From: Carlos Llamas <cmllamas@google.com>
To: Liam Howlett <liam.howlett@oracle.com>
Cc: "linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
syzbot <syzbot+a7b60a176ec13cafb793@syzkaller.appspotmail.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Ondrej Mosnacek" <omosnace@redhat.com>,
"syzkaller-bugs@googlegroups.com"
<syzkaller-bugs@googlegroups.com>,
"Minchan Kim" <minchan@kernel.org>,
"Christian Brauner" <brauner@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Hridya Valsaraju" <hridya@google.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Martijn Coenen" <maco@android.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Todd Kjos" <tkjos@android.com>,
"Matthew Wilcox" <willy@infradead.org>,
"Arve Hjønnevåg" <arve@android.com>
Subject: Re: [PATCH] binder_alloc: Add missing mmap_lock calls when using the VMA
Date: Tue, 9 Aug 2022 18:49:07 +0000 [thread overview]
Message-ID: <YvKsI5pMbgQ5Irup@google.com> (raw)
In-Reply-To: <20220809160618.1052539-1-Liam.Howlett@oracle.com>
On Tue, Aug 09, 2022 at 04:06:31PM +0000, Liam Howlett wrote:
> Take the mmap_read_lock() when using the VMA in
> binder_alloc_print_pages() and when checking for a VMA in
> binder_alloc_new_buf_locked().
>
> It is worth noting binder_alloc_new_buf_locked() drops the VMA read lock
> after it verifies a VMA exists, but may be taken again deeper in the
> call stack, if necessary.
>
> Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
> Reported-by: syzbot+a7b60a176ec13cafb793@syzkaller.appspotmail.com
> Fixes: a43cfc87caaf (android: binder: stop saving a pointer to the VMA)
> Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
> ---
> drivers/android/binder_alloc.c | 29 +++++++++++++++++++----------
> 1 file changed, 19 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
> index f555eebceef6..c23cad7fe313 100644
> --- a/drivers/android/binder_alloc.c
> +++ b/drivers/android/binder_alloc.c
> @@ -395,12 +395,15 @@ static struct binder_buffer *binder_alloc_new_buf_locked(
> size_t size, data_offsets_size;
> int ret;
>
> + mmap_read_lock(alloc->vma_vm_mm);
> if (!binder_alloc_get_vma(alloc)) {
> + mmap_read_unlock(alloc->vma_vm_mm);
> binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
> "%d: binder_alloc_buf, no vma\n",
> alloc->pid);
> return ERR_PTR(-ESRCH);
> }
> + mmap_read_unlock(alloc->vma_vm_mm);
>
> data_offsets_size = ALIGN(data_size, sizeof(void *)) +
> ALIGN(offsets_size, sizeof(void *));
> @@ -922,17 +925,23 @@ void binder_alloc_print_pages(struct seq_file *m,
> * Make sure the binder_alloc is fully initialized, otherwise we might
> * read inconsistent state.
> */
> - if (binder_alloc_get_vma(alloc) != NULL) {
> - for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
> - page = &alloc->pages[i];
> - if (!page->page_ptr)
> - free++;
> - else if (list_empty(&page->lru))
> - active++;
> - else
> - lru++;
> - }
> +
> + mmap_read_lock(alloc->vma_vm_mm);
> + if (binder_alloc_get_vma(alloc) == NULL)
> + goto uninitialized;
> +
> + for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
do we need to hold on to the lock while we loop through the pages here?
> + page = &alloc->pages[i];
> + if (!page->page_ptr)
> + free++;
> + else if (list_empty(&page->lru))
> + active++;
> + else
> + lru++;
> }
> +
> +uninitialized:
> + mmap_read_unlock(alloc->vma_vm_mm);
> mutex_unlock(&alloc->mutex);
> seq_printf(m, " pages: %d:%d:%d\n", active, lru, free);
> seq_printf(m, " pages high watermark: %zu\n", alloc->pages_high);
> --
> 2.35.1
next prev parent reply other threads:[~2022-08-09 18:49 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-09 16:06 [PATCH] binder_alloc: Add missing mmap_lock calls when using the VMA Liam Howlett
2022-08-09 18:49 ` Carlos Llamas [this message]
2022-08-09 19:02 ` Liam Howlett
2022-08-09 21:01 ` Carlos Llamas
2022-08-10 1:30 ` Andrew Morton
2022-08-10 2:04 ` Liam Howlett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YvKsI5pMbgQ5Irup@google.com \
--to=cmllamas@google.com \
--cc=akpm@linux-foundation.org \
--cc=arve@android.com \
--cc=brauner@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=hridya@google.com \
--cc=joel@joelfernandes.org \
--cc=liam.howlett@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maco@android.com \
--cc=minchan@kernel.org \
--cc=omosnace@redhat.com \
--cc=surenb@google.com \
--cc=syzbot+a7b60a176ec13cafb793@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tkjos@android.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.