DivestOS/Patches/Linux_CVEs/CVE-2016-8402/3.4/0001.patch
2017-11-07 17:32:46 -05:00

395 lines
16 KiB
Diff

From 8e145d45fdff30cb6471b7cc9717c30b21a0ec6b Mon Sep 17 00:00:00 2001
From: Nick Desaulniers <ndesaulniers@google.com>
Date: Thu, 16 Feb 2017 18:59:44 +0530
Subject: binder: blacklist %p kptr_restrict
Bug: 31495231
Change-Id: Iebc150f6bc939b56e021424ee44fb30ce8d732fd
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: 0804d7840364fc1a93652632bd43a93c055c658e
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
---
drivers/staging/android/binder.c | 92 ++++++++++++++++++++--------------------
1 file changed, 46 insertions(+), 46 deletions(-)
(limited to 'drivers')
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
index 38d47e7..5ae7c13 100644
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -556,7 +556,7 @@ static void binder_insert_free_buffer(struct binder_proc *proc,
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
"binder: %d: add free buffer, size %zd, "
- "at %p\n", proc->pid, new_buffer_size, new_buffer);
+ "at %pK\n", proc->pid, new_buffer_size, new_buffer);
while (*p) {
parent = *p;
@@ -634,7 +634,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate,
struct mm_struct *mm;
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
- "binder: %d: %s pages %p-%p\n", proc->pid,
+ "binder: %d: %s pages %pK-%pK\n", proc->pid,
allocate ? "allocate" : "free", start, end);
if (end <= start)
@@ -675,7 +675,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate,
*page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO);
if (*page == NULL) {
printk(KERN_ERR "binder: %d: binder_alloc_buf failed "
- "for page at %p\n", proc->pid, page_addr);
+ "for page at %pK\n", proc->pid, page_addr);
goto err_alloc_page_failed;
}
tmp_area.addr = page_addr;
@@ -684,7 +684,7 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate,
ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr);
if (ret) {
printk(KERN_ERR "binder: %d: binder_alloc_buf failed "
- "to map page at %p in kernel\n",
+ "to map page at %pK in kernel\n",
proc->pid, page_addr);
goto err_map_kernel_failed;
}
@@ -790,7 +790,7 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc,
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
"binder: %d: binder_alloc_buf size %zd got buff"
- "er %p size %zd\n", proc->pid, size, buffer, buffer_size);
+ "er %pK size %zd\n", proc->pid, size, buffer, buffer_size);
has_page_addr =
(void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK);
@@ -819,7 +819,7 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc,
}
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
"binder: %d: binder_alloc_buf size %zd got "
- "%p\n", proc->pid, size, buffer);
+ "%pK\n", proc->pid, size, buffer);
buffer->data_size = data_size;
buffer->offsets_size = offsets_size;
buffer->async_transaction = is_async;
@@ -859,8 +859,8 @@ static void binder_delete_free_buffer(struct binder_proc *proc,
if (buffer_end_page(prev) == buffer_end_page(buffer))
free_page_end = 0;
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
- "binder: %d: merge free, buffer %p "
- "share page with %p\n", proc->pid, buffer, prev);
+ "binder: %d: merge free, buffer %pK "
+ "share page with %pK\n", proc->pid, buffer, prev);
}
if (!list_is_last(&buffer->entry, &proc->buffers)) {
@@ -873,15 +873,15 @@ static void binder_delete_free_buffer(struct binder_proc *proc,
free_page_start = 0;
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
"binder: %d: merge free, buffer"
- " %p share page with %p\n", proc->pid,
+ " %pK share page with %pK\n", proc->pid,
buffer, prev);
}
}
list_del(&buffer->entry);
if (free_page_start || free_page_end) {
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
- "binder: %d: merge free, buffer %p do "
- "not share page%s%s with with %p or %p\n",
+ "binder: %d: merge free, buffer %pK do "
+ "not share page%s%s with with %pK or %pK\n",
proc->pid, buffer, free_page_start ? "" : " end",
free_page_end ? "" : " start", prev, next);
binder_update_page_range(proc, 0, free_page_start ?
