#include <linux/security.h>
#include <linux/spinlock.h>
-#ifdef CONFIG_ANDROID_BINDER_IPC_32BIT
-#define BINDER_IPC_32BIT 1
-#endif
-
#include <uapi/linux/android/binder.h>
+#include <uapi/linux/sched/types.h>
#include "binder_alloc.h"
#include "binder_trace.h"
};
static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR |
BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION;
-module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO);
+module_param_named(debug_mask, binder_debug_mask, uint, 0644);
static char *binder_devices_param = CONFIG_ANDROID_BINDER_DEVICES;
module_param_named(devices, binder_devices_param, charp, 0444);
static int binder_stop_on_user_error;
static int binder_set_stop_on_user_error(const char *val,
- struct kernel_param *kp)
+ const struct kernel_param *kp)
{
int ret;
return ret;
}
module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
- param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO);
+ param_get_int, &binder_stop_on_user_error, 0644);
#define binder_debug(mask, x...) \
do { \
unsigned int cur = atomic_inc_return(&log->cur);
if (cur >= ARRAY_SIZE(log->entry))
- log->full = 1;
+ log->full = true;
e = &log->entry[cur % ARRAY_SIZE(log->entry)];
WRITE_ONCE(e->debug_id_done, 0);
/*
* and by @lock)
* @has_async_transaction: async transaction to node in progress
* (protected by @lock)
+ * @sched_policy: minimum scheduling policy for node
+ * (invariant after initialized)
* @accept_fds: file descriptor operations supported for node
* (invariant after initialized)
* @min_priority: minimum scheduling priority
* (invariant after initialized)
+ * @inherit_rt: inherit RT scheduling policy from caller
+ * @txn_security_ctx: require sender's security context
+ * (invariant after initialized)
* @async_todo: list of async work items
* (protected by @proc->inner_lock)
*
/*
* invariant after initialization
*/
+ u8 sched_policy:2;
+ u8 inherit_rt:1;
u8 accept_fds:1;
+ u8 txn_security_ctx:1;
u8 min_priority;
};
bool has_async_transaction;
BINDER_DEFERRED_RELEASE = 0x04,
};
+/**
+ * struct binder_priority - scheduler policy and priority
+ * @sched_policy scheduler policy
+ * @prio [100..139] for SCHED_NORMAL, [0..99] for FIFO/RT
+ *
+ * The binder driver supports inheriting the following scheduler policies:
+ * SCHED_NORMAL
+ * SCHED_BATCH
+ * SCHED_FIFO
+ * SCHED_RR
+ */
+struct binder_priority {
+ unsigned int sched_policy;
+ int prio;
+};
+
/**
* struct binder_proc - binder process bookkeeping
* @proc_node: element for binder_procs list
* @tsk task_struct for group_leader of process
* (invariant after initialized)
* @files files_struct for process
- * (invariant after initialized)
+ * (protected by @files_lock)
+ * @files_lock mutex to protect @files
* @deferred_work_node: element for binder_deferred_list
* (protected by binder_deferred_lock)
* @deferred_work: bitmap of deferred work to perform
* (protected by @inner_lock)
* @todo: list of work for this process
* (protected by @inner_lock)
- * @wait: wait queue head to wait for proc work
- * (invariant after initialized)
* @stats: per-process binder statistics
* (atomics, no lock needed)
* @delivered_death: list of delivered death notification
* @requested_threads_started: number binder threads started
* (protected by @inner_lock)
* @tmp_ref: temporary reference to indicate proc is in use
- * (protected by @inner_lock)
+ * (atomic since @proc->inner_lock cannot
+ * always be acquired)
* @default_priority: default scheduler priority
* (invariant after initialized)
* @debugfs_entry: debugfs node
int pid;
struct task_struct *tsk;
struct files_struct *files;
+ struct mutex files_lock;
struct hlist_node deferred_work_node;
int deferred_work;
bool is_dead;
struct list_head todo;
- wait_queue_head_t wait;
struct binder_stats stats;
struct list_head delivered_death;
int max_threads;
int requested_threads;
int requested_threads_started;
- int tmp_ref;
- long default_priority;
+ atomic_t tmp_ref;
+ struct binder_priority default_priority;
struct dentry *debugfs_entry;
struct binder_alloc alloc;
struct binder_context *context;
* (protected by @proc->inner_lock)
* @todo: list of work to do for this thread
* (protected by @proc->inner_lock)
+ * @process_todo: whether work in @todo should be processed
+ * (protected by @proc->inner_lock)
* @return_error: transaction errors reported by this thread
* (only accessed by this thread)
* @reply_error: transaction errors reported by target thread
* @is_dead: thread is dead and awaiting free
* when outstanding transactions are cleaned up
* (protected by @proc->inner_lock)
+ * @task: struct task_struct for this thread
*
* Bookkeeping structure for binder threads.
*/
bool looper_need_return; /* can be written by other thread */
struct binder_transaction *transaction_stack;
struct list_head todo;
+ bool process_todo;
struct binder_error return_error;
struct binder_error reply_error;
wait_queue_head_t wait;
struct binder_stats stats;
atomic_t tmp_ref;
bool is_dead;
+ struct task_struct *task;
};
struct binder_transaction {
struct binder_buffer *buffer;
unsigned int code;
unsigned int flags;
- long priority;
- long saved_priority;
+ struct binder_priority priority;
+ struct binder_priority saved_priority;
+ bool set_priority_called;
kuid_t sender_euid;
+ binder_uintptr_t security_ctx;
/**
* @lock: protects @from, @to_proc, and @to_thread
*
spin_unlock(&node->lock);
}
+#ifdef CONFIG_DEBUG_SNAPSHOT_BINDER
+/*
+ * Binder Debug Snapshot
+ */
+static void init_binder_transaction_base(int type, struct trace_binder_transaction_base *base,
+ struct binder_transaction *t, struct binder_thread *from,
+ struct binder_thread *to)
+{
+ struct binder_thread *t_from;
+ struct binder_thread *t_to;
+
+ if (base == NULL)
+ return;
+
+ t_from = t->from ? t->from : (from ? from : NULL);
+ t_to = t->to_thread ? t->to_thread : (to ? to : NULL);
+ base->trace_type = type;
+ base->transaction_id = t->debug_id;
+ base->from_pid = t_from ? t_from->proc->pid : 0;
+ base->from_tid = t_from ? t_from->pid : 0;
+ base->to_pid = t->to_proc ? t->to_proc->pid : 0;
+ base->to_tid = t_to ? t_to->pid : 0;
+ if (t_from) {
+ strncpy(base->from_pid_comm, t_from->proc->tsk->comm, TASK_COMM_LEN);
+ strncpy(base->from_tid_comm, t_from->task->comm, TASK_COMM_LEN);
+ } else {
+ base->from_pid_comm[0] = '\0';
+ base->from_tid_comm[0] = '\0';
+ }
+ if (t->to_proc)
+ strncpy(base->to_pid_comm, t->to_proc->tsk->comm, TASK_COMM_LEN);
+ else
+ base->to_pid_comm[0] = '\0';
+ if (t_to)
+ strncpy(base->to_tid_comm, t_to->task->comm, TASK_COMM_LEN);
+ else
+ base->to_tid_comm[0] = '\0';
+}
+
+static void dss_binder_transaction(int reply, struct binder_transaction *t, struct binder_thread *from, int to_node_id)
+{
+ struct trace_binder_transaction_base base;
+ struct trace_binder_transaction transaction;
+
+ init_binder_transaction_base(TRANSACTION, &base, t, from, NULL);
+ transaction.to_node_id = to_node_id;
+ transaction.reply = reply;
+ transaction.flags = t->flags;
+ transaction.code = t->code;
+
+ dbg_snapshot_binder(&base, &transaction, NULL);
+}
+
+static void dss_binder_transaction_received(struct binder_transaction *t, struct binder_thread *to)
+{
+ struct trace_binder_transaction_base base;
+
+ init_binder_transaction_base(TRANSACTION_DONE, &base, t, NULL, to);
+
+ dbg_snapshot_binder(&base, NULL, NULL);
+}
+
+static void dss_binder_transaction_failed(int reply, struct binder_transaction_log_entry *e,
+ char *from_pid_comm, char *from_tid_comm,
+ unsigned int flags, unsigned int code)
+{
+ struct trace_binder_transaction_base base;
+ struct trace_binder_transaction transaction;
+ struct trace_binder_transaction_error error;
+
+ base.trace_type = TRANSACTION_ERROR;
+ base.transaction_id = e->debug_id;
+ base.from_pid = e->from_proc;
+ base.from_tid = e->from_thread;
+ base.to_pid = e->to_proc;
+ base.to_tid = e->to_thread;
+ strncpy(base.from_pid_comm, from_pid_comm, TASK_COMM_LEN);
+ strncpy(base.from_tid_comm, from_tid_comm, TASK_COMM_LEN);
+ base.to_pid_comm[0] = '\0';
+ base.to_tid_comm[0] = '\0';
+ transaction.to_node_id = e->to_node;
+ transaction.reply = reply;
+ transaction.flags = flags;
+ transaction.code = code;
+ error.return_error = e->return_error;
+ error.return_error_param = e->return_error_param;
+ error.return_error_line = e->return_error_line;
+
+ dbg_snapshot_binder(&base, &transaction, &error);
+}
+#endif /* CONFIG_DEBUG_SNAPSHOT_BINDER */
+
static bool binder_worklist_empty_ilocked(struct list_head *list)
{
return list_empty(list);
return ret;
}
+/**
+ * binder_enqueue_work_ilocked() - Add an item to the work list
+ * @work: struct binder_work to add to list
+ * @target_list: list to add work to
+ *
+ * Adds the work to the specified list. Asserts that work
+ * is not already on a list.
+ *
+ * Requires the proc->inner_lock to be held.
