| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230424223419.6n2z72mocgmcj3aw@revolver>
Date: Mon, 24 Apr 2023 18:34:19 -0400
From: "Liam R. Howlett" <Liam.Howlett@...cle.com>
To: Carlos Llamas <cmllamas@...gle.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Arve Hjønnevåg <arve@...roid.com>,
Todd Kjos <tkjos@...roid.com>,
Martijn Coenen <maco@...roid.com>,
Joel Fernandes <joel@...lfernandes.org>,
Christian Brauner <brauner@...nel.org>,
Suren Baghdasaryan <surenb@...gle.com>,
linux-kernel@...r.kernel.org, kernel-team@...roid.com,
linux-mm@...ck.org
Subject: Re: [RFC PATCH 2/3] Revert "android: binder: stop saving a pointer
to the VMA"
Cc linux-mm
* Carlos Llamas <cmllamas@...gle.com> [230424 16:56]:
> This reverts commit a43cfc87caaf46710c8027a8c23b8a55f1078f19.
>
> This patch fixed an issue reported by syzkaller in [1]. However, this
> turned out to be only a band-aid in binder. The root cause, as bisected
> by syzkaller, was fixed by commit 5789151e48ac ("mm/mmap: undo ->mmap()
> when mas_preallocate() fails"). We no longer need the patch for binder.
>
> Reverting such patch allows us to have a lockless access to alloc->vma
> in specific cases where the mmap_lock is not required.
Can you elaborate on the situation where recording a VMA pointer and
later accessing it outside the mmap_lock is okay?
>This approach
> avoids the contention that caused a performance regression.
>
> [1] https://lore.kernel.org/all/0000000000004a0dbe05e1d749e0@google.com
>
> [cmllamas: resolved conflicts with rework of alloc->mm and removal of
> binder_alloc_set_vma() also fixed comment section]
>
> Cc: Liam Howlett <liam.howlett@...cle.com>
> Cc: Suren Baghdasaryan <surenb@...gle.com>
> Signed-off-by: Carlos Llamas <cmllamas@...gle.com>
> ---
> drivers/android/binder_alloc.c | 17 +++++++++--------
> drivers/android/binder_alloc.h | 4 ++--
> drivers/android/binder_alloc_selftest.c | 2 +-
> 3 files changed, 12 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
> index 92c814ec44fe..eb082b33115b 100644
> --- a/drivers/android/binder_alloc.c
> +++ b/drivers/android/binder_alloc.c
> @@ -213,7 +213,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
>
> if (mm) {
> mmap_read_lock(mm);
> - vma = vma_lookup(mm, alloc->vma_addr);
> + vma = alloc->vma;
> }
>
> if (!vma && need_mm) {
> @@ -314,9 +314,11 @@ static inline struct vm_area_struct *binder_alloc_get_vma(
> {
> struct vm_area_struct *vma = NULL;
>
> - if (alloc->vma_addr)
> - vma = vma_lookup(alloc->mm, alloc->vma_addr);
> -
> + if (alloc->vma) {
> + /* Look at description in binder_alloc_set_vma */
> + smp_rmb();
> + vma = alloc->vma;
> + }
> return vma;
> }
>
> @@ -775,7 +777,7 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
> buffer->free = 1;
> binder_insert_free_buffer(alloc, buffer);
> alloc->free_async_space = alloc->buffer_size / 2;
> - alloc->vma_addr = vma->vm_start;
> + alloc->vma = vma;
>
> return 0;
>
> @@ -805,8 +807,7 @@ void binder_alloc_deferred_release(struct binder_alloc *alloc)
>
> buffers = 0;
> mutex_lock(&alloc->mutex);
> - BUG_ON(alloc->vma_addr &&
> - vma_lookup(alloc->mm, alloc->vma_addr));
> + BUG_ON(alloc->vma);
>
> while ((n = rb_first(&alloc->allocated_buffers))) {
> buffer = rb_entry(n, struct binder_buffer, rb_node);
> @@ -958,7 +959,7 @@ int binder_alloc_get_allocated_count(struct binder_alloc *alloc)
> */
> void binder_alloc_vma_close(struct binder_alloc *alloc)
> {
> - alloc->vma_addr = 0;
> + alloc->vma = 0;
> }
>
> /**
> diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h
> index 0f811ac4bcff..138d1d5af9ce 100644
> --- a/drivers/android/binder_alloc.h
> +++ b/drivers/android/binder_alloc.h
> @@ -75,7 +75,7 @@ struct binder_lru_page {
> /**
> * struct binder_alloc - per-binder proc state for binder allocator
> * @mutex: protects binder_alloc fields
> - * @vma_addr: vm_area_struct->vm_start passed to mmap_handler
> + * @vma: vm_area_struct passed to mmap_handler
> * (invariant after mmap)
> * @mm: copy of task->mm (invariant after open)
> * @buffer: base of per-proc address space mapped via mmap
> @@ -99,7 +99,7 @@ struct binder_lru_page {
> */
> struct binder_alloc {
> struct mutex mutex;
> - unsigned long vma_addr;
> + struct vm_area_struct *vma;
> struct mm_struct *mm;
> void __user *buffer;
> struct list_head buffers;
> diff --git a/drivers/android/binder_alloc_selftest.c b/drivers/android/binder_alloc_selftest.c
> index 43a881073a42..c2b323bc3b3a 100644
> --- a/drivers/android/binder_alloc_selftest.c
> +++ b/drivers/android/binder_alloc_selftest.c
> @@ -287,7 +287,7 @@ void binder_selftest_alloc(struct binder_alloc *alloc)
> if (!binder_selftest_run)
> return;
> mutex_lock(&binder_selftest_lock);
> - if (!binder_selftest_run || !alloc->vma_addr)
> + if (!binder_selftest_run || !alloc->vma)
> goto done;
> pr_info("STARTED\n");
> binder_selftest_alloc_offset(alloc, end_offset, 0);
> --
> 2.40.0.634.g4ca3ef3211-goog
>
Powered by blists - more mailing lists