Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.19 2022-06-06T00:14:03Z 2022-06-06T00:14:03Z Linus Torvalds torvalds@linux-foundation.org 2022-06-06T00:14:03Z urn:sha1:6684cf42906ff5f44580e16a1f898e89c19aabd5 Pull file descriptor fix from Al Viro: "Fix for breakage in #work.fd this window" * tag 'pull-work.fd-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fix the breakage in close_fd_get_file() calling conventions change 2022-06-05T19:03:03Z Al Viro viro@zeniv.linux.org.uk 2022-06-05T18:01:42Z urn:sha1:40a1926022d128057376d35167128a7c74e3dca4 It used to grab an extra reference to struct file rather than just transferring to caller the one it had removed from descriptor table. New variant doesn't, and callers need to be adjusted. Reported-and-tested-by: syzbot+47dd250f527cb7bebf24@syzkaller.appspotmail.com Fixes: 6319194ec57b ("Unify the primitives for file descriptor closing") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2022-06-05T01:52:00Z Linus Torvalds torvalds@linux-foundation.org 2022-06-05T01:52:00Z urn:sha1:dbe0ee46614016146c1b3e1fc063b44333bb2401 Pull file descriptor updates from Al Viro. - Descriptor handling cleanups * tag 'pull-18-rc1-work.fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: Unify the primitives for file descriptor closing fs: remove fget_many and fput_many interface io_uring_enter(): don't leave f.flags uninitialized 2022-05-19T16:41:33Z Schspa Shi schspa@gmail.com 2022-05-18T01:17:54Z urn:sha1:aed86f8add0e3f63a033861f247c9ae956b72c92 binder_inner_proc_lock(thread->proc) is a spin lock, copy_to_user can't be called with in this lock. Copy it as a local variable to fix it. Fixes: bd32889e841c ("binder: add BINDER_GET_EXTENDED_ERROR ioctl") Reported-by: syzbot+46fff6434a7f968ecb39@syzkaller.appspotmail.com Reviewed-by: Carlos Llamas <cmllamas@google.com> Signed-off-by: Schspa Shi <schspa@gmail.com> Link: https://lore.kernel.org/r/20220518011754.49348-1-schspa@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-19T16:41:26Z Carlos Llamas cmllamas@google.com 2022-05-17T18:58:17Z urn:sha1:dafa5e9ab8b5b31d64c0ded188d95f8bb6be9746 Commit 9474be34a727 ("binder: add failed transaction logging info") dereferences target_{proc,thread} after they have been potentially freed by binder_proc_dec_tmpref() and binder_thread_dec_tmpref(). This patch delays the release of the two references after their last usage. Fixes the following two errors reported by smatch: drivers/android/binder.c:3562 binder_transaction() error: dereferencing freed memory 'target_proc' drivers/android/binder.c:3563 binder_transaction() error: dereferencing freed memory 'target_thread' Fixes: 9474be34a727 ("binder: add failed transaction logging info") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20220517185817.598872-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-19T16:41:11Z Carlos Llamas cmllamas@google.com 2022-05-09T23:19:01Z urn:sha1:da4864962d768b33e3bc31cd233270af6226686d Make sure we use unsigned format specifier %u for binder commands as most of them are encoded above INT_MAX. This prevents negative values when logging them as in the following case: [ 211.895781] binder: 8668:8668 BR_REPLY 258949 0:0, cmd -2143260157 size 0-0 ptr 0000006e766a8000-0000006e766a8000 Acked-by: Todd Kjos <tkjos@google.com> Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20220509231901.3852573-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-14T22:49:01Z Al Viro viro@zeniv.linux.org.uk 2022-05-12T21:08:03Z urn:sha1:6319194ec57b0452dcda4589d24c4e7db299c5bf Currently we have 3 primitives for removing an opened file from descriptor table - pick_file(), __close_fd_get_file() and close_fd_get_file(). Their calling conventions are rather odd and there's a code duplication for no good reason. They can be unified - 1) have __range_close() cap max_fd in the very beginning; that way we don't need separate way for pick_file() to report being past the end of descriptor table. 2) make {__,}close_fd_get_file() return file (or NULL) directly, rather than returning it via struct file ** argument. Don't bother with (bogus) return value - nobody wants that -ENOENT. 3) make pick_file() return NULL on unopened descriptor - the only caller that used to care about the distinction between descriptor past the end of descriptor table and finding NULL in descriptor table doesn't give a damn after (1). 4) lift ->files_lock out of pick_file() That actually simplifies the callers, as well as the primitives themselves. Code duplication is also gone... Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2022-05-09T13:43:24Z Carlos Llamas cmllamas@google.com 2022-04-29T23:56:44Z urn:sha1:a15dac8b228677daf8ad7f9855d38734ffa0e7d9 Log readable and specific error messages whenever a transaction failure happens. This will ensure better context is given to regular users about these unique error cases, without having to decode a cryptic log. Acked-by: Todd Kjos <tkjos@google.com> Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20220429235644.697372-6-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-09T13:43:24Z Carlos Llamas cmllamas@google.com 2022-04-29T23:56:43Z urn:sha1:06a3494ef61a9c67a5be068a74bc5d3ab9d72a4c Converting binder_debug() and binder_user_error() macros into functions reduces the overall object size by 16936 bytes when cross-compiled with aarch64-linux-gnu-gcc 11.2.0: $ size drivers/android/binder.o.{old,new} text data bss dec hex filename 77935 6168 20264 104367 197af drivers/android/binder.o.old 65551 1616 20264 87431 15587 drivers/android/binder.o.new This is particularly beneficial to functions binder_transaction() and binder_thread_write() which repeatedly use these macros and are both part of the critical path for all binder transactions. $ nm --size vmlinux.{old,new} |grep ' binder_transaction$' 0000000000002f60 t binder_transaction 0000000000002358 t binder_transaction $ nm --size vmlinux.{old,new} |grep binder_thread_write 0000000000001c54 t binder_thread_write 00000000000014a8 t binder_thread_write Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org> Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20220429235644.697372-5-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-09T13:43:24Z Carlos Llamas cmllamas@google.com 2022-04-29T23:56:41Z urn:sha1:bd32889e841c12533d09a1bd02bba932baa9ed8f Provide a userspace mechanism to pull precise error information upon failed operations. Extending the current error codes returned by the interfaces allows userspace to better determine the course of action. This could be for instance, retrying a failed transaction at a later point and thus offloading the error handling from the driver. Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org> Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20220429235644.697372-3-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>