Re: [PATCH] ANDROID: binder: fix binder work return error is wrongly consumed

2018-05-03 Thread Martijn Coenen
On Wed, May 2, 2018 at 7:30 AM, wrote: > But there is potential risks in the future, future functional extensions > need to consider nesting issues, maybe extending more methods where we > push to thread->todo. I think that using queueing return error transaction > to the head of thread todo

Re: INFO: task hung in fsnotify_mark_destroy_workfn

2018-04-24 Thread Martijn Coenen
On Wed, Apr 18, 2018 at 11:36 AM, Jan Kara wrote: > OK, so we are waiting for the grace period on fsnotify_mark_srcu. Seems > like someone is holding fsnotify_mark_srcu too long or srcu period cannot > finish for some other reason. However the reproducer basically contains > only one binder ioctl

Re: KASAN: use-after-free Read in binder_release_work

2018-04-23 Thread Martijn Coenen
On Mon, Apr 23, 2018 at 12:17 PM, Dmitry Vyukov wrote: > syzbot does not extract this info from patch emails. Ok so IIUC, Reported-By tags will only be considered when they are actually part of commits in one of the tested trees - makes sense. So does sending "#syz fix: xyz" cause syzbot to look

Re: KASAN: use-after-free Read in binder_release_work

2018-04-23 Thread Martijn Coenen
On Mon, Apr 23, 2018 at 11:49 AM, Dmitry Vyukov wrote: > Since it's already in Greg's queue, it's not worth bothering. We can > fix up things here with these "#syz fix" tags in emails, which > associate fixes with bugs. I meant, when I sent the original patch a month or so ago, could syzbot have

Re: KASAN: use-after-free Read in binder_release_work

2018-04-23 Thread Martijn Coenen
On Mon, Apr 23, 2018 at 11:28 AM, Dmitry Vyukov wrote: > https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d > and that happened in binder. But then syzkaller found a reproducer for > it, but it turned out to be in rdma subsystem. It's generally not > possible to properly distinguish

Re: KASAN: use-after-free Read in binder_release_work

2018-04-23 Thread Martijn Coenen
On Thu, Apr 19, 2018 at 11:35 PM, Eric Biggers wrote: > Martijn, this is going to be fixed by > https://patchwork.kernel.org/patch/10312345/ > ("ANDROID: binder: prevent transactions into own process"), right? > The syzbot bug ID in that patch is for a bug that is already closed, > so if it's not

Re: [PATCH v2] ANDROID: binder: prevent transactions into own process.

2018-04-23 Thread Martijn Coenen
On Wed, Mar 28, 2018 at 1:34 PM, Martijn Coenen <m...@android.com> wrote: > On Wed, Mar 28, 2018 at 1:28 PM, Greg KH <gre...@linuxfoundation.org> wrote: >> What is different from "v2" you sent before this? No change information >> from v1? Greg, is this in y

Re: [PATCH v2] ANDROID: binder: prevent transactions into own process.

2018-04-23 Thread Martijn Coenen
On Wed, Mar 28, 2018 at 1:34 PM, Martijn Coenen wrote: > On Wed, Mar 28, 2018 at 1:28 PM, Greg KH wrote: >> What is different from "v2" you sent before this? No change information >> from v1? Greg, is this in your queue, or should I just send a v3 to clean this up?

Re: [PATCH] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
On Wed, Mar 28, 2018 at 1:29 PM, Greg KH wrote: > I can mark it for stable, and then when you get the "this did not apply > to this tree" email, you can send a backported patch to me so I know to > take that one then. Ack, thanks. > > thanks, > > greg k-h

Re: [PATCH v2] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
On Wed, Mar 28, 2018 at 1:28 PM, Greg KH wrote: > What is different from "v2" you sent before this? No change information > from v1? Sorry I messed this up - the first resend did not have "v2" in the subject but did contain v2 change information, the second resend had the v2 subject and did not

[PATCH v2] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
...@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 764b63a5aade..e578eee31589 100644 --- a/drivers/android/binder.c +++ b/d

