cb4e55266e
* refs/heads/tmp-1984fff:
Revert "ANDROID: staging: android: ion: enable modularizing the ion driver"
Revert "BACKPORT: sched/rt: Make RT capacity-aware"
Revert "ANDROID: GKI: Add devm_thermal_of_virtual_sensor_register API."
Linux 4.19.110
KVM: SVM: fix up incorrect backport
ANDROID: gki_defconfig: Enable USB_CONFIGFS_MASS_STORAGE
UPSTREAM: arm64: memory: Add missing brackets to untagged_addr() macro
UPSTREAM: mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()
ANDROID: Add TPM support and the vTPM proxy to Cuttlefish.
Revert "ANDROID: tty: serdev: Fix broken serial console input"
ANDROID: serdev: restrict claim of platform devices
ANDROID: update the ABI xml representation
ANDROID: GKI: add a USB TypeC vendor field for ABI compat
UPSTREAM: usb: typec: mux: Switch to use fwnode_property_count_uXX()
UPSTREAM: usb: typec: Make sure an alt mode exist before getting its partner
UPSTREAM: usb: typec: Registering real device entries for the muxes
UPSTREAM: usb: typec: mux: remove redundant check on variable match
UPSTREAM: usb: typec: mux: Fix unsigned comparison with less than zero
UPSTREAM: usb: typec: mux: Find the muxes by also matching against the device node
UPSTREAM: usb: typec: Find the ports by also matching against the device node
UPSTREAM: usb: typec: Rationalize the API for the muxes
UPSTREAM: device property: Add helpers to count items in an array
UPSTREAM: platform/x86: intel_cht_int33fe: Remove old style mux connections
UPSTREAM: platform/x86: intel_cht_int33fe: Prepare for better mux naming scheme
UPSTREAM: usb: typec: Prepare alt mode enter/exit reporting for UCSI alt mode support
ANDROID: GKI: Update ABI
ANDROID: GKI: drivers: of: Add API to find ddr device type
UPSTREAM: Input: reset device timestamp on sync
UPSTREAM: Input: allow drivers specify timestamp for input events
ANDROID: GKI: usb: dwc3: Add USB_DR_MODE_DRD as dual role mode
ANDROID: GKI: Add devm_thermal_of_virtual_sensor_register API.
UPSTREAM: crypto: skcipher - Introduce crypto_sync_skcipher
ANDROID: GKI: cfg80211: Add AP stopped interface
UPSTREAM: device connection: Add fwnode member to struct device_connection
FROMGIT: kallsyms: unexport kallsyms_lookup_name() and kallsyms_on_each_symbol()
FROMGIT: samples/hw_breakpoint: drop use of kallsyms_lookup_name()
FROMGIT: samples/hw_breakpoint: drop HW_BREAKPOINT_R when reporting writes
UPSTREAM: fscrypt: don't evict dirty inodes after removing key
ANDROID: gki_defconfig: Enable CONFIG_VM_EVENT_COUNTERS
ANDROID: gki_defconfig: Enable CONFIG_CLEANCACHE
ANDROID: Update ABI representation
ANDROID: gki_defconfig: disable CONFIG_DEBUG_DEVRES
Linux 4.19.109
scsi: pm80xx: Fixed kernel panic during error recovery for SATA drive
dm integrity: fix a deadlock due to offloading to an incorrect workqueue
efi/x86: Handle by-ref arguments covering multiple pages in mixed mode
efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper
powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
ARM: dts: imx7-colibri: Fix frequency for sd/mmc
ARM: dts: am437x-idk-evm: Fix incorrect OPP node names
ARM: imx: build v7_cpu_resume() unconditionally
IB/hfi1, qib: Ensure RCU is locked when accessing list
RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
RDMA/iwcm: Fix iwcm work deallocation
ARM: dts: imx6: phycore-som: fix emmc supply
phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval
phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling
drm/sun4i: de2/de3: Remove unsupported VI layer formats
drm/sun4i: Fix DE2 VI layer format support
ASoC: dapm: Correct DAPM handling of active widgets during shutdown
ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
dmaengine: imx-sdma: remove dma_slave_config direction usage and leave sdma_event_enable()
ASoC: intel: skl: Fix possible buffer overflow in debug outputs
ASoC: intel: skl: Fix pin debug prints
ASoC: topology: Fix memleak in soc_tplg_manifest_load()
ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
spi: bcm63xx-hsspi: Really keep pll clk enabled
ARM: dts: ls1021a: Restore MDIO compatible to gianfar
dm writecache: verify watermark during resume
dm: report suspended device during destroy
dm cache: fix a crash due to incorrect work item cancelling
dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
dmaengine: tegra-apb: Fix use-after-free
x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes
media: v4l2-mem2mem.c: fix broken links
vt: selection, push sel_lock up
vt: selection, push console lock down
vt: selection, close sel_buffer race
serial: 8250_exar: add support for ACCES cards
tty:serial:mvebu-uart:fix a wrong return
arm: dts: dra76x: Fix mmc3 max-frequency
fat: fix uninit-memory access for partial initialized inode
mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()
mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa
vgacon: Fix a UAF in vgacon_invert_region
usb: core: port: do error out if usb_autopm_get_interface() fails
usb: core: hub: do error out if usb_autopm_get_interface() fails
usb: core: hub: fix unhandled return by employing a void function
usb: dwc3: gadget: Update chain bit correctly when using sg list
usb: quirks: add NO_LPM quirk for Logitech Screen Share
usb: storage: Add quirk for Samsung Fit flash
cifs: don't leak -EAGAIN for stat() during reconnect
ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
ALSA: hda/realtek - Add Headset Mic supported
net: thunderx: workaround BGX TX Underflow issue
x86/xen: Distribute switch variables for initialization
ice: Don't tell the OS that link is going down
nvme: Fix uninitialized-variable warning
s390/qdio: fill SL with absolute addresses
x86/boot/compressed: Don't declare __force_order in kaslr_64.c
s390: make 'install' not depend on vmlinux
s390/cio: cio_ignore_proc_seq_next should increase position index
watchdog: da9062: do not ping the hw during stop()
net: ks8851-ml: Fix 16-bit IO operation
net: ks8851-ml: Fix 16-bit data access
net: ks8851-ml: Remove 8-bit bus accessors
net: dsa: b53: Ensure the default VID is untagged
selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing
drm/msm/dsi/pll: call vco set rate explicitly
drm/msm/dsi: save pll state before dsi host is powered off
scsi: megaraid_sas: silence a warning
drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
drm/msm/mdp5: rate limit pp done timeout warnings
usb: gadget: serial: fix Tx stall after buffer overflow
usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
usb: gadget: composite: Support more than 500mA MaxPower
selftests: fix too long argument
serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
ALSA: hda: do not override bus codec_mask in link_get()
kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic
RDMA/core: Fix use of logical OR in get_new_pps
RDMA/core: Fix pkey and port assignment in get_new_pps
net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec
ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1
EDAC/amd64: Set grain per DIMM
ANDROID: Fix kernelci build-break for arm32
ANDROID: enable CONFIG_WATCHDOG_CORE=y
ANDROID: kbuild: align UNUSED_KSYMS_WHITELIST with upstream
FROMLIST: f2fs: fix wrong check on F2FS_IOC_FSSETXATTR
FROMGIT: driver core: Reevaluate dev->links.need_for_probe as suppliers are added
FROMGIT: driver core: Call sync_state() even if supplier has no consumers
FROMGIT: of: property: Add device link support for power-domains and hwlocks
UPSTREAM: binder: prevent UAF for binderfs devices II
UPSTREAM: binder: prevent UAF for binderfs devices
ANDROID: GKI: enable PM_GENERIC_DOMAINS by default
ANDROID: GKI: pci: framework: disable auto suspend link
ANDROID: GKI: gpio: Add support for hierarchical IRQ domains
ANDROID: GKI: of: property: Add device links support for pinctrl-[0-3]
ANDROID: GKI: of: property: Ignore properties that start with "qcom,"
ANDROID: GKI: of: property: Add support for parsing qcom,msm-bus,name property
ANDROID: GKI: genirq: Export symbols to compile irqchip drivers as modules
ANDROID: GKI: of: irq: add helper to remap interrupts to another irqdomain
ANDROID: GKI: genirq/irqdomain: add export symbols for modularizing
ANDROID: GKI: genirq: Introduce irq_chip_get/set_parent_state calls
ANDROID: Update ABI representation
ANDROID: arm64: gki_defconfig: disable CONFIG_ZONE_DMA32
ANDROID: GKI: drivers: thermal: Fix ABI diff for struct thermal_cooling_device
ANDROID: GKI: drivers: thermal: Indicate in DT the trips are for temperature falling
ANDROID: Update ABI representation
ANDROID: Update ABI whitelist for qcom SoCs
ANDROID: gki_defconfig: enable CONFIG_TYPEC
ANDROID: Fix kernelci build-break on !CONFIG_CMA builds
ANDROID: GKI: mm: fix cma accounting in zone_watermark_ok
ANDROID: CC_FLAGS_CFI add -fno-sanitize-blacklist
FROMLIST: lib: test_stackinit.c: XFAIL switch variable init tests
Linux 4.19.108
audit: always check the netlink payload length in audit_receive_msg()
mm, thp: fix defrag setting if newline is not used
mm/huge_memory.c: use head to check huge zero page
netfilter: nf_flowtable: fix documentation
netfilter: nft_tunnel: no need to call htons() when dumping ports
thermal: brcmstb_thermal: Do not use DT coefficients
KVM: x86: Remove spurious clearing of async #PF MSR
KVM: x86: Remove spurious kvm_mmu_unload() from vcpu destruction path
perf hists browser: Restore ESC as "Zoom out" of DSO/thread/etc
pwm: omap-dmtimer: put_device() after of_find_device_by_node()
kprobes: Set unoptimized flag after unoptimizing code
drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()'
perf stat: Fix shadow stats for clock events
perf stat: Use perf_evsel__is_clocki() for clock events
sched/fair: Fix O(nr_cgroups) in the load balancing path
sched/fair: Optimize update_blocked_averages()
KVM: Check for a bad hva before dropping into the ghc slow path
KVM: SVM: Override default MMIO mask if memory encryption is enabled
mwifiex: delete unused mwifiex_get_intf_num()
mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame()
namei: only return -ECHILD from follow_dotdot_rcu()
net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE
net/smc: no peer ID in CLC decline for SMCD
net: atlantic: fix potential error handling
net: atlantic: fix use after free kasan warn
net: netlink: cap max groups which will be considered in netlink_bind()
s390/qeth: vnicc Fix EOPNOTSUPP precedence
usb: charger: assign specific number for enum value
hv_netvsc: Fix unwanted wakeup in netvsc_attach()
drm/i915/gvt: Separate display reset from ALL_ENGINES reset
drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime
i2c: jz4780: silence log flood on txabrt
i2c: altera: Fix potential integer overflow
MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
HID: hiddev: Fix race in in hiddev_disconnect()
HID: alps: Fix an error handling path in 'alps_input_configured()'
vhost: Check docket sk_family instead of call getname
amdgpu/gmc_v9: save/restore sdpif regs during S3
Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs"
tracing: Disable trace_printk() on post poned tests
macintosh: therm_windtunnel: fix regression when instantiating devices
HID: core: increase HID report buffer size to 8KiB
HID: core: fix off-by-one memset in hid_report_raw_event()
HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock
KVM: VMX: check descriptor table exits on instruction emulation
ACPI: watchdog: Fix gas->access_width usage
ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro
audit: fix error handling in audit_data_to_entry()
ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
net/tls: Fix to avoid gettig invalid tls record
qede: Fix race between rdma destroy workqueue and link change event
ipv6: Fix nlmsg_flags when splitting a multipath route
ipv6: Fix route replacement with dev-only route
sctp: move the format error check out of __sctp_sf_do_9_1_abort
nfc: pn544: Fix occasional HW initialization failure
net: sched: correct flower port blocking
net: phy: restore mdio regs in the iproc mdio driver
net: mscc: fix in frame extraction
net: fib_rules: Correctly set table field when table number exceeds 8 bits
sysrq: Remove duplicated sysrq message
sysrq: Restore original console_loglevel when sysrq disabled
cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
cifs: Fix mode output in debugging statements
net: ena: ena-com.c: prevent NULL pointer dereference
net: ena: ethtool: use correct value for crc32 hash
net: ena: fix incorrectly saving queue numbers when setting RSS indirection table
net: ena: rss: store hash function as values and not bits
net: ena: rss: fix failure to get indirection table
net: ena: fix incorrect default RSS key
net: ena: add missing ethtool TX timestamping indication
net: ena: fix uses of round_jiffies()
net: ena: fix potential crash when rxfh key is NULL
soc/tegra: fuse: Fix build with Tegra194 configuration
ARM: dts: sti: fixup sound frame-inversion for stihxxx-b2120.dtsi
qmi_wwan: unconditionally reject 2 ep interfaces
qmi_wwan: re-add DW5821e pre-production variant
s390/zcrypt: fix card and queue total counter wrap
cfg80211: check wiphy driver existence for drvinfo report
mac80211: consider more elements in parsing CRC
dax: pass NOWAIT flag to iomap_apply
drm/msm: Set dma maximum segment size for mdss
ipmi:ssif: Handle a possible NULL pointer reference
iwlwifi: pcie: fix rb_allocator workqueue allocation
irqchip/gic-v3-its: Fix misuse of GENMASK macro
ANDROID: Update ABI representation
ANDROID: abi_gki_aarch64_whitelist: add module_layout and task_struct
ANDROID: gki_defconfig: disable KPROBES, update ABI
ANDROID: GKI: mm: add cma pcp list
ANDROID: GKI: cma: redirect page allocation to CMA
BACKPORT: mm, compaction: be selective about what pageblocks to clear skip hints
BACKPORT: mm: reclaim small amounts of memory when an external fragmentation event occurs
BACKPORT: mm: move zone watermark accesses behind an accessor
UPSTREAM: mm: use alloc_flags to record if kswapd can wake
UPSTREAM: mm, page_alloc: spread allocations across zones before introducing fragmentation
ANDROID: GKI: update abi for ufshcd changes
ANDROID: Unconditionally create bridge tracepoints
ANDROID: gki_defconfig: Enable MFD_SYSCON on x86
ANDROID: scsi: ufs: allow ufs variants to override sg entry size
ANDROID: Re-add default y for VIRTIO_PCI_LEGACY
ANDROID: GKI: build in HVC_DRIVER
ANDROID: Removed default m for virtual sw crypto device
ANDROID: Remove default y on BRIDGE_IGMP_SNOOPING
ANDROID: GKI: Added missing SND configs
FROMLIST: ufs: fix a bug on printing PRDT
UPSTREAM: sched/uclamp: Reject negative values in cpu_uclamp_write()
ANDROID: gki_defconfig: Disable CONFIG_RT_GROUP_SCHED
ANDROID: GKI: Remove CONFIG_BRIDGE from arm64 config
ANDROID: Add ABI Whitelist for qcom
ANDROID: Enable HID_NINTENDO as y
FROMLIST: HID: nintendo: add nintendo switch controller driver
UPSTREAM: regulator/of_get_regulator: add child path to find the regulator supplier
ANDROID: gki_defconfig: Remove 'BRIDGE_NETFILTER is not set'
BACKPORT: net: disable BRIDGE_NETFILTER by default
ANDROID: kbuild: fix UNUSED_KSYMS_WHITELIST backport
Linux 4.19.107
Revert "char/random: silence a lockdep splat with printk()"
s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range
xen: Enable interrupts when calling _cond_resched()
ata: ahci: Add shutdown to freeze hardware resources of ahci
rxrpc: Fix call RCU cleanup using non-bh-safe locks
netfilter: xt_hashlimit: limit the max size of hashtable
ALSA: seq: Fix concurrent access to queue current tick/time
ALSA: seq: Avoid concurrent access to queue flags
ALSA: rawmidi: Avoid bit fields for state flags
bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill
genirq/proc: Reject invalid affinity masks (again)
iommu/vt-d: Fix compile warning from intel-svm.h
ecryptfs: replace BUG_ON with error handling code
staging: greybus: use after free in gb_audio_manager_remove_all()
staging: rtl8723bs: fix copy of overlapping memory
usb: dwc2: Fix in ISOC request length checking
usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
Revert "dmaengine: imx-sdma: Fix memory leak"
Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents
btrfs: do not check delayed items are empty for single transaction cleanup
btrfs: reset fs_root to NULL on error in open_ctree
btrfs: fix bytes_may_use underflow in prealloc error condtition
KVM: apic: avoid calculating pending eoi from an uninitialized val
KVM: nVMX: handle nested posted interrupts when apicv is disabled for L1
KVM: nVMX: Check IO instruction VM-exit conditions
KVM: nVMX: Refactor IO bitmap checks into helper function
ext4: fix race between writepages and enabling EXT4_EXTENTS_FL
ext4: rename s_journal_flag_rwsem to s_writepages_rwsem
ext4: fix mount failure with quota configured as module
ext4: fix potential race between s_flex_groups online resizing and access
ext4: fix potential race between s_group_info online resizing and access
ext4: fix potential race between online resizing and write operations
ext4: add cond_resched() to __ext4_find_entry()
ext4: fix a data race in EXT4_I(inode)->i_disksize
drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets
lib/stackdepot.c: fix global out-of-bounds in stack_slabs
tty: serial: qcom_geni_serial: Fix RX cancel command failure
tty: serial: qcom_geni_serial: Remove xfer_mode variable
tty: serial: qcom_geni_serial: Remove set_rfr_wm() and related variables
tty: serial: qcom_geni_serial: Remove use of *_relaxed() and mb()
tty: serial: qcom_geni_serial: Remove interrupt storm
tty: serial: qcom_geni_serial: Fix UART hang
KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI
KVM: nVMX: Don't emulate instructions in guest mode
xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms
drm/amdgpu/soc15: fix xclk for raven
mm/vmscan.c: don't round up scan size for online memory cgroup
genirq/irqdomain: Make sure all irq domain flags are distinct
nvme-multipath: Fix memory leak with ana_log_buf
mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps()
Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
MAINTAINERS: Update drm/i915 bug filing URL
serdev: ttyport: restore client ops on deregistration
tty: serial: imx: setup the correct sg entry for tx dma
tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode
serial: 8250: Check UPF_IRQ_SHARED in advance
x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF
x86/mce/amd: Fix kobject lifetime
x86/mce/amd: Publish the bank pointer only after setup has succeeded
jbd2: fix ocfs2 corrupt when clearing block group bits
powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery
staging: rtl8723bs: Fix potential overuse of kernel memory
staging: rtl8723bs: Fix potential security hole
staging: rtl8188eu: Fix potential overuse of kernel memory
staging: rtl8188eu: Fix potential security hole
usb: dwc3: gadget: Check for IOC/LST bit in TRB->ctrl fields
usb: dwc2: Fix SET/CLEAR_FEATURE and GET_STATUS flows
USB: hub: Fix the broken detection of USB3 device in SMSC hub
USB: hub: Don't record a connect-change event during reset-resume
USB: Fix novation SourceControl XL after suspend
usb: uas: fix a plug & unplug racing
USB: quirks: blacklist duplicate ep on Sound Devices USBPre2
USB: core: add endpoint-blacklist quirk
usb: host: xhci: update event ring dequeue pointer on purpose
xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2
xhci: fix runtime pm enabling for quirky Intel hosts
xhci: Force Maximum Packet size for Full-speed bulk devices to valid range.
staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
staging: android: ashmem: Disallow ashmem memory from being remapped
vt: vt_ioctl: fix race in VT_RESIZEX
vt: selection, handle pending signals in paste_selection
vt: fix scrollback flushing on background consoles
floppy: check FDC index for errors before assigning it
USB: misc: iowarrior: add support for the 100 device
USB: misc: iowarrior: add support for the 28 and 28L devices
USB: misc: iowarrior: add support for 2 OEMed devices
thunderbolt: Prevent crash if non-active NVMem file is read
ecryptfs: fix a memory leak bug in ecryptfs_init_messaging()
ecryptfs: fix a memory leak bug in parse_tag_1_packet()
ASoC: sun8i-codec: Fix setting DAI data format
ALSA: hda/realtek - Apply quirk for yet another MSI laptop
ALSA: hda/realtek - Apply quirk for MSI GP63, too
ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs
iommu/qcom: Fix bogus detach logic
UPSTREAM: sched/psi: Fix OOB write when writing 0 bytes to PSI files
UPSTREAM: psi: Fix a division error in psi poll()
UPSTREAM: sched/psi: Fix sampling error and rare div0 crashes with cgroups and high uptime
UPSTREAM: sched/psi: Correct overly pessimistic size calculation
ANDROID: build.config.gki.aarch64: enable symbol trimming
FROMLIST: f2fs: Handle casefolding with Encryption
FROMLIST: fscrypt: Have filesystems handle their d_ops
FROMLIST: ext4: Use generic casefolding support
FROMLIST: f2fs: Use generic casefolding support
FROMLIST: Add standard casefolding support
FROMLIST: unicode: Add utf8_casefold_hash
ANDROID: sdcardfs: fix -ENOENT lookup race issue
ANDROID: gki_defconfig: Enable CONFIG_RD_LZ4
ANDROID: gki: Enable BINFMT_MISC as part of GKI
ANDROID: gki_defconfig: disable CONFIG_CRYPTO_MD4
ANDROID: dm: Add wrapped key support in dm-default-key
ANDROID: dm: add support for passing through derive_raw_secret
ANDROID: block: Prevent crypto fallback for wrapped keys
BACKPORT: FROMLIST: kbuild: generate autoksyms.h early
BACKPORT: FROMLIST: kbuild: split adjust_autoksyms.sh in two parts
BACKPORT: FROMLIST: kbuild: allow symbol whitelisting with TRIM_UNUSED_KSYMS
ANDROID: kbuild: use modules.order in adjust_autoksyms.sh
UPSTREAM: kbuild: source include/config/auto.conf instead of ${KCONFIG_CONFIG}
ANDROID: Disable wq fp check in CFI builds
ANDROID: increase limit on sched-tune boost groups
BACKPORT: nvmem: core: fix regression in of_nvmem_cell_get()
BACKPORT: nvmem: hide unused nvmem_find_cell_by_index function
BACKPORT: nvmem: resolve cells from DT at registration time
Linux 4.19.106
drm/amdgpu/display: handle multiple numbers of fclks in dcn_calcs.c (v2)
mlxsw: spectrum_dpipe: Add missing error path
virtio_balloon: prevent pfn array overflow
cifs: log warning message (once) if out of disk space
help_next should increase position index
NFS: Fix memory leaks
drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_voltage
drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_latency
brd: check and limit max_part par
microblaze: Prevent the overflow of the start
iwlwifi: mvm: Fix thermal zone registration
irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL
bcache: explicity type cast in bset_bkey_last()
reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
lib/scatterlist.c: adjust indentation in __sg_alloc_table
ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans()
radeon: insert 10ms sleep in dce5_crtc_load_lut
trigger_next should increase position index
ftrace: fpid_next() should increase position index
drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
irqchip/gic-v3: Only provision redistributors that are enabled in ACPI
rbd: work around -Wuninitialized warning
ceph: check availability of mds cluster on mount after wait timeout
bpf: map_seq_next should always increase position index
cifs: fix NULL dereference in match_prepath
iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
hostap: Adjust indentation in prism2_hostapd_add_sta
ARM: 8951/1: Fix Kexec compilation issue.
jbd2: make sure ESHUTDOWN to be recorded in the journal superblock
jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
selftests: bpf: Reset global state between reuseport test runs
iommu/vt-d: Remove unnecessary WARN_ON_ONCE()
bcache: cached_dev_free needs to put the sb page
powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV
drm/nouveau/mmu: fix comptag memory leak
ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
driver core: platform: fix u32 greater or equal to zero comparison
s390/ftrace: generate traced function stack frame
s390: adjust -mpacked-stack support check for clang 10
x86/decoder: Add TEST opcode to Group3-2
kbuild: use -S instead of -E for precise cc-option test in Kconfig
ALSA: hda/hdmi - add retry logic to parse_intel_hdmi()
irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove problems
remoteproc: Initialize rproc_class before use
module: avoid setting info->name early in case we can fall back to info->mod->name
btrfs: device stats, log when stats are zeroed
btrfs: safely advance counter when looking up bio csums
btrfs: fix possible NULL-pointer dereference in integrity checks
pwm: Remove set but not set variable 'pwm'
ide: serverworks: potential overflow in svwks_set_pio_mode()
cmd64x: potential buffer overflow in cmd64x_program_timings()
pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional
x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd
f2fs: fix memleak of kobject
watchdog/softlockup: Enforce that timestamp is valid on boot
drm/amd/display: fixup DML dependencies
arm64: fix alternatives with LLVM's integrated assembler
scsi: iscsi: Don't destroy session if there are outstanding connections
f2fs: free sysfs kobject
f2fs: set I_LINKABLE early to avoid wrong access by vfs
iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue
drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
drm/nouveau/fault/gv100-: fix memory leak on module unload
drm/nouveau/drm/ttm: Remove set but not used variable 'mem'
drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler
drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw
drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new()
vme: bridges: reduce stack usage
bpf: Return -EBADRQC for invalid map type in __bpf_tx_xdp_map
driver core: Print device when resources present in really_probe()
driver core: platform: Prevent resouce overflow from causing infinite loops
visorbus: fix uninitialized variable access
tty: synclink_gt: Adjust indentation in several functions
tty: synclinkmp: Adjust indentation in several functions
ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
wan: ixp4xx_hss: fix compile-testing on 64-bit
x86/nmi: Remove irq_work from the long duration NMI handler
Input: edt-ft5x06 - work around first register access error
rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
efi/x86: Don't panic or BUG() on non-critical error conditions
soc/tegra: fuse: Correct straps' address for older Tegra124 device trees
IB/hfi1: Add software counter for ctxt0 seq drop
staging: rtl8188: avoid excessive stack usage
udf: Fix free space reporting for metadata and virtual partitions
usbip: Fix unsafe unaligned pointer usage
ARM: dts: stm32: Add power-supply for DSI panel on stm32f469-disco
drm: remove the newline for CRC source name.
mlx5: work around high stack usage with gcc
ACPI: button: Add DMI quirk for Razer Blade Stealth 13 late 2019 lid switch
tools lib api fs: Fix gcc9 stringop-truncation compilation error
ALSA: sh: Fix compile warning wrt const
clk: uniphier: Add SCSSI clock gate for each channel
ALSA: sh: Fix unused variable warnings
clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock
RDMA/rxe: Fix error type of mmap_offset
reset: uniphier: Add SCSSI reset control for each channel
pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency
x86/vdso: Provide missing include file
crypto: chtls - Fixed memory leak
dmaengine: imx-sdma: Fix memory leak
dmaengine: Store module owner in dma_device struct
selinux: ensure we cleanup the internal AVC counters on error in avc_update()
ARM: dts: r8a7779: Add device node for ARM global timer
drm/mediatek: handle events when enabling/disabling crtc
scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
scsi: ufs: Complete pending requests in host reset and restore path
ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
orinoco: avoid assertion in case of NULL pointer
rtlwifi: rtl_pci: Fix -Wcast-function-type
iwlegacy: Fix -Wcast-function-type
ipw2x00: Fix -Wcast-function-type
b43legacy: Fix -Wcast-function-type
ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy
fore200e: Fix incorrect checks of NULL pointer dereference
r8169: check that Realtek PHY driver module is loaded
reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros
PCI: Increase D3 delay for AMD Ryzen5/7 XHCI controllers
PCI: Add generic quirk for increasing D3hot delay
media: cx23885: Add support for AVerMedia CE310B
PCI: iproc: Apply quirk_paxc_bridge() for module as well as built-in
ARM: dts: imx6: rdu2: Limit USBH1 to Full Speed
ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3
arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core
selinux: ensure we cleanup the internal AVC counters on error in avc_insert()
arm: dts: allwinner: H3: Add PMU node
arm64: dts: allwinner: H6: Add PMU mode
selinux: fall back to ref-walk if audit is required
NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu().
net/wan/fsl_ucc_hdlc: reject muram offsets above 64K
regulator: rk808: Lower log level on optional GPIOs being not available
drm/amdgpu: Ensure ret is always initialized when using SOC15_WAIT_ON_RREG
drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table
clk: qcom: rcg2: Don't crash if our parent can't be found; return an error
kconfig: fix broken dependency in randconfig-generated .config
KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups
nbd: add a flush_workqueue in nbd_start_device
drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero
ath10k: Correct the DMA direction for management tx buffers
ext4, jbd2: ensure panic when aborting with zero errno
ARM: 8952/1: Disable kmemleak on XIP kernels
tracing: Fix very unlikely race of registering two stat tracers
tracing: Fix tracing_stat return values in error handling paths
powerpc/iov: Move VF pdev fixup into pcibios_fixup_iov()
s390/pci: Fix possible deadlock in recover_store()
pwm: omap-dmtimer: Simplify error handling
x86/sysfb: Fix check for bad VRAM size
jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
kselftest: Minimise dependency of get_size on C library interfaces
clocksource/drivers/bcm2835_timer: Fix memory leak of timer
usb: dwc2: Fix IN FIFO allocation
usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe()
uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
sparc: Add .exit.data section.
MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
efi/x86: Map the entire EFI vendor string before copying it
pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins
media: sti: bdisp: fix a possible sleep-in-atomic-context bug in bdisp_device_run()
char/random: silence a lockdep splat with printk()
iommu/vt-d: Fix off-by-one in PASID allocation
gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap()
powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number
media: i2c: mt9v032: fix enum mbus codes and frame sizes
pxa168fb: Fix the function used to release some memory in an error handling path
pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
gianfar: Fix TX timestamping with a stacked DSA driver
ALSA: ctl: allow TLV read operation for callback type of element in locked case
ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT
leds: pca963x: Fix open-drain initialization
brcmfmac: Fix use after free in brcmf_sdio_readframes()
cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order
drm/gma500: Fixup fbdev stolen size usage evaluation
KVM: nVMX: Use correct root level for nested EPT shadow page tables
Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs"
Revert "KVM: nVMX: Use correct root level for nested EPT shadow page tables"
net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
net: dsa: tag_qca: Make sure there is headroom for tag
net/smc: fix leak of kernel memory to user space
enic: prevent waking up stopped tx queues over watchdog reset
core: Don't skip generic XDP program execution for cloned SKBs
ANDROID: arm64: update the abi with the new gki_defconfig
ANDROID: arm64: gki_defconfig: disable CONFIG_DEBUG_PREEMPT
ANDROID: GKI: arm64: gki_defconfig: follow-up to removing DRM_MSM driver
ANDROID: drm/msm: Remove Kconfig default
ANDROID: GKI: arm64: gki_defconfig: remove qcom,cmd-db driver
ANDROID: GKI: drivers: qcom: cmd-db: Allow compiling qcom,cmd-db driver as module
ANDROID: GKI: arm64: gki_defconfig: remove qcom,rpmh-rsc driver
ANDROID: GKI: drivers: qcom: rpmh-rsc: Add tristate support for qcom,rpmh-rsc driver
ANDROID: ufs, block: fix crypto power management and move into block layer
ANDROID: rtc: class: support hctosys from modular RTC drivers
ANDROID: Incremental fs: Support xattrs
ANDROID: abi update for 4.19.105
UPSTREAM: random: ignore GRND_RANDOM in getentropy(2)
UPSTREAM: random: add GRND_INSECURE to return best-effort non-cryptographic bytes
UPSTREAM: linux/random.h: Mark CONFIG_ARCH_RANDOM functions __must_check
UPSTREAM: linux/random.h: Use false with bool
UPSTREAM: linux/random.h: Remove arch_has_random, arch_has_random_seed
UPSTREAM: random: remove some dead code of poolinfo
UPSTREAM: random: fix typo in add_timer_randomness()
UPSTREAM: random: Add and use pr_fmt()
UPSTREAM: random: convert to ENTROPY_BITS for better code readability
UPSTREAM: random: remove unnecessary unlikely()
UPSTREAM: random: remove kernel.random.read_wakeup_threshold
UPSTREAM: random: delete code to pull data into pools
UPSTREAM: random: remove the blocking pool
UPSTREAM: random: make /dev/random be almost like /dev/urandom
UPSTREAM: random: Add a urandom_read_nowait() for random APIs that don't warn
UPSTREAM: random: Don't wake crng_init_wait when crng_init == 1
UPSTREAM: char/random: silence a lockdep splat with printk()
BACKPORT: fdt: add support for rng-seed
BACKPORT: arm64: map FDT as RW for early_init_dt_scan()
UPSTREAM: random: fix soft lockup when trying to read from an uninitialized blocking pool
UPSTREAM: random: document get_random_int() family
UPSTREAM: random: move rand_initialize() earlier
UPSTREAM: random: only read from /dev/random after its pool has received 128 bits
UPSTREAM: drivers/char/random.c: make primary_crng static
UPSTREAM: drivers/char/random.c: remove unused stuct poolinfo::poolbits
UPSTREAM: drivers/char/random.c: constify poolinfo_table
ANDROID: clang: update to 10.0.4
Linux 4.19.105
KVM: x86/mmu: Fix struct guest_walker arrays for 5-level paging
jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer
jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()
NFSv4.1 make cachethis=no for writes
hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions.
perf/x86/intel: Fix inaccurate period in context switch for auto-reload
s390/time: Fix clk type in get_tod_clock
RDMA/core: Fix protection fault in get_pkey_idx_qp_list
RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq
RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create
RDMA/core: Fix invalid memory access in spec_filter_size
IB/rdmavt: Reset all QPs when the device is shut down
IB/hfi1: Close window for pq and request coliding
IB/hfi1: Acquire lock to release TID entries when user file is closed
nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info
perf/x86/amd: Add missing L2 misses event spec to AMD Family 17h's event map
KVM: nVMX: Use correct root level for nested EPT shadow page tables
arm64: ssbs: Fix context-switch when SSBS is present on all CPUs
ARM: npcm: Bring back GPIOLIB support
btrfs: log message when rw remount is attempted with unclean tree-log
btrfs: print message when tree-log replay starts
btrfs: ref-verify: fix memory leaks
Btrfs: fix race between using extent maps and merging them
ext4: improve explanation of a mount failure caused by a misconfigured kernel
ext4: add cond_resched() to ext4_protect_reserved_inode
ext4: fix checksum errors with indexed dirs
ext4: fix support for inode sizes > 1024 bytes
ext4: don't assume that mmp_nodename/bdevname have NUL
ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000
ALSA: usb-audio: sound: usb: usb true/false for bool return type
arm64: nofpsmid: Handle TIF_FOREIGN_FPSTATE flag cleanly
arm64: cpufeature: Set the FP/SIMD compat HWCAP bits properly
ALSA: usb-audio: Apply sample rate quirk for Audioengine D1
ALSA: hda/realtek - Fix silent output on MSI-GL73
ALSA: usb-audio: Fix UAC2/3 effect unit parsing
Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list
Input: synaptics - enable SMBus on ThinkPad L470
Input: synaptics - switch T470s to RMI4 by default
ANDROID: Fix ABI representation after enabling CONFIG_NET_NS
ANDROID: gki_defconfig: Enable CONFIG_NET_NS
ANDROID: gki_defconfig: Enable XDP_SOCKETS
UPSTREAM: sched/topology: Introduce a sysctl for Energy Aware Scheduling
ANDROID: gki_defconfig: Enable MAC80211_RC_MINSTREL
ANDROID: f2fs: remove unused function
ANDROID: virtio: virtio_input: pass _DIRECT only if the device advertises _DIRECT
ANDROID: cf build: Use merge_configs
ANDROID: net: bpf: Allow TC programs to call BPF_FUNC_skb_change_head
ANDROID: gki_defconfig: Disable SDCARD_FS
Linux 4.19.104
padata: fix null pointer deref of pd->pinst
serial: uartps: Move the spinlock after the read of the tx empty
x86/stackframe, x86/ftrace: Add pt_regs frame annotations
x86/stackframe: Move ENCODE_FRAME_POINTER to asm/frame.h
scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state
libertas: make lbs_ibss_join_existing() return error code on rates overflow
libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B
media: i2c: adv748x: Fix unsafe macros
crypto: atmel-sha - fix error handling when setting hmac key
crypto: artpec6 - return correct error code for failed setkey()
mtd: sharpslpart: Fix unsigned comparison to zero
mtd: onenand_base: Adjust indentation in onenand_read_ops_nolock
KVM: arm64: pmu: Don't increment SW_INCR if PMCR.E is unset
KVM: arm: Make inject_abt32() inject an external abort instead
KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests
KVM: arm/arm64: Fix young bit from mmu notifier
arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations
arm64: cpufeature: Fix the type of no FP/SIMD capability
ARM: 8949/1: mm: mark free_memmap as __init
KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections
iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA
powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW
powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning
tools/power/acpi: fix compilation error
ARM: dts: at91: sama5d3: define clock rate range for tcb1
ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
ARM: dts: am43xx: add support for clkout1 clock
ARM: dts: at91: Reenable UART TX pull-ups
platform/x86: intel_mid_powerbtn: Take a copy of ddata
ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node
rtc: cmos: Stop using shared IRQ
rtc: hym8563: Return -EINVAL if the time is known to be invalid
spi: spi-mem: Fix inverted logic in op sanity check
spi: spi-mem: Add extra sanity checks on the op param
gpio: zynq: Report gpio direction at boot
serial: uartps: Add a timeout to the tx empty wait
NFSv4: try lease recovery on NFS4ERR_EXPIRED
NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes()
NFS: Revalidate the file size on a fatal write error
nfs: NFS_SWAP should depend on SWAP
PCI: Don't disable bridge BARs when assigning bus resources
PCI/switchtec: Fix vep_vector_number ioread width
ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe
PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails
RDMA/uverbs: Verify MR access flags
RDMA/core: Fix locking in ib_uverbs_event_read
RDMA/netlink: Do not always generate an ACK for some netlink operations
IB/mlx4: Fix memory leak in add_gid error flow
hv_sock: Remove the accept port restriction
ASoC: pcm: update FE/BE trigger order based on the command
ANDROID: gki_defconfig: Add CONFIG_UNICODE
ANDROID: added memory initialization tests to cuttlefish config
ANDROID: gki_defconfig: enable CONFIG_RUNTIME_TESTING_MENU
fs-verity: use u64_to_user_ptr()
fs-verity: use mempool for hash requests
fs-verity: implement readahead of Merkle tree pages
fs-verity: implement readahead for FS_IOC_ENABLE_VERITY
fscrypt: improve format of no-key names
ubifs: allow both hash and disk name to be provided in no-key names
ubifs: don't trigger assertion on invalid no-key filename
fscrypt: clarify what is meant by a per-file key
fscrypt: derive dirhash key for casefolded directories
fscrypt: don't allow v1 policies with casefolding
fscrypt: add "fscrypt_" prefix to fname_encrypt()
fscrypt: don't print name of busy file when removing key
fscrypt: document gfp_flags for bounce page allocation
fscrypt: optimize fscrypt_zeroout_range()
fscrypt: remove redundant bi_status check
fscrypt: Allow modular crypto algorithms
FROMLIST: rename missed uaccess .fixup section
ANDROID: f2fs: fix missing blk-crypto changes
ANDROID: gki_defconfig: enable heap and stack initialization.
