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2739  
4d5b5539742d25 drivers/android/binder.c         Todd Kjos             2021-10-12  2740  		security_cred_getsecid(proc->cred, &secid);
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2741  		ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2742  		if (ret) {
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2743  			return_error = BR_FAILED_REPLY;
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2744  			return_error_param = ret;
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2745  			return_error_line = __LINE__;
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2746  			goto err_get_secctx_failed;
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2747  		}
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2748  		added_size = ALIGN(secctx_sz, sizeof(u64));
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2749  		extra_buffers_size += added_size;
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2750  		if (extra_buffers_size < added_size) {
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2751  			/* integer overflow of extra_buffers_size */
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2752  			return_error = BR_FAILED_REPLY;
88f6c77927e4ae drivers/android/binder.c         Zhang Qilong          2020-10-26  2753  			return_error_param = -EINVAL;
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2754  			return_error_line = __LINE__;
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2755  			goto err_bad_extra_size;
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  2756  		}
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2757  	}
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2758  
975a1ac9a9fe65 drivers/staging/android/binder.c Arve Hjønnevåg        2012-10-16  2759  	trace_binder_transaction(reply, t, target_node);
975a1ac9a9fe65 drivers/staging/android/binder.c Arve Hjønnevåg        2012-10-16  2760  
19c987241ca121 drivers/android/binder.c         Todd Kjos             2017-06-29  2761  	t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen        2017-02-03  2762  		tr->offsets_size, extra_buffers_size,
261e7818f06ec5 drivers/android/binder.c         Martijn Coenen        2020-08-21  2763  		!reply && (t->flags & TF_ONE_WAY), current->tgid);
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2764  	if (IS_ERR(t->buffer)) {
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2765  		/*
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2766  		 * -ESRCH indicates VMA cleared. The target is dying.
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2767  		 */
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2768  		return_error_param = PTR_ERR(t->buffer);
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2769  		return_error = return_error_param == -ESRCH ?
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2770  			BR_DEAD_REPLY : BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2771  		return_error_line = __LINE__;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2772  		t->buffer = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2773  		goto err_binder_alloc_buf_failed;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2774  	}
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2775  	if (secctx) {
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2776  		int err;
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2777  		size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2778  				    ALIGN(tr->offsets_size, sizeof(void *)) +
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2779  				    ALIGN(extra_buffers_size, sizeof(void *)) -
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2780  				    ALIGN(secctx_sz, sizeof(u64));
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2781  
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2782  		t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2783  		err = binder_alloc_copy_to_buffer(&target_proc->alloc,
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2784  						  t->buffer, buf_offset,
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2785  						  secctx, secctx_sz);
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2786  		if (err) {
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2787  			t->security_ctx = 0;
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2788  			WARN_ON(1);
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2789  		}
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2790  		security_release_secctx(secctx, secctx_sz);
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2791  		secctx = NULL;
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  2792  	}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2793  	t->buffer->debug_id = t->debug_id;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2794  	t->buffer->transaction = t;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2795  	t->buffer->target_node = target_node;
0f966cba95c780 drivers/android/binder.c         Todd Kjos             2020-11-20  2796  	t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);
975a1ac9a9fe65 drivers/staging/android/binder.c Arve Hjønnevåg        2012-10-16  2797  	trace_binder_transaction_alloc_buf(t->buffer);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2798  
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  2799  	if (binder_alloc_copy_user_to_buffer(
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  2800  				&target_proc->alloc,
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  2801  				t->buffer,
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  2802  				ALIGN(tr->data_size, sizeof(void *)),
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  2803  				(const void __user *)
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  2804  					(uintptr_t)tr->data.ptr.offsets,
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  2805  				tr->offsets_size)) {
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma           2012-10-30  2806  		binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma           2012-10-30  2807  				proc->pid, thread->pid);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2808  		return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2809  		return_error_param = -EFAULT;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2810  		return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2811  		goto err_copy_data_failed;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2812  	}
