From 1d8cbcf5d66b1f23f776a2c10ef9574a338cd109 Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:12:53 -0700 Subject: Staging: binder: Remove VM_EXEC check. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Many platforms do not support mappings without VM_EXEC. Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'drivers/staging/android/binder.c') diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 79e90fed27d3..b62cd2aae874 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -54,11 +54,7 @@ static int binder_read_proc_proc( #define SZ_4M 0x400000 #endif -#ifndef __i386__ -#define FORBIDDEN_MMAP_FLAGS (VM_WRITE | VM_EXEC) -#else #define FORBIDDEN_MMAP_FLAGS (VM_WRITE) -#endif #define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) -- cgit v1.2.3-59-g8ed1b From 85e0b0cbbfc17e7f7baa9e76f9a937249108fc52 Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:12:54 -0700 Subject: Staging: binder: Don't create two proc entries with the same name if the driver is opened twice in one process. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/staging/android/binder.c') diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index b62cd2aae874..39871da7ef91 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -2776,6 +2776,7 @@ static int binder_open(struct inode *nodp, struct file *filp) if (binder_proc_dir_entry_proc) { char strbuf[11]; snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); + remove_proc_entry(strbuf, binder_proc_dir_entry_proc); create_proc_read_entry(strbuf, S_IRUGO, binder_proc_dir_entry_proc, binder_read_proc_proc, proc); } -- cgit v1.2.3-59-g8ed1b From 4ddfc911e39a01f95ad9765d3b9e6f43e14eeff4 Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:12:55 -0700 Subject: Staging: binder: mmap fixes. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Only allow a binder file pointer to be mmapped once. The buffer management code cannot deal with more then one area. Also remove leftover mutex_unlock if mmap fails. Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'drivers/staging/android/binder.c') diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 39871da7ef91..761f5d6a9cf2 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -2694,6 +2694,12 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) } vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; + if (proc->buffer) { + ret = -EBUSY; + failure_string = "already mapped"; + goto err_already_mapped; + } + area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); if (area == NULL) { ret = -ENOMEM; @@ -2741,10 +2747,12 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) err_alloc_small_buf_failed: kfree(proc->pages); + proc->pages = NULL; err_alloc_pages_failed: vfree(proc->buffer); + proc->buffer = NULL; err_get_vm_area_failed: - mutex_unlock(&binder_lock); +err_already_mapped: err_bad_arg: printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); return ret; -- cgit v1.2.3-59-g8ed1b From ea5c4cc68e2b5f4ec41d666376d3606d4d5c3426 Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:12:56 -0700 Subject: Staging: binder: Add more offset validation. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Check that datasize is not smaller than one flat_binder_object. Check that offsets are aligned. Check that offsets_size is aligned. Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'drivers/staging/android/binder.c') diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 761f5d6a9cf2..64f95ee8a704 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -1430,10 +1430,19 @@ binder_transaction(struct binder_proc *proc, struct binder_thread *thread, return_error = BR_FAILED_REPLY; goto err_copy_data_failed; } + if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { + binder_user_error("binder: %d:%d got transaction with " + "invalid offsets size, %zd\n", + proc->pid, thread->pid, tr->offsets_size); + return_error = BR_FAILED_REPLY; + goto err_bad_offset; + } off_end = (void *)offp + tr->offsets_size; for (; offp < off_end; offp++) { struct flat_binder_object *fp; - if (*offp > t->buffer->data_size - sizeof(*fp)) { + if (*offp > t->buffer->data_size - sizeof(*fp) || + t->buffer->data_size < sizeof(*fp) || + !IS_ALIGNED(*offp, sizeof(void *))) { binder_user_error("binder: %d:%d got transaction with " "invalid offset, %zd\n", proc->pid, thread->pid, *offp); @@ -1651,7 +1660,9 @@ binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer off_end = (void *)offp + buffer->offsets_size; for (; offp < off_end; offp++) { struct flat_binder_object *fp; - if (*offp > buffer->data_size - sizeof(*fp)) { + if (*offp > buffer->data_size - sizeof(*fp) || + buffer->data_size < sizeof(*fp) || + !IS_ALIGNED(*offp, sizeof(void *))) { printk(KERN_ERR "binder: transaction release %d bad" "offset %zd, size %zd\n", debug_id, *offp, buffer->data_size); continue; -- cgit v1.2.3-59-g8ed1b From 282ca175d4c440ec4d74bc622ee497e5b3530ce5 Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:12:57 -0700 Subject: Staging: binder: Keep a reference to the files_struct while the driver is mmapped MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This prevents breaking fget_light if a single threaded application allows incoming file descriptors (in replies or on nodes). Should also prevent inserting a file in the wrong files_struct if the receving process execs in the middle of a transaction (between task_get_unused_fd_flags and task_fd_install). Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 79 ++++++++++++++++++++++++++++++++-------- 1 file changed, 63 insertions(+), 16 deletions(-) (limited to 'drivers/staging/android/binder.c') diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 64f95ee8a704..09962e87c600 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -41,6 +41,8 @@ static int binder_last_id; static struct proc_dir_entry *binder_proc_dir_entry_root; static struct proc_dir_entry *binder_proc_dir_entry_proc; static struct hlist_head binder_dead_nodes; +static HLIST_HEAD(binder_release_files_list); +static DEFINE_MUTEX(binder_release_files_lock); static int binder_read_proc_proc( char *page, char **start, off_t off, int count, int *eof, void *data); @@ -241,6 +243,8 @@ struct binder_proc { int pid; struct vm_area_struct *vma; struct task_struct *tsk; + struct files_struct *files; + struct hlist_node release_files_node; void *buffer; size_t user_buffer_offset; @@ -309,9 +313,9 @@ struct binder_transaction { /* * copied from get_unused_fd_flags */ -int task_get_unused_fd_flags(struct task_struct *tsk, int flags) +int task_get_unused_fd_flags(struct binder_proc *proc, int flags) { - struct files_struct *files = get_files_struct(tsk); + struct files_struct *files = proc->files; int fd, error; struct fdtable *fdt; unsigned long rlim_cur; @@ -333,9 +337,9 @@ repeat: * will limit the total number of files that can be opened. */ rlim_cur = 0; - if (lock_task_sighand(tsk, &irqs)) { - rlim_cur = tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; - unlock_task_sighand(tsk, &irqs); + if (lock_task_sighand(proc->tsk, &irqs)) { + rlim_cur = proc->tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; + unlock_task_sighand(proc->tsk, &irqs); } if (fd >= rlim_cur) goto out; @@ -371,7 +375,6 @@ repeat: out: spin_unlock(&files->file_lock); - put_files_struct(files); return error; } @@ -379,9 +382,9 @@ out: * copied from fd_install */ static void task_fd_install( - struct task_struct *tsk, unsigned int fd, struct file *file) + struct binder_proc *proc, unsigned int fd, struct file *file) { - struct files_struct *files = get_files_struct(tsk); + struct files_struct *files = proc->files; struct fdtable *fdt; if (files == NULL) @@ -392,7 +395,6 @@ static void task_fd_install( BUG_ON(fdt->fd[fd] != NULL); rcu_assign_pointer(fdt->fd[fd], file); spin_unlock(&files->file_lock); - put_files_struct(files); } /* @@ -409,10 +411,10 @@ static void __put_unused_fd(struct files_struct *files, unsigned int fd) /* * copied from sys_close */ -static long task_close_fd(struct task_struct *tsk, unsigned int fd) +static long task_close_fd(struct binder_proc *proc, unsigned int fd) { struct file *filp; - struct files_struct *files = get_files_struct(tsk); + struct files_struct *files = proc->files; struct