[PATCH v2] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
...@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 764b63a5aade..e578eee31589 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c

[v2] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
...@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen <m...@android.com> --- Changed in v2: - Use target_proc directly to avoid dereference. drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/android/binder.c b/drivers/android/binder.c

[v2] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
...@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen --- Changed in v2: - Use target_proc directly to avoid dereference. drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 764b63a5aade..e578eee31589

Re: [PATCH] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
On Wed, Mar 28, 2018 at 10:19 AM, Greg KH wrote: > Does this need to go to older kernels as well? Yes, this should apply cleanly to 4.14 as well. It won't apply to pre-4.14 kernels because of the fine-grained locking changes, but the same issue exists there and I suspect it would cause the same

[PATCH] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
...@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index e7e4560e4c6e..57d4ba926ed0 100644 --- a/drivers/android/binder.c +++ b/d

[PATCH] ANDROID: binder: prevent transactions into own process.

2018-03-28 Thread Martijn Coenen
...@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index e7e4560e4c6e..57d4ba926ed0 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c

Re: [PATCH] ANDROID: binder: change down_write to down_read

2018-03-28 Thread Martijn Coenen
in bider_mmap time which is > already hold a mmap_sem as down_write so binder_update_page_range > doesn't need to hold a mmap_sem as down_write. > > Android suffers from mmap_sem contention so let's reduce mmap_sem > down_write. > > Cc: Martijn Coenen <m...@android.com> > Cc:

Re: [PATCH] ANDROID: binder: change down_write to down_read

2018-03-28 Thread Martijn Coenen
is > already hold a mmap_sem as down_write so binder_update_page_range > doesn't need to hold a mmap_sem as down_write. > > Android suffers from mmap_sem contention so let's reduce mmap_sem > down_write. > > Cc: Martijn Coenen > Cc: Todd Kjos > Cc: Greg Kroah-Hartman > Sign

Re: KASAN: use-after-free Read in __list_del_entry_valid (3)

2018-03-06 Thread Martijn Coenen
On Tue, Mar 6, 2018 at 9:30 AM, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > 094b58e1040a44f991d7ab628035e69c4d6b79c9 (Mon Mar 5 19:57:06 2018 +) > Merge tag 'linux-kselftest-4.16-rc5' of > git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Re: [PATCH] ANDROID: binder: synchronize_rcu() when using POLLFREE.

2018-02-16 Thread Martijn Coenen
Greg, This is for 4.14 LTS and 4.16. Thanks, Martijn On Fri, Feb 16, 2018 at 9:47 AM, Martijn Coenen <m...@android.com> wrote: > To prevent races with ep_remove_waitqueue() removing the > waitqueue at the same time. > > Reported-by: syzbot+a2a3c4909716e2714...@syzkaller.appspo

Re: [PATCH] ANDROID: binder: synchronize_rcu() when using POLLFREE.

2018-02-16 Thread Martijn Coenen
Greg, This is for 4.14 LTS and 4.16. Thanks, Martijn On Fri, Feb 16, 2018 at 9:47 AM, Martijn Coenen wrote: > To prevent races with ep_remove_waitqueue() removing the > waitqueue at the same time. > > Reported-by: syzbot+a2a3c4909716e2714...@syzkaller.appspotmail.com > Signed-

[PATCH] ANDROID: binder: synchronize_rcu() when using POLLFREE.

2018-02-16 Thread Martijn Coenen
To prevent races with ep_remove_waitqueue() removing the waitqueue at the same time. Reported-by: syzbot+a2a3c4909716e2714...@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 9 + 1 file changed, 9 insertions(+) diff

[PATCH] ANDROID: binder: synchronize_rcu() when using POLLFREE.

2018-02-16 Thread Martijn Coenen
To prevent races with ep_remove_waitqueue() removing the waitqueue at the same time. Reported-by: syzbot+a2a3c4909716e2714...@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 9 + 1 file changed, 9 insertions(+) diff --git a/drivers/android

Re: KASAN: use-after-free Read in remove_wait_queue

2018-02-12 Thread Martijn Coenen
On Mon, Feb 12, 2018 at 7:31 PM, Al Viro wrote: > Any chance of bisecting it? Perhaps my fix introduced another (related) problem, I'm looking into it.

