mirror of
https://github.com/torvalds/linux.git
synced 2026-06-10 15:42:19 +02:00
1419b69403
This is the merge of the upstream LTS release of 5.10.101 into the android12-5.10 branch. This merge contains the following new commits:c194212a03Merge 5.10.101 into android12-5.10-lts3969aba589Linux 5.10.101cb86e511e7iommu: Fix potential use-after-free during probef6b5d51976perf: Fix list corruption in perf_cgroup_switch()ce3ca12c63arm64: dts: imx8mq: fix lcdif port node759aeacdfescsi: lpfc: Reduce log messages seen after firmware download57c5d7d420scsi: lpfc: Remove NVMe support if kernel has NVME_FC disabled199dab00f0can: isotp: fix error path in isotp_sendmsg() to unlock wait queue3b10ebeb95Makefile.extrawarn: Move -Wunaligned-access to W=1ad53060bdfhwmon: (dell-smm) Speed up setting of fan speed3c75d1017cphy: ti: Fix missing sentinel for clk_div_table6eabe53492speakup-dectlk: Restore pitch setting3836a5ff4bUSB: serial: cp210x: add CPI Bulk Coin Recycler id51b03a9bcdUSB: serial: cp210x: add NCR Retail IO box ida21e6b2e08USB: serial: ch341: add support for GW Instek USB2.0-Serial devices7113440a36USB: serial: option: add ZTE MF286D modemb7ed2f9619USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320e07dde31acusb: raw-gadget: fix handling of dual-direction-capable endpointse9f9b877ebusb: gadget: f_uac2: Define specific wTerminalTypefb4ff0f96dusb: gadget: rndis: check size of RNDIS_MSG_SET command22ec100472USB: gadget: validate interface OS descriptor requests351159167cusb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE transition3bfca38914usb: dwc3: gadget: Prevent core from processing stale TRBs2a17bd9f52usb: ulpi: Call of_node_put correctly8b89a69166usb: ulpi: Move of_node_put to ulpi_dev_release758290defenet: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixupa66a2b17b8Revert "usb: dwc2: drd: fix soft connect when gadget is unconfigured"73961057e9usb: dwc2: drd: fix soft connect when gadget is unconfigureda37960df7eeeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX1b99fe34e2n_tty: wake up poll(POLLRDNORM) on receiving dataf1b2573715vt_ioctl: add array_index_nospec to VT_ACTIVATE778302ca09vt_ioctl: fix array_index_nospec in vt_setactivate22249886dcnet: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister3a3c65c487net: mscc: ocelot: fix mutex lock error during ethtool stats read809f030745ice: fix IPIP and SIT TSO offloadcf11949b91ice: fix an error code in ice_cfg_phy_fec()f8edc6feabdpaa2-eth: unregister the netdev before disconnecting from the PHYff6c9e0fcenet: amd-xgbe: disable interrupts during pci removal657aea7828tipc: rate limit warning for received illegal binding updateef5cdae8bcnet: mdio: aspeed: Add missing MODULE_DEVICE_TABLEbf99c14436veth: fix races around rq->rx_notify_masked00e6d6c3bcnet: fix a memleak when uncloning an skb dst and its metadata2e9fd2d0f6net: do not keep the dst cache when uncloning an skb dst and its metadata0bae953d7anfp: flower: fix ida_idx not being released09ac0fcb0aipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure pathe177d2e85enet: dsa: lantiq_gswip: don't use devres for mdiobus95e5402f94net: dsa: felix: don't use devres for mdiobus2770b79529net: dsa: bcm_sf2: don't use devres for mdiobus475ce5dcf2net: dsa: ar9331: register the mdiobus under devres8ccebe77dfnet: dsa: mv88e6xxx: don't use devres for mdiobus4a384c1e40bonding: pair enable_port with slave_arr_updates1ba45dd326gpio: sifive: use the correct register to read output values48e413087dACPI: PM: s2idle: Cancel wakeup before dispatching EC GPE3b72d3f020drm/panel: simple: Assign data from panel_dpi_probe() correctlybf35639192ixgbevf: Require large buffers for build_skb on 82599VFe5a64f548aarm64: dts: meson-g12b-odroid-n2: fix typo 'dio2133'04fe6569a7netfilter: ctnetlink: disable helper autoassigna5ce7ee5fcmisc: fastrpc: avoid double fput() on failed usercopy21c890ca8edrm/vc4: hdmi: Allow DBLCLK modes even if horz timing is odd.70ea005626gpio: aggregator: Fix calling into sleeping GPIO controllers0042178a69usb: f_fs: Fix use-after-free for epfile5a37fd9fdcARM: dts: imx7ulp: Fix 'assigned-clocks-parents' typo39bf132a6ephy: xilinx: zynqmp: Fix bus width setting for SGMII108868dae2ARM: dts: imx6qdl-udoo: Properly describe the SD card detect0a7b5e8d8cstaging: fbtft: Fix error path in fbtft_driver_module_init()74cd5cb219ARM: dts: meson8b: Fix the UART device-tree schema validation566b558e94ARM: dts: meson8: Fix the UART device-tree schema validation210d70f081ARM: dts: meson: Fix the UART compatible strings88f0e61354ARM: dts: Fix timer regression for beagleboard revision cc943a297ecdrm/rockchip: vop: Correct RK3399 VOP register fieldsa941384fbaPM: s2idle: ACPI: Fix wakeup interrupts handlingfcbac51a64ACPI/IORT: Check node revision for PMCG resources57ede0ce65nvme-tcp: fix bogus request completion when failing to send AER3a669d77e5ARM: socfpga: fix missing RESET_CONTROLLER435e62d566ARM: dts: Fix boot regression on Skomerb217b89e60ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group3f9843f2f6riscv: fix build with binutils 2.383aa5c86572KVM: VMX: Set vmcs.PENDING_DBG.BS on #DB in STI/MOVSS blocking shadowbd39fe29bbKVM: SVM: Don't kill SEV guest if SMAP erratum triggers in usermode9efad4cb03KVM: nVMX: Also filter MSR_IA32_VMX_TRUE_PINBASED_CTLS when eVMCSdb58a3d978KVM: nVMX: eVMCS: Filter out VM_EXIT_SAVE_VMX_PREEMPTION_TIMERdc129275a7KVM: eventfd: Fix false positive RCU usage warning87bbd78a2cnet: stmmac: dwmac-sun8i: use return val of readl_poll_timeout()c9b8cc1046nvme-pci: add the IGNORE_DEV_SUBNQN quirk for Intel P4500/P4600 SSDsd0774cf730perf: Always wake the parent eventa117e986e9usb: dwc2: gadget: don't try to disable ep0 in dwc2_hsotg_suspend4607218fdePM: hibernate: Remove register_nosave_region_late()0e42c4a3d7scsi: myrs: Fix crash in error case3bc5b128b9scsi: ufs: Treat link loss as fatal error12cf120803scsi: pm8001: Fix bogus FW crash for maxcpus=187f187e526scsi: qedf: Fix refcount issue when LOGO is received during TMFaa7352aa15scsi: qedf: Add stag_work to all the vports150d448c66scsi: ufs: ufshcd-pltfrm: Check the return value of devm_kstrdup()7dbda616fcscsi: target: iscsi: Make sure the np under each tpg is unique67baac10ddpowerpc/fixmap: Fix VM debug warning on unmap3d0eafd459net: sched: Clarify error message when qdisc kind is unknown9b569faabddrm: panel-orientation-quirks: Add quirk for the 1Netbook OneXPlayer0d6b9d15ecx86/perf: Avoid warning for Arch LBR without XSAVEb37dd03f2fNFSv4 handle port presence in fs_location server string6f2974b52bNFSv4 expose nfs_parse_server_name function5a9c613a29NFSv4 remove zero number of fs_locations entries error check1c79aad118NFSv4.1: Fix uninitialised variable in devicenotifyc5619c510fnfs: nfs4clinet: check the return value of kstrdup()db053bdeceNFSv4 only print the label when its queriede2b4435fd3NFS: change nfs_access_get_cached to only report the maskb4e0c9bcf1tracing: Propagate is_signed to expression5234de6c79drm/amdgpu: Set a suitable dev_info.gart_page_size6215fb4558NFSD: Fix offset type in I/O trace points3a6a2d43e3NFSD: Clamp WRITE offsetsc72f7c2ec3NFS: Fix initialisation of nfs_client cl_flags fieldf47ee3a35fnet: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs6a33aa7113net: phy: marvell: Fix RGMII Tx/Rx delays setting in 88e1121-compatible PHYs7b53d2204ccan: isotp: fix potential CAN frame reception race in isotp_rcv()c9cc027c55mmc: sdhci-of-esdhc: Check for error num after setting mask8027ba480cima: Do not print policy rule with inactive LSM labels8171c8a99fima: Allow template selection with ima_template[_fmt]= after ima_hash=0795b7100dima: Remove ima_policy file before directory7fea2e5200integrity: check the return value of audit_log_start()86e6176a42Merge 5.10.100 into android12-5.10-ltsd4f7d322a4Linux 5.10.1003c7e594355tipc: improve size validations for received domain records2951d21689crypto: api - Move cryptomgr soft dependency into algapib62267b8b0KVM: s390: Return error on SIDA memop on normal guestbe93028d30moxart: fix potential use-after-free on remove pathca562bf79cMerge branch 'android12-5.10' into `android12-5.10-lts`c3b53fcd90Merge 5.10.99 into android12-5.10-ltsfb063a6465Linux 5.10.994889d6ee9eselftests: nft_concat_range: add test for reload with no element add/del5577273135cgroup/cpuset: Fix "suspicious RCU usage" lockdep warningf1f7d1a22fnet: dsa: mt7530: make NET_DSA_MT7530 select MEDIATEK_GE_PHY84b76a509cext4: fix incorrect type issue during replay_del_range62e46e0ffcext4: fix error handling in ext4_fc_record_modified_inode()764793b4a5ext4: fix error handling in ext4_restore_inline_data()6c5bd55e36ext4: modify the logic of ext4_mb_new_blocks_simple8d71fc23fcext4: prevent used blocks from being allocated during fast commit replayef2053afd7EDAC/xgene: Fix deferred probing2a12faf55bEDAC/altera: Fix deferred probingdd274cf852x86/perf: Default set FREEZE_ON_SMI for all456f041e03perf/x86/intel/pt: Fix crash with stop filters in single-range mode8c0e6a8a63perf stat: Fix display of grouped aliased events57e8859accfbcon: Add option to enable legacy hardware acceleration460f6b1a23Revert "fbcon: Disable accelerated scrolling"460aa9d873rtc: cmos: Evaluate century appropriate2324f5fcdftools/resolve_btfids: Do not print any commands when building silently1536fafa23selftests: futex: Use variable MAKE instead of make8f0fff8b59selftests/exec: Remove pipe from TEST_GEN_FILES6304a613a9bpf: Use VM_MAP instead of VM_ALLOC for ringbuff744a06404gve: fix the wrong AdminQ buffer queue index check51e88e8922nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client.ec4334152dscsi: bnx2fc: Make bnx2fc_recv_frame() mp safefd482f2d63pinctrl: bcm2835: Fix a few error paths752d9eafc6pinctrl: intel: fix unexpected interrupt14bc9978b4pinctrl: intel: Fix a glitch when updating IRQ flags on a preconfigured line5a45448ac9ASoC: max9759: fix underflow in speaker_gain_control_put()02f4597198ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_namecb5f1fbd1fASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes56e0747d59ASoC: fsl: Add missing error handling in pcm030_fabric_probe3e69837551drm/i915/overlay: Prevent divide by zero bugs in scaling9ea0185361net: stmmac: ensure PTP time register reads are consistent41df2da2c1net: stmmac: dump gmac4 DMA registers correctly114bf93504net: macsec: Verify that send_sci is on when setting Tx sci explicitly2e7f5b6ee1net: macsec: Fix offload support for NETDEV_UNREGISTER event87b1c9fab6net: ieee802154: Return meaningful error codes from the netlink helpers78b3f20c17net: ieee802154: ca8210: Stop leaking skb's0bfe50dc5dnet: ieee802154: mcr20a: Fix lifs/sifs periods75bbda3189net: ieee802154: hwsim: Ensure proper channel selection at probe timee895e067d7spi: uniphier: fix reference count leak in uniphier_spi_probe()ec942d08e0spi: meson-spicc: add IRQ check in meson_spicc_probec2cf65e100spi: mediatek: Avoid NULL pointer crash in interrupt30e05c98b9spi: bcm-qspi: check for valid cs before applying chip select6d226e8afeiommu/amd: Fix loop timeout issue in iommu_ga_log_enable()9d9995b037iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping()b3958d3151RDMA/mlx4: Don't continue event handler after memory allocation failured3f8b927dfRDMA/siw: Fix broken RDMA Read Fence/Resume logic.c7db20f5beIB/rdmavt: Validate remote_addr during loopback atomic tests75c610212bRDMA/ucma: Protect mc during concurrent multicast leaves371979069aRDMA/cma: Use correct address when leaving multicast groupaa4ecd995fmemcg: charge fs_context and legacy_fs_context080f371d98Revert "ASoC: mediatek: Check for error clk pointer"4a9bd1e678IB/hfi1: Fix AIP early init panic5d40f1bdaddma-buf: heaps: Fix potential spectre v1 gadget30de3bc099block: bio-integrity: Advance seed correctly for larger interval sizes352715593emm/kmemleak: avoid scanning potential huge holes7053188ddbmm/pgtable: define pte_index so that preprocessor could recognize itbce7f5d74dmm/debug_vm_pgtable: remove pte entry from the page table2d83a7463dnvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts()a0c73dbdd1drm/amd/display: Force link_rate as LINK_RATE_RBR2 for 2018 15" Apple Retina panelsf071d9fa85drm/nouveau: fix off by one in BIOS boundary checking32747e0143btrfs: fix deadlock between quota disable and qgroup rescan workeraa5d406153ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after reboot from Windowsd4aa3a9859ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master (newer chipset)3a8a8072e3ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570 ALC1220 quirks532cde962fALSA: hda/realtek: Add quirk for ASUS GU603410f231fd7ALSA: hda: realtek: Fix race at concurrent COEF updatesa7de100213ALSA: hda: Fix UAF of leds class devs at unbinding470bbb9cbdALSA: usb-audio: Correct quirk for VF07706877f87579ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx()038f8b7caaASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx()a9394f21fbASoC: ops: Reject out of bounds values in snd_soc_put_volsw()0ff6b80506audit: improve audit queue handling when "audit=1" on cmdlinef446089a26selinux: fix double free of cond_list on error paths08942dae64Merge 5.10.98 into android-5.1026d02dc8efMerge 5.10.97 into android12-5.10-ltse33a5b611cRevert "perf: Fix perf_event_read_local() time"0b4470b56eMerge 5.10.96 into android12-5.10-lts12a0a56cbaLinux 5.10.9897a47e2555Revert "drm/vc4: hdmi: Make sure the device is powered with CEC" againe27042060fRevert "drm/vc4: hdmi: Make sure the device is powered with CEC"c8ed22bd97Linux 5.10.97176356550ctcp: add missing tcp_skb_can_collapse() test in tcp_shift_skb_data()32e1799710af_packet: fix data-race in packet_setsockopt / packet_setsockoptaa9e96db31cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask()3bbe2019ddrtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()e7be569263net: sched: fix use-after-free in tc_new_tfilter()7b4741644cfanotify: Fix stale file descriptor in copy_event_to_user()4d3fcfe846net: amd-xgbe: Fix skb data length underflowcadfa7dce5net: amd-xgbe: ensure to reset the tx_timer_active flag77534b114fipheth: fix EOVERFLOW in ipheth_rcvbulk_callbackb4ced7a46dnet/mlx5: E-Switch, Fix uninitialized variable modact502c37b033net/mlx5: Use del_timer_sync in fw reset flow of halting polla01ee1b816net/mlx5e: Fix handling of wrong devices during bond netevent1fc3444cdacgroup-v1: Require capabilities to set release_agentac4ba79bb0drm/vc4: hdmi: Make sure the device is powered with CEC46f919c6bdx86/cpu: Add Xeon Icelake-D to list of CPUs that support PPINfbdbf6743fx86/mce: Add Xeon Sapphire Rapids to list of CPUs that support PPINd4e4e61d4apsi: Fix uaf issue when psi trigger is destroyed while being polled080dbe7e9bKVM: x86: Forcibly leave nested virt when SMM state is toggled063029a882Revert "drivers: bus: simple-pm-bus: Add support for probing simple bus only devices"42fdbf8b7dnet: ipa: prevent concurrent replenishad81380d3anet: ipa: use a bitmap for endpoint replenish_enabled2ed912e3e0net: ipa: fix atomic update in ipa_endpoint_replenish()3b4c966fb1PCI: pciehp: Fix infinite loop in IRQ handler upon power faulta9839858b5Merge 5.10.95 into android12-5.10-ltsf255ac9e87Linux 5.10.96b43e9d2f6fmtd: rawnand: mpc5121: Remove unused variable in ads5121_select_chip()b63e120189block: Fix wrong offset in bio_truncate()0b4e82403cfsnotify: invalidate dcache before IN_DELETE event8bae6db29cusr/include/Makefile: add linux/nfc.h to the compile-test coveragef36554de78dt-bindings: can: tcan4x5x: fix mram-cfg RX FIFO config446ff1fc37net: bridge: vlan: fix memory leak in __allowed_ingressbc58a5bb9eipv4: remove sparse error in ip_neigh_gw4()ebc5b8e471ipv4: tcp: send zero IPID in SYNACK messages58f72918f9ipv4: raw: lock the socket in raw_bind()9ffc94a81bnet: bridge: vlan: fix single net device option dumping869f1704f1Revert "ipv6: Honor all IPv6 PIO Valid Lifetime values"699eef4ed9net: hns3: handle empty unknown interrupt for VFc9c81b393cnet: cpsw: Properly initialise struct page_pool_params729e54636byam: fix a memory leak in yam_siocdevprivate()93a6e920d8drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc0b7d8db87ddrm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phyd1d4616d3evideo: hyperv_fb: Fix validation of screen resolution0a60d04abcibmvnic: don't spin in tasklet55258b5059ibmvnic: init ->running_cap_crqs earlyb469cf91fbipv4: fix ip option filtering for locally generated fragments9b44441972net: ipv4: Fix the warning for dereference2f56c4845dnet: ipv4: Move ip_options_fragment() out of loop55402a4618powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending0bdbf93ee2hwmon: (lm90) Mark alert as broken for MAX6654c534287a57efi/libstub: arm64: Fix image check alignment at entry3572205b19rxrpc: Adjust retransmission backoff5067f5699docteontx2-pf: Forward error codes to VFbd024e36f6phylib: fix potential use-after-freea839a79f4dnet: phy: broadcom: hook up soft_reset for BCM54616S57b2f3632bsched/pelt: Relax the sync of util_sum with util_avg91b04e83c7perf: Fix perf_event_read_local() timecffed7e631kernel: delete repeated words in comments1af995c98bnetfilter: conntrack: don't increment invalid counter on NF_REPEAT129c71829dpowerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.067a32824f7aNFS: Ensure the server has an up to date ctime before renaming666f6ab882NFS: Ensure the server has an up to date ctime before hardlinking4cd0ef6215ipv6: annotate accesses to fn->fn_sernum79c0b5287ddrm/msm/dsi: invalid parameter check in msm_dsi_phy_enable3ab44a408bdrm/msm/dsi: Fix missing put_device() call in dsi_get_phy82c310d04bdrm/msm: Fix wrong size calculationf57a99c9a5net-procfs: show net devices bound packet types87880e3803NFSv4: nfs_atomic_open() can race when looking up a non-regular filece8c552b88NFSv4: Handle case where the lookup of a directory failsb48a05cee2hwmon: (lm90) Reduce maximum conversion rate for G781b26fed25e6ipv4: avoid using shared IP generator for connected sockets283aa5a5afping: fix the sk_bound_dev_if match in ping_lookup7bcb0c19abhwmon: (lm90) Mark alert as broken for MAX6680925cbd596ahwmon: (lm90) Mark alert as broken for MAX6646/6647/6649db044d9746net: fix information leakage in /proc/net/ptypefeb770cc00ipv6_tunnel: Rate limit warning messages00849de10fscsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()fcaf94c49arpmsg: char: Fix race between the release of rpmsg_eptdev and cdev1dbb206730rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev20f6675821usb: roles: fix include/linux/usb/role.h compile issue6aeff8a7c7i40e: fix unsigned stat widthsd2ed5997a9i40e: Fix for failed to init adminq while VF reset768eb705e6i40e: Fix queues reservation for XDP39896710f7i40e: Fix issue when maximum queues is exceeded9068bcb219i40e: Increase delay to 1 s after global EMP resetb4c9b6afa3powerpc/32: Fix boot failure with GCC latent entropy plugin50f5d0a8bdpowerpc/32s: Fix kasan_init_region() for KASAN5d3af1dfdfpowerpc/32s: Allocate one 256k IBAT instead of two consecutives 128k IBATs08f090bb9bx86/MCE/AMD: Allow thresholding interface updates after init791e5d5daasched/membarrier: Fix membarrier-rseq fence command missing from query bitmaskafbde455ebocfs2: fix a deadlock when commit trans97f75e7d4cjbd2: export jbd2_journal_[grab|put]_journal_head3921d081c9ucsi_ccg: Check DEV_INT bit only when starting CCG4598a884c77usb: typec: tcpm: Do not disconnect while receiving VBUS offe3b131e30eUSB: core: Fix hang in usb_kill_urb by adding memory barriers3ca928c824usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS053274bc6busb: common: ulpi: Fix crash in ulpi_match()20c51a4c52usb: xhci-plat: fix crash when suspend if remote wake enable38d1bf67a3usb-storage: Add unusual-devs entry for VL817 USB-SATA bridgee0fcae7bd7tty: Add support for Brainboxes UC cards.7079283d32tty: n_gsm: fix SW flow control encoding/handling2683b0d5d7serial: stm32: fix software flow control transfer4628b26df5serial: 8250: of: Fix mapped region size when using reg-offset property94b23988c3netfilter: nft_payload: do not update layer 4 checksum when mangling fragmentsbf0d4ae5c6arm64: errata: Fix exec handling in erratum1418040workarounde92cac1dd8KVM: x86: Update vCPU's runtime CPUID on write to MSR_IA32_XSS6b55af102bdrm/etnaviv: relax submit size limits7a32d17fb7perf/x86/intel/uncore: Fix CAS_COUNT_WRITE issue for ICXa2c8e1d9e4Revert "KVM: SVM: avoid infinite loop on NPF from bad address"abae88fb37fsnotify: fix fsnotify hooks in pseudo filesystems6ceac38e9bceph: set pool_ns in new inode layout for async createse7be12ca7dceph: properly put ceph_string reference after async create attempt39986696fetracing: Don't inc err_log entry count if entry allocation failsd71b06aa99tracing/histogram: Fix a potential memory leak for kstrdup()561a22d44aPM: wakeup: simplify the output logic of pm_show_wakelocks()b0f1cc093befi: runtime: avoid EFIv2 runtime services on Apple x86 machinesde7cc8bccaudf: Fix NULL ptr deref when converting from inline format0a3cfd2589udf: Restore i_lenAlloc when inode expansion failsf08801252dscsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devicesff6bdc205fbpf: Guard against accessing NULL pt_regs in bpf_get_task_stack()6520fedfces390/hypfs: include z/VM guests with access control group setc10e0627c7s390/module: fix loading modules with a lot of relocationsba7c71a777net: stmmac: skip only stmmac_ptp_register when resume from suspend11191406f2net: sfp: ignore disabled SFP nodee651772adcmedia: venus: core: Drop second v4l2 device unregister83d5196b65Bluetooth: refactor malicious adv data check34fd8cb7e7ANDROID: Fix CRC issue up with xfrm headers in 5.10.94a50b069165Revert "xfrm: rate limit SA mapping change message to user space"67ea95e0e8Revert "clocksource: Reduce clocksource-skew threshold"fae0741a78Revert "clocksource: Avoid accidental unstable marking of clocksources"77656fde3cLinux 5.10.95ae2b20f277drm/vmwgfx: Fix stale file descriptors on failed usercopy11ba2c6dfbselect: Fix indefinitely sleeping task in poll_schedule_timeout()a447d7f786KVM: x86/mmu: Fix write-protection of PTs mapped by the TDP MMU12d3389b7arcu: Tighten rcu_advance_cbs_nowake() checks4d63363c88bnx2x: Invalidate fastpath HSI version for VFsfdcfabd095bnx2x: Utilize firmware 7.13.21.06a6acf9278drm/i915: Flush TLBs before releasing backing store4ec3c2eea5Merge 5.10.94 into android12-5.10-ltsc525532e4fLinux 5.10.94c76c132444scripts: sphinx-pre-install: Fix ctex support on Debian133cef0b61scripts: sphinx-pre-install: add required ctex dependency15ce9329a5ath10k: Fix the MTU size on QCA9377 SDIO25b1a6d330mtd: nand: bbt: Fix corner case in bad block table handling8104e589falib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test6292503700mm/hmm.c: allow VM_MIXEDMAP to work with hmm_range_fault33bb7f027blib82596: Fix IRQ check in sni_82596_probe078b5a4498scripts/dtc: dtx_diff: remove broken example from help text21513c4615dt-bindings: watchdog: Require samsung,syscon-phandle for Exynos723bcf3615bdt-bindings: display: meson-vpu: Add missing amlogic,canvas property66467cc87adt-bindings: display: meson-dw-hdmi: add missing sound-name-prefix property4496e4a427net: mscc: ocelot: fix using match before it is setee64479c9cnet: sfp: fix high power modules without diagnostic monitoring819e76bc57net: ethernet: mtk_eth_soc: fix error checking in mtk_mac_config()4691c9f047bcmgenet: add WOL IRQ check6973b38b9dnet_sched: restore "mpu xxx" handling20949c3816net: bonding: fix bond_xmit_broadcast return value error bug799730d182arm64: dts: qcom: msm8996: drop not documented adreno propertiesf6d4c0e017devlink: Remove misleading internal_flags from health reporter dump2e51a761b7perf probe: Fix ppc64 'perf probe add events failed' case59b44f7760dmaengine: at_xdmac: Fix at_xdmac_lld struct definition0078f05371dmaengine: at_xdmac: Fix lld view setting7ab120636ddmaengine: at_xdmac: Fix concurrency over xfers_listb5b27c5e33dmaengine: at_xdmac: Print debug message after realeasing the lockc536b351a7dmaengine: at_xdmac: Start transfer for cyclic channels in issue_pendingcd22e22e8edmaengine: at_xdmac: Don't start transactions at tx_submit level68a83051c8perf script: Fix hex dump character output7b9d40e9f6libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route()cd5c24d223gre: Don't accidentally set RTO_ONLINK in gre_fill_metadata_dst()7f2ca96bd2xfrm: Don't accidentally set RTO_ONLINK in decode_session4()2b1415c60bnetns: add schedule point in ops_exit_list()edc09548ffinet: frags: annotate races around fqdir->dead and fqdir->high_thresh69e7e979edtaskstats: Cleanup the use of task->exit_code56daa21414virtio_ring: mark ring unused on error0c4ebcb00dvdpa/mlx5: Fix wrong configuration of virtio_version_1_0c736ec01a2rtc: pxa: fix null pointer dereference8b8ff4c793HID: vivaldi: fix handling devices not using numbered reportsd7544cf693net: axienet: increase default TX ring size to 128557829d42dnet: axienet: fix for TX busy handling41831d4967net: axienet: fix number of TX ring slots for available check6301f3566anet: axienet: Fix TX ring slot available check7a3d3d7f6dnet: axienet: limit minimum TX ring size2f548489d6net: axienet: add missing memory barriersbcc5d57e60net: axienet: reset core on initialization prior to MDIO access46c0ccaff2net: axienet: Wait for PhyRstCmplt after core reset34942a228anet: axienet: increase reset timeouta66b9bccf7net/smc: Fix hung_task when removing SMC-R devices51b52cf354clk: si5341: Fix clock HW provider cleanupfe40f7aef3clk: Emit a stern warning with writable debugfs enabled38221afa03af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progressa49e402f23f2fs: fix to reserve space for IO align feature39ad058117f2fs: compress: fix potential deadlock of compress filee1840365edparisc: pdc_stable: Fix memory leak in pdcs_register_pathentriesd806eb5f4enet/fsl: xgmac_mdio: Fix incorrect iounmap when removing module38c798384bnet/fsl: xgmac_mdio: Add workaround for erratum A-009885734f4b0f83ipv4: avoid quadratic behavior in netns dismantle86f0587f74ipv4: update fib_info_cnt under spinlock protection10e99ae9b5perf evsel: Override attr->sample_period for non-libpfm4 events58fa3e9002xdp: check prog type before updating BPF link38ee417f59bpftool: Remove inclusion of utilities.mak from Makefiles2bcab471a2block: Fix fsync always failed if once failed5e59f88535powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses19aaef6519powerpc/cell: Fix clang -Wimplicit-fallthrough warning4cb7aba1e0Revert "net/mlx5: Add retry mechanism to the command entry index allocation"78cf5f63a3dmaengine: stm32-mdma: fix STM32_MDMA_CTBR_TSEL_MASK16ad0aa917RDMA/rxe: Fix a typo in opcode name885860717cRDMA/hns: Modify the mapping attribute of doorbell to device57cd8597c3dmaengine: uniphier-xdmac: Fix type of address variables4fe77b7cd2scsi: core: Show SCMD_LAST in text formb30240911dBluetooth: hci_sync: Fix not setting adv set duration55698d11c8Documentation: fix firewire.rst ABI file path error5d38cbf66dDocumentation: refer to config RANDOMIZE_BASE for kernel address-space randomizationabecf9d748Documentation: ACPI: Fix data node reference documentationd1e85fcd73Documentation: dmaengine: Correctly describe dmatest with channel unsetf6736bd81dmedia: correct MEDIA_TEST_SUPPORT help text55b10b88acdrm/vc4: hdmi: Make sure the device is powered with CEC81ac08a800media: rcar-csi2: Optimize the selection PHTW register0baa3729d2can: mcp251xfd: mcp251xfd_tef_obj_read(): fix typo in error messagef62bf6ee4ffirmware: Update Kconfig help text for Google firmware12224c0d19of: base: Improve argument length mismatch error7bb99c7e13drm/radeon: fix error handling in radeon_driver_open_kms0ca7ec6db2ext4: don't use the orphan list when migrating an inode679fb06532ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits'd60e9daba2ext4: destroy ext4_fc_dentry_cachep kmemcache on module removalf26b24b4c1ext4: fast commit may miss tracking unwritten range during ftruncate04b5627306ext4: use ext4_ext_remove_space() for fast commit replay delete range53998b3f6dext4: Fix BUG_ON in ext4_bread when write quota datada364ab358ext4: set csum seed in tmp inode while migrating to extentse4221629d5ext4: fix fast commit may miss tracking range for FALLOC_FL_ZERO_RANGE720508dd11ext4: initialize err_blk before calling __ext4_get_inode_locf9ed0ea0a9ext4: fix a possible ABBA deadlock due to busy PA115b762b48ext4: make sure quota gets properly shutdown on error762e4c33e9ext4: make sure to reset inode lockdep class when quota enabling failsf8c3ec2e21btrfs: respect the max size in the header when activating swap filee7764bccaebtrfs: check the root node for uptodate before returning it09e0ef287ebtrfs: fix deadlock between quota enable and other quota operations56f974d583xfrm: fix policy lookup for ipv6 gre packets84166c1177PCI: pci-bridge-emul: Set PCI_STATUS_CAP_LIST for PCIe device7aeeb9fe9cPCI: pci-bridge-emul: Correctly set PCIe capabilitiesaf1d0acdacPCI: pci-bridge-emul: Fix definitions of reserved bits0f2ae6691ePCI: pci-bridge-emul: Properly mark reserved PCIe bits in PCI config space2a0d437d8aPCI: pci-bridge-emul: Make expansion ROM Base Address register read-onlydef2825b09PCI: pciehp: Use down_read/write_nested(reset_lock) to fix lockdep errors6cbe8f8debPCI: xgene: Fix IB window setupe09f47e77bpowerpc/64s/radix: Fix huge vmap false positiveeb44b1386aparisc: Fix lpa and lpa_user defines9b78ee2341drm/bridge: analogix_dp: Make PSR-exit block less8cbbf4a6f1drm/nouveau/kms/nv04: use vzalloc for nv04_display605583fcccdrm/etnaviv: limit submit sizes6c1e3d8b1bdevice property: Fix fwnode_graph_devcon_match() fwnode leakecb71f7bd5s390/mm: fix 2KB pgtable release race798754ba48iwlwifi: mvm: Increase the scan timeout guard to 30 secondsc524f4cfb3tracing/kprobes: 'nmissed' not showed correctly for kretprobeb72075e395cputime, cpuacct: Include guest time in user time in cpuacct.stat13518f058fserial: Fix incorrect rs485 polarity on uart open9668cf9e4afuse: Pass correct lend value to filemap_write_and_wait_range()9fbaddd783xen/gntdev: fix unmap notification order67b078d996spi: uniphier: Fix a bug that doesn't point to private data correctly05026c4e94tpm: fix NPE on probe for missing device76006d33f1ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers4f0762ac32crypto: caam - replace this_cpu_ptr with raw_cpu_ptr9e6ff2d572crypto: stm32/crc32 - Fix kernel BUG triggered in probe()2031e0246ecrypto: omap-aes - Fix broken pm_runtime_and_get() usage43e94431c3rpmsg: core: Clean up resources on announce_create failure.082ff9e12bphy: mediatek: Fix missing check in mtk_mipi_tx_probeff08cf1e34ASoC: mediatek: mt8183: fix device_node leakf28672eef4ASoC: mediatek: mt8173: fix device_node leak0df5104008scsi: sr: Don't use GFP_DMAde9a936b04MIPS: Octeon: Fix build errors using clangda7df943e2i2c: designware-pci: Fix to change data types of hcnt and lcnt parametersf09f7ccb28irqchip/gic-v4: Disable redistributors' view of the VPE table at boot timebc2d961d82MIPS: OCTEON: add put_device() after of_find_device_by_node()ce34b03a71udf: Fix error handling in udf_new_inode()15be042e7fpowerpc/fadump: Fix inaccurate CPU state info in vmcore generated with panicf2e658d9bdpowerpc: handle kdump appropriately with crash_kexec_post_notifiers option044164b419selftests/powerpc/spectre_v2: Return skip code when miss_percent is high21125e0116powerpc/40x: Map 32Mbytes of memory at startupc330442f46MIPS: Loongson64: Use three arguments for sltiaf8d077350ALSA: seq: Set upper limit of processed events297210783ascsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanupdfde7afed7dm: fix alloc_dax error handling in alloc_dev2e2086f49envmem: core: set size for sysfs bin file4a273a94bdw1: Misuse of get_user()/put_user() reported by sparse87e91d6c6aKVM: PPC: Book3S: Suppress failed alloc warning in H_COPY_TOFROM_GUEST23bb3f01ceKVM: PPC: Book3S: Suppress warnings when allocating too big memory slots03c1595a18powerpc/powermac: Add missing lockdep_register_key()df29c01b9fclk: meson: gxbb: Fix the SDM_EN bit for MPLL0 on GXBB30d35a1abdi2c: mpc: Correct I2C reset procedure4b25aad655powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING25714ad6bfi2c: i801: Don't silently correct invalid transfer size75e2cfa5fapowerpc/watchdog: Fix missed watchdog reset due to memory ordering racea83639521apowerpc/btext: add missing of_node_putfc10d8f00apowerpc/cell: add missing of_node_put297ff7d5f1powerpc/powernv: add missing of_node_putc83ba875d7powerpc/6xx: add missing of_node_putd240b08d8ax86/kbuild: Enable CONFIG_KALLSYMS_ALL=y in the defconfigs3681e9f3f0parisc: Avoid calling faulthandler_disabled() twicef2a27dd7a2random: do not throw away excess input to crng_fast_loadf8fdebfb4bserial: core: Keep mctrl register state and cached copy in synca03fd1b198serial: pl010: Drop CR register reset on set_termios40ac338926regulator: qcom_smd: Align probe function with rpmh-regulator3dc751213fnet: gemini: allow any RGMII interface mode1063de8975net: phy: marvell: configure RGMII delays for 88E111800580670b9mlxsw: pci: Avoid flow control for EMAD packetseaf8cffcf5dm space map common: add bounds check to sm_ll_lookup_bitmap()5850bef8e9dm btree: add a defensive bounds check to insert_at()754b663ea9mac80211: allow non-standard VHT MCS-10/11e8da60b3a6net: mdio: Demote probed message to debug print6b22c9824dbtrfs: remove BUG_ON(!eie) in find_parent_nodes623c65bc73btrfs: remove BUG_ON() in find_parent_nodes()44cbd2a16aACPI: battery: Add the ThinkPad "Not Charging" quirk7b6dc07c6eamdgpu/pm: Make sysfs pm attributes as read-only for VFs516e332d6fdrm/amdgpu: fixup bad vram size on gmc v8ee88ff140dACPICA: Hardware: Do not flush CPU cache when entering S4 and S58544074762ACPICA: Fix wrong interpretation of PCC addresse70be17696ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()8ea9216d20ACPICA: Utilities: Avoid deleting the same object twice in a rowfcfd8282c5ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitionse3a51d6c90jffs2: GC deadlock reading a page that is used in jffs2_write_begin()e35cb5b122drm/etnaviv: consider completed fence seqno in hang checka0b13335a3xfrm: rate limit SA mapping change message to user space0b7beb2feaBluetooth: vhci: Set HCI_QUIRK_VALID_LE_STATES6ac117edacath11k: Fix napi related hang756a7188b2um: registers: Rename function names to avoid conflicts and build problemsd817d10f7aiwlwifi: pcie: make sure prph_info is set when treating wakeup IRQf266e1c5bfiwlwifi: mvm: Fix calculation of frame length6e44b60054iwlwifi: remove module loading failure messagefebab6b60diwlwifi: fix leaks/bad data after failed firmware load81d2e96abaPM: AVS: qcom-cpr: Use div64_ul instead of do_divc0a1d844e3rtw88: 8822c: update rx settings to prevent potential hw deadlock3ef25f3122ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_streame10de31055usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0282286c632cpufreq: Fix initialization of min and max frequency QoS requests37b25de3afPM: runtime: Add safety net to supplier device release5dfc6fa0b8arm64: tegra: Adjust length of CCPLEX cluster MMIO regionb68c56a149arm64: dts: ls1028a-qds: move rtc node to the correct i2c busb6f7f0ad5aaudit: ensure userspace is penalized the same as the kernel when under pressure5d54ed1550mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO51a5156bb7media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()f6bc6b178cmedia: igorplugusb: receiver overflow should be reportedd698e024beHID: quirks: Allow inverting the absolute X/Y values59f0363346bpf: Do not WARN in bpf_warn_invalid_xdp_action()0e8805f73bnet: bonding: debug: avoid printing debug logs when bond is not notifying peers8c72de32ffx86/mce: Mark mce_read_aux() noinstr1ad3e60f1fx86/mce: Mark mce_end() noinstrf21ca973b4x86/mce: Mark mce_panic() noinstrde360d9443x86/mce: Allow instrumentation during task work queueingaf371e0abbath11k: Avoid false DEADLOCK warning reported by lockdepaec69e2f33selftests/ftrace: make kprobe profile testcase description unique07ecabf15agpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock7e09f9d15enet: phy: prefer 1000baseT over 1000baseKX443133330anet-sysfs: update the queue counts in the unregistration path58b4c1ce83ath10k: Fix tx hangingfcba0bce33ath11k: avoid deadlock by change ieee80211_queue_work for regd_update_work93a108d466iwlwifi: mvm: avoid clearing a just saved session protection idec01e0fe21iwlwifi: mvm: synchronize with FW after multicast commandsc1976a4248thunderbolt: Runtime PM activate both ends of the device link830e5d1b43media: m920x: don't use stack on USB readsc33f0f22bfmedia: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()526b6c9b45media: rcar-vin: Update format alignment constraints74e60c1dcemedia: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds.d0e3ab637ddrm: rcar-du: Fix CRTC timings when CMM is usede61aa46d0fx86/mm: Flush global TLB when switching to trampoline page-table0946fdd929floppy: Add max size check for user space request409d45bcd3usb: uhci: add aspeed ast2600 uhci supportd0aec428c0arm64: dts: ti: j7200-main: Fix 'dtbs_check' serdes_ln_ctrl nodefcb45ac39fACPI / x86: Add not-present quirk for the PCI0.SDHB.BRC1 device on the GPD winb8b2e74a87ACPI / x86: Allow specifying acpi_device_override_status() quirks by pathcda755506dACPI: Change acpi_device_always_present() into acpi_device_override_status()b029625063ACPI / x86: Drop PWM2 device on Lenovo Yoga Book from always present tablecf3b1a160dmedia: venus: avoid calling core_clk_setrate() concurrently during concurrent video sessionsadbe148672ath11k: Avoid NULL ptr access during mgmt tx cleanupab523ea096rsi: Fix out-of-bounds read in rsi_read_pkt()7525876750rsi: Fix use-after-free in rsi_rx_done_handler()6036500fdfmwifiex: Fix skb_over_panic in mwifiex_usb_recv()8a6371d84ccrypto: jitter - consider 32 LSB for APT240cf5d3cbHSI: core: Fix return freed object in hsi_new_clientf4295b7dcagpiolib: acpi: Do not set the IRQ type if the IRQ is already in usef0653cd4datty: serial: imx: disable UCR4_OREN in .stop_rx() instead of .shutdown()b8d10f601fdrm/bridge: megachips: Ensure both bridges are probed before registration43fc9e267emlxsw: pci: Add shutdown method in PCI driverb2e921fa92soc: ti: pruss: fix referenced node in error message07fbbc4dc7drm/amdgpu/display: set vblank_disable_immediate for DC019fe9723adrm/amd/display: check top_pipe_to_program pointer3c3c0b6c4aARM: imx: rename DEBUG_IMX21_IMX27_UART to DEBUG_IMX27_UARTf54d8cd831EDAC/synopsys: Use the quirk for version instead of ddr version0b85d73fdbmedia: b2c2: Add missing check in flexcop_pci_isr:c978d39a8bHID: apple: Do not reset quirks when the Fn key is not found2df002e327drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L5aa57672c6usb: gadget: f_fs: Use stream_open() for endpoint files129e8faaeeath11k: Fix crash caused by uninitialized TX ringe8b271f2aamedia: atomisp: handle errors at sh_css_create_isp_params()ebe9c978d9batman-adv: allow netlink usage in unprivileged containersff452db961ARM: shmobile: rcar-gen2: Add missing of_node_put()ff2138d6c2media: atomisp-ov2680: Fix ov2680_set_fmt() clobbering the exposure51ef6582a2media: atomisp: set per-device's default modeac08140677media: atomisp: fix try_fmt logic518e059789drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACRe3ba02b043drm/bridge: dw-hdmi: handle ELD when DRM_BRIDGE_ATTACH_NO_CONNECTOR2f13f10fddar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START replya9d2ccfc7dselftests/bpf: Fix bpf_object leak in skb_ctx selftestb207356933drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=ydb1e878373fs: dlm: filter user dlm messages for kernel locksf9c9a46efdBluetooth: Fix debugfs entry leak in hci_register_dev()852d7d436fARM: dts: omap3-n900: Fix lp5523 for multi colorb5793aff11of: base: Fix phandle argument length mismatch error messagee16e836d51clk: bm1880: remove kfrees on static allocations36d46e21c9ASoC: fsl_asrc: refine the check of available clock