UPSTREAM: lib/test_stackinit: Handle Clang auto-initialization pattern
UPSTREAM: lib: Introduce test_stackinit module
fscrypt: include <linux/ioctl.h> in UAPI header
fscrypt: don't check for ENOKEY from fscrypt_get_encryption_info()
fscrypt: remove fscrypt_is_direct_key_policy()
fscrypt: move fscrypt_valid_enc_modes() to policy.c
fscrypt: check for appropriate use of DIRECT_KEY flag earlier
fscrypt: split up fscrypt_supported_policy() by policy version
fscrypt: introduce fscrypt_needs_contents_encryption()
fscrypt: move fscrypt_d_revalidate() to fname.c
fscrypt: constify inode parameter to filename encryption functions
fscrypt: constify struct fscrypt_hkdf parameter to fscrypt_hkdf_expand()
fscrypt: verify that the crypto_skcipher has the correct ivsize
fscrypt: use crypto_skcipher_driver_name()
fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY
keys: Export lookup_user_key to external users
UPSTREAM: dynamic_debug: allow to work if debugfs is disabled
UPSTREAM: lib: dynamic_debug: no need to check return value of debugfs_create functions
ANDROID: ABI/Whitelist: update for Cuttlefish
ANDROID: update ABI representation and GKI whitelist
ANDROID: gki_defconfig: Set CONFIG_ANDROID_BINDERFS=y
Linux 4.19.103
rxrpc: Fix service call disconnection
perf/core: Fix mlock accounting in perf_mmap()
clocksource: Prevent double add_timer_on() for watchdog_timer
x86/apic/msi: Plug non-maskable MSI affinity race
cifs: fail i/o on soft mounts if sessionsetup errors out
mm/page_alloc.c: fix uninitialized memmaps on a partially populated last section
mm: return zero_resv_unavail optimization
mm: zero remaining unavailable struct pages
KVM: Play nice with read-only memslots when querying host page size
KVM: Use vcpu-specific gva->hva translation when querying host page size
KVM: nVMX: vmread should not set rflags to specify success in case of #PF
KVM: VMX: Add non-canonical check on writes to RTIT address MSRs
KVM: x86: Use gpa_t for cr2/gpa to fix TDP support on 32-bit KVM
KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM
btrfs: flush write bio if we loop in extent_write_cache_pages
drm/dp_mst: Remove VCPI while disabling topology mgr
drm: atmel-hlcdc: enable clock before configuring timing engine
btrfs: free block groups after free'ing fs trees
btrfs: use bool argument in free_root_pointers()
ext4: fix deadlock allocating crypto bounce page from mempool
net: dsa: b53: Always use dev->vlan_enabled in b53_configure_vlan()
net: macb: Limit maximum GEM TX length in TSO
net: macb: Remove unnecessary alignment check for TSO
net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx
net/mlx5: IPsec, Fix esp modify function attribute
net: systemport: Avoid RBUF stuck in Wake-on-LAN mode
net_sched: fix a resource leak in tcindex_set_parms()
net: mvneta: move rx_dropped and rx_errors in per-cpu stats
net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port
bonding/alb: properly access headers in bond_alb_xmit()
mfd: rn5t618: Mark ADC control register volatile
mfd: da9062: Fix watchdog compatible string
ubi: Fix an error pointer dereference in error handling code
ubi: fastmap: Fix inverted logic in seen selfcheck
nfsd: Return the correct number of bytes written to the file
nfsd: fix jiffies/time_t mixup in LRU list
nfsd: fix delay timer on 32-bit architectures
IB/core: Fix ODP get user pages flow
IB/mlx5: Fix outstanding_pi index for GSI qps
net: tulip: Adjust indentation in {dmfe, uli526x}_init_module
net: smc911x: Adjust indentation in smc911x_phy_configure
ppp: Adjust indentation into ppp_async_input
NFC: pn544: Adjust indentation in pn544_hci_check_presence
drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable
powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize
ext2: Adjust indentation in ext2_fill_super
phy: qualcomm: Adjust indentation in read_poll_timeout
scsi: ufs: Recheck bkops level if bkops is disabled
scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free
scsi: csiostor: Adjust indentation in csio_device_reset
scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type
percpu: Separate decrypted varaibles anytime encryption can be enabled
drm/amd/dm/mst: Ignore payload update failures
clk: tegra: Mark fuse clock as critical
KVM: s390: do not clobber registers during guest reset/store status
KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
KVM: x86: Don't let userspace set host-reserved cr4 bits
x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit
KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
KVM: x86: Fix potential put_fpu() w/o load_fpu() on MPX platform
KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks
KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks
KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks
KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks
KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks
KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
aio: prevent potential eventfd recursion on poll
eventfd: track eventfd_signal() recursion depth
bcache: add readahead cache policy options via sysfs interface
watchdog: fix UAF in reboot notifier handling in watchdog core code
xen/balloon: Support xend-based toolstack take two
tools/kvm_stat: Fix kvm_exit filter name
media: rc: ensure lirc is initialized before registering input device
drm/rect: Avoid division by zero
gfs2: fix O_SYNC write handling
gfs2: move setting current->backing_dev_info
sunrpc: expiry_time should be seconds not timeval
mwifiex: fix unbalanced locking in mwifiex_process_country_ie()
iwlwifi: don't throw error when trying to remove IGTK
ARM: tegra: Enable PLLP bypass during Tegra124 LP1
Btrfs: fix race between adding and putting tree mod seq elements and nodes
btrfs: set trans->drity in btrfs_commit_transaction
Btrfs: fix missing hole after hole punching and fsync when using NO_HOLES
jbd2_seq_info_next should increase position index
NFS: Directory page cache pages need to be locked when read
NFS: Fix memory leaks and corruption in readdir
scsi: qla2xxx: Fix unbound NVME response length
crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill
crypto: api - Fix race condition in crypto_spawn_alg
crypto: atmel-aes - Fix counter overflow in CTR mode
crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
crypto: ccp - set max RSA modulus size for v3 platform devices as well
samples/bpf: Don't try to remove user's homedir on clean
ftrace: Protect ftrace_graph_hash with ftrace_sync
ftrace: Add comment to why rcu_dereference_sched() is open coded
tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu
tracing: Annotate ftrace_graph_hash pointer with __rcu
padata: Remove broken queue flushing
dm writecache: fix incorrect flush sequence when doing SSD mode commit
dm: fix potential for q->make_request_fn NULL pointer
dm crypt: fix benbi IV constructor crash if used in authenticated mode
dm space map common: fix to ensure new block isn't already in use
dm zoned: support zone sizes smaller than 128MiB
of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc
PM: core: Fix handling of devices deleted during system-wide resume
f2fs: code cleanup for f2fs_statfs_project()
f2fs: fix miscounted block limit in f2fs_statfs_project()
f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_project()
ovl: fix wrong WARN_ON() in ovl_cache_update_ino()
power: supply: ltc2941-battery-gauge: fix use-after-free
scsi: qla2xxx: Fix mtcp dump collection failure
scripts/find-unused-docs: Fix massive false positives
crypto: ccree - fix PM race condition
crypto: ccree - fix pm wrongful error reporting
crypto: ccree - fix backlog memory leak
crypto: api - Check spawn->alg under lock in crypto_drop_spawn
mfd: axp20x: Mark AXP20X_VBUS_IPSOUT_MGMT as volatile
hv_balloon: Balloon up according to request page number
mmc: sdhci-of-at91: fix memleak on clk_get failure
PCI: keystone: Fix link training retries initiation
crypto: geode-aes - convert to skcipher API and make thread-safe
ubifs: Fix deadlock in concurrent bulk-read and writepage
ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag
ubifs: don't trigger assertion on invalid no-key filename
ubifs: Reject unsupported ioctl flags explicitly
alarmtimer: Unregister wakeup source when module get fails
ACPI / battery: Deal better with neither design nor full capacity not being reported
ACPI / battery: Use design-cap for capacity calculations if full-cap is not available
ACPI / battery: Deal with design or full capacity being reported as -1
ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards
mmc: spi: Toggle SPI polarity, do not hardcode it
PCI: tegra: Fix return value check of pm_runtime_get_sync()
smb3: fix signing verification of large reads
powerpc/pseries: Advance pfn if section is not present in lmb_is_removable()
powerpc/xmon: don't access ASDR in VMs
s390/mm: fix dynamic pagetable upgrade for hugetlbfs
MIPS: boot: fix typo in 'vmlinux.lzma.its' target
MIPS: fix indentation of the 'RELOCS' message
KVM: arm64: Only sign-extend MMIO up to register width
KVM: arm/arm64: Correct AArch32 SPSR on exception entry
KVM: arm/arm64: Correct CPSR on exception entry
KVM: arm64: Correct PSTATE on exception entry
ALSA: hda: Add Clevo W65_67SB the power_save blacklist
platform/x86: intel_scu_ipc: Fix interrupt support
irqdomain: Fix a memory leak in irq_domain_push_irq()
lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more()
media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments
media: v4l2-core: compat: ignore native command codes
media/v4l2-core: set pages dirty upon releasing DMA buffers
mm: move_pages: report the number of non-attempted pages
mm/memory_hotplug: fix remove_memory() lockdep splat
ALSA: dummy: Fix PCM format loop in proc output
ALSA: usb-audio: Fix endianess in descriptor validation
usb: gadget: f_ecm: Use atomic_t to track in-flight request
usb: gadget: f_ncm: Use atomic_t to track in-flight request
usb: gadget: legacy: set max_speed to super-speed
usb: typec: tcpci: mask event interrupts when remove driver
brcmfmac: Fix memory leak in brcmf_usbdev_qinit
rcu: Avoid data-race in rcu_gp_fqs_check_wake()
tracing: Fix sched switch start/stop refcount racy updates
ipc/msg.c: consolidate all xxxctl_down() functions
mfd: dln2: More sanity checking for endpoints
media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
rxrpc: Fix missing active use pinning of rxrpc_local object
rxrpc: Fix insufficient receive notification generation
rxrpc: Fix use-after-free in rxrpc_put_local()
tcp: clear tp->segs_{in|out} in tcp_disconnect()
tcp: clear tp->data_segs{in|out} in tcp_disconnect()
tcp: clear tp->delivered in tcp_disconnect()
tcp: clear tp->total_retrans in tcp_disconnect()
bnxt_en: Fix TC queue mapping.
net: stmmac: Delete txtimer in suspend()
net_sched: fix an OOB access in cls_tcindex
net: hsr: fix possible NULL deref in hsr_handle_frame()
l2tp: Allow duplicate session creation with UDP
gtp: use __GFP_NOWARN to avoid memalloc warning
cls_rsvp: fix rsvp_policy
sparc32: fix struct ipc64_perm type definition
iwlwifi: mvm: fix NVM check for 3168 devices
printk: fix exclusive_console replaying
udf: Allow writing to 'Rewritable' partitions
x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
ocfs2: fix oops when writing cloned file
media: iguanair: fix endpoint sanity check
kernel/module: Fix memleak in module_add_modinfo_attrs()
ovl: fix lseek overflow on 32bit
Revert "drm/sun4i: dsi: Change the start delay calculation"
ANDROID: Revert "ANDROID: gki_defconfig: removed CONFIG_PM_WAKELOCKS"
ANDROID: dm: prevent default-key from being enabled without needed hooks
ANDROID: gki: x86: Enable PCI_MSI, WATCHDOG, HPET
ANDROID: Incremental fs: Fix crash on failed lookup
ANDROID: Incremental fs: Make files writeable
ANDROID: update abi for 4.19.102
ANDROID: Incremental fs: Remove C++-style comments
Linux 4.19.102
mm/migrate.c: also overwrite error when it is bigger than zero
perf report: Fix no libunwind compiled warning break s390 issue
btrfs: do not zero f_bavail if we have available space
net: Fix skb->csum update in inet_proto_csum_replace16().
l2t_seq_next should increase position index
seq_tab_next() should increase position index
net: fsl/fman: rename IF_MODE_XGMII to IF_MODE_10G
net/fsl: treat fsl,erratum-a011043
powerpc/fsl/dts: add fsl,erratum-a011043
qlcnic: Fix CPU soft lockup while collecting firmware dump
ARM: dts: am43x-epos-evm: set data pin directions for spi0 and spi1
r8152: get default setting of WOL before initializing
airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE
airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
tee: optee: Fix compilation issue with nommu
ARM: 8955/1: virt: Relax arch timer version check during early boot
scsi: fnic: do not queue commands during fwreset
xfrm: interface: do not confirm neighbor when do pmtu update
xfrm interface: fix packet tx through bpf_redirect()
vti[6]: fix packet tx through bpf_redirect()
ARM: dts: am335x-boneblack-common: fix memory size
iwlwifi: Don't ignore the cap field upon mcc update
riscv: delete temporary files
bnxt_en: Fix ipv6 RFS filter matching logic.
net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
netfilter: nft_tunnel: ERSPAN_VERSION must not be null
wireless: wext: avoid gcc -O3 warning
mac80211: Fix TKIP replay protection immediately after key setup
cfg80211: Fix radar event during another phy CAC
wireless: fix enabling channel 12 for custom regulatory domain
parisc: Use proper printk format for resource_size_t
qmi_wwan: Add support for Quectel RM500Q
ASoC: sti: fix possible sleep-in-atomic
platform/x86: GPD pocket fan: Allow somewhat lower/higher temperature limits
igb: Fix SGMII SFP module discovery for 100FX/LX.
ixgbe: Fix calculation of queue with VFs and flow director on interface flap
ixgbevf: Remove limit of 10 entries for unicast filter list
ASoC: rt5640: Fix NULL dereference on module unload
clk: mmp2: Fix the order of timer mux parents
mac80211: mesh: restrict airtime metric to peered established plinks
clk: sunxi-ng: h6-r: Fix AR100/R_APB2 parent order
rseq: Unregister rseq for clone CLONE_VM
tools lib traceevent: Fix memory leakage in filter_event
soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot
ARM: dts: beagle-x15-common: Model 5V0 regulator
ARM: dts: am57xx-beagle-x15/am57xx-idk: Remove "gpios" for endpoint dt nodes
ARM: dts: sun8i: a83t: Correct USB3503 GPIOs polarity
media: si470x-i2c: Move free() past last use of 'radio'
cgroup: Prevent double killing of css when enabling threaded cgroup
Bluetooth: Fix race condition in hci_release_sock()
ttyprintk: fix a potential deadlock in interrupt context issue
tomoyo: Use atomic_t for statistics counter
media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0
media: gspca: zero usb_buf
media: vp7045: do not read uninitialized values if usb transfer fails
media: af9005: uninitialized variable printked
media: digitv: don't continue if remote control state can't be read
reiserfs: Fix memory leak of journal device string
mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
ext4: validate the debug_want_extra_isize mount option at parse time
arm64: kbuild: remove compressed images on 'make ARCH=arm64 (dist)clean'
tools lib: Fix builds when glibc contains strlcpy()
PM / devfreq: Add new name attribute for sysfs
perf c2c: Fix return type for histogram sorting comparision functions
rsi: fix use-after-free on failed probe and unbind
rsi: add hci detach for hibernation and poweroff
crypto: pcrypt - Fix user-after-free on module unload
x86/resctrl: Fix a deadlock due to inaccurate reference
x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup
x86/resctrl: Fix use-after-free when deleting resource groups
vfs: fix do_last() regression
ANDROID: update abi definitions
BACKPORT: clk: core: clarify the check for runtime PM
UPSTREAM: sched/fair/util_est: Implement faster ramp-up EWMA on utilization increases
ANDROID: Re-use SUGOV_RT_MAX_FREQ to control uclamp rt behavior
BACKPORT: sched/fair: Make EAS wakeup placement consider uclamp restrictions
BACKPORT: sched/fair: Make task_fits_capacity() consider uclamp restrictions
ANDROID: sched/core: Move SchedTune task API into UtilClamp wrappers
ANDROID: sched/core: Add a latency-sensitive flag to uclamp
ANDROID: sched/tune: Move SchedTune cpu API into UtilClamp wrappers
ANDROID: init: kconfig: Only allow sched tune if !uclamp
FROMGIT: sched/core: Fix size of rq::uclamp initialization
FROMGIT: sched/uclamp: Fix a bug in propagating uclamp value in new cgroups
FROMGIT: sched/uclamp: Rename uclamp_util_with() into uclamp_rq_util_with()
FROMGIT: sched/uclamp: Make uclamp util helpers use and return UL values
FROMGIT: sched/uclamp: Remove uclamp_util()
BACKPORT: sched/rt: Make RT capacity-aware
UPSTREAM: tools headers UAPI: Sync sched.h with the kernel
UPSTREAM: sched/uclamp: Fix overzealous type replacement
UPSTREAM: sched/uclamp: Fix incorrect condition
UPSTREAM: sched/core: Fix compilation error when cgroup not selected
UPSTREAM: sched/core: Fix uclamp ABI bug, clean up and robustify sched_read_attr() ABI logic and code
UPSTREAM: sched/uclamp: Always use 'enum uclamp_id' for clamp_id values
UPSTREAM: sched/uclamp: Update CPU's refcount on TG's clamp changes
UPSTREAM: sched/uclamp: Use TG's clamps to restrict TASK's clamps
UPSTREAM: sched/uclamp: Propagate system defaults to the root group
UPSTREAM: sched/uclamp: Propagate parent clamps
UPSTREAM: sched/uclamp: Extend CPU's cgroup controller
BACKPORT: sched/uclamp: Add uclamp support to energy_compute()
UPSTREAM: sched/uclamp: Add uclamp_util_with()
BACKPORT: sched/cpufreq, sched/uclamp: Add clamps for FAIR and RT tasks
UPSTREAM: sched/uclamp: Set default clamps for RT tasks
UPSTREAM: sched/uclamp: Reset uclamp values on RESET_ON_FORK
UPSTREAM: sched/uclamp: Extend sched_setattr() to support utilization clamping
UPSTREAM: sched/core: Allow sched_setattr() to use the current policy
UPSTREAM: sched/uclamp: Add system default clamps
UPSTREAM: sched/uclamp: Enforce last task's UCLAMP_MAX
UPSTREAM: sched/uclamp: Add bucket local max tracking
UPSTREAM: sched/uclamp: Add CPU's clamp buckets refcounting
UPSTREAM: cgroup: add cgroup_parse_float()
Linux 4.19.101
KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE
block: fix 32 bit overflow in __blkdev_issue_discard()
block: cleanup __blkdev_issue_discard()
random: try to actively add entropy rather than passively wait for it
crypto: af_alg - Use bh_lock_sock in sk_destruct
rsi: fix non-atomic allocation in completion handler
rsi: fix memory leak on failed URB submission
rsi: fix use-after-free on probe errors
sched/fair: Fix insertion in rq->leaf_cfs_rq_list
sched/fair: Add tmp_alone_branch assertion
usb-storage: Disable UAS on JMicron SATA enclosure
ARM: OMAP2+: SmartReflex: add omap_sr_pdata definition
iommu/amd: Support multiple PCI DMA aliases in IRQ Remapping
PCI: Add DMA alias quirk for Intel VCA NTB
platform/x86: dell-laptop: disable kbd backlight on Inspiron 10xx
HID: steam: Fix input device disappearing
atm: eni: fix uninitialized variable warning
gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP
net: wan: sdla: Fix cast from pointer to integer of different size
drivers/net/b44: Change to non-atomic bit operations on pwol_mask
spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
watchdog: rn5t618_wdt: fix module aliases
watchdog: max77620_wdt: fix potential build errors
phy: cpcap-usb: Prevent USB line glitches from waking up modem
phy: qcom-qmp: Increase PHY ready timeout
drivers/hid/hid-multitouch.c: fix a possible null pointer access.
HID: Add quirk for incorrect input length on Lenovo Y720
HID: ite: Add USB id match for Acer SW5-012 keyboard dock
HID: Add quirk for Xin-Mo Dual Controller
arc: eznps: fix allmodconfig kconfig warning
HID: multitouch: Add LG MELF0410 I2C touchscreen support
net_sched: fix ops->bind_class() implementations
net_sched: ematch: reject invalid TCF_EM_SIMPLE
zd1211rw: fix storage endpoint lookup
rtl8xxxu: fix interface sanity check
brcmfmac: fix interface sanity check
ath9k: fix storage endpoint lookup
cifs: Fix memory allocation in __smb2_handle_cancelled_cmd()
crypto: chelsio - fix writing tfm flags to wrong place
iio: st_gyro: Correct data for LSM9DS0 gyro
mei: me: add comet point (lake) H device ids
component: do not dereference opaque pointer in debugfs
serial: 8250_bcm2835aux: Fix line mismatch on driver unbind
staging: vt6656: Fix false Tx excessive retries reporting.
staging: vt6656: use NULLFUCTION stack on mac80211
staging: vt6656: correct packet types for CTS protect, mode.
staging: wlan-ng: ensure error return is actually returned
staging: most: net: fix buffer overflow
usb: dwc3: turn off VBUS when leaving host mode
USB: serial: ir-usb: fix IrLAP framing
USB: serial: ir-usb: fix link-speed handling
USB: serial: ir-usb: add missing endpoint sanity check
usb: dwc3: pci: add ID for the Intel Comet Lake -V variant
rsi_91x_usb: fix interface sanity check
orinoco_usb: fix interface sanity check
ANDROID: gki: Removed cf modules from gki_defconfig
ANDROID: Remove default y for VIRTIO_PCI_LEGACY
ANDROID: gki_defconfig: Remove SND_8X0
ANDROID: gki: Fixed some typos in Kconfig.gki
ANDROID: modularize BLK_MQ_VIRTIO
ANDROID: kallsyms: strip hashes from function names with ThinLTO
ANDROID: Incremental fs: Remove unneeded compatibility typedef
ANDROID: Incremental fs: Enable incrementalfs in GKI
ANDROID: Incremental fs: Fix sparse errors
ANDROID: Fixing incremental fs style issues
ANDROID: Make incfs selftests pass
ANDROID: Initial commit of Incremental FS
ANDROID: gki_defconfig: Enable req modules in GKI
ANDROID: gki_defconfig: Set IKHEADERS back to =y
UPSTREAM: UAPI: ndctl: Remove use of PAGE_SIZE
Linux 4.19.100
mm/memory_hotplug: shrink zones when offlining memory
mm/memory_hotplug: fix try_offline_node()
mm/memunmap: don't access uninitialized memmap in memunmap_pages()
drivers/base/node.c: simplify unregister_memory_block_under_nodes()
mm/hotplug: kill is_dev_zone() usage in __remove_pages()
mm/memory_hotplug: remove "zone" parameter from sparse_remove_one_section
mm/memory_hotplug: make unregister_memory_block_under_nodes() never fail
mm/memory_hotplug: remove memory block devices before arch_remove_memory()
mm/memory_hotplug: create memory block devices after arch_add_memory()
drivers/base/memory: pass a block_id to init_memory_block()
mm/memory_hotplug: allow arch_remove_memory() without CONFIG_MEMORY_HOTREMOVE
s390x/mm: implement arch_remove_memory()
mm/memory_hotplug: make __remove_pages() and arch_remove_memory() never fail
powerpc/mm: Fix section mismatch warning
mm/memory_hotplug: make __remove_section() never fail
mm/memory_hotplug: make unregister_memory_section() never fail
mm, memory_hotplug: update a comment in unregister_memory()
drivers/base/memory.c: clean up relics in function parameters
mm/memory_hotplug: release memory resource after arch_remove_memory()
mm, memory_hotplug: add nid parameter to arch_remove_memory
drivers/base/memory.c: remove an unnecessary check on NR_MEM_SECTIONS
mm, sparse: pass nid instead of pgdat to sparse_add_one_section()
mm, sparse: drop pgdat_resize_lock in sparse_add/remove_one_section()
mm/memory_hotplug: make remove_memory() take the device_hotplug_lock
net/x25: fix nonblocking connect
netfilter: nf_tables: add __nft_chain_type_get()
netfilter: ipset: use bitmap infrastructure completely
scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT
libertas: Fix two buffer overflows at parsing bss descriptor
coresight: tmc-etf: Do not call smp_processor_id from preemptible
coresight: etb10: Do not call smp_processor_id from preemptible
crypto: geode-aes - switch to skcipher for cbc(aes) fallback
sd: Fix REQ_OP_ZONE_REPORT completion handling
tracing: Fix histogram code when expression has same var as value
tracing: Remove open-coding of hist trigger var_ref management
tracing: Use hist trigger's var_ref array to destroy var_refs
net/sonic: Prevent tx watchdog timeout
net/sonic: Fix CAM initialization
net/sonic: Fix command register usage
net/sonic: Quiesce SONIC before re-initializing descriptor memory
net/sonic: Fix receive buffer replenishment
net/sonic: Improve receive descriptor status flag check
net/sonic: Avoid needless receive descriptor EOL flag updates
net/sonic: Fix receive buffer handling
net/sonic: Fix interface error stats collection
net/sonic: Use MMIO accessors
net/sonic: Clear interrupt flags immediately
net/sonic: Add mutual exclusion for accessing shared state
do_last(): fetch directory ->i_mode and ->i_uid before it's too late
tracing: xen: Ordered comparison of function pointers
scsi: RDMA/isert: Fix a recently introduced regression related to logout
hwmon: (nct7802) Fix voltage limits to wrong registers
netfilter: nft_osf: add missing check for DREG attribute
Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register
Input: pegasus_notetaker - fix endpoint sanity check
Input: aiptek - fix endpoint sanity check
Input: gtco - fix endpoint sanity check
Input: sur40 - fix interface sanity checks
Input: pm8xxx-vib - fix handling of separate enable register
Documentation: Document arm64 kpti control
mmc: sdhci: fix minimum clock rate for v3 controller
mmc: tegra: fix SDR50 tuning override
ARM: 8950/1: ftrace/recordmcount: filter relocation types
Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers"
Input: keyspan-remote - fix control-message timeouts
tracing: trigger: Replace unneeded RCU-list traversals
PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken
hwmon: (core) Do not use device managed functions for memory allocations
hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
afs: Fix characters allowed into cell names
tun: add mutex_unlock() call and napi.skb clearing in tun_get_user()
tcp: do not leave dangling pointers in tp->highest_sack
tcp_bbr: improve arithmetic division in bbr_update_bw()
Revert "udp: do rmem bulk free even if the rx sk queue is empty"
net: usb: lan78xx: Add .ndo_features_check
net-sysfs: Fix reference count leak
net-sysfs: Call dev_hold always in rx_queue_add_kobject
net-sysfs: Call dev_hold always in netdev_queue_add_kobject
net-sysfs: fix netdev_queue_add_kobject() breakage
net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
net_sched: fix datalen for ematch
net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
net, ip_tunnel: fix namespaces move
net, ip6_tunnel: fix namespaces move
net: ip6_gre: fix moving ip6gre between namespaces
net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
net: bcmgenet: Use netif_tx_napi_add() for TX NAPI
ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions
gtp: make sure only SOCK_DGRAM UDP sockets are accepted
firestream: fix memory leaks
can, slip: Protect tty->disc_data in write_wakeup and close with RCU
ANDROID: update abi definitions
UPSTREAM: staging: most: net: fix buffer overflow
ANDROID: gki_defconfig: Enable CONFIG_BTT
ANDROID: gki_defconfig: Temporarily disable CFI
f2fs: fix race conditions in ->d_compare() and ->d_hash()
f2fs: fix dcache lookup of !casefolded directories
f2fs: Add f2fs stats to sysfs
f2fs: delete duplicate information on sysfs nodes
f2fs: change to use rwsem for gc_mutex
f2fs: update f2fs document regarding to fsync_mode
f2fs: add a way to turn off ipu bio cache
f2fs: code cleanup for f2fs_statfs_project()
f2fs: fix miscounted block limit in f2fs_statfs_project()
f2fs: show the CP_PAUSE reason in checkpoint traces
f2fs: fix deadlock allocating bio_post_read_ctx from mempool
f2fs: remove unneeded check for error allocating bio_post_read_ctx
f2fs: convert inline_dir early before starting rename
f2fs: fix memleak of kobject
f2fs: fix to add swap extent correctly
mm: export add_swap_extent()
f2fs: run fsck when getting bad inode during GC
f2fs: support data compression
f2fs: free sysfs kobject
f2fs: declare nested quota_sem and remove unnecessary sems
f2fs: don't put new_page twice in f2fs_rename
f2fs: set I_LINKABLE early to avoid wrong access by vfs
f2fs: don't keep META_MAPPING pages used for moving verity file blocks
f2fs: introduce private bioset
f2fs: cleanup duplicate stats for atomic files
f2fs: set GFP_NOFS when moving inline dentries
f2fs: should avoid recursive filesystem ops
f2fs: keep quota data on write_begin failure
f2fs: call f2fs_balance_fs outside of locked page
f2fs: preallocate DIO blocks when forcing buffered_io
Linux 4.19.99
m68k: Call timer_interrupt() with interrupts disabled
arm64: dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node
serial: stm32: fix clearing interrupt error flags
IB/iser: Fix dma_nents type definition
usb: dwc3: Allow building USB_DWC3_QCOM without EXTCON
samples/bpf: Fix broken xdp_rxq_info due to map order assumptions
arm64: dts: juno: Fix UART frequency
drm/radeon: fix bad DMA from INTERRUPT_CNTL2
dmaengine: ti: edma: fix missed failure handling
afs: Remove set but not used variables 'before', 'after'
affs: fix a memory leak in affs_remount
mmc: core: fix wl1251 sdio quirks
mmc: sdio: fix wl1251 vendor id
i2c: stm32f7: report dma error during probe
packet: fix data-race in fanout_flow_is_huge()
net: neigh: use long type to store jiffies delta
hv_netvsc: flag software created hash value
MIPS: Loongson: Fix return value of loongson_hwmon_init
dpaa_eth: avoid timestamp read on error paths
dpaa_eth: perform DMA unmapping before read
hwrng: omap3-rom - Fix missing clock by probing with device tree
drm: panel-lvds: Potential Oops in probe error handling
afs: Fix large file support
hv_netvsc: Fix send_table offset in case of a host bug
hv_netvsc: Fix offset usage in netvsc_send_table()
net: qca_spi: Move reset_count to struct qcaspi
afs: Fix missing timeout reset
bpf, offload: Unlock on error in bpf_offload_dev_create()
xsk: Fix registration of Rx-only sockets
net: netem: correct the parent's backlog when corrupted packet was dropped
net: netem: fix error path for corrupted GSO frames
arm64: hibernate: check pgd table allocation
firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices
dmaengine: imx-sdma: fix size check for sdma script_number
vhost/test: stop device before reset
drm/msm/dsi: Implement reset correctly
net/smc: receive pending data after RCV_SHUTDOWN
net/smc: receive returns without data
tcp: annotate lockless access to tcp_memory_pressure
net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
net: avoid possible false sharing in sk_leave_memory_pressure()
act_mirred: Fix mirred_init_module error handling
s390/qeth: Fix initialization of vnicc cmd masks during set online
s390/qeth: Fix error handling during VNICC initialization
sctp: add chunks to sk_backlog when the newsk sk_socket is not set
net: stmmac: fix disabling flexible PPS output
net: stmmac: fix length of PTP clock's name string
ip6erspan: remove the incorrect mtu limit for ip6erspan
llc: fix sk_buff refcounting in llc_conn_state_process()
llc: fix another potential sk_buff leak in llc_ui_sendmsg()
mac80211: accept deauth frames in IBSS mode
rxrpc: Fix trace-after-put looking at the put connection record
net: stmmac: gmac4+: Not all Unicast addresses may be available
nvme: retain split access workaround for capability reads
net: sched: cbs: Avoid division by zero when calculating the port rate
net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse()
net: nixge: Fix a signedness bug in nixge_probe()
of: mdio: Fix a signedness bug in of_phy_get_and_connect()
net: axienet: fix a signedness bug in probe
net: stmmac: dwmac-meson8b: Fix signedness bug in probe
net: socionext: Fix a signedness bug in ave_probe()
net: netsec: Fix signedness bug in netsec_probe()
net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe()
net: hisilicon: Fix signedness bug in hix5hd2_dev_probe()
cxgb4: Signedness bug in init_one()
net: aquantia: Fix aq_vec_isr_legacy() return value
iommu/amd: Wait for completion of IOTLB flush in attach_device
crypto: hisilicon - Matching the dma address for dma_pool_free()
bpf: fix BTF limits
powerpc/mm/mce: Keep irqs disabled during lockless page table walk
clk: actions: Fix factor clk struct member access
mailbox: qcom-apcs: fix max_register value
f2fs: fix to avoid accessing uninitialized field of inode page in is_alive()
bnxt_en: Increase timeout for HWRM_DBG_COREDUMP_XX commands
um: Fix off by one error in IRQ enumeration
net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
RDMA/cma: Fix false error message
ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
gpio/aspeed: Fix incorrect number of banks
pinctrl: iproc-gpio: Fix incorrect pinconf configurations
net: sonic: replace dev_kfree_skb in sonic_send_packet
hwmon: (shtc1) fix shtc1 and shtw1 id mask
ixgbe: sync the first fragment unconditionally
btrfs: use correct count in btrfs_file_write_iter()
Btrfs: fix inode cache waiters hanging on path allocation failure
Btrfs: fix inode cache waiters hanging on failure to start caching thread
Btrfs: fix hang when loading existing inode cache off disk
scsi: fnic: fix msix interrupt allocation
f2fs: fix error path of f2fs_convert_inline_page()
f2fs: fix wrong error injection path in inc_valid_block_count()
ARM: dts: logicpd-som-lv: Fix i2c2 and i2c3 Pin mux
rtlwifi: Fix file release memory leak
net: hns3: fix error VF index when setting VLAN offload
net: sonic: return NETDEV_TX_OK if failed to map buffer
led: triggers: Fix dereferencing of null pointer
xsk: avoid store-tearing when assigning umem
xsk: avoid store-tearing when assigning queues
ARM: dts: aspeed-g5: Fixe gpio-ranges upper limit
tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs
wcn36xx: use dynamic allocation for large variables
ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
netfilter: ctnetlink: honor IPS_OFFLOAD flag
iio: dac: ad5380: fix incorrect assignment to val
bcache: Fix an error code in bch_dump_read()
usb: typec: tps6598x: Fix build error without CONFIG_REGMAP_I2C
bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
irqdomain: Add the missing assignment of domain->fwnode for named fwnode
staging: greybus: light: fix a couple double frees
x86, perf: Fix the dependency of the x86 insn decoder selftest
power: supply: Init device wakeup after device_add()
net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate
hwmon: (lm75) Fix write operations for negative temperatures
Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()"
rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]
ahci: Do not export local variable ahci_em_messages
iommu/mediatek: Fix iova_to_phys PA start for 4GB mode
media: em28xx: Fix exception handling in em28xx_alloc_urbs()
mips: avoid explicit UB in assignment of mips_io_port_base
rtc: pcf2127: bugfix: read rtc disables watchdog
ARM: 8896/1: VDSO: Don't leak kernel addresses
media: atmel: atmel-isi: fix timeout value for stop streaming
i40e: reduce stack usage in i40e_set_fc
mac80211: minstrel_ht: fix per-group max throughput rate initialization
rtc: rv3029: revert error handling patch to rv3029_eeprom_write()
dmaengine: dw: platform: Switch to acpi_dma_controller_register()
ASoC: sun4i-i2s: RX and TX counter registers are swapped
powerpc/64s/radix: Fix memory hot-unplug page table split
signal: Allow cifs and drbd to receive their terminating signals
bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails
drm: rcar-du: lvds: Fix bridge_to_rcar_lvds
tools: bpftool: fix format strings and arguments for jsonw_printf()
tools: bpftool: fix arguments for p_err() in do_event_pipe()
net/rds: Add a few missing rds_stat_names entries
ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls
ASoC: cs4349: Use PM ops 'cs4349_runtime_pm'
ASoC: es8328: Fix copy-paste error in es8328_right_line_controls
RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver
RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver
ext4: set error return correctly when ext4_htree_store_dirent fails
crypto: caam - free resources in case caam_rng registration failed
cxgb4: smt: Add lock for atomic_dec_and_test
spi: bcm-qspi: Fix BSPI QUAD and DUAL mode support when using flex mode
net: fix bpf_xdp_adjust_head regression for generic-XDP
iio: tsl2772: Use devm_add_action_or_reset for tsl2772_chip_off
cifs: fix rmmod regression in cifs.ko caused by force_sig changes
net/mlx5: Fix mlx5_ifc_query_lag_out_bits
ARM: dts: stm32: add missing vdda-supply to adc on stm32h743i-eval
tipc: reduce risk of wakeup queue starvation
arm64: dts: renesas: r8a77995: Fix register range of display node
ALSA: aoa: onyx: always initialize register read value
crypto: ccp - Reduce maximum stack usage
x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI
mic: avoid statically declaring a 'struct device'.
media: rcar-vin: Clean up correct notifier in error path
usb: host: xhci-hub: fix extra endianness conversion
qed: reduce maximum stack frame size
libertas_tf: Use correct channel range in lbtf_geo_init
PM: sleep: Fix possible overflow in pm_system_cancel_wakeup()
clk: sunxi-ng: v3s: add the missing PLL_DDR1
drm/panel: make drm_panel.h self-contained
xfrm interface: ifname may be wrong in logs
scsi: libfc: fix null pointer dereference on a null lport
ARM: stm32: use "depends on" instead of "if" after prompt
xdp: fix possible cq entry leak
x86/pgtable/32: Fix LOWMEM_PAGES constant
net/tls: fix socket wmem accounting on fallback with netem
net: pasemi: fix an use-after-free in pasemi_mac_phy_init()
ceph: fix "ceph.dir.rctime" vxattr value
PCI: mobiveil: Fix the valid check for inbound and outbound windows
PCI: mobiveil: Fix devfn check in mobiveil_pcie_valid_device()
PCI: mobiveil: Remove the flag MSI_FLAG_MULTI_PCI_MSI
RDMA/hns: Fixs hw access invalid dma memory error
fsi: sbefifo: Don't fail operations when in SBE IPL state
devres: allow const resource arguments
fsi/core: Fix error paths on CFAM init
ACPI: PM: Introduce "poweroff" callbacks for ACPI PM domain and LPSS
ACPI: PM: Simplify and fix PM domain hibernation callbacks
PM: ACPI/PCI: Resume all devices during hibernation
um: Fix IRQ controller regression on console read
xprtrdma: Fix use-after-free in rpcrdma_post_recvs
rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
mfd: intel-lpss: Release IDA resources
iommu/amd: Make iommu_disable safer
bnxt_en: Suppress error messages when querying DSCP DCB capabilities.
bnxt_en: Fix ethtool selftest crash under error conditions.
fork,memcg: alloc_thread_stack_node needs to set tsk->stack
backlight: pwm_bl: Fix heuristic to determine number of brightness levels
tools: bpftool: use correct argument in cgroup errors
nvmem: imx-ocotp: Change TIMING calculation to u-boot algorithm
nvmem: imx-ocotp: Ensure WAIT bits are preserved when setting timing
clk: qcom: Fix -Wunused-const-variable
dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width"
perf/ioctl: Add check for the sample_period value
ip6_fib: Don't discard nodes with valid routing information in fib6_locate_1()
drm/msm/a3xx: remove TPL1 regs from snapshot
arm64: dts: allwinner: h6: Pine H64: Add interrupt line for RTC
net/sched: cbs: Fix error path of cbs_module_init
ARM: dts: iwg20d-q7-common: Fix SDHI1 VccQ regularor
rtc: pcf8563: Clear event flags and disable interrupts before requesting irq
rtc: pcf8563: Fix interrupt trigger method
ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
net/af_iucv: always register net_device notifier
net/af_iucv: build proper skbs for HiperTransport
net/udp_gso: Allow TX timestamp with UDP GSO
net: netem: fix backlog accounting for corrupted GSO frames
drm/msm/mdp5: Fix mdp5_cfg_init error return
IB/hfi1: Handle port down properly in pio
bpf: fix the check that forwarding is enabled in bpf_ipv6_fib_lookup
powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration
powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
qed: iWARP - fix uninitialized callback
qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state
ASoC: meson: axg-tdmout: right_j is not supported
ASoC: meson: axg-tdmin: right_j is not supported
ntb_hw_switchtec: potential shift wrapping bug in switchtec_ntb_init_sndev()
firmware: arm_scmi: update rate_discrete in clock_describe_rates_get
firmware: arm_scmi: fix bitfield definitions for SENSOR_DESC attributes
phy: usb: phy-brcm-usb: Remove sysfs attributes upon driver removal
iommu/vt-d: Duplicate iommu_resv_region objects per device list
arm64: dts: meson-gxm-khadas-vim2: fix Bluetooth support
arm64: dts: meson-gxm-khadas-vim2: fix gpio-keys-polled node
serial: stm32: fix a recursive locking in stm32_config_rs485
mpls: fix warning with multi-label encap
arm64: dts: renesas: ebisu: Remove renesas, no-ether-link property
crypto: inside-secure - fix queued len computation
crypto: inside-secure - fix zeroing of the request in ahash_exit_inv
media: vivid: fix incorrect assignment operation when setting video mode
clk: sunxi-ng: sun50i-h6-r: Fix incorrect W1 clock gate register
cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency
cpufreq: brcmstb-avs-cpufreq: Fix initial command check
phy: qcom-qusb2: fix missing assignment of ret when calling clk_prepare_enable
net: don't clear sock->sk early to avoid trouble in strparser
RDMA/uverbs: check for allocation failure in uapi_add_elm()
net: core: support XDP generic on stacked devices.
netvsc: unshare skb in VF rx handler
crypto: talitos - fix AEAD processing.
net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector
inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig
signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig
iommu: Use right function to get group for device
iommu: Add missing new line for dma type
misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa
serial: stm32: fix wakeup source initialization
serial: stm32: Add support of TC bit status check
serial: stm32: fix transmit_chars when tx is stopped
serial: stm32: fix rx data length when parity enabled
serial: stm32: fix rx error handling
serial: stm32: fix word length configuration
crypto: ccp - Fix 3DES complaint from ccp-crypto module
crypto: ccp - fix AES CFB error exposed by new test vectors
spi: spi-fsl-spi: call spi_finalize_current_message() at the end
RDMA/qedr: Fix incorrect device rate.
