72196393 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: add spinlocks to protect todo lists

The todo lists in the proc, thread, and node structures are accessed by other procs/threads to place work items on the queue.

The todo lists are protected by the new proc->inner_lock. No locks should ever be nested under these locks. As the name suggests, an outer lock will be introduced in a later patch.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ed29721e | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: use inner lock to sync work dq and node counts

For correct behavior we need to hold the inner lock when dequeuing and processing node work in binder_thread_read. We now hold the inner lock when we enter the switch statement and release it after processing anything that might be affected by other threads.

We also need to hold the inner lock to protect the node weak/strong ref tracking fields as long as node->proc is non-NULL (if it is NULL then we are guaranteed that we don't have any node work queued).

This means that other functions that manipulate these fields must hold the inner lock. Refactored these functions to use the inner lock.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

9630fe88 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: introduce locking helper functions

There are 3 main spinlocks which must be acquired in this order:

1) proc->outer_lock : protects most fields of binder_proc, binder_thread, and binder_ref structures. binder_proc_lock() and binder_proc_unlock() are used to acq/rel.
2) node->lock : protects most fields of binder_node. binder_node_lock() and binder_node_unlock() are used to acq/rel.
3) proc->inner_lock : protects the thread and node lists (proc->threads, proc->nodes) and all todo lists associated with the binder_proc (proc->todo, thread->todo, proc->delivered_death and node->async_todo). binder_inner_proc_lock() and binder_inner_proc_unlock() are used to acq/rel.

Any lock under procA must never be nested under any lock at the same level or below on procB.

Functions that require a lock held on entry indicate which lock in the suffix of the function name:

    foo_olocked() : requires node->outer_lock
    foo_nlocked() : requires node->lock
    foo_ilocked() : requires proc->inner_lock
    foo_iolocked(): requires proc->outer_lock and proc->inner_lock
    foo_nilocked(): requires node->lock and proc->inner_lock

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

adc18842 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: use node->tmp_refs to ensure node safety

When obtaining a node via binder_get_node(), binder_get_node_from_ref() or binder_new_node(), increment node->tmp_refs to take a temporary reference on the node to ensure the node persists while being used. binder_put_node() must be called to remove the temporary reference.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

372e3147 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: refactor binder ref inc/dec for thread safety

Once locks are added, binder_ref's will only be accessed safely with the proc lock held. Refactor the inc/dec paths to make them atomic with the binder_get_ref* paths and node inc/dec. For example, instead of:

    ref = binder_get_ref(proc, handle, strong);
    ...
    binder_dec_ref(ref, strong);

we now have:

    ret = binder_dec_ref_for_handle(proc, handle, strong, &rdata);

Since the actual ref is no longer exposed to callers, a new struct binder_ref_data is introduced which can be used to return a copy of ref state.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

7a4408c6 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: make sure accesses to proc/thread are safe

binder_thread and binder_proc may be accessed by other threads when processing a transaction. Therefore they must be prevented from being freed while a transaction is in progress that references them.

This is done by introducing a temporary reference counter for threads and procs that indicates that the object is in use and must not be freed. binder_thread_dec_tmpref() and binder_proc_dec_tmpref() are used to decrement the temporary reference.

It is safe to free a binder_thread if there is no reference and it has been released (indicated by thread->is_dead).

It is safe to free a binder_proc if it has no remaining threads and no reference.

A spinlock is added to the binder_transaction to safely access and set references for t->from and for debug code to safely access t->to_thread and t->to_proc.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

eb34983b | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: make sure target_node has strong ref

When initiating a transaction, the target_node must have a strong ref on it. Then we take a second strong ref to make sure the node survives until the transaction is complete.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

26549d17 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: guarantee txn complete / errors delivered in-order

Since errors are tracked in the return_error/return_error2 fields of the binder_thread object and BR_TRANSACTION_COMPLETEs can be tracked either in those fields or via the thread todo work list, it is possible for errors to be reported ahead of the associated txn complete.

Use the thread todo work list for errors to guarantee order. Also changed binder_send_failed_reply to pop the transaction even if it failed to send a reply.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

b6d282ce | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: refactor binder_pop_transaction

binder_pop_transaction needs to be split into 2 pieces to allow the proc lock to be held on entry to dequeue the transaction stack, but no lock when kfree'ing the transaction.

Split into binder_pop_transaction_locked and binder_free_transaction (the actual locks are still to be added).

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

d99c7333 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: use atomic for transaction_log index

The log->next index for the transaction log was not protected when incremented. This led to a case where log->next++ resulted in an index larger than ARRAY_SIZE(log->entry) and eventually a bad access to memory.

