Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4076753imu;
        Mon, 28 Jan 2019 16:52:30 -0800 (PST)
X-Google-Smtp-Source: ALg8bN6tmJ1A1mGbenDN0H1IxFiUc0cua+QBXlgL7jA5SmJ4CDVJzSeTd7a46ixCG1VA/kaw94Sl
X-Received: by 2002:a17:902:59c8:: with SMTP id d8mr23979890plj.116.1548723150214;
        Mon, 28 Jan 2019 16:52:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1548723150; cv=none;
        d=google.com; s=arc-20160816;
        b=IV45Vv9sZuxY5cn5RvLmNfdVKwKNZytKnC4A9jVbRHbGMltPDcjyTIFcqbx6yMzuuF
         rtakalK2116eG0ihsnOmUtQ84Gb7moshwJ0WpkRSsHrsgsICrlNDmAvnN7kze912acZ3
         vxgAwpStCZz/9cdl36DASPUGi6feBUKNecTk2eoSUgBETK38uLVyLSgn7elMD+cdVz3D
         QRf7rN6SOxs1nhG+ej1a+S2RIViI86D4iPiRt7qDVbv1GepHlM+ShQqdTeQGcnLet/Wy
         v9R8WnmjlK8a2N2/QNi9aV4Pizi81ouKXkSuZ3gZgNmwKDustdRE8K3ac7eEclLyZBGu
         gwYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=mwJFsPrQ8Tfx+sEMp0LbDaSQGrC/2Igxr0RHoK8xdGw=;
        b=SjHThPIq+i4FdaRilncEbi52tZJYWx/Qjk43Lq+rsWGW3gclSgoN9gJu6N3+kau3N9
         GDo96xcBnOCjqaO2hQBYA1zxYHZ1W52Hg7TGUR8TIVlqzs7j1XvAQ3LkLlG+FJWiWPl0
         43FsV3jpCQ1CWOqMmk353sJ1FhjGfcckPnwmVmtjlt9fx3yDpfybSE+S2qBp/OafoDMf
         u+3icYz8RVw8kps7K0GD0zsODXrnBxiJLjyKN7KsaxDxfi0k5a453DgcWxpcmBVHQfe1
         Zm4yZxGqIxVZWGVto0n5WC1wzCjuzhG8NETiO6f5VNSdYNudpK1dbIubJrFlALEmDiQx
         E4tQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=aFwqEivi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a12si37307903pll.112.2019.01.28.16.52.15;
        Mon, 28 Jan 2019 16:52:30 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=aFwqEivi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727604AbfA2AuJ (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Mon, 28 Jan 2019 19:50:09 -0500
Received: from mail-pf1-f194.google.com ([209.85.210.194]:32898 "EHLO
        mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726803AbfA2AuJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 Jan 2019 19:50:09 -0500
Received: by mail-pf1-f194.google.com with SMTP id c123so8845121pfb.0
        for <linux-kernel@vger.kernel.org>; Mon, 28 Jan 2019 16:50:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=android.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=mwJFsPrQ8Tfx+sEMp0LbDaSQGrC/2Igxr0RHoK8xdGw=;
        b=aFwqEivizdFPYkqaMHgLoQSa47WxQeJUmM7Gzv9X2xfAUPf3aGG11ZKUOWs44WnPXH
         0Y2PsY3VadpQCsEaavk3buTfqzXZACuKr5r8wfF4cKXEn5misEa8Krdob0eiw1md/Jji
         ZoTuNHgDVkC2sWE9Y6mkBf7tlFI/28N4t09oPQFGjF67Fs0WKeNnpDvIQD7/4EMdmf3W
         YNu5CorybcRbSmn89oDweqkQDDCKACC8e8yvGuHERIwty++iGc0SHVb0UnhZgVHCaaXQ
         aQjXmDRvnfBv6IuPc3OoUEv9vakV22bcII4KKO7GtoWaH22Dtbpwbk88LNEsp15gV7Y6
         2Wew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=mwJFsPrQ8Tfx+sEMp0LbDaSQGrC/2Igxr0RHoK8xdGw=;
        b=TxkxxuFGhuBUnc7d1/MugOhoNq47/fo27Osylof2FkKm5DVAN0AS6KKJuPb7eR0gQi
         ZO5eW8c8/kc4+MWCWr5G1ScZWB0Tty78qOROI+cx/uCbSjOMr3uh5zn/y6mfqBd0DdsI
         +YB2SyoRZaMcthqZW0iEEJlT5lo+aygi3xM02iaAERVYSCYCjH/yqiz6+AIsSHoMrmCi
         Rfa1qE1/3FZMYAE6p9L2UBUbD83bTOln5kUK5ZkQ7lxGBbacM+diA7gJbNtUMZquE7br
         ip8j7FsymoROPuQoqrvBLL5eEn59KVKuOXTX6eJyT+dYPCOTGuMvRJwKdgl/xUTame8p
         jUag==
X-Gm-Message-State: AJcUukcS0yluz9GmDoRPk+ct+V8kPQH8cg2mZ8O6jfonRK8rchla43cs
        L4nZFUxK9bqBhTtvKqaC2PtX6Q==
X-Received: by 2002:a63:e344:: with SMTP id o4mr21486149pgj.158.1548723008328;
        Mon, 28 Jan 2019 16:50:08 -0800 (PST)
Received: from ava-linux2.mtv.corp.google.com ([2620:0:1000:1601:6cc0:d41d:b970:fd7])
        by smtp.googlemail.com with ESMTPSA id g3sm52090792pfe.37.2019.01.28.16.50.07
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 28 Jan 2019 16:50:07 -0800 (PST)
From:   Todd Kjos <tkjos@android.com>
X-Google-Original-From: Todd Kjos <tkjos@google.com>
To:     tkjos@google.com, gregkh@linuxfoundation.org, arve@android.com,
        devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
        maco@google.com
Cc:     joel@joelfernandes.org, kernel-team@android.com
Subject: [PATCH 1/7] binder: create userspace-to-binder-buffer copy function
Date:   Mon, 28 Jan 2019 16:49:28 -0800
Message-Id: <20190129004934.85885-2-tkjos@google.com>
X-Mailer: git-send-email 2.20.1.495.gaa96b0ce6b-goog
In-Reply-To: <20190129004934.85885-1-tkjos@google.com>
References: <20190129004934.85885-1-tkjos@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The binder driver uses a vm_area to map the per-process
binder buffer space. For 32-bit android devices, this is
now taking too much vmalloc space. This patch removes
the use of vm_area when copying the transaction data
from the sender to the buffer space. Instead of using
copy_from_user() for multi-page copies, it now uses
binder_alloc_copy_user_to_buffer() which uses kmap()
and kunmap() to map each page, and uses copy_from_user()
for copying to that page.

