From 9c32e09d98950b7ea8217819b78744ec32657f93 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 20 Sep 2022 19:42:25 +0200
Subject: [PATCH] 5.15-stable patches

added patches:
	binder-remove-inaccurate-mmap_assert_locked.patch
---
 ...remove-inaccurate-mmap_assert_locked.patch | 88 +++++++++++++++++++
 queue-5.15/series                             |  1 +
 2 files changed, 89 insertions(+)
 create mode 100644 queue-5.15/binder-remove-inaccurate-mmap_assert_locked.patch

diff --git a/queue-5.15/binder-remove-inaccurate-mmap_assert_locked.patch b/queue-5.15/binder-remove-inaccurate-mmap_assert_locked.patch
new file mode 100644
index 00000000000..f7d6aeef75a
--- /dev/null
+++ b/queue-5.15/binder-remove-inaccurate-mmap_assert_locked.patch
@@ -0,0 +1,88 @@
+From cmllamas@google.com  Tue Sep 20 19:41:54 2022
+From: Carlos Llamas <cmllamas@google.com>
+Date: Tue, 20 Sep 2022 05:24:43 +0000
+Subject: binder: remove inaccurate mmap_assert_locked()
+To: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Arve Hjønnevåg" <arve@android.com>, "Todd Kjos" <tkjos@android.com>, "Martijn Coenen" <maco@android.com>, "Joel Fernandes" <joel@joelfernandes.org>, "Christian Brauner" <christian@brauner.io>, "Hridya Valsaraju" <hridya@google.com>, "Suren Baghdasaryan" <surenb@google.com>, "Andrew Morton" <akpm@linux-foundation.org>, "Liam Howlett" <liam.howlett@oracle.com>
+Cc: kernel-team@android.com, Carlos Llamas <cmllamas@google.com>, stable@vger.kernel.org, Todd Kjos <tkjos@google.com>
+Message-ID: <20220920052444.2148424-1-cmllamas@google.com>
+
+From: Carlos Llamas <cmllamas@google.com>
+
+Acquiring the mmap_lock during exit_mmap() was only added recently in
+v5.17 by commit 64591e8605d6 ("mm: protect free_pgtables with mmap_lock
+write lock in exit_mmap"). Soon after, asserts for holding this lock
+were added to the binder_alloc_set_vma() callback by the following two
+fix commits in mainline: commit b0cab80ecd54 ("android: binder: fix
+lockdep check on clearing vma") and commit a43cfc87caaf ("android:
+binder: stop saving a pointer to the VMA").
+
+These two fix commits were picked for stable trees including v5.15 were
+unfortunately the mmap_lock is not held during exit_mmap() yet and this
+unmet dependency leads to the following BUG report:
+
+  ------------[ cut here ]------------
+  kernel BUG at include/linux/mmap_lock.h:156!
+  Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+  Modules linked in:
+  CPU: 3 PID: 437 Comm: binder Not tainted 5.15.68 #5
+  Hardware name: linux,dummy-virt (DT)
+  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+  pc : binder_alloc_vma_close+0x6c/0x70
+  lr : binder_alloc_vma_close+0x6c/0x70
+  sp : ffff800008687a70
+  x29: ffff800008687a70 x28: ffff02a7ccf89d00 x27: ffff02a7c92f99e8
+  x26: 000000000000012a x25: ffff02a7c6284740 x24: ffff02a7ccf8a360
+  x23: ffff02a7c92f9980 x22: 1ffff000010d0f6c x21: ffff02a7c92f99e8
+  x20: ffff02a7c92f9980 x19: ffff02a7d16b79a8 x18: 0000ffffe1702d20
+  x17: 3334373239343932 x16: 34206e6163735f74 x15: 78656e5f616d756e
+  x14: 0a30303030303030 x13: 7366666f5f6e6163 x12: ffff60550564a12b
+  x11: 1fffe0550564a12a x10: ffff60550564a12a x9 : dfff800000000000
+  x8 : ffff02a82b250957 x7 : 0000000000000001 x6 : ffff60550564a12a
+  x5 : ffff02a82b250950 x4 : dfff800000000000 x3 : 0000000000000000
+  x2 : 0000000000000000 x1 : ffff02a7ccf89d00 x0 : 0000000000000374
+  Call trace:
+   binder_alloc_vma_close+0x6c/0x70
+   binder_vma_close+0x38/0xf4
+   remove_vma+0x4c/0x94
+   exit_mmap+0x14c/0x2bc
+   __mmput+0x70/0x19c
+   mmput+0x68/0x80
+   do_exit+0x484/0xeb0
+   do_group_exit+0x5c/0x100
+   [...]
+
+This patch removes the inaccurate assert specifically from v5.15 since
+it's the only release with such issue. Note the mmap_lock is technically
+not needed here as the mm->mm_users has dropped to zero at this point.
+More context: https://lore.kernel.org/all/YxpQaio7xm3z9TUw@google.com/.
+
+Fixes: b0cab80ecd54 ("android: binder: fix lockdep check on clearing vma")
+Fixes: a43cfc87caaf ("android: binder: stop saving a pointer to the VMA")
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: <stable@vger.kernel.org> # v5.15
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c |    7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -315,16 +315,9 @@ static inline void binder_alloc_set_vma(
+ {
+ 	unsigned long vm_start = 0;
+ 
+-	/*
+-	 * Allow clearing the vma with holding just the read lock to allow
+-	 * munmapping downgrade of the write lock before freeing and closing the
+-	 * file using binder_alloc_vma_close().
+-	 */
+ 	if (vma) {
+ 		vm_start = vma->vm_start;
+ 		mmap_assert_write_locked(alloc->vma_vm_mm);
+-	} else {
+-		mmap_assert_locked(alloc->vma_vm_mm);
+ 	}
+ 
+ 	alloc->vma_addr = vm_start;
diff --git a/queue-5.15/series b/queue-5.15/series
index 8383dbf67f6..a73ce30f9ad 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -24,3 +24,4 @@ tools-include-uapi-fix-asm-errno.h-for-parisc-and-xtensa.patch
 drm-amdgpu-don-t-enable-ltr-if-not-supported.patch
 drm-amdgpu-move-nbio-ih_doorbell_range-into-ih-code-for-vega.patch
 drm-amdgpu-move-nbio-sdma_doorbell_range-into-sdma-code-for-vega.patch
+binder-remove-inaccurate-mmap_assert_locked.patch
-- 
2.47.3