
Commit 4ffb79f

Carlos Llamassmb49
authored andcommitted
Revert "android: binder: stop saving a pointer to the VMA"
BugLink: https://bugs.launchpad.net/bugs/2028979 commit c0fd210 upstream. This reverts commit a43cfc8. This patch fixed an issue reported by syzkaller in [1]. However, this turned out to be only a band-aid in binder. The root cause, as bisected by syzkaller, was fixed by commit 5789151 ("mm/mmap: undo ->mmap() when mas_preallocate() fails"). We no longer need the patch for binder. Reverting such patch allows us to have a lockless access to alloc->vma in specific cases where the mmap_lock is not required. This approach avoids the contention that caused a performance regression. [1] https://lore.kernel.org/all/0000000000004a0dbe05e1d749e0@google.com [cmllamas: resolved conflicts with rework of alloc->mm and removal of binder_alloc_set_vma() also fixed comment section] Fixes: a43cfc8 ("android: binder: stop saving a pointer to the VMA") Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Suren Baghdasaryan <surenb@google.com> Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20230502201220.1756319-2-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
1 parent dad8109 commit 4ffb79f

3 files changed

Lines changed: 12 additions & 11 deletions


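--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -212,7 +212,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
 
 if (mm) {
 mmap_read_lock(mm);
-vma = vma_lookup(mm, alloc->vma_addr);
+vma = alloc->vma;
 }
 
 if (!vma && need_mm) {
@@ -313,9 +313,11 @@ static inline struct vm_area_struct *binder_alloc_get_vma(
 {
 struct vm_area_struct *vma = NULL;
 
-if (alloc->vma_addr)
-vma = vma_lookup(alloc->mm, alloc->vma_addr);
-
+if (alloc->vma) {
+/* Look at description in binder_alloc_set_vma */
+smp_rmb();
+vma = alloc->vma;
+}
 return vma;
 }
 
@@ -774,7 +776,7 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
 buffer->free = 1;
 binder_insert_free_buffer(alloc, buffer);
 alloc->free_async_space = alloc->buffer_size / 2;
-alloc->vma_addr = vma->vm_start;
+alloc->vma = vma;
 
 return 0;
 
@@ -804,8 +806,7 @@ void binder_alloc_deferred_release(struct binder_alloc *alloc)
 
 buffers = 0;
 mutex_lock(&alloc->mutex);
-BUG_ON(alloc->vma_addr &&
-vma_lookup(alloc->mm, alloc->vma_addr));
+BUG_ON(alloc->vma);
 
 while ((n = rb_first(&alloc->allocated_buffers))) {
 buffer = rb_entry(n, struct binder_buffer, rb_node);
@@ -957,7 +958,7 @@ int binder_alloc_get_allocated_count(struct binder_alloc *alloc)
 */
 void binder_alloc_vma_close(struct binder_alloc *alloc)
 {
-alloc->vma_addr = 0;
+alloc->vma = 0;
 }
 
 /**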
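Review bot: The comment added in the binder_alloc_get_vma hunk, `/* Look at description in binder_alloc_set_vma */`, points at a function the commit description says was removed during conflict resolution, so the smp_rmb() it justifies has no visible write-side pairing: the only store to alloc->vma in this file section is the plain `alloc->vma = vma;` in binder_alloc_mmap_handler, and no smp_wmb() appears in that hunk. Either restore a setter that issues the write barrier before publishing the pointer, or reword the comment to name the real store site, e.g. `/* pairs with the store of alloc->vma in binder_alloc_mmap_handler; confirm a matching smp_wmb() precedes that store */`. The signature of binder_alloc_get_vma lies outside the hunk. As a style point, binder_alloc_vma_close now clears a pointer member with `alloc->vma = 0;` and should read `alloc->vma = NULL;`.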

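--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h
@@ -76,7 +76,7 @@ struct binder_lru_page {
 /**
 * struct binder_alloc - per-binder proc state for binder allocator
 * @mutex: protects binder_alloc fields
-* @vma_addr: vm_area_struct->vm_start passed to mmap_handler
+* @vma: vm_area_struct passed to mmap_handler
 * (invariant after mmap)
 * @mm: copy of task->mm (invariant after open)
 * @buffer: base of per-proc address space mapped via mmap
@@ -100,7 +100,7 @@ struct binder_lru_page {
 */
 struct binder_alloc {
 struct mutex mutex;
-unsigned long vma_addr;
+struct vm_area_struct *vma;
 struct mm_struct *mm;
 void __user *buffer;
 struct list_head buffers;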
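Review bot: The kernel-doc line added for the new @vma member keeps the trailing `(invariant after mmap)` context, which no longer describes the field: binder_alloc_vma_close in the binder_alloc.c section of this commit clears it with `alloc->vma = 0;`, and binder_alloc_get_vma appears to read it behind an smp_rmb() without taking alloc->mutex in the hunk shown. The description should state the actual lifetime and access rule instead, e.g. `* @vma: vm_area_struct passed to mmap_handler; set in binder_alloc_mmap_handler, cleared in binder_alloc_vma_close, read locklessly through binder_alloc_get_vma`. A reader deciding whether this pointer may be dereferenced needs that rule more than the stale invariant claim.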

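--- a/drivers/android/binder_alloc_selftest.c
+++ b/drivers/android/binder_alloc_selftest.c
@@ -287,7 +287,7 @@ void binder_selftest_alloc(struct binder_alloc *alloc)
 if (!binder_selftest_run)
 return;
 mutex_lock(&binder_selftest_lock);
-if (!binder_selftest_run || !alloc->vma_addr)
+if (!binder_selftest_run || !alloc->vma)
 goto done;
 pr_info("STARTED\n");
 binder_selftest_alloc_offset(alloc, end_offset, 0);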