Signed-off-by: Todd Kjos <tkjos@google.com>
---
 drivers/android/binder.c       |  29 +++++++--
 drivers/android/binder_alloc.c | 114 +++++++++++++++++++++++++++++++++
 drivers/android/binder_alloc.h |   8 +++
 3 files changed, 144 insertions(+), 7 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 5f6ef5e63b91e..ab0b3eec363bc 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3078,8 +3078,12 @@ static void binder_transaction(struct binder_proc *proc,
 				      ALIGN(tr->data_size, sizeof(void *)));
 	offp = off_start;
 
-	if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t)
-			   tr->data.ptr.buffer, tr->data_size)) {
+	if (binder_alloc_copy_user_to_buffer(
+				&target_proc->alloc,
+				t->buffer, 0,
+				(const void __user *)
+					(uintptr_t)tr->data.ptr.buffer,
+				tr->data_size)) {
 		binder_user_error("%d:%d got transaction with invalid data ptr\n",
 				proc->pid, thread->pid);
 		return_error = BR_FAILED_REPLY;
@@ -3087,8 +3091,13 @@ static void binder_transaction(struct binder_proc *proc,
 		return_error_line = __LINE__;
 		goto err_copy_data_failed;
 	}
-	if (copy_from_user(offp, (const void __user *)(uintptr_t)
-			   tr->data.ptr.offsets, tr->offsets_size)) {
+	if (binder_alloc_copy_user_to_buffer(
+				&target_proc->alloc,
+				t->buffer,
+				ALIGN(tr->data_size, sizeof(void *)),
+				(const void __user *)
+					(uintptr_t)tr->data.ptr.offsets,
+				tr->offsets_size)) {
 		binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
 				proc->pid, thread->pid);
 		return_error = BR_FAILED_REPLY;
@@ -3217,6 +3226,8 @@ static void binder_transaction(struct binder_proc *proc,
 			struct binder_buffer_object *bp =
 				to_binder_buffer_object(hdr);
 			size_t buf_left = sg_buf_end - sg_bufp;
+			binder_size_t sg_buf_offset = (uintptr_t)sg_bufp -
+				(uintptr_t)t->buffer->data;
 
 			if (bp->length > buf_left) {
 				binder_user_error("%d:%d got transaction with too large buffer\n",
@@ -3226,9 +3237,13 @@ static void binder_transaction(struct binder_proc *proc,
 				return_error_line = __LINE__;
 				goto err_bad_offset;
 			}
-			if (copy_from_user(sg_bufp,
-					   (const void __user *)(uintptr_t)
-					   bp->buffer, bp->length)) {
+			if (binder_alloc_copy_user_to_buffer(
+						&target_proc->alloc,
+						t->buffer,
+						sg_buf_offset,
+						(const void __user *)
+							(uintptr_t)bp->buffer,
+						bp->length)) {
 				binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
 						  proc->pid, thread->pid);
 				return_error_param = -EFAULT;
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index 022cd80e80cc3..255fa71911e5e 100644
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -29,6 +29,8 @@
 #include <linux/list_lru.h>
 #include <linux/ratelimit.h>
 #include <asm/cacheflush.h>
+#include <linux/uaccess.h>
+#include <linux/highmem.h>
 #include "binder_alloc.h"
 #include "binder_trace.h"
 