Re: [PATCH v3] android: binder: use VM_ALLOC to get vm area

2018-01-24 Thread Martijn Coenen
On Mon, Jan 22, 2018 at 4:54 PM, Greg KH wrote: > Martijn and Todd, any objections to this patch? Looks good to me. > > thanks, > > greg k-h

Re: [PATCH] ANDROID: binder: remove waitqueue when thread exits.

2018-01-05 Thread Martijn Coenen
On Fri, Jan 5, 2018 at 1:20 PM, Greg KH wrote: > Should this be a 4.15-final thing, as well as backported to any range of > older kernels? This was found by syzkaller and wouldn't be hit in normal code paths, so I think it's not critical for 4.15. This code was introduced in 4.14, so it should

[PATCH] ANDROID: binder: remove waitqueue when thread exits.

2018-01-05 Thread Martijn Coenen
oll cleanup code tries to access the waitlist, which results in a use-after-free. Prevent this by using POLLFREE when the thread exits. Signed-off-by: Martijn Coenen <m...@android.com> Reported-by: syzbot <syzkal...@googlegroups.com> --- drivers/android/binder.c | 12 1 f

[PATCH] ANDROID: binder: remove waitqueue when thread exits.

2018-01-05 Thread Martijn Coenen
oll cleanup code tries to access the waitlist, which results in a use-after-free. Prevent this by using POLLFREE when the thread exits. Signed-off-by: Martijn Coenen Reported-by: syzbot --- drivers/android/binder.c | 12 1 file changed, 12 insertions(+) diff --git a/drivers/android/binde

[PATCH] ANDROID: binder: Remove obsolete proc waitqueue.

2018-01-04 Thread Martijn Coenen
It was no longer being used. Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 778caed570c6..06067636 100644 --- a/drivers/android/binder.c

[PATCH] ANDROID: binder: Remove obsolete proc waitqueue.

2018-01-04 Thread Martijn Coenen
It was no longer being used. Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 778caed570c6..06067636 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c

[PATCH v2] MAINTAINERS: update Android driver maintainers.

2017-12-05 Thread Martijn Coenen
Add Todd Kjos and myself, remove Riley (who no longer works at Google). Signed-off-by: Martijn Coenen <m...@android.com> --- Changes in v2: adds commit message. MAINTAINERS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index aa71ab

[PATCH v2] MAINTAINERS: update Android driver maintainers.

2017-12-05 Thread Martijn Coenen
Add Todd Kjos and myself, remove Riley (who no longer works at Google). Signed-off-by: Martijn Coenen --- Changes in v2: adds commit message. MAINTAINERS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index aa71ab52fd76..da8264fc09d4 100644

[PATCH] MAINTAINERS: update Android driver maintainers.

2017-12-05 Thread Martijn Coenen
Signed-off-by: Martijn Coenen <m...@android.com> --- MAINTAINERS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index aa71ab52fd76..da8264fc09d4 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -859,7 +859,8 @@ F: kernel/configs/android* A

[PATCH] MAINTAINERS: update Android driver maintainers.

2017-12-05 Thread Martijn Coenen
Signed-off-by: Martijn Coenen --- MAINTAINERS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index aa71ab52fd76..da8264fc09d4 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -859,7 +859,8 @@ F: kernel/configs/android* ANDROID DRIVERS M: Greg

Re: [PATCH v3 1/6] ANDROID: binder: add support for RT prio inheritance.

2017-11-17 Thread Martijn Coenen
On Thu, Nov 16, 2017 at 4:10 PM, Peter Zijlstra wrote: > Well, I go by the one described in all the real-time computing texts; > also found on Wikipedia FWIW: > > https://en.wikipedia.org/wiki/Priority_inheritance Guess I was taking inheritance too literally :-) > >> This behavior is also

Re: [PATCH v3 1/6] ANDROID: binder: add support for RT prio inheritance.