arm64: dts: meson: libretech-cc: set eMMC as removable
dmaengine: tegra210-adma: Fix crash during probe
clk: meson: axg: spread spectrum is on mpll2
clk: meson: gxbb: no spread spectrum on mpll0
ARM: dts: sun8i-h3: Fix wifi in Beelink X2 DT
afs: Fix double inc of vnode->cb_break
afs: Fix lock-wait/callback-break double locking
afs: Don't invalidate callback if AFS_VNODE_DIR_VALID not set
afs: Fix key leak in afs_release() and afs_evict_inode()
EDAC/mc: Fix edac_mc_find() in case no device is found
thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
thermal: rcar_gen3_thermal: fix interrupt type
backlight: lm3630a: Return 0 on success in update_status functions
netfilter: nf_tables: correct NFT_LOGLEVEL_MAX value
kdb: do a sanity check on the cpu in kdb_per_cpu()
nfp: bpf: fix static check error through tightening shift amount adjustment
ARM: riscpc: fix lack of keyboard interrupts after irq conversion
pwm: meson: Don't disable PWM when setting duty repeatedly
pwm: meson: Consider 128 a valid pre-divider
netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
crypto: caam - fix caam_dump_sg that iterates through scatterlist
platform/x86: alienware-wmi: printing the wrong error code
media: davinci/vpbe: array underflow in vpbe_enum_outputs()
media: omap_vout: potential buffer overflow in vidioc_dqbuf()
ALSA: aica: Fix a long-time build breakage
l2tp: Fix possible NULL pointer dereference
vfio/mdev: Fix aborting mdev child device removal if one fails
vfio/mdev: Follow correct remove sequence
vfio/mdev: Avoid release parent reference during error path
afs: Fix the afs.cell and afs.volume xattr handlers
ath10k: Fix encoding for protected management frames
lightnvm: pblk: fix lock order in pblk_rb_tear_down_check
mmc: core: fix possible use after free of host
watchdog: rtd119x_wdt: Fix remove function
dmaengine: tegra210-adma: restore channel status
net: ena: fix ena_com_fill_hash_function() implementation
net: ena: fix incorrect test of supported hash function
net: ena: fix: Free napi resources when ena_up() fails
net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry
iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU
RDMA/rxe: Consider skb reserve space based on netdev of GID
IB/mlx5: Add missing XRC options to QP optional params mask
dwc2: gadget: Fix completed transfer size calculation in DDMA
usb: gadget: fsl: fix link error against usb-gadget module
ASoC: fix valid stream condition
packet: in recvmsg msg_name return at least sizeof sockaddr_ll
ARM: dts: logicpd-som-lv: Fix MMC1 card detect
PCI: iproc: Enable iProc config read for PAXBv2
netfilter: nft_flow_offload: add entry to flowtable after confirmation
KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest
scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory
scsi: qla2xxx: Fix error handling in qlt_alloc_qfull_cmd()
scsi: qla2xxx: Fix a format specifier
irqchip/gic-v3-its: fix some definitions of inner cacheability attributes
s390/kexec_file: Fix potential segment overlap in ELF loader
coresight: catu: fix clang build warning
NFS: Don't interrupt file writeout due to fatal errors
afs: Further fix file locking
afs: Fix AFS file locking to allow fine grained locks
ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
dmaengine: axi-dmac: Don't check the number of frames for alignment
6lowpan: Off by one handling ->nexthdr
media: ov2659: fix unbalanced mutex_lock/unlock
ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect
powerpc: vdso: Make vdso32 installation conditional in vdso_install
net: hns3: fix loop condition of hns3_get_tx_timeo_queue_info()
selftests/ipc: Fix msgque compiler warnings
usb: typec: tcpm: Notify the tcpc to start connection-detection for SRPs
tipc: set sysctl_tipc_rmem and named_timeout right range
platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer
soc: amlogic: meson-gx-pwrc-vpu: Fix power on/off register bitmask
PCI: dwc: Fix dw_pcie_ep_find_capability() to return correct capability offset
staging: android: vsoc: fix copy_from_user overrun
perf/core: Fix the address filtering fix
hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
net: hns3: fix for vport->bw_limit overflow problem
PCI: rockchip: Fix rockchip_pcie_ep_assert_intx() bitwise operations
ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
brcmfmac: fix leak of mypkt on error return path
scsi: target/core: Fix a race condition in the LUN lookup code
rxrpc: Fix detection of out of order acks
firmware: arm_scmi: fix of_node leak in scmi_mailbox_check
ACPI: button: reinitialize button state upon resume
clk: qcom: Skip halt checks on gcc_pcie_0_pipe_clk for 8998
net/sched: cbs: fix port_rate miscalculation
of: use correct function prototype for of_overlay_fdt_apply()
scsi: qla2xxx: Unregister chrdev if module initialization fails
drm/vmwgfx: Remove set but not used variable 'restart'
bpf: Add missed newline in verifier verbose log
ehea: Fix a copy-paste err in ehea_init_port_res
rtc: mt6397: Don't call irq_dispose_mapping.
rtc: Fix timestamp value for RTC_TIMESTAMP_BEGIN_1900
arm64/vdso: don't leak kernel addresses
drm/fb-helper: generic: Call drm_client_add() after setup is done
spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios
soc/fsl/qe: Fix an error code in qe_pin_request()
bus: ti-sysc: Fix sysc_unprepare() when no clocks have been allocated
spi: tegra114: configure dma burst size to fifo trig level
spi: tegra114: flush fifos
spi: tegra114: terminate dma and reset on transfer timeout
spi: tegra114: fix for unpacked mode transfers
spi: tegra114: clear packed bit for unpacked mode
media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
media: davinci-isif: avoid uninitialized variable use
soc: qcom: cmd-db: Fix an error code in cmd_db_dev_probe()
net: dsa: Avoid null pointer when failing to connect to PHY
ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset()
net: phy: don't clear BMCR in genphy_soft_reset
ARM: dts: sun9i: optimus: Fix fixed-regulators
arm64: dts: allwinner: a64: Add missing PIO clocks
ARM: dts: sun8i: a33: Reintroduce default pinctrl muxing
m68k: mac: Fix VIA timer counter accesses
tipc: tipc clang warning
jfs: fix bogus variable self-initialization
crypto: ccree - reduce kernel stack usage with clang
regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB
media: cx23885: check allocation return
media: wl128x: Fix an error code in fm_download_firmware()
media: cx18: update *pos correctly in cx18_read_pos()
media: ivtv: update *pos correctly in ivtv_read_pos()
soc: amlogic: gx-socinfo: Add mask for each SoC packages
regulator: lp87565: Fix missing register for LP87565_BUCK_0
net: sh_eth: fix a missing check of of_get_phy_mode
net/mlx5e: IPoIB, Fix RX checksum statistics update
net/mlx5: Fix multiple updates of steering rules in parallel
xen, cpu_hotplug: Prevent an out of bounds access
drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
nfp: fix simple vNIC mailbox length
scsi: megaraid_sas: reduce module load time
x86/mm: Remove unused variable 'cpu'
nios2: ksyms: Add missing symbol exports
PCI: Fix "try" semantics of bus and slot reset
rbd: clear ->xferred on error from rbd_obj_issue_copyup()
media: dvb/earth-pt1: fix wrong initialization for demod blocks
powerpc/mm: Check secondary hash page table
net: aquantia: fixed instack structure overflow
NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE()
NFS: Add missing encode / decode sequence_maxsz to v4.2 operations
iommu/vt-d: Fix NULL pointer reference in intel_svm_bind_mm()
hwrng: bcm2835 - fix probe as platform device
net: sched: act_csum: Fix csum calc for tagged packets
netfilter: nft_set_hash: bogus element self comparison from deactivation path
netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
ath10k: Fix length of wmi tlv command for protected mgmt frames
regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
ARM: 8849/1: NOMMU: Fix encodings for PMSAv8's PRBAR4/PRLAR4
ARM: 8848/1: virt: Align GIC version check with arm64 counterpart
ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used
iommu: Fix IOMMU debugfs fallout
mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe
NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount
platform/x86: wmi: fix potential null pointer dereference
clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
perf, pt, coresight: Fix address filters for vmas with non-zero offset
perf: Copy parent's address filter offsets on clone
NFS: Fix a soft lockup in the delegation recovery code
powerpc/64s: Fix logic when handling unknown CPU features
staging: rtlwifi: Use proper enum for return in halmac_parse_psd_data_88xx
fs/nfs: Fix nfs_parse_devname to not modify it's argument
net: dsa: fix unintended change of bridge interface STP state
ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()
driver core: Fix PM-runtime for links added during consumer probe
drm/nouveau: fix missing break in switch statement
drm/nouveau/pmu: don't print reply values if exec is false
drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON
net/mlx5: Delete unused FPGA QPN variable
net: dsa: qca8k: Enable delay for RGMII_ID mode
regulator: pv88090: Fix array out-of-bounds access
regulator: pv88080: Fix array out-of-bounds access
regulator: pv88060: Fix array out-of-bounds access
brcmfmac: create debugfs files for bus-specific layer
cdc-wdm: pass return value of recover_from_urb_loss
dmaengine: mv_xor: Use correct device for DMA API
staging: r8822be: check kzalloc return or bail
KVM: PPC: Release all hardware TCE tables attached to a group
mdio_bus: Fix PTR_ERR() usage after initialization to constant
hwmon: (pmbus/tps53679) Fix driver info initialization in probe routine
vfio_pci: Enable memory accesses before calling pci_map_rom
media: sh: migor: Include missing dma-mapping header
mt76: usb: fix possible memory leak in mt76u_buf_free
net: dsa: b53: Do not program CPU port's PVID
net: dsa: b53: Properly account for VLAN filtering
net: dsa: b53: Fix default VLAN ID
keys: Timestamp new keys
block: don't use bio->bi_vcnt to figure out segment number
usb: phy: twl6030-usb: fix possible use-after-free on remove
PCI: endpoint: functions: Use memcpy_fromio()/memcpy_toio()
driver core: Fix possible supplier PM-usage counter imbalance
RDMA/mlx5: Fix memory leak in case we fail to add an IB device
pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group
pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
pinctrl: sh-pfc: emev2: Add missing pinmux functions
ntb_hw_switchtec: NT req id mapping table register entry number should be 512
ntb_hw_switchtec: debug print 64bit aligned crosslink BAR Numbers
drm/etnaviv: potential NULL dereference
xsk: add missing smp_rmb() in xsk_mmap
ipmi: kcs_bmc: handle devm_kasprintf() failure case
iw_cxgb4: use tos when finding ipv6 routes
iw_cxgb4: use tos when importing the endpoint
fbdev: chipsfb: remove set but not used variable 'size'
rtc: pm8xxx: fix unintended sign extension
rtc: 88pm80x: fix unintended sign extension
rtc: 88pm860x: fix unintended sign extension
net/smc: original socket family in inet_sock_diag
rtc: ds1307: rx8130: Fix alarm handling
net: phy: fixed_phy: Fix fixed_phy not checking GPIO
ath10k: fix dma unmap direction for management frames
arm64: dts: msm8916: remove bogus argument to the cpu clock
thermal: mediatek: fix register index error
rtc: ds1672: fix unintended sign extension
clk: ingenic: jz4740: Fix gating of UDC clock
staging: most: cdev: add missing check for cdev_add failure
iwlwifi: mvm: fix RSS config command
drm/xen-front: Fix mmap attributes for display buffers
ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant
ARM: dts: lpc32xx: reparent keypad controller to SIC1
ARM: dts: lpc32xx: add required clocks property to keypad device node
driver core: Do not call rpm_put_suppliers() in pm_runtime_drop_link()
driver core: Fix handling of runtime PM flags in device_link_add()
driver core: Do not resume suppliers under device_links_write_lock()
driver core: Avoid careless re-use of existing device links
driver core: Fix DL_FLAG_AUTOREMOVE_SUPPLIER device link flag handling
crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
driver: uio: fix possible use-after-free in __uio_register_device
driver: uio: fix possible memory leak in __uio_register_device
tty: ipwireless: Fix potential NULL pointer dereference
bus: ti-sysc: Fix timer handling with drop pm_runtime_irq_safe()
iwlwifi: mvm: fix A-MPDU reference assignment
arm64: dts: allwinner: h6: Move GIC device node fix base address ordering
ip_tunnel: Fix route fl4 init in ip_md_tunnel_xmit
net/mlx5: Take lock with IRQs disabled to avoid deadlock
iwlwifi: mvm: avoid possible access out of array.
clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it
ARM: dts: sun8i-a23-a33: Move NAND controller device node to sort by address
net: hns3: fix bug of ethtool_ops.get_channels for VF
spi/topcliff_pch: Fix potential NULL dereference on allocation error
rtc: cmos: ignore bogus century byte
IB/mlx5: Don't override existing ip_protocol
media: tw9910: Unregister subdevice with v4l2-async
net: hns3: fix wrong combined count returned by ethtool -l
IB/iser: Pass the correct number of entries for dma mapped SGL
ASoC: imx-sgtl5000: put of nodes if finding codec fails
crypto: tgr192 - fix unaligned memory access
crypto: brcm - Fix some set-but-not-used warning
kbuild: mark prepare0 as PHONY to fix external module build
media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump()
memory: tegra: Don't invoke Tegra30+ specific memory timing setup on Tegra20
net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031
RDMA/iw_cxgb4: Fix the unchecked ep dereference
spi: cadence: Correct initialisation of runtime PM
arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD
drm/shmob: Fix return value check in shmob_drm_probe
RDMA/qedr: Fix out of bounds index check in query pkey
RDMA/ocrdma: Fix out of bounds index check in query pkey
IB/usnic: Fix out of bounds index check in query pkey
fork, memcg: fix cached_stacks case
drm/fb-helper: generic: Fix setup error path
drm/etnaviv: fix some off by one bugs
ARM: dts: r8a7743: Remove generic compatible string from iic3
drm: Fix error handling in drm_legacy_addctx
remoteproc: qcom: q6v5-mss: Add missing regulator for MSM8996
remoteproc: qcom: q6v5-mss: Add missing clocks for MSM8996
arm64: defconfig: Re-enable bcm2835-thermal driver
MIPS: BCM63XX: drop unused and broken DSP platform device
clk: dove: fix refcount leak in dove_clk_init()
clk: mv98dx3236: fix refcount leak in mv98dx3236_clk_init()
clk: armada-xp: fix refcount leak in axp_clk_init()
clk: kirkwood: fix refcount leak in kirkwood_clk_init()
clk: armada-370: fix refcount leak in a370_clk_init()
clk: vf610: fix refcount leak in vf610_clocks_init()
clk: imx7d: fix refcount leak in imx7d_clocks_init()
clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
clk: imx6q: fix refcount leak in imx6q_clocks_init()
clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
clk: socfpga: fix refcount leak
clk: ti: fix refcount leak in ti_dt_clocks_register()
clk: qoriq: fix refcount leak in clockgen_init()
clk: highbank: fix refcount leak in hb_clk_init()
fork,memcg: fix crash in free_thread_stack on memcg charge fail
Input: nomadik-ske-keypad - fix a loop timeout test
vxlan: changelink: Fix handling of default remotes
net: hns3: fix error handling int the hns3_get_vector_ring_chain
pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value
pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field
pinctrl: sh-pfc: r8a77995: Remove bogus SEL_PWM[0-3]_3 configurations
pinctrl: sh-pfc: sh7734: Add missing IPSR11 field
pinctrl: sh-pfc: r8a77980: Add missing MOD_SEL0 field
pinctrl: sh-pfc: r8a77970: Add missing MOD_SEL0 field
pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field
pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group
pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group
pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group
pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group
pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group
ipv6: add missing tx timestamping on IPPROTO_RAW
switchtec: Remove immediate status check after submitting MRPC command
staging: bcm2835-camera: fix module autoloading
staging: bcm2835-camera: Abort probe if there is no camera
mailbox: ti-msgmgr: Off by one in ti_msgmgr_of_xlate()
IB/rxe: Fix incorrect cache cleanup in error flow
OPP: Fix missing debugfs supply directory for OPPs
IB/hfi1: Correctly process FECN and BECN in packets
net: phy: Fix not to call phy_resume() if PHY is not attached
arm64: dts: renesas: r8a7795-es1: Add missing power domains to IPMMU nodes
arm64: dts: meson-gx: Add hdmi_5v regulator as hdmi tx supply
drm/dp_mst: Skip validating ports during destruction, just ref
net: always initialize pagedlen
drm: rcar-du: Fix vblank initialization
drm: rcar-du: Fix the return value in case of error in 'rcar_du_crtc_set_crc_source()'
exportfs: fix 'passing zero to ERR_PTR()' warning
bus: ti-sysc: Add mcasp optional clocks flag
pinctrl: meson-gxl: remove invalid GPIOX tsin_a pins
ASoC: sun8i-codec: add missing route for ADC
pcrypt: use format specifier in kobject_add
ARM: dts: bcm283x: Correct mailbox register sizes
ASoC: wm97xx: fix uninitialized regmap pointer problem
NTB: ntb_hw_idt: replace IS_ERR_OR_NULL with regular NULL checks
mlxsw: spectrum: Set minimum shaper on MC TCs
mlxsw: reg: QEEC: Add minimum shaper fields
net: hns3: add error handler for hns3_nic_init_vector_data()
drm/sun4i: hdmi: Fix double flag assignation
net: socionext: Add dummy PHY register read in phy_write()
tipc: eliminate message disordering during binding table update
powerpc/kgdb: add kgdb_arch_set/remove_breakpoint()
netfilter: nf_flow_table: do not remove offload when other netns's interface is down
RDMA/bnxt_re: Add missing spin lock initialization
rtlwifi: rtl8821ae: replace _rtl8821ae_mrate_idx_to_arfr_id with generic version
powerpc/pseries/memory-hotplug: Fix return value type of find_aa_index
pwm: lpss: Release runtime-pm reference from the driver's remove callback
netfilter: nft_osf: usage from output path is not valid
staging: comedi: ni_mio_common: protect register write overflow
iwlwifi: nvm: get num of hw addresses from firmware
ALSA: usb-audio: update quirk for B&W PX to remove microphone
of: Fix property name in of_node_get_device_type
drm/msm: fix unsigned comparison with less than zero
mei: replace POLL* with EPOLL* for write queues.
cfg80211: regulatory: make initialization more robust
usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure
usb: dwc3: add EXTCON dependency for qcom
genirq/debugfs: Reinstate full OF path for domain name
IB/hfi1: Add mtu check for operational data VLs
IB/rxe: replace kvfree with vfree
mailbox: mediatek: Add check for possible failure of kzalloc
ASoC: wm9712: fix unused variable warning
signal/ia64: Use the force_sig(SIGSEGV,...) in ia64_rt_sigreturn
signal/ia64: Use the generic force_sigsegv in setup_frame
drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
bridge: br_arp_nd_proxy: set icmp6_router if neigh has NTF_ROUTER
PCI: iproc: Remove PAXC slot check to allow VF support
firmware: coreboot: Let OF core populate platform device
ARM: qcom_defconfig: Enable MAILBOX
apparmor: don't try to replace stale label in ptrace access check
ALSA: hda: fix unused variable warning
apparmor: Fix network performance issue in aa_label_sk_perm
iio: fix position relative kernel version
drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
ixgbe: don't clear IPsec sa counters on HW clearing
ARM: dts: at91: nattis: make the SD-card slot work
ARM: dts: at91: nattis: set the PRLUD and HIPOW signals low
drm/sti: do not remove the drm_bridge that was never added
ipmi: Fix memory leak in __ipmi_bmc_register
watchdog: sprd: Fix the incorrect pointer getting from driver data
soc: aspeed: Fix snoop_file_poll()'s return type
perf map: No need to adjust the long name of modules
crypto: sun4i-ss - fix big endian issues
mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
tipc: fix wrong timeout input for tipc_wait_for_cond()
tipc: update mon's self addr when node addr generated
powerpc/archrandom: fix arch_get_random_seed_int()
powerpc/pseries: Enable support for ibm,drc-info property
SUNRPC: Fix svcauth_gss_proxy_init()
mfd: intel-lpss: Add default I2C device properties for Gemini Lake
i2c: i2c-stm32f7: fix 10-bits check in slave free id search loop
i2c: stm32f7: rework slave_id allocation
xfs: Sanity check flags of Q_XQUOTARM call
Revert "efi: Fix debugobjects warning on 'efi_rts_work'"
FROMGIT: ext4: Add EXT4_IOC_FSGETXATTR/EXT4_IOC_FSSETXATTR to compat_ioctl.
ANDROID: gki_defconfig: Set IKHEADERS back to =m
ANDROID: gki_defconfig: enable NVDIMM/PMEM options
UPSTREAM: virtio-pmem: Add virtio pmem driver
UPSTREAM: libnvdimm: nd_region flush callback support
UPSTREAM: libnvdimm/of_pmem: Provide a unique name for bus provider
UPSTREAM: libnvdimm/of_pmem: Fix platform_no_drv_owner.cocci warnings
ANDROID: x86: gki_defconfig: enable LTO and CFI
ANDROID: x86: map CFI jump tables in pti_clone_entry_text
ANDROID: BACKPORT: x86, module: Ignore __typeid__ relocations
ANDROID: BACKPORT: x86, relocs: Ignore __typeid__ relocations
ANDROID: BACKPORT: x86/extable: Do not mark exception callback as CFI
FROMLIST: crypto, x86/sha: Eliminate casts on asm implementations
UPSTREAM: crypto: x86 - Rename functions to avoid conflict with crypto/sha256.h
UPSTREAM: x86/vmlinux: Actually use _etext for the end of the text segment
ANDROID: update ABI following inline crypto changes
ANDROID: gki_defconfig: enable dm-default-key
ANDROID: dm: add dm-default-key target for metadata encryption
ANDROID: dm: enable may_passthrough_inline_crypto on some targets
ANDROID: dm: add support for passing through inline crypto support
ANDROID: block: Introduce passthrough keyslot manager
ANDROID: ext4, f2fs: enable direct I/O with inline encryption
FROMLIST: scsi: ufs: add program_key() variant op
ANDROID: block: export symbols needed for modules to use inline crypto
ANDROID: block: fix some inline crypto bugs
UPSTREAM: mm/page_io.c: annotate refault stalls from swap_readpage
UPSTREAM: lib/test_meminit.c: add bulk alloc/free tests
UPSTREAM: lib/test_meminit: add a kmem_cache_alloc_bulk() test
UPSTREAM: mm/slub.c: init_on_free=1 should wipe freelist ptr for bulk allocations
ANDROID: mm/cma.c: Export symbols
ANDROID: gki_defconfig: Set CONFIG_ION=m
ANDROID: lib/plist: Export symbol plist_add
ANDROID: staging: android: ion: enable modularizing the ion driver
Revert "ANDROID: security,perf: Allow further restriction of perf_event_open"
ANDROID: selinux: modify RTM_GETLINK permission
FROMLIST: security: selinux: allow per-file labelling for binderfs
BACKPORT: tracing: Remove unnecessary DEBUG_FS dependency
BACKPORT: debugfs: Fix !DEBUG_FS debugfs_create_automount
ANDROID: update abi for 4.19.98
Linux 4.19.98
hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call
regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id
clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle()
perf probe: Fix wrong address verification
scsi: core: scsi_trace: Use get_unaligned_be*()
scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan
scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI
scsi: target: core: Fix a pr_debug() argument
scsi: bnx2i: fix potential use after free
scsi: qla4xxx: fix double free bug
scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr
drm/nouveau/mmu: qualify vmm during dtor
drm/nouveau/bar/gf100: ensure BAR is mapped
drm/nouveau/bar/nv50: check bar1 vmm return value
mtd: devices: fix mchp23k256 read and write
Revert "arm64: dts: juno: add dma-ranges property"
arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment
tick/sched: Annotate lockless access to last_jiffies_update
cfg80211: check for set_wiphy_params
arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node
cw1200: Fix a signedness bug in cw1200_load_firmware()
irqchip: Place CONFIG_SIFIVE_PLIC into the menu
tcp: refine rule to allow EPOLLOUT generation under mem pressure
xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk
mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters
mlxsw: spectrum: Wipe xstats.backlog of down ports
sh_eth: check sh_eth_cpu_data::dual_port when dumping registers
tcp: fix marked lost packets not being retransmitted
r8152: add missing endpoint sanity check
ptp: free ptp device pin descriptors properly
net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info
net: usb: lan78xx: limit size of local TSO packets
net: hns: fix soft lockup when there is not enough memory
net: dsa: tag_qca: fix doubled Tx statistics
hv_netvsc: Fix memory leak when removing rndis device
macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
batman-adv: Fix DAT candidate selection on little endian systems
NFC: pn533: fix bulk-message timeout
netfilter: nf_tables: fix flowtable list del corruption
netfilter: nf_tables: store transaction list locally while requesting module
netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
netfilter: nft_tunnel: fix null-attribute check
netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
netfilter: fix a use-after-free in mtype_destroy()
cfg80211: fix page refcount issue in A-MSDU decap
cfg80211: fix memory leak in cfg80211_cqm_rssi_update
cfg80211: fix deadlocks in autodisconnect work
bpf: Fix incorrect verifier simulation of ARSH under ALU32
arm64: dts: agilex/stratix10: fix pmu interrupt numbers
mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment
mm/huge_memory.c: make __thp_get_unmapped_area static
net: stmmac: Enable 16KB buffer size
net: stmmac: 16KB buffer must be 16 byte aligned
ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support
ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL
ARM: dts: imx6qdl: Add Engicam i.Core 1.5 MX6
mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio()
btrfs: fix memory leak in qgroup accounting
btrfs: do not delete mismatched root refs
btrfs: fix invalid removal of root ref
btrfs: rework arguments of btrfs_unlink_subvol
mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid
mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment
perf report: Fix incorrectly added dimensions as switch perf data file
perf hists: Fix variable name's inconsistency in hists__for_each() macro
x86/resctrl: Fix potential memory leak
drm/i915: Add missing include file <linux/math64.h>
x86/efistub: Disable paging at mixed mode entry
x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained
x86/resctrl: Fix an imbalance in domain_remove_cpu()
usb: core: hub: Improved device recognition on remote wakeup
ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
LSM: generalize flag passing to security_capable
ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number
block: fix an integer overflow in logical block size
Fix built-in early-load Intel microcode alignment
arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator
ALSA: usb-audio: fix sync-ep altsetting sanity check
ALSA: seq: Fix racy access for queue timer in proc read
ALSA: dice: fix fallback from protocol extension into limited functionality
ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection
ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1
ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1
scsi: mptfusion: Fix double fetch bug in ioctl
scsi: fnic: fix invalid stack access
USB: serial: quatech2: handle unbound ports
USB: serial: keyspan: handle unbound ports
USB: serial: io_edgeport: add missing active-port sanity check
USB: serial: io_edgeport: handle unbound ports on URB completion
USB: serial: ch341: handle unbound port at reset_resume
USB: serial: suppress driver bind attributes
USB: serial: option: add support for Quectel RM500Q in QDL mode
USB: serial: opticon: fix control-message timeouts
USB: serial: option: Add support for Quectel RM500Q
USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
iio: buffer: align the size of scan bytes to size of the largest element
ASoC: msm8916-wcd-digital: Reset RX interpolation path after use
clk: Don't try to enable critical clocks if prepare failed
ARM: dts: imx6q-dhcom: fix rtc compatible
dt-bindings: reset: meson8b: fix duplicate reset IDs
clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs
ARM: dts: meson8: fix the size of the PMU registers
ANDROID: gki: Make GKI specific modules builtins
ANDROID: fscrypt: add support for hardware-wrapped keys
ANDROID: block: add KSM op to derive software secret from wrapped key
ANDROID: block: provide key size as input to inline crypto APIs
ANDROID: ufshcd-crypto: export cap find API
ANDROID: build config for cuttlefish ramdisk
ANDROID: Update ABI representation and whitelist
Linux 4.19.97
ocfs2: call journal flush to mark journal as empty after journal recovery when mount
hexagon: work around compiler crash
hexagon: parenthesize registers in asm predicates
ioat: ioat_alloc_ring() failure handling.
dmaengine: k3dma: Avoid null pointer traversal
drm/arm/mali: make malidp_mw_connector_helper_funcs static
MIPS: Prevent link failure with kcov instrumentation
mips: cacheinfo: report shared CPU map
rseq/selftests: Turn off timeout setting
selftests: firmware: Fix it to do root uid check and skip
scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy()
gpio: mpc8xxx: Add platform device to gpiochip->parent
rtc: brcmstb-waketimer: add missed clk_disable_unprepare
rtc: msm6242: Fix reading of 10-hour digit
f2fs: fix potential overflow
rtlwifi: Remove unnecessary NULL check in rtl_regd_init
spi: atmel: fix handling of cs_change set on non-last xfer
mtd: spi-nor: fix silent truncation in spi_nor_read_raw()
mtd: spi-nor: fix silent truncation in spi_nor_read()
iommu/mediatek: Correct the flush_iotlb_all callback
media: exynos4-is: Fix recursive locking in isp_video_release()
media: v4l: cadence: Fix how unsued lanes are handled in 'csi2rx_start()'
media: rcar-vin: Fix incorrect return statement in rvin_try_format()
media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support
media: ov6650: Fix some format attributes not under control
media: ov6650: Fix incorrect use of JPEG colorspace
tty: serial: pch_uart: correct usage of dma_unmap_sg
tty: serial: imx: use the sg count from dma_map_sg
powerpc/powernv: Disable native PCIe port management
PCI/PTM: Remove spurious "d" from granularity message
PCI: dwc: Fix find_next_bit() usage
compat_ioctl: handle SIOCOUTQNSD
af_unix: add compat_ioctl support
arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD
scsi: sd: enable compat ioctls for sed-opal
pinctrl: lewisburg: Update pin list according to v1.1v6
pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call
clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume
mei: fix modalias documentation
iio: imu: adis16480: assign bias value only if operation succeeded
NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn
NFSv2: Fix a typo in encode_sattr()
crypto: virtio - implement missing support for output IVs
xprtrdma: Fix completion wait during device removal
platform/x86: GPD pocket fan: Use default values when wrong modparams are given
platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI
scsi: enclosure: Fix stale device oops with hot replug
RDMA/srpt: Report the SCSI residual to the initiator
RDMA/mlx5: Return proper error value
btrfs: simplify inode locking for RWF_NOWAIT
drm/ttm: fix incrementing the page pointer for huge pages
drm/ttm: fix start page for huge page check in ttm_put_pages()
afs: Fix missing cell comparison in afs_test_super()
cifs: Adjust indentation in smb2_open_file
s390/qeth: Fix vnicc_is_in_use if rx_bcast not set
s390/qeth: fix false reporting of VNIC CHAR config failure
hsr: reset network header when supervision frame is created
gpio: Fix error message on out-of-range GPIO in lookup table
iommu: Remove device link to group on failure
gpio: zynq: Fix for bug in zynq_gpio_restore_context API
mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy
ASoC: stm32: spdifrx: fix race condition in irq handler
ASoC: stm32: spdifrx: fix inconsistent lock state
ASoC: soc-core: Set dpcm_playback / dpcm_capture
RDMA/bnxt_re: Fix Send Work Entry state check while polling completions
RDMA/bnxt_re: Avoid freeing MR resources if dereg fails
rtc: mt6397: fix alarm register overwrite
drm/i915: Fix use-after-free when destroying GEM context
dccp: Fix memleak in __feat_register_sp
RDMA: Fix goto target to release the allocated memory
iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init
iwlwifi: dbg_ini: fix memory leak in alloc_sgtable
media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
f2fs: check if file namelen exceeds max value
f2fs: check memory boundary by insane namelen
f2fs: Move err variable to function scope in f2fs_fill_dentries()
mac80211: Do not send Layer 2 Update frame before authorization
cfg80211/mac80211: make ieee80211_send_layer2_update a public function
fs/select: avoid clang stack usage warning
ethtool: reduce stack usage with clang
HID: hidraw, uhid: Always report EPOLLOUT
HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
hidraw: Return EPOLLOUT from hidraw_poll
ANDROID: update ABI whitelist
ANDROID: update kernel ABI for CONFIG_DUMMY
GKI: enable CONFIG_DUMMY=y
UPSTREAM: kcov: fix struct layout for kcov_remote_arg
UPSTREAM: vhost, kcov: collect coverage from vhost_worker
UPSTREAM: usb, kcov: collect coverage from hub_event
ANDROID: update kernel ABI for kcov changes
UPSTREAM: kcov: remote coverage support
UPSTREAM: kcov: improve CONFIG_ARCH_HAS_KCOV help text
UPSTREAM: kcov: convert kcov.refcount to refcount_t
UPSTREAM: kcov: no need to check return value of debugfs_create functions
GKI: enable CONFIG_NETFILTER_XT_MATCH_QUOTA2_LOG=y
Linux 4.19.96
drm/i915/gen9: Clear residual context state on context switch
netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
netfilter: conntrack: dccp, sctp: handle null timeout argument
netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
phy: cpcap-usb: Fix flakey host idling and enumerating of devices
phy: cpcap-usb: Fix error path when no host driver is loaded
USB: Fix: Don't skip endpoint descriptors with maxpacket=0
HID: hiddev: fix mess in hiddev_open()
ath10k: fix memory leak
rtl8xxxu: prevent leaking urb
scsi: bfa: release allocated memory in case of error
mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
tty: always relink the port
tty: link tty and port before configuring it as console
serdev: Don't claim unsupported ACPI serial devices
staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713
usb: musb: dma: Correct parameter passed to IRQ handler
usb: musb: Disable pullup at init
usb: musb: fix idling for suspend after disconnect interrupt
USB: serial: option: add ZLP support for 0x1bc7/0x9010
staging: vt6656: set usb_set_intfdata on driver fail.
gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism
gpiolib: acpi: Turn dmi_system_id table into a generic quirk table
can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode
can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
can: kvaser_usb: fix interface sanity check
drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
drm/fb-helper: Round up bits_per_pixel if possible
drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model
Input: input_event - fix struct padding on sparc64
Input: add safety guards to input_set_keycode()
HID: hid-input: clear unmapped usages
HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
HID: Fix slab-out-of-bounds read in hid_field_extract
tracing: Change offset type to s32 in preempt/irq tracepoints
tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen
ALSA: hda/realtek - Set EAPD control to default for ALC222
ALSA: hda/realtek - Add new codec supported for ALCS1200A
ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
usb: chipidea: host: Disable port power only if previously enabled
i2c: fix bus recovery stop mode timing
chardev: Avoid potential use-after-free in 'chrdev_open()'
ANDROID: Enable HID_STEAM, HID_SONY, JOYSTICK_XPAD as y
ANDROID: gki_defconfig: Enable blk-crypto fallback
BACKPORT: FROMLIST: Update Inline Encryption from v5 to v6 of patch series
docs: fs-verity: mention statx() support
f2fs: support STATX_ATTR_VERITY
ext4: support STATX_ATTR_VERITY
statx: define STATX_ATTR_VERITY
docs: fs-verity: document first supported kernel version
f2fs: add support for IV_INO_LBLK_64 encryption policies
ext4: add support for IV_INO_LBLK_64 encryption policies
fscrypt: add support for IV_INO_LBLK_64 policies
fscrypt: avoid data race on fscrypt_mode::logged_impl_name
fscrypt: zeroize fscrypt_info before freeing
fscrypt: remove struct fscrypt_ctx
fscrypt: invoke crypto API for ESSIV handling
Conflicts:
Documentation/devicetree/bindings
Documentation/devicetree/bindings/bus/ti-sysc.txt
Documentation/devicetree/bindings/thermal/thermal.txt
Documentation/sysctl/vm.txt
arch/arm64/mm/mmu.c
block/blk-crypto-fallback.c
block/blk-merge.c
block/keyslot-manager.c
drivers/char/Kconfig
drivers/clk/qcom/clk-rcg2.c
drivers/gpio/gpiolib.c
drivers/hid/hid-quirks.c
drivers/irqchip/Kconfig
drivers/md/Kconfig
drivers/md/dm-default-key.c
drivers/md/dm.c
drivers/nvmem/core.c
drivers/of/Kconfig
drivers/of/fdt.c
drivers/of/irq.c
drivers/scsi/ufs/ufshcd-crypto.c
drivers/scsi/ufs/ufshcd.c
drivers/scsi/ufs/ufshcd.h
drivers/scsi/ufs/ufshci.h
drivers/usb/dwc3/gadget.c
drivers/usb/gadget/composite.c
drivers/usb/gadget/function/f_fs.c
fs/crypto/bio.c
fs/crypto/fname.c
fs/crypto/fscrypt_private.h
fs/crypto/keyring.c
fs/crypto/keysetup.c
fs/f2fs/data.c
fs/f2fs/file.c
include/crypto/skcipher.h
include/linux/gfp.h
include/linux/keyslot-manager.h
include/linux/of_fdt.h
include/sound/soc.h
kernel/sched/cpufreq_schedutil.c
kernel/sched/fair.c
kernel/sched/psi.c
kernel/sched/rt.c
kernel/sched/sched.h
kernel/sched/topology.c
kernel/sched/tune.h
kernel/sysctl.c
mm/compaction.c
mm/page_alloc.c
mm/vmscan.c
security/commoncap.c
security/selinux/avc.c
Change-Id: I9a08175c4892e533ecde8da847f75dc4874b303a
Signed-off-by: Ivaylo Georgiev <irgeorgiev@codeaurora.org>
6203 lines
178 KiB
C
6203 lines
178 KiB
C
/* binder.c
|
|
*
|
|
* Android IPC Subsystem
|
|
*
|
|
* Copyright (C) 2007-2008 Google, Inc.
|
|
*
|
|
* This software is licensed under the terms of the GNU General Public
|
|
* License version 2, as published by the Free Software Foundation, and
|
|
* may be copied, distributed, and modified under those terms.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
*/
|
|
|
|
/*
|
|
* Locking overview
|
|
*
|
|
* There are 3 main spinlocks which must be acquired in the
|
|
* order shown:
|
|
*
|
|
* 1) proc->outer_lock : protects binder_ref
|
|
* binder_proc_lock() and binder_proc_unlock() are
|
|
* used to acq/rel.
|
|
* 2) node->lock : protects most fields of binder_node.
|
|
* binder_node_lock() and binder_node_unlock() are
|
|
* used to acq/rel
|
|
* 3) proc->inner_lock : protects the thread and node lists
|
|
* (proc->threads, proc->waiting_threads, proc->nodes)
|
|
* and all todo lists associated with the binder_proc
|
|
* (proc->todo, thread->todo, proc->delivered_death and
|
|
* node->async_todo), as well as thread->transaction_stack
|
|
* binder_inner_proc_lock() and binder_inner_proc_unlock()
|
|
* are used to acq/rel
|
|
*
|
|
* Any lock under procA must never be nested under any lock at the same
|
|
* level or below on procB.
|
|
*
|
|
* Functions that require a lock held on entry indicate which lock
|
|
* in the suffix of the function name:
|
|
*
|
|
* foo_olocked() : requires node->outer_lock
|
|
* foo_nlocked() : requires node->lock
|
|
* foo_ilocked() : requires proc->inner_lock
|
|
* foo_oilocked(): requires proc->outer_lock and proc->inner_lock
|
|
* foo_nilocked(): requires node->lock and proc->inner_lock
|
|
* ...