+ */
static void
binder_enqueue_work_ilocked(struct binder_work *work,
struct list_head *target_list)
}
/**
- * binder_enqueue_work() - Add an item to the work list
- * @proc: binder_proc associated with list
+ * binder_enqueue_deferred_thread_work_ilocked() - Add deferred thread work
+ * @thread: thread to queue work to
* @work: struct binder_work to add to list
- * @target_list: list to add work to
*
- * Adds the work to the specified list. Asserts that work
- * is not already on a list.
+ * Adds the work to the todo list of the thread. Doesn't set the process_todo
+ * flag, which means that (if it wasn't already set) the thread will go to
+ * sleep without handling this work when it calls read.
+ *
+ * Requires the proc->inner_lock to be held.
*/
static void
-binder_enqueue_work(struct binder_proc *proc,
- struct binder_work *work,
- struct list_head *target_list)
+binder_enqueue_deferred_thread_work_ilocked(struct binder_thread *thread,
+ struct binder_work *work)
{
- binder_inner_proc_lock(proc);
- binder_enqueue_work_ilocked(work, target_list);
- binder_inner_proc_unlock(proc);
+ binder_enqueue_work_ilocked(work, &thread->todo);
+}
+
+/**
+ * binder_enqueue_thread_work_ilocked() - Add an item to the thread work list
+ * @thread: thread to queue work to
+ * @work: struct binder_work to add to list
+ *
+ * Adds the work to the todo list of the thread, and enables processing
+ * of the todo queue.
+ *
+ * Requires the proc->inner_lock to be held.
+ */
+static void
+binder_enqueue_thread_work_ilocked(struct binder_thread *thread,
+ struct binder_work *work)
+{
+ binder_enqueue_work_ilocked(work, &thread->todo);
+ thread->process_todo = true;
+}
+
+/**
+ * binder_enqueue_thread_work() - Add an item to the thread work list
+ * @thread: thread to queue work to
+ * @work: struct binder_work to add to list
+ *
+ * Adds the work to the todo list of the thread, and enables processing
+ * of the todo queue.
+ */
+static void
+binder_enqueue_thread_work(struct binder_thread *thread,
+ struct binder_work *work)
+{
+ binder_inner_proc_lock(thread->proc);
+ binder_enqueue_thread_work_ilocked(thread, work);
+ binder_inner_proc_unlock(thread->proc);
}
static void
static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
{
- struct files_struct *files = proc->files;
unsigned long rlim_cur;
unsigned long irqs;
+ int ret;
- if (files == NULL)
- return -ESRCH;
-
- if (!lock_task_sighand(proc->tsk, &irqs))
- return -EMFILE;
-
+ mutex_lock(&proc->files_lock);
+ if (proc->files == NULL) {
+ ret = -ESRCH;
+ goto err;
+ }
+ if (!lock_task_sighand(proc->tsk, &irqs)) {
+ ret = -EMFILE;
+ goto err;
+ }
rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
unlock_task_sighand(proc->tsk, &irqs);
- return __alloc_fd(files, 0, rlim_cur, flags);
+ ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
+err:
+ mutex_unlock(&proc->files_lock);
+ return ret;
}
/*
static void task_fd_install(
struct binder_proc *proc, unsigned int fd, struct file *file)
{
+ mutex_lock(&proc->files_lock);
if (proc->files)
__fd_install(proc->files, fd, file);
+ mutex_unlock(&proc->files_lock);
}
/*
{
int retval;
- if (proc->files == NULL)
- return -ESRCH;
-
+ mutex_lock(&proc->files_lock);
+ if (proc->files == NULL) {
+ retval = -ESRCH;
+ goto err;
+ }
retval = __close_fd(proc->files, fd);
/* can't restart close syscall because file table entry was cleared */
if (unlikely(retval == -ERESTARTSYS ||
retval == -ERESTARTNOHAND ||
retval == -ERESTART_RESTARTBLOCK))
retval = -EINTR;
-
+err:
+ mutex_unlock(&proc->files_lock);
return retval;
}
static bool binder_has_work_ilocked(struct binder_thread *thread,
bool do_proc_work)
{
- return !binder_worklist_empty_ilocked(&thread->todo) ||
+ return thread->process_todo ||
thread->looper_need_return ||
(do_proc_work &&
!binder_worklist_empty_ilocked(&thread->proc->todo));
binder_wakeup_thread_ilocked(proc, thread, /* sync = */false);
}
-static void binder_set_nice(long nice)
+static bool is_rt_policy(int policy)
+{
+ return policy == SCHED_FIFO || policy == SCHED_RR;
+}
+
+static bool is_fair_policy(int policy)
{
- long min_nice;
+ return policy == SCHED_NORMAL || policy == SCHED_BATCH;
+}
- if (can_nice(current, nice)) {
- set_user_nice(current, nice);
+static bool binder_supported_policy(int policy)
+{
+ return is_fair_policy(policy) || is_rt_policy(policy);
+}
+
+static int to_userspace_prio(int policy, int kernel_priority)
+{
+ if (is_fair_policy(policy))
+ return PRIO_TO_NICE(kernel_priority);
+ else
+ return MAX_USER_RT_PRIO - 1 - kernel_priority;
+}
+
+static int to_kernel_prio(int policy, int user_priority)
+{
+ if (is_fair_policy(policy))
+ return NICE_TO_PRIO(user_priority);
+ else
+ return MAX_USER_RT_PRIO - 1 - user_priority;
+}
+
+static void binder_do_set_priority(struct task_struct *task,
+ struct binder_priority desired,
+ bool verify)
+{
+ int priority; /* user-space prio value */
+ bool has_cap_nice;
+ unsigned int policy = desired.sched_policy;
+
+ if (task->policy == policy && task->normal_prio == desired.prio)
return;
+
+ has_cap_nice = has_capability_noaudit(task, CAP_SYS_NICE);
+
+ priority = to_userspace_prio(policy, desired.prio);
+
+ if (verify && is_rt_policy(policy) && !has_cap_nice) {
+ long max_rtprio = task_rlimit(task, RLIMIT_RTPRIO);
+
+ if (max_rtprio == 0) {
+ policy = SCHED_NORMAL;
+ priority = MIN_NICE;
+ } else if (priority > max_rtprio) {
+ priority = max_rtprio;
+ }
+ }
+
+ if (verify && is_fair_policy(policy) && !has_cap_nice) {
+ long min_nice = rlimit_to_nice(task_rlimit(task, RLIMIT_NICE));
+
+ if (min_nice > MAX_NICE) {
+ binder_user_error("%d(%s) RLIMIT_NICE not set\n",
+ task->pid, task->comm);
+ return;
+ } else if (priority < min_nice) {
+ priority = min_nice;
+ }
}
- min_nice = rlimit_to_nice(rlimit(RLIMIT_NICE));
- binder_debug(BINDER_DEBUG_PRIORITY_CAP,
- "%d: nice value %ld not allowed use %ld instead\n",
- current->pid, nice, min_nice);
- set_user_nice(current, min_nice);
- if (min_nice <= MAX_NICE)
+
+ if (policy != desired.sched_policy ||
+ to_kernel_prio(policy, priority) != desired.prio)
+ binder_debug(BINDER_DEBUG_PRIORITY_CAP,
+ "%d(%s): priority %d not allowed, using %d instead\n",
+ task->pid, task->comm, desired.prio,
+ to_kernel_prio(policy, priority));
+
+ trace_binder_set_priority(task->tgid, task->pid, task->normal_prio,
+ to_kernel_prio(policy, priority),
+ desired.prio);
+
+ /* Set the actual priority */
+ if (task->policy != policy || is_rt_policy(policy)) {
+ struct sched_param params;
+
+ params.sched_priority = is_rt_policy(policy) ? priority : 0;
+
+ sched_setscheduler_nocheck(task,
+ policy | SCHED_RESET_ON_FORK,
+ ¶ms);
+ }
+ if (is_fair_policy(policy))
+ set_user_nice(task, priority);
+}
+
+static void binder_set_priority(struct task_struct *task,
+ struct binder_priority desired)
+{
+ binder_do_set_priority(task, desired, /* verify = */ true);
+}
+
+static void binder_restore_priority(struct task_struct *task,
+ struct binder_priority desired)
+{
+ binder_do_set_priority(task, desired, /* verify = */ false);
+}
+
+static void binder_transaction_priority(struct task_struct *task,
+ struct binder_transaction *t,
+ struct binder_priority node_prio,
+ bool inherit_rt)
+{
+ struct binder_priority desired_prio = t->priority;
+
+ if (t->set_priority_called)
return;
- binder_user_error("%d RLIMIT_NICE not set\n", current->pid);
+
+ t->set_priority_called = true;
+ t->saved_priority.sched_policy = task->policy;
+ t->saved_priority.prio = task->normal_prio;
+
+ if (!inherit_rt && is_rt_policy(desired_prio.sched_policy)) {
+ desired_prio.prio = NICE_TO_PRIO(0);
+ desired_prio.sched_policy = SCHED_NORMAL;
+ }
+
+ if (node_prio.prio < t->priority.prio ||
+ (node_prio.prio == t->priority.prio &&
+ node_prio.sched_policy == SCHED_FIFO)) {
+ /*
+ * In case the minimum priority on the node is
+ * higher (lower value), use that priority. If
+ * the priority is the same, but the node uses
+ * SCHED_FIFO, prefer SCHED_FIFO, since it can
+ * run unbounded, unlike SCHED_RR.
