Changes in 5.15.17
KVM: x86/mmu: Fix write-protection of PTs mapped by the TDP MMU
KVM: VMX: switch blocked_vcpu_on_cpu_lock to raw spinlock
HID: Ignore battery for Elan touchscreen on HP Envy X360 15t-dr100
HID: uhid: Fix worker destroying device without any protection
HID: wacom: Reset expected and received contact counts at the same time
HID: wacom: Ignore the confidence flag when a touch is removed
HID: wacom: Avoid using stale array indices to read contact count
ALSA: core: Fix SSID quirk lookup for subvendor=0
f2fs: fix to do sanity check on inode type during garbage collection
f2fs: fix to do sanity check in is_alive()
f2fs: avoid EINVAL by SBI_NEED_FSCK when pinning a file
nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings
mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6
mtd: Fixed breaking list in __mtd_del_partition.
mtd: rawnand: davinci: Don't calculate ECC when reading page
mtd: rawnand: davinci: Avoid duplicated page read
mtd: rawnand: davinci: Rewrite function description
mtd: rawnand: Export nand_read_page_hwecc_oob_first()
mtd: rawnand: ingenic: JZ4740 needs 'oob_first' read page function
riscv: Get rid of MAXPHYSMEM configs
RISC-V: Use common riscv_cpuid_to_hartid_mask() for both SMP=y and SMP=n
riscv: try to allocate crashkern region from 32bit addressable memory
riscv: Don't use va_pa_offset on kdump
riscv: use hart id instead of cpu id on machine_kexec
riscv: mm: fix wrong phys_ram_base value for RV64
x86/gpu: Reserve stolen memory for first integrated Intel GPU
tools/nolibc: x86-64: Fix startup code bug
crypto: x86/aesni - don't require alignment of data
tools/nolibc: i386: fix initial stack alignment
tools/nolibc: fix incorrect truncation of exit code
rtc: cmos: take rtc_lock while reading from CMOS
net: phy: marvell: add Marvell specific PHY loopback
ksmbd: uninitialized variable in create_socket()
ksmbd: fix guest connection failure with nautilus
ksmbd: add support for smb2 max credit parameter
ksmbd: move credit charge deduction under processing request
ksmbd: limits exceeding the maximum allowable outstanding requests
ksmbd: add reserved room in ipc request/response
media: cec: fix a deadlock situation
media: ov8865: Disable only enabled regulators on error path
media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE
media: flexcop-usb: fix control-message timeouts
media: mceusb: fix control-message timeouts
media: em28xx: fix control-message timeouts
media: cpia2: fix control-message timeouts
media: s2255: fix control-message timeouts
media: dib0700: fix undefined behavior in tuner shutdown
media: redrat3: fix control-message timeouts
media: pvrusb2: fix control-message timeouts
media: stk1160: fix control-message timeouts
media: cec-pin: fix interrupt en/disable handling
can: softing_cs: softingcs_probe(): fix memleak on registration failure
mei: hbm: fix client dma reply status
iio: adc: ti-adc081c: Partial revert of removal of ACPI IDs
iio: trigger: Fix a scheduling whilst atomic issue seen on tsc2046
lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()
bus: mhi: pci_generic: Graceful shutdown on freeze
bus: mhi: core: Fix reading wake_capable channel configuration
bus: mhi: core: Fix race while handling SYS_ERR at power up
cxl/pmem: Fix reference counting for delayed work
arm64: errata: Fix exec handling in erratum 1418040 workaround
ARM: dts: at91: update alternate function of signal PD20
iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure
gpu: host1x: Add back arm_iommu_detach_device()
drm/tegra: Add back arm_iommu_detach_device()
virtio/virtio_mem: handle a possible NULL as a memcpy parameter
dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled()
PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
mm_zone: add function to check if managed dma zone exists
dma/pool: create dma atomic pool only if dma zone has managed pages
mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pages
ath11k: add string type to search board data in board-2.bin for WCN6855
shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
drm/ttm: Put BO in its memory manager's lru list
Bluetooth: L2CAP: Fix not initializing sk_peer_pid
drm/bridge: display-connector: fix an uninitialized pointer in probe()
drm: fix null-ptr-deref in drm_dev_init_release()
drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure
drm/panel: innolux-p079zca: Delete panel on attach() failure
drm/rockchip: dsi: Fix unbalanced clock on probe error
drm/rockchip: dsi: Hold pm-runtime across bind/unbind
drm/rockchip: dsi: Disable PLL clock on bind error
drm/rockchip: dsi: Reconfigure hardware on resume()
Bluetooth: virtio_bt: fix memory leak in virtbt_rx_handle()
Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails
clk: bcm-2835: Pick the closest clock rate
clk: bcm-2835: Remove rounding up the dividers
drm/vc4: hdmi: Set a default HSM rate
drm/vc4: hdmi: Move the HSM clock enable to runtime_pm
drm/vc4: hdmi: Make sure the controller is powered in detect
drm/vc4: hdmi: Make sure the controller is powered up during bind
drm/vc4: hdmi: Rework the pre_crtc_configure error handling
drm/vc4: crtc: Make sure the HDMI controller is powered when disabling
wcn36xx: ensure pairing of init_scan/finish_scan and start_scan/end_scan
wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND
drm/vc4: hdmi: Enable the scrambler on reconnection
libbpf: Free up resources used by inner map definition
wcn36xx: Fix DMA channel enable/disable cycle
wcn36xx: Release DMA channel descriptor allocations
wcn36xx: Put DXE block into reset before freeing memory
wcn36xx: populate band before determining rate on RX
wcn36xx: fix RX BD rate mapping for 5GHz legacy rates
ath11k: Send PPDU_STATS_CFG with proper pdev mask to firmware
bpftool: Fix memory leak in prog_dump()
mtd: hyperbus: rpc-if: Check return value of rpcif_sw_init()
media: videobuf2: Fix the size printk format
media: atomisp: add missing media_device_cleanup() in atomisp_unregister_entities()
media: atomisp: fix punit_ddr_dvfs_enable() argument for mrfld_power up case
media: atomisp: fix inverted logic in buffers_needed()
media: atomisp: do not use err var when checking port validity for ISP2400
media: atomisp: fix inverted error check for ia_css_mipi_is_source_port_valid()
media: atomisp: fix ifdefs in sh_css.c
media: atomisp: add NULL check for asd obtained from atomisp_video_pipe
media: atomisp: fix enum formats logic
media: atomisp: fix uninitialized bug in gmin_get_pmic_id_and_addr()
media: aspeed: fix mode-detect always time out at 2nd run
media: em28xx: fix memory leak in em28xx_init_dev
media: aspeed: Update signal status immediately to ensure sane hw state
arm64: dts: amlogic: meson-g12: Fix GPU operating point table node name
arm64: dts: amlogic: Fix SPI NOR flash node name for ODROID N2/N2+
arm64: dts: meson-gxbb-wetek: fix HDMI in early boot
arm64: dts: meson-gxbb-wetek: fix missing GPIO binding
fs: dlm: don't call kernel_getpeername() in error_report()
memory: renesas-rpc-if: Return error in case devm_ioremap_resource() fails
Bluetooth: stop processing malicious adv data
ath11k: Fix ETSI regd with weather radar overlap
ath11k: clear the keys properly via DISABLE_KEY
ath11k: reset RSN/WPA present state for open BSS
spi: hisi-kunpeng: Fix the debugfs directory name incorrect
tee: fix put order in teedev_close_context()
fs: dlm: fix build with CONFIG_IPV6 disabled
drm/dp: Don't read back backlight mode in drm_edp_backlight_enable()
drm/vboxvideo: fix a NULL vs IS_ERR() check
arm64: dts: renesas: cat875: Add rx/tx delays
media: dmxdev: fix UAF when dvb_register_device() fails
crypto: atmel-aes - Reestablish the correct tfm context at dequeue
crypto: qce - fix uaf on qce_aead_register_one
crypto: qce - fix uaf on qce_ahash_register_one
crypto: qce - fix uaf on qce_skcipher_register_one
arm64: dts: qcom: sc7280: Fix incorrect clock name
mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove
cpufreq: qcom-cpufreq-hw: Update offline CPUs per-cpu thermal pressure
cpufreq: qcom-hw: Fix probable nested interrupt handling
ARM: dts: stm32: fix dtbs_check warning on ili9341 dts binding on stm32f429 disco
libbpf: Fix potential misaligned memory access in btf_ext__new()
libbpf: Fix glob_syms memory leak in bpf_linker
libbpf: Fix using invalidated memory in bpf_linker
crypto: qat - remove unnecessary collision prevention step in PFVF
crypto: qat - make pfvf send message direction agnostic
crypto: qat - fix undetected PFVF timeout in ACK loop
ath11k: Use host CE parameters for CE interrupts configuration
arm64: dts: ti: k3-j721e: correct cache-sets info
tty: serial: atmel: Check return code of dmaengine_submit()
tty: serial: atmel: Call dma_async_issue_pending()
mfd: atmel-flexcom: Remove #ifdef CONFIG_PM_SLEEP
mfd: atmel-flexcom: Use .resume_noirq
bfq: Do not let waker requests skip proper accounting
libbpf: Silence uninitialized warning/error in btf_dump_dump_type_data
media: i2c: imx274: fix s_frame_interval runtime resume not requested
media: i2c: Re-order runtime pm initialisation
media: i2c: ov8865: Fix lockdep error
media: rcar-csi2: Correct the selection of hsfreqrange
media: imx-pxp: Initialize the spinlock prior to using it
media: si470x-i2c: fix possible memory leak in si470x_i2c_probe()
media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released
media: hantro: Hook up RK3399 JPEG encoder output
media: coda: fix CODA960 JPEG encoder buffer overflow
media: venus: correct low power frequency calculation for encoder
media: venus: core: Fix a potential NULL pointer dereference in an error handling path
media: venus: core: Fix a resource leak in the error handling path of 'venus_probe()'
net: stmmac: Add platform level debug register dump feature
thermal/drivers/imx: Implement runtime PM support
igc: AF_XDP zero-copy metadata adjust breaks SKBs on XDP_PASS
netfilter: bridge: add support for pppoe filtering
powerpc: Avoid discarding flags in system_call_exception()
arm64: dts: qcom: msm8916: fix MMC controller aliases
drm/vmwgfx: Remove the deprecated lower mem limit
drm/vmwgfx: Fail to initialize on broken configs
cgroup: Trace event cgroup id fields should be u64
ACPI: EC: Rework flushing of EC work while suspended to idle
thermal/drivers/imx8mm: Enable ADC when enabling monitor
drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()
drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
libbpf: Clean gen_loader's attach kind.
crypto: caam - save caam memory to support crypto engine retry mechanism.
arm64: dts: ti: k3-am642: Fix the L2 cache sets
arm64: dts: ti: k3-j7200: Fix the L2 cache sets
arm64: dts: ti: k3-j721e: Fix the L2 cache sets
arm64: dts: ti: k3-j7200: Correct the d-cache-sets info
tty: serial: uartlite: allow 64 bit address
serial: amba-pl011: do not request memory region twice
mtd: core: provide unique name for nvmem device
floppy: Fix hang in watchdog when disk is ejected
staging: rtl8192e: return error code from rtllib_softmac_init()
staging: rtl8192e: rtllib_module: fix error handle case in alloc_rtllib()
Bluetooth: btmtksdio: fix resume failure
bpf: Fix the test_task_vma selftest to support output shorter than 1 kB
sched/fair: Fix detection of per-CPU kthreads waking a task
sched/fair: Fix per-CPU kthread and wakee stacking for asym CPU capacity
bpf: Adjust BTF log size limit.
bpf: Disallow BPF_LOG_KERNEL log level for bpf(BPF_BTF_LOAD)
bpf: Remove config check to enable bpf support for branch records
arm64: clear_page() shouldn't use DC ZVA when DCZID_EL0.DZP == 1
arm64: mte: DC {GVA,GZVA} shouldn't be used when DCZID_EL0.DZP == 1
samples/bpf: Install libbpf headers when building
samples/bpf: Clean up samples/bpf build failures
samples: bpf: Fix xdp_sample_user.o linking with Clang
samples: bpf: Fix 'unknown warning group' build warning on Clang
media: dib8000: Fix a memleak in dib8000_init()
media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()
media: si2157: Fix "warm" tuner state detection
wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma
sched/rt: Try to restart rt period timer when rt runtime exceeded
ath10k: Fix the MTU size on QCA9377 SDIO
Bluetooth: refactor set_exp_feature with a feature table
Bluetooth: MGMT: Use hci_dev_test_and_{set,clear}_flag
Bluetooth: btusb: Handle download_firmware failure cases
drm/amd/display: Fix bug in debugfs crc_win_update entry
drm/amd/display: Fix out of bounds access on DNC31 stream encoder regs
drm/msm/gpu: Don't allow zero fence_id
drm/msm/dp: displayPort driver need algorithm rational
rcu/exp: Mark current CPU as exp-QS in IPI loop second pass
wcn36xx: Fix max channels retrieval
drm/msm/dsi: fix initialization in the bonded DSI case
mwifiex: Fix possible ABBA deadlock
xfrm: fix a small bug in xfrm_sa_len()
x86/uaccess: Move variable into switch case statement
selftests: clone3: clone3: add case CLONE3_ARGS_NO_TEST
selftests: harness: avoid false negatives if test has no ASSERTs
crypto: stm32/cryp - fix CTR counter carry
crypto: stm32/cryp - fix xts and race condition in crypto_engine requests
crypto: stm32/cryp - check early input data
crypto: stm32/cryp - fix double pm exit
crypto: stm32/cryp - fix lrw chaining mode
crypto: stm32/cryp - fix bugs and crash in tests
crypto: stm32 - Revert broken pm_runtime_resume_and_get changes
crypto: hisilicon/qm - fix incorrect return value of hisi_qm_resume()
ath11k: Fix deleting uninitialized kernel timer during fragment cache flush
spi: Fix incorrect cs_setup delay handling
ARM: dts: gemini: NAS4220-B: fis-index-block with 128 KiB sectors
perf/arm-cmn: Fix CPU hotplug unregistration
media: dw2102: Fix use after free
media: msi001: fix possible null-ptr-deref in msi001_probe()
media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes
ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan()
net: dsa: hellcreek: Fix insertion of static FDB entries
net: dsa: hellcreek: Add STP forwarding rule
net: dsa: hellcreek: Allow PTP P2P measurements on blocked ports
net: dsa: hellcreek: Add missing PTP via UDP rules
arm64: dts: qcom: c630: Fix soundcard setup
arm64: dts: qcom: ipq6018: Fix gpio-ranges property
drm/msm/dpu: fix safe status debugfs file
drm/bridge: ti-sn65dsi86: Set max register for regmap
gpu: host1x: select CONFIG_DMA_SHARED_BUFFER
drm/tegra: gr2d: Explicitly control module reset
drm/tegra: vic: Fix DMA API misuse
media: hantro: Fix probe func error path
xfrm: interface with if_id 0 should return error
xfrm: state and policy should fail if XFRMA_IF_ID 0
ARM: 9159/1: decompressor: Avoid UNPREDICTABLE NOP encoding
usb: ftdi-elan: fix memory leak on device disconnect
arm64: dts: marvell: cn9130: add GPIO and SPI aliases
arm64: dts: marvell: cn9130: enable CP0 GPIO controllers
ARM: dts: armada-38x: Add generic compatible to UART nodes
mt76: mt7921: drop offload_flags overwritten
wilc1000: fix double free error in probe()
rtw88: add quirk to disable pci caps on HP 250 G7 Notebook PC
rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE
iwlwifi: mvm: fix 32-bit build in FTM
iwlwifi: mvm: test roc running status bits before removing the sta
iwlwifi: mvm: perform 6GHz passive scan after suspend
iwlwifi: mvm: set protected flag only for NDP ranging
mmc: meson-mx-sdhc: add IRQ check
mmc: meson-mx-sdio: add IRQ check
block: fix error unwinding in device_add_disk
selinux: fix potential memleak in selinux_add_opt()
um: fix ndelay/udelay defines
um: rename set_signals() to um_set_signals()
um: virt-pci: Fix 32-bit compile
lib/logic_iomem: Fix 32-bit build
lib/logic_iomem: Fix operation on 32-bit
um: virtio_uml: Fix time-travel external time propagation
Bluetooth: L2CAP: Fix using wrong mode
bpftool: Enable line buffering for stdout
backlight: qcom-wled: Validate enabled string indices in DT
backlight: qcom-wled: Pass number of elements to read to read_u32_array
backlight: qcom-wled: Fix off-by-one maximum with default num_strings
backlight: qcom-wled: Override default length with qcom,enabled-strings
backlight: qcom-wled: Use cpu_to_le16 macro to perform conversion
backlight: qcom-wled: Respect enabled-strings in set_brightness
software node: fix wrong node passed to find nargs_prop
Bluetooth: hci_qca: Stop IBS timer during BT OFF
x86/boot/compressed: Move CLANG_FLAGS to beginning of KBUILD_CFLAGS
crypto: octeontx2 - prevent underflow in get_cores_bmap()
regulator: qcom-labibb: OCP interrupts are not a failure while disabled
hwmon: (mr75203) fix wrong power-up delay value
x86/mce/inject: Avoid out-of-bounds write when setting flags
io_uring: remove double poll on poll update
serial: 8250_bcm7271: Propagate error codes from brcmuart_probe()
ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes
pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region()
pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region()
power: reset: mt6397: Check for null res pointer
net/xfrm: IPsec tunnel mode fix inner_ipproto setting in sec_path
net: ethernet: mtk_eth_soc: fix return values and refactor MDIO ops
net: dsa: fix incorrect function pointer check for MRP ring roles
netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check()
bpf, sockmap: Fix return codes from tcp_bpf_recvmsg_parser()
bpf, sockmap: Fix double bpf_prog_put on error case in map_link
bpf: Don't promote bogus looking registers after null check.
bpf: Fix verifier support for validation of async callbacks
bpf: Fix SO_RCVBUF/SO_SNDBUF handling in _bpf_setsockopt().
netfilter: nft_payload: do not update layer 4 checksum when mangling fragments
netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone
net: fix SOF_TIMESTAMPING_BIND_PHC to work with multiple sockets
ppp: ensure minimum packet size in ppp_write()
rocker: fix a sleeping in atomic bug
staging: greybus: audio: Check null pointer
fsl/fman: Check for null pointer after calling devm_ioremap
Bluetooth: hci_bcm: Check for error irq
Bluetooth: hci_qca: Fix NULL vs IS_ERR_OR_NULL check in qca_serdev_probe
net/smc: Reset conn->lgr when link group registration fails
usb: dwc3: qcom: Fix NULL vs IS_ERR checking in dwc3_qcom_probe
usb: dwc2: do not gate off the hardware if it does not support clock gating
usb: dwc2: gadget: initialize max_speed from params
usb: gadget: u_audio: Subdevice 0 for capture ctls
HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init
HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc
HID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_init
HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad
debugfs: lockdown: Allow reading debugfs files that are not world readable
drivers/firmware: Add missing platform_device_put() in sysfb_create_simplefb
serial: liteuart: fix MODULE_ALIAS
serial: stm32: move tx dma terminate DMA to shutdown
x86, sched: Fix undefined reference to init_freq_invariance_cppc() build error
net/mlx5e: Fix page DMA map/unmap attributes
net/mlx5e: Fix wrong usage of fib_info_nh when routes with nexthop objects are used
net/mlx5e: Don't block routes with nexthop objects in SW
Revert "net/mlx5e: Block offload of outer header csum for UDP tunnels"
Revert "net/mlx5e: Block offload of outer header csum for GRE tunnel"
net/mlx5e: Fix matching on modified inner ip_ecn bits
net/mlx5: Fix access to sf_dev_table on allocation failure
net/mlx5e: Sync VXLAN udp ports during uplink representor profile change
net/mlx5: Set command entry semaphore up once got index free
lib/mpi: Add the return value check of kcalloc()
Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()
mptcp: fix per socket endpoint accounting
mptcp: fix opt size when sending DSS + MP_FAIL
mptcp: fix a DSS option writing error
spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe
octeontx2-af: Increment ptp refcount before use
ax25: uninitialized variable in ax25_setsockopt()
netrom: fix api breakage in nr_setsockopt()
regmap: Call regmap_debugfs_exit() prior to _init()
net: mscc: ocelot: fix incorrect balancing with down LAG ports
can: mcp251xfd: add missing newline to printed strings
tpm: add request_locality before write TPM_INT_ENABLE
tpm_tis: Fix an error handling path in 'tpm_tis_core_init()'
can: softing: softing_startstop(): fix set but not used variable warning
can: xilinx_can: xcan_probe(): check for error irq
can: rcar_canfd: rcar_canfd_channel_probe(): make sure we free CAN network device
pcmcia: fix setting of kthread task states
net/sched: flow_dissector: Fix matching on zone id for invalid conns
net: openvswitch: Fix matching zone id for invalid conns arriving from tc
net: openvswitch: Fix ct_state nat flags for conns arriving from tc
iwlwifi: mvm: Use div_s64 instead of do_div in iwl_mvm_ftm_rtt_smoothing()
bnxt_en: Refactor coredump functions
bnxt_en: move coredump functions into dedicated file
bnxt_en: use firmware provided max timeout for messages
net: mcs7830: handle usb read errors properly
ext4: avoid trim error on fs with small groups
ASoC: Intel: sof_sdw: fix jack detection on HP Spectre x360 convertible
ALSA: jack: Add missing rwsem around snd_ctl_remove() calls
ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls
ALSA: hda: Add missing rwsem around snd_ctl_remove() calls
ALSA: hda: Fix potential deadlock at codec unbinding
RDMA/bnxt_re: Scan the whole bitmap when checking if "disabling RCFW with pending cmd-bit"
RDMA/hns: Validate the pkey index
scsi: pm80xx: Update WARN_ON check in pm8001_mpi_build_cmd()
clk: renesas: rzg2l: Check return value of pm_genpd_init()
clk: renesas: rzg2l: propagate return value of_genpd_add_provider_simple()
clk: imx8mn: Fix imx8mn_clko1_sels
powerpc/prom_init: Fix improper check of prom_getprop()
ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA
ASoC: codecs: wcd938x: add SND_SOC_WCD938_SDW to codec list instead
RDMA/rtrs-clt: Fix the initial value of min_latency
ALSA: hda: Make proper use of timecounter
dt-bindings: thermal: Fix definition of cooling-maps contribution property
powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC
powerpc/modules: Don't WARN on first module allocation attempt
powerpc/32s: Fix shift-out-of-bounds in KASAN init
clocksource: Avoid accidental unstable marking of clocksources
ALSA: oss: fix compile error when OSS_DEBUG is enabled
ALSA: usb-audio: Drop superfluous '0' in Presonus Studio 1810c's ID
misc: at25: Make driver OF independent again
char/mwave: Adjust io port register size
binder: fix handling of error during copy
binder: avoid potential data leakage when copying txn
openrisc: Add clone3 ABI wrapper
iommu: Extend mutex lock scope in iommu_probe_device()
iommu/io-pgtable-arm: Fix table descriptor paddr formatting
scsi: core: Fix scsi_device_max_queue_depth()
scsi: ufs: Fix race conditions related to driver data
RDMA/qedr: Fix reporting max_{send/recv}_wr attrs
PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity()
powerpc/powermac: Add additional missing lockdep_register_key()
iommu/arm-smmu-qcom: Fix TTBR0 read
RDMA/core: Let ib_find_gid() continue search even after empty entry
RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry
ASoC: rt5663: Handle device_property_read_u32_array error codes
of: unittest: fix warning on PowerPC frame size warning
of: unittest: 64 bit dma address test requires arch support
clk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after system enter shell
mips: add SYS_HAS_CPU_MIPS64_R5 config for MIPS Release 5 support
mips: fix Kconfig reference to PHYS_ADDR_T_64BIT
dmaengine: pxa/mmp: stop referencing config->slave_id
iommu/amd: Restore GA log/tail pointer on host resume
iommu/amd: X2apic mode: re-enable after resume
iommu/amd: X2apic mode: setup the INTX registers on mask/unmask
iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume
iommu/amd: Remove useless irq affinity notifier
ASoC: Intel: catpt: Test dmaengine_submit() result before moving on
iommu/iova: Fix race between FQ timeout and teardown
ASoC: mediatek: mt8195: correct default value
of: fdt: Aggregate the processing of "linux,usable-memory-range"
efi: apply memblock cap after memblock_add()
scsi: block: pm: Always set request queue runtime active in blk_post_runtime_resume()
phy: uniphier-usb3ss: fix unintended writing zeros to PHY register
ASoC: mediatek: Check for error clk pointer
powerpc/64s: Mask NIP before checking against SRR0
powerpc/64s: Use EMIT_WARN_ENTRY for SRR debug warnings
phy: cadence: Sierra: Fix to get correct parent for mux clocks
ASoC: samsung: idma: Check of ioremap return value
misc: lattice-ecp3-config: Fix task hung when firmware load failed
ASoC: mediatek: mt8195: correct pcmif BE dai control flow
arm64: tegra: Remove non existent Tegra194 reset
mips: lantiq: add support for clk_set_parent()
mips: bcm63xx: add support for clk_set_parent()
powerpc/xive: Add missing null check after calling kmalloc
ASoC: fsl_mqs: fix MODULE_ALIAS
ALSA: hda/cs8409: Increase delay during jack detection
ALSA: hda/cs8409: Fix Jack detection after resume
RDMA/cxgb4: Set queue pair state when being queried
clk: qcom: gcc-sc7280: Mark gcc_cfg_noc_lpass_clk always enabled
ASoC: imx-card: Need special setting for ak4497 on i.MX8MQ
ASoC: imx-card: Fix mclk calculation issue for akcodec
ASoC: imx-card: improve the sound quality for low rate
ASoC: fsl_asrc: refine the check of available clock divider
clk: bm1880: remove kfrees on static allocations
of: base: Fix phandle argument length mismatch error message
of/fdt: Don't worry about non-memory region overlap for no-map
MIPS: boot/compressed/: add __ashldi3 to target for ZSTD compression
MIPS: compressed: Fix build with ZSTD compression
mailbox: fix gce_num of mt8192 driver data
ARM: dts: omap3-n900: Fix lp5523 for multi color
leds: lp55xx: initialise output direction from dts
Bluetooth: Fix debugfs entry leak in hci_register_dev()
Bluetooth: Fix memory leak of hci device
drm/panel: Delete panel on mipi_dsi_attach() failure
Bluetooth: Fix removing adv when processing cmd complete
fs: dlm: filter user dlm messages for kernel locks
drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y
selftests/bpf: Fix memory leaks in btf_type_c_dump() helper
selftests/bpf: Destroy XDP link correctly
selftests/bpf: Fix bpf_object leak in skb_ctx selftest
ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
drm/bridge: dw-hdmi: handle ELD when DRM_BRIDGE_ATTACH_NO_CONNECTOR
drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR
media: atomisp: fix try_fmt logic
media: atomisp: set per-device's default mode
media: atomisp-ov2680: Fix ov2680_set_fmt() clobbering the exposure
media: atomisp: check before deference asd variable
ARM: shmobile: rcar-gen2: Add missing of_node_put()
batman-adv: allow netlink usage in unprivileged containers
media: atomisp: handle errors at sh_css_create_isp_params()
ath11k: Fix crash caused by uninitialized TX ring
usb: dwc3: meson-g12a: fix shared reset control use
USB: ehci_brcm_hub_control: Improve port index sanitizing
usb: gadget: f_fs: Use stream_open() for endpoint files
psi: Fix PSI_MEM_FULL state when tasks are in memstall and doing reclaim
drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L
HID: magicmouse: Report battery level over USB
HID: apple: Do not reset quirks when the Fn key is not found
media: b2c2: Add missing check in flexcop_pci_isr:
libbpf: Accommodate DWARF/compiler bug with duplicated structs
ethernet: renesas: Use div64_ul instead of do_div
EDAC/synopsys: Use the quirk for version instead of ddr version
arm64: dts: qcom: sm8350: Shorten camera-thermal-bottom name
soc: imx: gpcv2: Synchronously suspend MIX domains
ARM: imx: rename DEBUG_IMX21_IMX27_UART to DEBUG_IMX27_UART
drm/amd/display: check top_pipe_to_program pointer
drm/amdgpu/display: set vblank_disable_immediate for DC
soc: ti: pruss: fix referenced node in error message
mlxsw: pci: Add shutdown method in PCI driver
drm/amd/display: add else to avoid double destroy clk_mgr
drm/bridge: megachips: Ensure both bridges are probed before registration
mxser: keep only !tty test in ISR
tty: serial: imx: disable UCR4_OREN in .stop_rx() instead of .shutdown()
gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
HSI: core: Fix return freed object in hsi_new_client
crypto: jitter - consider 32 LSB for APT
mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
rsi: Fix use-after-free in rsi_rx_done_handler()
rsi: Fix out-of-bounds read in rsi_read_pkt()
ath11k: Avoid NULL ptr access during mgmt tx cleanup
media: venus: avoid calling core_clk_setrate() concurrently during concurrent video sessions
regulator: da9121: Prevent current limit change when enabled
drm/vmwgfx: Release ttm memory if probe fails
drm/vmwgfx: Introduce a new placement for MOB page tables
ACPI / x86: Drop PWM2 device on Lenovo Yoga Book from always present table
ACPI: Change acpi_device_always_present() into acpi_device_override_status()
ACPI / x86: Allow specifying acpi_device_override_status() quirks by path
ACPI / x86: Add not-present quirk for the PCI0.SDHB.BRC1 device on the GPD win
arm64: dts: ti: j7200-main: Fix 'dtbs_check' serdes_ln_ctrl node
arm64: dts: ti: j721e-main: Fix 'dtbs_check' in serdes_ln_ctrl node
usb: uhci: add aspeed ast2600 uhci support
floppy: Add max size check for user space request
x86/mm: Flush global TLB when switching to trampoline page-table
drm: rcar-du: Fix CRTC timings when CMM is used
media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds.
media: rcar-vin: Update format alignment constraints
media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
media: atomisp: fix "variable dereferenced before check 'asd'"
media: m920x: don't use stack on USB reads
thunderbolt: Runtime PM activate both ends of the device link
arm64: dts: renesas: Fix thermal bindings
iwlwifi: mvm: synchronize with FW after multicast commands
iwlwifi: mvm: avoid clearing a just saved session protection id
rcutorture: Avoid soft lockup during cpu stall
ath11k: avoid deadlock by change ieee80211_queue_work for regd_update_work
ath10k: Fix tx hanging
net-sysfs: update the queue counts in the unregistration path
net: phy: prefer 1000baseT over 1000baseKX
gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock
gpio: aspeed-sgpio: Convert aspeed_sgpio.lock to raw_spinlock
selftests/ftrace: make kprobe profile testcase description unique
ath11k: Avoid false DEADLOCK warning reported by lockdep
ARM: dts: qcom: sdx55: fix IPA interconnect definitions
x86/mce: Allow instrumentation during task work queueing
x86/mce: Mark mce_panic() noinstr
x86/mce: Mark mce_end() noinstr
x86/mce: Mark mce_read_aux() noinstr
net: bonding: debug: avoid printing debug logs when bond is not notifying peers
kunit: Don't crash if no parameters are generated
bpf: Do not WARN in bpf_warn_invalid_xdp_action()
drm/amdkfd: Fix error handling in svm_range_add
HID: quirks: Allow inverting the absolute X/Y values
HID: i2c-hid-of: Expose the touchscreen-inverted properties
media: igorplugusb: receiver overflow should be reported
media: rockchip: rkisp1: use device name for debugfs subdir name
media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
mmc: tmio: reinit card irqs in reset routine
mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO
drm/amd/amdgpu: fix psp tmr bo pin count leak in SRIOV
drm/amd/amdgpu: fix gmc bo pin count leak in SRIOV
audit: ensure userspace is penalized the same as the kernel when under pressure
arm64: dts: ls1028a-qds: move rtc node to the correct i2c bus
arm64: tegra: Adjust length of CCPLEX cluster MMIO region
crypto: ccp - Move SEV_INIT retry for corrupted data
crypto: hisilicon/hpre - fix memory leak in hpre_curve25519_src_init()
PM: runtime: Add safety net to supplier device release
cpufreq: Fix initialization of min and max frequency QoS requests
usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0
mt76: mt7615: fix possible deadlock while mt7615_register_ext_phy()
mt76: do not pass the received frame with decryption error
mt76: mt7615: improve wmm index allocation
ath9k_htc: fix NULL pointer dereference at ath9k_htc_rxep()
ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()
ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
rtw88: 8822c: update rx settings to prevent potential hw deadlock
PM: AVS: qcom-cpr: Use div64_ul instead of do_div
iwlwifi: fix leaks/bad data after failed firmware load
iwlwifi: remove module loading failure message
iwlwifi: mvm: Fix calculation of frame length
iwlwifi: mvm: fix AUX ROC removal
iwlwifi: pcie: make sure prph_info is set when treating wakeup IRQ
mmc: sdhci-pci-gli: GL9755: Support for CD/WP inversion on OF platforms
block: check minor range in device_add_disk()
um: registers: Rename function names to avoid conflicts and build problems
ath11k: Fix napi related hang
Bluetooth: btintel: Add missing quirks and msft ext for legacy bootloader
Bluetooth: vhci: Set HCI_QUIRK_VALID_LE_STATES
xfrm: rate limit SA mapping change message to user space
drm/etnaviv: consider completed fence seqno in hang check
jffs2: GC deadlock reading a page that is used in jffs2_write_begin()
ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions
ACPICA: Utilities: Avoid deleting the same object twice in a row
ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
ACPICA: Fix wrong interpretation of PCC address
ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5
mmc: mtk-sd: Use readl_poll_timeout instead of open-coded polling
drm/amdgpu: fixup bad vram size on gmc v8
amdgpu/pm: Make sysfs pm attributes as read-only for VFs
ACPI: battery: Add the ThinkPad "Not Charging" quirk
ACPI: CPPC: Check present CPUs for determining _CPC is valid
btrfs: remove BUG_ON() in find_parent_nodes()
btrfs: remove BUG_ON(!eie) in find_parent_nodes
net: mdio: Demote probed message to debug print
mac80211: allow non-standard VHT MCS-10/11
dm btree: add a defensive bounds check to insert_at()
dm space map common: add bounds check to sm_ll_lookup_bitmap()
bpf/selftests: Fix namespace mount setup in tc_redirect
mlxsw: pci: Avoid flow control for EMAD packets
net: phy: marvell: configure RGMII delays for 88E1118
net: gemini: allow any RGMII interface mode
regulator: qcom_smd: Align probe function with rpmh-regulator
serial: pl010: Drop CR register reset on set_termios
serial: pl011: Drop CR register reset on set_termios
serial: core: Keep mctrl register state and cached copy in sync
random: do not throw away excess input to crng_fast_load
net/mlx5: Update log_max_qp value to FW max capability
net/mlx5e: Unblock setting vid 0 for VF in case PF isn't eswitch manager
parisc: Avoid calling faulthandler_disabled() twice
can: flexcan: allow to change quirks at runtime
can: flexcan: rename RX modes
can: flexcan: add more quirks to describe RX path capabilities
x86/kbuild: Enable CONFIG_KALLSYMS_ALL=y in the defconfigs
powerpc/6xx: add missing of_node_put
powerpc/powernv: add missing of_node_put
powerpc/cell: add missing of_node_put
powerpc/btext: add missing of_node_put
powerpc/watchdog: Fix missed watchdog reset due to memory ordering race
ASoC: imx-hdmi: add put_device() after of_find_device_by_node()
i2c: i801: Don't silently correct invalid transfer size
powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING
i2c: mpc: Correct I2C reset procedure
clk: meson: gxbb: Fix the SDM_EN bit for MPLL0 on GXBB
powerpc/powermac: Add missing lockdep_register_key()
KVM: PPC: Book3S: Suppress warnings when allocating too big memory slots
KVM: PPC: Book3S: Suppress failed alloc warning in H_COPY_TOFROM_GUEST
w1: Misuse of get_user()/put_user() reported by sparse
nvmem: core: set size for sysfs bin file
dm: fix alloc_dax error handling in alloc_dev
interconnect: qcom: rpm: Prevent integer overflow in rate
scsi: ufs: Fix a kernel crash during shutdown
scsi: lpfc: Fix leaked lpfc_dmabuf mbox allocations with NPIV
scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup
ALSA: seq: Set upper limit of processed events
MIPS: Loongson64: Use three arguments for slti
powerpc/40x: Map 32Mbytes of memory at startup
selftests/powerpc/spectre_v2: Return skip code when miss_percent is high
powerpc: handle kdump appropriately with crash_kexec_post_notifiers option
powerpc/fadump: Fix inaccurate CPU state info in vmcore generated with panic
udf: Fix error handling in udf_new_inode()
MIPS: OCTEON: add put_device() after of_find_device_by_node()
irqchip/gic-v4: Disable redistributors' view of the VPE table at boot time
i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters
selftests/powerpc: Add a test of sigreturning to the kernel
MIPS: Octeon: Fix build errors using clang
scsi: sr: Don't use GFP_DMA
scsi: mpi3mr: Fixes around reply request queues
ASoC: mediatek: mt8192-mt6359: fix device_node leak
phy: phy-mtk-tphy: add support efuse setting
ASoC: mediatek: mt8173: fix device_node leak
ASoC: mediatek: mt8183: fix device_node leak
habanalabs: skip read fw errors if dynamic descriptor invalid
phy: mediatek: Fix missing check in mtk_mipi_tx_probe
mailbox: change mailbox-mpfs compatible string
seg6: export get_srh() for ICMP handling
icmp: ICMPV6: Examine invoking packet for Segment Route Headers.
udp6: Use Segment Routing Header for dest address if present
rpmsg: core: Clean up resources on announce_create failure.
ifcvf/vDPA: fix misuse virtio-net device config size for blk dev
crypto: omap-aes - Fix broken pm_runtime_and_get() usage
crypto: stm32/crc32 - Fix kernel BUG triggered in probe()
crypto: caam - replace this_cpu_ptr with raw_cpu_ptr
ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers
tpm: fix potential NULL pointer access in tpm_del_char_device
tpm: fix NPE on probe for missing device
mfd: tps65910: Set PWR_OFF bit during driver probe
spi: uniphier: Fix a bug that doesn't point to private data correctly
xen/gntdev: fix unmap notification order
md: Move alloc/free acct bioset in to personality
HID: magicmouse: Fix an error handling path in magicmouse_probe()
fuse: Pass correct lend value to filemap_write_and_wait_range()
serial: Fix incorrect rs485 polarity on uart open
cputime, cpuacct: Include guest time in user time in cpuacct.stat
sched/cpuacct: Fix user/system in shown cpuacct.usage*
tracing/kprobes: 'nmissed' not showed correctly for kretprobe
tracing: Have syscall trace events use trace_event_buffer_lock_reserve()
remoteproc: imx_rproc: Fix a resource leak in the remove function
iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
s390/mm: fix 2KB pgtable release race
device property: Fix fwnode_graph_devcon_match() fwnode leak
drm/tegra: submit: Add missing pm_runtime_mark_last_busy()
drm/etnaviv: limit submit sizes
drm/amd/display: Fix the uninitialized variable in enable_stream_features()
drm/nouveau/kms/nv04: use vzalloc for nv04_display
drm/bridge: analogix_dp: Make PSR-exit block less
parisc: Fix lpa and lpa_user defines
powerpc/64s/radix: Fix huge vmap false positive
scsi: lpfc: Fix lpfc_force_rscn ndlp kref imbalance
drm/amdgpu: don't do resets on APUs which don't support it
drm/i915/display/ehl: Update voltage swing table
PCI: xgene: Fix IB window setup
PCI: pciehp: Use down_read/write_nested(reset_lock) to fix lockdep errors
PCI: pci-bridge-emul: Make expansion ROM Base Address register read-only
PCI: pci-bridge-emul: Properly mark reserved PCIe bits in PCI config space
PCI: pci-bridge-emul: Fix definitions of reserved bits
PCI: pci-bridge-emul: Correctly set PCIe capabilities
PCI: pci-bridge-emul: Set PCI_STATUS_CAP_LIST for PCIe device
xfrm: fix policy lookup for ipv6 gre packets
xfrm: fix dflt policy check when there is no policy configured
btrfs: fix deadlock between quota enable and other quota operations
btrfs: check the root node for uptodate before returning it
btrfs: respect the max size in the header when activating swap file
ext4: make sure to reset inode lockdep class when quota enabling fails
ext4: make sure quota gets properly shutdown on error
ext4: fix a possible ABBA deadlock due to busy PA
ext4: initialize err_blk before calling __ext4_get_inode_loc
ext4: fix fast commit may miss tracking range for FALLOC_FL_ZERO_RANGE
ext4: set csum seed in tmp inode while migrating to extents
ext4: Fix BUG_ON in ext4_bread when write quota data
ext4: use ext4_ext_remove_space() for fast commit replay delete range
ext4: fast commit may miss tracking unwritten range during ftruncate
ext4: destroy ext4_fc_dentry_cachep kmemcache on module removal
ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits'
ext4: fix an use-after-free issue about data=journal writeback mode
ext4: don't use the orphan list when migrating an inode
tracing/osnoise: Properly unhook events if start_per_cpu_kthreads() fails
ath11k: qmi: avoid error messages when dma allocation fails
drm/radeon: fix error handling in radeon_driver_open_kms
of: base: Improve argument length mismatch error
firmware: Update Kconfig help text for Google firmware
can: mcp251xfd: mcp251xfd_tef_obj_read(): fix typo in error message
media: rcar-csi2: Optimize the selection PHTW register
drm/vc4: hdmi: Make sure the device is powered with CEC
media: correct MEDIA_TEST_SUPPORT help text
Documentation: coresight: Fix documentation issue
Documentation: dmaengine: Correctly describe dmatest with channel unset
Documentation: ACPI: Fix data node reference documentation
Documentation, arch: Remove leftovers from raw device
Documentation, arch: Remove leftovers from CIFS_WEAK_PW_HASH
Documentation: refer to config RANDOMIZE_BASE for kernel address-space randomization
Documentation: fix firewire.rst ABI file path error
Bluetooth: btusb: Return error code when getting patch status failed
net: usb: Correct reset handling of smsc95xx
Bluetooth: hci_sync: Fix not setting adv set duration
scsi: core: Show SCMD_LAST in text form
scsi: ufs: ufs-mediatek: Fix error checking in ufs_mtk_init_va09_pwr_ctrl()
RDMA/cma: Remove open coding of overflow checking for private_data_len
dmaengine: uniphier-xdmac: Fix type of address variables
dmaengine: idxd: fix wq settings post wq disable
RDMA/hns: Modify the mapping attribute of doorbell to device
RDMA/rxe: Fix a typo in opcode name
dmaengine: stm32-mdma: fix STM32_MDMA_CTBR_TSEL_MASK
Revert "net/mlx5: Add retry mechanism to the command entry index allocation"
powerpc/cell: Fix clang -Wimplicit-fallthrough warning
powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses
block: fix async_depth sysfs interface for mq-deadline
block: Fix fsync always failed if once failed
drm/vc4: crtc: Drop feed_txp from state
drm/vc4: Fix non-blocking commit getting stuck forever
drm/vc4: crtc: Copy assigned channel to the CRTC
bpftool: Remove inclusion of utilities.mak from Makefiles
bpftool: Fix indent in option lists in the documentation
xdp: check prog type before updating BPF link
bpf: Fix mount source show for bpffs
bpf: Mark PTR_TO_FUNC register initially with zero offset
perf evsel: Override attr->sample_period for non-libpfm4 events
ipv4: update fib_info_cnt under spinlock protection
ipv4: avoid quadratic behavior in netns dismantle
mlx5: Don't accidentally set RTO_ONLINK before mlx5e_route_lookup_ipv4_get()
net/fsl: xgmac_mdio: Add workaround for erratum A-009885
net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module
parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries
riscv: dts: microchip: mpfs: Drop empty chosen node
drm/vmwgfx: Remove explicit transparent hugepages support
drm/vmwgfx: Remove unused compile options
f2fs: fix remove page failed in invalidate compress pages
f2fs: fix to avoid panic in is_alive() if metadata is inconsistent
f2fs: compress: fix potential deadlock of compress file
f2fs: fix to reserve space for IO align feature
f2fs: fix to check available space of CP area correctly in update_ckpt_flags()
crypto: octeontx2 - uninitialized variable in kvf_limits_store()
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
clk: Emit a stern warning with writable debugfs enabled
clk: si5341: Fix clock HW provider cleanup
pinctrl/rockchip: fix gpio device creation
gpio: mpc8xxx: Fix IRQ check in mpc8xxx_probe
gpio: idt3243x: Fix IRQ check in idt_gpio_probe
net/smc: Fix hung_task when removing SMC-R devices
net: axienet: increase reset timeout
net: axienet: Wait for PhyRstCmplt after core reset
net: axienet: reset core on initialization prior to MDIO access
net: axienet: add missing memory barriers
net: axienet: limit minimum TX ring size
net: axienet: Fix TX ring slot available check
net: axienet: fix number of TX ring slots for available check
net: axienet: fix for TX busy handling
net: axienet: increase default TX ring size to 128
bitops: protect find_first_{,zero}_bit properly
um: gitignore: Add kernel/capflags.c
HID: vivaldi: fix handling devices not using numbered reports
rtc: pxa: fix null pointer dereference
vdpa/mlx5: Fix wrong configuration of virtio_version_1_0
virtio_ring: mark ring unused on error
taskstats: Cleanup the use of task->exit_code
inet: frags: annotate races around fqdir->dead and fqdir->high_thresh
netns: add schedule point in ops_exit_list()
iwlwifi: fix Bz NMI behaviour
xfrm: Don't accidentally set RTO_ONLINK in decode_session4()
vdpa/mlx5: Restore cur_num_vqs in case of failure in change_num_qps()
gre: Don't accidentally set RTO_ONLINK in gre_fill_metadata_dst()
libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route()
perf script: Fix hex dump character output
dmaengine: at_xdmac: Don't start transactions at tx_submit level
dmaengine: at_xdmac: Start transfer for cyclic channels in issue_pending
dmaengine: at_xdmac: Print debug message after realeasing the lock
dmaengine: at_xdmac: Fix concurrency over xfers_list
dmaengine: at_xdmac: Fix lld view setting
dmaengine: at_xdmac: Fix at_xdmac_lld struct definition
perf tools: Drop requirement for libstdc++.so for libopencsd check
perf probe: Fix ppc64 'perf probe add events failed' case
devlink: Remove misleading internal_flags from health reporter dump
arm64: dts: qcom: msm8996: drop not documented adreno properties
net: fix sock_timestamping_bind_phc() to release device
net: bonding: fix bond_xmit_broadcast return value error bug
net: ipa: fix atomic update in ipa_endpoint_replenish()
net_sched: restore "mpu xxx" handling
net: mscc: ocelot: don't let phylink re-enable TX PAUSE on the NPI port
bcmgenet: add WOL IRQ check
net: wwan: Fix MRU mismatch issue which may lead to data connection lost
net: ethernet: mtk_eth_soc: fix error checking in mtk_mac_config()
net: ocelot: Fix the call to switchdev_bridge_port_offload
net: sfp: fix high power modules without diagnostic monitoring
net: cpsw: avoid alignment faults by taking NET_IP_ALIGN into account
net: phy: micrel: use kszphy_suspend()/kszphy_resume for irq aware devices
net: mscc: ocelot: fix using match before it is set
dt-bindings: display: meson-dw-hdmi: add missing sound-name-prefix property
dt-bindings: display: meson-vpu: Add missing amlogic,canvas property
dt-bindings: watchdog: Require samsung,syscon-phandle for Exynos7
sch_api: Don't skip qdisc attach on ingress
scripts/dtc: dtx_diff: remove broken example from help text
lib82596: Fix IRQ check in sni_82596_probe
mm/hmm.c: allow VM_MIXEDMAP to work with hmm_range_fault
bonding: Fix extraction of ports from the packet headers
lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test
scripts: sphinx-pre-install: add required ctex dependency
scripts: sphinx-pre-install: Fix ctex support on Debian
Linux 5.15.17
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6ddef7c3463bfc127b34c39ebcf5d286d3117931
// SPDX-License-Identifier: GPL-2.0-only
/* binder.c
 *
 * Android IPC Subsystem
 *
 * Copyright (C) 2007-2008 Google, Inc.
 */
|
|
|
|
/*
 * Locking overview
 *
 * There are 3 main spinlocks which must be acquired in the
 * order shown:
 *
 * 1) proc->outer_lock : protects binder_ref
 *    binder_proc_lock() and binder_proc_unlock() are
 *    used to acq/rel.
 * 2) node->lock : protects most fields of binder_node.
 *    binder_node_lock() and binder_node_unlock() are
 *    used to acq/rel.
 * 3) proc->inner_lock : protects the thread and node lists
 *    (proc->threads, proc->waiting_threads, proc->nodes)
 *    and all todo lists associated with the binder_proc
 *    (proc->todo, thread->todo, proc->delivered_death and
 *    node->async_todo), as well as thread->transaction_stack.
 *    binder_inner_proc_lock() and binder_inner_proc_unlock()
 *    are used to acq/rel.
 *
 * Any lock under procA must never be nested under any lock at the same
 * level or below on procB.
 *
 * Functions that require a lock held on entry indicate which lock
 * in the suffix of the function name:
 *
 * foo_olocked() : requires node->outer_lock
 * foo_nlocked() : requires node->lock
 * foo_ilocked() : requires proc->inner_lock
 * foo_oilocked(): requires proc->outer_lock and proc->inner_lock
 * foo_nilocked(): requires node->lock and proc->inner_lock
 * ...
 */
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/fdtable.h>
|
|
#include <linux/file.h>
|
|
#include <linux/freezer.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/list.h>
|
|
#include <linux/miscdevice.h>
|
|
#include <linux/module.h>
|
|
#include <linux/mutex.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/poll.h>
|
|
#include <linux/debugfs.h>
|
|
#include <linux/rbtree.h>
|
|
#include <linux/sched/signal.h>
|
|
#include <linux/sched/mm.h>
|
|
#include <linux/seq_file.h>
|
|
#include <linux/string.h>
|
|
#include <linux/uaccess.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/security.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/ratelimit.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/task_work.h>
|
|
#include <linux/sizes.h>
|
|
#include <linux/android_vendor.h>
|
|
|
|
#include <uapi/linux/sched/types.h>
|
|
#include <uapi/linux/android/binder.h>
|
|
|
|
#include <asm/cacheflush.h>
|
|
|
|
#include "binder_internal.h"
|
|
#include "binder_trace.h"
|
|
#include <trace/hooks/binder.h>
|
|
|
|
/* procs with pending deferred work (flags: enum binder_deferred_state);
 * presumably guarded by binder_deferred_lock — see binder_defer_work() */
static HLIST_HEAD(binder_deferred_list);
static DEFINE_MUTEX(binder_deferred_lock);

static HLIST_HEAD(binder_devices);
/* all binder_proc instances; presumably walked under binder_procs_lock */
static HLIST_HEAD(binder_procs);
static DEFINE_MUTEX(binder_procs_lock);

/* nodes whose owning proc is gone; protected by binder_dead_nodes_lock */
static HLIST_HEAD(binder_dead_nodes);
static DEFINE_SPINLOCK(binder_dead_nodes_lock);

static struct dentry *binder_debugfs_dir_entry_root;
static struct dentry *binder_debugfs_dir_entry_proc;
/* monotonically increasing source of debug ids (see users elsewhere in file) */
static atomic_t binder_last_id;

/* debugfs "proc" file; body defined later in this file */
static int proc_show(struct seq_file *m, void *unused);
DEFINE_SHOW_ATTRIBUTE(proc);

/* vm flags rejected for a binder mmap — presumably checked in the mmap handler */
#define FORBIDDEN_MMAP_FLAGS (VM_WRITE)
|
|
|
|
/*
 * Bits of binder_debug_mask (module parameter "debug_mask"). binder_debug()
 * prints only when its mask argument intersects binder_debug_mask.
 */
enum {
	BINDER_DEBUG_USER_ERROR             = 1U << 0,
	BINDER_DEBUG_FAILED_TRANSACTION     = 1U << 1,
	BINDER_DEBUG_DEAD_TRANSACTION       = 1U << 2,
	BINDER_DEBUG_OPEN_CLOSE             = 1U << 3,
	BINDER_DEBUG_DEAD_BINDER            = 1U << 4,
	BINDER_DEBUG_DEATH_NOTIFICATION     = 1U << 5,
	BINDER_DEBUG_READ_WRITE             = 1U << 6,
	BINDER_DEBUG_USER_REFS              = 1U << 7,
	BINDER_DEBUG_THREADS                = 1U << 8,
	BINDER_DEBUG_TRANSACTION            = 1U << 9,
	BINDER_DEBUG_TRANSACTION_COMPLETE   = 1U << 10,
	BINDER_DEBUG_FREE_BUFFER            = 1U << 11,
	BINDER_DEBUG_INTERNAL_REFS          = 1U << 12,
	BINDER_DEBUG_PRIORITY_CAP           = 1U << 13,
	/* logs every spinlock acquire/release in the _binder_*_lock() helpers */
	BINDER_DEBUG_SPINLOCKS              = 1U << 14,
};
|
|
/* Default: only user errors and failed/dead transactions are logged. */
static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR |
	BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION;
module_param_named(debug_mask, binder_debug_mask, uint, 0644);

/* Device names to create, from Kconfig; read-only module parameter
 * (how the string is split is not visible here). */
char *binder_devices_param = CONFIG_ANDROID_BINDER_DEVICES;
module_param_named(devices, binder_devices_param, charp, 0444);

static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait);
/*
 * 0: user errors are only logged; non-zero: the next binder_user_error()
 * sets this to 2 ("stopped"). Writing a value < 2 via the module parameter
 * wakes binder_user_error_wait (see binder_set_stop_on_user_error()).
 */
static int binder_stop_on_user_error;
|
|
|
|
/*
 * binder_set_stop_on_user_error() - setter for the stop_on_user_error param
 * @val: new value as written to the module parameter
 * @kp:  kernel_param describing binder_stop_on_user_error
 *
 * Stores the value through param_set_int() and, when the resulting value is
 * below 2 (2 is the "stopped" state set by binder_user_error()), wakes anyone
 * blocked on binder_user_error_wait. The wake-up happens regardless of
 * whether param_set_int() accepted the input.
 *
 * Return: the result of param_set_int().
 */
static int binder_set_stop_on_user_error(const char *val,
					 const struct kernel_param *kp)
{
	int rc = param_set_int(val, kp);

	if (binder_stop_on_user_error < 2)
		wake_up(&binder_user_error_wait);

	return rc;
}
|
|
/* stop_on_user_error: int parameter with a custom setter so that lowering
 * the value releases waiters (see binder_set_stop_on_user_error()). */
module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
		  param_get_int, &binder_stop_on_user_error, 0644);
|
|
|
|
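/*
 * binder_debug() - rate-limited pr_info() gated by binder_debug_mask
 * @mask: BINDER_DEBUG_* bit(s); printed only if one is set in binder_debug_mask
 * @x:    printk-style format and arguments
 *
 * @mask is parenthesised so that a compound argument such as `A | B` is
 * masked as a whole instead of being re-associated with the `&`.
 */
#define binder_debug(mask, x...) \
	do { \
		if (binder_debug_mask & (mask)) \
			pr_info_ratelimited(x); \
	} while (0)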
|
|
|
|
/*
 * binder_user_error() - log a userspace protocol error (rate limited)
 * @x: printk-style format and arguments
 *
 * Logged only when BINDER_DEBUG_USER_ERROR is enabled. If the
 * stop_on_user_error parameter is non-zero it is set to 2 ("stopped");
 * what a value of 2 blocks is decided elsewhere in this file.
 */
#define binder_user_error(x...) \
	do { \
		if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \
			pr_info_ratelimited(x); \
		if (binder_stop_on_user_error) \
			binder_stop_on_user_error = 2; \
	} while (0)

/* Recover the enclosing object from its embedded binder_object_header. */
#define to_flat_binder_object(hdr) \
	container_of(hdr, struct flat_binder_object, hdr)

#define to_binder_fd_object(hdr) container_of(hdr, struct binder_fd_object, hdr)

#define to_binder_buffer_object(hdr) \
	container_of(hdr, struct binder_buffer_object, hdr)

#define to_binder_fd_array_object(hdr) \
	container_of(hdr, struct binder_fd_array_object, hdr)

/* global create/delete counters, updated via binder_stats_created()/_deleted() */
static struct binder_stats binder_stats;
|
|
|
|
/* Account one destroyed object of kind @type in the global binder_stats. */
static inline void binder_stats_deleted(enum binder_stat_types type)
{
	atomic_t *counter = &binder_stats.obj_deleted[type];

	atomic_inc(counter);
}
|
|
|
|
/* Account one newly created object of kind @type in the global binder_stats. */
static inline void binder_stats_created(enum binder_stat_types type)
{
	atomic_t *counter = &binder_stats.obj_created[type];

	atomic_inc(counter);
}
|
|
|
|
/* Ring logs of recent transactions (all, and failed only); entries are
 * claimed with binder_transaction_log_add(). Non-static: exported for
 * the debugfs code in another file. */
struct binder_transaction_log binder_transaction_log;
struct binder_transaction_log binder_transaction_log_failed;
|
|
|
|
/*
 * binder_transaction_log_add() - claim the next slot of a transaction log ring
 * @log: binder_transaction_log or binder_transaction_log_failed
 *
 * Atomically advances log->cur and returns the entry it indexes (modulo the
 * ring size), zeroed. log->full is set once the counter has moved past the
 * end of the array, i.e. once older entries start being overwritten.
 *
 * debug_id_done is written to 0 and published with a write barrier before
 * the memset() so that whoever observes the rest of the entry being cleared
 * also observes debug_id_done == 0 (entry in progress).
 *
 * Return: the zeroed entry; the caller fills it in.
 */
static struct binder_transaction_log_entry *binder_transaction_log_add(
	struct binder_transaction_log *log)
{
	struct binder_transaction_log_entry *slot;
	unsigned int idx = atomic_inc_return(&log->cur);

	if (idx >= ARRAY_SIZE(log->entry))
		log->full = true;

	slot = &log->entry[idx % ARRAY_SIZE(log->entry)];

	/* Mark the slot "in progress" before the rest of it is cleared. */
	WRITE_ONCE(slot->debug_id_done, 0);
	smp_wmb();
	memset(slot, 0, sizeof(*slot));

	return slot;
}
|
|
|
|
/* Work kinds queued through binder_defer_work(); combinable as a bitmask. */
enum binder_deferred_state {
	BINDER_DEFERRED_FLUSH        = 0x01,
	BINDER_DEFERRED_RELEASE      = 0x02,
};

/* Bits of thread->looper describing a binder_thread's looper state. */
enum {
	BINDER_LOOPER_STATE_REGISTERED  = 0x01,
	BINDER_LOOPER_STATE_ENTERED     = 0x02,
	BINDER_LOOPER_STATE_EXITED      = 0x04,
	BINDER_LOOPER_STATE_INVALID     = 0x08,
	BINDER_LOOPER_STATE_WAITING     = 0x10,
	/* thread is waiting via poll(); eligible for binder_wakeup_poll_threads_ilocked() */
	BINDER_LOOPER_STATE_POLL        = 0x20,
};
|
|
|
|
/**
|
|
* binder_proc_lock() - Acquire outer lock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Acquires proc->outer_lock. Used to protect binder_ref
|
|
* structures associated with the given proc.
|
|
*/
|
|
#define binder_proc_lock(proc) _binder_proc_lock(proc, __LINE__)
|
|
/*
 * _binder_proc_lock() - take proc->outer_lock (backs binder_proc_lock())
 * @proc: process whose outer lock to acquire
 * @line: caller's __LINE__, supplied by the binder_proc_lock() macro
 *
 * With BINDER_DEBUG_SPINLOCKS enabled the acquire site is logged first.
 */
static void
_binder_proc_lock(struct binder_proc *proc, int line)
	__acquires(&proc->outer_lock)
{
	binder_debug(BINDER_DEBUG_SPINLOCKS, "%s: line=%d\n", __func__, line);

	spin_lock(&proc->outer_lock);
}
|
|
|
|
/**
 * binder_proc_unlock() - Release spinlock for given binder_proc
 * @proc: struct binder_proc to release
 *
 * Releases the lock acquired via binder_proc_lock()
 */
|
|
#define binder_proc_unlock(_proc) _binder_proc_unlock(_proc, __LINE__)
|
|
/*
 * _binder_proc_unlock() - drop proc->outer_lock (backs binder_proc_unlock())
 * @proc: process whose outer lock to release
 * @line: caller's __LINE__, supplied by the binder_proc_unlock() macro
 *
 * With BINDER_DEBUG_SPINLOCKS enabled the release site is logged first.
 */
static void
_binder_proc_unlock(struct binder_proc *proc, int line)
	__releases(&proc->outer_lock)
{
	binder_debug(BINDER_DEBUG_SPINLOCKS, "%s: line=%d\n", __func__, line);

	spin_unlock(&proc->outer_lock);
}
|
|
|
|
/**
|
|
* binder_inner_proc_lock() - Acquire inner lock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Acquires proc->inner_lock. Used to protect todo lists
|
|
*/
|
|
#define binder_inner_proc_lock(proc) _binder_inner_proc_lock(proc, __LINE__)
|
|
/*
 * _binder_inner_proc_lock() - take proc->inner_lock
 * @proc: process whose inner lock to acquire
 * @line: caller's __LINE__, supplied by the binder_inner_proc_lock() macro
 *
 * With BINDER_DEBUG_SPINLOCKS enabled the acquire site is logged first.
 */
static void
_binder_inner_proc_lock(struct binder_proc *proc, int line)
	__acquires(&proc->inner_lock)
{
	binder_debug(BINDER_DEBUG_SPINLOCKS, "%s: line=%d\n", __func__, line);

	spin_lock(&proc->inner_lock);
}
|
|
|
|
/**
 * binder_inner_proc_unlock() - Release inner lock for given binder_proc
 * @proc: struct binder_proc to release
 *
 * Releases the lock acquired via binder_inner_proc_lock()
 */
|
|
#define binder_inner_proc_unlock(proc) _binder_inner_proc_unlock(proc, __LINE__)
|
|
/*
 * _binder_inner_proc_unlock() - drop proc->inner_lock
 * @proc: process whose inner lock to release
 * @line: caller's __LINE__, supplied by the binder_inner_proc_unlock() macro
 *
 * With BINDER_DEBUG_SPINLOCKS enabled the release site is logged first.
 */
static void
_binder_inner_proc_unlock(struct binder_proc *proc, int line)
	__releases(&proc->inner_lock)
{
	binder_debug(BINDER_DEBUG_SPINLOCKS, "%s: line=%d\n", __func__, line);

	spin_unlock(&proc->inner_lock);
}
|
|
|
|
/**
|
|
* binder_node_lock() - Acquire spinlock for given binder_node
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Acquires node->lock. Used to protect binder_node fields
|
|
*/
|
|
#define binder_node_lock(node) _binder_node_lock(node, __LINE__)
|
|
/*
 * _binder_node_lock() - take node->lock (backs binder_node_lock())
 * @node: node whose lock to acquire
 * @line: caller's __LINE__, supplied by the binder_node_lock() macro
 *
 * With BINDER_DEBUG_SPINLOCKS enabled the acquire site is logged first.
 */
static void
_binder_node_lock(struct binder_node *node, int line)
	__acquires(&node->lock)
{
	binder_debug(BINDER_DEBUG_SPINLOCKS, "%s: line=%d\n", __func__, line);

	spin_lock(&node->lock);
}
|
|
|
|
/**
 * binder_node_unlock() - Release spinlock for given binder_node
 * @node: struct binder_node to release
 *
 * Releases the lock acquired via binder_node_lock()
 */
|
|
#define binder_node_unlock(node) _binder_node_unlock(node, __LINE__)
|
|
/*
 * _binder_node_unlock() - drop node->lock (backs binder_node_unlock())
 * @node: node whose lock to release
 * @line: caller's __LINE__, supplied by the binder_node_unlock() macro
 *
 * With BINDER_DEBUG_SPINLOCKS enabled the release site is logged first.
 */
static void
_binder_node_unlock(struct binder_node *node, int line)
	__releases(&node->lock)
{
	binder_debug(BINDER_DEBUG_SPINLOCKS, "%s: line=%d\n", __func__, line);

	spin_unlock(&node->lock);
}
|
|
|
|
/**
 * binder_node_inner_lock() - Acquire node and inner locks
 * @node: struct binder_node to acquire
 *
 * Acquires node->lock. If node->proc is set, also acquires
 * node->proc->inner_lock. Used to protect binder_node fields
 */
|
|
#define binder_node_inner_lock(node) _binder_node_inner_lock(node, __LINE__)
|
|
/*
 * _binder_node_inner_lock() - take node->lock, then the owning proc's inner lock
 * @node: node to lock
 * @line: caller's __LINE__, supplied by the binder_node_inner_lock() macro
 *
 * node->proc is read only after node->lock is held. When the node has no
 * owning proc, only the sparse annotation for the inner lock is emitted so
 * the __acquires() contract still balances.
 */
static void
_binder_node_inner_lock(struct binder_node *node, int line)
	__acquires(&node->lock) __acquires(&node->proc->inner_lock)
{
	struct binder_proc *owner;

	binder_debug(BINDER_DEBUG_SPINLOCKS, "%s: line=%d\n", __func__, line);

	spin_lock(&node->lock);
	owner = node->proc;
	if (!owner) {
		/* annotation for sparse */
		__acquire(&node->proc->inner_lock);
		return;
	}
	binder_inner_proc_lock(owner);
}
|
|
|
|
/**
 * binder_node_inner_unlock() - Release node and inner locks
 * @node: struct binder_node to release
 *
 * Releases the locks acquired via binder_node_inner_lock()
 */
|
|
#define binder_node_inner_unlock(node) _binder_node_inner_unlock(node, __LINE__)
|
|
/*
 * _binder_node_inner_unlock() - drop the owning proc's inner lock, then node->lock
 * @node: node to unlock
 * @line: caller's __LINE__, supplied by the binder_node_inner_unlock() macro
 *
 * Mirrors _binder_node_inner_lock(): the inner lock is released first, and
 * when the node has no owning proc only the sparse annotation is emitted.
 */
static void
_binder_node_inner_unlock(struct binder_node *node, int line)
	__releases(&node->lock) __releases(&node->proc->inner_lock)
{
	struct binder_proc *owner = node->proc;

	binder_debug(BINDER_DEBUG_SPINLOCKS, "%s: line=%d\n", __func__, line);

	if (owner)
		binder_inner_proc_unlock(owner);
	else
		/* annotation for sparse */
		__release(&node->proc->inner_lock);

	spin_unlock(&node->lock);
}
|
|
|
|
/*
 * binder_worklist_empty_ilocked() - test a work list for emptiness
 * @list: list head to test
 *
 * Caller must hold the proc->inner_lock that protects @list.
 * Return: true if @list has no entries.
 */
static bool binder_worklist_empty_ilocked(struct list_head *list)
{
	bool empty = list_empty(list);

	return empty;
}
|
|
|
|
/**
|
|
* binder_worklist_empty() - Check if no items on the work list
|
|
* @proc: binder_proc associated with list
|
|
* @list: list to check
|
|
*
|
|
* Return: true if there are no items on list, else false
|
|
*/
|
|
/*
 * binder_worklist_empty() - locked wrapper around binder_worklist_empty_ilocked()
 * @proc: process whose inner lock protects @list
 * @list: list head to test
 *
 * Return: true if @list had no entries while proc->inner_lock was held.
 */
static bool binder_worklist_empty(struct binder_proc *proc,
				  struct list_head *list)
{
	bool empty;

	binder_inner_proc_lock(proc);
	empty = binder_worklist_empty_ilocked(list);
	binder_inner_proc_unlock(proc);

	return empty;
}
|
|
|
|
/**
|
|
* binder_enqueue_work_ilocked() - Add an item to the work list
|
|
* @work: struct binder_work to add to list
|
|
* @target_list: list to add work to
|
|
*
|
|
* Adds the work to the specified list. Asserts that work
|
|
* is not already on a list.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
/*
 * binder_enqueue_work_ilocked() - append @work to @target_list
 * @work:        work item; must not currently be on any list
 * @target_list: destination list (must not be NULL)
 *
 * Requires proc->inner_lock. A work entry whose ->next is non-NULL has been
 * initialised; if such an entry is also non-empty it is already queued, which
 * is a fatal programming error here.
 */
static void
binder_enqueue_work_ilocked(struct binder_work *work,
			    struct list_head *target_list)
{
	struct list_head *entry = &work->entry;

	BUG_ON(target_list == NULL);
	BUG_ON(entry->next && !list_empty(entry));

	list_add_tail(entry, target_list);
}
|
|
|
|
/**
|
|
* binder_enqueue_deferred_thread_work_ilocked() - Add deferred thread work
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread. Doesn't set the process_todo
|
|
* flag, which means that (if it wasn't already set) the thread will go to
|
|
* sleep without handling this work when it calls read.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
/*
 * binder_enqueue_deferred_thread_work_ilocked() - queue work without waking
 * @thread: target thread
 * @work:   work item to queue on thread->todo
 *
 * Unlike binder_enqueue_thread_work_ilocked() this leaves thread->process_todo
 * untouched, so the thread is not told to process the item now.
 * Requires proc->inner_lock; the thread must not be on the waiting list.
 */
static void
binder_enqueue_deferred_thread_work_ilocked(struct binder_thread *thread,
					    struct binder_work *work)
{
	struct list_head *todo = &thread->todo;

	WARN_ON(!list_empty(&thread->waiting_thread_node));

	binder_enqueue_work_ilocked(work, todo);
}
|
|
|
|
/**
|
|
* binder_enqueue_thread_work_ilocked() - Add an item to the thread work list
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread, and enables processing
|
|
* of the todo queue.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
/*
 * binder_enqueue_thread_work_ilocked() - queue work and flag it for processing
 * @thread: target thread
 * @work:   work item to queue on thread->todo
 *
 * Requires proc->inner_lock; the thread must not be on the waiting list.
 * Sets thread->process_todo so the item is handled on the next read.
 */
static void
binder_enqueue_thread_work_ilocked(struct binder_thread *thread,
				   struct binder_work *work)
{
	struct list_head *todo = &thread->todo;

	WARN_ON(!list_empty(&thread->waiting_thread_node));

	binder_enqueue_work_ilocked(work, todo);
	thread->process_todo = true;
}
|
|
|
|
/**
|
|
* binder_enqueue_thread_work() - Add an item to the thread work list
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread, and enables processing
|
|
* of the todo queue.
|
|
*/
|
|
/*
 * binder_enqueue_thread_work() - locked wrapper for
 *                                binder_enqueue_thread_work_ilocked()
 * @thread: target thread
 * @work:   work item to queue on thread->todo
 *
 * Takes and drops thread->proc->inner_lock around the enqueue.
 */
static void
binder_enqueue_thread_work(struct binder_thread *thread,
			   struct binder_work *work)
{
	struct binder_proc *proc = thread->proc;

	binder_inner_proc_lock(proc);
	binder_enqueue_thread_work_ilocked(thread, work);
	binder_inner_proc_unlock(proc);
}
|
|
|
|
/*
 * binder_dequeue_work_ilocked() - unlink @work from whatever list it is on
 * @work: work item to remove
 *
 * Requires proc->inner_lock. list_del_init() makes this safe to call
 * repeatedly or on an item that is not queued.
 */
static void
binder_dequeue_work_ilocked(struct binder_work *work)
{
	struct list_head *entry = &work->entry;

	list_del_init(entry);
}
|
|
|
|
/**
|
|
* binder_dequeue_work() - Removes an item from the work list
|
|
* @proc: binder_proc associated with list
|
|
* @work: struct binder_work to remove from list
|
|
*
|
|
* Removes the specified work item from whatever list it is on.
|
|
* Can safely be called if work is not on any list.
|
|
*/
|
|
/*
 * binder_dequeue_work() - locked wrapper for binder_dequeue_work_ilocked()
 * @proc: process whose inner lock protects the list @work is on
 * @work: work item to remove (may already be unqueued)
 */
static void
binder_dequeue_work(struct binder_proc *proc, struct binder_work *work)
{
	binder_inner_proc_lock(proc);
	binder_dequeue_work_ilocked(work);
	binder_inner_proc_unlock(proc);
}
|
|
|
|
/*
 * binder_dequeue_work_head_ilocked() - pop the first item of a work list
 * @list: work list to pop from
 *
 * Requires proc->inner_lock.
 * Return: the removed head item, or NULL if @list was empty.
 */
static struct binder_work *binder_dequeue_work_head_ilocked(
					struct list_head *list)
{
	struct binder_work *head;

	head = list_first_entry_or_null(list, struct binder_work, entry);
	if (!head)
		return NULL;

	list_del_init(&head->entry);
	return head;
}
|
|
|
|
/* Forward declarations for helpers defined later in this file. */
static void
binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
static void binder_free_thread(struct binder_thread *thread);
static void binder_free_proc(struct binder_proc *proc);
static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
|
|
|
|
/*
 * binder_has_work_ilocked() - does @thread have anything to do?
 * @thread:       thread to check
 * @do_proc_work: also consider the process-wide todo list
 *
 * Requires proc->inner_lock.
 * Return: true if the thread has flagged work, must return to userspace,
 *         or (when @do_proc_work) the proc's todo list is non-empty.
 */
static bool binder_has_work_ilocked(struct binder_thread *thread,
				    bool do_proc_work)
{
	if (thread->process_todo)
		return true;
	if (thread->looper_need_return)
		return true;
	if (!do_proc_work)
		return false;

	return !binder_worklist_empty_ilocked(&thread->proc->todo);
}
|
|
|
|
/*
 * binder_has_work() - locked wrapper for binder_has_work_ilocked()
 * @thread:       thread to check
 * @do_proc_work: also consider the process-wide todo list
 *
 * Return: the result of binder_has_work_ilocked() taken under
 *         thread->proc->inner_lock.
 */
static bool binder_has_work(struct binder_thread *thread, bool do_proc_work)
{
	struct binder_proc *proc = thread->proc;
	bool pending;

	binder_inner_proc_lock(proc);
	pending = binder_has_work_ilocked(thread, do_proc_work);
	binder_inner_proc_unlock(proc);

	return pending;
}
|
|
|
|
/*
 * A thread may pick up proc-wide work only when it is not in the middle
 * of a transaction, has an empty private todo list, and has entered or
 * registered as a looper. Caller holds the inner lock.
 */
static bool binder_available_for_proc_work_ilocked(struct binder_thread *thread)
{
	const int looper_ready = BINDER_LOOPER_STATE_ENTERED |
				 BINDER_LOOPER_STATE_REGISTERED;

	if (thread->transaction_stack)
		return false;
	if (!binder_worklist_empty_ilocked(&thread->todo))
		return false;
	return thread->looper & looper_ready;
}

/*
 * Wake every thread of @proc that is sitting in (e)poll and is otherwise
 * free to handle proc work. @sync selects the synchronous wake-up variant.
 * Caller holds the inner lock.
 */
static void binder_wakeup_poll_threads_ilocked(struct binder_proc *proc,
					       bool sync)
{
	struct rb_node *n;

	for (n = rb_first(&proc->threads); n; n = rb_next(n)) {
		struct binder_thread *thread;

		thread = rb_entry(n, struct binder_thread, rb_node);
		if (!(thread->looper & BINDER_LOOPER_STATE_POLL))
			continue;
		if (!binder_available_for_proc_work_ilocked(thread))
			continue;

		trace_android_vh_binder_wakeup_ilocked(thread->task, sync, proc);
		if (sync)
			wake_up_interruptible_sync(&thread->wait);
		else
			wake_up_interruptible(&thread->wait);
	}
}

/**
 * binder_select_thread_ilocked() - selects a thread for doing proc work.
 * @proc: process to select a thread from
 *
 * The selected thread is removed from proc->waiting_threads, so nothing
 * else can select it again; only the caller (or a signal) can wake it.
 * Callers therefore *should* always wake up the thread this returns.
 *
 * Return: the first thread waiting for process work, or NULL if none.
 */
static struct binder_thread *
binder_select_thread_ilocked(struct binder_proc *proc)
{
	struct binder_thread *thread;

	assert_spin_locked(&proc->inner_lock);
	thread = list_first_entry_or_null(&proc->waiting_threads,
					  struct binder_thread,
					  waiting_thread_node);
	if (!thread)
		return NULL;

	/* Detach so no other selector can hand out the same thread. */
	list_del_init(&thread->waiting_thread_node);
	return thread;
}

/**
 * binder_wakeup_thread_ilocked() - wakes up a thread for doing proc work.
 * @proc: process to wake up a thread in
 * @thread: specific thread to wake-up (may be NULL)
 * @sync: whether to do a synchronous wake-up
 *
 * Wakes @thread if one was supplied. With @thread == NULL, falls back to
 * waking every thread of @proc that is blocked in poll() and is available
 * for proc work (see binder_wakeup_poll_threads_ilocked()).
 *
 * Callers that do not already have a thread should obtain one from
 * binder_select_thread_ilocked() and pass it in as @thread.
 */
static void binder_wakeup_thread_ilocked(struct binder_proc *proc,
					 struct binder_thread *thread,
					 bool sync)
{
	assert_spin_locked(&proc->inner_lock);

	if (!thread) {
		/* No thread is waiting for proc work. Either:
		 * 1. every thread is busy with a transaction, in which case
		 *    one of them will re-enter the driver soon and pick this
		 *    work up; or
		 * 2. threads are blocked via (e)poll, where they sit on the
		 *    waitqueue without being on waiting_threads. Wake all of
		 *    those that are not handling transaction work, since we
		 *    cannot tell whether a poller is busy with non-binder work.
		 */
		binder_wakeup_poll_threads_ilocked(proc, sync);
		return;
	}

	trace_android_vh_binder_wakeup_ilocked(thread->task, sync, proc);
	if (sync)
		wake_up_interruptible_sync(&thread->wait);
	else
		wake_up_interruptible(&thread->wait);
}

/*
 * Select a waiting thread of @proc (if any) and wake it asynchronously;
 * with no waiting thread the poll-based fallback in
 * binder_wakeup_thread_ilocked() applies. Caller holds the inner lock.
 */
static void binder_wakeup_proc_ilocked(struct binder_proc *proc)
{
	struct binder_thread *target;

	target = binder_select_thread_ilocked(proc);
	binder_wakeup_thread_ilocked(proc, target, /* sync = */false);
}

/* True for the two real-time scheduling classes handled by binder. */
static bool is_rt_policy(int policy)
{
	switch (policy) {
	case SCHED_FIFO:
	case SCHED_RR:
		return true;
	default:
		return false;
	}
}

/* True for the two CFS ("fair") scheduling classes handled by binder. */
static bool is_fair_policy(int policy)
{
	switch (policy) {
	case SCHED_NORMAL:
	case SCHED_BATCH:
		return true;
	default:
		return false;
	}
}

/* Binder only propagates fair (NORMAL/BATCH) and RT (FIFO/RR) policies. */
static bool binder_supported_policy(int policy)
{
	return is_rt_policy(policy) || is_fair_policy(policy);
}

/*
 * Convert a kernel priority into the user-visible form for @policy:
 * a nice value for fair policies, an rtprio for everything else.
 * Inverse of to_kernel_prio().
 */
static int to_userspace_prio(int policy, int kernel_priority)
{
	return is_fair_policy(policy) ? PRIO_TO_NICE(kernel_priority)
				      : MAX_RT_PRIO - 1 - kernel_priority;
}

/*
 * Convert a user-visible priority (nice value for fair policies, rtprio
 * otherwise) into the kernel priority scale. Inverse of to_userspace_prio().
 */
static int to_kernel_prio(int policy, int user_priority)
{
	return is_fair_policy(policy) ? NICE_TO_PRIO(user_priority)
				      : MAX_RT_PRIO - 1 - user_priority;
}

/*
 * binder_do_set_priority() - apply a binder-inherited scheduling policy/prio
 * @task:	task whose scheduler settings are changed
 * @desired:	target policy (desired.sched_policy) and kernel prio (desired.prio)
 * @verify:	when true, clamp the request to what @task may set for itself
 *		(RLIMIT_RTPRIO / RLIMIT_NICE) unless it holds CAP_SYS_NICE
 *
 * Called with verify=true from binder_set_priority() and with verify=false
 * from binder_restore_priority(), so restoring a previously saved priority
 * skips the rlimit clamping below.
 */
static void binder_do_set_priority(struct task_struct *task,
				   struct binder_priority desired,
				   bool verify)
{
	int priority; /* user-space prio value */
	bool has_cap_nice;
	unsigned int policy = desired.sched_policy;

	/* Nothing to do if the task already runs with the requested settings. */
	if (task->policy == policy && task->normal_prio == desired.prio)
		return;

	has_cap_nice = has_capability_noaudit(task, CAP_SYS_NICE);

	/* From here on work in user-space units (nice value or rtprio). */
	priority = to_userspace_prio(policy, desired.prio);

	if (verify && is_rt_policy(policy) && !has_cap_nice) {
		long max_rtprio = task_rlimit(task, RLIMIT_RTPRIO);

		if (max_rtprio == 0) {
			/* RT not permitted at all: fall back to the best fair prio. */
			policy = SCHED_NORMAL;
			priority = MIN_NICE;
		} else if (priority > max_rtprio) {
			priority = max_rtprio;
		}
	}

	/* Note: policy may have just been downgraded to SCHED_NORMAL above,
	 * so this nice-limit check also covers that fallback.
	 */
	if (verify && is_fair_policy(policy) && !has_cap_nice) {
		long min_nice = rlimit_to_nice(task_rlimit(task, RLIMIT_NICE));

		if (min_nice > MAX_NICE) {
			binder_user_error("%d RLIMIT_NICE not set\n",
					  task->pid);
			return;
		} else if (priority < min_nice) {
			priority = min_nice;
		}
	}

	/* Log whenever the clamping changed what was asked for. */
	if (policy != desired.sched_policy ||
	    to_kernel_prio(policy, priority) != desired.prio)
		binder_debug(BINDER_DEBUG_PRIORITY_CAP,
			     "%d: priority %d not allowed, using %d instead\n",
			     task->pid, desired.prio,
			     to_kernel_prio(policy, priority));

	trace_binder_set_priority(task->tgid, task->pid, task->normal_prio,
				  to_kernel_prio(policy, priority),
				  desired.prio);

	/* Set the actual priority */
	if (task->policy != policy || is_rt_policy(policy)) {
		struct sched_param params;

		/* sched_priority is only meaningful for the RT classes. */
		params.sched_priority = is_rt_policy(policy) ? priority : 0;

		/* _nocheck variant: the permission checks were done above
		 * (when @verify is set). NOTE(review): the return value is
		 * not checked here.
		 */
		sched_setscheduler_nocheck(task,
					   policy | SCHED_RESET_ON_FORK,
					   &params);
	}
	if (is_fair_policy(policy))
		set_user_nice(task, priority);
}

/*
 * Apply @desired to @task with rlimit/capability verification enabled
 * (see binder_do_set_priority()).
 */
static void binder_set_priority(struct task_struct *task,
				struct binder_priority desired)
{
	const bool verify = true;

	binder_do_set_priority(task, desired, verify);
}

/*
 * Put @task back to a previously saved priority. Verification is skipped,
 * since the value being restored is one the task already ran with.
 */
static void binder_restore_priority(struct task_struct *task,
				    struct binder_priority desired)
{
	const bool verify = false;

	binder_do_set_priority(task, desired, verify);
}

/*
 * binder_transaction_priority() - apply inherited priority for transaction @t
 * @task:	target task that will service the transaction
 * @t:		transaction being delivered; t->priority is the requested prio
 * @node_prio:	minimum priority configured on the target node
 * @inherit_rt:	whether an RT policy carried by @t may be inherited
 *
 * Runs at most once per transaction (guarded by t->set_priority_called).
 * The task's current policy/normal_prio are stashed in t->saved_priority,
 * presumably for a later binder_restore_priority() by the caller.
 */
static void binder_transaction_priority(struct task_struct *task,
					struct binder_transaction *t,
					struct binder_priority node_prio,
					bool inherit_rt)
{
	struct binder_priority desired_prio = t->priority;

	if (t->set_priority_called)
		return;

	t->set_priority_called = true;
	t->saved_priority.sched_policy = task->policy;
	t->saved_priority.prio = task->normal_prio;

	/* Without inherit_rt an RT request is demoted to SCHED_NORMAL, nice 0. */
	if (!inherit_rt && is_rt_policy(desired_prio.sched_policy)) {
		desired_prio.prio = NICE_TO_PRIO(0);
		desired_prio.sched_policy = SCHED_NORMAL;
	}

	/* Note: the node minimum is compared against the original t->priority,
	 * not against the possibly demoted desired_prio.
	 */
	if (node_prio.prio < t->priority.prio ||
	    (node_prio.prio == t->priority.prio &&
	     node_prio.sched_policy == SCHED_FIFO)) {
		/*
		 * In case the minimum priority on the node is
		 * higher (lower value), use that priority. If
		 * the priority is the same, but the node uses
		 * SCHED_FIFO, prefer SCHED_FIFO, since it can
		 * run unbounded, unlike SCHED_RR.
		 */
		desired_prio = node_prio;
	}

	binder_set_priority(task, desired_prio);
	trace_android_vh_binder_set_priority(t, task);
}

/*
 * Look up the node of @proc keyed by the user-space pointer @ptr in the
 * proc->nodes rb-tree. On a hit a temporary reference is taken, which the
 * caller releases with binder_put_node(). Caller holds the inner lock.
 *
 * Return: the matching node, or NULL if @ptr is unknown to @proc.
 */
static struct binder_node *binder_get_node_ilocked(struct binder_proc *proc,
						   binder_uintptr_t ptr)
{
	struct rb_node *n = proc->nodes.rb_node;

	assert_spin_locked(&proc->inner_lock);

	while (n) {
		struct binder_node *node;

		node = rb_entry(n, struct binder_node, rb_node);
		if (ptr == node->ptr) {
			/* Implicit weak ref keeps the node alive until
			 * binder_put_node().
			 */
			binder_inc_node_tmpref_ilocked(node);
			return node;
		}
		n = ptr < node->ptr ? n->rb_left : n->rb_right;
	}
	return NULL;
}

/* Locked wrapper around binder_get_node_ilocked(); see there for the
 * reference semantics of the returned node.
 */
static struct binder_node *binder_get_node(struct binder_proc *proc,
					   binder_uintptr_t ptr)
{
	struct binder_node *found;

	binder_inner_proc_lock(proc);
	found = binder_get_node_ilocked(proc, ptr);
	binder_inner_proc_unlock(proc);
	return found;
}

/*
 * binder_init_node_ilocked() - initialise @new_node and insert it in @proc
 * @proc:	process that owns the node
 * @new_node:	zeroed, caller-allocated node to initialise
 * @fp:		flat_binder_object supplying ptr/cookie/flags, or NULL
 *		(all three default to 0)
 *
 * If a node with the same ptr already exists in proc->nodes, that node is
 * returned (with a temporary reference taken) and @new_node is left
 * untouched; the caller is then responsible for freeing @new_node (see
 * binder_new_node()). Otherwise @new_node is linked into the tree, given a
 * temporary reference, and returned. Caller holds the inner lock.
 *
 * Return: the node now registered for fp->binder in @proc.
 */
static struct binder_node *binder_init_node_ilocked(
						struct binder_proc *proc,
						struct binder_node *new_node,
						struct flat_binder_object *fp)
{
	struct rb_node **p = &proc->nodes.rb_node;
	struct rb_node *parent = NULL;
	struct binder_node *node;
	binder_uintptr_t ptr = fp ? fp->binder : 0;
	binder_uintptr_t cookie = fp ? fp->cookie : 0;
	__u32 flags = fp ? fp->flags : 0;
	s8 priority;

	assert_spin_locked(&proc->inner_lock);

	while (*p) {

		parent = *p;
		node = rb_entry(parent, struct binder_node, rb_node);

		if (ptr < node->ptr)
			p = &(*p)->rb_left;
		else if (ptr > node->ptr)
			p = &(*p)->rb_right;
		else {
			/*
			 * A matching node is already in
			 * the rb tree. Abandon the init
			 * and return it.
			 */
			binder_inc_node_tmpref_ilocked(node);
			return node;
		}
	}
	node = new_node;
	binder_stats_created(BINDER_STAT_NODE);
	/* Temporary reference handed back to the caller with the node. */
	node->tmp_refs++;
	rb_link_node(&node->rb_node, parent, p);
	rb_insert_color(&node->rb_node, &proc->nodes);
	node->debug_id = atomic_inc_return(&binder_last_id);
	node->proc = proc;
	node->ptr = ptr;
	node->cookie = cookie;
	node->work.type = BINDER_WORK_NODE;
	/* Scheduling attributes come straight from the (user-supplied)
	 * flat_binder_object flags; the policy field is only a few bits and
	 * the priority is truncated into an s8 here. They are turned into a
	 * kernel prio via to_kernel_prio() and are presumably applied to the
	 * serving thread by binder_transaction_priority() later on.
	 */
	priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
	node->sched_policy = (flags & FLAT_BINDER_FLAG_SCHED_POLICY_MASK) >>
		FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT;
	node->min_priority = to_kernel_prio(node->sched_policy, priority);
	node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
	node->inherit_rt = !!(flags & FLAT_BINDER_FLAG_INHERIT_RT);
	node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX);
	spin_lock_init(&node->lock);
	INIT_LIST_HEAD(&node->work.entry);
	INIT_LIST_HEAD(&node->async_todo);
	binder_debug(BINDER_DEBUG_INTERNAL_REFS,
		     "%d:%d node %d u%016llx c%016llx created\n",
		     proc->pid, current->pid, node->debug_id,
		     (u64)node->ptr, (u64)node->cookie);

	return node;
}

/*
 * Allocate a node for @proc described by @fp and register it. If another
 * thread registered an equivalent node meanwhile, that node is returned
 * and the fresh allocation is released. Either way the returned node
 * carries a temporary reference.
 *
 * Return: the registered node, or NULL on allocation failure.
 */
static struct binder_node *binder_new_node(struct binder_proc *proc,
					   struct flat_binder_object *fp)
{
	struct binder_node *new_node = kzalloc(sizeof(*new_node), GFP_KERNEL);
	struct binder_node *node;

	if (!new_node)
		return NULL;

	binder_inner_proc_lock(proc);
	node = binder_init_node_ilocked(proc, new_node, fp);
	binder_inner_proc_unlock(proc);

	/* Lost the race: an equivalent node was inserted first. */
	if (node != new_node)
		kfree(new_node);

	return node;
}

/* Release the memory of a node that no longer has any references and
 * account for it in the driver statistics.
 */
static void binder_free_node(struct binder_node *node)
{
	binder_stats_deleted(BINDER_STAT_NODE);
	kfree(node);
}

/*
 * binder_inc_node_nilocked() - take a strong or weak reference on @node
 * @node:	node to reference
 * @strong:	non-zero for a strong reference, zero for weak
 * @internal:	non-zero for an internal (ref-held) count, zero for local
 * @target_list: worklist on which to queue the node's BINDER_WORK_NODE item
 *		 when user space must be told about the new reference, or NULL
 *
 * Caller holds node->lock and, if the node is still attached to a proc,
 * that proc's inner lock ("nilocked").
 *
 * Return: 0 on success, -EINVAL when the increment is not allowed (a
 * first strong/weak reference with nowhere to queue the node work).
 */
static int binder_inc_node_nilocked(struct binder_node *node, int strong,
				    int internal,
				    struct list_head *target_list)
{
	struct binder_proc *proc = node->proc;

	assert_spin_locked(&node->lock);
	if (proc)
		assert_spin_locked(&proc->inner_lock);
	if (strong) {
		if (internal) {
			/* A first internal strong ref without a target list
			 * is only tolerated for the context manager node that
			 * already holds a strong ref.
			 */
			if (target_list == NULL &&
			    node->internal_strong_refs == 0 &&
			    !(node->proc &&
			      node == node->proc->context->binder_context_mgr_node &&
			      node->has_strong_ref)) {
				pr_err("invalid inc strong node for %d\n",
					node->debug_id);
				return -EINVAL;
			}
			node->internal_strong_refs++;
		} else
			node->local_strong_refs++;
		if (!node->has_strong_ref && target_list) {
			struct binder_thread *thread = container_of(target_list,
						    struct binder_thread, todo);
			/* Re-queue the node work on this thread's todo so the
			 * strong-ref state change reaches user space.
			 */
			binder_dequeue_work_ilocked(&node->work);
			BUG_ON(&thread->todo != target_list);
			binder_enqueue_deferred_thread_work_ilocked(thread,
								    &node->work);
		}
	} else {
		if (!internal)
			node->local_weak_refs++;
		if (!node->has_weak_ref && list_empty(&node->work.entry)) {
			if (target_list == NULL) {
				pr_err("invalid inc weak node for %d\n",
					node->debug_id);
				return -EINVAL;
			}
			/*
			 * See comment above
			 */
			binder_enqueue_work_ilocked(&node->work, target_list);
		}
	}
	return 0;
}

/* Locked wrapper around binder_inc_node_nilocked(); takes the node lock and
 * the owning proc's inner lock via binder_node_inner_lock().
 *
 * Return: 0 on success, else the errno from the _nilocked variant.
 */
static int binder_inc_node(struct binder_node *node, int strong, int internal,
			   struct list_head *target_list)
{
	int err;

	binder_node_inner_lock(node);
	err = binder_inc_node_nilocked(node, strong, internal, target_list);
	binder_node_inner_unlock(node);

	return err;
}

/*
 * binder_dec_node_nilocked() - drop a strong or weak reference on @node
 * @node:	node to dereference
 * @strong:	non-zero for a strong reference, zero for weak
 * @internal:	non-zero for an internal (ref-held) count, zero for local
 *
 * Caller holds node->lock and, if the node is still attached to a proc,
 * that proc's inner lock. When the last reference of a kind goes away and
 * user space still holds it (has_strong_ref/has_weak_ref), the node work
 * is queued on the proc so user space can be told; when nothing at all
 * references the node any more it is unlinked here.
 *
 * Return: true if the caller must now free @node (see binder_dec_node()),
 * false otherwise.
 */
static bool binder_dec_node_nilocked(struct binder_node *node,
				     int strong, int internal)
{
	struct binder_proc *proc = node->proc;

	assert_spin_locked(&node->lock);
	if (proc)
		assert_spin_locked(&proc->inner_lock);
	if (strong) {
		if (internal)
			node->internal_strong_refs--;
		else
			node->local_strong_refs--;
		if (node->local_strong_refs || node->internal_strong_refs)
			return false;
	} else {
		if (!internal)
			node->local_weak_refs--;
		if (node->local_weak_refs || node->tmp_refs ||
				!hlist_empty(&node->refs))
			return false;
	}

	if (proc && (node->has_strong_ref || node->has_weak_ref)) {
		/* User space still holds a ref: let it know via node work. */
		if (list_empty(&node->work.entry)) {
			binder_enqueue_work_ilocked(&node->work, &proc->todo);
			binder_wakeup_proc_ilocked(proc);
		}
	} else {
		if (hlist_empty(&node->refs) && !node->local_strong_refs &&
		    !node->local_weak_refs && !node->tmp_refs) {
			if (proc) {
				/* Live proc: unlink from its node tree. */
				binder_dequeue_work_ilocked(&node->work);
				rb_erase(&node->rb_node, &proc->nodes);
				binder_debug(BINDER_DEBUG_INTERNAL_REFS,
					     "refless node %d deleted\n",
					     node->debug_id);
			} else {
				/* Dead node: unlink from the global dead list. */
				BUG_ON(!list_empty(&node->work.entry));
				spin_lock(&binder_dead_nodes_lock);
				/*
				 * tmp_refs could have changed so
				 * check it again
				 */
				if (node->tmp_refs) {
					spin_unlock(&binder_dead_nodes_lock);
					return false;
				}
				hlist_del(&node->dead_node);
				spin_unlock(&binder_dead_nodes_lock);
				binder_debug(BINDER_DEBUG_INTERNAL_REFS,
					     "dead node %d deleted\n",
					     node->debug_id);
			}
			return true;
		}
	}
	return false;
}

/* Locked wrapper around binder_dec_node_nilocked(). The node is freed
 * only after the locks are dropped, since the lock lives inside it.
 */
static void binder_dec_node(struct binder_node *node, int strong, int internal)
{
	bool last_ref;

	binder_node_inner_lock(node);
	last_ref = binder_dec_node_nilocked(node, strong, internal);
	binder_node_inner_unlock(node);

	if (last_ref)
		binder_free_node(node);
}

/*
 * Bump node->tmp_refs under the caller's locks. binder_inc_node() is not
 * involved because tmp_refs are never reported to user space.
 */
static void binder_inc_node_tmpref_ilocked(struct binder_node *node)
{
	node->tmp_refs += 1;
}

/**
 * binder_inc_node_tmpref() - take a temporary reference on node
 * @node: node to reference
 *
 * Take reference on node to prevent the node from being freed
 * while referenced only by a local variable. The inner lock is
 * needed to serialize with the node work on the queue (which
 * isn't needed after the node is dead). If the node is dead
 * (node->proc is NULL), use binder_dead_nodes_lock to protect
 * node->tmp_refs against dead-node-only cases where the node
 * lock cannot be acquired (eg traversing the dead node list to
 * print nodes)
 */
static void binder_inc_node_tmpref(struct binder_node *node)
{
	/* node->lock is held across both proc checks below, which is what
	 * keeps the lock/unlock branches consistent with each other.
	 */
	binder_node_lock(node);
	if (node->proc)
		binder_inner_proc_lock(node->proc);
	else
		spin_lock(&binder_dead_nodes_lock);
	binder_inc_node_tmpref_ilocked(node);
	if (node->proc)
		binder_inner_proc_unlock(node->proc);
	else
		spin_unlock(&binder_dead_nodes_lock);
	binder_node_unlock(node);
}

/**
 * binder_dec_node_tmpref() - remove a temporary reference on node
 * @node: node to reference
 *
 * Release temporary reference on node taken via binder_inc_node_tmpref().
 * Dropping the last reference of any kind frees the node, so the caller
 * must not touch @node afterwards.
 */
static void binder_dec_node_tmpref(struct binder_node *node)
{
	bool free_node;

	binder_node_inner_lock(node);
	/* Dead nodes (no proc) are additionally guarded by the dead-nodes
	 * lock; the __acquire/__release pair only keeps sparse's lock
	 * balance happy on the live-proc path.
	 */
	if (!node->proc)
		spin_lock(&binder_dead_nodes_lock);
	else
		__acquire(&binder_dead_nodes_lock);
	node->tmp_refs--;
	BUG_ON(node->tmp_refs < 0);
	if (!node->proc)
		spin_unlock(&binder_dead_nodes_lock);
	else
		__release(&binder_dead_nodes_lock);
	/*
	 * Call binder_dec_node() to check if all refcounts are 0
	 * and cleanup is needed. Calling with strong=0 and internal=1
	 * causes no actual reference to be released in binder_dec_node().
	 * If that changes, a change is needed here too.
	 */
	free_node = binder_dec_node_nilocked(node, 0, 1);
	binder_node_inner_unlock(node);
	if (free_node)
		binder_free_node(node);
}

/* Counterpart of the implicit reference taken by binder_get_node*() and
 * binder_get_node_from_ref(); simply drops one tmp_ref.
 */
static void binder_put_node(struct binder_node *node)
{
	binder_dec_node_tmpref(node);
}

/*
 * Look up the ref of @proc for the user-supplied handle @desc in the
 * refs_by_desc tree. With @need_strong_ref set, a ref that only holds
 * weak counts is rejected and reported as a user error, so a handle that
 * was never strongly acquired cannot be used where a strong ref is
 * required. Caller holds the proc outer lock.
 *
 * Return: the ref, or NULL if @desc is unknown or not strong when required.
 */
static struct binder_ref *binder_get_ref_olocked(struct binder_proc *proc,
						 u32 desc, bool need_strong_ref)
{
	struct rb_node *n = proc->refs_by_desc.rb_node;

	while (n) {
		struct binder_ref *ref;

		ref = rb_entry(n, struct binder_ref, rb_node_desc);
		if (desc == ref->data.desc) {
			if (need_strong_ref && !ref->data.strong) {
				binder_user_error("tried to use weak ref as strong ref\n");
				return NULL;
			}
			return ref;
		}
		n = desc < ref->data.desc ? n->rb_left : n->rb_right;
	}
	return NULL;
}

/**
 * binder_get_ref_for_node_olocked() - get the ref associated with given node
 * @proc: binder_proc that owns the ref
 * @node: binder_node of target
 * @new_ref: newly allocated binder_ref to be initialized or %NULL
 *
 * Look up the ref for the given node and return it if it exists
 *
 * If it doesn't exist and the caller provides a newly allocated
 * ref, initialize the fields of the newly allocated ref and insert
 * into the given proc rb_trees and node refs list.
 *
 * Caller holds proc->outer_lock ("olocked"); node->lock is taken here
 * only for the brief insertion into node->refs.
 *
 * Return: the ref for node. It is possible that another thread
 * allocated/initialized the ref first in which case the
 * returned ref would be different than the passed-in
 * new_ref. new_ref must be kfree'd by the caller in
 * this case.
 */
static struct binder_ref *binder_get_ref_for_node_olocked(
					struct binder_proc *proc,
					struct binder_node *node,
					struct binder_ref *new_ref)
{
	struct binder_context *context = proc->context;
	struct rb_node **p = &proc->refs_by_node.rb_node;
	struct rb_node *parent = NULL;
	struct binder_ref *ref;
	struct rb_node *n;

	/* refs_by_node is keyed by node pointer value. */
	while (*p) {
		parent = *p;
		ref = rb_entry(parent, struct binder_ref, rb_node_node);

		if (node < ref->node)
			p = &(*p)->rb_left;
		else if (node > ref->node)
			p = &(*p)->rb_right;
		else
			return ref;
	}
	if (!new_ref)
		return NULL;

	binder_stats_created(BINDER_STAT_REF);
	new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
	new_ref->proc = proc;
	new_ref->node = node;
	rb_link_node(&new_ref->rb_node_node, parent, p);
	rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);

	/* Pick the handle (desc): 0 is reserved for the context manager
	 * node, everything else starts at 1. Walk refs_by_desc in order and
	 * take the first unused value; this is linear in the number of refs
	 * the proc holds.
	 */
	new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
	for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
		ref = rb_entry(n, struct binder_ref, rb_node_desc);
		if (ref->data.desc > new_ref->data.desc)
			break;
		new_ref->data.desc = ref->data.desc + 1;
	}

	/* The chosen desc must be unique by construction; hitting an equal
	 * key here would mean the tree is corrupt.
	 */
	p = &proc->refs_by_desc.rb_node;
	while (*p) {
		parent = *p;
		ref = rb_entry(parent, struct binder_ref, rb_node_desc);

		if (new_ref->data.desc < ref->data.desc)
			p = &(*p)->rb_left;
		else if (new_ref->data.desc > ref->data.desc)
			p = &(*p)->rb_right;
		else
			BUG();
	}
	rb_link_node(&new_ref->rb_node_desc, parent, p);
	rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);

	binder_node_lock(node);
	hlist_add_head(&new_ref->node_entry, &node->refs);

	binder_debug(BINDER_DEBUG_INTERNAL_REFS,
		     "%d new ref %d desc %d for node %d\n",
		      proc->pid, new_ref->data.debug_id, new_ref->data.desc,
		      node->debug_id);
	binder_node_unlock(node);
	return new_ref;
}

/*
 * binder_cleanup_ref_olocked() - detach @ref from its proc and node
 * @ref:	ref whose strong and weak counts have both reached zero
 *
 * Removes @ref from both proc rb-trees and from the node's refs list,
 * drops the node references it was holding, and dequeues any pending
 * death-notification work. The memory is not released here; the caller
 * frees it via binder_free_ref(), and ref->node is cleared unless the
 * caller is expected to free the node as well. Caller holds the proc
 * outer lock.
 */
static void binder_cleanup_ref_olocked(struct binder_ref *ref)
{
	bool delete_node = false;

	binder_debug(BINDER_DEBUG_INTERNAL_REFS,
		     "%d delete ref %d desc %d for node %d\n",
		      ref->proc->pid, ref->data.debug_id, ref->data.desc,
		      ref->node->debug_id);

	rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc);
	rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node);

	binder_node_inner_lock(ref->node);
	/* A ref with a strong count holds one internal strong node ref. */
	if (ref->data.strong)
		binder_dec_node_nilocked(ref->node, 1, 1);

	hlist_del(&ref->node_entry);
	/* Every ref holds one internal weak node ref; dropping it may make
	 * the node freeable.
	 */
	delete_node = binder_dec_node_nilocked(ref->node, 0, 1);
	binder_node_inner_unlock(ref->node);
	/*
	 * Clear ref->node unless we want the caller to free the node
	 */
	if (!delete_node) {
		/*
		 * The caller uses ref->node to determine
		 * whether the node needs to be freed. Clear
		 * it since the node is still alive.
		 */
		ref->node = NULL;
	}

	if (ref->death) {
		binder_debug(BINDER_DEBUG_DEAD_BINDER,
			     "%d delete ref %d desc %d has death notification\n",
			      ref->proc->pid, ref->data.debug_id,
			      ref->data.desc);
		binder_dequeue_work(ref->proc, &ref->death->work);
		binder_stats_deleted(BINDER_STAT_DEATH);
	}
	binder_stats_deleted(BINDER_STAT_REF);
}

/**
 * binder_inc_ref_olocked() - increment the ref for given handle
 * @ref: ref to be incremented
 * @strong: if true, strong increment, else weak
 * @target_list: list to queue node work on
 *
 * Increment the ref. @ref->proc->outer_lock must be held on entry.
 * The first strong (or weak) count on a ref also takes the matching
 * internal reference on the underlying node; if that fails the ref's
 * count is left unchanged.
 *
 * Return: 0, if successful, else errno
 */
static int binder_inc_ref_olocked(struct binder_ref *ref, int strong,
				  struct list_head *target_list)
{
	bool first = strong ? ref->data.strong == 0 : ref->data.weak == 0;

	if (first) {
		int ret = binder_inc_node(ref->node, strong ? 1 : 0, 1,
					  target_list);

		if (ret)
			return ret;
	}

	if (strong)
		ref->data.strong++;
	else
		ref->data.weak++;
	return 0;
}

/**
 * binder_dec_ref_olocked() - dec the ref for given handle
 * @ref: ref to be decremented
 * @strong: if true, strong decrement, else weak
 *
 * Decrement the ref. A decrement on a count that is already zero is
 * reported as a user error and ignored. Dropping the last strong count
 * releases the node's strong reference; once both counts are zero the
 * ref is cleaned up via binder_cleanup_ref_olocked().
 *
 * Return: true if ref is cleaned up and ready to be freed
 */
static bool binder_dec_ref_olocked(struct binder_ref *ref, int strong)
{
	if (strong) {
		if (!ref->data.strong) {
			binder_user_error("%d invalid dec strong, ref %d desc %d s %d w %d\n",
					  ref->proc->pid, ref->data.debug_id,
					  ref->data.desc, ref->data.strong,
					  ref->data.weak);
			return false;
		}
		if (--ref->data.strong == 0)
			binder_dec_node(ref->node, strong, 1);
	} else {
		if (!ref->data.weak) {
			binder_user_error("%d invalid dec weak, ref %d desc %d s %d w %d\n",
					  ref->proc->pid, ref->data.debug_id,
					  ref->data.desc, ref->data.strong,
					  ref->data.weak);
			return false;
		}
		ref->data.weak--;
	}

	if (ref->data.strong || ref->data.weak)
		return false;

	binder_cleanup_ref_olocked(ref);
	return true;
}

/**
 * binder_get_node_from_ref() - get the node from the given proc/desc
 * @proc: proc containing the ref
 * @desc: the handle associated with the ref
 * @need_strong_ref: if true, only return node if ref is strong
 * @rdata: the id/refcount data for the ref (may be NULL)
 *
 * Resolve the user-supplied handle @desc to its binder_node. The lookup
 * happens under the proc outer lock; the returned node carries a temporary
 * reference which the caller releases with binder_put_node().
 *
 * Return: a binder_node or NULL if not found or not strong when strong required
 */
static struct binder_node *binder_get_node_from_ref(
		struct binder_proc *proc,
		u32 desc, bool need_strong_ref,
		struct binder_ref_data *rdata)
{
	struct binder_node *node = NULL;
	struct binder_ref *ref;

	binder_proc_lock(proc);
	ref = binder_get_ref_olocked(proc, desc, need_strong_ref);
	if (ref) {
		node = ref->node;
		/* Pin the node until the caller's binder_put_node(). */
		binder_inc_node_tmpref(node);
		if (rdata)
			*rdata = ref->data;
	}
	binder_proc_unlock(proc);

	return node;
}

/**
 * binder_free_ref() - free the binder_ref
 * @ref: ref to free
 *
 * Free the binder_ref. Free the binder_node indicated by ref->node
 * (if non-NULL) and the binder_ref_death indicated by ref->death.
 * binder_cleanup_ref_olocked() leaves ref->node set only when the
 * node is to be freed along with the ref.
 */
static void binder_free_ref(struct binder_ref *ref)
{
	struct binder_node *node = ref->node;

	if (node)
		binder_free_node(node);
	kfree(ref->death);
	kfree(ref);
}

/**
 * binder_update_ref_for_handle() - inc/dec the ref for given handle
 * @proc: proc containing the ref
 * @desc: the handle associated with the ref
 * @increment: true=inc reference, false=dec reference
 * @strong: true=strong reference, false=weak reference
 * @rdata: the id/refcount data for the ref (may be NULL)
 *
 * Given a proc and ref handle, increment or decrement the ref
 * according to "increment" arg. The ref is freed after the proc lock
 * is dropped when the decrement removed its last count.
 *
 * Return: 0 if successful, -EINVAL if @desc does not resolve to a usable
 * ref, else the errno from the increment
 */
static int binder_update_ref_for_handle(struct binder_proc *proc,
		uint32_t desc, bool increment, bool strong,
		struct binder_ref_data *rdata)
{
	int ret = 0;
	bool delete_ref = false;
	struct binder_ref *ref;

	binder_proc_lock(proc);
	ref = binder_get_ref_olocked(proc, desc, strong);
	if (ref) {
		if (increment)
			ret = binder_inc_ref_olocked(ref, strong, NULL);
		else
			delete_ref = binder_dec_ref_olocked(ref, strong);

		if (rdata)
			*rdata = ref->data;
	} else {
		ret = -EINVAL;
	}
	binder_proc_unlock(proc);

	if (delete_ref)
		binder_free_ref(ref);
	return ret;
}

/**
 * binder_dec_ref_for_handle() - dec the ref for given handle
 * @proc: proc containing the ref
 * @desc: the handle associated with the ref
 * @strong: true=strong reference, false=weak reference
 * @rdata: the id/refcount data for the ref
 *
 * Convenience wrapper: binder_update_ref_for_handle() with increment=false.
 *
 * Return: 0 if successful, else errno
 */
static int binder_dec_ref_for_handle(struct binder_proc *proc,
		uint32_t desc, bool strong, struct binder_ref_data *rdata)
{
	const bool increment = false;

	return binder_update_ref_for_handle(proc, desc, increment, strong,
					    rdata);
}

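/**
 * binder_inc_ref_for_node() - increment the ref for given proc/node
 * @proc: proc containing the ref
 * @node: target node
 * @strong: true=strong reference, false=weak reference
 * @target_list: worklist to use if node is incremented
 * @rdata: the id/refcount data for the ref, or NULL if not wanted
 *
 * Given a proc and node, increment the ref. Create the ref if it
 * doesn't already exist. Allocation happens with the proc lock dropped,
 * so the lookup is repeated afterwards and a ref created meanwhile by
 * another thread wins; the spare allocation is then freed.
 *
 * @rdata is now optional, matching binder_update_ref_for_handle() and
 * binder_get_node_from_ref(), which both already tolerate a NULL @rdata.
 *
 * Return: 0 if successful, else errno
 */
static int binder_inc_ref_for_node(struct binder_proc *proc,
			struct binder_node *node,
			bool strong,
			struct list_head *target_list,
			struct binder_ref_data *rdata)
{
	struct binder_ref *ref;
	struct binder_ref *new_ref = NULL;
	int ret = 0;

	binder_proc_lock(proc);
	ref = binder_get_ref_for_node_olocked(proc, node, NULL);
	if (!ref) {
		/* Cannot allocate under the spinlock: drop it, allocate,
		 * and redo the lookup with the fresh ref on offer.
		 */
		binder_proc_unlock(proc);
		new_ref = kzalloc(sizeof(*ref), GFP_KERNEL);
		if (!new_ref)
			return -ENOMEM;
		binder_proc_lock(proc);
		ref = binder_get_ref_for_node_olocked(proc, node, new_ref);
	}
	ret = binder_inc_ref_olocked(ref, strong, target_list);
	if (rdata)
		*rdata = ref->data;
	binder_proc_unlock(proc);
	if (new_ref && ref != new_ref)
		/*
		 * Another thread created the ref first so
		 * free the one we allocated
		 */
		kfree(new_ref);
	return ret;
}
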
/*
 * Pop transaction @t off the top of @target_thread's transaction stack.
 * @t must be the current top and must have been sent from @target_thread;
 * both invariants are BUG_ON-checked. Caller holds the thread's proc
 * inner lock.
 */
static void binder_pop_transaction_ilocked(struct binder_thread *target_thread,
					   struct binder_transaction *t)
{
	struct binder_transaction *top;

	BUG_ON(!target_thread);
	assert_spin_locked(&target_thread->proc->inner_lock);

	top = target_thread->transaction_stack;
	BUG_ON(top != t);
	BUG_ON(top->from != target_thread);

	target_thread->transaction_stack = top->from_parent;
	t->from = NULL;
}

/**
 * binder_thread_dec_tmpref() - decrement thread->tmp_ref
 * @thread: thread to decrement
 *
 * A thread needs to be kept alive while being used to create or
 * handle a transaction. binder_get_txn_from() is used to safely
 * extract t->from from a binder_transaction and keep the thread
 * indicated by t->from from being freed. When done with that
 * binder_thread, this function is called to decrement the
 * tmp_ref and free if appropriate (thread has been released
 * and no transaction being processed by the driver).
 *
 * The decrement is done under the proc inner lock even though
 * tmp_ref is atomic: the lock is what makes the "is_dead and
 * count hit zero" decision race-free. The thread itself is freed
 * only after the lock is dropped.
 */
static void binder_thread_dec_tmpref(struct binder_thread *thread)
{
	bool release;

	binder_inner_proc_lock(thread->proc);
	atomic_dec(&thread->tmp_ref);
	release = thread->is_dead && !atomic_read(&thread->tmp_ref);
	binder_inner_proc_unlock(thread->proc);

	if (release)
		binder_free_thread(thread);
}

/**
 * binder_proc_dec_tmpref() - decrement proc->tmp_ref
 * @proc: proc to decrement
 *
 * A binder_proc needs to be kept alive while being used to create or
 * handle a transaction. proc->tmp_ref is incremented when
 * creating a new transaction or the binder_proc is currently in-use
 * by threads that are being released. When done with the binder_proc,
 * this function is called to decrement the counter and free the
 * proc if appropriate (proc has been released, all threads have
 * been released and not currently in-use to process a transaction).
 * The proc is freed only after its inner lock has been dropped.
 */
static void binder_proc_dec_tmpref(struct binder_proc *proc)
{
	bool release;

	binder_inner_proc_lock(proc);
	proc->tmp_ref--;
	release = proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
		  !proc->tmp_ref;
	binder_inner_proc_unlock(proc);

	if (release)
		binder_free_proc(proc);
}

/**
 * binder_get_txn_from() - safely extract the "from" thread in transaction
 * @t: binder transaction for t->from
 *
 * Read t->from under t->lock and, if it is set, bump that thread's
 * tmp_ref so it stays alive until binder_thread_dec_tmpref() is called.
 *
 * Return: the value of t->from
 */
static struct binder_thread *binder_get_txn_from(
		struct binder_transaction *t)
{
	struct binder_thread *sender;

	spin_lock(&t->lock);
	sender = t->from;
	if (sender)
		atomic_inc(&sender->tmp_ref);
	spin_unlock(&t->lock);

	return sender;
}

/**
|
|
* binder_get_txn_from_and_acq_inner() - get t->from and acquire inner lock
|
|
* @t: binder transaction for t->from
|
|
*
|
|
* Same as binder_get_txn_from() except it also acquires the proc->inner_lock
|
|
* to guarantee that the thread cannot be released while operating on it.
|
|
* The caller must call binder_inner_proc_unlock() to release the inner lock
|
|
* as well as call binder_thread_dec_tmpref() to release the reference.
|
|
*
|
|
* Return: the value of t->from
|
|
*/
|
|
static struct binder_thread *binder_get_txn_from_and_acq_inner(
		struct binder_transaction *t)
	__acquires(&t->from->proc->inner_lock)
{
	struct binder_thread *from;

	/* Holds a tmp_ref on @from (when non-NULL) from here on. */
	from = binder_get_txn_from(t);
	if (!from) {
		/* Sparse annotation only: satisfies __acquires on the NULL path. */
		__acquire(&from->proc->inner_lock);
		return NULL;
	}
	binder_inner_proc_lock(from->proc);
	/*
	 * Re-check under the inner lock: if t->from was cleared in the
	 * meantime, @from is no longer this transaction's sender.
	 */
	if (t->from) {
		BUG_ON(from != t->from);
		return from;	/* caller owns the inner lock and the tmp_ref */
	}
	/* Lost the race: drop the lock and the tmp_ref, report no sender. */
	binder_inner_proc_unlock(from->proc);
	__acquire(&from->proc->inner_lock);
	binder_thread_dec_tmpref(from);
	return NULL;
}
|
|
|
|
/**
|
|
* binder_free_txn_fixups() - free unprocessed fd fixups
|
|
* @t: transaction whose pending fd fixups are to be released
|
|
*
|
|
* If the transaction is being torn down prior to being
|
|
* processed by the target process, free all of the
|
|
* fd fixups and fput the file structs. It is safe to
|
|
* call this function after the fixups have been
|
|
* processed -- in that case, the list will be empty.
|
|
*/
|
|
static void binder_free_txn_fixups(struct binder_transaction *t)
{
	struct binder_txn_fd_fixup *fixup;

	/*
	 * Pop entries one at a time. fput() drops the reference that was
	 * taken on the file when the fixup was recorded.
	 */
	while (!list_empty(&t->fd_fixups)) {
		fixup = list_first_entry(&t->fd_fixups,
					 struct binder_txn_fd_fixup,
					 fixup_entry);
		fput(fixup->file);
		list_del(&fixup->fixup_entry);
		kfree(fixup);
	}
}
|
|
|
|
/*
 * Emit the latency tracepoint for @t. The endpoint pids are sampled under
 * t->lock because t->from / t->to_* can be cleared concurrently; 0 stands
 * for an endpoint that is already gone.
 */
static void binder_txn_latency_free(struct binder_transaction *t)
{
	int from_proc = 0, from_thread = 0, to_proc = 0, to_thread = 0;

	spin_lock(&t->lock);
	if (t->from) {
		from_proc = t->from->proc->pid;
		from_thread = t->from->pid;
	}
	if (t->to_proc)
		to_proc = t->to_proc->pid;
	if (t->to_thread)
		to_thread = t->to_thread->pid;
	spin_unlock(&t->lock);

	trace_binder_txn_latency_free(t, from_proc, from_thread, to_proc, to_thread);
}
|
|
|
|
/**
 * binder_free_transaction() - release a transaction and its side effects
 * @t: transaction to free
 *
 * Drops the target proc's outstanding_txns count, detaches @t from its
 * buffer, emits the latency tracepoint, releases any unapplied fd fixups
 * and frees @t.
 */
static void binder_free_transaction(struct binder_transaction *t)
{
	struct binder_proc *target_proc = t->to_proc;

	if (target_proc) {
		binder_inner_proc_lock(target_proc);
		target_proc->outstanding_txns--;
		/* Going negative means an accounting bug; warn but keep going. */
		if (target_proc->outstanding_txns < 0)
			pr_warn("%s: Unexpected outstanding_txns %d\n",
				__func__, target_proc->outstanding_txns);
		/* Wake waiters on freeze_wait once a frozen proc has drained. */
		if (!target_proc->outstanding_txns && target_proc->is_frozen)
			wake_up_interruptible_all(&target_proc->freeze_wait);
		if (t->buffer)
			t->buffer->transaction = NULL;
		binder_inner_proc_unlock(target_proc);
	}
	if (trace_binder_txn_latency_free_enabled())
		binder_txn_latency_free(t);
	/*
	 * If the transaction has no target_proc, then
	 * t->buffer->transaction has already been cleared.
	 */
	binder_free_txn_fixups(t);
	kfree(t);
	binder_stats_deleted(BINDER_STAT_TRANSACTION);
}
|
|
|
|
/**
 * binder_send_failed_reply() - deliver an error to the sender of @t
 * @t: synchronous transaction that cannot be completed
 * @error_code: BR_* error to queue on the sending thread
 *
 * Walks the from_parent chain: if the sending thread is still alive, its
 * reply_error work is queued with @error_code and @t is freed. If the
 * sender is gone, @t is freed and the same error is propagated to the
 * parent transaction, until the chain is exhausted. Oneway transactions
 * have no sender waiting and must not be passed here (BUG_ON).
 */
static void binder_send_failed_reply(struct binder_transaction *t,
				     uint32_t error_code)
{
	struct binder_thread *target_thread;
	struct binder_transaction *next;

	BUG_ON(t->flags & TF_ONE_WAY);
	while (1) {
		/* Non-NULL: inner lock of target_thread->proc is held + tmp_ref taken. */
		target_thread = binder_get_txn_from_and_acq_inner(t);
		if (target_thread) {
			binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
				     "send failed reply for transaction %d to %d:%d\n",
				      t->debug_id,
				      target_thread->proc->pid,
				      target_thread->pid);

			binder_pop_transaction_ilocked(target_thread, t);
			/* Only the first error is reported to the sender. */
			if (target_thread->reply_error.cmd == BR_OK) {
				target_thread->reply_error.cmd = error_code;
				binder_enqueue_thread_work_ilocked(
					target_thread,
					&target_thread->reply_error.work);
				wake_up_interruptible(&target_thread->wait);
			} else {
				/*
				 * Cannot get here for normal operation, but
				 * we can if multiple synchronous transactions
				 * are sent without blocking for responses.
				 * Just ignore the 2nd error in this case.
				 */
				pr_warn("Unexpected reply error: %u\n",
					target_thread->reply_error.cmd);
			}
			binder_inner_proc_unlock(target_thread->proc);
			binder_thread_dec_tmpref(target_thread);
			binder_free_transaction(t);
			return;
		}
		/* Sparse only: balances the callee's __acquires on the NULL path. */
		__release(&target_thread->proc->inner_lock);
		next = t->from_parent;

		binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
			     "send failed reply for transaction %d, target dead\n",
			     t->debug_id);

		binder_free_transaction(t);
		if (next == NULL) {
			binder_debug(BINDER_DEBUG_DEAD_BINDER,
				     "reply failed, no target thread at root\n");
			return;
		}
		/* Propagate the failure to the transaction we were replying to. */
		t = next;
		binder_debug(BINDER_DEBUG_DEAD_BINDER,
			     "reply failed, no target thread -- retry %d\n",
			      t->debug_id);
	}
}
|
|
|
|
/**
|
|
* binder_cleanup_transaction() - cleans up undelivered transaction
|
|
* @t: transaction that needs to be cleaned up
|
|
* @reason: reason the transaction wasn't delivered
|
|
* @error_code: error to return to caller (if synchronous call)
|
|
*/
|
|
static void binder_cleanup_transaction(struct binder_transaction *t,
				       const char *reason,
				       uint32_t error_code)
{
	bool needs_reply = t->buffer->target_node && !(t->flags & TF_ONE_WAY);

	/* A synchronous caller is still blocked; hand it the error. */
	if (needs_reply) {
		binder_send_failed_reply(t, error_code);
		return;
	}

	binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
		     "undelivered transaction %d, %s\n",
		     t->debug_id, reason);
	binder_free_transaction(t);
}
|
|
|
|
/**
|
|
* binder_get_object() - gets object and checks for valid metadata
|
|
* @proc: binder_proc owning the buffer
|
|
* @u: sender's user pointer to base of buffer
|
|
* @buffer: binder_buffer that we're parsing.
|
|
* @offset: offset in the @buffer at which to validate an object.
|
|
* @object: struct binder_object to read into
|
|
*
|
|
* Copy the binder object at the given offset into @object. If @u is
|
|
* provided then the copy is from the sender's buffer. If not, then
|
|
* it is copied from the target's @buffer.
|
|
*
|
|
* Return: If there's a valid metadata object at @offset, the
|
|
* size of that object. Otherwise, it returns zero. The object
|
|
* is read into the struct binder_object pointed to by @object.
|
|
*/
|
|
/*
 * Wire size of the object whose header carries @type; 0 for a type the
 * driver does not know. Kept separate so the size table reads as a table.
 */
static size_t binder_object_size_for_type(u32 type)
{
	switch (type) {
	case BINDER_TYPE_BINDER:
	case BINDER_TYPE_WEAK_BINDER:
	case BINDER_TYPE_HANDLE:
	case BINDER_TYPE_WEAK_HANDLE:
		return sizeof(struct flat_binder_object);
	case BINDER_TYPE_FD:
		return sizeof(struct binder_fd_object);
	case BINDER_TYPE_PTR:
		return sizeof(struct binder_buffer_object);
	case BINDER_TYPE_FDA:
		return sizeof(struct binder_fd_array_object);
	default:
		return 0;
	}
}

static size_t binder_get_object(struct binder_proc *proc,
				const void __user *u,
				struct binder_buffer *buffer,
				unsigned long offset,
				struct binder_object *object)
{
	struct binder_object_header *hdr = &object->hdr;
	size_t object_size;
	size_t read_size;

	/*
	 * @offset and the object header both originate from the sender:
	 * bound the read before touching anything.
	 */
	if (offset > buffer->data_size)
		return 0;
	read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
	if (read_size < sizeof(*hdr))
		return 0;

	if (u) {
		if (copy_from_user(object, u + offset, read_size))
			return 0;
	} else if (binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
						 offset, read_size)) {
		return 0;
	}

	/* Unknown type: report "no object" rather than guessing a size. */
	object_size = binder_object_size_for_type(hdr->type);
	if (!object_size)
		return 0;

	/* The whole object, not just its header, must fit in the buffer. */
	if (buffer->data_size < object_size ||
	    offset > buffer->data_size - object_size)
		return 0;

	return object_size;
}
|
|
|
|
/**
|
|
* binder_validate_ptr() - validates binder_buffer_object in a binder_buffer.
|
|
* @proc: binder_proc owning the buffer
|
|
* @b: binder_buffer containing the object
|
|
* @object: struct binder_object to read into
|
|
* @index: index in offset array at which the binder_buffer_object is
|
|
* located
|
|
* @start_offset: points to the start of the offset array
|
|
* @object_offsetp: offset of @object read from @b
|
|
* @num_valid: the number of valid offsets in the offset array
|
|
*
|
|
* Return: If @index is within the valid range of the offset array
|
|
* described by @start_offset and @num_valid, and if there's a valid
|
|
* binder_buffer_object at the offset found in index @index
|
|
* of the offset array, that object is returned. Otherwise,
|
|
* %NULL is returned.
|
|
* Note that the offset found in index @index itself is not
|
|
* verified; this function assumes that @num_valid elements
|
|
* from @start were previously verified to have valid offsets.
|
|
* If @object_offsetp is non-NULL, then the offset within
|
|
* @b is written to it.
|
|
*/
|
|
static struct binder_buffer_object *binder_validate_ptr(
						struct binder_proc *proc,
						struct binder_buffer *b,
						struct binder_object *object,
						binder_size_t index,
						binder_size_t start_offset,
						binder_size_t *object_offsetp,
						binder_size_t num_valid)
{
	binder_size_t object_offset;
	unsigned long entry_offset;

	/* Only offsets the driver has already verified may be dereferenced. */
	if (index >= num_valid)
		return NULL;

	entry_offset = start_offset + sizeof(binder_size_t) * index;
	if (binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
					  b, entry_offset,
					  sizeof(object_offset)))
		return NULL;

	/* Must be a complete object and specifically a buffer object. */
	if (binder_get_object(proc, NULL, b, object_offset, object) == 0)
		return NULL;
	if (object->hdr.type != BINDER_TYPE_PTR)
		return NULL;

	if (object_offsetp)
		*object_offsetp = object_offset;

	return &object->bbo;
}
|
|
|
|
/**
|
|
* binder_validate_fixup() - validates pointer/fd fixups happen in order.
|
|
* @proc: binder_proc owning the buffer
|
|
* @b: transaction buffer
|
|
* @objects_start_offset: offset to start of objects buffer
|
|
* @buffer_obj_offset: offset to binder_buffer_object in which to fix up
|
|
* @fixup_offset: start offset in @buffer to fix up
|
|
* @last_obj_offset: offset to last binder_buffer_object that we fixed
|
|
* @last_min_offset: minimum fixup offset in object at @last_obj_offset
|
|
*
|
|
* Return: %true if a fixup in buffer @b at offset @fixup_offset is
|
|
* allowed.
|
|
*
|
|
* For safety reasons, we only allow fixups inside a buffer to happen
|
|
* at increasing offsets; additionally, we only allow fixup on the last
|
|
* buffer object that was verified, or one of its parents.
|
|
*
|
|
* Example of what is allowed:
|
|
*
|
|
* A
|
|
* B (parent = A, offset = 0)
|
|
* C (parent = A, offset = 16)
|
|
* D (parent = C, offset = 0)
|
|
* E (parent = A, offset = 32) // min_offset is 16 (C.parent_offset)
|
|
*
|
|
* Examples of what is not allowed:
|
|
*
|
|
* Decreasing offsets within the same parent:
|
|
* A
|
|
* C (parent = A, offset = 16)
|
|
* B (parent = A, offset = 0) // decreasing offset within A
|
|
*
|
|
* Referring to a parent that wasn't the last object or any of its parents:
|
|
* A
|
|
* B (parent = A, offset = 0)
|
|
* C (parent = A, offset = 0)
|
|
* C (parent = A, offset = 16)
|
|
* D (parent = B, offset = 0) // B is not A or any of A's parents
|
|
*/
|
|
static bool binder_validate_fixup(struct binder_proc *proc,
				  struct binder_buffer *b,
				  binder_size_t objects_start_offset,
				  binder_size_t buffer_obj_offset,
				  binder_size_t fixup_offset,
				  binder_size_t last_obj_offset,
				  binder_size_t last_min_offset)
{
	if (!last_obj_offset) {
		/* No buffer object has been verified yet: nothing to fix up into. */
		return false;
	}

	/*
	 * Walk up the parent chain from the last fixed-up object until we
	 * reach @buffer_obj_offset. Each hop re-reads the object from @b
	 * and raises the minimum permitted fixup offset to just past the
	 * parent pointer of the object we came from.
	 */
	while (last_obj_offset != buffer_obj_offset) {
		unsigned long buffer_offset;
		struct binder_object last_object;
		struct binder_buffer_object *last_bbo;
		size_t object_size = binder_get_object(proc, NULL, b,
						       last_obj_offset,
						       &last_object);
		/* Checked by size: a complete binder_buffer_object is expected. */
		if (object_size != sizeof(*last_bbo))
			return false;

		last_bbo = &last_object.bbo;
		/*
		 * Safe to retrieve the parent of last_obj, since it
		 * was already previously verified by the driver.
		 */
		if ((last_bbo->flags & BINDER_BUFFER_FLAG_HAS_PARENT) == 0)
			return false;	/* hit the root without meeting @buffer_obj_offset */
		last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t);
		buffer_offset = objects_start_offset +
			sizeof(binder_size_t) * last_bbo->parent;
		if (binder_alloc_copy_from_buffer(&proc->alloc,
						  &last_obj_offset,
						  b, buffer_offset,
						  sizeof(last_obj_offset)))
			return false;
	}
	/* Fixups within one parent must come at non-decreasing offsets. */
	return (fixup_offset >= last_min_offset);
}
|
|
|
|
/**
|
|
* struct binder_task_work_cb - for deferred close
|
|
*
|
|
* @twork: callback_head for task work
|
|
* @file: file whose reference is dropped by the deferred close
|
|
*
|
|
* Structure to pass task work to be handled after
|
|
* returning from binder_ioctl() via task_work_add().
|
|
*/
|
|
struct binder_task_work_cb {
	struct callback_head twork;	/* task_work entry; runs binder_do_fd_close() */
	struct file *file;		/* file detached from the closed fd; fput() in the callback */
};
|
|
|
|
/**
|
|
* binder_do_fd_close() - close list of file descriptors
|
|
* @twork: callback head for task work
|
|
*
|
|
* It is not safe to call ksys_close() during the binder_ioctl()
|
|
* function if there is a chance that binder's own file descriptor
|
|
* might be closed. This is to meet the requirements for using
|
|
* fdget() (see comments for __fget_light()). Therefore use
|
|
* task_work_add() to schedule the close operation once we have
|
|
* returned from binder_ioctl(). This function is a callback
|
|
* for that mechanism and drops the reference on the file that
* was detached from the given file descriptor.
|
|
*/
|
|
static void binder_do_fd_close(struct callback_head *twork)
{
	struct binder_task_work_cb *twcb;

	twcb = container_of(twork, struct binder_task_work_cb, twork);
	/* Back in task context: drop the file reference, then the record. */
	fput(twcb->file);
	kfree(twcb);
}
|
|
|
|
/**
|
|
* binder_deferred_fd_close() - schedule a close for the given file-descriptor
|
|
* @fd: file-descriptor to close
|
|
*
|
|
* See comments in binder_do_fd_close(). This function is used to schedule
|
|
* a file-descriptor to be closed after returning from binder_ioctl().
|
|
*/
|
|
static void binder_deferred_fd_close(int fd)
{
	struct binder_task_work_cb *twcb;

	twcb = kzalloc(sizeof(*twcb), GFP_KERNEL);
	if (!twcb)
		return;		/* best effort: on OOM the fd is left as it is */
	init_task_work(&twcb->twork, binder_do_fd_close);
	/* Detach the fd from the table now; the file ref is dropped later. */
	close_fd_get_file(fd, &twcb->file);
	if (twcb->file) {
		filp_close(twcb->file, current->files);
		/*
		 * Runs binder_do_fd_close() once current returns to userspace.
		 * NOTE(review): the task_work_add() return value is not checked.
		 */
		task_work_add(current, &twcb->twork, TWA_RESUME);
	} else {
		kfree(twcb);	/* @fd was not open */
	}
}
|
|
|
|
/**
 * binder_transaction_buffer_release() - undo the object translations in a buffer
 * @proc: process that owns @buffer
 * @thread: thread doing the release, or NULL (used to force a return to
 *          userspace when deferred fd closes were queued)
 * @buffer: transaction buffer whose objects are released
 * @failed_at: when @is_failure is set and non-zero, the offset at which
 *             processing of the offsets array stopped
 * @is_failure: the transaction was never delivered; fd fixups were not applied
 *
 * Walks the offsets array of @buffer, re-reads each object with
 * binder_get_object() (offsets come from the sender and are validated
 * again here) and drops the node/ref counts taken when the transaction was
 * built. Bad objects are logged and skipped rather than aborting the walk.
 */
static void binder_transaction_buffer_release(struct binder_proc *proc,
					      struct binder_thread *thread,
					      struct binder_buffer *buffer,
					      binder_size_t failed_at,
					      bool is_failure)
{
	int debug_id = buffer->debug_id;
	binder_size_t off_start_offset, buffer_offset, off_end_offset;

	binder_debug(BINDER_DEBUG_TRANSACTION,
		     "%d buffer release %d, size %zd-%zd, failed at %llx\n",
		     proc->pid, buffer->debug_id,
		     buffer->data_size, buffer->offsets_size,
		     (unsigned long long)failed_at);

	if (buffer->target_node)
		binder_dec_node(buffer->target_node, 1, 0);

	/* The offsets array follows the data area, pointer-aligned. */
	off_start_offset = ALIGN(buffer->data_size, sizeof(void *));
	/* On failure only the objects translated before @failed_at were touched. */
	off_end_offset = is_failure && failed_at ? failed_at :
				off_start_offset + buffer->offsets_size;
	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
	     buffer_offset += sizeof(binder_size_t)) {
		struct binder_object_header *hdr;
		size_t object_size = 0;
		struct binder_object object;
		binder_size_t object_offset;

		/* Each offset and the object behind it are re-validated here. */
		if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
						   buffer, buffer_offset,
						   sizeof(object_offset)))
			object_size = binder_get_object(proc, NULL, buffer,
							object_offset, &object);
		if (object_size == 0) {
			pr_err("transaction release %d bad object at offset %lld, size %zd\n",
			       debug_id, (u64)object_offset, buffer->data_size);
			continue;
		}
		hdr = &object.hdr;
		switch (hdr->type) {
		case BINDER_TYPE_BINDER:
		case BINDER_TYPE_WEAK_BINDER: {
			struct flat_binder_object *fp;
			struct binder_node *node;

			fp = to_flat_binder_object(hdr);
			node = binder_get_node(proc, fp->binder);
			if (node == NULL) {
				pr_err("transaction release %d bad node %016llx\n",
				       debug_id, (u64)fp->binder);
				break;
			}
			binder_debug(BINDER_DEBUG_TRANSACTION,
				     " node %d u%016llx\n",
				     node->debug_id, (u64)node->ptr);
			/* Strong for BINDER, weak for WEAK_BINDER. */
			binder_dec_node(node, hdr->type == BINDER_TYPE_BINDER,
					0);
			binder_put_node(node);
		} break;
		case BINDER_TYPE_HANDLE:
		case BINDER_TYPE_WEAK_HANDLE: {
			struct flat_binder_object *fp;
			struct binder_ref_data rdata;
			int ret;

			fp = to_flat_binder_object(hdr);
			ret = binder_dec_ref_for_handle(proc, fp->handle,
				hdr->type == BINDER_TYPE_HANDLE, &rdata);

			if (ret) {
				pr_err("transaction release %d bad handle %d, ret = %d\n",
				       debug_id, fp->handle, ret);
				break;
			}
			binder_debug(BINDER_DEBUG_TRANSACTION,
				     " ref %d desc %d\n",
				     rdata.debug_id, rdata.desc);
		} break;

		case BINDER_TYPE_FD: {
			/*
			 * No need to close the file here since user-space
			 * closes it for successfully delivered
			 * transactions. For transactions that weren't
			 * delivered, the new fd was never allocated so
			 * there is no need to close and the fput on the
			 * file is done when the transaction is torn
			 * down.
			 */
		} break;
		case BINDER_TYPE_PTR:
			/*
			 * Nothing to do here, this will get cleaned up when the
			 * transaction buffer gets freed
			 */
			break;
		case BINDER_TYPE_FDA: {
			struct binder_fd_array_object *fda;
			struct binder_buffer_object *parent;
			struct binder_object ptr_object;
			binder_size_t fda_offset;
			size_t fd_index;
			binder_size_t fd_buf_size;
			binder_size_t num_valid;

			if (is_failure) {
				/*
				 * The fd fixups have not been applied so no
				 * fds need to be closed.
				 */
				continue;
			}

			/* Only offsets before this object count as validated parents. */
			num_valid = (buffer_offset - off_start_offset) /
						sizeof(binder_size_t);
			fda = to_binder_fd_array_object(hdr);
			parent = binder_validate_ptr(proc, buffer, &ptr_object,
						     fda->parent,
						     off_start_offset,
						     NULL,
						     num_valid);
			if (!parent) {
				pr_err("transaction release %d bad parent offset\n",
				       debug_id);
				continue;
			}
			fd_buf_size = sizeof(u32) * fda->num_fds;
			/* Overflow guard for the product above (the wrapped value is discarded). */
			if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
				pr_err("transaction release %d invalid number of fds (%lld)\n",
				       debug_id, (u64)fda->num_fds);
				continue;
			}
			if (fd_buf_size > parent->length ||
			    fda->parent_offset > parent->length - fd_buf_size) {
				/* No space for all file descriptors here. */
				pr_err("transaction release %d not enough space for %lld fds in buffer\n",
				       debug_id, (u64)fda->num_fds);
				continue;
			}
			/*
			 * the source data for binder_buffer_object is visible
			 * to user-space and the @buffer element is the user
			 * pointer to the buffer_object containing the fd_array.
			 * Convert the address to an offset relative to
			 * the base of the transaction buffer.
			 */
			fda_offset =
			    (parent->buffer - (uintptr_t)buffer->user_data) +
			    fda->parent_offset;
			for (fd_index = 0; fd_index < fda->num_fds;
			     fd_index++) {
				u32 fd;
				int err;
				binder_size_t offset = fda_offset +
					fd_index * sizeof(fd);

				err = binder_alloc_copy_from_buffer(
						&proc->alloc, &fd, buffer,
						offset, sizeof(fd));
				WARN_ON(err);
				if (!err) {
					/* The fixups were applied, so this fd is installed: close it. */
					binder_deferred_fd_close(fd);
					/*
					 * Need to make sure the thread goes
					 * back to userspace to complete the
					 * deferred close
					 */
					if (thread)
						thread->looper_need_return = true;
				}
			}
		} break;
		default:
			pr_err("transaction release %d bad object type %x\n",
			       debug_id, hdr->type);
			break;
		}
	}
}
|
|
|
|
/**
 * binder_translate_binder() - convert a local node reference into a handle
 * @fp: flat_binder_object in the transaction buffer (rewritten in place)
 * @t: transaction being built
 * @thread: sending thread (its proc owns the node)
 *
 * Looks up (or creates) the sender's node for @fp->binder, checks that the
 * cookie matches and that the LSM permits the transfer, takes a ref on the
 * node for the target proc and rewrites @fp as a (weak) handle the target
 * can use.
 *
 * Return: 0 on success, -ENOMEM if a node could not be created, -EINVAL on
 * cookie mismatch, -EPERM if security_binder_transfer_binder() denies,
 * or the error from binder_inc_ref_for_node().
 */
static int binder_translate_binder(struct flat_binder_object *fp,
				   struct binder_transaction *t,
				   struct binder_thread *thread)
{
	struct binder_node *node;
	struct binder_proc *proc = thread->proc;
	struct binder_proc *target_proc = t->to_proc;
	struct binder_ref_data rdata;
	int ret = 0;

	node = binder_get_node(proc, fp->binder);
	if (!node) {
		node = binder_new_node(proc, fp);
		if (!node)
			return -ENOMEM;
	}
	/* The sender must present the cookie the node was registered with. */
	if (fp->cookie != node->cookie) {
		binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
				  proc->pid, thread->pid, (u64)fp->binder,
				  node->debug_id, (u64)fp->cookie,
				  (u64)node->cookie);
		ret = -EINVAL;
		goto done;
	}
	if (security_binder_transfer_binder(proc->cred, target_proc->cred)) {
		ret = -EPERM;
		goto done;
	}

	ret = binder_inc_ref_for_node(target_proc, node,
			fp->hdr.type == BINDER_TYPE_BINDER,
			&thread->todo, &rdata);
	if (ret)
		goto done;

	/* Rewrite the object as the target's handle; local fields are cleared. */
	if (fp->hdr.type == BINDER_TYPE_BINDER)
		fp->hdr.type = BINDER_TYPE_HANDLE;
	else
		fp->hdr.type = BINDER_TYPE_WEAK_HANDLE;
	fp->binder = 0;
	fp->handle = rdata.desc;
	fp->cookie = 0;

	trace_binder_transaction_node_to_ref(t, node, &rdata);
	binder_debug(BINDER_DEBUG_TRANSACTION,
		     " node %d u%016llx -> ref %d desc %d\n",
		     node->debug_id, (u64)node->ptr,
		     rdata.debug_id, rdata.desc);
done:
	/* Balances the reference from binder_get_node()/binder_new_node(). */
	binder_put_node(node);
	return ret;
}
|
|
|
|
/**
 * binder_translate_handle() - translate a handle for the target process
 * @fp: flat_binder_object holding the sender's handle (rewritten in place)
 * @t: transaction being built
 * @thread: sending thread
 *
 * Resolves @fp->handle to a node via the sender's refs. If the node lives
 * in the target process, @fp is turned back into a (weak) BINDER object
 * carrying the node's ptr/cookie; otherwise a ref on the node is created
 * for the target and @fp is rewritten with the target's handle.
 *
 * Return: 0 on success, -EINVAL for an unknown handle, -EPERM if the LSM
 * denies the transfer, or the error from binder_inc_ref_for_node().
 */
static int binder_translate_handle(struct flat_binder_object *fp,
				   struct binder_transaction *t,
				   struct binder_thread *thread)
{
	struct binder_proc *proc = thread->proc;
	struct binder_proc *target_proc = t->to_proc;
	struct binder_node *node;
	struct binder_ref_data src_rdata;
	int ret = 0;

	node = binder_get_node_from_ref(proc, fp->handle,
			fp->hdr.type == BINDER_TYPE_HANDLE, &src_rdata);
	if (!node) {
		binder_user_error("%d:%d got transaction with invalid handle, %d\n",
				  proc->pid, thread->pid, fp->handle);
		return -EINVAL;
	}
	if (security_binder_transfer_binder(proc->cred, target_proc->cred)) {
		ret = -EPERM;
		goto done;
	}

	binder_node_lock(node);
	/* The object is hosted by the target itself: hand back ptr/cookie. */
	if (node->proc == target_proc) {
		if (fp->hdr.type == BINDER_TYPE_HANDLE)
			fp->hdr.type = BINDER_TYPE_BINDER;
		else
			fp->hdr.type = BINDER_TYPE_WEAK_BINDER;
		fp->binder = node->ptr;
		fp->cookie = node->cookie;
		/* node->proc may be NULL; the __acquire/__release are sparse-only. */
		if (node->proc)
			binder_inner_proc_lock(node->proc);
		else
			__acquire(&node->proc->inner_lock);
		binder_inc_node_nilocked(node,
					 fp->hdr.type == BINDER_TYPE_BINDER,
					 0, NULL);
		if (node->proc)
			binder_inner_proc_unlock(node->proc);
		else
			__release(&node->proc->inner_lock);
		trace_binder_transaction_ref_to_node(t, node, &src_rdata);
		binder_debug(BINDER_DEBUG_TRANSACTION,
			     " ref %d desc %d -> node %d u%016llx\n",
			     src_rdata.debug_id, src_rdata.desc, node->debug_id,
			     (u64)node->ptr);
		binder_node_unlock(node);
	} else {
		struct binder_ref_data dest_rdata;

		binder_node_unlock(node);
		/* Otherwise give the target its own ref/handle on the node. */
		ret = binder_inc_ref_for_node(target_proc, node,
				fp->hdr.type == BINDER_TYPE_HANDLE,
				NULL, &dest_rdata);
		if (ret)
			goto done;

		fp->binder = 0;
		fp->handle = dest_rdata.desc;
		fp->cookie = 0;
		trace_binder_transaction_ref_to_ref(t, node, &src_rdata,
						    &dest_rdata);
		binder_debug(BINDER_DEBUG_TRANSACTION,
			     " ref %d desc %d -> ref %d desc %d (node %d)\n",
			     src_rdata.debug_id, src_rdata.desc,
			     dest_rdata.debug_id, dest_rdata.desc,
			     node->debug_id);
	}
done:
	/* Balances the reference from binder_get_node_from_ref(). */
	binder_put_node(node);
	return ret;
}
|
|
|
|
/**
 * binder_translate_fd() - queue an fd for installation in the target
 * @fd: sender's file descriptor
 * @fd_offset: offset in the transaction buffer of the fd slot to patch
 * @t: transaction being built
 * @thread: sending thread
 * @in_reply_to: transaction being replied to, or NULL for a new transaction
 *
 * Checks that the receiver accepts fds (TF_ACCEPT_FDS on the original
 * transaction for replies, node->accept_fds otherwise), takes a reference
 * on the file, consults the LSM and records a fixup so that a target thread
 * installs the fd in its own table later. The file reference is owned by
 * the fixup; binder_free_txn_fixups() drops it if @t is torn down first.
 *
 * Return: 0 on success, -EPERM if fds are not accepted or the LSM denies,
 * -EBADF for an invalid fd, -ENOMEM if the fixup cannot be allocated.
 */
static int binder_translate_fd(u32 fd, binder_size_t fd_offset,
			       struct binder_transaction *t,
			       struct binder_thread *thread,
			       struct binder_transaction *in_reply_to)
{
	struct binder_proc *proc = thread->proc;
	struct binder_proc *target_proc = t->to_proc;
	struct binder_txn_fd_fixup *fixup;
	struct file *file;
	int ret = 0;
	bool target_allows_fd;

	if (in_reply_to)
		target_allows_fd = !!(in_reply_to->flags & TF_ACCEPT_FDS);
	else
		target_allows_fd = t->buffer->target_node->accept_fds;
	if (!target_allows_fd) {
		binder_user_error("%d:%d got %s with fd, %d, but target does not allow fds\n",
				  proc->pid, thread->pid,
				  in_reply_to ? "reply" : "transaction",
				  fd);
		ret = -EPERM;
		goto err_fd_not_accepted;
	}

	file = fget(fd);
	if (!file) {
		binder_user_error("%d:%d got transaction with invalid fd, %d\n",
				  proc->pid, thread->pid, fd);
		ret = -EBADF;
		goto err_fget;
	}
	/* Any LSM error is collapsed to -EPERM. */
	ret = security_binder_transfer_file(proc->cred, target_proc->cred, file);
	if (ret < 0) {
		ret = -EPERM;
		goto err_security;
	}

	/*
	 * Add fixup record for this transaction. The allocation
	 * of the fd in the target needs to be done from a
	 * target thread.
	 */
	fixup = kzalloc(sizeof(*fixup), GFP_KERNEL);
	if (!fixup) {
		ret = -ENOMEM;
		goto err_alloc;
	}
	fixup->file = file;
	fixup->offset = fd_offset;
	trace_binder_transaction_fd_send(t, fd, fixup->offset);
	list_add_tail(&fixup->fixup_entry, &t->fd_fixups);

	return ret;

err_alloc:
err_security:
	/* Drop the reference taken by fget() above. */
	fput(file);
err_fget:
err_fd_not_accepted:
	return ret;
}
|
|
|
|
/**
 * binder_translate_fd_array() - translate every fd in a BINDER_TYPE_FDA object
 * @fda: the fd-array object
 * @parent: validated buffer object that holds the fd array
 * @t: transaction being built
 * @thread: sending thread
 * @in_reply_to: transaction being replied to, or NULL
 *
 * Bounds-checks the array against @parent (count overflow, fit within
 * parent->length, u32 alignment), then reads each fd from the already
 * copied transaction buffer and hands it to binder_translate_fd().
 *
 * Return: 0 on success, -EINVAL for a malformed array (any positive status
 * from the copy is mapped to -EINVAL as well), otherwise the error from
 * binder_translate_fd().
 */
static int binder_translate_fd_array(struct binder_fd_array_object *fda,
				     struct binder_buffer_object *parent,
				     struct binder_transaction *t,
				     struct binder_thread *thread,
				     struct binder_transaction *in_reply_to)
{
	binder_size_t fdi, fd_buf_size;
	binder_size_t fda_offset;
	struct binder_proc *proc = thread->proc;
	struct binder_proc *target_proc = t->to_proc;

	fd_buf_size = sizeof(u32) * fda->num_fds;
	/* Overflow guard for the product above (the wrapped value is discarded). */
	if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
		binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
				  proc->pid, thread->pid, (u64)fda->num_fds);
		return -EINVAL;
	}
	if (fd_buf_size > parent->length ||
	    fda->parent_offset > parent->length - fd_buf_size) {
		/* No space for all file descriptors here. */
		binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
				  proc->pid, thread->pid, (u64)fda->num_fds);
		return -EINVAL;
	}
	/*
	 * the source data for binder_buffer_object is visible
	 * to user-space and the @buffer element is the user
	 * pointer to the buffer_object containing the fd_array.
	 * Convert the address to an offset relative to
	 * the base of the transaction buffer.
	 */
	fda_offset = (parent->buffer - (uintptr_t)t->buffer->user_data) +
		fda->parent_offset;
	if (!IS_ALIGNED((unsigned long)fda_offset, sizeof(u32))) {
		binder_user_error("%d:%d parent offset not aligned correctly.\n",
				  proc->pid, thread->pid);
		return -EINVAL;
	}
	for (fdi = 0; fdi < fda->num_fds; fdi++) {
		u32 fd;
		int ret;
		binder_size_t offset = fda_offset + fdi * sizeof(fd);

		/* The fd values are read from the copy in the target's buffer. */
		ret = binder_alloc_copy_from_buffer(&target_proc->alloc,
						    &fd, t->buffer,
						    offset, sizeof(fd));
		if (!ret)
			ret = binder_translate_fd(fd, offset, t, thread,
						  in_reply_to);
		if (ret)
			return ret > 0 ? -EINVAL : ret;
	}
	return 0;
}
|
|
|
|
/**
 * binder_fixup_parent() - patch the parent buffer with @bp's target address
 * @t: transaction being built
 * @thread: sending thread
 * @bp: buffer object whose pointer in its parent must be fixed up
 * @off_start_offset: start of the offsets array in t->buffer
 * @num_valid: number of offsets already validated
 * @last_fixup_obj_off: offset of the last buffer object a fixup was applied to
 * @last_fixup_min_off: minimum fixup offset still allowed in that object
 *
 * Does nothing unless BINDER_BUFFER_FLAG_HAS_PARENT is set. Otherwise the
 * parent is re-validated, the fixup is checked to be in order (see
 * binder_validate_fixup()), the pointer slot is checked to fit inside the
 * parent, and bp->buffer is written into the parent at parent_offset.
 *
 * Return: 0 on success, -EINVAL if any check fails or the copy fails.
 */
static int binder_fixup_parent(struct binder_transaction *t,
			       struct binder_thread *thread,
			       struct binder_buffer_object *bp,
			       binder_size_t off_start_offset,
			       binder_size_t num_valid,
			       binder_size_t last_fixup_obj_off,
			       binder_size_t last_fixup_min_off)
{
	struct binder_buffer_object *parent;
	struct binder_buffer *b = t->buffer;
	struct binder_proc *proc = thread->proc;
	struct binder_proc *target_proc = t->to_proc;
	struct binder_object object;
	binder_size_t buffer_offset;
	binder_size_t parent_offset;

	if (!(bp->flags & BINDER_BUFFER_FLAG_HAS_PARENT))
		return 0;

	/* The parent index is sender-supplied; only validated offsets are eligible. */
	parent = binder_validate_ptr(target_proc, b, &object, bp->parent,
				     off_start_offset, &parent_offset,
				     num_valid);
	if (!parent) {
		binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
				  proc->pid, thread->pid);
		return -EINVAL;
	}

	if (!binder_validate_fixup(target_proc, b, off_start_offset,
				   parent_offset, bp->parent_offset,
				   last_fixup_obj_off,
				   last_fixup_min_off)) {
		binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
				  proc->pid, thread->pid);
		return -EINVAL;
	}

	if (parent->length < sizeof(binder_uintptr_t) ||
	    bp->parent_offset > parent->length - sizeof(binder_uintptr_t)) {
		/* No space for a pointer here! */
		binder_user_error("%d:%d got transaction with invalid parent offset\n",
				  proc->pid, thread->pid);
		return -EINVAL;
	}
	/* Translate the parent's user address into an offset in the target buffer. */
	buffer_offset = bp->parent_offset +
			(uintptr_t)parent->buffer - (uintptr_t)b->user_data;
	if (binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset,
					&bp->buffer, sizeof(bp->buffer))) {
		binder_user_error("%d:%d got transaction with invalid parent offset\n",
				  proc->pid, thread->pid);
		return -EINVAL;
	}

	return 0;
}
|
|
|
|
/**
|
|
* binder_proc_transaction() - sends a transaction to a process and wakes it up
|
|
* @t: transaction to send
|
|
* @proc: process to send the transaction to
|
|
* @thread: thread in @proc to send the transaction to (may be NULL)
|
|
*
|
|
* This function queues a transaction to the specified process. It will try
|
|
* to find a thread in the target process to handle the transaction and
|
|
* wake it up. If no thread is found, the work is queued to the proc
|
|
* waitqueue.
|
|
*
|
|
* If the @thread parameter is not NULL, the transaction is always queued
|
|
* to the waitlist of that specific thread.
|
|
*
|
|
* Return: 0 if the transaction was successfully queued
|
|
* BR_DEAD_REPLY if the target process or thread is dead
|
|
* BR_FROZEN_REPLY if the target process or thread is frozen
|
|
*/
|
|
static int binder_proc_transaction(struct binder_transaction *t,
				    struct binder_proc *proc,
				    struct binder_thread *thread)
{
	struct binder_node *node = t->buffer->target_node;
	struct binder_priority node_prio;
	bool oneway = !!(t->flags & TF_ONE_WAY);
	bool pending_async = false;

	BUG_ON(!node);
	binder_node_lock(node);
	node_prio.prio = node->min_priority;
	node_prio.sched_policy = node->sched_policy;

	if (oneway) {
		/* Oneway work is never targeted at a specific thread. */
		BUG_ON(thread);
		/*
		 * Only one async transaction per node is dispatched at a
		 * time; later ones are parked on node->async_todo below.
		 */
		if (node->has_async_transaction)
			pending_async = true;
		else
			node->has_async_transaction = true;
	}

	binder_inner_proc_lock(proc);
	/* Record what arrived while frozen (sync_recv/async_recv are read elsewhere). */
	if (proc->is_frozen) {
		proc->sync_recv |= !oneway;
		proc->async_recv |= oneway;
	}

	/* A frozen target refuses sync transactions but still queues oneway ones. */
	if ((proc->is_frozen && !oneway) || proc->is_dead ||
			(thread && thread->is_dead)) {
		binder_inner_proc_unlock(proc);
		binder_node_unlock(node);
		/* NOTE(review): proc->is_frozen is re-read here after the inner lock was dropped. */
		return proc->is_frozen ? BR_FROZEN_REPLY : BR_DEAD_REPLY;
	}

	if (!thread && !pending_async)
		thread = binder_select_thread_ilocked(proc);

	if (thread) {
		binder_transaction_priority(thread->task, t, node_prio,
					    node->inherit_rt);
		binder_enqueue_thread_work_ilocked(thread, &t->work);
	} else if (!pending_async) {
		binder_enqueue_work_ilocked(&t->work, &proc->todo);
	} else {
		binder_enqueue_work_ilocked(&t->work, &node->async_todo);
	}

	/* Parked async work is not woken for; it is picked up with the node's queue. */
	if (!pending_async)
		binder_wakeup_thread_ilocked(proc, thread, !oneway /* sync */);

	proc->outstanding_txns++;
	binder_inner_proc_unlock(proc);
	binder_node_unlock(node);

	return 0;
}
|
|
|
|
/**
|
|
* binder_get_node_refs_for_txn() - Get required refs on node for txn
|
|
* @node: struct binder_node for which to get refs
|
|
* @procp: set to @node->proc if valid
|
|
* @error: set to BR_DEAD_REPLY if @node->proc is NULL
|
|
*
|
|
* User-space normally keeps the node alive when creating a transaction
|
|
* since it has a reference to the target. The local strong ref keeps it
|
|
* alive if the sending process dies before the target process processes
|
|
* the transaction. If the source process is malicious or has a reference
|
|
* counting bug, relying on the local strong ref can fail.
|
|
*
|
|
* Since user-space can cause the local strong ref to go away, we also take
|
|
* a tmpref on the node to ensure it survives while we are constructing
|
|
* the transaction. We also need a tmpref on the proc while we are
|
|
* constructing the transaction, so we take that here as well.
|
|
*
|
|
* Return: The target_node with refs taken, or NULL if @node->proc is NULL.
|
|
* Also sets @proc if valid. If the @node->proc is NULL indicating that the
|
|
* target proc has died, @error is set to BR_DEAD_REPLY
|
|
*/
|
|
static struct binder_node *binder_get_node_refs_for_txn(
|
|
struct binder_node *node,
|
|
struct binder_proc **procp,
|
|
uint32_t *error)
|
|
{
|
|
struct binder_node *target_node = NULL;
|
|
|
|
binder_node_inner_lock(node);
|
|
if (node->proc) {
|
|
target_node = node;
|
|
binder_inc_node_nilocked(node, 1, 0, NULL);
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
node->proc->tmp_ref++;
|
|
*procp = node->proc;
|
|
} else
|
|
*error = BR_DEAD_REPLY;
|
|
binder_node_inner_unlock(node);
|
|
|
|
return target_node;
|
|
}
/**
 * binder_transaction() - build and deliver a BC_TRANSACTION / BC_REPLY
 * @proc:               sending process
 * @thread:             sending thread
 * @tr:                 transaction descriptor supplied by userspace. Its
 *                      data/offsets pointers, sizes and flags are untrusted
 *                      and are validated below before anything is copied.
 * @reply:              non-zero when this is a reply (BC_REPLY / BC_REPLY_SG)
 * @extra_buffers_size: size of the scatter-gather buffers area that follows
 *                      the offsets array (the caller passes 0 for the
 *                      non-SG commands)
 *
 * Resolves the target (the thread being replied to, a handle looked up
 * via binder_get_ref_olocked(), or the context manager node), takes
 * temporary refs so the target survives while the transaction is built,
 * allocates a buffer in the target's address space, copies the payload
 * in while translating each embedded object, and finally queues the work
 * on the target.
 *
 * Nothing is returned. On failure the error is reported to the sender
 * via thread->return_error (and, when replying, to the original caller
 * via binder_send_failed_reply()), and the failure is also recorded in
 * binder_transaction_log_failed.
 */
static void binder_transaction(struct binder_proc *proc,
			       struct binder_thread *thread,
			       struct binder_transaction_data *tr, int reply,
			       binder_size_t extra_buffers_size)
{
	int ret;
	struct binder_transaction *t;
	struct binder_work *w;
	struct binder_work *tcomplete;
	binder_size_t buffer_offset = 0;
	binder_size_t off_start_offset, off_end_offset;
	binder_size_t off_min;
	binder_size_t sg_buf_offset, sg_buf_end_offset;
	binder_size_t user_offset = 0;
	struct binder_proc *target_proc = NULL;
	struct binder_thread *target_thread = NULL;
	struct binder_node *target_node = NULL;
	struct binder_transaction *in_reply_to = NULL;
	struct binder_transaction_log_entry *e;
	uint32_t return_error = 0;
	uint32_t return_error_param = 0;
	uint32_t return_error_line = 0;
	binder_size_t last_fixup_obj_off = 0;
	binder_size_t last_fixup_min_off = 0;
	struct binder_context *context = proc->context;
	int t_debug_id = atomic_inc_return(&binder_last_id);
	char *secctx = NULL;
	u32 secctx_sz = 0;
	/* Sender-supplied user pointer; only ever dereferenced via copy helpers. */
	const void __user *user_buffer = (const void __user *)
				(uintptr_t)tr->data.ptr.buffer;

	/* Record the attempt in the transaction log before any validation. */
	e = binder_transaction_log_add(&binder_transaction_log);
	e->debug_id = t_debug_id;
	e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
	e->from_proc = proc->pid;
	e->from_thread = thread->pid;
	e->target_handle = tr->target.handle;
	e->data_size = tr->data_size;
	e->offsets_size = tr->offsets_size;
	strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME);

	if (reply) {
		/*
		 * A reply must match the transaction at the top of this
		 * thread's stack; anything else is a protocol violation.
		 */
		binder_inner_proc_lock(proc);
		in_reply_to = thread->transaction_stack;
		if (in_reply_to == NULL) {
			binder_inner_proc_unlock(proc);
			binder_user_error("%d:%d got reply transaction with no transaction stack\n",
					  proc->pid, thread->pid);
			return_error = BR_FAILED_REPLY;
			return_error_param = -EPROTO;
			return_error_line = __LINE__;
			goto err_empty_call_stack;
		}
		if (in_reply_to->to_thread != thread) {
			spin_lock(&in_reply_to->lock);
			binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
				proc->pid, thread->pid, in_reply_to->debug_id,
				in_reply_to->to_proc ?
				in_reply_to->to_proc->pid : 0,
				in_reply_to->to_thread ?
				in_reply_to->to_thread->pid : 0);
			spin_unlock(&in_reply_to->lock);
			binder_inner_proc_unlock(proc);
			return_error = BR_FAILED_REPLY;
			return_error_param = -EPROTO;
			return_error_line = __LINE__;
			in_reply_to = NULL;
			goto err_bad_call_stack;
		}
		thread->transaction_stack = in_reply_to->to_parent;
		binder_inner_proc_unlock(proc);
		/*
		 * Resolve the thread the original transaction came from.
		 * On success its proc's inner lock is held (it is released
		 * below); the __release() only balances sparse's view for
		 * the NULL case.
		 */
		target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
		if (target_thread == NULL) {
			/* annotation for sparse */
			__release(&target_thread->proc->inner_lock);
			return_error = BR_DEAD_REPLY;
			return_error_line = __LINE__;
			goto err_dead_binder;
		}
		if (target_thread->transaction_stack != in_reply_to) {
			binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
				proc->pid, thread->pid,
				target_thread->transaction_stack ?
				target_thread->transaction_stack->debug_id : 0,
				in_reply_to->debug_id);
			binder_inner_proc_unlock(target_thread->proc);
			return_error = BR_FAILED_REPLY;
			return_error_param = -EPROTO;
			return_error_line = __LINE__;
			in_reply_to = NULL;
			target_thread = NULL;
			goto err_dead_binder;
		}
		target_proc = target_thread->proc;
		target_proc->tmp_ref++;
		binder_inner_proc_unlock(target_thread->proc);
	} else {
		if (tr->target.handle) {
			struct binder_ref *ref;

			/*
			 * There must already be a strong ref
			 * on this node. If so, do a strong
			 * increment on the node to ensure it
			 * stays alive until the transaction is
			 * done.
			 */
			binder_proc_lock(proc);
			ref = binder_get_ref_olocked(proc, tr->target.handle,
						     true);
			if (ref) {
				target_node = binder_get_node_refs_for_txn(
						ref->node, &target_proc,
						&return_error);
			} else {
				binder_user_error("%d:%d got transaction to invalid handle, %u\n",
						  proc->pid, thread->pid, tr->target.handle);
				return_error = BR_FAILED_REPLY;
			}
			binder_proc_unlock(proc);
		} else {
			/* Handle 0 addresses the context manager node. */
			mutex_lock(&context->context_mgr_node_lock);
			target_node = context->binder_context_mgr_node;
			if (target_node)
				target_node = binder_get_node_refs_for_txn(
						target_node, &target_proc,
						&return_error);
			else
				return_error = BR_DEAD_REPLY;
			mutex_unlock(&context->context_mgr_node_lock);
			/* The process owning the context manager may not send to it. */
			if (target_node && target_proc->pid == proc->pid) {
				binder_user_error("%d:%d got transaction to context manager from process owning it\n",
						  proc->pid, thread->pid);
				return_error = BR_FAILED_REPLY;
				return_error_param = -EINVAL;
				return_error_line = __LINE__;
				goto err_invalid_target_handle;
			}
		}
		if (!target_node) {
			/*
			 * return_error is set above
			 */
			return_error_param = -EINVAL;
			return_error_line = __LINE__;
			goto err_dead_binder;
		}
		e->to_node = target_node->debug_id;
		/* A transaction to one's own process is refused (and flagged as a bug). */
		if (WARN_ON(proc == target_proc)) {
			return_error = BR_FAILED_REPLY;
			return_error_param = -EINVAL;
			return_error_line = __LINE__;
			goto err_invalid_target_handle;
		}
		/* LSM hook: sender cred must be allowed to transact with target cred. */
		if (security_binder_transaction(proc->cred,
						target_proc->cred) < 0) {
			return_error = BR_FAILED_REPLY;
			return_error_param = -EPERM;
			return_error_line = __LINE__;
			goto err_invalid_target_handle;
		}
		binder_inner_proc_lock(proc);

		w = list_first_entry_or_null(&thread->todo,
					     struct binder_work, entry);
		if (!(tr->flags & TF_ONE_WAY) && w &&
		    w->type == BINDER_WORK_TRANSACTION) {
			/*
			 * Do not allow new outgoing transaction from a
			 * thread that has a transaction at the head of
			 * its todo list. Only need to check the head
			 * because binder_select_thread_ilocked picks a
			 * thread from proc->waiting_threads to enqueue
			 * the transaction, and nothing is queued to the
			 * todo list while the thread is on waiting_threads.
			 */
			binder_user_error("%d:%d new transaction not allowed when there is a transaction on thread todo\n",
					  proc->pid, thread->pid);
			binder_inner_proc_unlock(proc);
			return_error = BR_FAILED_REPLY;
			return_error_param = -EPROTO;
			return_error_line = __LINE__;
			goto err_bad_todo_list;
		}

		if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
			struct binder_transaction *tmp;

			tmp = thread->transaction_stack;
			if (tmp->to_thread != thread) {
				spin_lock(&tmp->lock);
				binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
					proc->pid, thread->pid, tmp->debug_id,
					tmp->to_proc ? tmp->to_proc->pid : 0,
					tmp->to_thread ?
					tmp->to_thread->pid : 0);
				spin_unlock(&tmp->lock);
				binder_inner_proc_unlock(proc);
				return_error = BR_FAILED_REPLY;
				return_error_param = -EPROTO;
				return_error_line = __LINE__;
				goto err_bad_call_stack;
			}
			/*
			 * Walk the call chain (from_parent links) for a
			 * sending thread that lives in the target process;
			 * if one exists, it becomes target_thread and gets a
			 * tmpref that is dropped on exit.
			 */
			while (tmp) {
				struct binder_thread *from;

				spin_lock(&tmp->lock);
				from = tmp->from;
				if (from && from->proc == target_proc) {
					atomic_inc(&from->tmp_ref);
					target_thread = from;
					spin_unlock(&tmp->lock);
					break;
				}
				spin_unlock(&tmp->lock);
				tmp = tmp->from_parent;
			}
		}
		binder_inner_proc_unlock(proc);
	}
	if (target_thread)
		e->to_thread = target_thread->pid;
	e->to_proc = target_proc->pid;

	/* TODO: reuse incoming transaction for reply */
	t = kzalloc(sizeof(*t), GFP_KERNEL);
	if (t == NULL) {
		return_error = BR_FAILED_REPLY;
		return_error_param = -ENOMEM;
		return_error_line = __LINE__;
		goto err_alloc_t_failed;
	}
	INIT_LIST_HEAD(&t->fd_fixups);
	binder_stats_created(BINDER_STAT_TRANSACTION);
	spin_lock_init(&t->lock);
	trace_android_vh_binder_transaction_init(t);

	/* TRANSACTION_COMPLETE work item that is returned to the sender. */
	tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
	if (tcomplete == NULL) {
		return_error = BR_FAILED_REPLY;
		return_error_param = -ENOMEM;
		return_error_line = __LINE__;
		goto err_alloc_tcomplete_failed;
	}
	binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);

	t->debug_id = t_debug_id;

	if (reply)
		binder_debug(BINDER_DEBUG_TRANSACTION,
			     "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
			     proc->pid, thread->pid, t->debug_id,
			     target_proc->pid, target_thread->pid,
			     (u64)tr->data.ptr.buffer,
			     (u64)tr->data.ptr.offsets,
			     (u64)tr->data_size, (u64)tr->offsets_size,
			     (u64)extra_buffers_size);
	else
		binder_debug(BINDER_DEBUG_TRANSACTION,
			     "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
			     proc->pid, thread->pid, t->debug_id,
			     target_proc->pid, target_node->debug_id,
			     (u64)tr->data.ptr.buffer,
			     (u64)tr->data.ptr.offsets,
			     (u64)tr->data_size, (u64)tr->offsets_size,
			     (u64)extra_buffers_size);

	/* Only a synchronous, non-reply transaction records who to reply to. */
	if (!reply && !(tr->flags & TF_ONE_WAY))
		t->from = thread;
	else
		t->from = NULL;
	/* sender_euid is taken from the kernel's view of the sender, not from @tr. */
	t->sender_euid = task_euid(proc->tsk);
	t->to_proc = target_proc;
	t->to_thread = target_thread;
	t->code = tr->code;
	t->flags = tr->flags;
	if (!(t->flags & TF_ONE_WAY) &&
	    binder_supported_policy(current->policy)) {
		/* Inherit supported policies for synchronous transactions */
		t->priority.sched_policy = current->policy;
		t->priority.prio = current->normal_prio;
	} else {
		/* Otherwise, fall back to the default priority */
		t->priority = target_proc->default_priority;
	}

	/*
	 * When the target node asked for it, the sender's security context
	 * string is appended to the extra buffers area; its u64-aligned
	 * length is folded into extra_buffers_size here.
	 */
	if (target_node && target_node->txn_security_ctx) {
		u32 secid;
		size_t added_size;

		security_cred_getsecid(proc->cred, &secid);
		ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
		if (ret) {
			return_error = BR_FAILED_REPLY;
			return_error_param = ret;
			return_error_line = __LINE__;
			goto err_get_secctx_failed;
		}
		added_size = ALIGN(secctx_sz, sizeof(u64));
		extra_buffers_size += added_size;
		if (extra_buffers_size < added_size) {
			/* integer overflow of extra_buffers_size */
			return_error = BR_FAILED_REPLY;
			return_error_param = -EINVAL;
			return_error_line = __LINE__;
			goto err_bad_extra_size;
		}
	}

	trace_binder_transaction(reply, t, target_node);

	/* The transaction buffer lives in the *target's* address space. */
	t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
		tr->offsets_size, extra_buffers_size,
		!reply && (t->flags & TF_ONE_WAY), current->tgid);
	if (IS_ERR(t->buffer)) {
		/*
		 * -ESRCH indicates VMA cleared. The target is dying.
		 */
		return_error_param = PTR_ERR(t->buffer);
		return_error = return_error_param == -ESRCH ?
			BR_DEAD_REPLY : BR_FAILED_REPLY;
		return_error_line = __LINE__;
		t->buffer = NULL;
		goto err_binder_alloc_buf_failed;
	}
	if (secctx) {
		int err;
		/* The secctx occupies the tail of the extra buffers area. */
		size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
				    ALIGN(tr->offsets_size, sizeof(void *)) +
				    ALIGN(extra_buffers_size, sizeof(void *)) -
				    ALIGN(secctx_sz, sizeof(u64));

		t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
		err = binder_alloc_copy_to_buffer(&target_proc->alloc,
						  t->buffer, buf_offset,
						  secctx, secctx_sz);
		if (err) {
			t->security_ctx = 0;
			WARN_ON(1);
		}
		security_release_secctx(secctx, secctx_sz);
		secctx = NULL;
	}
	t->buffer->debug_id = t->debug_id;
	t->buffer->transaction = t;
	t->buffer->target_node = target_node;
	t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);
	trace_binder_transaction_alloc_buf(t->buffer);

	/*
	 * Copy the offsets array first; every object offset is afterwards
	 * read back from the kernel-side copy, not from user memory.
	 */
	if (binder_alloc_copy_user_to_buffer(
				&target_proc->alloc,
				t->buffer,
				ALIGN(tr->data_size, sizeof(void *)),
				(const void __user *)
					(uintptr_t)tr->data.ptr.offsets,
				tr->offsets_size)) {
		binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
				proc->pid, thread->pid);
		return_error = BR_FAILED_REPLY;
		return_error_param = -EFAULT;
		return_error_line = __LINE__;
		goto err_copy_data_failed;
	}
	if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
		binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
				proc->pid, thread->pid, (u64)tr->offsets_size);
		return_error = BR_FAILED_REPLY;
		return_error_param = -EINVAL;
		return_error_line = __LINE__;
		goto err_bad_offset;
	}
	if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
		binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
				  proc->pid, thread->pid,
				  (u64)extra_buffers_size);
		return_error = BR_FAILED_REPLY;
		return_error_param = -EINVAL;
		return_error_line = __LINE__;
		goto err_bad_offset;
	}
	/*
	 * Buffer layout: [data][offsets array][sg buffers ... secctx].
	 * sg_buf_end_offset excludes the secctx tail so SG copies can
	 * never overwrite it.
	 */
	off_start_offset = ALIGN(tr->data_size, sizeof(void *));
	buffer_offset = off_start_offset;
	off_end_offset = off_start_offset + tr->offsets_size;
	sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
	sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
		ALIGN(secctx_sz, sizeof(u64));
	off_min = 0;
	/*
	 * Walk the offsets array. The data section is copied from the
	 * sender lazily, one fragment up to the next object at a time;
	 * each object is decoded into a kernel-side copy, translated, and
	 * written back into the target buffer.
	 */
	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
	     buffer_offset += sizeof(binder_size_t)) {
		struct binder_object_header *hdr;
		size_t object_size;
		struct binder_object object;
		binder_size_t object_offset;
		binder_size_t copy_size;

		if (binder_alloc_copy_from_buffer(&target_proc->alloc,
						  &object_offset,
						  t->buffer,
						  buffer_offset,
						  sizeof(object_offset))) {
			return_error = BR_FAILED_REPLY;
			return_error_param = -EINVAL;
			return_error_line = __LINE__;
			goto err_bad_offset;
		}

		/*
		 * Copy the source user buffer up to the next object
		 * that will be processed.
		 */
		copy_size = object_offset - user_offset;
		/* Object offsets must not move backwards (user_offset > object_offset). */
		if (copy_size && (user_offset > object_offset ||
				binder_alloc_copy_user_to_buffer(
					&target_proc->alloc,
					t->buffer, user_offset,
					user_buffer + user_offset,
					copy_size))) {
			binder_user_error("%d:%d got transaction with invalid data ptr\n",
					proc->pid, thread->pid);
			return_error = BR_FAILED_REPLY;
			return_error_param = -EFAULT;
			return_error_line = __LINE__;
			goto err_copy_data_failed;
		}
		object_size = binder_get_object(target_proc, user_buffer,
				t->buffer, object_offset, &object);
		/*
		 * Reject unknown/ill-formed objects (size 0) and objects that
		 * overlap the previous one: off_min is the end of the last
		 * object, so offsets must be non-decreasing and disjoint.
		 */
		if (object_size == 0 || object_offset < off_min) {
			binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
					  proc->pid, thread->pid,
					  (u64)object_offset,
					  (u64)off_min,
					  (u64)t->buffer->data_size);
			return_error = BR_FAILED_REPLY;
			return_error_param = -EINVAL;
			return_error_line = __LINE__;
			goto err_bad_offset;
		}
		/*
		 * Set offset to the next buffer fragment to be
		 * copied
		 */
		user_offset = object_offset + object_size;

		hdr = &object.hdr;
		off_min = object_offset + object_size;
		switch (hdr->type) {
		case BINDER_TYPE_BINDER:
		case BINDER_TYPE_WEAK_BINDER: {
			struct flat_binder_object *fp;

			fp = to_flat_binder_object(hdr);
			ret = binder_translate_binder(fp, t, thread);

			if (ret < 0 ||
			    binder_alloc_copy_to_buffer(&target_proc->alloc,
							t->buffer,
							object_offset,
							fp, sizeof(*fp))) {
				return_error = BR_FAILED_REPLY;
				return_error_param = ret;
				return_error_line = __LINE__;
				goto err_translate_failed;
			}
		} break;
		case BINDER_TYPE_HANDLE:
		case BINDER_TYPE_WEAK_HANDLE: {
			struct flat_binder_object *fp;

			fp = to_flat_binder_object(hdr);
			ret = binder_translate_handle(fp, t, thread);
			if (ret < 0 ||
			    binder_alloc_copy_to_buffer(&target_proc->alloc,
							t->buffer,
							object_offset,
							fp, sizeof(*fp))) {
				return_error = BR_FAILED_REPLY;
				return_error_param = ret;
				return_error_line = __LINE__;
				goto err_translate_failed;
			}
		} break;

		case BINDER_TYPE_FD: {
			struct binder_fd_object *fp = to_binder_fd_object(hdr);
			/* Offset of the fd field inside the target buffer. */
			binder_size_t fd_offset = object_offset +
				(uintptr_t)&fp->fd - (uintptr_t)fp;
			/* NOTE: this local ret shadows the function-scope ret. */
			int ret = binder_translate_fd(fp->fd, fd_offset, t,
						      thread, in_reply_to);

			fp->pad_binder = 0;
			if (ret < 0 ||
			    binder_alloc_copy_to_buffer(&target_proc->alloc,
							t->buffer,
							object_offset,
							fp, sizeof(*fp))) {
				return_error = BR_FAILED_REPLY;
				return_error_param = ret;
				return_error_line = __LINE__;
				goto err_translate_failed;
			}
		} break;
		case BINDER_TYPE_FDA: {
			struct binder_object ptr_object;
			binder_size_t parent_offset;
			struct binder_fd_array_object *fda =
				to_binder_fd_array_object(hdr);
			/* Only objects already processed may be named as parent. */
			size_t num_valid = (buffer_offset - off_start_offset) /
						sizeof(binder_size_t);
			struct binder_buffer_object *parent =
				binder_validate_ptr(target_proc, t->buffer,
						    &ptr_object, fda->parent,
						    off_start_offset,
						    &parent_offset,
						    num_valid);
			if (!parent) {
				binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
						  proc->pid, thread->pid);
				return_error = BR_FAILED_REPLY;
				return_error_param = -EINVAL;
				return_error_line = __LINE__;
				goto err_bad_parent;
			}
			/* Fixups into a parent buffer must be applied in increasing order. */
			if (!binder_validate_fixup(target_proc, t->buffer,
						   off_start_offset,
						   parent_offset,
						   fda->parent_offset,
						   last_fixup_obj_off,
						   last_fixup_min_off)) {
				binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
						  proc->pid, thread->pid);
				return_error = BR_FAILED_REPLY;
				return_error_param = -EINVAL;
				return_error_line = __LINE__;
				goto err_bad_parent;
			}
			ret = binder_translate_fd_array(fda, parent, t, thread,
							in_reply_to);
			if (!ret)
				ret = binder_alloc_copy_to_buffer(&target_proc->alloc,
								  t->buffer,
								  object_offset,
								  fda, sizeof(*fda));
			if (ret) {
				return_error = BR_FAILED_REPLY;
				return_error_param = ret > 0 ? -EINVAL : ret;
				return_error_line = __LINE__;
				goto err_translate_failed;
			}
			last_fixup_obj_off = parent_offset;
			last_fixup_min_off =
				fda->parent_offset + sizeof(u32) * fda->num_fds;
		} break;
		case BINDER_TYPE_PTR: {
			struct binder_buffer_object *bp =
				to_binder_buffer_object(hdr);
			size_t buf_left = sg_buf_end_offset - sg_buf_offset;
			size_t num_valid;

			/* bp->length is user-controlled; bound it by the remaining SG area. */
			if (bp->length > buf_left) {
				binder_user_error("%d:%d got transaction with too large buffer\n",
						  proc->pid, thread->pid);
				return_error = BR_FAILED_REPLY;
				return_error_param = -EINVAL;
				return_error_line = __LINE__;
				goto err_bad_offset;
			}
			if (binder_alloc_copy_user_to_buffer(
						&target_proc->alloc,
						t->buffer,
						sg_buf_offset,
						(const void __user *)
							(uintptr_t)bp->buffer,
						bp->length)) {
				binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
						  proc->pid, thread->pid);
				return_error_param = -EFAULT;
				return_error = BR_FAILED_REPLY;
				return_error_line = __LINE__;
				goto err_copy_data_failed;
			}
			/* Fixup buffer pointer to target proc address space */
			bp->buffer = (uintptr_t)
				t->buffer->user_data + sg_buf_offset;
			sg_buf_offset += ALIGN(bp->length, sizeof(u64));

			num_valid = (buffer_offset - off_start_offset) /
					sizeof(binder_size_t);
			ret = binder_fixup_parent(t, thread, bp,
						  off_start_offset,
						  num_valid,
						  last_fixup_obj_off,
						  last_fixup_min_off);
			if (ret < 0 ||
			    binder_alloc_copy_to_buffer(&target_proc->alloc,
							t->buffer,
							object_offset,
							bp, sizeof(*bp))) {
				return_error = BR_FAILED_REPLY;
				return_error_param = ret;
				return_error_line = __LINE__;
				goto err_translate_failed;
			}
			last_fixup_obj_off = object_offset;
			last_fixup_min_off = 0;
		} break;
		default:
			binder_user_error("%d:%d got transaction with invalid object type, %x\n",
				proc->pid, thread->pid, hdr->type);
			return_error = BR_FAILED_REPLY;
			return_error_param = -EINVAL;
			return_error_line = __LINE__;
			goto err_bad_object_type;
		}
	}
	/* Done processing objects, copy the rest of the buffer */
	if (binder_alloc_copy_user_to_buffer(
				&target_proc->alloc,
				t->buffer, user_offset,
				user_buffer + user_offset,
				tr->data_size - user_offset)) {
		binder_user_error("%d:%d got transaction with invalid data ptr\n",
				proc->pid, thread->pid);
		return_error = BR_FAILED_REPLY;
		return_error_param = -EFAULT;
		return_error_line = __LINE__;
		goto err_copy_data_failed;
	}
	if (t->buffer->oneway_spam_suspect)
		tcomplete->type = BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT;
	else
		tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
	t->work.type = BINDER_WORK_TRANSACTION;

	if (reply) {
		/* Hand the reply to the thread blocked waiting for it. */
		binder_enqueue_thread_work(thread, tcomplete);
		binder_inner_proc_lock(target_proc);
		if (target_thread->is_dead) {
			return_error = BR_DEAD_REPLY;
			binder_inner_proc_unlock(target_proc);
			goto err_dead_proc_or_thread;
		}
		BUG_ON(t->buffer->async_transaction != 0);
		binder_pop_transaction_ilocked(target_thread, in_reply_to);
		binder_enqueue_thread_work_ilocked(target_thread, &t->work);
		target_proc->outstanding_txns++;
		binder_inner_proc_unlock(target_proc);
		wake_up_interruptible_sync(&target_thread->wait);
		trace_android_vh_binder_restore_priority(in_reply_to, current);
		binder_restore_priority(current, in_reply_to->saved_priority);
		binder_free_transaction(in_reply_to);
	} else if (!(t->flags & TF_ONE_WAY)) {
		BUG_ON(t->buffer->async_transaction != 0);
		binder_inner_proc_lock(proc);
		/*
		 * Defer the TRANSACTION_COMPLETE, so we don't return to
		 * userspace immediately; this allows the target process to
		 * immediately start processing this transaction, reducing
		 * latency. We will then return the TRANSACTION_COMPLETE when
		 * the target replies (or there is an error).
		 */
		binder_enqueue_deferred_thread_work_ilocked(thread, tcomplete);
		t->need_reply = 1;
		/* Push t onto the sender's call stack; popped again if delivery fails. */
		t->from_parent = thread->transaction_stack;
		thread->transaction_stack = t;
		binder_inner_proc_unlock(proc);
		return_error = binder_proc_transaction(t,
				target_proc, target_thread);
		if (return_error) {
			binder_inner_proc_lock(proc);
			binder_pop_transaction_ilocked(thread, t);
			binder_inner_proc_unlock(proc);
			goto err_dead_proc_or_thread;
		}
	} else {
		/* One-way: no reply expected, so no target thread is chosen here. */
		BUG_ON(target_node == NULL);
		BUG_ON(t->buffer->async_transaction != 1);
		binder_enqueue_thread_work(thread, tcomplete);
		return_error = binder_proc_transaction(t, target_proc, NULL);
		if (return_error)
			goto err_dead_proc_or_thread;
	}
	/* Drop the temporary refs taken while building the transaction. */
	if (target_thread)
		binder_thread_dec_tmpref(target_thread);
	binder_proc_dec_tmpref(target_proc);
	if (target_node)
		binder_dec_node_tmpref(target_node);
	/*
	 * write barrier to synchronize with initialization
	 * of log entry
	 */
	smp_wmb();
	WRITE_ONCE(e->debug_id_done, t_debug_id);
	return;

	/*
	 * Error unwinding. Labels are stacked so that each entry point
	 * releases only what was acquired after the next label below it.
	 */
err_dead_proc_or_thread:
	return_error_line = __LINE__;
	binder_dequeue_work(proc, tcomplete);
err_translate_failed:
err_bad_object_type:
err_bad_offset:
err_bad_parent:
err_copy_data_failed:
	/* Undo any object translation done so far, then give the buffer back. */
	binder_free_txn_fixups(t);
	trace_binder_transaction_failed_buffer_release(t->buffer);
	binder_transaction_buffer_release(target_proc, NULL, t->buffer,
					  buffer_offset, true);
	if (target_node)
		binder_dec_node_tmpref(target_node);
	target_node = NULL;
	t->buffer->transaction = NULL;
	binder_alloc_free_buf(&target_proc->alloc, t->buffer);
err_binder_alloc_buf_failed:
err_bad_extra_size:
	if (secctx)
		security_release_secctx(secctx, secctx_sz);
err_get_secctx_failed:
	kfree(tcomplete);
	binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
err_alloc_tcomplete_failed:
	if (trace_binder_txn_latency_free_enabled())
		binder_txn_latency_free(t);
	kfree(t);
	binder_stats_deleted(BINDER_STAT_TRANSACTION);
err_alloc_t_failed:
err_bad_todo_list:
err_bad_call_stack:
err_empty_call_stack:
err_dead_binder:
err_invalid_target_handle:
	if (target_thread)
		binder_thread_dec_tmpref(target_thread);
	if (target_proc)
		binder_proc_dec_tmpref(target_proc);
	if (target_node) {
		binder_dec_node(target_node, 1, 0);
		binder_dec_node_tmpref(target_node);
	}

	binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
		     "%d:%d transaction failed %d/%d, size %lld-%lld line %d\n",
		     proc->pid, thread->pid, return_error, return_error_param,
		     (u64)tr->data_size, (u64)tr->offsets_size,
		     return_error_line);

	/* Mirror the log entry into the failed-transaction log for debugging. */
	{
		struct binder_transaction_log_entry *fe;

		e->return_error = return_error;
		e->return_error_param = return_error_param;
		e->return_error_line = return_error_line;
		fe = binder_transaction_log_add(&binder_transaction_log_failed);
		*fe = *e;
		/*
		 * write barrier to synchronize with initialization
		 * of log entry
		 */
		smp_wmb();
		WRITE_ONCE(e->debug_id_done, t_debug_id);
		WRITE_ONCE(fe->debug_id_done, t_debug_id);
	}

	/*
	 * Report the failure to the sender. For a failed reply the original
	 * caller is also told, via binder_send_failed_reply().
	 */
	BUG_ON(thread->return_error.cmd != BR_OK);
	if (in_reply_to) {
		trace_android_vh_binder_restore_priority(in_reply_to, current);
		binder_restore_priority(current, in_reply_to->saved_priority);
		thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
		binder_enqueue_thread_work(thread, &thread->return_error.work);
		binder_send_failed_reply(in_reply_to, return_error);
	} else {
		thread->return_error.cmd = return_error;
		binder_enqueue_thread_work(thread, &thread->return_error.work);
	}
}
/**
 * binder_free_buf() - free the specified buffer
 * @proc: binder proc that owns buffer
 * @thread: thread performing the free (passed on to the buffer release)
 * @buffer: buffer to be freed
 * @is_failure: failed to send transaction
 *
 * Detaches @buffer from its transaction, if it still has one, under the
 * proc's inner lock. If @buffer carried an async transaction for a node,
 * the next piece of async work queued on that node is moved to @proc's
 * todo list and the proc is woken; if nothing is queued the node's
 * has_async_transaction flag is cleared instead.
 *
 * Finally the buffer contents are released and the buffer is returned
 * to the allocator.
 */
static void
binder_free_buf(struct binder_proc *proc,
		struct binder_thread *thread,
		struct binder_buffer *buffer, bool is_failure)
{
	struct binder_transaction *txn;

	binder_inner_proc_lock(proc);
	txn = buffer->transaction;
	if (txn) {
		txn->buffer = NULL;
		buffer->transaction = NULL;
	}
	binder_inner_proc_unlock(proc);

	if (buffer->async_transaction && buffer->target_node) {
		struct binder_node *node = buffer->target_node;
		struct binder_work *next;

		binder_node_inner_lock(node);
		BUG_ON(!node->has_async_transaction);
		BUG_ON(node->proc != proc);
		next = binder_dequeue_work_head_ilocked(&node->async_todo);
		if (next) {
			/* Release the next queued async transaction for this node. */
			binder_enqueue_work_ilocked(next, &proc->todo);
			binder_wakeup_proc_ilocked(proc);
		} else {
			node->has_async_transaction = false;
		}
		binder_node_inner_unlock(node);
	}

	trace_binder_transaction_buffer_release(buffer);
	binder_transaction_buffer_release(proc, thread, buffer, 0, is_failure);
	binder_alloc_free_buf(&proc->alloc, buffer);
}
static int binder_thread_write(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
binder_uintptr_t binder_buffer, size_t size,
|
|
binder_size_t *consumed)
|
|
{
|
|
uint32_t cmd;
|
|
struct binder_context *context = proc->context;
|
|
void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
|
|
void __user *ptr = buffer + *consumed;
|
|
void __user *end = buffer + size;
|
|
|
|
while (ptr < end && thread->return_error.cmd == BR_OK) {
|
|
int ret;
|
|
|
|
if (get_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
trace_binder_command(cmd);
|
|
if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {
|
|
atomic_inc(&binder_stats.bc[_IOC_NR(cmd)]);
|
|
atomic_inc(&proc->stats.bc[_IOC_NR(cmd)]);
|
|
atomic_inc(&thread->stats.bc[_IOC_NR(cmd)]);
|
|
}
|
|
switch (cmd) {
|
|
case BC_INCREFS:
|
|
case BC_ACQUIRE:
|
|
case BC_RELEASE:
|
|
case BC_DECREFS: {
|
|
uint32_t target;
|
|
const char *debug_string;
|
|
bool strong = cmd == BC_ACQUIRE || cmd == BC_RELEASE;
|
|
bool increment = cmd == BC_INCREFS || cmd == BC_ACQUIRE;
|
|
struct binder_ref_data rdata;
|
|
|
|
if (get_user(target, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
|
|
ptr += sizeof(uint32_t);
|
|
ret = -1;
|
|
if (increment && !target) {
|
|
struct binder_node *ctx_mgr_node;
|
|
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
ctx_mgr_node = context->binder_context_mgr_node;
|
|
if (ctx_mgr_node) {
|
|
if (ctx_mgr_node->proc == proc) {
|
|
binder_user_error("%d:%d context manager tried to acquire desc 0\n",
|
|
proc->pid, thread->pid);
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
return -EINVAL;
|
|
}
|
|
ret = binder_inc_ref_for_node(
|
|
proc, ctx_mgr_node,
|
|
strong, NULL, &rdata);
|
|
}
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
}
|
|
if (ret)
|
|
ret = binder_update_ref_for_handle(
|
|
proc, target, increment, strong,
|
|
&rdata);
|
|
if (!ret && rdata.desc != target) {
|
|
binder_user_error("%d:%d tried to acquire reference to desc %d, got %d instead\n",
|
|
proc->pid, thread->pid,
|
|
target, rdata.desc);
|
|
}
|
|
switch (cmd) {
|
|
case BC_INCREFS:
|
|
debug_string = "IncRefs";
|
|
break;
|
|
case BC_ACQUIRE:
|
|
debug_string = "Acquire";
|
|
break;
|
|
case BC_RELEASE:
|
|
debug_string = "Release";
|
|
break;
|
|
case BC_DECREFS:
|
|
default:
|
|
debug_string = "DecRefs";
|
|
break;
|
|
}
|
|
if (ret) {
|
|
binder_user_error("%d:%d %s %d refcount change on invalid ref %d ret %d\n",
|
|
proc->pid, thread->pid, debug_string,
|
|
strong, target, ret);
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_USER_REFS,
|
|
"%d:%d %s ref %d desc %d s %d w %d\n",
|
|
proc->pid, thread->pid, debug_string,
|
|
rdata.debug_id, rdata.desc, rdata.strong,
|
|
rdata.weak);
|
|
break;
|
|
}
|
|
case BC_INCREFS_DONE:
|
|
case BC_ACQUIRE_DONE: {
|
|
binder_uintptr_t node_ptr;
|
|
binder_uintptr_t cookie;
|
|
struct binder_node *node;
|
|
bool free_node;
|
|
|
|
if (get_user(node_ptr, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
node = binder_get_node(proc, node_ptr);
|
|
if (node == NULL) {
|
|
binder_user_error("%d:%d %s u%016llx no match\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ?
|
|
"BC_INCREFS_DONE" :
|
|
"BC_ACQUIRE_DONE",
|
|
(u64)node_ptr);
|
|
break;
|
|
}
|
|
if (cookie != node->cookie) {
|
|
binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ?
|
|
"BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
|
|
(u64)node_ptr, node->debug_id,
|
|
(u64)cookie, (u64)node->cookie);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
binder_node_inner_lock(node);
|
|
if (cmd == BC_ACQUIRE_DONE) {
|
|
if (node->pending_strong_ref == 0) {
|
|
binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire request\n",
|
|
proc->pid, thread->pid,
|
|
node->debug_id);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
node->pending_strong_ref = 0;
|
|
} else {
|
|
if (node->pending_weak_ref == 0) {
|
|
binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs request\n",
|
|
proc->pid, thread->pid,
|
|
node->debug_id);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
node->pending_weak_ref = 0;
|
|
}
|
|
free_node = binder_dec_node_nilocked(node,
|
|
cmd == BC_ACQUIRE_DONE, 0);
|
|
WARN_ON(free_node);
|
|
binder_debug(BINDER_DEBUG_USER_REFS,
|
|
"%d:%d %s node %d ls %d lw %d tr %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
|
|
node->debug_id, node->local_strong_refs,
|
|
node->local_weak_refs, node->tmp_refs);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
case BC_ATTEMPT_ACQUIRE:
|
|
pr_err("BC_ATTEMPT_ACQUIRE not supported\n");
|
|
return -EINVAL;
|
|
case BC_ACQUIRE_RESULT:
|
|
pr_err("BC_ACQUIRE_RESULT not supported\n");
|
|
return -EINVAL;
|
|
|
|
case BC_FREE_BUFFER: {
|
|
binder_uintptr_t data_ptr;
|
|
struct binder_buffer *buffer;
|
|
|
|
if (get_user(data_ptr, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
|
|
buffer = binder_alloc_prepare_to_free(&proc->alloc,
|
|
data_ptr);
|
|
if (IS_ERR_OR_NULL(buffer)) {
|
|
if (PTR_ERR(buffer) == -EPERM) {
|
|
binder_user_error(
|
|
"%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
|
|
proc->pid, thread->pid,
|
|
(u64)data_ptr);
|
|
} else {
|
|
binder_user_error(
|
|
"%d:%d BC_FREE_BUFFER u%016llx no match\n",
|
|
proc->pid, thread->pid,
|
|
(u64)data_ptr);
|
|
}
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_FREE_BUFFER,
|
|
"%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n",
|
|
proc->pid, thread->pid, (u64)data_ptr,
|
|
buffer->debug_id,
|
|
buffer->transaction ? "active" : "finished");
|
|
binder_free_buf(proc, thread, buffer, false);
|
|
break;
|
|
}
|
|
|
|
case BC_TRANSACTION_SG:
|
|
case BC_REPLY_SG: {
|
|
struct binder_transaction_data_sg tr;
|
|
|
|
if (copy_from_user(&tr, ptr, sizeof(tr)))
|
|
return -EFAULT;
|
|
ptr += sizeof(tr);
|
|
binder_transaction(proc, thread, &tr.transaction_data,
|
|
cmd == BC_REPLY_SG, tr.buffers_size);
|
|
break;
|
|
}
|
|
case BC_TRANSACTION:
|
|
case BC_REPLY: {
|
|
struct binder_transaction_data tr;
|
|
|
|
if (copy_from_user(&tr, ptr, sizeof(tr)))
|
|
return -EFAULT;
|
|
ptr += sizeof(tr);
|
|
binder_transaction(proc, thread, &tr,
|
|
cmd == BC_REPLY, 0);
|
|
break;
|
|
}
|
|
|
|
case BC_REGISTER_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_REGISTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
binder_inner_proc_lock(proc);
|
|
if (thread->looper & BINDER_LOOPER_STATE_ENTERED) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
} else if (proc->requested_threads == 0) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called without request\n",
|
|
proc->pid, thread->pid);
|
|
} else {
|
|
proc->requested_threads--;
|
|
proc->requested_threads_started++;
|
|
}
|
|
thread->looper |= BINDER_LOOPER_STATE_REGISTERED;
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
case BC_ENTER_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_ENTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
}
|
|
thread->looper |= BINDER_LOOPER_STATE_ENTERED;
|
|
break;
|
|
case BC_EXIT_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_EXIT_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
thread->looper |= BINDER_LOOPER_STATE_EXITED;
|
|
break;
|
|
|
|
case BC_REQUEST_DEATH_NOTIFICATION:
|
|
case BC_CLEAR_DEATH_NOTIFICATION: {
|
|
uint32_t target;
|
|
binder_uintptr_t cookie;
|
|
struct binder_ref *ref;
|
|
struct binder_ref_death *death = NULL;
|
|
|
|
if (get_user(target, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
|
|
/*
|
|
* Allocate memory for death notification
|
|
* before taking lock
|
|
*/
|
|
death = kzalloc(sizeof(*death), GFP_KERNEL);
|
|
if (death == NULL) {
|
|
WARN_ON(thread->return_error.cmd !=
|
|
BR_OK);
|
|
thread->return_error.cmd = BR_ERROR;
|
|
binder_enqueue_thread_work(
|
|
thread,
|
|
&thread->return_error.work);
|
|
binder_debug(
|
|
BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"%d:%d BC_REQUEST_DEATH_NOTIFICATION failed\n",
|
|
proc->pid, thread->pid);
|
|
break;
|
|
}
|
|
}
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, target, false);
|
|
if (ref == NULL) {
|
|
binder_user_error("%d:%d %s invalid ref %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
|
|
"BC_REQUEST_DEATH_NOTIFICATION" :
|
|
"BC_CLEAR_DEATH_NOTIFICATION",
|
|
target);
|
|
binder_proc_unlock(proc);
|
|
kfree(death);
|
|
break;
|
|
}
|
|
|
|
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
|
|
"%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
|
|
"BC_REQUEST_DEATH_NOTIFICATION" :
|
|
"BC_CLEAR_DEATH_NOTIFICATION",
|
|
(u64)cookie, ref->data.debug_id,
|
|
ref->data.desc, ref->data.strong,
|
|
ref->data.weak, ref->node->debug_id);
|
|
|
|
binder_node_lock(ref->node);
|
|
if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
|
|
if (ref->death) {
|
|
binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification already set\n",
|
|
proc->pid, thread->pid);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
kfree(death);
|
|
break;
|
|
}
|
|
binder_stats_created(BINDER_STAT_DEATH);
|
|
INIT_LIST_HEAD(&death->work.entry);
|
|
death->cookie = cookie;
|
|
ref->death = death;
|
|
if (ref->node->proc == NULL) {
|
|
ref->death->work.type = BINDER_WORK_DEAD_BINDER;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
binder_enqueue_work_ilocked(
|
|
&ref->death->work, &proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
} else {
|
|
if (ref->death == NULL) {
|
|
binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not active\n",
|
|
proc->pid, thread->pid);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
break;
|
|
}
|
|
death = ref->death;
|
|
if (death->cookie != cookie) {
|
|
binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n",
|
|
proc->pid, thread->pid,
|
|
(u64)death->cookie,
|
|
(u64)cookie);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
break;
|
|
}
|
|
ref->death = NULL;
|
|
binder_inner_proc_lock(proc);
|
|
if (list_empty(&death->work.entry)) {
|
|
death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
|
|
if (thread->looper &
|
|
(BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED))
|
|
binder_enqueue_thread_work_ilocked(
|
|
thread,
|
|
&death->work);
|
|
else {
|
|
binder_enqueue_work_ilocked(
|
|
&death->work,
|
|
&proc->todo);
|
|
binder_wakeup_proc_ilocked(
|
|
proc);
|
|
}
|
|
} else {
|
|
BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER);
|
|
death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
} break;
|
|
case BC_DEAD_BINDER_DONE: {
|
|
struct binder_work *w;
|
|
binder_uintptr_t cookie;
|
|
struct binder_ref_death *death = NULL;
|
|
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
|
|
ptr += sizeof(cookie);
|
|
binder_inner_proc_lock(proc);
|
|
list_for_each_entry(w, &proc->delivered_death,
|
|
entry) {
|
|
struct binder_ref_death *tmp_death =
|
|
container_of(w,
|
|
struct binder_ref_death,
|
|
work);
|
|
|
|
if (tmp_death->cookie == cookie) {
|
|
death = tmp_death;
|
|
break;
|
|
}
|
|
}
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
|
|
proc->pid, thread->pid, (u64)cookie,
|
|
death);
|
|
if (death == NULL) {
|
|
binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n",
|
|
proc->pid, thread->pid, (u64)cookie);
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
}
|
|
binder_dequeue_work_ilocked(&death->work);
|
|
if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) {
|
|
death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
|
|
if (thread->looper &
|
|
(BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED))
|
|
binder_enqueue_thread_work_ilocked(
|
|
thread, &death->work);
|
|
else {
|
|
binder_enqueue_work_ilocked(
|
|
&death->work,
|
|
&proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
} break;
|
|
|
|
default:
|
|
pr_err("%d:%d unknown command %d\n",
|
|
proc->pid, thread->pid, cmd);
|
|
return -EINVAL;
|
|
}
|
|
*consumed = ptr - buffer;
|
|
}
|
|
return 0;
|
|
}
/*
 * binder_stat_br() - account for one BR_* command returned to userspace
 * @proc:   process the command is being returned to
 * @thread: thread the command is being returned to
 * @cmd:    the BR_* command code
 *
 * Fires the binder_return tracepoint and increments the per-command
 * counters at global, per-process and per-thread level. Commands whose
 * _IOC_NR() index lies outside the stats array are traced but not counted.
 */
static void binder_stat_br(struct binder_proc *proc,
			   struct binder_thread *thread, uint32_t cmd)
{
	unsigned int idx = _IOC_NR(cmd);

	trace_binder_return(cmd);
	if (idx >= ARRAY_SIZE(binder_stats.br))
		return;

	atomic_inc(&binder_stats.br[idx]);
	atomic_inc(&proc->stats.br[idx]);
	atomic_inc(&thread->stats.br[idx]);
}
/*
 * binder_put_node_cmd() - write one node-reference command to the read buffer
 * @proc:          process that owns the read buffer
 * @thread:        thread performing the read
 * @ptrp:          in/out cursor into the userspace read buffer; only advanced
 *                 past the written command when every put_user() succeeded
 * @node_ptr:      userspace pointer of the node
 * @node_cookie:   userspace cookie of the node
 * @node_debug_id: debug id of the node, used for the debug log only
 * @cmd:           the BR_* command to emit (callers pass BR_INCREFS,
 *                 BR_ACQUIRE, BR_RELEASE or BR_DECREFS)
 * @cmd_name:      printable name of @cmd, used for the debug log only
 *
 * Layout written to userspace: u32 @cmd, then @node_ptr, then @node_cookie.
 *
 * Return: 0 on success, -EFAULT if a write to userspace failed. On -EFAULT
 * *ptrp is left untouched even though a partial write may have landed.
 */
static int binder_put_node_cmd(struct binder_proc *proc,
			       struct binder_thread *thread,
			       void __user **ptrp,
			       binder_uintptr_t node_ptr,
			       binder_uintptr_t node_cookie,
			       int node_debug_id,
			       uint32_t cmd, const char *cmd_name)
{
	void __user *cursor = *ptrp;

	/* command word */
	if (put_user(cmd, (uint32_t __user *)cursor))
		return -EFAULT;
	cursor += sizeof(uint32_t);

	/* node pointer */
	if (put_user(node_ptr, (binder_uintptr_t __user *)cursor))
		return -EFAULT;
	cursor += sizeof(binder_uintptr_t);

	/* node cookie */
	if (put_user(node_cookie, (binder_uintptr_t __user *)cursor))
		return -EFAULT;
	cursor += sizeof(binder_uintptr_t);

	binder_stat_br(proc, thread, cmd);
	binder_debug(BINDER_DEBUG_USER_REFS, "%d:%d %s %d u%016llx c%016llx\n",
		     proc->pid, thread->pid, cmd_name, node_debug_id,
		     (u64)node_ptr, (u64)node_cookie);

	/* publish the advanced cursor only after the whole record is written */
	*ptrp = cursor;
	return 0;
}
/*
 * binder_wait_for_work() - sleep until this thread has binder work to process
 * @thread:       the waiting thread
 * @do_proc_work: also wait for work queued on the process (proc->todo), not
 *                only on @thread->todo
 *
 * Loops on prepare_to_wait()/schedule() while holding proc->inner_lock,
 * dropping the lock only across the actual schedule(). When @do_proc_work
 * is set the thread is parked on proc->waiting_threads before sleeping so
 * that process-wide work can wake it; the node is unlinked again after
 * every wakeup.
 *
 * Return: 0 once binder_has_work_ilocked() reports work, -EINTR if a signal
 * was pending after a wakeup.
 */
static int binder_wait_for_work(struct binder_thread *thread,
				bool do_proc_work)
{
	DEFINE_WAIT(wait);
	struct binder_proc *proc = thread->proc;
	int ret = 0;

	/* freezer_do_not_count() / freezer_count() bracket the whole wait */
	freezer_do_not_count();
	binder_inner_proc_lock(proc);
	for (;;) {
		prepare_to_wait(&thread->wait, &wait, TASK_INTERRUPTIBLE);
		if (binder_has_work_ilocked(thread, do_proc_work))
			break;
		if (do_proc_work)
			list_add(&thread->waiting_thread_node,
				 &proc->waiting_threads);
		trace_android_vh_binder_wait_for_work(do_proc_work, thread, proc);
		/* the lock is released only while actually sleeping */
		binder_inner_proc_unlock(proc);
		schedule();
		binder_inner_proc_lock(proc);
		/*
		 * waiting_thread_node is initialised at thread creation, so
		 * this is safe even when the list_add() above was skipped.
		 */
		list_del_init(&thread->waiting_thread_node);
		if (signal_pending(current)) {
			ret = -EINTR;
			break;
		}
	}
	finish_wait(&thread->wait, &wait);
	binder_inner_proc_unlock(proc);
	freezer_count();

	return ret;
}
/**
 * binder_apply_fd_fixups() - finish fd translation
 * @proc: binder_proc associated @t->buffer
 * @t: binder transaction with list of fd fixups
 *
 * Now that we are in the context of the transaction target
 * process, we can allocate and install fds. Process the
 * list of fds to translate and fixup the buffer with the
 * new fds.
 *
 * If we fail to allocate an fd, then free the resources by
 * fput'ing files that have not been processed and scheduling a
 * deferred close of any fds that have already been installed.
 *
 * The fixup list is always drained and freed before returning,
 * whether or not an error occurred.
 *
 * Return: 0 on success, -ENOMEM if an fd could not be allocated,
 * -EINVAL if the fd could not be written into the transaction buffer.
 */
static int binder_apply_fd_fixups(struct binder_proc *proc,
				  struct binder_transaction *t)
{
	struct binder_txn_fd_fixup *fixup, *tmp;
	int ret = 0;

	/* Pass 1: allocate an fd per fixup, install it and patch the buffer. */
	list_for_each_entry(fixup, &t->fd_fixups, fixup_entry) {
		int fd = get_unused_fd_flags(O_CLOEXEC);

		if (fd < 0) {
			binder_debug(BINDER_DEBUG_TRANSACTION,
				     "failed fd fixup txn %d fd %d\n",
				     t->debug_id, fd);
			ret = -ENOMEM;
			break;
		}
		binder_debug(BINDER_DEBUG_TRANSACTION,
			     "fd fixup txn %d fd %d\n",
			     t->debug_id, fd);
		trace_binder_transaction_fd_recv(t, fd, fixup->offset);
		fd_install(fd, fixup->file);
		/* the file reference now belongs to the fd table */
		fixup->file = NULL;
		/*
		 * NOTE(review): the fd is already installed at this point. If
		 * the copy below fails, pass 2 will read the fd back from a
		 * buffer slot that this iteration never wrote, so the value it
		 * schedules for close may be stale rather than this fd.
		 */
		if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
						fixup->offset, &fd,
						sizeof(u32))) {
			ret = -EINVAL;
			break;
		}
	}
	/*
	 * Pass 2: drain the list unconditionally. Files that were never
	 * installed are released; on error, fds that were installed
	 * (file == NULL) are read back from the buffer and closed later.
	 */
	list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
		if (fixup->file) {
			fput(fixup->file);
		} else if (ret) {
			u32 fd;
			int err;

			err = binder_alloc_copy_from_buffer(&proc->alloc, &fd,
							    t->buffer,
							    fixup->offset,
							    sizeof(fd));
			WARN_ON(err);
			if (!err)
				binder_deferred_fd_close(fd);
		}
		list_del(&fixup->fixup_entry);
		kfree(fixup);
	}

	return ret;
}
/*
 * binder_thread_read() - deliver pending work into the userspace read buffer
 * @proc:          calling process
 * @thread:        calling thread
 * @binder_buffer: userspace address of the read buffer
 * @size:          size of the read buffer in bytes
 * @consumed:      in: bytes already written into the buffer; out: total
 *                 bytes written when this call returns
 * @non_block:     non-zero to return -EAGAIN instead of sleeping when no
 *                 work is available
 *
 * Writes a sequence of BR_* commands (a u32 each, some followed by a
 * payload) to the buffer, draining thread->todo and, when the thread is
 * available for process work, proc->todo. The loop stops when the lists
 * are empty, when the next item would not fit, after a transaction or
 * reply has been delivered (BR_TRANSACTION, BR_TRANSACTION_SEC_CTX,
 * BR_REPLY or BR_FAILED_REPLY), or after a BR_DEAD_BINDER.
 *
 * Return: 0 on success (including "nothing to deliver"), -EAGAIN when
 * @non_block is set and no work is available, -EINTR if the sleep was
 * interrupted, -EFAULT if a write to the userspace buffer failed.
 */
static int binder_thread_read(struct binder_proc *proc,
			      struct binder_thread *thread,
			      binder_uintptr_t binder_buffer, size_t size,
			      binder_size_t *consumed, int non_block)
{
	void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
	void __user *ptr = buffer + *consumed;
	void __user *end = buffer + size;

	int ret = 0;
	int wait_for_proc_work;

	/*
	 * A fresh read starts with BR_NOOP in the first word. The done: path
	 * at the bottom may later overwrite that word with BR_SPAWN_LOOPER.
	 */
	if (*consumed == 0) {
		if (put_user(BR_NOOP, (uint32_t __user *)ptr))
			return -EFAULT;
		ptr += sizeof(uint32_t);
	}

retry:
	/* decide whether this thread may also service proc->todo this round */
	binder_inner_proc_lock(proc);
	wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
	binder_inner_proc_unlock(proc);

	thread->looper |= BINDER_LOOPER_STATE_WAITING;

	trace_binder_wait_for_work(wait_for_proc_work,
				   !!thread->transaction_stack,
				   !binder_worklist_empty(proc, &thread->todo));
	if (wait_for_proc_work) {
		/*
		 * Waiting for process-wide work is only expected from a thread
		 * that announced itself as a looper. Otherwise log the error
		 * and, while binder_stop_on_user_error >= 2, block here.
		 */
		if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
					BINDER_LOOPER_STATE_ENTERED))) {
			binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
				proc->pid, thread->pid, thread->looper);
			wait_event_interruptible(binder_user_error_wait,
						 binder_stop_on_user_error < 2);
		}
		trace_android_vh_binder_restore_priority(NULL, current);
		binder_restore_priority(current, proc->default_priority);
	}

	if (non_block) {
		if (!binder_has_work(thread, wait_for_proc_work))
			ret = -EAGAIN;
	} else {
		ret = binder_wait_for_work(thread, wait_for_proc_work);
	}

	thread->looper &= ~BINDER_LOOPER_STATE_WAITING;

	if (ret)
		return ret;

	while (1) {
		uint32_t cmd;
		struct binder_transaction_data_secctx tr;
		struct binder_transaction_data *trd = &tr.transaction_data;
		struct binder_work *w = NULL;
		struct list_head *list = NULL;
		struct binder_transaction *t = NULL;
		struct binder_thread *t_from;
		size_t trsize = sizeof(*trd);

		/* thread-local work takes precedence over process work */
		binder_inner_proc_lock(proc);
		if (!binder_worklist_empty_ilocked(&thread->todo))
			list = &thread->todo;
		else if (!binder_worklist_empty_ilocked(&proc->todo) &&
			   wait_for_proc_work)
			list = &proc->todo;
		else {
			binder_inner_proc_unlock(proc);

			/*
			 * no data added: only the leading BR_NOOP is in the
			 * buffer, so go back to sleep unless userspace asked
			 * for control back (looper_need_return)
			 */
			if (ptr - buffer == 4 && !thread->looper_need_return)
				goto retry;
			break;
		}

		/*
		 * Leave room for the largest item (u32 cmd plus a secctx
		 * transaction record) before dequeuing, so a non-fitting item
		 * stays on its list for the next read.
		 */
		if (end - ptr < sizeof(tr) + 4) {
			binder_inner_proc_unlock(proc);
			break;
		}
		w = binder_dequeue_work_head_ilocked(list);
		if (binder_worklist_empty_ilocked(&thread->todo))
			thread->process_todo = false;

		/*
		 * Every case is entered with proc->inner_lock held and must
		 * release it before touching userspace.
		 */
		switch (w->type) {
		case BINDER_WORK_TRANSACTION: {
			binder_inner_proc_unlock(proc);
			t = container_of(w, struct binder_transaction, work);
		} break;
		case BINDER_WORK_RETURN_ERROR: {
			struct binder_error *e = container_of(
					w, struct binder_error, work);

			WARN_ON(e->cmd == BR_OK);
			binder_inner_proc_unlock(proc);
			if (put_user(e->cmd, (uint32_t __user *)ptr))
				return -EFAULT;
			cmd = e->cmd;
			/* the embedded error slot is reusable once delivered */
			e->cmd = BR_OK;
			ptr += sizeof(uint32_t);

			binder_stat_br(proc, thread, cmd);
		} break;
		case BINDER_WORK_TRANSACTION_COMPLETE:
		case BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT: {
			/*
			 * The spam-suspect variant is only surfaced as its own
			 * BR_ code when the process opted into detection;
			 * otherwise it is reported as a plain completion.
			 */
			if (proc->oneway_spam_detection_enabled &&
				   w->type == BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT)
				cmd = BR_ONEWAY_SPAM_SUSPECT;
			else
				cmd = BR_TRANSACTION_COMPLETE;
			binder_inner_proc_unlock(proc);
			kfree(w);
			binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
			if (put_user(cmd, (uint32_t __user *)ptr))
				return -EFAULT;
			ptr += sizeof(uint32_t);

			binder_stat_br(proc, thread, cmd);
			binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
				     "%d:%d BR_TRANSACTION_COMPLETE\n",
				     proc->pid, thread->pid);
		} break;
		case BINDER_WORK_NODE: {
			struct binder_node *node = container_of(w, struct binder_node, work);
			int strong, weak;
			binder_uintptr_t node_ptr = node->ptr;
			binder_uintptr_t node_cookie = node->cookie;
			int node_debug_id = node->debug_id;
			int has_weak_ref;
			int has_strong_ref;
			void __user *orig_ptr = ptr;

			BUG_ON(proc != node->proc);
			/*
			 * Work out which userspace references the node needs
			 * now (strong/weak) and compare with what userspace
			 * already holds (has_*_ref). The pending_*_ref flags
			 * set here are acknowledged later by BC_INCREFS_DONE /
			 * BC_ACQUIRE_DONE from the write path.
			 */
			strong = node->internal_strong_refs ||
					node->local_strong_refs;
			weak = !hlist_empty(&node->refs) ||
					node->local_weak_refs ||
					node->tmp_refs || strong;
			has_strong_ref = node->has_strong_ref;
			has_weak_ref = node->has_weak_ref;

			if (weak && !has_weak_ref) {
				node->has_weak_ref = 1;
				node->pending_weak_ref = 1;
				node->local_weak_refs++;
			}
			if (strong && !has_strong_ref) {
				node->has_strong_ref = 1;
				node->pending_strong_ref = 1;
				node->local_strong_refs++;
			}
			if (!strong && has_strong_ref)
				node->has_strong_ref = 0;
			if (!weak && has_weak_ref)
				node->has_weak_ref = 0;
			if (!weak && !strong) {
				/* nothing references the node any more: tear it down */
				binder_debug(BINDER_DEBUG_INTERNAL_REFS,
					     "%d:%d node %d u%016llx c%016llx deleted\n",
					     proc->pid, thread->pid,
					     node_debug_id,
					     (u64)node_ptr,
					     (u64)node_cookie);
				rb_erase(&node->rb_node, &proc->nodes);
				binder_inner_proc_unlock(proc);
				binder_node_lock(node);
				/*
				 * Acquire the node lock before freeing the
				 * node to serialize with other threads that
				 * may have been holding the node lock while
				 * decrementing this node (avoids race where
				 * this thread frees while the other thread
				 * is unlocking the node after the final
				 * decrement)
				 */
				binder_node_unlock(node);
				binder_free_node(node);
			} else
				binder_inner_proc_unlock(proc);

			/*
			 * Emit the reference commands implied by the state
			 * transitions above; the locals captured earlier are
			 * used because the node may already be freed.
			 */
			if (weak && !has_weak_ref)
				ret = binder_put_node_cmd(
						proc, thread, &ptr, node_ptr,
						node_cookie, node_debug_id,
						BR_INCREFS, "BR_INCREFS");
			if (!ret && strong && !has_strong_ref)
				ret = binder_put_node_cmd(
						proc, thread, &ptr, node_ptr,
						node_cookie, node_debug_id,
						BR_ACQUIRE, "BR_ACQUIRE");
			if (!ret && !strong && has_strong_ref)
				ret = binder_put_node_cmd(
						proc, thread, &ptr, node_ptr,
						node_cookie, node_debug_id,
						BR_RELEASE, "BR_RELEASE");
			if (!ret && !weak && has_weak_ref)
				ret = binder_put_node_cmd(
						proc, thread, &ptr, node_ptr,
						node_cookie, node_debug_id,
						BR_DECREFS, "BR_DECREFS");
			if (orig_ptr == ptr)
				binder_debug(BINDER_DEBUG_INTERNAL_REFS,
					     "%d:%d node %d u%016llx c%016llx state unchanged\n",
					     proc->pid, thread->pid,
					     node_debug_id,
					     (u64)node_ptr,
					     (u64)node_cookie);
			if (ret)
				return ret;
		} break;
		case BINDER_WORK_DEAD_BINDER:
		case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
		case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
			struct binder_ref_death *death;
			uint32_t cmd;
			binder_uintptr_t cookie;

			death = container_of(w, struct binder_ref_death, work);
			if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION)
				cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE;
			else
				cmd = BR_DEAD_BINDER;
			cookie = death->cookie;

			binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
				     "%d:%d %s %016llx\n",
				      proc->pid, thread->pid,
				      cmd == BR_DEAD_BINDER ?
				      "BR_DEAD_BINDER" :
				      "BR_CLEAR_DEATH_NOTIFICATION_DONE",
				      (u64)cookie);
			/*
			 * A clear-done is final, so the death record is freed
			 * here. A dead-binder notification is parked on
			 * proc->delivered_death until userspace acknowledges
			 * it with BC_DEAD_BINDER_DONE.
			 */
			if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) {
				binder_inner_proc_unlock(proc);
				kfree(death);
				binder_stats_deleted(BINDER_STAT_DEATH);
			} else {
				binder_enqueue_work_ilocked(
						w, &proc->delivered_death);
				binder_inner_proc_unlock(proc);
			}
			if (put_user(cmd, (uint32_t __user *)ptr))
				return -EFAULT;
			ptr += sizeof(uint32_t);
			if (put_user(cookie,
				     (binder_uintptr_t __user *)ptr))
				return -EFAULT;
			ptr += sizeof(binder_uintptr_t);
			binder_stat_br(proc, thread, cmd);
			if (cmd == BR_DEAD_BINDER)
				goto done; /* DEAD_BINDER notifications can cause transactions */
		} break;
		default:
			binder_inner_proc_unlock(proc);
			pr_err("%d:%d: bad work type %d\n",
			       proc->pid, thread->pid, w->type);
			break;
		}

		/* only BINDER_WORK_TRANSACTION sets t; everything else loops */
		if (!t)
			continue;

		BUG_ON(t->buffer == NULL);
		if (t->buffer->target_node) {
			struct binder_node *target_node = t->buffer->target_node;
			struct binder_priority node_prio;

			trd->target.ptr = target_node->ptr;
			trd->cookie = target_node->cookie;
			node_prio.sched_policy = target_node->sched_policy;
			node_prio.prio = target_node->min_priority;
			binder_transaction_priority(current, t, node_prio,
						    target_node->inherit_rt);
			cmd = BR_TRANSACTION;
		} else {
			/* no target node means this is a reply */
			trd->target.ptr = 0;
			trd->cookie = 0;
			cmd = BR_REPLY;
		}
		trd->code = t->code;
		trd->flags = t->flags;
		trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);

		/* t_from carries a tmp ref that must be dropped on every path */
		t_from = binder_get_txn_from(t);
		if (t_from) {
			struct task_struct *sender = t_from->proc->tsk;

			trd->sender_pid =
				task_tgid_nr_ns(sender,
						task_active_pid_ns(current));
			trace_android_vh_sync_txn_recvd(thread->task, t_from->task);
		} else {
			trd->sender_pid = 0;
		}

		ret = binder_apply_fd_fixups(proc, t);
		if (ret) {
			struct binder_buffer *buffer = t->buffer;
			bool oneway = !!(t->flags & TF_ONE_WAY);
			int tid = t->debug_id;

			if (t_from)
				binder_thread_dec_tmpref(t_from);
			buffer->transaction = NULL;
			binder_cleanup_transaction(t, "fd fixups failed",
						   BR_FAILED_REPLY);
			binder_free_buf(proc, thread, buffer, true);
			binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
				     "%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n",
				     proc->pid, thread->pid,
				     oneway ? "async " :
					(cmd == BR_REPLY ? "reply " : ""),
				     tid, BR_FAILED_REPLY, ret, __LINE__);
			/*
			 * A failed reply is reported to the waiting caller as
			 * BR_FAILED_REPLY and ends the read; a failed
			 * transaction is dropped and draining continues.
			 */
			if (cmd == BR_REPLY) {
				cmd = BR_FAILED_REPLY;
				if (put_user(cmd, (uint32_t __user *)ptr))
					return -EFAULT;
				ptr += sizeof(uint32_t);
				binder_stat_br(proc, thread, cmd);
				break;
			}
			continue;
		}
		trd->data_size = t->buffer->data_size;
		trd->offsets_size = t->buffer->offsets_size;
		trd->data.ptr.buffer = (uintptr_t)t->buffer->user_data;
		trd->data.ptr.offsets = trd->data.ptr.buffer +
					ALIGN(t->buffer->data_size,
					    sizeof(void *));

		/* with a security context the larger secctx record is sent */
		tr.secctx = t->security_ctx;
		if (t->security_ctx) {
			cmd = BR_TRANSACTION_SEC_CTX;
			trsize = sizeof(tr);
		}
		if (put_user(cmd, (uint32_t __user *)ptr)) {
			if (t_from)
				binder_thread_dec_tmpref(t_from);

			binder_cleanup_transaction(t, "put_user failed",
						   BR_FAILED_REPLY);

			return -EFAULT;
		}
		ptr += sizeof(uint32_t);
		if (copy_to_user(ptr, &tr, trsize)) {
			if (t_from)
				binder_thread_dec_tmpref(t_from);

			binder_cleanup_transaction(t, "copy_to_user failed",
						   BR_FAILED_REPLY);

			return -EFAULT;
		}
		ptr += trsize;

		trace_binder_transaction_received(t);
		binder_stat_br(proc, thread, cmd);
		binder_debug(BINDER_DEBUG_TRANSACTION,
			     "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
			     proc->pid, thread->pid,
			     (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
				(cmd == BR_TRANSACTION_SEC_CTX) ?
				     "BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
			     t->debug_id, t_from ? t_from->proc->pid : 0,
			     t_from ? t_from->pid : 0, cmd,
			     t->buffer->data_size, t->buffer->offsets_size,
			     (u64)trd->data.ptr.buffer,
			     (u64)trd->data.ptr.offsets);

		if (t_from)
			binder_thread_dec_tmpref(t_from);
		/* userspace may now BC_FREE_BUFFER this buffer */
		t->buffer->allow_user_free = 1;
		if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
			/*
			 * A synchronous incoming transaction stays alive on
			 * this thread's transaction stack until it is replied
			 * to; replies and oneway transactions are done now.
			 */
			binder_inner_proc_lock(thread->proc);
			t->to_parent = thread->transaction_stack;
			t->to_thread = thread;
			thread->transaction_stack = t;
			binder_inner_proc_unlock(thread->proc);
		} else {
			binder_free_transaction(t);
		}
		break;
	}

done:

	*consumed = ptr - buffer;
	/*
	 * Ask userspace for another looper thread when none is waiting,
	 * none has already been requested and the pool limit is not
	 * reached. The request is written over the leading BR_NOOP word.
	 */
	binder_inner_proc_lock(proc);
	if (proc->requested_threads == 0 &&
	    list_empty(&thread->proc->waiting_threads) &&
	    proc->requested_threads_started < proc->max_threads &&
	    (thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
	     BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */
	     /*spawn a new thread if we leave this out */) {
		proc->requested_threads++;
		binder_inner_proc_unlock(proc);
		binder_debug(BINDER_DEBUG_THREADS,
			     "%d:%d BR_SPAWN_LOOPER\n",
			     proc->pid, thread->pid);
		if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
			return -EFAULT;
		binder_stat_br(proc, thread, BR_SPAWN_LOOPER);
	} else
		binder_inner_proc_unlock(proc);
	return 0;
}
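/*
 * binder_release_work() - discard every work item still queued on a list
 * @proc: process whose inner lock protects @list
 * @list: work list to drain (a thread's or the process's todo list)
 *
 * Dequeues one item at a time under proc->inner_lock and then disposes of
 * it without the lock held: undelivered transactions are failed back to
 * their sender with BR_DEAD_REPLY, completion and death records are freed,
 * embedded error records and node work need no cleanup. Work types not
 * handled here are logged and left unfreed.
 *
 * BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT items are allocated and freed
 * exactly like BINDER_WORK_TRANSACTION_COMPLETE (see the read path), so they
 * are released the same way here instead of falling through to the default
 * branch and leaking.
 */
static void binder_release_work(struct binder_proc *proc,
				struct list_head *list)
{
	struct binder_work *w;
	enum binder_work_type wtype;

	while (1) {
		/* the type is read under the lock; the item is handled without it */
		binder_inner_proc_lock(proc);
		w = binder_dequeue_work_head_ilocked(list);
		wtype = w ? w->type : 0;
		binder_inner_proc_unlock(proc);
		if (!w)
			return;

		switch (wtype) {
		case BINDER_WORK_TRANSACTION: {
			struct binder_transaction *t;

			t = container_of(w, struct binder_transaction, work);

			binder_cleanup_transaction(t, "process died.",
						   BR_DEAD_REPLY);
		} break;
		case BINDER_WORK_RETURN_ERROR: {
			/* embedded in the thread, nothing to free */
			struct binder_error *e = container_of(
					w, struct binder_error, work);

			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered TRANSACTION_ERROR: %u\n",
				e->cmd);
		} break;
		case BINDER_WORK_TRANSACTION_COMPLETE:
		case BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT: {
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered TRANSACTION_COMPLETE\n");
			kfree(w);
			binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
		} break;
		case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
		case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
			struct binder_ref_death *death;

			death = container_of(w, struct binder_ref_death, work);
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
				"undelivered death notification, %016llx\n",
				(u64)death->cookie);
			kfree(death);
			binder_stats_deleted(BINDER_STAT_DEATH);
		} break;
		case BINDER_WORK_NODE:
			/* node work is embedded in the node; nothing to free */
			break;
		default:
			pr_err("unexpected work type, %d, not freed\n",
			       wtype);
			break;
		}
	}

}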
/*
 * binder_get_thread_ilocked() - look up (and optionally insert) the
 *                               binder_thread for the current task
 * @proc:       process whose thread tree is searched; inner lock held
 * @new_thread: zeroed thread to insert if none exists for current->pid,
 *              or NULL to only look up
 *
 * The tree in proc->threads is keyed by pid. When @new_thread is inserted
 * it is initialised here (proc back-pointer, task reference, wait queue,
 * todo list, error records, looper_need_return).
 *
 * Return: the existing thread for the current task; @new_thread after it
 * was inserted; NULL if no thread exists and @new_thread is NULL.
 */
static struct binder_thread *binder_get_thread_ilocked(
		struct binder_proc *proc, struct binder_thread *new_thread)
{
	const int pid = current->pid;
	struct rb_node **link = &proc->threads.rb_node;
	struct rb_node *parent = NULL;
	struct binder_thread *thread;

	/* search phase: walk the tree by pid */
	while (*link) {
		parent = *link;
		thread = rb_entry(parent, struct binder_thread, rb_node);

		if (pid < thread->pid)
			link = &parent->rb_left;
		else if (pid > thread->pid)
			link = &parent->rb_right;
		else
			return thread;
	}

	if (!new_thread)
		return NULL;

	/* insert phase: adopt the caller's allocation at the found slot */
	thread = new_thread;
	binder_stats_created(BINDER_STAT_THREAD);
	thread->proc = proc;
	thread->pid = pid;
	get_task_struct(current);
	thread->task = current;
	atomic_set(&thread->tmp_ref, 0);
	init_waitqueue_head(&thread->wait);
	INIT_LIST_HEAD(&thread->todo);
	rb_link_node(&thread->rb_node, parent, link);
	rb_insert_color(&thread->rb_node, &proc->threads);
	thread->looper_need_return = true;
	thread->return_error.work.type = BINDER_WORK_RETURN_ERROR;
	thread->return_error.cmd = BR_OK;
	thread->reply_error.work.type = BINDER_WORK_RETURN_ERROR;
	thread->reply_error.cmd = BR_OK;
	INIT_LIST_HEAD(&thread->waiting_thread_node);
	return thread;
}
/*
 * binder_get_thread() - get or create the binder_thread for the current task
 * @proc: process the thread belongs to
 *
 * Fast path: look the thread up under the inner lock. Slow path: allocate
 * a candidate without the lock, retry the lookup with insertion, and free
 * the candidate if a concurrent caller inserted a thread first.
 *
 * Return: the thread, or NULL if allocation failed.
 */
static struct binder_thread *binder_get_thread(struct binder_proc *proc)
{
	struct binder_thread *thread;
	struct binder_thread *candidate;

	binder_inner_proc_lock(proc);
	thread = binder_get_thread_ilocked(proc, NULL);
	binder_inner_proc_unlock(proc);
	if (thread)
		return thread;

	/* allocate outside the lock (GFP_KERNEL may sleep) */
	candidate = kzalloc(sizeof(*candidate), GFP_KERNEL);
	if (candidate == NULL)
		return NULL;

	binder_inner_proc_lock(proc);
	thread = binder_get_thread_ilocked(proc, candidate);
	binder_inner_proc_unlock(proc);

	/* lost the race: someone else inserted a thread for this pid */
	if (thread != candidate)
		kfree(candidate);
	return thread;
}
/*
 * binder_free_proc() - release a binder_proc whose last reference is gone
 * @proc: the process to free
 *
 * Requires proc->todo and proc->delivered_death to be empty (BUG otherwise).
 * Drops the process's reference on its binder_device (freeing the device
 * and its context name on the last one), tears down the allocator, drops
 * the task and cred references and frees the struct itself.
 */
static void binder_free_proc(struct binder_proc *proc)
{
	struct binder_device *dev;
	bool last_device_ref;

	BUG_ON(!list_empty(&proc->todo));
	BUG_ON(!list_empty(&proc->delivered_death));
	if (proc->outstanding_txns)
		pr_warn("%s: Unexpected outstanding_txns %d\n",
			__func__, proc->outstanding_txns);

	dev = container_of(proc->context, struct binder_device, context);
	last_device_ref = refcount_dec_and_test(&dev->ref);
	if (last_device_ref) {
		/* the context is embedded in the device, free its name first */
		kfree(proc->context->name);
		kfree(dev);
	}

	binder_alloc_deferred_release(&proc->alloc);
	put_task_struct(proc->tsk);
	put_cred(proc->cred);
	binder_stats_deleted(BINDER_STAT_PROC);
	kfree(proc);
}
/*
 * binder_free_thread() - free a binder_thread whose tmp refs have dropped to 0
 * @thread: the thread to free; its todo list must already be empty
 *
 * Drops the proc tmp ref taken in binder_thread_release() and the task
 * reference taken in binder_get_thread_ilocked(), then frees the struct.
 */
static void binder_free_thread(struct binder_thread *thread)
{
	struct binder_proc *proc = thread->proc;
	struct task_struct *task = thread->task;

	BUG_ON(!list_empty(&thread->todo));
	binder_stats_deleted(BINDER_STAT_THREAD);
	binder_proc_dec_tmpref(proc);
	put_task_struct(task);
	kfree(thread);
}
/*
 * binder_thread_release() - detach a thread from its process and unwind its
 *                           transaction stack
 * @proc:   the thread's process
 * @thread: the thread being released
 *
 * Removes @thread from proc->threads, marks it dead and walks its
 * transaction stack: transactions targeted at this thread are detached from
 * it (and from their buffer), transactions sent by it lose their sender.
 * If the innermost transaction was one this thread had to reply to, the
 * sender is told BR_DEAD_REPLY after the locks are dropped. Finally the
 * thread's todo list is drained and the tmp ref taken here is released;
 * binder_free_thread() runs once the last tmp ref is gone.
 *
 * Return: the number of transactions that were still active on the stack.
 */
static int binder_thread_release(struct binder_proc *proc,
				 struct binder_thread *thread)
{
	struct binder_transaction *t;
	struct binder_transaction *send_reply = NULL;
	int active_transactions = 0;
	struct binder_transaction *last_t = NULL;

	binder_inner_proc_lock(thread->proc);
	/*
	 * take a ref on the proc so it survives
	 * after we remove this thread from proc->threads.
	 * The corresponding dec is when we actually
	 * free the thread in binder_free_thread()
	 */
	proc->tmp_ref++;
	/*
	 * take a ref on this thread to ensure it
	 * survives while we are releasing it
	 */
	atomic_inc(&thread->tmp_ref);
	rb_erase(&thread->rb_node, &proc->threads);
	t = thread->transaction_stack;
	/*
	 * The walk below is done with the current transaction's lock held;
	 * the __acquire()/__release() calls only keep sparse's lock
	 * balancing happy when there is no transaction to lock.
	 */
	if (t) {
		spin_lock(&t->lock);
		if (t->to_thread == thread)
			send_reply = t;
	} else {
		__acquire(&t->lock);
	}
	thread->is_dead = true;

	while (t) {
		last_t = t;
		active_transactions++;
		binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
			     "release %d:%d transaction %d %s, still active\n",
			      proc->pid, thread->pid,
			     t->debug_id,
			     (t->to_thread == thread) ? "in" : "out");

		if (t->to_thread == thread) {
			/* incoming transaction: detach it from this thread */
			thread->proc->outstanding_txns--;
			t->to_proc = NULL;
			t->to_thread = NULL;
			if (t->buffer) {
				t->buffer->transaction = NULL;
				t->buffer = NULL;
			}
			t = t->to_parent;
		} else if (t->from == thread) {
			/* outgoing transaction: the sender is going away */
			t->from = NULL;
			t = t->from_parent;
		} else
			BUG();
		/* hand the lock over from the current transaction to the next */
		spin_unlock(&last_t->lock);
		if (t)
			spin_lock(&t->lock);
		else
			__acquire(&t->lock);
	}
	/* annotation for sparse, lock not acquired in last iteration above */
	__release(&t->lock);

	/*
	 * If this thread used poll, make sure we remove the waitqueue from any
	 * poll data structures holding it.
	 */
	if (thread->looper & BINDER_LOOPER_STATE_POLL)
		wake_up_pollfree(&thread->wait);

	binder_inner_proc_unlock(thread->proc);

	/*
	 * This is needed to avoid races between wake_up_pollfree() above and
	 * someone else removing the last entry from the queue for other reasons
	 * (e.g. ep_remove_wait_queue() being called due to an epoll file
	 * descriptor being closed). Such other users hold an RCU read lock, so
	 * we can be sure they're done after we call synchronize_rcu().
	 */
	if (thread->looper & BINDER_LOOPER_STATE_POLL)
		synchronize_rcu();

	/* the failed reply is sent only after all locks are dropped */
	if (send_reply)
		binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
	binder_release_work(proc, &thread->todo);
	binder_thread_dec_tmpref(thread);
	return active_transactions;
}
/*
 * binder_poll() - poll(2) handler for a binder fd
 * @filp: the binder file
 * @wait: poll table to register this thread's wait queue with
 *
 * Marks the calling thread as a poller (BINDER_LOOPER_STATE_POLL) and
 * registers its wait queue with the poll table.
 *
 * Return: EPOLLIN if the thread already has work, POLLERR if no
 * binder_thread could be obtained, 0 otherwise.
 */
static __poll_t binder_poll(struct file *filp,
			    struct poll_table_struct *wait)
{
	struct binder_proc *proc = filp->private_data;
	struct binder_thread *thread = binder_get_thread(proc);
	bool wait_for_proc_work;

	if (!thread)
		return POLLERR;

	/* flag the thread as polling before checking what it may wait for */
	binder_inner_proc_lock(thread->proc);
	thread->looper |= BINDER_LOOPER_STATE_POLL;
	wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
	binder_inner_proc_unlock(thread->proc);

	poll_wait(filp, &thread->wait, wait);

	if (binder_has_work(thread, wait_for_proc_work))
		return EPOLLIN;

	return 0;
}
|
|
|
|
/*
 * binder_ioctl_write_read() - handle BINDER_WRITE_READ.
 * @filp:   the binder file; private_data is the binder_proc.
 * @cmd:    the ioctl command; its _IOC_SIZE must equal
 *          sizeof(struct binder_write_read).
 * @arg:    user pointer to a struct binder_write_read.
 * @thread: the calling binder_thread.
 *
 * Copies the bwr header in, runs the write side and then the read side,
 * and copies the updated consumed counters back to user space. When the
 * write side fails the read side is skipped and read_consumed is reported
 * as 0; when the read side fails the header is still copied back so the
 * caller can see how far the write got.
 *
 * Return: 0 on success, -EINVAL on a size mismatch, -EFAULT when a user
 * copy fails, or the negative error from binder_thread_write()/_read().
 */
static int binder_ioctl_write_read(struct file *filp,
				   unsigned int cmd, unsigned long arg,
				   struct binder_thread *thread)
{
	struct binder_proc *proc = filp->private_data;
	void __user *ubuf = (void __user *)arg;
	struct binder_write_read bwr;
	int ret = 0;

	if (_IOC_SIZE(cmd) != sizeof(struct binder_write_read))
		return -EINVAL;
	if (copy_from_user(&bwr, ubuf, sizeof(bwr)))
		return -EFAULT;

	binder_debug(BINDER_DEBUG_READ_WRITE,
		     "%d:%d write %lld at %016llx, read %lld at %016llx\n",
		     proc->pid, thread->pid,
		     (u64)bwr.write_size, (u64)bwr.write_buffer,
		     (u64)bwr.read_size, (u64)bwr.read_buffer);

	if (bwr.write_size > 0) {
		ret = binder_thread_write(proc, thread, bwr.write_buffer,
					  bwr.write_size, &bwr.write_consumed);
		trace_binder_write_done(ret);
		if (ret < 0) {
			/* Nothing was read on this call; say so explicitly. */
			bwr.read_consumed = 0;
			return copy_to_user(ubuf, &bwr, sizeof(bwr)) ? -EFAULT : ret;
		}
	}

	if (bwr.read_size > 0) {
		ret = binder_thread_read(proc, thread, bwr.read_buffer,
					 bwr.read_size, &bwr.read_consumed,
					 filp->f_flags & O_NONBLOCK);
		trace_binder_read_done(ret);
		/* Work left on proc->todo needs another waiter woken. */
		binder_inner_proc_lock(proc);
		if (!binder_worklist_empty_ilocked(&proc->todo))
			binder_wakeup_proc_ilocked(proc);
		binder_inner_proc_unlock(proc);
		if (ret < 0)
			return copy_to_user(ubuf, &bwr, sizeof(bwr)) ? -EFAULT : ret;
	}

	binder_debug(BINDER_DEBUG_READ_WRITE,
		     "%d:%d wrote %lld of %lld, read return %lld of %lld\n",
		     proc->pid, thread->pid,
		     (u64)bwr.write_consumed, (u64)bwr.write_size,
		     (u64)bwr.read_consumed, (u64)bwr.read_size);

	if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
		return -EFAULT;

	return ret;
}
|
|
|
|
/*
 * binder_ioctl_set_ctx_mgr() - handle BINDER_SET_CONTEXT_MGR[_EXT].
 * @filp: the binder file; private_data is the binder_proc.
 * @fbo:  optional flat_binder_object describing the manager node
 *        (NULL for the legacy command).
 *
 * Registers the caller's process as the context manager of its binder
 * context. The first successful caller fixes the euid that may hold the
 * role; later callers must match it. The LSM hook is consulted before
 * the uid check, and everything runs under context_mgr_node_lock.
 *
 * Return: 0 on success, -EBUSY if a manager is already set, -EPERM on a
 * uid mismatch, -ENOMEM if the node cannot be created, or the LSM error.
 */
static int binder_ioctl_set_ctx_mgr(struct file *filp,
				    struct flat_binder_object *fbo)
{
	struct binder_proc *proc = filp->private_data;
	struct binder_context *context = proc->context;
	kuid_t euid = current_euid();
	struct binder_node *node;
	int ret;

	mutex_lock(&context->context_mgr_node_lock);

	if (context->binder_context_mgr_node) {
		pr_err("BINDER_SET_CONTEXT_MGR already set\n");
		ret = -EBUSY;
		goto unlock;
	}

	/* LSM hook, checked against the opener's credentials. */
	ret = security_binder_set_context_mgr(proc->cred);
	if (ret < 0)
		goto unlock;

	if (!uid_valid(context->binder_context_mgr_uid)) {
		/* First claim: the calling euid now owns the role. */
		context->binder_context_mgr_uid = euid;
	} else if (!uid_eq(context->binder_context_mgr_uid, euid)) {
		pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n",
		       from_kuid(&init_user_ns, euid),
		       from_kuid(&init_user_ns,
				 context->binder_context_mgr_uid));
		ret = -EPERM;
		goto unlock;
	}

	node = binder_new_node(proc, fbo);
	if (!node) {
		ret = -ENOMEM;
		goto unlock;
	}

	/* Pin the manager node with one local strong and one weak ref. */
	binder_node_lock(node);
	node->local_weak_refs++;
	node->local_strong_refs++;
	node->has_strong_ref = 1;
	node->has_weak_ref = 1;
	context->binder_context_mgr_node = node;
	binder_node_unlock(node);
	binder_put_node(node);

unlock:
	mutex_unlock(&context->context_mgr_node_lock);
	return ret;
}
|
|
|
|
/*
 * binder_ioctl_get_node_info_for_ref() - handle BINDER_GET_NODE_INFO_FOR_REF.
 * @proc: the calling binder_proc.
 * @info: in/out structure; only @info->handle is an input.
 *
 * Looks up the node behind a handle owned by @proc and reports its
 * strong and weak reference counts. Restricted to the context manager.
 *
 * Return: 0 on success, -EINVAL if a non-handle field is set or the
 * handle does not resolve, -EPERM if the caller is not the context manager.
 */
static int binder_ioctl_get_node_info_for_ref(struct binder_proc *proc,
					      struct binder_node_info_for_ref *info)
{
	struct binder_context *context = proc->context;
	struct binder_node *node;
	bool caller_is_ctx_mgr;

	/* Only the handle is input; all other fields are reserved/output. */
	if (info->strong_count || info->weak_count || info->reserved1 ||
	    info->reserved2 || info->reserved3) {
		binder_user_error("%d BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.",
				  proc->pid);
		return -EINVAL;
	}

	mutex_lock(&context->context_mgr_node_lock);
	caller_is_ctx_mgr = context->binder_context_mgr_node &&
			    context->binder_context_mgr_node->proc == proc;
	mutex_unlock(&context->context_mgr_node_lock);
	if (!caller_is_ctx_mgr)
		return -EPERM;

	node = binder_get_node_from_ref(proc, info->handle, true, NULL);
	if (!node)
		return -EINVAL;

	info->strong_count = node->local_strong_refs +
			     node->internal_strong_refs;
	info->weak_count = node->local_weak_refs;
	binder_put_node(node);

	return 0;
}
|
|
|
|
/*
 * binder_ioctl_get_node_debug_info() - handle BINDER_GET_NODE_DEBUG_INFO.
 * @proc: the calling binder_proc.
 * @info: in/out; @info->ptr is the cursor, the first node of @proc with a
 *        larger ptr is returned, all-zero when there is none.
 *
 * Return: always 0.
 */
static int binder_ioctl_get_node_debug_info(struct binder_proc *proc,
					    struct binder_node_debug_info *info)
{
	binder_uintptr_t cursor = info->ptr;
	struct rb_node *iter;

	memset(info, 0, sizeof(*info));

	binder_inner_proc_lock(proc);
	for (iter = rb_first(&proc->nodes); iter; iter = rb_next(iter)) {
		struct binder_node *node = rb_entry(iter, struct binder_node,
						    rb_node);

		if (node->ptr <= cursor)
			continue;

		info->ptr = node->ptr;
		info->cookie = node->cookie;
		info->has_strong_ref = node->has_strong_ref;
		info->has_weak_ref = node->has_weak_ref;
		break;
	}
	binder_inner_proc_unlock(proc);

	return 0;
}
|
|
|
|
/*
 * binder_txns_pending_ilocked() - does @proc still have transactions in flight?
 * @proc: the process to inspect; caller holds its inner lock.
 *
 * Return: true when outstanding_txns is positive or any thread of @proc
 * has a non-empty transaction stack, false otherwise.
 */
static bool binder_txns_pending_ilocked(struct binder_proc *proc)
{
	struct rb_node *n;

	if (proc->outstanding_txns > 0)
		return true;

	n = rb_first(&proc->threads);
	while (n) {
		struct binder_thread *thread;

		thread = rb_entry(n, struct binder_thread, rb_node);
		if (thread->transaction_stack)
			return true;
		n = rb_next(n);
	}

	return false;
}
|
|
|
|
/*
 * binder_ioctl_freeze() - freeze or unfreeze one binder_proc.
 * @info:        user request; enable selects freeze (non-zero) or thaw,
 *               timeout_ms bounds the wait for transactions to drain.
 * @target_proc: the process to act on.
 *
 * Both directions clear sync_recv/async_recv and set is_frozen. When
 * freezing with a timeout, waits for outstanding_txns to drop to zero;
 * if transactions are still pending afterwards the freeze is rolled back.
 *
 * Return: 0 on success, -EAGAIN if transactions are still pending,
 * -ERESTARTSYS if the wait was interrupted.
 */
static int binder_ioctl_freeze(struct binder_freeze_info *info,
			       struct binder_proc *target_proc)
{
	bool freeze = info->enable;
	int ret = 0;

	/* Same flag reset in both directions; only the frozen bit differs. */
	binder_inner_proc_lock(target_proc);
	target_proc->sync_recv = false;
	target_proc->async_recv = false;
	target_proc->is_frozen = freeze;
	binder_inner_proc_unlock(target_proc);

	if (!freeze)
		return 0;

	if (info->timeout_ms > 0)
		ret = wait_event_interruptible_timeout(
			target_proc->freeze_wait,
			(!target_proc->outstanding_txns),
			msecs_to_jiffies(info->timeout_ms));

	/* A timed-out or skipped wait still has to verify nothing is pending. */
	if (ret >= 0) {
		binder_inner_proc_lock(target_proc);
		if (binder_txns_pending_ilocked(target_proc))
			ret = -EAGAIN;
		binder_inner_proc_unlock(target_proc);
	}

	if (ret < 0) {
		/* Roll back: the process must not stay frozen on failure. */
		binder_inner_proc_lock(target_proc);
		target_proc->is_frozen = false;
		binder_inner_proc_unlock(target_proc);
	}

	return ret;
}
|
|
|
|
/*
 * binder_ioctl_get_freezer_info() - handle BINDER_GET_FROZEN_INFO.
 * @info: in/out; @info->pid selects the process, sync_recv and
 *        async_recv are OR-ed over every binder_proc with that pid.
 *
 * Bit 0 of sync_recv mirrors proc->sync_recv, bit 1 reports that
 * transactions are still pending on the proc.
 *
 * Return: 0 on success, -EINVAL if no binder_proc has @info->pid.
 */
static int binder_ioctl_get_freezer_info(
				struct binder_frozen_status_info *info)
{
	struct binder_proc *proc;
	bool matched = false;

	info->sync_recv = 0;
	info->async_recv = 0;

	mutex_lock(&binder_procs_lock);
	hlist_for_each_entry(proc, &binder_procs, proc_node) {
		__u32 pending;

		if (proc->pid != info->pid)
			continue;

		matched = true;
		binder_inner_proc_lock(proc);
		pending = binder_txns_pending_ilocked(proc);
		info->sync_recv |= proc->sync_recv | (pending << 1);
		info->async_recv |= proc->async_recv;
		binder_inner_proc_unlock(proc);
	}
	mutex_unlock(&binder_procs_lock);

	return matched ? 0 : -EINVAL;
}
|
|
|
|
/*
 * binder_ioctl() - dispatch a binder ioctl to its handler.
 * @filp: the binder file; private_data is the binder_proc.
 * @cmd:  the ioctl command.
 * @arg:  user pointer carrying the command payload.
 *
 * Every command except BINDER_THREAD_EXIT leaves the caller's binder_thread
 * in place; THREAD_EXIT releases it and clears @thread so the error path
 * does not touch it afterwards. Failures other than -EINTR are logged.
 *
 * Return: 0 on success, negative errno otherwise.
 */
static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
	int ret;
	struct binder_proc *proc = filp->private_data;
	struct binder_thread *thread;
	unsigned int size = _IOC_SIZE(cmd);
	void __user *ubuf = (void __user *)arg;

	/*pr_info("binder_ioctl: %d:%d %x %lx\n",
			proc->pid, current->pid, cmd, arg);*/

	binder_selftest_alloc(&proc->alloc);

	trace_binder_ioctl(cmd, arg);

	/* Block while a user error is being held for inspection. */
	ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
	if (ret)
		goto err_unlocked;

	thread = binder_get_thread(proc);
	if (thread == NULL) {
		ret = -ENOMEM;
		goto err;
	}

	switch (cmd) {
	case BINDER_WRITE_READ:
		ret = binder_ioctl_write_read(filp, cmd, arg, thread);
		if (ret)
			goto err;
		break;
	case BINDER_SET_MAX_THREADS: {
		int max_threads;

		/*
		 * NOTE(review): a failed copy_from_user reports -EINVAL here
		 * (and in SET_CONTEXT_MGR_EXT / VERSION below), whereas the
		 * other commands use -EFAULT. The value is user-visible, so
		 * it is left as is.
		 */
		if (copy_from_user(&max_threads, ubuf,
				   sizeof(max_threads))) {
			ret = -EINVAL;
			goto err;
		}
		binder_inner_proc_lock(proc);
		proc->max_threads = max_threads;
		binder_inner_proc_unlock(proc);
		break;
	}
	case BINDER_SET_CONTEXT_MGR_EXT: {
		struct flat_binder_object fbo;

		if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
			ret = -EINVAL;
			goto err;
		}
		ret = binder_ioctl_set_ctx_mgr(filp, &fbo);
		if (ret)
			goto err;
		break;
	}
	case BINDER_SET_CONTEXT_MGR:
		ret = binder_ioctl_set_ctx_mgr(filp, NULL);
		if (ret)
			goto err;
		break;
	case BINDER_THREAD_EXIT:
		binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n",
			     proc->pid, thread->pid);
		binder_thread_release(proc, thread);
		/* The thread is gone; the err: path must not touch it. */
		thread = NULL;
		break;
	case BINDER_VERSION: {
		struct binder_version __user *ver = ubuf;

		if (size != sizeof(struct binder_version)) {
			ret = -EINVAL;
			goto err;
		}
		if (put_user(BINDER_CURRENT_PROTOCOL_VERSION,
			     &ver->protocol_version)) {
			ret = -EINVAL;
			goto err;
		}
		break;
	}
	case BINDER_GET_NODE_INFO_FOR_REF: {
		struct binder_node_info_for_ref info;

		if (copy_from_user(&info, ubuf, sizeof(info))) {
			ret = -EFAULT;
			goto err;
		}

		ret = binder_ioctl_get_node_info_for_ref(proc, &info);
		if (ret < 0)
			goto err;

		if (copy_to_user(ubuf, &info, sizeof(info))) {
			ret = -EFAULT;
			goto err;
		}

		break;
	}
	case BINDER_GET_NODE_DEBUG_INFO: {
		struct binder_node_debug_info info;

		if (copy_from_user(&info, ubuf, sizeof(info))) {
			ret = -EFAULT;
			goto err;
		}

		ret = binder_ioctl_get_node_debug_info(proc, &info);
		if (ret < 0)
			goto err;

		if (copy_to_user(ubuf, &info, sizeof(info))) {
			ret = -EFAULT;
			goto err;
		}
		break;
	}
	case BINDER_FREEZE: {
		struct binder_freeze_info info;
		struct binder_proc **target_procs = NULL, *target_proc;
		int target_procs_count = 0, i = 0;

		ret = 0;

		if (copy_from_user(&info, ubuf, sizeof(info))) {
			ret = -EFAULT;
			goto err;
		}

		/*
		 * NOTE(review): no capability check is applied to info.pid
		 * here; access to freezing other processes is presumably
		 * enforced by device-node permissions or an LSM -- confirm.
		 *
		 * Two passes under binder_procs_lock: count the matching
		 * procs, then collect them. The lock is held across both
		 * passes so the count cannot change in between.
		 */
		mutex_lock(&binder_procs_lock);
		hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
			if (target_proc->pid == info.pid)
				target_procs_count++;
		}

		if (target_procs_count == 0) {
			mutex_unlock(&binder_procs_lock);
			ret = -EINVAL;
			goto err;
		}

		target_procs = kcalloc(target_procs_count,
				       sizeof(struct binder_proc *),
				       GFP_KERNEL);

		if (!target_procs) {
			mutex_unlock(&binder_procs_lock);
			ret = -ENOMEM;
			goto err;
		}

		hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
			if (target_proc->pid != info.pid)
				continue;

			/* tmp_ref keeps the proc alive once the list lock is dropped. */
			binder_inner_proc_lock(target_proc);
			target_proc->tmp_ref++;
			binder_inner_proc_unlock(target_proc);

			target_procs[i++] = target_proc;
		}
		mutex_unlock(&binder_procs_lock);

		/* Stop freezing after the first failure but still drop every ref. */
		for (i = 0; i < target_procs_count; i++) {
			if (ret >= 0)
				ret = binder_ioctl_freeze(&info,
							  target_procs[i]);

			binder_proc_dec_tmpref(target_procs[i]);
		}

		kfree(target_procs);

		if (ret < 0)
			goto err;
		break;
	}
	case BINDER_GET_FROZEN_INFO: {
		struct binder_frozen_status_info info;

		if (copy_from_user(&info, ubuf, sizeof(info))) {
			ret = -EFAULT;
			goto err;
		}

		ret = binder_ioctl_get_freezer_info(&info);
		if (ret < 0)
			goto err;

		if (copy_to_user(ubuf, &info, sizeof(info))) {
			ret = -EFAULT;
			goto err;
		}
		break;
	}
	case BINDER_ENABLE_ONEWAY_SPAM_DETECTION: {
		uint32_t enable;

		if (copy_from_user(&enable, ubuf, sizeof(enable))) {
			ret = -EFAULT;
			goto err;
		}
		binder_inner_proc_lock(proc);
		proc->oneway_spam_detection_enabled = (bool)enable;
		binder_inner_proc_unlock(proc);
		break;
	}
	default:
		ret = -EINVAL;
		goto err;
	}
	ret = 0;
err:
	if (thread)
		thread->looper_need_return = false;
	wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
	if (ret && ret != -EINTR)
		pr_info("%d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);
err_unlocked:
	trace_binder_ioctl_done(ret);
	return ret;
}
|
|
|
|
/*
 * binder_vma_open() - vm_ops->open for a binder mapping; debug trace only.
 * @vma: the mapped area; vm_private_data is the owning binder_proc.
 */
static void binder_vma_open(struct vm_area_struct *vma)
{
	struct binder_proc *proc = vma->vm_private_data;
	unsigned long size_k = (vma->vm_end - vma->vm_start) / SZ_1K;

	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
		     "%d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
		     proc->pid, vma->vm_start, vma->vm_end, size_k,
		     vma->vm_flags,
		     (unsigned long)pgprot_val(vma->vm_page_prot));
}
|
|
|
|
/*
 * binder_vma_close() - vm_ops->close for a binder mapping.
 * @vma: the mapped area; vm_private_data is the owning binder_proc.
 *
 * Logs the teardown and hands the allocator a chance to detach from the
 * vma via binder_alloc_vma_close().
 */
static void binder_vma_close(struct vm_area_struct *vma)
{
	struct binder_proc *proc = vma->vm_private_data;
	unsigned long size_k = (vma->vm_end - vma->vm_start) / SZ_1K;

	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
		     "%d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
		     proc->pid, vma->vm_start, vma->vm_end, size_k,
		     vma->vm_flags,
		     (unsigned long)pgprot_val(vma->vm_page_prot));

	binder_alloc_vma_close(&proc->alloc);
}
|
|
|
|
/*
 * binder_vm_fault() - vm_ops->fault for a binder mapping.
 * @vmf: the fault description (unused).
 *
 * A user-space fault on a binder mapping is never serviced here; the
 * faulting process gets SIGBUS.
 */
static vm_fault_t binder_vm_fault(struct vm_fault *vmf)
{
	return VM_FAULT_SIGBUS;
}
|
|
|
|
/* vm_ops installed by binder_mmap(): open/close only log, fault is SIGBUS. */
static const struct vm_operations_struct binder_vm_ops = {
	.open = binder_vma_open,
	.close = binder_vma_close,
	.fault = binder_vm_fault,
};
|
|
|
|
/*
 * binder_mmap() - mmap file operation: set up the transaction buffer area.
 * @filp: the binder file; private_data is the binder_proc.
 * @vma:  the area being mapped.
 *
 * Only the thread group that opened the fd may map it, and the vma must
 * not carry any of FORBIDDEN_MMAP_FLAGS. The mapping is marked
 * VM_DONTCOPY | VM_MIXEDMAP and VM_MAYWRITE is cleared, so the buffer
 * stays read-only for user space even under a later mprotect(). The
 * actual page handling is delegated to binder_alloc_mmap_handler().
 *
 * Return: 0 on success, -EINVAL for a foreign thread group, -EPERM for
 * forbidden flags, or the allocator's error.
 */
static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
{
	struct binder_proc *proc = filp->private_data;
	unsigned long size_k = (vma->vm_end - vma->vm_start) / SZ_1K;

	if (proc->tsk != current->group_leader)
		return -EINVAL;

	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
		     "%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
		     __func__, proc->pid, vma->vm_start, vma->vm_end, size_k,
		     vma->vm_flags,
		     (unsigned long)pgprot_val(vma->vm_page_prot));

	if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) {
		pr_err("%s: %d %lx-%lx %s failed %d\n", __func__,
		       proc->pid, vma->vm_start, vma->vm_end, "bad vm_flags", -EPERM);
		return -EPERM;
	}

	vma->vm_flags = (vma->vm_flags | VM_DONTCOPY | VM_MIXEDMAP) & ~VM_MAYWRITE;
	vma->vm_ops = &binder_vm_ops;
	vma->vm_private_data = proc;

	return binder_alloc_mmap_handler(&proc->alloc, vma);
}
|
|
|
|
/*
 * binder_open() - open file operation: allocate and register a binder_proc.
 * @nodp: the device inode; for binderfs it carries the binder_device in
 *        i_private.
 * @filp: the file being opened; on success private_data is the new proc.
 *
 * The proc pins the opener's thread-group leader (checked by binder_mmap())
 * and the file's credentials (used by the LSM hooks), takes a reference on
 * the binder_device and links itself into binder_procs. Per-pid debug
 * entries are created only for the first open of a pid.
 *
 * Return: 0 on success, -ENOMEM if the proc cannot be allocated.
 */
static int binder_open(struct inode *nodp, struct file *filp)
{
	struct binder_proc *proc, *itr;
	struct binder_device *binder_dev;
	struct binderfs_info *info;
	struct dentry *binder_binderfs_dir_entry_proc = NULL;
	bool existing_pid = false;

	binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d:%d\n", __func__,
		     current->group_leader->pid, current->pid);

	proc = kzalloc(sizeof(*proc), GFP_KERNEL);
	if (proc == NULL)
		return -ENOMEM;
	spin_lock_init(&proc->inner_lock);
	spin_lock_init(&proc->outer_lock);
	get_task_struct(current->group_leader);
	proc->tsk = current->group_leader;
	/*
	 * f_cred is the credential the file was opened with, not the
	 * caller's current credential; later permission checks
	 * (e.g. security_binder_set_context_mgr) use this one.
	 */
	proc->cred = get_cred(filp->f_cred);
	INIT_LIST_HEAD(&proc->todo);
	init_waitqueue_head(&proc->freeze_wait);
	/* Inherit the opener's scheduling class only if binder supports it. */
	if (binder_supported_policy(current->policy)) {
		proc->default_priority.sched_policy = current->policy;
		proc->default_priority.prio = current->normal_prio;
	} else {
		proc->default_priority.sched_policy = SCHED_NORMAL;
		proc->default_priority.prio = NICE_TO_PRIO(0);
	}

	/* binderfs stashes devices in i_private */
	if (is_binderfs_device(nodp)) {
		binder_dev = nodp->i_private;
		info = nodp->i_sb->s_fs_info;
		binder_binderfs_dir_entry_proc = info->proc_log_dir;
	} else {
		binder_dev = container_of(filp->private_data,
					  struct binder_device, miscdev);
	}
	refcount_inc(&binder_dev->ref);
	proc->context = &binder_dev->context;
	binder_alloc_init(&proc->alloc);

	binder_stats_created(BINDER_STAT_PROC);
	proc->pid = current->group_leader->pid;
	INIT_LIST_HEAD(&proc->delivered_death);
	INIT_LIST_HEAD(&proc->waiting_threads);
	filp->private_data = proc;

	/* Detect a second open of the same pid before publishing this proc. */
	mutex_lock(&binder_procs_lock);
	hlist_for_each_entry(itr, &binder_procs, proc_node) {
		if (itr->pid == proc->pid) {
			existing_pid = true;
			break;
		}
	}
	hlist_add_head(&proc->proc_node, &binder_procs);
	mutex_unlock(&binder_procs_lock);

	if (binder_debugfs_dir_entry_proc && !existing_pid) {
		char strbuf[11];

		snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
		/*
		 * proc debug entries are shared between contexts.
		 * Only create for the first PID to avoid debugfs log spamming
		 * The printing code will anyway print all contexts for a given
		 * PID so this is not a problem.
		 */
		proc->debugfs_entry = debugfs_create_file(strbuf, 0444,
			binder_debugfs_dir_entry_proc,
			(void *)(unsigned long)proc->pid,
			&proc_fops);
	}

	if (binder_binderfs_dir_entry_proc && !existing_pid) {
		char strbuf[11];
		struct dentry *binderfs_entry;

		snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
		/*
		 * Similar to debugfs, the process specific log file is shared
		 * between contexts. Only create for the first PID.
		 * This is ok since same as debugfs, the log file will contain
		 * information on all contexts of a given PID.
		 */
		binderfs_entry = binderfs_create_file(binder_binderfs_dir_entry_proc,
			strbuf, &proc_fops, (void *)(unsigned long)proc->pid);
		if (!IS_ERR(binderfs_entry)) {
			proc->binderfs_entry = binderfs_entry;
		} else {
			int error;

			/* A missing log file is not fatal for the open. */
			error = PTR_ERR(binderfs_entry);
			pr_warn("Unable to create file %s in binderfs (error %d)\n",
				strbuf, error);
		}
	}

	return 0;
}
|
|
|
|
/*
 * binder_flush() - flush file operation.
 * @filp: the binder file; private_data is the binder_proc.
 * @id:   file owner (unused).
 *
 * Queues BINDER_DEFERRED_FLUSH; the waiting threads are woken from the
 * deferred worker (binder_deferred_flush()), not here.
 *
 * Return: always 0.
 */
static int binder_flush(struct file *filp, fl_owner_t id)
{
	binder_defer_work(filp->private_data, BINDER_DEFERRED_FLUSH);

	return 0;
}
|
|
|
|
/*
 * binder_deferred_flush() - deferred half of binder_flush().
 * @proc: the process whose threads are flushed.
 *
 * Tells every thread of @proc to return to user space and wakes the
 * ones currently parked in BINDER_LOOPER_STATE_WAITING.
 */
static void binder_deferred_flush(struct binder_proc *proc)
{
	struct rb_node *n;
	int woken = 0;

	binder_inner_proc_lock(proc);
	n = rb_first(&proc->threads);
	while (n) {
		struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);

		thread->looper_need_return = true;
		if (thread->looper & BINDER_LOOPER_STATE_WAITING) {
			wake_up_interruptible(&thread->wait);
			woken++;
		}
		n = rb_next(n);
	}
	binder_inner_proc_unlock(proc);

	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
		     "binder_flush: %d woke %d threads\n", proc->pid,
		     woken);
}
|
|
|
|
/*
 * binder_release() - release file operation (last close).
 * @nodp: the device inode (unused).
 * @filp: the binder file; private_data is the binder_proc.
 *
 * Removes the per-proc debug entries synchronously and queues
 * BINDER_DEFERRED_RELEASE; the proc itself is torn down from the
 * deferred worker.
 *
 * Return: always 0.
 */
static int binder_release(struct inode *nodp, struct file *filp)
{
	struct binder_proc *proc = filp->private_data;

	debugfs_remove(proc->debugfs_entry);

	if (proc->binderfs_entry) {
		binderfs_remove_file(proc->binderfs_entry);
		proc->binderfs_entry = NULL;
	}

	binder_defer_work(proc, BINDER_DEFERRED_RELEASE);

	return 0;
}
|
|
|
|
/*
 * binder_node_release() - mark a node dead when its owning proc goes away.
 * @node: the node; the caller must hold a temporary reference on it.
 * @refs: running count of references seen so far by the caller.
 *
 * Drains the node's async work, then either frees the node outright (no
 * remote refs and the caller's tmp_ref is the last one) or detaches it
 * from the proc, moves it to binder_dead_nodes and queues a
 * BINDER_WORK_DEAD_BINDER notification for every ref that registered a
 * death.
 *
 * Return: @refs plus the number of refs that still point at the node.
 */
static int binder_node_release(struct binder_node *node, int refs)
{
	struct binder_ref *ref;
	int death = 0;
	struct binder_proc *proc = node->proc;

	binder_release_work(proc, &node->async_todo);

	binder_node_lock(node);
	binder_inner_proc_lock(proc);
	binder_dequeue_work_ilocked(&node->work);
	/*
	 * The caller must have taken a temporary ref on the node,
	 */
	BUG_ON(!node->tmp_refs);
	if (hlist_empty(&node->refs) && node->tmp_refs == 1) {
		/* Nobody else can reach the node: free it right away. */
		binder_inner_proc_unlock(proc);
		binder_node_unlock(node);
		binder_free_node(node);

		return refs;
	}

	/* node->proc == NULL is what marks the node as dead elsewhere. */
	node->proc = NULL;
	node->local_strong_refs = 0;
	node->local_weak_refs = 0;
	binder_inner_proc_unlock(proc);

	spin_lock(&binder_dead_nodes_lock);
	hlist_add_head(&node->dead_node, &binder_dead_nodes);
	spin_unlock(&binder_dead_nodes_lock);

	hlist_for_each_entry(ref, &node->refs, node_entry) {
		refs++;
		/*
		 * Need the node lock to synchronize
		 * with new notification requests and the
		 * inner lock to synchronize with queued
		 * death notifications.
		 */
		binder_inner_proc_lock(ref->proc);
		if (!ref->death) {
			binder_inner_proc_unlock(ref->proc);
			continue;
		}

		death++;

		BUG_ON(!list_empty(&ref->death->work.entry));
		ref->death->work.type = BINDER_WORK_DEAD_BINDER;
		binder_enqueue_work_ilocked(&ref->death->work,
					    &ref->proc->todo);
		binder_wakeup_proc_ilocked(ref->proc);
		binder_inner_proc_unlock(ref->proc);
	}

	binder_debug(BINDER_DEBUG_DEAD_BINDER,
		     "node %d now dead, refs %d, death %d\n",
		     node->debug_id, refs, death);
	binder_node_unlock(node);
	/* Drops the caller's temporary reference. */
	binder_put_node(node);

	return refs;
}
|
|
|
|
/*
 * binder_deferred_release() - deferred half of binder_release().
 * @proc: the process being torn down.
 *
 * Unlinks @proc from binder_procs and, if it was the context manager,
 * from its context; marks it dead and unfrozen; then releases every
 * thread, node and ref it owns and the work still queued on it. The
 * inner/outer locks are dropped around each per-object release because
 * those helpers take locks themselves. The extra tmp_ref taken at the
 * start is dropped last and is what finally frees @proc.
 */
static void binder_deferred_release(struct binder_proc *proc)
{
	struct binder_context *context = proc->context;
	struct rb_node *n;
	int threads, nodes, incoming_refs, outgoing_refs, active_transactions;

	mutex_lock(&binder_procs_lock);
	hlist_del(&proc->proc_node);
	mutex_unlock(&binder_procs_lock);

	mutex_lock(&context->context_mgr_node_lock);
	if (context->binder_context_mgr_node &&
	    context->binder_context_mgr_node->proc == proc) {
		binder_debug(BINDER_DEBUG_DEAD_BINDER,
			     "%s: %d context_mgr_node gone\n",
			     __func__, proc->pid);
		context->binder_context_mgr_node = NULL;
	}
	mutex_unlock(&context->context_mgr_node_lock);
	binder_inner_proc_lock(proc);
	/*
	 * Make sure proc stays alive after we
	 * remove all the threads
	 */
	proc->tmp_ref++;

	proc->is_dead = true;
	proc->is_frozen = false;
	proc->sync_recv = false;
	proc->async_recv = false;
	threads = 0;
	active_transactions = 0;
	/* Each release removes its thread from the tree, so re-read rb_first(). */
	while ((n = rb_first(&proc->threads))) {
		struct binder_thread *thread;

		thread = rb_entry(n, struct binder_thread, rb_node);
		binder_inner_proc_unlock(proc);
		threads++;
		active_transactions += binder_thread_release(proc, thread);
		binder_inner_proc_lock(proc);
	}

	nodes = 0;
	incoming_refs = 0;
	while ((n = rb_first(&proc->nodes))) {
		struct binder_node *node;

		node = rb_entry(n, struct binder_node, rb_node);
		nodes++;
		/*
		 * take a temporary ref on the node before
		 * calling binder_node_release() which will either
		 * kfree() the node or call binder_put_node()
		 */
		binder_inc_node_tmpref_ilocked(node);
		rb_erase(&node->rb_node, &proc->nodes);
		binder_inner_proc_unlock(proc);
		incoming_refs = binder_node_release(node, incoming_refs);
		binder_inner_proc_lock(proc);
	}
	binder_inner_proc_unlock(proc);

	outgoing_refs = 0;
	binder_proc_lock(proc);
	while ((n = rb_first(&proc->refs_by_desc))) {
		struct binder_ref *ref;

		ref = rb_entry(n, struct binder_ref, rb_node_desc);
		outgoing_refs++;
		binder_cleanup_ref_olocked(ref);
		/* binder_free_ref() must run without the outer lock. */
		binder_proc_unlock(proc);
		binder_free_ref(ref);
		binder_proc_lock(proc);
	}
	binder_proc_unlock(proc);

	binder_release_work(proc, &proc->todo);
	binder_release_work(proc, &proc->delivered_death);

	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
		     "%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d\n",
		     __func__, proc->pid, threads, nodes, incoming_refs,
		     outgoing_refs, active_transactions);

	binder_proc_dec_tmpref(proc);
}
|
|
|
|
/*
 * binder_deferred_func() - workqueue handler draining binder_deferred_list.
 * @work: the work item (unused).
 *
 * Pops one proc at a time with its accumulated deferred flags and runs
 * the flush and/or release for it. Release must stay last because it
 * frees the proc.
 */
static void binder_deferred_func(struct work_struct *work)
{
	struct binder_proc *proc;
	int defer;

	for (;;) {
		mutex_lock(&binder_deferred_lock);
		if (hlist_empty(&binder_deferred_list)) {
			mutex_unlock(&binder_deferred_lock);
			break;
		}
		proc = hlist_entry(binder_deferred_list.first,
				   struct binder_proc, deferred_work_node);
		hlist_del_init(&proc->deferred_work_node);
		defer = proc->deferred_work;
		proc->deferred_work = 0;
		mutex_unlock(&binder_deferred_lock);

		if (defer & BINDER_DEFERRED_FLUSH)
			binder_deferred_flush(proc);

		if (defer & BINDER_DEFERRED_RELEASE)
			binder_deferred_release(proc); /* frees proc */
	}
}
|
|
/* Work item run by binder_deferred_func(); scheduled from binder_defer_work(). */
static DECLARE_WORK(binder_deferred_work, binder_deferred_func);
|
|
|
|
/*
 * binder_defer_work() - queue deferred work for a proc.
 * @proc:  the process the work belongs to.
 * @defer: BINDER_DEFERRED_* flag(s) to add.
 *
 * Flags accumulate on proc->deferred_work; the proc is added to
 * binder_deferred_list and the worker scheduled only when it was not
 * already queued.
 */
static void
binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer)
{
	mutex_lock(&binder_deferred_lock);
	proc->deferred_work |= defer;
	if (!hlist_unhashed(&proc->deferred_work_node))
		goto unlock;

	hlist_add_head(&proc->deferred_work_node, &binder_deferred_list);
	schedule_work(&binder_deferred_work);
unlock:
	mutex_unlock(&binder_deferred_lock);
}
|
|
|
|
/*
 * print_binder_transaction_ilocked() - dump one transaction to a seq_file.
 * @m:      output.
 * @proc:   the process whose inner lock the caller holds.
 * @prefix: text printed before the transaction line.
 * @t:      the transaction.
 *
 * The endpoint fields are read under t->lock. Buffer details are only
 * printed when @proc is the transaction's target, since that is the
 * only proc whose inner lock makes the buffer safe to dereference.
 */
static void print_binder_transaction_ilocked(struct seq_file *m,
					     struct binder_proc *proc,
					     const char *prefix,
					     struct binder_transaction *t)
{
	struct binder_buffer *buffer = t->buffer;
	struct binder_proc *to_proc;
	int from_pid = 0, from_tid = 0, to_pid = 0, to_tid = 0;

	spin_lock(&t->lock);
	to_proc = t->to_proc;
	if (t->from) {
		from_pid = t->from->proc->pid;
		from_tid = t->from->pid;
	}
	if (to_proc)
		to_pid = to_proc->pid;
	if (t->to_thread)
		to_tid = t->to_thread->pid;
	seq_printf(m,
		   "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %d:%d r%d",
		   prefix, t->debug_id, t,
		   from_pid, from_tid, to_pid, to_tid,
		   t->code, t->flags, t->priority.sched_policy,
		   t->priority.prio, t->need_reply);
	spin_unlock(&t->lock);

	if (proc != to_proc) {
		seq_puts(m, "\n");
		return;
	}

	if (!buffer) {
		seq_puts(m, " buffer free\n");
		return;
	}

	if (buffer->target_node)
		seq_printf(m, " node %d", buffer->target_node->debug_id);
	seq_printf(m, " size %zd:%zd data %pK\n",
		   buffer->data_size, buffer->offsets_size,
		   buffer->user_data);
}
|
|
|
|
/*
 * print_binder_work_ilocked() - dump one queued work item to a seq_file.
 * @m:                  output.
 * @proc:               the process whose inner lock the caller holds.
 * @prefix:             text printed before non-transaction items.
 * @transaction_prefix: text printed before a transaction item.
 * @w:                  the work item.
 */
static void print_binder_work_ilocked(struct seq_file *m,
				      struct binder_proc *proc,
				      const char *prefix,
				      const char *transaction_prefix,
				      struct binder_work *w)
{
	switch (w->type) {
	case BINDER_WORK_TRANSACTION: {
		struct binder_transaction *t =
			container_of(w, struct binder_transaction, work);

		print_binder_transaction_ilocked(m, proc, transaction_prefix, t);
		break;
	}
	case BINDER_WORK_NODE: {
		struct binder_node *node =
			container_of(w, struct binder_node, work);

		seq_printf(m, "%snode work %d: u%016llx c%016llx\n",
			   prefix, node->debug_id,
			   (u64)node->ptr, (u64)node->cookie);
		break;
	}
	case BINDER_WORK_RETURN_ERROR: {
		struct binder_error *e =
			container_of(w, struct binder_error, work);

		seq_printf(m, "%stransaction error: %u\n", prefix, e->cmd);
		break;
	}
	case BINDER_WORK_TRANSACTION_COMPLETE:
		seq_printf(m, "%stransaction complete\n", prefix);
		break;
	case BINDER_WORK_DEAD_BINDER:
		seq_printf(m, "%shas dead binder\n", prefix);
		break;
	case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
		seq_printf(m, "%shas cleared dead binder\n", prefix);
		break;
	case BINDER_WORK_CLEAR_DEATH_NOTIFICATION:
		seq_printf(m, "%shas cleared death notification\n", prefix);
		break;
	default:
		seq_printf(m, "%sunknown work: type %d\n", prefix, w->type);
		break;
	}
}
|
|
|
|
/*
 * print_binder_thread_ilocked() - dump one thread, its transaction stack
 * and its todo list to a seq_file.
 * @m:            output.
 * @thread:       the thread; caller holds its proc's inner lock.
 * @print_always: when zero, a thread with nothing beyond the header line
 *                is dropped from the output again.
 */
static void print_binder_thread_ilocked(struct seq_file *m,
					struct binder_thread *thread,
					int print_always)
{
	struct binder_proc *proc = thread->proc;
	size_t start_pos = m->count;
	size_t header_pos;
	struct binder_transaction *t;
	struct binder_work *w;

	seq_printf(m, " thread %d: l %02x need_return %d tr %d\n",
		   thread->pid, thread->looper,
		   thread->looper_need_return,
		   atomic_read(&thread->tmp_ref));
	header_pos = m->count;

	/* Follow whichever parent link belongs to this thread's side. */
	for (t = thread->transaction_stack; t; ) {
		if (t->from == thread) {
			print_binder_transaction_ilocked(m, proc,
					" outgoing transaction", t);
			t = t->from_parent;
		} else if (t->to_thread == thread) {
			print_binder_transaction_ilocked(m, proc,
					" incoming transaction", t);
			t = t->to_parent;
		} else {
			print_binder_transaction_ilocked(m, proc,
					" bad transaction", t);
			break;
		}
	}

	list_for_each_entry(w, &thread->todo, entry)
		print_binder_work_ilocked(m, proc, " ",
					  " pending transaction", w);

	if (!print_always && m->count == header_pos)
		m->count = start_pos;
}
|
|
|
|
/*
 * print_binder_node_nilocked() - dump one node to a seq_file.
 * @m:    output.
 * @node: the node; caller holds the node lock and its proc's inner lock.
 *
 * Prints the node's counters, the pids of every proc holding a ref to it
 * and, for a live node, the pending async work.
 */
static void print_binder_node_nilocked(struct seq_file *m,
				       struct binder_node *node)
{
	struct binder_ref *ref;
	struct binder_work *w;
	int ref_count = 0;

	hlist_for_each_entry(ref, &node->refs, node_entry)
		ref_count++;

	seq_printf(m, " node %d: u%016llx c%016llx pri %d:%d hs %d hw %d ls %d lw %d is %d iw %d tr %d",
		   node->debug_id, (u64)node->ptr, (u64)node->cookie,
		   node->sched_policy, node->min_priority,
		   node->has_strong_ref, node->has_weak_ref,
		   node->local_strong_refs, node->local_weak_refs,
		   node->internal_strong_refs, ref_count, node->tmp_refs);
	if (ref_count) {
		seq_puts(m, " proc");
		hlist_for_each_entry(ref, &node->refs, node_entry)
			seq_printf(m, " %d", ref->proc->pid);
	}
	seq_puts(m, "\n");

	/* A dead node has no owning proc and no async queue to show. */
	if (!node->proc)
		return;

	list_for_each_entry(w, &node->async_todo, entry)
		print_binder_work_ilocked(m, node->proc, " ",
					  " pending async transaction", w);
}
|
|
|
|
/*
 * print_binder_ref_olocked() - dump one ref to a seq_file.
 * @m:   output.
 * @ref: the ref; caller holds its proc's outer lock.
 *
 * node->proc is read under the node lock; NULL marks a dead node.
 */
static void print_binder_ref_olocked(struct seq_file *m,
				     struct binder_ref *ref)
{
	struct binder_node *node = ref->node;

	binder_node_lock(node);
	seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %pK\n",
		   ref->data.debug_id, ref->data.desc,
		   node->proc ? "" : "dead ",
		   node->debug_id, ref->data.strong,
		   ref->data.weak, ref->death);
	binder_node_unlock(node);
}
|
|
|
|
/*
 * print_binder_proc() - dump one process to a seq_file.
 * @m:         output.
 * @proc:      the process.
 * @print_all: non-zero prints every thread, node and ref; zero prints only
 *             threads with work and nodes with async transactions, and drops
 *             the whole section again if nothing was printed after the header.
 *
 * Nodes need their own lock, which cannot be taken under the inner proc
 * lock, so each node is pinned with a temporary reference, the inner lock
 * is dropped around print_binder_node_nilocked(), and the previous node's
 * reference is released one iteration later (last_node).
 */
static void print_binder_proc(struct seq_file *m,
			      struct binder_proc *proc, int print_all)
{
	struct binder_work *w;
	struct rb_node *n;
	size_t start_pos = m->count;
	size_t header_pos;
	struct binder_node *last_node = NULL;

	seq_printf(m, "proc %d\n", proc->pid);
	seq_printf(m, "context %s\n", proc->context->name);
	header_pos = m->count;

	binder_inner_proc_lock(proc);
	for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
		print_binder_thread_ilocked(m, rb_entry(n, struct binder_thread,
						rb_node), print_all);

	for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
		struct binder_node *node = rb_entry(n, struct binder_node,
						    rb_node);
		if (!print_all && !node->has_async_transaction)
			continue;

		/*
		 * take a temporary reference on the node so it
		 * survives and isn't removed from the tree
		 * while we print it.
		 */
		binder_inc_node_tmpref_ilocked(node);
		/* Need to drop inner lock to take node lock */
		binder_inner_proc_unlock(proc);
		/* Release the previous node only once we are off the inner lock. */
		if (last_node)
			binder_put_node(last_node);
		binder_node_inner_lock(node);
		print_binder_node_nilocked(m, node);
		binder_node_inner_unlock(node);
		last_node = node;
		binder_inner_proc_lock(proc);
	}
	binder_inner_proc_unlock(proc);
	if (last_node)
		binder_put_node(last_node);

	if (print_all) {
		binder_proc_lock(proc);
		for (n = rb_first(&proc->refs_by_desc);
		     n != NULL;
		     n = rb_next(n))
			print_binder_ref_olocked(m, rb_entry(n,
							     struct binder_ref,
							     rb_node_desc));
		binder_proc_unlock(proc);
	}
	binder_alloc_print_allocated(m, &proc->alloc);
	binder_inner_proc_lock(proc);
	list_for_each_entry(w, &proc->todo, entry)
		print_binder_work_ilocked(m, proc, " ",
					  " pending transaction", w);
	/* Only report whether any delivered death exists, not each one. */
	list_for_each_entry(w, &proc->delivered_death, entry) {
		seq_puts(m, " has delivered dead binder\n");
		break;
	}
	binder_inner_proc_unlock(proc);
	if (!print_all && m->count == header_pos)
		m->count = start_pos;
}
/*
 * Names of the BR_* return codes, indexed the same way as the per-code
 * counters in struct binder_stats.br.  print_binder_stats() checks with
 * BUILD_BUG_ON that this table and stats->br have the same length, so an
 * entry added here must be paired with a counter slot, and the order must
 * stay aligned with the counters.
 */
static const char * const binder_return_strings[] = {
	"BR_ERROR",
	"BR_OK",
	"BR_TRANSACTION",
	"BR_REPLY",
	"BR_ACQUIRE_RESULT",
	"BR_DEAD_REPLY",
	"BR_TRANSACTION_COMPLETE",
	"BR_INCREFS",
	"BR_ACQUIRE",
	"BR_RELEASE",
	"BR_DECREFS",
	"BR_ATTEMPT_ACQUIRE",
	"BR_NOOP",
	"BR_SPAWN_LOOPER",
	"BR_FINISHED",
	"BR_DEAD_BINDER",
	"BR_CLEAR_DEATH_NOTIFICATION_DONE",
	"BR_FAILED_REPLY",
	"BR_FROZEN_REPLY",
	"BR_ONEWAY_SPAM_SUSPECT",
};
/*
 * Names of the BC_* user commands, indexed the same way as the per-command
 * counters in struct binder_stats.bc.  print_binder_stats() enforces with
 * BUILD_BUG_ON that the table length matches stats->bc; keep the order in
 * step with the counter array when adding a command.
 */
static const char * const binder_command_strings[] = {
	"BC_TRANSACTION",
	"BC_REPLY",
	"BC_ACQUIRE_RESULT",
	"BC_FREE_BUFFER",
	"BC_INCREFS",
	"BC_ACQUIRE",
	"BC_RELEASE",
	"BC_DECREFS",
	"BC_INCREFS_DONE",
	"BC_ACQUIRE_DONE",
	"BC_ATTEMPT_ACQUIRE",
	"BC_REGISTER_LOOPER",
	"BC_ENTER_LOOPER",
	"BC_EXIT_LOOPER",
	"BC_REQUEST_DEATH_NOTIFICATION",
	"BC_CLEAR_DEATH_NOTIFICATION",
	"BC_DEAD_BINDER_DONE",
	"BC_TRANSACTION_SG",
	"BC_REPLY_SG",
};
/*
 * Names of the object kinds whose creation/deletion counts are tracked in
 * struct binder_stats.obj_created / obj_deleted.  print_binder_stats()
 * asserts at build time that all three arrays have the same length and
 * prints "active" as created - deleted, so the order here must match the
 * counter index used by the allocation paths.
 */
static const char * const binder_objstat_strings[] = {
	"proc",
	"thread",
	"node",
	"ref",
	"death",
	"transaction",
	"transaction_complete"
};
/*
 * Print the non-zero counters of @stats, each line prefixed by @prefix.
 *
 * Three tables are emitted: per-command (BC_*) counts, per-return-code
 * (BR_*) counts, and per-object-type counts where "active" is
 * created - deleted and "total" is created.  All-zero entries are
 * skipped.  The BUILD_BUG_ONs keep the name tables in step with the
 * counter arrays in struct binder_stats.  Counters are read with
 * atomic_read() and no lock is taken, so the snapshot is not atomic
 * across counters.
 */
static void print_binder_stats(struct seq_file *m, const char *prefix,
			       struct binder_stats *stats)
{
	size_t i;

	BUILD_BUG_ON(ARRAY_SIZE(stats->bc) !=
		     ARRAY_SIZE(binder_command_strings));
	for (i = 0; i < ARRAY_SIZE(stats->bc); i++) {
		int hits = atomic_read(&stats->bc[i]);

		if (!hits)
			continue;
		seq_printf(m, "%s%s: %d\n", prefix,
			   binder_command_strings[i], hits);
	}

	BUILD_BUG_ON(ARRAY_SIZE(stats->br) !=
		     ARRAY_SIZE(binder_return_strings));
	for (i = 0; i < ARRAY_SIZE(stats->br); i++) {
		int hits = atomic_read(&stats->br[i]);

		if (!hits)
			continue;
		seq_printf(m, "%s%s: %d\n", prefix,
			   binder_return_strings[i], hits);
	}

	BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
		     ARRAY_SIZE(binder_objstat_strings));
	BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
		     ARRAY_SIZE(stats->obj_deleted));
	for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) {
		/* created is sampled first, then deleted, as before */
		int created = atomic_read(&stats->obj_created[i]);
		int deleted = atomic_read(&stats->obj_deleted[i]);

		if (!created && !deleted)
			continue;
		seq_printf(m, "%s%s: active %d total %d\n",
			   prefix,
			   binder_objstat_strings[i],
			   created - deleted,
			   created);
	}
}
/*
 * Print summary statistics for one binder_proc: thread, node, ref and
 * buffer counts, page usage, the number of pending transactions on the
 * todo list, and finally the proc's own command/return/object counters.
 *
 * Locking: every caller in this file holds binder_procs_lock.  Thread and
 * node counts are gathered under the inner proc lock (the thread summary
 * is printed while that lock is still held), ref counts under the outer
 * proc lock, and the todo walk under the inner lock again.  The free
 * async space is sampled once, up front, through binder_alloc.
 */
static void print_binder_proc_stats(struct seq_file *m,
				    struct binder_proc *proc)
{
	struct binder_work *work;
	struct binder_thread *thread;
	struct binder_ref *ref;
	struct rb_node *pos;
	int threads = 0, ready_threads = 0, nodes = 0;
	int refs = 0, strong = 0, weak = 0;
	int buffers, pending = 0;
	size_t free_async_space =
		binder_alloc_get_free_async_space(&proc->alloc);

	seq_printf(m, "proc %d\n", proc->pid);
	seq_printf(m, "context %s\n", proc->context->name);

	binder_inner_proc_lock(proc);
	for (pos = rb_first(&proc->threads); pos != NULL; pos = rb_next(pos))
		threads++;
	list_for_each_entry(thread, &proc->waiting_threads, waiting_thread_node)
		ready_threads++;

	seq_printf(m, " threads: %d\n", threads);
	seq_printf(m, " requested threads: %d+%d/%d\n"
		      " ready threads %d\n"
		      " free async space %zd\n", proc->requested_threads,
		   proc->requested_threads_started, proc->max_threads,
		   ready_threads,
		   free_async_space);

	for (pos = rb_first(&proc->nodes); pos != NULL; pos = rb_next(pos))
		nodes++;
	binder_inner_proc_unlock(proc);
	seq_printf(m, " nodes: %d\n", nodes);

	binder_proc_lock(proc);
	for (pos = rb_first(&proc->refs_by_desc); pos != NULL; pos = rb_next(pos)) {
		ref = rb_entry(pos, struct binder_ref, rb_node_desc);
		refs++;
		strong += ref->data.strong;
		weak += ref->data.weak;
	}
	binder_proc_unlock(proc);
	seq_printf(m, " refs: %d s %d w %d\n", refs, strong, weak);

	buffers = binder_alloc_get_allocated_count(&proc->alloc);
	seq_printf(m, " buffers: %d\n", buffers);

	binder_alloc_print_pages(m, &proc->alloc);

	/* only BINDER_WORK_TRANSACTION items count as pending transactions */
	binder_inner_proc_lock(proc);
	list_for_each_entry(work, &proc->todo, entry) {
		if (work->type == BINDER_WORK_TRANSACTION)
			pending++;
	}
	binder_inner_proc_unlock(proc);
	seq_printf(m, " pending transactions: %d\n", pending);

	print_binder_stats(m, " ", &proc->stats);
}
/*
 * binder_state_show() - seq_file show callback for the debugfs "state" file.
 *
 * Dumps every entry of binder_dead_nodes (presumably nodes whose owning
 * proc has gone away but which are still referenced), then the full state
 * of every proc in binder_procs.  Always returns 0.
 *
 * Locking: the dead-node list is walked under binder_dead_nodes_lock.
 * That lock is dropped around each print so the node lock can be taken;
 * the node is pinned by bumping tmp_refs directly under the list lock
 * (rather than through binder_inc_node_tmpref_ilocked() as
 * print_binder_proc() does), and the previous node's pin is released only
 * after the list lock has been dropped.  Procs are walked under
 * binder_procs_lock.
 */
int binder_state_show(struct seq_file *m, void *unused)
{
	struct binder_proc *proc;
	struct binder_node *node;
	struct binder_node *last_node = NULL;	/* dead node whose tmp_ref is still held */

	seq_puts(m, "binder state:\n");

	spin_lock(&binder_dead_nodes_lock);
	if (!hlist_empty(&binder_dead_nodes))
		seq_puts(m, "dead nodes:\n");
	hlist_for_each_entry(node, &binder_dead_nodes, dead_node) {
		/*
		 * take a temporary reference on the node so it
		 * survives and isn't removed from the list
		 * while we print it.
		 */
		node->tmp_refs++;
		spin_unlock(&binder_dead_nodes_lock);
		/* drop the previous pin now that the list lock is released */
		if (last_node)
			binder_put_node(last_node);
		binder_node_lock(node);
		print_binder_node_nilocked(m, node);
		binder_node_unlock(node);
		last_node = node;
		/* re-take the list lock before advancing the hlist walk */
		spin_lock(&binder_dead_nodes_lock);
	}
	spin_unlock(&binder_dead_nodes_lock);
	/* release the pin taken by the final loop iteration */
	if (last_node)
		binder_put_node(last_node);

	mutex_lock(&binder_procs_lock);
	hlist_for_each_entry(proc, &binder_procs, proc_node)
		print_binder_proc(m, proc, 1);
	mutex_unlock(&binder_procs_lock);

	return 0;
}
/*
 * binder_stats_show() - seq_file show callback for the debugfs "stats" file.
 *
 * Prints the global binder_stats counters first (no lock needed: they are
 * read atomically), then the per-proc statistics of every proc in
 * binder_procs under binder_procs_lock.  Always returns 0.
 */
int binder_stats_show(struct seq_file *m, void *unused)
{
	struct binder_proc *p;

	seq_puts(m, "binder stats:\n");
	print_binder_stats(m, "", &binder_stats);

	mutex_lock(&binder_procs_lock);
	hlist_for_each_entry(p, &binder_procs, proc_node) {
		print_binder_proc_stats(m, p);
	}
	mutex_unlock(&binder_procs_lock);

	return 0;
}
/*
 * binder_transactions_show() - seq_file show callback for the debugfs
 * "transactions" file.
 *
 * Walks binder_procs under binder_procs_lock and prints each proc with
 * print_all == 0: the ref listing is skipped, only nodes with a pending
 * async transaction are shown, and procs with nothing to report are
 * dropped from the output.  Always returns 0.
 */
int binder_transactions_show(struct seq_file *m, void *unused)
{
	struct binder_proc *p;

	seq_puts(m, "binder transactions:\n");

	mutex_lock(&binder_procs_lock);
	hlist_for_each_entry(p, &binder_procs, proc_node) {
		print_binder_proc(m, p, 0);
	}
	mutex_unlock(&binder_procs_lock);

	return 0;
}
/*
 * proc_show() - seq_file show callback for the per-pid debugfs files.
 *
 * The pid to look up is carried in m->private (stored as an integer cast
 * to a pointer).  Every proc in binder_procs whose pid matches is printed
 * in full; the walk does not stop at the first match, so several entries
 * may be dumped if more than one binder_proc carries the same pid.
 * Always returns 0.
 */
static int proc_show(struct seq_file *m, void *unused)
{
	const int wanted_pid = (unsigned long)m->private;
	struct binder_proc *proc;

	mutex_lock(&binder_procs_lock);
	hlist_for_each_entry(proc, &binder_procs, proc_node) {
		if (proc->pid != wanted_pid)
			continue;
		seq_puts(m, "binder proc state:\n");
		print_binder_proc(m, proc, 1);
	}
	mutex_unlock(&binder_procs_lock);

	return 0;
}
/*
 * Print one transaction-log entry on a single line.
 *
 * The reader takes no lock (the writer side is not visible here; the
 * barrier pattern suggests entries are filled in concurrently).  It
 * samples e->debug_id_done before and after printing the fields: when the
 * two samples differ, or debug_id_done is still 0, the line is suffixed
 * with "(incomplete)" so a torn entry is never mistaken for a valid one.
 * The two smp_rmb() calls order the samples against the field reads.
 */
static void print_binder_transaction_log_entry(struct seq_file *m,
					       struct binder_transaction_log_entry *e)
{
	int done_id = READ_ONCE(e->debug_id_done);
	const char *kind;

	/* read barrier: the debug_id_done sample must precede any field read */
	smp_rmb();

	switch (e->call_type) {
	case 2:
		kind = "reply";
		break;
	case 1:
		kind = "async";
		break;
	default:
		kind = "call ";
		break;
	}
	seq_printf(m,
		   "%d: %s from %d:%d to %d:%d context %s node %d handle %d size %d:%d ret %d/%d l=%d",
		   e->debug_id, kind, e->from_proc, e->from_thread,
		   e->to_proc, e->to_thread, e->context_name, e->to_node,
		   e->target_handle, e->data_size, e->offsets_size,
		   e->return_error, e->return_error_param,
		   e->return_error_line);

	/* read barrier: all field reads must complete before re-sampling */
	smp_rmb();
	if (done_id && done_id == READ_ONCE(e->debug_id_done))
		seq_puts(m, "\n");
	else
		seq_puts(m, " (incomplete)\n");
}
/*
 * binder_transaction_log_show() - seq_file show callback for the
 * "transaction_log" and "failed_transaction_log" debugfs files.
 *
 * m->private points at the ring to dump.  log->cur is the index of the
 * most recently claimed slot and log->full presumably records that the
 * ring has wrapped at least once.  Until the ring wraps, entries are
 * printed from slot 0 up to and including log->cur; afterwards all
 * ARRAY_SIZE(log->entry) slots are printed oldest first, starting just
 * after log->cur.  log->cur and log->full are read without a lock; torn
 * entries are flagged by print_binder_transaction_log_entry().
 * Always returns 0.
 */
int binder_transaction_log_show(struct seq_file *m, void *unused)
{
	struct binder_transaction_log *log = m->private;
	unsigned int slots = ARRAY_SIZE(log->entry);
	/* cur starts at ~0U (see binder_init), so an empty log yields 0 here */
	unsigned int newest = atomic_read(&log->cur) + 1;
	unsigned int first, count, i;

	if (log->full || newest >= slots) {
		/* wrapped: every slot is live, oldest sits right after cur */
		first = newest % slots;
		count = slots;
	} else {
		first = 0;
		count = newest;
	}

	for (i = 0; i < count; i++) {
		unsigned int index = (first + i) % slots;

		print_binder_transaction_log_entry(m, &log->entry[index]);
	}
	return 0;
}
/*
 * File operations for the binder misc devices registered by
 * init_binder_device().  There is no .read/.write: userspace talks to the
 * driver through binder_ioctl() and the mapping set up by binder_mmap().
 * compat_ptr_ioctl converts the 32-bit argument pointer and forwards to
 * .unlocked_ioctl, so binder_ioctl() serves both ABIs.
 */
const struct file_operations binder_fops = {
	.owner = THIS_MODULE,
	.poll = binder_poll,
	.unlocked_ioctl = binder_ioctl,
	.compat_ioctl = compat_ptr_ioctl,
	.mmap = binder_mmap,
	.open = binder_open,
	.flush = binder_flush,
	.release = binder_release,
};
/*
 * Allocate, initialise and register one binder misc device called @name.
 *
 * @name is stored, not copied, as both the miscdevice name and the binder
 * context name, so it must outlive the device (binder_init() passes
 * tokens of the kstrdup'd module-parameter string).
 *
 * Returns the misc_register() result: 0 on success, negative errno on
 * failure.  On failure the allocation is released and nothing is added
 * to binder_devices; on success the device is linked at the head of
 * binder_devices with its refcount set to 1.
 */
static int __init init_binder_device(const char *name)
{
	struct binder_device *dev = kzalloc(sizeof(*dev), GFP_KERNEL);
	int err;

	if (!dev)
		return -ENOMEM;

	dev->miscdev.fops = &binder_fops;
	dev->miscdev.minor = MISC_DYNAMIC_MINOR;
	dev->miscdev.name = name;

	refcount_set(&dev->ref, 1);
	/* no context manager yet: the first BINDER_SET_CONTEXT_MGR claims it */
	dev->context.binder_context_mgr_uid = INVALID_UID;
	dev->context.name = name;
	mutex_init(&dev->context.context_mgr_node_lock);

	err = misc_register(&dev->miscdev);
	if (err < 0) {
		kfree(dev);
		return err;
	}

	hlist_add_head(&dev->hlist, &binder_devices);

	return err;
}
/*
 * binder_init() - initcall entry point for the driver.
 *
 * Registers the allocator shrinker, resets both transaction logs, creates
 * the debugfs tree and, unless binderfs is enabled, one misc device per
 * comma-separated name in binder_devices_param; finally initialises
 * binderfs.
 *
 * Return: 0 on success or a negative errno.  On failure every device
 * registered so far is deregistered and freed, the copied device-name
 * string is released and the debugfs tree is removed.  Nothing on these
 * error paths undoes binder_alloc_shrinker_init(); whether a counterpart
 * exists is not visible from this file.
 */
static int __init binder_init(void)
{
	int ret;
	char *device_name, *device_tmp;
	struct binder_device *device;
	struct hlist_node *tmp;
	char *device_names = NULL;

	ret = binder_alloc_shrinker_init();
	if (ret)
		return ret;

	/*
	 * cur starts at ~0U so that cur + 1 (the value the readers work
	 * from, see binder_transaction_log_show) is 0 while the log is empty.
	 */
	atomic_set(&binder_transaction_log.cur, ~0U);
	atomic_set(&binder_transaction_log_failed.cur, ~0U);

	/*
	 * NOTE(review): debugfs_create_dir() reports failure with an ERR_PTR
	 * rather than NULL in current kernels, so the NULL checks below do
	 * not catch a failed create; the debugfs_create_* calls tolerate an
	 * error-valued parent, so this is harmless.  Confirm for this tree.
	 */
	binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL);
	if (binder_debugfs_dir_entry_root)
		binder_debugfs_dir_entry_proc = debugfs_create_dir("proc",
						 binder_debugfs_dir_entry_root);

	/*
	 * All files are 0444: access control rests on the debugfs mount
	 * itself.  Kernel pointers in the dumps are printed with %pK.
	 */
	if (binder_debugfs_dir_entry_root) {
		debugfs_create_file("state",
				    0444,
				    binder_debugfs_dir_entry_root,
				    NULL,
				    &binder_state_fops);
		debugfs_create_file("stats",
				    0444,
				    binder_debugfs_dir_entry_root,
				    NULL,
				    &binder_stats_fops);
		debugfs_create_file("transactions",
				    0444,
				    binder_debugfs_dir_entry_root,
				    NULL,
				    &binder_transactions_fops);
		/* both logs share one fops; the log itself is the file's private data */
		debugfs_create_file("transaction_log",
				    0444,
				    binder_debugfs_dir_entry_root,
				    &binder_transaction_log,
				    &binder_transaction_log_fops);
		debugfs_create_file("failed_transaction_log",
				    0444,
				    binder_debugfs_dir_entry_root,
				    &binder_transaction_log_failed,
				    &binder_transaction_log_fops);
	}

	if (!IS_ENABLED(CONFIG_ANDROID_BINDERFS) &&
	    strcmp(binder_devices_param, "") != 0) {
		/*
		 * Copy the module_parameter string, because we don't want to
		 * tokenize it in-place.
		 */
		device_names = kstrdup(binder_devices_param, GFP_KERNEL);
		if (!device_names) {
			ret = -ENOMEM;
			goto err_alloc_device_names_failed;
		}

		/*
		 * Each token is handed to init_binder_device(), which stores
		 * the pointer as the miscdev/context name, so device_names is
		 * intentionally kept alive for the lifetime of the devices.
		 */
		device_tmp = device_names;
		while ((device_name = strsep(&device_tmp, ","))) {
			ret = init_binder_device(device_name);
			if (ret)
				goto err_init_binder_device_failed;
		}
	}

	ret = init_binderfs();
	if (ret)
		goto err_init_binder_device_failed;

	return ret;

err_init_binder_device_failed:
	/* unwind every device registered so far, including by earlier loop iterations */
	hlist_for_each_entry_safe(device, tmp, &binder_devices, hlist) {
		misc_deregister(&device->miscdev);
		hlist_del(&device->hlist);
		kfree(device);
	}

	/* safe once no device refers to the name tokens any more */
	kfree(device_names);

err_alloc_device_names_failed:
	debugfs_remove_recursive(binder_debugfs_dir_entry_root);

	return ret;
}
/* Run binder_init() at device initcall level when the driver is built in. */
device_initcall(binder_init);

/*
 * Instantiate the tracepoints declared in binder_trace.h: defining
 * CREATE_TRACE_POINTS before including the header turns its declarations
 * into definitions, so this define/include pair must appear exactly once.
 */
#define CREATE_TRACE_POINTS
#include "binder_trace.h"
/* Make this tracepoint attachable from other GPL modules. */
EXPORT_TRACEPOINT_SYMBOL_GPL(binder_transaction_received);

MODULE_LICENSE("GPL v2");