2017-11-16 Thread Martijn Coenen
On Thu, Nov 16, 2017 at 12:27 PM, Peter Zijlstra wrote: >> On Wed, Nov 15, 2017 at 2:01 PM, Peter Zijlstra wrote: >> >> + * 1) binder supports a "minimum node priority", meaning that all >> >> transactions >> >> + *into a node must run at this priority at a minimum. This means >> >> that

Re: [PATCH v3 4/6] ANDROID: binder: add RT inheritance flag to node.

2017-11-16 Thread Martijn Coenen
On Wed, Nov 15, 2017 at 2:05 PM, Peter Zijlstra <pet...@infradead.org> wrote: > On Thu, Oct 26, 2017 at 04:07:48PM +0200, Martijn Coenen wrote: >> Allows a binder node to specify whether it wants to >> inherit real-time scheduling policy from a caller. This >>

Re: [PATCH v3 4/6] ANDROID: binder: add RT inheritance flag to node.

2017-11-16 Thread Martijn Coenen
On Wed, Nov 15, 2017 at 2:05 PM, Peter Zijlstra wrote: > On Thu, Oct 26, 2017 at 04:07:48PM +0200, Martijn Coenen wrote: >> Allows a binder node to specify whether it wants to >> inherit real-time scheduling policy from a caller. This >> inheritance may not always be d

Re: [PATCH v3 3/6] ANDROID: binder: improve priority inheritance.

2017-11-16 Thread Martijn Coenen
On Wed, Nov 15, 2017 at 2:03 PM, Peter Zijlstra <pet...@infradead.org> wrote: > On Thu, Oct 26, 2017 at 04:07:47PM +0200, Martijn Coenen wrote: >> By raising the priority of a thread selected for >> a transaction *before* we wake it up. >> >> Delay restorin

Re: [PATCH v3 3/6] ANDROID: binder: improve priority inheritance.

2017-11-16 Thread Martijn Coenen
On Wed, Nov 15, 2017 at 2:03 PM, Peter Zijlstra wrote: > On Thu, Oct 26, 2017 at 04:07:47PM +0200, Martijn Coenen wrote: >> By raising the priority of a thread selected for >> a transaction *before* we wake it up. >> >> Delay restoring the priority when doing a repl

Re: [PATCH v3 2/6] ANDROID: binder: add min sched_policy to node.

2017-11-16 Thread Martijn Coenen
On Wed, Nov 15, 2017 at 2:02 PM, Peter Zijlstra wrote: >> Internally, we use the priority map that the kernel >> uses, e.g. [0..99] for real-time policies and [100..139] >> for the SCHED_NORMAL/SCHED_BATCH policies. > > I will break that without consideration if I have to. That really isn't >

Re: [PATCH v3 1/6] ANDROID: binder: add support for RT prio inheritance.

2017-11-16 Thread Martijn Coenen
Thanks Peter for looking at this, more inline. On Wed, Nov 15, 2017 at 2:01 PM, Peter Zijlstra wrote: >> + * 1) binder supports a "minimum node priority", meaning that all >> transactions >> + *into a node must run at this priority at a minimum. This means that >> the >> + *desired

[PATCH] ANDROID: binder: Add thread->process_todo flag.

2017-11-15 Thread Martijn Coenen
411 BM_sendVec_binderize/1024 43119 ns 17357 ns 40432 Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 151 +-- 1 file changed, 107 insertions(+), 44 deletions(-) diff --git a/drivers/android/binder.c b/driver

[PATCH] ANDROID: binder: Add thread->process_todo flag.

2017-11-15 Thread Martijn Coenen
411 BM_sendVec_binderize/1024 43119 ns 17357 ns 40432 Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 151 +-- 1 file changed, 107 insertions(+), 44 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c in

Re: [PATCH] ANDROID: binder: show high watermark of alloc->pages.

