1 /* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 19 20 #include <asm/cacheflush.h> 21 #include <linux/fdtable.h> 22 #include <linux/file.h> 23 #include <linux/freezer.h> 24 #include <linux/fs.h> 25 #include <linux/list.h> 26 #include <linux/miscdevice.h> 27 #include <linux/mm.h> 28 #include <linux/module.h> 29 #include <linux/mutex.h> 30 #include <linux/nsproxy.h> 31 #include <linux/poll.h> 32 #include <linux/debugfs.h> 33 #include <linux/rbtree.h> 34 #include <linux/sched.h> 35 #include <linux/seq_file.h> 36 #include <linux/uaccess.h> 37 #include <linux/vmalloc.h> 38 #include <linux/slab.h> 39 #include <linux/pid_namespace.h> 40 #include <linux/security.h> 41 42 #ifdef CONFIG_ANDROID_BINDER_IPC_32BIT 43 #define BINDER_IPC_32BIT 1 44 #endif 45 46 #include <uapi/linux/android/binder.h> 47 #include "binder_trace.h" 48 49 static DEFINE_MUTEX(binder_main_lock); 50 static DEFINE_MUTEX(binder_deferred_lock); 51 static DEFINE_MUTEX(binder_mmap_lock); 52 53 static HLIST_HEAD(binder_procs); 54 static HLIST_HEAD(binder_deferred_list); 55 static HLIST_HEAD(binder_dead_nodes); 56 57 static struct dentry *binder_debugfs_dir_entry_root; 58 static struct dentry *binder_debugfs_dir_entry_proc; 59 static struct binder_node *binder_context_mgr_node; 60 static kuid_t binder_context_mgr_uid = INVALID_UID; 61 static int binder_last_id; 62 63 #define BINDER_DEBUG_ENTRY(name) \ 64 static int binder_##name##_open(struct inode *inode, struct file *file) \ 65 { \ 66 return single_open(file, binder_##name##_show, inode->i_private); \ 67 } \ 68 \ 69 static const struct file_operations binder_##name##_fops = { \ 70 .owner = THIS_MODULE, \ 71 .open = binder_##name##_open, \ 72 .read = seq_read, \ 73 .llseek = seq_lseek, \ 74 .release = single_release, \ 75 } 76 77 static int binder_proc_show(struct seq_file *m, void *unused); 78 BINDER_DEBUG_ENTRY(proc); 79 80 /* This is only defined in include/asm-arm/sizes.h */ 81 #ifndef SZ_1K 82 #define SZ_1K 0x400 83 #endif 84 85 #ifndef SZ_4M 86 #define SZ_4M 0x400000 87 #endif 88 89 #define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 90 91 #define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 92 93 enum { 94 BINDER_DEBUG_USER_ERROR = 1U << 0, 95 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 96 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 97 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 98 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 99 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 100 BINDER_DEBUG_READ_WRITE = 1U << 6, 101 BINDER_DEBUG_USER_REFS = 1U << 7, 102 BINDER_DEBUG_THREADS = 1U << 8, 103 BINDER_DEBUG_TRANSACTION = 1U << 9, 104 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 105 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 106 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 107 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 108 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 109 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 110 }; 111 static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 112 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 113 module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 114 115 static bool binder_debug_no_lock; 116 module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 117 118 static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 119 static int binder_stop_on_user_error; 120 121 static int binder_set_stop_on_user_error(const char *val, 122 struct kernel_param *kp) 123 { 124 int ret; 125 126 ret = param_set_int(val, kp); 127 if (binder_stop_on_user_error < 2) 128 wake_up(&binder_user_error_wait); 129 return ret; 130 } 131 module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 132 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 133 134 #define binder_debug(mask, x...) \ 135 do { \ 136 if (binder_debug_mask & mask) \ 137 pr_info(x); \ 138 } while (0) 139 140 #define binder_user_error(x...) \ 141 do { \ 142 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 143 pr_info(x); \ 144 if (binder_stop_on_user_error) \ 145 binder_stop_on_user_error = 2; \ 146 } while (0) 147 148 enum binder_stat_types { 149 BINDER_STAT_PROC, 150 BINDER_STAT_THREAD, 151 BINDER_STAT_NODE, 152 BINDER_STAT_REF, 153 BINDER_STAT_DEATH, 154 BINDER_STAT_TRANSACTION, 155 BINDER_STAT_TRANSACTION_COMPLETE, 156 BINDER_STAT_COUNT 157 }; 158 159 struct binder_stats { 160 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 161 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 162 int obj_created[BINDER_STAT_COUNT]; 163 int obj_deleted[BINDER_STAT_COUNT]; 164 }; 