- 05 Dec, 2023 20 commits
-
-
Carlos Llamas authored
The debug information in this statement is already logged earlier in the same function. We can get rid of this duplicate log. Signed-off-by:
Carlos Llamas <cmllamas@google.com> Reviewed-by:
Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20231201172212.1813387-21-cmllamas@google.comSigned-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Carlos Llamas authored
Split out the insertion of pages to be outside of the alloc->mutex in a separate binder_install_buffer_pages() routine. Since this is no longer serialized, we must look at the full range of pages used by the buffers. The installation is protected with mmap_sem in write mode since multiple tasks might race to install the same page. Besides avoiding unnecessary nested locking this helps in preparation of switching the alloc->mutex into a spinlock_t in subsequent patches. Signed-off-by:
-
Carlos Llamas authored
Rather than repeatedly initializing some of the binder_lru_page members during binder_alloc_new_buf(), perform this initialization just once in binder_alloc_mmap_handler(), after the pages have been created. Reviewed-by:
-
Carlos Llamas authored
Preallocate new_buffer before acquiring the alloc->mutex and hand it down to binder_alloc_new_buf_locked(). The new buffer will be used in the vast majority of requests (measured at 98.2% in field data). The buffer is discarded otherwise. This change is required in preparation for transitioning alloc->mutex into a spinlock in subsequent commits. Signed-off-by:
-
Carlos Llamas authored
Instead of looping through the page range twice to first determine if the mmap lock is required, simply do it per-page as needed. Split out all this logic into a separate binder_install_single_page() function. Reviewed-by:
-
Carlos Llamas authored
Move this function up along with binder_alloc_get_page() so that their prototypes aren't necessary. No functional change in this patch. Reviewed-by:
-
Carlos Llamas authored
Move the low async space calculation to debug_low_async_space_locked(). This logic not only fits better here but also offloads some of the many tasks currently done in binder_alloc_new_buf_locked(). No functional change in this patch. Reviewed-by:
-
Carlos Llamas authored
Move the no-space debugging logic into a separate function. Lets also mark this branch as unlikely in binder_alloc_new_buf_locked() as most requests will fit without issue. Also add a few cosmetic changes and suggestions from checkpatch. Reviewed-by:
-
Carlos Llamas authored
Binder attributes the buffer allocation to the current->tgid everytime. There is no need to pass this as a parameter so drop it. Also add a few touchups to follow the coding guidelines. No functional changes are introduced in this patch. Reviewed-by:
-
Carlos Llamas authored
Extract non-critical sections from binder_alloc_new_buf_locked() that don't require holding the alloc->mutex. While we are here, consolidate the checks for size overflow and zero-sized padding into a separate sanitized_size() helper function. Also add a few touchups to follow the coding guidelines. Signed-off-by:
-
Carlos Llamas authored
The binder_update_page_range() function performs both allocation and freeing of binder pages. However, these two operations are unrelated and have no common logic. In fact, when a free operation is requested, the allocation logic is skipped entirely. This behavior makes the error path unnecessarily complex. To improve readability of the code, this patch splits the allocation and freeing operations into separate functions. No functional changes are introduced by this patch. Reviewed-by:
-
Carlos Llamas authored
The vma addresses in binder are currently stored as void __user *. This requires casting back and forth between the mm/ api which uses unsigned long. Since we also do internal arithmetic on these addresses we end up having to cast them _again_ to an integer type. Lets stop all the unnecessary casting which kills code readability and store the virtual addresses as the native unsigned long from mm/. Note that this approach is preferred over uintptr_t as Linus explains in [1]. Opportunistically add a few cosmetic touchups. Link: https://lore.kernel.org/all/CAHk-=wj2OHy-5e+srG1fy+ZU00TmZ1NFp6kFLbVLMXHe7A1d-g@mail.gmail.com/ [1] Signed-off-by:
-
Carlos Llamas authored
The kernel coding style does not require 'extern' in function prototypes in .h files, so remove them from drivers/android/binder_alloc.h as they are not needed. No functional changes in this patch. Reviewed-by:
-
Carlos Llamas authored
Update the comments of binder_alloc_new_buf() to reflect that the return value of the function is now ERR_PTR(-errno) on failure. No functional changes in this patch. Cc: stable@vger.kernel.org Fixes: 57ada2fb ("binder: add log information for binder transaction failures") Reviewed-by:
-
Carlos Llamas authored
Fix minor misspelling of the function in the comment section. No functional changes in this patch. Cc: stable@vger.kernel.org Fixes: 0f966cba ("binder: add flag to clear buffer on txn complete") Reviewed-by:
-
Carlos Llamas authored
