
Revert "android: binder: stop saving a pointer to the VMA"

This reverts commit a43cfc87caaf46710c8027a8c23b8a55f1078f19.

This patch fixed an issue reported by syzkaller in [1]. However, this
turned out to be only a band-aid in binder. The root cause, as bisected
by syzkaller, was fixed by commit 5789151e48ac ("mm/mmap: undo ->mmap()
when mas_preallocate() fails"). We no longer need the patch for binder.

Reverting this patch allows us to have lockless access to alloc->vma
in specific cases where the mmap_lock is not required. This approach
avoids the contention that caused a performance regression.

[1] https://lore.kernel.org/all/0000000000004a0dbe05e1d749e0@google.com

[cmllamas: resolved conflicts with rework of alloc->mm and removal of
binder_alloc_set_vma() also fixed comment section]

Fixes: a43cfc87caaf ("android: binder: stop saving a pointer to the VMA")
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20230502201220.1756319-2-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Carlos Llamas and committed by
Greg Kroah-Hartman
c0fd2101 b15655b1

+12 -11
+9 -8
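--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -213,7 +213,7 @@
 
 	if (mm) {
 		mmap_read_lock(mm);
-		vma = vma_lookup(mm, alloc->vma_addr);
+		vma = alloc->vma;
 	}
 
 	if (!vma && need_mm) {
@@ -314,9 +314,11 @@
 {
 	struct vm_area_struct *vma = NULL;
 
-	if (alloc->vma_addr)
-		vma = vma_lookup(alloc->mm, alloc->vma_addr);
-
+	if (alloc->vma) {
+		/* Look at description in binder_alloc_set_vma */
+		smp_rmb();
+		vma = alloc->vma;
+	}
 	return vma;
 }
 
@@ -777,7 +775,7 @@
 	buffer->free = 1;
 	binder_insert_free_buffer(alloc, buffer);
 	alloc->free_async_space = alloc->buffer_size / 2;
-	alloc->vma_addr = vma->vm_start;
+	alloc->vma = vma;
 
 	return 0;
 
@@ -807,8 +805,7 @@
 
 	buffers = 0;
 	mutex_lock(&alloc->mutex);
-	BUG_ON(alloc->vma_addr &&
-	       vma_lookup(alloc->mm, alloc->vma_addr));
+	BUG_ON(alloc->vma);
 
 	while ((n = rb_first(&alloc->allocated_buffers))) {
 		buffer = rb_entry(n, struct binder_buffer, rb_node);
@@ -959,7 +958,7 @@
  */
 void binder_alloc_vma_close(struct binder_alloc *alloc)
 {
-	alloc->vma_addr = 0;
+	alloc->vma = 0;
 }
 
 /**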
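Review bot: The `smp_rmb()` added to binder_alloc_get_vma() has no paired write barrier anywhere in this patch: the publishing store `alloc->vma = vma;` in the third hunk (its enclosing function starts outside the hunk) is a plain assignment, and the comment `/* Look at description in binder_alloc_set_vma */` points at a function the commit message itself says was removed, so the ordering contract is unreadable. A read barrier alone orders nothing, and the field is also loaded twice without READ_ONCE(), so a concurrent binder_alloc_vma_close() can make the second load return NULL after the first saw a VMA; I would replace the if-block with `vma = smp_load_acquire(&alloc->vma);` and a comment naming the matching store, change the store to `smp_store_release(&alloc->vma, vma);`, and write `alloc->vma = NULL;` (or `WRITE_ONCE(alloc->vma, NULL);`) in binder_alloc_vma_close() instead of assigning `0` to a pointer. Since alloc->vma is again a raw vm_area_struct pointer read without mmap_lock here, its safety rests on binder_alloc_vma_close() always running before the VMA is freed; that assumption deserves a sentence in the getter's comment, as the commit message only cites the mm-side fix.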
+2 -2
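--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h
@@ -75,7 +75,7 @@
 /**
  * struct binder_alloc - per-binder proc state for binder allocator
  * @mutex:              protects binder_alloc fields
- * @vma_addr:           vm_area_struct->vm_start passed to mmap_handler
+ * @vma:                vm_area_struct passed to mmap_handler
  *                      (invariant after mmap)
  * @mm:                 copy of task->mm (invariant after open)
  * @buffer:             base of per-proc address space mapped via mmap
@@ -99,7 +99,7 @@
  */
 struct binder_alloc {
 	struct mutex mutex;
-	unsigned long vma_addr;
+	struct vm_area_struct *vma;
 	struct mm_struct *mm;
 	void __user *buffer;
 	struct list_head buffers;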
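Review bot: The rewritten field doc `@vma: vm_area_struct passed to mmap_handler` keeps the `(invariant after mmap)` continuation, but binder_alloc_vma_close() in this same commit clears the field, so the stated lifetime is wrong for a raw pointer that other code now reads without mmap_lock. The comment should state when the pointer becomes invalid rather than calling it invariant, e.g. ` * @vma: vm_area_struct passed to mmap_handler (set at mmap, cleared by binder_alloc_vma_close(); lockless readers get a snapshot that may already be NULL)`. Whether callers may dereference the returned pointer without mmap_lock is not visible from this header, so the comment should not promise more than that.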
+1 -1
drivers/android/binder_alloc_selftest.c
··· 287 287 if (!binder_selftest_run) 288 288 return; 289 289 mutex_lock(&binder_selftest_lock); 290 - if (!binder_selftest_run || !alloc->vma_addr) 290 + if (!binder_selftest_run || !alloc->vma) 291 291 goto done; 292 292 pr_info("STARTED\n"); 293 293 binder_selftest_alloc_offset(alloc, end_offset, 0);