Linux 5.15.2 updated the security.h security_binder_* functions (like security_binder_transfer_binder()) so they use struct cred* instead of struct task_struct*

Over the last years, many fixes and changes have been applied to
Binder in the Linux kernel, but these fixes were never backported
to anbox-modules. This meant that the version of Binder in anbox-modules
was very outdated.
With this commit, Binder has been updated to the latest state from
the Linux kernel. This should also fix the compile on kernel 5.12
and later.

With kernel 5.8, the return value of map_kernel_range_noflush()
was changed. This function now returns 0 on success (instead of
the number of successfully mapped pages).
This commit adjusts binder accordingly.

With the commit 64fe66e8a95e in the Linux kernel, the member "mmap_sem" in the
struct mm_struct was renamed to "mmap_lock". This patch fixes the resulting
compile errors.

On kernel 5.7 and later, kallsyms_lookup_name() can no longer be called from a kernel
module for reasons described here: https://lwn.net/Articles/813350/
As binder really needs to use kallsyms_lookup_name() to access some kernel
functions that otherwise wouldn't be accessible, KProbes are used on later
kernels to get the address of kallsyms_lookup_name(). The function is
afterwards used just as before. This is a very dirty hack though, and the much
better solution would be if all the functions that are currently resolved
with kallsyms_lookup_name() would get an EXPORT_SYMBOL() annotation to
make them directly accessible to kernel modules.

Amit Pundir and Youling in parallel reported crashes with recent
mainline kernels running Android:
F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
F DEBUG : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
F DEBUG : Revision: '0'
F DEBUG : ABI: 'arm'
F DEBUG : pid: 2261, tid: 2261, name: zygote >>> zygote <<<
F DEBUG : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
... <snip> ...
F DEBUG : backtrace:
F DEBUG : #00 pc 00001c04 /system/lib/libc.so (memset+48)
F DEBUG : #01 pc 0010c513 /system/lib/libart.so (create_mspace_with_base+82)
F DEBUG : #02 pc 0015c601 /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40)
F DEBUG : #03 pc 0015c3ed /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36)
...
This was bisected back to commit bfd40eaff5ab ("mm: fix
vma_is_anonymous() false-positives").
create_mspace_with_base() in the trace above, utilizes ashmem, and with
ashmem, for shared mappings we use shmem_zero_setup(), which sets the
vma->vm_ops to &shmem_vm_ops. But for private ashmem mappings nothing
sets the vma->vm_ops.
Looking at the problematic patch, it seems to add a requirement that one
call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be
used. Using the dummy_vm_ops seems to trigger SIGBUS when traversing
unmapped pages.
Thus, this patch adds a call to vma_set_anonymous() for ashmem private
mappings and seems to avoid the reported problem.
Fixes: bfd40eaff5ab ("mm: fix vma_is_anonymous() false-positives")
Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Colin Cross <ccross@google.com>
Cc: Matthew Wilcox <willy@infradead.org>
Reported-by: Amit Pundir <amit.pundir@linaro.org>
Reported-by: Youling 257 <youling257@gmail.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>