2017-11-13 Thread Martijn Coenen
On Mon, Nov 13, 2017 at 10:49 AM, Greg KH wrote: > Who can use this? A userspace tool? Or something else? The output is part of Android bugreports, it's not parsed automatically but the information is very useful even to manually look at. Since Treble, we have more processes using binder, and

Re: [PATCH] ANDROID: binder: fix transaction leak.

2017-11-13 Thread Martijn Coenen
On Mon, Nov 13, 2017 at 10:49 AM, Greg KH wrote: > Is this relevant for 4.14 and any older kernels as well? The problem was introduced with fine-grained locking, which is 4.14 and up only. Thanks, Martijn

[PATCH] ANDROID: binder: show high watermark of alloc->pages.

2017-11-13 Thread Martijn Coenen
Show the high watermark of the index into the alloc->pages array, to facilitate sizing the buffer on a per-process basis. Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder_alloc.c | 4 drivers/android/binder_alloc.h | 2 ++ 2 files changed, 6 insertions

[PATCH] ANDROID: binder: show high watermark of alloc->pages.

2017-11-13 Thread Martijn Coenen
Show the high watermark of the index into the alloc->pages array, to facilitate sizing the buffer on a per-process basis. Signed-off-by: Martijn Coenen --- drivers/android/binder_alloc.c | 4 drivers/android/binder_alloc.h | 2 ++ 2 files changed, 6 insertions(+) diff --git a/driv

[PATCH] ANDROID: binder: fix transaction leak.

2017-11-13 Thread Martijn Coenen
If a call to put_user() fails, we failed to properly free a transaction and send a failed reply (if necessary). Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 40 +++- 1 file changed, 31 insertions(+), 9 deletions(-)

[PATCH] ANDROID: binder: fix transaction leak.

2017-11-13 Thread Martijn Coenen
If a call to put_user() fails, we failed to properly free a transaction and send a failed reply (if necessary). Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 40 +++- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/drivers

[PATCH v3 3/6] ANDROID: binder: improve priority inheritance.

2017-10-26 Thread Martijn Coenen
By raising the priority of a thread selected for a transaction *before* we wake it up. Delay restoring the priority when doing a reply until after we wake-up the process receiving the reply. Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.

[PATCH v3 3/6] ANDROID: binder: improve priority inheritance.

2017-10-26 Thread Martijn Coenen
By raising the priority of a thread selected for a transaction *before* we wake it up. Delay restoring the priority when doing a reply until after we wake-up the process receiving the reply. Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 74

[PATCH v3 4/6] ANDROID: binder: add RT inheritance flag to node.

2017-10-26 Thread Martijn Coenen
Allows a binder node to specify whether it wants to inherit real-time scheduling policy from a caller. This inheritance may not always be desirable, for example in cases where the binder call runs untrusted and therefore potentially unbounded code. Signed-off-by: Martijn Coenen <m...@android.

[PATCH v3 2/6] ANDROID: binder: add min sched_policy to node.

2017-10-26 Thread Martijn Coenen
] for the SCHED_NORMAL/SCHED_BATCH policies. Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c| 28 + include/uapi/linux/android/binder.h | 41 - 2 files changed, 60 insertions(+), 9 del

[PATCH v3 4/6] ANDROID: binder: add RT inheritance flag to node.

2017-10-26 Thread Martijn Coenen
Allows a binder node to specify whether it wants to inherit real-time scheduling policy from a caller. This inheritance may not always be desirable, for example in cases where the binder call runs untrusted and therefore potentially unbounded code. Signed-off-by: Martijn Coenen --- drivers

[PATCH v3 2/6] ANDROID: binder: add min sched_policy to node.

2017-10-26 Thread Martijn Coenen
] for the SCHED_NORMAL/SCHED_BATCH policies. Signed-off-by: Martijn Coenen --- drivers/android/binder.c| 28 + include/uapi/linux/android/binder.h | 41 - 2 files changed, 60 insertions(+), 9 deletions(-) diff --git a/drivers

[PATCH v3 5/6] ANDROID: binder: don't check prio permissions on restore.

