From: Tiffany Yang ynaffit@google.com
[ Upstream commit bea3e7bfa2957d986683543cbf57092715f9a91b ]
The binder allocator selftest was only checking the last page of buffers that ended on a page boundary. Correct the page indexing to account for buffers that are not page-aligned.
Signed-off-by: Tiffany Yang ynaffit@google.com
Acked-by: Carlos Llamas cmllamas@google.com
Link: https://lore.kernel.org/r/20250714185321.2417234-2-ynaffit@google.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
**Backport Status: YES**
This commit fixes a genuine bug in the binder allocator selftest that causes incorrect page boundary checking. The bug is an off-by-one error in the page indexing calculation.
**Detailed Analysis:**
1. **Bug Description**: The original code uses `i < end / PAGE_SIZE` which misses checking the last page when buffers end exactly on a page boundary. For example:
   - If `end = 8192` (exactly 2 pages), `end / PAGE_SIZE = 2`, so the loop checks pages 0 and 1
   - However, when a buffer ends at byte 8192, it actually spans into the third page (pages 0, 1, and 2)
   - The fix `i <= (end - 1) / PAGE_SIZE` correctly calculates the last page index
2. **Impact**: This bug causes the selftest to skip validation of the last page for buffers that end on page boundaries, potentially missing memory allocation issues that the selftest is designed to catch.
3. **Fix Quality**: The fix is minimal (single line change), mathematically correct, and focused solely on fixing the indexing bug without introducing new functionality.
4. **Backport Criteria Met**:
   - **Bug fix**: Yes - fixes incorrect test coverage
   - **Small and contained**: Yes - single line change in selftest code
   - **No architectural changes**: Yes - simple indexing fix
   - **Minimal regression risk**: Yes - only affects selftest code, not production binder functionality
   - **Clear benefit**: Yes - ensures proper testing coverage for memory allocation
5. **Additional Evidence**:
   - The commit is acked by Carlos Llamas, a binder maintainer
   - The fix is in selftest code, which has lower risk than production code changes
   - The mathematical correction is straightforward and verifiable
This is an ideal candidate for stable backporting as it fixes a testing gap that could allow memory allocation bugs to go undetected in stable kernels.
 drivers/android/binder_alloc_selftest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/android/binder_alloc_selftest.c b/drivers/android/binder_alloc_selftest.c index c88735c54848..486af3ec3c02 100644 --- a/drivers/android/binder_alloc_selftest.c +++ b/drivers/android/binder_alloc_selftest.c @@ -142,12 +142,12 @@ static void binder_selftest_free_buf(struct binder_alloc *alloc, for (i = 0; i < BUFFER_NUM; i++) binder_alloc_free_buf(alloc, buffers[seq[i]]);
- for (i = 0; i < end / PAGE_SIZE; i++) { /** * Error message on a free page can be false positive * if binder shrinker ran during binder_alloc_free_buf * calls above. */ + for (i = 0; i <= (end - 1) / PAGE_SIZE; i++) { if (list_empty(page_to_lru(alloc->pages[i]))) { pr_err_size_seq(sizes, seq); pr_err("expect lru but is %s at page index %d\n",
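Review bot: the new bound `i <= (end - 1) / PAGE_SIZE` relies on `end` being non-zero; if `end` is an unsigned type and can ever be 0, `end - 1` wraps and the loop indexes far past `alloc->pages`. The hunk shows neither the type of `end` nor a guarantee that it is positive, so either state that invariant in a comment or write the bound as `i < DIV_ROUND_UP(end, PAGE_SIZE)`, which covers the same pages for every non-zero `end` and gives an empty loop for 0. Separately, the `+` line lands after the false-positive comment, so that comment now sits above the `for` rather than inside its body; if that move is intentional it deserves a word in the commit message.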