@@ -902,7 +902,7 @@ static void binder_free_buf(struct binder_proc *proc,
ALIGN(buffer->offsets_size, sizeof(void *));
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
- "binder: %d: binder_free_buf %p size %zd buffer"
+ "binder: %d: binder_free_buf %pK size %zd buffer"
"_size %zd\n", proc->pid, buffer, size, buffer_size);
BUG_ON(buffer->free);
@@ -999,7 +999,7 @@ static struct binder_node *binder_new_node(struct binder_proc *proc,
INIT_LIST_HEAD(&node->work.entry);
INIT_LIST_HEAD(&node->async_todo);
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
- "binder: %d:%d node %d u%p c%p created\n",
+ "binder: %d:%d node %d u%pK c%pK created\n",
proc->pid, current->pid, node->debug_id,
node->ptr, node->cookie);
return node;
@@ -1335,7 +1335,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
int debug_id = buffer->debug_id;
binder_debug(BINDER_DEBUG_TRANSACTION,
- "binder: %d buffer release %d, size %zd-%zd, failed at %p\n",
+ "binder: %d buffer release %d, size %zd-%zd, failed at %pK\n",
proc->pid, buffer->debug_id,
buffer->data_size, buffer->offsets_size, failed_at);
@@ -1364,11 +1364,11 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
struct binder_node *node = binder_get_node(proc, fp->binder);
if (node == NULL) {
printk(KERN_ERR "binder: transaction release %d"
- " bad node %p\n", debug_id, fp->binder);
+ " bad node %pK\n", debug_id, fp->binder);
break;
}
binder_debug(BINDER_DEBUG_TRANSACTION,
- " node %d u%p\n",
+ " node %d u%pK\n",
node->debug_id, node->ptr);
binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0);
} break;
@@ -1552,7 +1552,7 @@ static void binder_transaction(struct binder_proc *proc,
if (reply)
binder_debug(BINDER_DEBUG_TRANSACTION,
"binder: %d:%d BC_REPLY %d -> %d:%d, "
- "data %p-%p size %zd-%zd\n",
+ "data %pK-%pK size %zd-%zd\n",
proc->pid, thread->pid, t->debug_id,
target_proc->pid, target_thread->pid,
tr->data.ptr.buffer, tr->data.ptr.offsets,
@@ -1560,7 +1560,7 @@ static void binder_transaction(struct binder_proc *proc,
else
binder_debug(BINDER_DEBUG_TRANSACTION,
"binder: %d:%d BC_TRANSACTION %d -> "
- "%d - node %d, data %p-%p size %zd-%zd\n",
+ "%d - node %d, data %pK-%pK size %zd-%zd\n",
proc->pid, thread->pid, t->debug_id,
target_proc->pid, target_node->debug_id,
tr->data.ptr.buffer, tr->data.ptr.offsets,
@@ -1647,8 +1647,8 @@ static void binder_transaction(struct binder_proc *proc,
node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
}
if (fp->cookie != node->cookie) {
- binder_user_error("binder: %d:%d sending u%p "
- "node %d, cookie mismatch %p != %p\n",
+ binder_user_error("binder: %d:%d sending u%pK "
+ "node %d, cookie mismatch %pK != %pK\n",
proc->pid, thread->pid,
fp->binder, node->debug_id,
fp->cookie, node->cookie);
@@ -1675,7 +1675,7 @@ static void binder_transaction(struct binder_proc *proc,
trace_binder_transaction_node_to_ref(t, node, ref);
binder_debug(BINDER_DEBUG_TRANSACTION,
- " node %d u%p -> ref %d desc %d\n",
+ " node %d u%pK -> ref %d desc %d\n",
node->debug_id, node->ptr, ref->debug_id,
ref->desc);
} break;
@@ -1705,7 +1705,7 @@ static void binder_transaction(struct binder_proc *proc,
binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL);
trace_binder_transaction_ref_to_node(t, ref);
binder_debug(BINDER_DEBUG_TRANSACTION,
- " ref %d desc %d -> node %d u%p\n",
+ " ref %d desc %d -> node %d u%pK\n",
ref->debug_id, ref->desc, ref->node->debug_id,
ref->node->ptr);
} else {
@@ -1941,7 +1941,7 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
node = binder_get_node(proc, node_ptr);
if (node == NULL) {
binder_user_error("binder: %d:%d "
- "%s u%p no match\n",
+ "%s u%pK no match\n",
proc->pid, thread->pid,
cmd == BC_INCREFS_DONE ?