fdtable *fdt; int retval; @@ -439,12 +441,10 @@ static long task_close_fd(struct task_struct *tsk, unsigned int fd) retval == -ERESTART_RESTARTBLOCK)) retval = -EINTR; - put_files_struct(files); return retval; out_unlock: spin_unlock(&files->file_lock); - put_files_struct(files); return -EBADF; } @@ -1549,13 +1549,13 @@ binder_transaction(struct binder_proc *proc, struct binder_thread *thread, return_error = BR_FAILED_REPLY; goto err_fget_failed; } - target_fd = task_get_unused_fd_flags(target_proc->tsk, O_CLOEXEC); + target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); if (target_fd < 0) { fput(file); return_error = BR_FAILED_REPLY; goto err_get_unused_fd_failed; } - task_fd_install(target_proc->tsk, target_fd, file); + task_fd_install(target_proc, target_fd, file); if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) printk(KERN_INFO " fd %ld -> %d\n", fp->handle, target_fd); /* TODO: fput? */ @@ -1698,7 +1698,7 @@ binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) printk(KERN_INFO " fd %ld\n", fp->handle); if (failed_at) - task_close_fd(proc->tsk, fp->handle); + task_close_fd(proc, fp->handle); break; default: @@ -2663,6 +2663,34 @@ static void binder_vma_open(struct vm_area_struct *vma) (unsigned long)pgprot_val(vma->vm_page_prot)); dump_stack(); } + +static void binder_release_files(struct work_struct *work) +{ + struct binder_proc *proc; + struct files_struct *files; + do { + mutex_lock(&binder_lock); + mutex_lock(&binder_release_files_lock); + if (!hlist_empty(&binder_release_files_list)) { + proc = hlist_entry(binder_release_files_list.first, + struct binder_proc, release_files_node); + hlist_del_init(&proc->release_files_node); + files = proc->files; + if (files) + proc->files = NULL; + } else { + proc = NULL; + files = NULL; + } + mutex_unlock(&binder_release_files_lock); + mutex_unlock(&binder_lock); + if (files) + put_files_struct(files); + } while (proc); +} + +static DECLARE_WORK(binder_release_files_work, binder_release_files); + static void binder_vma_close(struct vm_area_struct *vma) { struct binder_proc *proc = vma->vm_private_data; @@ -2673,6 +2701,13 @@ static void binder_vma_close(struct vm_area_struct *vma) (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, (unsigned long)pgprot_val(vma->vm_page_prot)); proc->vma = NULL; + mutex_lock(&binder_release_files_lock); + if (proc->files) { + hlist_add_head(&proc->release_files_node, + &binder_release_files_list); + schedule_work(&binder_release_files_work); + } + mutex_unlock(&binder_release_files_lock); } static struct vm_operations_struct binder_vm_ops = { @@ -2751,6 +2786,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) binder_insert_free_buffer(proc, buffer); proc->free_async_space = proc->buffer_size / 2; barrier(); + proc->files = get_files_struct(current); proc->vma = vma; /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ @@ -2831,6 +2867,7 @@ static int binder_release(struct inode *nodp, struct file *filp) struct hlist_node *pos; struct binder_transaction *t; struct rb_node *n; + struct files_struct *files; struct binder_proc *proc = filp->private_data; int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; @@ -2840,6 +2877,14 @@ static int binder_release(struct inode *nodp, struct file *filp) remove_proc_entry(strbuf, binder_proc_dir_entry_proc); } mutex_lock(&binder_lock); + mutex_lock(&binder_release_files_lock); + if (!hlist_unhashed(&proc->release_files_node)) + hlist_del(&proc->release_files_node); + files = proc->files; + if (files) + proc->files = NULL; + mutex_unlock(&binder_release_files_lock); + hlist_del(&proc->proc_node); if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) @@ -2937,6 +2982,8 @@ static int binder_release(struct inode *nodp, struct file *filp) proc->pid, threads, nodes, incoming_refs, outgoing_refs, active_transactions, buffers, page_count); kfree(proc); + if (files) + put_files_struct(files); return 0; } -- cgit v1.2.3-59-g8ed1b From 7af7467efa64affc6505375ceac97d68cfb58e94 Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:12:58 -0700 Subject: Staging: binder: Cast to uintptr_t instead