+ */
+ desired_prio = node_prio;
+ }
+
+ binder_set_priority(task, desired_prio);
}
static struct binder_node *binder_get_node_ilocked(struct binder_proc *proc,
binder_uintptr_t ptr = fp ? fp->binder : 0;
binder_uintptr_t cookie = fp ? fp->cookie : 0;
__u32 flags = fp ? fp->flags : 0;
+ s8 priority;
assert_spin_locked(&proc->inner_lock);
node->ptr = ptr;
node->cookie = cookie;
node->work.type = BINDER_WORK_NODE;
- node->min_priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
+ priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
+ node->sched_policy = (flags & FLAT_BINDER_FLAG_SCHED_POLICY_MASK) >>
+ FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT;
+ node->min_priority = to_kernel_prio(node->sched_policy, priority);
node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
+ node->inherit_rt = !!(flags & FLAT_BINDER_FLAG_INHERIT_RT);
+ node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX);
spin_lock_init(&node->lock);
INIT_LIST_HEAD(&node->work.entry);
INIT_LIST_HEAD(&node->async_todo);
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
- "%d:%d node %d u%016llx c%016llx created\n",
- proc->pid, current->pid, node->debug_id,
+ "%d:%d(%s:%s) node %d u%016llx c%016llx created\n",
+ proc->pid, current->pid, proc->tsk->comm, current->comm, node->debug_id,
(u64)node->ptr, (u64)node->cookie);
return node;
node->local_strong_refs++;
if (!node->has_strong_ref && target_list) {
binder_dequeue_work_ilocked(&node->work);
+ /*
+ * Note: this function is the only place where we queue
+ * directly to a thread->todo without using the
+ * corresponding binder_enqueue_thread_work() helper
+ * functions; in this case it's ok to not set the
+ * process_todo flag, since we know this node work will
+ * always be followed by other work that starts queue
+ * processing: in case of synchronous transactions, a
+ * BR_REPLY or BR_ERROR; in case of oneway
+ * transactions, a BR_TRANSACTION_COMPLETE.
+ */
binder_enqueue_work_ilocked(&node->work, target_list);
}
} else {
node->debug_id);
return -EINVAL;
}
+ /*
+ * See comment above
+ */
binder_enqueue_work_ilocked(&node->work, target_list);
}
}
hlist_add_head(&new_ref->node_entry, &node->refs);
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
- "%d new ref %d desc %d for node %d\n",
- proc->pid, new_ref->data.debug_id, new_ref->data.desc,
+ "%d(%s) new ref %d desc %d for node %d\n",
+ proc->pid, proc->tsk->comm, new_ref->data.debug_id, new_ref->data.desc,
node->debug_id);
binder_node_unlock(node);
return new_ref;
bool delete_node = false;
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
- "%d delete ref %d desc %d for node %d\n",
- ref->proc->pid, ref->data.debug_id, ref->data.desc,
+ "%d(%s) delete ref %d desc %d for node %d\n",
+ ref->proc->pid, ref->proc->tsk->comm, ref->data.debug_id, ref->data.desc,
ref->node->debug_id);
rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc);
if (ref->death) {
binder_debug(BINDER_DEBUG_DEAD_BINDER,
- "%d delete ref %d desc %d has death notification\n",
- ref->proc->pid, ref->data.debug_id,
+ "%d(%s) delete ref %d desc %d has death notification\n",
+ ref->proc->pid, ref->proc->tsk->comm, ref->data.debug_id,
ref->data.desc);
binder_dequeue_work(ref->proc, &ref->death->work);
binder_stats_deleted(BINDER_STAT_DEATH);
{
if (strong) {
if (ref->data.strong == 0) {
- binder_user_error("%d invalid dec strong, ref %d desc %d s %d w %d\n",
- ref->proc->pid, ref->data.debug_id,
+ binder_user_error("%d(%s) invalid dec strong, ref %d desc %d s %d w %d\n",
+ ref->proc->pid, ref->proc->tsk->comm, ref->data.debug_id,
ref->data.desc, ref->data.strong,
ref->data.weak);
return false;
binder_dec_node(ref->node, strong, 1);
} else {
if (ref->data.weak == 0) {
- binder_user_error("%d invalid dec weak, ref %d desc %d s %d w %d\n",
- ref->proc->pid, ref->data.debug_id,
+ binder_user_error("%d(%s) invalid dec weak, ref %d desc %d s %d w %d\n",
+ ref->proc->pid, ref->proc->tsk->comm, ref->data.debug_id,
ref->data.desc, ref->data.strong,
ref->data.weak);
return false;
static void binder_proc_dec_tmpref(struct binder_proc *proc)
{
binder_inner_proc_lock(proc);
- proc->tmp_ref--;
+ atomic_dec(&proc->tmp_ref);
if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
- !proc->tmp_ref) {
+ !atomic_read(&proc->tmp_ref)) {
binder_inner_proc_unlock(proc);
binder_free_proc(proc);
return;
static void binder_free_transaction(struct binder_transaction *t)
{
- if (t->buffer)
- t->buffer->transaction = NULL;
+ struct binder_proc *target_proc;
+
+ spin_lock(&t->lock);
+ target_proc = t->to_proc;
+ if (target_proc) {
+ atomic_inc(&target_proc->tmp_ref);
+ spin_unlock(&t->lock);
+
+ binder_inner_proc_lock(target_proc);
+ if (t->buffer)
+ t->buffer->transaction = NULL;
+ binder_inner_proc_unlock(target_proc);
+ binder_proc_dec_tmpref(target_proc);
+ } else {
+ /*
+ * If the transaction has no target_proc, then
+ * t->buffer->transaction * has already been cleared.
+ */
+ spin_unlock(&t->lock);
+ }
kfree(t);
binder_stats_deleted(BINDER_STAT_TRANSACTION);
}
target_thread = binder_get_txn_from_and_acq_inner(t);
if (target_thread) {
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
- "send failed reply for transaction %d to %d:%d\n",
+ "send failed reply for transaction %d to %d:%d(%s:%s)\n",
t->debug_id,
target_thread->proc->pid,
- target_thread->pid);
+ target_thread->pid,
+ target_thread->proc->tsk->comm,
+ target_thread->task->comm);
binder_pop_transaction_ilocked(target_thread, t);
if (target_thread->reply_error.cmd == BR_OK) {
target_thread->reply_error.cmd = error_code;
- binder_enqueue_work_ilocked(
- &target_thread->reply_error.work,
- &target_thread->todo);
+ binder_enqueue_thread_work_ilocked(
+ target_thread,
+ &target_thread->reply_error.work);
wake_up_interruptible(&target_thread->wait);
} else {
- WARN(1, "Unexpected reply error: %u\n",
- target_thread->reply_error.cmd);
+ /*
+ * Cannot get here for normal operation, but
+ * we can if multiple synchronous transactions
+ * are sent without blocking for responses.
+ * Just ignore the 2nd error in this case.
+ */
+ pr_warn("Unexpected reply error: %u\n",
+ target_thread->reply_error.cmd);
}
binder_inner_proc_unlock(target_thread->proc);
binder_thread_dec_tmpref(target_thread);
struct binder_object_header *hdr;
size_t object_size = 0;
- if (offset > buffer->data_size - sizeof(*hdr) ||
- buffer->data_size < sizeof(*hdr) ||
+ if (buffer->data_size < sizeof(*hdr) ||
+ offset > buffer->data_size - sizeof(*hdr) ||
!IS_ALIGNED(offset, sizeof(u32)))
return 0;
int debug_id = buffer->debug_id;
binder_debug(BINDER_DEBUG_TRANSACTION,
- "%d buffer release %d, size %zd-%zd, failed at %p\n",
- proc->pid, buffer->debug_id,
+ "%d(%s) buffer release %d, size %zd-%zd, failed at %pK\n",
+ proc->pid, proc->tsk->comm, buffer->debug_id,
buffer->data_size, buffer->offsets_size, failed_at);
if (buffer->target_node)
return -ENOMEM;
}
if (fp->cookie != node->cookie) {
- binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
- proc->pid, thread->pid, (u64)fp->binder,
+ binder_user_error("%d:%d(%s:%s) sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, (u64)fp->binder,
node->debug_id, (u64)fp->cookie,
(u64)node->cookie);
ret = -EINVAL;
node = binder_get_node_from_ref(proc, fp->handle,
fp->hdr.type == BINDER_TYPE_HANDLE, &src_rdata);
if (!node) {
- binder_user_error("%d:%d got transaction with invalid handle, %d\n",
- proc->pid, thread->pid, fp->handle);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid handle, %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, fp->handle);
return -EINVAL;
}
if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
else
target_allows_fd = t->buffer->target_node->accept_fds;
if (!target_allows_fd) {
- binder_user_error("%d:%d got %s with fd, %d, but target does not allow fds\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) got %s with fd, %d, but target does not allow fds\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
in_reply_to ? "reply" : "transaction",
fd);
ret = -EPERM;
file = fget(fd);
if (!file) {
- binder_user_error("%d:%d got transaction with invalid fd, %d\n",
- proc->pid, thread->pid, fd);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid fd, %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, fd);
ret = -EBADF;
goto err_fget;
}
fd_buf_size = sizeof(u32) * fda->num_fds;
if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
- binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
- proc->pid, thread->pid, (u64)fda->num_fds);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid number of fds (%lld)\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, (u64)fda->num_fds);
return -EINVAL;
}
if (fd_buf_size > parent->length ||
fda->parent_offset > parent->length - fd_buf_size) {
/* No space for all file descriptors here. */
- binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
- proc->pid, thread->pid, (u64)fda->num_fds);
+ binder_user_error("%d:%d(%s:%s) not enough space to store %lld fds in buffer\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, (u64)fda->num_fds);
return -EINVAL;
}
/*
binder_alloc_get_user_buffer_offset(&target_proc->alloc);
fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset);