divider5a6864e2e6RDMA/cxgb4: Set queue pair state when being queried80524c8cdfASoC: fsl_mqs: fix MODULE_ALIAS74988d017dpowerpc/xive: Add missing null check after calling kmalloc588e0b81cemips: bcm63xx: add support for clk_set_parent()e3de89d010mips: lantiq: add support for clk_set_parent()8f8468a089arm64: tegra: Remove non existent Tegra194 reset702902fc7farm64: tegra: Fix Tegra194 HDA {clock,reset}-names ordering24b047d72ccounter: stm32-lptimer-cnt: remove iio counter abia394606104misc: lattice-ecp3-config: Fix task hung when firmware load failed696a50abbcASoC: samsung: idma: Check of ioremap return valued491a2c2cfASoC: mediatek: Check for error clk pointerc73ccdd62dphy: uniphier-usb3ss: fix unintended writing zeros to PHY registerd781f4cd8cscsi: block: pm: Always set request queue runtime active in blk_post_runtime_resume()6e2a169544iommu/iova: Fix race between FQ timeout and teardown57bc898575ASoC: Intel: catpt: Test dmaengine_submit() result before moving on676049a3d2iommu/amd: Restore GA log/tail pointer on host resumec2bd7c31deiommu/amd: Remove iommu_init_ga()62ea255f2bdmaengine: pxa/mmp: stop referencing config->slave_id0be9ae1e53mips: fix Kconfig reference to PHYS_ADDR_T_64BIT88d78b25dbmips: add SYS_HAS_CPU_MIPS64_R5 config for MIPS Release 5 support51b8e814bcclk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after system enter shelldff359e042of: unittest: 64 bit dma address test requires arch support918105df78of: unittest: fix warning on PowerPC frame size warning0e04518b1dASoC: rt5663: Handle device_property_read_u32_array error codes7c0d9c815cRDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry2432d325f9RDMA/core: Let ib_find_gid() continue search even after empty entryd77916df16powerpc/powermac: Add additional missing lockdep_register_key()8b3783e517PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity()7be2a0bcafRDMA/qedr: Fix reporting max_{send/recv}_wr attrse19469468bscsi: ufs: Fix race conditions related to driver dataed43b2e048iommu/io-pgtable-arm: Fix table descriptor paddr formattinge9e4d1fb45openrisc: Add clone3 ABI wrapper551a785c26binder: fix handling of error during copy88ddf033a5char/mwave: Adjust io port register size8937aee4c0ALSA: usb-audio: Drop superfluous '0' in Presonus Studio 1810c's IDbcd533417fALSA: oss: fix compile error when OSS_DEBUG is enabledfd99aeb978clocksource: Avoid accidental unstable marking of clocksourcescacc6c30e3clocksource: Reduce clocksource-skew threshold86ad478c99powerpc/32s: Fix shift-out-of-bounds in KASAN initef798cd035powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC58014442a9powerpc/irq: Add helper to set regs->softec9ffa84a3bpowerpc/perf: move perf irq/nmi handling details into traps.ca0758b3be4powerpc/perf: MMCR0 control for PMU registers under PMCC=00f4df6db5b0powerpc/64s: Convert some cpu_setup() and cpu_restore() functions to Ca9c9d2ff64dt-bindings: thermal: Fix definition of cooling-maps contribution property2bd8d93795ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA5a821af769powerpc/prom_init: Fix improper check of prom_getprop()9ca761ef94clk: imx8mn: Fix imx8mn_clko1_sels999528d8a7scsi: pm80xx: Update WARN_ON check in pm8001_mpi_build_cmd()c5f414d69aRDMA/hns: Validate the pkey index04a032ea24RDMA/bnxt_re: Scan the whole bitmap when checking if "disabling RCFW with pending cmd-bit"84cd5c029dALSA: hda: Add missing rwsem around snd_ctl_remove() calls180e9d7384ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls49d76154baALSA: jack: Add missing rwsem around snd_ctl_remove() callsf871cd8ee0ext4: avoid trim error on fs with small groups99590e820fnet: mcs7830: handle usb read errors properly2b948524aeiwlwifi: mvm: Use div_s64 instead of do_div in iwl_mvm_ftm_rtt_smoothing()04ce9e2aedpcmcia: fix setting of kthread task states5064bfe046can: xilinx_can: xcan_probe(): check for error irqb6dd1577bccan: softing: softing_startstop(): fix set but not used variable warningb9ac866c23tpm_tis: Fix an error handling path in 'tpm_tis_core_init()'fb46223c9ftpm: add request_locality before write TPM_INT_ENABLE20edf903a3can: mcp251xfd: add missing newline to printed stringsd71fca5d01regmap: Call regmap_debugfs_exit() prior to _init()838acddcdfnetrom: fix api breakage in nr_setsockopt()0d04479857ax25: uninitialized variable in ax25_setsockopt()27e9910c45spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe9d6350cf8eBluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()9defd7d4c0lib/mpi: Add the return value check of kcalloc()e801f81ceenet/mlx5: Set command entry semaphore up once got index freed2b9ce705dRevert "net/mlx5e: Block offload of outer header csum for UDP tunnels"67e1a449a1net/mlx5e: Don't block routes with nexthop objects in SWcc40fa05c0net/mlx5e: Fix page DMA map/unmap attributesb3dda01d1ddebugfs: lockdown: Allow reading debugfs files that are not world readableb9b5da3e18HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad541c3a044bHID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_initc47f842e0cHID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desccf5ad827eeHID: hid-uclogic-params: Invalid parameter check in uclogic_params_init94177fceccusb: dwc3: qcom: Fix NULL vs IS_ERR checking in dwc3_qcom_probe4579954bf4Bluetooth: hci_qca: Fix NULL vs IS_ERR_OR_NULL check in qca_serdev_probef6bf3d6639Bluetooth: hci_bcm: Check for error irqf5e4f68d57fsl/fman: Check for null pointer after calling devm_ioremap60aca6fdc1staging: greybus: audio: Check null pointera1068bfee4rocker: fix a sleeping in atomic bug2db344725eppp: ensure minimum packet size in ppp_write()45643b1b6cnetfilter: nft_set_pipapo: allocate pcpu scratch maps on clone8772700a9fbpf: Fix SO_RCVBUF/SO_SNDBUF handling in _bpf_setsockopt().342332fb0bbpf: Don't promote bogus looking registers after null check.0036c78c49netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check()2e718389b9power: reset: mt6397: Check for null res pointer4210c35fe8pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region()2dee347f35pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region()0f03132191ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes595e1ec55bx86/mce/inject: Avoid out-of-bounds write when setting flagsdf12681819hwmon: (mr75203) fix wrong power-up delay valueaea5302d9dx86/boot/compressed: Move CLANG_FLAGS to beginning of KBUILD_CFLAGS70eec71f32Bluetooth: hci_qca: Stop IBS timer during BT OFF1d4e722b62software node: fix wrong node passed to find nargs_propf8f3c1720dbacklight: qcom-wled: Respect enabled-strings in set_brightnessde79bcbfafbacklight: qcom-wled: Use cpu_to_le16 macro to perform conversionc79f9b8d8ebacklight: qcom-wled: Override default length with qcom,enabled-stringsbf4daf6153backlight: qcom-wled: Fix off-by-one maximum with default num_strings09aed85e8cbacklight: qcom-wled: Pass number of elements to read to read_u32_arrayf4ed4fc504backlight: qcom-wled: Validate enabled string indices in DTe668ac6506bpftool: Enable line buffering for stdout009bb7ee15Bluetooth: L2CAP: Fix using wrong mode1a2241ad40um: virtio_uml: Fix time-travel external time propagation8411722e56um: fix ndelay/udelay definesb2b1b490bdselinux: fix potential memleak in selinux_add_opt()3253cf0914mmc: meson-mx-sdio: add IRQ checkdecb209954mmc: meson-mx-sdhc: add IRQ checkbdc6c9fc5fiwlwifi: mvm: test roc running status bits before removing the staa750fcd604iwlwifi: mvm: fix 32-bit build in FTM86b0122d26ARM: dts: armada-38x: Add generic compatible to UART nodes1f5428e438arm64: dts: marvell: cn9130: enable CP0 GPIO controllers874b97e862arm64: dts: marvell: cn9130: add GPIO and SPI aliases407ef1db40usb: ftdi-elan: fix memory leak on device disconnect2a65da5a1eARM: 9159/1: decompressor: Avoid UNPREDICTABLE NOP encoding47dd693c94xfrm: state and policy should fail if XFRMA_IF_ID 0db369047e3xfrm: interface with if_id 0 should return error37441ddadcmedia: hantro: Fix probe func error path3849ec830bdrm/tegra: vic: Fix DMA API misuseb230114bc5drm/bridge: ti-sn65dsi86: Set max register for regmapdb97fc2c44drm/msm/dpu: fix safe status debugfs file3580055d1farm64: dts: qcom: ipq6018: Fix gpio-ranges property6f20a5a98aarm64: dts: qcom: c630: Fix soundcard setup394ee480aaath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan()f6e4a6cbdbmedia: coda/imx-vdoa: Handle dma_set_coherent_mask error codes1a8869de32media: msi001: fix possible null-ptr-deref in msi001_probe()a79327bb01media: dw2102: Fix use after free958a8819d4ARM: dts: gemini: NAS4220-B: fis-index-block with 128 KiB sectors3e51460638ath11k: Fix deleting uninitialized kernel timer during fragment cache flushb35263f000crypto: stm32 - Revert broken pm_runtime_resume_and_get changes1f5b81874fcrypto: stm32/cryp - fix bugs and crash in tests1f6151b077crypto: stm32/cryp - fix lrw chaining mode2bd40e3a3acrypto: stm32/cryp - fix double pm exit533af1621dcrypto: stm32/cryp - check early input data5deb24e503crypto: stm32/cryp - fix xts and race condition in crypto_engine requestse9e0dd5da8crypto: stm32/cryp - fix CTR counter carryc40b1bc851crypto: stm32 - Fix last sparse warning in stm32_cryp_check_ctr_counter93033bbbdcselftests: harness: avoid false negatives if test has no ASSERTsf568fd97d7selftests: clone3: clone3: add case CLONE3_ARGS_NO_TESTd21b47c607x86/uaccess: Move variable into switch case statement3e801ea43cxfrm: fix a small bug in xfrm_sa_len()b87034d7a2mwifiex: Fix possible ABBA deadlock0836f94040rcu/exp: Mark current CPU as exp-QS in IPI loop second pass027165c491drm/msm/dp: displayPort driver need algorithm rational268f352456sched/rt: Try to restart rt period timer when rt runtime exceededbb0579ab50wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dmab4b911b164media: si2157: Fix "warm" tuner state detection7009a5fbc5media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()df79d2bf95media: dib8000: Fix a memleak in dib8000_init()f0cb43a2c6arm64: clear_page() shouldn't use DC ZVA when DCZID_EL0.DZP == 188ed31aab4arm64: lib: Annotate {clear, copy}_page() as position-independent69e402a985bpf: Remove config check to enable bpf support for branch records924886fa22bpf: Disallow BPF_LOG_KERNEL log level for bpf(BPF_BTF_LOAD)218d952160bpf: Adjust BTF log size limit.b77ef5b4easched/fair: Fix per-CPU kthread and wakee stacking for asym CPU capacityd7d5b3bc52sched/fair: Fix detection of per-CPU kthreads waking a taskec121517acBluetooth: btmtksdio: fix resume failure2a7edcb3efstaging: rtl8192e: rtllib_module: fix error handle case in alloc_rtllib()49f5cd2b7cstaging: rtl8192e: return error code from rtllib_softmac_init()04fdd426cefloppy: Fix hang in watchdog when disk is ejected45bbe00801serial: amba-pl011: do not request memory region twice8409d2394ctty: serial: uartlite: allow 64 bit addressa001a15ab3arm64: dts: ti: k3-j7200: Correct the d-cache-sets info75919207c1arm64: dts: ti: k3-j721e: Fix the L2 cache sets2dcfa3c765arm64: dts: ti: k3-j7200: Fix the L2 cache setsf277978d6cdrm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()3ca1b3b82fdrm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()96e05d2d93thermal/drivers/imx8mm: Enable ADC when enabling monitoref72449e2dACPI: EC: Rework flushing of EC work while suspended to idlec0acd5a097cgroup: Trace event cgroup id fields should be u64e7e178e264arm64: dts: qcom: msm8916: fix MMC controller aliases894d91c633netfilter: bridge: add support for pppoe filtering13f64bbe42thermal/drivers/imx: Implement runtime PM supportc3a59f34e8media: venus: core: Fix a resource leak in the error handling path of 'venus_probe()'50c4244906media: venus: core: Fix a potential NULL pointer dereference in an error handling patheeefa2eae8media: venus: core, venc, vdec: Fix probe dependency error53f65afc26media: venus: pm_helpers: Control core power domain manually89f518b153media: coda: fix CODA960 JPEG encoder buffer overflow1da628d351media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released2028fb832dmedia: si470x-i2c: fix possible memory leak in si470x_i2c_probe()e8d78f924fmedia: imx-pxp: Initialize the spinlock prior to using it621e8ce75dmedia: rcar-csi2: Correct the selection of hsfreqrangead52b9890bmfd: atmel-flexcom: Use .resume_noirq46d6a23114mfd: atmel-flexcom: Remove #ifdef CONFIG_PM_SLEEPf93c9aa1d3tty: serial: atmel: Call dma_async_issue_pending()755a6c873btty: serial: atmel: Check return code of dmaengine_submit()bd85b2e77aarm64: dts: ti: k3-j721e: correct cache-sets info32e9947e66ath11k: Use host CE parameters for CE interrupts configuration6a49acfacacrypto: qat - fix undetected PFVF timeout in ACK loop475ac5c565crypto: qat - make pfvf send message direction agnosticee1c74c3c9crypto: qat - remove unnecessary collision prevention step in PFVF472f768352crypto: qat - fix spelling mistake: "messge" -> "message"ae766527e6ARM: dts: stm32: fix dtbs_check warning on ili9341 dts binding on stm32f429 discoeab4204588mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove867d4ace48crypto: qce - fix uaf on qce_skcipher_register_onee19b3c1b57crypto: qce - fix uaf on qce_ahash_register_one5de640f59fmedia: dmxdev: fix UAF when dvb_register_device() fails1d64e2bd22arm64: dts: renesas: cat875: Add rx/tx delaysa33eef23a6drm/vboxvideo: fix a NULL vs IS_ERR() check43220a61e7fs: dlm: fix build with CONFIG_IPV6 disabled0d7c5d10e7tee: fix put order in teedev_close_context()097e601eb8ath11k: reset RSN/WPA present state for open BSSfa51addd39ath11k: clear the keys properly via DISABLE_KEYdf94b37e90ath11k: Fix ETSI regd with weather radar overlapffc9019bd9Bluetooth: stop proccessing malicious adv data3273541fedmemory: renesas-rpc-if: Return error in case devm_ioremap_resource() fails55917db359fs: dlm: don't call kernel_getpeername() in error_report()98923ebb03fs: dlm: use sk->sk_socket instead of con->sock6edd1bd8e3arm64: dts: meson-gxbb-wetek: fix missing GPIO bindingeb1f75fa24arm64: dts: meson-gxbb-wetek: fix HDMI in early boot6f012f2c44arm64: dts: amlogic: Fix SPI NOR flash node name for ODROID N2/N2+96d710b1c6arm64: dts: amlogic: meson-g12: Fix GPU operating point table node name0b57480ed5media: aspeed: Update signal status immediately to ensure sane hw state0ff0ae69d2media: em28xx: fix memory leak in em28xx_init_devb441d94287media: aspeed: fix mode-detect always time out at 2nd run8d132d9dd8media: atomisp: fix uninitialized bug in gmin_get_pmic_id_and_addr()fc2b95e7aemedia: atomisp: fix enum formats logic6e5353238cmedia: atomisp: add NULL check for asd obtained from atomisp_video_pipe6cbabad304media: staging: media: atomisp: pci: Balance braces around conditional statements in file atomisp_cmd.c22b0b68f7dmedia: atomisp: fix ifdefs in sh_css.c0bf5e8af6emedia: atomisp: fix inverted error check for ia_css_mipi_is_source_port_valid()3cb3e66f58media: atomisp: do not use err var when checking port validity for ISP240008e43223fbmedia: atomisp: fix inverted logic in buffers_needed()fb370f6dc7media: atomisp: fix punit_ddr_dvfs_enable() argument for mrfld_power up case1daacf9bb6media: atomisp: add missing media_device_cleanup() in atomisp_unregister_entities()e1da9301cfmedia: videobuf2: Fix the size printk format90807ab437mtd: hyperbus: rpc-if: Check return value of rpcif_sw_init()9bfed11dcfath11k: Send PPDU_STATS_CFG with proper pdev mask to firmware2fe056d979wcn36xx: fix RX BD rate mapping for 5GHz legacy rates22406ed4e3wcn36xx: populate band before determining rate on RX92fea7bd5awcn36xx: Put DXE block into reset before freeing memory0d53c47f6awcn36xx: Release DMA channel descriptor allocations1850195a85wcn36xx: Fix DMA channel enable/disable cycle38a7842889wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_INDfcb267bb95wcn36xx: ensure pairing of init_scan/finish_scan and start_scan/end_scane53ff4dd70drm/vc4: hdmi: Set a default HSM rateb9c2343373clk: bcm-2835: Remove rounding up the dividers836dd37fe2clk: bcm-2835: Pick the closest clock rate88f1b613c3Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails9ddfa1c191drm/rockchip: dsi: Reconfigure hardware on resume()58904ed186drm/rockchip: dsi: Disable PLL clock on bind error6215cde020drm/rockchip: dsi: Hold pm-runtime across bind/unbind8ccaafa1cadrm/rockchip: dsi: Fix unbalanced clock on probe error9bc19022aadrm/panel: innolux-p079zca: Delete panel on attach() failureb01b7b8684drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure0499c863a8drm: fix null-ptr-deref in drm_dev_init_release()7798757013drm/bridge: display-connector: fix an uninitialized pointer in probe()cb5813b0e5Bluetooth: L2CAP: Fix not initializing sk_peer_pided0b1fd3ecdrm/ttm: Put BO in its memory manager's lru list7b9fa915a5shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode6c6f86bb61mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pagese04b1dfe15dma/pool: create dma atomic pool only if dma zone has managed pagesd2e5724117mm_zone: add function to check if managed dma zone exists2142a7e9bdPCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller45c74f4f54dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled()191a24ceaegpu: host1x: Add back arm_iommu_detach_device()0680674536iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure3dae11f8e3lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()e4a2c924a1iio: adc: ti-adc081c: Partial revert of removal of ACPI IDs256302cb2fcan: softing_cs: softingcs_probe(): fix memleak on registration failureaa57725e2dmedia: cec-pin: fix interrupt en/disable handling2e566cacc3media: stk1160: fix control-message timeouts1a0ca711dfmedia: pvrusb2: fix control-message timeouts2dbf430eadmedia: redrat3: fix control-message timeouts6e9c120bf9media: dib0700: fix undefined behavior in tuner shutdown5e98ac260dmedia: s2255: fix control-message timeouts09b0b918a6media: cpia2: fix control-message timeoutsd90833106cmedia: em28xx: fix control-message timeouts2182575c83media: mceusb: fix control-message timeouts460525acc9media: flexcop-usb: fix control-message timeouts7cac8a5624media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE1da0b1cd42rtc: cmos: take rtc_lock while reading from CMOS14f6cfe0d7tools/nolibc: fix incorrect truncation of exit code5e258640batools/nolibc: i386: fix initial stack alignment06f7528d64tools/nolibc: x86-64: Fix startup code bug98259dd54ex86/gpu: Reserve stolen memory for first integrated Intel GPUe2a17dcad5mtd: rawnand: davinci: Rewrite function description8933138a66mtd: rawnand: davinci: Avoid duplicated page read677764634bmtd: rawnand: davinci: Don't calculate ECC when reading pagea8a607b004mtd: Fixed breaking list in __mtd_del_partition.ff10cd7bb2mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6538a5e208emtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings777a700ccfnfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()08283b076ff2fs: fix to do sanity check in is_alive()57cfc965e3HID: wacom: Avoid using stale array indicies to read contact count7fd22c99bbHID: wacom: Ignore the confidence flag when a touch is removed9a4800e0f6HID: wacom: Reset expected and received contact counts at the same timec2e39d5df0HID: uhid: Fix worker destroying device without any protectionaa1346113cKVM: VMX: switch blocked_vcpu_on_cpu_lock to raw spinlock0347b16583Merge 5.10.93 into android12-5.10-ltsfd187a4925Linux 5.10.93bed97c9036mtd: fixup CFI on ixp4xxf50803b519powerpc/pseries: Get entry and uaccess flush required bits from H_GET_CPU_CHARACTERISTICS68c1aa82beALSA: hda/realtek: Re-order quirk entries for Lenovo4d15a17d06ALSA: hda/realtek: Add quirk for Legion Y9000X 2020d7b41464f1ALSA: hda: ALC287: Add Lenovo IdeaPad Slim 9i 14ITL5 speaker quirk87246ae94bALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master after reboot from Windows9c27e513fbALSA: hda/realtek: Add speaker fixup for some Yoga 15ITL5 devices4c7fb4d519KVM: x86: remove PMU FIXED_CTR3 from msrs_to_save_all6b8c3a1853firmware: qemu_fw_cfg: fix kobject leak in probe error path889c73305bfirmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entriesff9588cf15firmware: qemu_fw_cfg: fix sysfs information leak358a4b054artlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled93c4506f9fmedia: uvcvideo: fix division by zero at stream start4c3f70be6fvideo: vga16fb: Only probe for EGA and VGA 16 color graphic cards161e43ab8c9p: only copy valid iattrs in 9P2000.L setattr implementation0e6c0f3f40KVM: s390: Clarify SIGP orders versus STOP/RESTART413b427f5fKVM: x86: Register Processor Trace interrupt hook iff PT enabled in guest723acd75a0perf: Protect perf_guest_cbs with RCUeadde287a6vfs: fs_context: fix up param length parsing in legacy_parse_paramc5f3827716remoteproc: qcom: pil_info: Don't memcpy_toio more than is provided5d88e24b23orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc()0084fefe29devtmpfs regression fix: reconfigure on each mountee40594c95kbuild: Add $(KBUILD_HOSTLDFLAGS) to 'has_libelf' testf45f895af5Merge branch 'android12-5.10' into `android12-5.10-lts`7dd0d263feMerge 5.10.92 into android12-5.10-ltsc982c1a839Linux 5.10.92c0091233f3staging: greybus: fix stack size warning with UBSAN66d21c005ddrm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk()2d4fda471dstaging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn()3609fed7acmedia: Revert "media: uvcvideo: Set unique vdev name based in type"9b3c761e78random: fix crash on multiple early calls to add_bootloader_randomness()61cca7d191random: fix data race on crng init time3de9478230random: fix data race on crng_node_pool43c494294fcan: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}45221a57b6can: isotp: convert struct tpcon::{idx,len} to unsigned intbd61ae808bcan: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB dataf68e600017mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe()5f76445a31veth: Do not record rx queue hint in veth_xmitddfa53825fmmc: sdhci-pci: Add PCI ID for Intel ADL2e691f9894ath11k: Fix buffer overflow when scanning with extraiea87cecf943USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status15982330b6USB: core: Fix bug in resuming hub's handling of wakeup requests413108ce3bARM: dts: exynos: Fix BCM4330 Bluetooth reset polarity in I9100b6dd070236Bluetooth: bfusb: fix division by zero in send path869e1677a0Bluetooth: btusb: Add support for Foxconn QCA 0xe0d0c20021ce94Bluetooth: btusb: Add support for Foxconn MT7922A8349391838Bluetooth: btusb: Add two more Bluetooth parts for WCN6855294c0dd80dBluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()35ab8c9085bpf: Fix out of bounds access from invalid *_or_null type verificationc84fbba8a9workqueue: Fix unbind_workers() VS wq_worker_running() racec39d68ab38md: revert io stats accountingd605f2f30dMerge 5.10.91 into android12-5.10-ltsdf395c763bLinux 5.10.91674071c9ebInput: zinitix - make sure the IRQ is allocated before it gets enabledef81f7d406ARM: dts: gpio-ranges property is now requiredf63fa1a0d4ipv6: raw: check passed optlen before readingcf07884e6bdrm/amd/display: Added power down for DCN1010b9ccd067mISDN: change function names to avoid conflictsdd8a09cfbbatlantic: Fix buff_ring OOB in aq_ring_rx_cleanc2f4bb251enet: udp: fix alignment problem in udp4_seq_show()f82b48d1d8ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate8c87a83ef8scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()b798b677f9usb: mtu3: fix interval value for intr and isoc498d77fc5eipv6: Do cleanup if attribute validation fails in multipath route72b0d14a0aipv6: Continue processing multipath route even if gateway attribute is invalid5a7d650bb1power: bq25890: Enable continuous conversion for ADC at charging4f260ea553phonet: refcount leak in pep_sock_accep6195293460rndis_host: support Hytera digital radios62cbde77d9power: reset: ltc2952: Fix use of floating point literals998d157e3bpower: supply: core: Break capacity loop16d8568378xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocateaa606b82cdnet: ena: Fix error handling when calculating max IO queues numbere7f5480978net: ena: Fix undefined state when tx request id is out of bounds2de3d961f8sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc4c34d5fd8cbatman-adv: mcast: don't send link-local multicast to mcast routersf403b5f96elwtunnel: Validate RTA_ENCAP_TYPE attribute length48d5adb08dipv6: Check attribute length for RTA_GATEWAY when deleting multipath route173bfa2782ipv6: Check attribute length for RTA_GATEWAY in multipath route914420a2a6ipv4: Check attribute length for RTA_FLOW in multipath routea8fe915be6ipv4: Check attribute length for RTA_GATEWAY in multipath route786a335fefftrace/samples: Add missing prototypes direct functionsc859c4de0bi40e: Fix incorrect netdev's real number of RX/TX queuesd0ad64438fi40e: Fix for displaying message regarding NVM version32845aa602i40e: fix use-after-free in i40e_sync_filters_subtask()f7edb6b943sfc: The RX page_ring is optional2b3f34da0dmac80211: initialize variable have_higher_than_11mbit16e5cad6ecRDMA/uverbs: Check for null return of kmalloc_arraya7c2cae997netrom: fix copying in user data in nr_setsockoptbeeb0fdedaRDMA/core: Don't infoleak GRH fields3ca132e6b0iavf: Fix limit of total number of queues to active queues of VF396e301690i40e: Fix to not show opcode msg on unsuccessful VF MAC change7f13d14e56ieee802154: atusb: fix uninit value in atusb_set_extended_addr7db1e245cbtracing: Tag trace_percpu_buffer as a percpu pointer760c6a6255tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()c1e2da4b3fselftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv()384111e123f2fs: quota: fix potential deadlocka1bb21475eMerge 5.10.90 into android12-5.10-ltsd3e491a20dLinux 5.10.908c15bfb36abpf: Add kconfig knob for disabling unpriv bpf by defaultd8a5b1377bperf script: Fix CPU filtering of a script's switch events2386e81a1dnet: fix use-after-free in tw_timer_handler34087cf960Input: spaceball - fix parsing of movement data packets9f329d0d6cInput: appletouch - initialize work before device registration2a4f551decscsi: vmw_pvscsi: Set residual data length conditionally1cb8444f31binder: fix async_free_space accounting for empty parcelsa6e26251ddusb: mtu3: set interval of FS intr and isoc endpoint3b6efe0b7busb: mtu3: fix list_head check warningf10b01c48fusb: mtu3: add memory barrier before set GPD's HWO1c4ace3e6busb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.1933fe8ce7xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.b8553330a0drm/amdgpu: add support for IP discovery gc_info table v228863ffe21drm/amdgpu: When the VCN(1.0) block is suspended, powergating is explicitly enableda0f3ac399euapi: fix linux/nfc.h userspace compilation errors818c9e0a04nfc: uapi: use kernel size_t to fix user-space builds8d31cbab4ci2c: validate user data in compat ioctl51c94d8fbdfsl/fman: Fix missing put_device() call in fman_port_probe920932b20enet/ncsi: check for error return from call to nla_put_u32610af55f9fselftests/net: udpgso_bench_tx: fix dst ip argument78503589b1net/mlx5e: Fix wrong features assignment in case of error6114600808ionic: Initialize the 'lif->dbid_inuse' bitmapb7c9a1427bigc: Fix TX timestamp support for non-MSI-X platformse8a5988a85net/smc: fix kernel panic caused by race of smc_sock97c87c1db9net/smc: don't send CDC/LLC message if link not ready99f19566b1net/smc: improved fix wait on already cleared linke553265ea5NFC: st21nfca: Fix memory leak in device probe and remove8d70dc0eecnet: lantiq_xrx200: fix statistics of received bytes7ef89bd1e8net: ag71xx: Fix a potential double free in error handling paths40d3618691net: usb: pegasus: Do not drop long Ethernet framesa67becdaa8net/smc: fix using of uninitialized completions769d14abd3sctp: use call_rcu to free endpoint13c1bf43b6selftests: Calculate udpgso segment count without header adjustmentabe74fb433udp: using datalen to cap ipv6 udp max gso segments5e6ad649e9net/mlx5e: Fix ICOSQ recovery flow for XSK73665165b6net/mlx5e: Wrap the tx reporter dump callback to extract the sq4cd1da02f0net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resourcesfcb32eb3d0scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()4833ad4908selinux: initialize proto variable in selinux_ip_postroute_compat()ec941a2277recordmcount.pl: fix typo in s390 mcount regexa0e82d5ef9memblock: fix memblock_phys_alloc() section mismatch error7da855e939platform/x86: apple-gmux: use resource_size() with resd01e9ce1afparisc: Clear stale IIR value on instruction access rights trap0643d9175dtomoyo: use hwight16() in tomoyo_domain_quota_is_ok()e2048a1f91tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok().210c7c6908Input: i8042 - enable deferred probe quirk for ASUS UM325UAbb672eff74Input: i8042 - add deferred probe support9b28b48fb3Merge 5.10.89 into android12-5.10-ltseb967e323fLinux 5.10.8952ad5da8e3phonet/pep: refuse to enable an unbound pipe7dd52af1ebhamradio: improve the incomplete fix to avoid NPD450121075ahamradio: defer ax25 kfree after unregister_netdev8e34d07dd4ax25: NPD bug when detaching AX25 device50f78486f9hwmon: (lm90) Do not report 'busy' status bit as alarmec1d222d37hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681441d387366pinctrl: mediatek: fix global-out-of-bounds issue9c75a9657bASoC: rt5682: fix the wrong jack type detected94caab5af1ASoC: tas2770: Fix setting of high sample ratesc7282790c7Input: goodix - add id->model mapping for the "9111" model3bb3bf50d6Input: elants_i2c - do not check Remark ID on eKTH3900/eKTH5312ee6f34215cmm: mempolicy: fix THP allocations escaping mempolicy restrictions8008fc1d0bKVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_stated91ed251fdusb: gadget: u_ether: fix race in setting MAC address in setup phase6697f29bf5ceph: fix up non-directory creation in SGID directoriesfffb6581a2f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()ad338d825etee: optee: Fix incorrect page free bug1f20707674mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()ac61b9c6c0mac80211: fix locking in ieee80211_start_ap error path89876d1083ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handlingc3253d3a38mmc: mmci: stm32: clear DLYB_CR after sending tuning command0d66b39521mmc: core: Disable card detect during shutdownc8e366a01cmmc: meson-mx-sdhc: Set MANUAL_STOP for multi-block SDIO commands4af7915361mmc: sdhci-tegra: Fix switch to HS400ES mode9a7ec79797gpio: dln2: Fix interrupts when replugging the devicef5b02912e2pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines28626e76baKVM: VMX: Wake vCPU when delivering posted IRQ even if vCPU == this vCPU7a37f2e370platform/x86: intel_pmc_core: fix memleak on registration failureb57afd1240x86/pkey: Fix undefined behaviour with PKRU_WD_BITc05d8f66ectee: handle lookup of shm with reference count 00ffb9f83e4parisc: Fix mask used to select futex spinlock5deeb9ad59parisc: Correct completer in lws start8b745616baipmi: fix initialization when workqueue allocation fails1f6ab84746ipmi: ssif: initialize ssif_info->client earlya5192f3116ipmi: bail out if init_srcu_struct failsbc674f1b21Input: atmel_mxt_ts - fix double free in mxt_read_info_block30140e252fASoC: meson: aiu: Move AIU_I2S_MISC hold setting to aiu-fifo-i2s2b4c020b70ALSA: hda/realtek: Fix quirk for Clevo NJ51CU7470780f3bALSA: hda/realtek: Add new alc285-hp-amp-init model4cb7dc2e30ALSA: hda/realtek: Amp init fixup for HP ZBook 15 G669e492161cALSA: drivers: opl3: Fix incorrect use of vp->statea96c08e0b4ALSA: jack: Check the return value of kstrdup()51c7b2a7b8hwmon: (lm90) Drop critical attribute support for MAX66542464738d0ehwmon: (lm90) Introduce flag indicating extended temperature support196df56c3dhwmon: (lm90) Add basic support for TI TMP461fa2e149260hwmon: (lm90) Fix usage of CONFIG2 register in detect functionba696b4708pinctrl: bcm2835: Change init order for gpio hogs676c572439Input: elantech - fix stack out of bound access in elantech_change_report_id()2792fde84csfc: falcon: Check null pointer of rx_queue->page_ringd70b4001efsfc: Check null pointer of rx_queue->page_ring75c962f02anet: ks8851: Check for error irq9db0f8d395drivers: net: smc911x: Check for error irqca2a15053bfjes: Check for error irqc6d2754006bonding: fix ad_actor_system option setting to default6809da5185ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module61e6b82e7bigb: fix deadlock caused by taking RTNL in RPM resume pathe00eace232net: skip virtio_net_hdr_set_proto if protocol already seted05e4dcfbnet: accept UFOv6 packages in virtio_net_hdr_to_skb56b0bbba78qlcnic: potential dereference null pointer of rx_queue->page_ring78e49d77e5net: marvell: prestera: fix incorrect return of port_find861b4413e4ARM: dts: imx6qdl-wandboard: Fix Ethernet supportd79f5e0d45netfilter: fix regression in looped (broad|multi)cast's MAC handling579cefef7cRDMA/hns: Replace kfree() with kvfree()7cf6466e00IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()cd9c90682bASoC: meson: aiu: fifo: Add missing dma_coerce_mask_and_coherent()580ecf86e7spi: change clk_disable_unprepare to clk_unprepare93a957bbf4arm64: dts: allwinner: orangepi-zero-plus: fix PHY modeef2dce4325HID: potential dereference of null pointer3110bc5862HID: holtek: fix mouse probing0875873b2aext4: check for inconsistent extents between index and leaf block76366c024fext4: check for out-of-order index extents in ext4_valid_extent_entries()1d4b1c4e8bext4: prevent partial update of the extent blocksf69a47fcbbnet: usb: lan78xx: add Allied Telesis AT29M2-AF8c0059a25carm64: vdso32: require CROSS_COMPILE_COMPAT for gcc+bfdb16b124a42arm64: vdso32: drop -no-integrated-as flagba13eb1927Merge 5.10.88 into android12-5.10-lts856f88f27bLinux 5.10.8888f20cccbexen/netback: don't queue unlimited number of packages525875c410xen/netback: fix rx queue stall detection8fa3a370ccxen/console: harden hvc_xen against event channel stormsd31b337917xen/netfront: harden netfront against event channel storms8ac3b6ee7cxen/blkfront: harden blkfront against event channel storms76ec7fe2d8Revert "xsk: Do not sleep in poll() when need_wakeup set"e24fc89830bus: ti-sysc: Fix variable set but not used warning for reinit_modules70692b0620rcu: Mark accesses to rcu_state.n_force_qsa9078e7914scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()bdb854f134scsi: scsi_debug: Fix type in min_t to avoid stack OOBaa1f912712scsi: scsi_debug: Don't call kcalloc() if size arg is zero6859985a2fovl: fix warning in ovl_create_real()5fd7d62daafuse: annotate lock in fuse_reverse_inval_entry()b99bdf127amedia: mxl111sf: change mutex_init() location0413f7a1a5xsk: Do not sleep in poll() when need_wakeup set6b8d8ecdd9ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name8affa1b68dInput: touchscreen - avoid bitwise vs logical OR warningaec5897b27drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTOREc1d519263dlibata: if T_LENGTH is zero, dma direction should be DMA_NONEa9f2c6af5atimekeeping: Really make sure wall_to_monotonic isn't positive6471ebcd6fserial: 8250_fintek: Fix garbled text for consolea7c8067453iocost: Fix divide-by-zero on donation from low hweight cgroupbcebb8eb19zonefs: add MODULE_ALIAS_FS1c414ff63bbtrfs: fix double free of anon_dev after failure to create subvolume005d9292b5btrfs: fix memory leak in __add_inode_ref()cd98cb5216USB: serial: option: add Telit FN990 compositions5c93584d9aUSB: serial: cp210x: fix CP2105 GPIO registration8f207f1263usb: xhci: Extend support for runtime power management for AMD's Yellow carp.e5949933f3PCI/MSI: Mask MSI-X vectors only on successf8aa09186cPCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on errord17c5a3897usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe2b2edc8fc5USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)fd623e16b2tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous9439fabfc3KVM: x86: Drop guest CPUID check for host initiated writes to MSR_IA32_PERF_CAPABILITIES5fe305c6d4Revert "usb: early: convert to readl_poll_timeout_atomic()"2b54f485f2USB: gadget: bRequestType is a bitfield, not a enum151ffac3acpowerpc/85xx: Fix oops when CONFIG_FSL_PMC=nfcf9194d36bpf, selftests: Fix racing issue in btf_skc_cls_ingress test6f46c59e60sit: do not call ipip6_dev_free() from sit_init_net()6e1011cd18net: systemport: Add global locking for descriptor lifecycled1765f984cnet/smc: Prevent smc_release() from long blocking337bb7bf7cnet: Fix double 0x prefix print in SKB dump734a3f3106sfc_ef100: potential dereference of null pointer7da349f07enet/packet: rx_owner_map depends on pg_vec1a34fb9e2bnetdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_allocd3e1f54508ixgbe: set X550 MDIO speed before talking to PHY48e01e3881ixgbe: Document how to enable NBASE-T support776ed8b366igc: Fix typo in i225 LTR functions74a16e062bigbvf: fix double free in `igbvf_probe`ddac50d04figb: Fix removal of unicast MAC filters of VFs12c1938870soc/tegra: fuse: Fix bitwise vs. logical OR warning451f1eded7mptcp: clear 'kern' flag from fallback sockets222cebd995drm/amd/pm: fix a potential gpu_metrics_table memory leak74dc97dfb2rds: memory leak in __rds_conn_create()67f4362ae2flow_offload: return EOPNOTSUPP for the unsupported mpls action type03fd6ca056mac80211: fix lookup when adding AddBA extension elementbef59d6a83mac80211: agg-tx: don't schedule_and_wake_txq() under sta->lock96bc86cac0drm/ast: potential dereference of null pointercac0fd4b9bselftest/net/forwarding: declare NETIFS p9 p1081fbdd4565net/sched: sch_ets: don't remove idle classes from the round-robin listbe32c8a788dmaengine: st_fdma: fix MODULE_ALIASdfff1d5e85selftests: Fix IPv6 address bind tests08896ecfffselftests: Fix raw socket bind tests with VRF5ba4dfb8b8selftests: Add duplicate config only for MD5 VRF tests12512bc8f2net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg3a4f6dba1einet_diag: fix kernel-infoleak for UDP sockets20ad1ef02fsch_cake: do not call cake_destroy() from cake_init()1208b445a4s390/kexec_file: fix error handling when applying relocationsc058c544e7selftests: net: Correct ping6 expected rc from 2 to 19983425c20virtio/vsock: fix the transport to work with VMADDR_CID_ANY94a01e6fb2soc: imx: Register SoC device only on i.MX boardscc426a91d3clk: Don't parent clks until the parent is fully registered429bb01e4dARM: socfpga: dts: fix qspi node compatible7b4cc168d9ceph: initialize pathlen variable in reconnect_caps_cbe0f06c32afceph: fix duplicate increment of opened_inodes metric640e28d618tee: amdtee: fix an IS_ERR() vs NULL bugeed897a222mac80211: track only QoS data frames for admission control24983f7508arm64: dts: rockchip: fix audio-supply for Rock Pi 449bd597719arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply9fcdbbf396arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supplyba866840b2arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge3516bc1492arm64: dts: imx8mp-evk: Improve the Ethernet PHY description06294e7e34arm64: dts: imx8m: correct assigned clocks for FEC4cc6badff9audit: improve robustness of the audit queue handling0e21e6cd5edm btree remove: fix use after free in rebalance_children()f5187a9d52recordmcount.pl: look for jgnop instruction as well as bcrl on s39051f6302f81vdpa: check that offsets are within boundse3a1ab5aeavirtio_ring: Fix querying of maximum DMA mapping size for virtio device0612679e48bpf, selftests: Add test case trying to taint map value pointer279e0bf80dbpf: Make 32->64 bounds propagation slightly more robuste2aad0b5f2bpf: Fix signed bounds propagation after mov32f0f484714ffirmware: arm_scpi: Fix string overflow in SCPI genpd driver7fd214fc7fmac80211: validate extended element ID is present0bb50470f1mac80211: send ADDBA requests using the tid/queue of the aggregation session29bb131dbbmac80211: mark TX-during-stop for TX in in_reconfig15640e40e3mac80211: fix regression in SSN handling of addba tx49b7e49692KVM: downgrade two BUG_ONs to WARN_ON_ONCE8d0f56c2edKVM: selftests: Make sure kvm_create_max_vcpus test won't hit RLIMIT_NOFILEc4d08791d9Merge 5.10.87 into android12-5.10-lts272aedd4a3Linux 5.10.878dd559d53barm: ioremap: don't abuse pfn_valid() to check