Cc linux-mm * Carlos Llamas <cmllamas@xxxxxxxxxx> [230424 16:56]: > This reverts commit a43cfc87caaf46710c8027a8c23b8a55f1078f19. > > This patch fixed an issue reported by syzkaller in [1]. However, this > turned out to be only a band-aid in binder. The root cause, as bisected > by syzkaller, was fixed by commit 5789151e48ac ("mm/mmap: undo ->mmap() > when mas_preallocate() fails"). We no longer need the patch for binder. > > Reverting such patch allows us to have a lockless access to alloc->vma > in specific cases where the mmap_lock is not required. Can you elaborate on the situation where recording a VMA pointer and later accessing it outside the mmap_lock is okay? >This approach > avoids the contention that caused a performance regression. > > [1] https://lore.kernel.org/all/0000000000004a0dbe05e1d749e0@xxxxxxxxxx > > [cmllamas: resolved conflicts with rework of alloc->mm and removal of > binder_alloc_set_vma() also fixed comment section] > > Cc: Liam Howlett <liam.howlett@xxxxxxxxxx> > Cc: Suren Baghdasaryan <surenb@xxxxxxxxxx> > Signed-off-by: Carlos Llamas <cmllamas@xxxxxxxxxx> > --- > drivers/android/binder_alloc.c | 17 +++++++++-------- > drivers/android/binder_alloc.h | 4 ++-- > drivers/android/binder_alloc_selftest.c | 2 +- > 3 files changed, 12 insertions(+), 11 deletions(-) > > diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c > index 92c814ec44fe..eb082b33115b 100644 > --- a/drivers/android/binder_alloc.c > +++ b/drivers/android/binder_alloc.c > @@ -213,7 +213,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate, > > if (mm) { > mmap_read_lock(mm); > - vma = vma_lookup(mm, alloc->vma_addr); > + vma = alloc->vma; > } > > if (!vma && need_mm) { > @@ -314,9 +314,11 @@ static inline struct vm_area_struct *binder_alloc_get_vma( > { > struct vm_area_struct *vma = NULL; > > - if (alloc->vma_addr) > - vma = vma_lookup(alloc->mm, alloc->vma_addr); > - > + if (alloc->vma) { > + /* Look at description in binder_alloc_set_vma */ > + smp_rmb(); > + vma = alloc->vma; > + } > return vma; > } > > @@ -775,7 +777,7 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc, > buffer->free = 1; > binder_insert_free_buffer(alloc, buffer); > alloc->free_async_space = alloc->buffer_size / 2; > - alloc->vma_addr = vma->vm_start; > + alloc->vma = vma; > > return 0; > > @@ -805,8 +807,7 @@ void binder_alloc_deferred_release(struct binder_alloc *alloc) > > buffers = 0; > mutex_lock(&alloc->mutex); > - BUG_ON(alloc->vma_addr && > - vma_lookup(alloc->mm, alloc->vma_addr)); > + BUG_ON(alloc->vma); > > while ((n = rb_first(&alloc->allocated_buffers))) { > buffer = rb_entry(n, struct binder_buffer, rb_node); > @@ -958,7 +959,7 @@ int binder_alloc_get_allocated_count(struct binder_alloc *alloc) > */ > void binder_alloc_vma_close(struct binder_alloc *alloc) > { > - alloc->vma_addr = 0; > + alloc->vma = 0; > } > > /** > diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h > index 0f811ac4bcff..138d1d5af9ce 100644 > --- a/drivers/android/binder_alloc.h > +++ b/drivers/android/binder_alloc.h > @@ -75,7 +75,7 @@ struct binder_lru_page { > /** > * struct binder_alloc - per-binder proc state for binder allocator > * @mutex: protects binder_alloc fields > - * @vma_addr: vm_area_struct->vm_start passed to mmap_handler > + * @vma: vm_area_struct passed to mmap_handler > * (invariant after mmap) > * @mm: copy of task->mm (invariant after open) > * @buffer: base of per-proc address space mapped via mmap > @@ -99,7 +99,7 @@ struct binder_lru_page { > */ > struct binder_alloc { > struct mutex mutex; > - unsigned long vma_addr; > + struct vm_area_struct *vma; > struct mm_struct *mm; > void __user *buffer; > struct list_head buffers; > diff --git a/drivers/android/binder_alloc_selftest.c b/drivers/android/binder_alloc_selftest.c > index 43a881073a42..c2b323bc3b3a 100644 > --- a/drivers/android/binder_alloc_selftest.c > +++ b/drivers/android/binder_alloc_selftest.c > @@ -287,7 +287,7 @@ void binder_selftest_alloc(struct binder_alloc *alloc) > if (!binder_selftest_run) > return; > mutex_lock(&binder_selftest_lock); > - if (!binder_selftest_run || !alloc->vma_addr) > + if (!binder_selftest_run || !alloc->vma) > goto done; > pr_info("STARTED\n"); > binder_selftest_alloc_offset(alloc, end_offset, 0); > -- > 2.40.0.634.g4ca3ef3211-goog >