From 63780a70979300027c00b213b07dc5aca22654cb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 22 Jan 2024 07:06:42 -0800
Subject: [PATCH] 5.15-stable patches

added patches:
	binder-fix-async-space-check-for-0-sized-buffers.patch
	binder-fix-unused-alloc-free_async_space.patch
---
 ...sync-space-check-for-0-sized-buffers.patch | 44 ++++++++++
 ...er-fix-unused-alloc-free_async_space.patch | 82 +++++++++++++++++++
 queue-5.15/series                             |  2 +
 3 files changed, 128 insertions(+)
 create mode 100644 queue-5.15/binder-fix-async-space-check-for-0-sized-buffers.patch
 create mode 100644 queue-5.15/binder-fix-unused-alloc-free_async_space.patch

diff --git a/queue-5.15/binder-fix-async-space-check-for-0-sized-buffers.patch b/queue-5.15/binder-fix-async-space-check-for-0-sized-buffers.patch
new file mode 100644
index 00000000000..4c1db2364a2
--- /dev/null
+++ b/queue-5.15/binder-fix-async-space-check-for-0-sized-buffers.patch
@@ -0,0 +1,44 @@
+From 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:33 +0000
+Subject: binder: fix async space check for 0-sized buffers
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb upstream.
+
+Move the padding of 0-sized buffers to an earlier stage to account for
+this round up during the alloc->free_async_space check.
+
+Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-5-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -407,6 +407,10 @@ static struct binder_buffer *binder_allo
+ 				alloc->pid, extra_buffers_size);
+ 		return ERR_PTR(-EINVAL);
+ 	}
++
++	/* Pad 0-size buffers so they get assigned unique addresses */
++	size = max(size, sizeof(void *));
++
+ 	if (is_async &&
+ 	    alloc->free_async_space < size + sizeof(struct binder_buffer)) {
+ 		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
+@@ -415,9 +419,6 @@ static struct binder_buffer *binder_allo
+ 		return ERR_PTR(-ENOSPC);
+ 	}
+ 
+-	/* Pad 0-size buffers so they get assigned unique addresses */
+-	size = max(size, sizeof(void *));
+-
+ 	while (n) {
+ 		buffer = rb_entry(n, struct binder_buffer, rb_node);
+ 		BUG_ON(!buffer->free);
diff --git a/queue-5.15/binder-fix-unused-alloc-free_async_space.patch b/queue-5.15/binder-fix-unused-alloc-free_async_space.patch
new file mode 100644
index 00000000000..e6dcba6eade
--- /dev/null
+++ b/queue-5.15/binder-fix-unused-alloc-free_async_space.patch
@@ -0,0 +1,82 @@
+From c6d05e0762ab276102246d24affd1e116a46aa0c Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:34 +0000
+Subject: binder: fix unused alloc->free_async_space
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit c6d05e0762ab276102246d24affd1e116a46aa0c upstream.
+
+Each transaction is associated with a 'struct binder_buffer' that stores
+the metadata about its buffer area. Since commit 74310e06be4d ("android:
+binder: Move buffer out of area shared with user space") this struct is
+no longer embedded within the buffer itself but is instead allocated on
+the heap to prevent userspace access to this driver-exclusive info.
+
+Unfortunately, the space of this struct is still being accounted for in
+the total buffer size calculation, specifically for async transactions.
+This results in an additional 104 bytes added to every async buffer
+request, and this area is never used.
+
+This wasted space can be substantial. If we consider the maximum mmap
+buffer space of SZ_4M, the driver will reserve half of it for async
+transactions, or 0x200000. This area should, in theory, accommodate up
+to 262,144 buffers of the minimum 8-byte size. However, after adding
+the extra 'sizeof(struct binder_buffer)', the total number of buffers
+drops to only 18,724, which is a sad 7.14% of the actual capacity.
+
+This patch fixes the buffer size calculation to enable the utilization
+of the entire async buffer space. This is expected to reduce the number
+of -ENOSPC errors that are seen on the field.
+
+Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-6-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c |   11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -344,8 +344,7 @@ static bool debug_low_async_space_locked
+ 			continue;
+ 		if (!buffer->async_transaction)
+ 			continue;
+-		total_alloc_size += binder_alloc_buffer_size(alloc, buffer)
+-			+ sizeof(struct binder_buffer);
++		total_alloc_size += binder_alloc_buffer_size(alloc, buffer);
+ 		num_buffers++;
+ 	}
+ 
+@@ -411,8 +410,7 @@ static struct binder_buffer *binder_allo
+ 	/* Pad 0-size buffers so they get assigned unique addresses */
+ 	size = max(size, sizeof(void *));
+ 
+-	if (is_async &&
+-	    alloc->free_async_space < size + sizeof(struct binder_buffer)) {
++	if (is_async && alloc->free_async_space < size) {
+ 		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
+ 			     "%d: binder_alloc_buf size %zd failed, no async space left\n",
+ 			      alloc->pid, size);
+@@ -520,7 +518,7 @@ static struct binder_buffer *binder_allo
+ 	buffer->pid = pid;
+ 	buffer->oneway_spam_suspect = false;
+ 	if (is_async) {
+-		alloc->free_async_space -= size + sizeof(struct binder_buffer);
++		alloc->free_async_space -= size;
+ 		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
+ 			     "%d: binder_alloc_buf size %zd async free %zd\n",
+ 			      alloc->pid, size, alloc->free_async_space);
+@@ -658,8 +656,7 @@ static void binder_free_buf_locked(struc
+ 	BUG_ON(buffer->user_data > alloc->buffer + alloc->buffer_size);
+ 
+ 	if (buffer->async_transaction) {
+-		alloc->free_async_space += buffer_size + sizeof(struct binder_buffer);
+-
++		alloc->free_async_space += buffer_size;
+ 		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
+ 			     "%d: binder_free_buf size %zd async free %zd\n",
+ 			      alloc->pid, size, alloc->free_async_space);
diff --git a/queue-5.15/series b/queue-5.15/series
index 29a7f266fc1..4f099238e0c 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -240,3 +240,5 @@ of-fix-double-free-in-of_parse_phandle_with_args_map.patch
 of-unittest-fix-of_count_phandle_with_args-expected-.patch
 selftests-bpf-add-assert-for-user-stacks-in-test_task_stack.patch
 keys-dns-fix-size-check-of-v1-server-list-header.patch
+binder-fix-async-space-check-for-0-sized-buffers.patch
+binder-fix-unused-alloc-free_async_space.patch
-- 
2.47.3