Merge tag 'char-misc-6.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

	} else {

		if (!internal)

			node->local_weak_refs++;

		if (!node->has_weak_ref && list_empty(&node->work.entry)) {

			if (target_list == NULL) {

				pr_err("invalid inc weak node for %d\n",

					node->debug_id);

				return -EINVAL;

			}

			/*

			 * See comment above

			 */

		if (!node->has_weak_ref && target_list && list_empty(&node->work.entry))

			binder_enqueue_work_ilocked(&node->work, target_list);

	}

	}

	return 0;

}

/**

 * struct binder_ptr_fixup - data to be fixed-up in target buffer

 * @offset	offset in target buffer to fixup

 * @skip_size	bytes to skip in copy (fixup will be written later)

 * @fixup_data	data to write at fixup offset

 * @node	list node

 * @offset:      offset in target buffer to fixup

 * @skip_size:   bytes to skip in copy (fixup will be written later)

 * @fixup_data:  data to write at fixup offset

 * @node:        list node

 *

 * This is used for the pointer fixup list (pf) which is created and consumed

 * during binder_transaction() and is only accessed locally. No

/**

 * struct binder_sg_copy - scatter-gather data to be copied

 * @offset		offset in target buffer

 * @sender_uaddr	user address in source buffer

 * @length		bytes to copy

 * @node		list node

 * @offset:        offset in target buffer

 * @sender_uaddr:  user address in source buffer

 * @length:        bytes to copy

 * @node:          list node

 *

 * This is used for the sg copy list (sgc) which is created and consumed

 * during binder_transaction() and is only accessed locally. No

/**

 * binder_free_buf() - free the specified buffer

 * @proc:       binder proc that owns buffer

 * @thread:     binder thread performing the buffer release

 * @buffer:     buffer to be freed

 * @is_failure: failed to send transaction

 *

 * If buffer for an async transaction, enqueue the next async

 * If the buffer is for an async transaction, enqueue the next async

 * transaction from the node.

 *

 * Cleanup buffer and free it.

 * Cleanup the buffer and free it.

 */

static void

binder_free_buf(struct binder_proc *proc,

            return Ok(true);

        }

        if freeze.is_clearing {

            kernel::warn_on!(freeze.num_cleared_duplicates != 0);

            if freeze.num_pending_duplicates > 0 {

                // The primary freeze listener was deleted, so convert a pending duplicate back

                // into the primary one.

                freeze.num_pending_duplicates -= 1;

                freeze.is_pending = true;

                freeze.is_clearing = true;

            } else {

                _removed_listener = freeze_entry.remove_node();

            }

            drop(node_refs);

            writer.write_code(BR_CLEAR_FREEZE_NOTIFICATION_DONE)?;

            writer.write_payload(&self.cookie.0)?;

            Ok(true)

        } else {

            let is_frozen = freeze.node.owner.inner.lock().is_frozen;

            let is_frozen = freeze.node.owner.inner.lock().is_frozen.is_fully_frozen();

            if freeze.last_is_frozen == Some(is_frozen) {

                return Ok(true);

            }

                );

                return Err(EINVAL);

            }

            if freeze.is_clearing {

                // Immediately send another FreezeMessage for BR_CLEAR_FREEZE_NOTIFICATION_DONE.

            let is_frozen = freeze.node.owner.inner.lock().is_frozen.is_fully_frozen();

            if freeze.is_clearing || freeze.last_is_frozen != Some(is_frozen) {

                // Immediately send another FreezeMessage.

                clear_msg = Some(FreezeMessage::init(alloc, cookie));

            }

            freeze.is_pending = false;

            );

        }

        if inner.freeze_list.is_empty() {

            _unused_capacity = mem::replace(&mut inner.freeze_list, KVVec::new());

            _unused_capacity = mem::take(&mut inner.freeze_list);

        }

    }

const PROC_DEFER_FLUSH: u8 = 1;

const PROC_DEFER_RELEASE: u8 = 2;

#[derive(Copy, Clone)]

pub(crate) enum IsFrozen {

    Yes,

    No,

    InProgress,

}

impl IsFrozen {

    /// Whether incoming transactions should be rejected due to freeze.

