Add a tracepoint to capture the same details that are being sent through
the generic netlink interface during transaction failures. This provides
a useful debugging tool to observe the events independently from the
netlink listeners.
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20250727182932.2499194-6-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 372832477
(cherry picked from commit 8a61a53b07f23ff12330086b293b6b492d35b8a0
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next)
Change-Id: I5185383180787d1a237b8f583306055081a9f0d9
[cmllamas: fixed missing t->is_reply]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Introduce a generic netlink multicast event to report binder transaction
failures to userspace. This allows subscribers to monitor these events
and take appropriate actions, such as stopping a misbehaving application
that is spamming a service with huge amount of transactions.
The multicast event contains full details of the failed transactions,
including the sender/target PIDs, payload size and specific error code.
This interface is defined using a YAML spec, from which the UAPI and
kernel headers and source are auto-generated.
Signed-off-by: Li Li <dualli@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20250727182932.2499194-4-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 372832477
(cherry picked from commit 63740349eba78f242bcbf60d5244d7f2b2600853
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next)
[cmllamas: fix missing t->is_reply, fix ABI header include issue]
Change-Id: I7013f9bba450f7ab3331dd850314a7b62af58818
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Move the allocation of 'struct binder_transaction' to the beginning of
the binder_transaction() function, along with the initialization of all
the members that are known at that time. This minor refactoring helps to
consolidate the usage of transaction information at later points.
This patch is in preparation for binder's generic netlink implementation
and no functional changes are intended.
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20250727182932.2499194-2-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 372832477
(cherry picked from commit 4afc5bf0a1849f0ed3ea1d9fd9d0e79b23a67f96
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next)
[cmllamas: fix minor conflicts with t->priority]
Change-Id: I588319183f1d69e3694b00341432d6d4eee0a697
Signed-off-by: Carlos Llamas <cmllamas@google.com>
The first one is the lifecycle in which they are added to the thread pool
and released. Another is that the data is read by the thread.
Bug: 333839270
Change-Id: I41d58474aa66533a2104c07aae525bf09e32df4d
Signed-off-by: Muduo Qin <muduo.qin@tcl.corp-partner.google.com>
(cherry picked from commit b98dd52b77f25f724052221c54b4e197692406e7)
Binder defines several seq_files that can be accessed via debugfs or
binderfs. Some of these files (e.g., 'state' and 'transactions')
contain more granular information about binder's internal state that
is helpful for debugging, but they also leak userspace address data
through user-defined 'cookie' or 'ptr' values. Consequently, access
to these files must be heavily restricted.
Add two new files, 'state_hashed' and 'transactions_hashed', that
reproduce the information in the original files but use the kernel's
raw pointer obfuscation to hash any potential user addresses. This
approach allows systems to grant broader access to the new files
without having to change the security policy around the existing ones.
In practice, userspace populates these fields with user addresses, but
within the driver, these values only serve as unique identifiers for
their associated binder objects. Consequently, binder logs can
obfuscate these values and still retain meaning. While this strategy
prevents leaking information about the userspace memory layout in the
existing log files, it also decouples log messages about binder
objects from their user-defined identifiers.
Acked-by: Carlos Llamas <cmllamas@google.com>
Tested-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: "Tiffany Y. Yang" <ynaffit@google.com>
Link: https://lore.kernel.org/r/20250510013435.1520671-7-ynaffit@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 316970771
(cherry picked from commit 57483a362741e4f0f3f4d2fc82d48f82fd0986d9)
[Resolve conflicts from node prio and special work]
Change-Id: I6a01048c0105a1d6061e95f386e7ee55e2fdc898
Signed-off-by: "Tiffany Yang" <ynaffit@google.com>
The binder driver outputs information about each dead binder node by
iterating over the dead nodes list, and it prints the state of each live
node in the system by traversing each binder_proc's proc->nodes tree.
Both cases require similar logic to maintain the global lock ordering
while accessing each node.
Create a helper function to synchronize around printing binder nodes in
a list. Opportunistically make minor cosmetic changes to binder print
functions.
Acked-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: "Tiffany Y. Yang" <ynaffit@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250510013435.1520671-5-ynaffit@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 316970771
(cherry picked from commit 91f1bbaa783d26b379d65ef7b4b2b947c338c749)
Change-Id: Iae546a847ca138ddfffcdc24faf075b325a54640
Signed-off-by: "Tiffany Yang" <ynaffit@google.com>
GKI (arm64) relevant 33 out of 166 changes, affecting 52 files +454/-363
0aaae77be5 ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() [1 file, +7/-0]
fdf0ae5e9e ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset [1 file, +2/-1]
38d9ca7405 binder: fix offset calculation in debug log [1 file, +1/-1]
f1dfc94584 drm/fdinfo: Protect against driver unbind [1 file, +6/-0]
090c8714ef arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays [1 file, +2/-0]
eb9b72e4fe mm/memblock: pass size instead of end to memblock_set_node() [1 file, +1/-1]
9c4ddea497 mm/memblock: repeat setting reserved region nid if array is doubled [1 file, +10/-0]
0988dd0263 tracing: Do not take trace_event_sem in print_event_fields() [1 file, +2/-2]
f451082572 dm-bufio: don't schedule in atomic context [1 file, +8/-1]
510aea4ef0 dm: always update the array size in realloc_argv on success [1 file, +3/-2]
2e303d0107 iommu: Fix two issues in iommu_copy_struct_from_user() [1 file, +4/-4]
573b047229 cpufreq: Avoid using inconsistent policy->min and policy->max [1 file, +25/-7]
962d88304c cpufreq: Fix setting policy limits when frequency tables are used [4 files, +73/-41]
1f27a3e93b tracing: Fix oob write in trace_seq_to_buffer() [1 file, +3/-2]
220395054c ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties [1 file, +13/-19]
29a4a29112 ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence [1 file, +4/-1]
65d3c57061 xsk: Fix race condition in AF_XDP generic RX path [4 files, +6/-6]
fe81c26d2d Bluetooth: hci_conn: Remove alloc from critical section [1 file, +10/-18]
eb8b860e87 Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver [6 files, +95/-107]
620810ac1f Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync [7 files, +88/-109]
432572d536 Bluetooth: L2CAP: copy RX timestamp to new fragments [1 file, +3/-0]
6b1355860d scsi: ufs: core: Remove redundant query_complete trace [1 file, +0/-2]
5ad0b1b554 nvme-pci: fix queue unquiesce check on slot_reset [1 file, +1/-1]
6effe1c0fa net: ipv6: fix UDPv6 GSO segmentation with NAT [1 file, +60/-1]
c0dba059b1 net: use sock_gen_put() when sk_state is TCP_TIME_WAIT [2 files, +2/-2]
e10ec6e32b blk-mq: create correct map for fallback case [1 file, +1/-2]
dab2a13059 mm, slab: clean up slab->obj_exts always [1 file, +7/-20]
0a188c0e19 sch_htb: make htb_qlen_notify() idempotent [1 file, +2/-0]
969d8beaa2 firmware: arm_scmi: Balance device refcount when destroying devices [1 file, +3/-0]
3b41b5efae kernel: param: rename locate_module_kobject [1 file, +3/-3]
69113bf740 kernel: globalize lookup_or_create_module_kobject() [2 files, +3/-1]
e1eea69858 drivers: base: handle module_kobject creation [1 file, +5/-8]
db62809197 dm: fix copying after src array boundaries [1 file, +1/-1]
Changes in 6.12.28
Bluetooth: btusb: add Foxconn 0xe0fc for Qualcomm WCN785x
Bluetooth: btusb: Add one more ID 0x0489:0xe0f3 for Qualcomm WCN785x
Bluetooth: btusb: Add one more ID 0x13d3:0x3623 for Qualcomm WCN785x
Bluetooth: btusb: Add ID 0x2c7c:0x0130 for Qualcomm WCN785x
Bluetooth: btusb: Add new VID/PID for WCN785x
Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x
Revert "rndis_host: Flag RNDIS modems as WWAN devices"
ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()
ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset
binder: fix offset calculation in debug log
btrfs: adjust subpage bit start based on sectorsize
btrfs: fix COW handling in run_delalloc_nocow()
cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode
drm/fdinfo: Protect against driver unbind
drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()
EDAC/altera: Test the correct error reg offset
EDAC/altera: Set DDR and SDMMC interrupt mask before registration
i2c: imx-lpi2c: Fix clock count when probe defers
arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays
parisc: Fix double SIGFPE crash
perf/x86/intel: Only check the group flag for X86 leader
perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.
amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload
irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
mm/memblock: pass size instead of end to memblock_set_node()
mm/memblock: repeat setting reserved region nid if array is doubled
mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe
spi: tegra114: Don't fail set_cs_timing when delays are zero
tracing: Do not take trace_event_sem in print_event_fields()
wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
x86/boot/sev: Support memory acceptance in the EFI stub under SVSM
dm-bufio: don't schedule in atomic context
dm-integrity: fix a warning on invalid table line
dm: always update the array size in realloc_argv on success
drm/amdgpu: Fix offset for HDP remap in nbio v7.11
drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS
iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids
iommu/arm-smmu-v3: Fix pgsize_bit for sva domains
iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57)
iommu: Fix two issues in iommu_copy_struct_from_user()
platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles
platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug
ksmbd: fix use-after-free in ksmbd_session_rpc_open
ksmbd: fix use-after-free in kerberos authentication
ksmbd: fix use-after-free in session logoff
smb: client: fix zero length for mkdir POSIX create context
cpufreq: Avoid using inconsistent policy->min and policy->max
cpufreq: Fix setting policy limits when frequency tables are used
tracing: Fix oob write in trace_seq_to_buffer()
drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF
ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties
ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB
ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence
book3s64/radix : Align section vmemmap start address to PAGE_SIZE
pinctrl: imx: Return NULL if no group is matched and found
powerpc/boot: Check for ld-option support
ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init()
ALSA: hda/realtek - Enable speaker for HP platform
drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions'
wifi: iwlwifi: don't warn if the NIC is gone in resume
wifi: iwlwifi: fix the check for the SCRATCH register upon resume
wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
powerpc/boot: Fix dash warning
vxlan: vnifilter: Fix unlocked deletion of default FDB entry
xsk: Fix race condition in AF_XDP generic RX path
net/mlx5e: Use custom tunnel header for vxlan gbp
net/mlx5: E-Switch, Initialize MAC Address for Default GID
net/mlx5e: TC, Continue the attr process even if encap entry is invalid
net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover
net/mlx5: E-switch, Fix error handling for enabling roce
accel/ivpu: Correct DCT interrupt handling
ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot
Bluetooth: hci_conn: Remove alloc from critical section
Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver
Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync
Bluetooth: btintel_pcie: Avoid redundant buffer allocation
Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()
Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths
Bluetooth: L2CAP: copy RX timestamp to new fragments
net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID
octeon_ep_vf: Resolve netdevice usage count issue
bnxt_en: improve TX timestamping FIFO configuration
rtase: Modify the condition used to detect overflow in rtase_calc_time_mitigation
net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll
net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised
net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array
pds_core: make pdsc_auxbus_dev_del() void
pds_core: specify auxiliary_device to be created
pds_core: remove write-after-free of client_id
net_sched: drr: Fix double list add in class with netem as child qdisc
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
net_sched: ets: Fix double list add in class with netem as child qdisc
net_sched: qfq: Fix double list add in class with netem as child qdisc
ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()
idpf: fix offloads support for encapsulated packets
scsi: ufs: core: Remove redundant query_complete trace
ALSA: ump: Fix buffer overflow at UMP SysEx message conversion
nvme-pci: fix queue unquiesce check on slot_reset
drm/tests: shmem: Fix memleak
drm/mipi-dbi: Fix blanking for non-16 bit formats
net: dlink: Correct endianness handling of led_mode
net: mdio: mux-meson-gxl: set reversed bit when using internal phy
idpf: fix potential memory leak on kcalloc() failure
idpf: protect shutdown from reset
igc: fix lock order in igc_ptp_reset
net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM
net: dsa: felix: fix broken taprio gate states after clock jump
net: ipv6: fix UDPv6 GSO segmentation with NAT
ALSA: hda/realtek: Fix built-mic regression on other ASUS models
bnxt_en: Fix error handling path in bnxt_init_chip()
bnxt_en: Fix ethtool selftest output in one of the failure cases
bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan()
bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings()
bnxt_en: Fix coredump logic to free allocated buffer
bnxt_en: Fix out-of-bound memcpy() during ethtool -w
bnxt_en: Fix ethtool -d byte order for 32-bit values
nvme-tcp: fix premature queue removal and I/O failover
nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS
nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS
ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction
bnxt_en: fix module unload sequence
net: use sock_gen_put() when sk_state is TCP_TIME_WAIT
ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations
net: lan743x: Fix memleak issue when GSO enabled
net: fec: ERR007885 Workaround for conventional TX
octeon_ep: Fix host hang issue during device reboot
net: hns3: store rx VLAN tag offload state for VF
net: hns3: fix an interrupt residual problem
net: hns3: fixed debugfs tm_qset size
net: hns3: defer calling ptp_clock_register()
net: vertexcom: mse102x: Fix possible stuck of SPI interrupt
net: vertexcom: mse102x: Fix LEN_MASK
net: vertexcom: mse102x: Add range check for CMD_RTS
net: vertexcom: mse102x: Fix RX error handling
blk-mq: create correct map for fallback case
mm, slab: clean up slab->obj_exts always
bcachefs: Remove incorrect __counted_by annotation
net: Fix the devmem sock opts and msgs for parisc
accel/ivpu: Make DB_ID and JOB_ID allocations incremental
accel/ivpu: Use xa_alloc_cyclic() instead of custom function
accel/ivpu: Fix a typo
accel/ivpu: Update VPU FW API headers
accel/ivpu: Abort all jobs after command queue unregister
accel/ivpu: Fix locking order in ivpu_job_submit
accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW
sch_htb: make htb_qlen_notify() idempotent
sch_drr: make drr_qlen_notify() idempotent
sch_hfsc: make hfsc_qlen_notify() idempotent
sch_qfq: make qfq_qlen_notify() idempotent
sch_ets: make est_qlen_notify() idempotent
drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change
firmware: arm_scmi: Balance device refcount when destroying devices
firmware: arm_ffa: Skip Rx buffer ownership release if not acquired
arm64: dts: imx95: Correct the range of PCIe app-reg region
ARM: dts: opos6ul: add ksz8081 phy properties
arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs
arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs
Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates"
kernel: param: rename locate_module_kobject
kernel: globalize lookup_or_create_module_kobject()
drivers: base: handle module_kobject creation
drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp
drm/amd/display: Fix slab-use-after-free in hdcp
dm: fix copying after src array boundaries
Linux 6.12.28
Change-Id: I79f3d50a10acfe53f329b4b5a4af502f488c61f3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The "desired" priority for a transaction can be adjusted depending on
various factors. For instance, it might be set to SCHED_NORMAL 120, when
the caller is RT and the target node has !inherit_rt.
However, instead of using these adjustments, the existing logic compares
the minimum node priority against the original transaction priority.
If the transaction priority is "higher", then the minimum node priority
is ignored. This is particularly a problem when the "desired" priority
has been changed to SCHED_NORMAL.
This patch corrects the logic, comparing the minimum node priority
against the (potentially adjusted) "desired" priority. This guarantees
that the node's minimum priority is honored.
Bug: 417382411
Cc: Martijn Coenen <maco@google.com>
Fixes: c46810c23565 ("ANDROID: binder: add RT inheritance flag to node.")
Change-Id: I813073241b996c1c38c29f20849b247023697102
Signed-off-by: zhanghao56 <zhanghao56@xiaomi.corp-partner.google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
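Added example, not the binder driver's own code: a small model of the priority selection described above, with the old comparison (node minimum against the original transaction priority) next to the corrected one (against the adjusted "desired" priority). Priority numbers follow the kernel convention (lower is higher; RT 0-99, SCHED_NORMAL 100-139 with nice 0 at 120); the struct and field names are assumptions for illustration.

```c
/*
 * Model of the "desired" priority logic for a binder transaction.
 * Names (struct prio, struct node_model, select_priority) are hypothetical
 * and do not come from the driver.
 */
#include <stdbool.h>
#include <stdio.h>

enum sched_policy { SCHED_NORMAL = 0, SCHED_FIFO = 1, SCHED_RR = 2 };

#define DEFAULT_PRIO 120 /* SCHED_NORMAL, nice 0 */

struct prio {
    enum sched_policy policy;
    int prio;                 /* lower number = higher priority */
};

struct node_model {
    bool inherit_rt;          /* may an RT caller's priority be inherited? */
    enum sched_policy sched_policy;
    int min_priority;         /* the node's minimum priority (floor) */
};

static bool is_rt_policy(enum sched_policy p)
{
    return p == SCHED_FIFO || p == SCHED_RR;
}

/* The node minimum wins when it is higher (numerically lower), or equal and FIFO. */
static bool node_min_beats(struct prio node_prio, struct prio other)
{
    return node_prio.prio < other.prio ||
           (node_prio.prio == other.prio && node_prio.policy == SCHED_FIFO);
}

/*
 * fixed == false: old logic, compares the node minimum against the
 *                 original transaction priority (t->priority).
 * fixed == true:  corrected logic, compares against the adjusted desired
 *                 priority, so the node minimum is honored.
 */
static struct prio select_priority(struct prio t_priority,
                                   const struct node_model *node, bool fixed)
{
    struct prio desired = t_priority;
    struct prio node_prio = { node->sched_policy, node->min_priority };

    /* Adjustment: an RT caller targeting a !inherit_rt node is demoted. */
    if (!node->inherit_rt && is_rt_policy(desired.policy)) {
        desired.policy = SCHED_NORMAL;
        desired.prio = DEFAULT_PRIO;
    }

    if (node_min_beats(node_prio, fixed ? desired : t_priority))
        desired = node_prio;

    return desired;
}

/* Constructed scenario: RT caller (FIFO 50) calling a !inherit_rt node with min 110. */
static int scenario_prio(bool fixed)
{
    struct prio caller = { SCHED_FIFO, 50 };
    struct node_model node = { .inherit_rt = false,
                               .sched_policy = SCHED_NORMAL,
                               .min_priority = 110 };
    return select_priority(caller, &node, fixed).prio;
}

/* Same caller, but the node allows RT inheritance: no adjustment happens. */
static int inherit_scenario_prio(bool fixed)
{
    struct prio caller = { SCHED_FIFO, 50 };
    struct node_model node = { .inherit_rt = true,
                               .sched_policy = SCHED_NORMAL,
                               .min_priority = 110 };
    return select_priority(caller, &node, fixed).prio;
}

int main(void)
{
    printf("old logic: prio %d (node minimum 110 ignored)\n", scenario_prio(false));
    printf("fixed logic: prio %d (node minimum honored)\n", scenario_prio(true));
    return 0;
}
```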
Add a vendor hook to record binder transaction information and
support OEMs printing binder transaction info.
Our function is to help locate whether the problem is caused by binder
blocking when an ANR or watchdog occurs, so we need to add timestamps and
synchronous or asynchronous process information to the binder_procs
node, and create our own file node to read binder_procs,
binder_transaction_log and binder_transaction_log_failed,
and output them in the format we need.
On kernel 6.6, we implemented this with an OGKI patch; now we want
to achieve this by adding this vendor hook (which also helps to reduce
our OGKI patches). This is a custom function, which will affect
performance. I turn this function on or off according to different
products. It is not available for all OEMs, so it is not available
upstream.
Bug: 409484697
Change-Id: I36109e9045e284cc8be8dbffb79fc5b509a67c06
Signed-off-by: zhengwei <zhengwei2@honor.com>
When the servicemanager process adds a service proxy from another process
that registers the service, we want to know the matching relation between
the handle in the process and the service name.
Bug: 186604985
Change-Id: I466ae200cf17bc821c61bd92544a8fbe6b220a25
Signed-off-by: zhengding chen <chenzhengding@oppo.com>
Signed-off-by: shenshen mao <maoshenshen@oppo.com>
Signed-off-by: xiaosa liang <liangxiaosa@oppo.com>
The binder.impl parameter currently controls whether C Binder is loaded
or not, even if no Rust Binder driver is present. This patch changes it
so that C Binder always gets loaded even if binder.impl=rust is set. To
actually load a different Binder driver, it must explicitly ask C Binder
to unload itself.
This ensures that:
1. If binder.impl=rust is set on a device without Rust Binder available,
it will boot normally with C Binder instead of failing to boot.
2. By not listing unload_binder in the symbol list, we ensure that
Binder can only be loaded as a GKI module, not as a vendor module.
Bug: 388786466
Change-Id: I791154e8f10abd5c470bb697b5e1035c33af897f
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
When the servicemanager process adds a service proxy from another process
that registers the service, we want to know the matching relation between
the handle in the process and the service name. When a binder transaction
happens, we want to know what process calls what method on what service.
Patch 3482670 was uploaded in this patchset to avoid conflict.
Bug: 186604985
Bug: 395737475
Signed-off-by: zhengding chen <chenzhengding@oppo.com>
Change-Id: I813d1cde10294d8665f899f7fef0d444ec1f1f5e
Signed-off-by: shenshen mao <maoshenshen@oppo.com>
Signed-off-by: xiaosa liang <liangxiaosa@oppo.com>
binder_proc->fg_todo list
1. The implementation logic of this feature
1) In trace_android_vh_binder_list_add_work, record the sequence of work, work->android_oem_data1 = atomic64_inc_return(&binder_work_seq).
2) In the binder_proc_transaction() function, for special synchronized
binders, if a thread is not found, t->work will be added to proc->fg_todo in trace_android_vh_binder_special_task().
3) binder_thread_read() -> trace_android_vh_binder_select_special_worklist()
will select work to execute from proc->fg_todo according to a specific
algorithm, such as selecting the thread->todo first, then selecting two
proc->fg_todo works, and then one proc->todo work, while taking into account the sequence of work (work->android_oem_data1).
proc->ANDROID_OEM_DATA(1) is used to generate proc->fg_todo list, and it
was committed in the id 8a3740893d9957783493364b118282daa71695cc by other colleagues.
2. trace_android_vh_binder_list_add_work: record the sequence of work.
3. trace_android_vh_binder_has_proc_work_ilocked: Check if there is work
in proc->fg_todo list, and if so, then binder_wakeup_proc_ilocked.
4. trace_android_vh_binder_check_special_work: release the work on
proc->fg_todo list, and print the binder work on fg_list.
Bug: 334746237
Bug: 395737475
Change-Id: I855618ee129fe1bb5925b169d24eb2301ad90664
Signed-off-by: Fuchun Liao <lfc@oppo.com>
Add some hooks in the binder module so that we can do task dependency analysis and statistical work in OEM's module for further optimization.
Bug: 235925535
Bug: 281920779
Signed-off-by: Zhuguangqing <zhuguangqing@xiaomi.com>
Change-Id: Id47e59c4e3ccd07b26eef758ada147b98cd1964e
Signed-off-by: heshuai1 <heshuai1@xiaomi.com>
This introduces a new binder.impl parameter for the kernel commandline.
The parameter controls whether the device should use the C or Rust
implementation of Binder.
This patch does not contain the Rust portion of this logic as Rust
Binder will be a DDK module for this kernel version. binder_use_rust is
exported so that the module can access it when loaded to check whether
the driver should be enabled. Note that Rust Binder must be a
vendor-boot module for the init sequence to work right.
The parameter has already been hooked up to Android userspace. This
means that the commands
adb shell setprop kcmdline.binder c
adb shell setprop kcmdline.binder rust
will cause Android to set binder.impl on the kernel commandline next
time the phone is rebooted.
Since it's infeasible to change the Binder driver used by a running
system, this parameter cannot be changed once a Binder driver is loaded.
Bug: 388786466
Change-Id: I2ea11cd4110ee86f88ca606c55bb9cc2924d576a
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
commit 1db76ec2b4b206ff943e292a0b55e68ff3443598 upstream.
If a freeze notification is cleared with BC_CLEAR_FREEZE_NOTIFICATION
before calling binder_freeze_notification_done(), then it is detached
from its reference (e.g. ref->freeze) but the work remains queued in
proc->delivered_freeze. This leads to a memory leak when the process
exits as any pending entries in proc->delivered_freeze are not freed:
unreferenced object 0xffff38e8cfa36180 (size 64):
comm "binder-util", pid 655, jiffies 4294936641
hex dump (first 32 bytes):
b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff .....8.......8..
0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00 ........<.K.....
backtrace (crc 95983b32):
[<000000000d0582cf>] kmemleak_alloc+0x34/0x40
[<000000009c99a513>] __kmalloc_cache_noprof+0x208/0x280
[<00000000313b1704>] binder_thread_write+0xdec/0x439c
[<000000000cbd33bb>] binder_ioctl+0x1b68/0x22cc
[<000000002bbedeeb>] __arm64_sys_ioctl+0x124/0x190
[<00000000b439adee>] invoke_syscall+0x6c/0x254
[<00000000173558fc>] el0_svc_common.constprop.0+0xac/0x230
[<0000000084f72311>] do_el0_svc+0x40/0x58
[<000000008b872457>] el0_svc+0x38/0x78
[<00000000ee778653>] el0t_64_sync_handler+0x120/0x12c
[<00000000a8ec61bf>] el0t_64_sync+0x190/0x194
This patch fixes the leak by ensuring that any pending entries in
proc->delivered_freeze are freed during binder_deferred_release().
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-8-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 830d7db744b42c693bf1db7e94db86d7efd91f0e upstream.
The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:
proc 649
context binder-test
thread 649: l 00 need_return 0 tr 0
ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
unknown work: type 10
This patch add the freeze work type and is now logged as such:
proc 637
context binder-test
thread 637: l 00 need_return 0 tr 0
ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
has frozen binder
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-5-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7e20434cbca814cb91a0a261ca0106815ef48e5f upstream.
When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211
CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
binder_release_work+0x398/0x3d0
binder_deferred_func+0xb60/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
Allocated by task 703:
__kmalloc_cache_noprof+0x130/0x280
binder_thread_write+0xdb4/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
invoke_syscall+0x6c/0x254
Freed by task 211:
kfree+0xc4/0x230
binder_deferred_func+0xae8/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
==================================================================
This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos <tkjos@android.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-4-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 011e69a1b23011c0db3af4b8293fdd4522cc97b0 upstream.
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped to
acquire the node->lock first (lock nesting order). This can race with
binder_deferred_release() which removes the nodes from the proc->nodes
rbtree and adds them into binder_dead_nodes list. This leads to a broken
iteration in binder_add_freeze_work() as rb_next() will use data from
binder_dead_nodes, triggering an out-of-bounds access:
==================================================================
BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
Read of size 8 at addr ffffcb84285f7170 by task freeze/660
CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
Hardware name: linux,dummy-virt (DT)
Call trace:
rb_next+0xfc/0x124
binder_add_freeze_work+0x344/0x534
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
The buggy address belongs to the variable:
binder_dead_nodes+0x10/0x40
[...]
==================================================================
This is possible because proc->nodes (rbtree) and binder_dead_nodes
(list) share entries in binder_node through a union:
struct binder_node {
[...]
union {
struct rb_node rb_node;
struct hlist_node dead_node;
};
Fix the race by checking that the proc is still alive. If not, simply
break out of the iteration.
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-3-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dc8aea47b928cc153b591b3558829ce42f685074 upstream.
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped in
order to acquire the node->lock first (lock nesting order). This can
race with binder_node_release() and trigger a use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff53c04c29dd04 by task freeze/640
CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17
Hardware name: linux,dummy-virt (DT)
Call trace:
_raw_spin_lock+0xe4/0x19c
binder_add_freeze_work+0x148/0x478
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
Allocated by task 637:
__kmalloc_cache_noprof+0x12c/0x27c
binder_new_node+0x50/0x700
binder_transaction+0x35ac/0x6f74
binder_thread_write+0xfb8/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
Freed by task 637:
kfree+0xf0/0x330
binder_thread_read+0x1e88/0x3a68
binder_ioctl+0x16d8/0x25ac
__arm64_sys_ioctl+0x124/0x190
==================================================================
Fix the race by taking a temporary reference on the node before
releasing the proc->inner lock. This ensures the node remains alive
while in use.
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-2-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If a freeze notification is cleared with BC_CLEAR_FREEZE_NOTIFICATION
before calling binder_freeze_notification_done(), then it is detached
from its reference (e.g. ref->freeze) but the work remains queued in
proc->delivered_freeze. This leads to a memory leak when the process
exits as any pending entries in proc->delivered_freeze are not freed:
unreferenced object 0xffff38e8cfa36180 (size 64):
comm "binder-util", pid 655, jiffies 4294936641
hex dump (first 32 bytes):
b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff .....8.......8..
0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00 ........<.K.....
backtrace (crc 95983b32):
[<000000000d0582cf>] kmemleak_alloc+0x34/0x40
[<000000009c99a513>] __kmalloc_cache_noprof+0x208/0x280
[<00000000313b1704>] binder_thread_write+0xdec/0x439c
[<000000000cbd33bb>] binder_ioctl+0x1b68/0x22cc
[<000000002bbedeeb>] __arm64_sys_ioctl+0x124/0x190
[<00000000b439adee>] invoke_syscall+0x6c/0x254
[<00000000173558fc>] el0_svc_common.constprop.0+0xac/0x230
[<0000000084f72311>] do_el0_svc+0x40/0x58
[<000000008b872457>] el0_svc+0x38/0x78
[<00000000ee778653>] el0t_64_sync_handler+0x120/0x12c
[<00000000a8ec61bf>] el0t_64_sync+0x190/0x194
This patch fixes the leak by ensuring that any pending entries in
proc->delivered_freeze are freed during binder_deferred_release().
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-8-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 1db76ec2b4b206ff943e292a0b55e68ff3443598)
Change-Id: Iafdec3421c521b4b591b94455deba7ee5102c8ca
Signed-off-by: Carlos Llamas <cmllamas@google.com>
The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:
proc 649
context binder-test
thread 649: l 00 need_return 0 tr 0
ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
unknown work: type 10
This patch adds the freeze work type, which is now logged as such:
proc 637
context binder-test
thread 637: l 00 need_return 0 tr 0
ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
has frozen binder
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-5-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 830d7db744b42c693bf1db7e94db86d7efd91f0e)
Change-Id: I06f888aa5218db19eeda79e315385506af09d9d5
Signed-off-by: Carlos Llamas <cmllamas@google.com>
When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211
CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
binder_release_work+0x398/0x3d0
binder_deferred_func+0xb60/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
Allocated by task 703:
__kmalloc_cache_noprof+0x130/0x280
binder_thread_write+0xdb4/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
invoke_syscall+0x6c/0x254
Freed by task 211:
kfree+0xc4/0x230
binder_deferred_func+0xae8/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
==================================================================
This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos <tkjos@android.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-4-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 7e20434cbca814cb91a0a261ca0106815ef48e5f)
Change-Id: Icc40e7dd6157981f4adbea7243e55be118552321
Signed-off-by: Carlos Llamas <cmllamas@google.com>
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped to
acquire the node->lock first (lock nesting order). This can race with
binder_deferred_release() which removes the nodes from the proc->nodes
rbtree and adds them into binder_dead_nodes list. This leads to a broken
iteration in binder_add_freeze_work() as rb_next() will use data from
binder_dead_nodes, triggering an out-of-bounds access:
==================================================================
BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
Read of size 8 at addr ffffcb84285f7170 by task freeze/660
CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
Hardware name: linux,dummy-virt (DT)
Call trace:
rb_next+0xfc/0x124
binder_add_freeze_work+0x344/0x534
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
The buggy address belongs to the variable:
binder_dead_nodes+0x10/0x40
[...]
==================================================================
This is possible because proc->nodes (rbtree) and binder_dead_nodes
(list) share entries in binder_node through a union:
struct binder_node {
	[...]
	union {
		struct rb_node rb_node;
		struct hlist_node dead_node;
	};
Fix the race by checking that the proc is still alive. If not, simply
break out of the iteration.
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-3-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 011e69a1b23011c0db3af4b8293fdd4522cc97b0)
Change-Id: I5ec9d49277a23b864862665b52213460750c535e
Signed-off-by: Carlos Llamas <cmllamas@google.com>
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped in
order to acquire the node->lock first (lock nesting order). This can
race with binder_node_release() and trigger a use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff53c04c29dd04 by task freeze/640
CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17
Hardware name: linux,dummy-virt (DT)
Call trace:
_raw_spin_lock+0xe4/0x19c
binder_add_freeze_work+0x148/0x478
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
Allocated by task 637:
__kmalloc_cache_noprof+0x12c/0x27c
binder_new_node+0x50/0x700
binder_transaction+0x35ac/0x6f74
binder_thread_write+0xfb8/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
Freed by task 637:
kfree+0xf0/0x330
binder_thread_read+0x1e88/0x3a68
binder_ioctl+0x16d8/0x25ac
__arm64_sys_ioctl+0x124/0x190
==================================================================
Fix the race by taking a temporary reference on the node before
releasing the proc->inner_lock. This ensures the node remains alive
while in use.
Fixes: d579b04a52 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-2-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit dc8aea47b928cc153b591b3558829ce42f685074)
Change-Id: I47b053532dd4cd3424d35d6f254ca4d00c426411
Signed-off-by: Carlos Llamas <cmllamas@google.com>
1) Check if it is a specific task in trace_android_vh_alloc_oem_binder_struct() and store the flag to t->android_vendor_data1
2) If it is a specific binder task and binder_thread selected, raise the scheduling priority of binder_thread->task in trace_android_vh_binder_proc_transaction_finish().
3) If it is a specific binder task but no binder_thread selected (e.g. pending_async or no free threads), insert t->work to the appropriate position in the list in trace_android_vh_binder_special_task().
4) Some states are cleared in trace_android_vh_binder_transaction_received(). On the other hand, if no thread is selected in binder_proc_transaction() for async binders, the scheduling priority will be boosted here.
5) Restore the scheduling priority when BC_FREE_BUFFER in trace_android_vh_binder_buffer_release().
Bug: 329740751
Bug: 325855598
Change-Id: Iab4939fe4a4881b31961aaa2fef500b51c944743
Signed-off-by: Fuchun Liao <lfc@oppo.com>
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
- To apply vendor's performance tune for blocked binder transaction,
add the hook on the begin/end of transaction.
- ANDROID_VENDOR_DATA added to binder_transaction.
Bug: 319399115
Signed-off-by: JianMin Liu <jian-min.liu@mediatek.com>
Signed-off-by: Guanwun Chen <guan-wun.chen@mediatek.com>
Change-Id: If60870623ce2669200238172737dd8455ac34b02
Steps on the way to 6.12-rc1
Bug: 367265496
Change-Id: I1ece105acb05b97d8cd9299ed0ee6a81a74fd353
Signed-off-by: Matthias Maennich <maennich@google.com>
Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.
Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff47fc91598f04 by task binder-util/743
CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
Hardware name: linux,dummy-virt (DT)
Call trace:
_raw_spin_lock+0xe4/0x19c
binder_free_buf+0x128/0x434
binder_thread_write+0x8a4/0x3260
binder_ioctl+0x18f0/0x258c
[...]
Allocated by task 743:
__kmalloc_cache_noprof+0x110/0x270
binder_new_node+0x50/0x700
binder_transaction+0x413c/0x6da8
binder_thread_write+0x978/0x3260
binder_ioctl+0x18f0/0x258c
[...]
Freed by task 745:
kfree+0xbc/0x208
binder_thread_read+0x1c5c/0x37d4
binder_ioctl+0x16d8/0x258c
[...]
==================================================================
To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.
Fixes: 6d98eb95b4 ("binder: avoid potential data leakage when copying txn")
Cc: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240822182353.2129600-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.
Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff47fc91598f04 by task binder-util/743
CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
Hardware name: linux,dummy-virt (DT)
Call trace:
_raw_spin_lock+0xe4/0x19c
binder_free_buf+0x128/0x434
binder_thread_write+0x8a4/0x3260
binder_ioctl+0x18f0/0x258c
[...]
Allocated by task 743:
__kmalloc_cache_noprof+0x110/0x270
binder_new_node+0x50/0x700
binder_transaction+0x413c/0x6da8
binder_thread_write+0x978/0x3260
binder_ioctl+0x18f0/0x258c
[...]
Freed by task 745:
kfree+0xbc/0x208
binder_thread_read+0x1c5c/0x37d4
binder_ioctl+0x16d8/0x258c
[...]
==================================================================
To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.
Fixes: 6d98eb95b4 ("binder: avoid potential data leakage when copying txn")
Cc: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 352520660
Link: https://lore.kernel.org/all/20240822182353.2129600-1-cmllamas@google.com/
Change-Id: I1b2dd8403b63e5eeb58904558b7b542141c83fc2
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Frozen processes present a significant challenge in binder transactions.
When a process is frozen, it cannot, by design, accept and/or respond to
binder transactions. As a result, the sender needs to adjust its
behavior, such as postponing transactions until the peer process
unfreezes. However, there is currently no way to subscribe to these
state change events, making it impossible to implement frozen-aware
behaviors efficiently.
Introduce a binder API for subscribing to frozen state change events.
This allows programs to react to changes in peer process state,
mitigating issues related to binder transactions sent to frozen
processes.
Implementation details:
For a given binder_ref, the state of frozen notification can be one of
the following:
1. Userspace doesn't want a notification. binder_ref->freeze is null.
2. Userspace wants a notification but none is in flight.
list_empty(&binder_ref->freeze->work.entry) = true
3. A notification is in flight and waiting to be read by userspace.
binder_ref_freeze.sent is false.
4. A notification was read by userspace and kernel is waiting for an ack.
binder_ref_freeze.sent is true.
When a notification is in flight, new state change events are coalesced into
the existing binder_ref_freeze struct. If userspace hasn't picked up the
notification yet, the driver simply rewrites the state. Otherwise, the
notification is flagged as requiring a resend, which will be performed
once userspace acks the original notification that's in flight.
See https://r.android.com/3070045 for how userspace is going to use this
feature.
Signed-off-by: Yu-Ting Tseng <yutingtseng@google.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240709070047.4055369-4-yutingtseng@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
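The four states and the coalescing rule in the commit message above can be exercised in isolation. The following is an added model, not the driver's code: `queued` stands in for the work being on a list (the `list_empty(&binder_ref->freeze->work.entry)` test), while `sent` and `resend` mirror the fields named in the description. The function names and the `struct ref` wrapper are assumptions of this model; the ack corresponds to the binder_freeze_notification_done() step mentioned elsewhere in this log.

```c
#include <stddef.h>

/* Constructed model (not the driver's code) of the per-reference frozen
 * notification: 'queued' replaces the work-list membership test, 'sent' and
 * 'resend' play the role of the like-named binder_ref_freeze fields. */
struct ref_freeze {
	int is_frozen;	/* last observed state of the peer process */
	int queued;	/* notification in flight (on the work list) */
	int sent;	/* userspace has read it; waiting for the ack */
	int resend;	/* state changed after it was read; redeliver after ack */
};

struct ref {
	struct ref_freeze *freeze;	/* NULL: userspace did not subscribe */
};

enum freeze_state {
	FREEZE_NONE,		/* 1. no subscription */
	FREEZE_IDLE,		/* 2. subscribed, nothing in flight */
	FREEZE_PENDING_READ,	/* 3. queued, not yet read by userspace */
	FREEZE_AWAIT_ACK,	/* 4. read, waiting for the ack */
};

enum freeze_state freeze_state_of(const struct ref *r)
{
	if (!r->freeze)
		return FREEZE_NONE;
	if (!r->freeze->queued)
		return FREEZE_IDLE;
	return r->freeze->sent ? FREEZE_AWAIT_ACK : FREEZE_PENDING_READ;
}

/* Peer process froze or unfroze: coalesce into the existing struct. */
void freeze_state_changed(struct ref *r, int frozen)
{
	struct ref_freeze *f = r->freeze;

	if (!f)
		return;
	f->is_frozen = frozen;
	if (!f->queued)
		f->queued = 1;	/* nothing in flight: queue a fresh notification */
	else if (f->sent)
		f->resend = 1;	/* already read: redeliver once it is acked */
	/* else: pending read, rewriting is_frozen is all that is needed */
}

/* Userspace reads the notification; returns the frozen flag or -1 if none. */
int freeze_read(struct ref *r)
{
	struct ref_freeze *f = r->freeze;

	if (!f || !f->queued || f->sent)
		return -1;
	f->sent = 1;
	return f->is_frozen;
}

/* Userspace acks the notification; a flagged resend re-queues it. */
int freeze_ack(struct ref *r)
{
	struct ref_freeze *f = r->freeze;

	if (!f || !f->sent)
		return -1;
	f->sent = 0;
	f->queued = f->resend;
	f->resend = 0;
	return 0;
}

/* Constructed scenario: freeze then unfreeze before the read collapses into
 * one notification; a freeze while awaiting the ack is redelivered after it.
 * Returns 1 when every transition matches the description. */
int run_freeze_scenario(void)
{
	struct ref_freeze f = { 0, 0, 0, 0 };
	struct ref r = { &f };
	int ok = freeze_state_of(&r) == FREEZE_IDLE;

	freeze_state_changed(&r, 1);
	freeze_state_changed(&r, 0);		/* coalesced: rewritten in place */
	ok = ok && freeze_state_of(&r) == FREEZE_PENDING_READ;
	ok = ok && freeze_read(&r) == 0;	/* userspace sees "not frozen" */
	ok = ok && freeze_state_of(&r) == FREEZE_AWAIT_ACK;
	freeze_state_changed(&r, 1);		/* after read: flagged for resend */
	ok = ok && f.resend == 1 && freeze_read(&r) == -1;
	ok = ok && freeze_ack(&r) == 0;
	ok = ok && freeze_state_of(&r) == FREEZE_PENDING_READ;
	ok = ok && freeze_read(&r) == 1 && freeze_ack(&r) == 0;
	return ok && freeze_state_of(&r) == FREEZE_IDLE;
}
```

Note that a subscriber never sees more than one outstanding notification per reference: changes before the read overwrite the value in place, and changes after the read wait for the ack before being delivered again.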
In commit 15d9da3f81 ("binder: use bitmap for faster descriptor
lookup"), it was incorrectly assumed that references to the context
manager node should always get descriptor zero assigned to them.
However, if the context manager dies and a new process takes its place,
then assigning descriptor zero to the new context manager might lead to
collisions, as there could still be references to the older node. This
issue was reported by syzbot with the following trace:
kernel BUG at drivers/android/binder.c:1173!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 447 Comm: binder-util Not tainted 6.10.0-rc6-00348-g31643d84b8c3 #10
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : binder_inc_ref_for_node+0x500/0x544
lr : binder_inc_ref_for_node+0x1e4/0x544
sp : ffff80008112b940
x29: ffff80008112b940 x28: ffff0e0e40310780 x27: 0000000000000000
x26: 0000000000000001 x25: ffff0e0e40310738 x24: ffff0e0e4089ba34
x23: ffff0e0e40310b00 x22: ffff80008112bb50 x21: ffffaf7b8f246970
x20: ffffaf7b8f773f08 x19: ffff0e0e4089b800 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 000000002de4aa60
x14: 0000000000000000 x13: 2de4acf000000000 x12: 0000000000000020
x11: 0000000000000018 x10: 0000000000000020 x9 : ffffaf7b90601000
x8 : ffff0e0e48739140 x7 : 0000000000000000 x6 : 000000000000003f
x5 : ffff0e0e40310b28 x4 : 0000000000000000 x3 : ffff0e0e40310720
x2 : ffff0e0e40310728 x1 : 0000000000000000 x0 : ffff0e0e40310710
Call trace:
binder_inc_ref_for_node+0x500/0x544
binder_transaction+0xf68/0x2620
binder_thread_write+0x5bc/0x139c
binder_ioctl+0xef4/0x10c8
[...]
This patch adds back the previous behavior of assigning the next
non-zero descriptor if references to previous context managers still
exist. It amends both strategies, the newer dbitmap code and also the
legacy slow_desc_lookup_olocked(), by allowing them to start looking
for available descriptors at a given offset.
Fixes: 15d9da3f81 ("binder: use bitmap for faster descriptor lookup")
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+3dae065ca76952a67257@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000c1c0a0061d1e6979@google.com/
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240722150512.4192473-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
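The fix above lets both descriptor lookup strategies start from a given offset so that descriptor zero is only handed out when no references to an earlier context manager remain. The following is an added model, not the driver's dbitmap or slow_desc_lookup_olocked() code: a 64-bit bitmap of in-use descriptors, a search that starts at a caller-chosen offset, and a small allocation policy on top of it. The `old_ctxmgr_refs` flag and the function names are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed model (not the driver's code) of per-process descriptor
 * allocation: bit n set means descriptor n is held by some binder_ref. */
#define NR_DESC 64

struct proc_descs {
	uint64_t bitmap;
	int old_ctxmgr_refs;	/* refs to a previous (dead) context manager remain */
};

/* First clear bit at or above 'start', or -ENOSPC when none is left. */
int find_free_desc_from(uint64_t bitmap, unsigned int start)
{
	unsigned int n;

	for (n = start; n < NR_DESC; n++)
		if (!(bitmap & ((uint64_t)1 << n)))
			return (int)n;
	return -ENOSPC;
}

/* Allocate a descriptor for a new ref. Descriptor 0 is reserved for the
 * context manager, but handed out only while no refs to an older context
 * manager exist; otherwise the search starts at 1, as for ordinary nodes. */
int alloc_desc(struct proc_descs *p, int is_ctxmgr_node)
{
	unsigned int start = 1;
	int desc;

	if (is_ctxmgr_node && !p->old_ctxmgr_refs)
		start = 0;
	desc = find_free_desc_from(p->bitmap, start);
	if (desc >= 0)
		p->bitmap |= (uint64_t)1 << desc;
	return desc;
}

void free_desc(struct proc_descs *p, int desc)
{
	if (desc >= 0 && desc < NR_DESC)
		p->bitmap &= ~((uint64_t)1 << desc);
}

/* Constructed scenario: a fresh process references the context manager. */
int fresh_ctxmgr_desc(void)
{
	struct proc_descs p = { 0, 0 };

	return alloc_desc(&p, 1);	/* 0 */
}

/* Constructed scenario: the old context manager's ref still holds
 * descriptor 0 when a replacement context manager appears. */
int replacement_ctxmgr_desc(void)
{
	struct proc_descs p = { 0, 0 };

	alloc_desc(&p, 1);		/* original context manager -> 0 */
	alloc_desc(&p, 0);		/* an ordinary node -> 1 */
	p.old_ctxmgr_refs = 1;		/* context manager died, its ref lingers */
	return alloc_desc(&p, 1);	/* replacement must not collide -> 2 */
}
```

The search offset is what keeps the two strategies in agreement: whichever lookup is used, the replacement context manager cannot be given a descriptor that a surviving reference to its predecessor still occupies.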