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg        2014-02-21  2813  	if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg        2014-02-21  2814  		binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg        2014-02-21  2815  				proc->pid, thread->pid, (u64)tr->offsets_size);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2816  		return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2817  		return_error_param = -EINVAL;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2818  		return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2819  		goto err_bad_offset;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2820  	}
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  2821  	if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  2822  		binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  2823  				  proc->pid, thread->pid,
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  2824  				  (u64)extra_buffers_size);
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  2825  		return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2826  		return_error_param = -EINVAL;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2827  		return_error_line = __LINE__;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  2828  		goto err_bad_offset;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  2829  	}
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2830  	off_start_offset = ALIGN(tr->data_size, sizeof(void *));
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2831  	buffer_offset = off_start_offset;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2832  	off_end_offset = off_start_offset + tr->offsets_size;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2833  	sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
a56587065094fd drivers/android/binder.c         Martijn Coenen        2019-07-09  2834  	sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
a56587065094fd drivers/android/binder.c         Martijn Coenen        2019-07-09  2835  		ALIGN(secctx_sz, sizeof(u64));
212265e5ad726e drivers/android/binder.c         Arve Hjønnevåg        2016-02-09  2836  	off_min = 0;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2837  	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2838  	     buffer_offset += sizeof(binder_size_t)) {
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2839  		struct binder_object_header *hdr;
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2840  		size_t object_size;
7a67a39320dfba drivers/android/binder.c         Todd Kjos             2019-02-08  2841  		struct binder_object object;
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2842  		binder_size_t object_offset;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2843  		binder_size_t copy_size;
10f62861b4a2f2 drivers/staging/android/binder.c Seunghun Lee          2014-05-01  2844  
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2845  		if (binder_alloc_copy_from_buffer(&target_proc->alloc,
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2846  						  &object_offset,
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2847  						  t->buffer,
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2848  						  buffer_offset,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2849  						  sizeof(object_offset))) {
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2850  			return_error = BR_FAILED_REPLY;
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2851  			return_error_param = -EINVAL;
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2852  			return_error_line = __LINE__;
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2853  			goto err_bad_offset;
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2854  		}
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2855  
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2856  		/*
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2857  		 * Copy the source user buffer up to the next object
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2858  		 * that will be processed.
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2859  		 */
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2860  		copy_size = object_offset - user_offset;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2861  		if (copy_size && (user_offset > object_offset ||
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2862  				binder_alloc_copy_user_to_buffer(
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2863  					&target_proc->alloc,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2864  					t->buffer, user_offset,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2865  					user_buffer + user_offset,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2866  					copy_size))) {
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2867  			binder_user_error("%d:%d got transaction with invalid data ptr\n",
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2868  					proc->pid, thread->pid);
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2869  			return_error = BR_FAILED_REPLY;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2870  			return_error_param = -EFAULT;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2871  			return_error_line = __LINE__;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2872  			goto err_copy_data_failed;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2873  		}
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2874  		object_size = binder_get_object(target_proc, user_buffer,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2875  				t->buffer, object_offset, &object);
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2876  		if (object_size == 0 || object_offset < off_min) {
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2877  			binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2878  					  proc->pid, thread->pid,
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2879  					  (u64)object_offset,
212265e5ad726e drivers/android/binder.c         Arve Hjønnevåg        2016-02-09  2880  					  (u64)off_min,
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2881  					  (u64)t->buffer->data_size);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2882  			return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2883  			return_error_param = -EINVAL;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2884  			return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2885  			goto err_bad_offset;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2886  		}