if pfn is in RAM65c578935barm: extend pfn_valid to take into account freed memory map alignment6e634c0e71memblock: ensure there is no overflow in memblock_overlaps_region()74551f13c6memblock: align freed memory map on pageblock boundaries with SPARSEMEMb4b54c7ba1memblock: free_unused_memmap: use pageblock units instead of MAX_ORDERb6a1cbd187perf intel-pt: Fix error timestamp setting on the decoder error path0612aa02c2perf intel-pt: Fix missing 'instruction' events with 'q' option71c795028bperf intel-pt: Fix next 'err' value, walking trace02681dd178perf intel-pt: Fix state setting when receiving overflow (OVF) packetcbed09b44cperf intel-pt: Fix intel_pt_fup_event() assumptions about setting state type3bb7fd4be8perf intel-pt: Fix sync state when a PSB (synchronization) packet is found731ff78841perf intel-pt: Fix some PGE (packet generation enable/control flow packets) usageb23f9252a4perf inject: Fix itrace space allowed for new attributes7c26da3be1ethtool: do not perform operations on net devices being unregistered6992d8c215hwmon: (dell-smm) Fix warning on /proc/i8k creation errorc31470a30cfuse: make sure reclaim doesn't write the inode613725436ebpf: Fix integer overflow in argument calculation for bpf_map_area_alloc9099f35126staging: most: dim2: use device release methodac76adc87aKVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req6f0d9d3e74tracing: Fix a kmemleak false positive in tracing_mapf35f7f04aadrm/amd/display: add connector type check for CRC source setdd3cea3425drm/amd/display: Fix for the no Audio bug with Tiled Displaysdadce61247net: netlink: af_netlink: Prevent empty skb by adding a check on len.bca6af4325i2c: rk3x: Handle a spurious start completion interrupt flagd6edec8a7bparisc/agp: Annotate parisc agp init functions with __initcf520ccffdALSA: hda/hdmi: fix HDA codec entry table order for ADL-P701a07fd02ALSA: hda: Add Intel DG2 PCI ID and HDMI codec vid6d22a96d12net/mlx4_en: Update reported link modes for 1/10G999069d8b0Revert "tty: serial: fsl_lpuart: drop earlycon entry for i.MX8QXP"27f4ce02b3s390/test_unwind: use raw opcode instead of invalid instruction9eab949e2bKVM: arm64: Save PSTATE early on exit990fd815ecdrm/msm/dsi: set default num_data_lanesc602863ad2nfc: fix segfault in nfc_genl_dump_devices_done4f0b8b90b8Merge 5.10.86 into android12-5.10-lts37050f17f2Linux 5.10.863241449183netfilter: selftest: conntrack_vrf.sh: fix file permissionafc997898eMerge 5.10.85 into android12-5.10-ltse4f2aee661Linux 5.10.8547301c06f6Documentation/Kbuild: Remove references to gcc-plugin.shaf5ba49cf7MAINTAINERS: adjust GCC PLUGINS after gcc-plugin.sh removalad13421fd2doc: gcc-plugins: update gcc-plugins.rst9fc17c3af5kbuild: simplify GCC_PLUGINS enablement in dummy-tools/gccd428e54774bpf: Add selftests to cover packet access corner cases0ec0eda3f3misc: fastrpc: fix improper packet size calculation261d45a4c2irqchip: nvic: Fix offset for Interrupt Priority Offsetscd946f0ebeirqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALLe1c6611f82irqchip/armada-370-xp: Fix support for Multi-MSI interrupts8f3ed9deaairqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()d530e9943dirqchip/aspeed-scu: Replace update_bits with write_bits.014c2fa5dccsky: fix typo of fpu config macroee86d0bad8iio: accel: kxcjk-1013: Fix possible memory leak in probe and removec10c53419diio: ad7768-1: Call iio_trigger_notify_done() on error0f86c9e818iio: adc: axp20x_adc: fix charging current reporting on AXP22xaf7fbb8c0biio: adc: stm32: fix a current leak by resetting pcsel before disabling vddafff92f3712iio: at91-sama5d2: Fix incorrect sign extensiona2545b147diio: dln2: Check return value of devm_iio_trigger_register()69ae78c1abiio: dln2-adc: Fix lockdep complaint416383999ciio: itg3200: Call iio_trigger_notify_done() on errorbc4d8367ediio: kxsd9: Don't return error code in trigger handler28ea539a31iio: ltr501: Don't return error code in trigger handlerdb12d95085iio: mma8452: Fix trigger reference couting4e78529110iio: stk3310: Don't return error code in interrupt handler5c4a0f307fiio: trigger: stm32-timer: fix MODULE_ALIAS5de9c5b130iio: trigger: Fix reference countingcbc04c0c9aiio: gyro: adxrs290: fix data signednessfee8be5bdexhci: avoid race between disable slot command and host runtime suspend1b43c9b65fusb: core: config: using bit mask instead of individual bits74b6a6a239xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspendingef284f086dusb: core: config: fix validation of wMaxPacketValue entriese4de8ca013USB: gadget: zero allocate endpoint 0 buffers7193ad3e50USB: gadget: detect too-big endpoint 0 requests63fc70bffaselftests/fib_tests: Rework fib_rp_filter_test()126d1897cbnet/qla3xxx: fix an error code in ql_adapter_up()5e663bcd9anet, neigh: clear whole pneigh_entry at alloc timeae67383208net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()83b16b9c44net: altera: set a couple error code in probe()385ffd31ebnet: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero47322fddb4tools build: Remove needless libpython-version feature check that breaks test-all fast path42bea3a1b7dt-bindings: net: Reintroduce PHY no lane swap binding3f57215f74Documentation/locking/locktypes: Update migrate_disable() bits.77d255d28bperf tools: Fix SMT detection fast read path391ca20ea1Revert "PCI: aardvark: Fix support for PCI_ROM_ADDRESS1 on emulated bridge"e5b7fb2198i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc347cc9b4d9mtd: rawnand: fsmc: Fix timing computation0b2e1fccdfmtd: rawnand: fsmc: Take instruction delay into account57f290572fi40e: Fix pre-set max number of queues for VFeb87117c27i40e: Fix failed opcode appearing if handling messages from VF82ed3829c9clk: imx: use module_platform_driver4d12546cf9RDMA/hns: Do not destroy QP resources in the hw resetting phase33f320c35dRDMA/hns: Do not halt commands during reset until later4458938b29ASoC: codecs: wcd934x: return correct value from mixer put1089dac26cASoC: codecs: wcd934x: handle channel mappping list correctly83dae68fc0ASoC: codecs: wsa881x: fix return values from kcontrol put62e4dc5e13ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer2f4764fe36ASoC: rt5682: Fix crash due to out of scope stack varsbdd8129c66PM: runtime: Fix pm_runtime_active() kerneldoc comment661c4412c5qede: validate non LSO skb lengthc4d2d7c935scsi: scsi_debug: Fix buffer size of REPORT ZONES command1e434d2687scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()5dfe611474block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)5f1f94c26btracefs: Set all files to the same group ownership as the mount option2ba0738f71net: mvpp2: fix XDP rx queues registering47ffefd88aaio: fix use-after-free due to missing POLLFREE handlinge4d19740bcaio: keep poll requests on waitqueue until completedfc2f636ffcsignalfd: use wake_up_pollfree()9f3acee7eabinder: use wake_up_pollfree()8e04c8397bwait: add wake_up_pollfree()2f8eb4c4c8libata: add horkage for ASMedia 1092f76580d82ccan: m_can: Disable and ignore ELO interrupt703dde1120can: pch_can: pch_can_rx_normal: fix use after free2737d0bc21drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.17edb38e76clk: qcom: regmap-mux: fix parent clock lookup172a982244mmc: renesas_sdhi: initialize variable properly when tuning33204825cctracefs: Have new files inherit the ownership of their parentc520943a00nfsd: Fix nsfd startup race (again)eeb0711801nfsd: fix use-after-free due to delegation race8b4264c27bmd: fix update super 1.0 on rdev size changecaf9b352dcbtrfs: replace the BUG_ON in btrfs_del_root_ref with proper error handling41b3cc57d6btrfs: clear extent buffer uptodate when we fail to write it75490bcbd0scsi: qla2xxx: Format log strings only if needed07977a3f3dALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()ad45babf78ALSA: pcm: oss: Limit the period size to 16MB02b2b691b7ALSA: pcm: oss: Fix negative period/buffer sizes6760e6ddebALSA: hda/realtek: Fix quirk for TongFang PHxTxX17fe903d354ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform3063ee5164ALSA: ctl: Fix copy of updated id with element read/writec581090228mm: bdi: initialize bdi_min_ratio when bdi is unregistered06368922f3KVM: x86: Wait for IPIs to be delivered when handling Hyper-V TLB flush hypercall2a51edaf5cnet/sched: fq_pie: prevent dismantle issue4b7e90672adevlink: fix netns refcount leak in devlink_nl_cmd_reload()9d683d14f6IB/hfi1: Correct guard on eager buffer deallocation2e2edebb5diavf: Fix reporting when setting descriptor countaada0b3f33iavf: restore MSI state on reset32a329b731netfilter: conntrack: annotate data-races around ct->timeout5e39de85b7udp: using datalen to cap max gso segments666521b385seg6: fix the iif in the IPv6 socket control block484069b5denfp: Fix memory leak in nfp_cpp_area_cache_add()b1830ede16bonding: make tx_rebalance_counter an atomica59df4ea71ice: ignore dropped packets during init349e83c0cfbpf: Fix the off-by-two error in range markingsf26951db84bpf, x86: Fix "no previous prototype" warning74685aaecevrf: don't run conntrack on vrf with !dflt qdiscd5cf399a6dselftests: netfilter: add a vrf+conntrack testcase83ea620a1bnfc: fix potential NULL pointer deref in nfc_genl_dump_ses_donef3d9114ac9drm/amdkfd: fix boot failure when iommu is disabled in Picasso.7508a9aa65drm/amdgpu: init iommu after amdkfd device initac9db04ee3drm/amdgpu: move iommu_resume before ip init/resumefe9dca7ddadrm/amdgpu: add amdgpu_amdkfd_resume_iommu5d191b0976drm/amdkfd: separate kfd_iommu_resume from kfd_resume46dcf66d6edrm/amd/amdkfd: adjust dummy functions' placementdded8d76a7x86/sme: Explicitly map new EFI memmap table as encrypted923f4dc5dfcan: sja1000: fix use after free in ems_pcmcia_add_card()819251da71can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter854a2bede1can: kvaser_usb: get CAN clock frequency from device2c08271f4eIB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddrd87c10607bIB/hfi1: Fix early init panicd60dd3685dIB/hfi1: Insure use of smp_processor_id() is preempt disabled05eb0e4a12nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit groups89f3edc98fHID: check for valid USB device for many HID drivers889c39113fHID: wacom: fix problems when device is not a valid USB device6272b17001HID: bigbenff: prevent null pointer dereferenced877651afdHID: add USB_HID dependancy on some USB HID driversa7e9c5ddf5HID: add USB_HID dependancy to hid-chicony28989ed4d7HID: add USB_HID dependancy to hid-prodikeys6114432960HID: add hid_is_usb() function to make it simpler for USB detection2298d5edd8HID: google: add eel USB id12362cd3a4HID: quirks: Add quirk for the Microsoft Surface 3 type-covercc97d73215gcc-plugins: fix gcc 11 indigestion with plugins...1eee36a552gcc-plugins: simplify GCC plugin-dev capability test518c3f98e5usb: gadget: uvc: fix multiple opense2aed161fcANDROID: GKI: fix up abi breakage in fib_rules.h1b71a028a2Merge 5.10.84 into android12-5.10-ltsa0582e24d3Linux 5.10.84e6edaf2677ipmi: msghandler: Make symbol 'remove_work_wq' statica8d18fb4d1net/tls: Fix authentication failure in CCM modedbe73dace9parisc: Mark cr16 CPU clocksource unstable on all SMP machines01300d2150iwlwifi: mvm: retry init flow if faileda5d0a72b80serial: 8250: Fix RTS modem control while in rs485 modef9802d7049serial: 8250_pci: rewrite pericom_do_set_divisor()50b06889c8serial: 8250_pci: Fix ACCES entries in pci_serial_quirks arraye1722acf4fserial: core: fix transmit-buffer reset and memleakbda142bbebserial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30901f7e0aa4serial: pl011: Add ACPI SBSA UART match id946ded2287tty: serial: msm_serial: Deactivate RX DMA for polling support67d08450a0x86/64/mm: Map all kernel memory into trampoline_pgdb3a519b5a5x86/tsc: Disable clocksource watchdog for TSC on qualified platorms1ed4a8fd36x86/tsc: Add a timer to make sure TSC_adjust is always checkeda92f044a9fusb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect6d8c191bf4USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub90c915051cxhci: Fix commad ring abort, write all 64 bits to CRCR register.1235485c63vgacon: Propagate console boot parameters before calling `vc_resize'92b9113c6dparisc: Fix "make install" on newer debian releasesc27a548d3fparisc: Fix KBUILD_IMAGE for self-extracting kernel92f309c838x86/entry: Add a fence for kernel entry SWAPGS in paranoid_entry()4bbbc9c4f3x86/pv: Switch SWAPGS to ALTERNATIVE4d42b7bcf0sched/uclamp: Fix rq->uclamp_max not set on first enqueue2015ffa3a4x86/xen: Add xenpv_restore_regs_and_return_to_usermode()8b9279cad2x86/entry: Use the correct fence macro after swapgs in kernel CR3c8e3411918x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword64ca109bf8KVM: VMX: Set failure code in prepare_vmcs02()60ce9a7540KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln registercfebd5a277atlantic: Remove warn trace message.95f6fae9a0atlantic: Fix statistics logic for production hardware695d9c6bc6Remove Half duplex mode speed capabilities.0c67e7b98fatlantic: Add missing DIDs and fix 115c.ca350298bcatlantic: Fix to display FW bundle version instead of FW mac version.93a4f3f4fdatlatnic: enable Nbase-t speeds with base-t44812111a3atlantic: Increase delay for fw transactions13f290d5aadrm/msm: Do hw_init() before capturing GPU stated646856a60drm/msm/a6xx: Allocate enough space for GMU registersa792b3d564net/smc: Keep smc_close_final rc during active closee226180accnet/rds: correct socket tunable error in rds_tcp_tune()77731fede2net/smc: fix wrong list_del in smc_lgr_cleanup_early9a40a1e0ebipv4: convert fib_num_tclassid_users to atomic_tfa973bf5fdnet: annotate data-races on txq->xmit_lock_ownere26dab79e1dpaa2-eth: destroy workqueue at the end of remove functiondde240695dnet: marvell: mvpp2: Fix the computation of shared CPUs3260b8d120net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is availableacef1c2b15ALSA: intel-dsp-config: add quirk for CML devices based on ES8336 codec60f0b9c42crxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()35b40f724crxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle()4afb32090aASoC: tegra: Fix kcontrol put callback in AHUBfe4eb5297aASoC: tegra: Fix kcontrol put callback in DSPK256aa15aacASoC: tegra: Fix kcontrol put callback in DMIC1cf1f9a1f3ASoC: tegra: Fix kcontrol put callback in I2S0ee53a1d88ASoC: tegra: Fix kcontrol put callback in ADMAIFe6fb4c3fd3ASoC: tegra: Fix wrong value type in DSPK0265ef0dffASoC: tegra: Fix wrong value type in DMICe66e75fb22ASoC: tegra: Fix wrong value type in I2S6b54c0d845ASoC: tegra: Fix wrong value type in ADMAIF932b338f4emt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_modea0335cda6dselftests: net: Correct case namef1d43efa59net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()59d2dc7710arm64: ftrace: add missing BTIsef55f0f8afsiphash: use _unaligned version by defaultfd52e1f8c0net: mpls: Fix notifications when deleting a device15fa12c119net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()c6f340a331tcp: fix page frag corruption on page faultaa6c393a3cnatsemi: xtensa: fix section mismatch warnings289ee320b5i2c: cbus-gpio: set atomic transfer callback58d5c53f25i2c: stm32f7: stop dma transfer in case of NACKc221244917i2c: stm32f7: recover the bus on access timeout8de6ea757ci2c: stm32f7: flush TX FIFO upon transfer errors1c75779dd9wireguard: ratelimiter: use kvcalloc() instead of kvzalloc()cb2d7c1992wireguard: receive: drop handshakes if queue lock is contended8a29a50dbdwireguard: receive: use ring buffer for incoming handshakese3be118327wireguard: device: reset peer src endpoint when netns exitsf7b6672fabwireguard: selftests: rename DEBUG_PI_LIST to DEBUG_PLIST0584bf51c3wireguard: selftests: actually test for routing loops3d1dc3c677wireguard: allowedips: add missing __rcu annotation to satisfy sparse4caf965f6cwireguard: selftests: increase default dmesg log size3d73021f8dtracing/histograms: String compares should not care about signed valuesd4af6d9749KVM: X86: Use vcpu->arch.walk_mmu for kvm_mmu_invlpg()c71b5f37b5KVM: arm64: Avoid setting the upper 32 bits of TCR_EL2 and CPTR_EL2 to 15f33887a36KVM: x86: Use a stable condition around all VT-d PI paths7722e88505KVM: nVMX: Flush current VPID (L1 vs. L2) for KVM_REQ_TLB_FLUSH_GUEST6a44f200f1KVM: Disallow user memslot with size that exceeds "unsigned long"775191dd4cdrm/amd/display: Allow DSC on supported MST branch devices209d35ee34ipv6: fix memory leak in fib6_rule_suppress16c242b091sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl4a46b2f5dcsata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl4baba6ba56fget: check that the fd still exists after getting a ref to it80bfed369bs390/pci: move pseudo-MMIO to prevent MIO overlap92283c2728cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()f717f29e84ipmi: Move remove_work to dedicated workqueuede4f5eb02crt2x00: do not mark device gone on EPROTO errors during startc200721f8ekprobes: Limit max data_size of the kretprobe instances2a74c13dfevrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit136cabf157ACPI: Add stubs for wakeup handler functionscc443ac5bbnet/smc: Avoid warning of possible recursive lockingff061b5bdaperf report: Fix memory leaks around perf_tip()a4c17ebdd6perf hist: Fix memory leak of a perf_hpp_fmtd9b72274f3perf inject: Fix ARM SPE handling2c15d2a6banet: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()f059fa40f0net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound4d5968ea06ipv6: check return value of ipv6_skip_exthdr22519eff7dethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()9a32d3c08data: ahci: Add Green Sardine vendor ID as board_ahci_mobilec746945fb6drm/amd/amdgpu: fix potential memleak74aafe99efdrm/amd/amdkfd: Fix kernel panic when reset failed and been triggered againf0c9f49b0cscsi: iscsi: Unblock session then wake up error handlerbc8c423a28thermal: core: Reset previous low and high trip during thermal zone init8e4d2ac434btrfs: check-integrity: fix a warning on write caching disabled disk0395722905s390/setup: avoid using memblock_enforce_memory_limitfd1e70ef65platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep226b21ad01platform/x86: thinkpad_acpi: Add support for dual fan control3fc88660ednet: return correct error code2c514d2500atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_waitff6eeb6278net/smc: Transfer remaining wait queue entries during fallbacke1a165599amac80211: do not access the IV when it was strippedc386d7aa59drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY57e36973fapowerpc/pseries/ddw: Revert "Extend upper limit for huge DMA window for persistent memory"7b2b7e03e8gfs2: Fix length of holes reported at end-of-file664cceab6fgfs2: release iopen glock early in evictbcce010f92ovl: fix deadlock in splice writedca4f9a581ovl: simplify file splice7774dd934acan: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM60ae63ef19NFSv42: Fix pagecache invalidation after COPY/CLONE6e6898e23cANDROID: GKI: update abi_gki_aarch64.xml due to bpf changes in 5.10.83cd1062d64eRevert "net: ipv6: add fib6_nh_release_dsts stub"0bf59ac0b2Revert "net: nexthop: release IPv6 per-cpu dsts when replacing a nexthop group"65836a68d9Revert "mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB"249dae115aMerge 5.10.83 into android-5.10bc8ae0e2afMerge branch 'android12-5.10' into `android12-5.10-lts`a324ad7945Linux 5.10.8345b42cd053drm/amdgpu/gfx9: switch to golden tsc registers for renoir+98b02755d5net: stmmac: platform: fix build warning when with !CONFIG_PM_SLEEPa15261d2a1shm: extend forced shm destroy to support objects from several IPC nsesaa20e966d8s390/mm: validate VMA in PGSTE manipulation functionsa94e4a7b77tty: hvc: replace BUG_ON() with negative return value1c5f722a8fxen/netfront: don't trust the backend response data blindly334b0f2787xen/netfront: disentangle tx_skb_freeliste17ee047eexen/netfront: don't read data from request on the ring pagef5e4937098xen/netfront: read response from backend only once1ffb20f052xen/blkfront: don't trust the backend response data blindly8e147855fcxen/blkfront: don't take local copy of a request from the ring page273f04d5d1xen/blkfront: read response from backend only onceb98284aa3fxen: sync include/xen/interface/io/ring.h with Xen's newest version406f2d5fe3tracing: Check pid filtering when creating events4fd0ad08eevhost/vsock: fix incorrect used length reported to the guestfbc0514e1aiommu/amd: Clarify AMD IOMMUv2 initialization messages5655b8bccbsmb3: do not error on fsync when readonlyc380062d08ceph: properly handle statfs on multifs setups22423c966ef2fs: set SBI_NEED_FSCK flag when inconsistent node block founde6ee7abd6bsched/scs: Reset task stack state in bringup_cpu()71e38a0c7ctcp: correctly handle increased zerocopy args struct size72f2117e45net: mscc: ocelot: correctly report the timestamping RX filters in ethtool73115a2b38net: mscc: ocelot: don't downgrade timestamping RX filters in SIOCSHWTSTAMP62343dadbbnet: hns3: fix VF RSS failed problem after PF enable multi-TCs215167df45net/smc: Don't call clcsock shutdown twice when smc shutdown6e800ee432net: vlan: fix underflow for the real_dev refcntae2659d2c6net/sched: sch_ets: don't peek at classes beyond 'nbands'e3509feb46tls: fix replacing proto_ops22156242b1tls: splice_read: fix record type check3b6c71c097MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48a6a5d853f1MIPS: loongson64: fix FTLB configuration5e823dbee2igb: fix netpoll exit with trafficf2a58ff3e3nvmet: use IOCB_NOWAIT only if the filesystem supports it12ceb52f2cnet/smc: Fix loop in smc_listenc94cbd262bnet/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk()3d4937c6a3net: phylink: Force retrigger in case of latched link-fail indicator50162ff3c8net: phylink: Force link down and retrigger resolve on interface change95ba8f0d57lan743x: fix deadlock in lan743x_phy_link_status_change()c5e4316d9ctcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows3187623096drm/amd/display: Set plane update flags for all planes in resetf634c755a0PM: hibernate: use correct mode for swsusp_close()440bd9faadnet/ncsi : Add payload to be 32-bit aligned to fix dropped packetsac88cb3c44nvmet-tcp: fix incomplete data digest send8889ff80fdnet: marvell: mvpp2: increase MTU limit when XDP enabled90d0736876mlxsw: spectrum: Protect driver from buggy firmware33d89128a9mlxsw: Verify the accessed index doesn't exceed the array length29e1b57347net/smc: Ensure the active closing peer first closes clcsock77d9c2efa8erofs: fix deadlock when shrink erofs slab9f540c7ffbscsi: scsi_debug: Zero clear zones at reset write pointer725ba12895scsi: core: sysfs: Fix setting device state to SDEV_RUNNINGe65a8707b4ice: avoid bpf_prog refcount underflow1eb5395addice: fix vsi->txq_map sizing26ed13d064net: nexthop: release IPv6 per-cpu dsts when replacing a nexthop group3c40584595net: ipv6: add fib6_nh_release_dsts stubdc2f7e9d8dnet: stmmac: retain PTP clock time during SIOCSHWTSTAMP ioctls79068e6b1cnet: stmmac: fix system hang caused by eee_ctrl_timer during suspend/resumecc301ad312nfp: checking parameter process for rx-usecs/tx-usecs is invalid9b44cb67d3ipv6: fix typos in __ip6_finish_output()6d9e8dabd4firmware: smccc: Fix check for ARCH_SOC_ID not implementedbbd1683e79mptcp: fix delack timer061542815aALSA: intel-dsp-config: add quirk for JSL devices based on ES8336 codecf5af2def7eiavf: Prevent changing static ITR values if adaptive moderation is on5dca8eff46net: marvell: prestera: fix double free issue on err pathb33c5c8281drm/vc4: fix error code in vc4_create_object()2bf9c5a503scsi: mpt3sas: Fix kernel panic during drive powercycle test29ecb4c0f0drm/nouveau/acr: fix a couple NULL vs IS_ERR() checks0effb7f51bARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE86c5adc780NFSv42: Don't fail clone() unless the OP_CLONE operation failedc9ba7864d3firmware: arm_scmi: pm: Propagate return value to caller8730a679c3net: ieee802154: handle iftypes as u322925aadd1fASoC: codecs: wcd934x: return error code correctly from hw_params3a25def06dASoC: topology: Add missing rwsem around snd_ctl_remove() calls4a4f900e04ASoC: qdsp6: q6asm: fix q6asm_dai_prepare error handling9196a68581ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer2be17eca48ARM: dts: bcm2711: Fix PCIe interrupts9db1d4a3c2ARM: dts: BCM5301X: Add interrupt properties to GPIO nodeb2cd6fdcbeARM: dts: BCM5301X: Fix I2C controller interruptb7ef25e8c2netfilter: flowtable: fix IPv6 tunnel addr matchd689176e0enetfilter: ipvs: Fix reuse connection if RS weight is 0994065f6efnetfilter: ctnetlink: do not erase error code with EINVALa3d829e5f3netfilter: ctnetlink: fix filtering with CTA_TUPLE_REPLYa8a917058fproc/vmcore: fix clearing user buffer by properly using clear_user()1f520a0d78PCI: aardvark: Fix link trainingaec0751f61PCI: aardvark: Simplify initialization of rootcap on virtual bridgedf57480988PCI: aardvark: Implement re-issuing config requests on CRS responsee7f2e2c758PCI: aardvark: Update comment about disabling link training2b7bc1c4b2PCI: aardvark: Deduplicate code in advk_pcie_rd_conf()dfe906da9apowerpc/32: Fix hardlockup on vmap stack overflowbf00edd9e6mdio: aspeed: Fix "Link is Down" issue14c3ce30ddmmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB63195705b3mmc: sdhci-esdhc-imx: disable CMDQ support092a58f0d9tracing: Fix pid filtering when triggers are attached68fa6bf7f1tracing/uprobe: Fix uprobe_perf_open probes iterationb777c866aaKVM: PPC: Book3S HV: Prevent POWER7/8 TLB flush flushing SLBbfed9c2f2fxen: detect uninitialized xenbus in xenbus_inite1d492c275xen: don't continue xenstore initialization in case of errors8f4d0719f3fuse: release pipe buf after last use8d0163cec7staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()0bfed81b2cstaging: greybus: Add missing rwsem around snd_ctl_remove() calls146283f16bstaging/fbtft: Fix backlight8fc5e3c7caHID: wacom: Use "Confidence" flag to prevent reporting invalid contacts6ca32e2e77Revert "parisc: Fix backtrace to always include init funtion names"3a4aeb37a7media: cec: copy sequence field for the reply3798218a1aALSA: hda/realtek: Fix LED on HP ProBook 435 G760274e248eALSA: hda/realtek: Add quirk for ASRock NUC Box 1100172167bc8dALSA: ctxfi: Fix out-of-range access4402cf0402binder: fix test regression due to sender_euid changeaea184ae64usb: hub: Fix locking issues with address0_mutex5bf3a0c778usb: hub: Fix usb enumeration issue due to address0 race00f1038c72usb: typec: fusb302: Fix masking of comparator and bc_lvl interrupts56fbab4937usb: chipidea: ci_hdrc_imx: fix potential error pointer dereference in probeb70ff391denet: nexthop: fix null pointer dereference when IPv6 is not enabled0755f3f322usb: dwc3: gadget: Fix null pointer exception140e2df472usb: dwc3: gadget: Check for L1/L2/U3 for Start Transfer3abf746e80usb: dwc3: gadget: Ignore NoStream after End Transfer2b7ab82f51usb: dwc2: hcd_queue: Fix use of floating point literal4b18ccad96usb: dwc2: gadget: Fix ISOC flow for elapsed frames16f1cac8f7USB: serial: option: add Fibocom FM101-GL variantsff72128636USB: serial: option: add Telit LE910S1 0x9200 composition854c14b2a1ACPI: Get acpi_device's parent from the parent field33fe044f6abpf: Fix toctou on read-only map's constant scalar tracking8d21bcc704Merge 5.10.82 into android12-5.10-ltsd5259a9ba6Linux 5.10.82d35250ec5aRevert "perf: Rework perf_event_exit_event()"6718f79c40ALSA: hda: hdac_stream: fix potential locking issue in snd_hdac_stream_assign()f751fb54f2ALSA: hda: hdac_ext_stream: fix potential locking issuesb3ef5051a7x86/Kconfig: Fix an unused variable error in dell-smm-hwmon2ec78af152btrfs: update device path inode time instead of bd_inode9febc9d8d2fs: export an inode_update_time helpercade5d7a28ice: Delete always true check of PF pointerfe65cecd27usb: max-3421: Use driver data instead of maintaining a list of bound devices6186c7b9bdASoC: DAPM: Cover regression by kctl change notification fixb17dd53cacselinux: fix NULL-pointer dereference when hashtab allocation fails1ae0d59c4fRDMA/netlink: Add __maybe_unused to static inline in C file40bc831ab5hugetlbfs: flush TLBs correctly after huge_pmd_unshare86ab0f8ff0scsi: ufs: core: Fix task management completion timeout raceddd4e46cffscsi: ufs: core: Fix task management completion04c586a601drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors47901b77bfdrm/i915/dp: Ensure sink rate values are always valid82de15ca6bdrm/nouveau: clean up all clients on device removalc81c90fbf5drm/nouveau: use drm_dev_unplug() during device removal9221aff33edrm/nouveau: Add a dedicated mutex for the clients list65517975cbdrm/udl: fix control-message timeout3d68d6ee83drm/amd/display: Update swizzle mode enums7b97b5776dcfg80211: call cfg80211_stop_ap when switch from P2P_GO type1ab297809dparisc/sticon: fix reverse colors6adbc07ebcbtrfs: fix memory ordering between normal and ordered work functions6289b494b3net: stmmac: socfpga: add runtime suspend/resume callback for stratix10 platform5875f87e2fudf: Fix crash after seekdir6b43cf113aKVM: nVMX: don't use vcpu->arch.efer when checking host state on nested state loadcc73242889block: Check ADMIN before NICE for IOPRIO_CLASS_RT63e2f34abcs390/kexec: fix memory leak of ipl report bufferb1cf0d2fc4scsi: qla2xxx: Fix mailbox direction flags in qla2xxx_get_adapter_id()08fd6df8eapowerpc/8xx: Fix pinned TLBs with CONFIG_STRICT_KERNEL_RWX9c177eee11x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup failsb2e2fb6407mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag99032adf7dipc: WARN if trying to remove ipc object which is absenta7d9162586tipc: check for null after calling kmemdupf5995fcb75hexagon: clean up timer-regs.h0854c9ff21hexagon: export raw I/O routines for modules528971af64tun: fix bonding active backup with arp monitoringaf1d3c437earm64: vdso32: suppress error message for 'make mrproper'97653ba562net: stmmac: dwmac-rk: Fix ethernet on rk3399 based devices4cebe23c03s390/kexec: fix return code handlingd4fb80ae98perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server175135a5eaperf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server84f64c7c52pinctrl: qcom: sdm845: Enable dual edge errataa8230fb74bKVM: PPC: Book3S HV: Use GLOBAL_TOC for kvmppc_h_set_dabr/xdabr()4e6cce20fbe100: fix device suspend/resume34e54703fbNFC: add NCI_UNREG flag to eliminate the raceb2a60b4a01net: nfc: nci: Change the NCI close sequence73a0d12114NFC: reorder the logic in nfc_{un,}register_devicecb14b196d9NFC: reorganize the functions in nci_request41dc8dcb49i40e: Fix display error code in dmesg028ea7b090i40e: Fix creation of first queue by omitting it if is not power of two69868d7a88i40e: Fix warning message and call stack during rmmod i40e driver20645482d1i40e: Fix ping is lost after configuring ADq on VF6d64743045i40e: Fix changing previously set num_queue_pairs for PFsf866513eadi40e: Fix NULL ptr dereference on VSI filter sync0719488565i40e: Fix correct max_pkt_size on VF RX queue8e6bae950dnet: virtio_net_hdr_to_skb: count transport header in UFO1c4099dc0dnet: dpaa2-eth: fix use-after-free in dpaa2_eth_remove381a30f7e3net: sched: act_mirred: drop dst for the direction from egress to ingressa792e0128dscsi: core: sysfs: Fix hang when device state is set via sysfs4b4302a02bnet/mlx5: E-Switch, return error if encap isn't supported68748ea4d1net/mlx5: E-Switch, Change mode lock from mutex to rw semaphore6190e1a2d4net/mlx5: Lag, update tracker when state change event received471c492890net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()d1f8f1e04aplatform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()'da16f907cbmips: lantiq: add support for clk_get_parent()17dfbe1b2fmips: bcm63xx: add support for clk_get_parent()34284b3a2fMIPS: generic/yamon-dt: fix uninitialized variable errora61f90b216iavf: Fix for setting queues to 0a8a1e601c2iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset77f5ae5441iavf: validate pointersddcc185baaiavf: prevent accidental free of filter structurea420b26128iavf: Fix failure to exit out from last all-multicast mode78638b4713iavf: free q_vectors before queues in iavf_disable_vf84a13bfe27iavf: check for null in iavf_fix_features1555d83ddbiavf: Fix return of set the new channel count09decd0a10net/smc: Make sure the link_id is unique437e21e2c9sock: fix /proc/net/sockstat underflow in sk_clone_lock()4da14ddad1net: reduce indentation level in sk_clone_lock()9c3c2ef6catipc: only accept encrypted MSG_CRYPTO msgs3d59416647bnxt_en: reject indirect blk offload when hw-tc-offload is off4fc060abaanet: bnx2x: fix variable dereferenced before check3ae75cc38anet: ipa: disable HOLB drop when updating timer3984876f91tracing: Add length protection to histogram string copies900ea2f628tcp: Fix uninitialized access in skb frags array for Rx 0cp.d1a6150ca6net-zerocopy: Refactor skb frag fast-forward op.5f7aadf03fnet-zerocopy: Copy straggler unaligned data for TCP Rx. zerocopy.8da80ec6d4drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrameaa31e3fda6perf tests: Remove bash construct from record+zstd_comp_decomp.sh2ada5c0877perf bench futex: Fix memory leak of perf_cpu_map__new()11589d3144perf bpf: Avoid memory leak from perf_env__insert_btf()5b2f2cbbc9tracing/histogram: Do not copy the fixed-size char array field over the field size1d61255327blkcg: Remove extra blkcg_bio_issue_initdadcc935f4perf/x86/vlbr: Add c->flags to vlbr event constraints68fcb52b61sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain()91191d47afmips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is setfbe27d0e1dclk: qcom: gcc-msm8996: Drop (again) gcc_aggre1_pnoc_ahb_clk9b3d3b72beclk/ast2600: Fix soc revision for AHB03bc8ea0aeclk: ingenic: Fix bugs with divided dividers7a5439474ef2fs: fix incorrect return value in f2fs_sanity_check_ckpt()0a17fff6f0f2fs: compress: disallow disabling compress on non-empty compressed file4ce685cc9ash: define __BIG_ENDIAN for math-emu73383f670dsh: math-emu: drop unused functionsf44defd569sh: fix kconfig unmet dependency warning for FRAME_POINTER3d7c5d08a4f2fs: fix to use WHINT_MODEe8bd5e3305f2fs: fix up f2fs_lookup tracepoints5d5bf899e5maple: fix wrong return value of maple_bus_init().8748f08a2fsh: check return code of request_irq29b742690apowerpc/8xx: Fix Oops with STRICT_KERNEL_RWX without DEBUG_RODATA_TESTbc4bc07fb4powerpc/dcr: Use cmplwi instead of 3-argument cmpli1ac6cd87d8ALSA: gus: fix null pointer dereference on pointer block850416beadARM: dts: qcom: fix memory and mdio nodes naming for RB30118c4d9764e7powerpc/5200: dts: fix memory node unit name833ad27927iio: imu: st_lsm6dsx: Avoid potential array overflow in st_lsm6dsx_set_odr()e0fef1c8cdscsi: target: Fix alua_tg_pt_gps_count tracking8176441373scsi: target: Fix ordered tag handling8440377e1ascsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()3e20cb0726scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()9635581aa9MIPS: sni: Fix the build77e9fed330tty: tty_buffer: Fix the softlockup issue in flush_to_ldiscda82a207c4ALSA: ISA: not for M68Kc788ac4750ARM: dts: ls1021a-tsn: use generic "jedec,spi-nor" compatible for flashcbba09f869ARM: dts: ls1021a: move thermal-zones node out of soc/2474eb7fc3usb: host: ohci-tmio: check return value after calling platform_get_resource()02d9ebe0ccARM: dts: omap: fix gpmc,mux-add-data typec6c9bbe7fafirmware_loader: fix pre-allocated buf built-in firmware use02a22911edALSA: intel-dsp-config: add quirk for APL/GLK/TGL devices based on ES8336 codec055eced3edscsi: advansys: Fix kernel pointer leak97f3cbb57bASoC: nau8824: Add DMI quirk mechanism for active-high jack-detectae2207a078clk: imx: imx6ul: Move csi_sel mux to correct base register0c6daf4799ASoC: SOF: Intel: hda-dai: fix potential locking issue19d193c576arm64: dts: freescale: fix arm,sp805 compatible string36446a094aarm64: dts: qcom: ipq6018: Fix qcom,controlled-remotely propertye52fecdd0carm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency568d94c5c9ARM: BCM53016: Specify switch ports for Meraki MR323a53d9ad9bstaging: rtl8723bs: remove possible deadlock when disconnect (v2)3544c33879ARM: dts: ux500: Skomer regulator fixeseff8b76284usb: typec: tipd: Remove WARN_ON in tps6598x_block_read679eee466dusb: musb: tusb6010: check return value after calling platform_get_resource()2492de6f5ebus: ti-sysc: Use context lost quirk for otg5eca1c8412bus: ti-sysc: Add quirk handling for reinit on context lostdcd6eefceeRDMA/bnxt_re: Check if the vlan is valid before reporting4e5bc9fb23arm64: dts: hisilicon: fix arm,sp805 compatible string109a63bb07arm64: dts: rockchip: Disable CDN DP on Pinebook Proc097bd5a59scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()db90c50783ARM: dts: NSP: Fix mpcore, mmc node names5010df76abstaging: wfx: ensure IRQ is ready before enabling it2651d06e46arm64: dts: allwinner: a100: Fix thermal zone node namefa98ac472earm64: dts: allwinner: h5: Fix GPU thermal zone node nameaed195558fARM: dts: sunxi: Fix OPPs node namee2e1056312arm64: zynqmp: Fix serial compatible string48f154e8b9arm64: zynqmp: Do not duplicate flash partition label property Some minor ABI signatures have changed due to internal structures changing. All of these have been pre-approved already: Leaf changes summary: 3 artifacts changed Changed leaf types summary: 3 leaf types changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 0 Added function Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable 'struct bpf_map at bpf.h:146:1' changed: type size hasn't changed there are data member changes: type 'typedef u64' of 'bpf_map::writecnt' changed: typedef name changed from u64 to atomic64_t at types.h:175:1 underlying type 'typedef __u64' at int-ll64.h:31:1 changed: entity changed from 'typedef __u64' to 'struct {s64 counter;}' at types.h:173:1 type size hasn't changed 4790 impacted interfaces 'struct bpf_offloaded_map at bpf.h:229:1' changed (indirectly): type size hasn't changed there are data member changes: type 'struct bpf_map' of 'bpf_offloaded_map::map' changed, as reported earlier 4790 impacted interfaces 'struct fib_rules_ops at fib_rules.h:60:1' changed: type size hasn't changed there are data member changes: type 'typedef bool (fib_rule*, fib_lookup_arg*)*' of 'fib_rules_ops::suppress' changed: pointer type changed from: 'typedef bool (fib_rule*, fib_lookup_arg*)*' to: 'typedef bool (fib_rule*, int, fib_lookup_arg*)*' 4790 impacted interfaces Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id7f25c9e0edb30698178b138cc1b15a82ca5ef48
6222 lines
175 KiB
C
6222 lines
175 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/* binder.c
|
|
*
|
|
* Android IPC Subsystem
|
|
*
|
|
* Copyright (C) 2007-2008 Google, Inc.
|
|
*/
|
|
|
|
/*
|
|
* Locking overview
|
|
*
|
|
* There are 3 main spinlocks which must be acquired in the
|
|
* order shown:
|
|
*
|
|
* 1) proc->outer_lock : protects binder_ref
|
|
* binder_proc_lock() and binder_proc_unlock() are
|
|
* used to acq/rel.
|
|
* 2) node->lock : protects most fields of binder_node.
|
|
* binder_node_lock() and binder_node_unlock() are
|
|
* used to acq/rel
|
|
* 3) proc->inner_lock : protects the thread and node lists
|
|
* (proc->threads, proc->waiting_threads, proc->nodes)
|
|
* and all todo lists associated with the binder_proc
|
|
* (proc->todo, thread->todo, proc->delivered_death and
|
|
* node->async_todo), as well as thread->transaction_stack
|
|
* binder_inner_proc_lock() and binder_inner_proc_unlock()
|
|
* are used to acq/rel
|
|
*
|
|
* Any lock under procA must never be nested under any lock at the same
|
|
* level or below on procB.
|
|
*
|
|
* Functions that require a lock held on entry indicate which lock
|
|
* in the suffix of the function name:
|
|
*
|
|
* foo_olocked() : requires node->outer_lock
|
|
* foo_nlocked() : requires node->lock
|
|
* foo_ilocked() : requires proc->inner_lock
|
|
* foo_oilocked(): requires proc->outer_lock and proc->inner_lock
|
|
* foo_nilocked(): requires node->lock and proc->inner_lock
|
|
* ...
