1420 					   struct binder_transaction *t)  in binder_pop_transaction_ilocked()  argument
1424 	BUG_ON(target_thread->transaction_stack != t);  in binder_pop_transaction_ilocked()
1428 	t->from = NULL;  in binder_pop_transaction_ilocked()
1495 		struct binder_transaction *t)  in binder_get_txn_from()  argument
1499 	spin_lock(&t->lock);  in binder_get_txn_from()
1500 	from = t->from;  in binder_get_txn_from()
1503 	spin_unlock(&t->lock);  in binder_get_txn_from()
1519 		struct binder_transaction *t)  in binder_get_txn_from_and_acq_inner()  argument
1520 	__acquires(&t->from->proc->inner_lock)  in binder_get_txn_from_and_acq_inner()
1524 	from = binder_get_txn_from(t);  in binder_get_txn_from_and_acq_inner()
1530 	if (t->from) {  in binder_get_txn_from_and_acq_inner()
1531 		BUG_ON(from != t->from);  in binder_get_txn_from_and_acq_inner()
1550 static void binder_free_txn_fixups(struct binder_transaction *t)  in binder_free_txn_fixups()  argument
1554 	list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {  in binder_free_txn_fixups()
1563 static void binder_txn_latency_free(struct binder_transaction *t)  in binder_txn_latency_free()  argument
1567 	spin_lock(&t->lock);  in binder_txn_latency_free()
1568 	from_proc = t->from ? t->from->proc->pid : 0;  in binder_txn_latency_free()
1569 	from_thread = t->from ? t->from->pid : 0;  in binder_txn_latency_free()
1570 	to_proc = t->to_proc ? t->to_proc->pid : 0;  in binder_txn_latency_free()
1571 	to_thread = t->to_thread ? t->to_thread->pid : 0;  in binder_txn_latency_free()
1572 	spin_unlock(&t->lock);  in binder_txn_latency_free()
1574 	trace_binder_txn_latency_free(t, from_proc, from_thread, to_proc, to_thread);  in binder_txn_latency_free()
1577 static void binder_free_transaction(struct binder_transaction *t)  in binder_free_transaction()  argument
1579 	struct binder_proc *target_proc = t->to_proc;  in binder_free_transaction()
1589 		if (t->buffer)  in binder_free_transaction()
1590 			t->buffer->transaction = NULL;  in binder_free_transaction()
1594 		binder_txn_latency_free(t);  in binder_free_transaction()
1599 	binder_free_txn_fixups(t);  in binder_free_transaction()
1600 	kfree(t);  in binder_free_transaction()
1604 static void binder_send_failed_reply(struct binder_transaction *t,  in binder_send_failed_reply()  argument
1610 	BUG_ON(t->flags & TF_ONE_WAY);  in binder_send_failed_reply()
1612 		target_thread = binder_get_txn_from_and_acq_inner(t);  in binder_send_failed_reply()
1616 				      t->debug_id,  in binder_send_failed_reply()
1620 			binder_pop_transaction_ilocked(target_thread, t);  in binder_send_failed_reply()
1639 			binder_free_transaction(t);  in binder_send_failed_reply()
1643 		next = t->from_parent;  in binder_send_failed_reply()
1647 			     t->debug_id);  in binder_send_failed_reply()
1649 		binder_free_transaction(t);  in binder_send_failed_reply()
1655 		t = next;  in binder_send_failed_reply()
1658 			      t->debug_id);  in binder_send_failed_reply()
1668 static void binder_cleanup_transaction(struct binder_transaction *t,  in binder_cleanup_transaction()  argument
1672 	if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) {  in binder_cleanup_transaction()
1673 		binder_send_failed_reply(t, error_code);  in binder_cleanup_transaction()
1677 			t->debug_id, reason);  in binder_cleanup_transaction()
1678 		binder_free_transaction(t);  in binder_cleanup_transaction()
2140 				   struct binder_transaction *t,  in binder_translate_binder()  argument
2145 	struct binder_proc *target_proc = t->to_proc;  in binder_translate_binder()
