tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   4d41ead6ead97c3730bbd186a601a64828668f01
commit: 4b836a1426cb0f1ef2a6e211d7e553221594f8fc binder: Prevent context manager from incrementing ref 0
date:   4 weeks ago
config: openrisc-randconfig-r016-20200830 (attached as .config)
compiler: or1k-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        git checkout 4b836a1426cb0f1ef2a6e211d7e553221594f8fc
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=openrisc

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All errors (new ones prefixed by >>):

   drivers/android/binder.c: Assembler messages:
   drivers/android/binder.c:3774: Error: unrecognized keyword/register name `l.lwz ?ap,4(r25)'
>> drivers/android/binder.c:3779: Error: unrecognized keyword/register name `l.addi ?ap,r0,0'

# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4b836a1426cb0f1ef2a6e211d7e553221594f8fc
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout 4b836a1426cb0f1ef2a6e211d7e553221594f8fc
vim +3779 drivers/android/binder.c

44d8047f1d87ad drivers/android/binder.c         Todd Kjos              
2018-08-28  3600  
fb07ebc3e82a98 drivers/staging/android/binder.c Bojan Prtvar           
2013-09-02  3601  static int binder_thread_write(struct binder_proc *proc,
fb07ebc3e82a98 drivers/staging/android/binder.c Bojan Prtvar           
2013-09-02  3602                         struct binder_thread *thread,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3603                         binder_uintptr_t binder_buffer, size_t 
size,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3604                         binder_size_t *consumed)
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3605  {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3606         uint32_t cmd;
342e5c90b60134 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3607         struct binder_context *context = proc->context;
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3608         void __user *buffer = (void __user 
*)(uintptr_t)binder_buffer;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3609         void __user *ptr = buffer + *consumed;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3610         void __user *end = buffer + size;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3611  
26549d17741035 drivers/android/binder.c         Todd Kjos              
2017-06-29  3612         while (ptr < end && thread->return_error.cmd == BR_OK) 
{
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3613                 int ret;
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3614  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3615                 if (get_user(cmd, (uint32_t __user *)ptr))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3616                         return -EFAULT;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3617                 ptr += sizeof(uint32_t);
975a1ac9a9fe65 drivers/staging/android/binder.c Arve Hjønnevåg         
2012-10-16  3618                 trace_binder_command(cmd);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3619                 if (_IOC_NR(cmd) < 
ARRAY_SIZE(binder_stats.bc)) {
0953c7976c36ce drivers/android/binder.c         Badhri Jagan Sridharan 
2017-06-29  3620                         
atomic_inc(&binder_stats.bc[_IOC_NR(cmd)]);
0953c7976c36ce drivers/android/binder.c         Badhri Jagan Sridharan 
2017-06-29  3621                         
atomic_inc(&proc->stats.bc[_IOC_NR(cmd)]);
0953c7976c36ce drivers/android/binder.c         Badhri Jagan Sridharan 
2017-06-29  3622                         
atomic_inc(&thread->stats.bc[_IOC_NR(cmd)]);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3623                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3624                 switch (cmd) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3625                 case BC_INCREFS:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3626                 case BC_ACQUIRE:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3627                 case BC_RELEASE:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3628                 case BC_DECREFS: {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3629                         uint32_t target;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3630                         const char *debug_string;
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3631                         bool strong = cmd == BC_ACQUIRE || cmd 
== BC_RELEASE;
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3632                         bool increment = cmd == BC_INCREFS || 
cmd == BC_ACQUIRE;
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3633                         struct binder_ref_data rdata;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3634  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3635                         if (get_user(target, (uint32_t __user 
*)ptr))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3636                                 return -EFAULT;
c44b1231ff1170 drivers/android/binder.c         Todd Kjos              
2017-06-29  3637  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3638                         ptr += sizeof(uint32_t);
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3639                         ret = -1;
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3640                         if (increment && !target) {
c44b1231ff1170 drivers/android/binder.c         Todd Kjos              
2017-06-29  3641                                 struct binder_node 
*ctx_mgr_node;
c44b1231ff1170 drivers/android/binder.c         Todd Kjos              
2017-06-29  3642                                 
mutex_lock(&context->context_mgr_node_lock);
c44b1231ff1170 drivers/android/binder.c         Todd Kjos              
2017-06-29  3643                                 ctx_mgr_node = 
context->binder_context_mgr_node;
4b836a1426cb0f drivers/android/binder.c         Jann Horn              
2020-07-27  3644                                 if (ctx_mgr_node) {
4b836a1426cb0f drivers/android/binder.c         Jann Horn              
2020-07-27  3645                                         if (ctx_mgr_node->proc 
== proc) {
4b836a1426cb0f drivers/android/binder.c         Jann Horn              
2020-07-27  3646                                                 
binder_user_error("%d:%d context manager tried to acquire desc 0\n",
4b836a1426cb0f drivers/android/binder.c         Jann Horn              
2020-07-27  3647                                                                
   proc->pid, thread->pid);
4b836a1426cb0f drivers/android/binder.c         Jann Horn              
2020-07-27  3648                                                 
mutex_unlock(&context->context_mgr_node_lock);
4b836a1426cb0f drivers/android/binder.c         Jann Horn              