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/fdtable.h>
|
|
#include <linux/file.h>
|
|
#include <linux/freezer.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/list.h>
|
|
#include <linux/miscdevice.h>
|
|
#include <linux/module.h>
|
|
#include <linux/mutex.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/poll.h>
|
|
#include <linux/debugfs.h>
|
|
#include <linux/rbtree.h>
|
|
#include <linux/sched/signal.h>
|
|
#include <linux/sched/mm.h>
|
|
#include <linux/seq_file.h>
|
|
#include <linux/string.h>
|
|
#include <linux/uaccess.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/security.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/ratelimit.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/task_work.h>
|
|
#include <linux/sizes.h>
|
|
#include <linux/android_vendor.h>
|
|
|
|
#include <uapi/linux/sched/types.h>
|
|
#include <uapi/linux/android/binder.h>
|
|
|
|
#include <asm/cacheflush.h>
|
|
|
|
#include "binder_internal.h"
|
|
#include "binder_trace.h"
|
|
#include <trace/hooks/binder.h>
|
|
|
|
static HLIST_HEAD(binder_deferred_list);
|
|
static DEFINE_MUTEX(binder_deferred_lock);
|
|
|
|
static HLIST_HEAD(binder_devices);
|
|
static HLIST_HEAD(binder_procs);
|
|
static DEFINE_MUTEX(binder_procs_lock);
|
|
|
|
static HLIST_HEAD(binder_dead_nodes);
|
|
static DEFINE_SPINLOCK(binder_dead_nodes_lock);
|
|
|
|
static struct dentry *binder_debugfs_dir_entry_root;
|
|
static struct dentry *binder_debugfs_dir_entry_proc;
|
|
static atomic_t binder_last_id;
|
|
|
|
static int proc_show(struct seq_file *m, void *unused);
|
|
DEFINE_SHOW_ATTRIBUTE(proc);
|
|
|
|
#define FORBIDDEN_MMAP_FLAGS (VM_WRITE)
|
|
|
|
enum {
|
|
BINDER_DEBUG_USER_ERROR = 1U << 0,
|
|
BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1,
|
|
BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2,
|
|
BINDER_DEBUG_OPEN_CLOSE = 1U << 3,
|
|
BINDER_DEBUG_DEAD_BINDER = 1U << 4,
|
|
BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5,
|
|
BINDER_DEBUG_READ_WRITE = 1U << 6,
|
|
BINDER_DEBUG_USER_REFS = 1U << 7,
|
|
BINDER_DEBUG_THREADS = 1U << 8,
|
|
BINDER_DEBUG_TRANSACTION = 1U << 9,
|
|
BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10,
|
|
BINDER_DEBUG_FREE_BUFFER = 1U << 11,
|
|
BINDER_DEBUG_INTERNAL_REFS = 1U << 12,
|
|
BINDER_DEBUG_PRIORITY_CAP = 1U << 13,
|
|
BINDER_DEBUG_SPINLOCKS = 1U << 14,
|
|
};
|
|
static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR |
|
|
BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION;
|
|
module_param_named(debug_mask, binder_debug_mask, uint, 0644);
|
|
|
|
char *binder_devices_param = CONFIG_ANDROID_BINDER_DEVICES;
|
|
module_param_named(devices, binder_devices_param, charp, 0444);
|
|
|
|
static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait);
|
|
static int binder_stop_on_user_error;
|
|
|
|
static int binder_set_stop_on_user_error(const char *val,
|
|
const struct kernel_param *kp)
|
|
{
|
|
int ret;
|
|
|
|
ret = param_set_int(val, kp);
|
|
if (binder_stop_on_user_error < 2)
|
|
wake_up(&binder_user_error_wait);
|
|
return ret;
|
|
}
|
|
module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
|
|
param_get_int, &binder_stop_on_user_error, 0644);
|
|
|
|
#define binder_debug(mask, x...) \
|
|
do { \
|
|
if (binder_debug_mask & mask) \
|
|
pr_info_ratelimited(x); \
|
|
} while (0)
|
|
|
|
#define binder_user_error(x...) \
|
|
do { \
|
|
if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \
|
|
pr_info_ratelimited(x); \
|
|
if (binder_stop_on_user_error) \
|
|
binder_stop_on_user_error = 2; \
|
|
} while (0)
|
|
|
|
#define to_flat_binder_object(hdr) \
|
|
container_of(hdr, struct flat_binder_object, hdr)
|
|
|
|
#define to_binder_fd_object(hdr) container_of(hdr, struct binder_fd_object, hdr)
|
|
|
|
#define to_binder_buffer_object(hdr) \
|
|
container_of(hdr, struct binder_buffer_object, hdr)
|
|
|
|
#define to_binder_fd_array_object(hdr) \
|
|
container_of(hdr, struct binder_fd_array_object, hdr)
|
|
|
|
static struct binder_stats binder_stats;
|
|
|
|
static inline void binder_stats_deleted(enum binder_stat_types type)
|
|
{
|
|
atomic_inc(&binder_stats.obj_deleted[type]);
|
|
}
|
|
|
|
static inline void binder_stats_created(enum binder_stat_types type)
|
|
{
|
|
atomic_inc(&binder_stats.obj_created[type]);
|
|
}
|
|
|
|
struct binder_transaction_log binder_transaction_log;
|
|
struct binder_transaction_log binder_transaction_log_failed;
|
|
|
|
static struct binder_transaction_log_entry *binder_transaction_log_add(
|
|
struct binder_transaction_log *log)
|
|
{
|
|
struct binder_transaction_log_entry *e;
|
|
unsigned int cur = atomic_inc_return(&log->cur);
|
|
|
|
if (cur >= ARRAY_SIZE(log->entry))
|
|
log->full = true;
|
|
e = &log->entry[cur % ARRAY_SIZE(log->entry)];
|
|
WRITE_ONCE(e->debug_id_done, 0);
|
|
/*
|
|
* write-barrier to synchronize access to e->debug_id_done.
|
|
* We make sure the initialized 0 value is seen before
|
|
* memset() other fields are zeroed by memset.
|
|
*/
|
|
smp_wmb();
|
|
memset(e, 0, sizeof(*e));
|
|
return e;
|
|
}
|
|
|
|
enum binder_deferred_state {
|
|
BINDER_DEFERRED_FLUSH = 0x01,
|
|
BINDER_DEFERRED_RELEASE = 0x02,
|
|
};
|
|
|
|
enum {
|
|
BINDER_LOOPER_STATE_REGISTERED = 0x01,
|
|
BINDER_LOOPER_STATE_ENTERED = 0x02,
|
|
BINDER_LOOPER_STATE_EXITED = 0x04,
|
|
BINDER_LOOPER_STATE_INVALID = 0x08,
|
|
BINDER_LOOPER_STATE_WAITING = 0x10,
|
|
BINDER_LOOPER_STATE_POLL = 0x20,
|
|
};
|
|
|
|
/**
|
|
* binder_proc_lock() - Acquire outer lock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Acquires proc->outer_lock. Used to protect binder_ref
|
|
* structures associated with the given proc.
|
|
*/
|
|
#define binder_proc_lock(proc) _binder_proc_lock(proc, __LINE__)
|
|
static void
|
|
_binder_proc_lock(struct binder_proc *proc, int line)
|
|
__acquires(&proc->outer_lock)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_lock(&proc->outer_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_proc_unlock() - Release spinlock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Release lock acquired via binder_proc_lock()
|
|
*/
|
|
#define binder_proc_unlock(_proc) _binder_proc_unlock(_proc, __LINE__)
|
|
static void
|
|
_binder_proc_unlock(struct binder_proc *proc, int line)
|
|
__releases(&proc->outer_lock)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_unlock(&proc->outer_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_inner_proc_lock() - Acquire inner lock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Acquires proc->inner_lock. Used to protect todo lists
|
|
*/
|
|
#define binder_inner_proc_lock(proc) _binder_inner_proc_lock(proc, __LINE__)
|
|
static void
|
|
_binder_inner_proc_lock(struct binder_proc *proc, int line)
|
|
__acquires(&proc->inner_lock)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_lock(&proc->inner_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_inner_proc_unlock() - Release inner lock for given binder_proc
|
|
* @proc: struct binder_proc to acquire
|
|
*
|
|
* Release lock acquired via binder_inner_proc_lock()
|
|
*/
|
|
#define binder_inner_proc_unlock(proc) _binder_inner_proc_unlock(proc, __LINE__)
|
|
static void
|
|
_binder_inner_proc_unlock(struct binder_proc *proc, int line)
|
|
__releases(&proc->inner_lock)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_unlock(&proc->inner_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_node_lock() - Acquire spinlock for given binder_node
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Acquires node->lock. Used to protect binder_node fields
|
|
*/
|
|
#define binder_node_lock(node) _binder_node_lock(node, __LINE__)
|
|
static void
|
|
_binder_node_lock(struct binder_node *node, int line)
|
|
__acquires(&node->lock)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_lock(&node->lock);
|
|
}
|
|
|
|
/**
|
|
* binder_node_unlock() - Release spinlock for given binder_proc
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Release lock acquired via binder_node_lock()
|
|
*/
|
|
#define binder_node_unlock(node) _binder_node_unlock(node, __LINE__)
|
|
static void
|
|
_binder_node_unlock(struct binder_node *node, int line)
|
|
__releases(&node->lock)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_unlock(&node->lock);
|
|
}
|
|
|
|
/**
|
|
* binder_node_inner_lock() - Acquire node and inner locks
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Acquires node->lock. If node->proc also acquires
|
|
* proc->inner_lock. Used to protect binder_node fields
|
|
*/
|
|
#define binder_node_inner_lock(node) _binder_node_inner_lock(node, __LINE__)
|
|
static void
|
|
_binder_node_inner_lock(struct binder_node *node, int line)
|
|
__acquires(&node->lock) __acquires(&node->proc->inner_lock)
|
|
{
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
spin_lock(&node->lock);
|
|
if (node->proc)
|
|
binder_inner_proc_lock(node->proc);
|
|
else
|
|
/* annotation for sparse */
|
|
__acquire(&node->proc->inner_lock);
|
|
}
|
|
|
|
/**
|
|
* binder_node_unlock() - Release node and inner locks
|
|
* @node: struct binder_node to acquire
|
|
*
|
|
* Release lock acquired via binder_node_lock()
|
|
*/
|
|
#define binder_node_inner_unlock(node) _binder_node_inner_unlock(node, __LINE__)
|
|
static void
|
|
_binder_node_inner_unlock(struct binder_node *node, int line)
|
|
__releases(&node->lock) __releases(&node->proc->inner_lock)
|
|
{
|
|
struct binder_proc *proc = node->proc;
|
|
|
|
binder_debug(BINDER_DEBUG_SPINLOCKS,
|
|
"%s: line=%d\n", __func__, line);
|
|
if (proc)
|
|
binder_inner_proc_unlock(proc);
|
|
else
|
|
/* annotation for sparse */
|
|
__release(&node->proc->inner_lock);
|
|
spin_unlock(&node->lock);
|
|
}
|
|
|
|
static bool binder_worklist_empty_ilocked(struct list_head *list)
|
|
{
|
|
return list_empty(list);
|
|
}
|
|
|
|
/**
|
|
* binder_worklist_empty() - Check if no items on the work list
|
|
* @proc: binder_proc associated with list
|
|
* @list: list to check
|
|
*
|
|
* Return: true if there are no items on list, else false
|
|
*/
|
|
static bool binder_worklist_empty(struct binder_proc *proc,
|
|
struct list_head *list)
|
|
{
|
|
bool ret;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
ret = binder_worklist_empty_ilocked(list);
|
|
binder_inner_proc_unlock(proc);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* binder_enqueue_work_ilocked() - Add an item to the work list
|
|
* @work: struct binder_work to add to list
|
|
* @target_list: list to add work to
|
|
*
|
|
* Adds the work to the specified list. Asserts that work
|
|
* is not already on a list.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
static void
|
|
binder_enqueue_work_ilocked(struct binder_work *work,
|
|
struct list_head *target_list)
|
|
{
|
|
BUG_ON(target_list == NULL);
|
|
BUG_ON(work->entry.next && !list_empty(&work->entry));
|
|
list_add_tail(&work->entry, target_list);
|
|
}
|
|
|
|
/**
|
|
* binder_enqueue_deferred_thread_work_ilocked() - Add deferred thread work
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread. Doesn't set the process_todo
|
|
* flag, which means that (if it wasn't already set) the thread will go to
|
|
* sleep without handling this work when it calls read.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
static void
|
|
binder_enqueue_deferred_thread_work_ilocked(struct binder_thread *thread,
|
|
struct binder_work *work)
|
|
{
|
|
WARN_ON(!list_empty(&thread->waiting_thread_node));
|
|
binder_enqueue_work_ilocked(work, &thread->todo);
|
|
}
|
|
|
|
/**
|
|
* binder_enqueue_thread_work_ilocked() - Add an item to the thread work list
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread, and enables processing
|
|
* of the todo queue.
|
|
*
|
|
* Requires the proc->inner_lock to be held.
|
|
*/
|
|
static void
|
|
binder_enqueue_thread_work_ilocked(struct binder_thread *thread,
|
|
struct binder_work *work)
|
|
{
|
|
WARN_ON(!list_empty(&thread->waiting_thread_node));
|
|
binder_enqueue_work_ilocked(work, &thread->todo);
|
|
thread->process_todo = true;
|
|
}
|
|
|
|
/**
|
|
* binder_enqueue_thread_work() - Add an item to the thread work list
|
|
* @thread: thread to queue work to
|
|
* @work: struct binder_work to add to list
|
|
*
|
|
* Adds the work to the todo list of the thread, and enables processing
|
|
* of the todo queue.
|
|
*/
|
|
static void
|
|
binder_enqueue_thread_work(struct binder_thread *thread,
|
|
struct binder_work *work)
|
|
{
|
|
binder_inner_proc_lock(thread->proc);
|
|
binder_enqueue_thread_work_ilocked(thread, work);
|
|
binder_inner_proc_unlock(thread->proc);
|
|
}
|
|
|
|
static void
|
|
binder_dequeue_work_ilocked(struct binder_work *work)
|
|
{
|
|
list_del_init(&work->entry);
|
|
}
|
|
|
|
/**
|
|
* binder_dequeue_work() - Removes an item from the work list
|
|
* @proc: binder_proc associated with list
|
|
* @work: struct binder_work to remove from list
|
|
*
|
|
* Removes the specified work item from whatever list it is on.
|
|
* Can safely be called if work is not on any list.
|
|
*/
|
|
static void
|
|
binder_dequeue_work(struct binder_proc *proc, struct binder_work *work)
|
|
{
|
|
binder_inner_proc_lock(proc);
|
|
binder_dequeue_work_ilocked(work);
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
|
|
static struct binder_work *binder_dequeue_work_head_ilocked(
|
|
struct list_head *list)
|
|
{
|
|
struct binder_work *w;
|
|
|
|
w = list_first_entry_or_null(list, struct binder_work, entry);
|
|
if (w)
|
|
list_del_init(&w->entry);
|
|
return w;
|
|
}
|
|
|
|
static void
|
|
binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
|
|
static void binder_free_thread(struct binder_thread *thread);
|
|
static void binder_free_proc(struct binder_proc *proc);
|
|
static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
|
|
|
|
static bool binder_has_work_ilocked(struct binder_thread *thread,
|
|
bool do_proc_work)
|
|
{
|
|
int ret = 0;
|
|
|
|
trace_android_vh_binder_has_work_ilocked(thread, do_proc_work, &ret);
|
|
if (ret)
|
|
return true;
|
|
return thread->process_todo ||
|
|
thread->looper_need_return ||
|
|
(do_proc_work &&
|
|
!binder_worklist_empty_ilocked(&thread->proc->todo));
|
|
}
|
|
|
|
static bool binder_has_work(struct binder_thread *thread, bool do_proc_work)
|
|
{
|
|
bool has_work;
|
|
|
|
binder_inner_proc_lock(thread->proc);
|
|
has_work = binder_has_work_ilocked(thread, do_proc_work);
|
|
binder_inner_proc_unlock(thread->proc);
|
|
|
|
return has_work;
|
|
}
|
|
|
|
static bool binder_available_for_proc_work_ilocked(struct binder_thread *thread)
|
|
{
|
|
return !thread->transaction_stack &&
|
|
binder_worklist_empty_ilocked(&thread->todo) &&
|
|
(thread->looper & (BINDER_LOOPER_STATE_ENTERED |
|
|
BINDER_LOOPER_STATE_REGISTERED));
|
|
}
|
|
|
|
static void binder_wakeup_poll_threads_ilocked(struct binder_proc *proc,
|
|
bool sync)
|
|
{
|
|
struct rb_node *n;
|
|
struct binder_thread *thread;
|
|
|
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
|
|
thread = rb_entry(n, struct binder_thread, rb_node);
|
|
if (thread->looper & BINDER_LOOPER_STATE_POLL &&
|
|
binder_available_for_proc_work_ilocked(thread)) {
|
|
trace_android_vh_binder_wakeup_ilocked(thread->task, sync, proc);
|
|
if (sync)
|
|
wake_up_interruptible_sync(&thread->wait);
|
|
else
|
|
wake_up_interruptible(&thread->wait);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* binder_select_thread_ilocked() - selects a thread for doing proc work.
|
|
* @proc: process to select a thread from
|
|
*
|
|
* Note that calling this function moves the thread off the waiting_threads
|
|
* list, so it can only be woken up by the caller of this function, or a
|
|
* signal. Therefore, callers *should* always wake up the thread this function
|
|
* returns.
|
|
*
|
|
* Return: If there's a thread currently waiting for process work,
|
|
* returns that thread. Otherwise returns NULL.
|
|
*/
|
|
static struct binder_thread *
|
|
binder_select_thread_ilocked(struct binder_proc *proc)
|
|
{
|
|
struct binder_thread *thread;
|
|
|
|
assert_spin_locked(&proc->inner_lock);
|
|
thread = list_first_entry_or_null(&proc->waiting_threads,
|
|
struct binder_thread,
|
|
waiting_thread_node);
|
|
|
|
if (thread)
|
|
list_del_init(&thread->waiting_thread_node);
|
|
|
|
return thread;
|
|
}
|
|
|
|
/**
|
|
* binder_wakeup_thread_ilocked() - wakes up a thread for doing proc work.
|
|
* @proc: process to wake up a thread in
|
|
* @thread: specific thread to wake-up (may be NULL)
|
|
* @sync: whether to do a synchronous wake-up
|
|
*
|
|
* This function wakes up a thread in the @proc process.
|
|
* The caller may provide a specific thread to wake-up in
|
|
* the @thread parameter. If @thread is NULL, this function
|
|
* will wake up threads that have called poll().
|
|
*
|
|
* Note that for this function to work as expected, callers
|
|
* should first call binder_select_thread() to find a thread
|
|
* to handle the work (if they don't have a thread already),
|
|
* and pass the result into the @thread parameter.
|
|
*/
|
|
static void binder_wakeup_thread_ilocked(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
bool sync)
|
|
{
|
|
assert_spin_locked(&proc->inner_lock);
|
|
|
|
if (thread) {
|
|
trace_android_vh_binder_wakeup_ilocked(thread->task, sync, proc);
|
|
if (sync)
|
|
wake_up_interruptible_sync(&thread->wait);
|
|
else
|
|
wake_up_interruptible(&thread->wait);
|
|
return;
|
|
}
|
|
|
|
/* Didn't find a thread waiting for proc work; this can happen
|
|
* in two scenarios:
|
|
* 1. All threads are busy handling transactions
|
|
* In that case, one of those threads should call back into
|
|
* the kernel driver soon and pick up this work.
|
|
* 2. Threads are using the (e)poll interface, in which case
|
|
* they may be blocked on the waitqueue without having been
|
|
* added to waiting_threads. For this case, we just iterate
|
|
* over all threads not handling transaction work, and
|
|
* wake them all up. We wake all because we don't know whether
|
|
* a thread that called into (e)poll is handling non-binder
|
|
* work currently.
|
|
*/
|
|
binder_wakeup_poll_threads_ilocked(proc, sync);
|
|
}
|
|
|
|
static void binder_wakeup_proc_ilocked(struct binder_proc *proc)
|
|
{
|
|
struct binder_thread *thread = binder_select_thread_ilocked(proc);
|
|
|
|
binder_wakeup_thread_ilocked(proc, thread, /* sync = */false);
|
|
}
|
|
|
|
static bool is_rt_policy(int policy)
|
|
{
|
|
return policy == SCHED_FIFO || policy == SCHED_RR;
|
|
}
|
|
|
|
static bool is_fair_policy(int policy)
|
|
{
|
|
return policy == SCHED_NORMAL || policy == SCHED_BATCH;
|
|
}
|
|
|
|
static bool binder_supported_policy(int policy)
|
|
{
|
|
return is_fair_policy(policy) || is_rt_policy(policy);
|
|
}
|
|
|
|
static int to_userspace_prio(int policy, int kernel_priority)
|
|
{
|
|
if (is_fair_policy(policy))
|
|
return PRIO_TO_NICE(kernel_priority);
|
|
else
|
|
return MAX_USER_RT_PRIO - 1 - kernel_priority;
|
|
}
|
|
|
|
static int to_kernel_prio(int policy, int user_priority)
|
|
{
|
|
if (is_fair_policy(policy))
|
|
return NICE_TO_PRIO(user_priority);
|
|
else
|
|
return MAX_USER_RT_PRIO - 1 - user_priority;
|
|
}
|
|
|
|
static void binder_do_set_priority(struct task_struct *task,
|
|
struct binder_priority desired,
|
|
bool verify)
|
|
{
|
|
int priority; /* user-space prio value */
|
|
bool has_cap_nice;
|
|
unsigned int policy = desired.sched_policy;
|
|
|
|
if (task->policy == policy && task->normal_prio == desired.prio)
|
|
return;
|
|
|
|
has_cap_nice = has_capability_noaudit(task, CAP_SYS_NICE);
|
|
|
|
priority = to_userspace_prio(policy, desired.prio);
|
|
|
|
if (verify && is_rt_policy(policy) && !has_cap_nice) {
|
|
long max_rtprio = task_rlimit(task, RLIMIT_RTPRIO);
|
|
|
|
if (max_rtprio == 0) {
|
|
policy = SCHED_NORMAL;
|
|
priority = MIN_NICE;
|
|
} else if (priority > max_rtprio) {
|
|
priority = max_rtprio;
|
|
}
|
|
}
|
|
|
|
if (verify && is_fair_policy(policy) && !has_cap_nice) {
|
|
long min_nice = rlimit_to_nice(task_rlimit(task, RLIMIT_NICE));
|
|
|
|
if (min_nice > MAX_NICE) {
|
|
binder_user_error("%d RLIMIT_NICE not set\n",
|
|
task->pid);
|
|
return;
|
|
} else if (priority < min_nice) {
|
|
priority = min_nice;
|
|
}
|
|
}
|
|
|
|
if (policy != desired.sched_policy ||
|
|
to_kernel_prio(policy, priority) != desired.prio)
|
|
binder_debug(BINDER_DEBUG_PRIORITY_CAP,
|
|
"%d: priority %d not allowed, using %d instead\n",
|
|
task->pid, desired.prio,
|
|
to_kernel_prio(policy, priority));
|
|
|
|
trace_binder_set_priority(task->tgid, task->pid, task->normal_prio,
|
|
to_kernel_prio(policy, priority),
|
|
desired.prio);
|
|
|
|
/* Set the actual priority */
|
|
if (task->policy != policy || is_rt_policy(policy)) {
|
|
struct sched_param params;
|
|
|
|
params.sched_priority = is_rt_policy(policy) ? priority : 0;
|
|
|
|
sched_setscheduler_nocheck(task,
|
|
policy | SCHED_RESET_ON_FORK,
|
|
¶ms);
|
|
}
|
|
if (is_fair_policy(policy))
|
|
set_user_nice(task, priority);
|
|
}
|
|
|
|
static void binder_set_priority(struct task_struct *task,
|
|
struct binder_priority desired)
|
|
{
|
|
binder_do_set_priority(task, desired, /* verify = */ true);
|
|
}
|
|
|
|
static void binder_restore_priority(struct task_struct *task,
|
|
struct binder_priority desired)
|
|
{
|
|
binder_do_set_priority(task, desired, /* verify = */ false);
|
|
}
|
|
|
|
static void binder_transaction_priority(struct task_struct *task,
|
|
struct binder_transaction *t,
|
|
struct binder_priority node_prio,
|
|
bool inherit_rt)
|
|
{
|
|
struct binder_priority desired_prio = t->priority;
|
|
bool skip = false;
|
|
|
|
if (t->set_priority_called)
|
|
return;
|
|
|
|
t->set_priority_called = true;
|
|
t->saved_priority.sched_policy = task->policy;
|
|
t->saved_priority.prio = task->normal_prio;
|
|
|
|
trace_android_vh_binder_priority_skip(task, &skip);
|
|
if (skip)
|
|
return;
|
|
|
|
if (!inherit_rt && is_rt_policy(desired_prio.sched_policy)) {
|
|
desired_prio.prio = NICE_TO_PRIO(0);
|
|
desired_prio.sched_policy = SCHED_NORMAL;
|
|
}
|
|
|
|
if (node_prio.prio < t->priority.prio ||
|
|
(node_prio.prio == t->priority.prio &&
|
|
node_prio.sched_policy == SCHED_FIFO)) {
|
|
/*
|
|
* In case the minimum priority on the node is
|
|
* higher (lower value), use that priority. If
|
|
* the priority is the same, but the node uses
|
|
* SCHED_FIFO, prefer SCHED_FIFO, since it can
|
|
* run unbounded, unlike SCHED_RR.
|
|
*/
|
|
desired_prio = node_prio;
|
|
}
|
|
|
|
binder_set_priority(task, desired_prio);
|
|
trace_android_vh_binder_set_priority(t, task);
|
|
}
|
|
|
|
static struct binder_node *binder_get_node_ilocked(struct binder_proc *proc,
|
|
binder_uintptr_t ptr)
|
|
{
|
|
struct rb_node *n = proc->nodes.rb_node;
|
|
struct binder_node *node;
|
|
|
|
assert_spin_locked(&proc->inner_lock);
|
|
|
|
while (n) {
|
|
node = rb_entry(n, struct binder_node, rb_node);
|
|
|
|
if (ptr < node->ptr)
|
|
n = n->rb_left;
|
|
else if (ptr > node->ptr)
|
|
n = n->rb_right;
|
|
else {
|
|
/*
|
|
* take an implicit weak reference
|
|
* to ensure node stays alive until
|
|
* call to binder_put_node()
|
|
*/
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
return node;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
static struct binder_node *binder_get_node(struct binder_proc *proc,
|
|
binder_uintptr_t ptr)
|
|
{
|
|
struct binder_node *node;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
node = binder_get_node_ilocked(proc, ptr);
|
|
binder_inner_proc_unlock(proc);
|
|
return node;
|
|
}
|
|
|
|
static struct binder_node *binder_init_node_ilocked(
|
|
struct binder_proc *proc,
|
|
struct binder_node *new_node,
|
|
struct flat_binder_object *fp)
|
|
{
|
|
struct rb_node **p = &proc->nodes.rb_node;
|
|
struct rb_node *parent = NULL;
|
|
struct binder_node *node;
|
|
binder_uintptr_t ptr = fp ? fp->binder : 0;
|
|
binder_uintptr_t cookie = fp ? fp->cookie : 0;
|
|
__u32 flags = fp ? fp->flags : 0;
|
|
s8 priority;
|
|
|
|
assert_spin_locked(&proc->inner_lock);
|
|
|
|
while (*p) {
|
|
|
|
parent = *p;
|
|
node = rb_entry(parent, struct binder_node, rb_node);
|
|
|
|
if (ptr < node->ptr)
|
|
p = &(*p)->rb_left;
|
|
else if (ptr > node->ptr)
|
|
p = &(*p)->rb_right;
|
|
else {
|
|
/*
|
|
* A matching node is already in
|
|
* the rb tree. Abandon the init
|
|
* and return it.
|
|
*/
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
return node;
|
|
}
|
|
}
|
|
node = new_node;
|
|
binder_stats_created(BINDER_STAT_NODE);
|
|
node->tmp_refs++;
|
|
rb_link_node(&node->rb_node, parent, p);
|
|
rb_insert_color(&node->rb_node, &proc->nodes);
|
|
node->debug_id = atomic_inc_return(&binder_last_id);
|
|
node->proc = proc;
|
|
node->ptr = ptr;
|
|
node->cookie = cookie;
|
|
node->work.type = BINDER_WORK_NODE;
|
|
priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
|
|
node->sched_policy = (flags & FLAT_BINDER_FLAG_SCHED_POLICY_MASK) >>
|
|
FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT;
|
|
node->min_priority = to_kernel_prio(node->sched_policy, priority);
|
|
node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
|
|
node->inherit_rt = !!(flags & FLAT_BINDER_FLAG_INHERIT_RT);
|
|
node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX);
|
|
spin_lock_init(&node->lock);
|
|
INIT_LIST_HEAD(&node->work.entry);
|
|
INIT_LIST_HEAD(&node->async_todo);
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d:%d node %d u%016llx c%016llx created\n",
|
|
proc->pid, current->pid, node->debug_id,
|
|
(u64)node->ptr, (u64)node->cookie);
|
|
|
|
return node;
|
|
}
|
|
|
|
static struct binder_node *binder_new_node(struct binder_proc *proc,
|
|
struct flat_binder_object *fp)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_node *new_node = kzalloc(sizeof(*node), GFP_KERNEL);
|
|
|
|
if (!new_node)
|
|
return NULL;
|
|
binder_inner_proc_lock(proc);
|
|
node = binder_init_node_ilocked(proc, new_node, fp);
|
|
binder_inner_proc_unlock(proc);
|
|
if (node != new_node)
|
|
/*
|
|
* The node was already added by another thread
|
|
*/
|
|
kfree(new_node);
|
|
|
|
return node;
|
|
}
|
|
|
|
static void binder_free_node(struct binder_node *node)
|
|
{
|
|
kfree(node);
|
|
binder_stats_deleted(BINDER_STAT_NODE);
|
|
}
|
|
|
|
static int binder_inc_node_nilocked(struct binder_node *node, int strong,
|
|
int internal,
|
|
struct list_head *target_list)
|
|
{
|
|
struct binder_proc *proc = node->proc;
|
|
|
|
assert_spin_locked(&node->lock);
|
|
if (proc)
|
|
assert_spin_locked(&proc->inner_lock);
|
|
if (strong) {
|
|
if (internal) {
|
|
if (target_list == NULL &&
|
|
node->internal_strong_refs == 0 &&
|
|
!(node->proc &&
|
|
node == node->proc->context->binder_context_mgr_node &&
|
|
node->has_strong_ref)) {
|
|
pr_err("invalid inc strong node for %d\n",
|
|
node->debug_id);
|
|
return -EINVAL;
|
|
}
|
|
node->internal_strong_refs++;
|
|
} else
|
|
node->local_strong_refs++;
|
|
if (!node->has_strong_ref && target_list) {
|
|
struct binder_thread *thread = container_of(target_list,
|
|
struct binder_thread, todo);
|
|
binder_dequeue_work_ilocked(&node->work);
|
|
BUG_ON(&thread->todo != target_list);
|
|
binder_enqueue_deferred_thread_work_ilocked(thread,
|
|
&node->work);
|
|
}
|
|
} else {
|
|
if (!internal)
|
|
node->local_weak_refs++;
|
|
if (!node->has_weak_ref && list_empty(&node->work.entry)) {
|
|
if (target_list == NULL) {
|
|
pr_err("invalid inc weak node for %d\n",
|
|
node->debug_id);
|
|
return -EINVAL;
|
|
}
|
|
/*
|
|
* See comment above
|
|
*/
|
|
binder_enqueue_work_ilocked(&node->work, target_list);
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int binder_inc_node(struct binder_node *node, int strong, int internal,
|
|
struct list_head *target_list)
|
|
{
|
|
int ret;
|
|
|
|
binder_node_inner_lock(node);
|
|
ret = binder_inc_node_nilocked(node, strong, internal, target_list);
|
|
binder_node_inner_unlock(node);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static bool binder_dec_node_nilocked(struct binder_node *node,
|
|
int strong, int internal)
|
|
{
|
|
struct binder_proc *proc = node->proc;
|
|
|
|
assert_spin_locked(&node->lock);
|
|
if (proc)
|
|
assert_spin_locked(&proc->inner_lock);
|
|
if (strong) {
|
|
if (internal)
|
|
node->internal_strong_refs--;
|
|
else
|
|
node->local_strong_refs--;
|
|
if (node->local_strong_refs || node->internal_strong_refs)
|
|
return false;
|
|
} else {
|
|
if (!internal)
|
|
node->local_weak_refs--;
|
|
if (node->local_weak_refs || node->tmp_refs ||
|
|
!hlist_empty(&node->refs))
|
|
return false;
|
|
}
|
|
|
|
if (proc && (node->has_strong_ref || node->has_weak_ref)) {
|
|
if (list_empty(&node->work.entry)) {
|
|
binder_enqueue_work_ilocked(&node->work, &proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
}
|
|
} else {
|
|
if (hlist_empty(&node->refs) && !node->local_strong_refs &&
|
|
!node->local_weak_refs && !node->tmp_refs) {
|
|
if (proc) {
|
|
binder_dequeue_work_ilocked(&node->work);
|
|
rb_erase(&node->rb_node, &proc->nodes);
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"refless node %d deleted\n",
|
|
node->debug_id);
|
|
} else {
|
|
BUG_ON(!list_empty(&node->work.entry));
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
/*
|
|
* tmp_refs could have changed so
|
|
* check it again
|
|
*/
|
|
if (node->tmp_refs) {
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
return false;
|
|
}
|
|
hlist_del(&node->dead_node);
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"dead node %d deleted\n",
|
|
node->debug_id);
|
|
}
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static void binder_dec_node(struct binder_node *node, int strong, int internal)
|
|
{
|
|
bool free_node;
|
|
|
|
binder_node_inner_lock(node);
|
|
free_node = binder_dec_node_nilocked(node, strong, internal);
|
|
binder_node_inner_unlock(node);
|
|
if (free_node)
|
|
binder_free_node(node);
|
|
}
|
|
|
|
static void binder_inc_node_tmpref_ilocked(struct binder_node *node)
|
|
{
|
|
/*
|
|
* No call to binder_inc_node() is needed since we
|
|
* don't need to inform userspace of any changes to
|
|
* tmp_refs
|
|
*/
|
|
node->tmp_refs++;
|
|
}
|
|
|
|
/**
|
|
* binder_inc_node_tmpref() - take a temporary reference on node
|
|
* @node: node to reference
|
|
*
|
|
* Take reference on node to prevent the node from being freed
|
|
* while referenced only by a local variable. The inner lock is
|
|
* needed to serialize with the node work on the queue (which
|
|
* isn't needed after the node is dead). If the node is dead
|
|
* (node->proc is NULL), use binder_dead_nodes_lock to protect
|
|
* node->tmp_refs against dead-node-only cases where the node
|
|
* lock cannot be acquired (eg traversing the dead node list to
|
|
* print nodes)
|
|
*/
|
|
static void binder_inc_node_tmpref(struct binder_node *node)
|
|
{
|
|
binder_node_lock(node);
|
|
if (node->proc)
|
|
binder_inner_proc_lock(node->proc);
|
|
else
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
if (node->proc)
|
|
binder_inner_proc_unlock(node->proc);
|
|
else
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
binder_node_unlock(node);
|
|
}
|
|
|
|
/**
|
|
* binder_dec_node_tmpref() - remove a temporary reference on node
|
|
* @node: node to reference
|
|
*
|
|
* Release temporary reference on node taken via binder_inc_node_tmpref()
|
|
*/
|
|
static void binder_dec_node_tmpref(struct binder_node *node)
|
|
{
|
|
bool free_node;
|
|
|
|
binder_node_inner_lock(node);
|
|
if (!node->proc)
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
else
|
|
__acquire(&binder_dead_nodes_lock);
|
|
node->tmp_refs--;
|
|
BUG_ON(node->tmp_refs < 0);
|
|
if (!node->proc)
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
else
|
|
__release(&binder_dead_nodes_lock);
|
|
/*
|
|
* Call binder_dec_node() to check if all refcounts are 0
|
|
* and cleanup is needed. Calling with strong=0 and internal=1
|
|
* causes no actual reference to be released in binder_dec_node().
|
|
* If that changes, a change is needed here too.
|
|
*/
|
|
free_node = binder_dec_node_nilocked(node, 0, 1);
|
|
binder_node_inner_unlock(node);
|
|
if (free_node)
|
|
binder_free_node(node);
|
|
}
|
|
|
|
static void binder_put_node(struct binder_node *node)
|
|
{
|
|
binder_dec_node_tmpref(node);
|
|
}
|
|
|
|
static struct binder_ref *binder_get_ref_olocked(struct binder_proc *proc,
|
|
u32 desc, bool need_strong_ref)
|
|
{
|
|
struct rb_node *n = proc->refs_by_desc.rb_node;
|
|
struct binder_ref *ref;
|
|
|
|
while (n) {
|
|
ref = rb_entry(n, struct binder_ref, rb_node_desc);
|
|
|
|
if (desc < ref->data.desc) {
|
|
n = n->rb_left;
|
|
} else if (desc > ref->data.desc) {
|
|
n = n->rb_right;
|
|
} else if (need_strong_ref && !ref->data.strong) {
|
|
binder_user_error("tried to use weak ref as strong ref\n");
|
|
return NULL;
|
|
} else {
|
|
return ref;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* binder_get_ref_for_node_olocked() - get the ref associated with given node
|
|
* @proc: binder_proc that owns the ref
|
|
* @node: binder_node of target
|
|
* @new_ref: newly allocated binder_ref to be initialized or %NULL
|
|
*
|
|
* Look up the ref for the given node and return it if it exists
|
|
*
|
|
* If it doesn't exist and the caller provides a newly allocated
|
|
* ref, initialize the fields of the newly allocated ref and insert
|
|
* into the given proc rb_trees and node refs list.
|
|
*
|
|
* Return: the ref for node. It is possible that another thread
|
|
* allocated/initialized the ref first in which case the
|
|
* returned ref would be different than the passed-in
|
|
* new_ref. new_ref must be kfree'd by the caller in
|
|
* this case.
|
|
*/
|
|
static struct binder_ref *binder_get_ref_for_node_olocked(
|
|
struct binder_proc *proc,
|
|
struct binder_node *node,
|
|
struct binder_ref *new_ref)
|
|
{
|
|
struct binder_context *context = proc->context;
|
|
struct rb_node **p = &proc->refs_by_node.rb_node;
|
|
struct rb_node *parent = NULL;
|
|
struct binder_ref *ref;
|
|
struct rb_node *n;
|
|
|
|
while (*p) {
|
|
parent = *p;
|
|
ref = rb_entry(parent, struct binder_ref, rb_node_node);
|
|
|
|
if (node < ref->node)
|
|
p = &(*p)->rb_left;
|
|
else if (node > ref->node)
|
|
p = &(*p)->rb_right;
|
|
else
|
|
return ref;
|
|
}
|
|
if (!new_ref)
|
|
return NULL;
|
|
|
|
binder_stats_created(BINDER_STAT_REF);
|
|
new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
|
|
new_ref->proc = proc;
|
|
new_ref->node = node;
|
|
rb_link_node(&new_ref->rb_node_node, parent, p);
|
|
rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
|
|
|
|
new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
|
|
for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
|
|
ref = rb_entry(n, struct binder_ref, rb_node_desc);
|
|
if (ref->data.desc > new_ref->data.desc)
|
|
break;
|
|
new_ref->data.desc = ref->data.desc + 1;
|
|
}
|
|
|
|
p = &proc->refs_by_desc.rb_node;
|
|
while (*p) {
|
|
parent = *p;
|
|
ref = rb_entry(parent, struct binder_ref, rb_node_desc);
|
|
|
|
if (new_ref->data.desc < ref->data.desc)
|
|
p = &(*p)->rb_left;
|
|
else if (new_ref->data.desc > ref->data.desc)
|
|
p = &(*p)->rb_right;
|
|
else
|
|
BUG();
|
|
}
|
|
rb_link_node(&new_ref->rb_node_desc, parent, p);
|
|
rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
|
|
|
|
binder_node_lock(node);
|
|
hlist_add_head(&new_ref->node_entry, &node->refs);
|
|
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d new ref %d desc %d for node %d\n",
|
|
proc->pid, new_ref->data.debug_id, new_ref->data.desc,
|
|
node->debug_id);
|
|
trace_android_vh_binder_new_ref(proc->tsk, new_ref->data.desc, new_ref->node->debug_id);
|
|
binder_node_unlock(node);
|
|
return new_ref;
|
|
}
|
|
|
|
static void binder_cleanup_ref_olocked(struct binder_ref *ref)
|
|
{
|
|
bool delete_node = false;
|
|
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d delete ref %d desc %d for node %d\n",
|
|
ref->proc->pid, ref->data.debug_id, ref->data.desc,
|
|
ref->node->debug_id);
|
|
|
|
rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc);
|
|
rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node);
|
|
|
|
binder_node_inner_lock(ref->node);
|
|
if (ref->data.strong)
|
|
binder_dec_node_nilocked(ref->node, 1, 1);
|
|
|
|
hlist_del(&ref->node_entry);
|
|
delete_node = binder_dec_node_nilocked(ref->node, 0, 1);
|
|
binder_node_inner_unlock(ref->node);
|
|
/*
|
|
* Clear ref->node unless we want the caller to free the node
|
|
*/
|
|
if (!delete_node) {
|
|
/*
|
|
* The caller uses ref->node to determine
|
|
* whether the node needs to be freed. Clear
|
|
* it since the node is still alive.
|
|
*/
|
|
ref->node = NULL;
|
|
}
|
|
|
|
if (ref->death) {
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"%d delete ref %d desc %d has death notification\n",
|
|
ref->proc->pid, ref->data.debug_id,
|
|
ref->data.desc);
|
|
binder_dequeue_work(ref->proc, &ref->death->work);
|
|
binder_stats_deleted(BINDER_STAT_DEATH);
|
|
}
|
|
binder_stats_deleted(BINDER_STAT_REF);
|
|
}
|
|
|
|
/**
|
|
* binder_inc_ref_olocked() - increment the ref for given handle
|
|
* @ref: ref to be incremented
|
|
* @strong: if true, strong increment, else weak
|
|
* @target_list: list to queue node work on
|
|
*
|
|
* Increment the ref. @ref->proc->outer_lock must be held on entry
|
|
*
|
|
* Return: 0, if successful, else errno
|
|
*/
|
|
static int binder_inc_ref_olocked(struct binder_ref *ref, int strong,
|
|
struct list_head *target_list)
|
|
{
|
|
int ret;
|
|
|
|
if (strong) {
|
|
if (ref->data.strong == 0) {
|
|
ret = binder_inc_node(ref->node, 1, 1, target_list);
|
|
if (ret)
|
|
return ret;
|
|
}
|
|
ref->data.strong++;
|
|
} else {
|
|
if (ref->data.weak == 0) {
|
|
ret = binder_inc_node(ref->node, 0, 1, target_list);
|
|
if (ret)
|
|
return ret;
|
|
}
|
|
ref->data.weak++;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* binder_dec_ref() - dec the ref for given handle
|
|
* @ref: ref to be decremented
|
|
* @strong: if true, strong decrement, else weak
|
|
*
|
|
* Decrement the ref.
