binder: protect proc->threads with inner_lock
proc->threads will need to be accessed with higher locks of other processes held so use proc->inner_lock to protect it. proc->tmp_ref now needs to be protected by proc->inner_lock. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Todd Kjos
Greg Kroah-Hartman
parent
da0fa9e4e8
commit
7bd7b0e639
|
|
@ -469,6 +469,7 @@ enum binder_deferred_state {
|
||||||
* struct binder_proc - binder process bookkeeping
|
* struct binder_proc - binder process bookkeeping
|
||||||
* @proc_node: element for binder_procs list
|
* @proc_node: element for binder_procs list
|
||||||
* @threads: rbtree of binder_threads in this proc
|
* @threads: rbtree of binder_threads in this proc
|
||||||
|
* (protected by @inner_lock)
|
||||||
* @nodes: rbtree of binder nodes associated with
|
* @nodes: rbtree of binder nodes associated with
|
||||||
* this proc ordered by node->ptr
|
* this proc ordered by node->ptr
|
||||||
* (protected by @inner_lock)
|
* (protected by @inner_lock)
|
||||||
|
|
@ -486,6 +487,7 @@ enum binder_deferred_state {
|
||||||
* (protected by binder_deferred_lock)
|
* (protected by binder_deferred_lock)
|
||||||
* @is_dead: process is dead and awaiting free
|
* @is_dead: process is dead and awaiting free
|
||||||
* when outstanding transactions are cleaned up
|
* when outstanding transactions are cleaned up
|
||||||
|
* (protected by @inner_lock)
|
||||||
* @todo: list of work for this process
|
* @todo: list of work for this process
|
||||||
* (protected by @inner_lock)
|
* (protected by @inner_lock)
|
||||||
* @wait: wait queue head to wait for proc work
|
* @wait: wait queue head to wait for proc work
|
||||||
|
|
@ -501,6 +503,7 @@ enum binder_deferred_state {
|
||||||
* @requested_threads_started: number binder threads started
|
* @requested_threads_started: number binder threads started
|
||||||
* @ready_threads: number of threads waiting for proc work
|
* @ready_threads: number of threads waiting for proc work
|
||||||
* @tmp_ref: temporary reference to indicate proc is in use
|
* @tmp_ref: temporary reference to indicate proc is in use
|
||||||
|
* (protected by @inner_lock)
|
||||||
* @default_priority: default scheduler priority
|
* @default_priority: default scheduler priority
|
||||||
* (invariant after initialized)
|
* (invariant after initialized)
|
||||||
* @debugfs_entry: debugfs node
|
* @debugfs_entry: debugfs node
|
||||||
|
|
@ -556,6 +559,7 @@ enum {
|
||||||
* @proc: binder process for this thread
|
* @proc: binder process for this thread
|
||||||
* (invariant after initialization)
|
* (invariant after initialization)
|
||||||
* @rb_node: element for proc->threads rbtree
|
* @rb_node: element for proc->threads rbtree
|
||||||
|
* (protected by @proc->inner_lock)
|
||||||
* @pid: PID for this thread
|
* @pid: PID for this thread
|
||||||
* (invariant after initialization)
|
* (invariant after initialization)
|
||||||
* @looper: bitmap of looping state
|
* @looper: bitmap of looping state
|
||||||
|
|
@ -576,6 +580,7 @@ enum {
|
||||||
* always be acquired)
|
* always be acquired)
|
||||||
* @is_dead: thread is dead and awaiting free
|
* @is_dead: thread is dead and awaiting free
|
||||||
* when outstanding transactions are cleaned up
|
* when outstanding transactions are cleaned up
|
||||||
|
* (protected by @proc->inner_lock)
|
||||||
*
|
*
|
||||||
* Bookkeeping structure for binder threads.
|
* Bookkeeping structure for binder threads.