if (!IS_ALIGNED((unsigned long)fd_array, sizeof(u32))) {
- binder_user_error("%d:%d parent offset not aligned correctly.\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) parent offset not aligned correctly.\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return -EINVAL;
}
for (fdi = 0; fdi < fda->num_fds; fdi++) {
parent = binder_validate_ptr(b, bp->parent, off_start, num_valid);
if (!parent) {
- binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid parent offset or type\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return -EINVAL;
}
parent, bp->parent_offset,
last_fixup_obj,
last_fixup_min_off)) {
- binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with out-of-order buffer fixup\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return -EINVAL;
}
if (parent->length < sizeof(binder_uintptr_t) ||
bp->parent_offset > parent->length - sizeof(binder_uintptr_t)) {
/* No space for a pointer here! */
- binder_user_error("%d:%d got transaction with invalid parent offset\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid parent offset\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return -EINVAL;
}
parent_buffer = (u8 *)((uintptr_t)parent->buffer -
struct binder_proc *proc,
struct binder_thread *thread)
{
- struct list_head *target_list = NULL;
struct binder_node *node = t->buffer->target_node;
+ struct binder_priority node_prio;
bool oneway = !!(t->flags & TF_ONE_WAY);
- bool wakeup = true;
+ bool pending_async = false;
BUG_ON(!node);
binder_node_lock(node);
+ node_prio.prio = node->min_priority;
+ node_prio.sched_policy = node->sched_policy;
+
if (oneway) {
BUG_ON(thread);
if (node->has_async_transaction) {
- target_list = &node->async_todo;
- wakeup = false;
+ pending_async = true;
} else {
- node->has_async_transaction = 1;
+ node->has_async_transaction = true;
}
}
return false;
}
- if (!thread && !target_list)
+ if (!thread && !pending_async)
thread = binder_select_thread_ilocked(proc);
- if (thread)
- target_list = &thread->todo;
- else if (!target_list)
- target_list = &proc->todo;
- else
- BUG_ON(target_list != &node->async_todo);
-
- binder_enqueue_work_ilocked(&t->work, target_list);
+ if (thread) {
+ binder_transaction_priority(thread->task, t, node_prio,
+ node->inherit_rt);
+ binder_enqueue_thread_work_ilocked(thread, &t->work);
+ } else if (!pending_async) {
+ binder_enqueue_work_ilocked(&t->work, &proc->todo);
+ } else {
+ binder_enqueue_work_ilocked(&t->work, &node->async_todo);
+ }
- if (wakeup)
+ if (!pending_async)
binder_wakeup_thread_ilocked(proc, thread, !oneway /* sync */);
binder_inner_proc_unlock(proc);
target_node = node;
binder_inc_node_nilocked(node, 1, 0, NULL);
binder_inc_node_tmpref_ilocked(node);
- node->proc->tmp_ref++;
+ atomic_inc(&node->proc->tmp_ref);
*procp = node->proc;
} else
*error = BR_DEAD_REPLY;
binder_size_t last_fixup_min_off = 0;
struct binder_context *context = proc->context;
int t_debug_id = atomic_inc_return(&binder_last_id);
+ char *secctx = NULL;
+ u32 secctx_sz = 0;
e = binder_transaction_log_add(&binder_transaction_log);
e->debug_id = t_debug_id;
in_reply_to = thread->transaction_stack;
if (in_reply_to == NULL) {
binder_inner_proc_unlock(proc);
- binder_user_error("%d:%d got reply transaction with no transaction stack\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got reply transaction with no transaction stack\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return_error = BR_FAILED_REPLY;
return_error_param = -EPROTO;
return_error_line = __LINE__;
}
if (in_reply_to->to_thread != thread) {
spin_lock(&in_reply_to->lock);
- binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
- proc->pid, thread->pid, in_reply_to->debug_id,
+ binder_user_error("%d:%d(%s:%s) got reply transaction with bad transaction stack, "\
+ "transaction %d has target %d:%d(%s:%s)\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, in_reply_to->debug_id,
in_reply_to->to_proc ?
in_reply_to->to_proc->pid : 0,
in_reply_to->to_thread ?
- in_reply_to->to_thread->pid : 0);
+ in_reply_to->to_thread->pid : 0,
+ in_reply_to->to_proc ?
+ in_reply_to->to_proc->tsk->comm : "",
+ in_reply_to->to_thread ?
+ in_reply_to->to_thread->task->comm : "");
spin_unlock(&in_reply_to->lock);
binder_inner_proc_unlock(proc);
return_error = BR_FAILED_REPLY;
}
thread->transaction_stack = in_reply_to->to_parent;
binder_inner_proc_unlock(proc);
- binder_set_nice(in_reply_to->saved_priority);
target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
if (target_thread == NULL) {
return_error = BR_DEAD_REPLY;
goto err_dead_binder;
}
if (target_thread->transaction_stack != in_reply_to) {
- binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) got reply transaction with bad target transaction "\
+ "stack %d, expected %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
target_thread->transaction_stack ?
target_thread->transaction_stack->debug_id : 0,
in_reply_to->debug_id);
goto err_dead_binder;
}
target_proc = target_thread->proc;
- target_proc->tmp_ref++;
+ atomic_inc(&target_proc->tmp_ref);
binder_inner_proc_unlock(target_thread->proc);
} else {
if (tr->target.handle) {
ref->node, &target_proc,
&return_error);
} else {
- binder_user_error("%d:%d got transaction to invalid handle\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction to invalid handle\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return_error = BR_FAILED_REPLY;
}
binder_proc_unlock(proc);
else
return_error = BR_DEAD_REPLY;
mutex_unlock(&context->context_mgr_node_lock);
+ if (target_node && target_proc == proc) {
+ binder_user_error("%d:%d got transaction to context manager from process owning it\n",
+ proc->pid, thread->pid);
+ return_error = BR_FAILED_REPLY;
+ return_error_param = -EINVAL;
+ return_error_line = __LINE__;
+ goto err_invalid_target_handle;
+ }
}
if (!target_node) {
/*
tmp = thread->transaction_stack;
if (tmp->to_thread != thread) {
spin_lock(&tmp->lock);
- binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
- proc->pid, thread->pid, tmp->debug_id,
+ binder_user_error("%d:%d(%s:%s) got new transaction with bad transaction stack, "\
+ "transaction %d has target %d:%d(%s:%s)\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, tmp->debug_id,
tmp->to_proc ? tmp->to_proc->pid : 0,
tmp->to_thread ?
- tmp->to_thread->pid : 0);
+ tmp->to_thread->pid : 0,
+ tmp->to_proc ? tmp->to_proc->tsk->comm : "",
+ tmp->to_thread ? tmp->to_thread->task->comm : "");
spin_unlock(&tmp->lock);
binder_inner_proc_unlock(proc);
return_error = BR_FAILED_REPLY;
}
binder_inner_proc_unlock(proc);
}
- if (target_thread)
+ if (target_thread) {
e->to_thread = target_thread->pid;
+ }
e->to_proc = target_proc->pid;
/* TODO: reuse incoming transaction for reply */
if (reply)
binder_debug(BINDER_DEBUG_TRANSACTION,
- "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
- proc->pid, thread->pid, t->debug_id,
- target_proc->pid, target_thread->pid,
+ "%d:%d(%s:%s) BC_REPLY %d -> %d:%d (%s:%s), data %016llx-%016llx size %lld-%lld-%lld\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, t->debug_id,
+ target_proc->pid, target_thread->pid, target_proc->tsk->comm, target_thread->task->comm,
(u64)tr->data.ptr.buffer,
(u64)tr->data.ptr.offsets,
(u64)tr->data_size, (u64)tr->offsets_size,
(u64)extra_buffers_size);
else
binder_debug(BINDER_DEBUG_TRANSACTION,
- "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
- proc->pid, thread->pid, t->debug_id,
- target_proc->pid, target_node->debug_id,
+ "%d:%d(%s:%s) BC_TRANSACTION %d -> %d (%s) - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, t->debug_id,
+ target_proc->pid, target_proc->tsk->comm, target_node->debug_id,
(u64)tr->data.ptr.buffer,
(u64)tr->data.ptr.offsets,
(u64)tr->data_size, (u64)tr->offsets_size,
t->to_thread = target_thread;
t->code = tr->code;
t->flags = tr->flags;
- t->priority = task_nice(current);
+ if (!(t->flags & TF_ONE_WAY) &&
+ binder_supported_policy(current->policy)) {
+ /* Inherit supported policies for synchronous transactions */
+ t->priority.sched_policy = current->policy;
+ t->priority.prio = current->normal_prio;
+ } else {
+ /* Otherwise, fall back to the default priority */
+ t->priority = target_proc->default_priority;
+ }
+ if (target_node && target_node->txn_security_ctx) {
+ u32 secid;
+ size_t added_size;
+
+ security_task_getsecid(proc->tsk, &secid);
+ ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
+ if (ret) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_get_secctx_failed;
+ }
+ added_size = ALIGN(secctx_sz, sizeof(u64));
+ extra_buffers_size += added_size;
+ if (extra_buffers_size < added_size) {
+ /* integer overflow of extra_buffers_size */
+ return_error = BR_FAILED_REPLY;
+ return_error_param = EINVAL;
+ return_error_line = __LINE__;
+ goto err_bad_extra_size;
+ }
+ }
+
+#ifdef CONFIG_DEBUG_SNAPSHOT_BINDER
+ dss_binder_transaction(reply, t, t->from ? t->from : thread, target_node ? target_node->debug_id : 0);
+#endif
trace_binder_transaction(reply, t, target_node);
t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
t->buffer = NULL;
goto err_binder_alloc_buf_failed;
}
- t->buffer->allow_user_free = 0;
+ if (secctx) {
+ size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