|
|
*
|
|
* Return: true if ref is cleaned up and ready to be freed
|
|
*/
|
|
static bool binder_dec_ref_olocked(struct binder_ref *ref, int strong)
|
|
{
|
|
if (strong) {
|
|
if (ref->data.strong == 0) {
|
|
binder_user_error("%d invalid dec strong, ref %d desc %d s %d w %d\n",
|
|
ref->proc->pid, ref->data.debug_id,
|
|
ref->data.desc, ref->data.strong,
|
|
ref->data.weak);
|
|
return false;
|
|
}
|
|
ref->data.strong--;
|
|
if (ref->data.strong == 0)
|
|
binder_dec_node(ref->node, strong, 1);
|
|
} else {
|
|
if (ref->data.weak == 0) {
|
|
binder_user_error("%d invalid dec weak, ref %d desc %d s %d w %d\n",
|
|
ref->proc->pid, ref->data.debug_id,
|
|
ref->data.desc, ref->data.strong,
|
|
ref->data.weak);
|
|
return false;
|
|
}
|
|
ref->data.weak--;
|
|
}
|
|
if (ref->data.strong == 0 && ref->data.weak == 0) {
|
|
binder_cleanup_ref_olocked(ref);
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* binder_get_node_from_ref() - get the node from the given proc/desc
|
|
* @proc: proc containing the ref
|
|
* @desc: the handle associated with the ref
|
|
* @need_strong_ref: if true, only return node if ref is strong
|
|
* @rdata: the id/refcount data for the ref
|
|
*
|
|
* Given a proc and ref handle, return the associated binder_node
|
|
*
|
|
* Return: a binder_node or NULL if not found or not strong when strong required
|
|
*/
|
|
static struct binder_node *binder_get_node_from_ref(
|
|
struct binder_proc *proc,
|
|
u32 desc, bool need_strong_ref,
|
|
struct binder_ref_data *rdata)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_ref *ref;
|
|
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, desc, need_strong_ref);
|
|
if (!ref)
|
|
goto err_no_ref;
|
|
node = ref->node;
|
|
/*
|
|
* Take an implicit reference on the node to ensure
|
|
* it stays alive until the call to binder_put_node()
|
|
*/
|
|
binder_inc_node_tmpref(node);
|
|
if (rdata)
|
|
*rdata = ref->data;
|
|
binder_proc_unlock(proc);
|
|
|
|
return node;
|
|
|
|
err_no_ref:
|
|
binder_proc_unlock(proc);
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* binder_free_ref() - free the binder_ref
|
|
* @ref: ref to free
|
|
*
|
|
* Free the binder_ref. Free the binder_node indicated by ref->node
|
|
* (if non-NULL) and the binder_ref_death indicated by ref->death.
|
|
*/
|
|
static void binder_free_ref(struct binder_ref *ref)
|
|
{
|
|
trace_android_vh_binder_del_ref(ref->proc ? ref->proc->tsk : 0, ref->data.desc);
|
|
if (ref->node)
|
|
binder_free_node(ref->node);
|
|
kfree(ref->death);
|
|
kfree(ref);
|
|
}
|
|
|
|
/**
|
|
* binder_update_ref_for_handle() - inc/dec the ref for given handle
|
|
* @proc: proc containing the ref
|
|
* @desc: the handle associated with the ref
|
|
* @increment: true=inc reference, false=dec reference
|
|
* @strong: true=strong reference, false=weak reference
|
|
* @rdata: the id/refcount data for the ref
|
|
*
|
|
* Given a proc and ref handle, increment or decrement the ref
|
|
* according to "increment" arg.
|
|
*
|
|
* Return: 0 if successful, else errno
|
|
*/
|
|
static int binder_update_ref_for_handle(struct binder_proc *proc,
|
|
uint32_t desc, bool increment, bool strong,
|
|
struct binder_ref_data *rdata)
|
|
{
|
|
int ret = 0;
|
|
struct binder_ref *ref;
|
|
bool delete_ref = false;
|
|
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, desc, strong);
|
|
if (!ref) {
|
|
ret = -EINVAL;
|
|
goto err_no_ref;
|
|
}
|
|
if (increment)
|
|
ret = binder_inc_ref_olocked(ref, strong, NULL);
|
|
else
|
|
delete_ref = binder_dec_ref_olocked(ref, strong);
|
|
|
|
if (rdata)
|
|
*rdata = ref->data;
|
|
binder_proc_unlock(proc);
|
|
|
|
if (delete_ref)
|
|
binder_free_ref(ref);
|
|
return ret;
|
|
|
|
err_no_ref:
|
|
binder_proc_unlock(proc);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* binder_dec_ref_for_handle() - dec the ref for given handle
|
|
* @proc: proc containing the ref
|
|
* @desc: the handle associated with the ref
|
|
* @strong: true=strong reference, false=weak reference
|
|
* @rdata: the id/refcount data for the ref
|
|
*
|
|
* Just calls binder_update_ref_for_handle() to decrement the ref.
|
|
*
|
|
* Return: 0 if successful, else errno
|
|
*/
|
|
static int binder_dec_ref_for_handle(struct binder_proc *proc,
|
|
uint32_t desc, bool strong, struct binder_ref_data *rdata)
|
|
{
|
|
return binder_update_ref_for_handle(proc, desc, false, strong, rdata);
|
|
}
|
|
|
|
|
|
/**
|
|
* binder_inc_ref_for_node() - increment the ref for given proc/node
|
|
* @proc: proc containing the ref
|
|
* @node: target node
|
|
* @strong: true=strong reference, false=weak reference
|
|
* @target_list: worklist to use if node is incremented
|
|
* @rdata: the id/refcount data for the ref
|
|
*
|
|
* Given a proc and node, increment the ref. Create the ref if it
|
|
* doesn't already exist
|
|
*
|
|
* Return: 0 if successful, else errno
|
|
*/
|
|
static int binder_inc_ref_for_node(struct binder_proc *proc,
|
|
struct binder_node *node,
|
|
bool strong,
|
|
struct list_head *target_list,
|
|
struct binder_ref_data *rdata)
|
|
{
|
|
struct binder_ref *ref;
|
|
struct binder_ref *new_ref = NULL;
|
|
int ret = 0;
|
|
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_for_node_olocked(proc, node, NULL);
|
|
if (!ref) {
|
|
binder_proc_unlock(proc);
|
|
new_ref = kzalloc(sizeof(*ref), GFP_KERNEL);
|
|
if (!new_ref)
|
|
return -ENOMEM;
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_for_node_olocked(proc, node, new_ref);
|
|
}
|
|
ret = binder_inc_ref_olocked(ref, strong, target_list);
|
|
*rdata = ref->data;
|
|
binder_proc_unlock(proc);
|
|
if (new_ref && ref != new_ref)
|
|
/*
|
|
* Another thread created the ref first so
|
|
* free the one we allocated
|
|
*/
|
|
kfree(new_ref);
|
|
return ret;
|
|
}
|
|
|
|
static void binder_pop_transaction_ilocked(struct binder_thread *target_thread,
|
|
struct binder_transaction *t)
|
|
{
|
|
BUG_ON(!target_thread);
|
|
assert_spin_locked(&target_thread->proc->inner_lock);
|
|
BUG_ON(target_thread->transaction_stack != t);
|
|
BUG_ON(target_thread->transaction_stack->from != target_thread);
|
|
target_thread->transaction_stack =
|
|
target_thread->transaction_stack->from_parent;
|
|
t->from = NULL;
|
|
}
|
|
|
|
/**
|
|
* binder_thread_dec_tmpref() - decrement thread->tmp_ref
|
|
* @thread: thread to decrement
|
|
*
|
|
* A thread needs to be kept alive while being used to create or
|
|
* handle a transaction. binder_get_txn_from() is used to safely
|
|
* extract t->from from a binder_transaction and keep the thread
|
|
* indicated by t->from from being freed. When done with that
|
|
* binder_thread, this function is called to decrement the
|
|
* tmp_ref and free if appropriate (thread has been released
|
|
* and no transaction being processed by the driver)
|
|
*/
|
|
static void binder_thread_dec_tmpref(struct binder_thread *thread)
|
|
{
|
|
/*
|
|
* atomic is used to protect the counter value while
|
|
* it cannot reach zero or thread->is_dead is false
|
|
*/
|
|
binder_inner_proc_lock(thread->proc);
|
|
atomic_dec(&thread->tmp_ref);
|
|
if (thread->is_dead && !atomic_read(&thread->tmp_ref)) {
|
|
binder_inner_proc_unlock(thread->proc);
|
|
binder_free_thread(thread);
|
|
return;
|
|
}
|
|
binder_inner_proc_unlock(thread->proc);
|
|
}
|
|
|
|
/**
|
|
* binder_proc_dec_tmpref() - decrement proc->tmp_ref
|
|
* @proc: proc to decrement
|
|
*
|
|
* A binder_proc needs to be kept alive while being used to create or
|
|
* handle a transaction. proc->tmp_ref is incremented when
|
|
* creating a new transaction or the binder_proc is currently in-use
|
|
* by threads that are being released. When done with the binder_proc,
|
|
* this function is called to decrement the counter and free the
|
|
* proc if appropriate (proc has been released, all threads have
|
|
* been released and not currenly in-use to process a transaction).
|
|
*/
|
|
static void binder_proc_dec_tmpref(struct binder_proc *proc)
|
|
{
|
|
binder_inner_proc_lock(proc);
|
|
proc->tmp_ref--;
|
|
if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
|
|
!proc->tmp_ref) {
|
|
binder_inner_proc_unlock(proc);
|
|
binder_free_proc(proc);
|
|
return;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
|
|
/**
|
|
* binder_get_txn_from() - safely extract the "from" thread in transaction
|
|
* @t: binder transaction for t->from
|
|
*
|
|
* Atomically return the "from" thread and increment the tmp_ref
|
|
* count for the thread to ensure it stays alive until
|
|
* binder_thread_dec_tmpref() is called.
|
|
*
|
|
* Return: the value of t->from
|
|
*/
|
|
static struct binder_thread *binder_get_txn_from(
|
|
struct binder_transaction *t)
|
|
{
|
|
struct binder_thread *from;
|
|
|
|
spin_lock(&t->lock);
|
|
from = t->from;
|
|
if (from)
|
|
atomic_inc(&from->tmp_ref);
|
|
spin_unlock(&t->lock);
|
|
return from;
|
|
}
|
|
|
|
/**
|
|
* binder_get_txn_from_and_acq_inner() - get t->from and acquire inner lock
|
|
* @t: binder transaction for t->from
|
|
*
|
|
* Same as binder_get_txn_from() except it also acquires the proc->inner_lock
|
|
* to guarantee that the thread cannot be released while operating on it.
|
|
* The caller must call binder_inner_proc_unlock() to release the inner lock
|
|
* as well as call binder_dec_thread_txn() to release the reference.
|
|
*
|
|
* Return: the value of t->from
|
|
*/
|
|
static struct binder_thread *binder_get_txn_from_and_acq_inner(
|
|
struct binder_transaction *t)
|
|
__acquires(&t->from->proc->inner_lock)
|
|
{
|
|
struct binder_thread *from;
|
|
|
|
from = binder_get_txn_from(t);
|
|
if (!from) {
|
|
__acquire(&from->proc->inner_lock);
|
|
return NULL;
|
|
}
|
|
binder_inner_proc_lock(from->proc);
|
|
if (t->from) {
|
|
BUG_ON(from != t->from);
|
|
return from;
|
|
}
|
|
binder_inner_proc_unlock(from->proc);
|
|
__acquire(&from->proc->inner_lock);
|
|
binder_thread_dec_tmpref(from);
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* binder_free_txn_fixups() - free unprocessed fd fixups
|
|
* @t: binder transaction for t->from
|
|
*
|
|
* If the transaction is being torn down prior to being
|
|
* processed by the target process, free all of the
|
|
* fd fixups and fput the file structs. It is safe to
|
|
* call this function after the fixups have been
|
|
* processed -- in that case, the list will be empty.
|
|
*/
|
|
static void binder_free_txn_fixups(struct binder_transaction *t)
|
|
{
|
|
struct binder_txn_fd_fixup *fixup, *tmp;
|
|
|
|
list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
|
|
fput(fixup->file);
|
|
list_del(&fixup->fixup_entry);
|
|
kfree(fixup);
|
|
}
|
|
}
|
|
|
|
static void binder_free_transaction(struct binder_transaction *t)
|
|
{
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
|
|
if (target_proc) {
|
|
binder_inner_proc_lock(target_proc);
|
|
target_proc->outstanding_txns--;
|
|
if (target_proc->outstanding_txns < 0)
|
|
pr_warn("%s: Unexpected outstanding_txns %d\n",
|
|
__func__, target_proc->outstanding_txns);
|
|
if (!target_proc->outstanding_txns && target_proc->is_frozen)
|
|
wake_up_interruptible_all(&target_proc->freeze_wait);
|
|
if (t->buffer)
|
|
t->buffer->transaction = NULL;
|
|
binder_inner_proc_unlock(target_proc);
|
|
}
|
|
/*
|
|
* If the transaction has no target_proc, then
|
|
* t->buffer->transaction has already been cleared.
|
|
*/
|
|
binder_free_txn_fixups(t);
|
|
kfree(t);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION);
|
|
}
|
|
|
|
static void binder_send_failed_reply(struct binder_transaction *t,
|
|
uint32_t error_code)
|
|
{
|
|
struct binder_thread *target_thread;
|
|
struct binder_transaction *next;
|
|
|
|
BUG_ON(t->flags & TF_ONE_WAY);
|
|
while (1) {
|
|
target_thread = binder_get_txn_from_and_acq_inner(t);
|
|
if (target_thread) {
|
|
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"send failed reply for transaction %d to %d:%d\n",
|
|
t->debug_id,
|
|
target_thread->proc->pid,
|
|
target_thread->pid);
|
|
|
|
binder_pop_transaction_ilocked(target_thread, t);
|
|
if (target_thread->reply_error.cmd == BR_OK) {
|
|
target_thread->reply_error.cmd = error_code;
|
|
binder_enqueue_thread_work_ilocked(
|
|
target_thread,
|
|
&target_thread->reply_error.work);
|
|
wake_up_interruptible(&target_thread->wait);
|
|
} else {
|
|
/*
|
|
* Cannot get here for normal operation, but
|
|
* we can if multiple synchronous transactions
|
|
* are sent without blocking for responses.
|
|
* Just ignore the 2nd error in this case.
|
|
*/
|
|
pr_warn("Unexpected reply error: %u\n",
|
|
target_thread->reply_error.cmd);
|
|
}
|
|
binder_inner_proc_unlock(target_thread->proc);
|
|
binder_thread_dec_tmpref(target_thread);
|
|
binder_free_transaction(t);
|
|
return;
|
|
}
|
|
__release(&target_thread->proc->inner_lock);
|
|
next = t->from_parent;
|
|
|
|
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"send failed reply for transaction %d, target dead\n",
|
|
t->debug_id);
|
|
|
|
binder_free_transaction(t);
|
|
if (next == NULL) {
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"reply failed, no target thread at root\n");
|
|
return;
|
|
}
|
|
t = next;
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"reply failed, no target thread -- retry %d\n",
|
|
t->debug_id);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* binder_cleanup_transaction() - cleans up undelivered transaction
|
|
* @t: transaction that needs to be cleaned up
|
|
* @reason: reason the transaction wasn't delivered
|
|
* @error_code: error to return to caller (if synchronous call)
|
|
*/
|
|
static void binder_cleanup_transaction(struct binder_transaction *t,
|
|
const char *reason,
|
|
uint32_t error_code)
|
|
{
|
|
if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) {
|
|
binder_send_failed_reply(t, error_code);
|
|
} else {
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"undelivered transaction %d, %s\n",
|
|
t->debug_id, reason);
|
|
binder_free_transaction(t);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* binder_get_object() - gets object and checks for valid metadata
|
|
* @proc: binder_proc owning the buffer
|
|
* @buffer: binder_buffer that we're parsing.
|
|
* @offset: offset in the @buffer at which to validate an object.
|
|
* @object: struct binder_object to read into
|
|
*
|
|
* Return: If there's a valid metadata object at @offset in @buffer, the
|
|
* size of that object. Otherwise, it returns zero. The object
|
|
* is read into the struct binder_object pointed to by @object.
|
|
*/
|
|
static size_t binder_get_object(struct binder_proc *proc,
|
|
struct binder_buffer *buffer,
|
|
unsigned long offset,
|
|
struct binder_object *object)
|
|
{
|
|
size_t read_size;
|
|
struct binder_object_header *hdr;
|
|
size_t object_size = 0;
|
|
|
|
read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
|
|
if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
|
|
binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
|
|
offset, read_size))
|
|
return 0;
|
|
|
|
/* Ok, now see if we read a complete object. */
|
|
hdr = &object->hdr;
|
|
switch (hdr->type) {
|
|
case BINDER_TYPE_BINDER:
|
|
case BINDER_TYPE_WEAK_BINDER:
|
|
case BINDER_TYPE_HANDLE:
|
|
case BINDER_TYPE_WEAK_HANDLE:
|
|
object_size = sizeof(struct flat_binder_object);
|
|
break;
|
|
case BINDER_TYPE_FD:
|
|
object_size = sizeof(struct binder_fd_object);
|
|
break;
|
|
case BINDER_TYPE_PTR:
|
|
object_size = sizeof(struct binder_buffer_object);
|
|
break;
|
|
case BINDER_TYPE_FDA:
|
|
object_size = sizeof(struct binder_fd_array_object);
|
|
break;
|
|
default:
|
|
return 0;
|
|
}
|
|
if (offset <= buffer->data_size - object_size &&
|
|
buffer->data_size >= object_size)
|
|
return object_size;
|
|
else
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* binder_validate_ptr() - validates binder_buffer_object in a binder_buffer.
|
|
* @proc: binder_proc owning the buffer
|
|
* @b: binder_buffer containing the object
|
|
* @object: struct binder_object to read into
|
|
* @index: index in offset array at which the binder_buffer_object is
|
|
* located
|
|
* @start_offset: points to the start of the offset array
|
|
* @object_offsetp: offset of @object read from @b
|
|
* @num_valid: the number of valid offsets in the offset array
|
|
*
|
|
* Return: If @index is within the valid range of the offset array
|
|
* described by @start and @num_valid, and if there's a valid
|
|
* binder_buffer_object at the offset found in index @index
|
|
* of the offset array, that object is returned. Otherwise,
|
|
* %NULL is returned.
|
|
* Note that the offset found in index @index itself is not
|
|
* verified; this function assumes that @num_valid elements
|
|
* from @start were previously verified to have valid offsets.
|
|
* If @object_offsetp is non-NULL, then the offset within
|
|
* @b is written to it.
|
|
*/
|
|
static struct binder_buffer_object *binder_validate_ptr(
|
|
struct binder_proc *proc,
|
|
struct binder_buffer *b,
|
|
struct binder_object *object,
|
|
binder_size_t index,
|
|
binder_size_t start_offset,
|
|
binder_size_t *object_offsetp,
|
|
binder_size_t num_valid)
|
|
{
|
|
size_t object_size;
|
|
binder_size_t object_offset;
|
|
unsigned long buffer_offset;
|
|
|
|
if (index >= num_valid)
|
|
return NULL;
|
|
|
|
buffer_offset = start_offset + sizeof(binder_size_t) * index;
|
|
if (binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
|
|
b, buffer_offset,
|
|
sizeof(object_offset)))
|
|
return NULL;
|
|
object_size = binder_get_object(proc, b, object_offset, object);
|
|
if (!object_size || object->hdr.type != BINDER_TYPE_PTR)
|
|
return NULL;
|
|
if (object_offsetp)
|
|
*object_offsetp = object_offset;
|
|
|
|
return &object->bbo;
|
|
}
|
|
|
|
/**
|
|
* binder_validate_fixup() - validates pointer/fd fixups happen in order.
|
|
* @proc: binder_proc owning the buffer
|
|
* @b: transaction buffer
|
|
* @objects_start_offset: offset to start of objects buffer
|
|
* @buffer_obj_offset: offset to binder_buffer_object in which to fix up
|
|
* @fixup_offset: start offset in @buffer to fix up
|
|
* @last_obj_offset: offset to last binder_buffer_object that we fixed
|
|
* @last_min_offset: minimum fixup offset in object at @last_obj_offset
|
|
*
|
|
* Return: %true if a fixup in buffer @buffer at offset @offset is
|
|
* allowed.
|
|
*
|
|
* For safety reasons, we only allow fixups inside a buffer to happen
|
|
* at increasing offsets; additionally, we only allow fixup on the last
|
|
* buffer object that was verified, or one of its parents.
|
|
*
|
|
* Example of what is allowed:
|
|
*
|
|
* A
|
|
* B (parent = A, offset = 0)
|
|
* C (parent = A, offset = 16)
|
|
* D (parent = C, offset = 0)
|
|
* E (parent = A, offset = 32) // min_offset is 16 (C.parent_offset)
|
|
*
|
|
* Examples of what is not allowed:
|
|
*
|
|
* Decreasing offsets within the same parent:
|
|
* A
|
|
* C (parent = A, offset = 16)
|
|
* B (parent = A, offset = 0) // decreasing offset within A
|
|
*
|
|
* Referring to a parent that wasn't the last object or any of its parents:
|
|
* A
|
|
* B (parent = A, offset = 0)
|
|
* C (parent = A, offset = 0)
|
|
* C (parent = A, offset = 16)
|
|
* D (parent = B, offset = 0) // B is not A or any of A's parents
|
|
*/
|
|
static bool binder_validate_fixup(struct binder_proc *proc,
|
|
struct binder_buffer *b,
|
|
binder_size_t objects_start_offset,
|
|
binder_size_t buffer_obj_offset,
|
|
binder_size_t fixup_offset,
|
|
binder_size_t last_obj_offset,
|
|
binder_size_t last_min_offset)
|
|
{
|
|
if (!last_obj_offset) {
|
|
/* Nothing to fix up in */
|
|
return false;
|
|
}
|
|
|
|
while (last_obj_offset != buffer_obj_offset) {
|
|
unsigned long buffer_offset;
|
|
struct binder_object last_object;
|
|
struct binder_buffer_object *last_bbo;
|
|
size_t object_size = binder_get_object(proc, b, last_obj_offset,
|
|
&last_object);
|
|
if (object_size != sizeof(*last_bbo))
|
|
return false;
|
|
|
|
last_bbo = &last_object.bbo;
|
|
/*
|
|
* Safe to retrieve the parent of last_obj, since it
|
|
* was already previously verified by the driver.
|
|
*/
|
|
if ((last_bbo->flags & BINDER_BUFFER_FLAG_HAS_PARENT) == 0)
|
|
return false;
|
|
last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t);
|
|
buffer_offset = objects_start_offset +
|
|
sizeof(binder_size_t) * last_bbo->parent;
|
|
if (binder_alloc_copy_from_buffer(&proc->alloc,
|
|
&last_obj_offset,
|
|
b, buffer_offset,
|
|
sizeof(last_obj_offset)))
|
|
return false;
|
|
}
|
|
return (fixup_offset >= last_min_offset);
|
|
}
|
|
|
|
/**
|
|
* struct binder_task_work_cb - for deferred close
|
|
*
|
|
* @twork: callback_head for task work
|
|
* @fd: fd to close
|
|
*
|
|
* Structure to pass task work to be handled after
|
|
* returning from binder_ioctl() via task_work_add().
|
|
*/
|
|
struct binder_task_work_cb {
|
|
struct callback_head twork;
|
|
struct file *file;
|
|
};
|
|
|
|
/**
|
|
* binder_do_fd_close() - close list of file descriptors
|
|
* @twork: callback head for task work
|
|
*
|
|
* It is not safe to call ksys_close() during the binder_ioctl()
|
|
* function if there is a chance that binder's own file descriptor
|
|
* might be closed. This is to meet the requirements for using
|
|
* fdget() (see comments for __fget_light()). Therefore use
|
|
* task_work_add() to schedule the close operation once we have
|
|
* returned from binder_ioctl(). This function is a callback
|
|
* for that mechanism and does the actual ksys_close() on the
|
|
* given file descriptor.
|
|
*/
|
|
static void binder_do_fd_close(struct callback_head *twork)
|
|
{
|
|
struct binder_task_work_cb *twcb = container_of(twork,
|
|
struct binder_task_work_cb, twork);
|
|
|
|
fput(twcb->file);
|
|
kfree(twcb);
|
|
}
|
|
|
|
/**
|
|
* binder_deferred_fd_close() - schedule a close for the given file-descriptor
|
|
* @fd: file-descriptor to close
|
|
*
|
|
* See comments in binder_do_fd_close(). This function is used to schedule
|
|
* a file-descriptor to be closed after returning from binder_ioctl().
|
|
*/
|
|
static void binder_deferred_fd_close(int fd)
|
|
{
|
|
struct binder_task_work_cb *twcb;
|
|
|
|
twcb = kzalloc(sizeof(*twcb), GFP_KERNEL);
|
|
if (!twcb)
|
|
return;
|
|
init_task_work(&twcb->twork, binder_do_fd_close);
|
|
__close_fd_get_file(fd, &twcb->file);
|
|
if (twcb->file) {
|
|
filp_close(twcb->file, current->files);
|
|
task_work_add(current, &twcb->twork, TWA_RESUME);
|
|
} else {
|
|
kfree(twcb);
|
|
}
|
|
}
|
|
|
|
static void binder_transaction_buffer_release(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
struct binder_buffer *buffer,
|
|
binder_size_t failed_at,
|
|
bool is_failure)
|
|
{
|
|
int debug_id = buffer->debug_id;
|
|
binder_size_t off_start_offset, buffer_offset, off_end_offset;
|
|
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"%d buffer release %d, size %zd-%zd, failed at %llx\n",
|
|
proc->pid, buffer->debug_id,
|
|
buffer->data_size, buffer->offsets_size,
|
|
(unsigned long long)failed_at);
|
|
|
|
if (buffer->target_node)
|
|
binder_dec_node(buffer->target_node, 1, 0);
|
|
|
|
off_start_offset = ALIGN(buffer->data_size, sizeof(void *));
|
|
off_end_offset = is_failure && failed_at ? failed_at :
|
|
off_start_offset + buffer->offsets_size;
|
|
for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
|
|
buffer_offset += sizeof(binder_size_t)) {
|
|
struct binder_object_header *hdr;
|
|
size_t object_size = 0;
|
|
struct binder_object object;
|
|
binder_size_t object_offset;
|
|
|
|
if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
|
|
buffer, buffer_offset,
|
|
sizeof(object_offset)))
|
|
object_size = binder_get_object(proc, buffer,
|
|
object_offset, &object);
|
|
if (object_size == 0) {
|
|
pr_err("transaction release %d bad object at offset %lld, size %zd\n",
|
|
debug_id, (u64)object_offset, buffer->data_size);
|
|
continue;
|
|
}
|
|
hdr = &object.hdr;
|
|
switch (hdr->type) {
|
|
case BINDER_TYPE_BINDER:
|
|
case BINDER_TYPE_WEAK_BINDER: {
|
|
struct flat_binder_object *fp;
|
|
struct binder_node *node;
|
|
|
|
fp = to_flat_binder_object(hdr);
|
|
node = binder_get_node(proc, fp->binder);
|
|
if (node == NULL) {
|
|
pr_err("transaction release %d bad node %016llx\n",
|
|
debug_id, (u64)fp->binder);
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" node %d u%016llx\n",
|
|
node->debug_id, (u64)node->ptr);
|
|
binder_dec_node(node, hdr->type == BINDER_TYPE_BINDER,
|
|
0);
|
|
binder_put_node(node);
|
|
} break;
|
|
case BINDER_TYPE_HANDLE:
|
|
case BINDER_TYPE_WEAK_HANDLE: {
|
|
struct flat_binder_object *fp;
|
|
struct binder_ref_data rdata;
|
|
int ret;
|
|
|
|
fp = to_flat_binder_object(hdr);
|
|
ret = binder_dec_ref_for_handle(proc, fp->handle,
|
|
hdr->type == BINDER_TYPE_HANDLE, &rdata);
|
|
|
|
if (ret) {
|
|
pr_err("transaction release %d bad handle %d, ret = %d\n",
|
|
debug_id, fp->handle, ret);
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" ref %d desc %d\n",
|
|
rdata.debug_id, rdata.desc);
|
|
} break;
|
|
|
|
case BINDER_TYPE_FD: {
|
|
/*
|
|
* No need to close the file here since user-space
|
|
* closes it for for successfully delivered
|
|
* transactions. For transactions that weren't
|
|
* delivered, the new fd was never allocated so
|
|
* there is no need to close and the fput on the
|
|
* file is done when the transaction is torn
|
|
* down.
|
|
*/
|
|
} break;
|
|
case BINDER_TYPE_PTR:
|
|
/*
|
|
* Nothing to do here, this will get cleaned up when the
|
|
* transaction buffer gets freed
|
|
*/
|
|
break;
|
|
case BINDER_TYPE_FDA: {
|
|
struct binder_fd_array_object *fda;
|
|
struct binder_buffer_object *parent;
|
|
struct binder_object ptr_object;
|
|
binder_size_t fda_offset;
|
|
size_t fd_index;
|
|
binder_size_t fd_buf_size;
|
|
binder_size_t num_valid;
|
|
|
|
if (is_failure) {
|
|
/*
|
|
* The fd fixups have not been applied so no
|
|
* fds need to be closed.
|
|
*/
|
|
continue;
|
|
}
|
|
|
|
num_valid = (buffer_offset - off_start_offset) /
|
|
sizeof(binder_size_t);
|
|
fda = to_binder_fd_array_object(hdr);
|
|
parent = binder_validate_ptr(proc, buffer, &ptr_object,
|
|
fda->parent,
|
|
off_start_offset,
|
|
NULL,
|
|
num_valid);
|
|
if (!parent) {
|
|
pr_err("transaction release %d bad parent offset\n",
|
|
debug_id);
|
|
continue;
|
|
}
|
|
fd_buf_size = sizeof(u32) * fda->num_fds;
|
|
if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
|
|
pr_err("transaction release %d invalid number of fds (%lld)\n",
|
|
debug_id, (u64)fda->num_fds);
|
|
continue;
|
|
}
|
|
if (fd_buf_size > parent->length ||
|
|
fda->parent_offset > parent->length - fd_buf_size) {
|
|
/* No space for all file descriptors here. */
|
|
pr_err("transaction release %d not enough space for %lld fds in buffer\n",
|
|
debug_id, (u64)fda->num_fds);
|
|
continue;
|
|
}
|
|
/*
|
|
* the source data for binder_buffer_object is visible
|
|
* to user-space and the @buffer element is the user
|
|
* pointer to the buffer_object containing the fd_array.
|
|
* Convert the address to an offset relative to
|
|
* the base of the transaction buffer.
|
|
*/
|
|
fda_offset =
|
|
(parent->buffer - (uintptr_t)buffer->user_data) +
|
|
fda->parent_offset;
|
|
for (fd_index = 0; fd_index < fda->num_fds;
|
|
fd_index++) {
|
|
u32 fd;
|
|
int err;
|
|
binder_size_t offset = fda_offset +
|
|
fd_index * sizeof(fd);
|
|
|
|
err = binder_alloc_copy_from_buffer(
|
|
&proc->alloc, &fd, buffer,
|
|
offset, sizeof(fd));
|
|
WARN_ON(err);
|
|
if (!err) {
|
|
binder_deferred_fd_close(fd);
|
|
/*
|
|
* Need to make sure the thread goes
|
|
* back to userspace to complete the
|
|
* deferred close
|
|
*/
|
|
if (thread)
|
|
thread->looper_need_return = true;
|
|
}
|
|
}
|
|
} break;
|
|
default:
|
|
pr_err("transaction release %d bad object type %x\n",
|
|
debug_id, hdr->type);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
static int binder_translate_binder(struct flat_binder_object *fp,
|
|
struct binder_transaction *t,
|
|
struct binder_thread *thread)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
struct binder_ref_data rdata;
|
|
int ret = 0;
|
|
|
|
node = binder_get_node(proc, fp->binder);
|
|
if (!node) {
|
|
node = binder_new_node(proc, fp);
|
|
if (!node)
|
|
return -ENOMEM;
|
|
}
|
|
if (fp->cookie != node->cookie) {
|
|
binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
|
|
proc->pid, thread->pid, (u64)fp->binder,
|
|
node->debug_id, (u64)fp->cookie,
|
|
(u64)node->cookie);
|
|
ret = -EINVAL;
|
|
goto done;
|
|
}
|
|
if (security_binder_transfer_binder(binder_get_cred(proc),
|
|
binder_get_cred(target_proc))) {
|
|
ret = -EPERM;
|
|
goto done;
|
|
}
|
|
|
|
ret = binder_inc_ref_for_node(target_proc, node,
|
|
fp->hdr.type == BINDER_TYPE_BINDER,
|
|
&thread->todo, &rdata);
|
|
if (ret)
|
|
goto done;
|
|
|
|
if (fp->hdr.type == BINDER_TYPE_BINDER)
|
|
fp->hdr.type = BINDER_TYPE_HANDLE;
|
|
else
|
|
fp->hdr.type = BINDER_TYPE_WEAK_HANDLE;
|
|
fp->binder = 0;
|
|
fp->handle = rdata.desc;
|
|
fp->cookie = 0;
|
|
|
|
trace_binder_transaction_node_to_ref(t, node, &rdata);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" node %d u%016llx -> ref %d desc %d\n",
|
|
node->debug_id, (u64)node->ptr,
|
|
rdata.debug_id, rdata.desc);
|
|
done:
|
|
binder_put_node(node);
|
|
return ret;
|
|
}
|
|
|
|
static int binder_translate_handle(struct flat_binder_object *fp,
|
|
struct binder_transaction *t,
|
|
struct binder_thread *thread)
|
|
{
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
struct binder_node *node;
|
|
struct binder_ref_data src_rdata;
|
|
int ret = 0;
|
|
|
|
node = binder_get_node_from_ref(proc, fp->handle,
|
|
fp->hdr.type == BINDER_TYPE_HANDLE, &src_rdata);
|
|
if (!node) {
|
|
binder_user_error("%d:%d got transaction with invalid handle, %d\n",
|
|
proc->pid, thread->pid, fp->handle);
|
|
return -EINVAL;
|
|
}
|
|
if (security_binder_transfer_binder(binder_get_cred(proc),
|
|
binder_get_cred(target_proc))) {
|
|
ret = -EPERM;
|
|
goto done;
|
|
}
|
|
|
|
binder_node_lock(node);
|
|
if (node->proc == target_proc) {
|
|
if (fp->hdr.type == BINDER_TYPE_HANDLE)
|
|
fp->hdr.type = BINDER_TYPE_BINDER;
|
|
else
|
|
fp->hdr.type = BINDER_TYPE_WEAK_BINDER;
|
|
fp->binder = node->ptr;
|
|
fp->cookie = node->cookie;
|
|
if (node->proc)
|
|
binder_inner_proc_lock(node->proc);
|
|
else
|
|
__acquire(&node->proc->inner_lock);
|
|
binder_inc_node_nilocked(node,
|
|
fp->hdr.type == BINDER_TYPE_BINDER,
|
|
0, NULL);
|
|
if (node->proc)
|
|
binder_inner_proc_unlock(node->proc);
|
|
else
|
|
__release(&node->proc->inner_lock);
|
|
trace_binder_transaction_ref_to_node(t, node, &src_rdata);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" ref %d desc %d -> node %d u%016llx\n",
|
|
src_rdata.debug_id, src_rdata.desc, node->debug_id,
|
|
(u64)node->ptr);
|
|
binder_node_unlock(node);
|
|
} else {
|
|
struct binder_ref_data dest_rdata;
|
|
|
|
binder_node_unlock(node);
|
|
ret = binder_inc_ref_for_node(target_proc, node,
|
|
fp->hdr.type == BINDER_TYPE_HANDLE,
|
|
NULL, &dest_rdata);
|
|
if (ret)
|
|
goto done;
|
|
|
|
fp->binder = 0;
|
|
fp->handle = dest_rdata.desc;
|
|
fp->cookie = 0;
|
|
trace_binder_transaction_ref_to_ref(t, node, &src_rdata,
|
|
&dest_rdata);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
" ref %d desc %d -> ref %d desc %d (node %d)\n",
|
|
src_rdata.debug_id, src_rdata.desc,
|
|
dest_rdata.debug_id, dest_rdata.desc,
|
|
node->debug_id);
|
|
}
|
|
done:
|
|
binder_put_node(node);
|
|
return ret;
|
|
}
|
|
|
|
static int binder_translate_fd(u32 fd, binder_size_t fd_offset,
|
|
struct binder_transaction *t,
|
|
struct binder_thread *thread,
|
|
struct binder_transaction *in_reply_to)
|
|
{
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
struct binder_txn_fd_fixup *fixup;
|
|
struct file *file;
|
|
int ret = 0;
|
|
bool target_allows_fd;
|
|
|
|
if (in_reply_to)
|
|
target_allows_fd = !!(in_reply_to->flags & TF_ACCEPT_FDS);
|
|
else
|
|
target_allows_fd = t->buffer->target_node->accept_fds;
|
|
if (!target_allows_fd) {
|
|
binder_user_error("%d:%d got %s with fd, %d, but target does not allow fds\n",
|
|
proc->pid, thread->pid,
|
|
in_reply_to ? "reply" : "transaction",
|
|
fd);
|
|
ret = -EPERM;
|
|
goto err_fd_not_accepted;
|
|
}
|
|
|
|
file = fget(fd);
|
|
if (!file) {
|
|
binder_user_error("%d:%d got transaction with invalid fd, %d\n",
|
|
proc->pid, thread->pid, fd);
|
|
ret = -EBADF;
|
|
goto err_fget;
|
|
}
|
|
ret = security_binder_transfer_file(binder_get_cred(proc),
|
|
binder_get_cred(target_proc), file);
|
|
if (ret < 0) {
|
|
ret = -EPERM;
|
|
goto err_security;
|
|
}
|
|
|
|
/*
|
|
* Add fixup record for this transaction. The allocation
|
|
* of the fd in the target needs to be done from a
|
|
* target thread.
|
|
*/
|
|
fixup = kzalloc(sizeof(*fixup), GFP_KERNEL);
|
|
if (!fixup) {
|
|
ret = -ENOMEM;
|
|
goto err_alloc;
|
|
}
|
|
fixup->file = file;
|
|
fixup->offset = fd_offset;
|
|
trace_binder_transaction_fd_send(t, fd, fixup->offset);
|
|
list_add_tail(&fixup->fixup_entry, &t->fd_fixups);
|
|
|
|
return ret;
|
|
|
|
err_alloc:
|
|
err_security:
|
|
fput(file);
|
|
err_fget:
|
|
err_fd_not_accepted:
|
|
return ret;
|
|
}
|
|
|
|
static int binder_translate_fd_array(struct binder_fd_array_object *fda,
|
|
struct binder_buffer_object *parent,
|
|
struct binder_transaction *t,
|
|
struct binder_thread *thread,
|
|
struct binder_transaction *in_reply_to)
|
|
{
|
|
binder_size_t fdi, fd_buf_size;
|
|
binder_size_t fda_offset;
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
|
|
fd_buf_size = sizeof(u32) * fda->num_fds;
|
|
if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
|
|
binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
|
|
proc->pid, thread->pid, (u64)fda->num_fds);
|
|
return -EINVAL;
|
|
}
|
|
if (fd_buf_size > parent->length ||
|
|
fda->parent_offset > parent->length - fd_buf_size) {
|
|
/* No space for all file descriptors here. */
|
|
binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
|
|
proc->pid, thread->pid, (u64)fda->num_fds);
|
|
return -EINVAL;
|
|
}
|
|
/*
|
|
* the source data for binder_buffer_object is visible
|
|
* to user-space and the @buffer element is the user
|
|
* pointer to the buffer_object containing the fd_array.
|
|
* Convert the address to an offset relative to
|
|
* the base of the transaction buffer.
|
|
*/
|
|
fda_offset = (parent->buffer - (uintptr_t)t->buffer->user_data) +
|
|
fda->parent_offset;
|
|
if (!IS_ALIGNED((unsigned long)fda_offset, sizeof(u32))) {
|
|
binder_user_error("%d:%d parent offset not aligned correctly.\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
for (fdi = 0; fdi < fda->num_fds; fdi++) {
|
|
u32 fd;
|
|
int ret;
|
|
binder_size_t offset = fda_offset + fdi * sizeof(fd);
|
|
|
|
ret = binder_alloc_copy_from_buffer(&target_proc->alloc,
|
|
&fd, t->buffer,
|
|
offset, sizeof(fd));
|
|
if (!ret)
|
|
ret = binder_translate_fd(fd, offset, t, thread,
|
|
in_reply_to);
|
|
if (ret)
|
|
return ret > 0 ? -EINVAL : ret;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int binder_fixup_parent(struct binder_transaction *t,
|
|
struct binder_thread *thread,
|
|
struct binder_buffer_object *bp,
|
|
binder_size_t off_start_offset,
|
|
binder_size_t num_valid,
|
|
binder_size_t last_fixup_obj_off,
|
|
binder_size_t last_fixup_min_off)
|
|
{
|
|
struct binder_buffer_object *parent;
|
|
struct binder_buffer *b = t->buffer;
|
|
struct binder_proc *proc = thread->proc;
|
|
struct binder_proc *target_proc = t->to_proc;
|
|
struct binder_object object;
|
|
binder_size_t buffer_offset;
|
|
binder_size_t parent_offset;
|
|
|
|
if (!(bp->flags & BINDER_BUFFER_FLAG_HAS_PARENT))
|
|
return 0;
|
|
|
|
parent = binder_validate_ptr(target_proc, b, &object, bp->parent,
|
|
off_start_offset, &parent_offset,
|
|
num_valid);
|
|
if (!parent) {
|
|
binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (!binder_validate_fixup(target_proc, b, off_start_offset,
|
|
parent_offset, bp->parent_offset,
|
|
last_fixup_obj_off,
|
|
last_fixup_min_off)) {
|
|
binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (parent->length < sizeof(binder_uintptr_t) ||
|
|
bp->parent_offset > parent->length - sizeof(binder_uintptr_t)) {
|
|
/* No space for a pointer here! */
|
|
binder_user_error("%d:%d got transaction with invalid parent offset\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
buffer_offset = bp->parent_offset +
|
|
(uintptr_t)parent->buffer - (uintptr_t)b->user_data;
|
|
if (binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset,
|
|
&bp->buffer, sizeof(bp->buffer))) {
|
|
binder_user_error("%d:%d got transaction with invalid parent offset\n",
|
|
proc->pid, thread->pid);
|
|
return -EINVAL;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* binder_proc_transaction() - sends a transaction to a process and wakes it up
|
|
* @t: transaction to send
|
|
* @proc: process to send the transaction to
|
|
* @thread: thread in @proc to send the transaction to (may be NULL)
|
|
*
|
|
* This function queues a transaction to the specified process. It will try
|
|
* to find a thread in the target process to handle the transaction and
|
|
* wake it up. If no thread is found, the work is queued to the proc
|
|
* waitqueue.
|
|
*
|
|
* If the @thread parameter is not NULL, the transaction is always queued
|
|
* to the waitlist of that specific thread.