2020-07-27  3649                                                 return -EINVAL;
4b836a1426cb0f drivers/android/binder.c         Jann Horn              
2020-07-27  3650                                         }
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3651                                         ret = 
binder_inc_ref_for_node(
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3652                                                         proc, 
ctx_mgr_node,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3653                                                         
strong, NULL, &rdata);
4b836a1426cb0f drivers/android/binder.c         Jann Horn              
2020-07-27  3654                                 }
c44b1231ff1170 drivers/android/binder.c         Todd Kjos              
2017-06-29  3655                                 
mutex_unlock(&context->context_mgr_node_lock);
c44b1231ff1170 drivers/android/binder.c         Todd Kjos              
2017-06-29  3656                         }
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3657                         if (ret)
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3658                                 ret = 
binder_update_ref_for_handle(
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3659                                                 proc, target, 
increment, strong,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3660                                                 &rdata);
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3661                         if (!ret && rdata.desc != target) {
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3662                                 binder_user_error("%d:%d tried 
to acquire reference to desc %d, got %d instead\n",
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3663                                         proc->pid, thread->pid,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3664                                         target, rdata.desc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3665                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3666                         switch (cmd) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3667                         case BC_INCREFS:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3668                                 debug_string = "IncRefs";
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3669                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3670                         case BC_ACQUIRE:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3671                                 debug_string = "Acquire";
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3672                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3673                         case BC_RELEASE:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3674                                 debug_string = "Release";
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3675                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3676                         case BC_DECREFS:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3677                         default:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3678                                 debug_string = "DecRefs";
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3679                                 break;
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3680                         }
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3681                         if (ret) {
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3682                                 binder_user_error("%d:%d %s %d 
refcount change on invalid ref %d ret %d\n",
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3683                                         proc->pid, 
thread->pid, debug_string,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3684                                         strong, target, ret);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3685                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3686                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3687                         binder_debug(BINDER_DEBUG_USER_REFS,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3688                                      "%d:%d %s ref %d desc %d 
s %d w %d\n",
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3689                                      proc->pid, thread->pid, 
debug_string,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3690                                      rdata.debug_id, 
rdata.desc, rdata.strong,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3691                                      rdata.weak);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3692                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3693                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3694                 case BC_INCREFS_DONE:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3695                 case BC_ACQUIRE_DONE: {
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3696                         binder_uintptr_t node_ptr;
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3697                         binder_uintptr_t cookie;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3698                         struct binder_node *node;
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3699                         bool free_node;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3700  
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3701                         if (get_user(node_ptr, 
(binder_uintptr_t __user *)ptr))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3702                                 return -EFAULT;
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3703                         ptr += sizeof(binder_uintptr_t);
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3704                         if (get_user(cookie, (binder_uintptr_t 
__user *)ptr))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3705                                 return -EFAULT;
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3706                         ptr += sizeof(binder_uintptr_t);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3707                         node = binder_get_node(proc, node_ptr);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3708                         if (node == NULL) {
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3709                                 binder_user_error("%d:%d %s 
u%016llx no match\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3710                                         proc->pid, thread->pid,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3711                                         cmd == BC_INCREFS_DONE 
?