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/fdtable.h>
|
|
#include <linux/file.h>
|
|
#include <linux/freezer.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/list.h>
|
|
#include <linux/miscdevice.h>
|
|
#include <linux/module.h>
|
|
#include <linux/mutex.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/poll.h>
|
|
#include <linux/debugfs.h>
|
|
#include <linux/rbtree.h>
|
|
#include <linux/sched/signal.h>
|
|
#include <linux/sched/mm.h>
|
|
#include <linux/seq_file.h>
|
|
#include <linux/uaccess.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/security.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/ratelimit.h>
|
|
|
|
#include <uapi/linux/android/binder.h>
|
|
#include <uapi/linux/sched/types.h>
|
|
|
|
#include <asm/cacheflush.h>
|
|
|
|
#include "binder_alloc.h"
|
|
#include "binder_internal.h"
|
|
#include "binder_trace.h"
|
|
|
|
static HLIST_HEAD(binder_deferred_list);
|
|
static DEFINE_MUTEX(binder_deferred_lock);
|
|
|
|
static HLIST_HEAD(binder_devices);
|
|
static HLIST_HEAD(binder_procs);
|
|
static DEFINE_MUTEX(binder_procs_lock);
|
|
|
|
static HLIST_HEAD(binder_dead_nodes);
|
|
static DEFINE_SPINLOCK(binder_dead_nodes_lock);
|
|
|
|
static struct dentry *binder_debugfs_dir_entry_root;
|
|
static struct dentry *binder_debugfs_dir_entry_proc;
|
|
static atomic_t binder_last_id;
|
|
|
|
static int proc_show(struct seq_file *m, void *unused);
|
|
DEFINE_SHOW_ATTRIBUTE(proc);
|
|
|
|
/* This is only defined in include/asm-arm/sizes.h */
|
|
#ifndef SZ_1K
|
|
#define SZ_1K 0x400
|
|
#endif
|
|
|
|
#ifndef SZ_4M
|
|
#define SZ_4M 0x400000
|
|
#endif
|
|
|
|
#define FORBIDDEN_MMAP_FLAGS (VM_WRITE)
|
|
|
|
enum {
|
|
BINDER_DEBUG_USER_ERROR = 1U << 0,
|
|
BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1,
|
|
BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2,
|
|
BINDER_DEBUG_OPEN_CLOSE = 1U << 3,
|
|
BINDER_DEBUG_DEAD_BINDER = 1U << 4,
|
|
BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5,
|
|
BINDER_DEBUG_READ_WRITE = 1U << 6,
|
|
BINDER_DEBUG_USER_REFS = 1U << 7,
|
|
BINDER_DEBUG_THREADS = 1U << 8,
|
|
BINDER_DEBUG_TRANSACTION = 1U << 9,
|
|
BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10,
|
|
BINDER_DEBUG_FREE_BUFFER = 1U << 11,
|
|
BINDER_DEBUG_INTERNAL_REFS = 1U << 12,
|
|
BINDER_DEBUG_PRIORITY_CAP = 1U << 13,
|
|
BINDER_DEBUG_SPINLOCKS = 1U << 14,
|
|
};
|
|
static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR |
|
|
BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION;
|
|
module_param_named(debug_mask, binder_debug_mask, uint, 0644);
|
|
|
|
char *binder_devices_param = CONFIG_ANDROID_BINDER_DEVICES;
|
|
module_param_named(devices, binder_devices_param, charp, 0444);
|
|
|
|
static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait);
|
|
static int binder_stop_on_user_error;
|
|
|
|
static int binder_set_stop_on_user_error(const char *val,
|
|
const struct kernel_param *kp)
|
|
{
|
|
int ret;
|
|
|
|
ret = param_set_int(val, kp);
|
|
if (binder_stop_on_user_error < 2)
|
|
wake_up(&binder_user_error_wait);
|
|
return ret;
|
|
}
|
|
module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
|
|
param_get_int, &binder_stop_on_user_error, 0644);
|
|
|
|
#define binder_debug(mask, x...) \
|
|
do { \
|
|
if (binder_debug_mask & mask) \
|
|
pr_info_ratelimited(x); \
|
|
} while (0)
|
|
|
|
#define binder_user_error(x...) \
|
|
do { \
|
|
if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \
|
|
pr_info_ratelimited(x); \
|
|
if (binder_stop_on_user_error) \
|
|
binder_stop_on_user_error = 2; \
|
|
} while (0)
|
|
|
|
#define to_flat_binder_object(hdr) \
|
|
container_of(hdr, struct flat_binder_object, hdr)
|
|
|
|
#define to_binder_fd_object(hdr) container_of(hdr, struct binder_fd_object, hdr)
|
|
|
|
#define to_binder_buffer_object(hdr) \
|
|
container_of(hdr, struct binder_buffer_object, hdr)
|
|
|
|
#define to_binder_fd_array_object(hdr) \
|
|
container_of(hdr, struct binder_fd_array_object, hdr)
|
|
|
|
enum binder_stat_types {
|
|
BINDER_STAT_PROC,
|
|
BINDER_STAT_THREAD,
|
|
BINDER_STAT_NODE,
|
|
BINDER_STAT_REF,
|
|
BINDER_STAT_DEATH,
|
|
BINDER_STAT_TRANSACTION,
|
|
BINDER_STAT_TRANSACTION_COMPLETE,
|
|
BINDER_STAT_COUNT
|
|
};
|
|
|
|
struct binder_stats {
|
|
atomic_t br[_IOC_NR(BR_FAILED_REPLY) + 1];
|
|
atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1];
|
|
atomic_t obj_created[BINDER_STAT_COUNT];
|
|
atomic_t obj_deleted[BINDER_STAT_COUNT];
|
|
};
|
|
|
|
static struct binder_stats binder_stats;
|
|
|
|
static inline void binder_stats_deleted(enum binder_stat_types type)
|
|
{
|
|
atomic_inc(&binder_stats.obj_deleted[type]);
|
|
}
|
|
|
|
static inline void binder_stats_created(enum binder_stat_types type)
|
|
{
|
|
atomic_inc(&binder_stats.obj_created[type]);
|
|
}
|
|
|
|
struct binder_transaction_log binder_transaction_log;
|
|
struct binder_transaction_log binder_transaction_log_failed;
|
|
|
|
static struct binder_transaction_log_entry *binder_transaction_log_add(
|
|
struct binder_transaction_log *log)
|
|
{
|
|
struct binder_transaction_log_entry *e;
|
|
unsigned int cur = atomic_inc_return(&log->cur);
|
|
|
|
if (cur >= ARRAY_SIZE(log->entry))
|
|
log->full = true;
|
|
e = &log->entry[cur % ARRAY_SIZE(log->entry)];
|
|
WRITE_ONCE(e->debug_id_done, 0);
|
|
/*
|
|
* write-barrier to synchronize access to e->debug_id_done.
|
|
* We make sure the initialized 0 value is seen before
|
|
* memset() other fields are zeroed by memset.
|
|
*/
|
|
smp_wmb();
|
|
memset(e, 0, sizeof(*e));
|
|
return e;
|
|
}
|
|
|
|
/**
|
|
* struct binder_work - work enqueued on a worklist
|
|
* @entry: node enqueued on list
|
|
* @type: type of work to be performed
|
|
*
|
|
* There are separate work lists for proc, thread, and node (async).
|
|
*/
|
|
struct binder_work {
|
|
struct list_head entry;
|
|
|
|
enum {
|
|
BINDER_WORK_TRANSACTION = 1,
|
|
BINDER_WORK_TRANSACTION_COMPLETE,
|
|
BINDER_WORK_RETURN_ERROR,
|
|
BINDER_WORK_NODE,
|
|
BINDER_WORK_DEAD_BINDER,
|
|
BINDER_WORK_DEAD_BINDER_AND_CLEAR,
|
|
BINDER_WORK_CLEAR_DEATH_NOTIFICATION,
|
|
} type;
|
|
};
|
|
|
|
struct binder_error {
|
|
struct binder_work work;
|
|
uint32_t cmd;
|
|
};
|
|
|
|
/**
|
|
* struct binder_node - binder node bookkeeping
|
|
* @debug_id: unique ID for debugging
|
|
* (invariant after initialized)
|
|
* @lock: lock for node fields
|
|
* @work: worklist element for node work
|
|
* (protected by @proc->inner_lock)
|
|
* @rb_node: element for proc->nodes tree
|
|
* (protected by @proc->inner_lock)
|
|
* @dead_node: element for binder_dead_nodes list
|
|
* (protected by binder_dead_nodes_lock)
|
|
* @proc: binder_proc that owns this node
|
|
* (invariant after initialized)
|
|
* @refs: list of references on this node
|
|
* (protected by @lock)
|
|
* @internal_strong_refs: used to take strong references when
|
|
* initiating a transaction
|
|
* (protected by @proc->inner_lock if @proc
|
|
* and by @lock)
|
|
* @local_weak_refs: weak user refs from local process
|
|
* (protected by @proc->inner_lock if @proc
|
|
* and by @lock)
|
|
* @local_strong_refs: strong user refs from local process
|
|
* (protected by @proc->inner_lock if @proc
|
|
* and by @lock)
|
|
* @tmp_refs: temporary kernel refs
|
|
* (protected by @proc->inner_lock while @proc
|
|
* is valid, and by binder_dead_nodes_lock
|
|
* if @proc is NULL. During inc/dec and node release
|
|
* it is also protected by @lock to provide safety
|
|
* as the node dies and @proc becomes NULL)
|
|
* @ptr: userspace pointer for node
|
|
* (invariant, no lock needed)
|
|
* @cookie: userspace cookie for node
|
|
* (invariant, no lock needed)
|
|
* @has_strong_ref: userspace notified of strong ref
|
|
* (protected by @proc->inner_lock if @proc
|
|
* and by @lock)
|
|
* @pending_strong_ref: userspace has acked notification of strong ref
|
|
* (protected by @proc->inner_lock if @proc
|
|
* and by @lock)
|
|
* @has_weak_ref: userspace notified of weak ref
|
|
* (protected by @proc->inner_lock if @proc
|
|
* and by @lock)
|
|
* @pending_weak_ref: userspace has acked notification of weak ref
|
|
* (protected by @proc->inner_lock if @proc
|
|
* and by @lock)
|
|
* @has_async_transaction: async transaction to node in progress
|
|
* (protected by @lock)
|
|
* @sched_policy: minimum scheduling policy for node
|
|
* (invariant after initialized)
|
|
* @accept_fds: file descriptor operations supported for node
|
|
* (invariant after initialized)
|
|
* @min_priority: minimum scheduling priority
|
|
* (invariant after initialized)
|
|
* @inherit_rt: inherit RT scheduling policy from caller
|
|
* @txn_security_ctx: require sender's security context
|
|
* (invariant after initialized)
|
|
* @async_todo: list of async work items
|
|
* (protected by @proc->inner_lock)
|
|
*
|
|
* Bookkeeping structure for binder nodes.
|
|
*/
|
|
struct binder_node {
|
|
int debug_id;
|
|
spinlock_t lock;
|
|
struct binder_work work;
|
|
union {
|
|
struct rb_node rb_node;
|
|
struct hlist_node dead_node;
|
|
};
|
|
struct binder_proc *proc;
|
|
struct hlist_head refs;
|
|
int internal_strong_refs;
|
|
int local_weak_refs;
|
|
int local_strong_refs;
|
|
int tmp_refs;
|
|
binder_uintptr_t ptr;
|
|
binder_uintptr_t cookie;
|
|
struct {
|
|
/*
|
|
* bitfield elements protected by
|
|
* proc inner_lock
|
|
*/
|
|
u8 has_strong_ref:1;
|
|
u8 pending_strong_ref:1;
|
|
u8 has_weak_ref:1;
|
|
u8 pending_weak_ref:1;
|
|
};
|
|
struct {
|
|
/*
|
|
* invariant after initialization
|
|
*/
|
|
u8 sched_policy:2;
|
|
u8 inherit_rt:1;
|
|
u8 accept_fds:1;
|
|
u8 txn_security_ctx:1;
|
|
u8 min_priority;
|
|
};
|
|
bool has_async_transaction;
|
|
struct list_head async_todo;
|
|
};
|
|
|
|
struct binder_ref_death {
|
|
/**
|
|
* @work: worklist element for death notifications
|
|
* (protected by inner_lock of the proc that
|
|
* this ref belongs to)
|
|
*/
|
|
struct binder_work work;
|
|
binder_uintptr_t cookie;
|
|
};
|
|
|
|
/**
|
|
* struct binder_ref_data - binder_ref counts and id
|
|
* @debug_id: unique ID for the ref
|
|
* @desc: unique userspace handle for ref
|
|
* @strong: strong ref count (debugging only if not locked)
|
|
* @weak: weak ref count (debugging only if not locked)
|
|
*
|
|
* Structure to hold ref count and ref id information. Since
|
|
* the actual ref can only be accessed with a lock, this structure
|
|
* is used to return information about the ref to callers of
|
|
* ref inc/dec functions.
|
|
*/
|
|
struct binder_ref_data {
|
|
int debug_id;
|
|
uint32_t desc;
|
|
int strong;
|
|
int weak;
|
|
};
|
|
|
|
/**
|
|
* struct binder_ref - struct to track references on nodes
|
|
* @data: binder_ref_data containing id, handle, and current refcounts
|
|
* @rb_node_desc: node for lookup by @data.desc in proc's rb_tree
|
|
* @rb_node_node: node for lookup by @node in proc's rb_tree
|
|
* @node_entry: list entry for node->refs list in target node
|
|
* (protected by @node->lock)
|
|
* @proc: binder_proc containing ref
|
|
* @node: binder_node of target node. When cleaning up a
|
|
* ref for deletion in binder_cleanup_ref, a non-NULL
|
|
* @node indicates the node must be freed
|
|
* @death: pointer to death notification (ref_death) if requested
|
|
* (protected by @node->lock)
|
|
*
|
|
* Structure to track references from procA to target node (on procB). This
|
|
* structure is unsafe to access without holding @proc->outer_lock.
|
|
*/
|
|
struct binder_ref {
|
|
/* Lookups needed: */
|
|
/* node + proc => ref (transaction) */
|
|
/* desc + proc => ref (transaction, inc/dec ref) */
|
|
/* node => refs + procs (proc exit) */
|
|
struct binder_ref_data data;
|
|
struct rb_node rb_node_desc;
|
|
struct rb_node rb_node_node;
|
|
struct hlist_node node_entry;
|
|
struct binder_proc *proc;
|
|
struct binder_node *node;
|
|
struct binder_ref_death *death;
|
|
};
|
|
|
|
enum binder_deferred_state {
|
|
BINDER_DEFERRED_PUT_FILES = 0x01,
|
|
BINDER_DEFERRED_FLUSH = 0x02,
|
|
BINDER_DEFERRED_RELEASE = 0x04,
|
|
};
|
|
|
|
/**
|
|
* struct binder_priority - scheduler policy and priority
|
|
* @sched_policy scheduler policy
|
|
* @prio [100..139] for SCHED_NORMAL, [0..99] for FIFO/RT
|
|
*
|
|
* The binder driver supports inheriting the following scheduler policies:
|
|
* SCHED_NORMAL
|
|
* SCHED_BATCH
|
|
* SCHED_FIFO
|
|
* SCHED_RR
|
|
*/
|
|
struct binder_priority {
|
|
unsigned int sched_policy;
|
|
int prio;
|
|
};
|
|
|
|
/**
|
|
* struct binder_proc - binder process bookkeeping
|
|
* @proc_node: element for binder_procs list
|
|
* @threads: rbtree of binder_threads in this proc
|
|
* (protected by @inner_lock)
|
|
* @nodes: rbtree of binder nodes associated with
|
|
* this proc ordered by node->ptr
|
|
* (protected by @inner_lock)
|
|
* @refs_by_desc: rbtree of refs ordered by ref->desc
|
|
* (protected by @outer_lock)
|
|
* @refs_by_node: rbtree of refs ordered by ref->node
|
|
* (protected by @outer_lock)
|
|
* @waiting_threads: threads currently waiting for proc work
|
|
* (protected by @inner_lock)
|
|
* @pid PID of group_leader of process
|
|
* (invariant after initialized)
|
|
* @tsk task_struct for group_leader of process
|
|
* (invariant after initialized)
|
|
* @files files_struct for process
|
|
* (protected by @files_lock)
|
|
* @files_lock mutex to protect @files
|
|
* @deferred_work_node: element for binder_deferred_list
|
|
* (protected by binder_deferred_lock)
|
|
* @deferred_work: bitmap of deferred work to perform
|
|
* (protected by binder_deferred_lock)
|
|
* @is_dead: process is dead and awaiting free
|
|
* when outstanding transactions are cleaned up
|
|
* (protected by @inner_lock)
|
|
* @todo: list of work for this process
|
|
* (protected by @inner_lock)
|
|
* @stats: per-process binder statistics
|
|
* (atomics, no lock needed)
|
|
* @delivered_death: list of delivered death notification
|
|
* (protected by @inner_lock)
|
|
* @max_threads: cap on number of binder threads
|
|
* (protected by @inner_lock)
|
|
* @requested_threads: number of binder threads requested but not
|
|
* yet started. In current implementation, can
|
|
* only be 0 or 1.
|
|
* (protected by @inner_lock)
|
|
* @requested_threads_started: number binder threads started
|
|
* (protected by @inner_lock)
|
|
* @tmp_ref: temporary reference to indicate proc is in use
|
|
* (protected by @inner_lock)
|
|
* @default_priority: default scheduler priority
|
|
* (invariant after initialized)
|
|
* @debugfs_entry: debugfs node
|
|
* @alloc: binder allocator bookkeeping
|
|
* @context: binder_context for this proc
|
|
* (invariant after initialized)
|
|
* @inner_lock: can nest under outer_lock and/or node lock
|
|
* @outer_lock: no nesting under innor or node lock
|
|
* Lock order: 1) outer, 2) node, 3) inner
|
|
* @binderfs_entry: process-specific binderfs log file
|
|
*
|
|
* Bookkeeping structure for binder processes
|
|
*/
|
|
struct binder_proc {
|
|
struct hlist_node proc_node;
|
|
struct rb_root threads;
|
|
struct rb_root nodes;
|
|
struct rb_root refs_by_desc;
|
|
struct rb_root refs_by_node;
|
|
struct list_head waiting_threads;
|
|
int pid;
|
|
struct task_struct *tsk;
|
|
struct files_struct *files;
|
|
struct mutex files_lock;
|
|
struct hlist_node deferred_work_node;
|
|
int deferred_work;
|
|
bool is_dead;
|
|
|
|
struct list_head todo;
|
|
struct binder_stats stats;
|
|
struct list_head delivered_death;
|
|
int max_threads;
|
|
int requested_threads;
|
|
int requested_threads_started;
|
|
int tmp_ref;
|
|
struct binder_priority default_priority;
|
|
struct dentry *debugfs_entry;
|
|
struct binder_alloc alloc;
|
|
struct binder_context *context;
|
|
spinlock_t inner_lock;
|
|
spinlock_t outer_lock;
|
|
struct dentry *binderfs_entry;
|
|
};
|
|
|
|
enum {
|
|
BINDER_LOOPER_STATE_REGISTERED = 0x01,
|
|
BINDER_LOOPER_STATE_ENTERED = 0x02,
|
|
BINDER_LOOPER_STATE_EXITED = 0x04,
|
|
BINDER_LOOPER_STATE_INVALID = 0x08,
|
|
BINDER_LOOPER_STATE_WAITING = 0x10,
|
|
BINDER_LOOPER_STATE_POLL = 0x20,
|
|
};
|
|
|
|
/**
|
|
* struct binder_thread - binder thread bookkeeping
|
|
* @proc: binder process for this thread
|
|
* (invariant after initialization)
|
|
* @rb_node: element for proc->threads rbtree
|
|
* (protected by @proc->inner_lock)
|
|
* @waiting_thread_node: element for @proc->waiting_threads list
|
|
* (protected by @proc->inner_lock)
|
|
* @pid: PID for this thread
|
|
* (invariant after initialization)
|
|
* @looper: bitmap of looping state
|
|
* (only accessed by this thread)
|
|
* @looper_needs_return: looping thread needs to exit driver
|
|
* (no lock needed)
|
|
* @transaction_stack: stack of in-progress transactions for this thread
|
|
* (protected by @proc->inner_lock)
|
|
* @todo: list of work to do for this thread
|
|
* (protected by @proc->inner_lock)
|
|
* @process_todo: whether work in @todo should be processed
|
|
* (protected by @proc->inner_lock)
|
|
* @return_error: transaction errors reported by this thread
|
|
* (only accessed by this thread)
|
|
* @reply_error: transaction errors reported by target thread
|
|
* (protected by @proc->inner_lock)
|
|
* @wait: wait queue for thread work
|
|
* @stats: per-thread statistics
|
|
* (atomics, no lock needed)
|
|
* @tmp_ref: temporary reference to indicate thread is in use
|
|
* (atomic since @proc->inner_lock cannot
|
|
* always be acquired)
|
|
* @is_dead: thread is dead and awaiting free
|
|
* when outstanding transactions are cleaned up
|
|
* (protected by @proc->inner_lock)
|
|
* @task: struct task_struct for this thread
|
|
*
|
|
* Bookkeeping structure for binder threads.
|
|
*/
|
|
struct binder_thread {
|
|
struct binder_proc *proc;
|
|
struct rb_node rb_node;
|
|
struct list_head waiting_thread_node;
|
|
int pid;
|
|
int looper; /* only modified by this thread */
|
|
bool looper_need_return; /* can be written by other thread */
|
|
struct binder_transaction *transaction_stack;
|
|
struct list_head todo;
|
|
bool process_todo;
|
|
struct binder_error return_error;
|
|
struct binder_error reply_error;
|
|
wait_queue_head_t wait;
|
|
struct binder_stats stats;
|
|
atomic_t tmp_ref;
|
|
bool is_dead;
|
|
struct task_struct *task;
|
|
};
|
|
|
|
struct binder_transaction {
|
|
int debug_id;
|
|
struct binder_work work;
|
|
struct binder_thread *from;
|
|
struct binder_transaction *from_parent;
|
|
struct binder_proc *to_proc;
|
|
struct binder_thread *to_thread;
|
|
struct binder_transaction *to_parent;
|
|
unsigned need_reply:1;
|
|
/* unsigned is_dead:1; */ /* not used at the moment */
|
|
|
|
struct binder_buffer *buffer;
|
|
unsigned int code;
|
|
unsigned int flags;
|
|
struct binder_priority priority;
|
|
struct binder_priority saved_priority;
|
|
bool set_priority_called;
|
|
kuid_t sender_euid;
|
|
binder_uintptr_t security_ctx;
|
|
/**
|
|
* @lock: protects @from, @to_proc, and @to_thread
|
|
*
|
|
* @from, @to_proc, and @to_thread can be set to NULL
|
|
* during thread teardown
|
|
*/
|
|
spinlock_t lock;
|
|
};
|
|
|
|
/**
|
|
* struct binder_object - union of flat binder object types
|
|
* @hdr: generic object header
|
|
* @fbo: binder object (nodes and refs)
|
|
* @fdo: file descriptor object
|
|
* @bbo: binder buffer pointer
|
|
* @fdao: file descriptor array
|
|
*
|
|
* Used for type-independent object copies
|
|
*/
|
|
struct binder_object {
|
|
union {
|
|
struct binder_object_header hdr;
|
|
struct flat_binder_object fbo;
|
|
struct binder_fd_object fdo;
|
|
struct binder_buffer_object bbo;
|
|
struct binder_fd_array_object fdao;
|
|
};
|
|
};
|
|
|
|
/**
|
|
* binder_proc_lock() - Acquire outer lock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Acquires proc->outer_lock. Used to protect binder_ref
|
|
* structures associated with the given proc.
|
|
*/
|
|
#define binder_proc_lock(proc) _binder_proc_lock(proc, __LINE__)
|
|
static void
|
|
_binder_proc_lock(struct binder_proc *proc, int line)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_lock(&proc->outer_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_proc_unlock() - Release spinlock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Release lock acquired via binder_proc_lock()
|
|
*/
|
|
#define binder_proc_unlock(_proc) _binder_proc_unlock(_proc, __LINE__)
|
|
static void
|
|
_binder_proc_unlock(struct binder_proc *proc, int line)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_unlock(&proc->outer_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_inner_proc_lock() - Acquire inner lock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Acquires proc->inner_lock. Used to protect todo lists
|
|
*/
|
|
#define binder_inner_proc_lock(proc) _binder_inner_proc_lock(proc, __LINE__)
|
|
static void
|
|
_binder_inner_proc_lock(struct binder_proc *proc, int line)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_lock(&proc->inner_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_inner_proc_unlock() - Release inner lock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Release lock acquired via binder_inner_proc_lock()
|
|
*/
|
|
#define binder_inner_proc_unlock(proc) _binder_inner_proc_unlock(proc, __LINE__)
|
|
static void
|
|
_binder_inner_proc_unlock(struct binder_proc *proc, int line)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_unlock(&proc->inner_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_node_lock() - Acquire spinlock for given binder_node
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Acquires node->lock. Used to protect binder_node fields
|
|
*/
|
|
#define binder_node_lock(node) _binder_node_lock(node, __LINE__)
|
|
static void
|
|
_binder_node_lock(struct binder_node *node, int line)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_lock(&node->lock);
|
|
}
|
|
|
|
/**
|
|
* binder_node_unlock() - Release spinlock for given binder_proc
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Release lock acquired via binder_node_lock()
|
|
*/
|
|
#define binder_node_unlock(node) _binder_node_unlock(node, __LINE__)
|
|
static void
|
|
_binder_node_unlock(struct binder_node *node, int line)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_unlock(&node->lock);
|
|
}
|
|
|
|
/**
|
|
* binder_node_inner_lock() - Acquire node and inner locks
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Acquires node->lock. If node->proc also acquires
|
|
* proc->inner_lock. Used to protect binder_node fields
|
|
*/
|
|
#define binder_node_inner_lock(node) _binder_node_inner_lock(node, __LINE__)
|
|
static void
|
|
_binder_node_inner_lock(struct binder_node *node, int line)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_lock(&node->lock);
|
|
if (node->proc)
|
|
binder_inner_proc_lock(node->proc);
|
|
}
|
|
|
|
/**
|
|
* binder_node_unlock() - Release node and inner locks
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Release lock acquired via binder_node_lock()
|
|
*/
|
|
#define binder_node_inner_unlock(node) _binder_node_inner_unlock(node, __LINE__)
|
|
static void
|
|
_binder_node_inner_unlock(struct binder_node *node, int line)
|
|
{
|
|
struct binder_proc *proc = node->proc;
|
|
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
if (proc)
|
|
binder_inner_proc_unlock(proc);
|
|
spin_unlock(&node->lock);
|
|
}
|
|
|
|
static bool binder_worklist_empty_ilocked(struct list_head *list)
|
|
{
|
|
return list_empty(list);
|
|
}
|
|
|
|
/**
|
|
* binder_worklist_empty() - Check if no items on the work list
|
|
* @proc: binder_proc associated with list
|
|
* @list: list to check
|
|
*
|
|
* Return: true if there are no items on list, else false
|
|
*/
|
|
static bool binder_worklist_empty(struct binder_proc *proc,
|
|
struct list_head *list)
|
|
{
|
|
bool ret;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
ret = binder_worklist_empty_ilocked(list);
|
|
binder_inner_proc_unlock(proc);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* binder_enqueue_work_ilocked() - Add an item to the work list
|
|
* @work: struct binder_work to add to list
|
|
* @target_list: list to add work to
|
|
*
|
|
* Adds the work to the specified list. Asserts that work
|
|
* is not already on a list.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
static void
|
|
binder_enqueue_work_ilocked(struct binder_work *work,
|
|
struct list_head *target_list)
|
|
{
|
|
BUG_ON(target_list == NULL);
|
|
BUG_ON(work->entry.next && !list_empty(&work->entry));
|
|
list_add_tail(&work->entry, target_list);
|
|
}
|
|
|
|
/**
|
|
* binder_enqueue_deferred_thread_work_ilocked() - Add deferred thread work
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread. Doesn't set the process_todo
|
|
* flag, which means that (if it wasn't already set) the thread will go to
|
|
* sleep without handling this work when it calls read.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
static void
|
|
binder_enqueue_deferred_thread_work_ilocked(struct binder_thread *thread,
|
|
struct binder_work *work)
|
|
{
|
|
WARN_ON(!list_empty(&thread->waiting_thread_node));
|
|
binder_enqueue_work_ilocked(work, &thread->todo);
|
|
}
|
|
|
|
/**
|
|
* binder_enqueue_thread_work_ilocked() - Add an item to the thread work list
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread, and enables processing
|
|
* of the todo queue.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
static void
|
|
binder_enqueue_thread_work_ilocked(struct binder_thread *thread,
|
|
struct binder_work *work)
|
|
{
|
|
WARN_ON(!list_empty(&thread->waiting_thread_node));
|
|
binder_enqueue_work_ilocked(work, &thread->todo);
|
|
thread->process_todo = true;
|
|
}
|
|
|
|
/**
|
|
* binder_enqueue_thread_work() - Add an item to the thread work list
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread, and enables processing
|
|
* of the todo queue.
|
|
*/
|
|
static void
|
|
binder_enqueue_thread_work(struct binder_thread *thread,
|
|
struct binder_work *work)
|
|
{
|
|
binder_inner_proc_lock(thread->proc);
|
|
binder_enqueue_thread_work_ilocked(thread, work);
|
|
binder_inner_proc_unlock(thread->proc);
|
|
}
|
|
|
|
static void
|
|
binder_dequeue_work_ilocked(struct binder_work *work)
|
|
{
|
|
list_del_init(&work->entry);
|
|
}
|
|
|
|
/**
|
|
* binder_dequeue_work() - Removes an item from the work list
|
|
* @proc: binder_proc associated with list
|
|
* @work: struct binder_work to remove from list
|
|
*
|
|
* Removes the specified work item from whatever list it is on.
|
|
* Can safely be called if work is not on any list.
|
|
*/
|
|
static void
|
|
binder_dequeue_work(struct binder_proc *proc, struct binder_work *work)
|
|
{
|
|
binder_inner_proc_lock(proc);
|
|
binder_dequeue_work_ilocked(work);
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
|
|
static struct binder_work *binder_dequeue_work_head_ilocked(
|
|
struct list_head *list)
|
|
{
|
|
struct binder_work *w;
|
|
|
|
w = list_first_entry_or_null(list, struct binder_work, entry);
|
|
if (w)
|
|
list_del_init(&w->entry);
|
|
return w;
|
|
}
|
|
|
|
/**
|
|
* binder_dequeue_work_head() - Dequeues the item at head of list
|
|
* @proc: binder_proc associated with list
|
|
* @list: list to dequeue head
|
|
*
|
|
* Removes the head of the list if there are items on the list
|
|
*
|
|
* Return: pointer dequeued binder_work, NULL if list was empty
|
|
*/
|
|
static struct binder_work *binder_dequeue_work_head(
|
|
struct binder_proc *proc,
|
|
struct list_head *list)
|
|
{
|
|
struct binder_work *w;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
w = binder_dequeue_work_head_ilocked(list);
|
|
binder_inner_proc_unlock(proc);
|
|
return w;
|
|
}
|
|
|
|
static void
|
|
binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
|
|
static void binder_free_thread(struct binder_thread *thread);
|
|
static void binder_free_proc(struct binder_proc *proc);
|
|
static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
|
|
|
|
static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
|
|
{
|
|
unsigned long rlim_cur;
|
|
unsigned long irqs;
|
|
int ret;
|
|
|
|
mutex_lock(&proc->files_lock);
|
|
if (proc->files == NULL) {
|
|
ret = -ESRCH;
|
|
goto err;
|
|
}
|
|
if (!lock_task_sighand(proc->tsk, &irqs)) {
|
|
ret = -EMFILE;
|
|
goto err;
|
|
}
|
|
rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
|
|
unlock_task_sighand(proc->tsk, &irqs);
|
|
|
|
ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
|
|
err:
|
|
mutex_unlock(&proc->files_lock);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* copied from fd_install
|
|
*/
|
|
static void task_fd_install(
|
|
struct binder_proc *proc, unsigned int fd, struct file *file)
|
|
{
|
|
mutex_lock(&proc->files_lock);
|
|
if (proc->files)
|
|
__fd_install(proc->files, fd, file);
|
|
mutex_unlock(&proc->files_lock);
|
|
}
|
|
|
|
/*
|
|
* copied from sys_close
|
|
*/
|
|
static long task_close_fd(struct binder_proc *proc, unsigned int fd)
|
|
{
|
|
int retval;
|
|
|
|
mutex_lock(&proc->files_lock);
|
|
if (proc->files == NULL) {
|
|
retval = -ESRCH;
|
|
goto err;
|
|
}
|
|
retval = __close_fd(proc->files, fd);
|
|
/* can't restart close syscall because file table entry was cleared */
|
|
if (unlikely(retval == -ERESTARTSYS ||
|
|
retval == -ERESTARTNOINTR ||
|
|
retval == -ERESTARTNOHAND ||
|
|
retval == -ERESTART_RESTARTBLOCK))
|
|
retval = -EINTR;
|
|
err:
|
|
mutex_unlock(&proc->files_lock);
|
|
return retval;
|
|
}
|
|
|
|
static bool binder_has_work_ilocked(struct binder_thread *thread,
|
|
bool do_proc_work)
|
|
{
|
|
return thread->process_todo ||
|
|
thread->looper_need_return ||
|
|
(do_proc_work &&
|
|
!binder_worklist_empty_ilocked(&thread->proc->todo));
|
|
}
|
|
|
|
static bool binder_has_work(struct binder_thread *thread, bool do_proc_work)
|
|
{
|
|
bool has_work;
|
|
|
|
binder_inner_proc_lock(thread->proc);
|
|
has_work = binder_has_work_ilocked(thread, do_proc_work);
|
|
binder_inner_proc_unlock(thread->proc);
|
|
|
|
return has_work;
|
|
}
|
|
|
|
static bool binder_available_for_proc_work_ilocked(struct binder_thread *thread)
|
|
{
|
|
return !thread->transaction_stack &&
|
|
binder_worklist_empty_ilocked(&thread->todo) &&
|
|
(thread->looper & (BINDER_LOOPER_STATE_ENTERED |
|
|
BINDER_LOOPER_STATE_REGISTERED));
|
|
}
|
|
|
|
static void binder_wakeup_poll_threads_ilocked(struct binder_proc *proc,
|
|
bool sync)
|
|
{
|
|
struct rb_node *n;
|
|
struct binder_thread *thread;
|
|
|
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
|
|
thread = rb_entry(n, struct binder_thread, rb_node);
|
|
if (thread->looper & BINDER_LOOPER_STATE_POLL &&
|
|
binder_available_for_proc_work_ilocked(thread)) {
|
|
if (sync)
|
|
wake_up_interruptible_sync(&thread->wait);
|
|
else
|
|
wake_up_interruptible(&thread->wait);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* binder_select_thread_ilocked() - selects a thread for doing proc work.
|
|
* @proc: process to select a thread from
|
|
*
|
|
* Note that calling this function moves the thread off the waiting_threads
|
|
* list, so it can only be woken up by the caller of this function, or a
|
|
* signal. Therefore, callers *should* always wake up the thread this function
|
|
* returns.
|
|
*
|
|
* Return: If there's a thread currently waiting for process work,
|
|
* returns that thread. Otherwise returns NULL.
|
|
*/
|
|
static struct binder_thread *
|
|
binder_select_thread_ilocked(struct binder_proc *proc)
|
|
{
|
|
struct binder_thread *thread;
|
|
|
|
assert_spin_locked(&proc->inner_lock);
|
|
thread = list_first_entry_or_null(&proc->waiting_threads,
|
|
struct binder_thread,
|
|
waiting_thread_node);
|
|
|
|
if (thread)
|
|
list_del_init(&thread->waiting_thread_node);
|
|
|
|
return thread;
|
|
}
|
|
|
|
/**
|
|
* binder_wakeup_thread_ilocked() - wakes up a thread for doing proc work.
|
|
* @proc: process to wake up a thread in
|
|
* @thread: specific thread to wake-up (may be NULL)
|
|
* @sync: whether to do a synchronous wake-up
|
|
*
|
|
* This function wakes up a thread in the @proc process.
|
|
* The caller may provide a specific thread to wake-up in
|
|
* the @thread parameter. If @thread is NULL, this function
|
|
* will wake up threads that have called poll().
|
|
*
|
|
* Note that for this function to work as expected, callers
|
|
* should first call binder_select_thread() to find a thread
|
|
* to handle the work (if they don't have a thread already),
|
|
* and pass the result into the @thread parameter.
|
|
*/
|
|
static void binder_wakeup_thread_ilocked(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
bool sync)
|
|
{
|
|
assert_spin_locked(&proc->inner_lock);
|
|
|
|
if (thread) {
|
|
if (sync)
|
|
wake_up_interruptible_sync(&thread->wait);
|
|
else
|
|
wake_up_interruptible(&thread->wait);
|
|
return;
|
|
}
|
|
|
|
/* Didn't find a thread waiting for proc work; this can happen
|
|
* in two scenarios:
|
|
* 1. All threads are busy handling transactions
|
|
* In that case, one of those threads should call back into
|
|
* the kernel driver soon and pick up this work.
|
|
* 2. Threads are using the (e)poll interface, in which case
|
|
* they may be blocked on the waitqueue without having been
|
|
* added to waiting_threads. For this case, we just iterate
|
|
* over all threads not handling transaction work, and
|
|
* wake them all up. We wake all because we don't know whether
|
|
* a thread that called into (e)poll is handling non-binder
|
|
* work currently.
|
|
*/
|
|
binder_wakeup_poll_threads_ilocked(proc, sync);
|
|
}
|
|
|
|
static void binder_wakeup_proc_ilocked(struct binder_proc *proc)
|
|
{
|
|
struct binder_thread *thread = binder_select_thread_ilocked(proc);
|
|
|
|
binder_wakeup_thread_ilocked(proc, thread, /* sync = */false);
|
|
}
|
|
|
|
static bool is_rt_policy(int policy)
|
|
{
|
|
return policy == SCHED_FIFO || policy == SCHED_RR;
|
|
}
|
|
|
|
static bool is_fair_policy(int policy)
|
|
{
|
|
return policy == SCHED_NORMAL || policy == SCHED_BATCH;
|
|
}
|
|
|
|
static bool binder_supported_policy(int policy)
|
|
{
|
|
return is_fair_policy(policy) || is_rt_policy(policy);
|
|
}
|
|
|
|
static int to_userspace_prio(int policy, int kernel_priority)
|
|
{
|
|
if (is_fair_policy(policy))
|
|
return PRIO_TO_NICE(kernel_priority);
|
|
else
|
|
return MAX_USER_RT_PRIO - 1 - kernel_priority;
|
|
}
|
|
|
|
static int to_kernel_prio(int policy, int user_priority)
|
|
{
|
|
if (is_fair_policy(policy))
|
|
return NICE_TO_PRIO(user_priority);
|
|
else
|
|
return MAX_USER_RT_PRIO - 1 - user_priority;
|
|
}
|
|
|
|
static void binder_do_set_priority(struct task_struct *task,
|
|
struct binder_priority desired,
|
|
bool verify)
|
|
{
|
|
int priority; /* user-space prio value */
|
|
bool has_cap_nice;
|
|
unsigned int policy = desired.sched_policy;
|
|
|
|
if (task->policy == policy && task->normal_prio == desired.prio)
|
|
return;
|
|
|
|
has_cap_nice = has_capability_noaudit(task, CAP_SYS_NICE);
|
|
|
|
priority = to_userspace_prio(policy, desired.prio);
|
|
|
|
if (verify && is_rt_policy(policy) && !has_cap_nice) {
|
|
long max_rtprio = task_rlimit(task, RLIMIT_RTPRIO);
|
|
|
|
if (max_rtprio == 0) {
|
|
policy = SCHED_NORMAL;
|
|
priority = MIN_NICE;
|
|
} else if (priority > max_rtprio) {
|
|
priority = max_rtprio;
|
|
}
|
|
}
|
|
|
|
if (verify && is_fair_policy(policy) && !has_cap_nice) {
|
|
long min_nice = rlimit_to_nice(task_rlimit(task, RLIMIT_NICE));
|
|
|
|
if (min_nice > MAX_NICE) {
|
|
binder_user_error("%d RLIMIT_NICE not set\n",
|
|
task->pid);
|
|
return;
|
|
} else if (priority < min_nice) {
|
|
priority = min_nice;
|
|
}
|
|
}
|
|
|
|
if (policy != desired.sched_policy ||
|
|
to_kernel_prio(policy, priority) != desired.prio)
|
|
binder_debug(BINDER_DEBUG_PRIORITY_CAP,
|
|
"%d: priority %d not allowed, using %d instead\n",
|
|
task->pid, desired.prio,
|
|
to_kernel_prio(policy, priority));
|
|
|
|
trace_binder_set_priority(task->tgid, task->pid, task->normal_prio,
|
|
to_kernel_prio(policy, priority),
|
|
desired.prio);
|
|
|
|
/* Set the actual priority */
|
|
if (task->policy != policy || is_rt_policy(policy)) {
|
|
struct sched_param params;
|
|
|
|
params.sched_priority = is_rt_policy(policy) ? priority : 0;
|
|
|
|
sched_setscheduler_nocheck(task,
|
|
policy | SCHED_RESET_ON_FORK,
|
|
¶ms);
|
|
}
|
|
if (is_fair_policy(policy))
|
|
set_user_nice(task, priority);
|
|
}
|
|
|
|
static void binder_set_priority(struct task_struct *task,
|
|
struct binder_priority desired)
|
|
{
|
|
binder_do_set_priority(task, desired, /* verify = */ true);
|
|
}
|
|
|
|
static void binder_restore_priority(struct task_struct *task,
|
|
struct binder_priority desired)
|
|
{
|
|
binder_do_set_priority(task, desired, /* verify = */ false);
|
|
}
|
|
|
|
static void binder_transaction_priority(struct task_struct *task,
|
|
struct binder_transaction *t,
|
|
struct binder_priority node_prio,
|
|
bool inherit_rt)
|
|
{
|
|
struct binder_priority desired_prio = t->priority;
|
|
|
|
if (t->set_priority_called)
|
|
return;
|
|
|
|
t->set_priority_called = true;
|
|
t->saved_priority.sched_policy = task->policy;
|
|
t->saved_priority.prio = task->normal_prio;
|
|
|
|
if (!inherit_rt && is_rt_policy(desired_prio.sched_policy)) {
|
|
desired_prio.prio = NICE_TO_PRIO(0);
|
|
desired_prio.sched_policy = SCHED_NORMAL;
|
|
}
|
|
|
|
if (node_prio.prio < t->priority.prio ||
|
|
(node_prio.prio == t->priority.prio &&
|
|
node_prio.sched_policy == SCHED_FIFO)) {
|
|
/*
|
|
* In case the minimum priority on the node is
|
|
* higher (lower value), use that priority. If
|
|
* the priority is the same, but the node uses
|
|
* SCHED_FIFO, prefer SCHED_FIFO, since it can
|
|
* run unbounded, unlike SCHED_RR.
|
|
*/
|
|
desired_prio = node_prio;
|
|
}
|
|
|
|
binder_set_priority(task, desired_prio);
|
|
}
|
|
|
|
static struct binder_node *binder_get_node_ilocked(struct binder_proc *proc,
|
|
binder_uintptr_t ptr)
|
|
{
|
|
struct rb_node *n = proc->nodes.rb_node;
|
|
struct binder_node *node;
|
|
|
|
assert_spin_locked(&proc->inner_lock);
|
|
|
|
while (n) {
|
|
node = rb_entry(n, struct binder_node, rb_node);
|
|
|
|
if (ptr < node->ptr)
|
|
n = n->rb_left;
|
|
else if (ptr > node->ptr)
|
|
n = n->rb_right;
|
|
else {
|
|
/*
|
|
* take an implicit weak reference
|
|
* to ensure node stays alive until
|
|
* call to binder_put_node()
|
|
*/
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
return node;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
static struct binder_node *binder_get_node(struct binder_proc *proc,
|
|
binder_uintptr_t ptr)
|
|
{
|
|
struct binder_node *node;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
node = binder_get_node_ilocked(proc, ptr);
|
|
binder_inner_proc_unlock(proc);
|
|
return node;
|
|
}
|
|
|
|
static struct binder_node *binder_init_node_ilocked(
|
|
struct binder_proc *proc,
|
|
struct binder_node *new_node,
|
|
struct flat_binder_object *fp)
|
|
{
|
|
struct rb_node **p = &proc->nodes.rb_node;
|
|
struct rb_node *parent = NULL;
|
|
struct binder_node *node;
|
|
binder_uintptr_t ptr = fp ? fp->binder : 0;
|
|
binder_uintptr_t cookie = fp ? fp->cookie : 0;
|
|
__u32 flags = fp ? fp->flags : 0;
|
|
s8 priority;
|
|
|
|
assert_spin_locked(&proc->inner_lock);
|
|
|
|
while (*p) {
|
|
|
|
parent = *p;
|
|
node = rb_entry(parent, struct binder_node, rb_node);
|
|
|
|
if (ptr < node->ptr)
|
|
p = &(*p)->rb_left;
|
|
else if (ptr > node->ptr)
|
|
p = &(*p)->rb_right;
|
|
else {
|
|
/*
|
|
* A matching node is already in
|
|
* the rb tree. Abandon the init
|
|
* and return it.
