path: root/drivers/android
Commit message | Author | Age | Files | Lines
* ANDROID: binder: Remove obsolete proc waitqueue. | Martijn Coenen | 2017-12-21 | 1 | -3/+0
  It was no longer being used.

  Change-Id: I7fc42b76f688a459ad990f59fbd7006b96bb91a6
  Signed-off-by: Martijn Coenen <maco@android.com>
* UPSTREAM: android: binder: fix type mismatch warning | Arnd Bergmann | 2017-12-14 | 1 | -3/+3
  Allowing binder to expose the 64-bit API on 32-bit kernels caused a build warning:

    drivers/android/binder.c: In function 'binder_transaction_buffer_release':
    drivers/android/binder.c:2220:15: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
      fd_array = (u32 *)(parent_buffer + fda->parent_offset);
                 ^
    drivers/android/binder.c: In function 'binder_translate_fd_array':
    drivers/android/binder.c:2445:13: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
      fd_array = (u32 *)(parent_buffer + fda->parent_offset);
                 ^
    drivers/android/binder.c: In function 'binder_fixup_parent':
    drivers/android/binder.c:2511:18: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]

  This adds extra type casts to avoid the warning.

  However, there is another problem with the Kconfig option: turning it on or off creates two incompatible ABI versions, a kernel that has this enabled cannot run user space that was built without it or vice versa. A better solution might be to leave the option hidden until the binder code is fixed to deal with both ABI versions.

  Fixes: e8d2ed7db7c3 ("Revert "staging: Fix build issues with new binder API"")
  Signed-off-by: Arnd Bergmann <arnd@arndb.de>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  (cherry picked from commit 1c363eaece2752c5f8b1b874cb4ae435de06aa66)
  Change-Id: Id09185a6f86905926699e92a2b30201b8a5e83e5
* binder: fix proc->files use-after-free | Todd Kjos | 2017-12-14 | 1 | -13/+31
  proc->files cleanup is initiated by binder_vma_close. Therefore a reference on the binder_proc is not enough to prevent the files_struct from being released while the binder_proc still has a reference. This can lead to an attempt to dereference the stale pointer obtained from proc->files prior to proc->files cleanup. This has been seen once in task_get_unused_fd_flags() when __alloc_fd() is called with a stale "files".

  The fix is to protect proc->files with a mutex to prevent cleanup while in use.

  Bug: 69164715
  Change-Id: I90fc117e004ecefc5336779cd7cd24faad37bd86
  Signed-off-by: Todd Kjos <tkjos@google.com>
* ANDROID: binder: use 64-bit interface on 32-bit kernels. | Martijn Coenen | 2017-10-20 | 1 | -2/+2
  There's no good reason to not use the 64-bit interface on 32-bit kernels. Android userspace wants to support generic 32-bit system images, and having to support two binder interfaces on such a single image is practically impossible. Since the majority of deployed Android devices now run a > 4.4 userspace, this seems like a good time to flip the default.

  Change-Id: I3562784bbee8185cc56bb39809bd677ba27297a3
  Signed-off-by: Martijn Coenen <maco@android.com>
* FROMLIST: binder: fix use-after-free in binder_transaction() | Todd Kjos | 2017-10-14 | 1 | -27/+66
  (from https://patchwork.kernel.org/patch/9978801/)

  User-space normally keeps the node alive when creating a transaction since it has a reference to the target. The local strong ref keeps it alive if the sending process dies before the target process processes the transaction. If the source process is malicious or has a reference counting bug, this can fail.

  In this case, when we attempt to decrement the node in the failure path, the node has already been freed.

  This is fixed by taking a tmpref on the node while constructing the transaction. To avoid re-acquiring the node lock and inner proc lock to increment the proc's tmpref, a helper is used that does the ref increments on both the node and proc.

  Bug: 66899329
  Change-Id: Iad40e1e0bccee88234900494fb52a510a37fe8d7
  Signed-off-by: Todd Kjos <tkjos@google.com>
* ANDROID: binder: init desired_prio.sched_policy before using it | Ganesh Mahendran | 2017-09-28 | 1 | -4/+1
  In function binder_transaction_priority(), we access desired_prio before initializing it. This patch fixes this.

  Change-Id: I9d14d50f9a128010476a65b52631630899a44633
  Signed-off-by: Ganesh Mahendran <opensource.ganesh@gmail.com>
* ANDROID: binder: fix node sched policy calculation | Ganesh Mahendran | 2017-09-28 | 1 | -1/+1
  We should use FLAT_BINDER_FLAG_SCHED_POLICY_MASK as the mask to calculate sched policy.

  Change-Id: Ic252fd7c68495830690130d792802c02f99fc8fc
  Signed-off-by: Ganesh Mahendran <opensource.ganesh@gmail.com>
* FROMLIST: binder: fix a ret value override | Xu YiPing | 2017-09-16 | 1 | -1/+0
  (from https://patchwork.kernel.org/patch/9939409/)

  commit 372e3147df70 ("binder: guarantee txn complete / errors delivered in-order") incorrectly defined a local ret value. This ret value will be invalid when out of the if block.

