diff options
Diffstat (limited to 'drivers/android')
-rw-r--r-- | drivers/android/binder.c | 34 | ||||
-rw-r--r-- | drivers/android/binder_alloc.c | 22 | ||||
-rw-r--r-- | drivers/android/binder_internal.h | 2 |
3 files changed, 20 insertions, 38 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index f3b639e89dd8..5ffdad274301 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -1481,6 +1481,8 @@ static void binder_free_txn_fixups(struct binder_transaction *t) list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) { fput(fixup->file); + if (fixup->target_fd >= 0) + put_unused_fd(fixup->target_fd); list_del(&fixup->fixup_entry); kfree(fixup); } @@ -2220,6 +2222,7 @@ static int binder_translate_fd(u32 fd, binder_size_t fd_offset, } fixup->file = file; fixup->offset = fd_offset; + fixup->target_fd = -1; trace_binder_transaction_fd_send(t, fd, fixup->offset); list_add_tail(&fixup->fixup_entry, &t->fd_fixups); @@ -4075,10 +4078,9 @@ static int binder_wait_for_work(struct binder_thread *thread, * Now that we are in the context of the transaction target * process, we can allocate and install fds. Process the * list of fds to translate and fixup the buffer with the - * new fds. + * new fds first and only then install the files. * - * If we fail to allocate an fd, then free the resources by - * fput'ing files that have not been processed and ksys_close'ing + * If we fail to allocate an fd, skip the install and release * any fds that have already been allocated. */ static int binder_apply_fd_fixups(struct binder_proc *proc, @@ -4095,41 +4097,31 @@ static int binder_apply_fd_fixups(struct binder_proc *proc, "failed fd fixup txn %d fd %d\n", t->debug_id, fd); ret = -ENOMEM; - break; + goto err; } binder_debug(BINDER_DEBUG_TRANSACTION, "fd fixup txn %d fd %d\n", t->debug_id, fd); trace_binder_transaction_fd_recv(t, fd, fixup->offset); - fd_install(fd, fixup->file); - fixup->file = NULL; + fixup->target_fd = fd; if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer, fixup->offset, &fd, sizeof(u32))) { ret = -EINVAL; - break; + goto err; } } list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) { - if (fixup->file) { - fput(fixup->file); - } else if (ret) { - u32 fd; - int err; - - err = binder_alloc_copy_from_buffer(&proc->alloc, &fd, - t->buffer, - fixup->offset, - sizeof(fd)); - WARN_ON(err); - if (!err) - binder_deferred_fd_close(fd); - } + fd_install(fixup->target_fd, fixup->file); list_del(&fixup->fixup_entry); kfree(fixup); } return ret; + +err: + binder_free_txn_fixups(t); + return ret; } static int binder_thread_read(struct binder_proc *proc, diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index 2ac1008a5f39..5649a0371a1f 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -1175,14 +1175,11 @@ static void binder_alloc_clear_buf(struct binder_alloc *alloc, unsigned long size; struct page *page; pgoff_t pgoff; - void *kptr; page = binder_alloc_get_page(alloc, buffer, buffer_offset, &pgoff); size = min_t(size_t, bytes, PAGE_SIZE - pgoff); - kptr = kmap(page) + pgoff; - memset(kptr, 0, size); - kunmap(page); + memset_page(page, pgoff, 0, size); bytes -= size; buffer_offset += size; } @@ -1220,9 +1217,9 @@ binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc, page = binder_alloc_get_page(alloc, buffer, buffer_offset, &pgoff); size = min_t(size_t, bytes, PAGE_SIZE - pgoff); - kptr = kmap(page) + pgoff; + kptr = kmap_local_page(page) + pgoff; ret = copy_from_user(kptr, from, size); - kunmap(page); + kunmap_local(kptr); if (ret) return bytes - size + ret; bytes -= size; @@ -1247,23 +1244,14 @@ static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc, unsigned long size; struct page *page; pgoff_t pgoff; - void *tmpptr; - void *base_ptr; page = binder_alloc_get_page(alloc, buffer, buffer_offset, &pgoff); size = min_t(size_t, bytes, PAGE_SIZE - pgoff); - base_ptr = kmap_atomic(page); - tmpptr = base_ptr + pgoff; if (to_buffer) - memcpy(tmpptr, ptr, size); + memcpy_to_page(page, pgoff, ptr, size); else - memcpy(ptr, tmpptr, size); - /* - * kunmap_atomic() takes care of flushing the cache - * if this device has VIVT cache arch - */ - kunmap_atomic(base_ptr); + memcpy_from_page(ptr, page, pgoff, size); bytes -= size; pgoff = 0; ptr = ptr + size; diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h index d6b6b8cb7346..cf70a104594d 100644 --- a/drivers/android/binder_internal.h +++ b/drivers/android/binder_internal.h @@ -515,6 +515,7 @@ struct binder_thread { * @fixup_entry: list entry * @file: struct file to be associated with new fd * @offset: offset in buffer data to this fixup + * @target_fd: fd to use by the target to install @file * * List element for fd fixups in a transaction. Since file * descriptors need to be allocated in the context of the @@ -525,6 +526,7 @@ struct binder_txn_fd_fixup { struct list_head fixup_entry; struct file *file; size_t offset; + int target_fd; }; struct binder_transaction { |