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3712                                         "BC_INCREFS_DONE" :
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3713                                         "BC_ACQUIRE_DONE",
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3714                                         (u64)node_ptr);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3715                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3716                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3717                         if (cookie != node->cookie) {
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3718                                 binder_user_error("%d:%d %s 
u%016llx node %d cookie mismatch %016llx != %016llx\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3719                                         proc->pid, thread->pid,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3720                                         cmd == BC_INCREFS_DONE 
?
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3721                                         "BC_INCREFS_DONE" : 
"BC_ACQUIRE_DONE",
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3722                                         (u64)node_ptr, 
node->debug_id,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3723                                         (u64)cookie, 
(u64)node->cookie);
adc1884222276d drivers/android/binder.c         Todd Kjos              
2017-06-29  3724                                 binder_put_node(node);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3725                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3726                         }
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3727                         binder_node_inner_lock(node);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3728                         if (cmd == BC_ACQUIRE_DONE) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3729                                 if (node->pending_strong_ref 
== 0) {
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3730                                         
binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire 
request\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3731                                                 proc->pid, 
thread->pid,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3732                                                 
node->debug_id);
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3733                                         
binder_node_inner_unlock(node);
adc1884222276d drivers/android/binder.c         Todd Kjos              
2017-06-29  3734                                         binder_put_node(node);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3735                                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3736                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3737                                 node->pending_strong_ref = 0;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3738                         } else {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3739                                 if (node->pending_weak_ref == 
0) {
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3740                                         
binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs 
request\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3741                                                 proc->pid, 
thread->pid,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3742                                                 
node->debug_id);
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3743                                         
binder_node_inner_unlock(node);
adc1884222276d drivers/android/binder.c         Todd Kjos              
2017-06-29  3744                                         binder_put_node(node);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3745                                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3746                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3747                                 node->pending_weak_ref = 0;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3748                         }
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3749                         free_node = 
binder_dec_node_nilocked(node,
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3750                                         cmd == 
BC_ACQUIRE_DONE, 0);
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3751                         WARN_ON(free_node);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3752                         binder_debug(BINDER_DEBUG_USER_REFS,
adc1884222276d drivers/android/binder.c         Todd Kjos              
2017-06-29  3753                                      "%d:%d %s node %d ls %d 
lw %d tr %d\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3754                                      proc->pid, thread->pid,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3755                                      cmd == BC_INCREFS_DONE ? 
"BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
adc1884222276d drivers/android/binder.c         Todd Kjos              
2017-06-29  3756                                      node->debug_id, 
node->local_strong_refs,
adc1884222276d drivers/android/binder.c         Todd Kjos              
2017-06-29  3757                                      node->local_weak_refs, 
node->tmp_refs);
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3758                         binder_node_inner_unlock(node);
adc1884222276d drivers/android/binder.c         Todd Kjos              
2017-06-29  3759                         binder_put_node(node);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3760                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3761                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3762                 case BC_ATTEMPT_ACQUIRE:
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3763                         pr_err("BC_ATTEMPT_ACQUIRE not 
supported\n");
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3764                         return -EINVAL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3765                 case BC_ACQUIRE_RESULT:
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3766                         pr_err("BC_ACQUIRE_RESULT not 
supported\n");
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3767                         return -EINVAL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3768  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3769                 case BC_FREE_BUFFER: {
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3770                         binder_uintptr_t data_ptr;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3771                         struct binder_buffer *buffer;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3772  
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3773                         if (get_user(data_ptr, 
(binder_uintptr_t __user *)ptr))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30 @3774                                 return -EFAULT;
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3775                         ptr += sizeof(binder_uintptr_t);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3776  
53d311cfa19ad3 drivers/android/binder.c         Todd Kjos              
2017-06-29  3777                         buffer = 
binder_alloc_prepare_to_free(&proc->alloc,