  Change-Id: If7bd963ac7e67d135aa949133263aac27bf15d1a
  Signed-off-by: Xu YiPing <xuyiping@hislicon.com>
  Signed-off-by: Todd Kjos <tkjos@google.com>
* FROMLIST: binder: fix memory corruption in binder_transaction binder | Xu YiPing | 2017-09-16 | 1 | -0/+1
  (from https://patchwork.kernel.org/patch/9939405/)

  commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe") made a change to enqueue tcomplete to thread->todo before enqueuing the transaction. However, in the err_dead_proc_or_thread case, the tcomplete is directly freed, without being dequeued. It may cause the thread->todo list to be corrupted. So, dequeue it before freeing.

  Bug: 65333488
  Change-Id: Id063a4db18deaa634f4d44aa6ebca47bea32537a
  Signed-off-by: Xu YiPing <xuyiping@hisilicon.com>
  Signed-off-by: Todd Kjos <tkjos@google.com>
* binder: make FIFO inheritance a per-context option | Tim Murray | 2017-09-16 | 1 | -1/+36
  Add a new ioctl to binder to control whether FIFO inheritance should happen. In particular, hwbinder should inherit FIFO priority from callers, but standard binder threads should not.

  Test: boots
  bug 36516194
  Signed-off-by: Tim Murray <timmurray@google.com>
  Change-Id: I8100c4364b7d15d1bf00a8ca5c286e4d4b23ce85
* drivers: merged Android Binder from 4.9 | Lukas0610 | 2017-09-16 | 5 | -1574/+3726
  Change-Id: I857ef86b2d502293fb8c37398383dceaa21dd29f
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* Incorrect handling of async transactions. | songjinshi | 2017-06-28 | 1 | -1/+1
  Consider the following sequence of events:

  1. Binder thread A1 receives an async transaction T1 and returns to user space to execute it.
  2. Another process's thread A2 requests an async transaction T2. T2 and T1 belong to the same target_node, so T2 is placed on the async_todo of the target_node.
  3. A1 finishes executing T1 and writes a BC_FREE_BUFFER to mOut.
  4. A1 continues executing processPendingDerefs and destructs a BBinder B1.
  5. B1's destructor requests a sync BC_TRANSACTION T3 and runs into the binder driver.
  6. The BC_FREE_BUFFER is executed first; it moves T2 to A1's todo.
  7. Then T3 is executed, and it adds a BR_TRANSACTION_COMPLETE to A1's todo.
  8. A1 reads the todo after the write is done; it gets T2 and returns to user space to execute it.
  9. T3's BR_REPLY is placed on A1's todo. Now A1's todo has two BRs: the first one is BR_TRANSACTION_COMPLETE, the other one is BR_REPLY.
  10. T2, while executing, requests an async transaction T4 and runs into the binder driver.
  11. A1 places T4 on the target list and adds a BR_TRANSACTION_COMPLETE to its own todo. Now A1's todo has three BRs: the first one is BR_TRANSACTION_COMPLETE, the second one is BR_REPLY, the third one is BR_TRANSACTION_COMPLETE.
  12. A1 reads the todo after the write is done. It gets BR_TRANSACTION_COMPLETE and BR_REPLY, then returns to user space to execute. Because T4 is an async transaction, it consumes a BR_TRANSACTION_COMPLETE and exits waitForResponse, then returns to T3's waitForResponse.
  13. T3 consumes a BR_REPLY and exits waitForResponse because it is a sync transaction. Now A1's todo still has a BR_TRANSACTION_COMPLETE.
  14. A1 continues executing getAndExecuteCommand and talkWithDriver; it gets a BR_TRANSACTION_COMPLETE and returns to user space to execute.
  15. A1 continues executing executeCommand; it runs into the default label of the switch and returns an UNKNOWN_ERROR.
  16. A1 checks the result of getAndExecuteCommand; if the UNKNOWN_ERROR occurs, it aborts itself.

  So we should move the async transaction to the proc's todo when executing the BC_FREE_BUFFER, to avoid the BAD CMD issue caused by sync transactions nested in async transactions. Moving it to the proc's todo will also make the binder threads load-balance and enhance the parallel capacity: the current binder thread will execute it if the proc's todo has other transactions, and the async transaction will be moved to the tail of the proc's todo to wait for execution by another binder thread or the current binder thread, so there is always only one binder thread executing the async transactions. If another binder thread gets the async transaction to execute, the current binder thread will idle; if no other thread gets the async transaction, the current thread will get it in binder_thread_read after binder_thread_write is done.

