From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 22 Jan 2024 15:06:19 +0000 (-0800)
Subject: 5.10-stable patches
X-Git-Tag: v4.19.306~106
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ce64d94492dfe58b2f203b80ca2a8e7300134be;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	binder-fix-async-space-check-for-0-sized-buffers.patch
	binder-fix-unused-alloc-free_async_space.patch
---

diff --git a/queue-5.10/binder-fix-async-space-check-for-0-sized-buffers.patch b/queue-5.10/binder-fix-async-space-check-for-0-sized-buffers.patch
new file mode 100644
index 00000000000..c19c6b482c6
--- /dev/null
+++ b/queue-5.10/binder-fix-async-space-check-for-0-sized-buffers.patch
@@ -0,0 +1,44 @@
+From 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:33 +0000
+Subject: binder: fix async space check for 0-sized buffers
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb upstream.
+
+Move the padding of 0-sized buffers to an earlier stage to account for
+this round up during the alloc->free_async_space check.
+
+Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-5-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -415,6 +415,10 @@ static struct binder_buffer *binder_allo
+ 				alloc->pid, extra_buffers_size);
+ 		return ERR_PTR(-EINVAL);
+ 	}
++
++	/* Pad 0-size buffers so they get assigned unique addresses */
++	size = max(size, sizeof(void *));
++
+ 	if (is_async &&
+ 	    alloc->free_async_space < size + sizeof(struct binder_buffer)) {
+ 		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
+@@ -423,9 +427,6 @@ static struct binder_buffer *binder_allo
+ 		return ERR_PTR(-ENOSPC);
+ 	}
+ 
+-	/* Pad 0-size buffers so they get assigned unique addresses */
+-	size = max(size, sizeof(void *));
+-
+ 	while (n) {
+ 		buffer = rb_entry(n, struct binder_buffer, rb_node);
+ 		BUG_ON(!buffer->free);
diff --git a/queue-5.10/binder-fix-unused-alloc-free_async_space.patch b/queue-5.10/binder-fix-unused-alloc-free_async_space.patch
new file mode 100644
index 00000000000..296d9a5d1a3
--- /dev/null
+++ b/queue-5.10/binder-fix-unused-alloc-free_async_space.patch
@@ -0,0 +1,82 @@
+From c6d05e0762ab276102246d24affd1e116a46aa0c Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:34 +0000
+Subject: binder: fix unused alloc->free_async_space
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit c6d05e0762ab276102246d24affd1e116a46aa0c upstream.
+
+Each transaction is associated with a 'struct binder_buffer' that stores
+the metadata about its buffer area. Since commit 74310e06be4d ("android:
+binder: Move buffer out of area shared with user space") this struct is
+no longer embedded within the buffer itself but is instead allocated on
+the heap to prevent userspace access to this driver-exclusive info.
+
+Unfortunately, the space of this struct is still being accounted for in
+the total buffer size calculation, specifically for async transactions.
+This results in an additional 104 bytes added to every async buffer
+request, and this area is never used.
+
+This wasted space can be substantial. If we consider the maximum mmap
+buffer space of SZ_4M, the driver will reserve half of it for async
+transactions, or 0x200000. This area should, in theory, accommodate up
+to 262,144 buffers of the minimum 8-byte size. However, after adding
+the extra 'sizeof(struct binder_buffer)', the total number of buffers
+drops to only 18,724, which is a sad 7.14% of the actual capacity.
+
+This patch fixes the buffer size calculation to enable the utilization
+of the entire async buffer space. This is expected to reduce the number
+of -ENOSPC errors that are seen on the field.
+
+Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-6-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c |   11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -359,8 +359,7 @@ static void debug_low_async_space_locked
+ 			continue;
+ 		if (!buffer->async_transaction)
+ 			continue;
+-		total_alloc_size += binder_alloc_buffer_size(alloc, buffer)
+-			+ sizeof(struct binder_buffer);
++		total_alloc_size += binder_alloc_buffer_size(alloc, buffer);
+ 		num_buffers++;
+ 	}
+ 
+@@ -419,8 +418,7 @@ static struct binder_buffer *binder_allo
+ 	/* Pad 0-size buffers so they get assigned unique addresses */
+ 	size = max(size, sizeof(void *));
+ 
+-	if (is_async &&
+-	    alloc->free_async_space < size + sizeof(struct binder_buffer)) {
++	if (is_async && alloc->free_async_space < size) {
+ 		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
+ 			     "%d: binder_alloc_buf size %zd failed, no async space left\n",
+ 			      alloc->pid, size);
+@@ -527,7 +525,7 @@ static struct binder_buffer *binder_allo
+ 	buffer->extra_buffers_size = extra_buffers_size;
+ 	buffer->pid = pid;
+ 	if (is_async) {
+-		alloc->free_async_space -= size + sizeof(struct binder_buffer);
++		alloc->free_async_space -= size;
+ 		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
+ 			     "%d: binder_alloc_buf size %zd async free %zd\n",
+ 			      alloc->pid, size, alloc->free_async_space);
+@@ -663,8 +661,7 @@ static void binder_free_buf_locked(struc
+ 	BUG_ON(buffer->user_data > alloc->buffer + alloc->buffer_size);
+ 
+ 	if (buffer->async_transaction) {
+-		alloc->free_async_space += buffer_size + sizeof(struct binder_buffer);
+-
++		alloc->free_async_space += buffer_size;
+ 		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
+ 			     "%d: binder_free_buf size %zd async free %zd\n",
+ 			      alloc->pid, size, alloc->free_async_space);
diff --git a/queue-5.10/series b/queue-5.10/series
index a7f8e2727f5..641c443aac0 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -195,3 +195,5 @@ ib-iser-prevent-invalidating-wrong-mr.patch
 of-fix-double-free-in-of_parse_phandle_with_args_map.patch
 of-unittest-fix-of_count_phandle_with_args-expected-.patch
 keys-dns-fix-size-check-of-v1-server-list-header.patch
+binder-fix-async-space-check-for-0-sized-buffers.patch
+binder-fix-unused-alloc-free_async_space.patch