|
|
*
|
|
* Return: 0 if the transaction was successfully queued
|
|
* BR_DEAD_REPLY if the target process or thread is dead
|
|
* BR_FROZEN_REPLY if the target process or thread is frozen
|
|
*/
|
|
static int binder_proc_transaction(struct binder_transaction *t,
|
|
struct binder_proc *proc,
|
|
struct binder_thread *thread)
|
|
{
|
|
struct binder_node *node = t->buffer->target_node;
|
|
struct binder_priority node_prio;
|
|
bool oneway = !!(t->flags & TF_ONE_WAY);
|
|
bool pending_async = false;
|
|
bool skip = false;
|
|
|
|
BUG_ON(!node);
|
|
binder_node_lock(node);
|
|
node_prio.prio = node->min_priority;
|
|
node_prio.sched_policy = node->sched_policy;
|
|
|
|
if (oneway) {
|
|
BUG_ON(thread);
|
|
if (node->has_async_transaction)
|
|
pending_async = true;
|
|
else
|
|
node->has_async_transaction = true;
|
|
}
|
|
|
|
binder_inner_proc_lock(proc);
|
|
if (proc->is_frozen) {
|
|
proc->sync_recv |= !oneway;
|
|
proc->async_recv |= oneway;
|
|
}
|
|
|
|
if ((proc->is_frozen && !oneway) || proc->is_dead ||
|
|
(thread && thread->is_dead)) {
|
|
binder_inner_proc_unlock(proc);
|
|
binder_node_unlock(node);
|
|
return proc->is_frozen ? BR_FROZEN_REPLY : BR_DEAD_REPLY;
|
|
}
|
|
|
|
trace_android_vh_binder_proc_transaction_entry(proc, t,
|
|
&thread, node->debug_id, pending_async, !oneway, &skip);
|
|
|
|
if (!thread && !pending_async && !skip)
|
|
thread = binder_select_thread_ilocked(proc);
|
|
|
|
trace_android_vh_binder_proc_transaction(current, proc->tsk,
|
|
thread ? thread->task : 0, node->debug_id, t->code, pending_async);
|
|
|
|
if (thread) {
|
|
binder_transaction_priority(thread->task, t, node_prio,
|
|
node->inherit_rt);
|
|
binder_enqueue_thread_work_ilocked(thread, &t->work);
|
|
} else if (!pending_async) {
|
|
binder_enqueue_work_ilocked(&t->work, &proc->todo);
|
|
} else {
|
|
binder_enqueue_work_ilocked(&t->work, &node->async_todo);
|
|
}
|
|
|
|
trace_android_vh_binder_proc_transaction_end(current, proc->tsk,
|
|
thread ? thread->task : NULL, t->code, pending_async, !oneway);
|
|
|
|
if (!pending_async)
|
|
binder_wakeup_thread_ilocked(proc, thread, !oneway /* sync */);
|
|
|
|
proc->outstanding_txns++;
|
|
binder_inner_proc_unlock(proc);
|
|
binder_node_unlock(node);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* binder_get_node_refs_for_txn() - Get required refs on node for txn
|
|
* @node: struct binder_node for which to get refs
|
|
* @proc: returns @node->proc if valid
|
|
* @error: if no @proc then returns BR_DEAD_REPLY
|
|
*
|
|
* User-space normally keeps the node alive when creating a transaction
|
|
* since it has a reference to the target. The local strong ref keeps it
|
|
* alive if the sending process dies before the target process processes
|
|
* the transaction. If the source process is malicious or has a reference
|
|
* counting bug, relying on the local strong ref can fail.
|
|
*
|
|
* Since user-space can cause the local strong ref to go away, we also take
|
|
* a tmpref on the node to ensure it survives while we are constructing
|
|
* the transaction. We also need a tmpref on the proc while we are
|
|
* constructing the transaction, so we take that here as well.
|
|
*
|
|
* Return: The target_node with refs taken or NULL if no @node->proc is NULL.
|
|
* Also sets @proc if valid. If the @node->proc is NULL indicating that the
|
|
* target proc has died, @error is set to BR_DEAD_REPLY
|
|
*/
|
|
static struct binder_node *binder_get_node_refs_for_txn(
|
|
struct binder_node *node,
|
|
struct binder_proc **procp,
|
|
uint32_t *error)
|
|
{
|
|
struct binder_node *target_node = NULL;
|
|
|
|
binder_node_inner_lock(node);
|
|
if (node->proc) {
|
|
target_node = node;
|
|
binder_inc_node_nilocked(node, 1, 0, NULL);
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
node->proc->tmp_ref++;
|
|
*procp = node->proc;
|
|
} else
|
|
*error = BR_DEAD_REPLY;
|
|
binder_node_inner_unlock(node);
|
|
|
|
return target_node;
|
|
}
|
|
|
|
static void binder_transaction(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
struct binder_transaction_data *tr, int reply,
|
|
binder_size_t extra_buffers_size)
|
|
{
|
|
int ret;
|
|
struct binder_transaction *t;
|
|
struct binder_work *w;
|
|
struct binder_work *tcomplete;
|
|
binder_size_t buffer_offset = 0;
|
|
binder_size_t off_start_offset, off_end_offset;
|
|
binder_size_t off_min;
|
|
binder_size_t sg_buf_offset, sg_buf_end_offset;
|
|
struct binder_proc *target_proc = NULL;
|
|
struct binder_thread *target_thread = NULL;
|
|
struct binder_node *target_node = NULL;
|
|
struct binder_transaction *in_reply_to = NULL;
|
|
struct binder_transaction_log_entry *e;
|
|
uint32_t return_error = 0;
|
|
uint32_t return_error_param = 0;
|
|
uint32_t return_error_line = 0;
|
|
binder_size_t last_fixup_obj_off = 0;
|
|
binder_size_t last_fixup_min_off = 0;
|
|
struct binder_context *context = proc->context;
|
|
int t_debug_id = atomic_inc_return(&binder_last_id);
|
|
char *secctx = NULL;
|
|
u32 secctx_sz = 0;
|
|
|
|
e = binder_transaction_log_add(&binder_transaction_log);
|
|
e->debug_id = t_debug_id;
|
|
e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
|
|
e->from_proc = proc->pid;
|
|
e->from_thread = thread->pid;
|
|
e->target_handle = tr->target.handle;
|
|
e->data_size = tr->data_size;
|
|
e->offsets_size = tr->offsets_size;
|
|
strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME);
|
|
|
|
if (reply) {
|
|
binder_inner_proc_lock(proc);
|
|
in_reply_to = thread->transaction_stack;
|
|
if (in_reply_to == NULL) {
|
|
binder_inner_proc_unlock(proc);
|
|
binder_user_error("%d:%d got reply transaction with no transaction stack\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
goto err_empty_call_stack;
|
|
}
|
|
if (in_reply_to->to_thread != thread) {
|
|
spin_lock(&in_reply_to->lock);
|
|
binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
|
|
proc->pid, thread->pid, in_reply_to->debug_id,
|
|
in_reply_to->to_proc ?
|
|
in_reply_to->to_proc->pid : 0,
|
|
in_reply_to->to_thread ?
|
|
in_reply_to->to_thread->pid : 0);
|
|
spin_unlock(&in_reply_to->lock);
|
|
binder_inner_proc_unlock(proc);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
in_reply_to = NULL;
|
|
goto err_bad_call_stack;
|
|
}
|
|
thread->transaction_stack = in_reply_to->to_parent;
|
|
binder_inner_proc_unlock(proc);
|
|
target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
|
|
if (target_thread == NULL) {
|
|
/* annotation for sparse */
|
|
__release(&target_thread->proc->inner_lock);
|
|
return_error = BR_DEAD_REPLY;
|
|
return_error_line = __LINE__;
|
|
goto err_dead_binder;
|
|
}
|
|
if (target_thread->transaction_stack != in_reply_to) {
|
|
binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
|
|
proc->pid, thread->pid,
|
|
target_thread->transaction_stack ?
|
|
target_thread->transaction_stack->debug_id : 0,
|
|
in_reply_to->debug_id);
|
|
binder_inner_proc_unlock(target_thread->proc);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
in_reply_to = NULL;
|
|
target_thread = NULL;
|
|
goto err_dead_binder;
|
|
}
|
|
target_proc = target_thread->proc;
|
|
target_proc->tmp_ref++;
|
|
binder_inner_proc_unlock(target_thread->proc);
|
|
trace_android_vh_binder_reply(target_proc, proc, thread, tr);
|
|
} else {
|
|
if (tr->target.handle) {
|
|
struct binder_ref *ref;
|
|
|
|
/*
|
|
* There must already be a strong ref
|
|
* on this node. If so, do a strong
|
|
* increment on the node to ensure it
|
|
* stays alive until the transaction is
|
|
* done.
|
|
*/
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, tr->target.handle,
|
|
true);
|
|
if (ref) {
|
|
target_node = binder_get_node_refs_for_txn(
|
|
ref->node, &target_proc,
|
|
&return_error);
|
|
} else {
|
|
binder_user_error("%d:%d got transaction to invalid handle, %u\n",
|
|
proc->pid, thread->pid, tr->target.handle);
|
|
return_error = BR_FAILED_REPLY;
|
|
}
|
|
binder_proc_unlock(proc);
|
|
} else {
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
target_node = context->binder_context_mgr_node;
|
|
if (target_node)
|
|
target_node = binder_get_node_refs_for_txn(
|
|
target_node, &target_proc,
|
|
&return_error);
|
|
else
|
|
return_error = BR_DEAD_REPLY;
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
if (target_node && target_proc->pid == proc->pid) {
|
|
binder_user_error("%d:%d got transaction to context manager from process owning it\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_invalid_target_handle;
|
|
}
|
|
}
|
|
if (!target_node) {
|
|
/*
|
|
* return_error is set above
|
|
*/
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_dead_binder;
|
|
}
|
|
e->to_node = target_node->debug_id;
|
|
trace_android_vh_binder_trans(target_proc, proc, thread, tr);
|
|
if (security_binder_transaction(binder_get_cred(proc),
|
|
binder_get_cred(target_proc)) < 0) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPERM;
|
|
return_error_line = __LINE__;
|
|
goto err_invalid_target_handle;
|
|
}
|
|
binder_inner_proc_lock(proc);
|
|
|
|
w = list_first_entry_or_null(&thread->todo,
|
|
struct binder_work, entry);
|
|
if (!(tr->flags & TF_ONE_WAY) && w &&
|
|
w->type == BINDER_WORK_TRANSACTION) {
|
|
/*
|
|
* Do not allow new outgoing transaction from a
|
|
* thread that has a transaction at the head of
|
|
* its todo list. Only need to check the head
|
|
* because binder_select_thread_ilocked picks a
|
|
* thread from proc->waiting_threads to enqueue
|
|
* the transaction, and nothing is queued to the
|
|
* todo list while the thread is on waiting_threads.
|
|
*/
|
|
binder_user_error("%d:%d new transaction not allowed when there is a transaction on thread todo\n",
|
|
proc->pid, thread->pid);
|
|
binder_inner_proc_unlock(proc);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_todo_list;
|
|
}
|
|
|
|
if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
|
|
struct binder_transaction *tmp;
|
|
|
|
tmp = thread->transaction_stack;
|
|
if (tmp->to_thread != thread) {
|
|
spin_lock(&tmp->lock);
|
|
binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
|
|
proc->pid, thread->pid, tmp->debug_id,
|
|
tmp->to_proc ? tmp->to_proc->pid : 0,
|
|
tmp->to_thread ?
|
|
tmp->to_thread->pid : 0);
|
|
spin_unlock(&tmp->lock);
|
|
binder_inner_proc_unlock(proc);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EPROTO;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_call_stack;
|
|
}
|
|
while (tmp) {
|
|
struct binder_thread *from;
|
|
|
|
spin_lock(&tmp->lock);
|
|
from = tmp->from;
|
|
if (from && from->proc == target_proc) {
|
|
atomic_inc(&from->tmp_ref);
|
|
target_thread = from;
|
|
spin_unlock(&tmp->lock);
|
|
break;
|
|
}
|
|
spin_unlock(&tmp->lock);
|
|
tmp = tmp->from_parent;
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
if (target_thread)
|
|
e->to_thread = target_thread->pid;
|
|
e->to_proc = target_proc->pid;
|
|
trace_android_rvh_binder_transaction(target_proc, proc, thread, tr);
|
|
|
|
/* TODO: reuse incoming transaction for reply */
|
|
t = kzalloc(sizeof(*t), GFP_KERNEL);
|
|
if (t == NULL) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -ENOMEM;
|
|
return_error_line = __LINE__;
|
|
goto err_alloc_t_failed;
|
|
}
|
|
INIT_LIST_HEAD(&t->fd_fixups);
|
|
binder_stats_created(BINDER_STAT_TRANSACTION);
|
|
spin_lock_init(&t->lock);
|
|
trace_android_vh_binder_transaction_init(t);
|
|
|
|
tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
|
|
if (tcomplete == NULL) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -ENOMEM;
|
|
return_error_line = __LINE__;
|
|
goto err_alloc_tcomplete_failed;
|
|
}
|
|
binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);
|
|
|
|
t->debug_id = t_debug_id;
|
|
|
|
if (reply)
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
|
|
proc->pid, thread->pid, t->debug_id,
|
|
target_proc->pid, target_thread->pid,
|
|
(u64)tr->data.ptr.buffer,
|
|
(u64)tr->data.ptr.offsets,
|
|
(u64)tr->data_size, (u64)tr->offsets_size,
|
|
(u64)extra_buffers_size);
|
|
else
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
|
|
proc->pid, thread->pid, t->debug_id,
|
|
target_proc->pid, target_node->debug_id,
|
|
(u64)tr->data.ptr.buffer,
|
|
(u64)tr->data.ptr.offsets,
|
|
(u64)tr->data_size, (u64)tr->offsets_size,
|
|
(u64)extra_buffers_size);
|
|
|
|
if (!reply && !(tr->flags & TF_ONE_WAY))
|
|
t->from = thread;
|
|
else
|
|
t->from = NULL;
|
|
t->sender_euid = task_euid(proc->tsk);
|
|
t->to_proc = target_proc;
|
|
t->to_thread = target_thread;
|
|
t->code = tr->code;
|
|
t->flags = tr->flags;
|
|
if (!(t->flags & TF_ONE_WAY) &&
|
|
binder_supported_policy(current->policy)) {
|
|
/* Inherit supported policies for synchronous transactions */
|
|
t->priority.sched_policy = current->policy;
|
|
t->priority.prio = current->normal_prio;
|
|
} else {
|
|
/* Otherwise, fall back to the default priority */
|
|
t->priority = target_proc->default_priority;
|
|
}
|
|
|
|
if (target_node && target_node->txn_security_ctx) {
|
|
u32 secid;
|
|
size_t added_size;
|
|
int max_retries = 100;
|
|
|
|
security_cred_getsecid(binder_get_cred(proc), &secid);
|
|
retry_alloc:
|
|
ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
|
|
if (ret == -ENOMEM && max_retries-- > 0) {
|
|
struct page *dummy_page;
|
|
|
|
/*
|
|
* security_secid_to_secctx() can fail because of a
|
|
* GFP_ATOMIC allocation in which case -ENOMEM is
|
|
* returned. This needs to be retried, but there is
|
|
* currently no way to tell userspace to retry so we
|
|
* do it here. We make sure there is still available
|
|
* memory first and then retry.
|
|
*/
|
|
dummy_page = alloc_page(GFP_KERNEL);
|
|
if (dummy_page) {
|
|
__free_page(dummy_page);
|
|
goto retry_alloc;
|
|
}
|
|
}
|
|
if (ret) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_get_secctx_failed;
|
|
}
|
|
added_size = ALIGN(secctx_sz, sizeof(u64));
|
|
extra_buffers_size += added_size;
|
|
if (extra_buffers_size < added_size) {
|
|
/* integer overflow of extra_buffers_size */
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_extra_size;
|
|
}
|
|
}
|
|
|
|
trace_binder_transaction(reply, t, target_node);
|
|
|
|
t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
|
|
tr->offsets_size, extra_buffers_size,
|
|
!reply && (t->flags & TF_ONE_WAY), current->tgid);
|
|
if (IS_ERR(t->buffer)) {
|
|
/*
|
|
* -ESRCH indicates VMA cleared. The target is dying.
|
|
*/
|
|
return_error_param = PTR_ERR(t->buffer);
|
|
return_error = return_error_param == -ESRCH ?
|
|
BR_DEAD_REPLY : BR_FAILED_REPLY;
|
|
return_error_line = __LINE__;
|
|
t->buffer = NULL;
|
|
goto err_binder_alloc_buf_failed;
|
|
}
|
|
if (secctx) {
|
|
int err;
|
|
size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
|
|
ALIGN(tr->offsets_size, sizeof(void *)) +
|
|
ALIGN(extra_buffers_size, sizeof(void *)) -
|
|
ALIGN(secctx_sz, sizeof(u64));
|
|
|
|
t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
|
|
err = binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer, buf_offset,
|
|
secctx, secctx_sz);
|
|
if (err) {
|
|
t->security_ctx = 0;
|
|
WARN_ON(1);
|
|
}
|
|
security_release_secctx(secctx, secctx_sz);
|
|
secctx = NULL;
|
|
}
|
|
t->buffer->debug_id = t->debug_id;
|
|
t->buffer->transaction = t;
|
|
t->buffer->target_node = target_node;
|
|
t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);
|
|
trace_binder_transaction_alloc_buf(t->buffer);
|
|
|
|
if (binder_alloc_copy_user_to_buffer(
|
|
&target_proc->alloc,
|
|
t->buffer, 0,
|
|
(const void __user *)
|
|
(uintptr_t)tr->data.ptr.buffer,
|
|
tr->data_size)) {
|
|
binder_user_error("%d:%d got transaction with invalid data ptr\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EFAULT;
|
|
return_error_line = __LINE__;
|
|
goto err_copy_data_failed;
|
|
}
|
|
if (binder_alloc_copy_user_to_buffer(
|
|
&target_proc->alloc,
|
|
t->buffer,
|
|
ALIGN(tr->data_size, sizeof(void *)),
|
|
(const void __user *)
|
|
(uintptr_t)tr->data.ptr.offsets,
|
|
tr->offsets_size)) {
|
|
binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EFAULT;
|
|
return_error_line = __LINE__;
|
|
goto err_copy_data_failed;
|
|
}
|
|
if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
|
|
binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
|
|
proc->pid, thread->pid, (u64)tr->offsets_size);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
|
|
binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
|
|
proc->pid, thread->pid,
|
|
(u64)extra_buffers_size);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
off_start_offset = ALIGN(tr->data_size, sizeof(void *));
|
|
buffer_offset = off_start_offset;
|
|
off_end_offset = off_start_offset + tr->offsets_size;
|
|
sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
|
|
sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
|
|
ALIGN(secctx_sz, sizeof(u64));
|
|
off_min = 0;
|
|
for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
|
|
buffer_offset += sizeof(binder_size_t)) {
|
|
struct binder_object_header *hdr;
|
|
size_t object_size;
|
|
struct binder_object object;
|
|
binder_size_t object_offset;
|
|
|
|
if (binder_alloc_copy_from_buffer(&target_proc->alloc,
|
|
&object_offset,
|
|
t->buffer,
|
|
buffer_offset,
|
|
sizeof(object_offset))) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
object_size = binder_get_object(target_proc, t->buffer,
|
|
object_offset, &object);
|
|
if (object_size == 0 || object_offset < off_min) {
|
|
binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
|
|
proc->pid, thread->pid,
|
|
(u64)object_offset,
|
|
(u64)off_min,
|
|
(u64)t->buffer->data_size);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
|
|
hdr = &object.hdr;
|
|
off_min = object_offset + object_size;
|
|
switch (hdr->type) {
|
|
case BINDER_TYPE_BINDER:
|
|
case BINDER_TYPE_WEAK_BINDER: {
|
|
struct flat_binder_object *fp;
|
|
|
|
fp = to_flat_binder_object(hdr);
|
|
ret = binder_translate_binder(fp, t, thread);
|
|
|
|
if (ret < 0 ||
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer,
|
|
object_offset,
|
|
fp, sizeof(*fp))) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
} break;
|
|
case BINDER_TYPE_HANDLE:
|
|
case BINDER_TYPE_WEAK_HANDLE: {
|
|
struct flat_binder_object *fp;
|
|
|
|
fp = to_flat_binder_object(hdr);
|
|
ret = binder_translate_handle(fp, t, thread);
|
|
if (ret < 0 ||
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer,
|
|
object_offset,
|
|
fp, sizeof(*fp))) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
} break;
|
|
|
|
case BINDER_TYPE_FD: {
|
|
struct binder_fd_object *fp = to_binder_fd_object(hdr);
|
|
binder_size_t fd_offset = object_offset +
|
|
(uintptr_t)&fp->fd - (uintptr_t)fp;
|
|
int ret = binder_translate_fd(fp->fd, fd_offset, t,
|
|
thread, in_reply_to);
|
|
|
|
fp->pad_binder = 0;
|
|
if (ret < 0 ||
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer,
|
|
object_offset,
|
|
fp, sizeof(*fp))) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
} break;
|
|
case BINDER_TYPE_FDA: {
|
|
struct binder_object ptr_object;
|
|
binder_size_t parent_offset;
|
|
struct binder_fd_array_object *fda =
|
|
to_binder_fd_array_object(hdr);
|
|
size_t num_valid = (buffer_offset - off_start_offset) /
|
|
sizeof(binder_size_t);
|
|
struct binder_buffer_object *parent =
|
|
binder_validate_ptr(target_proc, t->buffer,
|
|
&ptr_object, fda->parent,
|
|
off_start_offset,
|
|
&parent_offset,
|
|
num_valid);
|
|
if (!parent) {
|
|
binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_parent;
|
|
}
|
|
if (!binder_validate_fixup(target_proc, t->buffer,
|
|
off_start_offset,
|
|
parent_offset,
|
|
fda->parent_offset,
|
|
last_fixup_obj_off,
|
|
last_fixup_min_off)) {
|
|
binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_parent;
|
|
}
|
|
ret = binder_translate_fd_array(fda, parent, t, thread,
|
|
in_reply_to);
|
|
if (ret < 0) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
last_fixup_obj_off = parent_offset;
|
|
last_fixup_min_off =
|
|
fda->parent_offset + sizeof(u32) * fda->num_fds;
|
|
} break;
|
|
case BINDER_TYPE_PTR: {
|
|
struct binder_buffer_object *bp =
|
|
to_binder_buffer_object(hdr);
|
|
size_t buf_left = sg_buf_end_offset - sg_buf_offset;
|
|
size_t num_valid;
|
|
|
|
if (bp->length > buf_left) {
|
|
binder_user_error("%d:%d got transaction with too large buffer\n",
|
|
proc->pid, thread->pid);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_offset;
|
|
}
|
|
if (binder_alloc_copy_user_to_buffer(
|
|
&target_proc->alloc,
|
|
t->buffer,
|
|
sg_buf_offset,
|
|
(const void __user *)
|
|
(uintptr_t)bp->buffer,
|
|
bp->length)) {
|
|
binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
|
|
proc->pid, thread->pid);
|
|
return_error_param = -EFAULT;
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_line = __LINE__;
|
|
goto err_copy_data_failed;
|
|
}
|
|
/* Fixup buffer pointer to target proc address space */
|
|
bp->buffer = (uintptr_t)
|
|
t->buffer->user_data + sg_buf_offset;
|
|
sg_buf_offset += ALIGN(bp->length, sizeof(u64));
|
|
|
|
num_valid = (buffer_offset - off_start_offset) /
|
|
sizeof(binder_size_t);
|
|
ret = binder_fixup_parent(t, thread, bp,
|
|
off_start_offset,
|
|
num_valid,
|
|
last_fixup_obj_off,
|
|
last_fixup_min_off);
|
|
if (ret < 0 ||
|
|
binder_alloc_copy_to_buffer(&target_proc->alloc,
|
|
t->buffer,
|
|
object_offset,
|
|
bp, sizeof(*bp))) {
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = ret;
|
|
return_error_line = __LINE__;
|
|
goto err_translate_failed;
|
|
}
|
|
last_fixup_obj_off = object_offset;
|
|
last_fixup_min_off = 0;
|
|
} break;
|
|
default:
|
|
binder_user_error("%d:%d got transaction with invalid object type, %x\n",
|
|
proc->pid, thread->pid, hdr->type);
|
|
return_error = BR_FAILED_REPLY;
|
|
return_error_param = -EINVAL;
|
|
return_error_line = __LINE__;
|
|
goto err_bad_object_type;
|
|
}
|
|
}
|
|
if (t->buffer->oneway_spam_suspect)
|
|
tcomplete->type = BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT;
|
|
else
|
|
tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
|
|
t->work.type = BINDER_WORK_TRANSACTION;
|
|
|
|
if (reply) {
|
|
binder_enqueue_thread_work(thread, tcomplete);
|
|
binder_inner_proc_lock(target_proc);
|
|
if (target_thread->is_dead) {
|
|
return_error = BR_DEAD_REPLY;
|
|
binder_inner_proc_unlock(target_proc);
|
|
goto err_dead_proc_or_thread;
|
|
}
|
|
BUG_ON(t->buffer->async_transaction != 0);
|
|
binder_pop_transaction_ilocked(target_thread, in_reply_to);
|
|
binder_enqueue_thread_work_ilocked(target_thread, &t->work);
|
|
target_proc->outstanding_txns++;
|
|
binder_inner_proc_unlock(target_proc);
|
|
wake_up_interruptible_sync(&target_thread->wait);
|
|
trace_android_vh_binder_restore_priority(in_reply_to, current);
|
|
binder_restore_priority(current, in_reply_to->saved_priority);
|
|
binder_free_transaction(in_reply_to);
|
|
} else if (!(t->flags & TF_ONE_WAY)) {
|
|
BUG_ON(t->buffer->async_transaction != 0);
|
|
binder_inner_proc_lock(proc);
|
|
/*
|
|
* Defer the TRANSACTION_COMPLETE, so we don't return to
|
|
* userspace immediately; this allows the target process to
|
|
* immediately start processing this transaction, reducing
|
|
* latency. We will then return the TRANSACTION_COMPLETE when
|
|
* the target replies (or there is an error).
|
|
*/
|
|
binder_enqueue_deferred_thread_work_ilocked(thread, tcomplete);
|
|
t->need_reply = 1;
|
|
t->from_parent = thread->transaction_stack;
|
|
thread->transaction_stack = t;
|
|
binder_inner_proc_unlock(proc);
|
|
return_error = binder_proc_transaction(t,
|
|
target_proc, target_thread);
|
|
if (return_error) {
|
|
binder_inner_proc_lock(proc);
|
|
binder_pop_transaction_ilocked(thread, t);
|
|
binder_inner_proc_unlock(proc);
|
|
goto err_dead_proc_or_thread;
|
|
}
|
|
} else {
|
|
BUG_ON(target_node == NULL);
|
|
BUG_ON(t->buffer->async_transaction != 1);
|
|
binder_enqueue_thread_work(thread, tcomplete);
|
|
return_error = binder_proc_transaction(t, target_proc, NULL);
|
|
if (return_error)
|
|
goto err_dead_proc_or_thread;
|
|
}
|
|
if (target_thread)
|
|
binder_thread_dec_tmpref(target_thread);
|
|
binder_proc_dec_tmpref(target_proc);
|
|
if (target_node)
|
|
binder_dec_node_tmpref(target_node);
|
|
/*
|
|
* write barrier to synchronize with initialization
|
|
* of log entry
|
|
*/
|
|
smp_wmb();
|
|
WRITE_ONCE(e->debug_id_done, t_debug_id);
|
|
return;
|
|
|
|
err_dead_proc_or_thread:
|
|
return_error_line = __LINE__;
|
|
binder_dequeue_work(proc, tcomplete);
|
|
err_translate_failed:
|
|
err_bad_object_type:
|
|
err_bad_offset:
|
|
err_bad_parent:
|
|
err_copy_data_failed:
|
|
binder_free_txn_fixups(t);
|
|
trace_binder_transaction_failed_buffer_release(t->buffer);
|
|
binder_transaction_buffer_release(target_proc, NULL, t->buffer,
|
|
buffer_offset, true);
|
|
if (target_node)
|
|
binder_dec_node_tmpref(target_node);
|
|
target_node = NULL;
|
|
t->buffer->transaction = NULL;
|
|
binder_alloc_free_buf(&target_proc->alloc, t->buffer);
|
|
err_binder_alloc_buf_failed:
|
|
err_bad_extra_size:
|
|
if (secctx)
|
|
security_release_secctx(secctx, secctx_sz);
|
|
err_get_secctx_failed:
|
|
kfree(tcomplete);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
|
|
err_alloc_tcomplete_failed:
|
|
kfree(t);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION);
|
|
err_alloc_t_failed:
|
|
err_bad_todo_list:
|
|
err_bad_call_stack:
|
|
err_empty_call_stack:
|
|
err_dead_binder:
|
|
err_invalid_target_handle:
|
|
if (target_thread)
|
|
binder_thread_dec_tmpref(target_thread);
|
|
if (target_proc)
|
|
binder_proc_dec_tmpref(target_proc);
|
|
if (target_node) {
|
|
binder_dec_node(target_node, 1, 0);
|
|
binder_dec_node_tmpref(target_node);
|
|
}
|
|
|
|
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"%d:%d transaction failed %d/%d, size %lld-%lld line %d\n",
|
|
proc->pid, thread->pid, return_error, return_error_param,
|
|
(u64)tr->data_size, (u64)tr->offsets_size,
|
|
return_error_line);
|
|
|
|
{
|
|
struct binder_transaction_log_entry *fe;
|
|
|
|
e->return_error = return_error;
|
|
e->return_error_param = return_error_param;
|
|
e->return_error_line = return_error_line;
|
|
fe = binder_transaction_log_add(&binder_transaction_log_failed);
|
|
*fe = *e;
|
|
/*
|
|
* write barrier to synchronize with initialization
|
|
* of log entry
|
|
*/
|
|
smp_wmb();
|
|
WRITE_ONCE(e->debug_id_done, t_debug_id);
|
|
WRITE_ONCE(fe->debug_id_done, t_debug_id);
|
|
}
|
|
|
|
BUG_ON(thread->return_error.cmd != BR_OK);
|
|
if (in_reply_to) {
|
|
trace_android_vh_binder_restore_priority(in_reply_to, current);
|
|
binder_restore_priority(current, in_reply_to->saved_priority);
|
|
thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
|
|
binder_enqueue_thread_work(thread, &thread->return_error.work);
|
|
binder_send_failed_reply(in_reply_to, return_error);
|
|
} else {
|
|
thread->return_error.cmd = return_error;
|
|
binder_enqueue_thread_work(thread, &thread->return_error.work);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* binder_free_buf() - free the specified buffer
|
|
* @proc: binder proc that owns buffer
|
|
* @buffer: buffer to be freed
|
|
* @is_failure: failed to send transaction
|
|
*
|
|
* If buffer for an async transaction, enqueue the next async
|
|
* transaction from the node.
|
|
*
|
|
* Cleanup buffer and free it.
|
|
*/
|
|
static void
|
|
binder_free_buf(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
struct binder_buffer *buffer, bool is_failure)
|
|
{
|
|
binder_inner_proc_lock(proc);
|
|
if (buffer->transaction) {
|
|
buffer->transaction->buffer = NULL;
|
|
buffer->transaction = NULL;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
if (buffer->async_transaction && buffer->target_node) {
|
|
struct binder_node *buf_node;
|
|
struct binder_work *w;
|
|
|
|
buf_node = buffer->target_node;
|
|
binder_node_inner_lock(buf_node);
|
|
BUG_ON(!buf_node->has_async_transaction);
|
|
BUG_ON(buf_node->proc != proc);
|
|
w = binder_dequeue_work_head_ilocked(
|
|
&buf_node->async_todo);
|
|
if (!w) {
|
|
buf_node->has_async_transaction = false;
|
|
} else {
|
|
binder_enqueue_work_ilocked(
|
|
w, &proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
}
|
|
binder_node_inner_unlock(buf_node);
|
|
}
|
|
trace_binder_transaction_buffer_release(buffer);
|
|
binder_transaction_buffer_release(proc, thread, buffer, 0, is_failure);
|
|
binder_alloc_free_buf(&proc->alloc, buffer);
|
|
}
|
|
|
|
static int binder_thread_write(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
binder_uintptr_t binder_buffer, size_t size,
|
|
binder_size_t *consumed)
|
|
{
|
|
uint32_t cmd;
|
|
struct binder_context *context = proc->context;
|
|
void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
|
|
void __user *ptr = buffer + *consumed;
|
|
void __user *end = buffer + size;
|
|
|
|
while (ptr < end && thread->return_error.cmd == BR_OK) {
|
|
int ret;
|
|
|
|
if (get_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
trace_binder_command(cmd);
|
|
if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {
|
|
atomic_inc(&binder_stats.bc[_IOC_NR(cmd)]);
|
|
atomic_inc(&proc->stats.bc[_IOC_NR(cmd)]);
|
|
atomic_inc(&thread->stats.bc[_IOC_NR(cmd)]);
|
|
}
|
|
switch (cmd) {
|
|
case BC_INCREFS:
|
|
case BC_ACQUIRE:
|
|
case BC_RELEASE:
|
|
case BC_DECREFS: {
|
|
uint32_t target;
|
|
const char *debug_string;
|
|
bool strong = cmd == BC_ACQUIRE || cmd == BC_RELEASE;
|
|
bool increment = cmd == BC_INCREFS || cmd == BC_ACQUIRE;
|
|
struct binder_ref_data rdata;
|
|
|
|
if (get_user(target, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
|
|
ptr += sizeof(uint32_t);
|
|
ret = -1;
|
|
if (increment && !target) {
|
|
struct binder_node *ctx_mgr_node;
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
ctx_mgr_node = context->binder_context_mgr_node;
|
|
if (ctx_mgr_node)
|
|
ret = binder_inc_ref_for_node(
|
|
proc, ctx_mgr_node,
|
|
strong, NULL, &rdata);
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
}
|
|
if (ret)
|
|
ret = binder_update_ref_for_handle(
|
|
proc, target, increment, strong,
|
|
&rdata);
|
|
if (!ret && rdata.desc != target) {
|
|
binder_user_error("%d:%d tried to acquire reference to desc %d, got %d instead\n",
|
|
proc->pid, thread->pid,
|
|
target, rdata.desc);
|
|
}
|
|
switch (cmd) {
|
|
case BC_INCREFS:
|
|
debug_string = "IncRefs";
|
|
break;
|
|
case BC_ACQUIRE:
|
|
debug_string = "Acquire";
|
|
break;
|
|
case BC_RELEASE:
|
|
debug_string = "Release";
|
|
break;
|
|
case BC_DECREFS:
|
|
default:
|
|
debug_string = "DecRefs";
|
|
break;
|
|
}
|
|
if (ret) {
|
|
binder_user_error("%d:%d %s %d refcount change on invalid ref %d ret %d\n",
|
|
proc->pid, thread->pid, debug_string,
|
|
strong, target, ret);
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_USER_REFS,
|
|
"%d:%d %s ref %d desc %d s %d w %d\n",
|
|
proc->pid, thread->pid, debug_string,
|
|
rdata.debug_id, rdata.desc, rdata.strong,
|
|
rdata.weak);
|
|
break;
|
|
}
|
|
case BC_INCREFS_DONE:
|
|
case BC_ACQUIRE_DONE: {
|
|
binder_uintptr_t node_ptr;
|
|
binder_uintptr_t cookie;
|
|
struct binder_node *node;
|
|
bool free_node;
|
|
|
|
if (get_user(node_ptr, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
node = binder_get_node(proc, node_ptr);
|
|
if (node == NULL) {
|
|
binder_user_error("%d:%d %s u%016llx no match\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ?
|
|
"BC_INCREFS_DONE" :
|
|
"BC_ACQUIRE_DONE",
|
|
(u64)node_ptr);
|
|
break;
|
|
}
|
|
if (cookie != node->cookie) {
|
|
binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ?
|
|
"BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
|
|
(u64)node_ptr, node->debug_id,
|
|
(u64)cookie, (u64)node->cookie);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
binder_node_inner_lock(node);
|
|
if (cmd == BC_ACQUIRE_DONE) {
|
|
if (node->pending_strong_ref == 0) {
|
|
binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire request\n",
|
|
proc->pid, thread->pid,
|
|
node->debug_id);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
node->pending_strong_ref = 0;
|
|
} else {
|
|
if (node->pending_weak_ref == 0) {
|
|
binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs request\n",
|
|
proc->pid, thread->pid,
|
|
node->debug_id);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
node->pending_weak_ref = 0;
|
|
}
|
|
free_node = binder_dec_node_nilocked(node,
|
|
cmd == BC_ACQUIRE_DONE, 0);
|
|
WARN_ON(free_node);
|
|
binder_debug(BINDER_DEBUG_USER_REFS,
|
|
"%d:%d %s node %d ls %d lw %d tr %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
|
|
node->debug_id, node->local_strong_refs,
|
|
node->local_weak_refs, node->tmp_refs);
|
|
binder_node_inner_unlock(node);
|
|
binder_put_node(node);
|
|
break;
|
|
}
|
|
case BC_ATTEMPT_ACQUIRE:
|
|
pr_err("BC_ATTEMPT_ACQUIRE not supported\n");
|
|
return -EINVAL;
|
|
case BC_ACQUIRE_RESULT:
|
|
pr_err("BC_ACQUIRE_RESULT not supported\n");
|
|
return -EINVAL;
|
|
|
|
case BC_FREE_BUFFER: {
|
|
binder_uintptr_t data_ptr;
|
|
struct binder_buffer *buffer;
|
|
|
|
if (get_user(data_ptr, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
|
|
buffer = binder_alloc_prepare_to_free(&proc->alloc,
|
|
data_ptr);
|
|
if (IS_ERR_OR_NULL(buffer)) {
|
|
if (PTR_ERR(buffer) == -EPERM) {
|
|
binder_user_error(
|
|
"%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
|
|
proc->pid, thread->pid,
|
|
(u64)data_ptr);
|
|
} else {
|
|
binder_user_error(
|
|
"%d:%d BC_FREE_BUFFER u%016llx no match\n",
|
|
proc->pid, thread->pid,
|
|
(u64)data_ptr);
|
|
}
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_FREE_BUFFER,
|
|
"%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n",
|
|
proc->pid, thread->pid, (u64)data_ptr,
|
|
buffer->debug_id,
|
|
buffer->transaction ? "active" : "finished");
|
|
binder_free_buf(proc, thread, buffer, false);
|
|
break;
|
|
}
|
|
|
|
case BC_TRANSACTION_SG:
|
|
case BC_REPLY_SG: {
|
|
struct binder_transaction_data_sg tr;
|
|
|
|
if (copy_from_user(&tr, ptr, sizeof(tr)))
|
|
return -EFAULT;
|
|
ptr += sizeof(tr);
|
|
binder_transaction(proc, thread, &tr.transaction_data,
|
|
cmd == BC_REPLY_SG, tr.buffers_size);
|
|
break;
|
|
}
|
|
case BC_TRANSACTION:
|
|
case BC_REPLY: {
|
|
struct binder_transaction_data tr;
|
|
|
|
if (copy_from_user(&tr, ptr, sizeof(tr)))
|
|
return -EFAULT;
|
|
ptr += sizeof(tr);
|
|
binder_transaction(proc, thread, &tr,
|
|
cmd == BC_REPLY, 0);
|
|
break;
|
|
}
|
|
|
|
case BC_REGISTER_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_REGISTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
binder_inner_proc_lock(proc);
|
|
if (thread->looper & BINDER_LOOPER_STATE_ENTERED) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
} else if (proc->requested_threads == 0) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called without request\n",
|
|
proc->pid, thread->pid);
|
|
} else {
|
|
proc->requested_threads--;
|
|
proc->requested_threads_started++;
|
|
}
|
|
thread->looper |= BINDER_LOOPER_STATE_REGISTERED;
|
|
binder_inner_proc_unlock(proc);
|
|
trace_android_vh_binder_looper_state_registered(thread, proc);
|
|
break;
|
|
case BC_ENTER_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_ENTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {
|
|
thread->looper |= BINDER_LOOPER_STATE_INVALID;
|
|
binder_user_error("%d:%d ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
}
|
|
thread->looper |= BINDER_LOOPER_STATE_ENTERED;
|
|
break;
|
|
case BC_EXIT_LOOPER:
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BC_EXIT_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
thread->looper |= BINDER_LOOPER_STATE_EXITED;
|
|
break;
|
|
|
|
case BC_REQUEST_DEATH_NOTIFICATION:
|
|
case BC_CLEAR_DEATH_NOTIFICATION: {
|
|
uint32_t target;
|
|
binder_uintptr_t cookie;
|
|
struct binder_ref *ref;
|
|
struct binder_ref_death *death = NULL;
|
|
|
|
if (get_user(target, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
|
|
/*
|
|
* Allocate memory for death notification
|
|
* before taking lock
|
|
*/
|
|
death = kzalloc(sizeof(*death), GFP_KERNEL);
|
|
if (death == NULL) {
|
|
WARN_ON(thread->return_error.cmd !=
|
|
BR_OK);
|
|
thread->return_error.cmd = BR_ERROR;
|
|
binder_enqueue_thread_work(
|
|
thread,
|
|
&thread->return_error.work);
|
|
binder_debug(
|
|
BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"%d:%d BC_REQUEST_DEATH_NOTIFICATION failed\n",
|
|
proc->pid, thread->pid);
|
|
break;
|
|
}
|
|
}
|
|
binder_proc_lock(proc);
|
|
ref = binder_get_ref_olocked(proc, target, false);
|
|
if (ref == NULL) {
|
|
binder_user_error("%d:%d %s invalid ref %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
|
|
"BC_REQUEST_DEATH_NOTIFICATION" :
|
|
"BC_CLEAR_DEATH_NOTIFICATION",
|
|
target);
|
|
binder_proc_unlock(proc);
|
|
kfree(death);
|
|
break;
|
|
}
|
|
|
|
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
|
|
"%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BC_REQUEST_DEATH_NOTIFICATION ?