|
||||||
*/
|
*/
|
||||||
|
|
@ -1667,15 +1672,15 @@ static void binder_thread_dec_tmpref(struct binder_thread *thread)
|
||||||
/*
|
/*
|
||||||
* atomic is used to protect the counter value while
|
* atomic is used to protect the counter value while
|
||||||
* it cannot reach zero or thread->is_dead is false
|
* it cannot reach zero or thread->is_dead is false
|
||||||
*
|
|
||||||
* TODO: future patch adds locking to ensure that the
|
|
||||||
* check of tmp_ref and is_dead is done with a lock held
|
|
||||||
*/
|
*/
|
||||||
|
binder_inner_proc_lock(thread->proc);
|
||||||
atomic_dec(&thread->tmp_ref);
|
atomic_dec(&thread->tmp_ref);
|
||||||
if (thread->is_dead && !atomic_read(&thread->tmp_ref)) {
|
if (thread->is_dead && !atomic_read(&thread->tmp_ref)) {
|
||||||
|
binder_inner_proc_unlock(thread->proc);
|
||||||
binder_free_thread(thread);
|
binder_free_thread(thread);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
binder_inner_proc_unlock(thread->proc);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -1692,12 +1697,15 @@ static void binder_thread_dec_tmpref(struct binder_thread *thread)
|
||||||
*/
|
*/
|
||||||
static void binder_proc_dec_tmpref(struct binder_proc *proc)
|
static void binder_proc_dec_tmpref(struct binder_proc *proc)
|
||||||
{
|
{
|
||||||
|
binder_inner_proc_lock(proc);
|
||||||
proc->tmp_ref--;
|
proc->tmp_ref--;
|
||||||
if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
|
if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
|
||||||
!proc->tmp_ref) {
|
!proc->tmp_ref) {
|
||||||
|
binder_inner_proc_unlock(proc);
|
||||||
binder_free_proc(proc);
|
binder_free_proc(proc);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
binder_inner_proc_unlock(proc);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -2480,7 +2488,9 @@ static void binder_transaction(struct binder_proc *proc,
|
||||||
return_error_line = __LINE__;
|
return_error_line = __LINE__;
|
||||||
goto err_dead_binder;
|
goto err_dead_binder;
|
||||||
}
|
}
|
||||||
|
binder_inner_proc_lock(target_proc);
|
||||||
target_proc->tmp_ref++;
|
target_proc->tmp_ref++;
|
||||||
|
binder_inner_proc_unlock(target_proc);
|
||||||
binder_node_unlock(target_node);
|
binder_node_unlock(target_node);
|
||||||
if (security_binder_transaction(proc->tsk,
|
if (security_binder_transaction(proc->tsk,
|
||||||
target_proc->tsk) < 0) {
|
target_proc->tsk) < 0) {
|
||||||
|
|
@ -3854,7 +3864,8 @@ static void binder_release_work(struct binder_proc *proc,
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct binder_thread *binder_get_thread(struct binder_proc *proc)
|
static struct binder_thread *binder_get_thread_ilocked(
|
||||||
|
struct binder_proc *proc, struct binder_thread *new_thread)
|
||||||
{
|
{
|
||||||
struct binder_thread *thread = NULL;
|
struct binder_thread *thread = NULL;
|
||||||
struct rb_node *parent = NULL;
|
struct rb_node *parent = NULL;
|
||||||
|
|
@ -3869,25 +3880,45 @@ static struct binder_thread *binder_get_thread(struct binder_proc *proc)
