Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'char-misc-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
"Here are four small fixes for 4.14-rc6.

Three of them are binder driver fixes for reported issues, and the
last one is a hyperv driver bugfix. Nothing major, but good fixes to
get into 4.14-final.

All of these have been in linux-next with no reported issues"

* tag 'char-misc-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
android: binder: Fix null ptr dereference in debug msg
android: binder: Don't get mm from task
vmbus: hvsock: add proper sync for vmbus_hvsock_device_unregister()
binder: call poll_wait() unconditionally.

+15 -26
+1 -10
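--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3662,12 +3662,6 @@
 }
 }
 
-static int binder_has_thread_work(struct binder_thread *thread)
-{
-return !binder_worklist_empty(thread->proc, &thread->todo) ||
-thread->looper_need_return;
-}
-
 static int binder_put_node_cmd(struct binder_proc *proc,
 struct binder_thread *thread,
 void __user **ptrp,
@@ -4291,12 +4297,9 @@
 
 binder_inner_proc_unlock(thread->proc);
 
-if (binder_has_work(thread, wait_for_proc_work))
-return POLLIN;
-
 poll_wait(filp, &thread->wait, wait);
 
-if (binder_has_thread_work(thread))
+if (binder_has_work(thread, wait_for_proc_work))
 return POLLIN;
 
 return 0;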
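Review bot: The reordered tail of the poll handler (new lines 4300-4303) carries no comment saying that `poll_wait()` must run before the readiness test, and that ordering is the entire fix. The removed lines show the earlier shape, an early `return POLLIN` that skipped the registration on `thread->wait`, which a later cleanup could reintroduce as an apparent optimisation. I would add above the call: `/* Always register on thread->wait before testing for work; a caller that registers only on its first poll (epoll, presumably) would otherwise never be woken. */`. The function starts outside the hunk, so how `wait_for_proc_work` is computed before the unlock cannot be checked from here.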
+10 -14
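--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -215,17 +215,12 @@
 }
 }
 
-if (!vma && need_mm)
-mm = get_task_mm(alloc->tsk);
+if (!vma && need_mm && mmget_not_zero(alloc->vma_vm_mm))
+mm = alloc->vma_vm_mm;
 
 if (mm) {
 down_write(&mm->mmap_sem);
 vma = alloc->vma;
-if (vma && mm != alloc->vma_vm_mm) {
-pr_err("%d: vma mm and task mm mismatch\n",
-alloc->pid);
-vma = NULL;
-}
 }
 
 if (!vma && need_mm) {
@@ -560,7 +565,7 @@
 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
 "%d: merge free, buffer %pK do not share page with %pK or %pK\n",
 alloc->pid, buffer->data,
-prev->data, next->data);
+prev->data, next ? next->data : NULL);
 binder_update_page_range(alloc, 0, buffer_start_page(buffer),
 buffer_start_page(buffer) + PAGE_SIZE,
 NULL);
@@ -715,6 +720,7 @@
 barrier();
 alloc->vma = vma;
 alloc->vma_vm_mm = vma->vm_mm;
+mmgrab(alloc->vma_vm_mm);
 
 return 0;
 
@@ -791,6 +795,8 @@
 vfree(alloc->buffer);
 }
 mutex_unlock(&alloc->mutex);
+if (alloc->vma_vm_mm)
+mmdrop(alloc->vma_vm_mm);
 
 binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE,
 "%s: %d buffers %d, pages %d\n",
@@ -887,7 +889,6 @@
 void binder_alloc_vma_close(struct binder_alloc *alloc)
 {
 WRITE_ONCE(alloc->vma, NULL);
-WRITE_ONCE(alloc->vma_vm_mm, NULL);
 }
 
 /**
@@ -923,9 +926,9 @@
 page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
 vma = alloc->vma;
 if (vma) {
-mm = get_task_mm(alloc->tsk);
-if (!mm)
-goto err_get_task_mm_failed;
+if (!mmget_not_zero(alloc->vma_vm_mm))
+goto err_mmget;
+mm = alloc->vma_vm_mm;
 if (!down_write_trylock(&mm->mmap_sem))
 goto err_down_write_mmap_sem_failed;
 }
@@ -960,7 +963,7 @@
 
 err_down_write_mmap_sem_failed:
 mmput_async(mm);
-err_get_task_mm_failed:
+err_mmget:
 err_page_already_freed:
 mutex_unlock(&alloc->mutex);
 err_get_alloc_mutex_failed:
@@ -999,7 +1002,6 @@
 */
 void binder_alloc_init(struct binder_alloc *alloc)
 {
-alloc->tsk = current->group_leader;
 alloc->pid = current->group_leader->pid;
 mutex_init(&alloc->mutex);
 INIT_LIST_HEAD(&alloc->buffers);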
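Review bot: At new line 218 `mmget_not_zero(alloc->vma_vm_mm)` runs with no NULL test, although the release path at new line 798 guards the same field with `if (alloc->vma_vm_mm)`, so this section itself treats the pointer as possibly unset. If any caller can reach the `!vma && need_mm` branch before a successful mmap, the call dereferences NULL; callers outside these hunks may already rule that out, but making it local is cheap: `if (!vma && need_mm && alloc->vma_vm_mm && mmget_not_zero(alloc->vma_vm_mm))`. The check at 929 is protected only by `vma` being non-NULL, and the mmap hunk stores `alloc->vma` before `alloc->vma_vm_mm` and `mmgrab()`, so the visible lines do not by themselves guarantee a reader that sees the vma also sees a grabbed mm. Since `binder_alloc_vma_close()` no longer clears the field, I would also document on it that `vma_vm_mm` is pinned by `mmgrab()` from mmap until the deferred release and must only be used after `mmget_not_zero()`. All the affected functions begin outside their hunks.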
-1
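--- a/drivers/android/binder_alloc.h
+++ b/drivers/android/binder_alloc.h
@@ -100,7 +100,6 @@
 */
 struct binder_alloc {
 struct mutex mutex;
-struct task_struct *tsk;
 struct vm_area_struct *vma;
 struct mm_struct *vma_vm_mm;
 void *buffer;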
+4 -1
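--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -937,7 +937,10 @@
 {
 BUG_ON(!is_hvsock_channel(channel));
 
-channel->rescind = true;
+/* We always get a rescind msg when a connection is closed. */
+while (!READ_ONCE(channel->probe_done) || !READ_ONCE(channel->rescind))
+msleep(1);
+
 vmbus_device_unregister(channel->device_obj);
 }
 EXPORT_SYMBOL_GPL(vmbus_hvsock_device_unregister);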
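Review bot: The wait loop at new lines 941-942 has no bound and no diagnostic, so if the rescind message or `probe_done` never arrives the unregistering thread sleeps in `msleep(1)` forever with nothing logged. The only stated justification is the comment's assumption that the host always sends a rescind, which makes guest teardown depend entirely on host behaviour. I would keep the wait but make a stall visible, for example by recording `unsigned long start = jiffies;` before the loop and adding `WARN_ONCE(time_after(jiffies, start + 10 * HZ), "hvsock: still waiting for rescind\n");` inside it (the ten-second figure is only an example). The comment should also say that the function sleeps and must be called from process context. The function's signature line is above the hunk.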