Each transaction is associated with a 'struct binder_buffer' that stores the metadata about its buffer area. Since commit 74310e06 ("android: binder: Move buffer out of area shared with user space") this struct is no longer embedded within the buffer itself but is instead allocated on the heap to prevent userspace access to this driver-exclusive info. Unfortunately, the space of this struct is still being accounted for in the total buffer size calculation, specifically for async transactions. This results in an additional 104 bytes added to every async buffer request, and this area is never used. This wasted space can be substantial. If we consider the maximum mmap buffer space of SZ_4M, the driver will reserve half of it for async transactions, or 0x200000. This area should, in theory, accommodate up to 262,144 buffers of the minimum 8-byte size. However, after adding the extra 'sizeof(struct binder_buffer)', the total number of buffers drops to only 18,724, which is a sad 7.14% of the actual capacity. This patch fixes the buffer size calculation to enable the utilization of the entire async buffer space. This is expected to reduce the number of -ENOSPC errors that are seen on the field. Fixes: 74310e06 ("android: binder: Move buffer out of area shared with user space") Signed-off-by:
-
Carlos Llamas authored
Move the padding of 0-sized buffers to an earlier stage to account for this round up during the alloc->free_async_space check. Fixes: 74310e06 ("android: binder: Move buffer out of area shared with user space") Reviewed-by:
-
Carlos Llamas authored
Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A. Task A | Task B ------------------+------------------ mmget_not_zero() | | do_exit() | exit_mm() | mmput() mmput() | exit_mmap() | remove_vma() | fput() | In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead). This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then. In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A. Fixes: 457b9a6f ("Staging: android: add binder driver") Reviewed-by: -
Carlos Llamas authored
The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2 ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated. I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF: ================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478 CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144 Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24 Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway. Fixes: dd2283f2 ("mm: mmap: zap pages with read mmap_sem in munmap") Cc: stable@vger.kernel.org Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Minchan Kim <minchan@kernel.org> Reviewed-by:
-
Carlos Llamas authored
Use EPOLLERR instead of POLLERR to make sure it is cast to the correct __poll_t type. This fixes the following sparse issue: drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types) drivers/android/binder.c:5030:24: expected restricted __poll_t drivers/android/binder.c:5030:24: got int Fixes: f8898267 ("binder: check for binder_thread allocation failure in binder_poll()") Cc: stable@vger.kernel.org Cc: Eric Biggers <ebiggers@google.com> Reviewed-by:
-
- 30 Nov, 2023 1 commit
-
-
Babis Chalios authored
We receive an ACPI notification every time the VM Generation ID changes and use the new ID as fresh randomness added to the entropy pool. This commits emits a uevent every time we receive the ACPI notification, as a means to notify the user space that it now is in a new VM. Signed-off-by:
Babis Chalios <bchalios@amazon.es> Reviewed-by:
Alexander Graf <graf@amazon.com> Reviewed-by:
Lennart Poettering <mzxreary@0pointer.de> Link: https://lore.kernel.org/r/20230531095119.11202-2-bchalios@amazon.esSigned-off-by:
-
- 28 Nov, 2023 3 commits
-
-
Alexander Graf authored
When running Linux inside a Nitro Enclave, the hypervisor provides a special virtio device called "Nitro Security Module" (NSM). This device has 3 main functions: 1) Provide attestation reports 2) Modify PCR state 3) Provide entropy This patch adds a driver for NSM that exposes a /dev/nsm device node which user space can issue an ioctl on this device with raw NSM CBOR formatted commands to request attestation documents, influence PCR states, read entropy and enumerate status of the device. In addition, the driver implements a hwrng backend. Originally-by:
Petre Eftime <petre.eftime@gmail.com> Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20231011213522.51781-1-graf@amazon.comSigned-off-by:
-
Lukas Bulwahn authored
Commit e9e3300b ("vgacon: rework Kconfig dependencies") turns the dependencies into a positive list of supported architectures, which includes the IA64 architecture, but in the meantime, this architecture is removed in commit cf8e8658 ("arch: Remove Itanium (IA-64) architecture"). Drop the reference to IA64 architecture in the dependency list of the VGA_CONSOLE config definition. Signed-off-by:
Lukas Bulwahn <lukas.bulwahn@gmail.com> Acked-by:
Javier Martinez Canillas <javierm@redhat.com> Link: https://lore.kernel.org/r/20231110114400.30882-1-lukas.bulwahn@gmail.comSigned-off-by:
-
Uwe Kleine-König authored
The .remove() callback for a platform driver returns an int which makes many driver authors wrongly assume it's possible to do error handling by returning an error code. However the value returned is ignored (apart from emitting a warning) and this typically results in resource leaks. To improve here there is a quest to make the remove callback return void. In the first step of this quest all drivers are converted to .remove_new(), which already returns void. Eventually after all drivers are converted, .remove_new() will be renamed to .remove(). Trivially convert this driver from always returning zero in the remove callback to the void returning variant. Signed-off-by:
Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Link: https://lore.kernel.org/r/20231112000029.151117-2-u.kleine-koenig@pengutronix.deSigned-off-by:
-
- 27 Nov, 2023 6 commits
-
-
Li kunyu authored
rc is assigned first, so it does not need to initialize the assignment. Signed-off-by:
Li kunyu <kunyu@nfschina.com> Acked-by:
Andrew Donnellan <ajd@linux.ibm.com> Link: https://lore.kernel.org/r/20231113015229.12074-1-kunyu@nfschina.comSigned-off-by:
-
Li zeming authored
The link pointer does not need to cast the type. Signed-off-by:
Li zeming <zeming@nfschina.com> Acked-by:
Frederic Barrat <fbarrat@linux.ibm.com> Acked-by:
-
Li zeming authored
The irq pointer does not need to cast the type. Signed-off-by:
-
Li zeming authored
The ctx pointer does not need to cast the type. Signed-off-by:
-
Linus Torvalds authored
-
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-traceLinus Torvalds authored
Pull tracing fixes from Steven Rostedt:: "Eventfs fixes: - With the usage of simple_recursive_remove() recommended by Al Viro, the code should not be calling "d_invalidate()" itself. Doing so is causing crashes. The code was calling d_invalidate() on the race of trying to look up a file while the parent was being deleted. This was detected, and the added dentry was having d_invalidate() called on it, but the deletion of the directory was also calling d_invalidate() on that same dentry. - A fix to not free the eventfs_inode (ei) until the last dput() was called on its ei->dentry made the ei->dentry exist even after it was marked for free by setting the ei->is_freed. But code elsewhere still was checking if ei->dentry was NULL if ei->is_freed is set and would trigger WARN_ON if that was the case. That's no longer true and there should not be any warnings when it is true. - Use GFP_NOFS for allocations done under eventfs_mutex. The eventfs_mutex can be taken on file system reclaim, make sure that allocations done under that mutex do not trigger file system reclaim. - Clean up code by moving the taking of inode_lock out of the helper functions and into where they are needed, and not use the parameter to know to take it or not. It must always be held but some callers of the helper function have it taken when they were called. - Warn if the inode_lock is not held in the helper functions. - Warn if eventfs_start_creating() is called without a parent. As eventfs is underneath tracefs, all files created will have a parent (the top one will have a tracefs parent). Tracing update: - Add Mathieu Desnoyers as an official reviewer of the tracing subsystem" * tag 'trace-v6.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: MAINTAINERS: TRACING: Add Mathieu Desnoyers as Reviewer eventfs: Make sure that parent->d_inode is locked in creating files/dirs eventfs: Do not allow NULL parent to eventfs_start_creating() eventfs: Move taking of inode_lock into dcache_dir_open_wrapper() eventfs: Use GFP_NOFS for allocation when eventfs_mutex is held eventfs: Do not invalidate dentry in create_file/dir_dentry() eventfs: Remove expectation that ei->is_freed means ei->dentry == NULL
-
- 26 Nov, 2023 6 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linuxLinus Torvalds authored
Pull parisc architecture fixes from Helge Deller: "This patchset fixes and enforces correct section alignments for the ex_table, altinstructions, parisc_unwind, jump_table and bug_table which are created by inline assembly. Due to not being correctly aligned at link & load time they can trigger unnecessarily the kernel unaligned exception handler at runtime. While at it, I switched the bug table to use relative addresses which reduces the size of the table by half on 64-bit. We still had the ENOSYM and EREMOTERELEASE errno symbols as left-overs from HP-UX, which now trigger build-issues with glibc. We can simply remove them. Most of the patches are tagged for stable kernel series. Summary: - Drop HP-UX ENOSYM and EREMOTERELEASE return codes to avoid glibc build issues - Fix section alignments for ex_table, altinstructions, parisc unwind table, jump_table and bug_table - Reduce size of bug_table on 64-bit kernel by using relative pointers" * tag 'parisc-for-6.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Reduce size of the bug_table on 64-bit kernel by half parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes parisc: Use natural CPU alignment for bug_table parisc: Ensure 32-bit alignment on parisc unwind section parisc: Mark lock_aligned variables 16-byte aligned on SMP parisc: Mark jump_table naturally aligned parisc: Mark altinstructions read-only and 32-bit aligned parisc: Mark ex_table entries 32-bit aligned in uaccess.h parisc: Mark ex_table entries 32-bit aligned in assembly.h -
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull x86 microcode fixes from Ingo Molnar: "Fix/enhance x86 microcode version reporting: fix the bootup log spam, and remove the driver version announcement to avoid version confusion when distros backport fixes" * tag 'x86-urgent-2023-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/microcode: Rework early revisions reporting x86/microcode: Remove the driver announcement and version
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull x86 perf event fix from Ingo Molnar: "Fix a bug in the Intel hybrid CPUs hardware-capabilities enumeration code resulting in non-working events on those platforms" * tag 'perf-urgent-2023-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel: Correct incorrect 'or' operation for PMU capabilities
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull locking fix from Ingo Molnar: "Fix lockdep block chain corruption resulting in KASAN warnings" * tag 'locking-urgent-2023-11-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: lockdep: Fix block chain corruption
-
git://git.samba.org/sfrench/cifs-2.6Linus Torvalds authored
Pull smb client fixes from Steve French: - use after free fix in releasing multichannel interfaces - fixes for special file types (report char, block, FIFOs properly when created e.g. by NFS to Windows) - fixes for reporting various special file types and symlinks properly when using SMB1 * tag '6.7-rc2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb: client: introduce cifs_sfu_make_node() smb: client: set correct file type from NFS reparse points smb: client: introduce ->parse_reparse_point() smb: client: implement ->query_reparse_point() for SMB1 cifs: fix use after free for iface while disabling secondary channels
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usbLinus Torvalds authored
Pull USB / PHY / Thunderbolt fixes from Greg KH: "Here are a number of reverts, fixes, and new device ids for 6.7-rc3 for the USB, PHY, and Thunderbolt driver subsystems. Include in here are: - reverts of some PHY drivers that went into 6.7-rc1 that shouldn't have been merged yet, the author is reworking them based on review comments as they were using older apis that shouldn't be used anymore for newer drivers - small thunderbolt driver fixes for reported issues - USB driver fixes for a variety of small issues in dwc3, typec, xhci, and other smaller drivers. - new device ids for usb-serial and onboard_usb_hub drivers. All of these have been in linux-next with no reported issues" * tag 'usb-6.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (33 commits) USB: serial: option: add Luat Air72*U series products USB: dwc3: qcom: fix ACPI platform device leak USB: dwc3: qcom: fix software node leak on probe errors USB: dwc3: qcom: fix resource leaks on probe deferral USB: dwc3: qcom: simplify wakeup interrupt setup USB: dwc3: qcom: fix wakeup after probe deferral dt-bindings: usb: qcom,dwc3: fix example wakeup interrupt types usb: misc: onboard-hub: add support for Microchip USB5744 dt-bindings: usb: microchip,usb5744: Add second supply usb: misc: ljca: Fix enumeration error on Dell Latitude 9420 USB: serial: option: add Fibocom L7xx modules USB: xhci-plat: fix legacy PHY double init usb: typec: tipd: Supply also I2C driver data usb: xhci-mtk: fix in-ep's start-split check failure usb: dwc3: set the dma max_seg_size usb: config: fix iteration issue in 'usb_get_bos_descriptor()' usb: dwc3: add missing of_node_put and platform_device_put USB: dwc2: write HCINT with INTMASK applied usb: misc: ljca: Drop _ADR support to get ljca children devices usb: cdnsp: Fix deadlock issue during using NCM gadget ...
-
- 25 Nov, 2023 4 commits
-
-
git://git.kernel.org/pub/scm/fs/xfs/xfs-linuxLinus Torvalds authored
Pull xfs fix from Chandan Babu: - Validate quota records recovered from the log before writing them to the disk. * tag 'xfs-6.7-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: dquot recovery does not validate the recovered dquot xfs: clean up dqblk extraction
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linuxLinus Torvalds authored
Pull arm64 fixes from Catalin Marinas: - Fix "rodata=on" not disabling "rodata=full" on arm64 - Add arm64 make dependency between vmlinuz.efi and Image, leading to occasional build failures previously (with parallel building) - Add newline to the output formatting of the za-fork kselftest * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: add dependency between vmlinuz.efi and Image kselftest/arm64: Fix output formatting for za-fork arm64: mm: Fix "rodata=on" when CONFIG_RODATA_FULL_DEFAULT_ENABLED=y
-
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tipLinus Torvalds authored
Pull xen fixes from Juergen Gross: - A small cleanup patch for the Xen privcmd driver - A fix for the swiotlb-xen driver which was missing the advertising of the maximum mapping length - A fix for Xen on Arm for a longstanding bug, which happened to occur only recently: a structure in percpu memory crossed a page boundary, which was rejected by the hypervisor * tag 'for-linus-6.7a-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: arm/xen: fix xen_vcpu_info allocation alignment xen: privcmd: Replace zero-length array with flex-array member and use __counted_by swiotlb-xen: provide the "max_mapping_size" method
-
Helge Deller authored
Enable GENERIC_BUG_RELATIVE_POINTERS which will store 32-bit relative offsets to the bug address and the source file name instead of 64-bit absolute addresses. This effectively reduces the size of the bug_table[] array by half on 64-bit kernels. Signed-off-by:Helge Deller <deller@gmx.de>
-
