| From foo@baz Sun Dec 12 02:49:35 PM CET 2021 |
| From: Eric Biggers <ebiggers@kernel.org> |
| Date: Fri, 10 Dec 2021 16:28:31 -0800 |
| Subject: binder: use wake_up_pollfree() |
| To: stable@vger.kernel.org |
| Cc: linux-kernel@vger.kernel.org, Linus Torvalds <torvalds@linux-foundation.org> |
| Message-ID: <20211211002832.153742-3-ebiggers@kernel.org> |
| |
| From: Eric Biggers <ebiggers@google.com> |
| |
| commit a880b28a71e39013e357fd3adccd1d8a31bc69a8 upstream. |
| |
| wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up |
| all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll |
| and aio poll are fortunately not affected by this, but it's very |
| fragile. Thus, the new function wake_up_pollfree() has been introduced. |
| |
| Convert binder to use wake_up_pollfree(). |
| |
| Reported-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.") |
| Cc: stable@vger.kernel.org |
| Link: https://lore.kernel.org/r/20211209010455.42744-3-ebiggers@kernel.org |
| Signed-off-by: Eric Biggers <ebiggers@google.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/android/binder.c | 21 +++++++++------------ |
| 1 file changed, 9 insertions(+), 12 deletions(-) |
| |
| --- a/drivers/android/binder.c |
| +++ b/drivers/android/binder.c |
| @@ -2623,21 +2623,18 @@ static int binder_free_thread(struct bin |
| } |
| |
| /* |
| - * If this thread used poll, make sure we remove the waitqueue |
| - * from any epoll data structures holding it with POLLFREE. |
| - * waitqueue_active() is safe to use here because we're holding |
| - * the global lock. |
| + * If this thread used poll, make sure we remove the waitqueue from any |
| + * poll data structures holding it. |
| */ |
| - if ((thread->looper & BINDER_LOOPER_STATE_POLL) && |
| - waitqueue_active(&thread->wait)) { |
| - wake_up_poll(&thread->wait, POLLHUP | POLLFREE); |
| - } |
| + if (thread->looper & BINDER_LOOPER_STATE_POLL) |
| + wake_up_pollfree(&thread->wait); |
| |
| /* |
| - * This is needed to avoid races between wake_up_poll() above and |
| - * and ep_remove_waitqueue() called for other reasons (eg the epoll file |
| - * descriptor being closed); ep_remove_waitqueue() holds an RCU read |
| - * lock, so we can be sure it's done after calling synchronize_rcu(). |
| + * This is needed to avoid races between wake_up_pollfree() above and |
| + * someone else removing the last entry from the queue for other reasons |
| + * (e.g. ep_remove_wait_queue() being called due to an epoll file |
| + * descriptor being closed). Such other users hold an RCU read lock, so |
| + * we can be sure they're done after we call synchronize_rcu(). |
| */ |
| if (thread->looper & BINDER_LOOPER_STATE_POLL) |
| synchronize_rcu(); |