|
|
*/
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
return node;
|
|
}
|
|
}
|
|
node = new_node;
|
|
binder_stats_created(BINDER_STAT_NODE);
|
|
node->tmp_refs++;
|
|
rb_link_node(&node->rb_node, parent, p);
|
|
rb_insert_color(&node->rb_node, &proc->nodes);
|
|
node->debug_id = atomic_inc_return(&binder_last_id);
|
|
node->proc = proc;
|
|
node->ptr = ptr;
|
|
node->cookie = cookie;
|
|
node->work.type = BINDER_WORK_NODE;
|
|
priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
|
|
node->sched_policy = (flags & FLAT_BINDER_FLAG_SCHED_POLICY_MASK) >>
|
|
FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT;
|
|
node->min_priority = to_kernel_prio(node->sched_policy, priority);
|
|
node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
|
|
node->inherit_rt = !!(flags & FLAT_BINDER_FLAG_INHERIT_RT);
|
|
node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX);
|
|
spin_lock_init(&node->lock);
|
|
INIT_LIST_HEAD(&node->work.entry);
|
|
INIT_LIST_HEAD(&node->async_todo);
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d:%d node %d u%016llx c%016llx created\n",
|
|
proc->pid, current->pid, node->debug_id,
|
|
(u64)node->ptr, (u64)node->cookie);
|
|
|
|
return node;
|
|
}
|
|
|
|
static struct binder_node *binder_new_node(struct binder_proc *proc,
|
|
struct flat_binder_object *fp)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_node *new_node = kzalloc(sizeof(*node), GFP_KERNEL);
|
|
|
|
if (!new_node)
|
|
return NULL;
|
|
binder_inner_proc_lock(proc);
|
|
node = binder_init_node_ilocked(proc, new_node, fp);
|
|
binder_inner_proc_unlock(proc);
|
|
if (node != new_node)
|
|
/*
|
|
* The node was already added by another thread
|
|
*/
|
|
kfree(new_node);
|
|
|
|
return node;
|
|
}
|
|
|
|
static void binder_free_node(struct binder_node *node)
|
|
{
|
|
kfree(node);
|
|
binder_stats_deleted(BINDER_STAT_NODE);
|
|
}
|
|
|
|
static int binder_inc_node_nilocked(struct binder_node *node, int strong,
|
|
int internal,
|
|
struct list_head *target_list)
|
|
{
|
|
struct binder_proc *proc = node->proc;
|
|
|
|
assert_spin_locked(&node->lock);
|
|
if (proc)
|
|
assert_spin_locked(&proc->inner_lock);
|
|
if (strong) {
|
|
if (internal) {
|
|
if (target_list == NULL &&
|
|
node->internal_strong_refs == 0 &&
|
|
!(node->proc &&
|
|
node == node->proc->context->binder_context_mgr_node &&
|
|
node->has_strong_ref)) {
|
|
pr_err("invalid inc strong node for %d\n",
|
|
node->debug_id);
|
|
return -EINVAL;
|
|
}
|
|
node->internal_strong_refs++;
|
|
} else
|
|
node->local_strong_refs++;
|
|
if (!node->has_strong_ref && target_list) {
|
|
struct binder_thread *thread = container_of(target_list,
|
|
struct binder_thread, todo);
|
|
binder_dequeue_work_ilocked(&node->work);
|
|
BUG_ON(&thread->todo != target_list);
|
|
binder_enqueue_deferred_thread_work_ilocked(thread,
|
|
&node->work);
|
|
}
|
|
} else {
|
|
if (!internal)
|
|
node->local_weak_refs++;
|
|
if (!node->has_weak_ref && list_empty(&node->work.entry)) {
|
|
if (target_list == NULL) {
|
|
pr_err("invalid inc weak node for %d\n",
|
|
node->debug_id);
|
|
return -EINVAL;
|
|
}
|
|
/*
|
|
* See comment above
|
|
*/
|
|
binder_enqueue_work_ilocked(&node->work, target_list);
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int binder_inc_node(struct binder_node *node, int strong, int internal,
|
|
struct list_head *target_list)
|
|
{
|
|
int ret;
|
|
|
|
binder_node_inner_lock(node);
|
|
ret = binder_inc_node_nilocked(node, strong, internal, target_list);
|
|
binder_node_inner_unlock(node);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static bool binder_dec_node_nilocked(struct binder_node *node,
|
|
int strong, int internal)
|
|
{
|
|
struct binder_proc *proc = node->proc;
|
|
|
|
assert_spin_locked(&node->lock);
|
|
if (proc)
|
|
assert_spin_locked(&proc->inner_lock);
|
|
if (strong) {
|
|
if (internal)
|
|
node->internal_strong_refs--;
|
|
else
|
|
node->local_strong_refs--;
|
|
if (node->local_strong_refs || node->internal_strong_refs)
|
|
return false;
|
|
} else {
|
|
if (!internal)
|
|
node->local_weak_refs--;
|
|
if (node->local_weak_refs || node->tmp_refs ||
|
|
!hlist_empty(&node->refs))
|
|
return false;
|
|
}
|
|
|
|
if (proc && (node->has_strong_ref || node->has_weak_ref)) {
|
|
if (list_empty(&node->work.entry)) {
|
|
binder_enqueue_work_ilocked(&node->work, &proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
}
|
|
} else {
|
|
if (hlist_empty(&node->refs) && !node->local_strong_refs &&
|
|
!node->local_weak_refs && !node->tmp_refs) {
|
|
if (proc) {
|
|
binder_dequeue_work_ilocked(&node->work);
|
|
rb_erase(&node->rb_node, &proc->nodes);
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"refless node %d deleted\n",
|
|
node->debug_id);
|
|
} else {
|
|
BUG_ON(!list_empty(&node->work.entry));
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
/*
|
|
* tmp_refs could have changed so
|
|
* check it again
|
|
*/
|
|
if (node->tmp_refs) {
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
return false;
|
|
}
|
|
hlist_del(&node->dead_node);
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"dead node %d deleted\n",
|
|
node->debug_id);
|
|
}
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static void binder_dec_node(struct binder_node *node, int strong, int internal)
|
|
{
|
|
bool free_node;
|
|
|
|
binder_node_inner_lock(node);
|
|
free_node = binder_dec_node_nilocked(node, strong, internal);
|
|
binder_node_inner_unlock(node);
|
|
if (free_node)
|
|
binder_free_node(node);
|
|
}
|
|
|
|
static void binder_inc_node_tmpref_ilocked(struct binder_node *node)
|
|
{
|
|
/*
|
|
* No call to binder_inc_node() is needed since we
|
|
* don't need to inform userspace of any changes to
|
|
* tmp_refs
|
|
*/
|
|
node->tmp_refs++;
|
|
}
|
|
|
|
/**
|
|
* binder_inc_node_tmpref() - take a temporary reference on node
|
|
* @node: node to reference
|
|
*
|
|
* Take reference on node to prevent the node from being freed
|
|
* while referenced only by a local variable. The inner lock is
|
|
* needed to serialize with the node work on the queue (which
|
|
* isn't needed after the node is dead). If the node is dead
|
|
* (node->proc is NULL), use binder_dead_nodes_lock to protect
|
|
* node->tmp_refs against dead-node-only cases where the node
|
|
* lock cannot be acquired (eg traversing the dead node list to
|
|
* print nodes)
|
|
*/
|
|
static void binder_inc_node_tmpref(struct binder_node *node)
|
|
{
|
|
binder_node_lock(node);
|
|
if (node->proc)
|
|
binder_inner_proc_lock(node->proc);
|
|
else
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
if (node->proc)
|
|
binder_inner_proc_unlock(node->proc);
|
|
else
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
binder_node_unlock(node);
|
|
}
|
|
|
|
/**
|
|
* binder_dec_node_tmpref() - remove a temporary reference on node
|
|
* @node: node to reference
|
|
*
|
|
* Release temporary reference on node taken via binder_inc_node_tmpref()
|
|
*/
|
|
static void binder_dec_node_tmpref(struct binder_node *node)
|
|
{
|
|
bool free_node;
|
|
|
|
binder_node_inner_lock(node);
|
|
if (!node->proc)
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
node->tmp_refs--;
|
|
BUG_ON(node->tmp_refs < 0);
|
|
if (!node->proc)
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
/*
|
|
* Call binder_dec_node() to check if all refcounts are 0
|
|
* and cleanup is needed. Calling with strong=0 and internal=1
|
|
* causes no actual reference to be released in binder_dec_node().
|
|
* If that changes, a change is needed here too.
|
|
*/
|
|
free_node = binder_dec_node_nilocked(node, 0, 1);
|
|
binder_node_inner_unlock(node);
|
|
if (free_node)
|
|
binder_free_node(node);
|
|
}
|
|
|
|
static void binder_put_node(struct binder_node *node)
|
|
{
|
|
binder_dec_node_tmpref(node);
|
|
}
|
|
|
|
static struct binder_ref *binder_get_ref_olocked(struct binder_proc *proc,
|
|
u32 desc, bool need_strong_ref)
|
|
{
|
|
struct rb_node *n = proc->refs_by_desc.rb_node;
|
|
struct binder_ref *ref;
|
|
|
|
while (n) {
|
|
ref = rb_entry(n, struct binder_ref, rb_node_desc);
|
|
|
|
if (desc < ref->data.desc) {
|
|
n = n->rb_left;
|
|
} else if (desc > ref->data.desc) {
|
|
n = n->rb_right;
|
|
} else if (need_strong_ref && !ref->data.strong) {
|
|
binder_user_error("tried to use weak ref as strong ref\n");
|
|
return NULL;
|
|
} else {
|
|
return ref;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* binder_get_ref_for_node_olocked() - get the ref associated with given node
|
|
* @proc: binder_proc that owns the ref
|
|
* @node: binder_node of target
|
|
* @new_ref: newly allocated binder_ref to be initialized or %NULL
|
|
*
|
|
* Look up the ref for the given node and return it if it exists
|
|
*
|
|
* If it doesn't exist and the caller provides a newly allocated
|
|
* ref, initialize the fields of the newly allocated ref and insert
|
|
* into the given proc rb_trees and node refs list.
|
|
*
|
|
* Return: the ref for node. It is possible that another thread
|
|
* allocated/initialized the ref first in which case the
|
|
* returned ref would be different than the passed-in
|
|
* new_ref. new_ref must be kfree'd by the caller in
|
|
* this case.
|
|
*/
|
|
static struct binder_ref *binder_get_ref_for_node_olocked(
|
|
struct binder_proc *proc,
|
|
struct binder_node *node,
|
|
struct binder_ref *new_ref)
|
|
{
|
|
struct binder_context *context = proc->context;
|
|
struct rb_node **p = &proc->refs_by_node.rb_node;
|
|
struct rb_node *parent = NULL;
|
|
struct binder_ref *ref;
|
|
struct rb_node *n;
|
|
|
|
while (*p) {
|
|
parent = *p;
|
|
ref = rb_entry(parent, struct binder_ref, rb_node_node);
|
|
|
|
if (node < ref->node)
|
|
p = &(*p)->rb_left;
|
|
else if (node > ref->node)
|
|
p = &(*p)->rb_right;
|
|
else
|
|
return ref;
|
|
}
|
|
if (!new_ref)
|
|
return NULL;
|
|
|
|
binder_stats_created(BINDER_STAT_REF);
|
|
new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
|
|
new_ref->proc = proc;
|
|
new_ref->node = node;
|
|
rb_link_node(&new_ref->rb_node_node, parent, p);
|
|
rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
|
|
|
|
new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
|
|
for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
|
|
ref = rb_entry(n, struct binder_ref, rb_node_desc);
|
|
if (ref->data.desc > new_ref->data.desc)
|
|
break;
|
|
new_ref->data.desc = ref->data.desc + 1;
|
|
}
|
|
|
|
p = &proc->refs_by_desc.rb_node;
|
|
while (*p) {
|
|
parent = *p;
|
|
ref = rb_entry(parent, struct binder_ref, rb_node_desc);
|
|
|
|
if (new_ref->data.desc < ref->data.desc)
|
|
p = &(*p)->rb_left;
|
|
else if (new_ref->data.desc > ref->data.desc)
|
|
p = &(*p)->rb_right;
|
|
else
|
|
BUG();
|
|
}
|
|
rb_link_node(&new_ref->rb_node_desc, parent, p);
|
|
rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
|
|
|
|
binder_node_lock(node);
|
|
hlist_add_head(&new_ref->node_entry, &node->refs);
|
|
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d new ref %d desc %d for node %d\n",
|
|
proc->pid, new_ref->data.debug_id, new_ref->data.desc,
|
|
node->debug_id);
|
|
binder_node_unlock(node);
|
|
return new_ref;
|
|
}
|
|
|
|
static void binder_cleanup_ref_olocked(struct binder_ref *ref)
|
|
{
|
|
bool delete_node = false;
|
|
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d delete ref %d desc %d for node %d\n",
|
|
ref->proc->pid, ref->data.debug_id, ref->data.desc,
|
|
ref->node->debug_id);
|
|
|
|
rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc);
|
|
rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node);
|
|
|
|
binder_node_inner_lock(ref->node);
|
|
if (ref->data.strong)
|
|
binder_dec_node_nilocked(ref->node, 1, 1);
|
|
|
|
hlist_del(&ref->node_entry);
|
|
delete_node = binder_dec_node_nilocked(ref->node, 0, 1);
|
|
binder_node_inner_unlock(ref->node);
|
|
/*
|
|
* Clear ref->node unless we want the caller to free the node
|
|
*/
|
|
if (!delete_node) {
|
|
/*
|
|
* The caller uses ref->node to determine
|
|
* whether the node needs to be freed. Clear
|
|
* it since the node is still alive.
|
|
*/
|
|
ref->node = NULL;
|
|
}
|
|
|
|
if (ref->death) {
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"%d delete ref %d desc %d has death notification\n",
|
|
ref->proc->pid, ref->data.debug_id,
|
|
ref->data.desc);
|
|
binder_dequeue_work(ref->proc, &ref->death->work);
|
|
binder_stats_deleted(BINDER_STAT_DEATH);
|
|
}
|
|
binder_stats_deleted(BINDER_STAT_REF);
|
|
}
|
|
|
|
/**
|
|
* binder_inc_ref_olocked() - increment the ref for given handle
|
|
* @ref: ref to be incremented
|
|
* @strong: if true, strong increment, else weak
|
|
* @target_list: list to queue node work on
|
|
*
|
|
* Increment the ref. @ref->proc->outer_lock must be held on entry
|
|
*
|
|
* Return: 0, if successful, else errno
|
|
*/
|
|
static int binder_inc_ref_olocked(struct binder_ref *ref, int strong,
|
|
struct list_head *target_list)
|
|
{
|
|
int ret;
|
|
|
|
if (strong) {
|
|
if (ref->data.strong == 0) {
|
|
ret = binder_inc_node(ref->node, 1, 1, target_list);
|
|
if (ret)
|
|
return ret;
|
|
}
|
|
ref->data.strong++;
|
|
} else {
|
|
if (ref->data.weak == 0) {
|
|
ret = binder_inc_node(ref->node, 0, 1, target_list);
|
|
if (ret)
|
|
return ret;
|
|
}
|
|
ref->data.weak++;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* binder_dec_ref() - dec the ref for given handle
|
|
* @ref: ref to be decremented
|
|
* @strong: if true, strong decrement, else weak
|
|
*
|
|
* Decrement the ref.
|
|
*
|
|
* Return: true if ref is cleaned up and ready to be freed
|
|
*/
|
|
static bool binder_dec_ref_olocked(struct binder_ref *ref, int strong)
|
|
{
|
|
if (strong) {
|
|
if (ref->data.strong == 0) {
|
|
binder_user_error("%d invalid dec strong, ref %d desc %d s %d w %d\n",
|
|
ref->proc->pid, ref->data.debug_id,
|
|
ref->data.desc, ref->data.strong,
|
|
ref->data.weak);
|
|
return false;
|
|
}
|
|
ref->data.strong--;
|
|
if (ref->data.strong == 0)
|
|
binder_dec_node(ref->node, strong, 1);
|
|
} else {
|
|
if (ref->data.weak == 0) {
|
|
binder_user_error("%d invalid dec weak, ref %d desc %d s %d w %d\n",
|
|
ref->proc->pid, ref->data.debug_id,
|
|
ref->data.desc, ref->data.strong,
|
|
ref->data.weak);
|
|
return false;
|
|
}
|
|
ref->data.weak--;
|
|
}
|
|
if (ref->data.strong == 0 && ref->data.weak == 0) {
|
|
binder_cleanup_ref_olocked(ref);
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* binder_get_node_from_ref() - get the node from the given proc/desc
|
|
* @proc: proc containing the ref
|
|
* @desc: the handle associated with the ref
|
|
* @need_strong_ref: if true, only return node if ref is strong
|
|
* @rdata: the id/refcount data for the ref
|
|
*
|
|
* Given a proc and ref handle, return the associated binder_node
|
|
*
|
|
* Return: a binder_node or NULL if not found or not strong when strong required
|
|
*/
|
|
static struct binder_node *binder_get_node_from_ref(
|
|
struct binder_proc *proc,
|
|
u32 desc, bool need_strong_ref,
|
|
struct binder_ref_data *rdata)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_ref *ref;
|
|
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, desc, need_strong_ref);
|
|
if (!ref)
|
|
goto err_no_ref;
|
|
node = ref->node;
|
|
/*
|
|
* Take an implicit reference on the node to ensure
|
|
* it stays alive until the call to binder_put_node()
|
|
*/
|
|
binder_inc_node_tmpref(node);
|
|
if (rdata)
|
|
*rdata = ref->data;
|
|
binder_proc_unlock(proc);
|
|
|
|
return node;
|
|
|
|
err_no_ref:
|
|
binder_proc_unlock(proc);
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* binder_free_ref() - free the binder_ref
|
|
* @ref: ref to free
|
|
*
|
|
* Free the binder_ref. Free the binder_node indicated by ref->node
|
|
* (if non-NULL) and the binder_ref_death indicated by ref->death.
|
|
*/
|
|
static void binder_free_ref(struct binder_ref *ref)
|
|
{
|
|
if (ref->node)
|
|
binder_free_node(ref->node);
|
|
kfree(ref->death);
|
|
kfree(ref);
|
|
}
|
|
|
|
/**
|
|
* binder_update_ref_for_handle() - inc/dec the ref for given handle
|
|
* @proc: proc containing the ref
|
|
* @desc: the handle associated with the ref
|
|
* @increment: true=inc reference, false=dec reference
|
|
* @strong: true=strong reference, false=weak reference
|
|
* @rdata: the id/refcount data for the ref
|
|
*
|
|
* Given a proc and ref handle, increment or decrement the ref
|
|
* according to "increment" arg.
|
|
*
|
|
* Return: 0 if successful, else errno
|
|
*/
|
|
static int binder_update_ref_for_handle(struct binder_proc *proc,
|
|
uint32_t desc, bool increment, bool strong,
|
|
struct binder_ref_data *rdata)
|
|
{
|
|
int ret = 0;
|
|
struct binder_ref *ref;
|
|
bool delete_ref = false;
|
|
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, desc, strong);
|
|
if (!ref) {
|
|
ret = -EINVAL;
|
|
goto err_no_ref;
|
|
}
|
|
if (increment)
|
|
ret = binder_inc_ref_olocked(ref, strong, NULL);
|
|
else
|
|
delete_ref = binder_dec_ref_olocked(ref, strong);
|
|
|
|
if (rdata)
|
|
*rdata = ref->data;
|
|
binder_proc_unlock(proc);
|
|
|
|
if (delete_ref)
|
|
binder_free_ref(ref);
|
|
return ret;
|
|
|
|
err_no_ref:
|
|
binder_proc_unlock(proc);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* binder_dec_ref_for_handle() - dec the ref for given handle
|
|
* @proc: proc containing the ref
|
|
* @desc: the handle associated with the ref
|
|
* @strong: true=strong reference, false=weak reference
|
|
* @rdata: the id/refcount data for the ref
|
|
*
|
|
* Just calls binder_update_ref_for_handle() to decrement the ref.
|
|
*
|
|
* Return: 0 if successful, else errno
|
|
*/
|
|
static int binder_dec_ref_for_handle(struct binder_proc *proc,
|
|
uint32_t desc, bool strong, struct binder_ref_data *rdata)
|
|
{
|
|
return binder_update_ref_for_handle(proc, desc, false, strong, rdata);
|
|
}
|
|
|
|
|
|
/**
|
|
* binder_inc_ref_for_node() - increment the ref for given proc/node
|
|
* @proc: proc containing the ref
|
|
* @node: target node
|
|
* @strong: true=strong reference, false=weak reference
|
|
* @target_list: worklist to use if node is incremented
|
|
* @rdata: the id/refcount data for the ref
|
|
*
|
|
* Given a proc and node, increment the ref. Create the ref if it
|
|
* doesn't already exist
|
|
*
|
|
* Return: 0 if successful, else errno
|
|
*/
|
|
static int binder_inc_ref_for_node(struct binder_proc *proc,
|
|
struct binder_node *node,
|
|
bool strong,
|
|
struct list_head *target_list,
|
|
struct binder_ref_data *rdata)
|
|
{
|
|
struct binder_ref *ref;
|
|
struct binder_ref *new_ref = NULL;
|
|
int ret = 0;
|
|
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_for_node_olocked(proc, node, NULL);
|
|
if (!ref) {
|
|
binder_proc_unlock(proc);
|
|
new_ref = kzalloc(sizeof(*ref), GFP_KERNEL);
|
|
if (!new_ref)
|
|
return -ENOMEM;
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_for_node_olocked(proc, node, new_ref);
|
|
}
|
|
ret = binder_inc_ref_olocked(ref, strong, target_list);
|
|
*rdata = ref->data;
|
|
binder_proc_unlock(proc);
|
|
if (new_ref && ref != new_ref)
|
|
/*
|
|
* Another thread created the ref first so
|
|
* free the one we allocated
|
|
*/
|
|
kfree(new_ref);
|
|
return ret;
|
|
}
|
|
|
|
static void binder_pop_transaction_ilocked(struct binder_thread *target_thread,
|
|
struct binder_transaction *t)
|
|
{
|
|
BUG_ON(!target_thread);
|
|
assert_spin_locked(&target_thread->proc->inner_lock);
|
|
BUG_ON(target_thread->transaction_stack != t);
|
|
BUG_ON(target_thread->transaction_stack->from != target_thread);
|
|
target_thread->transaction_stack =
|
|
target_thread->transaction_stack->from_parent;
|
|
t->from = NULL;
|
|
}
|
|
|
|
/**
|
|
* binder_thread_dec_tmpref() - decrement thread->tmp_ref
|
|
* @thread: thread to decrement
|
|
*
|
|
* A thread needs to be kept alive while being used to create or
|
|
* handle a transaction. binder_get_txn_from() is used to safely
|
|
* extract t->from from a binder_transaction and keep the thread
|
|
* indicated by t->from from being freed. When done with that
|
|
* binder_thread, this function is called to decrement the
|
|
* tmp_ref and free if appropriate (thread has been released
|
|
* and no transaction being processed by the driver)
|
|
*/
|
|
static void binder_thread_dec_tmpref(struct binder_thread *thread)
|
|
{
|
|
/*
|
|
* atomic is used to protect the counter value while
|
|
* it cannot reach zero or thread->is_dead is false
|
|
*/
|
|
binder_inner_proc_lock(thread->proc);
|
|
atomic_dec(&thread->tmp_ref);
|
|
if (thread->is_dead && !atomic_read(&thread->tmp_ref)) {
|
|
binder_inner_proc_unlock(thread->proc);
|
|
binder_free_thread(thread);
|
|
return;
|
|
}
|
|
binder_inner_proc_unlock(thread->proc);
|
|
}
|
|
|
|
/**
|
|
* binder_proc_dec_tmpref() - decrement proc->tmp_ref
|
|
* @proc: proc to decrement
|
|
*
|
|
* A binder_proc needs to be kept alive while being used to create or
|
|
* handle a transaction. proc->tmp_ref is incremented when
|
|
* creating a new transaction or the binder_proc is currently in-use
|
|
* by threads that are being released. When done with the binder_proc,
|
|
* this function is called to decrement the counter and free the
|
|
* proc if appropriate (proc has been released, all threads have
|
|
* been released and not currenly in-use to process a transaction).
|
|
*/
|
|
static void binder_proc_dec_tmpref(struct binder_proc *proc)
|
|
{
|
|
binder_inner_proc_lock(proc);
|
|
proc->tmp_ref--;
|
|
if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
|
|
!proc->tmp_ref) {
|
|
binder_inner_proc_unlock(proc);
|
|
binder_free_proc(proc);
|
|
return;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
|
|
/**
|
|
* binder_get_txn_from() - safely extract the "from" thread in transaction
|
|
* @t: binder transaction for t->from
|
|
*
|
|
* Atomically return the "from" thread and increment the tmp_ref
|
|
* count for the thread to ensure it stays alive until
|
|
* binder_thread_dec_tmpref() is called.
|
|
*
|
|
* Return: the value of t->from
|
|
*/
|
|
static struct binder_thread *binder_get_txn_from(
|
|
struct binder_transaction *t)
|
|
{
|
|
struct binder_thread *from;
|
|
|
|
spin_lock(&t->lock);
|
|
from = t->from;
|
|
if (from)
|
|
atomic_inc(&from->tmp_ref);
|
|
spin_unlock(&t->lock);
|
|
return from;
|
|
}
|
|
|
|
/**
|
|
* binder_get_txn_from_and_acq_inner() - get t->from and acquire inner lock
|
|
* @t: binder transaction for t->from
|
|
*
|
|
* Same as binder_get_txn_from() except it also acquires the proc->inner_lock
|
|
* to guarantee that the thread cannot be released while operating on it.
|
|
* The caller must call binder_inner_proc_unlock() to release the inner lock
|
|
* as well as call binder_dec_thread_txn() to release the reference.
|
|
*
|
|
* Return: the value of t->from
|
|
*/
|
|
static struct binder_thread *binder_get_txn_from_and_acq_inner(
|
|
struct binder_transaction *t)
|
|
{
|
|
struct binder_thread *from;
|
|
|
|
from = binder_get_txn_from(t);
|
|
if (!from)
|
|
return NULL;
|
|
binder_inner_proc_lock(from->proc);
|
|
if (t->from) {
|
|
BUG_ON(from != t->from);
|
|
return from;
|
|
}
|
|
binder_inner_proc_unlock(from->proc);
|
|
binder_thread_dec_tmpref(from);
|
|
return NULL;
|
|
}
|
|
|
|
static void binder_free_transaction(struct binder_transaction *t)
|
|
{
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
|
|
if (target_proc) {
|
|
binder_inner_proc_lock(target_proc);
|
|
if (t->buffer)
|
|
t->buffer->transaction = NULL;
|
|
binder_inner_proc_unlock(target_proc);
|
|
}
|
|
/*
|
|
* If the transaction has no target_proc, then
|
|
* t->buffer->transaction has already been cleared.
|
|
*/
|
|
kfree(t);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION);
|
|
}
|
|
|
|
static void binder_send_failed_reply(struct binder_transaction *t,
|
|
uint32_t error_code)
|
|
{
|
|
struct binder_thread *target_thread;
|
|
struct binder_transaction *next;
|
|
|
|
BUG_ON(t->flags & TF_ONE_WAY);
|
|
while (1) {
|
|
target_thread = binder_get_txn_from_and_acq_inner(t);
|
|
if (target_thread) {
|
|
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"send failed reply for transaction %d to %d:%d\n",
|
|
t->debug_id,
|
|
target_thread->proc->pid,
|
|
target_thread->pid);
|
|
|
|
binder_pop_transaction_ilocked(target_thread, t);
|
|
if (target_thread->reply_error.cmd == BR_OK) {
|
|
target_thread->reply_error.cmd = error_code;
|
|
binder_enqueue_thread_work_ilocked(
|
|
target_thread,
|
|
&target_thread->reply_error.work);
|
|
wake_up_interruptible(&target_thread->wait);
|
|
} else {
|
|
/*
|
|
* Cannot get here for normal operation, but
|
|
* we can if multiple synchronous transactions
|
|
* are sent without blocking for responses.
|
|
* Just ignore the 2nd error in this case.
|
|
*/
|
|
pr_warn("Unexpected reply error: %u\n",
|
|
target_thread->reply_error.cmd);
|
|
}
|
|
binder_inner_proc_unlock(target_thread->proc);
|
|
binder_thread_dec_tmpref(target_thread);
|
|
binder_free_transaction(t);
|
|
return;
|
|
}
|
|
next = t->from_parent;
|
|
|
|
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"send failed reply for transaction %d, target dead\n",
|
|
t->debug_id);
|
|
|
|
binder_free_transaction(t);
|
|
if (next == NULL) {
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"reply failed, no target thread at root\n");
|
|
return;
|
|
}
|
|
t = next;
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"reply failed, no target thread -- retry %d\n",
|
|
t->debug_id);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* binder_cleanup_transaction() - cleans up undelivered transaction
|
|
* @t: transaction that needs to be cleaned up
|
|
* @reason: reason the transaction wasn't delivered
|
|
* @error_code: error to return to caller (if synchronous call)
|
|
*/
|
|
static void binder_cleanup_transaction(struct binder_transaction *t,
|
|
const char *reason,
|
|
uint32_t error_code)
|
|
{
|
|
if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) {
|
|
binder_send_failed_reply(t, error_code);
|
|
} else {
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"undelivered transaction %d, %s\n",
|
|
t->debug_id, reason);
|
|
binder_free_transaction(t);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* binder_get_object() - gets object and checks for valid metadata
|
|
* @proc: binder_proc owning the buffer
|
|
* @buffer: binder_buffer that we're parsing.
|
|
* @offset: offset in the @buffer at which to validate an object.
|
|
* @object: struct binder_object to read into
|
|
*
|
|
* Return: If there's a valid metadata object at @offset in @buffer, the
|
|
* size of that object. Otherwise, it returns zero. The object
|
|
* is read into the struct binder_object pointed to by @object.
|
|
*/
|
|
static size_t binder_get_object(struct binder_proc *proc,
|
|
struct binder_buffer *buffer,
|
|
unsigned long offset,
|
|
struct binder_object *object)
|
|
{
|
|
size_t read_size;
|
|
struct binder_object_header *hdr;
|
|
size_t object_size = 0;
|
|
|
|
read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
|
|
if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
|
|
!IS_ALIGNED(offset, sizeof(u32)))
|
|
return 0;
|
|
binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
|
|
offset, read_size);
|
|
|
|
/* Ok, now see if we read a complete object. */
|
|
hdr = &object->hdr;
|
|
switch (hdr->type) {
|
|
case BINDER_TYPE_BINDER:
|
|
case BINDER_TYPE_WEAK_BINDER:
|
|
case BINDER_TYPE_HANDLE:
|
|
case BINDER_TYPE_WEAK_HANDLE:
|
|
object_size = sizeof(struct flat_binder_object);
|
|
break;
|
|
case BINDER_TYPE_FD:
|
|
object_size = sizeof(struct binder_fd_object);
|
|
break;
|
|
case BINDER_TYPE_PTR:
|
|
object_size = sizeof(struct binder_buffer_object);
|
|
break;
|
|
case BINDER_TYPE_FDA:
|
|
object_size = sizeof(struct binder_fd_array_object);
|
|
break;
|
|
default:
|
|
return 0;
|
|
}
|
|
if (offset <= buffer->data_size - object_size &&
|
|
buffer->data_size >= object_size)
|
|
return object_size;
|
|
else
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* binder_validate_ptr() - validates binder_buffer_object in a binder_buffer.
|
|
* @proc: binder_proc owning the buffer
|
|
* @b: binder_buffer containing the object
|
|
* @object: struct binder_object to read into
|
|
* @index: index in offset array at which the binder_buffer_object is
|
|
* located
|
|
* @start_offset: points to the start of the offset array
|
|
* @object_offsetp: offset of @object read from @b
|
|
* @num_valid: the number of valid offsets in the offset array
|
|
*
|
|
* Return: If @index is within the valid range of the offset array
|
|
* described by @start and @num_valid, and if there's a valid
|
|
* binder_buffer_object at the offset found in index @index
|
|
* of the offset array, that object is returned. Otherwise,
|
|
* %NULL is returned.
|
|
* Note that the offset found in index @index itself is not
|
|
* verified; this function assumes that @num_valid elements
|
|
* from @start were previously verified to have valid offsets.
|
|
* If @object_offsetp is non-NULL, then the offset within
|
|
* @b is written to it.
|
|
*/
|
|
static struct binder_buffer_object *binder_validate_ptr(
|
|
struct binder_proc *proc,
|
|
struct binder_buffer *b,
|
|
struct binder_object *object,
|
|
binder_size_t index,
|
|
binder_size_t start_offset,
|
|
binder_size_t *object_offsetp,
|
|
binder_size_t num_valid)
|
|
{
|
|
size_t object_size;
|
|
binder_size_t object_offset;
|
|
unsigned long buffer_offset;
|
|
|
|
if (index >= num_valid)
|
|
return NULL;
|
|
|
|
buffer_offset = start_offset + sizeof(binder_size_t) * index;
|
|
binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
|
|
b, buffer_offset, sizeof(object_offset));
|
|
object_size = binder_get_object(proc, b, object_offset, object);
|
|
if (!object_size || object->hdr.type != BINDER_TYPE_PTR)
|
|
return NULL;
|
|
if (object_offsetp)
|
|
*object_offsetp = object_offset;
|
|
|
|
return &object->bbo;
|
|
}
|
|
|
|
/**
|
|
* binder_validate_fixup() - validates pointer/fd fixups happen in order.
|
|
* @proc: binder_proc owning the buffer
|
|
* @b: transaction buffer
|
|
* @objects_start_offset: offset to start of objects buffer
|
|
* @buffer_obj_offset: offset to binder_buffer_object in which to fix up
|
|
* @fixup_offset: start offset in @buffer to fix up
|
|
* @last_obj_offset: offset to last binder_buffer_object that we fixed
|
|
* @last_min_offset: minimum fixup offset in object at @last_obj_offset
|
|
*
|
|
* Return: %true if a fixup in buffer @buffer at offset @offset is
|
|
* allowed.
|
|
*
|
|
* For safety reasons, we only allow fixups inside a buffer to happen
|
|
* at increasing offsets; additionally, we only allow fixup on the last
|
|
* buffer object that was verified, or one of its parents.
|
|
*
|
|
* Example of what is allowed:
|
|
*
|
|
* A
|
|
* B (parent = A, offset = 0)
|
|
* C (parent = A, offset = 16)
|
|
* D (parent = C, offset = 0)
|
|
* E (parent = A, offset = 32) // min_offset is 16 (C.parent_offset)
|
|
*
|
|
* Examples of what is not allowed:
|
|
*
|
|
* Decreasing offsets within the same parent:
|
|
* A
|
|
* C (parent = A, offset = 16)
|
|
* B (parent = A, offset = 0) // decreasing offset within A
|
|
*
|
|
* Referring to a parent that wasn't the last object or any of its parents:
|
|
* A
|
|
* B (parent = A, offset = 0)
|
|
* C (parent = A, offset = 0)
|
|
* C (parent = A, offset = 16)
|
|
* D (parent = B, offset = 0) // B is not A or any of A's parents
|
|
*/
|
|
static bool binder_validate_fixup(struct binder_proc *proc,
|
|
struct binder_buffer *b,
|
|
binder_size_t objects_start_offset,
|
|
binder_size_t buffer_obj_offset,
|
|
binder_size_t fixup_offset,
|
|
binder_size_t last_obj_offset,
|
|
binder_size_t last_min_offset)
|
|
{
|
|
if (!last_obj_offset) {
|
|
/* Nothing to fix up in */
|
|
return false;
|
|
}
|
|
|
|
while (last_obj_offset != buffer_obj_offset) {
|
|
unsigned long buffer_offset;
|
|
struct binder_object last_object;
|
|
struct binder_buffer_object *last_bbo;
|
|
size_t object_size = binder_get_object(proc, b, last_obj_offset,
|
|
&last_object);
|
|
if (object_size != sizeof(*last_bbo))
|
|
return false;
|
|
|
|
last_bbo = &last_object.bbo;
|
|
/*
|
|
* Safe to retrieve the parent of last_obj, since it
|
|
* was already previously verified by the driver.
|
|
*/
|
|
if ((last_bbo->flags & BINDER_BUFFER_FLAG_HAS_PARENT) == 0)
|
|
return false;
|
|
last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t);
|
|
buffer_offset = objects_start_offset +
|
|
sizeof(binder_size_t) * last_bbo->parent,
|
|
binder_alloc_copy_from_buffer(&proc->alloc, &last_obj_offset,
|
|
b, buffer_offset,
|
|
sizeof(last_obj_offset));
|
|
}
|
|
return (fixup_offset >= last_min_offset);
|
|
}
|
|
|
|
static void binder_transaction_buffer_release(struct binder_proc *proc,
|
|
struct binder_buffer *buffer,
|
|
binder_size_t failed_at,
|
|
bool is_failure)
|
|
{
|
|
int debug_id = buffer->debug_id;
|
|
binder_size_t off_start_offset, buffer_offset, off_end_offset;
|
|
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"%d buffer release %d, size %zd-%zd, failed at %llx\n",
|
|
proc->pid, buffer->debug_id,
|
|
buffer->data_size, buffer->offsets_size,
|
|
(unsigned long long)failed_at);
|
|
|
|
if (buffer->target_node)
|
|
binder_dec_node(buffer->target_node, 1, 0);
|
|
|
|
off_start_offset = ALIGN(buffer->data_size, sizeof(void *));
|
|
off_end_offset = is_failure ? failed_at :
|
|
off_start_offset + buffer->offsets_size;
|
|
for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
|
|
buffer_offset += sizeof(binder_size_t)) {
|
|
struct binder_object_header *hdr;
|
|
size_t object_size;
|
|
struct binder_object object;
|
|
binder_size_t object_offset;
|
|
|
|
binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
|
|
buffer, buffer_offset,
|
|
sizeof(object_offset));
|
|
object_size = binder_get_object(proc, buffer,
|
|
object_offset, &object);
|
|
if (object_size == 0) {
|
|
pr_err("transaction release %d bad object at offset %lld, size %zd\n",
|
|
debug_id, (u64)object_offset, buffer->data_size);
|
|
continue;
|
|
}
|
|
hdr = &object.hdr;
|
|
switch (hdr->type) {
|
|
case BINDER_TYPE_BINDER:
|
|
case BINDER_TYPE_WEAK_BINDER: {
|
|
struct flat_binder_object *fp;
|
|
struct binder_node *node;
|
|
|
|
fp = to_flat_binder_object(hdr);
|
|
node = binder_get_node(proc, fp->binder);
|
|
if (node == NULL) {
|
|
pr_err("transaction release %d bad node %016llx\n",
|
|
debug_id, (u64)fp->binder);
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" node %d u%016llx\n",
|
|
node->debug_id, (u64)node->ptr);
|
|
binder_dec_node(node, hdr->type == BINDER_TYPE_BINDER,
|
|
0);
|
|
binder_put_node(node);
|
|
} break;
|
|
case BINDER_TYPE_HANDLE:
|
|
case BINDER_TYPE_WEAK_HANDLE: {
|
|
struct flat_binder_object *fp;
|
|
struct binder_ref_data rdata;
|
|
int ret;
|
|
|
|
fp = to_flat_binder_object(hdr);
|
|
ret = binder_dec_ref_for_handle(proc, fp->handle,
|
|
hdr->type == BINDER_TYPE_HANDLE, &rdata);
|
|
|
|
if (ret) {
|
|
pr_err("transaction release %d bad handle %d, ret = %d\n",
|
|
debug_id, fp->handle, ret);
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" ref %d desc %d\n",
|
|
rdata.debug_id, rdata.desc);
|
|
} break;
|
|
|
|
case BINDER_TYPE_FD: {
|
|
struct binder_fd_object *fp = to_binder_fd_object(hdr);
|
|
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" fd %d\n", fp->fd);
|
|
if (failed_at)
|
|
task_close_fd(proc, fp->fd);
|
|
} break;
|
|
case BINDER_TYPE_PTR:
|
|
/*
|
|
* Nothing to do here, this will get cleaned up when the
|
|
* transaction buffer gets freed
|
|
*/
|
|
break;
|
|
case BINDER_TYPE_FDA: {
|
|
struct binder_fd_array_object *fda;
|
|
struct binder_buffer_object *parent;
|
|
struct binder_object ptr_object;
|
|
binder_size_t fda_offset;
|
|
size_t fd_index;
|
|
binder_size_t fd_buf_size;
|
|
binder_size_t num_valid;
|
|
|
|
num_valid = (buffer_offset - off_start_offset) /
|
|
sizeof(binder_size_t);
|
|
fda = to_binder_fd_array_object(hdr);
|
|
parent = binder_validate_ptr(proc, buffer, &ptr_object,
|
|
fda->parent,
|
|
off_start_offset,
|
|
NULL,
|
|
num_valid);
|
|
if (!parent) {
|
|
pr_err("transaction release %d bad parent offset\n",
|
|
debug_id);
|
|
continue;
|
|
}
|
|
fd_buf_size = sizeof(u32) * fda->num_fds;
|
|
if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
|
|
pr_err("transaction release %d invalid number of fds (%lld)\n",
|
|
debug_id, (u64)fda->num_fds);
|
|
continue;
|
|
}
|
|
if (fd_buf_size > parent->length ||
|
|
fda->parent_offset > parent->length - fd_buf_size) {
|
|
/* No space for all file descriptors here. */
|
|
pr_err("transaction release %d not enough space for %lld fds in buffer\n",
|
|
debug_id, (u64)fda->num_fds);
|
|
continue;
|
|
}
|
|
/*
|
|
* the source data for binder_buffer_object is visible
|
|
* to user-space and the @buffer element is the user
|
|
* pointer to the buffer_object containing the fd_array.
