[PATCH 2/3] binder: fix kerneldoc header for struct binder_buffer

2018-12-05 Thread Todd Kjos
Fix the incomplete kerneldoc header for struct binder_buffer. Signed-off-by: Todd Kjos --- v2: no code change. Removed needless "Change-Id:" There is no dependency on patch 1/3 drivers/android/binder_alloc.h | 20 ++-- 1 file changed, 10 insertions(+), 10 deletion

Re: [PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
On Wed, Dec 5, 2018 at 2:00 PM Al Viro wrote: > > On Wed, Dec 05, 2018 at 01:16:01PM -0800, Todd Kjos wrote: > > 44d8047f1d87a ("binder: use standard functions to allocate fds") > > exposed a pre-existing issue in the binder driver. > > > > fdget()

[PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
te fds") Suggested-by: Jann Horn Signed-off-by: Todd Kjos Acked-by: Martijn Coenen --- v2: added "Fixes:" tag Should be added to 4.20-final if possible drivers/android/binder.c | 8 1 file changed, 8 insertions(+) diff --git a/drivers/android/binder.c b/drivers/and

Re: [PATCH v2 1/3] binder: fix sparse warnings on locking context

2018-12-07 Thread Todd Kjos
On Thu, Dec 6, 2018 at 11:08 PM Greg Kroah-Hartman wrote: ... > But I thought I applied this back on November 26: > > https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/commit/?h=char-misc-testing=324fa64cf4189094bc4df744a9e7214a1b81d845 > > You should have gotten an

Re: [PATCH] binder: remove BINDER_DEBUG_ENTRY()

2018-12-03 Thread Todd Kjos
On Fri, Nov 30, 2018 at 5:26 PM Yangtao Li wrote: > > We already have the DEFINE_SHOW_ATTRIBUTE. There is no need to define > such a macro, so remove BINDER_DEBUG_ENTRY. > > Signed-off-by: Yangtao Li Acked-by: Todd Kjos > --- > drivers/

[PATCH] binder: fix kerneldoc header for struct binder_buffer

2018-12-03 Thread Todd Kjos
Fix the incomplete kerneldoc header for struct binder_buffer. Change-Id: If3ca10cf6d90f605a0c078e4cdce28f02a475877 Signed-off-by: Todd Kjos --- drivers/android/binder_alloc.h | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/android

[PATCH] binder: fix sparse warnings on locking context

2018-12-03 Thread Todd Kjos
Add __acquire()/__release() annotations to fix warnings in sparse context checking. There is one case where the warning was due to a lack of a "default:" case in a switch statement where a lock was being released in each of the cases, so the default case was added. Signed-off-by:

[PATCH] binder: filter out nodes when showing binder procs

2018-12-03 Thread Todd Kjos
When dumping out binder transactions via a debug node, the output is too verbose if a process has many nodes. Change the output for transaction dumps to only display nodes with pending async transactions. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 3 +++ 1 file changed, 3

[PATCH] binder: fix use-after-free due to fdget() optimization

2018-12-03 Thread Todd Kjos
of task A's /dev/binder to 0 and frees it 11. task A continues processing of the ioctl and accesses some property of e.g. the binder_proc => KASAN-detectable UAF Fixed by using get_file() / fput() in binder_ioctl(). Suggested-by: Jann Horn Signed-off-by: Todd Kjos Acked-by: M

Re: [PATCH v2] binder: fix use-after-free due to fdget() optimization

2018-12-05 Thread Todd Kjos
On Wed, Dec 5, 2018 at 4:40 PM Al Viro wrote: > > On Wed, Dec 05, 2018 at 04:21:55PM -0800, Todd Kjos wrote: > > > > How about grabbing the references to all victims (*before* screwing with > > > ksys_close()), sticking them into a structure with embedded ca

Re: [PATCH v2 1/3] binder: fix sparse warnings on locking context

2018-12-06 Thread Todd Kjos
On Thu, Dec 6, 2018 at 6:51 AM Greg KH wrote: > > On Wed, Dec 05, 2018 at 03:19:24PM -0800, Todd Kjos wrote: > > Add __acquire()/__release() annotations to fix warnings > > in sparse context checking > > > > There is one case where the warning was due to a

Re: [PATCH v2 1/4] ARM: amba: Make driver_override output consistent with other buses

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven wrote: > For AMBA devices with unconfigured driver override, the > "driver_override" sysfs virtual file is empty, while it contains > "(null)" for platform and PCI devices. > > Ma

Re: [PATCH v2 2/4] ARM: amba: Fix race condition with driver_override

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven wrote: > The driver_override implementation is susceptible to a race condition > when different threads are reading vs storing a different driver > override. Add locking to avoid this race condition. > >

Re: [PATCH v2 3/4] ARM: amba: Don't read past the end of sysfs "driver_override" buffer

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven wrote: > When printing the driver_override parameter when it is 4095 and 4094 > bytes long, the printing code would access invalid memory because we > need count + 1 bytes for printing. > > Cfr. commits 4

Re: [PATCH v2 4/4] ARM: amba: Fix wrong indentation in driver_override_store()

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven wrote: > Indentation is one TAB and 7 spaces instead of 2 TABs. > > Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path > 'driver_override'") > Signed-o

Re: [PATCH] ANDROID: binder: correct the cmd print for BINDER_WORK_RETURN_ERROR

2018-05-09 Thread Todd Kjos
On Wed, May 9, 2018 at 12:31 AM 宋金时 wrote: > In case of the BINDER_WORK_RETURN_ERROR the cmd is not assigned, > so its value will be old value or dirty value, before modifying > e->cmd, assign the value of the e->cmd to cmd to ensure the correct > print of binder_stat_br. That's not the

Re: [PATCH v3 3/6] android: binder: Move buffer out of area shared with user space

2017-08-30 Thread Todd Kjos
I just went back through it -- turns out my email bounced back from linux-kernel@vger.kernel.org (reason was "may contain a virus"). Sorry I didn't notice that and resend. On Wed, Aug 30, 2017 at 1:20 PM, Dan Carpenter wrote: > On Wed, Aug 30, 2017 at 01:04:31PM -0700, Arve Hjønnevåg wrote: >>

[PATCH] binder: fix use-after-free in binder_transaction()

2017-09-29 Thread Todd Kjos
is used that does the ref increments on both the node and proc. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 93 ++-- 1 file changed, 66 insertions(+), 27 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index

[PATCH v3] binder: fix proc->files use-after-free

2017-11-27 Thread Todd Kjos
prior to proc->files cleanup. This has been seen once in task_get_unused_fd_flags() when __alloc_fd() is called with a stale "files". The fix is to protect proc->files with a mutex to prevent cleanup while in use. Signed-off-by: Todd Kjos --- v2: declare binder_get_files_struc

[PATCH] binder: fix proc->files use-after-free

2017-11-14 Thread Todd Kjos
files is removed since we get it every time. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 63 +++- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index fddf76ef5bd

Re: [PATCH 1/2] sched: force update of blocked load of idle cpus

2017-11-09 Thread Todd Kjos
> @@ -8683,6 +8692,10 @@ static void nohz_balancer_kick(void) > > if (test_and_set_bit(NOHZ_BALANCE_KICK, nohz_flags(ilb_cpu))) > return; > + > + if (only_update) > + set_bit(NOHZ_STATS_KICK, nohz_flags(ilb_cpu)); Should there be an "else

Re: [PATCH v2] binder: fix proc->files use-after-free

2017-11-20 Thread Todd Kjos
Al, thanks for the detailed feedback. I didn't know about these rules (are they written down somewhere?). I'll rework this and post a compliant v3. On Fri, Nov 17, 2017 at 11:31 AM, Al Viro wrote: > On Thu, Nov 16, 2017 at 09:56:50AM -0800, Todd Kjos wrote: > >> +static struct

[PATCH] binder: fix incorrect cmd to binder_stat_br

2017-08-08 Thread Todd Kjos
n initialized. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 9f95d7093f32..f34fcb513c64 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3

[PATCH] binder: fix memory corruption in binder_transaction binder

2017-09-05 Thread Todd Kjos
se the thread->todo list to be corrupted. So, dequeue it before freeing. Signed-off-by: Xu YiPing Signed-off-by: Todd Kjos --- drivers/android/binder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index d055b3f2a207..96cc28afa383 1006

[PATCH] binder: fix an ret value override

2017-09-05 Thread Todd Kjos
From: Xu YiPing commit 372e3147df70 ("binder: guarantee txn complete / errors delivered in-order") incorrectly defined a local ret value. This ret value will be invalid when out of the if block. Signed-off-by: Xu YiPing Signed-off-by: Todd Kjos --- drivers/android/binder.c | 1

Re: [PATCH 2/4] ARM: amba: Fix race condition with driver_override

2018-03-02 Thread Todd Kjos
+stable what is the status of this patch? We'd like to get it into the android common branches to fix possible double free. On Fri, Jan 19, 2018 at 7:24 AM, Geert Uytterhoeven wrote: > The driver_override implementation is susceptible to a race condition > when different threads are reading vs

Re: [PATCH v2] staging: android: ashmem: Fix lockdep issue during llseek

2018-02-26 Thread Todd Kjos
a lock ordering created between mmap_sem and inode->i_rwsem >>> causing a lockdep splat [2] during a syzcaller test, this patch fixes >>> the issue by unlocking the mutex earlier. Functionally that's Ok since >>> we don't need to protect vfs_llseek. >>>

Re: KASAN: use-after-free Read in remove_wait_queue

2018-02-12 Thread Todd Kjos
On Mon, Feb 12, 2018 at 7:57 AM, Dmitry Vyukov wrote: > > On Mon, Feb 12, 2018 at 4:54 PM, syzbot > wrote: > > Hello, > > > > syzbot hit the following crash on upstream commit > > f1517df8701c9f12dae9ce7f43a5d300a6917619 (Thu Feb 8 23:18:32 2018 +) > > Merge tag 'nfsd-4.16' of

Re: [PATCH 02/37] binder: use group leader instead of open thread

2017-07-07 Thread Todd Kjos
I suspect there won't be a respin. I'll ping you later if you don't remember it yourself ;) On Wed, Jul 5, 2017 at 11:47 AM, Greg KH wrote: > On Wed, Jul 05, 2017 at 09:13:16AM -0700, Todd Kjos wrote: >> Yes, this one back to 4.4. 01/37 should go to 4.9 (it's not in 4.4). > > Grea

[PATCH 00/37] fine-grained locking in binder driver

2017-06-29 Thread Todd Kjos
The binder driver uses a global mutex to serialize access to state in a multi-threaded environment. This global lock has been increasingly problematic as Android devices have scaled to more cores. The problem is not so much contention for the global lock which still remains relatively low, but the

[PATCH 01/37] Revert "android: binder: Sanity check at binder ioctl"

2017-06-29 Thread Todd Kjos
This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 5 - 1 file changed, 5 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index aae4d8d4be36..157bd3e49ff4 100644 --- a/drivers/android/binder.c

[PATCH 04/37] binder: separate binder allocator structure from binder proc

2017-06-29 Thread Todd Kjos
The binder allocator is logically separate from the rest of the binder driver. Separating the data structures to prepare for splitting into a separate file with separate locking. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 212 + drivers

[PATCH 03/37] binder: Use wake up hint for synchronous transactions.

2017-06-29 Thread Todd Kjos
From: Riley Andrews Use wake_up_interruptible_sync() to hint to the scheduler that binder transactions are synchronous wakeups. Disable preemption while waking to avoid ping-ponging on the binder lock. Signed-off-by: Todd Kjos Signed-off-by: Omprakash Dhyade --- drivers/android/binder.c | 8

[PATCH 06/37] binder: separate out binder_alloc functions

2017-06-29 Thread Todd Kjos
Continuation of splitting the binder allocator from the binder driver. Separate binder_alloc functions from normal binder functions. Protect the allocator with a separate mutex. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 649 + drivers

[PATCH 12/37] binder: add log information for binder transaction failures

2017-06-29 Thread Todd Kjos
where error detected. Also, return BR_DEAD_REPLY if an allocation error indicates a dead proc (-ESRCH) Signed-off-by: Todd Kjos --- drivers/android/binder.c | 87 +- drivers/android/binder_alloc.c | 20 +- 2 files changed, 88 insertions(+), 19

[PATCH 09/37] binder: add protection for non-perf cases

2017-06-29 Thread Todd Kjos
Add binder_dead_nodes_lock, binder_procs_lock, and binder_context_mgr_node_lock to protect the associated global lists. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 81 +--- 1 file changed, 63 insertions(+), 18 deletions(-) diff --git

[PATCH 13/37] binder: refactor queue management in binder_thread_read

2017-06-29 Thread Todd Kjos
atomically in 1 pass so it stays consistent with the kernel view. The work item is now dequeued immediately since only 1 pass is needed. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 151 +-- 1 file changed, 94 insertions(+), 57 deletions

[PATCH 10/37] binder: change binder_stats to atomics

2017-06-29 Thread Todd Kjos
From: Badhri Jagan Sridharan Use atomics for stats to avoid needing to lock for increments/decrements. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 48 1 file changed, 28 insertions(+), 20 deletions(-) diff --git a/drivers/android

[PATCH 07/37] binder: move binder_alloc to separate file

2017-06-29 Thread Todd Kjos
Move the binder allocator functionality to its own file. Continuation of splitting the binder allocator from the binder driver. Split binder_alloc functions from normal binder functions. Add kernel doc comments to functions declared extern in binder_alloc.h. Signed-off-by: Todd Kjos --- drivers

[PATCH 33/37] binder: use inner lock to protect thread accounting

2017-06-29 Thread Todd Kjos
Use the inner lock to protect thread accounting fields in proc structure: max_threads, requested_threads, requested_threads_started and ready_threads. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 28 +++- 1 file changed, 23 insertions(+), 5 deletions(-) diff

[PATCH 35/37] binder: protect against stale pointers in print_binder_transaction

2017-06-29 Thread Todd Kjos
lock. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 60 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index f07f0d488aa4..36ef88d10631 100644 --- a/drivers/android

[PATCH 36/37] binder: fix death race conditions

2017-06-29 Thread Todd Kjos
From: Martijn Coenen A race existed where one thread could register a death notification for a node, while another thread was cleaning up that node and sending out death notifications for its references, causing simultaneous access to ref->death because different locks were held. Signed-off-by:

[PATCH 28/37] binder: add spinlocks to protect todo lists

2017-06-29 Thread Todd Kjos
ced in a later patch. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 355 +++ 1 file changed, 269 insertions(+), 86 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 6c741416fa00..5a0389767843 100644 --- a/drivers/andr

[PATCH 37/37] binder: remove global binder lock

2017-06-29 Thread Todd Kjos
Remove global mutex and rely on fine-grained locking. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 46 +++--- 1 file changed, 3 insertions(+), 43 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 1e50b034d49a

[PATCH 34/37] binder: protect binder_ref with outer lock

2017-06-29 Thread Todd Kjos
off-by: Todd Kjos --- drivers/android/binder.c | 133 +-- 1 file changed, 83 insertions(+), 50 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 704540ea3e12..f07f0d488aa4 100644 --- a/drivers/android/binder.c +++ b/driv

[PATCH 29/37] binder: add spinlock to protect binder_node

2017-06-29 Thread Todd Kjos
node->node_lock is used to protect elements of node. No need to acquire for fields that are invariant: debug_id, ptr, cookie. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 220 +++ 1 file changed, 165 insertions(+), 55 deletions(-) d

[PATCH 31/37] binder: protect proc->threads with inner_lock

2017-06-29 Thread Todd Kjos
proc->threads will need to be accessed with higher locks of other processes held so use proc->inner_lock to protect it. proc->tmp_ref now needs to be protected by proc->inner_lock. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 87 +++

[PATCH 32/37] binder: protect transaction_stack with inner lock.

2017-06-29 Thread Todd Kjos
From: Martijn Coenen This makes future changes to priority inheritance easier, since we want to be able to look at a thread's transaction stack when selecting a thread to inherit priority for. It also allows us to take just a single lock in a few paths, where we used to take two in succession.

[PATCH 24/37] binder: refactor binder ref inc/dec for thread safety

2017-06-29 Thread Todd Kjos
now have: ret = binder_dec_ref_for_handle(proc, handle, strong, ); Since the actual ref is no longer exposed to callers, a new struct binder_ref_data is introduced which can be used to return a copy of ref state. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 484

[PATCH 30/37] binder: protect proc->nodes with inner lock

2017-06-29 Thread Todd Kjos
When locks for binder_ref handling are added, proc->nodes will need to be modified while holding the outer lock. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 112 +-- 1 file changed, 89 insertions(+), 23 deletions(-) diff --git a/driv

[PATCH 23/37] binder: make sure accesses to proc/thread are safe

2017-06-29 Thread Todd Kjos
roc if it has no remaining threads and no reference. A spinlock is added to the binder_transaction to safely access and set references for t->from and for debug code to safely access t->to_thread and t->to_proc. Signed-off-by: Todd Kjos --- drivers/android/bi

[PATCH 26/37] binder: introduce locking helper functions

2017-06-29 Thread Todd Kjos
the suffix of the function name:
foo_olocked() : requires node->outer_lock
foo_nlocked() : requires node->lock
foo_ilocked() : requires proc->inner_lock
foo_iolocked(): requires proc->outer_lock and proc->inner_lock
foo_nilocked(): requires node->lock and proc->inner_lock
Signed-

[PATCH 22/37] binder: make sure target_node has strong ref

2017-06-29 Thread Todd Kjos
When initiating a transaction, the target_node must have a strong ref on it. Then we take a second strong ref to make sure the node survives until the transaction is complete. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 22 +- 1 file changed, 17 insertions(+), 5

[PATCH 27/37] binder: use inner lock to sync work dq and node counts

2017-06-29 Thread Todd Kjos
ock. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 249 +-- 1 file changed, 198 insertions(+), 51 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 91fece5c067f..6c741416fa00 100644 --- a/drivers/andr

[PATCH 18/37] binder: add more debug info when allocation fails.

2017-06-29 Thread Todd Kjos
From: Martijn Coenen Display information about allocated/free space whenever binder buffer allocation fails on synchronous transactions. Signed-off-by: Martijn Coenen Signed-off-by: Siqi Lin --- drivers/android/binder_alloc.c | 31 ++- 1 file changed, 30

[PATCH 25/37] binder: use node->tmp_refs to ensure node safety

2017-06-29 Thread Todd Kjos
When obtaining a node via binder_get_node(), binder_get_node_from_ref() or binder_new_node(), increment node->tmp_refs to take a temporary reference on the node to ensure the node persists while being used. binder_put_node() must be called to remove the temporary reference. Signed-off-by: T

[PATCH 15/37] binder: don't modify thread->looper from other threads

2017-06-29 Thread Todd Kjos
to modify a bit, the BINDER_LOOPER_STATE_NEED_RETURN flag is replaced by a separate field in struct binder_thread. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 22 +++--- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/android/binder.c b/drivers

[PATCH 20/37] binder: refactor binder_pop_transaction

2017-06-29 Thread Todd Kjos
-off-by: Todd Kjos --- drivers/android/binder.c | 30 +++--- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index cb78a4e6872d..d2fcf3cc29a6 100644 --- a/drivers/android/binder.c +++ b/drivers/android

[PATCH 11/37] binder: make binder_last_id an atomic

2017-06-29 Thread Todd Kjos
Use an atomic for binder_last_id to avoid locking it. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index cd4191d027e1..25f30d81c7d0 100644 --- a/drivers

[PATCH 05/37] binder: remove unneeded cleanup code

2017-06-29 Thread Todd Kjos
The buffer's transaction has already been freed before binder_deferred_release. No need to do it again. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 11 ++- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index

[PATCH 19/37] binder: use atomic for transaction_log index

2017-06-29 Thread Todd Kjos
by using "% ARRAY_SIZE(log->entry)". Also added "complete" field to the log entry which is written last to tell the print code whether the entry is complete. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 75 +--- 1 file changed

[PATCH 02/37] binder: use group leader instead of open thread

2017-06-29 Thread Todd Kjos
The binder allocator assumes that the thread that called binder_open will never die for the lifetime of that proc. That thread is normally the group_leader, however it may not be. Use the group_leader instead of current. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 4 ++-- 1 file

[PATCH 16/37] binder: remove dead code in binder_get_ref_for_node

2017-06-29 Thread Todd Kjos
node is always non-NULL in binder_get_ref_for_node so the conditional and else clause are not needed. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 16 +--- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c

[PATCH 08/37] binder: remove binder_debug_no_lock mechanism

2017-06-29 Thread Todd Kjos
. Removing it. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 31 --- 1 file changed, 8 insertions(+), 23 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 0512971cfc53..10fda7ab9fa5 100644 --- a/drivers/android/binder.c +++ b/drivers

[PATCH 17/37] binder: protect against two threads freeing buffer

2017-06-29 Thread Todd Kjos
Adds protection against malicious user code freeing the same buffer at the same time which could cause a crash. Cannot happen under normal use. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 4 ++-- drivers/android/binder_alloc.c | 22 +- drivers/android

[PATCH 14/37] binder: avoid race conditions when enqueuing txn

2017-06-29 Thread Todd Kjos
ed-off-by: Todd Kjos --- drivers/android/binder.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index f17d1dfa5b02..71faf548482d 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -1799,6 +

[PATCH 21/37] binder: guarantee txn complete / errors delivered in-order

2017-06-29 Thread Todd Kjos
work list for errors to guarantee order. Also changed binder_send_failed_reply to pop the transaction even if it failed to send a reply. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 127 +++ 1 file changed, 73 insertions(+), 54 deletions

[PATCH 01/37] Revert "android: binder: Sanity check at binder ioctl"

2017-07-05 Thread Todd Kjos
This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 5 - 1 file changed, 5 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index aae4d8d4be36..157bd3e49ff4 100644 --- a/drivers/android/binder.c

[PATCH v2 01/37] Revert "android: binder: Sanity check at binder ioctl"

2017-07-05 Thread Todd Kjos
e original patch should be reverted. The reversion is being done as part of the fine-grained locking patchset since the patch would need to be refactored when proc->vmm_vm_mm is removed from struct binder_proc and added in the binder allocator. Also needs reversion in 4.9 LTS. Signed-off-

Re: [PATCH v3] binder: fix proc->files use-after-free

2017-12-11 Thread Todd Kjos
Greg- when this is in, we'll want it in 4.14 as well. On Mon, Nov 27, 2017 at 9:32 AM, Todd Kjos wrote: > proc->files cleanup is initiated by binder_vma_close. Therefore > a reference on the binder_proc is not enough to prevent the > files_struct from being released while the binde

Re: [PATCH] binder: fix memory corruption in binder_transaction binder

2017-09-11 Thread Todd Kjos
with no issues (used hikey-linaro 4.9 kernel which has this patch). -Todd > On Mon, Sep 11, 2017 at 5:18 AM, Amit Pundir wrote: >> >> On 5 September 2017 at 22:51, Todd Kjos wrote: >> > From: Xu YiPing >> > >> > commit 7a4408c6bd3e ("binder: make su

Re: [PATCH] binder: fix memory corruption in binder_transaction binder

2017-09-11 Thread Todd Kjos
> On 11 September 2017 at 21:10, Todd Kjos wrote: >> (resend in plain-text mode -- sorry about that) >> >> Amit, >> >> Are you sure this patch is the culprit? That is pretty surprising >> since this change can only be hit in an uncommon case (the t

Re: [PATCH v7 1/3] binder: move structs from core file to header file

2020-08-04 Thread Todd Kjos
On Tue, Aug 4, 2020 at 6:59 AM Frankie Chang wrote: > > From: "Frankie.Chang" > > Moving all structs to header file makes module more > extendable, and makes all these structs defined > in the same file. > > Signed-off-by: Frankie.Chang Acked-by: To

Re: [PATCH v7 2/3] binder: add trace at free transaction.

2020-08-04 Thread Todd Kjos
nsaction > may be more close to it. > > Signed-off-by: Frankie.Chang Acked-by: Todd Kjos > --- > drivers/android/binder.c | 18 ++ > drivers/android/binder_trace.h | 29 + > 2 files changed, 47 insertions(+) > >

Re: [PATCH v7 3/3] binder: add transaction latency tracer

2020-08-04 Thread Todd Kjos
. > > - The reason why printing the related information to > kernel information log but not trace buffer is that > some abnormal transactions may be pending for a long > time, they could not be recorded due to buffer > limited. > > Signed-off-by: Frankie.Chang

[PATCH] binder: fix UAF when releasing todo list

2020-10-09 Thread Todd Kjos
g a deref on the node containing the binder_work element leading to the node being freed. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 35 ++- 1 file changed, 10 insertions(+), 25 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android

Re: [PATCH] binder: fix UAF when releasing todo list

2020-10-09 Thread Todd Kjos
On Fri, Oct 9, 2020 at 4:24 PM Todd Kjos wrote: > > When releasing a thread todo list when tearing down > a binder_proc, the following race was possible which > could result in a use-after-free: > > 1. Thread 1: enter binder_release_work from binder_thread_rele

Re: [PATCH v6 2/3] binder: add trace at free transaction.

2020-07-31 Thread Todd Kjos
On Mon, Jul 27, 2020 at 8:28 PM Frankie Chang wrote: > > From: "Frankie.Chang" > > Since the original trace_binder_transaction_received cannot > precisely present the real finished time of transaction, adding a > trace_binder_txn_latency_free at the point of free transaction > may be more close

Re: [PATCH v6 2/3] binder: add trace at free transaction.

2020-08-03 Thread Todd Kjos
On Sun, Aug 2, 2020 at 8:11 PM Frankie Chang wrote: > > On Fri, 2020-07-31 at 11:50 -0700, Todd Kjos wrote: > > On Mon, Jul 27, 2020 at 8:28 PM Frankie Chang > > wrote: > > > > > > From: "Frankie.Chang" > > > > > > Since the o

Re: [PATCH][next] binder: remove redundant assignment to pointer n

2020-09-10 Thread Todd Kjos
Coverity: ("Unused value") > Signed-off-by: Colin Ian King Acked-by: Todd Kjos > --- > drivers/android/binder_alloc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c > index 91

Re: [PATCH] driver: staging: count ashmem_range into SLAB_RECLAIMBLE

2020-12-21 Thread Todd Kjos
+Hridya Valsaraju +Suren Baghdasaryan On Thu, Dec 17, 2020 at 11:48 PM Huangzhaoyang wrote: > > From: Zhaoyang Huang > > Add SLAB_RECLAIM_ACCOUNT to ashmem_range cache since it has registered > shrinker, which makes memAvailable more precise. > > Signed-off-by: Zhaoyang H

[PATCH] binder: add flag to clear buffer on txn complete

2020-11-20 Thread Todd Kjos
Add a per-transaction flag to indicate that the buffer must be cleared when the transaction is complete to prevent copies of sensitive data from being preserved in memory. Signed-off-by: Todd Kjos --- drivers/android/binder.c| 1 + drivers/android/binder_alloc.c | 48

Re: [PATCH] binder: add flag to clear buffer on txn complete

2020-11-21 Thread Todd Kjos
On Fri, Nov 20, 2020 at 11:14 PM Greg KH wrote: > > On Fri, Nov 20, 2020 at 03:37:43PM -0800, Todd Kjos wrote: > > Add a per-transaction flag to indicate that the buffer > > must be cleared when the transaction is complete to > > prevent copies of sensitive data from being

Re: [PATCH] binder: fix possible UAF when freeing buffer

2019-06-13 Thread Todd Kjos
On Wed, Jun 12, 2019 at 10:41 PM Greg KH wrote: > > On Wed, Jun 12, 2019 at 01:29:27PM -0700, Todd Kjos wrote: > > There is a race between the binder driver cleaning > > up a completed transaction via binder_free_transaction() > > and a user calling binder_ioctl(BC_FRE

Re: [PATCH v2] ANDROID: binder: print warnings when detecting oneway spamming.

2020-08-20 Thread Todd Kjos
ne > process is responsible for either more than 50 transactions, or more > than 50% of the oneway space. > > Signed-off-by: Martijn Coenen A few minor comment issues below. When resolved: Acked-by: Todd Kjos > --- > v2: fixed call-site in binder_alloc_selftest > > drivers/android

Re: [PATCH v3] binder: print warnings when detecting oneway spamming.

2020-08-21 Thread Todd Kjos
ne > process is responsible for either more than 50 transactions, or more > than 50% of the oneway space. > > Signed-off-by: Martijn Coenen Acked-by: Todd Kjos > --- > v2: fixed call-site in binder_alloc_selftest > > v3: include size of struct binder_buffer in calc

Re: WARNING in binder_transaction_buffer_release (2)

2020-08-06 Thread Todd Kjos
On Thu, Aug 6, 2020 at 9:09 AM Jann Horn wrote: > > On Thu, Aug 6, 2020 at 1:19 PM syzbot > wrote: > > syzbot suspects this issue was fixed by commit: > > > > commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc > > Author: Jann Horn > > Date: Mon Jul 27 12:04:24 2020 + > > > > binder:

Re: [PATCH] binder: Remove bogus warning on failed same-process transaction

2020-08-06 Thread Todd Kjos
> just remove it. > > Fixes: 44d8047f1d87 ("binder: use standard functions to allocate fds") > Reported-by: syzbot+e113a0b970b7b3f39...@syzkaller.appspotmail.com > Signed-off-by: Jann Horn Acked-by: Todd Kjos > --- > drivers/android/binder.c | 2 -- > 1 file changed, 2 del

Re: [PATCH] binder: prevent transactions to context manager from its own process.

2019-07-15 Thread Todd Kjos
e binder device again and uses the new fd to send > a transaction to the context manager. > > Reported-by: syzbot+8b3c354d33c4ac78b...@syzkaller.appspotmail.com > Signed-off-by: Hridya Valsaraju Acked-by: Todd Kjos > --- > drivers/android/binder.c | 2 +- > 1 file changed, 1

Re: WARNING in binder_transaction_buffer_release

2019-07-17 Thread Todd Kjos
+Hridya Valsaraju Fix posted: https://lkml.kernel.org/lkml/20190715191804.112933-1-hri...@google.com/ On Wed, Jun 12, 2019 at 1:14 PM Todd Kjos wrote: > > On Wed, Jun 12, 2019 at 12:23 PM Eric Biggers wrote: > > > > On Mon, May 20, 2019 at 07:18:06AM -0700, syzbot

Re: [PATCH] binder: use lockless list for deferred_work

2018-01-22 Thread Todd Kjos
Vitaly, can you say more about the behavior you observed that led you to make this change? It is not obvious what workload would cause the contention on this mutex to make a difference (at least in an Android environment). On Mon, Jan 22, 2018 at 7:44 AM, Greg Kroah-Hartman wrote: > On Mon, Jan

Re: [PATCH v3] android: binder: use VM_ALLOC to get vm area

2018-01-22 Thread Todd Kjos
On Mon, Jan 22, 2018 at 7:54 AM, Greg KH wrote: > On Wed, Jan 10, 2018 at 10:49:05AM +0800, Ganesh Mahendran wrote: >> VM_IOREMAP is used to access hardware through a mechanism called >> I/O mapped memory. Android binder is an IPC mechanism which will >> not access I/O memory. >> >> And VM_IOREMAP

Re: [PATCH] binder: check for binder_thread allocation failure in binder_poll()

2018-01-31 Thread Todd Kjos
Looks good to me. On Tue, Jan 30, 2018 at 11:11 PM, Eric Biggers wrote: > From: Eric Biggers > > If the kzalloc() in binder_get_thread() fails, binder_poll() > dereferences the resulting NULL pointer. > > Fix it by returning POLLERR if the memory allocation failed. > > This bug was found by

[PATCH v2] binder: fix proc->files use-after-free

2017-11-16 Thread Todd Kjos
files is removed since we get it every time. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 63 +++- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index fddf76ef5bd

Re: [PATCH] binder: fix proc->files use-after-free

2017-11-16 Thread Todd Kjos
> @@ -875,22 +871,34 @@ static void binder_free_thread(struct binder_thread > *thread); > static void binder_free_proc(struct binder_proc *proc); > static void binder_inc_node_tmpref_ilocked(struct binder_node *node); > > +struct files_struct *binder_get_files_struct(struct binder_proc *proc)
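Review bot: the newly added `+struct files_struct *binder_get_files_struct(struct binder_proc *proc)` in the `@@ -875,22 +871,34 @@` hunk carries no kerneldoc comment, and since this patch is fixing a proc->files use-after-free, the reference and locking contract of the returned files_struct (whether the caller receives a counted reference it must drop, and which lock must be held while calling) should be documented right above the declaration so future callers do not reintroduce the same lifetime bug.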

Re: [PATCH v2] binder: fix proc->files use-after-free

2017-11-16 Thread Todd Kjos
Sorry about that, do you want a v3 with correct annotations? On Thu, Nov 16, 2017 at 12:27 PM, Greg KH wrote: > On Thu, Nov 16, 2017 at 09:56:50AM -0800, Todd Kjos wrote: >> proc->files cleanup is initiated by binder_vma_close. Therefore >> a reference on the binder_proc is not

[PATCH] ANDROID: binder: remove WARN() for redundant txn error

2018-02-07 Thread Todd Kjos
chronous transaction to complete. If it ever does check, it will see an error. Changed the WARN() to a pr_warn(). Signed-off-by: Todd Kjos Reported-by: syzbot --- drivers/android/binder.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder

[PATCH] binder: replace "%p" with "%pK"

2018-02-07 Thread Todd Kjos
The format specifier "%p" can leak kernel addresses. Use "%pK" instead. There were 4 remaining cases in binder.c. Signed-off-by: Todd Kjos --- drivers/android/binder.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/android/binder.c b/driv

Re: [PATCH 3/4] binder: Make transaction_log available in binderfs

2019-08-28 Thread Todd Kjos
is change provides an alternate option to access these files when > > debugfs is not mounted. > > > > Signed-off-by: Hridya Valsaraju > > Acked-by: Christian Brauner Acked-by: Todd Kjos > > > --- > > drivers/android/binder.c |

Re: [PATCH 4/4] binder: Add binder_proc logging to binderfs

2019-08-28 Thread Todd Kjos
les per-process without doing it in binder_open() but it has worked > fine for a long time with debugfs. > > Also, one minor question below. Otherwise > > Acked-by: Christian Brauner Acked-by: Todd Kjos > > > --- > > drivers/android/binder.c |
