Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.18.18 2018-05-14T14:06:48+00:00 2018-05-14T14:06:48+00:00 Souptick Joarder jrdr.linux@gmail.com 2018-04-23T16:24:00+00:00 urn:sha1:e19f70aa02f34abd4c5740f761f4694e9a7c8b3d Use new return type vm_fault_t for fault handler in struct vm_operations_struct. For now, this is just documenting that the function returns a VM_FAULT value rather than an errno. Once all instances are converted, vm_fault_t will become a distinct type. Reference id -> 1c8f422059ae ("mm: change return type to vm_fault_t") Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-14T14:06:48+00:00 Minchan Kim minchan@kernel.org 2018-05-07T14:15:37+00:00 urn:sha1:720c241924046aff83f5f2323232f34a30a4c281 binder_update_page_range needs down_write of mmap_sem because vm_insert_page need to change vma->vm_flags to VM_MIXEDMAP unless it is set. However, when I profile binder working, it seems every binder buffers should be mapped in advance by binder_mmap. It means we could set VM_MIXEDMAP in binder_mmap time which is already hold a mmap_sem as down_write so binder_update_page_range doesn't need to hold a mmap_sem as down_write. Please use proper API down_read. It would help mmap_sem contention problem as well as fixing down_write abuse. Ganesh Mahendran tested app launching and binder throughput test and he said he couldn't find any problem and I did binder latency test per Greg KH request(Thanks Martijn to teach me how I can do) I cannot find any problem, too. Cc: Ganesh Mahendran <opensource.ganesh@gmail.com> Cc: Joe Perches <joe@perches.com> Cc: Arve Hjønnevåg <arve@android.com> Cc: Todd Kjos <tkjos@google.com> Reviewed-by: Martijn Coenen <maco@android.com> Signed-off-by: Minchan Kim <minchan@kernel.org> Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-14T14:06:48+00:00 宋金时 songjinshi@xiaomi.com 2018-05-10T02:05:03+00:00 urn:sha1:838d5565669aa5bb7deb605684a5970d51d5eaf6 When to execute binder_stat_br the e->cmd has been modifying as BR_OK instead of the original return error cmd, in fact we want to know the original return error, such as BR_DEAD_REPLY or BR_FAILED_REPLY, etc. instead of always BR_OK, in order to avoid the value of the e->cmd is always BR_OK, so we need assign the value of the e->cmd to cmd before e->cmd = BR_OK. Signed-off-by: songjinshi <songjinshi@xiaomi.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-14T14:06:48+00:00 Martijn Coenen maco@google.com 2018-05-11T08:45:24+00:00 urn:sha1:1190b4e38f97023154e6b3bef61b251aa5f970d0 New devices launching with Android P need to use the 64-bit binder interface, even on 32-bit SoCs [0]. This change removes the Kconfig option to select the 32-bit binder interface. We don't think this will affect existing userspace for the following reasons: 1) The latest Android common tree is 4.14, so we don't believe any Android devices are on kernels >4.14. 2) Android devices launch on an LTS release and stick with it, so we wouldn't expect devices running on <= 4.14 now to upgrade to 4.17 or later. But even if they did, they'd rebuild the world (kernel + userspace) anyway. 3) Other userspaces like 'anbox' are already using the 64-bit interface. Note that this change doesn't remove the 32-bit UAPI itself; the reason for that is that Android userspace always uses the latest UAPI headers from upstream, and userspace retains 32-bit support for devices that are upgrading. This will be removed as well in 2-3 years, at which point we can remove the code from the UAPI as well. Finally, this change introduces build errors on archs where 64-bit get_user/put_user is not supported, so make binder unavailable on m68k (which wouldn't want it anyway). [0]: https://android-review.googlesource.com/c/platform/build/+/595193 Signed-off-by: Martijn Coenen <maco@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-04-30T12:05:54+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-04-30T12:05:54+00:00 urn:sha1:720d690e3680d8ae5fcf86f8614c1a10b4ee7605 We want the fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-04-23T10:14:37+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-03-29T09:14:40+00:00 urn:sha1:361f2ddbb0c9f9b4f336025a7bd0212cea4a34f0 It doesn't make any difference to runtime but I've switched these two checks to make my static checker happy. The problem is that "buffer->data_size" is user controlled and if it's less than "sizeo(*hdr)" then that means "offset" can be more than "buffer->data_size". It's just cleaner to check it in the other order. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Martijn Coenen <maco@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-04-23T10:12:41+00:00 Martijn Coenen maco@android.com 2018-03-28T09:14:50+00:00 urn:sha1:7aa135fcf26377f92dc0680a57566b4c7f3e281b This can't happen with normal nodes (because you can't get a ref to a node you own), but it could happen with the context manager; to make the behavior consistent with regular nodes, reject transactions into the context manager by the process owning it. Reported-by: syzbot+09e05aba06723a94d43d@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-02-16T10:16:38+00:00 Martijn Coenen maco@android.com 2018-02-16T08:47:15+00:00 urn:sha1:5eeb2ca02a2f6084fc57ae5c244a38baab07033a To prevent races with ep_remove_waitqueue() removing the waitqueue at the same time. Reported-by: syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> # 4.14+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-02-16T10:16:38+00:00 Todd Kjos tkjos@android.com 2018-02-07T21:57:37+00:00 urn:sha1:8ca86f1639ec5890d400fff9211aca22d0a392eb The format specifier "%p" can leak kernel addresses. Use "%pK" instead. There were 4 remaining cases in binder.c. Signed-off-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-02-16T10:15:45+00:00 Todd Kjos tkjos@android.com 2018-02-07T20:38:47+00:00 urn:sha1:e46a3b3ba7509cb7fda0e07bc7c63a2cd90f579b binder_send_failed_reply() is called when a synchronous transaction fails. It reports an error to the thread that is waiting for the completion. Given that the transaction is synchronous, there should never be more than 1 error response to that thread -- this was being asserted with a WARN(). However, when exercising the driver with syzbot tests, cases were observed where multiple "synchronous" requests were sent without waiting for responses, so it is possible that multiple errors would be reported to the thread. This testing was conducted with panic_on_warn set which forced the crash. This is easily reproduced by sending back-to-back "synchronous" transactions without checking for any response (eg, set read_size to 0): bwr.write_buffer = (uintptr_t)&bc1; bwr.write_size = sizeof(bc1); bwr.read_buffer = (uintptr_t)&br; bwr.read_size = 0; ioctl(fd, BINDER_WRITE_READ, &bwr); sleep(1); bwr2.write_buffer = (uintptr_t)&bc2; bwr2.write_size = sizeof(bc2); bwr2.read_buffer = (uintptr_t)&br; bwr2.read_size = 0; ioctl(fd, BINDER_WRITE_READ, &bwr2); sleep(1); The first transaction is sent to the servicemanager and the reply fails because no VMA is set up by this client. After binder_send_failed_reply() is called, the BINDER_WORK_RETURN_ERROR is sitting on the thread's todo list since the read_size was 0 and the client is not waiting for a response. The 2nd transaction is sent and the BINDER_WORK_RETURN_ERROR has not been consumed, so the thread's reply_error.cmd is still set (normally cleared when the BINDER_WORK_RETURN_ERROR is handled). Therefore when the servicemanager attempts to reply to the 2nd failed transaction, the error is already set and it triggers this warning. This is a user error since it is not waiting for the synchronous transaction to complete. If it ever does check, it will see an error. Changed the WARN() to a pr_warn(). Signed-off-by: Todd Kjos <tkjos@android.com> Reported-by: syzbot <syzkaller@googlegroups.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>