|
|
* Convert the address to an offset relative to
|
|
* the base of the transaction buffer.
|
|
*/
|
|
fda_offset =
|
|
(parent->buffer - (uintptr_t)buffer->user_data) +
|
|
fda->parent_offset;
|
|
for (fd_index = 0; fd_index < fda->num_fds;
|
|
fd_index++) {
|
|
u32 fd;
|
|
binder_size_t offset = fda_offset +
|
|
fd_index * sizeof(fd);
|
|
|
|
binder_alloc_copy_from_buffer(&proc->alloc,
|
|
&fd,
|
|
buffer,
|
|
offset,
|
|
sizeof(fd));
|
|
task_close_fd(proc, fd);
|
|
}
|
|
} break;
|
|
default:
|
|
pr_err("transaction release %d bad object type %x\n",
|
|
debug_id, hdr->type);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
static int binder_translate_binder(struct flat_binder_object *fp,
|
|
struct binder_transaction *t,
|
|
struct binder_thread *thread)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
struct binder_ref_data rdata;
|
|
int ret = 0;
|
|
|
|
node = binder_get_node(proc, fp->binder);
|
|
if (!node) {
|
|
node = binder_new_node(proc, fp);
|
|
if (!node)
|
|
return -ENOMEM;
|
|
}
|
|
if (fp->cookie != node->cookie) {
|
|
binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
|
|
proc->pid, thread->pid, (u64)fp->binder,
|
|
node->debug_id, (u64)fp->cookie,
|
|
(u64)node->cookie);
|
|
ret = -EINVAL;
|
|
goto done;
|
|
}
|
|
if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
|
|
ret = -EPERM;
|
|
goto done;
|
|
}
|
|
|
|
ret = binder_inc_ref_for_node(target_proc, node,
|
|
fp->hdr.type == BINDER_TYPE_BINDER,
|
|
&thread->todo, &rdata);
|
|
if (ret)
|
|
goto done;
|
|
|
|
if (fp->hdr.type == BINDER_TYPE_BINDER)
|
|
fp->hdr.type = BINDER_TYPE_HANDLE;
|
|
else
|
|
fp->hdr.type = BINDER_TYPE_WEAK_HANDLE;
|
|
fp->binder = 0;
|
|
fp->handle = rdata.desc;
|
|
fp->cookie = 0;
|
|
|
|
trace_binder_transaction_node_to_ref(t, node, &rdata);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" node %d u%016llx -> ref %d desc %d\n",
|
|
node->debug_id, (u64)node->ptr,
|
|
rdata.debug_id, rdata.desc);
|
|
done:
|
|
binder_put_node(node);
|
|
return ret;
|
|
}
|
|
|
|
static int binder_translate_handle(struct flat_binder_object *fp,
|
|
struct binder_transaction *t,
|
|
struct binder_thread *thread)
|
|
{
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
struct binder_node *node;
|
|
struct binder_ref_data src_rdata;
|
|
int ret = 0;
|
|
|
|
node = binder_get_node_from_ref(proc, fp->handle,
|
|
fp->hdr.type == BINDER_TYPE_HANDLE, &src_rdata);
|
|
if (!node) {
|
|
binder_user_error("%d:%d got transaction with invalid handle, %d\n",
|
|
proc->pid, thread->pid, fp->handle);
|
|
return -EINVAL;
|
|
}
|
|
if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
|
|
ret = -EPERM;
|
|
goto done;
|
|
}
|
|
|
|
binder_node_lock(node);
|
|
if (node->proc == target_proc) {
|
|
if (fp->hdr.type == BINDER_TYPE_HANDLE)
|
|
fp->hdr.type = BINDER_TYPE_BINDER;
|
|
else
|
|
fp->hdr.type = BINDER_TYPE_WEAK_BINDER;
|
|
fp->binder = node->ptr;
|
|
fp->cookie = node->cookie;
|
|
if (node->proc)
|
|
binder_inner_proc_lock(node->proc);
|
|
binder_inc_node_nilocked(node,
|
|
fp->hdr.type == BINDER_TYPE_BINDER,
|
|
0, NULL);
|
|
if (node->proc)
|
|
binder_inner_proc_unlock(node->proc);
|
|
trace_binder_transaction_ref_to_node(t, node, &src_rdata);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" ref %d desc %d -> node %d u%016llx\n",
|
|
src_rdata.debug_id, src_rdata.desc, node->debug_id,
|
|
(u64)node->ptr);
|
|
binder_node_unlock(node);
|
|
} else {
|
|
struct binder_ref_data dest_rdata;
|
|
|
|
binder_node_unlock(node);
|
|
ret = binder_inc_ref_for_node(target_proc, node,
|
|
fp->hdr.type == BINDER_TYPE_HANDLE,
|
|
NULL, &dest_rdata);
|
|
if (ret)
|
|
goto done;
|
|
|
|
fp->binder = 0;
|
|
fp->handle = dest_rdata.desc;
|
|
fp->cookie = 0;
|
|
trace_binder_transaction_ref_to_ref(t, node, &src_rdata,
|
|
&dest_rdata);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" ref %d desc %d -> ref %d desc %d (node %d)\n",
|
|
src_rdata.debug_id, src_rdata.desc,
|
|
dest_rdata.debug_id, dest_rdata.desc,
|
|
node->debug_id);
|
|
}
|
|
done:
|
|
binder_put_node(node);
|
|
return ret;
|
|
}
|
|
|
|
static int binder_translate_fd(int fd,
|
|
struct binder_transaction *t,
|
|
struct binder_thread *thread,
|
|
struct binder_transaction *in_reply_to)
|
|
{
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
int target_fd;
|
|
struct file *file;
|
|
int ret;
|
|
bool target_allows_fd;
|
|
|
|
if (in_reply_to)
|
|
target_allows_fd = !!(in_reply_to->flags & TF_ACCEPT_FDS);
|
|
else
|
|
target_allows_fd = t->buffer->target_node->accept_fds;
|
|
if (!target_allows_fd) {
|
|
binder_user_error("%d:%d got %s with fd, %d, but target does not allow fds\n",
|
|
proc->pid, thread->pid,
|
|
in_reply_to ? "reply" : "transaction",
|
|
fd);
|
|
ret = -EPERM;
|
|
goto err_fd_not_accepted;
|
|
}
|
|
|
|
file = fget(fd);
|
|
if (!file) {
|
|
binder_user_error("%d:%d got transaction with invalid fd, %d\n",
|
|
proc->pid, thread->pid, fd);
|
|
ret = -EBADF;
|
|
goto err_fget;
|
|
}
|
|
ret = security_binder_transfer_file(proc->tsk, target_proc->tsk, file);
|
|
if (ret < 0) {
|
|
ret = -EPERM;
|
|
goto err_security;
|
|
}
|
|
|
|
target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC);
|
|
if (target_fd < 0) {
|
|
ret = -ENOMEM;
|
|
goto err_get_unused_fd;
|
|
}
|
|
task_fd_install(target_proc, target_fd, file);
|
|
trace_binder_transaction_fd(t, fd, target_fd);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION, " fd %d -> %d\n",
|
|
fd, target_fd);
|
|
|
|
return target_fd;
|
|
|
|
err_get_unused_fd:
|
|
err_security:
|
|
fput(file);
|
|
err_fget:
|
|
err_fd_not_accepted:
|
|
return ret;
|
|
}
|
|
|
|
static int binder_translate_fd_array(struct binder_fd_array_object *fda,
|
|
struct binder_buffer_object *parent,
|
|
struct binder_transaction *t,
|
|
struct binder_thread *thread,
|
|
struct binder_transaction *in_reply_to)
|
|
{
|
|
binder_size_t fdi, fd_buf_size, num_installed_fds;
|
|
binder_size_t fda_offset;
|
|
int target_fd;
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
|
|
fd_buf_size = sizeof(u32) * fda->num_fds;
|
|
if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
|
|
binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
|
|
proc->pid, thread->pid, (u64)fda->num_fds);
|
|
return -EINVAL;
|
|
}
|
|
if (fd_buf_size > parent->length ||
|
|
fda->parent_offset > parent->length - fd_buf_size) {
|
|
/* No space for all file descriptors here. */
|
|
binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
|
|
proc->pid, thread->pid, (u64)fda->num_fds);
|
|
return -EINVAL;
|
|
}
|
|
/*
|
|
* the source data for binder_buffer_object is visible
|
|
* to user-space and the @buffer element is the user
|
|
* pointer to the buffer_object containing the fd_array.
|
|
* Convert the address to an offset relative to
|
|
* the base of the transaction buffer.
|
|
*/
|
|
fda_offset = (parent->buffer - (uintptr_t)t->buffer->user_data) +
|
|
fda->parent_offset;
|
|
if (!IS_ALIGNED((unsigned long)fda_offset, sizeof(u32))) {
|
|
binder_user_error("%d:%d parent offset not aligned correctly.\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
for (fdi = 0; fdi < fda->num_fds; fdi++) {
|
|
u32 fd;
|
|
|
|
binder_size_t offset = fda_offset + fdi * sizeof(fd);
|
|
|
|
binder_alloc_copy_from_buffer(&target_proc->alloc,
|
|
&fd, t->buffer,
|
|
offset, sizeof(fd));
|
|
target_fd = binder_translate_fd(fd, t, thread, in_reply_to);
|
|
if (target_fd < 0)
|
|
goto err_translate_fd_failed;
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer, offset,
|
|
&target_fd, sizeof(fd));
|
|
}
|
|
return 0;
|
|
|
|
err_translate_fd_failed:
|
|
/*
|
|
* Failed to allocate fd or security error, free fds
|
|
* installed so far.
|
|
*/
|
|
num_installed_fds = fdi;
|
|
for (fdi = 0; fdi < num_installed_fds; fdi++) {
|
|
u32 fd;
|
|
binder_size_t offset = fda_offset + fdi * sizeof(fd);
|
|
binder_alloc_copy_from_buffer(&target_proc->alloc,
|
|
&fd, t->buffer,
|
|
offset, sizeof(fd));
|
|
task_close_fd(target_proc, fd);
|
|
}
|
|
return target_fd;
|
|
}
|
|
|
|
static int binder_fixup_parent(struct binder_transaction *t,
|
|
struct binder_thread *thread,
|
|
struct binder_buffer_object *bp,
|
|
binder_size_t off_start_offset,
|
|
binder_size_t num_valid,
|
|
binder_size_t last_fixup_obj_off,
|
|
binder_size_t last_fixup_min_off)
|
|
{
|
|
struct binder_buffer_object *parent;
|
|
struct binder_buffer *b = t->buffer;
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
struct binder_object object;
|
|
binder_size_t buffer_offset;
|
|
binder_size_t parent_offset;
|
|
|
|
if (!(bp->flags & BINDER_BUFFER_FLAG_HAS_PARENT))
|
|
return 0;
|
|
|
|
parent = binder_validate_ptr(target_proc, b, &object, bp->parent,
|
|
off_start_offset, &parent_offset,
|
|
num_valid);
|
|
if (!parent) {
|
|
binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (!binder_validate_fixup(target_proc, b, off_start_offset,
|
|
parent_offset, bp->parent_offset,
|
|
last_fixup_obj_off,
|
|
last_fixup_min_off)) {
|
|
binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (parent->length < sizeof(binder_uintptr_t) ||
|
|
bp->parent_offset > parent->length - sizeof(binder_uintptr_t)) {
|
|
/* No space for a pointer here! */
|
|
binder_user_error("%d:%d got transaction with invalid parent offset\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
buffer_offset = bp->parent_offset +
|
|
(uintptr_t)parent->buffer - (uintptr_t)b->user_data;
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset,
|
|
&bp->buffer, sizeof(bp->buffer));
|
|
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* binder_proc_transaction() - sends a transaction to a process and wakes it up
|
|
* @t: transaction to send
|
|
* @proc: process to send the transaction to
|
|
* @thread: thread in @proc to send the transaction to (may be NULL)
|
|
*
|
|
* This function queues a transaction to the specified process. It will try
|
|
* to find a thread in the target process to handle the transaction and
|
|
* wake it up. If no thread is found, the work is queued to the proc
|
|
* waitqueue.
|
|
*
|
|
* If the @thread parameter is not NULL, the transaction is always queued
|
|
* to the waitlist of that specific thread.
|
|
*
|
|
* Return: true if the transactions was successfully queued
|
|
* false if the target process or thread is dead
|
|
*/
|
|
static bool binder_proc_transaction(struct binder_transaction *t,
|
|
struct binder_proc *proc,
|
|
struct binder_thread *thread)
|
|
{
|
|
struct binder_node *node = t->buffer->target_node;
|
|
struct binder_priority node_prio;
|
|
bool oneway = !!(t->flags & TF_ONE_WAY);
|
|
bool pending_async = false;
|
|
|
|
BUG_ON(!node);
|
|
binder_node_lock(node);
|
|
node_prio.prio = node->min_priority;
|
|
node_prio.sched_policy = node->sched_policy;
|
|
|
|
if (oneway) {
|
|
BUG_ON(thread);
|
|
if (node->has_async_transaction) {
|
|
pending_async = true;
|
|
} else {
|
|
node->has_async_transaction = true;
|
|
}
|
|
}
|
|
|
|
binder_inner_proc_lock(proc);
|
|
|
|
if (proc->is_dead || (thread && thread->is_dead)) {
|
|
binder_inner_proc_unlock(proc);
|
|
binder_node_unlock(node);
|
|
return false;
|
|
}
|
|
|
|
if (!thread && !pending_async)
|
|
thread = binder_select_thread_ilocked(proc);
|
|
|
|
if (thread) {
|
|
binder_transaction_priority(thread->task, t, node_prio,
|
|
node->inherit_rt);
|
|
binder_enqueue_thread_work_ilocked(thread, &t->work);
|
|
} else if (!pending_async) {
|
|
binder_enqueue_work_ilocked(&t->work, &proc->todo);
|
|
} else {
|
|
binder_enqueue_work_ilocked(&t->work, &node->async_todo);
|
|
}
|
|
|
|
if (!pending_async)
|
|
binder_wakeup_thread_ilocked(proc, thread, !oneway /* sync */);
|
|
|
|
binder_inner_proc_unlock(proc);
|
|
binder_node_unlock(node);
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* binder_get_node_refs_for_txn() - Get required refs on node for txn
|
|
* @node: struct binder_node for which to get refs
|
|
* @proc: returns @node->proc if valid
|
|
* @error: if no @proc then returns BR_DEAD_REPLY
|
|
*
|
|
* User-space normally keeps the node alive when creating a transaction
|
|
* since it has a reference to the target. The local strong ref keeps it
|
|
* alive if the sending process dies before the target process processes
|
|
* the transaction. If the source process is malicious or has a reference
|
|
* counting bug, relying on the local strong ref can fail.
|
|
*
|
|
* Since user-space can cause the local strong ref to go away, we also take
|
|
* a tmpref on the node to ensure it survives while we are constructing
|
|
* the transaction. We also need a tmpref on the proc while we are
|
|
* constructing the transaction, so we take that here as well.
|
|
*
|
|
* Return: The target_node with refs taken or NULL if no @node->proc is NULL.
|
|
* Also sets @proc if valid. If the @node->proc is NULL indicating that the
|
|
* target proc has died, @error is set to BR_DEAD_REPLY
|
|
*/
|
|
static struct binder_node *binder_get_node_refs_for_txn(
|
|
struct binder_node *node,
|
|
struct binder_proc **procp,
|
|
uint32_t *error)
|
|
{
|
|
struct binder_node *target_node = NULL;
|
|
|
|
binder_node_inner_lock(node);
|
|
if (node->proc) {
|
|
target_node = node;
|
|
binder_inc_node_nilocked(node, 1, 0, NULL);
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
node->proc->tmp_ref++;
|
|
*procp = node->proc;
|
|
} else
|
|
*error = BR_DEAD_REPLY;
|
|
binder_node_inner_unlock(node);
|
|
|
|
return target_node;
|
|
}
|
|
|
|
static void binder_transaction(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
struct binder_transaction_data *tr, int reply,
|
|
binder_size_t extra_buffers_size)
|
|
{
|
|
int ret;
|
|
struct binder_transaction *t;
|
|
struct binder_work *w;
|
|
struct binder_work *tcomplete;
|
|
binder_size_t buffer_offset = 0;
|
|
binder_size_t off_start_offset, off_end_offset;
|
|
binder_size_t off_min;
|
|
binder_size_t sg_buf_offset, sg_buf_end_offset;
|
|
struct binder_proc *target_proc = NULL;
|
|
struct binder_thread *target_thread = NULL;
|
|
struct binder_node *target_node = NULL;
|
|
struct binder_transaction *in_reply_to = NULL;
|
|
struct binder_transaction_log_entry *e;
|
|
uint32_t return_error = 0;
|
|
uint32_t return_error_param = 0;
|
|
uint32_t return_error_line = 0;
|
|
binder_size_t last_fixup_obj_off = 0;
|
|
binder_size_t last_fixup_min_off = 0;
|
|
struct binder_context *context = proc->context;
|
|
int t_debug_id = atomic_inc_return(&binder_last_id);
|
|
char *secctx = NULL;
|
|
u32 secctx_sz = 0;
|
|
|
|
e = binder_transaction_log_add(&binder_transaction_log);
|
|
e->debug_id = t_debug_id;
|
|
e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
|
|
e->from_proc = proc->pid;
|
|
e->from_thread = thread->pid;
|
|
e->target_handle = tr->target.handle;
|
|
e->data_size = tr->data_size;
|
|
e->offsets_size = tr->offsets_size;
|
|
e->context_name = proc->context->name;
|
|
|
|
if (reply) {
|
|
binder_inner_proc_lock(proc);
|
|
in_reply_to = thread->transaction_stack;
|
|
if (in_reply_to == NULL) {
|
|
binder_inner_proc_unlock(proc);
|
|
binder_user_error("%d:%d got reply transaction with no transaction stack\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
goto err_empty_call_stack;
|
|
}
|
|
if (in_reply_to->to_thread != thread) {
|
|
spin_lock(&in_reply_to->lock);
|
|
binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
|
|
proc->pid, thread->pid, in_reply_to->debug_id,
|
|
in_reply_to->to_proc ?
|
|
in_reply_to->to_proc->pid : 0,
|
|
in_reply_to->to_thread ?
|
|
in_reply_to->to_thread->pid : 0);
|
|
spin_unlock(&in_reply_to->lock);
|
|
binder_inner_proc_unlock(proc);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
in_reply_to = NULL;
|
|
goto err_bad_call_stack;
|
|
}
|
|
thread->transaction_stack = in_reply_to->to_parent;
|
|
binder_inner_proc_unlock(proc);
|
|
target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
|
|
if (target_thread == NULL) {
|
|
return_error = BR_DEAD_REPLY;
|
|
return_error_line = __LINE__;
|
|
goto err_dead_binder;
|
|
}
|
|
if (target_thread->transaction_stack != in_reply_to) {
|
|
binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
|
|
proc->pid, thread->pid,
|
|
target_thread->transaction_stack ?
|
|
target_thread->transaction_stack->debug_id : 0,
|
|
in_reply_to->debug_id);
|
|
binder_inner_proc_unlock(target_thread->proc);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
in_reply_to = NULL;
|
|
target_thread = NULL;
|
|
goto err_dead_binder;
|
|
}
|
|
target_proc = target_thread->proc;
|
|
target_proc->tmp_ref++;
|
|
binder_inner_proc_unlock(target_thread->proc);
|
|
} else {
|
|
if (tr->target.handle) {
|
|
struct binder_ref *ref;
|
|
|
|
/*
|
|
* There must already be a strong ref
|
|
* on this node. If so, do a strong
|
|
* increment on the node to ensure it
|
|
* stays alive until the transaction is
|
|
* done.
|
|
*/
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, tr->target.handle,
|
|
true);
|
|
if (ref) {
|
|
target_node = binder_get_node_refs_for_txn(
|
|
ref->node, &target_proc,
|
|
&return_error);
|
|
} else {
|
|
binder_user_error("%d:%d got transaction to invalid handle\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
}
|
|
binder_proc_unlock(proc);
|
|
} else {
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
target_node = context->binder_context_mgr_node;
|
|
if (target_node)
|
|
target_node = binder_get_node_refs_for_txn(
|
|
target_node, &target_proc,
|
|
&return_error);
|
|
else
|
|
return_error = BR_DEAD_REPLY;
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
if (target_node && target_proc->pid == proc->pid) {
|
|
binder_user_error("%d:%d got transaction to context manager from process owning it\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_invalid_target_handle;
|
|
}
|
|
}
|
|
if (!target_node) {
|
|
/*
|
|
* return_error is set above
|
|
*/
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_dead_binder;
|
|
}
|
|
e->to_node = target_node->debug_id;
|
|
if (security_binder_transaction(proc->tsk,
|
|
target_proc->tsk) < 0) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPERM;
|
|
return_error_line = __LINE__;
|
|
goto err_invalid_target_handle;
|
|
}
|
|
binder_inner_proc_lock(proc);
|
|
|
|
w = list_first_entry_or_null(&thread->todo,
|
|
struct binder_work, entry);
|
|
if (!(tr->flags & TF_ONE_WAY) && w &&
|
|
w->type == BINDER_WORK_TRANSACTION) {
|
|
/*
|
|
* Do not allow new outgoing transaction from a
|
|
* thread that has a transaction at the head of
|
|
* its todo list. Only need to check the head
|
|
* because binder_select_thread_ilocked picks a
|
|
* thread from proc->waiting_threads to enqueue
|
|
* the transaction, and nothing is queued to the
|
|
* todo list while the thread is on waiting_threads.
|
|
*/
|
|
binder_user_error("%d:%d new transaction not allowed when there is a transaction on thread todo\n",
|
|
proc->pid, thread->pid);
|
|
binder_inner_proc_unlock(proc);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_todo_list;
|
|
}
|
|
|
|
if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
|
|
struct binder_transaction *tmp;
|
|
|
|
tmp = thread->transaction_stack;
|
|
if (tmp->to_thread != thread) {
|
|
spin_lock(&tmp->lock);
|
|
binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
|
|
proc->pid, thread->pid, tmp->debug_id,
|
|
tmp->to_proc ? tmp->to_proc->pid : 0,
|
|
tmp->to_thread ?
|
|
tmp->to_thread->pid : 0);
|
|
spin_unlock(&tmp->lock);
|
|
binder_inner_proc_unlock(proc);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_call_stack;
|
|
}
|
|
while (tmp) {
|
|
struct binder_thread *from;
|
|
|
|
spin_lock(&tmp->lock);
|
|
from = tmp->from;
|
|
if (from && from->proc == target_proc) {
|
|
atomic_inc(&from->tmp_ref);
|
|
target_thread = from;
|
|
spin_unlock(&tmp->lock);
|
|
break;
|
|
}
|
|
spin_unlock(&tmp->lock);
|
|
tmp = tmp->from_parent;
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
if (target_thread)
|
|
e->to_thread = target_thread->pid;
|
|
e->to_proc = target_proc->pid;
|
|
|
|
/* TODO: reuse incoming transaction for reply */
|
|
t = kzalloc(sizeof(*t), GFP_KERNEL);
|
|
if (t == NULL) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -ENOMEM;
|
|
return_error_line = __LINE__;
|
|
goto err_alloc_t_failed;
|
|
}
|
|
binder_stats_created(BINDER_STAT_TRANSACTION);
|
|
spin_lock_init(&t->lock);
|
|
|
|
tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
|
|
if (tcomplete == NULL) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -ENOMEM;
|
|
return_error_line = __LINE__;
|
|
goto err_alloc_tcomplete_failed;
|
|
}
|
|
binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);
|
|
|
|
t->debug_id = t_debug_id;
|
|
|
|
if (reply)
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
|
|
proc->pid, thread->pid, t->debug_id,
|
|
target_proc->pid, target_thread->pid,
|
|
(u64)tr->data.ptr.buffer,
|
|
(u64)tr->data.ptr.offsets,
|
|
(u64)tr->data_size, (u64)tr->offsets_size,
|
|
(u64)extra_buffers_size);
|
|
else
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
|
|
proc->pid, thread->pid, t->debug_id,
|
|
target_proc->pid, target_node->debug_id,
|
|
(u64)tr->data.ptr.buffer,
|
|
(u64)tr->data.ptr.offsets,
|
|
(u64)tr->data_size, (u64)tr->offsets_size,
|
|
(u64)extra_buffers_size);
|
|
|
|
if (!reply && !(tr->flags & TF_ONE_WAY))
|
|
t->from = thread;
|
|
else
|
|
t->from = NULL;
|
|
t->sender_euid = task_euid(proc->tsk);
|
|
t->to_proc = target_proc;
|
|
t->to_thread = target_thread;
|
|
t->code = tr->code;
|
|
t->flags = tr->flags;
|
|
if (!(t->flags & TF_ONE_WAY) &&
|
|
binder_supported_policy(current->policy)) {
|
|
/* Inherit supported policies for synchronous transactions */
|
|
t->priority.sched_policy = current->policy;
|
|
t->priority.prio = current->normal_prio;
|
|
} else {
|
|
/* Otherwise, fall back to the default priority */
|
|
t->priority = target_proc->default_priority;
|
|
}
|
|
|
|
if (target_node && target_node->txn_security_ctx) {
|
|
u32 secid;
|
|
size_t added_size;
|
|
|
|
security_task_getsecid(proc->tsk, &secid);
|
|
ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
|
|
if (ret) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_get_secctx_failed;
|
|
}
|
|
added_size = ALIGN(secctx_sz, sizeof(u64));
|
|
extra_buffers_size += added_size;
|
|
if (extra_buffers_size < added_size) {
|
|
/* integer overflow of extra_buffers_size */
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_extra_size;
|
|
}
|
|
}
|
|
|
|
trace_binder_transaction(reply, t, target_node);
|
|
|
|
t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
|
|
tr->offsets_size, extra_buffers_size,
|
|
!reply && (t->flags & TF_ONE_WAY));
|
|
if (IS_ERR(t->buffer)) {
|
|
/*
|
|
* -ESRCH indicates VMA cleared. The target is dying.
|
|
*/
|
|
return_error_param = PTR_ERR(t->buffer);
|
|
return_error = return_error_param == -ESRCH ?
|
|
BR_DEAD_REPLY : BR_FAILED_REPLY;
|
|
return_error_line = __LINE__;
|
|
t->buffer = NULL;
|
|
goto err_binder_alloc_buf_failed;
|
|
}
|
|
if (secctx) {
|
|
size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
|
|
ALIGN(tr->offsets_size, sizeof(void *)) +
|
|
ALIGN(extra_buffers_size, sizeof(void *)) -
|
|
ALIGN(secctx_sz, sizeof(u64));
|
|
|
|
t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer, buf_offset,
|
|
secctx, secctx_sz);
|
|
security_release_secctx(secctx, secctx_sz);
|
|
secctx = NULL;
|
|
}
|
|
t->buffer->debug_id = t->debug_id;
|
|
t->buffer->transaction = t;
|
|
t->buffer->target_node = target_node;
|
|
trace_binder_transaction_alloc_buf(t->buffer);
|
|
|
|
if (binder_alloc_copy_user_to_buffer(
|
|
&target_proc->alloc,
|
|
t->buffer, 0,
|
|
(const void __user *)
|
|
(uintptr_t)tr->data.ptr.buffer,
|
|
tr->data_size)) {
|
|
binder_user_error("%d:%d got transaction with invalid data ptr\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EFAULT;
|
|
return_error_line = __LINE__;
|
|
goto err_copy_data_failed;
|
|
}
|
|
if (binder_alloc_copy_user_to_buffer(
|
|
&target_proc->alloc,
|
|
t->buffer,
|
|
ALIGN(tr->data_size, sizeof(void *)),
|
|
(const void __user *)
|
|
(uintptr_t)tr->data.ptr.offsets,
|
|
tr->offsets_size)) {
|
|
binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EFAULT;
|
|
return_error_line = __LINE__;
|
|
goto err_copy_data_failed;
|
|
}
|
|
if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
|
|
binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
|
|
proc->pid, thread->pid, (u64)tr->offsets_size);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
|
|
binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
|
|
proc->pid, thread->pid,
|
|
(u64)extra_buffers_size);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
off_start_offset = ALIGN(tr->data_size, sizeof(void *));
|
|
buffer_offset = off_start_offset;
|
|
off_end_offset = off_start_offset + tr->offsets_size;
|
|
sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
|
|
sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
|
|
ALIGN(secctx_sz, sizeof(u64));
|
|
off_min = 0;
|
|
for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
|
|
buffer_offset += sizeof(binder_size_t)) {
|
|
struct binder_object_header *hdr;
|
|
size_t object_size;
|
|
struct binder_object object;
|
|
binder_size_t object_offset;
|
|
|
|
binder_alloc_copy_from_buffer(&target_proc->alloc,
|
|
&object_offset,
|
|
t->buffer,
|
|
buffer_offset,
|
|
sizeof(object_offset));
|
|
object_size = binder_get_object(target_proc, t->buffer,
|
|
object_offset, &object);
|
|
if (object_size == 0 || object_offset < off_min) {
|
|
binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
|
|
proc->pid, thread->pid,
|
|
(u64)object_offset,
|
|
(u64)off_min,
|
|
(u64)t->buffer->data_size);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
|
|
hdr = &object.hdr;
|
|
off_min = object_offset + object_size;
|
|
switch (hdr->type) {
|
|
case BINDER_TYPE_BINDER:
|
|
case BINDER_TYPE_WEAK_BINDER: {
|
|
struct flat_binder_object *fp;
|
|
|
|
fp = to_flat_binder_object(hdr);
|
|
ret = binder_translate_binder(fp, t, thread);
|
|
if (ret < 0) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer, object_offset,
|
|
fp, sizeof(*fp));
|
|
} break;
|
|
case BINDER_TYPE_HANDLE:
|
|
case BINDER_TYPE_WEAK_HANDLE: {
|
|
struct flat_binder_object *fp;
|
|
|
|
fp = to_flat_binder_object(hdr);
|
|
ret = binder_translate_handle(fp, t, thread);
|
|
if (ret < 0) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer, object_offset,
|
|
fp, sizeof(*fp));
|
|
} break;
|
|
|
|
case BINDER_TYPE_FD: {
|
|
struct binder_fd_object *fp = to_binder_fd_object(hdr);
|
|
int target_fd = binder_translate_fd(fp->fd, t, thread,
|
|
in_reply_to);
|
|
|
|
if (target_fd < 0) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = target_fd;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
fp->pad_binder = 0;
|
|
fp->fd = target_fd;
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer, object_offset,
|
|
fp, sizeof(*fp));
|
|
} break;
|
|
case BINDER_TYPE_FDA: {
|
|
struct binder_object ptr_object;
|
|
binder_size_t parent_offset;
|
|
struct binder_fd_array_object *fda =
|
|
to_binder_fd_array_object(hdr);
|
|
size_t num_valid = (buffer_offset - off_start_offset) /
|
|
sizeof(binder_size_t);
|
|
struct binder_buffer_object *parent =
|
|
binder_validate_ptr(target_proc, t->buffer,
|
|
&ptr_object, fda->parent,
|
|
off_start_offset,
|
|
&parent_offset,
|
|
num_valid);
|
|
if (!parent) {
|
|
binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_parent;
|
|
}
|
|
if (!binder_validate_fixup(target_proc, t->buffer,
|
|
off_start_offset,
|
|
parent_offset,
|
|
fda->parent_offset,
|
|
last_fixup_obj_off,
|
|
last_fixup_min_off)) {
|
|
binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_parent;
|
|
}
|
|
ret = binder_translate_fd_array(fda, parent, t, thread,
|
|
in_reply_to);
|
|
if (ret < 0) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
last_fixup_obj_off = parent_offset;
|
|
last_fixup_min_off =
|
|
fda->parent_offset + sizeof(u32) * fda->num_fds;
|
|
} break;
|
|
case BINDER_TYPE_PTR: {
|
|
struct binder_buffer_object *bp =
|
|
to_binder_buffer_object(hdr);
|
|
size_t buf_left = sg_buf_end_offset - sg_buf_offset;
|
|
size_t num_valid;
|
|
|
|
if (bp->length > buf_left) {
|
|
binder_user_error("%d:%d got transaction with too large buffer\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
if (binder_alloc_copy_user_to_buffer(
|
|
&target_proc->alloc,
|
|
t->buffer,
|
|
sg_buf_offset,
|
|
(const void __user *)
|
|
(uintptr_t)bp->buffer,
|
|
bp->length)) {
|
|
binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
|
|
proc->pid, thread->pid);
|
|
return_error_param = -EFAULT;
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_line = __LINE__;
|
|
goto err_copy_data_failed;
|
|
}
|
|
/* Fixup buffer pointer to target proc address space */
|
|
bp->buffer = (uintptr_t)
|
|
t->buffer->user_data + sg_buf_offset;
|
|
sg_buf_offset += ALIGN(bp->length, sizeof(u64));
|
|
|
|
num_valid = (buffer_offset - off_start_offset) /
|
|
sizeof(binder_size_t);
|
|
ret = binder_fixup_parent(t, thread, bp,
|
|
off_start_offset,
|
|
num_valid,
|
|
last_fixup_obj_off,
|
|
last_fixup_min_off);
|
|
if (ret < 0) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer, object_offset,
|
|
bp, sizeof(*bp));
|
|
last_fixup_obj_off = object_offset;
|
|
last_fixup_min_off = 0;
|
|
} break;
|
|
default:
|
|
binder_user_error("%d:%d got transaction with invalid object type, %x\n",
|
|
proc->pid, thread->pid, hdr->type);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_object_type;
|
|
}
|
|
}
|
|
tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
|
|
t->work.type = BINDER_WORK_TRANSACTION;
|
|
|
|
if (reply) {
|
|
binder_enqueue_thread_work(thread, tcomplete);
|
|
binder_inner_proc_lock(target_proc);
|
|
if (target_thread->is_dead) {
|
|
binder_inner_proc_unlock(target_proc);
|
|
goto err_dead_proc_or_thread;
|
|
}
|
|
BUG_ON(t->buffer->async_transaction != 0);
|
|
binder_pop_transaction_ilocked(target_thread, in_reply_to);
|
|
binder_enqueue_thread_work_ilocked(target_thread, &t->work);
|
|
binder_inner_proc_unlock(target_proc);
|
|
wake_up_interruptible_sync(&target_thread->wait);
|
|
binder_restore_priority(current, in_reply_to->saved_priority);
|
|
binder_free_transaction(in_reply_to);
|
|
} else if (!(t->flags & TF_ONE_WAY)) {
|
|
BUG_ON(t->buffer->async_transaction != 0);
|
|
binder_inner_proc_lock(proc);
|
|
/*
|
|
* Defer the TRANSACTION_COMPLETE, so we don't return to
|
|
* userspace immediately; this allows the target process to
|
|
* immediately start processing this transaction, reducing
|
|
* latency. We will then return the TRANSACTION_COMPLETE when
|
|
* the target replies (or there is an error).
|
|
*/
|
|
binder_enqueue_deferred_thread_work_ilocked(thread, tcomplete);
|
|
t->need_reply = 1;
|
|
t->from_parent = thread->transaction_stack;
|
|
thread->transaction_stack = t;
|
|
binder_inner_proc_unlock(proc);
|
|
if (!binder_proc_transaction(t, target_proc, target_thread)) {
|
|
binder_inner_proc_lock(proc);
|
|
binder_pop_transaction_ilocked(thread, t);
|
|
binder_inner_proc_unlock(proc);
|
|
goto err_dead_proc_or_thread;
|
|
}
|
|
} else {
|
|
BUG_ON(target_node == NULL);
|
|
BUG_ON(t->buffer->async_transaction != 1);
|
|
binder_enqueue_thread_work(thread, tcomplete);
|
|
if (!binder_proc_transaction(t, target_proc, NULL))
|
|
goto err_dead_proc_or_thread;
|
|
}
|
|
if (target_thread)
|
|
binder_thread_dec_tmpref(target_thread);
|
|
binder_proc_dec_tmpref(target_proc);
|
|
if (target_node)
|
|
binder_dec_node_tmpref(target_node);
|
|
/*
|
|
* write barrier to synchronize with initialization
|
|
* of log entry
|
|
*/
|
|
smp_wmb();
|
|
WRITE_ONCE(e->debug_id_done, t_debug_id);
|
|
return;
|
|
|
|
err_dead_proc_or_thread:
|
|
return_error = BR_DEAD_REPLY;
|
|
return_error_line = __LINE__;
|
|
binder_dequeue_work(proc, tcomplete);
|
|
err_translate_failed:
|
|
err_bad_object_type:
|
|
err_bad_offset:
|
|
err_bad_parent:
|
|
err_copy_data_failed:
|
|
trace_binder_transaction_failed_buffer_release(t->buffer);
|
|
binder_transaction_buffer_release(target_proc, t->buffer,
|
|
buffer_offset, true);
|
|
if (target_node)
|
|
binder_dec_node_tmpref(target_node);
|
|
target_node = NULL;
|
|
t->buffer->transaction = NULL;
|
|
binder_alloc_free_buf(&target_proc->alloc, t->buffer);
|
|
err_binder_alloc_buf_failed:
|
|
err_bad_extra_size:
|
|
if (secctx)
|
|
security_release_secctx(secctx, secctx_sz);
|
|
err_get_secctx_failed:
|
|
kfree(tcomplete);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
|
|
err_alloc_tcomplete_failed:
|
|
kfree(t);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION);
|
|
err_alloc_t_failed:
|
|
err_bad_todo_list:
|
|
err_bad_call_stack:
|
|
err_empty_call_stack:
|
|
err_dead_binder:
|
|
err_invalid_target_handle:
|
|
if (target_thread)
|
|
binder_thread_dec_tmpref(target_thread);
|
|
if (target_proc)
|
|
binder_proc_dec_tmpref(target_proc);
|
|
if (target_node) {
|
|
binder_dec_node(target_node, 1, 0);
|
|
binder_dec_node_tmpref(target_node);
|
|
}
|
|
|
|
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"%d:%d transaction failed %d/%d, size %lld-%lld line %d\n",
|
|
proc->pid, thread->pid, return_error, return_error_param,
|
|
(u64)tr->data_size, (u64)tr->offsets_size,
|
|
return_error_line);
|
|
|
|
{
|
|
struct binder_transaction_log_entry *fe;
|
|
|
|
e->return_error = return_error;
|
|
e->return_error_param = return_error_param;
|
|
e->return_error_line = return_error_line;
|
|
fe = binder_transaction_log_add(&binder_transaction_log_failed);
|
|
*fe = *e;
|
|
/*
|
|
* write barrier to synchronize with initialization
|
|
* of log entry
|
|
*/
|
|
smp_wmb();
|
|
WRITE_ONCE(e->debug_id_done, t_debug_id);
|
|
WRITE_ONCE(fe->debug_id_done, t_debug_id);
|
|
}
|
|
|
|
BUG_ON(thread->return_error.cmd != BR_OK);
|
|
if (in_reply_to) {
|
|
binder_restore_priority(current, in_reply_to->saved_priority);
|
|
thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
|
|
binder_enqueue_thread_work(thread, &thread->return_error.work);
|
|
binder_send_failed_reply(in_reply_to, return_error);
|
|
} else {
|
|
thread->return_error.cmd = return_error;
|
|
binder_enqueue_thread_work(thread, &thread->return_error.work);
|
|
}
|
|
}
|
|
|
|
static int binder_thread_write(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
binder_uintptr_t binder_buffer, size_t size,
|
|
binder_size_t *consumed)
|
|
{
|
|
uint32_t cmd;
|
|
struct binder_context *context = proc->context;
|
|
void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
|
|
void __user *ptr = buffer + *consumed;
|
|
void __user *end = buffer + size;
|
|
|
|
while (ptr < end && thread->return_error.cmd == BR_OK) {
|
|
int ret;
|
|
|
|
if (get_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
trace_binder_command(cmd);
|
|
if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {
|
|
atomic_inc(&binder_stats.bc[_IOC_NR(cmd)]);
|
|
atomic_inc(&proc->stats.bc[_IOC_NR(cmd)]);
|
|
atomic_inc(&thread->stats.bc[_IOC_NR(cmd)]);
|
|
}
|
|
switch (cmd) {
|
|
case BC_INCREFS:
|
|
case BC_ACQUIRE:
|
|
case BC_RELEASE:
|
|
case BC_DECREFS: {
|
|
uint32_t target;
|
|
const char *debug_string;
|
|
bool strong = cmd == BC_ACQUIRE || cmd == BC_RELEASE;
|
|
bool increment = cmd == BC_INCREFS || cmd == BC_ACQUIRE;
|
|
struct binder_ref_data rdata;
|
|
|
|
if (get_user(target, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
|
|
ptr += sizeof(uint32_t);
|
|
ret = -1;
|
|
if (increment && !target) {
|
|
struct binder_node *ctx_mgr_node;
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
ctx_mgr_node = context->binder_context_mgr_node;
|
|
if (ctx_mgr_node)
|
|
ret = binder_inc_ref_for_node(
|
|
proc, ctx_mgr_node,
|
|
strong, NULL, &rdata);
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
}
|
|
if (ret)
|
|
ret = binder_update_ref_for_handle(
|
|
proc, target, increment, strong,
|
|
&rdata);
|
|
if (!ret && rdata.desc != target) {
|
|
binder_user_error("%d:%d tried to acquire reference to desc %d, got %d instead\n",
|
|
proc->pid, thread->pid,
|
|
target, rdata.desc);
|
|
}
|
|
switch (cmd) {
|
|
case BC_INCREFS:
|
|
debug_string = "IncRefs";
|
|
break;
|
|
case BC_ACQUIRE:
|
|
debug_string = "Acquire";
|
|
break;
|
|
case BC_RELEASE:
|
|
debug_string = "Release";
|
|
break;
|
|
case BC_DECREFS:
|
|
default:
|
|
debug_string = "DecRefs";
|
|
break;
|
|
}
|
|
if (ret) {
|
|
binder_user_error("%d:%d %s %d refcount change on invalid ref %d ret %d\n",
|
|
proc->pid, thread->pid, debug_string,
|
|
strong, target, ret);
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_USER_REFS,
|
|
"%d:%d %s ref %d desc %d s %d w %d\n",
|
|
proc->pid, thread->pid, debug_string,
|
|
rdata.debug_id, rdata.desc, rdata.strong,
|
|
rdata.weak);
|
|
break;
|
|
}
|
|
case BC_INCREFS_DONE:
|
|
case BC_ACQUIRE_DONE: {
|
|
binder_uintptr_t node_ptr;
|
|
binder_uintptr_t cookie;
|
|
struct binder_node *node;
|
|
bool free_node;
|
|
|
|
if (get_user(node_ptr, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
node = binder_get_node(proc, node_ptr);
|
|
if (node == NULL) {
|
|
binder_user_error("%d:%d %s u%016llx no match\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ?
