android: binder: Don't get mm from task

Use binder_alloc struct's mm_struct rather than getting a reference to the mm struct through get_task_mm to avoid a potential deadlock between lru lock, task lock and dentry lock, since a thread can be holding the task lock and the dentry lock while trying to acquire the lru lock. Acked-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Sherry Yang <sherryy@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Sherry Yang <sherryy@android.com> 2017-10-20 20:58:58 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-21 04:14:20 -0400
commit: a0c2baaf81bd53dc76fccdddc721ba7dbb62be21 (patch)
tree: 0104ebfb31019168be252bc006e4689674cd8dcf /drivers/android/binder_alloc.c
parent: 9d35593b4f0b89ab0c194349c7d357b3b159e99a (diff)
1 files changed, 9 insertions, 13 deletions
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index 064f5e31ec55..e12072b1d507 100644
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -215,17 +215,12 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
                }
        }
-        if (!vma && need_mm)
+        if (!vma && need_mm && mmget_not_zero(alloc->vma_vm_mm))
-                mm = get_task_mm(alloc->tsk);
+                mm = alloc->vma_vm_mm;
        if (mm) {
                down_write(&mm->mmap_sem);
                vma = alloc->vma;
-                if (vma && mm != alloc->vma_vm_mm) {
-                        pr_err("%d: vma mm and task mm mismatch\n",
-                                alloc->pid);
-                        vma = NULL;
-                }
        }
        if (!vma && need_mm) {
@@ -720,6 +715,7 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
        barrier();
        alloc->vma = vma;
        alloc->vma_vm_mm = vma->vm_mm;
+        mmgrab(alloc->vma_vm_mm);
        return 0;
@@ -795,6 +791,8 @@ void binder_alloc_deferred_release(struct binder_alloc *alloc)
                vfree(alloc->buffer);
        }
        mutex_unlock(&alloc->mutex);
+        if (alloc->vma_vm_mm)
+                mmdrop(alloc->vma_vm_mm);
        binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE,
                     "%s: %d buffers %d, pages %d\n",
@@ -889,7 +887,6 @@ int binder_alloc_get_allocated_count(struct binder_alloc *alloc)
 void binder_alloc_vma_close(struct binder_alloc *alloc)
 {
        WRITE_ONCE(alloc->vma, NULL);
-        WRITE_ONCE(alloc->vma_vm_mm, NULL);
 }
 /**
@@ -926,9 +923,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item,
        page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
        vma = alloc->vma;
        if (vma) {
-                mm = get_task_mm(alloc->tsk);
+                if (!mmget_not_zero(alloc->vma_vm_mm))
-                if (!mm)
+                        goto err_mmget;
-                        goto err_get_task_mm_failed;
+                mm = alloc->vma_vm_mm;
                if (!down_write_trylock(&mm->mmap_sem))
                        goto err_down_write_mmap_sem_failed;
        }
@@ -963,7 +960,7 @@ enum lru_status binder_alloc_free_page(struct list_head *item,
 err_down_write_mmap_sem_failed:
        mmput_async(mm);
-err_get_task_mm_failed:
+err_mmget:
 err_page_already_freed:
        mutex_unlock(&alloc->mutex);
 err_get_alloc_mutex_failed:
@@ -1002,7 +999,6 @@ struct shrinker binder_shrinker = {
 */
 void binder_alloc_init(struct binder_alloc *alloc)
 {
-        alloc->tsk = current->group_leader;
        alloc->pid = current->group_leader->pid;
        mutex_init(&alloc->mutex);
        INIT_LIST_HEAD(&alloc->buffers);
author	Sherry Yang <sherryy@android.com>	2017-10-20 20:58:58 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-10-21 04:14:20 -0400
commit	a0c2baaf81bd53dc76fccdddc721ba7dbb62be21 (patch)
tree	0104ebfb31019168be252bc006e4689674cd8dcf /drivers/android/binder_alloc.c
parent	9d35593b4f0b89ab0c194349c7d357b3b159e99a (diff)