2017-10-26 Thread Martijn Coenen
CAP_SYS_NICE or RLIMIT_RT_PRIO, for now it seems reasonable to not check permissions on the restore path. Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 30 ++ 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/drivers/a

[PATCH v3 5/6] ANDROID: binder: don't check prio permissions on restore.

2017-10-26 Thread Martijn Coenen
CAP_SYS_NICE or RLIMIT_RT_PRIO, for now it seems reasonable to not check permissions on the restore path. Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 30 ++ 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/drivers/android/binder.c b/drivers

[PATCH v3 6/6] ANDROID: binder: Add tracing for binder priority inheritance.

2017-10-26 Thread Martijn Coenen
This allows to easily trace and visualize priority inheritance in the binder driver. Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 4 drivers/android/binder_trace.h | 24 2 files changed, 28 insertions(+) diff

[PATCH v3 6/6] ANDROID: binder: Add tracing for binder priority inheritance.

2017-10-26 Thread Martijn Coenen
This allows to easily trace and visualize priority inheritance in the binder driver. Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 4 drivers/android/binder_trace.h | 24 2 files changed, 28 insertions(+) diff --git a/drivers/android/binder.c

[PATCH v3 0/6] ANDROID: binder: RT priority inheritance

2017-10-26 Thread Martijn Coenen
een reviewed by Android engineers and are merged in Android's common kernel trees. Martijn Coenen (6): ANDROID: binder: add support for RT prio inheritance. ANDROID: binder: add min sched_policy to node. ANDROID: binder: improve priority inheritance. ANDROID: binder: add RT inheritance flag to nod

[PATCH v3 1/6] ANDROID: binder: add support for RT prio inheritance.

2017-10-26 Thread Martijn Coenen
the priority of T2 *before* waking it up. Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.c | 217 --- 1 file changed, 188 insertions(+), 29 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c

[PATCH v3 0/6] ANDROID: binder: RT priority inheritance

2017-10-26 Thread Martijn Coenen
trees. Martijn Coenen (6): ANDROID: binder: add support for RT prio inheritance. ANDROID: binder: add min sched_policy to node. ANDROID: binder: improve priority inheritance. ANDROID: binder: add RT inheritance flag to node. ANDROID: binder: don't check prio permissions on restore. ANDROID

[PATCH v3 1/6] ANDROID: binder: add support for RT prio inheritance.

2017-10-26 Thread Martijn Coenen
the priority of T2 *before* waking it up. Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 217 --- 1 file changed, 188 insertions(+), 29 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 95a96a254e5d

Re: [PATCH] ANDROID: binder: call poll_wait() unconditionally.

2017-10-09 Thread Martijn Coenen
On Mon, Oct 9, 2017 at 2:37 PM, Greg KH wrote: > Does this need to get into 4.14-final, or is 4.15-rc1 ok? I'm a bit > lost as to which patches I applied to what tree... This fixes a race that is somewhat hard to hit, I've only ever seen it with test code that creates the right conditions. But

[PATCH] ANDROID: binder: call poll_wait() unconditionally.

2017-10-09 Thread Martijn Coenen
Because we're not guaranteed that subsequent calls to poll() will have a poll_table_struct parameter with _qproc set. When _qproc is not set, poll_wait() is a noop, and we won't be woken up correctly. Signed-off-by: Martijn Coenen <m...@android.com> --- drivers/android/binder.

[PATCH] ANDROID: binder: call poll_wait() unconditionally.

2017-10-09 Thread Martijn Coenen
Because we're not guaranteed that subsequent calls to poll() will have a poll_table_struct parameter with _qproc set. When _qproc is not set, poll_wait() is a noop, and we won't be woken up correctly. Signed-off-by: Martijn Coenen --- drivers/android/binder.c | 11 +-- 1 file changed, 1

Re: [PATCH v2 03/13] ANDROID: binder: add support for RT prio inheritance.