|
|
"BC_INCREFS_DONE" :
|
|
"BC_ACQUIRE_DONE",
|
|
(u64)node_ptr);
|
|
break;
|
|
}
|
|
if (cookie != node->cookie) {
|
|
binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ?
|
|
"BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
|
|
(u64)node_ptr, node->debug_id,
|
|
(u64)cookie, (u64)node->cookie);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
binder_node_inner_lock(node);
|
|
if (cmd == BC_ACQUIRE_DONE) {
|
|
if (node->pending_strong_ref == 0) {
|
|
binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire request\n",
|
|
proc->pid, thread->pid,
|
|
node->debug_id);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
node->pending_strong_ref = 0;
|
|
} else {
|
|
if (node->pending_weak_ref == 0) {
|
|
binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs request\n",
|
|
proc->pid, thread->pid,
|
|
node->debug_id);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
node->pending_weak_ref = 0;
|
|
}
|
|
free_node = binder_dec_node_nilocked(node,
|
|
cmd == BC_ACQUIRE_DONE, 0);
|
|
WARN_ON(free_node);
|
|
binder_debug(BINDER_DEBUG_USER_REFS,
|
|
"%d:%d %s node %d ls %d lw %d tr %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
|
|
node->debug_id, node->local_strong_refs,
|
|
node->local_weak_refs, node->tmp_refs);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
case BC_ATTEMPT_ACQUIRE:
|
|
pr_err("BC_ATTEMPT_ACQUIRE not supported\n");
|
|
return -EINVAL;
|
|
case BC_ACQUIRE_RESULT:
|
|
pr_err("BC_ACQUIRE_RESULT not supported\n");
|
|
return -EINVAL;
|
|
|
|
case BC_FREE_BUFFER: {
|
|
binder_uintptr_t data_ptr;
|
|
struct binder_buffer *buffer;
|
|
|
|
if (get_user(data_ptr, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
|
|
buffer = binder_alloc_prepare_to_free(&proc->alloc,
|
|
data_ptr);
|
|
if (IS_ERR_OR_NULL(buffer)) {
|
|
if (PTR_ERR(buffer) == -EPERM) {
|
|
binder_user_error(
|
|
"%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
|
|
proc->pid, thread->pid,
|
|
(u64)data_ptr);
|
|
} else {
|
|
binder_user_error(
|
|
"%d:%d BC_FREE_BUFFER u%016llx no match\n",
|
|
proc->pid, thread->pid,
|
|
(u64)data_ptr);
|
|
}
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_FREE_BUFFER,
|
|
"%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n",
|
|
proc->pid, thread->pid, (u64)data_ptr,
|
|
buffer->debug_id,
|
|
buffer->transaction ? "active" : "finished");
|
|
|
|
binder_inner_proc_lock(proc);
|
|
if (buffer->transaction) {
|
|
buffer->transaction->buffer = NULL;
|
|
buffer->transaction = NULL;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
if (buffer->async_transaction && buffer->target_node) {
|
|
struct binder_node *buf_node;
|
|
struct binder_work *w;
|
|
|
|
buf_node = buffer->target_node;
|
|
binder_node_inner_lock(buf_node);
|
|
BUG_ON(!buf_node->has_async_transaction);
|
|
BUG_ON(buf_node->proc != proc);
|
|
w = binder_dequeue_work_head_ilocked(
|
|
&buf_node->async_todo);
|
|
if (!w) {
|
|
buf_node->has_async_transaction = false;
|
|
} else {
|
|
binder_enqueue_work_ilocked(
|
|
w, &proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
}
|
|
binder_node_inner_unlock(buf_node);
|
|
}
|
|
trace_binder_transaction_buffer_release(buffer);
|
|
binder_transaction_buffer_release(proc, buffer, 0, false);
|
|
binder_alloc_free_buf(&proc->alloc, buffer);
|
|
break;
|
|
}
|
|
|
|
case BC_TRANSACTION_SG:
|
|
case BC_REPLY_SG: {
|
|
struct binder_transaction_data_sg tr;
|
|
|
|
if (copy_from_user(&tr, ptr, sizeof(tr)))
|
|
return -EFAULT;
|
|
ptr += sizeof(tr);
|
|
binder_transaction(proc, thread, &tr.transaction_data,
|
|
cmd == BC_REPLY_SG, tr.buffers_size);
|
|
break;
|
|
}
|
|
case BC_TRANSACTION:
|
|
case BC_REPLY: {
|
|
struct binder_transaction_data tr;
|
|
|
|
if (copy_from_user(&tr, ptr, sizeof(tr)))
|
|
return -EFAULT;
|
|
ptr += sizeof(tr);
|
|
binder_transaction(proc, thread, &tr,
|
|
cmd == BC_REPLY, 0);
|
|
break;
|
|
}
|
|
|
|
case BC_REGISTER_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_REGISTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
binder_inner_proc_lock(proc);
|
|
if (thread->looper & BINDER_LOOPER_STATE_ENTERED) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
} else if (proc->requested_threads == 0) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called without request\n",
|
|
proc->pid, thread->pid);
|
|
} else {
|
|
proc->requested_threads--;
|
|
proc->requested_threads_started++;
|
|
}
|
|
thread->looper |= BINDER_LOOPER_STATE_REGISTERED;
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
case BC_ENTER_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_ENTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
}
|
|
thread->looper |= BINDER_LOOPER_STATE_ENTERED;
|
|
break;
|
|
case BC_EXIT_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_EXIT_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
thread->looper |= BINDER_LOOPER_STATE_EXITED;
|
|
break;
|
|
|
|
case BC_REQUEST_DEATH_NOTIFICATION:
|
|
case BC_CLEAR_DEATH_NOTIFICATION: {
|
|
uint32_t target;
|
|
binder_uintptr_t cookie;
|
|
struct binder_ref *ref;
|
|
struct binder_ref_death *death = NULL;
|
|
|
|
if (get_user(target, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
|
|
/*
|
|
* Allocate memory for death notification
|
|
* before taking lock
|
|
*/
|
|
death = kzalloc(sizeof(*death), GFP_KERNEL);
|
|
if (death == NULL) {
|
|
WARN_ON(thread->return_error.cmd !=
|
|
BR_OK);
|
|
thread->return_error.cmd = BR_ERROR;
|
|
binder_enqueue_thread_work(
|
|
thread,
|
|
&thread->return_error.work);
|
|
binder_debug(
|
|
BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"%d:%d BC_REQUEST_DEATH_NOTIFICATION failed\n",
|
|
proc->pid, thread->pid);
|
|
break;
|
|
}
|
|
}
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, target, false);
|
|
if (ref == NULL) {
|
|
binder_user_error("%d:%d %s invalid ref %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
|
|
"BC_REQUEST_DEATH_NOTIFICATION" :
|
|
"BC_CLEAR_DEATH_NOTIFICATION",
|
|
target);
|
|
binder_proc_unlock(proc);
|
|
kfree(death);
|
|
break;
|
|
}
|
|
|
|
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
|
|
"%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
|
|
"BC_REQUEST_DEATH_NOTIFICATION" :
|
|
"BC_CLEAR_DEATH_NOTIFICATION",
|
|
(u64)cookie, ref->data.debug_id,
|
|
ref->data.desc, ref->data.strong,
|
|
ref->data.weak, ref->node->debug_id);
|
|
|
|
binder_node_lock(ref->node);
|
|
if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
|
|
if (ref->death) {
|
|
binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification already set\n",
|
|
proc->pid, thread->pid);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
kfree(death);
|
|
break;
|
|
}
|
|
binder_stats_created(BINDER_STAT_DEATH);
|
|
INIT_LIST_HEAD(&death->work.entry);
|
|
death->cookie = cookie;
|
|
ref->death = death;
|
|
if (ref->node->proc == NULL) {
|
|
ref->death->work.type = BINDER_WORK_DEAD_BINDER;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
binder_enqueue_work_ilocked(
|
|
&ref->death->work, &proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
} else {
|
|
if (ref->death == NULL) {
|
|
binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not active\n",
|
|
proc->pid, thread->pid);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
break;
|
|
}
|
|
death = ref->death;
|
|
if (death->cookie != cookie) {
|
|
binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n",
|
|
proc->pid, thread->pid,
|
|
(u64)death->cookie,
|
|
(u64)cookie);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
break;
|
|
}
|
|
ref->death = NULL;
|
|
binder_inner_proc_lock(proc);
|
|
if (list_empty(&death->work.entry)) {
|
|
death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
|
|
if (thread->looper &
|
|
(BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED))
|
|
binder_enqueue_thread_work_ilocked(
|
|
thread,
|
|
&death->work);
|
|
else {
|
|
binder_enqueue_work_ilocked(
|
|
&death->work,
|
|
&proc->todo);
|
|
binder_wakeup_proc_ilocked(
|
|
proc);
|
|
}
|
|
} else {
|
|
BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER);
|
|
death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
} break;
|
|
case BC_DEAD_BINDER_DONE: {
|
|
struct binder_work *w;
|
|
binder_uintptr_t cookie;
|
|
struct binder_ref_death *death = NULL;
|
|
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
|
|
ptr += sizeof(cookie);
|
|
binder_inner_proc_lock(proc);
|
|
list_for_each_entry(w, &proc->delivered_death,
|
|
entry) {
|
|
struct binder_ref_death *tmp_death =
|
|
container_of(w,
|
|
struct binder_ref_death,
|
|
work);
|
|
|
|
if (tmp_death->cookie == cookie) {
|
|
death = tmp_death;
|
|
break;
|
|
}
|
|
}
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
|
|
proc->pid, thread->pid, (u64)cookie,
|
|
death);
|
|
if (death == NULL) {
|
|
binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n",
|
|
proc->pid, thread->pid, (u64)cookie);
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
}
|
|
binder_dequeue_work_ilocked(&death->work);
|
|
if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) {
|
|
death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
|
|
if (thread->looper &
|
|
(BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED))
|
|
binder_enqueue_thread_work_ilocked(
|
|
thread, &death->work);
|
|
else {
|
|
binder_enqueue_work_ilocked(
|
|
&death->work,
|
|
&proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
} break;
|
|
|
|
default:
|
|
pr_err("%d:%d unknown command %d\n",
|
|
proc->pid, thread->pid, cmd);
|
|
return -EINVAL;
|
|
}
|
|
*consumed = ptr - buffer;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static void binder_stat_br(struct binder_proc *proc,
|
|
struct binder_thread *thread, uint32_t cmd)
|
|
{
|
|
trace_binder_return(cmd);
|
|
if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) {
|
|
atomic_inc(&binder_stats.br[_IOC_NR(cmd)]);
|
|
atomic_inc(&proc->stats.br[_IOC_NR(cmd)]);
|
|
atomic_inc(&thread->stats.br[_IOC_NR(cmd)]);
|
|
}
|
|
}
|
|
|
|
static int binder_put_node_cmd(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
void __user **ptrp,
|
|
binder_uintptr_t node_ptr,
|
|
binder_uintptr_t node_cookie,
|
|
int node_debug_id,
|
|
uint32_t cmd, const char *cmd_name)
|
|
{
|
|
void __user *ptr = *ptrp;
|
|
|
|
if (put_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
|
|
if (put_user(node_ptr, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
|
|
if (put_user(node_cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
|
|
binder_stat_br(proc, thread, cmd);
|
|
binder_debug(BINDER_DEBUG_USER_REFS, "%d:%d %s %d u%016llx c%016llx\n",
|
|
proc->pid, thread->pid, cmd_name, node_debug_id,
|
|
(u64)node_ptr, (u64)node_cookie);
|
|
|
|
*ptrp = ptr;
|
|
return 0;
|
|
}
|
|
|
|
static int binder_wait_for_work(struct binder_thread *thread,
|
|
bool do_proc_work)
|
|
{
|
|
DEFINE_WAIT(wait);
|
|
struct binder_proc *proc = thread->proc;
|
|
int ret = 0;
|
|
|
|
freezer_do_not_count();
|
|
binder_inner_proc_lock(proc);
|
|
for (;;) {
|
|
prepare_to_wait(&thread->wait, &wait, TASK_INTERRUPTIBLE);
|
|
if (binder_has_work_ilocked(thread, do_proc_work))
|
|
break;
|
|
if (do_proc_work)
|
|
list_add(&thread->waiting_thread_node,
|
|
&proc->waiting_threads);
|
|
binder_inner_proc_unlock(proc);
|
|
schedule();
|
|
binder_inner_proc_lock(proc);
|
|
list_del_init(&thread->waiting_thread_node);
|
|
if (signal_pending(current)) {
|
|
ret = -ERESTARTSYS;
|
|
break;
|
|
}
|
|
}
|
|
finish_wait(&thread->wait, &wait);
|
|
binder_inner_proc_unlock(proc);
|
|
freezer_count();
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int binder_thread_read(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
binder_uintptr_t binder_buffer, size_t size,
|
|
binder_size_t *consumed, int non_block)
|
|
{
|
|
void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
|
|
void __user *ptr = buffer + *consumed;
|
|
void __user *end = buffer + size;
|
|
|
|
int ret = 0;
|
|
int wait_for_proc_work;
|
|
|
|
if (*consumed == 0) {
|
|
if (put_user(BR_NOOP, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
}
|
|
|
|
retry:
|
|
binder_inner_proc_lock(proc);
|
|
wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
thread->looper |= BINDER_LOOPER_STATE_WAITING;
|
|
|
|
trace_binder_wait_for_work(wait_for_proc_work,
|
|
!!thread->transaction_stack,
|
|
!binder_worklist_empty(proc, &thread->todo));
|
|
if (wait_for_proc_work) {
|
|
if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED))) {
|
|
binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
|
|
proc->pid, thread->pid, thread->looper);
|
|
wait_event_interruptible(binder_user_error_wait,
|
|
binder_stop_on_user_error < 2);
|
|
}
|
|
binder_restore_priority(current, proc->default_priority);
|
|
}
|
|
|
|
if (non_block) {
|
|
if (!binder_has_work(thread, wait_for_proc_work))
|
|
ret = -EAGAIN;
|
|
} else {
|
|
ret = binder_wait_for_work(thread, wait_for_proc_work);
|
|
}
|
|
|
|
thread->looper &= ~BINDER_LOOPER_STATE_WAITING;
|
|
|
|
if (ret)
|
|
return ret;
|
|
|
|
while (1) {
|
|
uint32_t cmd;
|
|
struct binder_transaction_data_secctx tr;
|
|
struct binder_transaction_data *trd = &tr.transaction_data;
|
|
struct binder_work *w = NULL;
|
|
struct list_head *list = NULL;
|
|
struct binder_transaction *t = NULL;
|
|
struct binder_thread *t_from;
|
|
size_t trsize = sizeof(*trd);
|
|
|
|
binder_inner_proc_lock(proc);
|
|
if (!binder_worklist_empty_ilocked(&thread->todo))
|
|
list = &thread->todo;
|
|
else if (!binder_worklist_empty_ilocked(&proc->todo) &&
|
|
wait_for_proc_work)
|
|
list = &proc->todo;
|
|
else {
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
/* no data added */
|
|
if (ptr - buffer == 4 && !thread->looper_need_return)
|
|
goto retry;
|
|
break;
|
|
}
|
|
|
|
if (end - ptr < sizeof(tr) + 4) {
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
}
|
|
w = binder_dequeue_work_head_ilocked(list);
|
|
if (binder_worklist_empty_ilocked(&thread->todo))
|
|
thread->process_todo = false;
|
|
|
|
switch (w->type) {
|
|
case BINDER_WORK_TRANSACTION: {
|
|
binder_inner_proc_unlock(proc);
|
|
t = container_of(w, struct binder_transaction, work);
|
|
} break;
|
|
case BINDER_WORK_RETURN_ERROR: {
|
|
struct binder_error *e = container_of(
|
|
w, struct binder_error, work);
|
|
|
|
WARN_ON(e->cmd == BR_OK);
|
|
binder_inner_proc_unlock(proc);
|
|
if (put_user(e->cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
cmd = e->cmd;
|
|
e->cmd = BR_OK;
|
|
ptr += sizeof(uint32_t);
|
|
|
|
binder_stat_br(proc, thread, cmd);
|
|
} break;
|
|
case BINDER_WORK_TRANSACTION_COMPLETE: {
|
|
binder_inner_proc_unlock(proc);
|
|
cmd = BR_TRANSACTION_COMPLETE;
|
|
kfree(w);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
|
|
if (put_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
|
|
binder_stat_br(proc, thread, cmd);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
|
|
"%d:%d BR_TRANSACTION_COMPLETE\n",
|
|
proc->pid, thread->pid);
|
|
} break;
|
|
case BINDER_WORK_NODE: {
|
|
struct binder_node *node = container_of(w, struct binder_node, work);
|
|
int strong, weak;
|
|
binder_uintptr_t node_ptr = node->ptr;
|
|
binder_uintptr_t node_cookie = node->cookie;
|
|
int node_debug_id = node->debug_id;
|
|
int has_weak_ref;
|
|
int has_strong_ref;
|
|
void __user *orig_ptr = ptr;
|
|
|
|
BUG_ON(proc != node->proc);
|
|
strong = node->internal_strong_refs ||
|
|
node->local_strong_refs;
|
|
weak = !hlist_empty(&node->refs) ||
|
|
node->local_weak_refs ||
|
|
node->tmp_refs || strong;
|
|
has_strong_ref = node->has_strong_ref;
|
|
has_weak_ref = node->has_weak_ref;
|
|
|
|
if (weak && !has_weak_ref) {
|
|
node->has_weak_ref = 1;
|
|
node->pending_weak_ref = 1;
|
|
node->local_weak_refs++;
|
|
}
|
|
if (strong && !has_strong_ref) {
|
|
node->has_strong_ref = 1;
|
|
node->pending_strong_ref = 1;
|
|
node->local_strong_refs++;
|
|
}
|
|
if (!strong && has_strong_ref)
|
|
node->has_strong_ref = 0;
|
|
if (!weak && has_weak_ref)
|
|
node->has_weak_ref = 0;
|
|
if (!weak && !strong) {
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d:%d node %d u%016llx c%016llx deleted\n",
|
|
proc->pid, thread->pid,
|
|
node_debug_id,
|
|
(u64)node_ptr,
|
|
(u64)node_cookie);
|
|
rb_erase(&node->rb_node, &proc->nodes);
|
|
binder_inner_proc_unlock(proc);
|
|
binder_node_lock(node);
|
|
/*
|
|
* Acquire the node lock before freeing the
|
|
* node to serialize with other threads that
|
|
* may have been holding the node lock while
|
|
* decrementing this node (avoids race where
|
|
* this thread frees while the other thread
|
|
* is unlocking the node after the final
|
|
* decrement)
|
|
*/
|
|
binder_node_unlock(node);
|
|
binder_free_node(node);
|
|
} else
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
if (weak && !has_weak_ref)
|
|
ret = binder_put_node_cmd(
|
|
proc, thread, &ptr, node_ptr,
|
|
node_cookie, node_debug_id,
|
|
BR_INCREFS, "BR_INCREFS");
|
|
if (!ret && strong && !has_strong_ref)
|
|
ret = binder_put_node_cmd(
|
|
proc, thread, &ptr, node_ptr,
|
|
node_cookie, node_debug_id,
|
|
BR_ACQUIRE, "BR_ACQUIRE");
|
|
if (!ret && !strong && has_strong_ref)
|
|
ret = binder_put_node_cmd(
|
|
proc, thread, &ptr, node_ptr,
|
|
node_cookie, node_debug_id,
|
|
BR_RELEASE, "BR_RELEASE");
|
|
if (!ret && !weak && has_weak_ref)
|
|
ret = binder_put_node_cmd(
|
|
proc, thread, &ptr, node_ptr,
|
|
node_cookie, node_debug_id,
|
|
BR_DECREFS, "BR_DECREFS");
|
|
if (orig_ptr == ptr)
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d:%d node %d u%016llx c%016llx state unchanged\n",
|
|
proc->pid, thread->pid,
|
|
node_debug_id,
|
|
(u64)node_ptr,
|
|
(u64)node_cookie);
|
|
if (ret)
|
|
return ret;
|
|
} break;
|
|
case BINDER_WORK_DEAD_BINDER:
|
|
case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
|
|
case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
|
|
struct binder_ref_death *death;
|
|
uint32_t cmd;
|
|
binder_uintptr_t cookie;
|
|
|
|
death = container_of(w, struct binder_ref_death, work);
|
|
if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION)
|
|
cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE;
|
|
else
|
|
cmd = BR_DEAD_BINDER;
|
|
cookie = death->cookie;
|
|
|
|
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
|
|
"%d:%d %s %016llx\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BR_DEAD_BINDER ?
|
|
"BR_DEAD_BINDER" :
|
|
"BR_CLEAR_DEATH_NOTIFICATION_DONE",
|
|
(u64)cookie);
|
|
if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) {
|
|
binder_inner_proc_unlock(proc);
|
|
kfree(death);
|
|
binder_stats_deleted(BINDER_STAT_DEATH);
|
|
} else {
|
|
binder_enqueue_work_ilocked(
|
|
w, &proc->delivered_death);
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
if (put_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
if (put_user(cookie,
|
|
(binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
binder_stat_br(proc, thread, cmd);
|
|
if (cmd == BR_DEAD_BINDER)
|
|
goto done; /* DEAD_BINDER notifications can cause transactions */
|
|
} break;
|
|
}
|
|
|
|
if (!t)
|
|
continue;
|
|
|
|
BUG_ON(t->buffer == NULL);
|
|
if (t->buffer->target_node) {
|
|
struct binder_node *target_node = t->buffer->target_node;
|
|
struct binder_priority node_prio;
|
|
|
|
trd->target.ptr = target_node->ptr;
|
|
trd->cookie = target_node->cookie;
|
|
node_prio.sched_policy = target_node->sched_policy;
|
|
node_prio.prio = target_node->min_priority;
|
|
binder_transaction_priority(current, t, node_prio,
|
|
target_node->inherit_rt);
|
|
cmd = BR_TRANSACTION;
|
|
} else {
|
|
trd->target.ptr = 0;
|
|
trd->cookie = 0;
|
|
cmd = BR_REPLY;
|
|
}
|
|
trd->code = t->code;
|
|
trd->flags = t->flags;
|
|
trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);
|
|
|
|
t_from = binder_get_txn_from(t);
|
|
if (t_from) {
|
|
struct task_struct *sender = t_from->proc->tsk;
|
|
|
|
trd->sender_pid =
|
|
task_tgid_nr_ns(sender,
|
|
task_active_pid_ns(current));
|
|
} else {
|
|
trd->sender_pid = 0;
|
|
}
|
|
|
|
trd->data_size = t->buffer->data_size;
|
|
trd->offsets_size = t->buffer->offsets_size;
|
|
trd->data.ptr.buffer = (uintptr_t)t->buffer->user_data;
|
|
trd->data.ptr.offsets = trd->data.ptr.buffer +
|
|
ALIGN(t->buffer->data_size,
|
|
sizeof(void *));
|
|
|
|
tr.secctx = t->security_ctx;
|
|
if (t->security_ctx) {
|
|
cmd = BR_TRANSACTION_SEC_CTX;
|
|
trsize = sizeof(tr);
|
|
}
|
|
if (put_user(cmd, (uint32_t __user *)ptr)) {
|
|
if (t_from)
|
|
binder_thread_dec_tmpref(t_from);
|
|
|
|
binder_cleanup_transaction(t, "put_user failed",
|
|
BR_FAILED_REPLY);
|
|
|
|
return -EFAULT;
|
|
}
|
|
ptr += sizeof(uint32_t);
|
|
if (copy_to_user(ptr, &tr, trsize)) {
|
|
if (t_from)
|
|
binder_thread_dec_tmpref(t_from);
|
|
|
|
binder_cleanup_transaction(t, "copy_to_user failed",
|
|
BR_FAILED_REPLY);
|
|
|
|
return -EFAULT;
|
|
}
|
|
ptr += trsize;
|
|
|
|
trace_binder_transaction_received(t);
|
|
binder_stat_br(proc, thread, cmd);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
|
|
proc->pid, thread->pid,
|
|
(cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
|
|
(cmd == BR_TRANSACTION_SEC_CTX) ?
|
|
"BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
|
|
t->debug_id, t_from ? t_from->proc->pid : 0,
|
|
t_from ? t_from->pid : 0, cmd,
|
|
t->buffer->data_size, t->buffer->offsets_size,
|
|
(u64)trd->data.ptr.buffer,
|
|
(u64)trd->data.ptr.offsets);
|
|
|
|
if (t_from)
|
|
binder_thread_dec_tmpref(t_from);
|
|
t->buffer->allow_user_free = 1;
|
|
if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
|
|
binder_inner_proc_lock(thread->proc);
|
|
t->to_parent = thread->transaction_stack;
|
|
t->to_thread = thread;
|
|
thread->transaction_stack = t;
|
|
binder_inner_proc_unlock(thread->proc);
|
|
} else {
|
|
binder_free_transaction(t);
|
|
}
|
|
break;
|
|
}
|
|
|
|
done:
|
|
|
|
*consumed = ptr - buffer;
|
|
binder_inner_proc_lock(proc);
|
|
if (proc->requested_threads == 0 &&
|
|
list_empty(&thread->proc->waiting_threads) &&
|
|
proc->requested_threads_started < proc->max_threads &&
|
|
(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */
|
|
/*spawn a new thread if we leave this out */) {
|
|
proc->requested_threads++;
|
|
binder_inner_proc_unlock(proc);
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BR_SPAWN_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
|
|
return -EFAULT;
|
|
binder_stat_br(proc, thread, BR_SPAWN_LOOPER);
|
|
} else
|
|
binder_inner_proc_unlock(proc);
|
|
return 0;
|
|
}
|
|
|
|
static void binder_release_work(struct binder_proc *proc,
|
|
struct list_head *list)
|
|
{
|
|
struct binder_work *w;
|
|
|
|
while (1) {
|
|
w = binder_dequeue_work_head(proc, list);
|
|
if (!w)
|
|
return;
|
|
|
|
switch (w->type) {
|
|
case BINDER_WORK_TRANSACTION: {
|
|
struct binder_transaction *t;
|
|
|
|
t = container_of(w, struct binder_transaction, work);
|
|
|
|
binder_cleanup_transaction(t, "process died.",
|
|
BR_DEAD_REPLY);
|
|
} break;
|
|
case BINDER_WORK_RETURN_ERROR: {
|
|
struct binder_error *e = container_of(
|
|
w, struct binder_error, work);
|
|
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"undelivered TRANSACTION_ERROR: %u\n",
|
|
e->cmd);
|
|
} break;
|
|
case BINDER_WORK_TRANSACTION_COMPLETE: {
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"undelivered TRANSACTION_COMPLETE\n");
|
|
kfree(w);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
|
|
} break;
|
|
case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
|
|
case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
|
|
struct binder_ref_death *death;
|
|
|
|
death = container_of(w, struct binder_ref_death, work);
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"undelivered death notification, %016llx\n",
|
|
(u64)death->cookie);
|
|
kfree(death);
|
|
binder_stats_deleted(BINDER_STAT_DEATH);
|
|
} break;
|
|
default:
|
|
pr_err("unexpected work type, %d, not freed\n",
|
|
w->type);
|
|
break;
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
static struct binder_thread *binder_get_thread_ilocked(
|
|
struct binder_proc *proc, struct binder_thread *new_thread)
|
|
{
|
|
struct binder_thread *thread = NULL;
|
|
struct rb_node *parent = NULL;
|
|
struct rb_node **p = &proc->threads.rb_node;
|
|
|
|
while (*p) {
|
|
parent = *p;
|
|
thread = rb_entry(parent, struct binder_thread, rb_node);
|
|
|
|
if (current->pid < thread->pid)
|
|
p = &(*p)->rb_left;
|
|
else if (current->pid > thread->pid)
|
|
p = &(*p)->rb_right;
|
|
else
|
|
return thread;
|
|
}
|
|
if (!new_thread)
|
|
return NULL;
|
|
thread = new_thread;
|
|
binder_stats_created(BINDER_STAT_THREAD);
|
|
thread->proc = proc;
|
|
thread->pid = current->pid;
|
|
get_task_struct(current);
|
|
thread->task = current;
|
|
atomic_set(&thread->tmp_ref, 0);
|
|
init_waitqueue_head(&thread->wait);
|
|
INIT_LIST_HEAD(&thread->todo);
|
|
rb_link_node(&thread->rb_node, parent, p);
|
|
rb_insert_color(&thread->rb_node, &proc->threads);
|
|
thread->looper_need_return = true;
|
|
thread->return_error.work.type = BINDER_WORK_RETURN_ERROR;
|
|
thread->return_error.cmd = BR_OK;
|
|
thread->reply_error.work.type = BINDER_WORK_RETURN_ERROR;
|
|
thread->reply_error.cmd = BR_OK;
|
|
INIT_LIST_HEAD(&new_thread->waiting_thread_node);
|
|
return thread;
|
|
}
|
|
|
|
static struct binder_thread *binder_get_thread(struct binder_proc *proc)
|
|
{
|
|
struct binder_thread *thread;
|
|
struct binder_thread *new_thread;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
thread = binder_get_thread_ilocked(proc, NULL);
|
|
binder_inner_proc_unlock(proc);
|
|
if (!thread) {
|
|
new_thread = kzalloc(sizeof(*thread), GFP_KERNEL);
|
|
if (new_thread == NULL)
|
|
return NULL;
|
|
binder_inner_proc_lock(proc);
|
|
thread = binder_get_thread_ilocked(proc, new_thread);
|
|
binder_inner_proc_unlock(proc);
|
|
if (thread != new_thread)
|
|
kfree(new_thread);
|
|
}
|
|
return thread;
|
|
}
|
|
|
|
static void binder_free_proc(struct binder_proc *proc)
|
|
{
|
|
BUG_ON(!list_empty(&proc->todo));
|
|
BUG_ON(!list_empty(&proc->delivered_death));
|
|
binder_alloc_deferred_release(&proc->alloc);
|
|
put_task_struct(proc->tsk);
|
|
binder_stats_deleted(BINDER_STAT_PROC);
|
|
kfree(proc);
|
|
}
|
|
|
|
static void binder_free_thread(struct binder_thread *thread)
|
|
{
|
|
BUG_ON(!list_empty(&thread->todo));
|
|
binder_stats_deleted(BINDER_STAT_THREAD);
|
|
binder_proc_dec_tmpref(thread->proc);
|
|
put_task_struct(thread->task);
|
|
kfree(thread);
|
|
}
|
|
|
|
static int binder_thread_release(struct binder_proc *proc,
|
|
struct binder_thread *thread)
|
|
{
|
|
struct binder_transaction *t;
|
|
struct binder_transaction *send_reply = NULL;
|
|
int active_transactions = 0;
|
|
struct binder_transaction *last_t = NULL;
|
|
|
|
binder_inner_proc_lock(thread->proc);
|
|
/*
|
|
* take a ref on the proc so it survives
|
|
* after we remove this thread from proc->threads.
|
|
* The corresponding dec is when we actually
|
|
* free the thread in binder_free_thread()
|
|
*/
|
|
proc->tmp_ref++;
|
|
/*
|
|
* take a ref on this thread to ensure it
|
|
* survives while we are releasing it
|
|
*/
|
|
atomic_inc(&thread->tmp_ref);
|
|
rb_erase(&thread->rb_node, &proc->threads);
|
|
t = thread->transaction_stack;
|
|
if (t) {
|
|
spin_lock(&t->lock);
|
|
if (t->to_thread == thread)
|
|
send_reply = t;
|
|
}
|
|
thread->is_dead = true;
|
|
|
|
while (t) {
|
|
last_t = t;
|
|
active_transactions++;
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"release %d:%d transaction %d %s, still active\n",
|
|
proc->pid, thread->pid,
|
|
t->debug_id,
|
|
(t->to_thread == thread) ? "in" : "out");
|
|
|
|
if (t->to_thread == thread) {
|
|
t->to_proc = NULL;
|
|
t->to_thread = NULL;
|
|
if (t->buffer) {
|
|
t->buffer->transaction = NULL;
|
|
t->buffer = NULL;
|
|
}
|
|
t = t->to_parent;
|
|
} else if (t->from == thread) {
|
|
t->from = NULL;
|
|
t = t->from_parent;
|
|
} else
|
|
BUG();
|
|
spin_unlock(&last_t->lock);
|
|
if (t)
|
|
spin_lock(&t->lock);
|
|
}
|
|
|
|
/*
|
|
* If this thread used poll, make sure we remove the waitqueue
|
|
* from any epoll data structures holding it with POLLFREE.
|
|
* waitqueue_active() is safe to use here because we're holding
|
|
* the inner lock.
|
|
*/
|
|
if ((thread->looper & BINDER_LOOPER_STATE_POLL) &&
|
|
waitqueue_active(&thread->wait)) {
|
|
wake_up_poll(&thread->wait, EPOLLHUP | POLLFREE);
|
|
}
|
|
|
|
binder_inner_proc_unlock(thread->proc);
|
|
|
|
/*
|
|
* This is needed to avoid races between wake_up_poll() above and
|
|
* and ep_remove_waitqueue() called for other reasons (eg the epoll file
|
|
* descriptor being closed); ep_remove_waitqueue() holds an RCU read
|
|
* lock, so we can be sure it's done after calling synchronize_rcu().