2182 	trace_binder_transaction_node_to_ref(t, node, &rdata);  in binder_translate_binder()
2193 				   struct binder_transaction *t,  in binder_translate_handle()  argument
2197 	struct binder_proc *target_proc = t->to_proc;  in binder_translate_handle()
2233 		trace_binder_transaction_ref_to_node(t, node, &src_rdata);  in binder_translate_handle()
2252 		trace_binder_transaction_ref_to_ref(t, node, &src_rdata,  in binder_translate_handle()
2266 			       struct binder_transaction *t,  in binder_translate_fd()  argument
2271 	struct binder_proc *target_proc = t->to_proc;  in binder_translate_fd()
2280 		target_allows_fd = t->buffer->target_node->accept_fds;  in binder_translate_fd()
2316 	trace_binder_transaction_fd_send(t, fd, fixup->offset);  in binder_translate_fd()
2317 	list_add_tail(&fixup->fixup_entry, &t->fd_fixups);  in binder_translate_fd()
2577 				     struct binder_transaction *t,  in binder_translate_fd_array()  argument
2610 	fda_offset = (parent->buffer - (uintptr_t)t->buffer->user_data) +  in binder_translate_fd_array()
2632 			ret = binder_translate_fd(fd, offset, t, thread,  in binder_translate_fd_array()
2641 			       struct binder_transaction *t,  in binder_fixup_parent()  argument
2650 	struct binder_buffer *b = t->buffer;  in binder_fixup_parent()
2652 	struct binder_proc *target_proc = t->to_proc;  in binder_fixup_parent()
2723 binder_find_outdated_transaction_ilocked(struct binder_transaction *t,  in binder_find_outdated_transaction_ilocked()  argument
2734 		if (binder_can_update_transaction(t_queued, t))  in binder_find_outdated_transaction_ilocked()
2761 static int binder_proc_transaction(struct binder_transaction *t,  in binder_proc_transaction()  argument
2765 	struct binder_node *node = t->buffer->target_node;  in binder_proc_transaction()
2766 	bool oneway = !!(t->flags & TF_ONE_WAY);  in binder_proc_transaction()
2799 		binder_enqueue_thread_work_ilocked(thread, &t->work);  in binder_proc_transaction()
2801 		binder_enqueue_work_ilocked(&t->work, &proc->todo);  in binder_proc_transaction()
2803 		if ((t->flags & TF_UPDATE_TXN) && frozen) {  in binder_proc_transaction()
2804 			t_outdated = binder_find_outdated_transaction_ilocked(t,  in binder_proc_transaction()
2809 					     t->debug_id, t_outdated->debug_id);  in binder_proc_transaction()
2814 		binder_enqueue_work_ilocked(&t->work, &node->async_todo);  in binder_proc_transaction()
2888 static void binder_set_txn_from_error(struct binder_transaction *t, int id,  in binder_set_txn_from_error()  argument
2891 	struct binder_thread *from = binder_get_txn_from_and_acq_inner(t);  in binder_set_txn_from_error()
2912 	struct binder_transaction *t;  in binder_transaction()  local
3149 	t = kzalloc(sizeof(*t), GFP_KERNEL);  in binder_transaction()
3150 	if (t == NULL) {  in binder_transaction()
3158 	INIT_LIST_HEAD(&t->fd_fixups);  in binder_transaction()
3160 	spin_lock_init(&t->lock);  in binder_transaction()
3173 	t->debug_id = t_debug_id;  in binder_transaction()
3174 	t->start_time = t_start_time;  in binder_transaction()
3179 			     proc->pid, thread->pid, t->debug_id,  in binder_transaction()
3188 			     proc->pid, thread->pid, t->debug_id,  in binder_transaction()
3196 		t->from = thread;  in binder_transaction()
3198 		t->from = NULL;  in binder_transaction()
3199 	t->from_pid = proc->pid;  in binder_transaction()
3200 	t->from_tid = thread->pid;  in binder_transaction()
3201 	t->sender_euid = task_euid(proc->tsk);  in binder_transaction()
3202 	t->to_proc = target_proc;  in binder_transaction()
3203 	t->to_thread = target_thread;  in binder_transaction()
3204 	t->code = tr->code;  in binder_transaction()