19c987241ca121 drivers/android/binder.c         Todd Kjos              
2017-06-29  3778                                                               
data_ptr);
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06 @3779                         if (IS_ERR_OR_NULL(buffer)) {
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3780                                 if (PTR_ERR(buffer) == -EPERM) 
{
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3781                                         binder_user_error(
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3782                                                 "%d:%d 
BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3783                                                 proc->pid, 
thread->pid,
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3784                                                 (u64)data_ptr);
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3785                                 } else {
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3786                                         binder_user_error(
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3787                                                 "%d:%d 
BC_FREE_BUFFER u%016llx no match\n",
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3788                                                 proc->pid, 
thread->pid,
7bada55ab50697 drivers/android/binder.c         Todd Kjos              
2018-11-06  3789                                                 (u64)data_ptr);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3790                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3791                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3792                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3793                         binder_debug(BINDER_DEBUG_FREE_BUFFER,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3794                                      "%d:%d BC_FREE_BUFFER 
u%016llx found buffer %d for %s transaction\n",
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3795                                      proc->pid, thread->pid, 
(u64)data_ptr,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3796                                      buffer->debug_id,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3797                                      buffer->transaction ? 
"active" : "finished");
44d8047f1d87ad drivers/android/binder.c         Todd Kjos              
2018-08-28  3798                         binder_free_buf(proc, buffer);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3799                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3800                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3801  
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3802                 case BC_TRANSACTION_SG:
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3803                 case BC_REPLY_SG: {
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3804                         struct binder_transaction_data_sg tr;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3805  
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3806                         if (copy_from_user(&tr, ptr, 
sizeof(tr)))
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3807                                 return -EFAULT;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3808                         ptr += sizeof(tr);
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3809                         binder_transaction(proc, thread, 
&tr.transaction_data,
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3810                                            cmd == BC_REPLY_SG, 
tr.buffers_size);
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3811                         break;
7980240b6d63e0 drivers/android/binder.c         Martijn Coenen         
2017-02-03  3812                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3813                 case BC_TRANSACTION:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3814                 case BC_REPLY: {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3815                         struct binder_transaction_data tr;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3816  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3817                         if (copy_from_user(&tr, ptr, 
sizeof(tr)))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3818                                 return -EFAULT;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3819                         ptr += sizeof(tr);
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen         
2017-02-03  3820                         binder_transaction(proc, thread, &tr,
4bfac80af3a63f drivers/android/binder.c         Martijn Coenen         
2017-02-03  3821                                            cmd == BC_REPLY, 0);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3822                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3823                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3824  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3825                 case BC_REGISTER_LOOPER:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3826                         binder_debug(BINDER_DEBUG_THREADS,
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3827                                      "%d:%d 
BC_REGISTER_LOOPER\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3828                                      proc->pid, thread->pid);
b3e6861283790d drivers/android/binder.c         Todd Kjos              
2017-06-29  3829                         binder_inner_proc_lock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3830                         if (thread->looper & 
BINDER_LOOPER_STATE_ENTERED) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3831                                 thread->looper |= 
BINDER_LOOPER_STATE_INVALID;
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3832                                 binder_user_error("%d:%d 
ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3833                                         proc->pid, 
thread->pid);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3834                         } else if (proc->requested_threads == 
0) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3835                                 thread->looper |= 
BINDER_LOOPER_STATE_INVALID;
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3836                                 binder_user_error("%d:%d 
ERROR: BC_REGISTER_LOOPER called without request\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3837                                         proc->pid, 
thread->pid);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3838                         } else {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3839                                 proc->requested_threads--;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3840                                 
proc->requested_threads_started++;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3841                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3842                         thread->looper |= 
BINDER_LOOPER_STATE_REGISTERED;
b3e6861283790d drivers/android/binder.c         Todd Kjos              
2017-06-29  3843                         binder_inner_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3844                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3845                 case BC_ENTER_LOOPER:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3846                         binder_debug(BINDER_DEBUG_THREADS,
