binder: protect transaction_stack with inner lock.

 * 3) proc->inner_lock : protects the thread and node lists

 *    (proc->threads, proc->nodes) and all todo lists associated

 *    with the binder_proc (proc->todo, thread->todo,

 *    proc->delivered_death and node->async_todo).

 *    proc->delivered_death and node->async_todo), as well as

 *    thread->transaction_stack

 *    binder_inner_proc_lock() and binder_inner_proc_unlock()

 *    are used to acq/rel

 *

 * @looper_needs_return:  looping thread needs to exit driver

 *                        (no lock needed)

 * @transaction_stack:    stack of in-progress transactions for this thread

 *                        (protected by @proc->inner_lock)

 * @todo:                 list of work to do for this thread

 *                        (protected by @proc->inner_lock)

 * @return_error:         transaction errors reported by this thread

 *                        (only accessed by this thread)

 * @reply_error:          transaction errors reported by target thread

 *                        (protected by @proc->inner_lock)

 * @wait:                 wait queue for thread work

 * @stats:                per-thread statistics

 *                        (atomics, no lock needed)

	return ret;

}

static void binder_pop_transaction(struct binder_thread *target_thread,

static void binder_pop_transaction_ilocked(struct binder_thread *target_thread,

					   struct binder_transaction *t)

{

	BUG_ON(!target_thread);

	BUG_ON(!spin_is_locked(&target_thread->proc->inner_lock));

	BUG_ON(target_thread->transaction_stack != t);

	BUG_ON(target_thread->transaction_stack->from != target_thread);

	target_thread->transaction_stack =

	return from;

}

/**

 * binder_get_txn_from_and_acq_inner() - get t->from and acquire inner lock

 * @t:	binder transaction for t->from

 *

 * Same as binder_get_txn_from() except it also acquires the proc->inner_lock

 * to guarantee that the thread cannot be released while operating on it.

 * The caller must call binder_inner_proc_unlock() to release the inner lock

 * as well as call binder_dec_thread_txn() to release the reference.

 *

 * Return: the value of t->from

 */

static struct binder_thread *binder_get_txn_from_and_acq_inner(

		struct binder_transaction *t)

{

	struct binder_thread *from;

	from = binder_get_txn_from(t);

	if (!from)

		return NULL;

	binder_inner_proc_lock(from->proc);

	if (t->from) {

		BUG_ON(from != t->from);

		return from;

	}

	binder_inner_proc_unlock(from->proc);

	binder_thread_dec_tmpref(from);

	return NULL;

}

static void binder_free_transaction(struct binder_transaction *t)

{

	if (t->buffer)

	BUG_ON(t->flags & TF_ONE_WAY);

	while (1) {

		target_thread = binder_get_txn_from(t);

		target_thread = binder_get_txn_from_and_acq_inner(t);

		if (target_thread) {

			binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,

				     "send failed reply for transaction %d to %d:%d\n",

				      target_thread->proc->pid,

				      target_thread->pid);

			binder_pop_transaction(target_thread, t);

			binder_pop_transaction_ilocked(target_thread, t);

			if (target_thread->reply_error.cmd == BR_OK) {

				target_thread->reply_error.cmd = error_code;

				binder_enqueue_work(

					target_thread->proc,

				binder_enqueue_work_ilocked(

					&target_thread->reply_error.work,

					&target_thread->todo);

				wake_up_interruptible(&target_thread->wait);

				WARN(1, "Unexpected reply error: %u\n",

						target_thread->reply_error.cmd);

			}

			binder_inner_proc_unlock(target_thread->proc);

			binder_thread_dec_tmpref(target_thread);

			binder_free_transaction(t);

			return;

	e->context_name = proc->context->name;

	if (reply) {

		binder_inner_proc_lock(proc);

		in_reply_to = thread->transaction_stack;

		if (in_reply_to == NULL) {

			binder_inner_proc_unlock(proc);

			binder_user_error("%d:%d got reply transaction with no transaction stack\n",

					  proc->pid, thread->pid);

			return_error = BR_FAILED_REPLY;

			return_error_line = __LINE__;

			goto err_empty_call_stack;

		}

		binder_set_nice(in_reply_to->saved_priority);

		if (in_reply_to->to_thread != thread) {

			spin_lock(&in_reply_to->lock);

			binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",

				in_reply_to->to_thread ?

				in_reply_to->to_thread->pid : 0);

			spin_unlock(&in_reply_to->lock);

			binder_inner_proc_unlock(proc);

			return_error = BR_FAILED_REPLY;

			return_error_param = -EPROTO;

			return_error_line = __LINE__;

			goto err_bad_call_stack;