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2887  		/*
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2888  		 * Set offset to the next buffer fragment to be
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2889  		 * copied
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2890  		 */
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2891  		user_offset = object_offset + object_size;
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2892  
7a67a39320dfba drivers/android/binder.c         Todd Kjos             2019-02-08  2893  		hdr = &object.hdr;
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2894  		off_min = object_offset + object_size;
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2895  		switch (hdr->type) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2896  		case BINDER_TYPE_BINDER:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2897  		case BINDER_TYPE_WEAK_BINDER: {
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2898  			struct flat_binder_object *fp;
10f62861b4a2f2 drivers/staging/android/binder.c Seunghun Lee          2014-05-01  2899  
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2900  			fp = to_flat_binder_object(hdr);
a056af42032e56 drivers/android/binder.c         Martijn Coenen        2017-02-03  2901  			ret = binder_translate_binder(fp, t, thread);
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2902  
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2903  			if (ret < 0 ||
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2904  			    binder_alloc_copy_to_buffer(&target_proc->alloc,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2905  							t->buffer,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2906  							object_offset,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2907  							fp, sizeof(*fp))) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2908  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2909  				return_error_param = ret;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2910  				return_error_line = __LINE__;
a056af42032e56 drivers/android/binder.c         Martijn Coenen        2017-02-03  2911  				goto err_translate_failed;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2912  			}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2913  		} break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2914  		case BINDER_TYPE_HANDLE:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2915  		case BINDER_TYPE_WEAK_HANDLE: {
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2916  			struct flat_binder_object *fp;
0a3ffab93fe525 drivers/android/binder.c         Arve Hjønnevåg        2016-10-24  2917  
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2918  			fp = to_flat_binder_object(hdr);
a056af42032e56 drivers/android/binder.c         Martijn Coenen        2017-02-03  2919  			ret = binder_translate_handle(fp, t, thread);
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2920  			if (ret < 0 ||
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2921  			    binder_alloc_copy_to_buffer(&target_proc->alloc,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2922  							t->buffer,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2923  							object_offset,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2924  							fp, sizeof(*fp))) {
79af73079d753b drivers/android/binder.c         Stephen Smalley       2015-01-21  2925  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2926  				return_error_param = ret;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2927  				return_error_line = __LINE__;
a056af42032e56 drivers/android/binder.c         Martijn Coenen        2017-02-03  2928  				goto err_translate_failed;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2929  			}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2930  		} break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2931  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2932  		case BINDER_TYPE_FD: {
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  2933  			struct binder_fd_object *fp = to_binder_fd_object(hdr);
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2934  			binder_size_t fd_offset = object_offset +
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2935  				(uintptr_t)&fp->fd - (uintptr_t)fp;
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2936  			int ret = binder_translate_fd(fp->fd, fd_offset, t,
8ced0c6231ead2 drivers/android/binder.c         Todd Kjos             2019-02-08  2937  						      thread, in_reply_to);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2938  
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2939  			fp->pad_binder = 0;
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2940  			if (ret < 0 ||
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2941  			    binder_alloc_copy_to_buffer(&target_proc->alloc,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2942  							t->buffer,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2943  							object_offset,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  2944  							fp, sizeof(*fp))) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2945  				return_error = BR_FAILED_REPLY;
44d8047f1d87ad drivers/android/binder.c         Todd Kjos             2018-08-28  2946  				return_error_param = ret;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2947  				return_error_line = __LINE__;
a056af42032e56 drivers/android/binder.c         Martijn Coenen        2017-02-03  2948  				goto err_translate_failed;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2949  			}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  2950  		} break;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2951  		case BINDER_TYPE_FDA: {
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2952  			struct binder_object ptr_object;
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2953  			binder_size_t parent_offset;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2954  			struct binder_fd_array_object *fda =
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2955  				to_binder_fd_array_object(hdr);
16981742717b04 drivers/android/binder.c         Todd Kjos             2019-12-13  2956  			size_t num_valid = (buffer_offset - off_start_offset) /
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2957  						sizeof(binder_size_t);
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2958  			struct binder_buffer_object *parent =