"BC_INCREFS_DONE" :
@@ -1950,8 +1950,8 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
break;
}
if (cookie != node->cookie) {
- binder_user_error("binder: %d:%d %s u%p node %d"
- " cookie mismatch %p != %p\n",
+ binder_user_error("binder: %d:%d %s u%pK node %d"
+ " cookie mismatch %pK != %pK\n",
proc->pid, thread->pid,
cmd == BC_INCREFS_DONE ?
"BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
@@ -2006,19 +2006,19 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
buffer = binder_buffer_lookup(proc, data_ptr);
if (buffer == NULL) {
binder_user_error("binder: %d:%d "
- "BC_FREE_BUFFER u%p no match\n",
+ "BC_FREE_BUFFER u%pK no match\n",
proc->pid, thread->pid, data_ptr);
break;
}
if (!buffer->allow_user_free) {
binder_user_error("binder: %d:%d "
- "BC_FREE_BUFFER u%p matched "
+ "BC_FREE_BUFFER u%pK matched "
"unreturned buffer\n",
proc->pid, thread->pid, data_ptr);
break;
}
binder_debug(BINDER_DEBUG_FREE_BUFFER,
- "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n",
+ "binder: %d:%d BC_FREE_BUFFER u%pK found buffer %d for %s transaction\n",
proc->pid, thread->pid, data_ptr, buffer->debug_id,
buffer->transaction ? "active" : "finished");
@@ -2118,7 +2118,7 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
}
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
- "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n",
+ "binder: %d:%d %s %pK ref %d desc %d s %d w %d for node %d\n",
proc->pid, thread->pid,
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
"BC_REQUEST_DEATH_NOTIFICATION" :
@@ -2172,7 +2172,7 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
"d BC_CLEAR_DEATH_NOTIFI"
"CATION death notificat"
"ion cookie mismatch "
- "%p != %p\n",
+ "%pK != %pK\n",
proc->pid, thread->pid,
death->cookie, cookie);
break;
@@ -2208,11 +2208,11 @@ int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
}
}
binder_debug(BINDER_DEBUG_DEAD_BINDER,
- "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n",
+ "binder: %d:%d BC_DEAD_BINDER_DONE %pK found %pK\n",
proc->pid, thread->pid, cookie, death);
if (death == NULL) {
binder_user_error("binder: %d:%d BC_DEAD"
- "_BINDER_DONE %p not found\n",
+ "_BINDER_DONE %pK not found\n",
proc->pid, thread->pid, cookie);
break;
}
@@ -2423,13 +2423,13 @@ retry:
binder_stat_br(proc, thread, cmd);
binder_debug(BINDER_DEBUG_USER_REFS,
- "binder: %d:%d %s %d u%p c%p\n",
+ "binder: %d:%d %s %d u%pK c%pK\n",
proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie);
} else {
list_del_init(&w->entry);
if (!weak && !strong) {
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
- "binder: %d:%d node %d u%p c%p deleted\n",
+ "binder: %d:%d node %d u%pK c%pK deleted\n",
proc->pid, thread->pid, node->debug_id,
node->ptr, node->cookie);
rb_erase(&node->rb_node, &proc->nodes);
@@ -2437,7 +2437,7 @@ retry:
binder_stats_deleted(BINDER_STAT_NODE);
} else {
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
- "binder: %d:%d node %d u%p c%p state unchanged\n",
+ "binder: %d:%d node %d u%pK c%pK state unchanged\n",
proc->pid, thread->pid, node->debug_id, node->ptr,
node->cookie);
}
@@ -2462,7 +2462,7 @@ retry:
ptr += sizeof(void *);
binder_stat_br(proc, thread, cmd);
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
- "binder: %d:%d %s %p\n",
+ "binder: %d:%d %s %pK\n",
proc->pid, thread->pid,
cmd == BR_DEAD_BINDER ?