Fixed by making the log index an atomic64 and converting to an array index by using "% ARRAY_SIZE(log->entry)".

Also added "complete" field to the log entry which is written last to tell the print code whether the entry is complete.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

53d311cf | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: protect against two threads freeing buffer

Adds protection against malicious user code freeing the same buffer at the same time which could cause a crash. Cannot happen under normal use.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

e4cffcf4 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: remove dead code in binder_get_ref_for_node

node is always non-NULL in binder_get_ref_for_node so the conditional and else clause are not needed.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

08dabcee | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: don't modify thread->looper from other threads

The looper member of struct binder_thread is a bitmask of control bits. All of the existing bits are modified by the affected thread except for BINDER_LOOPER_STATE_NEED_RETURN which can be modified in binder_deferred_flush() by another thread.

To avoid adding a spinlock around all read-mod-writes to modify a bit, the BINDER_LOOPER_STATE_NEED_RETURN flag is replaced by a separate field in struct binder_thread.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ccae6f67 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: avoid race conditions when enqueuing txn

Currently, the transaction complete work item is queued after the transaction. This means that it is possible for the transaction to be handled and a reply to be enqueued in the current thread before the transaction complete is enqueued, which violates the protocol with userspace who may not expect the transaction complete. Fixed by always enqueuing the transaction complete first.

Also, once the transaction is enqueued, it is unsafe to access since it might be freed. Currently, t->flags is accessed to determine whether a sync wake is needed. Changed to access tr->flags instead.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

26b47d8a | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: refactor queue management in binder_thread_read

In binder_thread_read, the BINDER_WORK_NODE command is used to communicate the references on the node to userspace. It can take a couple of iterations in the loop to construct the list of commands for user space. When locking is added, the lock would need to be released on each iteration which means the state could change. The work item is not dequeued during this process which prevents a simpler queue management that can just dequeue up front and handle the work item.

Fixed by changing the BINDER_WORK_NODE algorithm in binder_thread_read to determine which commands to send to userspace atomically in 1 pass so it stays consistent with the kernel view.

The work item is now dequeued immediately since only 1 pass is needed.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

57ada2fb | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: add log information for binder transaction failures

Add additional information to determine the cause of binder failures. Adds the following to failed transaction log and kernel messages:

    return_error       : value returned for transaction
    return_error_param : errno returned by binder allocator
    return_error_line  : line number where error detected

Also, return BR_DEAD_REPLY if an allocation error indicates a dead proc (-ESRCH).

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

656a800a | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: make binder_last_id an atomic

Use an atomic for binder_last_id to avoid locking it.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

0953c797 | 29-Jun-2017 | Badhri Jagan Sridharan <Badhri@google.com>

binder: change binder_stats to atomics

Use atomics for stats to avoid needing to lock for increments/decrements.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

c44b1231 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: add protection for non-perf cases

Add binder_dead_nodes_lock, binder_procs_lock, and binder_context_mgr_node_lock to protect the associated global lists.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1cf29cf4 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: remove binder_debug_no_lock mechanism

With the global lock, there was a mechanism to access binder driver debugging information with the global lock disabled to debug deadlocks or other issues. This mechanism is rarely (if ever) used anymore and wasn't needed during the development of fine-grained locking in the binder driver. Removing it.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

0c972a05 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: move binder_alloc to separate file

Move the binder allocator functionality to its own file.

Continuation of splitting the binder allocator from the binder driver. Split binder_alloc functions from normal binder functions.

Add kernel doc comments to functions declared extern in binder_alloc.h.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

19c98724 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: separate out binder_alloc functions

Continuation of splitting the binder allocator from the binder driver. Separate binder_alloc functions from normal binder functions. Protect the allocator with a separate mutex.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

7c03f0d6 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: remove unneeded cleanup code

The buffer's transaction has already been freed before binder_deferred_release. No need to do it again.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fdfb4a99 | 29-Jun-2017 | Todd Kjos <tkjos@android.com>

binder: separate binder allocator structure from binder proc

The binder allocator is logically separate from the rest of the binder driver. Separating the data structures to prepare for splitting into a separate file with separate locking.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

00b40d61 | 29-Jun-2017 | Riley Andrews <riandrews@google.com>

binder: Use wake up hint for synchronous transactions.

Use wake_up_interruptible_sync() to hint to the scheduler binder transactions are synchronous wakeups. Disable preemption while waking to avoid ping-ponging on the binder lock.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Omprakash Dhyade <odhyade@codeaurora.org>
Cc: stable <stable@vger.kernel.org> # 4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>