@@ -1053,3 +1055,115 @@ int binder_alloc_shrinker_init(void)
 	}
 	return ret;
 }
+
+/**
+ * check_buffer() - verify that buffer/offset is safe to access
+ * @alloc: binder_alloc for this proc
+ * @buffer: binder buffer to be accessed
+ * @offset: offset into @buffer data
+ * @bytes: bytes to access from offset
+ *
+ * Check that the @offset/@bytes are within the size of the given
+ * @buffer and that the buffer is currently active and not freeable.
+ * Offsets must also be multiples of sizeof(u32). The kernel is
+ * allowed to touch the buffer in two cases:
+ *
+ * 1) when the buffer is being created:
+ *     (buffer->free == 0 && buffer->allow_user_free == 0)
+ * 2) when the buffer is being torn down:
+ *     (buffer->free == 0 && buffer->transaction == NULL).
+ *
+ * Return: true if the buffer is safe to access
+ */
+static inline bool check_buffer(struct binder_alloc *alloc,
+				struct binder_buffer *buffer,
+				binder_size_t offset, size_t bytes)
+{
+	size_t buffer_size = binder_alloc_buffer_size(alloc, buffer);
+
+	return buffer_size >= bytes &&
+		offset <= buffer_size - bytes &&
+		IS_ALIGNED(offset, sizeof(u32)) &&
+		!buffer->free &&
+		(!buffer->allow_user_free || !buffer->transaction);
+}
+
+/**
+ * binder_alloc_get_page() - get kernel pointer for given buffer offset
+ * @alloc: binder_alloc for this proc
+ * @buffer: binder buffer to be accessed
+ * @buffer_offset: offset into @buffer data
+ * @pgoffp: address to copy final page offset to
+ *
+ * Lookup the struct page corresponding to the address
+ * at @buffer_offset into @buffer->data. If @pgoffp is not
+ * NULL, the byte-offset into the page is written there.
+ *
+ * The caller is responsible to ensure that the offset points
+ * to a valid address within the @buffer and that @buffer is
+ * not freeable by the user. Since it can't be freed, we are
+ * guaranteed that the corresponding elements of @alloc->pages[]
+ * cannot change.
+ *
+ * Return: struct page
+ */
+static struct page *binder_alloc_get_page(struct binder_alloc *alloc,
+					  struct binder_buffer *buffer,
+					  binder_size_t buffer_offset,
+					  pgoff_t *pgoffp)
+{
+	binder_size_t buffer_space_offset = buffer_offset +
+		((uintptr_t)buffer->data - (uintptr_t)alloc->buffer);
+	pgoff_t pgoff = buffer_space_offset & ~PAGE_MASK;
+	size_t index = buffer_space_offset >> PAGE_SHIFT;
+	struct binder_lru_page *lru_page;
+
+	lru_page = &alloc->pages[index];
+	*pgoffp = pgoff;
+	return lru_page->page_ptr;
+}
+
+/**
+ * binder_alloc_copy_user_to_buffer() - copy src user to tgt user
+ * @alloc: binder_alloc for this proc
+ * @buffer: binder buffer to be accessed
+ * @buffer_offset: offset into @buffer data
+ * @from: userspace pointer to source buffer
+ * @bytes: bytes to copy
+ *
+ * Copy bytes from source userspace to target buffer.
+ *
+ * Return: bytes remaining to be copied
+ */
+unsigned long
+binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,
+				 struct binder_buffer *buffer,
+				 binder_size_t buffer_offset,
+				 const void __user *from,
+				 size_t bytes)
+{
+	if (!check_buffer(alloc, buffer, buffer_offset, bytes))
+		return bytes;
+
+	while (bytes) {
+		unsigned long size;
+		unsigned long ret;
+		struct page *page;
+		pgoff_t pgoff;
+		void *kptr;
+
+		page = binder_alloc_get_page(alloc, buffer,
+					     buffer_offset, &pgoff);
+		size = min(bytes, (size_t)(PAGE_SIZE - pgoff));
+		kptr = (void *)((uintptr_t)kmap(page) + pgoff);
+		ret = copy_from_user(kptr, (const void __user *)(uintptr_t)from,
+				     size);
+		kunmap(page);
+		if (ret)
+			return bytes - size + ret;
+		bytes -= size;
+		from = (void __user *)(uintptr_t)from + size;
+		buffer_offset += size;
+	}
+	return 0;
+}
diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h
index c0aadbbf7f193..995155f31dbd4 100644
--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h
@@ -22,6 +22,7 @@
 #include <linux/vmalloc.h>
 #include <linux/slab.h>
 #include <linux/list_lru.h>
+#include <uapi/linux/android/binder.h>
 
 extern struct list_lru binder_alloc_lru;
 struct binder_transaction;
@@ -183,5 +184,12 @@ binder_alloc_get_user_buffer_offset(struct binder_alloc *alloc)
 	return alloc->user_buffer_offset;
 }
 
+unsigned long
+binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,
+				 struct binder_buffer *buffer,
+				 binder_size_t buffer_offset,
+				 const void __user *from,
+				 size_t bytes);
+
 #endif /* _LINUX_BINDER_ALLOC_H */
 
-- 
2.20.1.495.gaa96b0ce6b-goog