Changes in 5.10.154
serial: 8250: Let drivers request full 16550A feature probing
serial: ar933x: Deassert Transmit Enable on ->rs485_config()
KVM: nVMX: Pull KVM L0's desired controls directly from vmcs01
KVM: nVMX: Don't propagate vmcs12's PERF_GLOBAL_CTRL settings to vmcs02
KVM: x86: Trace re-injected exceptions
KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1)
x86/topology: Set cpu_die_id only if DIE_TYPE found
x86/topology: Fix multiple packages shown on a single-package system
x86/topology: Fix duplicated core ID within a package
KVM: x86: Protect the unused bits in MSR exiting flags
KVM: x86: Copy filter arg outside kvm_vm_ioctl_set_msr_filter()
KVM: x86: Add compat handler for KVM_X86_SET_MSR_FILTER
RDMA/cma: Use output interface for net_dev check
IB/hfi1: Correctly move list in sc_disable()
NFSv4: Fix a potential state reclaim deadlock
NFSv4.1: Handle RECLAIM_COMPLETE trunking errors
NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
nfs4: Fix kmemleak when allocate slot failed
net: dsa: Fix possible memory leaks in dsa_loop_init()
RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
RDMA/qedr: clean up work queue on failure in qedr_alloc_resources()
nfc: fdp: drop ftrace-like debugging messages
nfc: fdp: Fix potential memory leak in fdp_nci_send()
NFC: nxp-nci: remove unnecessary labels
nfc: nxp-nci: Fix potential memory leak in nxp_nci_send()
nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()
nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()
net: fec: fix improper use of NETDEV_TX_BUSY
ata: pata_legacy: fix pdc20230_set_piomode()
net: sched: Fix use after free in red_enqueue()
net: tun: fix bugs for oversize packet when napi frags enabled
netfilter: nf_tables: release flow rule object from commit path
ipvs: use explicitly signed chars
ipvs: fix WARNING in __ip_vs_cleanup_batch()
ipvs: fix WARNING in ip_vs_app_net_cleanup()
rose: Fix NULL pointer dereference in rose_send_frame()
mISDN: fix possible memory leak in mISDN_register_device()
isdn: mISDN: netjet: fix wrong check of device registration
btrfs: fix inode list leak during backref walking at resolve_indirect_refs()
btrfs: fix inode list leak during backref walking at find_parent_nodes()
btrfs: fix ulist leaks in error paths of qgroup self tests
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
net: mdio: fix undefined behavior in bit shift for __mdiobus_register
net, neigh: Fix null-ptr-deref in neigh_table_clear()
ipv6: fix WARNING in ip6_route_net_exit_late()
drm/msm/hdmi: Remove spurious IRQF_ONESHOT flag
drm/msm/hdmi: fix IRQ lifetime
mmc: sdhci-esdhc-imx: Propagate ESDHC_FLAG_HS400* only on 8bit bus
mmc: sdhci-pci: Avoid comma separated statements
mmc: sdhci-pci-core: Disable ES for ASUS BIOS on Jasper Lake
video/fbdev/stifb: Implement the stifb_fillrect() function
fbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cards
mtd: parsers: bcm47xxpart: print correct offset on read error
mtd: parsers: bcm47xxpart: Fix halfblock reads
xhci-pci: Set runtime PM as default policy on all xHC 1.2 or later devices
s390/boot: add secure boot trailer
media: rkisp1: Initialize color space on resizer sink and source pads
media: rkisp1: Zero v4l2_subdev_format fields in when validating links
media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE
media: cros-ec-cec: limit msg.len to CEC_MAX_MSG_SIZE
media: dvb-frontends/drxk: initialize err to 0
media: meson: vdec: fix possible refcount leak in vdec_probe()
ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init()
scsi: core: Restrict legal sdev_state transitions via sysfs
HID: saitek: add madcatz variant of MMO7 mouse device ID
drm/amdgpu: set vm_update_mode=0 as default for Sienna Cichlid in SRIOV case
i2c: xiic: Add platform module alias
efi/tpm: Pass correct address to memblock_reserve
ARM: dts: imx6qdl-gw59{10,13}: fix user pushbutton GPIO offset
firmware: arm_scmi: Suppress the driver's bind attributes
firmware: arm_scmi: Make Rx chan_setup fail on memory errors
arm64: dts: juno: Add thermal critical trip points
i2c: piix4: Fix adapter not be removed in piix4_remove()
Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
Bluetooth: L2CAP: Fix attempting to access uninitialized memory
block, bfq: protect 'bfqd->queued' by 'bfqd->lock'
ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices
fscrypt: simplify master key locking
fscrypt: stop using keyrings subsystem for fscrypt_master_key
fscrypt: fix keyring memory leak on mount failure
tcp/udp: Fix memory leak in ipv6_renew_options().
mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times
memcg: enable accounting of ipc resources
binder: fix UAF of alloc->vma in race with munmap()
coresight: cti: Fix hang in cti_disable_hw()
btrfs: fix type of parameter generation in btrfs_get_dentry
ftrace: Fix use-after-free for dynamic ftrace_ops
tcp/udp: Make early_demux back namespacified.
tracing: kprobe: Fix memory leak in test_gen_kprobe/kretprobe_cmd()
kprobe: reverse kp->flags when arm_kprobe failed
tools/nolibc/string: Fix memcmp() implementation
tracing/histogram: Update document for KEYS_MAX size
capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
fuse: add file_modified() to fallocate
efi: random: reduce seed size to 32 bytes
efi: random: Use 'ACPI reclaim' memory for random seed
perf/x86/intel: Fix pebs event constraints for ICL
perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[]
parisc: Make 8250_gsc driver dependend on CONFIG_PARISC
parisc: Export iosapic_serial_irq() symbol for serial port driver
parisc: Avoid printing the hardware path twice
ext4: fix warning in 'ext4_da_release_space'
ext4: fix BUG_ON() when directory entry has invalid rec_len
KVM: x86: Mask off reserved bits in CPUID.80000006H
KVM: x86: Mask off reserved bits in CPUID.8000001AH
KVM: x86: Mask off reserved bits in CPUID.80000008H
KVM: x86: Mask off reserved bits in CPUID.80000001H
KVM: x86: emulator: em_sysexit should update ctxt->mode
KVM: x86: emulator: introduce emulator_recalc_and_set_mode
KVM: x86: emulator: update the emulation mode after CR0 write
ext4,f2fs: fix readahead of verity data
drm/rockchip: dsi: Force synchronous probe
drm/i915/sdvo: Filter out invalid outputs more sensibly
drm/i915/sdvo: Setup DDC fully before output init
wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
ipc: remove memcg accounting for sops objects in do_semtimedop()
Linux 5.10.154
Change-Id: I6965878bf3bad857fbdbcdeb7dd066cc280aa026
Signed-off-by: Eric Biggers <ebiggers@google.com>
In commit 720c241924 ("ANDROID: binder: change down_write to
down_read") binder assumed the mmap read lock is sufficient to protect
alloc->vma inside binder_update_page_range(). This used to be accurate
until commit dd2283f260 ("mm: mmap: zap pages with read mmap_sem in
munmap"), which now downgrades the mmap_lock after detaching the vma
from the rbtree in munmap(). Then it proceeds to teardown and free the
vma with only the read lock held.
This means that accesses to alloc->vma in binder_update_page_range() now
will race with vm_area_free() in munmap() and can cause a UAF as shown
in the following KASAN trace:
==================================================================
BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0
Read of size 8 at addr ffff16204ad00600 by task server/558
CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x2a0
show_stack+0x18/0x2c
dump_stack+0xf8/0x164
print_address_description.constprop.0+0x9c/0x538
kasan_report+0x120/0x200
__asan_load8+0xa0/0xc4
vm_insert_page+0x7c/0x1f0
binder_update_page_range+0x278/0x50c
binder_alloc_new_buf+0x3f0/0xba0
binder_transaction+0x64c/0x3040
binder_thread_write+0x924/0x2020
binder_ioctl+0x1610/0x2e5c
__arm64_sys_ioctl+0xd4/0x120
el0_svc_common.constprop.0+0xac/0x270
do_el0_svc+0x38/0xa0
el0_svc+0x1c/0x2c
el0_sync_handler+0xe8/0x114
el0_sync+0x180/0x1c0
Allocated by task 559:
kasan_save_stack+0x38/0x6c
__kasan_kmalloc.constprop.0+0xe4/0xf0
kasan_slab_alloc+0x18/0x2c
kmem_cache_alloc+0x1b0/0x2d0
vm_area_alloc+0x28/0x94
mmap_region+0x378/0x920
do_mmap+0x3f0/0x600
vm_mmap_pgoff+0x150/0x17c
ksys_mmap_pgoff+0x284/0x2dc
__arm64_sys_mmap+0x84/0xa4
el0_svc_common.constprop.0+0xac/0x270
do_el0_svc+0x38/0xa0
el0_svc+0x1c/0x2c
el0_sync_handler+0xe8/0x114
el0_sync+0x180/0x1c0
Freed by task 560:
kasan_save_stack+0x38/0x6c
kasan_set_track+0x28/0x40
kasan_set_free_info+0x24/0x4c
__kasan_slab_free+0x100/0x164
kasan_slab_free+0x14/0x20
kmem_cache_free+0xc4/0x34c
vm_area_free+0x1c/0x2c
remove_vma+0x7c/0x94
__do_munmap+0x358/0x710
__vm_munmap+0xbc/0x130
__arm64_sys_munmap+0x4c/0x64
el0_svc_common.constprop.0+0xac/0x270
do_el0_svc+0x38/0xa0
el0_svc+0x1c/0x2c
el0_sync_handler+0xe8/0x114
el0_sync+0x180/0x1c0
[...]
==================================================================
To prevent the race above, revert back to taking the mmap write lock
inside binder_update_page_range(). One might expect an increase of mmap
lock contention. However, binder already serializes these calls via top
level alloc->mutex. Also, there was no performance impact shown when
running the binder benchmark tests.
Note this patch is specific to stable branches 5.4 and 5.10, since in
newer kernel releases binder no longer caches a pointer to the vma.
Instead, it has been refactored to use vma_lookup() which avoids the
issue described here. This switch was introduced in commit a43cfc87ca
("android: binder: stop saving a pointer to the VMA").
Fixes: dd2283f260 ("mm: mmap: zap pages with read mmap_sem in munmap")
Reported-by: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org> # 5.10.x
Cc: Minchan Kim <minchan@kernel.org>
Cc: Yang Shi <yang.shi@linux.alibaba.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fix Bug: scheduling while atomic
In these vendor hooks, we will perform schedule due to competion. This will
lead to kernel exception.
To solve this problem, we need to add these restricted hooks to replace the
former regular vendor hooks.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I151125a7119a91d1339d4790a68a6a4796d673e3
A vendor hook was recently defined that references
struct page_vma_mapped_walk, but it is only forward-declared
and therefore not fully defined in the KMI. Add inclusion of
linux/rmap.h to vendor_hooks.c to add the full definition.
Bug: 233047575
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I3bbaca92a70e4464e370e987ae4154de19c4fee2
Add a hook in madvise_cold_or_pageout_pte_range() to allow
vendor modules to influence the shared pages reclaim.
Bug: 242678506
Change-Id: I269a385b59f7291c2e96478674bb3d05f94584cb
Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
There are 2 remaining types directly referenced by vendor
hooks that were not fully-defined in the KMI:
struct gic_chip_data : defined in include/linux/irqchip/arm-gic-v3.h
struct swap_slots_cache : defined in include/linux/swap_slots.h
libabigail is not finding definitions based on the instantiation
of the hooks, so force them to be defined by defining dummy exported
symbols.
Update XML with the now visible definitions
Bug: 233047575
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I521b2a596e1d7361d0f44a87ffe330186896b9f8
struct selinux_state is defined in security/selinux/include/security.h,
however libabigail is not finding its definition based on the
instantiation of the hooks, so force it to be defined by defining a
dummy exported symbol. Since blk_mq_alloc_data is defined in a
subsystem-private header, create a new vendor_hooks.c file in
security/selinux to define the dummy symbol.
Bug: 233047575
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: Ia505c76db2eed339b3815073f847b500535cc954
Renamed trace_android_vh_record_percpu_rwsem_lock_starttime to
trace_android_vh_record_pcpu_rwsem_starttime.
Because the original name is too long, which results to the
compile-err of .ko that uses the symbol:
ERROR: modpost:
too long symbol "__tracepoint_android_vh_record_percpu_rwsem_lock_starttime"
There are not any users of the original hooks so that it is safe to
rename it.
Bug: 241191475
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: Ie246a933414db5e9e28a65a4c280fae3a1cbefe3
This reverts commit dec2f52d08.
The hooks android_vh_alloc_pages_reclaim_bypass and
android_vh_alloc_pages_failure_bypass are not used by any vendor, so
remove it to help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 243629905
Cc: xiaofeng <xiaofeng5@xiaomi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id313f6971e0b5437fcfc1ed3f8d4c56706217133
Add hooks for support lookaround in memory reclamation.
add drivers/android/vendor_hooks.c for export tracepoint symbol
Bug: 241079328
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: Ia6e9fa0ae5708e88fa498c63cf63aad7c55e5f98
commit a0e44c64b6 upstream.
A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
reference for a node. In this case, the target proc normally releases
the failed reference upon close as expected. However, if the target is
dying in parallel the call will race with binder_deferred_release(), so
the target could have released all of its references by now leaving the
cleanup of the new failed reference unhandled.
The transaction then ends and the target proc gets released making the
ref->proc now a dangling pointer. Later on, ref->node is closed and we
attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
use-after-free bug reported below. Let's fix this by cleaning up the
failed reference on the spot instead of relying on the target to do so.
==================================================================
BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590
CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
dump_backtrace.part.0+0x1d0/0x1e0
show_stack+0x18/0x70
dump_stack_lvl+0x68/0x84
print_report+0x2e4/0x61c
kasan_report+0xa4/0x110
kasan_check_range+0xfc/0x1a4
__kasan_check_write+0x3c/0x50
_raw_spin_lock+0xa8/0x150
binder_deferred_func+0x5e0/0x9b0
process_one_work+0x38c/0x5f0
worker_thread+0x9c/0x694
kthread+0x188/0x190
ret_from_fork+0x10/0x20
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Cc: stable <stable@kernel.org> # 4.14+
Link: https://lore.kernel.org/r/20220801182511.3371447-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Older kernels lack io_uring POLLFREE handling. As only affected files
are signalfd and android binder the safest option would be to disable
polling those files via io_uring and hope there are no users.
Fixes: 221c5eb233 ("io_uring: add support for IORING_OP_POLL")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit e5b4949bfc.
The hook android_vh_tune_memcg_scan_type is not used by any vendor, so
remove it to help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 230450931
Cc: xiaofeng <xiaofeng5@xiaomi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I0e32c24d67a9ede087eca5005796512a9451c1e2
This reverts commit f06daa5a0b.
The hook android_vh_ra_tuning_max_page is not used by any vendor, so
remove it to help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 229839032
Cc: liang zhang <liang.zhang@transsion.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id9211dfd9e1fa19d2ccb14302c60f0d55579f59d
This reverts commit 8c3ac02bca.
The hook android_vh_mutex_start_check_new_owner is not used by any
vendor, so remove it to help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 231647361
Cc: Liujie Xie <xieliujie@oppo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8c3bf787525d684f64b8d0654d379df78eb7b69e
If an important task is going to sleep through do_futex(),
find out its futex-owner by the pid that comes from userspace,
and boost the owner by some means to shorten the sleep time.
How to boost? Depends on these hooks:
53e8099784 ("ANDROID: vendor_hooks: Add hooks for scheduler")
Bug: 243110112
Signed-off-by: xieliujie <xieliujie@oppo.com>
Change-Id: I9a315cfb414fd34e0ef7a2cf9d57df50d4dd984f
Add vendor hook to thermal to allow vendor to selectively disable
thermal cooling device stats feature based on requirement. It helps
vendor to optimize memory footprint due to this feature especially
for low memory devices.
Bug: 218825214
Change-Id: I2ec72505f03575e09229c54765584614b16a3904
Signed-off-by: Manaf Meethalavalappu Pallikunhi <quic_manafm@quicinc.com>
(cherry picked from commit f6e47fd00f24d5e814d316b03974e970dd87879e)
This reverts commit eb99e6d80e
The hook android_vh_free_pages is deleted, due to the symbol is
not added to the abi list. The symbol is added to the abi list in
patch:2183484. This patch is to add the hook android_vh_free_pages
again.
Bug: 234214858
Bug: 203756332
Cc: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I2c97ea4d310e2004b94d891678127c17f7b07c93
This reverts commit: d0590b99c9
The hooks android_vh_init_swap_info_struct and android_vh_alloc_si
are deleted, due to the symbols are not added to the abi list. The
symbols are added to the abi list in patch:2183484. This patch is to
add the hooks android_vh_init_swap_info_struct and android_vh_alloc_si
again.
Bug: 234214858
Bug: 203756332
Cc: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Id5524a726d213c5eab55570fd28d28da978974e7
This reverts commit 86be1a3d9f
The hook android_vh_si_swapinfo is deleted, due to the symbol
is not added to the abi list. The symbol is added to the abi
list in patch:2183484. This patch is to add the hook
android_vh_si_swapinfo again.
Bug: 234214858
Bug: 203756332
Cc: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ifd1e05f44ac04b67816618139badd5c2ee786b50
This reverts commit ed2b11d639.
The hook android_vh_si_swapinfo is not used by any vendor, so remove it
to help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 234214858
Cc: Bing Han <bing.han@transsion.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ib474a0911dd97d54d2f086258e9d53ddd3451967
This reverts commit 242b11e574.
The hook android_vh_pidfd_open is not used by any vendor, so remove it
to help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 238725692
Cc: xiaofeng <xiaofeng5@xiaomi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I77afe002bebc3b3e97ea7a28faae74e9cb8a6718
This reverts commit 667f0d71dc.
The hooks android_vh_init_swap_info_struct and android_vh_alloc_si are
not used by any vendor, so remove it to help with merge issues with
future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 234214858
Cc: Bing Han <bing.han@transsion.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If01c284ebf15e804e7cf34e854b7db0d5b68ae1b
This reverts commit 8b19ed264b.
The hook android_vh_mmput is not used by any vendor, so remove it to
help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 238821038
Cc: xiaofeng <xiaofeng5@xiaomi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Idd40f231640723d2342a9dbac7e9206a800e82dd
This reverts commit 01680ae117.
The hook android_vh_free_pages is not used by any vendor, so remove it
to help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 234214858
Cc: Bing Han <bing.han@transsion.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I36d4bfb83e1605c6fd1f9ff8dcd39cdbcdef8760
This reverts commit acefa91e51.
The hooks trace_android_vh_binder_proc_transaction_entry and
trace_android_vh_binder_select_worklist_ilocked are not used by any
vendor, so remove it to help with merge issues with future LTS releases.
If this is needed by any real user, it can easily be reverted to add it
back and then the symbol should be added to the abi list at the same
time to prevent it from being removed again later.
Bug: 203756332
Bug: 219898723
Cc: Liujie Xie <xieliujie@oppo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2c04e60fa9d6eb6d85be7882d12f1b70956b8e80
Providing vendor hooks to record the start time of holding the lock, which
protects rwsem/mutex locking-process from being preempted for a short time
in some cases.
- android_vh_record_mutex_lock_starttime
- android_vh_record_rtmutex_lock_starttime
- android_vh_record_rwsem_lock_starttime
- android_vh_record_percpu_rwsem_lock_starttime
Bug: 241191475
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: I0e967a1e8b77c32a1ad588acd54028fae2f90c4e
Add hooks to support trylock in rmaplock when reclaiming in kswapd or
direct_reclaim, in order to avoid wait lock for a long time.
- android_vh_handle_failed_page_trylock
- android_vh_page_trylock_set
- android_vh_page_trylock_clear
- android_vh_page_trylock_get_result
- android_vh_do_page_trylock
Bug: 240003372
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: I0f605b35ae41f15b3ca7bc72cd5f003175c318a5
Support two hooks as follows to protect multi-mapcount pages in kernel:
- trace_android_vh_page_should_be_protect
- trace_android_vh_mapped_page_try_sorthead
Bug: 236578020
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: I688aceabf17d9de2feac7c3ad7144d307de6ef29
Support five hooks as follows to account
the amount of multi-mapped pages in kernel:
- android_vh_show_mapcount_pages
- android_vh_do_traversal_lruvec
- android_vh_update_page_mapcount
- android_vh_add_page_to_lrulist
- android_vh_del_page_from_lrulist
Bug: 236578020
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: Ia2c7015aab442be7dbb496b8b630b9dff59ab935
A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
reference for a node. In this case, the target proc normally releases
the failed reference upon close as expected. However, if the target is
dying in parallel the call will race with binder_deferred_release(), so
the target could have released all of its references by now leaving the
cleanup of the new failed reference unhandled.
The transaction then ends and the target proc gets released making the
ref->proc now a dangling pointer. Later on, ref->node is closed and we
attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
use-after-free bug reported below. Let's fix this by cleaning up the
failed reference on the spot instead of relying on the target to do so.
==================================================================
BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590
CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
dump_backtrace.part.0+0x1d0/0x1e0
show_stack+0x18/0x70
dump_stack_lvl+0x68/0x84
print_report+0x2e4/0x61c
kasan_report+0xa4/0x110
kasan_check_range+0xfc/0x1a4
__kasan_check_write+0x3c/0x50
_raw_spin_lock+0xa8/0x150
binder_deferred_func+0x5e0/0x9b0
process_one_work+0x38c/0x5f0
worker_thread+0x9c/0x694
kthread+0x188/0x190
ret_from_fork+0x10/0x20
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Bug: 239630375
Link: https://lore.kernel.org/all/20220801182511.3371447-1-cmllamas@google.com/
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I5085dd0dc805a780a64c057e5819f82dd8f02868
(cherry picked from commit ae3fa5d16a02ba7c7b170e0e1ab56d6f0ba33964)
Provide a vendor hook to remove additional fields when remove_vm_area
for slab/vmalloc memory leak debugging.
Bug: 240869642
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: Iafecd7c6e75cdc2df0e77ae105283590d8852f74
The patchset in [1] exported some definitions to binder_internal.h in
order to make the debugfs entries such as 'stats' and 'transaction_log'
available in a binderfs instance. However, the DEFINE_SHOW_ATTRIBUTE
macro expands into a static function/variable pair, which in turn get
redefined each time a source file includes this internal header.
This problem was made evident after a report from the kernel test robot
<lkp@intel.com> where several W=1 build warnings are seen in downstream
kernels. See the following example:
include/../drivers/android/binder_internal.h:111:23: warning: 'binder_stats_fops' defined but not used [-Wunused-const-variable=]
111 | DEFINE_SHOW_ATTRIBUTE(binder_stats);
| ^~~~~~~~~~~~
include/linux/seq_file.h:174:37: note: in definition of macro 'DEFINE_SHOW_ATTRIBUTE'
174 | static const struct file_operations __name ## _fops = { \
| ^~~~~~
This patch fixes the above issues by moving back the definitions into
binder.c and instead creates an array of the debugfs entries which is
more convenient to share with binderfs and iterate through.
[1] https://lore.kernel.org/all/20190903161655.107408-1-hridya@google.com/
Fixes: 0e13e452da ("binder: Add stats, state and transactions files")
Fixes: 03e2e07e38 ("binder: Make transaction_log available in binderfs")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20220701182041.2134313-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 240404657
(cherry picked from commit b7e241bbff
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next)
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I7e9ca1ab1f3a5a4a272e50f24d404c17cad55d32
Since android_vh_alloc_pages_slowpath was reverted by
commit e09000ee19 ("Revert half of "ANDROID: vendor_hooks: Add hooks
for memory when debug""). re-add hooks here to measure the duration
Bug: 182443489
Signed-off-by: liuhailong <liuhailong@oppo.com>
Change-Id: Ie4534047105d8409623692cc3811b55d9ddbd17d
Add vendor hook when detecting process status through
pidfd_open.
Bug: 238725692
Change-Id: I565988cb8bf6dd44ab4dc15c410c2dcf50703def
Signed-off-by: xiaofeng <xiaofeng5@xiaomi.com>
Add vendor hook android_vh_set_shmem_page_flag in shmem_writepage to
set a flag in page_ext, which indicates that this page is a shmem page,
to be used in android_vh_get_swap_page. The shared page should not be
reclaimed to the extended memory, i.e., the specified swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I33a9007c88b4d8aab3da044c8a05eb45d7e74f3a
When the target process is busy, incoming oneway transactions are
queued in the async_todo list. If the clients continue sending extra
oneway transactions while the target process is frozen, this queue can
become too large to accommodate new transactions. That's why binder
driver introduced ONEWAY_SPAM_DETECTION to detect this situation. It's
helpful to debug the async binder buffer exhausting issue, but the
issue itself isn't solved directly.
In real cases applications are designed to send oneway transactions
repeatedly, delivering updated information to the target process.
Typical examples are Wi-Fi signal strength and some real time sensor
data. Even if the apps might only care about the latest information,
all outdated oneway transactions are still accumulated there until the
frozen process is thawed later. For this kind of situations, there's
no existing method to skip those outdated transactions and deliver the
latest one only.
This patch introduces a new transaction flag TF_UPDATE_TXN. To use it,
user apps can set this new flag along with TF_ONE_WAY. When such an
oneway transaction is to be queued into the async_todo list of a frozen
process, binder driver will check if any previous pending transactions
can be superseded by comparing their code, flags and target node. If
such an outdated pending transaction is found, the latest transaction
will supersede that outdated one. This effectively prevents the async
binder buffer running out and saves unnecessary binder read workloads.
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Li Li <dualli@google.com>
Link: https://lore.kernel.org/r/20220526220018.3334775-2-dualli@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 231624308
Test: manually check async binder buffer size of frozen apps
Test: stress test with kernel 4.14/4.19/5.10/5.15
(cherry picked from commit 9864bb4801
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I1c4bff1eda1ca15aaaad5bf696c8fc00be743176
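The supersede rule described in the TF_UPDATE_TXN message above, as an added user-space model (not the binder driver's code, and not part of the original commit). The model_* names, the fixed QUEUE_CAP standing in for the limited async buffer, and the sample code/target values are assumptions; the flag values mirror the binder UAPI header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names as used on the page; numeric values mirror the binder UAPI header. */
#define TF_ONE_WAY    0x01
#define TF_UPDATE_TXN 0x40

/* Assumption: a small fixed capacity stands in for the async binder buffer. */
#define QUEUE_CAP 8

struct model_txn {
    uint32_t code;         /* transaction code chosen by the sender */
    uint32_t flags;        /* TF_* flags */
    uint64_t target_node;  /* identifies the target node */
    uint32_t payload;      /* constructed sample data, e.g. a sensor reading */
};

struct model_proc {
    int is_frozen;
    size_t pending;
    struct model_txn async_todo[QUEUE_CAP];
};

enum enqueue_result { TXN_QUEUED, TXN_SUPERSEDED, TXN_QUEUE_FULL };

/* A pending transaction may be replaced only if both it and the new one are
 * oneway updates and they agree on code, flags and target node. */
static int model_can_supersede(const struct model_txn *old,
                               const struct model_txn *new_txn)
{
    const uint32_t need = TF_ONE_WAY | TF_UPDATE_TXN;

    if ((old->flags & new_txn->flags & need) != need)
        return 0;
    return old->code == new_txn->code &&
           old->flags == new_txn->flags &&
           old->target_node == new_txn->target_node;
}

/* Queue a oneway transaction. For a frozen target, an outdated matching entry
 * is dropped first and the new transaction takes the tail of the queue. */
static enum enqueue_result model_enqueue(struct model_proc *p,
                                         const struct model_txn *t)
{
    enum enqueue_result res = TXN_QUEUED;

    if (p->is_frozen) {
        for (size_t i = 0; i < p->pending; i++) {
            if (!model_can_supersede(&p->async_todo[i], t))
                continue;
            memmove(&p->async_todo[i], &p->async_todo[i + 1],
                    (p->pending - i - 1) * sizeof(p->async_todo[0]));
            p->pending--;
            res = TXN_SUPERSEDED;
            break;
        }
    }
    if (p->pending == QUEUE_CAP)
        return TXN_QUEUE_FULL;   /* models async buffer exhaustion */
    p->async_todo[p->pending++] = *t;
    return res;
}

/* Send `count` updates with the same code and target (constructed values);
 * returns how many were rejected because the queue was full. */
static size_t model_send_updates(struct model_proc *p, uint32_t flags,
                                 uint32_t count)
{
    size_t rejected = 0;

    for (uint32_t i = 0; i < count; i++) {
        struct model_txn t = { .code = 7, .flags = flags,
                               .target_node = 0x1000, .payload = i };
        if (model_enqueue(p, &t) == TXN_QUEUE_FULL)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    struct model_proc plain = { .is_frozen = 1 };
    struct model_proc update = { .is_frozen = 1 };
    size_t r1 = model_send_updates(&plain, TF_ONE_WAY, 20);
    size_t r2 = model_send_updates(&update, TF_ONE_WAY | TF_UPDATE_TXN, 20);

    printf("TF_ONE_WAY only:          pending=%zu rejected=%zu\n",
           plain.pending, r1);
    printf("TF_ONE_WAY|TF_UPDATE_TXN: pending=%zu rejected=%zu latest=%u\n",
           update.pending, r2, (unsigned)update.async_todo[0].payload);
    return 0;
}
```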
Provide a vendor hook android_vh_free_pages to clear the
information in struct page_ext, when the page is freed.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Iac8e3a72f59f8d3ae16dbc93d94034fe4b627d61
Provide a vendor hook android_vh_swap_slot_cache_active to
pass the active status of swap_slots_cache. This status
will be used in the process of reclaiming the pages that
are required to be reclaimed to a specified swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I8211760e0f37fe4a514f6ceaae9993925da8cd6d
Three vendor hooks are provided to extend struct swap_slots_cache.
The extended data are used to record the information of the
specified reclaimed swap location:
1) android_vh_alloc_swap_slot_cache, replace the function
alloc_swap_slot_cache adding allocation of the extension
of struct swap_slots_cache;
2) android_vh_drain_slots_cache_cpu, replace the function
drain_slots_cache_cpu adding the initialization of the
extension of struct swap_slots_cache;
3) android_vh_get_swap_page, replace the function get_swap_page,
according to the reclaimed location information of the page,
get the swap page from the specified swap location;
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I3bce6e8cf255df1d879b7c4022d54981cce7c273
Provide a vendor hook android_vh_si_swapinfo to replace the
process of updating nr_to_be_unused. When the page is swapped
to a specified swap location, nr_to_be_unused should not be
updated. Because the specified swap is regarded as a reserved
extended memory.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ie41caec345658589bf908fb0f96d038d1fba21f3
Two vendor hooks are added to extend the struct swap_info_struct:
android_vh_alloc_si, extend the allocation of struct swap_info_struct,
adding data to record the information of specified reclaimed location;
android_vh_init_swap_info_struct, adding initializing the extension of
struct swap_info_struct;
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I0e1d8e38ba7dfd52b609b1c14eb78f8b0ef0f9e6
When the page is unused, a vendor hook android_vh_unuse_swap_page
should be called to specify that the page should not be swapped
to the specified swap location any more.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I3fc3675020517f7cc69c76a06150dfb2380dae21
Provide a vendor hook to replace the function free_swap_slot,
adding the free_swap_slot process of pages swapped to the
specified swap location (i.e., the reserved expended memory)
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Idd6d0007e64d56d556d1234a8b931fce06031809
The specified swap is regarded as reserved extended memory.
So nr_swap_pages and total_swap_pages should not be affected
by the specified swap.
Provide a vendor hook android_vh_account_swap_pages to replace
the updating process of nr_swap_pages and total_swap_pages.
When the page is swapped to the specified swap location,
nr_swap_pages and total_swap_pages should not be updated.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ib8dfb355d190399a037b9d9eda478a81c436e224
Add android_vh_page_referenced_one_end at the end of function
page_referenced_one to update the status of whether the page
needs to be reclaimed to a specified swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ia06a229956328ef776da5d163708dcb011a327fb