		}

		thread->transaction_stack = in_reply_to->to_parent;

		target_thread = binder_get_txn_from(in_reply_to);

		binder_inner_proc_unlock(proc);

		binder_set_nice(in_reply_to->saved_priority);

		target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);

		if (target_thread == NULL) {

			return_error = BR_DEAD_REPLY;

			return_error_line = __LINE__;

				target_thread->transaction_stack ?

				target_thread->transaction_stack->debug_id : 0,

				in_reply_to->debug_id);

			binder_inner_proc_unlock(target_thread->proc);

			return_error = BR_FAILED_REPLY;

			return_error_param = -EPROTO;

			return_error_line = __LINE__;

		}

		target_proc = target_thread->proc;

		target_proc->tmp_ref++;

		binder_inner_proc_unlock(target_thread->proc);

	} else {

		if (tr->target.handle) {

			struct binder_ref *ref;

			return_error_line = __LINE__;

			goto err_invalid_target_handle;

		}

		binder_inner_proc_lock(proc);

		if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {

			struct binder_transaction *tmp;

					tmp->to_thread ?

					tmp->to_thread->pid : 0);

				spin_unlock(&tmp->lock);

				binder_inner_proc_unlock(proc);

				return_error = BR_FAILED_REPLY;

				return_error_param = -EPROTO;

				return_error_line = __LINE__;

				tmp = tmp->from_parent;

			}

		}

		binder_inner_proc_unlock(proc);

	}

	if (target_thread) {

		e->to_thread = target_thread->pid;

	t->work.type = BINDER_WORK_TRANSACTION;

	if (reply) {

		if (target_thread->is_dead)

		binder_inner_proc_lock(target_proc);

		if (target_thread->is_dead) {

			binder_inner_proc_unlock(target_proc);

			goto err_dead_proc_or_thread;

		}

		BUG_ON(t->buffer->async_transaction != 0);

		binder_pop_transaction(target_thread, in_reply_to);

		binder_pop_transaction_ilocked(target_thread, in_reply_to);

		binder_enqueue_work_ilocked(&t->work, target_list);

		binder_inner_proc_unlock(target_proc);

		binder_free_transaction(in_reply_to);

		binder_enqueue_work(target_proc, &t->work, target_list);

	} else if (!(t->flags & TF_ONE_WAY)) {

		BUG_ON(t->buffer->async_transaction != 0);

		binder_inner_proc_lock(proc);

		t->need_reply = 1;

		t->from_parent = thread->transaction_stack;

		thread->transaction_stack = t;

		binder_inner_proc_unlock(proc);

		binder_inner_proc_lock(target_proc);

		if (target_proc->is_dead ||

				(target_thread && target_thread->is_dead)) {

			binder_pop_transaction(thread, t);

			binder_inner_proc_unlock(target_proc);

			binder_inner_proc_lock(proc);

			binder_pop_transaction_ilocked(thread, t);

			binder_inner_proc_unlock(proc);

			goto err_dead_proc_or_thread;

		}

		binder_enqueue_work(target_proc, &t->work, target_list);

		binder_enqueue_work_ilocked(&t->work, target_list);

		binder_inner_proc_unlock(target_proc);

	} else {

		BUG_ON(target_node == NULL);

		BUG_ON(t->buffer->async_transaction != 1);

		 * must be atomic with enqueue on

		 * async_todo

		 */

		binder_inner_proc_lock(target_proc);

		if (target_proc->is_dead ||

				(target_thread && target_thread->is_dead)) {

			binder_inner_proc_unlock(target_proc);

			binder_node_unlock(target_node);

			goto err_dead_proc_or_thread;

		}

		binder_enqueue_work(target_proc, &t->work, target_list);

		binder_enqueue_work_ilocked(&t->work, target_list);

		binder_inner_proc_unlock(target_proc);

		binder_node_unlock(target_node);

	}

	if (target_wait) {

	}

retry:

	binder_inner_proc_lock(proc);

	wait_for_proc_work = thread->transaction_stack == NULL &&

		binder_worklist_empty(proc, &thread->todo);

		binder_worklist_empty_ilocked(&thread->todo);

	binder_inner_proc_unlock(proc);

	thread->looper |= BINDER_LOOPER_STATE_WAITING;

	if (wait_for_proc_work)

			binder_thread_dec_tmpref(t_from);

		t->buffer->allow_user_free = 1;

		if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {

			binder_inner_proc_lock(thread->proc);

			t->to_parent = thread->transaction_stack;

			t->to_thread = thread;

			thread->transaction_stack = t;

			binder_inner_proc_unlock(thread->proc);

		} else {

			binder_free_transaction(t);

		}

	thread = binder_get_thread(proc);

	binder_inner_proc_lock(thread->proc);

	wait_for_proc_work = thread->transaction_stack == NULL &&

		binder_worklist_empty(proc, &thread->todo);

		binder_worklist_empty_ilocked(&thread->todo);

	binder_inner_proc_unlock(thread->proc);

	binder_unlock(__func__);