of size_t when aligning pointers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'drivers/staging/android/binder.c') diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 09962e87c600..91a96292e6bb 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -246,7 +246,7 @@ struct binder_proc { struct files_struct *files; struct hlist_node release_files_node; void *buffer; - size_t user_buffer_offset; + ptrdiff_t user_buffer_offset; struct list_head buffers; struct rb_root free_buffers; @@ -614,7 +614,8 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, proc->pid, page_addr); goto err_map_kernel_failed; } - user_page_addr = (size_t)page_addr + proc->user_buffer_offset; + user_page_addr = + (uintptr_t)page_addr + proc->user_buffer_offset; ret = vm_insert_page(vma, user_page_addr, page[0]); if (ret) { printk(KERN_ERR "binder: %d: binder_alloc_buf failed " @@ -635,7 +636,7 @@ free_range: page_addr -= PAGE_SIZE) { page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; if (vma) - zap_page_range(vma, (size_t)page_addr + + zap_page_range(vma, (uintptr_t)page_addr + proc->user_buffer_offset, PAGE_SIZE, NULL); err_vm_insert_page_failed: unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); @@ -716,18 +717,19 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, "er %p size %zd\n", proc->pid, size, buffer, buffer_size); has_page_addr = - (void *)(((size_t)buffer->data + buffer_size) & PAGE_MASK); + (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); if (n == NULL) { if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) buffer_size = size; /* no room for other buffers */ else buffer_size = size + sizeof(struct binder_buffer); } - end_page_addr = (void *)PAGE_ALIGN((size_t)buffer->data + buffer_size); + end_page_addr = + (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); if (end_page_addr > has_page_addr) end_page_addr = has_page_addr; if (binder_update_page_range(proc, 1, - (void *)PAGE_ALIGN((size_t)buffer->data), end_page_addr, NULL)) + (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) return NULL; rb_erase(best_fit, &proc->free_buffers); @@ -758,12 +760,12 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, static void *buffer_start_page(struct binder_buffer *buffer) { - return (void *)((size_t)buffer & PAGE_MASK); + return (void *)((uintptr_t)buffer & PAGE_MASK); } static void *buffer_end_page(struct binder_buffer *buffer) { - return (void *)(((size_t)(buffer + 1) - 1) & PAGE_MASK); + return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); } static void binder_delete_free_buffer( @@ -841,8 +843,8 @@ static void binder_free_buf( } binder_update_page_range(proc, 0, - (void *)PAGE_ALIGN((size_t)buffer->data), - (void *)(((size_t)buffer->data + buffer_size) & PAGE_MASK), + (void *)PAGE_ALIGN((uintptr_t)buffer->data), + (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), NULL); rb_erase(&buffer->rb_node, &proc->allocated_buffers); buffer->free = 1; @@ -2347,7 +2349,7 @@ retry: tr.data_size = t->buffer->data_size; tr.offsets_size = t->buffer->offsets_size; - tr.data.ptr.buffer = (void *)((void *)t->buffer->data + proc->user_buffer_offset); + tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset; tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *)); if (put_user(cmd, (uint32_t __user *)ptr)) @@ -2753,7 +2755,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) goto err_get_vm_area_failed; } proc->buffer = area->addr; - proc->user_buffer_offset = vma->vm_start - (size_t)proc->buffer; + proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; #ifdef CONFIG_CPU_CACHE_VIPT if (cache_is_vipt_aliasing()) { -- cgit v1.2.3-59-g8ed1b From 0cf24a7dc9123ddf63c413b6d4b38017b19db713 Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:12:59 -0700 Subject: Staging: binder: Prevent the wrong thread from adding a transaction to the stack. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a thread is part of a transaction stack, it is only allowed to make another call if it was the target of the top transaction on the stack. Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'drivers/staging/android/binder.c') diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 91a96292e6bb..b0127a3290d0 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -1343,6 +1343,17 @@ binder_transaction(struct binder_proc *proc, struct binder_thread *thread, if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { struct binder_transaction *tmp; tmp = thread->transaction_stack; + if (tmp->to_thread != thread) { + binder_user_error("binder: %d:%d got new " + "transaction with bad transaction stack" + ", transaction %d has target %d:%d\n", + proc->pid, thread->pid, tmp->debug_id, + tmp->to_proc ? tmp->to_proc->pid : 0, + tmp->to_thread ? + tmp->to_thread->pid : 0); + return_error = BR_FAILED_REPLY; + goto err_bad_call_stack; + } while (tmp) { if (tmp->from && tmp->from->proc == target_proc) target_thread = tmp->from; -- cgit v1.2.3-59-g8ed1b From 861a0dcc397f3e94024cc311086799393ec517df Mon Sep 17 00:00:00 2001 From: Arve Hjønnevåg Date: Mon, 6 Apr 2009 15:13:00 -0700 Subject: Staging: binder: Defer flush and release operations to avoid deadlocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a transaction that contains a file descriptor fails on a later object, the new file descriptor needs to be closed. If this is a binder file descriptor we would deadlock in flush. If there were no other references to the file at this point release would also be called. Signed-off-by: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/binder.c | 149 +++++++++++++++++++++++---------------- 1 file changed, 88 insertions(+), 61 deletions(-) (limited to 'drivers/staging/android/binder.c') diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index b0127a3290d0..299d29d1dadb 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -41,8 +41,8 @@ static int binder_last_id; static struct proc_dir_entry *binder_proc_dir_entry_root; static struct proc_dir_entry *binder_proc_dir_entry_proc; static struct hlist_head binder_dead_nodes; -static HLIST_HEAD(binder_release_files_list); -static DEFINE_MUTEX(binder_release_files_lock); +static HLIST_HEAD(binder_deferred_list); +static DEFINE_MUTEX(binder_deferred_lock); static int binder_read_proc_proc( char *page, char **start, off_t off, int count, int *eof, void *data); @@ -234,6 +234,12 @@ struct binder_buffer { uint8_t data[0]; }; +enum { + BINDER_DEFERRED_PUT_FILES = 0x01, + BINDER_DEFERRED_FLUSH = 0x02, + BINDER_DEFERRED_RELEASE = 0x04, +}; + struct binder_proc { struct hlist_node proc_node; struct rb_root threads; @@ -244,7 +250,8 @@ struct binder_proc { struct vm_area_struct *vma; struct task_struct *tsk; struct files_struct *files; - struct hlist_node release_files_node; + struct hlist_node deferred_work_node; + int deferred_work; void *buffer; ptrdiff_t user_buffer_offset; @@ -310,6 +317,8 @@ struct binder_transaction { uid_t sender_euid; }; +static void binder_defer_work(struct binder_proc *proc, int defer); + /* * copied from get_unused_fd_flags */ @@ -2677,33 +2686,6 @@ static void binder_vma_open(struct vm_area_struct *vma) dump_stack(); } -static void binder_release_files(struct work_struct *work) -{ - struct binder_proc *proc; - struct files_struct *files; - do { - mutex_lock(&binder_lock); - mutex_lock(&binder_release_files_lock); - if (!hlist_empty(&binder_release_files_list)) { - proc = hlist_entry(binder_release_files_list.first, - struct binder_proc, release_files_node); - hlist_del_init(&proc->release_files_node); - files = proc->files; - if (files) - proc->files = NULL; - } else { - proc = NULL; - files = NULL; - } - mutex_unlock(&binder_release_files_lock); - mutex_unlock(&binder_lock); - if (files) - put_files_struct(files); - } while (proc); -} - -static DECLARE_WORK(binder_release_files_work, binder_release_files); - static void binder_vma_close(struct vm_area_struct *vma) { struct binder_proc *proc = vma->vm_private_data; @@ -2714,13 +2696,7 @@ static void binder_vma_close(struct vm_area_struct *vma) (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, (unsigned long)pgprot_val(vma->vm_page_prot)); proc->vma = NULL; - mutex_lock(&binder_release_files_lock); - if (proc->files) { - hlist_add_head(&proc->release_files_node, - &binder_release_files_list); - schedule_work(&binder_release_files_work); - } - mutex_unlock(&binder_release_files_lock); + binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); } static struct vm_operations_struct binder_vm_ops = { @@ -2853,11 +2829,17 @@ static int binder_open(struct inode *nodp, struct file *filp) static int binder_flush(struct file *filp, fl_owner_t id) { - struct rb_node *n; struct binder_proc *proc = filp->private_data; - int wake_count = 0; - mutex_lock(&binder_lock); + binder_defer_work(proc, BINDER_DEFERRED_FLUSH); + + return 0; +} + +static void binder_deferred_flush(struct binder_proc *proc) +{ + struct rb_node *n; + int wake_count = 0; for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; @@ -2867,36 +2849,34 @@ static int binder_flush(struct file *filp, fl_owner_t id) } } wake_up_interruptible_all(&proc->wait); - mutex_unlock(&binder_lock); if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) printk(KERN_INFO "binder_flush: %d woke %d threads\n", proc->pid, wake_count); - - return 0; } static int binder_release(struct inode *nodp, struct file *filp) { - struct hlist_node *pos; - struct binder_transaction *t; - struct rb_node *n; - struct files_struct *files; struct binder_proc *proc = filp->private_data; - int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; - if (binder_proc_dir_entry_proc) { char strbuf[11]; snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); remove_proc_entry(strbuf, binder_proc_dir_entry_proc); } - mutex_lock(&binder_lock); - mutex_lock(&binder_release_files_lock); - if (!hlist_unhashed(&proc->release_files_node)) - hlist_del(&proc->release_files_node); - files = proc->files; - if (files) - proc->files = NULL; - mutex_unlock(&binder_release_files_lock); + + binder_defer_work(proc, BINDER_DEFERRED_RELEASE); + + return 0; +} + +static void binder_deferred_release(struct binder_proc *proc) +{ + struct hlist_node *pos; + struct binder_transaction *t; + struct rb_node *n; + int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; + + BUG_ON(proc->vma); + BUG_ON(proc->files); hlist_del(&proc->proc_node); if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { @@ -2971,7 +2951,6 @@ static int binder_release(struct inode *nodp, struct file *filp) } binder_stats.obj_deleted[BINDER_STAT_PROC]++; - mutex_unlock(&binder_lock); page_count = 0; if (proc->pages) { @@ -2995,9 +2974,57 @@ static int binder_release(struct inode *nodp, struct file *filp) proc->pid, threads, nodes, incoming_refs, outgoing_refs, active_transactions, buffers, page_count); kfree(proc); - if (files) - put_files_struct(files); - return 0; +} + +static void binder_deferred_func(struct work_struct *work) +{ + struct binder_proc *proc; + struct files_struct *files; + + int defer; + do { + mutex_lock(&binder_lock); + mutex_lock(&binder_deferred_lock); + if (!hlist_empty(&binder_deferred_list)) { + proc = hlist_entry(binder_deferred_list.first, + struct binder_proc, deferred_work_node); + hlist_del_init(&proc->deferred_work_node); + defer = proc->deferred_work; + proc->deferred_work = 0; + } else { + proc = NULL; + defer = 0; + } + mutex_unlock(&binder_deferred_lock); + + files = NULL; + if (defer & BINDER_DEFERRED_PUT_FILES) + if ((files = proc->files)) + proc->files = NULL; + + if (defer & BINDER_DEFERRED_FLUSH) + binder_deferred_flush(proc); + + if (defer & BINDER_DEFERRED_RELEASE) + binder_deferred_release(proc); /* frees proc */ + + mutex_unlock(&binder_lock); + if (files) + put_files_struct(files); + } while (proc); +} +static DECLARE_WORK(binder_deferred_work, binder_deferred_func); + +static void binder_defer_work(struct binder_proc *proc, int defer) +{ + mutex_lock(&binder_deferred_lock); + proc->deferred_work |= defer; + if (hlist_unhashed(&proc->deferred_work_node)) { + hlist_add_head(&proc->deferred_work_node, + &binder_deferred_list); + schedule_work(&binder_deferred_work); + } + mutex_unlock(&binder_deferred_lock); } static char *print_binder_transaction(char *buf, char *end, const char *prefix, struct binder_transaction *t) -- cgit v1.2.3-59-g8ed1b