2017-10-09 Thread Martijn Coenen
On Fri, Sep 1, 2017 at 9:24 AM, Greg KH wrote: > > I've now applied patches 1, 2, 7, 9, 11, and 12 from this series to my > tree, so feel free to rebase on it for the next round of these patches. Thanks Greg. You should also be able to apply patch 10 from this series

Re: [PATCH v2 03/13] ANDROID: binder: add support for RT prio inheritance.

2017-10-09 Thread Martijn Coenen
On Fri, Sep 1, 2017 at 9:24 AM, Greg KH wrote: > > I've now applied patches 1, 2, 7, 9, 11, and 12 from this series to my > tree, so feel free to rebase on it for the next round of these patches. Thanks Greg. You should also be able to apply patch 10 from this series ("ANDROID: binder: call

Re: [PATCH] android: binder: fix type mismatch warning

2017-09-22 Thread Martijn Coenen
On Fri, Sep 22, 2017 at 11:12 AM, Arnd Bergmann wrote: > How would waiting help? Once P drops support for v7, all P userspaces (including containerized ones) need to be v8. After a while, the number of non-Android userspaces < P with v7 would become practically zero. But it's

Re: [PATCH] android: binder: fix type mismatch warning

2017-09-22 Thread Martijn Coenen
On Fri, Sep 22, 2017 at 11:12 AM, Arnd Bergmann wrote: > How would waiting help? Once P drops support for v7, all P userspaces (including containerized ones) need to be v8. After a while, the number of non-Android userspaces < P with v7 would become practically zero. But it's really hard to draw

Re: [PATCH] android: binder: fix type mismatch warning

2017-09-22 Thread Martijn Coenen
On Wed, Sep 20, 2017 at 3:37 PM, Arnd Bergmann wrote: > I'm not really worried about shipping Android products, for those > there is no big problem using the compile-time option as they build > everything together. Ack. > The case that gets interesting is any kind of user that

Re: [PATCH] android: binder: fix type mismatch warning

2017-09-22 Thread Martijn Coenen
On Wed, Sep 20, 2017 at 3:37 PM, Arnd Bergmann wrote: > I'm not really worried about shipping Android products, for those > there is no big problem using the compile-time option as they build > everything together. Ack. > The case that gets interesting is any kind of user that wants to > run

Re: [PATCH] android: binder: fix type mismatch warning

2017-09-20 Thread Martijn Coenen
On Wed, Sep 20, 2017 at 11:58 AM, Arnd Bergmann wrote: > - On stable mainline kernels (unlike android-common), the v8 > interface has never been available as a build option, and making > it user-selectable will require additional patches to make it > actually build on 32-bit

Re: [PATCH] android: binder: fix type mismatch warning

2017-09-20 Thread Martijn Coenen
On Wed, Sep 20, 2017 at 11:58 AM, Arnd Bergmann wrote: > - On stable mainline kernels (unlike android-common), the v8 > interface has never been available as a build option, and making > it user-selectable will require additional patches to make it > actually build on 32-bit ARM. This is

Re: [PATCH] android: binder: fix type mismatch warning

2017-09-20 Thread Martijn Coenen
On Mon, Sep 18, 2017 at 9:49 PM, Arnd Bergmann wrote: > The current Kconfig comment says that v7 of the ABI is also > incompatible with Android 4.5 and later user space. Can someone > confirm that? That is not actually true - v7 does work with all versions of Android (up to and

Re: [PATCH] android: binder: fix type mismatch warning

2017-09-20 Thread Martijn Coenen
On Mon, Sep 18, 2017 at 9:49 PM, Arnd Bergmann wrote: > The current Kconfig comment says that v7 of the ABI is also > incompatible with Android 4.5 and later user space. Can someone > confirm that? That is not actually true - v7 does work with all versions of Android (up to and including Oreo).

Re: [PATCH] binder: fix memory corruption in binder_transaction binder

2017-09-12 Thread Martijn Coenen
Hi Amit, Can you try with the patch I sent to LKML recently, "[PATCH v2 10/13] ANDROID: binder: call poll_wait() unconditionally."? This fixes a problem in binder's poll() implementation that only causes issues under certain racy conditions. I'm not sure why it would only trigger now, as this