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3847                                      "%d:%d BC_ENTER_LOOPER\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3848                                      proc->pid, thread->pid);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3849                         if (thread->looper & 
BINDER_LOOPER_STATE_REGISTERED) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3850                                 thread->looper |= 
BINDER_LOOPER_STATE_INVALID;
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3851                                 binder_user_error("%d:%d 
ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3852                                         proc->pid, 
thread->pid);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3853                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3854                         thread->looper |= 
BINDER_LOOPER_STATE_ENTERED;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3855                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3856                 case BC_EXIT_LOOPER:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3857                         binder_debug(BINDER_DEBUG_THREADS,
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3858                                      "%d:%d BC_EXIT_LOOPER\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3859                                      proc->pid, thread->pid);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3860                         thread->looper |= 
BINDER_LOOPER_STATE_EXITED;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3861                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3862  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3863                 case BC_REQUEST_DEATH_NOTIFICATION:
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3864                 case BC_CLEAR_DEATH_NOTIFICATION: {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3865                         uint32_t target;
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3866                         binder_uintptr_t cookie;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3867                         struct binder_ref *ref;
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3868                         struct binder_ref_death *death = NULL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3869  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3870                         if (get_user(target, (uint32_t __user 
*)ptr))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3871                                 return -EFAULT;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3872                         ptr += sizeof(uint32_t);
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3873                         if (get_user(cookie, (binder_uintptr_t 
__user *)ptr))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3874                                 return -EFAULT;
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3875                         ptr += sizeof(binder_uintptr_t);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3876                         if (cmd == 
BC_REQUEST_DEATH_NOTIFICATION) {
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3877                                 /*
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3878                                  * Allocate memory for death 
notification
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3879                                  * before taking lock
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3880                                  */
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3881                                 death = 
kzalloc(sizeof(*death), GFP_KERNEL);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3882                                 if (death == NULL) {
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3883                                         
WARN_ON(thread->return_error.cmd !=
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3884                                                 BR_OK);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3885                                         
thread->return_error.cmd = BR_ERROR;
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen         
2017-11-15  3886                                         
binder_enqueue_thread_work(
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen         
2017-11-15  3887                                                 thread,
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen         
2017-11-15  3888                                                 
&thread->return_error.work);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3889                                         binder_debug(
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3890                                                 
BINDER_DEBUG_FAILED_TRANSACTION,
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3891                                                 "%d:%d 
BC_REQUEST_DEATH_NOTIFICATION failed\n",
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3892                                                 proc->pid, 
thread->pid);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3893                                         break;
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3894                                 }
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3895                         }
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3896                         binder_proc_lock(proc);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3897                         ref = binder_get_ref_olocked(proc, 
target, false);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3898                         if (ref == NULL) {
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3899                                 binder_user_error("%d:%d %s 
invalid ref %d\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3900                                         proc->pid, thread->pid,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3901                                         cmd == 
BC_REQUEST_DEATH_NOTIFICATION ?
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3902                                         
"BC_REQUEST_DEATH_NOTIFICATION" :
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3903                                         
"BC_CLEAR_DEATH_NOTIFICATION",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3904                                         target);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3905                                 binder_proc_unlock(proc);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3906                                 kfree(death);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3907                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3908                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3909  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3910                         
binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3911                                      "%d:%d %s %016llx ref %d 
desc %d s %d w %d for node %d\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3912                                      proc->pid, thread->pid,
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3913                                      cmd == 
BC_REQUEST_DEATH_NOTIFICATION ?
