[PATCH] android: binder: Disable preemption while holding the global binder lock

2016-09-08 Thread Todd Kjos
<riandr...@google.com> Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 194 +++ 1 file changed, 146 insertions(+), 48 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 16288e7..c3

Re: [PATCH] android: binder: Disable preemption while holding the global binder lock

2016-09-08 Thread Todd Kjos
This was introduced in the 2015 Nexus devices and should have been submitted to the kernel then since we keep forward porting it to each new device. On Thu, Sep 8, 2016 at 9:12 AM, Todd Kjos <tk...@google.com> wrote: > In Android systems, the display pipeline relies on low > la

[PATCH] android: binder: Disable preemption while holding the global binder lock

2016-09-09 Thread Todd Kjos
From: Todd Kjos <tk...@android.com> In Android systems, the display pipeline relies on low latency binder transactions and is therefore sensitive to delays caused by contention for the global binder lock. Jank is significantly reduced by disabling preemption while the global binder lock i

Re: [PATCH] android: binder: Disable preemption while holding the global binder lock

2016-09-09 Thread Todd Kjos
On Fri, Sep 9, 2016 at 8:44 AM, Greg KH <gre...@linuxfoundation.org> wrote: > On Fri, Sep 09, 2016 at 08:17:44AM -0700, Todd Kjos wrote: >> From: Todd Kjos <tk...@android.com> >> >> In Android systems, the display pipeline relies on low >> latency binder

Re: [PATCH] android: binder: Disable preemption while holding the global binder lock

2016-09-12 Thread Todd Kjos
> > On Sat, Sep 10, 2016 at 09:16:59AM -0700, Christoph Hellwig wrote: >> > > On Thu, Sep 08, 2016 at 09:12:50AM -0700, Todd Kjos wrote: >> > > > In Android systems, the display pipeline relies on low >> > > > latency binder transactions and is therefore

Re: [PATCH] android: binder: Disable preemption while holding the global binder lock

2016-09-16 Thread Todd Kjos
Thanks Peter. We'll give that patch a try as part of our refactoring. Looking at finer-grained locking and we'll try going back to rt_mutex plus this patch. On Wed, Sep 14, 2016 at 9:55 AM, Peter Zijlstra wrote: > On Wed, Sep 14, 2016 at 06:13:40PM +0200, Peter Zijlstra

Re: [PATCH 02/37] binder: use group leader instead of open thread

2017-07-07 Thread Todd Kjos
I suspect there won't be a respin. I'll ping you later if you don't remember it yourself ;) On Wed, Jul 5, 2017 at 11:47 AM, Greg KH <gre...@linuxfoundation.org> wrote: > On Wed, Jul 05, 2017 at 09:13:16AM -0700, Todd Kjos wrote: >> Yes, this one back to 4.4. 01/37 should

[PATCH 07/37] binder: move binder_alloc to separate file

2017-06-29 Thread Todd Kjos
Move the binder allocator functionality to its own file Continuation of splitting the binder allocator from the binder driver. Split binder_alloc functions from normal binder functions. Add kernel doc comments to functions declared extern in binder_alloc.h Signed-off-by: Todd Kjos <

[PATCH 36/37] binder: fix death race conditions

2017-06-29 Thread Todd Kjos
From: Martijn Coenen A race existed where one thread could register a death notification for a node, while another thread was cleaning up that node and sending out death notifications for its references, causing simultaneous access to ref->death because different locks were

[PATCH 13/37] binder: refactor queue management in binder_thread_read

2017-06-29 Thread Todd Kjos
atomically in 1 pass so it stays consistent with the kernel view. The work item is now dequeued immediately since only 1 pass is needed. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 151 +-- 1 file changed, 94 insertions(

[PATCH 10/37] binder: change binder_stats to atomics

2017-06-29 Thread Todd Kjos
From: Badhri Jagan Sridharan <bad...@google.com> Use atomics for stats to avoid needing to lock for increments/decrements Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 48 1 file changed, 28 inser

[PATCH 33/37] binder: use inner lock to protect thread accounting

2017-06-29 Thread Todd Kjos
Use the inner lock to protect thread accounting fields in proc structure: max_threads, requested_threads, requested_threads_started and ready_threads. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 28 +++- 1 file changed, 23 insertions

[PATCH 35/37] binder: protect against stale pointers in print_binder_transaction

2017-06-29 Thread Todd Kjos
lock. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 60 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index f07f0d488aa4..36ef88d10631

[PATCH 34/37] binder: protect binder_ref with outer lock

2017-06-29 Thread Todd Kjos
off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 133 +-- 1 file changed, 83 insertions(+), 50 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 704540ea3e12..f07f0d488aa4 100644 --- a/drivers/android

[PATCH 29/37] binder: add spinlock to protect binder_node

2017-06-29 Thread Todd Kjos
node->node_lock is used to protect elements of node. No need to acquire for fields that are invariant: debug_id, ptr, cookie. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 220 +++ 1 file changed, 165 insertio

[PATCH 31/37] binder: protect proc->threads with inner_lock

2017-06-29 Thread Todd Kjos
proc->threads will need to be accessed with higher locks of other processes held so use proc->inner_lock to protect it. proc->tmp_ref now needs to be protected by proc->inner_lock. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/and

[PATCH 32/37] binder: protect transaction_stack with inner lock.

2017-06-29 Thread Todd Kjos
From: Martijn Coenen This makes future changes to priority inheritance easier, since we want to be able to look at a thread's transaction stack when selecting a thread to inherit priority for. It also allows us to take just a single lock in a few paths, where we used to take

[PATCH 24/37] binder: refactor binder ref inc/dec for thread safety

2017-06-29 Thread Todd Kjos
now have: ret = binder_dec_ref_for_handle(proc, handle, strong, ); Since the actual ref is no longer exposed to callers, a new struct binder_ref_data is introduced which can be used to return a copy of ref state. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/bi

[PATCH 28/37] binder: add spinlocks to protect todo lists

2017-06-29 Thread Todd Kjos
ced in a later patch. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 355 +++ 1 file changed, 269 insertions(+), 86 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 6c741416fa00..5a03897678

[PATCH 37/37] binder: remove global binder lock

2017-06-29 Thread Todd Kjos
Remove global mutex and rely on fine-grained locking Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 46 +++--- 1 file changed, 3 insertions(+), 43 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/bi

[PATCH 18/37] binder: add more debug info when allocation fails.

2017-06-29 Thread Todd Kjos
From: Martijn Coenen Display information about allocated/free space whenever binder buffer allocation fails on synchronous transactions. Signed-off-by: Martijn Coenen Signed-off-by: Siqi Lin --- drivers/android/binder_alloc.c | 31

[PATCH 25/37] binder: use node->tmp_refs to ensure node safety

2017-06-29 Thread Todd Kjos
When obtaining a node via binder_get_node(), binder_get_node_from_ref() or binder_new_node(), increment node->tmp_refs to take a temporary reference on the node to ensure the node persists while being used. binder_put_node() must be called to remove the temporary reference. Signed-off-by: T

[PATCH 15/37] binder: don't modify thread->looper from other threads

2017-06-29 Thread Todd Kjos
to modify a bit, the BINDER_LOOPER_STATE_NEED_RETURN flag is replaced by a separate field in struct binder_thread. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 22 +++--- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/a

[PATCH 20/37] binder: refactor binder_pop_transaction

2017-06-29 Thread Todd Kjos
-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 30 +++--- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index cb78a4e6872d..d2fcf3cc29a6 100644 --- a/drivers/android/binder.c

[PATCH 00/37] fine-grained locking in binder driver

2017-06-29 Thread Todd Kjos
The binder driver uses a global mutex to serialize access to state in a multi-threaded environment. This global lock has been increasingly problematic as Android devices have scaled to more cores. The problem is not so much contention for the global lock which still remains relatively low, but the

[PATCH 23/37] binder: make sure accesses to proc/thread are safe

2017-06-29 Thread Todd Kjos
roc if it has no remaining threads and no reference. A spinlock is added to the binder_transaction to safely access and set references for t->from and for debug code to safely access t->to_thread and t->to_proc. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/andr

[PATCH 27/37] binder: use inner lock to sync work dq and node counts

2017-06-29 Thread Todd Kjos
ock. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 249 +-- 1 file changed, 198 insertions(+), 51 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 91fece5c067f..6c741416fa

[PATCH 30/37] binder: protect proc->nodes with inner lock

2017-06-29 Thread Todd Kjos
When locks for binder_ref handling are added, proc->nodes will need to be modified while holding the outer lock Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 112 +-- 1 file changed, 89 insertions(+), 23 deletions

[PATCH 26/37] binder: introduce locking helper functions

2017-06-29 Thread Todd Kjos
the suffix of the function name: foo_olocked() : requires node->outer_lock foo_nlocked() : requires node->lock foo_ilocked() : requires proc->inner_lock foo_iolocked(): requires proc->outer_lock and proc->inner_lock foo_nilocked(): requires node->lock and proc->inner_

[PATCH 22/37] binder: make sure target_node has strong ref

2017-06-29 Thread Todd Kjos
When initiating a transaction, the target_node must have a strong ref on it. Then we take a second strong ref to make sure the node survives until the transaction is complete. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 22 +- 1 file chang

[PATCH 19/37] binder: use atomic for transaction_log index

2017-06-29 Thread Todd Kjos
by using "% ARRAY_SIZE(log->entry)" Also added "complete" field to the log entry which is written last to tell the print code whether the entry is complete Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 75 +

[PATCH 05/37] binder: remove unneeded cleanup code

2017-06-29 Thread Todd Kjos
The buffer's transaction has already been freed before binder_deferred_release. No need to do it again. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 11 ++- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/drivers/android/binder.c b/d

[PATCH 02/37] binder: use group leader instead of open thread

2017-06-29 Thread Todd Kjos
The binder allocator assumes that the thread that called binder_open will never die for the lifetime of that proc. That thread is normally the group_leader, however it may not be. Use the group_leader instead of current. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/bi

[PATCH 11/37] binder: make binder_last_id an atomic

2017-06-29 Thread Todd Kjos
Use an atomic for binder_last_id to avoid locking it Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index cd4191d027e1..25f30d81c7d0

[PATCH 06/37] binder: separate out binder_alloc functions

2017-06-29 Thread Todd Kjos
Continuation of splitting the binder allocator from the binder driver. Separate binder_alloc functions from normal binder functions. Protect the allocator with a separate mutex. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c

[PATCH 12/37] binder: add log information for binder transaction failures

2017-06-29 Thread Todd Kjos
where error detected Also, return BR_DEAD_REPLY if an allocation error indicates a dead proc (-ESRCH) Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 87 +- drivers/android/binder_alloc.c | 20 +- 2 files chang

[PATCH 09/37] binder: add protection for non-perf cases

2017-06-29 Thread Todd Kjos
Add binder_dead_nodes_lock, binder_procs_lock, and binder_context_mgr_node_lock to protect the associated global lists Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 81 +--- 1 file changed, 63 insertions(+), 18 del

[PATCH 04/37] binder: separate binder allocator structure from binder proc

2017-06-29 Thread Todd Kjos
The binder allocator is logically separate from the rest of the binder drivers. Separating the data structures to prepare for splitting into separate file with separate locking. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c

[PATCH 03/37] binder: Use wake up hint for synchronous transactions.

2017-06-29 Thread Todd Kjos
From: Riley Andrews <riandr...@google.com> Use wake_up_interruptible_sync() to hint to the scheduler binder transactions are synchronous wakeups. Disable preemption while waking to avoid ping-ponging on the binder lock. Signed-off-by: Todd Kjos <tk...@google.com> Signed-off-by: Ompr

[PATCH 01/37] Revert "android: binder: Sanity check at binder ioctl"

2017-06-29 Thread Todd Kjos
This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 5 - 1 file changed, 5 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index aae4d8d4be36..157bd3e49ff4 100644 --- a/d

[PATCH 21/37] binder: guarantee txn complete / errors delivered in-order

2017-06-29 Thread Todd Kjos
work list for errors to guarantee order. Also changed binder_send_failed_reply to pop the transaction even if it failed to send a reply. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 127 +++ 1 file changed, 73 insertions(

[PATCH 16/37] binder: remove dead code in binder_get_ref_for_node

2017-06-29 Thread Todd Kjos
node is always non-NULL in binder_get_ref_for_node so the conditional and else clause are not needed Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 16 +--- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/drivers/android/binder.c b/d

[PATCH 08/37] binder: remove binder_debug_no_lock mechanism

2017-06-29 Thread Todd Kjos
. Removing it. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 31 --- 1 file changed, 8 insertions(+), 23 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 0512971cfc53..10fda7ab9fa5 100644 --- a/drivers/a

[PATCH 17/37] binder: protect against two threads freeing buffer

2017-06-29 Thread Todd Kjos
Adds protection against malicious user code freeing the same buffer at the same time which could cause a crash. Cannot happen under normal use. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 4 ++-- drivers/android/binder_alloc.

[PATCH 14/37] binder: avoid race conditions when enqueuing txn

2017-06-29 Thread Todd Kjos
ed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index f17d1dfa5b02..71faf548482d 100644 --- a/drivers/android/binder.c +++ b/drivers/andr

[PATCH 01/37] Revert "android: binder: Sanity check at binder ioctl"

2017-07-05 Thread Todd Kjos
This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 5 - 1 file changed, 5 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index aae4d8d4be36..157bd3e49ff4 100644 --- a/d

[PATCH v2 01/37] Revert "android: binder: Sanity check at binder ioctl"

2017-07-05 Thread Todd Kjos
e original patch should be reverted. The reversion is being done as part of the fine-grained locking patchset since the patch would need to be refactored when proc->vmm_vm_mm is removed from struct binder_proc and added in the binder allocator. Also needs reversion in 4.9 LTS Signed-off-by:

[PATCH] binder: fix incorrect cmd to binder_stat_br

2017-08-08 Thread Todd Kjos
n initialized. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 9f95d7093f32..f34fcb513c64 100644 --- a/drivers/android/binder.c +++ b/drive

Re: [PATCH v3 3/6] android: binder: Move buffer out of area shared with user space

2017-08-30 Thread Todd Kjos
I just went back through it -- turns out my email bounced back from linux-kernel@vger.kernel.org (reason was "may contain a virus"). Sorry I didn't notice that and resend. On Wed, Aug 30, 2017 at 1:20 PM, Dan Carpenter wrote: > On Wed, Aug 30, 2017 at 01:04:31PM -0700,

Re: [PATCH] binder: fix memory corruption in binder_transaction binder

2017-09-11 Thread Todd Kjos
with no issues (used hikey-linaro 4.9 kernel which has this patch). -Todd > On Mon, Sep 11, 2017 at 5:18 AM, Amit Pundir <amit.pun...@linaro.org> wrote: >> >> On 5 September 2017 at 22:51, Todd Kjos <tk...@android.com> wrote: >> > From: Xu YiPing <xuyip...@hisil

[PATCH] binder: fix an ret value override

2017-09-05 Thread Todd Kjos
From: Xu YiPing <xuyip...@hisilicon.com> commit 372e3147df70 ("binder: guarantee txn complete / errors delivered in-order") incorrectly defined a local ret value. This ret value will be invalid when out of the if block Signed-off-by: Xu YiPing <xuyip...@hislicon.com> Si

[PATCH] binder: fix memory corruption in binder_transaction binder

2017-09-05 Thread Todd Kjos
d, without dequeued. It may cause the thread->todo list to be corrupted. So, dequeue it before freeing. Signed-off-by: Xu YiPing <xuyip...@hisilicon.com> Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/

Re: [PATCH] binder: fix memory corruption in binder_transaction binder

2017-09-11 Thread Todd Kjos
org> wrote: > Hi Todd, > > On 11 September 2017 at 21:10, Todd Kjos <tk...@google.com> wrote: >> (resend in plain-text mode -- sorry about that) >> >> Amit, >> >> Are you sure this patch is the culprit? That is pretty surprising >> since this c

[PATCH] binder: fix use-after-free in binder_transaction()

2017-09-29 Thread Todd Kjos
is used that does the ref increments on both the node and proc. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 93 ++-- 1 file changed, 66 insertions(+), 27 deletions(-) diff --git a/drivers/android/binder.c b/drivers/a

[PATCH] binder: fix proc->files use-after-free

2017-11-14 Thread Todd Kjos
files is removed since we get it every time. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 63 +++- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c inde

[PATCH v3] binder: fix proc->files use-after-free

2017-11-27 Thread Todd Kjos
prior to proc->files cleanup. This has been seen once in task_get_unused_fd_flags() when __alloc_fd() is called with a stale "files". The fix is to protect proc->files with a mutex to prevent cleanup while in use. Signed-off-by: Todd Kjos <tk...@google.com> --- v2: declare binde

Re: [PATCH v2] binder: fix proc->files use-after-free

2017-11-20 Thread Todd Kjos
Al, thanks for the detailed feedback. I didn't know about these rules (are they written down somewhere?). I'll rework this and post a compliant v3. On Fri, Nov 17, 2017 at 11:31 AM, Al Viro <v...@zeniv.linux.org.uk> wrote: > On Thu, Nov 16, 2017 at 09:56:50AM -0800, Todd Kjos wrote: >

Re: [PATCH] binder: fix proc->files use-after-free

2017-11-16 Thread Todd Kjos
> @@ -875,22 +871,34 @@ static void binder_free_thread(struct binder_thread > *thread); > static void binder_free_proc(struct binder_proc *proc); > static void binder_inc_node_tmpref_ilocked(struct binder_node *node); > > +struct files_struct *binder_get_files_struct(struct binder_proc *proc)
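Review bot: the new binder_get_files_struct() helper is introduced with no comment stating which lock it takes and whether the returned files_struct carries a reference that the caller must drop; for a patch whose purpose is fixing a proc->files use-after-free, that ownership contract is the substance of the change, so a short kernel-doc block above the definition (lock held, return value, the matching put the caller owes) would make the hunk reviewable and keep the lifetime rule explicit for later callers.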

[PATCH v2] binder: fix proc->files use-after-free

2017-11-16 Thread Todd Kjos
files is removed since we get it every time. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 63 +++- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c inde

Re: [PATCH v2] binder: fix proc->files use-after-free

2017-11-16 Thread Todd Kjos
Sorry about that, do you want a v3 with correct annotations? On Thu, Nov 16, 2017 at 12:27 PM, Greg KH <gre...@linuxfoundation.org> wrote: > On Thu, Nov 16, 2017 at 09:56:50AM -0800, Todd Kjos wrote: >> proc->files cleanup is initiated by binder_vma_close. Theref

Re: [PATCH 1/2] sched: force update of blocked load of idle cpus

2017-11-09 Thread Todd Kjos
> @@ -8683,6 +8692,10 @@ static void nohz_balancer_kick(void) > > if (test_and_set_bit(NOHZ_BALANCE_KICK, nohz_flags(ilb_cpu))) > return; > + > + if (only_update) > + set_bit(NOHZ_STATS_KICK, nohz_flags(ilb_cpu)); Should there be an "else
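Review bot: the early return on test_and_set_bit(NOHZ_BALANCE_KICK, nohz_flags(ilb_cpu)) sits before the new only_update check, so when a balance kick is already pending a stats-only request never sets NOHZ_STATS_KICK, and nothing visible in the hunk clears NOHZ_STATS_KICK when a later full kick arrives with only_update false, which is the "else" question raised in the reply above. Consider handling only_update before the early return, or adding an else branch that clears NOHZ_STATS_KICK so that a full balance request is not downgraded to a stats-only update by a stale flag.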

Re: [PATCH v3] binder: fix proc->files use-after-free

2017-12-11 Thread Todd Kjos
Greg- when this is in, we'll want it in 4.14 as well. On Mon, Nov 27, 2017 at 9:32 AM, Todd Kjos <tk...@android.com> wrote: > proc->files cleanup is initiated by binder_vma_close. Therefore > a reference on the binder_proc is not enough to prevent the > files_struct from be

Re: [PATCH] ANDROID: binder: correct the cmd print for BINDER_WORK_RETURN_ERROR

2018-05-09 Thread Todd Kjos
On Wed, May 9, 2018 at 12:31 AM 宋金时 wrote: > In case of the BINDER_WORK_RETURN_ERROR the cmd is no assignment, > so its value will be old value or dirty value, before modifying > e->cmd, assign the value of the e->cmd to cmd to ensure the correct > print of

Re: [PATCH] binder: check for binder_thread allocation failure in binder_poll()

2018-01-31 Thread Todd Kjos
Looks good to me. On Tue, Jan 30, 2018 at 11:11 PM, Eric Biggers wrote: > From: Eric Biggers > > If the kzalloc() in binder_get_thread() fails, binder_poll() > dereferences the resulting NULL pointer. > > Fix it by returning POLLERR if the memory

[PATCH] ANDROID: binder: remove WARN() for redundant txn error

2018-02-07 Thread Todd Kjos
chronous transaction to complete. If it ever does check, it will see an error. Changed the WARN() to a pr_warn(). Signed-off-by: Todd Kjos <tk...@android.com> Reported-by: syzbot <syzkal...@googlegroups.com> --- drivers/android/binder.c | 10 -- 1 file changed, 8 insertion

[PATCH] binder: replace "%p" with "%pK"

2018-02-07 Thread Todd Kjos
The format specifier "%p" can leak kernel addresses. Use "%pK" instead. There were 4 remaining cases in binder.c. Signed-off-by: Todd Kjos <tk...@google.com> --- drivers/android/binder.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/

Re: KASAN: use-after-free Read in remove_wait_queue

2018-02-12 Thread Todd Kjos
On Mon, Feb 12, 2018 at 7:57 AM, Dmitry Vyukov wrote: > > On Mon, Feb 12, 2018 at 4:54 PM, syzbot > wrote: > > Hello, > > > > syzbot hit the following crash on upstream commit > > f1517df8701c9f12dae9ce7f43a5d300a6917619

[RFC] vruntime updated incorrectly when rt_mutex boots prio?

2018-08-07 Thread Todd Kjos
This issue was discovered on a 4.9-based android device, but the relevant mainline code appears to be the same. The symptom is that over time some workloads become sluggish resulting in missed frames or sluggishness. It appears to be the same issue described in

[PATCH] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- drivers/android/Kconfig| 2

[PATCH] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- v2: use "%zu" printk format

Re: [PATCH v2] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
Sorry, forgot to bump the version. Ignore this one. On Tue, Aug 28, 2018 at 1:43 PM Todd Kjos wrote: > > Binder uses internal fs interfaces to allocate and install fds: > > __alloc_fd > __fd_install > __close_fd > get_files_struct > put_files_struct > > These we

[PATCH v2] binder: use standard functions to allocate fds

2018-08-28 Thread Todd Kjos
allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos --- v2: use "%zu" printk format

Re: [PATCH] binder: use standard functions to allocate fds

2018-08-30 Thread Todd Kjos
On Wed, Aug 29, 2018 at 12:00 AM Christoph Hellwig wrote: > > > config ANDROID_BINDER_IPC > > bool "Android Binder IPC Driver" > > - depends on MMU > > + depends on MMU && !CPU_CACHE_VIVT > > That is a purely arm specific symbol which should not be > used in common code.

Re: [PATCH] binder: use lockless list for deferred_work

2018-01-22 Thread Todd Kjos
Vitaly, can you say more about the behavior you observed that led you to make this change? It is not obvious what workload would cause the contention on this mutex to make a difference (at least in an Android environment). On Mon, Jan 22, 2018 at 7:44 AM, Greg Kroah-Hartman

Re: [PATCH v3] android: binder: use VM_ALLOC to get vm area

2018-01-22 Thread Todd Kjos
On Mon, Jan 22, 2018 at 7:54 AM, Greg KH wrote: > On Wed, Jan 10, 2018 at 10:49:05AM +0800, Ganesh Mahendran wrote: >> VM_IOREMAP is used to access hardware through a mechanism called >> I/O mapped memory. Android binder is an IPC mechanism which will >> not access I/O

Re: [PATCH v2 2/4] ARM: amba: Fix race condition with driver_override

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos <tk...@android.com> On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven <geert+rene...@glider.be> wrote: > The driver_override implementation is susceptible to a race condition > when different threads are reading vs storing a different driver > o

Re: [PATCH v2 3/4] ARM: amba: Don't read past the end of sysfs "driver_override" buffer

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos <tk...@android.com> On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven <geert+rene...@glider.be> wrote: > When printing the driver_override parameter when it is 4095 and 4094 > bytes long, the printing code would access invalid memory because we >

Re: [PATCH v2 1/4] ARM: amba: Make driver_override output consistent with other buses

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos <tk...@google.com> On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven <geert+rene...@glider.be> wrote: > For AMBA devices with unconfigured driver override, the > "driver_override" sysfs virtual file is empty, while it contains > "

Re: [PATCH v2 4/4] ARM: amba: Fix wrong indentation in driver_override_store()

2018-04-25 Thread Todd Kjos
Reviewed-by: Todd Kjos <tk...@android.com> On Tue, Apr 10, 2018 at 6:21 AM, Geert Uytterhoeven <geert+rene...@glider.be> wrote: > Indentation is one TAB and 7 spaces instead of 2 TABs. > > Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device bindin

Re: [PATCH 2/4] ARM: amba: Fix race condition with driver_override

2018-03-02 Thread Todd Kjos
+stable what is the status of this patch? We'd like to get it into the android common branches to fix possible double free. On Fri, Jan 19, 2018 at 7:24 AM, Geert Uytterhoeven wrote: > The driver_override implementation is susceptible to a race condition > when

Re: [PATCH v2] staging: android: ashmem: Fix lockdep issue during llseek

2018-02-26 Thread Todd Kjos
p_sem (try to acquire) >>> >>> There is a lock ordering created between mmap_sem and inode->i_rwsem >>> causing a lockdep splat [2] during a syzcaller test, this patch fixes >>> the issue by unlocking the mutex earlier. Functionally that's Ok since >>

Re: [PATCH v2] ANDROID: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl.

2018-10-17 Thread Todd Kjos
On Fri, Sep 7, 2018 at 6:38 AM Martijn Coenen wrote: > > This allows the context manager to retrieve information about nodes > that it holds a reference to, such as the current number of > references to those nodes. > > Such information can for example be used to determine whether the >

Re: [PATCH] binder: ipc namespace support for android binder

2018-10-29 Thread Todd Kjos
+christ...@brauner.io On Sun, Oct 28, 2018 at 7:29 PM chouryzhou(周威) wrote: ... > > > It's not obvious from this patch where this dependency comes > > from...why is SYSVIPC required? I'd like to not have to require IPC_NS > > either for devices. > > Yes, the patch is not highly dependent on

Re: [PATCH] binder: ipc namespace support for android binder

2018-10-26 Thread Todd Kjos
On Fri, Oct 26, 2018 at 2:20 AM chouryzhou(周威) wrote: > > Hi > We are working for running android in container, but we found that binder is > not isolated by ipc namespace. Since binder is a form of IPC and therefore > should > be tied to ipc namespace. With this patch, we can run more than

[PATCH] binder: fix race that allows malicious free of live buffer

2018-11-06 Thread Todd Kjos
was that when the struct buffer was recycled, allow_user_free was stale and set to 1 allowing a free to go through. Signed-off-by: Todd Kjos Acked-by: Arve Hjønnevåg --- drivers/android/binder.c | 21 - drivers/android/binder_alloc.c | 16 ++-- drivers/android

[PATCH] binder: fix sparse warnings on locking context

2018-11-06 Thread Todd Kjos
Add __acquire()/__release() annotations to fix warnings in sparse context checking There is one case where the warning was due to a lack of a "default:" case in a switch statement where a lock was being released in each of the cases, so the default case was added. Signed-off-by:

Re: Re: [PATCH V3] binder: ipc namespace support for android binder(Internet mail)

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 8:43 PM chouryzhou(周威) wrote: > > If IPC_NS is disabled, "current-nsporxy->ipc_ns" will also exists, it will > be a static > reference of "init_ipc_ns" (in ipc/msgutil.c, not defined in binder.c by me) > with > no namespace-ization. You will get the same one in all

Re: Re: [PATCH V3] binder: ipc namespace support for android binder

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 7:09 PM chouryzhou(周威) wrote: > > > > > I still don't understand the dependencies on SYSVIPC or POSIX_MQUEUE. > > It seems like this mechanism would work even if both are disabled -- > > as long as IPC_NS is enabled. Seems cleaner to change init/Kconfig and > > allow IPC_NS

Re: Re: [PATCH V3] binder: ipc namespace support for android binder(Internet mail)

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 9:43 PM chouryzhou(周威) wrote: > > > > > > > If IPC_NS is disabled, "current->nsproxy->ipc_ns" will also exists, it > > > will be a static > > > reference of "init_ipc_ns" (in ipc/msgutil.c, not defined in binder.c by > > > me) with > > > no namespace-ization. You will get

Re: [PATCH V4] binder: ipc namespace support for android binder

2018-11-13 Thread Todd Kjos
On Tue, Nov 13, 2018 at 12:12 AM chouryzhou(周威) wrote: > > > I have not received an answer to my questions in the last version of this > > patch > > set. Also it would be good if I could be Cc'ed by default. I can't hunt > > down all > > patches. > > I do not know of any kernel entity,

Re: [PATCH] binder: fix race that allows malicious free of live buffer

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 4:32 AM Greg KH wrote: > > On Tue, Nov 06, 2018 at 03:55:32PM -0800, Todd Kjos wrote: > > Malicious code can attempt to free buffers using the > > BC_FREE_BUFFER ioctl to binder. There are protections > > against a user freeing a buffer while
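The patch entry "binder: fix race that allows malicious free of live buffer" above, and this reply quoting its description, both describe the same defect class: a pooled object is recycled for a new, still in-flight transaction while its allow_user_free flag is still set to 1 from the previous user, so a BC_FREE_BUFFER from userspace is honoured against a live buffer. The following C program is an added illustration of that pattern and is not binder's code: the fixed-size pool, the toy_buffer/toy_pool types, the txn_id field and the deliver_to_user()/user_free() helpers are all invented here to model the flow, and only the allow_user_free name is taken from the patch text. The same scenario is run twice, once with the flag left stale on reuse and once with it cleared on allocation, so the difference in outcome is visible.

```c
/* Added illustration of the "stale allow_user_free on a recycled buffer"
 * bug class. Not binder's code: the pool, the txn_id field and the
 * deliver/free helpers are invented for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

struct toy_buffer {
    bool in_use;           /* slot currently backs a live transaction */
    bool allow_user_free;  /* userspace may release it via a free command */
    int  txn_id;           /* owning transaction, 0 when free (invented) */
};

struct toy_pool {
    struct toy_buffer bufs[POOL_SIZE];
};

static void pool_init(struct toy_pool *p)
{
    memset(p, 0, sizeof(*p));
}

/* Hand out the first free slot. clear_on_alloc selects the fixed path
 * (flag reset until the transaction is delivered) or the buggy path
 * (flag inherited from whoever used the slot last). */
static struct toy_buffer *alloc_buffer(struct toy_pool *p, int txn_id,
                                       bool clear_on_alloc)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        struct toy_buffer *b = &p->bufs[i];
        if (!b->in_use) {
            b->in_use = true;
            b->txn_id = txn_id;
            if (clear_on_alloc)
                b->allow_user_free = false;
            return b;
        }
    }
    return NULL;
}

/* The transaction is complete and handed to the receiving process;
 * only from this point on should userspace be allowed to free it. */
static void deliver_to_user(struct toy_buffer *b)
{
    b->allow_user_free = true;
}

/* Model of the user-initiated free: checks the flag, then releases the
 * slot. Note that it does not clear allow_user_free, which is what makes
 * the flag stale when the slot is recycled. Returns true if freed. */
static bool user_free(struct toy_buffer *b)
{
    if (!b->allow_user_free)
        return false;
    b->in_use = false;
    b->txn_id = 0;
    return true;
}

/* Scenario: txn 1 uses a buffer and is freed legitimately; the slot is
 * recycled for txn 2, which is still in flight (not delivered). A free
 * request against txn 2's buffer must be rejected. Returns true if the
 * live buffer was freed anyway, i.e. the bug reproduced. */
bool live_buffer_freed(bool clear_on_alloc)
{
    struct toy_pool pool;
    pool_init(&pool);

    struct toy_buffer *b1 = alloc_buffer(&pool, 1, clear_on_alloc);
    deliver_to_user(b1);
    user_free(b1);                 /* legitimate release of txn 1 */

    struct toy_buffer *b2 = alloc_buffer(&pool, 2, clear_on_alloc);
    return user_free(b2);          /* b2 reuses b1's slot; not delivered yet */
}

/* Sanity check that the fix does not break the legitimate path. */
bool delivered_buffer_freeable(bool clear_on_alloc)
{
    struct toy_pool pool;
    pool_init(&pool);
    struct toy_buffer *b = alloc_buffer(&pool, 1, clear_on_alloc);
    deliver_to_user(b);
    return user_free(b);
}

int main(void)
{
    printf("stale flag kept on reuse : live buffer freed = %d\n",
           live_buffer_freed(false));
    printf("flag cleared on alloc    : live buffer freed = %d\n",
           live_buffer_freed(true));
    return 0;
}
```

The check a reviewer would want from a real fix is the second function: clearing the flag on allocation must not reject the free of a buffer that has actually been delivered.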

Re: [PATCH V4] binder: ipc namespace support for android binder

2018-11-12 Thread Todd Kjos
+christ...@brauner.io +Martijn Coenen Christian, Does this patch work for your container use-cases? If not, please comment on this thread. Let's discuss at LPC this week. -Todd On Mon, Nov 12, 2018 at 1:38 AM chouryzhou(周威) wrote: > > Currently android's binder is not isolated by ipc

Re: [PATCH V3] binder: ipc namespace support for android binder

2018-11-09 Thread Todd Kjos
On Fri, Nov 9, 2018 at 10:27 AM Davidlohr Bueso wrote: > > On Thu, 08 Nov 2018, chouryzhou(周威) wrote: > > >+#ifdef CONFIG_ANDROID_BINDER_IPC > >+ /* next fields are for binder */ > >+ struct mutex binder_procs_lock; > >+ struct hlist_head binder_procs; > >+ struct

Re: [PATCH V3] binder: ipc namespace support for android binder

2018-11-09 Thread Todd Kjos
On Thu, Nov 8, 2018 at 5:02 AM chouryzhou(周威) wrote: > > We are working for running android in container, but we found that binder is > not isolated by ipc namespace. Since binder is a form of IPC and therefore > should > be tied to ipc namespace. With this patch, we can run more than one

Re: [PATCH] MAINTAINERS: Add me to Android drivers

2018-10-09 Thread Todd Kjos
ndation.org > Signed-off-by: Joel Fernandes (Google) > --- > MAINTAINERS | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/MAINTAINERS b/MAINTAINERS > index 544cac829cf4..d639c4d04438 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -894,6 +894,7 @@ M: Gr

Re: possible deadlock in __do_page_fault

2018-09-20 Thread Todd Kjos
+Joel Fernandes On Thu, Sep 20, 2018 at 2:11 PM Andrew Morton wrote: > > > Thanks. Let's cc the ashmem folks. > > On Thu, 20 Sep 2018 14:04:05 -0700 syzbot > wrote: > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:a0cb0cabe4bb Add linux-next specific files for

Re: [PATCH V4] binder: ipc namespace support for android binder

2018-11-16 Thread Todd Kjos
On Thu, Nov 15, 2018 at 2:54 PM gre...@linuxfoundation.org wrote: ... > > A number of us have talked about this in the plumbers Android track, and > a different proposal for how to solve this has been made that should be > much more resiliant. So I will drop this patch from my queue and wait >

[PATCH 3/3] binder: filter out nodes when showing binder procs

2018-12-05 Thread Todd Kjos
When dumping out binder transactions via a debug node, the output is too verbose if a process has many nodes. Change the output for transaction dumps to only display nodes with pending async transactions. Signed-off-by: Todd Kjos --- v2: no change, just resubmitted as #3 of 3 patches instead

[PATCH v2 1/3] binder: fix sparse warnings on locking context

2018-12-05 Thread Todd Kjos
Add __acquire()/__release() annotations to fix warnings in sparse context checking There is one case where the warning was due to a lack of a "default:" case in a switch statement where a lock was being released in each of the cases, so the default case was added. Signed-off-by:
