android: binder: Don't get mm from task

Use binder_alloc struct's mm_struct rather than getting
a reference to the mm struct through get_task_mm to
avoid a potential deadlock between lru lock, task lock and
dentry lock, since a thread can be holding the task lock
and the dentry lock while trying to acquire the lru lock.

Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Sherry Yang <sherryy@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2 files changed, 9 insertions, 14 deletions

diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index 064f5e31ec55..e12072b1d507 100644
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -215,17 +215,12 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
                 }
         }
 
-        if (!vma && need_mm)
-                mm = get_task_mm(alloc->tsk);
+        if (!vma && need_mm && mmget_not_zero(alloc->vma_vm_mm))
+                mm = alloc->vma_vm_mm;
 
         if (mm) {
                 down_write(&mm->mmap_sem);
                 vma = alloc->vma;
-                if (vma && mm != alloc->vma_vm_mm) {
-                        pr_err("%d: vma mm and task mm mismatch\n",
-                                alloc->pid);
-                        vma = NULL;
-                }
         }
 
         if (!vma && need_mm) {
@@ -720,6 +715,7 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
         barrier();
         alloc->vma = vma;
         alloc->vma_vm_mm = vma->vm_mm;
+        mmgrab(alloc->vma_vm_mm);
 
         return 0;
 
@@ -795,6 +791,8 @@ void binder_alloc_deferred_release(struct binder_alloc *alloc)
                 vfree(alloc->buffer);
         }
         mutex_unlock(&alloc->mutex);
+        if (alloc->vma_vm_mm)
+                mmdrop(alloc->vma_vm_mm);
 
         binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE,
                      "%s: %d buffers %d, pages %d\n",
@@ -889,7 +887,6 @@ int binder_alloc_get_allocated_count(struct binder_alloc *alloc)
 void binder_alloc_vma_close(struct binder_alloc *alloc)
 {
         WRITE_ONCE(alloc->vma, NULL);
-        WRITE_ONCE(alloc->vma_vm_mm, NULL);
 }
 
 /**
@@ -926,9 +923,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item,
         page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
         vma = alloc->vma;
         if (vma) {
-                mm = get_task_mm(alloc->tsk);
-                if (!mm)
-                        goto err_get_task_mm_failed;
+                if (!mmget_not_zero(alloc->vma_vm_mm))
+                        goto err_mmget;
+                mm = alloc->vma_vm_mm;
                 if (!down_write_trylock(&mm->mmap_sem))
                         goto err_down_write_mmap_sem_failed;
         }
@@ -963,7 +960,7 @@ enum lru_status binder_alloc_free_page(struct list_head *item,
 
 err_down_write_mmap_sem_failed:
         mmput_async(mm);
-err_get_task_mm_failed:
+err_mmget:
 err_page_already_freed:
         mutex_unlock(&alloc->mutex);
 err_get_alloc_mutex_failed:
@@ -1002,7 +999,6 @@ struct shrinker binder_shrinker = {
  */
 void binder_alloc_init(struct binder_alloc *alloc)
 {
-        alloc->tsk = current->group_leader;
         alloc->pid = current->group_leader->pid;
         mutex_init(&alloc->mutex);
         INIT_LIST_HEAD(&alloc->buffers);
diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h
index a3a3602c689c..2dd33b6df104 100644
--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h
@@ -100,7 +100,6 @@ struct binder_lru_page {
  */
 struct binder_alloc {
         struct mutex mutex;
-        struct task_struct *tsk;
         struct vm_area_struct *vma;
         struct mm_struct *vma_vm_mm;
         void *buffer;