|
||||||
else if (current->pid > thread->pid)
|
else if (current->pid > thread->pid)
|
||||||
p = &(*p)->rb_right;
|
p = &(*p)->rb_right;
|
||||||
else
|
else
|
||||||
break;
|
return thread;
|
||||||
}
|
}
|
||||||
if (*p == NULL) {
|
if (!new_thread)
|
||||||
thread = kzalloc(sizeof(*thread), GFP_KERNEL);
|
return NULL;
|
||||||
if (thread == NULL)
|
thread = new_thread;
|
||||||
|
binder_stats_created(BINDER_STAT_THREAD);
|
||||||
|
thread->proc = proc;
|
||||||
|
thread->pid = current->pid;
|
||||||
|
atomic_set(&thread->tmp_ref, 0);
|
||||||
|
init_waitqueue_head(&thread->wait);
|
||||||
|
INIT_LIST_HEAD(&thread->todo);
|
||||||
|
rb_link_node(&thread->rb_node, parent, p);
|
||||||
|
rb_insert_color(&thread->rb_node, &proc->threads);
|
||||||
|
thread->looper_need_return = true;
|
||||||
|
thread->return_error.work.type = BINDER_WORK_RETURN_ERROR;
|
||||||
|
thread->return_error.cmd = BR_OK;
|
||||||
|
thread->reply_error.work.type = BINDER_WORK_RETURN_ERROR;
|
||||||
|
thread->reply_error.cmd = BR_OK;
|
||||||
|
|
||||||
|
return thread;
|
||||||
|
}
|
||||||
|
|
||||||
|
static struct binder_thread *binder_get_thread(struct binder_proc *proc)
|
||||||
|
{
|
||||||
|
struct binder_thread *thread;
|
||||||
|
struct binder_thread *new_thread;
|
||||||
|
|
||||||
|
binder_inner_proc_lock(proc);
|
||||||
|
thread = binder_get_thread_ilocked(proc, NULL);
|
||||||
|
binder_inner_proc_unlock(proc);
|
||||||
|
if (!thread) {
|
||||||
|
new_thread = kzalloc(sizeof(*thread), GFP_KERNEL);
|
||||||
|
if (new_thread == NULL)
|
||||||
return NULL;
|
return NULL;
|
||||||
binder_stats_created(BINDER_STAT_THREAD);
|
binder_inner_proc_lock(proc);
|
||||||
thread->proc = proc;
|
thread = binder_get_thread_ilocked(proc, new_thread);
|
||||||
thread->pid = current->pid;
|
binder_inner_proc_unlock(proc);
|
||||||
atomic_set(&thread->tmp_ref, 0);
|
if (thread != new_thread)
|
||||||
init_waitqueue_head(&thread->wait);
|
kfree(new_thread);
|
||||||
INIT_LIST_HEAD(&thread->todo);
|
|
||||||
rb_link_node(&thread->rb_node, parent, p);
|
|
||||||
rb_insert_color(&thread->rb_node, &proc->threads);
|
|
||||||
thread->looper_need_return = true;
|
|
||||||
thread->return_error.work.type = BINDER_WORK_RETURN_ERROR;
|
|
||||||
thread->return_error.cmd = BR_OK;
|
|
||||||
thread->reply_error.work.type = BINDER_WORK_RETURN_ERROR;
|
|
||||||
thread->reply_error.cmd = BR_OK;
|
|
||||||
}
|
}
|
||||||
return thread;
|
return thread;
|
||||||
}
|
}
|
||||||
|
|
@ -3918,6 +3949,7 @@ static int binder_thread_release(struct binder_proc *proc,
|
||||||
int active_transactions = 0;
|
int active_transactions = 0;
|
||||||
struct binder_transaction *last_t = NULL;
|
struct binder_transaction *last_t = NULL;
|
||||||
|
|
||||||
|
binder_inner_proc_lock(thread->proc);
|
||||||
/*
|
/*
|
||||||
* take a ref on the proc so it survives
|
* take a ref on the proc so it survives
|
||||||
* after we remove this thread from proc->threads.
|
* after we remove this thread from proc->threads.