+ ALIGN(tr->offsets_size, sizeof(void *)) +
+ ALIGN(extra_buffers_size, sizeof(void *)) -
+ ALIGN(secctx_sz, sizeof(u64));
+ char *kptr = t->buffer->data + buf_offset;
+
+ t->security_ctx = (uintptr_t)kptr +
+ binder_alloc_get_user_buffer_offset(&target_proc->alloc);
+ memcpy(kptr, secctx, secctx_sz);
+ security_release_secctx(secctx, secctx_sz);
+ secctx = NULL;
+ }
t->buffer->debug_id = t->debug_id;
t->buffer->transaction = t;
t->buffer->target_node = target_node;
if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t)
tr->data.ptr.buffer, tr->data_size)) {
- binder_user_error("%d:%d got transaction with invalid data ptr\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid data ptr\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return_error = BR_FAILED_REPLY;
return_error_param = -EFAULT;
return_error_line = __LINE__;
}
if (copy_from_user(offp, (const void __user *)(uintptr_t)
tr->data.ptr.offsets, tr->offsets_size)) {
- binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid offsets ptr\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return_error = BR_FAILED_REPLY;
return_error_param = -EFAULT;
return_error_line = __LINE__;
goto err_copy_data_failed;
}
if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
- binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
- proc->pid, thread->pid, (u64)tr->offsets_size);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid offsets size, %lld\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, (u64)tr->offsets_size);
return_error = BR_FAILED_REPLY;
return_error_param = -EINVAL;
return_error_line = __LINE__;
goto err_bad_offset;
}
if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
- binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) got transaction with unaligned buffers size, %lld\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
(u64)extra_buffers_size);
return_error = BR_FAILED_REPLY;
return_error_param = -EINVAL;
}
off_end = (void *)off_start + tr->offsets_size;
sg_bufp = (u8 *)(PTR_ALIGN(off_end, sizeof(void *)));
- sg_buf_end = sg_bufp + extra_buffers_size;
+ sg_buf_end = sg_bufp + extra_buffers_size -
+ ALIGN(secctx_sz, sizeof(u64));
off_min = 0;
for (; offp < off_end; offp++) {
struct binder_object_header *hdr;
size_t object_size = binder_validate_object(t->buffer, *offp);
if (object_size == 0 || *offp < off_min) {
- binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
- proc->pid, thread->pid, (u64)*offp,
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid offset (%lld, min %lld max %lld)"\
+ " or object.\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
+ (u64)*offp,
(u64)off_min,
(u64)t->buffer->data_size);
return_error = BR_FAILED_REPLY;
off_start,
offp - off_start);
if (!parent) {
- binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid parent offset or type\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return_error = BR_FAILED_REPLY;
return_error_param = -EINVAL;
return_error_line = __LINE__;
parent, fda->parent_offset,
last_fixup_obj,
last_fixup_min_off)) {
- binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with out-of-order buffer fixup\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return_error = BR_FAILED_REPLY;
return_error_param = -EINVAL;
return_error_line = __LINE__;
size_t buf_left = sg_buf_end - sg_bufp;
if (bp->length > buf_left) {
- binder_user_error("%d:%d got transaction with too large buffer\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with too large buffer\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return_error = BR_FAILED_REPLY;
return_error_param = -EINVAL;
return_error_line = __LINE__;
if (copy_from_user(sg_bufp,
(const void __user *)(uintptr_t)
bp->buffer, bp->length)) {
- binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid offsets ptr\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
return_error_param = -EFAULT;
return_error = BR_FAILED_REPLY;
return_error_line = __LINE__;
last_fixup_min_off = 0;
} break;
default:
- binder_user_error("%d:%d got transaction with invalid object type, %x\n",
- proc->pid, thread->pid, hdr->type);
+ binder_user_error("%d:%d(%s:%s) got transaction with invalid object type, %x\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, hdr->type);
return_error = BR_FAILED_REPLY;
return_error_param = -EINVAL;
return_error_line = __LINE__;
}
}
tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
- binder_enqueue_work(proc, tcomplete, &thread->todo);
t->work.type = BINDER_WORK_TRANSACTION;
if (reply) {
+ binder_enqueue_thread_work(thread, tcomplete);
binder_inner_proc_lock(target_proc);
if (target_thread->is_dead) {
binder_inner_proc_unlock(target_proc);
}
BUG_ON(t->buffer->async_transaction != 0);
binder_pop_transaction_ilocked(target_thread, in_reply_to);
- binder_enqueue_work_ilocked(&t->work, &target_thread->todo);
+ binder_enqueue_thread_work_ilocked(target_thread, &t->work);
binder_inner_proc_unlock(target_proc);
wake_up_interruptible_sync(&target_thread->wait);
+ binder_restore_priority(current, in_reply_to->saved_priority);
binder_free_transaction(in_reply_to);
} else if (!(t->flags & TF_ONE_WAY)) {
BUG_ON(t->buffer->async_transaction != 0);
binder_inner_proc_lock(proc);
+ /*
+ * Defer the TRANSACTION_COMPLETE, so we don't return to
+ * userspace immediately; this allows the target process to
+ * immediately start processing this transaction, reducing
+ * latency. We will then return the TRANSACTION_COMPLETE when
+ * the target replies (or there is an error).
+ */
+ binder_enqueue_deferred_thread_work_ilocked(thread, tcomplete);
t->need_reply = 1;
t->from_parent = thread->transaction_stack;
thread->transaction_stack = t;
} else {
BUG_ON(target_node == NULL);
BUG_ON(t->buffer->async_transaction != 1);
+ binder_enqueue_thread_work(thread, tcomplete);
if (!binder_proc_transaction(t, target_proc, NULL))
goto err_dead_proc_or_thread;
}
t->buffer->transaction = NULL;
binder_alloc_free_buf(&target_proc->alloc, t->buffer);
err_binder_alloc_buf_failed:
+err_bad_extra_size:
+ if (secctx)
+ security_release_secctx(secctx, secctx_sz);
+err_get_secctx_failed:
kfree(tcomplete);
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
err_alloc_tcomplete_failed:
}
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
- "%d:%d transaction failed %d/%d, size %lld-%lld line %d\n",
- proc->pid, thread->pid, return_error, return_error_param,
+ "%d:%d(%s:%s) transaction failed %d/%d, size %lld-%lld line %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
+ return_error, return_error_param,
(u64)tr->data_size, (u64)tr->offsets_size,
return_error_line);
e->return_error = return_error;
e->return_error_param = return_error_param;
e->return_error_line = return_error_line;
+#ifdef CONFIG_DEBUG_SNAPSHOT_BINDER
+ dss_binder_transaction_failed(reply, e, proc->tsk->comm, thread->task->comm, tr->flags, tr->code);
+#endif
fe = binder_transaction_log_add(&binder_transaction_log_failed);
*fe = *e;
/*
BUG_ON(thread->return_error.cmd != BR_OK);
if (in_reply_to) {
+ binder_restore_priority(current, in_reply_to->saved_priority);
thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
- binder_enqueue_work(thread->proc,
- &thread->return_error.work,
- &thread->todo);
+ binder_enqueue_thread_work(thread, &thread->return_error.work);
binder_send_failed_reply(in_reply_to, return_error);
} else {
thread->return_error.cmd = return_error;
- binder_enqueue_work(thread->proc,
- &thread->return_error.work,
- &thread->todo);
+ binder_enqueue_thread_work(thread, &thread->return_error.work);
}
}
proc, target, increment, strong,
&rdata);
if (!ret && rdata.desc != target) {
- binder_user_error("%d:%d tried to acquire reference to desc %d, got %d instead\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) tried to acquire reference to"\
+ " desc %d, got %d instead\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
target, rdata.desc);
}
switch (cmd) {
break;
}
if (ret) {
- binder_user_error("%d:%d %s %d refcount change on invalid ref %d ret %d\n",
- proc->pid, thread->pid, debug_string,
- strong, target, ret);
+ binder_user_error("%d:%d(%s:%s) %s %d refcount change on invalid ref %d ret %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
+ debug_string, strong, target, ret);
break;
}
binder_debug(BINDER_DEBUG_USER_REFS,
- "%d:%d %s ref %d desc %d s %d w %d\n",
- proc->pid, thread->pid, debug_string,
- rdata.debug_id, rdata.desc, rdata.strong,
+ "%d:%d(%s:%s) %s ref %d desc %d s %d w %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
+ debug_string, rdata.debug_id, rdata.desc, rdata.strong,
rdata.weak);
break;
}
ptr += sizeof(binder_uintptr_t);
node = binder_get_node(proc, node_ptr);
if (node == NULL) {
- binder_user_error("%d:%d %s u%016llx no match\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) %s u%016llx no match\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
cmd == BC_INCREFS_DONE ?
"BC_INCREFS_DONE" :
"BC_ACQUIRE_DONE",
break;
}
if (cookie != node->cookie) {
- binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) %s u%016llx node %d cookie mismatch"\
+ " %016llx != %016llx\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
cmd == BC_INCREFS_DONE ?
"BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
(u64)node_ptr, node->debug_id,
binder_node_inner_lock(node);
if (cmd == BC_ACQUIRE_DONE) {
if (node->pending_strong_ref == 0) {
- binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire request\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) BC_ACQUIRE_DONE node %d"\
+ " has no pending acquire request\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
node->debug_id);
binder_node_inner_unlock(node);
binder_put_node(node);
node->pending_strong_ref = 0;
} else {
if (node->pending_weak_ref == 0) {
- binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs request\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) BC_INCREFS_DONE node %d"\
+ " has no pending increfs request\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
node->debug_id);
binder_node_inner_unlock(node);
binder_put_node(node);
cmd == BC_ACQUIRE_DONE, 0);
WARN_ON(free_node);
binder_debug(BINDER_DEBUG_USER_REFS,
- "%d:%d %s node %d ls %d lw %d tr %d\n",
- proc->pid, thread->pid,
+ "%d:%d(%s:%s) %s node %d ls %d lw %d tr %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
node->debug_id, node->local_strong_refs,
node->local_weak_refs, node->tmp_refs);
buffer = binder_alloc_prepare_to_free(&proc->alloc,
data_ptr);
- if (buffer == NULL) {
- binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
- proc->pid, thread->pid, (u64)data_ptr);
- break;
- }
- if (!buffer->allow_user_free) {
- binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n",
- proc->pid, thread->pid, (u64)data_ptr);
+ if (IS_ERR_OR_NULL(buffer)) {
+ if (PTR_ERR(buffer) == -EPERM) {
+ binder_user_error(
+ "%d:%d(%s:%s) BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
+ (u64)data_ptr);
+ } else {
+ binder_user_error(
+ "%d:%d(%s:%s) BC_FREE_BUFFER u%016llx no match\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
+ (u64)data_ptr);
+ }
break;
}
binder_debug(BINDER_DEBUG_FREE_BUFFER,
- "%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n",
- proc->pid, thread->pid, (u64)data_ptr,
+ "%d:%d(%s:%s) BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, (u64)data_ptr,
buffer->debug_id,
buffer->transaction ? "active" : "finished");
+ binder_inner_proc_lock(proc);
if (buffer->transaction) {
buffer->transaction->buffer = NULL;
buffer->transaction = NULL;
}
+ binder_inner_proc_unlock(proc);
if (buffer->async_transaction && buffer->target_node) {
struct binder_node *buf_node;
struct binder_work *w;
w = binder_dequeue_work_head_ilocked(
&buf_node->async_todo);
if (!w) {
- buf_node->has_async_transaction = 0;
+ buf_node->has_async_transaction = false;
} else {
binder_enqueue_work_ilocked(
w, &proc->todo);
case BC_REGISTER_LOOPER:
binder_debug(BINDER_DEBUG_THREADS,
- "%d:%d BC_REGISTER_LOOPER\n",
- proc->pid, thread->pid);
+ "%d:%d(%s:%s) BC_REGISTER_LOOPER\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
binder_inner_proc_lock(proc);
if (thread->looper & BINDER_LOOPER_STATE_ENTERED) {
thread->looper |= BINDER_LOOPER_STATE_INVALID;
- binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) ERROR: BC_REGISTER_LOOPER"\
+ " called after BC_ENTER_LOOPER\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
} else if (proc->requested_threads == 0) {
thread->looper |= BINDER_LOOPER_STATE_INVALID;
- binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called without request\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) ERROR: BC_REGISTER_LOOPER called without request\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
} else {
proc->requested_threads--;
proc->requested_threads_started++;
break;
case BC_ENTER_LOOPER:
binder_debug(BINDER_DEBUG_THREADS,
- "%d:%d BC_ENTER_LOOPER\n",
- proc->pid, thread->pid);
+ "%d:%d(%s:%s) BC_ENTER_LOOPER\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {
thread->looper |= BINDER_LOOPER_STATE_INVALID;
- binder_user_error("%d:%d ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) ERROR: BC_ENTER_LOOPER"\
+ " called after BC_REGISTER_LOOPER\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
}
thread->looper |= BINDER_LOOPER_STATE_ENTERED;
break;
case BC_EXIT_LOOPER:
binder_debug(BINDER_DEBUG_THREADS,
- "%d:%d BC_EXIT_LOOPER\n",
- proc->pid, thread->pid);
+ "%d:%d(%s:%s) BC_EXIT_LOOPER\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
thread->looper |= BINDER_LOOPER_STATE_EXITED;
break;
WARN_ON(thread->return_error.cmd !=
BR_OK);
thread->return_error.cmd = BR_ERROR;
- binder_enqueue_work(
- thread->proc,
- &thread->return_error.work,
- &thread->todo);
+ binder_enqueue_thread_work(
+ thread,
+ &thread->return_error.work);
binder_debug(
BINDER_DEBUG_FAILED_TRANSACTION,
- "%d:%d BC_REQUEST_DEATH_NOTIFICATION failed\n",
- proc->pid, thread->pid);
+ "%d:%d(%s:%s) BC_REQUEST_DEATH_NOTIFICATION failed\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
break;
}
}
binder_proc_lock(proc);
ref = binder_get_ref_olocked(proc, target, false);
if (ref == NULL) {
- binder_user_error("%d:%d %s invalid ref %d\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) %s invalid ref %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
"BC_REQUEST_DEATH_NOTIFICATION" :
"BC_CLEAR_DEATH_NOTIFICATION",
}
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
- "%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n",
- proc->pid, thread->pid,
+ "%d:%d(%s:%s) %s %016llx ref %d desc %d s %d w %d for node %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
"BC_REQUEST_DEATH_NOTIFICATION" :
"BC_CLEAR_DEATH_NOTIFICATION",
binder_node_lock(ref->node);
if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
if (ref->death) {
- binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification already set\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) BC_REQUEST_DEATH_NOTIFICATION"\
+ " death notification already set\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
binder_node_unlock(ref->node);
binder_proc_unlock(proc);
kfree(death);
}
} else {
if (ref->death == NULL) {
- binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not active\n",
- proc->pid, thread->pid);
+ binder_user_error("%d:%d(%s:%s) BC_CLEAR_DEATH_NOTIFICATION"\
+ " death notification not active\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
binder_node_unlock(ref->node);
binder_proc_unlock(proc);
break;
}
death = ref->death;
if (death->cookie != cookie) {
- binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n",
- proc->pid, thread->pid,
+ binder_user_error("%d:%d(%s:%s) BC_CLEAR_DEATH_NOTIFICATION"\
+ " death notification cookie mismatch %016llx != %016llx\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
(u64)death->cookie,
(u64)cookie);
binder_node_unlock(ref->node);
if (thread->looper &
(BINDER_LOOPER_STATE_REGISTERED |
BINDER_LOOPER_STATE_ENTERED))
- binder_enqueue_work_ilocked(
- &death->work,
- &thread->todo);
+ binder_enqueue_thread_work_ilocked(
+ thread,
+ &death->work);
else {
binder_enqueue_work_ilocked(
&death->work,
}
}
binder_debug(BINDER_DEBUG_DEAD_BINDER,
- "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n",
- proc->pid, thread->pid, (u64)cookie,
+ "%d:%d(%s:%s) BC_DEAD_BINDER_DONE %016llx found %pK\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, (u64)cookie,
death);
if (death == NULL) {
- binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n",
- proc->pid, thread->pid, (u64)cookie);
+ binder_user_error("%d:%d(%s:%s) BC_DEAD_BINDER_DONE %016llx not found\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, (u64)cookie);
binder_inner_proc_unlock(proc);
break;
}
if (thread->looper &
(BINDER_LOOPER_STATE_REGISTERED |
BINDER_LOOPER_STATE_ENTERED))
- binder_enqueue_work_ilocked(
- &death->work, &thread->todo);
+ binder_enqueue_thread_work_ilocked(
+ thread, &death->work);
else {
binder_enqueue_work_ilocked(
&death->work,
} break;
default:
- pr_err("%d:%d unknown command %d\n",
- proc->pid, thread->pid, cmd);
+ pr_err("%d:%d(%s:%s) unknown command %d\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, cmd);
return -EINVAL;
}
*consumed = ptr - buffer;
ptr += sizeof(binder_uintptr_t);
binder_stat_br(proc, thread, cmd);
- binder_debug(BINDER_DEBUG_USER_REFS, "%d:%d %s %d u%016llx c%016llx\n",
- proc->pid, thread->pid, cmd_name, node_debug_id,
+ binder_debug(BINDER_DEBUG_USER_REFS, "%d:%d(%s:%s) %s %d u%016llx c%016llx\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
+ cmd_name, node_debug_id,
(u64)node_ptr, (u64)node_cookie);
*ptrp = ptr;
if (wait_for_proc_work) {
if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
BINDER_LOOPER_STATE_ENTERED))) {
- binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
- proc->pid, thread->pid, thread->looper);
+ binder_user_error("%d:%d(%s:%s) ERROR: Thread waiting for process work"\
+ " before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm, thread->looper);
wait_event_interruptible(binder_user_error_wait,
binder_stop_on_user_error < 2);
}
- binder_set_nice(proc->default_priority);
+ binder_restore_priority(current, proc->default_priority);
}
if (non_block) {
while (1) {
uint32_t cmd;
- struct binder_transaction_data tr;
+ struct binder_transaction_data_secctx tr;
+ struct binder_transaction_data *trd = &tr.transaction_data;
struct binder_work *w = NULL;
struct list_head *list = NULL;
struct binder_transaction *t = NULL;
struct binder_thread *t_from;
+ size_t trsize = sizeof(*trd);
binder_inner_proc_lock(proc);
if (!binder_worklist_empty_ilocked(&thread->todo))
break;
}
w = binder_dequeue_work_head_ilocked(list);
+ if (binder_worklist_empty_ilocked(&thread->todo))
+ thread->process_todo = false;
switch (w->type) {
case BINDER_WORK_TRANSACTION: {
binder_inner_proc_unlock(proc);
if (put_user(e->cmd, (uint32_t __user *)ptr))
return -EFAULT;
+ cmd = e->cmd;
e->cmd = BR_OK;
ptr += sizeof(uint32_t);
binder_stat_br(proc, thread, cmd);
binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
- "%d:%d BR_TRANSACTION_COMPLETE\n",
- proc->pid, thread->pid);
+ "%d:%d(%s:%s) BR_TRANSACTION_COMPLETE\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
kfree(w);
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
} break;
node->has_weak_ref = 0;
if (!weak && !strong) {
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
- "%d:%d node %d u%016llx c%016llx deleted\n",
- proc->pid, thread->pid,
+ "%d:%d(%s:%s) node %d u%016llx c%016llx deleted\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
node_debug_id,
(u64)node_ptr,
(u64)node_cookie);
BR_DECREFS, "BR_DECREFS");
if (orig_ptr == ptr)
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
- "%d:%d node %d u%016llx c%016llx state unchanged\n",
- proc->pid, thread->pid,
+ "%d:%d(%s:%s) node %d u%016llx c%016llx state unchanged\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
node_debug_id,
(u64)node_ptr,
(u64)node_cookie);
cookie = death->cookie;
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
- "%d:%d %s %016llx\n",
- proc->pid, thread->pid,
+ "%d:%d(%s:%s) %s %016llx\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
cmd == BR_DEAD_BINDER ?
"BR_DEAD_BINDER" :
"BR_CLEAR_DEATH_NOTIFICATION_DONE",
BUG_ON(t->buffer == NULL);
if (t->buffer->target_node) {
struct binder_node *target_node = t->buffer->target_node;
-
- tr.target.ptr = target_node->ptr;
- tr.cookie = target_node->cookie;
- t->saved_priority = task_nice(current);
- if (t->priority < target_node->min_priority &&
- !(t->flags & TF_ONE_WAY))
- binder_set_nice(t->priority);
- else if (!(t->flags & TF_ONE_WAY) ||
- t->saved_priority > target_node->min_priority)
- binder_set_nice(target_node->min_priority);
+ struct binder_priority node_prio;
+
+ trd->target.ptr = target_node->ptr;
+ trd->cookie = target_node->cookie;
+ node_prio.sched_policy = target_node->sched_policy;
+ node_prio.prio = target_node->min_priority;
+ binder_transaction_priority(current, t, node_prio,
+ target_node->inherit_rt);
cmd = BR_TRANSACTION;
} else {
- tr.target.ptr = 0;
- tr.cookie = 0;
+ trd->target.ptr = 0;
+ trd->cookie = 0;
cmd = BR_REPLY;
}
- tr.code = t->code;
- tr.flags = t->flags;
- tr.sender_euid = from_kuid(current_user_ns(), t->sender_euid);
+ trd->code = t->code;
+ trd->flags = t->flags;
+ trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);
t_from = binder_get_txn_from(t);
if (t_from) {
struct task_struct *sender = t_from->proc->tsk;
- tr.sender_pid = task_tgid_nr_ns(sender,
- task_active_pid_ns(current));
+ trd->sender_pid =
+ task_tgid_nr_ns(sender,
+ task_active_pid_ns(current));
} else {
- tr.sender_pid = 0;
+ trd->sender_pid = 0;
}
- tr.data_size = t->buffer->data_size;
- tr.offsets_size = t->buffer->offsets_size;
- tr.data.ptr.buffer = (binder_uintptr_t)
+ trd->data_size = t->buffer->data_size;
+ trd->offsets_size = t->buffer->offsets_size;
+ trd->data.ptr.buffer = (binder_uintptr_t)
((uintptr_t)t->buffer->data +
binder_alloc_get_user_buffer_offset(&proc->alloc));
- tr.data.ptr.offsets = tr.data.ptr.buffer +
+ trd->data.ptr.offsets = trd->data.ptr.buffer +
ALIGN(t->buffer->data_size,
sizeof(void *));
+ tr.secctx = t->security_ctx;
+ if (t->security_ctx) {
+ cmd = BR_TRANSACTION_SEC_CTX;
+ trsize = sizeof(tr);
+ }
if (put_user(cmd, (uint32_t __user *)ptr)) {
if (t_from)
binder_thread_dec_tmpref(t_from);
return -EFAULT;
}
ptr += sizeof(uint32_t);
- if (copy_to_user(ptr, &tr, sizeof(tr))) {
+ if (copy_to_user(ptr, &tr, trsize)) {
if (t_from)
binder_thread_dec_tmpref(t_from);
return -EFAULT;
}
- ptr += sizeof(tr);
+ ptr += trsize;
+#ifdef CONFIG_DEBUG_SNAPSHOT_BINDER
+ dss_binder_transaction_received(t, thread);
+#endif
trace_binder_transaction_received(t);
binder_stat_br(proc, thread, cmd);
binder_debug(BINDER_DEBUG_TRANSACTION,
- "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
- proc->pid, thread->pid,
+ "%d:%d(%s:%s) %s %d %d:%d(%s:%s), cmd %d size %zd-%zd ptr %016llx-%016llx\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
(cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
- "BR_REPLY",
+ (cmd == BR_TRANSACTION_SEC_CTX) ?
+ "BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
t->debug_id, t_from ? t_from->proc->pid : 0,
- t_from ? t_from->pid : 0, cmd,
+ t_from ? t_from->pid : 0,
+ t_from ? t_from->proc->tsk->comm : "",
+ t_from ? t_from->task->comm : "",
+ cmd,
t->buffer->data_size, t->buffer->offsets_size,
- (u64)tr.data.ptr.buffer, (u64)tr.data.ptr.offsets);
+ (u64)trd->data.ptr.buffer,
+ (u64)trd->data.ptr.offsets);
if (t_from)
binder_thread_dec_tmpref(t_from);
t->buffer->allow_user_free = 1;
- if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {
+ if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
binder_inner_proc_lock(thread->proc);
t->to_parent = thread->transaction_stack;
t->to_thread = thread;
proc->requested_threads++;
binder_inner_proc_unlock(proc);
binder_debug(BINDER_DEBUG_THREADS,
- "%d:%d BR_SPAWN_LOOPER\n",
- proc->pid, thread->pid);
+ "%d:%d(%s:%s) BR_SPAWN_LOOPER\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
return -EFAULT;
binder_stat_br(proc, thread, BR_SPAWN_LOOPER);
binder_stats_created(BINDER_STAT_THREAD);
thread->proc = proc;
thread->pid = current->pid;
+ get_task_struct(current);
+ thread->task = current;
atomic_set(&thread->tmp_ref, 0);
init_waitqueue_head(&thread->wait);
INIT_LIST_HEAD(&thread->todo);
BUG_ON(!list_empty(&thread->todo));
binder_stats_deleted(BINDER_STAT_THREAD);
binder_proc_dec_tmpref(thread->proc);
+ put_task_struct(thread->task);
kfree(thread);
}
* The corresponding dec is when we actually
* free the thread in binder_free_thread()
*/
- proc->tmp_ref++;
+ atomic_inc(&proc->tmp_ref);
/*
* take a ref on this thread to ensure it
* survives while we are releasing it
last_t = t;
active_transactions++;
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
- "release %d:%d transaction %d %s, still active\n",
- proc->pid, thread->pid,
+ "release %d:%d(%s:%s) transaction %d %s, still active\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
t->debug_id,
(t->to_thread == thread) ? "in" : "out");
if (t)
spin_lock(&t->lock);
}
+
+ /*
+ * If this thread used poll, make sure we remove the waitqueue
+ * from any epoll data structures holding it with POLLFREE.
+ * waitqueue_active() is safe to use here because we're holding
+ * the inner lock.
+ */
+ if ((thread->looper & BINDER_LOOPER_STATE_POLL) &&
+ waitqueue_active(&thread->wait)) {
+ wake_up_poll(&thread->wait, POLLHUP | POLLFREE);
+ }
+
binder_inner_proc_unlock(thread->proc);
+ /*
+ * This is needed to avoid races between wake_up_poll() above and
+ * and ep_remove_waitqueue() called for other reasons (eg the epoll file
+ * descriptor being closed); ep_remove_waitqueue() holds an RCU read
+ * lock, so we can be sure it's done after calling synchronize_rcu().
+ */
+ if (thread->looper & BINDER_LOOPER_STATE_POLL)
+ synchronize_rcu();
+
if (send_reply)
binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
binder_release_work(proc, &thread->todo);
bool wait_for_proc_work;
thread = binder_get_thread(proc);
+ if (!thread)
+ return POLLERR;
binder_inner_proc_lock(thread->proc);
thread->looper |= BINDER_LOOPER_STATE_POLL;
goto out;
}
binder_debug(BINDER_DEBUG_READ_WRITE,
- "%d:%d write %lld at %016llx, read %lld at %016llx\n",
- proc->pid, thread->pid,
+ "%d:%d(%s:%s) write %lld at %016llx, read %lld at %016llx\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
(u64)bwr.write_size, (u64)bwr.write_buffer,
(u64)bwr.read_size, (u64)bwr.read_buffer);
}
}
binder_debug(BINDER_DEBUG_READ_WRITE,
- "%d:%d wrote %lld of %lld, read return %lld of %lld\n",
- proc->pid, thread->pid,
+ "%d:%d(%s:%s) wrote %lld of %lld, read return %lld of %lld\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm,
(u64)bwr.write_consumed, (u64)bwr.write_size,
(u64)bwr.read_consumed, (u64)bwr.read_size);
if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {
return ret;
}
-static int binder_ioctl_set_ctx_mgr(struct file *filp)
+static int binder_ioctl_set_ctx_mgr(struct file *filp,
+ struct flat_binder_object *fbo)
{
int ret = 0;
struct binder_proc *proc = filp->private_data;
} else {
context->binder_context_mgr_uid = curr_euid;
}
- new_node = binder_new_node(proc, NULL);
+ new_node = binder_new_node(proc, fbo);
if (!new_node) {
ret = -ENOMEM;
goto out;
binder_inner_proc_unlock(proc);
break;
}
+ case BINDER_SET_CONTEXT_MGR_EXT: {
+ struct flat_binder_object fbo;
+
+ if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
+ ret = -EINVAL;
+ goto err;
+ }
+ ret = binder_ioctl_set_ctx_mgr(filp, &fbo);
+ if (ret)
+ goto err;
+ break;
+ }
case BINDER_SET_CONTEXT_MGR:
- ret = binder_ioctl_set_ctx_mgr(filp);
+ ret = binder_ioctl_set_ctx_mgr(filp, NULL);
if (ret)
goto err;
break;
case BINDER_THREAD_EXIT:
- binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n",
- proc->pid, thread->pid);
+ binder_debug(BINDER_DEBUG_THREADS, "%d:%d(%s:%s) exit\n",
+ proc->pid, thread->pid, proc->tsk->comm, thread->task->comm);
binder_thread_release(proc, thread);
thread = NULL;
break;
thread->looper_need_return = false;
wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
if (ret && ret != -ERESTARTSYS)
- pr_info("%d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);
+ pr_info("%d:%d(%s:%s) ioctl %x %lx returned %d\n", proc->pid, current->pid,
+ proc->tsk->comm, current->comm, cmd, arg, ret);
err_unlocked:
trace_binder_ioctl_done(ret);
return ret;
struct binder_proc *proc = vma->vm_private_data;
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
- "%d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
- proc->pid, vma->vm_start, vma->vm_end,
+ "%d(%s) open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
+ proc->pid, proc->tsk->comm, vma->vm_start, vma->vm_end,
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
(unsigned long)pgprot_val(vma->vm_page_prot));
}
struct binder_proc *proc = vma->vm_private_data;
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
- "%d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
- proc->pid, vma->vm_start, vma->vm_end,
+ "%d(%s) close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
+ proc->pid, proc->tsk->comm, vma->vm_start, vma->vm_end,
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
(unsigned long)pgprot_val(vma->vm_page_prot));
binder_alloc_vma_close(&proc->alloc);
vma->vm_end = vma->vm_start + SZ_4M;
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
- "%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
- __func__, proc->pid, vma->vm_start, vma->vm_end,
+ "%s: %d(%s) %lx-%lx (%ld K) vma %lx pagep %lx\n",
+ __func__, proc->pid, proc->tsk->comm, vma->vm_start, vma->vm_end,
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
(unsigned long)pgprot_val(vma->vm_page_prot));
failure_string = "bad vm_flags";
goto err_bad_arg;
}
- vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE;
+ vma->vm_flags |= VM_DONTCOPY | VM_MIXEDMAP;
+ vma->vm_flags &= ~VM_MAYWRITE;
+
vma->vm_ops = &binder_vm_ops;
vma->vm_private_data = proc;
ret = binder_alloc_mmap_handler(&proc->alloc, vma);
- if (ret)
- return ret;
+ if (ret) {
+ failure_string = "";
+ goto err_bad_arg;
+ }
+ mutex_lock(&proc->files_lock);
proc->files = get_files_struct(current);
+ mutex_unlock(&proc->files_lock);
return 0;
err_bad_arg:
- pr_err("binder_mmap: %d %lx-%lx %s failed %d\n",
- proc->pid, vma->vm_start, vma->vm_end, failure_string, ret);
+ pr_err("%s: %d(%s) %lx-%lx %s failed %d\n", __func__,
+ proc->pid, proc->tsk->comm, vma->vm_start, vma->vm_end, failure_string, ret);
return ret;
}
struct binder_proc *proc;
struct binder_device *binder_dev;
- binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n",
- current->group_leader->pid, current->pid);
+ binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d:%d (%s:%s)\n", __func__,
+ current->group_leader->pid, current->pid,
+ current->group_leader->comm, current->comm);
proc = kzalloc(sizeof(*proc), GFP_KERNEL);
if (proc == NULL)
return -ENOMEM;
spin_lock_init(&proc->inner_lock);
spin_lock_init(&proc->outer_lock);
+ atomic_set(&proc->tmp_ref, 0);
get_task_struct(current->group_leader);
proc->tsk = current->group_leader;
+ mutex_init(&proc->files_lock);
INIT_LIST_HEAD(&proc->todo);
- proc->default_priority = task_nice(current);
+ if (binder_supported_policy(current->policy)) {
+ proc->default_priority.sched_policy = current->policy;
+ proc->default_priority.prio = current->normal_prio;
+ } else {
+ proc->default_priority.sched_policy = SCHED_NORMAL;
+ proc->default_priority.prio = NICE_TO_PRIO(0);
+ }
+
binder_dev = container_of(filp->private_data, struct binder_device,
miscdev);
proc->context = &binder_dev->context;
* anyway print all contexts that a given PID has, so this
* is not a problem.
*/
- proc->debugfs_entry = debugfs_create_file(strbuf, S_IRUGO,
+ proc->debugfs_entry = debugfs_create_file(strbuf, 0444,
binder_debugfs_dir_entry_proc,
(void *)(unsigned long)proc->pid,
&binder_proc_fops);
binder_inner_proc_unlock(proc);
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
- "binder_flush: %d woke %d threads\n", proc->pid,
+ "binder_flush: %d(%s) woke %d threads\n", proc->pid, proc->tsk->comm,
wake_count);
}
if (context->binder_context_mgr_node &&
context->binder_context_mgr_node->proc == proc) {
binder_debug(BINDER_DEBUG_DEAD_BINDER,
- "%s: %d context_mgr_node gone\n",
- __func__, proc->pid);
+ "%s: %d(%s) context_mgr_node gone\n",
+ __func__, proc->pid, proc->tsk->comm);
context->binder_context_mgr_node = NULL;
}
mutex_unlock(&context->context_mgr_node_lock);
* Make sure proc stays alive after we
* remove all the threads
*/
- proc->tmp_ref++;
+ atomic_inc(&proc->tmp_ref);
proc->is_dead = true;
threads = 0;
binder_release_work(proc, &proc->delivered_death);
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
- "%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d\n",
- __func__, proc->pid, threads, nodes, incoming_refs,
+ "%s: %d(%s) threads %d, nodes %d (ref %d), refs %d, active transactions %d\n",
+ __func__, proc->pid, proc->tsk->comm, threads, nodes, incoming_refs,
outgoing_refs, active_transactions);
binder_proc_dec_tmpref(proc);
files = NULL;
if (defer & BINDER_DEFERRED_PUT_FILES) {
+ mutex_lock(&proc->files_lock);
files = proc->files;
if (files)
proc->files = NULL;
+ mutex_unlock(&proc->files_lock);
}
if (defer & BINDER_DEFERRED_FLUSH)
spin_lock(&t->lock);
to_proc = t->to_proc;
seq_printf(m,
- "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d",
+ "%s %d: %pK from %d:%d(%s:%s) to %d:%d(%s:%s) code %x flags %x pri %d:%d r%d",
prefix, t->debug_id, t,
t->from ? t->from->proc->pid : 0,
t->from ? t->from->pid : 0,
+ t->from ? t->from->proc->tsk->comm : "",
+ t->from ? t->from->task->comm : "",
to_proc ? to_proc->pid : 0,
t->to_thread ? t->to_thread->pid : 0,
- t->code, t->flags, t->priority, t->need_reply);
+ to_proc ? to_proc->tsk->comm : "",
+ t->to_thread ? t->to_thread->task->comm : "",
+ t->code, t->flags, t->priority.sched_policy,
+ t->priority.prio, t->need_reply);
spin_unlock(&t->lock);
if (proc != to_proc) {
}
if (buffer->target_node)
seq_printf(m, " node %d", buffer->target_node->debug_id);
- seq_printf(m, " size %zd:%zd data %p\n",
+ seq_printf(m, " size %zd:%zd data %pK\n",
buffer->data_size, buffer->offsets_size,
buffer->data);
}
size_t start_pos = m->count;
size_t header_pos;
- seq_printf(m, " thread %d: l %02x need_return %d tr %d\n",
- thread->pid, thread->looper,
+ seq_printf(m, " thread %d %s: l %02x need_return %d tr %d\n",
+ thread->pid, thread->task->comm, thread->looper,
thread->looper_need_return,
atomic_read(&thread->tmp_ref));
header_pos = m->count;
hlist_for_each_entry(ref, &node->refs, node_entry)
count++;
- seq_printf(m, " node %d: u%016llx c%016llx hs %d hw %d ls %d lw %d is %d iw %d tr %d",
+ seq_printf(m, " node %d: u%016llx c%016llx pri %d:%d hs %d hw %d ls %d lw %d is %d iw %d tr %d",
node->debug_id, (u64)node->ptr, (u64)node->cookie,
+ node->sched_policy, node->min_priority,
node->has_strong_ref, node->has_weak_ref,
node->local_strong_refs, node->local_weak_refs,
node->internal_strong_refs, count, node->tmp_refs);
if (count) {
seq_puts(m, " proc");
hlist_for_each_entry(ref, &node->refs, node_entry)
- seq_printf(m, " %d", ref->proc->pid);
+ seq_printf(m, " %d %s", ref->proc->pid, ref->proc->tsk->comm);
}
seq_puts(m, "\n");
if (node->proc) {
size_t header_pos;
struct binder_node *last_node = NULL;
- seq_printf(m, "proc %d\n", proc->pid);
+ seq_printf(m, "proc %d %s\n", proc->pid, proc->tsk->comm);
seq_printf(m, "context %s\n", proc->context->name);
header_pos = m->count;
size_t free_async_space =
binder_alloc_get_free_async_space(&proc->alloc);
- seq_printf(m, "proc %d\n", proc->pid);
+ seq_printf(m, "proc %d %s\n", proc->pid, proc->tsk->comm);
seq_printf(m, "context %s\n", proc->context->name);
count = 0;
ready_threads = 0;
struct binder_device *device;
struct hlist_node *tmp;
- binder_alloc_shrinker_init();
+ ret = binder_alloc_shrinker_init();
+ if (ret)
+ return ret;
atomic_set(&binder_transaction_log.cur, ~0U);
atomic_set(&binder_transaction_log_failed.cur, ~0U);
if (binder_debugfs_dir_entry_root) {
debugfs_create_file("state",
- S_IRUGO,
+ 0444,
binder_debugfs_dir_entry_root,
NULL,
&binder_state_fops);
debugfs_create_file("stats",
- S_IRUGO,
+ 0444,
binder_debugfs_dir_entry_root,
NULL,
&binder_stats_fops);
debugfs_create_file("transactions",
- S_IRUGO,
+ 0444,
binder_debugfs_dir_entry_root,
NULL,
&binder_transactions_fops);
debugfs_create_file("transaction_log",
- S_IRUGO,
+ 0444,
binder_debugfs_dir_entry_root,
&binder_transaction_log,
&binder_transaction_log_fops);
debugfs_create_file("failed_transaction_log",
- S_IRUGO,
+ 0444,
binder_debugfs_dir_entry_root,
&binder_transaction_log_failed,
&binder_transaction_log_fops);
projects / GitHub / MotorolaMobilityLLC / kernel-slsi.git / blobdiff