Commit b5ce7a5c authored by Alice Ryhl's avatar Alice Ryhl Committed by Greg Kroah-Hartman
Browse files

rust_binder: report freeze notification only when fully frozen 



Binder only sends out freeze notifications when ioctl_freeze() completes
and the process has become fully frozen. However, if a freeze
notification is registered during the freeze operation, then it
registers an initial state of 'frozen'. This is a problem because if
the freeze operation fails, then the listener is not told about that
state change, leading to lost updates.

Signed-off-by: default avatarAlice Ryhl <aliceryhl@google.com>
Acked-by: default avatarCarlos Llamas <cmllamas@google.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 99559e5b

drivers/android/binder/freeze.rs

+2 −2
Original line number Diff line number Diff line
@@ -121,7 +121,7 @@ fn do_work( 
            writer.write_payload(&self.cookie.0)?;

            Ok(true)

        } else {

            let is_frozen = freeze.node.owner.inner.lock().is_frozen;

            let is_frozen = freeze.node.owner.inner.lock().is_frozen.is_fully_frozen();

            if freeze.last_is_frozen == Some(is_frozen) {

                return Ok(true);

            }
@@ -254,7 +254,7 @@ pub(crate) fn freeze_notif_done(self: &Arc<Self>, reader: &mut UserSliceReader) 
                );

                return Err(EINVAL);

            }

            let is_frozen = freeze.node.owner.inner.lock().is_frozen;

            let is_frozen = freeze.node.owner.inner.lock().is_frozen.is_fully_frozen();

            if freeze.is_clearing || freeze.last_is_frozen != Some(is_frozen) {

                // Immediately send another FreezeMessage.

                clear_msg = Some(FreezeMessage::init(alloc, cookie));

drivers/android/binder/process.rs

+37 −9
Original line number Diff line number Diff line
@@ -72,6 +72,33 @@ fn new(address: usize, size: usize) -> Self { 
const PROC_DEFER_FLUSH: u8 = 1;

const PROC_DEFER_RELEASE: u8 = 2;



#[derive(Copy, Clone)]

pub(crate) enum IsFrozen {

    Yes,

    No,

    InProgress,

}



impl IsFrozen {

    /// Whether incoming transactions should be rejected due to freeze.

    pub(crate) fn is_frozen(self) -> bool {

        match self {

            IsFrozen::Yes => true,

            IsFrozen::No => false,

            IsFrozen::InProgress => true,

        }

    }



    /// Whether freeze notifications consider this process frozen.

    pub(crate) fn is_fully_frozen(self) -> bool {

        match self {

            IsFrozen::Yes => true,

            IsFrozen::No => false,

            IsFrozen::InProgress => false,

        }

    }

}



/// The fields of `Process` protected by the spinlock.

pub(crate) struct ProcessInner {

    is_manager: bool,
@@ -98,7 +125,7 @@ pub(crate) struct ProcessInner { 
    /// are woken up.

    outstanding_txns: u32,

    /// Process is frozen and unable to service binder transactions.

    pub(crate) is_frozen: bool,

    pub(crate) is_frozen: IsFrozen,

    /// Process received sync transactions since last frozen.

    pub(crate) sync_recv: bool,

    /// Process received async transactions since last frozen.
@@ -124,7 +151,7 @@ fn new() -> Self { 
            started_thread_count: 0,

            defer_work: 0,

            outstanding_txns: 0,

            is_frozen: false,

            is_frozen: IsFrozen::No,

            sync_recv: false,

            async_recv: false,

            binderfs_file: None,
@@ -1260,7 +1287,7 @@ fn deferred_release(self: Arc<Self>) { 
        let is_manager = {

            let mut inner = self.inner.lock();

            inner.is_dead = true;

            inner.is_frozen = false;

            inner.is_frozen = IsFrozen::No;

            inner.sync_recv = false;

            inner.async_recv = false;

            inner.is_manager
@@ -1367,7 +1394,7 @@ pub(crate) fn drop_outstanding_txn(&self) { 
                return;

            }

            inner.outstanding_txns -= 1;

            inner.is_frozen && inner.outstanding_txns == 0

            inner.is_frozen.is_frozen() && inner.outstanding_txns == 0

        };



        if wake {
@@ -1381,7 +1408,7 @@ pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result { 
            let mut inner = self.inner.lock();

            inner.sync_recv = false;

            inner.async_recv = false;

            inner.is_frozen = false;

            inner.is_frozen = IsFrozen::No;

            drop(inner);

            msgs.send_messages();

            return Ok(());
@@ -1390,7 +1417,7 @@ pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result { 
        let mut inner = self.inner.lock();

        inner.sync_recv = false;

        inner.async_recv = false;

        inner.is_frozen = true;

        inner.is_frozen = IsFrozen::InProgress;



        if info.timeout_ms > 0 {

            let mut jiffies = kernel::time::msecs_to_jiffies(info.timeout_ms);
@@ -1404,7 +1431,7 @@ pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result { 
                    .wait_interruptible_timeout(&mut inner, jiffies)

                {

                    CondVarTimeoutResult::Signal { .. } => {

                        inner.is_frozen = false;

                        inner.is_frozen = IsFrozen::No;

                        return Err(ERESTARTSYS);

                    }

                    CondVarTimeoutResult::Woken { jiffies: remaining } => {
@@ -1418,17 +1445,18 @@ pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result { 
        }



        if inner.txns_pending_locked() {

            inner.is_frozen = false;

            inner.is_frozen = IsFrozen::No;

            Err(EAGAIN)

        } else {

            drop(inner);

            match self.prepare_freeze_messages() {

                Ok(batch) => {

                    self.inner.lock().is_frozen = IsFrozen::Yes;

                    batch.send_messages();

                    Ok(())

                }

                Err(kernel::alloc::AllocError) => {

                    self.inner.lock().is_frozen = false;

                    self.inner.lock().is_frozen = IsFrozen::No;

                    Err(ENOMEM)

                }

            }

drivers/android/binder/transaction.rs

+3 −3
Original line number Diff line number Diff line
@@ -249,7 +249,7 @@ pub(crate) fn submit(self: DLArc<Self>) -> BinderResult { 


        if oneway {

            if let Some(target_node) = self.target_node.clone() {

                if process_inner.is_frozen {

                if process_inner.is_frozen.is_frozen() {

                    process_inner.async_recv = true;

                    if self.flags & TF_UPDATE_TXN != 0 {

                        if let Some(t_outdated) =
@@ -270,7 +270,7 @@ pub(crate) fn submit(self: DLArc<Self>) -> BinderResult { 
                    }

                }



                if process_inner.is_frozen {

                if process_inner.is_frozen.is_frozen() {

                    return Err(BinderError::new_frozen_oneway());

                } else {

                    return Ok(());
@@ -280,7 +280,7 @@ pub(crate) fn submit(self: DLArc<Self>) -> BinderResult { 
            }

        }



        if process_inner.is_frozen {

        if process_inner.is_frozen.is_frozen() {

            process_inner.sync_recv = true;

            return Err(BinderError::new_frozen());

        }