|
|
*/
|
|
if (thread->looper & BINDER_LOOPER_STATE_POLL)
|
|
synchronize_rcu();
|
|
|
|
if (send_reply)
|
|
binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
|
|
binder_release_work(proc, &thread->todo);
|
|
binder_thread_dec_tmpref(thread);
|
|
return active_transactions;
|
|
}
|
|
|
|
static __poll_t binder_poll(struct file *filp,
|
|
struct poll_table_struct *wait)
|
|
{
|
|
struct binder_proc *proc = filp->private_data;
|
|
struct binder_thread *thread = NULL;
|
|
bool wait_for_proc_work;
|
|
|
|
thread = binder_get_thread(proc);
|
|
if (!thread)
|
|
return POLLERR;
|
|
|
|
binder_inner_proc_lock(thread->proc);
|
|
thread->looper |= BINDER_LOOPER_STATE_POLL;
|
|
wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
|
|
|
|
binder_inner_proc_unlock(thread->proc);
|
|
|
|
poll_wait(filp, &thread->wait, wait);
|
|
|
|
if (binder_has_work(thread, wait_for_proc_work))
|
|
return EPOLLIN;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int binder_ioctl_write_read(struct file *filp,
|
|
unsigned int cmd, unsigned long arg,
|
|
struct binder_thread *thread)
|
|
{
|
|
int ret = 0;
|
|
struct binder_proc *proc = filp->private_data;
|
|
unsigned int size = _IOC_SIZE(cmd);
|
|
void __user *ubuf = (void __user *)arg;
|
|
struct binder_write_read bwr;
|
|
|
|
if (size != sizeof(struct binder_write_read)) {
|
|
ret = -EINVAL;
|
|
goto out;
|
|
}
|
|
if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {
|
|
ret = -EFAULT;
|
|
goto out;
|
|
}
|
|
binder_debug(BINDER_DEBUG_READ_WRITE,
|
|
"%d:%d write %lld at %016llx, read %lld at %016llx\n",
|
|
proc->pid, thread->pid,
|
|
(u64)bwr.write_size, (u64)bwr.write_buffer,
|
|
(u64)bwr.read_size, (u64)bwr.read_buffer);
|
|
|
|
if (bwr.write_size > 0) {
|
|
ret = binder_thread_write(proc, thread,
|
|
bwr.write_buffer,
|
|
bwr.write_size,
|
|
&bwr.write_consumed);
|
|
trace_binder_write_done(ret);
|
|
if (ret < 0) {
|
|
bwr.read_consumed = 0;
|
|
if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
|
|
ret = -EFAULT;
|
|
goto out;
|
|
}
|
|
}
|
|
if (bwr.read_size > 0) {
|
|
ret = binder_thread_read(proc, thread, bwr.read_buffer,
|
|
bwr.read_size,
|
|
&bwr.read_consumed,
|
|
filp->f_flags & O_NONBLOCK);
|
|
trace_binder_read_done(ret);
|
|
binder_inner_proc_lock(proc);
|
|
if (!binder_worklist_empty_ilocked(&proc->todo))
|
|
binder_wakeup_proc_ilocked(proc);
|
|
binder_inner_proc_unlock(proc);
|
|
if (ret < 0) {
|
|
if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
|
|
ret = -EFAULT;
|
|
goto out;
|
|
}
|
|
}
|
|
binder_debug(BINDER_DEBUG_READ_WRITE,
|
|
"%d:%d wrote %lld of %lld, read return %lld of %lld\n",
|
|
proc->pid, thread->pid,
|
|
(u64)bwr.write_consumed, (u64)bwr.write_size,
|
|
(u64)bwr.read_consumed, (u64)bwr.read_size);
|
|
if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {
|
|
ret = -EFAULT;
|
|
goto out;
|
|
}
|
|
out:
|
|
return ret;
|
|
}
|
|
|
|
static int binder_ioctl_set_ctx_mgr(struct file *filp,
|
|
struct flat_binder_object *fbo)
|
|
{
|
|
int ret = 0;
|
|
struct binder_proc *proc = filp->private_data;
|
|
struct binder_context *context = proc->context;
|
|
struct binder_node *new_node;
|
|
kuid_t curr_euid = current_euid();
|
|
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
if (context->binder_context_mgr_node) {
|
|
pr_err("BINDER_SET_CONTEXT_MGR already set\n");
|
|
ret = -EBUSY;
|
|
goto out;
|
|
}
|
|
ret = security_binder_set_context_mgr(proc->tsk);
|
|
if (ret < 0)
|
|
goto out;
|
|
if (uid_valid(context->binder_context_mgr_uid)) {
|
|
if (!uid_eq(context->binder_context_mgr_uid, curr_euid)) {
|
|
pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n",
|
|
from_kuid(&init_user_ns, curr_euid),
|
|
from_kuid(&init_user_ns,
|
|
context->binder_context_mgr_uid));
|
|
ret = -EPERM;
|
|
goto out;
|
|
}
|
|
} else {
|
|
context->binder_context_mgr_uid = curr_euid;
|
|
}
|
|
new_node = binder_new_node(proc, fbo);
|
|
if (!new_node) {
|
|
ret = -ENOMEM;
|
|
goto out;
|
|
}
|
|
binder_node_lock(new_node);
|
|
new_node->local_weak_refs++;
|
|
new_node->local_strong_refs++;
|
|
new_node->has_strong_ref = 1;
|
|
new_node->has_weak_ref = 1;
|
|
context->binder_context_mgr_node = new_node;
|
|
binder_node_unlock(new_node);
|
|
binder_put_node(new_node);
|
|
out:
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
return ret;
|
|
}
|
|
|
|
static int binder_ioctl_get_node_info_for_ref(struct binder_proc *proc,
|
|
struct binder_node_info_for_ref *info)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_context *context = proc->context;
|
|
__u32 handle = info->handle;
|
|
|
|
if (info->strong_count || info->weak_count || info->reserved1 ||
|
|
info->reserved2 || info->reserved3) {
|
|
binder_user_error("%d BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.",
|
|
proc->pid);
|
|
return -EINVAL;
|
|
}
|
|
|
|
/* This ioctl may only be used by the context manager */
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
if (!context->binder_context_mgr_node ||
|
|
context->binder_context_mgr_node->proc != proc) {
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
return -EPERM;
|
|
}
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
|
|
node = binder_get_node_from_ref(proc, handle, true, NULL);
|
|
if (!node)
|
|
return -EINVAL;
|
|
|
|
info->strong_count = node->local_strong_refs +
|
|
node->internal_strong_refs;
|
|
info->weak_count = node->local_weak_refs;
|
|
|
|
binder_put_node(node);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int binder_ioctl_get_node_debug_info(struct binder_proc *proc,
|
|
struct binder_node_debug_info *info)
|
|
{
|
|
struct rb_node *n;
|
|
binder_uintptr_t ptr = info->ptr;
|
|
|
|
memset(info, 0, sizeof(*info));
|
|
|
|
binder_inner_proc_lock(proc);
|
|
for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
|
|
struct binder_node *node = rb_entry(n, struct binder_node,
|
|
rb_node);
|
|
if (node->ptr > ptr) {
|
|
info->ptr = node->ptr;
|
|
info->cookie = node->cookie;
|
|
info->has_strong_ref = node->has_strong_ref;
|
|
info->has_weak_ref = node->has_weak_ref;
|
|
break;
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|
{
|
|
int ret;
|
|
struct binder_proc *proc = filp->private_data;
|
|
struct binder_thread *thread;
|
|
unsigned int size = _IOC_SIZE(cmd);
|
|
void __user *ubuf = (void __user *)arg;
|
|
|
|
/*pr_info("binder_ioctl: %d:%d %x %lx\n",
|
|
proc->pid, current->pid, cmd, arg);*/
|
|
|
|
binder_selftest_alloc(&proc->alloc);
|
|
|
|
trace_binder_ioctl(cmd, arg);
|
|
|
|
ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
|
|
if (ret)
|
|
goto err_unlocked;
|
|
|
|
thread = binder_get_thread(proc);
|
|
if (thread == NULL) {
|
|
ret = -ENOMEM;
|
|
goto err;
|
|
}
|
|
|
|
switch (cmd) {
|
|
case BINDER_WRITE_READ:
|
|
ret = binder_ioctl_write_read(filp, cmd, arg, thread);
|
|
if (ret)
|
|
goto err;
|
|
break;
|
|
case BINDER_SET_MAX_THREADS: {
|
|
int max_threads;
|
|
|
|
if (copy_from_user(&max_threads, ubuf,
|
|
sizeof(max_threads))) {
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
binder_inner_proc_lock(proc);
|
|
proc->max_threads = max_threads;
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
}
|
|
case BINDER_SET_CONTEXT_MGR_EXT: {
|
|
struct flat_binder_object fbo;
|
|
|
|
if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
ret = binder_ioctl_set_ctx_mgr(filp, &fbo);
|
|
if (ret)
|
|
goto err;
|
|
break;
|
|
}
|
|
case BINDER_SET_CONTEXT_MGR:
|
|
ret = binder_ioctl_set_ctx_mgr(filp, NULL);
|
|
if (ret)
|
|
goto err;
|
|
break;
|
|
case BINDER_THREAD_EXIT:
|
|
binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n",
|
|
proc->pid, thread->pid);
|
|
binder_thread_release(proc, thread);
|
|
thread = NULL;
|
|
break;
|
|
case BINDER_VERSION: {
|
|
struct binder_version __user *ver = ubuf;
|
|
|
|
if (size != sizeof(struct binder_version)) {
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
if (put_user(BINDER_CURRENT_PROTOCOL_VERSION,
|
|
&ver->protocol_version)) {
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
break;
|
|
}
|
|
case BINDER_GET_NODE_INFO_FOR_REF: {
|
|
struct binder_node_info_for_ref info;
|
|
|
|
if (copy_from_user(&info, ubuf, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
|
|
ret = binder_ioctl_get_node_info_for_ref(proc, &info);
|
|
if (ret < 0)
|
|
goto err;
|
|
|
|
if (copy_to_user(ubuf, &info, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
|
|
break;
|
|
}
|
|
case BINDER_GET_NODE_DEBUG_INFO: {
|
|
struct binder_node_debug_info info;
|
|
|
|
if (copy_from_user(&info, ubuf, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
|
|
ret = binder_ioctl_get_node_debug_info(proc, &info);
|
|
if (ret < 0)
|
|
goto err;
|
|
|
|
if (copy_to_user(ubuf, &info, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
break;
|
|
}
|
|
default:
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
ret = 0;
|
|
err:
|
|
if (thread)
|
|
thread->looper_need_return = false;
|
|
wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
|
|
if (ret && ret != -ERESTARTSYS)
|
|
pr_info("%d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);
|
|
err_unlocked:
|
|
trace_binder_ioctl_done(ret);
|
|
return ret;
|
|
}
|
|
|
|
static void binder_vma_open(struct vm_area_struct *vma)
|
|
{
|
|
struct binder_proc *proc = vma->vm_private_data;
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"%d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
|
|
proc->pid, vma->vm_start, vma->vm_end,
|
|
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
|
|
(unsigned long)pgprot_val(vma->vm_page_prot));
|
|
}
|
|
|
|
static void binder_vma_close(struct vm_area_struct *vma)
|
|
{
|
|
struct binder_proc *proc = vma->vm_private_data;
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"%d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
|
|
proc->pid, vma->vm_start, vma->vm_end,
|
|
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
|
|
(unsigned long)pgprot_val(vma->vm_page_prot));
|
|
binder_alloc_vma_close(&proc->alloc);
|
|
binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
|
|
}
|
|
|
|
static vm_fault_t binder_vm_fault(struct vm_fault *vmf)
|
|
{
|
|
return VM_FAULT_SIGBUS;
|
|
}
|
|
|
|
static const struct vm_operations_struct binder_vm_ops = {
|
|
.open = binder_vma_open,
|
|
.close = binder_vma_close,
|
|
.fault = binder_vm_fault,
|
|
};
|
|
|
|
static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
|
|
{
|
|
int ret;
|
|
struct binder_proc *proc = filp->private_data;
|
|
const char *failure_string;
|
|
|
|
if (proc->tsk != current->group_leader)
|
|
return -EINVAL;
|
|
|
|
if ((vma->vm_end - vma->vm_start) > SZ_4M)
|
|
vma->vm_end = vma->vm_start + SZ_4M;
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
|
|
__func__, proc->pid, vma->vm_start, vma->vm_end,
|
|
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
|
|
(unsigned long)pgprot_val(vma->vm_page_prot));
|
|
|
|
if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) {
|
|
ret = -EPERM;
|
|
failure_string = "bad vm_flags";
|
|
goto err_bad_arg;
|
|
}
|
|
vma->vm_flags |= VM_DONTCOPY | VM_MIXEDMAP;
|
|
vma->vm_flags &= ~VM_MAYWRITE;
|
|
|
|
vma->vm_ops = &binder_vm_ops;
|
|
vma->vm_private_data = proc;
|
|
|
|
ret = binder_alloc_mmap_handler(&proc->alloc, vma);
|
|
if (ret)
|
|
return ret;
|
|
mutex_lock(&proc->files_lock);
|
|
proc->files = get_files_struct(current);
|
|
mutex_unlock(&proc->files_lock);
|
|
return 0;
|
|
|
|
err_bad_arg:
|
|
pr_err("%s: %d %lx-%lx %s failed %d\n", __func__,
|
|
proc->pid, vma->vm_start, vma->vm_end, failure_string, ret);
|
|
return ret;
|
|
}
|
|
|
|
static int binder_open(struct inode *nodp, struct file *filp)
|
|
{
|
|
struct binder_proc *proc;
|
|
struct binder_device *binder_dev;
|
|
struct binderfs_info *info;
|
|
struct dentry *binder_binderfs_dir_entry_proc = NULL;
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d:%d\n", __func__,
|
|
current->group_leader->pid, current->pid);
|
|
|
|
proc = kzalloc(sizeof(*proc), GFP_KERNEL);
|
|
if (proc == NULL)
|
|
return -ENOMEM;
|
|
spin_lock_init(&proc->inner_lock);
|
|
spin_lock_init(&proc->outer_lock);
|
|
get_task_struct(current->group_leader);
|
|
proc->tsk = current->group_leader;
|
|
mutex_init(&proc->files_lock);
|
|
INIT_LIST_HEAD(&proc->todo);
|
|
if (binder_supported_policy(current->policy)) {
|
|
proc->default_priority.sched_policy = current->policy;
|
|
proc->default_priority.prio = current->normal_prio;
|
|
} else {
|
|
proc->default_priority.sched_policy = SCHED_NORMAL;
|
|
proc->default_priority.prio = NICE_TO_PRIO(0);
|
|
}
|
|
|
|
/* binderfs stashes devices in i_private */
|
|
if (is_binderfs_device(nodp)) {
|
|
binder_dev = nodp->i_private;
|
|
info = nodp->i_sb->s_fs_info;
|
|
binder_binderfs_dir_entry_proc = info->proc_log_dir;
|
|
} else {
|
|
binder_dev = container_of(filp->private_data,
|
|
struct binder_device, miscdev);
|
|
}
|
|
refcount_inc(&binder_dev->ref);
|
|
proc->context = &binder_dev->context;
|
|
binder_alloc_init(&proc->alloc);
|
|
|
|
binder_stats_created(BINDER_STAT_PROC);
|
|
proc->pid = current->group_leader->pid;
|
|
INIT_LIST_HEAD(&proc->delivered_death);
|
|
INIT_LIST_HEAD(&proc->waiting_threads);
|
|
filp->private_data = proc;
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_add_head(&proc->proc_node, &binder_procs);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
if (binder_debugfs_dir_entry_proc) {
|
|
char strbuf[11];
|
|
|
|
snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
|
|
/*
|
|
* proc debug entries are shared between contexts, so
|
|
* this will fail if the process tries to open the driver
|
|
* again with a different context. The priting code will
|
|
* anyway print all contexts that a given PID has, so this
|
|
* is not a problem.
|
|
*/
|
|
proc->debugfs_entry = debugfs_create_file(strbuf, 0444,
|
|
binder_debugfs_dir_entry_proc,
|
|
(void *)(unsigned long)proc->pid,
|
|
&proc_fops);
|
|
}
|
|
|
|
if (binder_binderfs_dir_entry_proc) {
|
|
char strbuf[11];
|
|
struct dentry *binderfs_entry;
|
|
|
|
snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
|
|
/*
|
|
* Similar to debugfs, the process specific log file is shared
|
|
* between contexts. If the file has already been created for a
|
|
* process, the following binderfs_create_file() call will
|
|
* fail with error code EEXIST if another context of the same
|
|
* process invoked binder_open(). This is ok since same as
|
|
* debugfs, the log file will contain information on all
|
|
* contexts of a given PID.
|
|
*/
|
|
binderfs_entry = binderfs_create_file(binder_binderfs_dir_entry_proc,
|
|
strbuf, &proc_fops, (void *)(unsigned long)proc->pid);
|
|
if (!IS_ERR(binderfs_entry)) {
|
|
proc->binderfs_entry = binderfs_entry;
|
|
} else {
|
|
int error;
|
|
|
|
error = PTR_ERR(binderfs_entry);
|
|
if (error != -EEXIST) {
|
|
pr_warn("Unable to create file %s in binderfs (error %d)\n",
|
|
strbuf, error);
|
|
}
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int binder_flush(struct file *filp, fl_owner_t id)
|
|
{
|
|
struct binder_proc *proc = filp->private_data;
|
|
|
|
binder_defer_work(proc, BINDER_DEFERRED_FLUSH);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void binder_deferred_flush(struct binder_proc *proc)
|
|
{
|
|
struct rb_node *n;
|
|
int wake_count = 0;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
|
|
struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
|
|
|
|
thread->looper_need_return = true;
|
|
if (thread->looper & BINDER_LOOPER_STATE_WAITING) {
|
|
wake_up_interruptible(&thread->wait);
|
|
wake_count++;
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"binder_flush: %d woke %d threads\n", proc->pid,
|
|
wake_count);
|
|
}
|
|
|
|
static int binder_release(struct inode *nodp, struct file *filp)
|
|
{
|
|
struct binder_proc *proc = filp->private_data;
|
|
|
|
debugfs_remove(proc->debugfs_entry);
|
|
|
|
if (proc->binderfs_entry) {
|
|
binderfs_remove_file(proc->binderfs_entry);
|
|
proc->binderfs_entry = NULL;
|
|
}
|
|
|
|
binder_defer_work(proc, BINDER_DEFERRED_RELEASE);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int binder_node_release(struct binder_node *node, int refs)
|
|
{
|
|
struct binder_ref *ref;
|
|
int death = 0;
|
|
struct binder_proc *proc = node->proc;
|
|
|
|
binder_release_work(proc, &node->async_todo);
|
|
|
|
binder_node_lock(node);
|
|
binder_inner_proc_lock(proc);
|
|
binder_dequeue_work_ilocked(&node->work);
|
|
/*
|
|
* The caller must have taken a temporary ref on the node,
|
|
*/
|
|
BUG_ON(!node->tmp_refs);
|
|
if (hlist_empty(&node->refs) && node->tmp_refs == 1) {
|
|
binder_inner_proc_unlock(proc);
|
|
binder_node_unlock(node);
|
|
binder_free_node(node);
|
|
|
|
return refs;
|
|
}
|
|
|
|
node->proc = NULL;
|
|
node->local_strong_refs = 0;
|
|
node->local_weak_refs = 0;
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
hlist_add_head(&node->dead_node, &binder_dead_nodes);
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
|
|
hlist_for_each_entry(ref, &node->refs, node_entry) {
|
|
refs++;
|
|
/*
|
|
* Need the node lock to synchronize
|
|
* with new notification requests and the
|
|
* inner lock to synchronize with queued
|
|
* death notifications.
|
|
*/
|
|
binder_inner_proc_lock(ref->proc);
|
|
if (!ref->death) {
|
|
binder_inner_proc_unlock(ref->proc);
|
|
continue;
|
|
}
|
|
|
|
death++;
|
|
|
|
BUG_ON(!list_empty(&ref->death->work.entry));
|
|
ref->death->work.type = BINDER_WORK_DEAD_BINDER;
|
|
binder_enqueue_work_ilocked(&ref->death->work,
|
|
&ref->proc->todo);
|
|
binder_wakeup_proc_ilocked(ref->proc);
|
|
binder_inner_proc_unlock(ref->proc);
|
|
}
|
|
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"node %d now dead, refs %d, death %d\n",
|
|
node->debug_id, refs, death);
|
|
binder_node_unlock(node);
|
|
binder_put_node(node);
|
|
|
|
return refs;
|
|
}
|
|
|
|
static void binder_deferred_release(struct binder_proc *proc)
|
|
{
|
|
struct binder_context *context = proc->context;
|
|
struct binder_device *device;
|
|
struct rb_node *n;
|
|
int threads, nodes, incoming_refs, outgoing_refs, active_transactions;
|
|
|
|
BUG_ON(proc->files);
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_del(&proc->proc_node);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
if (context->binder_context_mgr_node &&
|
|
context->binder_context_mgr_node->proc == proc) {
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"%s: %d context_mgr_node gone\n",
|
|
__func__, proc->pid);
|
|
context->binder_context_mgr_node = NULL;
|
|
}
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
device = container_of(proc->context, struct binder_device, context);
|
|
if (refcount_dec_and_test(&device->ref)) {
|
|
kfree(context->name);
|
|
kfree(device);
|
|
}
|
|
proc->context = NULL;
|
|
binder_inner_proc_lock(proc);
|
|
/*
|
|
* Make sure proc stays alive after we
|
|
* remove all the threads
|
|
*/
|
|
proc->tmp_ref++;
|
|
|
|
proc->is_dead = true;
|
|
threads = 0;
|
|
active_transactions = 0;
|
|
while ((n = rb_first(&proc->threads))) {
|
|
struct binder_thread *thread;
|
|
|
|
thread = rb_entry(n, struct binder_thread, rb_node);
|
|
binder_inner_proc_unlock(proc);
|
|
threads++;
|
|
active_transactions += binder_thread_release(proc, thread);
|
|
binder_inner_proc_lock(proc);
|
|
}
|
|
|
|
nodes = 0;
|
|
incoming_refs = 0;
|
|
while ((n = rb_first(&proc->nodes))) {
|
|
struct binder_node *node;
|
|
|
|
node = rb_entry(n, struct binder_node, rb_node);
|
|
nodes++;
|
|
/*
|
|
* take a temporary ref on the node before
|
|
* calling binder_node_release() which will either
|
|
* kfree() the node or call binder_put_node()
|
|
*/
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
rb_erase(&node->rb_node, &proc->nodes);
|
|
binder_inner_proc_unlock(proc);
|
|
incoming_refs = binder_node_release(node, incoming_refs);
|
|
binder_inner_proc_lock(proc);
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
outgoing_refs = 0;
|
|
binder_proc_lock(proc);
|
|
while ((n = rb_first(&proc->refs_by_desc))) {
|
|
struct binder_ref *ref;
|
|
|
|
ref = rb_entry(n, struct binder_ref, rb_node_desc);
|
|
outgoing_refs++;
|
|
binder_cleanup_ref_olocked(ref);
|
|
binder_proc_unlock(proc);
|
|
binder_free_ref(ref);
|
|
binder_proc_lock(proc);
|
|
}
|
|
binder_proc_unlock(proc);
|
|
|
|
binder_release_work(proc, &proc->todo);
|
|
binder_release_work(proc, &proc->delivered_death);
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d\n",
|
|
__func__, proc->pid, threads, nodes, incoming_refs,
|
|
outgoing_refs, active_transactions);
|
|
|
|
binder_proc_dec_tmpref(proc);
|
|
}
|
|
|
|
static void binder_deferred_func(struct work_struct *work)
|
|
{
|
|
struct binder_proc *proc;
|
|
struct files_struct *files;
|
|
|
|
int defer;
|
|
|
|
do {
|
|
mutex_lock(&binder_deferred_lock);
|
|
if (!hlist_empty(&binder_deferred_list)) {
|
|
proc = hlist_entry(binder_deferred_list.first,
|
|
struct binder_proc, deferred_work_node);
|
|
hlist_del_init(&proc->deferred_work_node);
|
|
defer = proc->deferred_work;
|
|
proc->deferred_work = 0;
|
|
} else {
|
|
proc = NULL;
|
|
defer = 0;
|
|
}
|
|
mutex_unlock(&binder_deferred_lock);
|
|
|
|
files = NULL;
|
|
if (defer & BINDER_DEFERRED_PUT_FILES) {
|
|
mutex_lock(&proc->files_lock);
|
|
files = proc->files;
|
|
if (files)
|
|
proc->files = NULL;
|
|
mutex_unlock(&proc->files_lock);
|
|
}
|
|
|
|
if (defer & BINDER_DEFERRED_FLUSH)
|
|
binder_deferred_flush(proc);
|
|
|
|
if (defer & BINDER_DEFERRED_RELEASE)
|
|
binder_deferred_release(proc); /* frees proc */
|
|
|
|
if (files)
|
|
put_files_struct(files);
|
|
} while (proc);
|
|
}
|
|
static DECLARE_WORK(binder_deferred_work, binder_deferred_func);
|
|
|
|
static void
|
|
binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer)
|
|
{
|
|
mutex_lock(&binder_deferred_lock);
|
|
proc->deferred_work |= defer;
|
|
if (hlist_unhashed(&proc->deferred_work_node)) {
|
|
hlist_add_head(&proc->deferred_work_node,
|
|
&binder_deferred_list);
|
|
schedule_work(&binder_deferred_work);
|
|
}
|
|
mutex_unlock(&binder_deferred_lock);
|
|
}
|
|
|
|
static void print_binder_transaction_ilocked(struct seq_file *m,
|
|
struct binder_proc *proc,
|
|
const char *prefix,
|
|
struct binder_transaction *t)
|
|
{
|
|
struct binder_proc *to_proc;
|
|
struct binder_buffer *buffer = t->buffer;
|
|
|
|
spin_lock(&t->lock);
|
|
to_proc = t->to_proc;
|
|
seq_printf(m,
|
|
"%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %d:%d r%d",
|
|
prefix, t->debug_id, t,
|
|
t->from ? t->from->proc->pid : 0,
|
|
t->from ? t->from->pid : 0,
|
|
to_proc ? to_proc->pid : 0,
|
|
t->to_thread ? t->to_thread->pid : 0,
|
|
t->code, t->flags, t->priority.sched_policy,
|
|
t->priority.prio, t->need_reply);
|
|
spin_unlock(&t->lock);
|
|
|
|
if (proc != to_proc) {
|
|
/*
|
|
* Can only safely deref buffer if we are holding the
|
|
* correct proc inner lock for this node
|
|
*/
|
|
seq_puts(m, "\n");
|
|
return;
|
|
}
|
|
|
|
if (buffer == NULL) {
|
|
seq_puts(m, " buffer free\n");
|
|
return;
|
|
}
|
|
if (buffer->target_node)
|
|
seq_printf(m, " node %d", buffer->target_node->debug_id);
|
|
seq_printf(m, " size %zd:%zd data %pK\n",
|
|
buffer->data_size, buffer->offsets_size,
|
|
buffer->user_data);
|
|
}
|
|
|
|
static void print_binder_work_ilocked(struct seq_file *m,
|
|
struct binder_proc *proc,
|
|
const char *prefix,
|
|
const char *transaction_prefix,
|
|
struct binder_work *w)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_transaction *t;
|
|
|
|
switch (w->type) {
|
|
case BINDER_WORK_TRANSACTION:
|
|
t = container_of(w, struct binder_transaction, work);
|
|
print_binder_transaction_ilocked(
|
|
m, proc, transaction_prefix, t);
|
|
break;
|
|
case BINDER_WORK_RETURN_ERROR: {
|
|
struct binder_error *e = container_of(
|
|
w, struct binder_error, work);
|
|
|
|
seq_printf(m, "%stransaction error: %u\n",
|
|
prefix, e->cmd);
|
|
} break;
|
|
case BINDER_WORK_TRANSACTION_COMPLETE:
|
|
seq_printf(m, "%stransaction complete\n", prefix);
|
|
break;
|
|
case BINDER_WORK_NODE:
|
|
node = container_of(w, struct binder_node, work);
|
|
seq_printf(m, "%snode work %d: u%016llx c%016llx\n",
|
|
prefix, node->debug_id,
|
|
(u64)node->ptr, (u64)node->cookie);
|
|
break;
|
|
case BINDER_WORK_DEAD_BINDER:
|
|
seq_printf(m, "%shas dead binder\n", prefix);
|
|
break;
|
|
case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
|
|
seq_printf(m, "%shas cleared dead binder\n", prefix);
|
|
break;
|
|
case BINDER_WORK_CLEAR_DEATH_NOTIFICATION:
|
|
seq_printf(m, "%shas cleared death notification\n", prefix);
|
|
break;
|
|
default:
|
|
seq_printf(m, "%sunknown work: type %d\n", prefix, w->type);
|
|
break;
|
|
}
|
|
}
|
|
|
|
static void print_binder_thread_ilocked(struct seq_file *m,
|
|
struct binder_thread *thread,
|
|
int print_always)
|
|
{
|
|
struct binder_transaction *t;
|
|
struct binder_work *w;
|
|
size_t start_pos = m->count;
|
|
size_t header_pos;
|
|
|
|
seq_printf(m, " thread %d: l %02x need_return %d tr %d\n",
|
|
thread->pid, thread->looper,
|
|
thread->looper_need_return,
|
|
atomic_read(&thread->tmp_ref));
|
|
header_pos = m->count;
|
|
t = thread->transaction_stack;
|
|
while (t) {
|
|
if (t->from == thread) {
|
|
print_binder_transaction_ilocked(m, thread->proc,
|
|
" outgoing transaction", t);
|
|
t = t->from_parent;
|
|
} else if (t->to_thread == thread) {
|
|
print_binder_transaction_ilocked(m, thread->proc,
|
|
" incoming transaction", t);
|
|
t = t->to_parent;
|
|
} else {
|
|
print_binder_transaction_ilocked(m, thread->proc,
|
|
" bad transaction", t);
|
|
t = NULL;
|
|
}
|
|
}
|
|
list_for_each_entry(w, &thread->todo, entry) {
|
|
print_binder_work_ilocked(m, thread->proc, " ",
|
|
" pending transaction", w);
|
|
}
|
|
if (!print_always && m->count == header_pos)
|
|
m->count = start_pos;
|
|
}
|
|
|
|
static void print_binder_node_nilocked(struct seq_file *m,
|
|
struct binder_node *node)
|
|
{
|
|
struct binder_ref *ref;
|
|
struct binder_work *w;
|
|
int count;
|
|
|
|
count = 0;
|
|
hlist_for_each_entry(ref, &node->refs, node_entry)
|
|
count++;
|
|
|
|
seq_printf(m, " node %d: u%016llx c%016llx pri %d:%d hs %d hw %d ls %d lw %d is %d iw %d tr %d",
|
|
node->debug_id, (u64)node->ptr, (u64)node->cookie,
|
|
node->sched_policy, node->min_priority,
|
|
node->has_strong_ref, node->has_weak_ref,
|
|
node->local_strong_refs, node->local_weak_refs,
|
|
node->internal_strong_refs, count, node->tmp_refs);
|
|
if (count) {
|
|
seq_puts(m, " proc");
|
|
hlist_for_each_entry(ref, &node->refs, node_entry)
|
|
seq_printf(m, " %d", ref->proc->pid);
|
|
}
|
|
seq_puts(m, "\n");
|
|
if (node->proc) {
|
|
list_for_each_entry(w, &node->async_todo, entry)
|
|
print_binder_work_ilocked(m, node->proc, " ",
|
|
" pending async transaction", w);
|
|
}
|
|
}
|
|
|
|
static void print_binder_ref_olocked(struct seq_file *m,
|
|
struct binder_ref *ref)
|
|
{
|
|
binder_node_lock(ref->node);
|
|
seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %pK\n",
|
|
ref->data.debug_id, ref->data.desc,
|
|
ref->node->proc ? "" : "dead ",
|
|
ref->node->debug_id, ref->data.strong,
|
|
ref->data.weak, ref->death);
|
|
binder_node_unlock(ref->node);
|
|
}
|
|
|
|
static void print_binder_proc(struct seq_file *m,
|
|
struct binder_proc *proc, int print_all)
|
|
{
|
|
struct binder_work *w;
|
|
struct rb_node *n;
|
|
size_t start_pos = m->count;
|
|
size_t header_pos;
|
|
struct binder_node *last_node = NULL;
|
|
|
|
seq_printf(m, "proc %d\n", proc->pid);
|
|
seq_printf(m, "context %s\n", proc->context->name);
|
|
header_pos = m->count;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
|
|
print_binder_thread_ilocked(m, rb_entry(n, struct binder_thread,
|
|
rb_node), print_all);
|
|
|
|
for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
|
|
struct binder_node *node = rb_entry(n, struct binder_node,
|
|
rb_node);
|
|
if (!print_all && !node->has_async_transaction)
|
|
continue;
|
|
|
|
/*
|
|
* take a temporary reference on the node so it
|
|
* survives and isn't removed from the tree
|
|
* while we print it.
|
|
*/
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
/* Need to drop inner lock to take node lock */
|
|
binder_inner_proc_unlock(proc);
|
|
if (last_node)
|
|
binder_put_node(last_node);
|
|
binder_node_inner_lock(node);
|
|
print_binder_node_nilocked(m, node);
|
|
binder_node_inner_unlock(node);
|
|
last_node = node;
|
|
binder_inner_proc_lock(proc);
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
if (last_node)
|
|
binder_put_node(last_node);
|
|
|
|
if (print_all) {
|
|
binder_proc_lock(proc);
|
|
for (n = rb_first(&proc->refs_by_desc);
|
|
n != NULL;
|
|
n = rb_next(n))
|
|
print_binder_ref_olocked(m, rb_entry(n,
|
|
struct binder_ref,
|
|
rb_node_desc));
|
|
binder_proc_unlock(proc);
|
|
}
|
|
binder_alloc_print_allocated(m, &proc->alloc);
|
|
binder_inner_proc_lock(proc);
|
|
list_for_each_entry(w, &proc->todo, entry)
|
|
print_binder_work_ilocked(m, proc, " ",
|
|
" pending transaction", w);
|
|
list_for_each_entry(w, &proc->delivered_death, entry) {
|
|
seq_puts(m, " has delivered dead binder\n");
|
|
break;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
if (!print_all && m->count == header_pos)
|
|
m->count = start_pos;
|
|
}
|
|
|
|
static const char * const binder_return_strings[] = {
|
|
"BR_ERROR",
|
|
"BR_OK",
|
|
"BR_TRANSACTION",
|
|
"BR_REPLY",
|
|
"BR_ACQUIRE_RESULT",
|
|
"BR_DEAD_REPLY",
|
|
"BR_TRANSACTION_COMPLETE",
|
|
"BR_INCREFS",
|
|
"BR_ACQUIRE",
|
|
"BR_RELEASE",
|
|
"BR_DECREFS",
|
|
"BR_ATTEMPT_ACQUIRE",
|
|
"BR_NOOP",
|
|
"BR_SPAWN_LOOPER",
|
|
"BR_FINISHED",
|
|
"BR_DEAD_BINDER",
|
|
"BR_CLEAR_DEATH_NOTIFICATION_DONE",
|
|
"BR_FAILED_REPLY"
|
|
};
|
|
|
|
static const char * const binder_command_strings[] = {
|
|
"BC_TRANSACTION",
|
|
"BC_REPLY",
|
|
"BC_ACQUIRE_RESULT",
|
|
"BC_FREE_BUFFER",
|
|
"BC_INCREFS",
|
|
"BC_ACQUIRE",
|
|
"BC_RELEASE",
|
|
"BC_DECREFS",
|
|
"BC_INCREFS_DONE",
|
|
"BC_ACQUIRE_DONE",
|
|
"BC_ATTEMPT_ACQUIRE",
|
|
"BC_REGISTER_LOOPER",
|
|
"BC_ENTER_LOOPER",
|
|
"BC_EXIT_LOOPER",
|
|
"BC_REQUEST_DEATH_NOTIFICATION",
|
|
"BC_CLEAR_DEATH_NOTIFICATION",
|
|
"BC_DEAD_BINDER_DONE",
|
|
"BC_TRANSACTION_SG",
|
|
"BC_REPLY_SG",
|
|
};
|
|
|
|
static const char * const binder_objstat_strings[] = {
|
|
"proc",
|
|
"thread",
|
|
"node",
|
|
"ref",
|
|
"death",
|
|
"transaction",
|
|
"transaction_complete"
|
|
};
|
|
|
|
static void print_binder_stats(struct seq_file *m, const char *prefix,
|
|
struct binder_stats *stats)
|
|
{
|
|
int i;
|
|
|
|
BUILD_BUG_ON(ARRAY_SIZE(stats->bc) !=
|
|
ARRAY_SIZE(binder_command_strings));
|
|
for (i = 0; i < ARRAY_SIZE(stats->bc); i++) {
|
|
int temp = atomic_read(&stats->bc[i]);
|
|
|
|
if (temp)
|
|
seq_printf(m, "%s%s: %d\n", prefix,
|
|
binder_command_strings[i], temp);
|
|
}
|
|
|
|
BUILD_BUG_ON(ARRAY_SIZE(stats->br) !=
|
|
ARRAY_SIZE(binder_return_strings));
|
|
for (i = 0; i < ARRAY_SIZE(stats->br); i++) {
|
|
int temp = atomic_read(&stats->br[i]);
|
|
|
|
if (temp)
|
|
seq_printf(m, "%s%s: %d\n", prefix,
|
|
binder_return_strings[i], temp);
|
|
}
|
|
|
|
BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
|
|
ARRAY_SIZE(binder_objstat_strings));
|
|
BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
|
|
ARRAY_SIZE(stats->obj_deleted));
|
|
for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) {
|
|
int created = atomic_read(&stats->obj_created[i]);
|
|
int deleted = atomic_read(&stats->obj_deleted[i]);
|
|
|
|
if (created || deleted)
|
|
seq_printf(m, "%s%s: active %d total %d\n",
|
|
prefix,
|
|
binder_objstat_strings[i],
|
|
created - deleted,
|
|
created);
|
|
}
|
|
}
|
|
|
|
static void print_binder_proc_stats(struct seq_file *m,
|
|
struct binder_proc *proc)
|
|
{
|
|
struct binder_work *w;
|
|
struct binder_thread *thread;
|
|
struct rb_node *n;
|
|
int count, strong, weak, ready_threads;
|
|
size_t free_async_space =
|
|
binder_alloc_get_free_async_space(&proc->alloc);
|
|
|
|
seq_printf(m, "proc %d\n", proc->pid);
|
|
seq_printf(m, "context %s\n", proc->context->name);
|
|
count = 0;
|
|
ready_threads = 0;
|
|
binder_inner_proc_lock(proc);
|
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
|
|
count++;
|
|
|
|
list_for_each_entry(thread, &proc->waiting_threads, waiting_thread_node)
|
|
ready_threads++;
|
|
|
|
seq_printf(m, " threads: %d\n", count);
|
|
seq_printf(m, " requested threads: %d+%d/%d\n"
|
|
" ready threads %d\n"
|
|
" free async space %zd\n", proc->requested_threads,
|
|
proc->requested_threads_started, proc->max_threads,
|
|
ready_threads,
|
|
free_async_space);
|
|
count = 0;
|
|
for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n))
|
|
count++;
|
|
binder_inner_proc_unlock(proc);
|
|
seq_printf(m, " nodes: %d\n", count);
|
|
count = 0;
|
|
strong = 0;
|
|
weak = 0;
|
|
binder_proc_lock(proc);
|
|
for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
|
|
struct binder_ref *ref = rb_entry(n, struct binder_ref,
|
|
rb_node_desc);
|
|
count++;
|
|
strong += ref->data.strong;
|
|
weak += ref->data.weak;
|
|
}
|
|
binder_proc_unlock(proc);
|
|
seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak);
|
|
|
|
count = binder_alloc_get_allocated_count(&proc->alloc);
|
|
seq_printf(m, " buffers: %d\n", count);
|
|
|
|
binder_alloc_print_pages(m, &proc->alloc);
|
|
|
|
count = 0;
|
|
binder_inner_proc_lock(proc);
|
|
list_for_each_entry(w, &proc->todo, entry) {
|
|
if (w->type == BINDER_WORK_TRANSACTION)
|
|
count++;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
seq_printf(m, " pending transactions: %d\n", count);
|
|
|
|
print_binder_stats(m, " ", &proc->stats);
|
|
}
|
|
|
|
|
|
int binder_state_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_proc *proc;
|
|
struct binder_node *node;
|
|
struct binder_node *last_node = NULL;
|
|
|
|
seq_puts(m, "binder state:\n");
|
|
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
if (!hlist_empty(&binder_dead_nodes))
|
|
seq_puts(m, "dead nodes:\n");
|
|
hlist_for_each_entry(node, &binder_dead_nodes, dead_node) {
|
|
/*
|
|
* take a temporary reference on the node so it
|
|
* survives and isn't removed from the list
|
|
* while we print it.
|
|
*/
|
|
node->tmp_refs++;
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
if (last_node)
|
|
binder_put_node(last_node);
|
|
binder_node_lock(node);
|
|
print_binder_node_nilocked(m, node);
|
|
binder_node_unlock(node);
|
|
last_node = node;
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
}
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
if (last_node)
|
|
binder_put_node(last_node);
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(proc, &binder_procs, proc_node)
|
|
print_binder_proc(m, proc, 1);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int binder_stats_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_proc *proc;
|
|
|
|
seq_puts(m, "binder stats:\n");
|
|
|
|
print_binder_stats(m, "", &binder_stats);
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(proc, &binder_procs, proc_node)
|
|
print_binder_proc_stats(m, proc);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int binder_transactions_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_proc *proc;
|
|
|
|
seq_puts(m, "binder transactions:\n");
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(proc, &binder_procs, proc_node)
|
|
print_binder_proc(m, proc, 0);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int proc_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_proc *itr;
|
|
int pid = (unsigned long)m->private;
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(itr, &binder_procs, proc_node) {
|
|
if (itr->pid == pid) {
|
|
seq_puts(m, "binder proc state:\n");
|
|
print_binder_proc(m, itr, 1);
|
|
}
|
|
}
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void print_binder_transaction_log_entry(struct seq_file *m,
|
|
struct binder_transaction_log_entry *e)
|
|
{
|
|
int debug_id = READ_ONCE(e->debug_id_done);
|
|
/*
|
|
* read barrier to guarantee debug_id_done read before
|
|
* we print the log values
|
|
*/
|
|
smp_rmb();
|
|
seq_printf(m,
|
|
"%d: %s from %d:%d to %d:%d context %s node %d handle %d size %d:%d ret %d/%d l=%d",
|
|
e->debug_id, (e->call_type == 2) ? "reply" :
|
|
((e->call_type == 1) ? "async" : "call "), e->from_proc,
|
|
e->from_thread, e->to_proc, e->to_thread, e->context_name,
|
|
e->to_node, e->target_handle, e->data_size, e->offsets_size,
|
|
e->return_error, e->return_error_param,
|
|
e->return_error_line);
|
|
/*
|
|
* read-barrier to guarantee read of debug_id_done after
|
|
* done printing the fields of the entry
|
|
*/
|
|
smp_rmb();
|
|
seq_printf(m, debug_id && debug_id == READ_ONCE(e->debug_id_done) ?
|
|
"\n" : " (incomplete)\n");
|
|
}
|
|
|
|
int binder_transaction_log_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_transaction_log *log = m->private;
|
|
unsigned int log_cur = atomic_read(&log->cur);
|
|
unsigned int count;
|
|
unsigned int cur;
|
|
int i;
|
|
|
|
count = log_cur + 1;
|
|
cur = count < ARRAY_SIZE(log->entry) && !log->full ?
|
|
0 : count % ARRAY_SIZE(log->entry);
|
|
if (count > ARRAY_SIZE(log->entry) || log->full)
|
|
count = ARRAY_SIZE(log->entry);
|
|
for (i = 0; i < count; i++) {
|
|
unsigned int index = cur++ % ARRAY_SIZE(log->entry);
|
|
|
|
print_binder_transaction_log_entry(m, &log->entry[index]);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
const struct file_operations binder_fops = {
|
|
.owner = THIS_MODULE,
|
|
.poll = binder_poll,
|
|
.unlocked_ioctl = binder_ioctl,
|
|
.compat_ioctl = binder_ioctl,
|
|
.mmap = binder_mmap,
|
|
.open = binder_open,
|
|
.flush = binder_flush,
|
|
.release = binder_release,
|
|
};
|
|
|
|
static int __init init_binder_device(const char *name)
|
|
{
|
|
int ret;
|
|
struct binder_device *binder_device;
|
|
|
|
binder_device = kzalloc(sizeof(*binder_device), GFP_KERNEL);
|
|
if (!binder_device)
|
|
return -ENOMEM;
|
|
|
|
binder_device->miscdev.fops = &binder_fops;
|
|
binder_device->miscdev.minor = MISC_DYNAMIC_MINOR;
|
|
binder_device->miscdev.name = name;
|
|
|
|
refcount_set(&binder_device->ref, 1);
|
|
binder_device->context.binder_context_mgr_uid = INVALID_UID;
|
|
binder_device->context.name = name;
|
|
mutex_init(&binder_device->context.context_mgr_node_lock);
|
|
|
|
ret = misc_register(&binder_device->miscdev);
|
|
if (ret < 0) {
|
|
kfree(binder_device);
|
|
return ret;
|
|
}
|
|
|
|
hlist_add_head(&binder_device->hlist, &binder_devices);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int __init binder_init(void)
|
|
{
|
|
int ret;
|
|
char *device_name, *device_tmp;
|
|
struct binder_device *device;
|
|
struct hlist_node *tmp;
|
|
char *device_names = NULL;
|
|
|
|
ret = binder_alloc_shrinker_init();
|
|
if (ret)
|
|
return ret;
|
|
|
|
atomic_set(&binder_transaction_log.cur, ~0U);
|
|
atomic_set(&binder_transaction_log_failed.cur, ~0U);
|
|
|
|
binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL);
|
|
if (binder_debugfs_dir_entry_root)
|
|
binder_debugfs_dir_entry_proc = debugfs_create_dir("proc",
|
|
binder_debugfs_dir_entry_root);
|
|
|
|
if (binder_debugfs_dir_entry_root) {
|
|
debugfs_create_file("state",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
NULL,
|
|
&binder_state_fops);
|
|
debugfs_create_file("stats",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
NULL,
|
|
&binder_stats_fops);
|
|
debugfs_create_file("transactions",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
NULL,
|
|
&binder_transactions_fops);
|
|
debugfs_create_file("transaction_log",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
&binder_transaction_log,
|
|
&binder_transaction_log_fops);
|
|
debugfs_create_file("failed_transaction_log",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
&binder_transaction_log_failed,
|
|
&binder_transaction_log_fops);
|
|
}
|
|
|
|
if (!IS_ENABLED(CONFIG_ANDROID_BINDERFS) &&
|
|
strcmp(binder_devices_param, "") != 0) {
|
|
/*
|
|
* Copy the module_parameter string, because we don't want to
|
|
* tokenize it in-place.
|
|
*/
|
|
device_names = kstrdup(binder_devices_param, GFP_KERNEL);
|
|
if (!device_names) {
|
|
ret = -ENOMEM;
|
|
goto err_alloc_device_names_failed;
|
|
}
|
|
|
|
device_tmp = device_names;
|
|
while ((device_name = strsep(&device_tmp, ","))) {
|
|
ret = init_binder_device(device_name);
|
|
if (ret)
|
|
goto err_init_binder_device_failed;
|
|
}
|
|
}
|
|
|
|
ret = init_binderfs();
|
|
if (ret)
|
|
goto err_init_binder_device_failed;
|
|
|
|
return ret;
|
|
|
|
err_init_binder_device_failed:
|
|
hlist_for_each_entry_safe(device, tmp, &binder_devices, hlist) {
|
|
misc_deregister(&device->miscdev);
|
|
hlist_del(&device->hlist);
|
|
kfree(device);
|
|
}
|
|
|
|
kfree(device_names);
|
|
|
|
err_alloc_device_names_failed:
|
|
debugfs_remove_recursive(binder_debugfs_dir_entry_root);
|
|
|
|
return ret;
|
|
}
|
|
|
|
device_initcall(binder_init);
|
|
|
|
#define CREATE_TRACE_POINTS
|
|
#include "binder_trace.h"
|
|
|
|
MODULE_LICENSE("GPL v2");
|