|
|
"BC_REQUEST_DEATH_NOTIFICATION" :
|
|
"BC_CLEAR_DEATH_NOTIFICATION",
|
|
(u64)cookie, ref->data.debug_id,
|
|
ref->data.desc, ref->data.strong,
|
|
ref->data.weak, ref->node->debug_id);
|
|
|
|
binder_node_lock(ref->node);
|
|
if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
|
|
if (ref->death) {
|
|
binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification already set\n",
|
|
proc->pid, thread->pid);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
kfree(death);
|
|
break;
|
|
}
|
|
binder_stats_created(BINDER_STAT_DEATH);
|
|
INIT_LIST_HEAD(&death->work.entry);
|
|
death->cookie = cookie;
|
|
ref->death = death;
|
|
if (ref->node->proc == NULL) {
|
|
ref->death->work.type = BINDER_WORK_DEAD_BINDER;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
binder_enqueue_work_ilocked(
|
|
&ref->death->work, &proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
} else {
|
|
if (ref->death == NULL) {
|
|
binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not active\n",
|
|
proc->pid, thread->pid);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
break;
|
|
}
|
|
death = ref->death;
|
|
if (death->cookie != cookie) {
|
|
binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n",
|
|
proc->pid, thread->pid,
|
|
(u64)death->cookie,
|
|
(u64)cookie);
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
break;
|
|
}
|
|
ref->death = NULL;
|
|
binder_inner_proc_lock(proc);
|
|
if (list_empty(&death->work.entry)) {
|
|
death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
|
|
if (thread->looper &
|
|
(BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED))
|
|
binder_enqueue_thread_work_ilocked(
|
|
thread,
|
|
&death->work);
|
|
else {
|
|
binder_enqueue_work_ilocked(
|
|
&death->work,
|
|
&proc->todo);
|
|
binder_wakeup_proc_ilocked(
|
|
proc);
|
|
}
|
|
} else {
|
|
BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER);
|
|
death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
binder_node_unlock(ref->node);
|
|
binder_proc_unlock(proc);
|
|
} break;
|
|
case BC_DEAD_BINDER_DONE: {
|
|
struct binder_work *w;
|
|
binder_uintptr_t cookie;
|
|
struct binder_ref_death *death = NULL;
|
|
|
|
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
|
|
ptr += sizeof(cookie);
|
|
binder_inner_proc_lock(proc);
|
|
list_for_each_entry(w, &proc->delivered_death,
|
|
entry) {
|
|
struct binder_ref_death *tmp_death =
|
|
container_of(w,
|
|
struct binder_ref_death,
|
|
work);
|
|
|
|
if (tmp_death->cookie == cookie) {
|
|
death = tmp_death;
|
|
break;
|
|
}
|
|
}
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
|
|
proc->pid, thread->pid, (u64)cookie,
|
|
death);
|
|
if (death == NULL) {
|
|
binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n",
|
|
proc->pid, thread->pid, (u64)cookie);
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
}
|
|
binder_dequeue_work_ilocked(&death->work);
|
|
if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) {
|
|
death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
|
|
if (thread->looper &
|
|
(BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED))
|
|
binder_enqueue_thread_work_ilocked(
|
|
thread, &death->work);
|
|
else {
|
|
binder_enqueue_work_ilocked(
|
|
&death->work,
|
|
&proc->todo);
|
|
binder_wakeup_proc_ilocked(proc);
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
} break;
|
|
|
|
default:
|
|
pr_err("%d:%d unknown command %d\n",
|
|
proc->pid, thread->pid, cmd);
|
|
return -EINVAL;
|
|
}
|
|
*consumed = ptr - buffer;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static void binder_stat_br(struct binder_proc *proc,
|
|
struct binder_thread *thread, uint32_t cmd)
|
|
{
|
|
trace_binder_return(cmd);
|
|
if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) {
|
|
atomic_inc(&binder_stats.br[_IOC_NR(cmd)]);
|
|
atomic_inc(&proc->stats.br[_IOC_NR(cmd)]);
|
|
atomic_inc(&thread->stats.br[_IOC_NR(cmd)]);
|
|
}
|
|
}
|
|
|
|
static int binder_put_node_cmd(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
void __user **ptrp,
|
|
binder_uintptr_t node_ptr,
|
|
binder_uintptr_t node_cookie,
|
|
int node_debug_id,
|
|
uint32_t cmd, const char *cmd_name)
|
|
{
|
|
void __user *ptr = *ptrp;
|
|
|
|
if (put_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
|
|
if (put_user(node_ptr, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
|
|
if (put_user(node_cookie, (binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
|
|
binder_stat_br(proc, thread, cmd);
|
|
binder_debug(BINDER_DEBUG_USER_REFS, "%d:%d %s %d u%016llx c%016llx\n",
|
|
proc->pid, thread->pid, cmd_name, node_debug_id,
|
|
(u64)node_ptr, (u64)node_cookie);
|
|
|
|
*ptrp = ptr;
|
|
return 0;
|
|
}
|
|
|
|
static int binder_wait_for_work(struct binder_thread *thread,
|
|
bool do_proc_work)
|
|
{
|
|
DEFINE_WAIT(wait);
|
|
struct binder_proc *proc = thread->proc;
|
|
int ret = 0;
|
|
|
|
freezer_do_not_count();
|
|
binder_inner_proc_lock(proc);
|
|
for (;;) {
|
|
prepare_to_wait(&thread->wait, &wait, TASK_INTERRUPTIBLE);
|
|
if (binder_has_work_ilocked(thread, do_proc_work))
|
|
break;
|
|
if (do_proc_work)
|
|
list_add(&thread->waiting_thread_node,
|
|
&proc->waiting_threads);
|
|
trace_android_vh_binder_wait_for_work(do_proc_work, thread, proc);
|
|
binder_inner_proc_unlock(proc);
|
|
schedule();
|
|
binder_inner_proc_lock(proc);
|
|
list_del_init(&thread->waiting_thread_node);
|
|
if (signal_pending(current)) {
|
|
ret = -EINTR;
|
|
break;
|
|
}
|
|
}
|
|
finish_wait(&thread->wait, &wait);
|
|
binder_inner_proc_unlock(proc);
|
|
freezer_count();
|
|
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* binder_apply_fd_fixups() - finish fd translation
|
|
* @proc: binder_proc associated @t->buffer
|
|
* @t: binder transaction with list of fd fixups
|
|
*
|
|
* Now that we are in the context of the transaction target
|
|
* process, we can allocate and install fds. Process the
|
|
* list of fds to translate and fixup the buffer with the
|
|
* new fds.
|
|
*
|
|
* If we fail to allocate an fd, then free the resources by
|
|
* fput'ing files that have not been processed and ksys_close'ing
|
|
* any fds that have already been allocated.
|
|
*/
|
|
static int binder_apply_fd_fixups(struct binder_proc *proc,
|
|
struct binder_transaction *t)
|
|
{
|
|
struct binder_txn_fd_fixup *fixup, *tmp;
|
|
int ret = 0;
|
|
|
|
list_for_each_entry(fixup, &t->fd_fixups, fixup_entry) {
|
|
int fd = get_unused_fd_flags(O_CLOEXEC);
|
|
|
|
if (fd < 0) {
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"failed fd fixup txn %d fd %d\n",
|
|
t->debug_id, fd);
|
|
ret = -ENOMEM;
|
|
break;
|
|
}
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"fd fixup txn %d fd %d\n",
|
|
t->debug_id, fd);
|
|
trace_binder_transaction_fd_recv(t, fd, fixup->offset);
|
|
fd_install(fd, fixup->file);
|
|
fixup->file = NULL;
|
|
if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
|
|
fixup->offset, &fd,
|
|
sizeof(u32))) {
|
|
ret = -EINVAL;
|
|
break;
|
|
}
|
|
}
|
|
list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
|
|
if (fixup->file) {
|
|
fput(fixup->file);
|
|
} else if (ret) {
|
|
u32 fd;
|
|
int err;
|
|
|
|
err = binder_alloc_copy_from_buffer(&proc->alloc, &fd,
|
|
t->buffer,
|
|
fixup->offset,
|
|
sizeof(fd));
|
|
WARN_ON(err);
|
|
if (!err)
|
|
binder_deferred_fd_close(fd);
|
|
}
|
|
list_del(&fixup->fixup_entry);
|
|
kfree(fixup);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int binder_thread_read(struct binder_proc *proc,
|
|
struct binder_thread *thread,
|
|
binder_uintptr_t binder_buffer, size_t size,
|
|
binder_size_t *consumed, int non_block)
|
|
{
|
|
void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
|
|
void __user *ptr = buffer + *consumed;
|
|
void __user *end = buffer + size;
|
|
|
|
int ret = 0;
|
|
int wait_for_proc_work;
|
|
|
|
if (*consumed == 0) {
|
|
if (put_user(BR_NOOP, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
}
|
|
|
|
retry:
|
|
binder_inner_proc_lock(proc);
|
|
wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
thread->looper |= BINDER_LOOPER_STATE_WAITING;
|
|
|
|
trace_binder_wait_for_work(wait_for_proc_work,
|
|
!!thread->transaction_stack,
|
|
!binder_worklist_empty(proc, &thread->todo));
|
|
if (wait_for_proc_work) {
|
|
if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED))) {
|
|
binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
|
|
proc->pid, thread->pid, thread->looper);
|
|
wait_event_interruptible(binder_user_error_wait,
|
|
binder_stop_on_user_error < 2);
|
|
}
|
|
trace_android_vh_binder_restore_priority(NULL, current);
|
|
binder_restore_priority(current, proc->default_priority);
|
|
}
|
|
|
|
if (non_block) {
|
|
if (!binder_has_work(thread, wait_for_proc_work))
|
|
ret = -EAGAIN;
|
|
} else {
|
|
ret = binder_wait_for_work(thread, wait_for_proc_work);
|
|
}
|
|
|
|
thread->looper &= ~BINDER_LOOPER_STATE_WAITING;
|
|
|
|
if (ret)
|
|
return ret;
|
|
|
|
while (1) {
|
|
uint32_t cmd;
|
|
struct binder_transaction_data_secctx tr;
|
|
struct binder_transaction_data *trd = &tr.transaction_data;
|
|
struct binder_work *w = NULL;
|
|
struct list_head *list = NULL;
|
|
struct binder_transaction *t = NULL;
|
|
struct binder_thread *t_from;
|
|
size_t trsize = sizeof(*trd);
|
|
|
|
binder_inner_proc_lock(proc);
|
|
trace_android_vh_binder_select_worklist_ilocked(&list, thread,
|
|
proc, wait_for_proc_work);
|
|
if (list)
|
|
goto skip;
|
|
if (!binder_worklist_empty_ilocked(&thread->todo))
|
|
list = &thread->todo;
|
|
else if (!binder_worklist_empty_ilocked(&proc->todo) &&
|
|
wait_for_proc_work)
|
|
list = &proc->todo;
|
|
else {
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
/* no data added */
|
|
if (ptr - buffer == 4 && !thread->looper_need_return)
|
|
goto retry;
|
|
break;
|
|
}
|
|
skip:
|
|
if (end - ptr < sizeof(tr) + 4) {
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
}
|
|
trace_android_vh_binder_thread_read(&list, proc, thread);
|
|
w = binder_dequeue_work_head_ilocked(list);
|
|
if (binder_worklist_empty_ilocked(&thread->todo))
|
|
thread->process_todo = false;
|
|
|
|
switch (w->type) {
|
|
case BINDER_WORK_TRANSACTION: {
|
|
binder_inner_proc_unlock(proc);
|
|
t = container_of(w, struct binder_transaction, work);
|
|
} break;
|
|
case BINDER_WORK_RETURN_ERROR: {
|
|
struct binder_error *e = container_of(
|
|
w, struct binder_error, work);
|
|
|
|
WARN_ON(e->cmd == BR_OK);
|
|
binder_inner_proc_unlock(proc);
|
|
if (put_user(e->cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
cmd = e->cmd;
|
|
e->cmd = BR_OK;
|
|
ptr += sizeof(uint32_t);
|
|
|
|
binder_stat_br(proc, thread, cmd);
|
|
} break;
|
|
case BINDER_WORK_TRANSACTION_COMPLETE:
|
|
case BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT: {
|
|
if (proc->oneway_spam_detection_enabled &&
|
|
w->type == BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT)
|
|
cmd = BR_ONEWAY_SPAM_SUSPECT;
|
|
else
|
|
cmd = BR_TRANSACTION_COMPLETE;
|
|
binder_inner_proc_unlock(proc);
|
|
kfree(w);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
|
|
if (put_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
|
|
binder_stat_br(proc, thread, cmd);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
|
|
"%d:%d BR_TRANSACTION_COMPLETE\n",
|
|
proc->pid, thread->pid);
|
|
} break;
|
|
case BINDER_WORK_NODE: {
|
|
struct binder_node *node = container_of(w, struct binder_node, work);
|
|
int strong, weak;
|
|
binder_uintptr_t node_ptr = node->ptr;
|
|
binder_uintptr_t node_cookie = node->cookie;
|
|
int node_debug_id = node->debug_id;
|
|
int has_weak_ref;
|
|
int has_strong_ref;
|
|
void __user *orig_ptr = ptr;
|
|
|
|
BUG_ON(proc != node->proc);
|
|
strong = node->internal_strong_refs ||
|
|
node->local_strong_refs;
|
|
weak = !hlist_empty(&node->refs) ||
|
|
node->local_weak_refs ||
|
|
node->tmp_refs || strong;
|
|
has_strong_ref = node->has_strong_ref;
|
|
has_weak_ref = node->has_weak_ref;
|
|
|
|
if (weak && !has_weak_ref) {
|
|
node->has_weak_ref = 1;
|
|
node->pending_weak_ref = 1;
|
|
node->local_weak_refs++;
|
|
}
|
|
if (strong && !has_strong_ref) {
|
|
node->has_strong_ref = 1;
|
|
node->pending_strong_ref = 1;
|
|
node->local_strong_refs++;
|
|
}
|
|
if (!strong && has_strong_ref)
|
|
node->has_strong_ref = 0;
|
|
if (!weak && has_weak_ref)
|
|
node->has_weak_ref = 0;
|
|
if (!weak && !strong) {
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d:%d node %d u%016llx c%016llx deleted\n",
|
|
proc->pid, thread->pid,
|
|
node_debug_id,
|
|
(u64)node_ptr,
|
|
(u64)node_cookie);
|
|
rb_erase(&node->rb_node, &proc->nodes);
|
|
binder_inner_proc_unlock(proc);
|
|
binder_node_lock(node);
|
|
/*
|
|
* Acquire the node lock before freeing the
|
|
* node to serialize with other threads that
|
|
* may have been holding the node lock while
|
|
* decrementing this node (avoids race where
|
|
* this thread frees while the other thread
|
|
* is unlocking the node after the final
|
|
* decrement)
|
|
*/
|
|
binder_node_unlock(node);
|
|
binder_free_node(node);
|
|
} else
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
if (weak && !has_weak_ref)
|
|
ret = binder_put_node_cmd(
|
|
proc, thread, &ptr, node_ptr,
|
|
node_cookie, node_debug_id,
|
|
BR_INCREFS, "BR_INCREFS");
|
|
if (!ret && strong && !has_strong_ref)
|
|
ret = binder_put_node_cmd(
|
|
proc, thread, &ptr, node_ptr,
|
|
node_cookie, node_debug_id,
|
|
BR_ACQUIRE, "BR_ACQUIRE");
|
|
if (!ret && !strong && has_strong_ref)
|
|
ret = binder_put_node_cmd(
|
|
proc, thread, &ptr, node_ptr,
|
|
node_cookie, node_debug_id,
|
|
BR_RELEASE, "BR_RELEASE");
|
|
if (!ret && !weak && has_weak_ref)
|
|
ret = binder_put_node_cmd(
|
|
proc, thread, &ptr, node_ptr,
|
|
node_cookie, node_debug_id,
|
|
BR_DECREFS, "BR_DECREFS");
|
|
if (orig_ptr == ptr)
|
|
binder_debug(BINDER_DEBUG_INTERNAL_REFS,
|
|
"%d:%d node %d u%016llx c%016llx state unchanged\n",
|
|
proc->pid, thread->pid,
|
|
node_debug_id,
|
|
(u64)node_ptr,
|
|
(u64)node_cookie);
|
|
if (ret)
|
|
return ret;
|
|
} break;
|
|
case BINDER_WORK_DEAD_BINDER:
|
|
case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
|
|
case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
|
|
struct binder_ref_death *death;
|
|
uint32_t cmd;
|
|
binder_uintptr_t cookie;
|
|
|
|
death = container_of(w, struct binder_ref_death, work);
|
|
if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION)
|
|
cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE;
|
|
else
|
|
cmd = BR_DEAD_BINDER;
|
|
cookie = death->cookie;
|
|
|
|
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
|
|
"%d:%d %s %016llx\n",
|
|
proc->pid, thread->pid,
|
|
cmd == BR_DEAD_BINDER ?
|
|
"BR_DEAD_BINDER" :
|
|
"BR_CLEAR_DEATH_NOTIFICATION_DONE",
|
|
(u64)cookie);
|
|
if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) {
|
|
binder_inner_proc_unlock(proc);
|
|
kfree(death);
|
|
binder_stats_deleted(BINDER_STAT_DEATH);
|
|
} else {
|
|
binder_enqueue_work_ilocked(
|
|
w, &proc->delivered_death);
|
|
binder_inner_proc_unlock(proc);
|
|
}
|
|
if (put_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
if (put_user(cookie,
|
|
(binder_uintptr_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(binder_uintptr_t);
|
|
binder_stat_br(proc, thread, cmd);
|
|
if (cmd == BR_DEAD_BINDER)
|
|
goto done; /* DEAD_BINDER notifications can cause transactions */
|
|
} break;
|
|
default:
|
|
binder_inner_proc_unlock(proc);
|
|
pr_err("%d:%d: bad work type %d\n",
|
|
proc->pid, thread->pid, w->type);
|
|
break;
|
|
}
|
|
|
|
if (!t)
|
|
continue;
|
|
|
|
BUG_ON(t->buffer == NULL);
|
|
if (t->buffer->target_node) {
|
|
struct binder_node *target_node = t->buffer->target_node;
|
|
struct binder_priority node_prio;
|
|
|
|
trd->target.ptr = target_node->ptr;
|
|
trd->cookie = target_node->cookie;
|
|
node_prio.sched_policy = target_node->sched_policy;
|
|
node_prio.prio = target_node->min_priority;
|
|
binder_transaction_priority(current, t, node_prio,
|
|
target_node->inherit_rt);
|
|
cmd = BR_TRANSACTION;
|
|
} else {
|
|
trd->target.ptr = 0;
|
|
trd->cookie = 0;
|
|
cmd = BR_REPLY;
|
|
}
|
|
trd->code = t->code;
|
|
trd->flags = t->flags;
|
|
trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);
|
|
|
|
t_from = binder_get_txn_from(t);
|
|
if (t_from) {
|
|
struct task_struct *sender = t_from->proc->tsk;
|
|
|
|
trd->sender_pid =
|
|
task_tgid_nr_ns(sender,
|
|
task_active_pid_ns(current));
|
|
trace_android_vh_sync_txn_recvd(thread->task, t_from->task);
|
|
} else {
|
|
trd->sender_pid = 0;
|
|
}
|
|
|
|
ret = binder_apply_fd_fixups(proc, t);
|
|
if (ret) {
|
|
struct binder_buffer *buffer = t->buffer;
|
|
bool oneway = !!(t->flags & TF_ONE_WAY);
|
|
int tid = t->debug_id;
|
|
|
|
if (t_from)
|
|
binder_thread_dec_tmpref(t_from);
|
|
buffer->transaction = NULL;
|
|
binder_cleanup_transaction(t, "fd fixups failed",
|
|
BR_FAILED_REPLY);
|
|
binder_free_buf(proc, thread, buffer, true);
|
|
binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
|
|
"%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n",
|
|
proc->pid, thread->pid,
|
|
oneway ? "async " :
|
|
(cmd == BR_REPLY ? "reply " : ""),
|
|
tid, BR_FAILED_REPLY, ret, __LINE__);
|
|
if (cmd == BR_REPLY) {
|
|
cmd = BR_FAILED_REPLY;
|
|
if (put_user(cmd, (uint32_t __user *)ptr))
|
|
return -EFAULT;
|
|
ptr += sizeof(uint32_t);
|
|
binder_stat_br(proc, thread, cmd);
|
|
break;
|
|
}
|
|
continue;
|
|
}
|
|
trd->data_size = t->buffer->data_size;
|
|
trd->offsets_size = t->buffer->offsets_size;
|
|
trd->data.ptr.buffer = (uintptr_t)t->buffer->user_data;
|
|
trd->data.ptr.offsets = trd->data.ptr.buffer +
|
|
ALIGN(t->buffer->data_size,
|
|
sizeof(void *));
|
|
|
|
tr.secctx = t->security_ctx;
|
|
if (t->security_ctx) {
|
|
cmd = BR_TRANSACTION_SEC_CTX;
|
|
trsize = sizeof(tr);
|
|
}
|
|
if (put_user(cmd, (uint32_t __user *)ptr)) {
|
|
if (t_from)
|
|
binder_thread_dec_tmpref(t_from);
|
|
|
|
binder_cleanup_transaction(t, "put_user failed",
|
|
BR_FAILED_REPLY);
|
|
|
|
return -EFAULT;
|
|
}
|
|
ptr += sizeof(uint32_t);
|
|
if (copy_to_user(ptr, &tr, trsize)) {
|
|
if (t_from)
|
|
binder_thread_dec_tmpref(t_from);
|
|
|
|
binder_cleanup_transaction(t, "copy_to_user failed",
|
|
BR_FAILED_REPLY);
|
|
|
|
return -EFAULT;
|
|
}
|
|
ptr += trsize;
|
|
|
|
trace_binder_transaction_received(t);
|
|
binder_stat_br(proc, thread, cmd);
|
|
binder_debug(BINDER_DEBUG_TRANSACTION,
|
|
"%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
|
|
proc->pid, thread->pid,
|
|
(cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
|
|
(cmd == BR_TRANSACTION_SEC_CTX) ?
|
|
"BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
|
|
t->debug_id, t_from ? t_from->proc->pid : 0,
|
|
t_from ? t_from->pid : 0, cmd,
|
|
t->buffer->data_size, t->buffer->offsets_size,
|
|
(u64)trd->data.ptr.buffer,
|
|
(u64)trd->data.ptr.offsets);
|
|
|
|
if (t_from)
|
|
binder_thread_dec_tmpref(t_from);
|
|
t->buffer->allow_user_free = 1;
|
|
if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
|
|
binder_inner_proc_lock(thread->proc);
|
|
t->to_parent = thread->transaction_stack;
|
|
t->to_thread = thread;
|
|
thread->transaction_stack = t;
|
|
binder_inner_proc_unlock(thread->proc);
|
|
} else {
|
|
binder_free_transaction(t);
|
|
}
|
|
break;
|
|
}
|
|
|
|
done:
|
|
|
|
*consumed = ptr - buffer;
|
|
binder_inner_proc_lock(proc);
|
|
if (proc->requested_threads == 0 &&
|
|
list_empty(&thread->proc->waiting_threads) &&
|
|
proc->requested_threads_started < proc->max_threads &&
|
|
(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
|
|
BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */
|
|
/*spawn a new thread if we leave this out */) {
|
|
proc->requested_threads++;
|
|
binder_inner_proc_unlock(proc);
|
|
binder_debug(BINDER_DEBUG_THREADS,
|
|
"%d:%d BR_SPAWN_LOOPER\n",
|
|
proc->pid, thread->pid);
|
|
if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
|
|
return -EFAULT;
|
|
binder_stat_br(proc, thread, BR_SPAWN_LOOPER);
|
|
} else
|
|
binder_inner_proc_unlock(proc);
|
|
return 0;
|
|
}
|
|
|
|
static void binder_release_work(struct binder_proc *proc,
|
|
struct list_head *list)
|
|
{
|
|
struct binder_work *w;
|
|
enum binder_work_type wtype;
|
|
|
|
while (1) {
|
|
binder_inner_proc_lock(proc);
|
|
w = binder_dequeue_work_head_ilocked(list);
|
|
wtype = w ? w->type : 0;
|
|
binder_inner_proc_unlock(proc);
|
|
if (!w)
|
|
return;
|
|
|
|
switch (wtype) {
|
|
case BINDER_WORK_TRANSACTION: {
|
|
struct binder_transaction *t;
|
|
|
|
t = container_of(w, struct binder_transaction, work);
|
|
|
|
binder_cleanup_transaction(t, "process died.",
|
|
BR_DEAD_REPLY);
|
|
} break;
|
|
case BINDER_WORK_RETURN_ERROR: {
|
|
struct binder_error *e = container_of(
|
|
w, struct binder_error, work);
|
|
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"undelivered TRANSACTION_ERROR: %u\n",
|
|
e->cmd);
|
|
} break;
|
|
case BINDER_WORK_TRANSACTION_COMPLETE: {
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"undelivered TRANSACTION_COMPLETE\n");
|
|
kfree(w);
|
|
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
|
|
} break;
|
|
case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
|
|
case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
|
|
struct binder_ref_death *death;
|
|
|
|
death = container_of(w, struct binder_ref_death, work);
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"undelivered death notification, %016llx\n",
|
|
(u64)death->cookie);
|
|
kfree(death);
|
|
binder_stats_deleted(BINDER_STAT_DEATH);
|
|
} break;
|
|
case BINDER_WORK_NODE:
|
|
break;
|
|
default:
|
|
pr_err("unexpected work type, %d, not freed\n",
|
|
wtype);
|
|
break;
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
static struct binder_thread *binder_get_thread_ilocked(
|
|
struct binder_proc *proc, struct binder_thread *new_thread)
|
|
{
|
|
struct binder_thread *thread = NULL;
|
|
struct rb_node *parent = NULL;
|
|
struct rb_node **p = &proc->threads.rb_node;
|
|
|
|
while (*p) {
|
|
parent = *p;
|
|
thread = rb_entry(parent, struct binder_thread, rb_node);
|
|
|
|
if (current->pid < thread->pid)
|
|
p = &(*p)->rb_left;
|
|
else if (current->pid > thread->pid)
|
|
p = &(*p)->rb_right;
|
|
else
|
|
return thread;
|
|
}
|
|
if (!new_thread)
|
|
return NULL;
|
|
thread = new_thread;
|
|
binder_stats_created(BINDER_STAT_THREAD);
|
|
thread->proc = proc;
|
|
thread->pid = current->pid;
|
|
get_task_struct(current);
|
|
thread->task = current;
|
|
atomic_set(&thread->tmp_ref, 0);
|
|
init_waitqueue_head(&thread->wait);
|
|
INIT_LIST_HEAD(&thread->todo);
|
|
rb_link_node(&thread->rb_node, parent, p);
|
|
rb_insert_color(&thread->rb_node, &proc->threads);
|
|
thread->looper_need_return = true;
|
|
thread->return_error.work.type = BINDER_WORK_RETURN_ERROR;
|
|
thread->return_error.cmd = BR_OK;
|
|
thread->reply_error.work.type = BINDER_WORK_RETURN_ERROR;
|
|
thread->reply_error.cmd = BR_OK;
|
|
INIT_LIST_HEAD(&new_thread->waiting_thread_node);
|
|
return thread;
|
|
}
|
|
|
|
static struct binder_thread *binder_get_thread(struct binder_proc *proc)
|
|
{
|
|
struct binder_thread *thread;
|
|
struct binder_thread *new_thread;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
thread = binder_get_thread_ilocked(proc, NULL);
|
|
binder_inner_proc_unlock(proc);
|
|
if (!thread) {
|
|
new_thread = kzalloc(sizeof(*thread), GFP_KERNEL);
|
|
if (new_thread == NULL)
|
|
return NULL;
|
|
binder_inner_proc_lock(proc);
|
|
thread = binder_get_thread_ilocked(proc, new_thread);
|
|
binder_inner_proc_unlock(proc);
|
|
if (thread != new_thread)
|
|
kfree(new_thread);
|
|
}
|
|
return thread;
|
|
}
|
|
|
|
static void binder_free_proc(struct binder_proc *proc)
|
|
{
|
|
struct binder_device *device;
|
|
struct binder_proc_ext *eproc =
|
|
container_of(proc, struct binder_proc_ext, proc);
|
|
|
|
BUG_ON(!list_empty(&proc->todo));
|
|
BUG_ON(!list_empty(&proc->delivered_death));
|
|
if (proc->outstanding_txns)
|
|
pr_warn("%s: Unexpected outstanding_txns %d\n",
|
|
__func__, proc->outstanding_txns);
|
|
device = container_of(proc->context, struct binder_device, context);
|
|
if (refcount_dec_and_test(&device->ref)) {
|
|
kfree(proc->context->name);
|
|
kfree(device);
|
|
}
|
|
binder_alloc_deferred_release(&proc->alloc);
|
|
put_task_struct(proc->tsk);
|
|
put_cred(eproc->cred);
|
|
binder_stats_deleted(BINDER_STAT_PROC);
|
|
trace_android_vh_binder_free_proc(proc);
|
|
kfree(eproc);
|
|
}
|
|
|
|
static void binder_free_thread(struct binder_thread *thread)
|
|
{
|
|
BUG_ON(!list_empty(&thread->todo));
|
|
binder_stats_deleted(BINDER_STAT_THREAD);
|
|
binder_proc_dec_tmpref(thread->proc);
|
|
put_task_struct(thread->task);
|
|
kfree(thread);
|
|
}
|
|
|
|
static int binder_thread_release(struct binder_proc *proc,
|
|
struct binder_thread *thread)
|
|
{
|
|
struct binder_transaction *t;
|
|
struct binder_transaction *send_reply = NULL;
|
|
int active_transactions = 0;
|
|
struct binder_transaction *last_t = NULL;
|
|
|
|
binder_inner_proc_lock(thread->proc);
|
|
/*
|
|
* take a ref on the proc so it survives
|
|
* after we remove this thread from proc->threads.
|
|
* The corresponding dec is when we actually
|
|
* free the thread in binder_free_thread()
|
|
*/
|
|
proc->tmp_ref++;
|
|
/*
|
|
* take a ref on this thread to ensure it
|
|
* survives while we are releasing it
|
|
*/
|
|
atomic_inc(&thread->tmp_ref);
|
|
rb_erase(&thread->rb_node, &proc->threads);
|
|
t = thread->transaction_stack;
|
|
if (t) {
|
|
spin_lock(&t->lock);
|
|
if (t->to_thread == thread)
|
|
send_reply = t;
|
|
} else {
|
|
__acquire(&t->lock);
|
|
}
|
|
thread->is_dead = true;
|
|
|
|
while (t) {
|
|
last_t = t;
|
|
active_transactions++;
|
|
binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
|
|
"release %d:%d transaction %d %s, still active\n",
|
|
proc->pid, thread->pid,
|
|
t->debug_id,
|
|
(t->to_thread == thread) ? "in" : "out");
|
|
|
|
if (t->to_thread == thread) {
|
|
thread->proc->outstanding_txns--;
|
|
t->to_proc = NULL;
|
|
t->to_thread = NULL;
|
|
if (t->buffer) {
|
|
t->buffer->transaction = NULL;
|
|
t->buffer = NULL;
|
|
}
|
|
t = t->to_parent;
|
|
} else if (t->from == thread) {
|
|
t->from = NULL;
|
|
t = t->from_parent;
|
|
} else
|
|
BUG();
|
|
spin_unlock(&last_t->lock);
|
|
if (t)
|
|
spin_lock(&t->lock);
|
|
else
|
|
__acquire(&t->lock);
|
|
}
|
|
/* annotation for sparse, lock not acquired in last iteration above */
|
|
__release(&t->lock);
|
|
|
|
/*
|
|
* If this thread used poll, make sure we remove the waitqueue from any
|
|
* poll data structures holding it.
|
|
*/
|
|
if (thread->looper & BINDER_LOOPER_STATE_POLL)
|
|
wake_up_pollfree(&thread->wait);
|
|
|
|
binder_inner_proc_unlock(thread->proc);
|
|
|
|
/*
|
|
* This is needed to avoid races between wake_up_pollfree() above and
|
|
* someone else removing the last entry from the queue for other reasons
|
|
* (e.g. ep_remove_wait_queue() being called due to an epoll file
|
|
* descriptor being closed). Such other users hold an RCU read lock, so
|
|
* we can be sure they're done after we call synchronize_rcu().
|
|
*/
|
|
if (thread->looper & BINDER_LOOPER_STATE_POLL)
|
|
synchronize_rcu();
|
|
|
|
if (send_reply)
|
|
binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
|
|
binder_release_work(proc, &thread->todo);
|
|
trace_android_vh_binder_thread_release(proc, thread);
|
|
binder_thread_dec_tmpref(thread);
|
|
return active_transactions;
|
|
}
|
|
|
|
static __poll_t binder_poll(struct file *filp,
|
|
struct poll_table_struct *wait)
|
|
{
|
|
struct binder_proc *proc = filp->private_data;
|
|
struct binder_thread *thread = NULL;
|
|
bool wait_for_proc_work;
|
|
|
|
thread = binder_get_thread(proc);
|
|
if (!thread)
|
|
return POLLERR;
|
|
|
|
binder_inner_proc_lock(thread->proc);
|
|
thread->looper |= BINDER_LOOPER_STATE_POLL;
|
|
wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
|
|
|
|
binder_inner_proc_unlock(thread->proc);
|
|
|
|
poll_wait(filp, &thread->wait, wait);
|
|
|
|
if (binder_has_work(thread, wait_for_proc_work))
|
|
return EPOLLIN;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int binder_ioctl_write_read(struct file *filp,
|
|
unsigned int cmd, unsigned long arg,
|
|
struct binder_thread *thread)
|
|
{
|
|
int ret = 0;
|
|
struct binder_proc *proc = filp->private_data;
|
|
unsigned int size = _IOC_SIZE(cmd);
|
|
void __user *ubuf = (void __user *)arg;
|
|
struct binder_write_read bwr;
|
|
|
|
if (size != sizeof(struct binder_write_read)) {
|
|
ret = -EINVAL;
|
|
goto out;
|
|
}
|
|
if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {
|
|
ret = -EFAULT;
|
|
goto out;
|
|
}
|
|
binder_debug(BINDER_DEBUG_READ_WRITE,
|
|
"%d:%d write %lld at %016llx, read %lld at %016llx\n",
|
|
proc->pid, thread->pid,
|
|
(u64)bwr.write_size, (u64)bwr.write_buffer,
|
|
(u64)bwr.read_size, (u64)bwr.read_buffer);
|
|
|
|
if (bwr.write_size > 0) {
|
|
ret = binder_thread_write(proc, thread,
|
|
bwr.write_buffer,
|
|
bwr.write_size,
|
|
&bwr.write_consumed);
|
|
trace_binder_write_done(ret);
|
|
if (ret < 0) {
|
|
bwr.read_consumed = 0;
|
|
if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
|
|
ret = -EFAULT;
|
|
goto out;
|
|
}
|
|
}
|
|
if (bwr.read_size > 0) {
|
|
ret = binder_thread_read(proc, thread, bwr.read_buffer,
|
|
bwr.read_size,
|
|
&bwr.read_consumed,
|
|
filp->f_flags & O_NONBLOCK);
|
|
trace_binder_read_done(ret);
|
|
binder_inner_proc_lock(proc);
|
|
if (!binder_worklist_empty_ilocked(&proc->todo))
|
|
binder_wakeup_proc_ilocked(proc);
|
|
binder_inner_proc_unlock(proc);
|
|
trace_android_vh_binder_read_done(proc, thread);
|
|
if (ret < 0) {
|
|
if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
|
|
ret = -EFAULT;
|
|
goto out;
|
|
}
|
|
}
|
|
binder_debug(BINDER_DEBUG_READ_WRITE,
|
|
"%d:%d wrote %lld of %lld, read return %lld of %lld\n",
|
|
proc->pid, thread->pid,
|
|
(u64)bwr.write_consumed, (u64)bwr.write_size,
|
|
(u64)bwr.read_consumed, (u64)bwr.read_size);
|
|
if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {
|
|
ret = -EFAULT;
|
|
goto out;
|
|
}
|
|
out:
|
|
return ret;
|
|
}
|
|
|
|
static int binder_ioctl_set_ctx_mgr(struct file *filp,
|
|
struct flat_binder_object *fbo)
|
|
{
|
|
int ret = 0;
|
|
struct binder_proc *proc = filp->private_data;
|
|
struct binder_context *context = proc->context;
|
|
struct binder_node *new_node;
|
|
kuid_t curr_euid = current_euid();
|
|
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
if (context->binder_context_mgr_node) {
|
|
pr_err("BINDER_SET_CONTEXT_MGR already set\n");
|
|
ret = -EBUSY;
|
|
goto out;
|
|
}
|
|
ret = security_binder_set_context_mgr(binder_get_cred(proc));
|
|
if (ret < 0)
|
|
goto out;
|
|
if (uid_valid(context->binder_context_mgr_uid)) {
|
|
if (!uid_eq(context->binder_context_mgr_uid, curr_euid)) {
|
|
pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n",
|
|
from_kuid(&init_user_ns, curr_euid),
|
|
from_kuid(&init_user_ns,
|
|
context->binder_context_mgr_uid));
|
|
ret = -EPERM;
|
|
goto out;
|
|
}
|
|
} else {
|
|
context->binder_context_mgr_uid = curr_euid;
|
|
}
|
|
new_node = binder_new_node(proc, fbo);
|
|
if (!new_node) {
|
|
ret = -ENOMEM;
|
|
goto out;
|
|
}
|
|
binder_node_lock(new_node);
|
|
new_node->local_weak_refs++;
|
|
new_node->local_strong_refs++;
|
|
new_node->has_strong_ref = 1;
|
|
new_node->has_weak_ref = 1;
|
|
context->binder_context_mgr_node = new_node;
|
|
binder_node_unlock(new_node);
|
|
binder_put_node(new_node);
|
|
out:
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
return ret;
|
|
}
|
|
|
|
static int binder_ioctl_get_node_info_for_ref(struct binder_proc *proc,
|
|
struct binder_node_info_for_ref *info)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_context *context = proc->context;
|
|
__u32 handle = info->handle;
|
|
|
|
if (info->strong_count || info->weak_count || info->reserved1 ||
|
|
info->reserved2 || info->reserved3) {
|
|
binder_user_error("%d BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.",
|
|
proc->pid);
|
|
return -EINVAL;
|
|
}
|
|
|
|
/* This ioctl may only be used by the context manager */
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
if (!context->binder_context_mgr_node ||
|
|
context->binder_context_mgr_node->proc != proc) {
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
return -EPERM;
|
|
}
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
|
|
node = binder_get_node_from_ref(proc, handle, true, NULL);
|
|
if (!node)
|
|
return -EINVAL;
|
|
|
|
info->strong_count = node->local_strong_refs +
|
|
node->internal_strong_refs;
|
|
info->weak_count = node->local_weak_refs;
|
|
|
|
binder_put_node(node);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int binder_ioctl_get_node_debug_info(struct binder_proc *proc,
|
|
struct binder_node_debug_info *info)
|
|
{
|
|
struct rb_node *n;
|
|
binder_uintptr_t ptr = info->ptr;
|
|
|
|
memset(info, 0, sizeof(*info));
|
|
|
|
binder_inner_proc_lock(proc);
|
|
for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
|
|
struct binder_node *node = rb_entry(n, struct binder_node,
|
|
rb_node);
|
|
if (node->ptr > ptr) {
|
|
info->ptr = node->ptr;
|
|
info->cookie = node->cookie;
|
|
info->has_strong_ref = node->has_strong_ref;
|
|
info->has_weak_ref = node->has_weak_ref;
|
|
break;
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static bool binder_txns_pending_ilocked(struct binder_proc *proc)
|
|
{
|
|
struct rb_node *n;
|
|
struct binder_thread *thread;
|
|
|
|
if (proc->outstanding_txns > 0)
|
|
return true;
|
|
|
|
for (n = rb_first(&proc->threads); n; n = rb_next(n)) {
|
|
thread = rb_entry(n, struct binder_thread, rb_node);
|
|
if (thread->transaction_stack)
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static int binder_ioctl_freeze(struct binder_freeze_info *info,
|
|
struct binder_proc *target_proc)
|
|
{
|
|
int ret = 0;
|
|
|
|
if (!info->enable) {
|
|
binder_inner_proc_lock(target_proc);
|
|
target_proc->sync_recv = false;
|
|
target_proc->async_recv = false;
|
|
target_proc->is_frozen = false;
|
|
binder_inner_proc_unlock(target_proc);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Freezing the target. Prevent new transactions by
|
|
* setting frozen state. If timeout specified, wait
|
|
* for transactions to drain.
