Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp4265088pxb; Tue, 31 Aug 2021 00:26:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwDOJlW8lE6v8VmtdhQj4k/rWY2FloGs8/WN7a56sLO80sp6F9A9oyl9JVf4rLRy3ppx5fJ X-Received: by 2002:a05:6602:1210:: with SMTP id y16mr21297097iot.159.1630394760831; Tue, 31 Aug 2021 00:26:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630394760; cv=none; d=google.com; s=arc-20160816; b=Rv0++k1xmei1KB16cyVunP8yHbSoILZxtdBR8Ipkbf4WyOedjmKS0ZcGDPqgjGLJ1w 7+//rqOnTFXk7fj8ANVGq93vZINtybMnJQmnya1qGGzQoMsAfwpsLmfrSTcHryDP2PyB wEo634u8tVk0NfyZxV5M3qrsdCpqeZDnSftR3lN/gggK/fM6hmAQC1H4G9WxF9K5vXTA a4D9CGFmaA6nGx03ydDk7j2gN/S+7j0CdbKJ6RhfjogVZB5IoPcxlJAZfePOU98S5OTb aNfz0FvFFdljns7YyRMWYbvK2S5w61nhvCkhnuFhYBen11NownUgegMhtLaLocR1KtjI OBGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=HRmn2HSjIyoyl5frN1JOdwhv1jt4tYR/jznN931pQCc=; b=hFN8n19imOY8aINBjtlrbHjpdCg4CLFfyqkvJNt28t0v4JJVSLHehPud9MGKtGDUe7 +WPUAVgclH/zLMq1dFEc10IoOazf6IrH9iuqwEdLStDudSSliB0ToUpjzx7Z/vn6FhRz cn7XVYNpMgYQDDhqASTLp+z2JtRpslZMaUhZRC/xyrQWnPgMdIsYZ8UtFZgRI5t8FTdw snKXCQxDYfZKU77MKNvfnJ5tk3qQkZlwAZckqL+n2XdNyRUskDbgjvBdqLbNkKPaycuf FivSb8oN5MldV8+qGH5kTrBfEgMb6l8Und3sYfmC0cYGHiW71GSl/QYr5NsNH2ZVvwpf 6+OA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@android.com header.s=20210112 header.b=W41bBzEN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r5si15924617jan.104.2021.08.31.00.25.49; Tue, 31 Aug 2021 00:26:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@android.com header.s=20210112 header.b=W41bBzEN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239843AbhHaHZr (ORCPT + 99 others); Tue, 31 Aug 2021 03:25:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53622 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239538AbhHaHZr (ORCPT ); Tue, 31 Aug 2021 03:25:47 -0400 Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 67FC5C061575 for ; Tue, 31 Aug 2021 00:24:52 -0700 (PDT) Received: by mail-pl1-x632.google.com with SMTP id x16so8422319pll.2 for ; Tue, 31 Aug 2021 00:24:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=android.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HRmn2HSjIyoyl5frN1JOdwhv1jt4tYR/jznN931pQCc=; b=W41bBzENunWIPZGT70XTQ00/4JnKxG7675YoBNn/BC+6i5PNbLAeodHCYDxybVjcmu qFgp3TB+nSH2E7rmZt0sBiBYw+Y5c4JQ36hyuDIc1JQxwAyuTZwQYlqIswJnTJYUELXD aZf1VLcJ+mWmrLj/QrFDipHMTaroujCrLRBKcLLJHOCPlGHWRS5cmsZ4oHgZgtMgRk54 F7oOCW3GwlVFet1305G9xWZj5Ay6FX8oCjgyYyDJORSk5QTOsQ/53otmyUmx5Z4xyU1C 67+E8kKZzk7vJ9j1kKnLVZY3QpUIim4uXEZ7BN7M9JSu36TBNWiEOfFrg6RGo/phzAVu JgAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HRmn2HSjIyoyl5frN1JOdwhv1jt4tYR/jznN931pQCc=; b=ftUgipEJPdXCNb4vrS5Ta0lqtrJ6l3KSp4AuS5RdEmf2PxYcNupay5irBFyQYsk9bl jco0wRvrWcriUAvSQVEhhjljonxndW+gKpGXejezF/wZXTw7ogX2WuB9ppuOXllYTQdb dozxfuh7NOCVFDXyC+YuQkyvR5wy4rpJAT3Jt1EAJBEw/H+gSfMuGZiC31/VZ3YT4rWh YLSysKsWc+yAaCmeQrXjizryfi/ktkoBvi5bi6f4NJ8R8oKJLAJboc4gmjXtOFsZBZBj LivZyYa35CDaOZWDzw8vfcBrGA5yxt1NUX8I/b2II13jqQUvg3WWOwkqjduAQwYTdErb XIsA== X-Gm-Message-State: AOAM530DskI505BuqrjK2IfLFI7dDrU4r1ARkjmNqPEvOdcUZa0srbUW afBaIbh6kgi5uYQbfqjMNP7C4bLV7OqcXcrRiCeM7Q== X-Received: by 2002:a17:90b:78f:: with SMTP id l15mr3754035pjz.181.1630394691968; Tue, 31 Aug 2021 00:24:51 -0700 (PDT) MIME-Version: 1.0 References: <20210830195146.587206-1-tkjos@google.com> In-Reply-To: <20210830195146.587206-1-tkjos@google.com> From: Martijn Coenen Date: Tue, 31 Aug 2021 09:24:40 +0200 Message-ID: Subject: Re: [PATCH] binder: make sure fd closes complete To: Todd Kjos Cc: Greg KH , Christian Brauner , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , "open list:ANDROID DRIVERS" , LKML , Martijn Coenen , Joel Fernandes , kernel-team@android.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 30, 2021 at 9:51 PM 'Todd Kjos' via kernel-team wrote: > > During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object > cleanup may close 1 or more fds. The close operations are > completed using the task work mechanism -- which means the thread > needs to return to userspace or the file object may never be > dereferenced -- which can lead to hung processes. > > Force the binder thread back to userspace if an fd is closed during > BC_FREE_BUFFER handling. > > Signed-off-by: Todd Kjos Reviewed-by: Martijn Coenen > --- > drivers/android/binder.c | 23 +++++++++++++++++------ > 1 file changed, 17 insertions(+), 6 deletions(-) > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > index bcec598b89f2..c2823f0d588f 100644 > --- a/drivers/android/binder.c > +++ b/drivers/android/binder.c > @@ -1852,6 +1852,7 @@ static void binder_deferred_fd_close(int fd) > } > > static void binder_transaction_buffer_release(struct binder_proc *proc, > + struct binder_thread *thread, > struct binder_buffer *buffer, > binder_size_t failed_at, > bool is_failure) > @@ -2011,8 +2012,16 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, > &proc->alloc, &fd, buffer, > offset, sizeof(fd)); > WARN_ON(err); > - if (!err) > + if (!err) { > binder_deferred_fd_close(fd); > + /* > + * Need to make sure the thread goes > + * back to userspace to complete the > + * deferred close > + */ > + if (thread) > + thread->looper_need_return = true; > + } > } > } break; > default: > @@ -3105,7 +3114,7 @@ static void binder_transaction(struct binder_proc *proc, > err_copy_data_failed: > binder_free_txn_fixups(t); > trace_binder_transaction_failed_buffer_release(t->buffer); > - binder_transaction_buffer_release(target_proc, t->buffer, > + binder_transaction_buffer_release(target_proc, NULL, t->buffer, > buffer_offset, true); > if (target_node) > binder_dec_node_tmpref(target_node); > @@ -3184,7 +3193,9 @@ static void binder_transaction(struct binder_proc *proc, > * Cleanup buffer and free it. > */ > static void > -binder_free_buf(struct binder_proc *proc, struct binder_buffer *buffer) > +binder_free_buf(struct binder_proc *proc, > + struct binder_thread *thread, > + struct binder_buffer *buffer) > { > binder_inner_proc_lock(proc); > if (buffer->transaction) { > @@ -3212,7 +3223,7 @@ binder_free_buf(struct binder_proc *proc, struct binder_buffer *buffer) > binder_node_inner_unlock(buf_node); > } > trace_binder_transaction_buffer_release(buffer); > - binder_transaction_buffer_release(proc, buffer, 0, false); > + binder_transaction_buffer_release(proc, thread, buffer, 0, false); > binder_alloc_free_buf(&proc->alloc, buffer); > } > > @@ -3414,7 +3425,7 @@ static int binder_thread_write(struct binder_proc *proc, > proc->pid, thread->pid, (u64)data_ptr, > buffer->debug_id, > buffer->transaction ? "active" : "finished"); > - binder_free_buf(proc, buffer); > + binder_free_buf(proc, thread, buffer); > break; > } > > @@ -4107,7 +4118,7 @@ static int binder_thread_read(struct binder_proc *proc, > buffer->transaction = NULL; > binder_cleanup_transaction(t, "fd fixups failed", > BR_FAILED_REPLY); > - binder_free_buf(proc, buffer); > + binder_free_buf(proc, thread, buffer); > binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, > "%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n", > proc->pid, thread->pid, > -- > 2.33.0.259.gc128427fd7-goog > >