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2959  				binder_validate_ptr(target_proc, t->buffer,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2960  						    &ptr_object, fda->parent,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2961  						    off_start_offset,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2962  						    &parent_offset,
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  2963  						    num_valid);
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2964  			if (!parent) {
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2965  				binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2966  						  proc->pid, thread->pid);
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2967  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2968  				return_error_param = -EINVAL;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2969  				return_error_line = __LINE__;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2970  				goto err_bad_parent;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2971  			}
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2972  			if (!binder_validate_fixup(target_proc, t->buffer,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2973  						   off_start_offset,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2974  						   parent_offset,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2975  						   fda->parent_offset,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2976  						   last_fixup_obj_off,
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2977  						   last_fixup_min_off)) {
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2978  				binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2979  						  proc->pid, thread->pid);
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2980  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2981  				return_error_param = -EINVAL;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2982  				return_error_line = __LINE__;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2983  				goto err_bad_parent;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2984  			}
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2985  			ret = binder_translate_fd_array(fda, parent, t, thread,
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2986  							in_reply_to);
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2987  			if (ret < 0 ||
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2988  			    binder_alloc_copy_to_buffer(&target_proc->alloc,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2989  							t->buffer,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2990  							object_offset,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  2991  							fda, sizeof(*fda))) {
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2992  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2993  				return_error_param = ret;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  2994  				return_error_line = __LINE__;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2995  				goto err_translate_failed;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2996  			}
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  2997  			last_fixup_obj_off = parent_offset;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2998  			last_fixup_min_off =
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  2999  				fda->parent_offset + sizeof(u32) * fda->num_fds;
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  3000  		} break;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3001  		case BINDER_TYPE_PTR: {
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3002  			struct binder_buffer_object *bp =
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3003  				to_binder_buffer_object(hdr);
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  3004  			size_t buf_left = sg_buf_end_offset - sg_buf_offset;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  3005  			size_t num_valid;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3006  
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3007  			if (bp->length > buf_left) {
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3008  				binder_user_error("%d:%d got transaction with too large buffer\n",
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3009  						  proc->pid, thread->pid);
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3010  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3011  				return_error_param = -EINVAL;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3012  				return_error_line = __LINE__;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3013  				goto err_bad_offset;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3014  			}
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  3015  			if (binder_alloc_copy_user_to_buffer(
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  3016  						&target_proc->alloc,
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  3017  						t->buffer,
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  3018  						sg_buf_offset,
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  3019  						(const void __user *)
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  3020  							(uintptr_t)bp->buffer,
1a7c3d9bb7a926 drivers/android/binder.c         Todd Kjos             2019-02-08  3021  						bp->length)) {
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3022  				binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3023  						  proc->pid, thread->pid);
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3024  				return_error_param = -EFAULT;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3025  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3026  				return_error_line = __LINE__;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3027  				goto err_copy_data_failed;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3028  			}
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3029  			/* Fixup buffer pointer to target proc address space */
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  3030  			bp->buffer = (uintptr_t)
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  3031  				t->buffer->user_data + sg_buf_offset;
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  3032  			sg_buf_offset += ALIGN(bp->length, sizeof(u64));
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3033  
16981742717b04 drivers/android/binder.c         Todd Kjos             2019-12-13  3034  			num_valid = (buffer_offset - off_start_offset) /