  https://code.google.com/p/android/issues/detail?id=228385
  Signed-off-by: songjinshi <songjinshi@xiaomi.com>
* binder: merge aosp-common/3.10 binder drivers (uptodate) | Mister Oyster | 2017-06-18 | 2 | -571/+1375
* binder: remove unused var | Mister Oyster | 2017-05-29 | 1 | -1/+0
    ../../../../../../kernel/meizu/m2note/drivers/android/binder.c:63:14: warning: 'system_server_pid' defined but not used [-Wunused-variable]
     static pid_t system_server_pid;
* binder: Quiet Binder | Uma Maheshwari Bhiram | 2017-05-29 | 1 | -2/+2
  Temporary change to avoid watchdog bark because of excessive failed transaction logging

  CRs-Fixed: 572081
  Change-Id: Id664d65ab9e78627991f8b7d4f4e5e126908c214
  Signed-off-by: Uma Maheshwari Bhiram <ubhira@codeaurora.org>
* mtk: binder: remove debug stuff to ease future merge | Mister Oyster | 2017-05-28 | 1 | -2392/+11
* mtk: binder: 3.10 updates | Mister Oyster | 2017-05-28 | 1 | -43/+41
* Staging: android: binder: Remove support for old 32 bit binder protocol. | Arve Hjønnevåg | 2017-05-07 | 2 | -17/+0
  Change-Id: I371072175a298282254a21ea69503b9d75633dc5
  Signed-off-by: Arve Hjønnevåg <arve@android.com>
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* android: binder: fix duplicate error return. | Riley Andrews | 2017-04-30 | 1 | -1/+1
  Duplicate errors can be returned to userspace when the thread error code is left set when the read buffer runs out of space.

  Change-Id: I921effcb6a7d620841177741a5ad5784acc7a907
  Signed-off-by: Riley Andrews <riandrews@google.com>
* Security patches | fire855 | 2017-04-16 | 1 | -15/+24
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* binder: use group leader instead of open thread | Martijn Coenen | 2017-04-11 | 1 | -3/+3
  The binder allocator assumes that the thread that called binder_open will never die for the lifetime of that proc. That thread is normally the group_leader, however it may not be. Use the group_leader instead of current.

  Bug: 35707103
  Test: Created test case to open with temporary thread
  Change-Id: Id693f74b3591f3524a8c6e9508e70f3e5a80c588
  Signed-off-by: Todd Kjos <tkjos@google.com>
  Signed-off-by: Martijn Coenen <maco@android.com>
* binder: blacklist %p kptr_restrict | Nick Desaulniers | 2017-04-11 | 1 | -13/+13
  Bug: 31495231
  Change-Id: Iebc150f6bc939b56e021424ee44fb30ce8d732fd
  [d-cagle@codeaurora.org: Applied to correct file location]
  Git-repo: https://android.googlesource.com/kernel/msm.git
  Git-commit: 0804d7840364fc1a93652632bd43a93c055c658e
  Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
* binder: blacklist %p kptr_restrict | fire855 | 2017-04-11 | 1 | -12/+12
* Binder: fix build warning | Anmin Hsu | 2016-12-25 | 1 | -0/+2
  [Detail] db_flag is not included in CONFIG_MTK_AEE_FEATURE macro define.
  [Solution] Add CONFIG_MTK_AEE_FEATURE macro define to db_flag
  [Feature] Binder

  MTK-Commit-Id: 7c2be71301a506592b997e575103a29f8352ba6c
  Change-Id: I5bca795883c63980384ab5ce50edd64562acc511
  Signed-off-by: mtk09083 <ian.hou@mediatek.com>
  CR-Id: ALPS02319875
* android: drivers: workaround debugfs race in binder | Riley Andrews | 2016-11-17 | 1 | -17/+9
  If a /d/binder/proc/[pid] entry is kept open after linux has torn down the associated process, binder_proc_show can dereference an invalid binder_proc that has been stashed in the debugfs inode. Validate that the binder_proc ptr passed into binder_proc_show has not been freed by looking for it within the global process list whilst the global lock is held. If the ptr is not valid, print nothing.

  Bug 19587483
  Change-Id: Ice878c171db51ef9a4879c2f9299a2deb873d255
  Signed-off-by: Riley Andrews <riandrews@android.com>
* ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct | Arve Hjønnevåg | 2016-11-07 | 1 | -0/+5
  Prevents leaking pointers between processes

  BUG: 30768347
  Change-Id: Id898076926f658a1b8b27a3ccb848756b36de4ca
  Signed-off-by: Arve Hjønnevåg <arve@android.com>
  Ticket: PORRIDGE-499
* binder: prevent kptr leak by using %pK format specifier | Nick Desaulniers | 2016-11-07 | 1 | -1/+1
  Works in conjunction with kptr_restrict.

  Bug: 30143283
  Change-Id: I2b3ce22f4e206e74614d51453a1d59b7080ab05a
  (cherry picked from commit 7905a759cc685b58078483013cc584dc8327d118)
* first commit | Meizu OpenSource | 2016-08-15 | 4 | -0/+6482