Cherry-pick (and squash) the following commits from wahoo-4.4 master:
* e57c9b42bc ANDROID: binder: eliminate diff between wahoo-4.4 and android-4.4-p
* 7c78280ad5 ANDROID: fix binder change in merge of 4.4.183
* 8c8becfb50 UPSTREAM: ANDROID: binder: correct the cmd print for BINDER_WORK_RETURN_ERROR
* 8d8dba571e UPSTREAM: ANDROID: binder: change down_write to down_read
* 8cfdf78fdf UPSTREAM: ANDROID: binder: re-order some conditions
* f9370f1680 UPSTREAM: ANDROID: binder: prevent transactions into own process.
* a97cdebfdb UPSTREAM: ANDROID: binder: synchronize_rcu() when using POLLFREE.
* 859f6fff3f UPSTREAM: binder: replace "%p" with "%pK"
* 139e6cba1b UPSTREAM: ANDROID: binder: remove WARN() for redundant txn error
* a632667db7 UPSTREAM: android: binder: Use true and false for boolean values
* 7b1d48ac5f UPSTREAM: android: binder: use VM_ALLOC to get vm area
* 6de52ef629 UPSTREAM: android: binder: Prefer __func__ to using hardcoded function name
* 423c3f5c01 UPSTREAM: android: binder: Use octal permissions
* 16cbb23d7b ANDROID: binder: Remove obsolete proc waitqueue.
* 414890c036 UPSTREAM: ANDROID: binder: make binder_alloc_new_buf_locked static and indent its arguments
* 6b044a7d70 UPSTREAM: android: binder: Check for errors in binder_alloc_shrinker_init().
* ce8d66c2cb ANDROID: binder: clarify deferred thread work.
* bfa9d65d0c UPSTREAM: android: binder: fix type mismatch warning
* a140fcd9c9 UPSTREAM: binder: free memory on error
The above commits originate from android-4.4-p common kernel.
They were tested and committed to wahoo-4.4 master first.
Now bringing the same changes to Wahoo QT-QPR2.
Bug: 115649143
Change-Id: If2bd1da782c6d878b6d04e32ca7a553980089ede
Signed-off-by: Petri Gynther <pgynther@google.com>
commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream.
The core dumping code has always run without holding the mmap_sem for
writing, despite that being the only way to ensure that the entire vma
layout will not change from under it. Only using some signal
serialization on the processes belonging to the mm is not nearly enough.
This was pointed out earlier. For example in Hugh's post from Jul 2017:
https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils
"Not strictly relevant here, but a related note: I was very surprised
to discover, only quite recently, how handle_mm_fault() may be called
without down_read(mmap_sem) - when core dumping. That seems a
misguided optimization to me, which would also be nice to correct"
In particular, because growsdown and growsup can move vm_start/vm_end,
the various loops the core dump does around the vma will not be
consistent if page faults can happen concurrently.
Pretty much all users calling mmget_not_zero()/get_task_mm() and then
taking the mmap_sem had the potential to introduce unexpected side
effects in the core dumping code.
Adding mmap_sem for writing around the ->core_dump invocation is a
viable long term fix, but it requires removing all copy user and page
faults and to replace them with get_dump_page() for all binary formats
which is not suitable as a short term fix.
For the time being this solution manually covers the places that can
confuse the core dump either by altering the vma layout or the vma flags
while it runs. Once ->core_dump runs under mmap_sem for writing the
function mmget_still_valid() can be dropped.
Allowing mmap_sem protected sections to run in parallel with the
coredump provides some minor parallelism advantage to the swapoff code
(which seems to be safe enough by never mangling any vma field and can
keep doing swapins in parallel to the core dumping) and to some other
corner case.
In order to facilitate the backporting I added "Fixes: 86039bd3b4e6"
however the side effect of this same race condition in /proc/pid/mem
should be reproducible since before 2.6.12-rc2 so I couldn't add any
other "Fixes:" because there's no hash beyond the git genesis commit.
Because find_extend_vma() is the only location outside of the process
context that could modify the "mm" structures under mmap_sem for
reading, by adding the mmget_still_valid() check to it, all other cases
that take the mmap_sem for reading don't need the new check after
mmget_not_zero()/get_task_mm(). The expand_stack() in page fault
context also doesn't need the new check, because all tasks under core
dumping are frozen.
Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com
Fixes: 86039bd3b4 ("userfaultfd: add new syscall to provide memory externalization")
Bug: 131964235
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Jann Horn <jannh@google.com>
Acked-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
[mhocko@suse.com: stable 4.4 backport
- drop infiniband part because of missing 5f9794dc94f59
- drop userfaultfd_event_wait_completion hunk because of
missing 9cd75c3cd4c3d
- handle binder_update_page_range because of missing 720c241924046
- handle mlx5_ib_disassociate_ucontext - akaher@vmware.com
]
Signed-off-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[danielmentz@google.com: wahoo 4.4 backport
- binder_update_page_range moved to binder_alloc.c
]
Change-Id: Ia431ab5e2bc7429e8d1411f0cf753cabab93d31e
commit 7bada55ab50697861eee6bb7d60b41e68a961a9c upstream
Malicious code can attempt to free buffers using the BC_FREE_BUFFER
ioctl to binder. There are protections against a user freeing a buffer
while in use by the kernel, however there was a window where
BC_FREE_BUFFER could be used to free a recently allocated buffer that
was not completely initialized. This resulted in a use-after-free
detected by KASAN with a malicious test program.
This window is closed by setting the buffer's allow_user_free attribute
to 0 when the buffer is allocated or when the user has previously freed
it instead of waiting for the caller to set it. The problem was that
when the struct buffer was recycled, allow_user_free was stale and set
to 1 allowing a free to go through.
Bug: 116855682
Change-Id: I0b38089f6fdb1adbf7e1102747e4119c9a05b191
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
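The window described in the commit message above, modelled as an added example (this is not binder code and not part of the original commit): a toy buffer pool in which a recycled slot keeps a stale allow_user_free flag, next to the corrected allocator that resets the flag at allocation and on user free. The pool, the `initialized` field and the return codes are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

/* One slot of the toy pool. allow_user_free mirrors the field the commit
 * message names; initialized stands in for "the kernel finished setting up
 * the buffer". Everything here is a constructed model, not binder's structs. */
struct toy_buffer {
    int in_use;
    int allow_user_free;
    int initialized;
};

struct toy_pool {
    struct toy_buffer bufs[POOL_SIZE];
};

static void pool_init(struct toy_pool *p)
{
    memset(p, 0, sizeof(*p));
}

/* Hand out the first free slot. With fixed == 0 the slot keeps whatever
 * allow_user_free value its previous owner left (the stale flag); with
 * fixed == 1 the flag is reset to 0 at allocation, as the patch does. */
static struct toy_buffer *pool_alloc(struct toy_pool *p, int fixed)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        struct toy_buffer *b = &p->bufs[i];
        if (b->in_use)
            continue;
        b->in_use = 1;
        b->initialized = 0;
        if (fixed)
            b->allow_user_free = 0;
        return b;
    }
    return NULL;
}

/* The owning kernel path finishes setup and only then permits a user free. */
static void buffer_mark_ready(struct toy_buffer *b)
{
    b->initialized = 1;
    b->allow_user_free = 1;
}

/* Models the BC_FREE_BUFFER check. Returns 0 on a legitimate free, -1 when
 * the request is refused, and -2 when a buffer that was never marked ready
 * was released (the window the commit message describes). With fixed == 1
 * the flag is also cleared on free, closing the second half of the window. */
static int buffer_user_free(struct toy_buffer *b, int fixed)
{
    if (!b->in_use || !b->allow_user_free)
        return -1;
    int was_ready = b->initialized;
    b->in_use = 0;
    if (fixed)
        b->allow_user_free = 0;
    return was_ready ? 0 : -2;
}

/* Scenario: a buffer is allocated, marked ready and freed by the user; the
 * same slot is then recycled for a new buffer, and a user free arrives before
 * the owner has marked that new buffer ready. Returns that last call's result. */
static int recycle_scenario(int fixed)
{
    struct toy_pool pool;
    pool_init(&pool);

    struct toy_buffer *first = pool_alloc(&pool, fixed);
    buffer_mark_ready(first);
    if (buffer_user_free(first, fixed) != 0)
        return -99; /* constructed scenario went off-script */

    struct toy_buffer *recycled = pool_alloc(&pool, fixed); /* same slot 0 */
    return buffer_user_free(recycled, fixed);
}

int main(void)
{
    printf("stale flag allocator: %d (-2 = half-initialised buffer freed)\n",
           recycle_scenario(0));
    printf("reset-on-alloc allocator: %d (-1 = free refused)\n",
           recycle_scenario(1));
    return 0;
}
```

The point the model makes is that the invariant "a user may free this buffer" must be re-established by the allocator on every allocation rather than inherited from the slot's previous life; clearing it again on free is belt-and-braces for the same reason.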
An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.
If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This can result in
calling zap_page_range() with an invalid vma which manifests as a
use-after-free in zap_page_range().
The fix is to check alloc->vma after acquiring the mmap_sem (which we
were acquiring anyway) and bail out of binder_alloc_free_page() if it
has changed to NULL.
Bug: 120025196
Change-Id: I9ea0558a57635a747d7a48ed35991d39b860abf6
Signed-off-by: Todd Kjos <tkjos@google.com>
Show the high watermark of the index into the alloc->pages
array, to facilitate sizing the buffer on a per-process
basis.
Change-Id: I2b40cd16628e0ee45216c51dc9b3c5b0c862032e
Signed-off-by: Martijn Coenen <maco@android.com>
(from https://patchwork.kernel.org/patch/9954125/)
Use binder_alloc struct's mm_struct rather than getting
a reference to the mm struct through get_task_mm to
avoid a potential deadlock between lru lock, task lock and
dentry lock, since a thread can be holding the task lock
and the dentry lock while trying to acquire the lru lock.
Test: ran binderLibTest, throughputtest, interfacetest and
mempressure w/lockdep
Bug: 63926541
Change-Id: Icc661404eb7a4a2ecc5234b1bf8f0104665f9b45
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Sherry Yang <sherryy@android.com>
(from https://patchwork.kernel.org/patch/9954123/)
The vma argument in update_page_range is no longer
used after 74310e06 ("android: binder: Move buffer
out of area shared with user space"), since mmap_handler
no longer calls update_page_range with a vma.
Test: ran binderLibTest, throughputtest, interfacetest and mempressure
Bug: 36007193
Change-Id: Ibd6f24c11750f8f7e6ed56e40dd18c08e02ace25
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Sherry Yang <sherryy@android.com>
(from https://patchwork.kernel.org/patch/9945123/)
Drop the global lru lock in isolate callback
before calling zap_page_range which calls
cond_resched, and re-acquire the global lru
lock before returning. Also change return
code to LRU_REMOVED_RETRY.
Use mmput_async when failing to acquire mmap_sem
in an atomic context.
Fix "BUG: sleeping function called from invalid context"
errors when CONFIG_DEBUG_ATOMIC_SLEEP is enabled.
Bug: 63926541
Change-Id: I45dbada421b715abed9a66d03d30ae2285671ca1
Fixes: f2517eb76f1f2 ("android: binder: Add global lru shrinker to binder")
Reported-by: Kyle Yan <kyan@codeaurora.org>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Sherry Yang <sherryy@android.com>
(from https://patchwork.kernel.org/patch/9928611/)
Add the number of active, lru, and free pages for
each binder process in binder stats
Bug: 63926541
Change-Id: I118d3a647c487fab026d2530278ba5cae841dc30
Signed-off-by: Sherry Yang <sherryy@android.com>
(from https://patchwork.kernel.org/patch/9928613/)
Add tracepoints in binder transaction allocator to
record lru hits and alloc/free page.
Bug: 63926541
Change-Id: I6ad27a87cb5670372fa1166678e8bd667f83d307
Signed-off-by: Sherry Yang <sherryy@android.com>
(from https://patchwork.kernel.org/patch/9928615/)
Hold on to the pages allocated and mapped for transaction
buffers until the system is under memory pressure. When
that happens, use linux shrinker to free pages. Without
using shrinker, patch "android: binder: Move buffer out
of area shared with user space" will cause a significant
slow down for small transactions that fit into the first
page because free list buffer header used to be inlined
with buffer data.
In addition to preventing the performance regression for
small transactions, this patch improves the performance
for transactions that take up more than one page.
Modify alloc selftest to work with the shrinker change.
Test: Run memory intensive applications (Chrome and Camera)
to trigger shrinker callbacks. Binder frees memory as expected.
Test: Run binderThroughputTest with high memory pressure
option enabled.
Bug: 63926541
Change-Id: I9503540739a54bef6c7f6d424cd3bfebdece2f7a
Signed-off-by: Sherry Yang <sherryy@android.com>
(from https://patchwork.kernel.org/patch/9928607/)
Binder driver allocates buffer meta data in a region that is mapped
in user space. These meta data contain pointers in the kernel.
This patch allocates buffer meta data on the kernel heap that is
not mapped in user space, and uses a pointer to refer to the data mapped.
Also move alloc->buffers initialization from mmap to init since it's
now used even when mmap failed or was not called.
Bug: 36007193
Change-Id: Ia306b4dec9dab67b2d3c9658375435ba9923ff50
Signed-off-by: Sherry Yang <sherryy@android.com>
(from https://patchwork.kernel.org/patch/9928605/)
Use helper functions buffer_next and buffer_prev instead
of list_entry to get the next and previous buffers.
Bug: 36007193
Change-Id: I1a4b13021e6181a1fb174db57bd291a5e302289e
Signed-off-by: Sherry Yang <sherryy@android.com>
(from https://patchwork.kernel.org/patch/9817815/)
Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.
Bug: 36650912
Change-Id: I7e5e9af53cdd27222f7a6c813e25d8abea811bfd
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
(from https://patchwork.kernel.org/patch/9817751/)
Add additional information to determine the cause of binder
failures. Adds the following to failed transaction log and
kernel messages:
return_error : value returned for transaction
return_error_param : errno returned by binder allocator
return_error_line : line number where error detected
Also, return BR_DEAD_REPLY if an allocation error indicates
a dead proc (-ESRCH)
Bug: 36406078
Change-Id: I99477a4eb3919b1122caaef922a19600aaa90d9e
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
(from https://patchwork.kernel.org/patch/9817753/)
Move the binder allocator functionality to its own file
Continuation of splitting the binder allocator from the binder
driver. Split binder_alloc functions from normal binder functions.
Add kernel doc comments to functions declared extern in
binder_alloc.h
Change-Id: I8f1a967375359078b8e63c7b6b88a752c374a64a
Signed-off-by: Todd Kjos <tkjos@google.com>
Revert all the fine-grained locking and later patches so we can
merge the latest version of the binder driver from upstream
This reverts these commits:
4cb89f9e0f ANDROID: binder: don't enqueue death notifications to thread todo.
ee1eb67d88 ANDROID: binder: Switch binder_deferred_lock to a spinlock.
668537b30e android: binder: Move buffer out of area shared with user space
6a89fb9f7a android: binder: Add allocator selftest
0e9d8599d7 android: binder: Refactor prev and next buffer into a helper function
2410d72197 binder: always allocate/map first BINDER_MIN_ALLOC pages
b37ba51aa9 Add BINDER_GET_NODE_DEBUG_INFO ioctl
a1f38bfe50 ANDROID: binder: call poll_wait() unconditionally.
9359a93d41 ANDROID: binder: don't queue async transactions to thread.
991e8349d2 ANDROID: binder: fix race in thread cleanup.
cc0bec85bc ANDROID: binder: correctly initialize ref to zombie node.
8de4509205 binder: fix rb_insert_color crash
533020a794 binder: add target pid:tid to transaction failed message
6604007441 Revert "binder: clear rb nodes before inserting"
911673a208 ANDROID: binder: don't check prio permissions on restore.
92d6d33a36 ANDROID: binder: fix death race conditions.
b5f8fb6ac0 binder: clear rb nodes before inserting
cd293dbeb8 binder: allow binder_alloc_get_user_buffer_offset when proc dying
3c28d4f40e binder: eliminate possible OOO mutex acq in binder_mmap
a9bd05a7d2 binder: use atomic for transaction_log index
742755f37c ANDROID: binder: improve priority inheritance for oneway.
539760bcea ANDROID: binder: add min sched_policy to node.
1e99fc9c25 ANDROID: binder: Add tracing for binder priority inheritance.
9351657436 ANDROID: binder: do proper priority inheritance checking.
155fa2bb21 ANDROID: binder: blacklist %p kptr_restrict
81013cdd62 binder: protect against stale pointers in print_binder_transaction
eda5c2c85d binder: protect against two threads freeing buffer
4ea3c9accb binder: guarantee txn complete / errors delivered in-order
cccd311546 ANDROID: binder: improve priority inheritance.
47747abe74 ANDROID: binder: push new transactions to waiting threads.
7f27d5bc65 ANDROID: binder: remove proc waitqueue.
777b711e0c binder: add missing locks for transaction_stack and return_error
1bfb0526f6 Merge branch 'android-msm-8998-4.4-common' into android-msm-wahoo-4.4
3c9f33d6b0 binder: allow new refs to zombie nodes if other refs exist
d668aac7f1 binder: make FIFO inheritance a per-context option
333086d0cb binder: add log information for binder transaction failures
00c7cfdff5 binder_alloc: prevent possible OOO mutex acquisition
1c8a9c8183 binder: fix false BUG_ON
3257ab4314 binder: avoid using strong references on nodes for internal refs
88c8126c20 binder: make inc/ref user commands atomic with node state
a790f8b2ad binder: prevent long delays in zombie reaping
bbef697a0b binder: protect enqueuing of death notifications
01228354e4 ANDROID: binder: add more debug info when allocation fails.
7b7c3cb589 binder: read thread sequence number on every iteration when reaping
e98c35d65d binder: make active thread sequence counter 64-bit
aa8bac23d5 binder: prevent new refs to zombie nodes
773fc2f1ee android: binder: use copy_from_user_preempt_disabled
53d223b94f binder: use group leader instead of open thread
e14ae0a106 android: binder: don't change schedpolicy for oneway calls.
7a154d0e3e android: binder: have threads inherit scheduling policy.
e04d752ca7 binder: remove global binder lock
f120798fab binder: ensure binder_node has reference when starting transaction
8b8d920edd binder: fix use-after-free discovered with KASAN
b31b594bd1 binder: return BR_DEAD_REPLY if target proc is dying
6956e166c1 binder: fix possible race with put_files_struct
fade544640 binder: Make sure BR_TRANSACTION_COMPLETE is handled before reply
cfc2155f1b binder: fix thread hangs waiting for proc work
c9c6590330 binder: don't modify thread->looper from other threads
e3ede3cdf6 binder: Fix overly strict assertion in binder_pop_transaction
9cce95e7c6 binder: make sure todo lists are handled in-order
097a1e2bfc binder: fix binder_ref delete-before-add race
7b7208746b binder: fix race condition between delete/add new ref on node
005172f700 binder: add zombie list to cleanup dead refs
902a22e61b binder: add active thread tracking and deferred free
b5fc610f20 binder: add locking for print functions
edbe2b61b9 binder: add spinlocks to protect proc, node, thread, and ref
1f6c11ca4b binder: add spinlocks to protect todo lists
c3eef445f4 binder: use atomics for weak/strong counters
c363358e81 binder: change binder_stats to atomics
fd24ab4afc binder: use mutexes for non-perf cases
ec80df4a97 binder: move binder allocator to separate file
8a990d2ecb binder: use mutex for binder allocator
707d528ce5 binder: separate binder allocator structure from binder proc
Binder driver allocates buffer meta data in a region that is mapped
in user space. These meta data contain pointers in the kernel.
This patch allocates buffer meta data on the kernel heap that is
not mapped in user space, and uses a pointer to refer to the data mapped.
Also move alloc->buffers initialization from mmap to init since it's
now used even when mmap failed or was not called.
Bug: 36007193
Change-Id: I66d4221d257bbb539a5e5f259d383084746e6773
Signed-off-by: Sherry Yang <sherryy@android.com>
binder_alloc_selftest tests that alloc_new_buf handles page allocation and
deallocation properly when allocating and freeing buffers. The test allocates 5
buffers of various sizes to cover all possible page alignment cases, and
frees the buffers using a list of exhaustive freeing order.
Test: boot the device with ANDROID_BINDER_IPC_SELFTEST config option enabled.
Allocator selftest passes.
Bug: 36007193
Change-Id: I7b903390ac4ba5b59a15b28dff620ea038c86bf7
Signed-off-by: Sherry Yang <sherryy@android.com>
Certain use cases like camera are constantly allocating and freeing
binder buffers beyond the first 4k resulting in mmap_sem contention.
If we expand the allocated range from 4k to something higher, we can
reduce the contention. Tests show that 6 pages is enough to cause very
few update_page_range operations and reduces contention.
Bug: 36727951
Change-Id: I28bc3fb9b33c764c257e28487712fce2a3c1078b
Reported-by: Tim Murray <timmurray@google.com>
Signed-off-by: Joel Fernandes <joelaf@google.com>
Pre-allocate 1 instead of 6 pages as in the original patch,
as we use this pre-allocated page to prevent the first page
from getting unpinned after removing the buffer headers,
rather than pinning pages to speedup larger transactions.
Change-Id: Id027adcfd61b2d6b37f69a3f6009a068e90e84f0
Signed-off-by: Sherry Yang <sherryy@android.com>
binder_mmap is called with mmap_sem held. binder_alloc_mmap_handler
acquires alloc->mutex so the order is mmap_sem --> alloc->mutex.
In other binder_alloc functions, the mmap_sem is acquired with
alloc->mutex held which could lead to a deadlock (though in practice
it may be impossible to hit because mmap runs once for binder
process and the other paths can't be reached unless mmap has run).
Bug: 38397347
Test: tested manually
Change-Id: I1dd926bcc25980301dfc42fa5d830fc05a2efef9
Signed-off-by: Todd Kjos <tkjos@google.com>
Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.
Bug: 36650912
Change-Id: I43e078cbf31c0789aaff5ceaf8f1a94c75f79d45
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
Add additional information to determine the cause of binder
failures. Adds the following to failed transaction log and
kernel messages:
return_error : value returned for transaction
return_error_param : errno returned by binder allocator
return_error_line : line number where error detected
Bug: 36406078
Change-Id: Ifc8881fa5adfcced3f2d67f9030fbd3efa3e2cab
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
Fix possible deadlock:
1. In most binder_alloc paths, the binder_alloc mutex is acquired before
calling into mm functions which can acquire the mmap_sem
2. During address space teardown, the mm system acquires mmap_sem which
can call into binder_alloc_vma_close which acquires the binder_alloc
mutex
Since they are acquired in opposite order, a thread doing #1 can
deadlock with a thread doing #2. There are no known cases where
this was seen, but it is possible.
The binder alloc mutex doesn't need to be acquired in the vma_close
path.
Bug: 36524239
Test: tested manually
Change-Id: I40b077fc3bc01e37b389043f2966257797ee9ce5
Signed-off-by: Todd Kjos <tkjos@google.com>
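The two lock orders from the commit message above, run through a small lock-order tracker, as an added example (this is not kernel or lockdep code and not part of the original commit). The tracker records "lock A was held when lock B was taken" edges and flags an acquisition that would close a cycle, which is exactly the alloc->mutex / mmap_sem inversion described; the lock names, the `lock_acquire` API and the two path functions are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 4
#define MAX_HELD  4

/* Hypothetical lock identities standing in for the two locks in the text. */
enum { LOCK_ALLOC_MUTEX = 0, LOCK_MMAP_SEM = 1 };
static const char *lock_name[MAX_LOCKS] = { "alloc->mutex", "mmap_sem" };

/* Directed graph of observed orderings: before[a][b] == 1 means some thread
 * took lock a and then, while still holding it, took lock b. */
struct order_graph {
    int before[MAX_LOCKS][MAX_LOCKS];
};

/* Per-thread record of which locks are currently held. */
struct thread_ctx {
    int held[MAX_HELD];
    int nheld;
};

static void graph_init(struct order_graph *g)
{
    memset(g, 0, sizeof(*g));
}

/* Depth-first search: is there an ordering path from 'from' to 'to'? */
static int reachable(const struct order_graph *g, int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < MAX_LOCKS; n++)
        if (g->before[from][n] && !seen[n] && reachable(g, n, to, seen))
            return 1;
    return 0;
}

/* Record an acquisition. Returns 1 if the new edge (held -> lock) closes a
 * cycle, i.e. inverts an order seen earlier, otherwise 0. */
static int lock_acquire(struct order_graph *g, struct thread_ctx *t, int lock)
{
    int inversion = 0;
    for (int i = 0; i < t->nheld; i++) {
        int held = t->held[i];
        int seen[MAX_LOCKS] = {0};
        if (reachable(g, lock, held, seen)) {
            fprintf(stderr, "lock-order inversion: %s taken while holding %s, "
                    "but %s was previously taken before %s\n",
                    lock_name[lock], lock_name[held],
                    lock_name[lock], lock_name[held]);
            inversion = 1;
        }
        g->before[held][lock] = 1;
    }
    if (t->nheld < MAX_HELD)
        t->held[t->nheld++] = lock;
    return inversion;
}

static void lock_release(struct thread_ctx *t, int lock)
{
    for (int i = 0; i < t->nheld; i++) {
        if (t->held[i] == lock) {
            memmove(&t->held[i], &t->held[i + 1],
                    (size_t)(t->nheld - i - 1) * sizeof(int));
            t->nheld--;
            return;
        }
    }
}

/* Path #1 from the commit message: binder_alloc mutex first, then mmap_sem. */
static int binder_alloc_path(struct order_graph *g)
{
    struct thread_ctx t = {{0}, 0};
    int inv = lock_acquire(g, &t, LOCK_ALLOC_MUTEX);
    inv |= lock_acquire(g, &t, LOCK_MMAP_SEM);
    lock_release(&t, LOCK_MMAP_SEM);
    lock_release(&t, LOCK_ALLOC_MUTEX);
    return inv;
}

/* Path #2: address-space teardown holds mmap_sem and calls vma_close.
 * take_alloc_mutex == 1 models the old vma_close; 0 models the fix. */
static int vma_close_path(struct order_graph *g, int take_alloc_mutex)
{
    struct thread_ctx t = {{0}, 0};
    int inv = lock_acquire(g, &t, LOCK_MMAP_SEM);
    if (take_alloc_mutex) {
        inv |= lock_acquire(g, &t, LOCK_ALLOC_MUTEX);
        lock_release(&t, LOCK_ALLOC_MUTEX);
    }
    lock_release(&t, LOCK_MMAP_SEM);
    return inv;
}

/* Run both paths against one shared ordering graph; 1 if an inversion was seen. */
static int check_ordering(int vma_close_takes_mutex)
{
    struct order_graph g;
    graph_init(&g);
    int inv = binder_alloc_path(&g);
    inv |= vma_close_path(&g, vma_close_takes_mutex);
    return inv;
}

int main(void)
{
    printf("old vma_close: inversion=%d\n", check_ordering(1));
    printf("fixed vma_close: inversion=%d\n", check_ordering(0));
    return 0;
}
```

Only the ordering is tracked, not actual blocking, so the example never deadlocks: it reports the potential cycle in the way lockdep would, which is what makes this class of bug findable in testing even when, as the commit says, no real hang had been observed.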
The binder allocator assumes that the thread that
called binder_open will never die for the lifetime of
that proc. That thread is normally the group_leader,
however it may not be. Use the group_leader instead
of current.
Bug: 35707103
Test: Created test case to open with temporary thread
Change-Id: Id693f74b3591f3524a8c6e9508e70f3e5a80c588
Signed-off-by: Todd Kjos <tkjos@google.com>
No changes in logic. Move binder allocator to separate
binder_alloc.c and binder_alloc.h files.
Bug: 33250092 32225111
Change-Id: I8f1a967375359078b8e63c7b6b88a752c374a64a
Signed-off-by: Todd Kjos <tkjos@google.com>