3205 	t->flags = tr->flags;  in binder_transaction()
3206 	t->priority = task_nice(current);  in binder_transaction()
3234 	trace_binder_transaction(reply, t, target_node);  in binder_transaction()
3236 	t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,  in binder_transaction()
3238 		!reply && (t->flags & TF_ONE_WAY), current->tgid);  in binder_transaction()
3239 	if (IS_ERR(t->buffer)) {  in binder_transaction()
3242 		ret = PTR_ERR(t->buffer);  in binder_transaction()
3249 		return_error_param = PTR_ERR(t->buffer);  in binder_transaction()
3253 		t->buffer = NULL;  in binder_transaction()
3263 		t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;  in binder_transaction()
3265 						  t->buffer, buf_offset,  in binder_transaction()
3268 			t->security_ctx = 0;  in binder_transaction()
3274 	t->buffer->debug_id = t->debug_id;  in binder_transaction()
3275 	t->buffer->transaction = t;  in binder_transaction()
3276 	t->buffer->target_node = target_node;  in binder_transaction()
3277 	t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);  in binder_transaction()
3278 	trace_binder_transaction_alloc_buf(t->buffer);  in binder_transaction()
3282 				t->buffer,  in binder_transaction()
3328 						  t->buffer,  in binder_transaction()
3348 					t->buffer, user_offset,  in binder_transaction()
3359 				t->buffer, object_offset, &object);  in binder_transaction()
3365 					  (u64)t->buffer->data_size);  in binder_transaction()
3385 			ret = binder_translate_binder(fp, t, thread);  in binder_transaction()
3389 							t->buffer,  in binder_transaction()
3405 			ret = binder_translate_handle(fp, t, thread);  in binder_transaction()
3408 							t->buffer,  in binder_transaction()
3424 			int ret = binder_translate_fd(fp->fd, fd_offset, t,  in binder_transaction()
3430 							t->buffer,  in binder_transaction()
3451 				binder_validate_ptr(target_proc, t->buffer,  in binder_transaction()
3464 			if (!binder_validate_fixup(target_proc, t->buffer,  in binder_transaction()
3482 				binder_get_object(proc, user_buffer, t->buffer,  in binder_transaction()
3496 							&user_object.bbo, t,  in binder_transaction()
3500 								  t->buffer,  in binder_transaction()
3542 				t->buffer->user_data + sg_buf_offset;  in binder_transaction()
3547 			ret = binder_fixup_parent(&pf_head, t,  in binder_transaction()
3555 							t->buffer,  in binder_transaction()
3580 				t->buffer, user_offset,  in binder_transaction()
3591 	ret = binder_do_deferred_txn_copies(&target_proc->alloc, t->buffer,  in binder_transaction()
3601 	if (t->buffer->oneway_spam_suspect)  in binder_transaction()
3605 	t->work.type = BINDER_WORK_TRANSACTION;  in binder_transaction()
3615 		BUG_ON(t->buffer->async_transaction != 0);  in binder_transaction()
3617 		binder_enqueue_thread_work_ilocked(target_thread, &t->work);  in binder_transaction()
3622 	} else if (!(t->flags & TF_ONE_WAY)) {  in binder_transaction()
3623 		BUG_ON(t->buffer->async_transaction != 0);  in binder_transaction()
3633 		t->need_reply = 1;  in binder_transaction()
3634 		t->from_parent = thread->transaction_stack;  in binder_transaction()
3635 		thread->transaction_stack = t;  in binder_transaction()
3637 		return_error = binder_proc_transaction(t,  in binder_transaction()
3641 			binder_pop_transaction_ilocked(thread, t);  in binder_transaction()
3647 		BUG_ON(t->buffer->async_transaction != 1);  in binder_transaction()
3648 		return_error = binder_proc_transaction(t, target_proc, NULL);  in binder_transaction()
3685 	binder_free_txn_fixups(t);  in binder_transaction()
3686 	trace_binder_transaction_failed_buffer_release(t->buffer);  in binder_transaction()
3687 	binder_transaction_buffer_release(target_proc, NULL, t->buffer,  in binder_transaction()
3692 	t->buffer->transaction = NULL;  in binder_transaction()
3693 	binder_alloc_free_buf(&target_proc->alloc, t->buffer);  in binder_transaction()
3703 		binder_txn_latency_free(t);  in binder_transaction()
3704 	kfree(t);  in binder_transaction()
4345 				  struct binder_transaction *t)  in binder_apply_fd_fixups()  argument
4350 	list_for_each_entry(fixup, &t->fd_fixups, fixup_entry) {  in binder_apply_fd_fixups()
4356 				     t->debug_id, fd);  in binder_apply_fd_fixups()
4362 			     t->debug_id, fd);  in binder_apply_fd_fixups()
4363 		trace_binder_transaction_fd_recv(t, fd, fixup->offset);  in binder_apply_fd_fixups()
4365 		if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,  in binder_apply_fd_fixups()
4372 	list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {  in binder_apply_fd_fixups()
4381 	binder_free_txn_fixups(t);  in binder_apply_fd_fixups()
4442 		struct binder_transaction *t = NULL;  in binder_thread_read()  local
4472 			t = container_of(w, struct binder_transaction, work);  in binder_thread_read()
4645 		if (!t)  in binder_thread_read()
4648 		BUG_ON(t->buffer == NULL);  in binder_thread_read()
4649 		if (t->buffer->target_node) {  in binder_thread_read()
4650 			struct binder_node *target_node = t->buffer->target_node;  in binder_thread_read()
4654 			t->saved_priority = task_nice(current);  in binder_thread_read()
4655 			if (t->priority < target_node->min_priority &&  in binder_thread_read()
4656 			    !(t->flags & TF_ONE_WAY))  in binder_thread_read()
4657 				binder_set_nice(t->priority);  in binder_thread_read()
4658 			else if (!(t->flags & TF_ONE_WAY) ||  in binder_thread_read()
4659 				 t->saved_priority > target_node->min_priority)  in binder_thread_read()
4667 		trd->code = t->code;  in binder_thread_read()
4668 		trd->flags = t->flags;  in binder_thread_read()
4669 		trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);  in binder_thread_read()
4671 		t_from = binder_get_txn_from(t);  in binder_thread_read()
4682 		ret = binder_apply_fd_fixups(proc, t);  in binder_thread_read()
4684 			struct binder_buffer *buffer = t->buffer;  in binder_thread_read()
4685 			bool oneway = !!(t->flags & TF_ONE_WAY);  in binder_thread_read()
4686 			int tid = t->debug_id;  in binder_thread_read()
4691 			binder_cleanup_transaction(t, "fd fixups failed",  in binder_thread_read()
4710 		trd->data_size = t->buffer->data_size;  in binder_thread_read()
4711 		trd->offsets_size = t->buffer->offsets_size;  in binder_thread_read()
4712 		trd->data.ptr.buffer = (uintptr_t)t->buffer->user_data;  in binder_thread_read()
4714 					ALIGN(t->buffer->data_size,  in binder_thread_read()
4717 		tr.secctx = t->security_ctx;  in binder_thread_read()
4718 		if (t->security_ctx) {  in binder_thread_read()
4726 			binder_cleanup_transaction(t, "put_user failed",  in binder_thread_read()
4736 			binder_cleanup_transaction(t, "copy_to_user failed",  in binder_thread_read()
4743 		trace_binder_transaction_received(t);  in binder_thread_read()
4751 			     t->debug_id, t_from ? t_from->proc->pid : 0,  in binder_thread_read()
4753 			     t->buffer->data_size, t->buffer->offsets_size,  in binder_thread_read()
4759 		t->buffer->allow_user_free = 1;  in binder_thread_read()
4760 		if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {  in binder_thread_read()
4762 			t->to_parent = thread->transaction_stack;  in binder_thread_read()
4763 			t->to_thread = thread;  in binder_thread_read()