|
||||||
|
|
@ -3965,6 +3997,7 @@ static int binder_thread_release(struct binder_proc *proc,
|
||||||
if (t)
|
if (t)
|
||||||
spin_lock(&t->lock);
|
spin_lock(&t->lock);
|
||||||
}
|
}
|
||||||
|
binder_inner_proc_unlock(thread->proc);
|
||||||
|
|
||||||
if (send_reply)
|
if (send_reply)
|
||||||
binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
|
binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
|
||||||
|
|
@ -4338,6 +4371,7 @@ static void binder_deferred_flush(struct binder_proc *proc)
|
||||||
struct rb_node *n;
|
struct rb_node *n;
|
||||||
int wake_count = 0;
|
int wake_count = 0;
|
||||||
|
|
||||||
|
binder_inner_proc_lock(proc);
|
||||||
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
|
||||||
struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
|
struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
|
||||||
|
|
||||||
|
|
@ -4347,6 +4381,7 @@ static void binder_deferred_flush(struct binder_proc *proc)
|
||||||
wake_count++;
|
wake_count++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
binder_inner_proc_unlock(proc);
|
||||||
wake_up_interruptible_all(&proc->wait);
|
wake_up_interruptible_all(&proc->wait);
|
||||||
|
|
||||||
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
binder_debug(BINDER_DEBUG_OPEN_CLOSE,
|
||||||
|
|
@ -4445,6 +4480,7 @@ static void binder_deferred_release(struct binder_proc *proc)
|
||||||
context->binder_context_mgr_node = NULL;
|
context->binder_context_mgr_node = NULL;
|
||||||
}
|
}
|
||||||
mutex_unlock(&context->context_mgr_node_lock);
|
mutex_unlock(&context->context_mgr_node_lock);
|
||||||
|
binder_inner_proc_lock(proc);
|
||||||
/*
|
/*
|
||||||
* Make sure proc stays alive after we
|
* Make sure proc stays alive after we
|
||||||
* remove all the threads
|
* remove all the threads
|
||||||
|
|
@ -4458,13 +4494,14 @@ static void binder_deferred_release(struct binder_proc *proc)
|
||||||
struct binder_thread *thread;
|
struct binder_thread *thread;
|
||||||
|
|
||||||
thread = rb_entry(n, struct binder_thread, rb_node);
|
thread = rb_entry(n, struct binder_thread, rb_node);
|
||||||
|
binder_inner_proc_unlock(proc);
|
||||||
threads++;
|
threads++;
|
||||||
active_transactions += binder_thread_release(proc, thread);
|
active_transactions += binder_thread_release(proc, thread);
|
||||||
|
binder_inner_proc_lock(proc);
|
||||||
}
|
}
|
||||||
|
|
||||||
nodes = 0;
|
nodes = 0;
|
||||||
incoming_refs = 0;
|
incoming_refs = 0;
|
||||||
binder_inner_proc_lock(proc);
|
|
||||||
while ((n = rb_first(&proc->nodes))) {
|
while ((n = rb_first(&proc->nodes))) {
|
||||||
struct binder_node *node;
|
struct binder_node *node;
|
||||||
|
|
||||||
|
|
@ -4872,10 +4909,13 @@ static void print_binder_proc_stats(struct seq_file *m,
|
||||||
struct binder_work *w;
|
struct binder_work *w;
|
||||||
struct rb_node *n;
|
struct rb_node *n;
|
||||||
int count, strong, weak;
|
int count, strong, weak;
|
||||||
|
size_t free_async_space =
|
||||||
|
binder_alloc_get_free_async_space(&proc->alloc);
|
||||||
|
|
||||||
seq_printf(m, "proc %d\n", proc->pid);
|
seq_printf(m, "proc %d\n", proc->pid);
|
||||||
seq_printf(m, "context %s\n", proc->context->name);
|
seq_printf(m, "context %s\n", proc->context->name);
|
||||||
count = 0;
|
count = 0;
|
||||||
|
binder_inner_proc_lock(proc);
|
||||||
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
|
for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
|
||||||
count++;
|
count++;
|
||||||
seq_printf(m, " threads: %d\n", count);
|
seq_printf(m, " threads: %d\n", count);
|
||||||
|
|
@ -4884,9 +4924,8 @@ static void print_binder_proc_stats(struct seq_file *m,
|
||||||
" free async space %zd\n", proc->requested_threads,
|
" free async space %zd\n", proc->requested_threads,
|
||||||
proc->requested_threads_started, proc->max_threads,
|
proc->requested_threads_started, proc->max_threads,
|
||||||
proc->ready_threads,
|
proc->ready_threads,
|
||||||
binder_alloc_get_free_async_space(&proc->alloc));
|
free_async_space);
|
||||||
count = 0;
|
count = 0;
|
||||||
binder_inner_proc_lock(proc);
|
|
||||||
for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n))
|
for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n))
|
||||||
count++;
|
count++;
|
||||||
binder_inner_proc_unlock(proc);
|
binder_inner_proc_unlock(proc);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue