ANDROID: binder: don't enqueue death notifications to thread todo.

This allows userspace to request death notifications without having to worry about getting an immediate callback on the same thread; one scenario where this would be problematic is if the death recipient handler grabs a lock that was already taken earlier (eg as part of a nested transaction). Signed-off-by: Martijn Coenen <maco@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Martijn Coenen <maco@android.com> 2017-08-31 04:04:28 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-09-01 03:22:50 -0400
commit: bb74562a7f8398231be20a5c9d36225301a9be31 (patch)
tree: 9a7aa97bc73f96d5a72cd286d9a47905dbe1d8f1
parent: 858b2719686ddd0ab5fc77479a46d16f90e6b7da (diff)
1 files changed, 6 insertions, 16 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index afe6ac37e1ca..b0f039500d80 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3499,22 +3499,12 @@ static int binder_thread_write(struct binder_proc *proc,
                                ref->death = death;
                                if (ref->node->proc == NULL) {
                                        ref->death->work.type = BINDER_WORK_DEAD_BINDER;
-                                        if (thread->looper &
-                                            (BINDER_LOOPER_STATE_REGISTERED |
+                                        binder_inner_proc_lock(proc);
-                                             BINDER_LOOPER_STATE_ENTERED))
+                                        binder_enqueue_work_ilocked(
-                                                binder_enqueue_work(
+                                                &ref->death->work, &proc->todo);
-                                                        proc,
+                                        binder_wakeup_proc_ilocked(proc);
-                                                        &ref->death->work,
+                                        binder_inner_proc_unlock(proc);
-                                                        &thread->todo);
-                                        else {
-                                                binder_inner_proc_lock(proc);
-                                                binder_enqueue_work_ilocked(
-                                                        &ref->death->work,
-                                                        &proc->todo);
-                                                binder_wakeup_proc_ilocked(
-                                                        proc);
-                                                binder_inner_proc_unlock(proc);
-                                        }
                                }
                        } else {
                                if (ref->death == NULL) {
author	Martijn Coenen <maco@android.com>	2017-08-31 04:04:28 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-09-01 03:22:50 -0400
commit	bb74562a7f8398231be20a5c9d36225301a9be31 (patch)
tree	9a7aa97bc73f96d5a72cd286d9a47905dbe1d8f1
parent	858b2719686ddd0ab5fc77479a46d16f90e6b7da (diff)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c index afe6ac37e1ca..b0f039500d80 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c
@@ -3499,22 +3499,12 @@ static int binder_thread_write(struct binder_proc *proc,
3499	ref->death = death;	3499	ref->death = death;
3500	if (ref->node->proc == NULL) {	3500	if (ref->node->proc == NULL) {
3501	ref->death->work.type = BINDER_WORK_DEAD_BINDER;	3501	ref->death->work.type = BINDER_WORK_DEAD_BINDER;
3502	if (thread->looper &	3502
3503	(BINDER_LOOPER_STATE_REGISTERED \|	3503	binder_inner_proc_lock(proc);
3504	BINDER_LOOPER_STATE_ENTERED))	3504	binder_enqueue_work_ilocked(
3505	binder_enqueue_work(	3505	&ref->death->work, &proc->todo);
3506	proc,	3506	binder_wakeup_proc_ilocked(proc);
3507	&ref->death->work,	3507	binder_inner_proc_unlock(proc);
3508	&thread->todo);
3509	else {
3510	binder_inner_proc_lock(proc);
3511	binder_enqueue_work_ilocked(
3512	&ref->death->work,
3513	&proc->todo);
3514	binder_wakeup_proc_ilocked(
3515	proc);
3516	binder_inner_proc_unlock(proc);
3517	}
3518	}	3508	}
3519	} else {	3509	} else {
3520	if (ref->death == NULL) {	3510	if (ref->death == NULL) {