"BR_DEAD_BINDER" :
@@ -2532,7 +2532,7 @@ retry:
binder_stat_br(proc, thread, cmd);
binder_debug(BINDER_DEBUG_TRANSACTION,
"binder: %d:%d %s %d %d:%d, cmd %d"
- "size %zd-%zd ptr %p-%p\n",
+ "size %zd-%zd ptr %pK-%pK\n",
proc->pid, thread->pid,
(cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
"BR_REPLY",
@@ -2609,7 +2609,7 @@ static void binder_release_work(struct list_head *list)
death = container_of(w, struct binder_ref_death, work);
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
- "binder: undelivered death notification, %p\n",
+ "binder: undelivered death notification, %pK\n",
death->cookie);
kfree(death);
binder_stats_deleted(BINDER_STAT_DEATH);
@@ -2942,7 +2942,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
#ifdef CONFIG_CPU_CACHE_VIPT
if (cache_is_vipt_aliasing()) {
while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) {
- printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);
+ printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %pK bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);
vma->vm_start += PAGE_SIZE;
}
}
@@ -2974,7 +2974,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
proc->vma = vma;
proc->vma_vm_mm = vma->vm_mm;
- /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n",
+ /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %pK\n",
proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/
return 0;
@@ -3168,7 +3168,7 @@ static void binder_deferred_release(struct binder_proc *proc)
void *page_addr = proc->buffer + i * PAGE_SIZE;
binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
"binder_release: %d: "
- "page %d at %p not freed\n",
+ "page %d at %pK not freed\n",
proc->pid, i,
page_addr);
unmap_kernel_range((unsigned long)page_addr,
@@ -3251,7 +3251,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix,
struct binder_transaction *t)
{
seq_printf(m,
- "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d",
+ "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld r%d",
prefix, t->debug_id, t,
t->from ? t->from->proc->pid : 0,
t->from ? t->from->pid : 0,
@@ -3265,7 +3265,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix,
if (t->buffer->target_node)
seq_printf(m, " node %d",
t->buffer->target_node->debug_id);
- seq_printf(m, " size %zd:%zd data %p\n",
+ seq_printf(m, " size %zd:%zd data %pK\n",
t->buffer->data_size, t->buffer->offsets_size,
t->buffer->data);
}
@@ -3273,7 +3273,7 @@ static void print_binder_transaction(struct seq_file *m, const char *prefix,
static void print_binder_buffer(struct seq_file *m, const char *prefix,
struct binder_buffer *buffer)
{
- seq_printf(m, "%s %d: %p size %zd:%zd %s\n",
+ seq_printf(m, "%s %d: %pK size %zd:%zd %s\n",
prefix, buffer->debug_id, buffer->data,
buffer->data_size, buffer->offsets_size,
buffer->transaction ? "active" : "delivered");
@@ -3296,7 +3296,7 @@ static void print_binder_work(struct seq_file *m, const char *prefix,
break;
case BINDER_WORK_NODE:
node = container_of(w, struct binder_node, work);
- seq_printf(m, "%snode work %d: u%p c%p\n",
+ seq_printf(m, "%snode work %d: u%pK c%pK\n",
prefix, node->debug_id, node->ptr, node->cookie);
break;
case BINDER_WORK_DEAD_BINDER:
@@ -3358,7 +3358,7 @@ static void print_binder_node(struct seq_file *m, struct binder_node *node)
hlist_for_each_entry(ref, pos, &node->refs, node_entry)
count++;
- seq_printf(m, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d",
+ seq_printf(m, " node %d: u%pK c%pK hs %d hw %d ls %d lw %d is %d iw %d",
node->debug_id, node->ptr, node->cookie,
node->has_strong_ref, node->has_weak_ref,
node->local_strong_refs, node->local_weak_refs,
--
cgit v1.1