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3914                                      
"BC_REQUEST_DEATH_NOTIFICATION" :
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3915                                      
"BC_CLEAR_DEATH_NOTIFICATION",
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3916                                      (u64)cookie, 
ref->data.debug_id,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3917                                      ref->data.desc, 
ref->data.strong,
372e3147df7016 drivers/android/binder.c         Todd Kjos              
2017-06-29  3918                                      ref->data.weak, 
ref->node->debug_id);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3919  
ab51ec6bdf0b7a drivers/android/binder.c         Martijn Coenen         
2017-06-29  3920                         binder_node_lock(ref->node);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3921                         if (cmd == 
BC_REQUEST_DEATH_NOTIFICATION) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3922                                 if (ref->death) {
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3923                                         
binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification 
already set\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3924                                                 proc->pid, 
thread->pid);
ab51ec6bdf0b7a drivers/android/binder.c         Martijn Coenen         
2017-06-29  3925                                         
binder_node_unlock(ref->node);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3926                                         
binder_proc_unlock(proc);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3927                                         kfree(death);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3928                                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3929                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3930                                 
binder_stats_created(BINDER_STAT_DEATH);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3931                                 
INIT_LIST_HEAD(&death->work.entry);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3932                                 death->cookie = cookie;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3933                                 ref->death = death;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3934                                 if (ref->node->proc == NULL) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3935                                         ref->death->work.type 
= BINDER_WORK_DEAD_BINDER;
bb74562a7f8398 drivers/android/binder.c         Martijn Coenen         
2017-08-31  3936  
1b77e9dcc3da93 drivers/android/binder.c         Martijn Coenen         
2017-08-31  3937                                         
binder_inner_proc_lock(proc);
1b77e9dcc3da93 drivers/android/binder.c         Martijn Coenen         
2017-08-31  3938                                         
binder_enqueue_work_ilocked(
bb74562a7f8398 drivers/android/binder.c         Martijn Coenen         
2017-08-31  3939                                                 
&ref->death->work, &proc->todo);
bb74562a7f8398 drivers/android/binder.c         Martijn Coenen         
2017-08-31  3940                                         
binder_wakeup_proc_ilocked(proc);
1b77e9dcc3da93 drivers/android/binder.c         Martijn Coenen         
2017-08-31  3941                                         
binder_inner_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3942                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3943                         } else {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3944                                 if (ref->death == NULL) {
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  3945                                         
binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not 
active\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3946                                                 proc->pid, 
thread->pid);
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3947                                         
binder_node_unlock(ref->node);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3948                                         
binder_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3949                                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3950                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3951                                 death = ref->death;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3952                                 if (death->cookie != cookie) {
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3953                                         
binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie 
mismatch %016llx != %016llx\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3954                                                 proc->pid, 
thread->pid,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3955                                                 
(u64)death->cookie,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3956                                                 (u64)cookie);
673068eee8560d drivers/android/binder.c         Todd Kjos              
2017-06-29  3957                                         
binder_node_unlock(ref->node);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3958                                         
binder_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3959                                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3960                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3961                                 ref->death = NULL;
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3962                                 binder_inner_proc_lock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3963                                 if 
(list_empty(&death->work.entry)) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3964                                         death->work.type = 
BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3965                                         if (thread->looper &
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3966                                             
(BINDER_LOOPER_STATE_REGISTERED |
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3967                                              
BINDER_LOOPER_STATE_ENTERED))
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen         
2017-11-15  3968                                                 
binder_enqueue_thread_work_ilocked(
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen         
2017-11-15  3969                                                                
 thread,
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen         
2017-11-15  3970                                                                
 &death->work);
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3971                                         else {
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3972                                                 
binder_enqueue_work_ilocked(
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3973                                                                
 &death->work,
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3974                                                                
 &proc->todo);
1b77e9dcc3da93 drivers/android/binder.c         Martijn Coenen         
2017-08-31  3975                                                 
binder_wakeup_proc_ilocked(
408c68b17aea2f drivers/android/binder.c         Martijn Coenen         
2017-08-31  3976                                                                
 proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3977                                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3978                                 } else {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3979                                         
BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3980                                         death->work.type = 
BINDER_WORK_DEAD_BINDER_AND_CLEAR;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3981                                 }
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3982                                 binder_inner_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3983                         }
ab51ec6bdf0b7a drivers/android/binder.c         Martijn Coenen         
2017-06-29  3984                         binder_node_unlock(ref->node);
2c1838dc6817dd drivers/android/binder.c         Todd Kjos              
2017-06-29  3985                         binder_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3986                 } break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3987                 case BC_DEAD_BINDER_DONE: {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3988                         struct binder_work *w;
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3989                         binder_uintptr_t cookie;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3990                         struct binder_ref_death *death = NULL;
10f62861b4a2f2 drivers/staging/android/binder.c Seunghun Lee           
2014-05-01  3991  
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  3992                         if (get_user(cookie, (binder_uintptr_t 
__user *)ptr))
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3993                                 return -EFAULT;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  3994  
7a64cd887fdb97 drivers/android/binder.c         Lisa Du                
2016-02-17  3995                         ptr += sizeof(cookie);
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3996                         binder_inner_proc_lock(proc);
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3997                         list_for_each_entry(w, 
&proc->delivered_death,
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3998                                             entry) {
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  3999                                 struct binder_ref_death 
*tmp_death =
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4000                                         container_of(w,
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4001                                                      struct 
binder_ref_death,
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4002                                                      work);
10f62861b4a2f2 drivers/staging/android/binder.c Seunghun Lee           
2014-05-01  4003  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4004                                 if (tmp_death->cookie == 
cookie) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4005                                         death = tmp_death;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4006                                         break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4007                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4008                         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4009                         binder_debug(BINDER_DEBUG_DEAD_BINDER,
8ca86f1639ec58 drivers/android/binder.c         Todd Kjos              
2018-02-07  4010                                      "%d:%d 
BC_DEAD_BINDER_DONE %016llx found %pK\n",
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  4011                                      proc->pid, thread->pid, 
(u64)cookie,
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  4012                                      death);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4013                         if (death == NULL) {
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  4014                                 binder_user_error("%d:%d 
BC_DEAD_BINDER_DONE %016llx not found\n",
da49889deb34d3 drivers/staging/android/binder.c Arve Hjønnevåg         
2014-02-21  4015                                         proc->pid, 
thread->pid, (u64)cookie);
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4016                                 binder_inner_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4017                                 break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4018                         }
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4019                         
binder_dequeue_work_ilocked(&death->work);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4020                         if (death->work.type == 
BINDER_WORK_DEAD_BINDER_AND_CLEAR) {
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4021                                 death->work.type = 
BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4022                                 if (thread->looper &
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4023                                         
(BINDER_LOOPER_STATE_REGISTERED |
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4024                                          
BINDER_LOOPER_STATE_ENTERED))
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen         
2017-11-15  4025                                         
binder_enqueue_thread_work_ilocked(
148ade2c4d4f46 drivers/android/binder.c         Martijn Coenen         
2017-11-15  4026                                                 thread, 
&death->work);
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4027                                 else {
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4028                                         
binder_enqueue_work_ilocked(
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4029                                                         
&death->work,
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4030                                                         
&proc->todo);
408c68b17aea2f drivers/android/binder.c         Martijn Coenen         
2017-08-31  4031                                         
binder_wakeup_proc_ilocked(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4032                                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4033                         }
72196393a5e3d2 drivers/android/binder.c         Todd Kjos              
2017-06-29  4034                         binder_inner_proc_unlock(proc);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4035                 } break;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4036  
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4037                 default:
56b468fc709b2b drivers/staging/android/binder.c Anmol Sarma            
2012-10-30  4038                         pr_err("%d:%d unknown command %d\n",
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4039                                proc->pid, thread->pid, cmd);
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4040                         return -EINVAL;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4041                 }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4042                 *consumed = ptr - buffer;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4043         }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4044         return 0;
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4045  }
355b0502f6efea drivers/staging/android/binder.c Greg Kroah-Hartman     
2011-11-30  4046  

:::::: The code at line 3779 was first introduced by commit
:::::: 7bada55ab50697861eee6bb7d60b41e68a961a9c ("binder: fix race that allows malicious free of live buffer")

:::::: TO: Todd Kjos <[email protected]>
:::::: CC: Greg Kroah-Hartman <[email protected]>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]

Attachment: .config.gz
Description: application/gzip
