Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.10 2020-10-17T21:05:30Z 2020-10-17T21:05:30Z Jens Axboe axboe@kernel.dk 2020-10-16T15:02:26Z urn:sha1:91989c707884ecc7cd537281ab1a4b8fb7219da3 A previous commit changed the notification mode from true/false to an int, allowing notify-no, notify-yes, or signal-notify. This was backwards compatible in the sense that any existing true/false user would translate to either 0 (on notification sent) or 1, the latter which mapped to TWA_RESUME. TWA_SIGNAL was assigned a value of 2. Clean this up properly, and define a proper enum for the notification mode. Now we have: - TWA_NONE. This is 0, same as before the original change, meaning no notification requested. - TWA_RESUME. This is 1, same as before the original change, meaning that we use TIF_NOTIFY_RESUME. - TWA_SIGNAL. This uses TIF_SIGPENDING/JOBCTL_TASK_WORK for the notification. Clean up all the callers, switching their 0/1/false/true to using the appropriate TWA_* mode for notifications. Fixes: e91b48162332 ("task_work: teach task_work_add() to do signal_wake_up()") Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2020-10-10T10:40:52Z Todd Kjos tkjos@google.com 2020-10-09T23:24:55Z urn:sha1:f3277cbfba763cd2826396521b9296de67cf1bbc When releasing a thread todo list when tearing down a binder_proc, the following race was possible which could result in a use-after-free: 1. Thread 1: enter binder_release_work from binder_thread_release 2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked() 3. Thread 2: dec nodeA --> 0 (will free node) 4. Thread 1: ACQ inner_proc_lock 5. Thread 2: block on inner_proc_lock 6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA) 7. Thread 1: REL inner_proc_lock 8. Thread 2: ACQ inner_proc_lock 9. Thread 2: todo list cleanup, but work was already dequeued 10. Thread 2: free node 11. Thread 2: REL inner_proc_lock 12. Thread 1: deref w->type (UAF) The problem was that for a BINDER_WORK_NODE, the binder_work element must not be accessed after releasing the inner_proc_lock while processing the todo list elements since another thread might be handling a deref on the node containing the binder_work element leading to the node being freed. Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-10-05T11:39:16Z Liu Shixin liushixin2@huawei.com 2020-09-29T01:52:16Z urn:sha1:2a3809da6186edacfd16ce4074460c7d0ed32982 Simplify the return expression. Acked-by: Martijn Coenen <maco@android.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Liu Shixin <liushixin2@huawei.com> Link: https://lore.kernel.org/r/20200929015216.1829946-1-liushixin2@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-09-16T15:30:37Z Colin Ian King colin.king@canonical.com 2020-09-10T15:12:21Z urn:sha1:7369fa47c442a6d4268989b64fbc28af48f9126e The pointer n is being initialized with a value that is never read and it is being updated later with a new value. The initialization is redundant and can be removed. Acked-by: Todd Kjos <tkjos@google.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Colin Ian King <colin.king@canonical.com> Link: https://lore.kernel.org/r/20200910151221.751464-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-09-03T16:24:41Z Martijn Coenen maco@android.com 2020-08-21T12:25:44Z urn:sha1:261e7818f06ec51e488e007f787ccd7e77272918 The most common cause of the binder transaction buffer filling up is a client rapidly firing oneway transactions into a process, before it has a chance to handle them. Yet the root cause of this is often hard to debug, because either the system or the app will stop, and by that time binder debug information we dump in bugreports is no longer relevant. This change warns as soon as a process dips below 80% of its oneway space (less than 100kB available in the configuration), when any one process is responsible for either more than 50 transactions, or more than 50% of the oneway space. Signed-off-by: Martijn Coenen <maco@android.com> Acked-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20200821122544.1277051-1-maco@android.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-09-03T16:24:39Z Wei Yongjun weiyongjun1@huawei.com 2020-08-18T11:22:45Z urn:sha1:89320020d967e8f7affbc4488b85860b3a64c4c4 The sparse tool complains as follows: drivers/android/binderfs.c:66:32: warning: symbol 'binderfs_fs_parameters' was not declared. Should it be static? This variable is not used outside of binderfs.c, so this commit marks it static. Fixes: 095cf502b31e ("binderfs: port to new mount api") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20200818112245.43891-1-weiyongjun1@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-09-03T16:24:37Z YangHui yanghui.def@gmail.com 2020-08-18T01:34:04Z urn:sha1:4b463822316e2d765191c99dd591a0018ac473e0 The function name should is binder_alloc_new_buf() Signed-off-by: YangHui <yanghui.def@gmail.com> Reviewed-by: Martijn Coenen <maco@android.com> Link: https://lore.kernel.org/r/1597714444-3614-1-git-send-email-yanghui.def@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-09-03T16:21:35Z Jann Horn jannh@google.com 2020-08-06T16:53:59Z urn:sha1:e8b8ae7ce32e17a5c29f0289e9e2a39c7dcaa1b8 While binder transactions with the same binder_proc as sender and recipient are forbidden, transactions with the same task_struct as sender and recipient are possible (even though currently there is a weird check in binder_transaction() that rejects them in the target==0 case). Therefore, task_struct identities can't be used to distinguish whether the caller is running in the context of the sender or the recipient. Since I see no easy way to make this WARN_ON() useful and correct, let's just remove it. Fixes: 44d8047f1d87 ("binder: use standard functions to allocate fds") Reported-by: syzbot+e113a0b970b7b3f394ba@syzkaller.appspotmail.com Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Jann Horn <jannh@google.com> Link: https://lore.kernel.org/r/20200806165359.2381483-1-jannh@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-07-29T15:05:44Z Mrinal Pandey mrinalmni@gmail.com 2020-07-24T13:14:49Z urn:sha1:7e84522cd089c6ef3e6adc7f1c9a5b2f705ccd9b C source files should have `//` as SPDX comment and not `/**/`. Fix this by running checkpatch on the file. Signed-off-by: Mrinal Pandey <mrinalmni@gmail.com> Link: https://lore.kernel.org/r/20200724131449.zvjutbemg3vqhrzh@mrinalpandey Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-07-29T15:05:44Z Mrinal Pandey mrinalmni@gmail.com 2020-07-24T13:14:33Z urn:sha1:81195f9689ac16c01c894c756b925e28e546b123 Add a blank line after variable declarations as suggested by checkpatch. Signed-off-by: Mrinal Pandey <mrinalmni@gmail.com> Link: https://lore.kernel.org/r/20200724131433.stf3ycooogawyzb3@mrinalpandey Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>