    pub(crate) fn is_frozen(self) -> bool {

        match self {

            IsFrozen::Yes => true,

            IsFrozen::No => false,

            IsFrozen::InProgress => true,

        }

    }

    /// Whether freeze notifications consider this process frozen.

    pub(crate) fn is_fully_frozen(self) -> bool {

        match self {

            IsFrozen::Yes => true,

            IsFrozen::No => false,

            IsFrozen::InProgress => false,

        }

    }

}

/// The fields of `Process` protected by the spinlock.

pub(crate) struct ProcessInner {

    is_manager: bool,

    /// are woken up.

    outstanding_txns: u32,

    /// Process is frozen and unable to service binder transactions.

    pub(crate) is_frozen: bool,

    pub(crate) is_frozen: IsFrozen,

    /// Process received sync transactions since last frozen.

    pub(crate) sync_recv: bool,

    /// Process received async transactions since last frozen.

            started_thread_count: 0,

            defer_work: 0,

            outstanding_txns: 0,

            is_frozen: false,

            is_frozen: IsFrozen::No,

            sync_recv: false,

            async_recv: false,

            binderfs_file: None,

        let is_manager = {

            let mut inner = self.inner.lock();

            inner.is_dead = true;

            inner.is_frozen = false;

            inner.is_frozen = IsFrozen::No;

            inner.sync_recv = false;

            inner.async_recv = false;

            inner.is_manager

                .alloc

                .take_for_each(|offset, size, debug_id, odata| {

                    let ptr = offset + address;

                    pr_warn!(

                        "{}: removing orphan mapping {offset}:{size}\n",

                        self.pid_in_current_ns()

                    );

                    let mut alloc =

                        Allocation::new(self.clone(), debug_id, offset, size, ptr, false);

                    if let Some(data) = odata {

                return;

            }

            inner.outstanding_txns -= 1;

            inner.is_frozen && inner.outstanding_txns == 0

            inner.is_frozen.is_frozen() && inner.outstanding_txns == 0

        };

        if wake {

            let mut inner = self.inner.lock();

            inner.sync_recv = false;

            inner.async_recv = false;

            inner.is_frozen = false;

            inner.is_frozen = IsFrozen::No;

            drop(inner);

            msgs.send_messages();

            return Ok(());

        let mut inner = self.inner.lock();

        inner.sync_recv = false;

        inner.async_recv = false;

        inner.is_frozen = true;

        inner.is_frozen = IsFrozen::InProgress;

        if info.timeout_ms > 0 {

            let mut jiffies = kernel::time::msecs_to_jiffies(info.timeout_ms);

                    .wait_interruptible_timeout(&mut inner, jiffies)

                {

                    CondVarTimeoutResult::Signal { .. } => {

                        inner.is_frozen = false;

                        inner.is_frozen = IsFrozen::No;

                        return Err(ERESTARTSYS);

                    }

                    CondVarTimeoutResult::Woken { jiffies: remaining } => {

        }

        if inner.txns_pending_locked() {

            inner.is_frozen = false;

            inner.is_frozen = IsFrozen::No;

            Err(EAGAIN)

        } else {

            drop(inner);

            match self.prepare_freeze_messages() {

                Ok(batch) => {

                    self.inner.lock().is_frozen = IsFrozen::Yes;

                    batch.send_messages();

                    Ok(())

                }

                Err(kernel::alloc::AllocError) => {

                    self.inner.lock().is_frozen = false;

                    self.inner.lock().is_frozen = IsFrozen::No;

                    Err(ENOMEM)

                }

            }

        if oneway {

            if let Some(target_node) = self.target_node.clone() {

                if process_inner.is_frozen {

                if process_inner.is_frozen.is_frozen() {

                    process_inner.async_recv = true;

                    if self.flags & TF_UPDATE_TXN != 0 {

                        if let Some(t_outdated) =

                    }

                }

                if process_inner.is_frozen {

                if process_inner.is_frozen.is_frozen() {

                    return Err(BinderError::new_frozen_oneway());

                } else {

                    return Ok(());

            }

        }

        if process_inner.is_frozen {

        if process_inner.is_frozen.is_frozen() {

            process_inner.sync_recv = true;

            return Err(BinderError::new_frozen());

        }