|
|
*/
|
|
binder_inner_proc_lock(target_proc);
|
|
target_proc->sync_recv = false;
|
|
target_proc->async_recv = false;
|
|
target_proc->is_frozen = true;
|
|
binder_inner_proc_unlock(target_proc);
|
|
|
|
if (info->timeout_ms > 0)
|
|
ret = wait_event_interruptible_timeout(
|
|
target_proc->freeze_wait,
|
|
(!target_proc->outstanding_txns),
|
|
msecs_to_jiffies(info->timeout_ms));
|
|
|
|
/* Check pending transactions that wait for reply */
|
|
if (ret >= 0) {
|
|
binder_inner_proc_lock(target_proc);
|
|
if (binder_txns_pending_ilocked(target_proc))
|
|
ret = -EAGAIN;
|
|
binder_inner_proc_unlock(target_proc);
|
|
}
|
|
|
|
if (ret < 0) {
|
|
binder_inner_proc_lock(target_proc);
|
|
target_proc->is_frozen = false;
|
|
binder_inner_proc_unlock(target_proc);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int binder_ioctl_get_freezer_info(
|
|
struct binder_frozen_status_info *info)
|
|
{
|
|
struct binder_proc *target_proc;
|
|
bool found = false;
|
|
__u32 txns_pending;
|
|
|
|
info->sync_recv = 0;
|
|
info->async_recv = 0;
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
|
|
if (target_proc->pid == info->pid) {
|
|
found = true;
|
|
binder_inner_proc_lock(target_proc);
|
|
txns_pending = binder_txns_pending_ilocked(target_proc);
|
|
info->sync_recv |= target_proc->sync_recv |
|
|
(txns_pending << 1);
|
|
info->async_recv |= target_proc->async_recv;
|
|
binder_inner_proc_unlock(target_proc);
|
|
}
|
|
}
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
if (!found)
|
|
return -EINVAL;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|
{
|
|
int ret;
|
|
struct binder_proc *proc = filp->private_data;
|
|
struct binder_thread *thread;
|
|
unsigned int size = _IOC_SIZE(cmd);
|
|
void __user *ubuf = (void __user *)arg;
|
|
|
|
/*pr_info("binder_ioctl: %d:%d %x %lx\n",
|
|
proc->pid, current->pid, cmd, arg);*/
|
|
|
|
binder_selftest_alloc(&proc->alloc);
|
|
|
|
trace_binder_ioctl(cmd, arg);
|
|
|
|
ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
|
|
if (ret)
|
|
goto err_unlocked;
|
|
|
|
thread = binder_get_thread(proc);
|
|
if (thread == NULL) {
|
|
ret = -ENOMEM;
|
|
goto err;
|
|
}
|
|
|
|
switch (cmd) {
|
|
case BINDER_WRITE_READ:
|
|
ret = binder_ioctl_write_read(filp, cmd, arg, thread);
|
|
if (ret)
|
|
goto err;
|
|
break;
|
|
case BINDER_SET_MAX_THREADS: {
|
|
int max_threads;
|
|
|
|
if (copy_from_user(&max_threads, ubuf,
|
|
sizeof(max_threads))) {
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
binder_inner_proc_lock(proc);
|
|
proc->max_threads = max_threads;
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
}
|
|
case BINDER_SET_CONTEXT_MGR_EXT: {
|
|
struct flat_binder_object fbo;
|
|
|
|
if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
ret = binder_ioctl_set_ctx_mgr(filp, &fbo);
|
|
if (ret)
|
|
goto err;
|
|
break;
|
|
}
|
|
case BINDER_SET_CONTEXT_MGR:
|
|
ret = binder_ioctl_set_ctx_mgr(filp, NULL);
|
|
if (ret)
|
|
goto err;
|
|
break;
|
|
case BINDER_THREAD_EXIT:
|
|
binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n",
|
|
proc->pid, thread->pid);
|
|
binder_thread_release(proc, thread);
|
|
thread = NULL;
|
|
break;
|
|
case BINDER_VERSION: {
|
|
struct binder_version __user *ver = ubuf;
|
|
|
|
if (size != sizeof(struct binder_version)) {
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
if (put_user(BINDER_CURRENT_PROTOCOL_VERSION,
|
|
&ver->protocol_version)) {
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
break;
|
|
}
|
|
case BINDER_GET_NODE_INFO_FOR_REF: {
|
|
struct binder_node_info_for_ref info;
|
|
|
|
if (copy_from_user(&info, ubuf, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
|
|
ret = binder_ioctl_get_node_info_for_ref(proc, &info);
|
|
if (ret < 0)
|
|
goto err;
|
|
|
|
if (copy_to_user(ubuf, &info, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
|
|
break;
|
|
}
|
|
case BINDER_GET_NODE_DEBUG_INFO: {
|
|
struct binder_node_debug_info info;
|
|
|
|
if (copy_from_user(&info, ubuf, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
|
|
ret = binder_ioctl_get_node_debug_info(proc, &info);
|
|
if (ret < 0)
|
|
goto err;
|
|
|
|
if (copy_to_user(ubuf, &info, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
break;
|
|
}
|
|
case BINDER_FREEZE: {
|
|
struct binder_freeze_info info;
|
|
struct binder_proc **target_procs = NULL, *target_proc;
|
|
int target_procs_count = 0, i = 0;
|
|
|
|
ret = 0;
|
|
|
|
if (copy_from_user(&info, ubuf, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
|
|
if (target_proc->pid == info.pid)
|
|
target_procs_count++;
|
|
}
|
|
|
|
if (target_procs_count == 0) {
|
|
mutex_unlock(&binder_procs_lock);
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
|
|
target_procs = kcalloc(target_procs_count,
|
|
sizeof(struct binder_proc *),
|
|
GFP_KERNEL);
|
|
|
|
if (!target_procs) {
|
|
mutex_unlock(&binder_procs_lock);
|
|
ret = -ENOMEM;
|
|
goto err;
|
|
}
|
|
|
|
hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
|
|
if (target_proc->pid != info.pid)
|
|
continue;
|
|
|
|
binder_inner_proc_lock(target_proc);
|
|
target_proc->tmp_ref++;
|
|
binder_inner_proc_unlock(target_proc);
|
|
|
|
target_procs[i++] = target_proc;
|
|
}
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
for (i = 0; i < target_procs_count; i++) {
|
|
if (ret >= 0)
|
|
ret = binder_ioctl_freeze(&info,
|
|
target_procs[i]);
|
|
|
|
binder_proc_dec_tmpref(target_procs[i]);
|
|
}
|
|
|
|
kfree(target_procs);
|
|
|
|
if (ret < 0)
|
|
goto err;
|
|
break;
|
|
}
|
|
case BINDER_GET_FROZEN_INFO: {
|
|
struct binder_frozen_status_info info;
|
|
|
|
if (copy_from_user(&info, ubuf, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
|
|
ret = binder_ioctl_get_freezer_info(&info);
|
|
if (ret < 0)
|
|
goto err;
|
|
|
|
if (copy_to_user(ubuf, &info, sizeof(info))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
break;
|
|
}
|
|
case BINDER_ENABLE_ONEWAY_SPAM_DETECTION: {
|
|
uint32_t enable;
|
|
|
|
if (copy_from_user(&enable, ubuf, sizeof(enable))) {
|
|
ret = -EFAULT;
|
|
goto err;
|
|
}
|
|
binder_inner_proc_lock(proc);
|
|
proc->oneway_spam_detection_enabled = (bool)enable;
|
|
binder_inner_proc_unlock(proc);
|
|
break;
|
|
}
|
|
default:
|
|
ret = -EINVAL;
|
|
goto err;
|
|
}
|
|
ret = 0;
|
|
err:
|
|
if (thread)
|
|
thread->looper_need_return = false;
|
|
wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
|
|
if (ret && ret != -EINTR)
|
|
pr_info("%d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);
|
|
err_unlocked:
|
|
trace_binder_ioctl_done(ret);
|
|
return ret;
|
|
}
|
|
|
|
static void binder_vma_open(struct vm_area_struct *vma)
|
|
{
|
|
struct binder_proc *proc = vma->vm_private_data;
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"%d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
|
|
proc->pid, vma->vm_start, vma->vm_end,
|
|
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
|
|
(unsigned long)pgprot_val(vma->vm_page_prot));
|
|
}
|
|
|
|
static void binder_vma_close(struct vm_area_struct *vma)
|
|
{
|
|
struct binder_proc *proc = vma->vm_private_data;
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"%d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
|
|
proc->pid, vma->vm_start, vma->vm_end,
|
|
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
|
|
(unsigned long)pgprot_val(vma->vm_page_prot));
|
|
binder_alloc_vma_close(&proc->alloc);
|
|
}
|
|
|
|
static vm_fault_t binder_vm_fault(struct vm_fault *vmf)
|
|
{
|
|
return VM_FAULT_SIGBUS;
|
|
}
|
|
|
|
static const struct vm_operations_struct binder_vm_ops = {
|
|
.open = binder_vma_open,
|
|
.close = binder_vma_close,
|
|
.fault = binder_vm_fault,
|
|
};
|
|
|
|
static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
|
|
{
|
|
struct binder_proc *proc = filp->private_data;
|
|
|
|
if (proc->tsk != current->group_leader)
|
|
return -EINVAL;
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
|
|
__func__, proc->pid, vma->vm_start, vma->vm_end,
|
|
(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
|
|
(unsigned long)pgprot_val(vma->vm_page_prot));
|
|
|
|
if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) {
|
|
pr_err("%s: %d %lx-%lx %s failed %d\n", __func__,
|
|
proc->pid, vma->vm_start, vma->vm_end, "bad vm_flags", -EPERM);
|
|
return -EPERM;
|
|
}
|
|
vma->vm_flags |= VM_DONTCOPY | VM_MIXEDMAP;
|
|
vma->vm_flags &= ~VM_MAYWRITE;
|
|
|
|
vma->vm_ops = &binder_vm_ops;
|
|
vma->vm_private_data = proc;
|
|
|
|
return binder_alloc_mmap_handler(&proc->alloc, vma);
|
|
}
|
|
|
|
static int binder_open(struct inode *nodp, struct file *filp)
|
|
{
|
|
struct binder_proc *proc, *itr;
|
|
struct binder_proc_ext *eproc;
|
|
struct binder_device *binder_dev;
|
|
struct binderfs_info *info;
|
|
struct dentry *binder_binderfs_dir_entry_proc = NULL;
|
|
bool existing_pid = false;
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d:%d\n", __func__,
|
|
current->group_leader->pid, current->pid);
|
|
|
|
eproc = kzalloc(sizeof(*eproc), GFP_KERNEL);
|
|
proc = &eproc->proc;
|
|
if (proc == NULL)
|
|
return -ENOMEM;
|
|
spin_lock_init(&proc->inner_lock);
|
|
spin_lock_init(&proc->outer_lock);
|
|
get_task_struct(current->group_leader);
|
|
proc->tsk = current->group_leader;
|
|
eproc->cred = get_cred(filp->f_cred);
|
|
INIT_LIST_HEAD(&proc->todo);
|
|
init_waitqueue_head(&proc->freeze_wait);
|
|
if (binder_supported_policy(current->policy)) {
|
|
proc->default_priority.sched_policy = current->policy;
|
|
proc->default_priority.prio = current->normal_prio;
|
|
} else {
|
|
proc->default_priority.sched_policy = SCHED_NORMAL;
|
|
proc->default_priority.prio = NICE_TO_PRIO(0);
|
|
}
|
|
|
|
/* binderfs stashes devices in i_private */
|
|
if (is_binderfs_device(nodp)) {
|
|
binder_dev = nodp->i_private;
|
|
info = nodp->i_sb->s_fs_info;
|
|
binder_binderfs_dir_entry_proc = info->proc_log_dir;
|
|
} else {
|
|
binder_dev = container_of(filp->private_data,
|
|
struct binder_device, miscdev);
|
|
}
|
|
refcount_inc(&binder_dev->ref);
|
|
proc->context = &binder_dev->context;
|
|
binder_alloc_init(&proc->alloc);
|
|
|
|
binder_stats_created(BINDER_STAT_PROC);
|
|
proc->pid = current->group_leader->pid;
|
|
INIT_LIST_HEAD(&proc->delivered_death);
|
|
INIT_LIST_HEAD(&proc->waiting_threads);
|
|
filp->private_data = proc;
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(itr, &binder_procs, proc_node) {
|
|
if (itr->pid == proc->pid) {
|
|
existing_pid = true;
|
|
break;
|
|
}
|
|
}
|
|
hlist_add_head(&proc->proc_node, &binder_procs);
|
|
mutex_unlock(&binder_procs_lock);
|
|
trace_android_vh_binder_preset(&binder_procs, &binder_procs_lock);
|
|
if (binder_debugfs_dir_entry_proc && !existing_pid) {
|
|
char strbuf[11];
|
|
|
|
snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
|
|
/*
|
|
* proc debug entries are shared between contexts.
|
|
* Only create for the first PID to avoid debugfs log spamming
|
|
* The printing code will anyway print all contexts for a given
|
|
* PID so this is not a problem.
|
|
*/
|
|
proc->debugfs_entry = debugfs_create_file(strbuf, 0444,
|
|
binder_debugfs_dir_entry_proc,
|
|
(void *)(unsigned long)proc->pid,
|
|
&proc_fops);
|
|
}
|
|
|
|
if (binder_binderfs_dir_entry_proc && !existing_pid) {
|
|
char strbuf[11];
|
|
struct dentry *binderfs_entry;
|
|
|
|
snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
|
|
/*
|
|
* Similar to debugfs, the process specific log file is shared
|
|
* between contexts. Only create for the first PID.
|
|
* This is ok since same as debugfs, the log file will contain
|
|
* information on all contexts of a given PID.
|
|
*/
|
|
binderfs_entry = binderfs_create_file(binder_binderfs_dir_entry_proc,
|
|
strbuf, &proc_fops, (void *)(unsigned long)proc->pid);
|
|
if (!IS_ERR(binderfs_entry)) {
|
|
proc->binderfs_entry = binderfs_entry;
|
|
} else {
|
|
int error;
|
|
|
|
error = PTR_ERR(binderfs_entry);
|
|
pr_warn("Unable to create file %s in binderfs (error %d)\n",
|
|
strbuf, error);
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int binder_flush(struct file *filp, fl_owner_t id)
|
|
{
|
|
struct binder_proc *proc = filp->private_data;
|
|
|
|
binder_defer_work(proc, BINDER_DEFERRED_FLUSH);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void binder_deferred_flush(struct binder_proc *proc)
|
|
{
|
|
struct rb_node *n;
|
|
int wake_count = 0;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
|
|
struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
|
|
|
|
thread->looper_need_return = true;
|
|
if (thread->looper & BINDER_LOOPER_STATE_WAITING) {
|
|
wake_up_interruptible(&thread->wait);
|
|
wake_count++;
|
|
}
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"binder_flush: %d woke %d threads\n", proc->pid,
|
|
wake_count);
|
|
}
|
|
|
|
static int binder_release(struct inode *nodp, struct file *filp)
|
|
{
|
|
struct binder_proc *proc = filp->private_data;
|
|
|
|
debugfs_remove(proc->debugfs_entry);
|
|
|
|
if (proc->binderfs_entry) {
|
|
binderfs_remove_file(proc->binderfs_entry);
|
|
proc->binderfs_entry = NULL;
|
|
}
|
|
|
|
binder_defer_work(proc, BINDER_DEFERRED_RELEASE);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int binder_node_release(struct binder_node *node, int refs)
|
|
{
|
|
struct binder_ref *ref;
|
|
int death = 0;
|
|
struct binder_proc *proc = node->proc;
|
|
|
|
binder_release_work(proc, &node->async_todo);
|
|
|
|
binder_node_lock(node);
|
|
binder_inner_proc_lock(proc);
|
|
binder_dequeue_work_ilocked(&node->work);
|
|
/*
|
|
* The caller must have taken a temporary ref on the node,
|
|
*/
|
|
BUG_ON(!node->tmp_refs);
|
|
if (hlist_empty(&node->refs) && node->tmp_refs == 1) {
|
|
binder_inner_proc_unlock(proc);
|
|
binder_node_unlock(node);
|
|
binder_free_node(node);
|
|
|
|
return refs;
|
|
}
|
|
|
|
node->proc = NULL;
|
|
node->local_strong_refs = 0;
|
|
node->local_weak_refs = 0;
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
hlist_add_head(&node->dead_node, &binder_dead_nodes);
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
|
|
hlist_for_each_entry(ref, &node->refs, node_entry) {
|
|
refs++;
|
|
/*
|
|
* Need the node lock to synchronize
|
|
* with new notification requests and the
|
|
* inner lock to synchronize with queued
|
|
* death notifications.
|
|
*/
|
|
binder_inner_proc_lock(ref->proc);
|
|
if (!ref->death) {
|
|
binder_inner_proc_unlock(ref->proc);
|
|
continue;
|
|
}
|
|
|
|
death++;
|
|
|
|
BUG_ON(!list_empty(&ref->death->work.entry));
|
|
ref->death->work.type = BINDER_WORK_DEAD_BINDER;
|
|
binder_enqueue_work_ilocked(&ref->death->work,
|
|
&ref->proc->todo);
|
|
binder_wakeup_proc_ilocked(ref->proc);
|
|
binder_inner_proc_unlock(ref->proc);
|
|
}
|
|
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"node %d now dead, refs %d, death %d\n",
|
|
node->debug_id, refs, death);
|
|
binder_node_unlock(node);
|
|
binder_put_node(node);
|
|
|
|
return refs;
|
|
}
|
|
|
|
static void binder_deferred_release(struct binder_proc *proc)
|
|
{
|
|
struct binder_context *context = proc->context;
|
|
struct rb_node *n;
|
|
int threads, nodes, incoming_refs, outgoing_refs, active_transactions;
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_del(&proc->proc_node);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
mutex_lock(&context->context_mgr_node_lock);
|
|
if (context->binder_context_mgr_node &&
|
|
context->binder_context_mgr_node->proc == proc) {
|
|
binder_debug(BINDER_DEBUG_DEAD_BINDER,
|
|
"%s: %d context_mgr_node gone\n",
|
|
__func__, proc->pid);
|
|
context->binder_context_mgr_node = NULL;
|
|
}
|
|
mutex_unlock(&context->context_mgr_node_lock);
|
|
binder_inner_proc_lock(proc);
|
|
/*
|
|
* Make sure proc stays alive after we
|
|
* remove all the threads
|
|
*/
|
|
proc->tmp_ref++;
|
|
|
|
proc->is_dead = true;
|
|
proc->is_frozen = false;
|
|
proc->sync_recv = false;
|
|
proc->async_recv = false;
|
|
threads = 0;
|
|
active_transactions = 0;
|
|
while ((n = rb_first(&proc->threads))) {
|
|
struct binder_thread *thread;
|
|
|
|
thread = rb_entry(n, struct binder_thread, rb_node);
|
|
binder_inner_proc_unlock(proc);
|
|
threads++;
|
|
active_transactions += binder_thread_release(proc, thread);
|
|
binder_inner_proc_lock(proc);
|
|
}
|
|
|
|
nodes = 0;
|
|
incoming_refs = 0;
|
|
while ((n = rb_first(&proc->nodes))) {
|
|
struct binder_node *node;
|
|
|
|
node = rb_entry(n, struct binder_node, rb_node);
|
|
nodes++;
|
|
/*
|
|
* take a temporary ref on the node before
|
|
* calling binder_node_release() which will either
|
|
* kfree() the node or call binder_put_node()
|
|
*/
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
rb_erase(&node->rb_node, &proc->nodes);
|
|
binder_inner_proc_unlock(proc);
|
|
incoming_refs = binder_node_release(node, incoming_refs);
|
|
binder_inner_proc_lock(proc);
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
|
|
outgoing_refs = 0;
|
|
binder_proc_lock(proc);
|
|
while ((n = rb_first(&proc->refs_by_desc))) {
|
|
struct binder_ref *ref;
|
|
|
|
ref = rb_entry(n, struct binder_ref, rb_node_desc);
|
|
outgoing_refs++;
|
|
binder_cleanup_ref_olocked(ref);
|
|
binder_proc_unlock(proc);
|
|
binder_free_ref(ref);
|
|
binder_proc_lock(proc);
|
|
}
|
|
binder_proc_unlock(proc);
|
|
|
|
binder_release_work(proc, &proc->todo);
|
|
binder_release_work(proc, &proc->delivered_death);
|
|
|
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
|
"%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d\n",
|
|
__func__, proc->pid, threads, nodes, incoming_refs,
|
|
outgoing_refs, active_transactions);
|
|
|
|
binder_proc_dec_tmpref(proc);
|
|
}
|
|
|
|
static void binder_deferred_func(struct work_struct *work)
|
|
{
|
|
struct binder_proc *proc;
|
|
|
|
int defer;
|
|
|
|
do {
|
|
mutex_lock(&binder_deferred_lock);
|
|
if (!hlist_empty(&binder_deferred_list)) {
|
|
proc = hlist_entry(binder_deferred_list.first,
|
|
struct binder_proc, deferred_work_node);
|
|
hlist_del_init(&proc->deferred_work_node);
|
|
defer = proc->deferred_work;
|
|
proc->deferred_work = 0;
|
|
} else {
|
|
proc = NULL;
|
|
defer = 0;
|
|
}
|
|
mutex_unlock(&binder_deferred_lock);
|
|
|
|
if (defer & BINDER_DEFERRED_FLUSH)
|
|
binder_deferred_flush(proc);
|
|
|
|
if (defer & BINDER_DEFERRED_RELEASE)
|
|
binder_deferred_release(proc); /* frees proc */
|
|
} while (proc);
|
|
}
|
|
static DECLARE_WORK(binder_deferred_work, binder_deferred_func);
|
|
|
|
static void
|
|
binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer)
|
|
{
|
|
mutex_lock(&binder_deferred_lock);
|
|
proc->deferred_work |= defer;
|
|
if (hlist_unhashed(&proc->deferred_work_node)) {
|
|
hlist_add_head(&proc->deferred_work_node,
|
|
&binder_deferred_list);
|
|
schedule_work(&binder_deferred_work);
|
|
}
|
|
mutex_unlock(&binder_deferred_lock);
|
|
}
|
|
|
|
static void print_binder_transaction_ilocked(struct seq_file *m,
|
|
struct binder_proc *proc,
|
|
const char *prefix,
|
|
struct binder_transaction *t)
|
|
{
|
|
struct binder_proc *to_proc;
|
|
struct binder_buffer *buffer = t->buffer;
|
|
|
|
spin_lock(&t->lock);
|
|
trace_android_vh_binder_print_transaction_info(m, proc, prefix, t);
|
|
to_proc = t->to_proc;
|
|
seq_printf(m,
|
|
"%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %d:%d r%d",
|
|
prefix, t->debug_id, t,
|
|
t->from ? t->from->proc->pid : 0,
|
|
t->from ? t->from->pid : 0,
|
|
to_proc ? to_proc->pid : 0,
|
|
t->to_thread ? t->to_thread->pid : 0,
|
|
t->code, t->flags, t->priority.sched_policy,
|
|
t->priority.prio, t->need_reply);
|
|
spin_unlock(&t->lock);
|
|
|
|
if (proc != to_proc) {
|
|
/*
|
|
* Can only safely deref buffer if we are holding the
|
|
* correct proc inner lock for this node
|
|
*/
|
|
seq_puts(m, "\n");
|
|
return;
|
|
}
|
|
|
|
if (buffer == NULL) {
|
|
seq_puts(m, " buffer free\n");
|
|
return;
|
|
}
|
|
if (buffer->target_node)
|
|
seq_printf(m, " node %d", buffer->target_node->debug_id);
|
|
seq_printf(m, " size %zd:%zd data %pK\n",
|
|
buffer->data_size, buffer->offsets_size,
|
|
buffer->user_data);
|
|
}
|
|
|
|
static void print_binder_work_ilocked(struct seq_file *m,
|
|
struct binder_proc *proc,
|
|
const char *prefix,
|
|
const char *transaction_prefix,
|
|
struct binder_work *w)
|
|
{
|
|
struct binder_node *node;
|
|
struct binder_transaction *t;
|
|
|
|
switch (w->type) {
|
|
case BINDER_WORK_TRANSACTION:
|
|
t = container_of(w, struct binder_transaction, work);
|
|
print_binder_transaction_ilocked(
|
|
m, proc, transaction_prefix, t);
|
|
break;
|
|
case BINDER_WORK_RETURN_ERROR: {
|
|
struct binder_error *e = container_of(
|
|
w, struct binder_error, work);
|
|
|
|
seq_printf(m, "%stransaction error: %u\n",
|
|
prefix, e->cmd);
|
|
} break;
|
|
case BINDER_WORK_TRANSACTION_COMPLETE:
|
|
seq_printf(m, "%stransaction complete\n", prefix);
|
|
break;
|
|
case BINDER_WORK_NODE:
|
|
node = container_of(w, struct binder_node, work);
|
|
seq_printf(m, "%snode work %d: u%016llx c%016llx\n",
|
|
prefix, node->debug_id,
|
|
(u64)node->ptr, (u64)node->cookie);
|
|
break;
|
|
case BINDER_WORK_DEAD_BINDER:
|
|
seq_printf(m, "%shas dead binder\n", prefix);
|
|
break;
|
|
case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
|
|
seq_printf(m, "%shas cleared dead binder\n", prefix);
|
|
break;
|
|
case BINDER_WORK_CLEAR_DEATH_NOTIFICATION:
|
|
seq_printf(m, "%shas cleared death notification\n", prefix);
|
|
break;
|
|
default:
|
|
seq_printf(m, "%sunknown work: type %d\n", prefix, w->type);
|
|
break;
|
|
}
|
|
}
|
|
|
|
static void print_binder_thread_ilocked(struct seq_file *m,
|
|
struct binder_thread *thread,
|
|
int print_always)
|
|
{
|
|
struct binder_transaction *t;
|
|
struct binder_work *w;
|
|
size_t start_pos = m->count;
|
|
size_t header_pos;
|
|
|
|
seq_printf(m, " thread %d: l %02x need_return %d tr %d\n",
|
|
thread->pid, thread->looper,
|
|
thread->looper_need_return,
|
|
atomic_read(&thread->tmp_ref));
|
|
header_pos = m->count;
|
|
t = thread->transaction_stack;
|
|
while (t) {
|
|
if (t->from == thread) {
|
|
print_binder_transaction_ilocked(m, thread->proc,
|
|
" outgoing transaction", t);
|
|
t = t->from_parent;
|
|
} else if (t->to_thread == thread) {
|
|
print_binder_transaction_ilocked(m, thread->proc,
|
|
" incoming transaction", t);
|
|
t = t->to_parent;
|
|
} else {
|
|
print_binder_transaction_ilocked(m, thread->proc,
|
|
" bad transaction", t);
|
|
t = NULL;
|
|
}
|
|
}
|
|
list_for_each_entry(w, &thread->todo, entry) {
|
|
print_binder_work_ilocked(m, thread->proc, " ",
|
|
" pending transaction", w);
|
|
}
|
|
if (!print_always && m->count == header_pos)
|
|
m->count = start_pos;
|
|
}
|
|
|
|
static void print_binder_node_nilocked(struct seq_file *m,
|
|
struct binder_node *node)
|
|
{
|
|
struct binder_ref *ref;
|
|
struct binder_work *w;
|
|
int count;
|
|
|
|
count = 0;
|
|
hlist_for_each_entry(ref, &node->refs, node_entry)
|
|
count++;
|
|
|
|
seq_printf(m, " node %d: u%016llx c%016llx pri %d:%d hs %d hw %d ls %d lw %d is %d iw %d tr %d",
|
|
node->debug_id, (u64)node->ptr, (u64)node->cookie,
|
|
node->sched_policy, node->min_priority,
|
|
node->has_strong_ref, node->has_weak_ref,
|
|
node->local_strong_refs, node->local_weak_refs,
|
|
node->internal_strong_refs, count, node->tmp_refs);
|
|
if (count) {
|
|
seq_puts(m, " proc");
|
|
hlist_for_each_entry(ref, &node->refs, node_entry)
|
|
seq_printf(m, " %d", ref->proc->pid);
|
|
}
|
|
seq_puts(m, "\n");
|
|
if (node->proc) {
|
|
list_for_each_entry(w, &node->async_todo, entry)
|
|
print_binder_work_ilocked(m, node->proc, " ",
|
|
" pending async transaction", w);
|
|
}
|
|
}
|
|
|
|
static void print_binder_ref_olocked(struct seq_file *m,
|
|
struct binder_ref *ref)
|
|
{
|
|
binder_node_lock(ref->node);
|
|
seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %pK\n",
|
|
ref->data.debug_id, ref->data.desc,
|
|
ref->node->proc ? "" : "dead ",
|
|
ref->node->debug_id, ref->data.strong,
|
|
ref->data.weak, ref->death);
|
|
binder_node_unlock(ref->node);
|
|
}
|
|
|
|
static void print_binder_proc(struct seq_file *m,
|
|
struct binder_proc *proc, int print_all)
|
|
{
|
|
struct binder_work *w;
|
|
struct rb_node *n;
|
|
size_t start_pos = m->count;
|
|
size_t header_pos;
|
|
struct binder_node *last_node = NULL;
|
|
|
|
seq_printf(m, "proc %d\n", proc->pid);
|
|
seq_printf(m, "context %s\n", proc->context->name);
|
|
header_pos = m->count;
|
|
|
|
binder_inner_proc_lock(proc);
|
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
|
|
print_binder_thread_ilocked(m, rb_entry(n, struct binder_thread,
|
|
rb_node), print_all);
|
|
|
|
for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
|
|
struct binder_node *node = rb_entry(n, struct binder_node,
|
|
rb_node);
|
|
if (!print_all && !node->has_async_transaction)
|
|
continue;
|
|
|
|
/*
|
|
* take a temporary reference on the node so it
|
|
* survives and isn't removed from the tree
|
|
* while we print it.
|
|
*/
|
|
binder_inc_node_tmpref_ilocked(node);
|
|
/* Need to drop inner lock to take node lock */
|
|
binder_inner_proc_unlock(proc);
|
|
if (last_node)
|
|
binder_put_node(last_node);
|
|
binder_node_inner_lock(node);
|
|
print_binder_node_nilocked(m, node);
|
|
binder_node_inner_unlock(node);
|
|
last_node = node;
|
|
binder_inner_proc_lock(proc);
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
if (last_node)
|
|
binder_put_node(last_node);
|
|
|
|
if (print_all) {
|
|
binder_proc_lock(proc);
|
|
for (n = rb_first(&proc->refs_by_desc);
|
|
n != NULL;
|
|
n = rb_next(n))
|
|
print_binder_ref_olocked(m, rb_entry(n,
|
|
struct binder_ref,
|
|
rb_node_desc));
|
|
binder_proc_unlock(proc);
|
|
}
|
|
binder_alloc_print_allocated(m, &proc->alloc);
|
|
binder_inner_proc_lock(proc);
|
|
list_for_each_entry(w, &proc->todo, entry)
|
|
print_binder_work_ilocked(m, proc, " ",
|
|
" pending transaction", w);
|
|
list_for_each_entry(w, &proc->delivered_death, entry) {
|
|
seq_puts(m, " has delivered dead binder\n");
|
|
break;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
if (!print_all && m->count == header_pos)
|
|
m->count = start_pos;
|
|
}
|
|
|
|
static const char * const binder_return_strings[] = {
|
|
"BR_ERROR",
|
|
"BR_OK",
|
|
"BR_TRANSACTION",
|
|
"BR_REPLY",
|
|
"BR_ACQUIRE_RESULT",
|
|
"BR_DEAD_REPLY",
|
|
"BR_TRANSACTION_COMPLETE",
|
|
"BR_INCREFS",
|
|
"BR_ACQUIRE",
|
|
"BR_RELEASE",
|
|
"BR_DECREFS",
|
|
"BR_ATTEMPT_ACQUIRE",
|
|
"BR_NOOP",
|
|
"BR_SPAWN_LOOPER",
|
|
"BR_FINISHED",
|
|
"BR_DEAD_BINDER",
|
|
"BR_CLEAR_DEATH_NOTIFICATION_DONE",
|
|
"BR_FAILED_REPLY",
|
|
"BR_FROZEN_REPLY",
|
|
"BR_ONEWAY_SPAM_SUSPECT",
|
|
};
|
|
|
|
static const char * const binder_command_strings[] = {
|
|
"BC_TRANSACTION",
|
|
"BC_REPLY",
|
|
"BC_ACQUIRE_RESULT",
|
|
"BC_FREE_BUFFER",
|
|
"BC_INCREFS",
|
|
"BC_ACQUIRE",
|
|
"BC_RELEASE",
|
|
"BC_DECREFS",
|
|
"BC_INCREFS_DONE",
|
|
"BC_ACQUIRE_DONE",
|
|
"BC_ATTEMPT_ACQUIRE",
|
|
"BC_REGISTER_LOOPER",
|
|
"BC_ENTER_LOOPER",
|
|
"BC_EXIT_LOOPER",
|
|
"BC_REQUEST_DEATH_NOTIFICATION",
|
|
"BC_CLEAR_DEATH_NOTIFICATION",
|
|
"BC_DEAD_BINDER_DONE",
|
|
"BC_TRANSACTION_SG",
|
|
"BC_REPLY_SG",
|
|
};
|
|
|
|
static const char * const binder_objstat_strings[] = {
|
|
"proc",
|
|
"thread",
|
|
"node",
|
|
"ref",
|
|
"death",
|
|
"transaction",
|
|
"transaction_complete"
|
|
};
|
|
|
|
static void print_binder_stats(struct seq_file *m, const char *prefix,
|
|
struct binder_stats *stats)
|
|
{
|
|
int i;
|
|
|
|
BUILD_BUG_ON(ARRAY_SIZE(stats->bc) !=
|
|
ARRAY_SIZE(binder_command_strings));
|
|
for (i = 0; i < ARRAY_SIZE(stats->bc); i++) {
|
|
int temp = atomic_read(&stats->bc[i]);
|
|
|
|
if (temp)
|
|
seq_printf(m, "%s%s: %d\n", prefix,
|
|
binder_command_strings[i], temp);
|
|
}
|
|
|
|
BUILD_BUG_ON(ARRAY_SIZE(stats->br) !=
|
|
ARRAY_SIZE(binder_return_strings));
|
|
for (i = 0; i < ARRAY_SIZE(stats->br); i++) {
|
|
int temp = atomic_read(&stats->br[i]);
|
|
|
|
if (temp)
|
|
seq_printf(m, "%s%s: %d\n", prefix,
|
|
binder_return_strings[i], temp);
|
|
}
|
|
|
|
BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
|
|
ARRAY_SIZE(binder_objstat_strings));
|
|
BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
|
|
ARRAY_SIZE(stats->obj_deleted));
|
|
for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) {
|
|
int created = atomic_read(&stats->obj_created[i]);
|
|
int deleted = atomic_read(&stats->obj_deleted[i]);
|
|
|
|
if (created || deleted)
|
|
seq_printf(m, "%s%s: active %d total %d\n",
|
|
prefix,
|
|
binder_objstat_strings[i],
|
|
created - deleted,
|
|
created);
|
|
}
|
|
}
|
|
|
|
static void print_binder_proc_stats(struct seq_file *m,
|
|
struct binder_proc *proc)
|
|
{
|
|
struct binder_work *w;
|
|
struct binder_thread *thread;
|
|
struct rb_node *n;
|
|
int count, strong, weak, ready_threads;
|
|
size_t free_async_space =
|
|
binder_alloc_get_free_async_space(&proc->alloc);
|
|
|
|
seq_printf(m, "proc %d\n", proc->pid);
|
|
seq_printf(m, "context %s\n", proc->context->name);
|
|
count = 0;
|
|
ready_threads = 0;
|
|
binder_inner_proc_lock(proc);
|
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
|
|
count++;
|
|
|
|
list_for_each_entry(thread, &proc->waiting_threads, waiting_thread_node)
|
|
ready_threads++;
|
|
|
|
seq_printf(m, " threads: %d\n", count);
|
|
seq_printf(m, " requested threads: %d+%d/%d\n"
|
|
" ready threads %d\n"
|
|
" free async space %zd\n", proc->requested_threads,
|
|
proc->requested_threads_started, proc->max_threads,
|
|
ready_threads,
|
|
free_async_space);
|
|
count = 0;
|
|
for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n))
|
|
count++;
|
|
binder_inner_proc_unlock(proc);
|
|
seq_printf(m, " nodes: %d\n", count);
|
|
count = 0;
|
|
strong = 0;
|
|
weak = 0;
|
|
binder_proc_lock(proc);
|
|
for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
|
|
struct binder_ref *ref = rb_entry(n, struct binder_ref,
|
|
rb_node_desc);
|
|
count++;
|
|
strong += ref->data.strong;
|
|
weak += ref->data.weak;
|
|
}
|
|
binder_proc_unlock(proc);
|
|
seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak);
|
|
|
|
count = binder_alloc_get_allocated_count(&proc->alloc);
|
|
seq_printf(m, " buffers: %d\n", count);
|
|
|
|
binder_alloc_print_pages(m, &proc->alloc);
|
|
|
|
count = 0;
|
|
binder_inner_proc_lock(proc);
|
|
list_for_each_entry(w, &proc->todo, entry) {
|
|
if (w->type == BINDER_WORK_TRANSACTION)
|
|
count++;
|
|
}
|
|
binder_inner_proc_unlock(proc);
|
|
seq_printf(m, " pending transactions: %d\n", count);
|
|
|
|
print_binder_stats(m, " ", &proc->stats);
|
|
}
|
|
|
|
|
|
int binder_state_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_proc *proc;
|
|
struct binder_node *node;
|
|
struct binder_node *last_node = NULL;
|
|
|
|
seq_puts(m, "binder state:\n");
|
|
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
if (!hlist_empty(&binder_dead_nodes))
|
|
seq_puts(m, "dead nodes:\n");
|
|
hlist_for_each_entry(node, &binder_dead_nodes, dead_node) {
|
|
/*
|
|
* take a temporary reference on the node so it
|
|
* survives and isn't removed from the list
|
|
* while we print it.
|
|
*/
|
|
node->tmp_refs++;
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
if (last_node)
|
|
binder_put_node(last_node);
|
|
binder_node_lock(node);
|
|
print_binder_node_nilocked(m, node);
|
|
binder_node_unlock(node);
|
|
last_node = node;
|
|
spin_lock(&binder_dead_nodes_lock);
|
|
}
|
|
spin_unlock(&binder_dead_nodes_lock);
|
|
if (last_node)
|
|
binder_put_node(last_node);
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(proc, &binder_procs, proc_node)
|
|
print_binder_proc(m, proc, 1);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int binder_stats_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_proc *proc;
|
|
|
|
seq_puts(m, "binder stats:\n");
|
|
|
|
print_binder_stats(m, "", &binder_stats);
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(proc, &binder_procs, proc_node)
|
|
print_binder_proc_stats(m, proc);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int binder_transactions_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_proc *proc;
|
|
|
|
seq_puts(m, "binder transactions:\n");
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(proc, &binder_procs, proc_node)
|
|
print_binder_proc(m, proc, 0);
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int proc_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_proc *itr;
|
|
int pid = (unsigned long)m->private;
|
|
|
|
mutex_lock(&binder_procs_lock);
|
|
hlist_for_each_entry(itr, &binder_procs, proc_node) {
|
|
if (itr->pid == pid) {
|
|
seq_puts(m, "binder proc state:\n");
|
|
print_binder_proc(m, itr, 1);
|
|
}
|
|
}
|
|
mutex_unlock(&binder_procs_lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void print_binder_transaction_log_entry(struct seq_file *m,
|
|
struct binder_transaction_log_entry *e)
|
|
{
|
|
int debug_id = READ_ONCE(e->debug_id_done);
|
|
/*
|
|
* read barrier to guarantee debug_id_done read before
|
|
* we print the log values
|
|
*/
|
|
smp_rmb();
|
|
seq_printf(m,
|
|
"%d: %s from %d:%d to %d:%d context %s node %d handle %d size %d:%d ret %d/%d l=%d",
|
|
e->debug_id, (e->call_type == 2) ? "reply" :
|
|
((e->call_type == 1) ? "async" : "call "), e->from_proc,
|
|
e->from_thread, e->to_proc, e->to_thread, e->context_name,
|
|
e->to_node, e->target_handle, e->data_size, e->offsets_size,
|
|
e->return_error, e->return_error_param,
|
|
e->return_error_line);
|
|
/*
|
|
* read-barrier to guarantee read of debug_id_done after
|
|
* done printing the fields of the entry
|
|
*/
|
|
smp_rmb();
|
|
seq_printf(m, debug_id && debug_id == READ_ONCE(e->debug_id_done) ?
|
|
"\n" : " (incomplete)\n");
|
|
}
|
|
|
|
int binder_transaction_log_show(struct seq_file *m, void *unused)
|
|
{
|
|
struct binder_transaction_log *log = m->private;
|
|
unsigned int log_cur = atomic_read(&log->cur);
|
|
unsigned int count;
|
|
unsigned int cur;
|
|
int i;
|
|
|
|
count = log_cur + 1;
|
|
cur = count < ARRAY_SIZE(log->entry) && !log->full ?
|
|
0 : count % ARRAY_SIZE(log->entry);
|
|
if (count > ARRAY_SIZE(log->entry) || log->full)
|
|
count = ARRAY_SIZE(log->entry);
|
|
for (i = 0; i < count; i++) {
|
|
unsigned int index = cur++ % ARRAY_SIZE(log->entry);
|
|
|
|
print_binder_transaction_log_entry(m, &log->entry[index]);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
const struct file_operations binder_fops = {
|
|
.owner = THIS_MODULE,
|
|
.poll = binder_poll,
|
|
.unlocked_ioctl = binder_ioctl,
|
|
.compat_ioctl = compat_ptr_ioctl,
|
|
.mmap = binder_mmap,
|
|
.open = binder_open,
|
|
.flush = binder_flush,
|
|
.release = binder_release,
|
|
};
|
|
|
|
static int __init init_binder_device(const char *name)
|
|
{
|
|
int ret;
|
|
struct binder_device *binder_device;
|
|
|
|
binder_device = kzalloc(sizeof(*binder_device), GFP_KERNEL);
|
|
if (!binder_device)
|
|
return -ENOMEM;
|
|
|
|
binder_device->miscdev.fops = &binder_fops;
|
|
binder_device->miscdev.minor = MISC_DYNAMIC_MINOR;
|
|
binder_device->miscdev.name = name;
|
|
|
|
refcount_set(&binder_device->ref, 1);
|
|
binder_device->context.binder_context_mgr_uid = INVALID_UID;
|
|
binder_device->context.name = name;
|
|
mutex_init(&binder_device->context.context_mgr_node_lock);
|
|
|
|
ret = misc_register(&binder_device->miscdev);
|
|
if (ret < 0) {
|
|
kfree(binder_device);
|
|
return ret;
|
|
}
|
|
|
|
hlist_add_head(&binder_device->hlist, &binder_devices);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int __init binder_init(void)
|
|
{
|
|
int ret;
|
|
char *device_name, *device_tmp;
|
|
struct binder_device *device;
|
|
struct hlist_node *tmp;
|
|
char *device_names = NULL;
|
|
|
|
ret = binder_alloc_shrinker_init();
|
|
if (ret)
|
|
return ret;
|
|
|
|
atomic_set(&binder_transaction_log.cur, ~0U);
|
|
atomic_set(&binder_transaction_log_failed.cur, ~0U);
|
|
|
|
binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL);
|
|
if (binder_debugfs_dir_entry_root)
|
|
binder_debugfs_dir_entry_proc = debugfs_create_dir("proc",
|
|
binder_debugfs_dir_entry_root);
|
|
|
|
if (binder_debugfs_dir_entry_root) {
|
|
debugfs_create_file("state",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
NULL,
|
|
&binder_state_fops);
|
|
debugfs_create_file("stats",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
NULL,
|
|
&binder_stats_fops);
|
|
debugfs_create_file("transactions",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
NULL,
|
|
&binder_transactions_fops);
|
|
debugfs_create_file("transaction_log",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
&binder_transaction_log,
|
|
&binder_transaction_log_fops);
|
|
debugfs_create_file("failed_transaction_log",
|
|
0444,
|
|
binder_debugfs_dir_entry_root,
|
|
&binder_transaction_log_failed,
|
|
&binder_transaction_log_fops);
|
|
}
|
|
|
|
if (!IS_ENABLED(CONFIG_ANDROID_BINDERFS) &&
|
|
strcmp(binder_devices_param, "") != 0) {
|
|
/*
|
|
* Copy the module_parameter string, because we don't want to
|
|
* tokenize it in-place.
|
|
*/
|
|
device_names = kstrdup(binder_devices_param, GFP_KERNEL);
|
|
if (!device_names) {
|
|
ret = -ENOMEM;
|
|
goto err_alloc_device_names_failed;
|
|
}
|
|
|
|
device_tmp = device_names;
|
|
while ((device_name = strsep(&device_tmp, ","))) {
|
|
ret = init_binder_device(device_name);
|
|
if (ret)
|
|
goto err_init_binder_device_failed;
|
|
}
|
|
}
|
|
|
|
ret = init_binderfs();
|
|
if (ret)
|
|
goto err_init_binder_device_failed;
|
|
|
|
return ret;
|
|
|
|
err_init_binder_device_failed:
|
|
hlist_for_each_entry_safe(device, tmp, &binder_devices, hlist) {
|
|
misc_deregister(&device->miscdev);
|
|
hlist_del(&device->hlist);
|
|
kfree(device);
|
|
}
|
|
|
|
kfree(device_names);
|
|
|
|
err_alloc_device_names_failed:
|
|
debugfs_remove_recursive(binder_debugfs_dir_entry_root);
|
|
|
|
return ret;
|
|
}
|
|
|
|
device_initcall(binder_init);
|
|
|
|
#define CREATE_TRACE_POINTS
|
|
#include "binder_trace.h"
|
|
EXPORT_TRACEPOINT_SYMBOL_GPL(binder_transaction_received);
|
|
|
|
MODULE_LICENSE("GPL v2");
|