[ Upstream commit 3aa1e96a2b ]
A BE connected to more than one FE, e.g. in a mixer case, can go
through the following transitions.
play FE1 -> BE state is START
pause FE1 -> BE state is PAUSED
play FE2 -> BE state is START
stop FE2 -> BE state is STOP (see note [1] below)
release FE1 -> BE state is START
stop FE1 -> BE state is STOP

play FE1 -> BE state is START
pause FE1 -> BE state is PAUSED
play FE2 -> BE state is START
release FE1 -> BE state is START
stop FE2 -> BE state is START
stop FE1 -> BE state is STOP

play FE1 -> BE state is START
play FE2 -> BE state is START (no change)
pause FE1 -> BE state is START (no change)
pause FE2 -> BE state is PAUSED
release FE1 -> BE state is START
release FE2 -> BE state is START (no change)
stop FE1 -> BE state is START (no change)
stop FE2 -> BE state is STOP
The existing code for PAUSE_RELEASE only allows for the case where the
BE is paused, which clearly would not work in the sequences above.
Extend the allowed states to restart the BE when PAUSE_RELEASE is
received, and increase the refcount if the BE is already in START.
[1] The existing logic does not move the BE state back to PAUSED when
FE2 is stopped. This patch does not change the logic; it would be
painful to keep a history of changes on the FE side, and the state machine
is already rather complicated with transitions based on the last BE
state and the trigger type.
Reported-by: Bard Liao <bard.liao@intel.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://lore.kernel.org/r/20211207173745.15850-7-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Fixes: aa9ff6a495 ("ASoC: soc-compress: Reposition and add pcm_mutex")
Signed-off-by: Yixuan Jiang <yixuanjiang@google.com>
Cc: stable@vger.kernel.org # 5.15+
Bug: 277241308
Link: https://lore.kernel.org/all/20230511120841.2096524-7-yixuanjiang@google.com
Change-Id: I2b5af9448df27082b75365c45357235d2887f33c
Signed-off-by: Yixuan Jiang <yixuanjiang@google.com>
This is a partial revert of commit 085255b984 in order to fix booting
this kernel on devices that don't support FEAT_FGT due to direct
accesses of HFGWTR_EL2 being UNDEFINED. We are retaining the KMI part of
the commit until the next KMI breakage window.
Bug: 282917063
Change-Id: I6c156ef40a5584dc41e4d9d09c80736e30348802
Signed-off-by: Will McVicker <willmcvicker@google.com>
When a broken USB accessory connects to a USB host, usbcore might
keep doing enumeration retries. If the host has a watchdog mechanism,
a kernel panic will happen on the host.
This patch provides an attribute early_stop to limit the number of retries
for each port of a hub. If a port was marked with the early_stop attribute,
unsuccessful connection attempts will fail quickly. In addition, if an
early_stop port has failed to initialize, it will ignore all future
connection events until the early_stop attribute is cleared.
Signed-off-by: Ray Chi <raychi@google.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20221107072754.3336357-1-raychi@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 282876796
Change-Id: I48eff1dbbc341ef893c8abc20953b7e9a62244da
(cherry picked from commit 430d57f53e)
Signed-off-by: Ray Chi <raychi@google.com>
commit c1592a8994 upstream.
Toggle deleted anonymous sets as inactive in the next generation, so
users cannot perform any update on it. Clear the generation bitmask
in case the transaction is aborted.
The following KASAN splat shows a set element deletion for a bound
anonymous set that has been already removed in the same transaction.
[ 64.921510] ==================================================================
[ 64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables]
[ 64.924745] Write of size 8 at addr dead000000000122 by task test/890
[ 64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ #253
[ 64.931120] Call Trace:
[ 64.932699] <TASK>
[ 64.934292] dump_stack_lvl+0x33/0x50
[ 64.935908] ? nf_tables_commit+0xa24/0x1490 [nf_tables]
[ 64.937551] kasan_report+0xda/0x120
[ 64.939186] ? nf_tables_commit+0xa24/0x1490 [nf_tables]
[ 64.940814] nf_tables_commit+0xa24/0x1490 [nf_tables]
[ 64.942452] ? __kasan_slab_alloc+0x2d/0x60
[ 64.944070] ? nf_tables_setelem_notify+0x190/0x190 [nf_tables]
[ 64.945710] ? kasan_set_track+0x21/0x30
[ 64.947323] nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink]
[ 64.948898] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
Bug: 282877000
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I536b7fbec55a5b37a57546023891a3dcfeb2c24b
This change ensures that if configured in the policy, the if_id set in
the policy and secpath states match during the inbound policy check.
Without this, there is potential for ambiguity where entries in the
secpath differing by only the if_id could be mismatched.
Notably, this is checked in the outbound direction when resolving
templates to SAs, but not on the inbound path when matching SAs and
policies.
Test: Tested against Android kernel unit tests & CTS
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Bug: 279217934
(cherry picked from commit 8680407b6f https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master)
Change-Id: Ibb97561eaf1a99b7ad239d4d4860bfe5b0ac20ea
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Since we do not enforce symbol lists to be generated using
the ABI tooling, it is possible to have symbol list
updates with CRLF characters at the end of a line, and leading
and trailing white spaces, based on how they are manually
edited. The header generation script fails in this case when
it parses these symbols with CRLF, or the sorting order may not
be correct for symbols with trailing white spaces.
Update the preprocessing of the symbol list to remove any
carriage returns and strip any leading and trailing white spaces,
in addition to the other preprocessing.
Bug: 280837072
Test: TH, manual verification
Change-Id: I4b832c28b42f196056c38fc3e2ccd517a03e13fa
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
(cherry picked from commit 6b893a535cfa8a5e9a6cd792e0437fe66cb2296b)
As part of the host deprivilege process, memory regions advertised in
the "pkvm,protected-region" devicetree nodes are unmapped from the
host stage-2 page-table and annotated specially so that the memory can
be used exclusively by hypervisor modules.
Since the state of this memory in the host stage-2 may not be in the
"owned" state (for example, if it corresponds to a "no-map" region),
remove the initial check of the page state and allow unmapping of any
pages from the trusted host.
Bug: 280380533
Cc: Quentin Perret <qperret@google.com>
Fixes: e8cf4c06e1 ("ANDROID: KVM: arm64: Move addr_is_allowed_memory() check into host callback")
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: Ic28a2557d6d515b356645228fd41d3c921826489
Add ramjiyani@ as per-file owner for list of protected
modules for all current & future architectures.
android/gki_*_protected_modules
Bug: 151893768
Test: TH
Change-Id: I0048c99a28cfe24e1ba7c7d6189fd8c7dfdf6f0d
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Changes in 5.15.110
PCI/ASPM: Remove pcie_aspm_pm_state_change()
selftests/kselftest/runner/run_one(): allow running non-executable files
KVM: arm64: Retry fault if vma_lookup() results become invalid
KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
bluetooth: Perform careful capability checks in hci_sock_ioctl()
USB: serial: option: add UNISOC vendor and TOZED LT70C product
driver core: Don't require dynamic_debug for initcall_debug probe timing
selftests: mptcp: join: fix "invalid address, ADD_ADDR timeout"
riscv: Move early dtb mapping into the fixmap region
riscv: Do not set initial_boot_params to the linear address of the dtb
riscv: No need to relocate the dtb as it lies in the fixmap region
Linux 5.15.110
Change-Id: I1a4dab8ca13c176a9eda494532a8134a7ed15883
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
pKVM modules may need to enable fine grain traps. To allow this
use-case, expose a function allowing to manipulate HFGWTR_EL2 on the
current CPU. This configuration will be persistent across power
management cycles and such, as it is propagated all the way to the
init params per-cpu struct.
Bug: 245034629
Change-Id: If9c29849df50847d3a796345927bd51c37c358bc
Signed-off-by: Quentin Perret <qperret@google.com>
pKVM modules may need to enable additional traps on top of what pKVM
already enables. To allow this use-case, expose a function allowing to
manipulate HCR_EL2 on the current CPU. This configuration will be
persistent across power management cycles and such, as it is propagated
all the way to the init params per-cpu struct.
Bug: 245034629
Change-Id: I21d596bd1d01f4edc48a188cc3c2eb78dc9a4444
Signed-off-by: Quentin Perret <qperret@google.com>
Converting cfg80211.ko & mac80211.ko to vendor modules
made some symbols cited in the symbol lists for partners
no longer available in ksymtab, as these features
are disabled in the gki_defconfig to convert them to vendor
modules.
Manually trimmed the symbol lists for builds to succeed.
Bug: 281137343
Test: TH
Change-Id: Ieb60c12ddb4f2b89aa387df2d69c31f8cfee54d8
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Convert cfg80211.ko and mac80211.ko as vendor modules to
pave a way for merging 802.11be Wi-Fi 7 functionalities
from upstream over the next year without affecting the KMI.
Bug: 281137343
Test: TH
Change-Id: Id1823924a3e5d8d03518599e6b3209e9cdd771d5
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
If an important task is going to sleep through do_futex(),
find out its futex owner by the pid that comes from userspace,
and boost the owner by some means to shorten the sleep time.
How to boost? Depends on these hooks:
commit 53e8099784 ("ANDROID: vendor_hooks: Add hooks for scheduler")
Bug: 243110112
Signed-off-by: xieliujie <xieliujie@oppo.com>
Change-Id: I9a315cfb414fd34e0ef7a2cf9d57df50d4dd984f
(cherry picked from commit 548da5d23d)
This patch series adds a memory.reclaim proactive reclaim interface.
The rationale behind the interface and how it works are in the first
patch.
This patch (of 4):
Introduce a memcg interface to trigger memory reclaim on a memory cgroup.
Use case: Proactive Reclaim
---------------------------
A userspace proactive reclaimer can continuously probe the memcg to
reclaim a small amount of memory. This gives more accurate and up-to-date
workingset estimation as the LRUs are continuously sorted and can
potentially provide more deterministic memory overcommit behavior. The
memory overcommit controller can provide more proactive response to the
changing behavior of the running applications instead of being reactive.
A userspace reclaimer's purpose in this case is not a complete replacement
for kswapd or direct reclaim, it is to proactively identify memory savings
opportunities and reclaim some amount of cold pages set by the policy to
free up the memory for more demanding jobs or scheduling new jobs.
A user space proactive reclaimer is used in Google data centers.
Additionally, Meta's TMO paper recently referenced a very similar
interface used for user space proactive reclaim:
https://dl.acm.org/doi/pdf/10.1145/3503222.3507731
Benefits of a user space reclaimer:
-----------------------------------
1) More flexible on who should be charged for the cpu of the memory
reclaim. For proactive reclaim, it makes more sense to be centralized.
2) More flexible on dedicating the resources (like cpu). The memory
overcommit controller can balance the cost between the cpu usage and
the memory reclaimed.
3) Provides a way for the applications to keep their LRUs sorted, so,
under memory pressure, better reclaim candidates are selected. This
also gives a more accurate and up-to-date notion of working set for an
application.
Why is memory.high not enough?
------------------------------
- memory.high can be used to trigger reclaim in a memcg and can
potentially be used for proactive reclaim. However there is a big
downside in using memory.high. It can potentially introduce high
reclaim stalls in the target application as the allocations from the
processes or the threads of the application can hit the temporary
memory.high limit.
- Userspace proactive reclaimers usually use feedback loops to decide
how much memory to proactively reclaim from a workload. The metrics
used for this are usually either refaults or PSI, and these metrics will
become messy if the application gets throttled by hitting the high
limit.
- memory.high is a stateful interface, if the userspace proactive
reclaimer crashes for any reason while triggering reclaim it can leave
the application in a bad state.
- If a workload is rapidly expanding, setting memory.high to proactively
reclaim memory can result in actually reclaiming more memory than
intended.
The benefits of such an interface and the shortcomings of the existing
interface were further discussed in this RFC thread:
https://lore.kernel.org/linux-mm/5df21376-7dd1-bf81-8414-32a73cea45dd@google.com/
Interface:
----------
Introducing a very simple memcg interface 'echo 10M > memory.reclaim' to
trigger reclaim in the target memory cgroup.
The interface is introduced as a nested-keyed file to allow for future
optional arguments to be easily added to configure the behavior of
reclaim.
Possible Extensions:
--------------------
- This interface can be extended with an additional parameter or flags
to allow specifying one or more types of memory to reclaim from (e.g.
file, anon, ..).
- The interface can also be extended with a node mask to reclaim from
specific nodes. This has use cases for reclaim-based demotion in memory
tiering systems.
- A similar per-node interface can also be added to support proactive
reclaim and reclaim-based demotion in systems without memcg.
- Add a timeout parameter to make it easier for user space to call the
interface without worrying about being blocked for an undefined amount
of time.
For now, let's keep things simple by adding the basic functionality.
[yosryahmed@google.com: worked on versions v2 onwards, refreshed to
current master, updated commit message based on recent
discussions and use cases]
Link: https://lkml.kernel.org/r/20220425190040.2475377-1-yosryahmed@google.com
Link: https://lkml.kernel.org/r/20220425190040.2475377-2-yosryahmed@google.com
Change-Id: Idaaac964dd5169376fcceca35f0676f847069bce
Signed-off-by: Shakeel Butt <shakeelb@google.com>
Co-developed-by: Yosry Ahmed <yosryahmed@google.com>
Signed-off-by: Yosry Ahmed <yosryahmed@google.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Wei Xu <weixugc@google.com>
Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Zefan Li <lizefan.x@bytedance.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Yu Zhao <yuzhao@google.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Chen Wandun <chenwandun@huawei.com>
Cc: Vaibhav Jain <vaibhav@linux.ibm.com>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 94968384dd)
Bug: 280056627
Signed-off-by: T.J. Mercier <tjmercier@google.com>
This reverts commit 937164e07b8e56fa2e34bf05ee956ac4fe6a6b47.
It was preserving the ABI, but that is not needed anymore at this point
in time.
Change-Id: Ie7aaed3a99ce91258f7eae8683ea27b4d807b7b4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit be0a0feb8e627f2f2f5324c65e5f91f921d4c1b8.
It was preserving the ABI, but that is not needed anymore at this point
in time.
Change-Id: I8913de3e6e83876a2b2ed4460c935c3adb2a0721
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 16ed1a1dc35911c07b5978781cc4dd54d86a73b1.
It was preserving the ABI, but that is not needed anymore at this point
in time.
Change-Id: If9b195f46c800a362857e91a349ed3aad4606030
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 4c150ff0cc193b3b1fc6f0f68a4d79f9aac4f338.
It was preserving the ABI, but that is not needed anymore at this point
in time.
Change-Id: Ibae2a63d0d9287f4cbcae1e34b467bdf5c82576b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit fcaf5d8a67.
It was preserving the ABI, but that is not needed anymore at this point
in time.
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I97c5ce73a4a6b6bcfc009547bb557141d21d4dd4
The pKVM hypervisor uses the module_ops struct as a way to expose
services to loadable modules. It doesn't however allow fine-grained
definition of the license for each export, and doesn't have a way to
check the license of the loaded module (yet). As such, the assumption
is that said module is proprietary, and must NOT be allowed to use GPL
symbols.
Even though symbols such as __pkvm_load_el2_module are currently
exported as GPL, these exports only apply to the kernel part of the
module, which is usually only a proxy to load the hyp module, which
may be built separately.
Given the lack of license enforcement at load time, let's seek GPL
compliance by preventing the accidental export of GPL symbols to hyp
modules via pKVM's module_ops struct. To do so, add a build time check
for the absence of such symbols from the KVM nvhe code entirely.
In the future (Android 15+ and upstream), we should consider expanding
the pKVM module loader to allow finer grained licensing of exports.
This would allow exposing internal pKVM functions as GPL only for e.g.
selftests and such w/o risking exports to proprietary modules.
Bug: 263340138
Bug: 267430896
Change-Id: I09b81bfe322c0d2746c0349c5f217a5a76b6e33d
Signed-off-by: Quentin Perret <qperret@google.com>
... so it can be read by Bazel @kernel_toolchain_info
later.
Test: TH
Bug: 272164611
Change-Id: I04648f8fb28537544287797673810946dedb58f3
Signed-off-by: Yifan Hong <elsk@google.com>
In one of the SMMU faults (NULL pointer dereference) the following
race condition was observed: func->interfaces_nums was being
accessed for the f_fs interface after it was unbound, resulting in a
crash.
Thread-1:
ffs_func_req_match+0x68/0xc8
android_setup+0x164/0x2a8
dwc3_ep0_inspect_setup+0x100/0x440
dwc3_ep0_interrupt+0xac/0x300
dwc3_process_event_entry+0x80/0x724
dwc3_process_event_buf+0x80/0x434
dwc3_thread_interrupt+0x60/0x124
irq_thread_fn+0x54/0xe4
irq_thread+0x3a4/0x6ec
kthread+0x188/0x1ec
ret_from_fork+0x10/0x20
Thread-2:
drain_workqueue+0xac
gsi_unbind[usb_f_gsi]+0x64
purge_configs_funcs+0xb4
configfs_composite_unbind+0xac
usb_gadget_remove_driver+0xac
usb_gadget_unregister_driver+0xd8
gadget_dev_desc_UDC_store+0x114
The events, in the order they happened, are as follows:
We got a setup packet for the ffs interface and it was passed to the android
setup callback from ep0.c. As part of the delegate request, the
dwc->lock is released.
At this instant a composition switch occurred and as per traces
and crash dumps:
1. UDC Stop was done successfully. So run stop is set to '0'
2. Composite disconnect was done and ep disable for all ep's is done
gadget->connected = FALSE
3. Async callbacks disabled
dwc->async_callbacks = FALSE
4. composite unbind is going on and the ffs interface in question is
unbound
udc->driver != NULL
(as per crash dump indicating that unbind is in progress)
5. Purge configs was ongoing because as per crash dumps:
otg_desc[0] = NULL;
cdev->os_desc_req->buf is not NULL
(configfs_composite_unbind is going on, but composite_dev_cleanup
not yet done)
As per the traces:
23.794712: dwc3_event event=49216 ep0state=1 str=
23.794909: dwc3_ctrl_req bRequestType=161 bRequest=1 wValue=0 wIndex=2 wLength=4096
23.799740: usb_gadget_disconnect speed=5 max_speed=6 state=7 mA=0 deactivated=0 connected=0 ret=0
This indicated that android setup came first followed by composite
disconnect. Since the dwc->lock was released by delegate_request,
soft disconnect gets unblocked and runs parallel to composite setup.
After this, there is no check in path of composite setup
indicating unbind happened and bail out is necessary instead of
executing any function ops.
Protect composite_setup (as part of android_setup) in a spinlock
to block composite_disconnect/unbind running in parallel.
Moreover, in the configfs counterpart of android_setup
(configfs_composite_setup), the composite_setup call is done with the
spinlock held.
It is only android_setup that is missing this lock.
Bug: 280548269
Fixes: 7a160e2b96 ("ANDROID: usb: gadget: configfs: Add Uevent to notify userspace")
Change-Id: Id245e9f72801541689fcb185ba0459824bfb3904
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
(cherry picked from commit 9ad803f257a8eb50a52c19a4cf33690cf1b85575)
cfg80211 & mac80211 are being converted to vendor modules.
To be consistent for both arm64 & x86_64, move them
from protected to unprotected, so they can be converted
to vendor modules for x86_64 as well.
This also helps keep things simpler for virtual_device,
so it doesn't have to maintain a separate list for these
architectures w.r.t. these modules.
Bug: 281137343
Test: TH
Change-Id: Ica028593f30528c361a6ab30da8cb5be5187d067
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Add ramjiyani@ as per-file owner for:
android/abi_gki_protected_exports_*
android/gki_aarch64_protected_modules
android/gki_x86_64_protected_modules
Update required because the addition of multi-arch support
renamed these files with the arch name in them.
Bug: 151893768
Test: TH
Change-Id: Ice5c054f90b3fc4f91bfe73f680082dc129c0310
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit 44d8047f1d ("binder: use standard functions to allocate fds"),
to release all the objects in the buffer when 'failed_at' is zero.
This introduced an issue when a transaction buffer is released without
any objects having been processed so far. In this case, 'failed_at' is
indeed zero yet it is misinterpreted as releasing the entire buffer.
This leads to use-after-free errors where nodes are incorrectly freed
and subsequently accessed. Such is the case in the following KASAN
report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30
Read of size 8 at addr ffff4faf037cfc58 by task poc/474
CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x48/0x60
print_report+0xf8/0x5b8
kasan_report+0xb8/0xfc
__asan_load8+0x9c/0xb8
binder_thread_read+0xc40/0x1f30
binder_ioctl+0xd9c/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
Allocated by task 474:
kasan_save_stack+0x3c/0x64
kasan_set_track+0x2c/0x40
kasan_save_alloc_info+0x24/0x34
__kasan_kmalloc+0xb8/0xbc
kmalloc_trace+0x48/0x5c
binder_new_node+0x3c/0x3a4
binder_transaction+0x2b58/0x36f0
binder_thread_write+0x8e0/0x1b78
binder_ioctl+0x14a0/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
Freed by task 475:
kasan_save_stack+0x3c/0x64
kasan_set_track+0x2c/0x40
kasan_save_free_info+0x38/0x5c
__kasan_slab_free+0xe8/0x154
__kmem_cache_free+0x128/0x2bc
kfree+0x58/0x70
binder_dec_node_tmpref+0x178/0x1fc
binder_transaction_buffer_release+0x430/0x628
binder_transaction+0x1954/0x36f0
binder_thread_write+0x8e0/0x1b78
binder_ioctl+0x14a0/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
==================================================================
In order to avoid these issues, let's always calculate the intended
'failed_at' offset beforehand. This is renamed and wrapped in a helper
function to make it clear and convenient.
Fixes: 32e9f56a96 ("binder: don't detect sender/target during buffer cleanup")
Reported-by: Zi Fan Tan <zifantan@google.com>
Link: https://b.corp.google.com/issues/275041864
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 275041864
Link: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com
Change-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1
Signed-off-by: Carlos Llamas <cmllamas@google.com>
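The 'failed_at' ambiguity described in the binder commit above, as an added model constructed here (not binder code; the node, buffer and refcount types are simplified stand-ins): a release routine that overloads a zero offset to mean "release everything" drops references that were never taken when no objects had been processed yet, while a caller-computed explicit count does not.

```c
/* Constructed model of the "failed_at == 0" ambiguity; not binder code. */
#include <stddef.h>
#include <stdbool.h>

#define MAX_OBJS 4

struct node { int tmpref; };                 /* temporary reference count */
struct txn_buffer {
	struct node *objs[MAX_OBJS];         /* objects referenced by the buffer */
	size_t num_objs;                     /* objects present in the buffer */
};

/* "Processing" an object takes a temporary reference on its node. */
static void process_object(struct txn_buffer *b, size_t i)
{
	b->objs[i]->tmpref++;
}

static void dec_node_tmpref(struct node *n)
{
	/* Dropping below zero releases a reference that was never taken:
	 * the model's stand-in for the use-after-free in the report. */
	n->tmpref--;
}

/* Buggy variant: failed_at == 0 is overloaded to mean "release all objects".
 * When zero objects were processed the caller also passes 0, so the whole
 * buffer is released even though no references were taken. */
static void release_buggy(struct txn_buffer *b, size_t failed_at)
{
	size_t count = failed_at ? failed_at : b->num_objs;
	for (size_t i = 0; i < count; i++)
		dec_node_tmpref(b->objs[i]);
}

/* Fixed variant: the caller always computes the number of objects to release
 * beforehand, so 0 means "nothing" and num_objs means "everything". */
static void release_fixed(struct txn_buffer *b, size_t num_to_release)
{
	for (size_t i = 0; i < num_to_release; i++)
		dec_node_tmpref(b->objs[i]);
}

/* True when no node has been released more often than it was referenced. */
static bool refs_balanced(const struct txn_buffer *b)
{
	for (size_t i = 0; i < b->num_objs; i++)
		if (b->objs[i]->tmpref < 0)
			return false;
	return true;
}

/* Scenario: a buffer holding num_objs objects is released after `processed`
 * of them were handled. Returns false if any node was over-released. */
static bool scenario(size_t num_objs, size_t processed, bool use_fixed)
{
	struct node nodes[MAX_OBJS] = {0};
	struct txn_buffer b = { .num_objs = num_objs };

	for (size_t i = 0; i < num_objs; i++)
		b.objs[i] = &nodes[i];
	for (size_t i = 0; i < processed; i++)
		process_object(&b, i);

	if (use_fixed)
		release_fixed(&b, processed);
	else
		release_buggy(&b, processed);   /* the caller's "failed_at" */
	return refs_balanced(&b);
}
```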