4764 			thread->transaction_stack = t;  in binder_thread_read()
4767 			binder_free_transaction(t);  in binder_thread_read()
4811 			struct binder_transaction *t;  in binder_release_work()  local
4813 			t = container_of(w, struct binder_transaction, work);  in binder_release_work()
4815 			binder_cleanup_transaction(t, "process died.",  in binder_release_work()
4948 	struct binder_transaction *t;  in binder_thread_release()  local
4967 	t = thread->transaction_stack;  in binder_thread_release()
4968 	if (t) {  in binder_thread_release()
4969 		spin_lock(&t->lock);  in binder_thread_release()
4970 		if (t->to_thread == thread)  in binder_thread_release()
4971 			send_reply = t;  in binder_thread_release()
4973 		__acquire(&t->lock);  in binder_thread_release()
4977 	while (t) {  in binder_thread_release()
4978 		last_t = t;  in binder_thread_release()
4983 			     t->debug_id,  in binder_thread_release()
4984 			     (t->to_thread == thread) ? "in" : "out");  in binder_thread_release()
4986 		if (t->to_thread == thread) {  in binder_thread_release()
4988 			t->to_proc = NULL;  in binder_thread_release()
4989 			t->to_thread = NULL;  in binder_thread_release()
4990 			if (t->buffer) {  in binder_thread_release()
4991 				t->buffer->transaction = NULL;  in binder_thread_release()
4992 				t->buffer = NULL;  in binder_thread_release()
4994 			t = t->to_parent;  in binder_thread_release()
4995 		} else if (t->from == thread) {  in binder_thread_release()
4996 			t->from = NULL;  in binder_thread_release()
4997 			t = t->from_parent;  in binder_thread_release()
5001 		if (t)  in binder_thread_release()
5002 			spin_lock(&t->lock);  in binder_thread_release()
5004 			__acquire(&t->lock);  in binder_thread_release()
5007 	__release(&t->lock);  in binder_thread_release()
5961 					     struct binder_transaction *t)  in print_binder_transaction_ilocked()  argument
5964 	struct binder_buffer *buffer = t->buffer;  in print_binder_transaction_ilocked()
5967 	spin_lock(&t->lock);  in print_binder_transaction_ilocked()
5968 	to_proc = t->to_proc;  in print_binder_transaction_ilocked()
5971 		   prefix, t->debug_id, t,  in print_binder_transaction_ilocked()
5972 		   t->from_pid,  in print_binder_transaction_ilocked()
5973 		   t->from_tid,  in print_binder_transaction_ilocked()
5975 		   t->to_thread ? t->to_thread->pid : 0,  in print_binder_transaction_ilocked()
5976 		   t->code, t->flags, t->priority, t->need_reply,  in print_binder_transaction_ilocked()
5977 		   ktime_ms_delta(current_time, t->start_time));  in print_binder_transaction_ilocked()
5978 	spin_unlock(&t->lock);  in print_binder_transaction_ilocked()
6007 	struct binder_transaction *t;  in print_binder_work_ilocked()  local
6011 		t = container_of(w, struct binder_transaction, work);  in print_binder_work_ilocked()
6013 				m, proc, transaction_prefix, t);  in print_binder_work_ilocked()
6050 	struct binder_transaction *t;  in print_binder_thread_ilocked()  local
6060 	t = thread->transaction_stack;  in print_binder_thread_ilocked()
6061 	while (t) {  in print_binder_thread_ilocked()
6062 		if (t->from == thread) {  in print_binder_thread_ilocked()
6064 					"    outgoing transaction", t);  in print_binder_thread_ilocked()
6065 			t = t->from_parent;  in print_binder_thread_ilocked()
6066 		} else if (t->to_thread == thread) {  in print_binder_thread_ilocked()
6068 						 "    incoming transaction", t);  in print_binder_thread_ilocked()
6069 			t = t->to_parent;  in print_binder_thread_ilocked()
6072 					"    bad transaction", t);  in print_binder_thread_ilocked()
6073 			t = NULL;  in print_binder_thread_ilocked()