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  3035  					sizeof(binder_size_t);
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  3036  			ret = binder_fixup_parent(t, thread, bp,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  3037  						  off_start_offset,
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  3038  						  num_valid,
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  3039  						  last_fixup_obj_off,
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3040  						  last_fixup_min_off);
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  3041  			if (ret < 0 ||
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  3042  			    binder_alloc_copy_to_buffer(&target_proc->alloc,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  3043  							t->buffer,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  3044  							object_offset,
bb4a2e48d5100e drivers/android/binder.c         Todd Kjos             2019-06-28  3045  							bp, sizeof(*bp))) {
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3046  				return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3047  				return_error_param = ret;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3048  				return_error_line = __LINE__;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3049  				goto err_translate_failed;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3050  			}
db6b0b810bf945 drivers/android/binder.c         Todd Kjos             2019-02-08  3051  			last_fixup_obj_off = object_offset;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3052  			last_fixup_min_off = 0;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen        2017-02-03  3053  		} break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3054  		default:
64dcfe6b84d410 drivers/staging/android/binder.c Serban Constantinescu 2013-07-04  3055  			binder_user_error("%d:%d got transaction with invalid object type, %x\n",
feba3900cabb8e drivers/android/binder.c         Martijn Coenen        2017-02-03  3056  				proc->pid, thread->pid, hdr->type);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3057  			return_error = BR_FAILED_REPLY;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3058  			return_error_param = -EINVAL;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3059  			return_error_line = __LINE__;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3060  			goto err_bad_object_type;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3061  		}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3062  	}
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3063  	/* Done processing objects, copy the rest of the buffer */
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3064  	if (binder_alloc_copy_user_to_buffer(
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3065  				&target_proc->alloc,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3066  				t->buffer, user_offset,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3067  				user_buffer + user_offset,
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3068  				tr->data_size - user_offset)) {
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3069  		binder_user_error("%d:%d got transaction with invalid data ptr\n",
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3070  				proc->pid, thread->pid);
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3071  		return_error = BR_FAILED_REPLY;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3072  		return_error_param = -EFAULT;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3073  		return_error_line = __LINE__;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3074  		goto err_copy_data_failed;
d51c5e7a3791e9 drivers/android/binder.c         Todd Kjos             2021-11-23  3075  	}
a7dc1e6f99df59 drivers/android/binder.c         Hang Lu               2021-04-09  3076  	if (t->buffer->oneway_spam_suspect)
a7dc1e6f99df59 drivers/android/binder.c         Hang Lu               2021-04-09  3077  		tcomplete->type = BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT;
a7dc1e6f99df59 drivers/android/binder.c         Hang Lu               2021-04-09  3078  	else
ccae6f676001d0 drivers/android/binder.c         Todd Kjos             2017-06-29  3079  		tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
673068eee8560d drivers/android/binder.c         Todd Kjos             2017-06-29  3080  	t->work.type = BINDER_WORK_TRANSACTION;
ccae6f676001d0 drivers/android/binder.c         Todd Kjos             2017-06-29  3081  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3082  	if (reply) {
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3083  		binder_enqueue_thread_work(thread, tcomplete);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3084  		binder_inner_proc_lock(target_proc);
b564171ade7057 drivers/android/binder.c         Li Li                 2021-09-10  3085  		if (target_thread->is_dead) {
b564171ade7057 drivers/android/binder.c         Li Li                 2021-09-10  3086  			return_error = BR_DEAD_REPLY;
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3087  			binder_inner_proc_unlock(target_proc);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3088  			goto err_dead_proc_or_thread;
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3089  		}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3090  		BUG_ON(t->buffer->async_transaction != 0);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3091  		binder_pop_transaction_ilocked(target_thread, in_reply_to);
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3092  		binder_enqueue_thread_work_ilocked(target_thread, &t->work);
432ff1e91694e4 drivers/android/binder.c         Marco Ballesio        2021-03-15  3093  		target_proc->outstanding_txns++;
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3094  		binder_inner_proc_unlock(target_proc);
408c68b17aea2f drivers/android/binder.c         Martijn Coenen        2017-08-31  3095  		wake_up_interruptible_sync(&target_thread->wait);
b6d282cea3f3ed drivers/android/binder.c         Todd Kjos             2017-06-29  3096  		binder_free_transaction(in_reply_to);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3097  	} else if (!(t->flags & TF_ONE_WAY)) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3098  		BUG_ON(t->buffer->async_transaction != 0);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3099  		binder_inner_proc_lock(proc);
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3100  		/*
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3101  		 * Defer the TRANSACTION_COMPLETE, so we don't return to
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3102  		 * userspace immediately; this allows the target process to
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3103  		 * immediately start processing this transaction, reducing
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3104  		 * latency. We will then return the TRANSACTION_COMPLETE when
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3105  		 * the target replies (or there is an error).
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3106  		 */
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3107  		binder_enqueue_deferred_thread_work_ilocked(thread, tcomplete);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3108  		t->need_reply = 1;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3109  		t->from_parent = thread->transaction_stack;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3110  		thread->transaction_stack = t;
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3111  		binder_inner_proc_unlock(proc);
432ff1e91694e4 drivers/android/binder.c         Marco Ballesio        2021-03-15  3112  		return_error = binder_proc_transaction(t,
432ff1e91694e4 drivers/android/binder.c         Marco Ballesio        2021-03-15  3113  				target_proc, target_thread);
432ff1e91694e4 drivers/android/binder.c         Marco Ballesio        2021-03-15  3114  		if (return_error) {
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3115  			binder_inner_proc_lock(proc);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3116  			binder_pop_transaction_ilocked(thread, t);
0b89d69a962588 drivers/android/binder.c         Martijn Coenen        2017-06-29  3117  			binder_inner_proc_unlock(proc);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3118  			goto err_dead_proc_or_thread;
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3119  		}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3120  	} else {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3121  		BUG_ON(target_node == NULL);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3122  		BUG_ON(t->buffer->async_transaction != 1);
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3123  		binder_enqueue_thread_work(thread, tcomplete);
432ff1e91694e4 drivers/android/binder.c         Marco Ballesio        2021-03-15  3124  		return_error = binder_proc_transaction(t, target_proc, NULL);
432ff1e91694e4 drivers/android/binder.c         Marco Ballesio        2021-03-15  3125  		if (return_error)
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3126  			goto err_dead_proc_or_thread;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3127  	}
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3128  	if (target_thread)
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3129  		binder_thread_dec_tmpref(target_thread);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3130  	binder_proc_dec_tmpref(target_proc);
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  3131  	if (target_node)
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  3132  		binder_dec_node_tmpref(target_node);
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3133  	/*
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3134  	 * write barrier to synchronize with initialization
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3135  	 * of log entry
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3136  	 */
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3137  	smp_wmb();
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3138  	WRITE_ONCE(e->debug_id_done, t_debug_id);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3139  	return;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3140  
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3141  err_dead_proc_or_thread:
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3142  	return_error_line = __LINE__;
d53bebdf4d7794 drivers/android/binder.c         Xu YiPing             2017-09-05  3143  	binder_dequeue_work(proc, tcomplete);
a056af42032e56 drivers/android/binder.c         Martijn Coenen        2017-02-03  3144  err_translate_failed:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3145  err_bad_object_type:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3146  err_bad_offset:
def95c73567dfa drivers/android/binder.c         Martijn Coenen        2017-02-03  3147  err_bad_parent:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3148  err_copy_data_failed:
44d8047f1d87ad drivers/android/binder.c         Todd Kjos             2018-08-28  3149  	binder_free_txn_fixups(t);
975a1ac9a9fe65 drivers/staging/android/binder.c Arve Hjønnevåg        2012-10-16  3150  	trace_binder_transaction_failed_buffer_release(t->buffer);
5fdb55c1ac9585 drivers/android/binder.c         Todd Kjos             2021-08-30  3151  	binder_transaction_buffer_release(target_proc, NULL, t->buffer,
bde4a19fc04f5f drivers/android/binder.c         Todd Kjos             2019-02-08  3152  					  buffer_offset, true);
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  3153  	if (target_node)
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  3154  		binder_dec_node_tmpref(target_node);
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  3155  	target_node = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3156  	t->buffer->transaction = NULL;
19c987241ca121 drivers/android/binder.c         Todd Kjos             2017-06-29  3157  	binder_alloc_free_buf(&target_proc->alloc, t->buffer);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3158  err_binder_alloc_buf_failed:
0b0509508beff6 drivers/android/binder.c         Todd Kjos             2019-04-24  3159  err_bad_extra_size:
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  3160  	if (secctx)
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  3161  		security_release_secctx(secctx, secctx_sz);
ec74136ded792d drivers/android/binder.c         Todd Kjos             2019-01-14  3162  err_get_secctx_failed:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3163  	kfree(tcomplete);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3164  	binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3165  err_alloc_tcomplete_failed:
1987f112f1425c drivers/android/binder.c         Frankie.Chang         2020-11-11  3166  	if (trace_binder_txn_latency_free_enabled())
1987f112f1425c drivers/android/binder.c         Frankie.Chang         2020-11-11  3167  		binder_txn_latency_free(t);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3168  	kfree(t);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3169  	binder_stats_deleted(BINDER_STAT_TRANSACTION);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3170  err_alloc_t_failed:
44b73962cb25f1 drivers/android/binder.c         Sherry Yang           2018-08-13  3171  err_bad_todo_list:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3172  err_bad_call_stack:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3173  err_empty_call_stack:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3174  err_dead_binder:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3175  err_invalid_target_handle:
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3176  	if (target_thread)
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3177  		binder_thread_dec_tmpref(target_thread);
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3178  	if (target_proc)
7a4408c6bd3eb1 drivers/android/binder.c         Todd Kjos             2017-06-29  3179  		binder_proc_dec_tmpref(target_proc);
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  3180  	if (target_node) {
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  3181  		binder_dec_node(target_node, 1, 0);
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  3182  		binder_dec_node_tmpref(target_node);
512cf465ee01eb drivers/android/binder.c         Todd Kjos             2017-09-29  3183  	}
eb34983ba170f2 drivers/android/binder.c         Todd Kjos             2017-06-29  3184  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3185  	binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3186  		     "%d:%d transaction failed %d/%d, size %lld-%lld line %d\n",
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3187  		     proc->pid, thread->pid, return_error, return_error_param,
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3188  		     (u64)tr->data_size, (u64)tr->offsets_size,
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3189  		     return_error_line);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3190  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3191  	{
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3192  		struct binder_transaction_log_entry *fe;
10f62861b4a2f2 drivers/staging/android/binder.c Seunghun Lee          2014-05-01  3193  
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3194  		e->return_error = return_error;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3195  		e->return_error_param = return_error_param;
57ada2fb2250ea drivers/android/binder.c         Todd Kjos             2017-06-29  3196  		e->return_error_line = return_error_line;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3197  		fe = binder_transaction_log_add(&binder_transaction_log_failed);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3198  		*fe = *e;
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3199  		/*
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3200  		 * write barrier to synchronize with initialization
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3201  		 * of log entry
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3202  		 */
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3203  		smp_wmb();
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3204  		WRITE_ONCE(e->debug_id_done, t_debug_id);
d99c7333ab1c9d drivers/android/binder.c         Todd Kjos             2017-06-29  3205  		WRITE_ONCE(fe->debug_id_done, t_debug_id);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3206  	}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3207  
26549d17741035 drivers/android/binder.c         Todd Kjos             2017-06-29  3208  	BUG_ON(thread->return_error.cmd != BR_OK);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3209  	if (in_reply_to) {
26549d17741035 drivers/android/binder.c         Todd Kjos             2017-06-29  3210  		thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3211  		binder_enqueue_thread_work(thread, &thread->return_error.work);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3212  		binder_send_failed_reply(in_reply_to, return_error);
26549d17741035 drivers/android/binder.c         Todd Kjos             2017-06-29  3213  	} else {
26549d17741035 drivers/android/binder.c         Todd Kjos             2017-06-29  3214  		thread->return_error.cmd = return_error;
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen        2017-11-15  3215  		binder_enqueue_thread_work(thread, &thread->return_error.work);
26549d17741035 drivers/android/binder.c         Todd Kjos             2017-06-29  3216  	}
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3217  }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman    2011-11-30  3218  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

  parent reply	other threads:[~2021-11-25 12:24 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-23 19:17 [PATCH 0/3] binder: Prevent untranslated sender data from being copied to target Todd Kjos
2021-11-23 19:17 ` [PATCH 1/3] binder: avoid potential data leakage when copying txn Todd Kjos
2021-11-24  7:50   ` Martijn Coenen
2021-11-24 13:01   ` Dan Carpenter
2021-11-24 20:11     ` Todd Kjos
2021-11-25  2:05   ` kernel test robot
2021-11-25 12:18   ` kernel test robot [this message]
2021-11-23 19:17 ` [PATCH 2/3] binder: read pre-translated fds from sender buffer Todd Kjos
2021-11-24  7:50   ` Martijn Coenen
2021-11-24 12:37   ` Dan Carpenter
2021-11-24 20:33     ` Todd Kjos
2021-11-25  6:37       ` Dan Carpenter
2021-11-23 19:17 ` [PATCH 3/3] binder: defer copies of pre-patched txn data Todd Kjos
2021-11-24  7:50   ` Martijn Coenen
2021-11-24 11:09   ` Dan Carpenter
2021-11-24 20:39     ` Todd Kjos
2021-11-24 12:43   ` Dan Carpenter
2021-11-24 20:37     ` Todd Kjos
2021-11-24  8:08 ` [PATCH 0/3] binder: Prevent untranslated sender data from being copied to target Greg KH
2021-11-24 15:54   ` Todd Kjos

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202111252042.kCPmeLlY-lkp@intel.com \
    --to=lkp@intel.com \
    --cc=arve@android.com \
    --cc=christian@brauner.io \
    --cc=devel@driverdev.osuosl.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=joel@joelfernandes.org \
    --cc=kbuild-all@lists.01.org \
    --cc=kernel-team@android.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maco@google.com \
    --cc=tkjos@google.com \
    --subject='Re: [PATCH 1/3] binder: avoid potential data leakage when copying txn' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).