165 166 static struct binder_stats binder_stats; 167 168 static inline void binder_stats_deleted(enum binder_stat_types type) 169 { 170 binder_stats.obj_deleted[type]++; 171 } 172 173 static inline void binder_stats_created(enum binder_stat_types type) 174 { 175 binder_stats.obj_created[type]++; 176 } 177 178 struct binder_transaction_log_entry { 179 int debug_id; 180 int call_type; 181 int from_proc; 182 int from_thread; 183 int target_handle; 184 int to_proc; 185 int to_thread; 186 int to_node; 187 int data_size; 188 int offsets_size; 189 }; 190 struct binder_transaction_log { 191 int next; 192 int full; 193 struct binder_transaction_log_entry entry[32]; 194 }; 195 static struct binder_transaction_log binder_transaction_log; 196 static struct binder_transaction_log binder_transaction_log_failed; 197 198 static struct binder_transaction_log_entry *binder_transaction_log_add( 199 struct binder_transaction_log *log) 200 { 201 struct binder_transaction_log_entry *e; 202 203 e = &log->entry[log->next]; 204 memset(e, 0, sizeof(*e)); 205 log->next++; 206 if (log->next == ARRAY_SIZE(log->entry)) { 207 log->next = 0; 208 log->full = 1; 209 } 210 return e; 211 } 212 213 struct binder_work { 214 struct list_head entry; 215 enum { 216 BINDER_WORK_TRANSACTION = 1, 217 BINDER_WORK_TRANSACTION_COMPLETE, 218 BINDER_WORK_NODE, 219 BINDER_WORK_DEAD_BINDER, 220 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 221 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 222 } type; 223 }; 224 225 struct binder_node { 226 int debug_id; 227 struct binder_work work; 228 union { 229 struct rb_node rb_node; 230 struct hlist_node dead_node; 231 }; 232 struct binder_proc *proc; 233 struct hlist_head refs; 234 int internal_strong_refs; 235 int local_weak_refs; 236 int local_strong_refs; 237 binder_uintptr_t ptr; 238 binder_uintptr_t cookie; 239 unsigned has_strong_ref:1; 240 unsigned pending_strong_ref:1; 241 unsigned has_weak_ref:1; 242 unsigned pending_weak_ref:1; 243 unsigned has_async_transaction:1; 244 unsigned accept_fds:1; 245 unsigned min_priority:8; 246 struct list_head async_todo; 247 }; 248 249 struct binder_ref_death { 250 struct binder_work work; 251 binder_uintptr_t cookie; 252 }; 253 254 struct binder_ref { 255 /* Lookups needed: */ 256 /* node + proc => ref (transaction) */ 257 /* desc + proc => ref (transaction, inc/dec ref) */ 258 /* node => refs + procs (proc exit) */ 259 int debug_id; 260 struct rb_node rb_node_desc; 261 struct rb_node rb_node_node; 262 struct hlist_node node_entry; 263 struct binder_proc *proc; 264 struct binder_node *node; 265 uint32_t desc; 266 int strong; 267 int weak; 268 struct binder_ref_death *death; 269 }; 270 271 struct binder_buffer { 272 struct list_head entry; /* free and allocated entries by address */ 273 struct rb_node rb_node; /* free entry by size or allocated entry */ 274 /* by address */ 275 unsigned free:1; 276 unsigned allow_user_free:1; 277 unsigned async_transaction:1; 278 unsigned debug_id:29; 279 280 struct binder_transaction *transaction; 281 282 struct binder_node *target_node; 283 size_t data_size; 284 size_t offsets_size; 285 uint8_t data[0]; 286 }; 287 288 enum binder_deferred_state { 289 BINDER_DEFERRED_PUT_FILES = 0x01, 290 BINDER_DEFERRED_FLUSH = 0x02, 291 BINDER_DEFERRED_RELEASE = 0x04, 292 }; 293 294 struct binder_proc { 295 struct hlist_node proc_node; 296 struct rb_root threads; 297 struct rb_root nodes; 298 struct rb_root refs_by_desc; 299 struct rb_root refs_by_node; 300 int pid; 301 struct vm_area_struct *vma; 302 struct mm_struct *vma_vm_mm; 303 struct task_struct *tsk; 304 struct files_struct *files; 305 struct hlist_node deferred_work_node; 306 int deferred_work; 307 void *buffer; 308 ptrdiff_t user_buffer_offset; 309 310 struct list_head buffers; 311 struct rb_root free_buffers; 312 struct rb_root allocated_buffers; 313 size_t free_async_space; 314 315 struct page **pages; 316 size_t buffer_size; 317 uint32_t buffer_free; 318 struct list_head todo; 319 wait_queue_head_t wait; 320 struct binder_stats stats; 321 struct list_head delivered_death; 322 int max_threads; 323 int requested_threads; 324 int requested_threads_started; 325 int ready_threads; 326 long default_priority; 327 struct dentry *debugfs_entry; 328 }; 329 330 enum { 331 BINDER_LOOPER_STATE_REGISTERED = 0x01, 332 BINDER_LOOPER_STATE_ENTERED = 0x02, 333 BINDER_LOOPER_STATE_EXITED = 0x04, 334 BINDER_LOOPER_STATE_INVALID = 0x08, 335 BINDER_LOOPER_STATE_WAITING = 0x10, 336 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 337 }; 338 339 struct binder_thread { 340 struct binder_proc *proc; 341 struct rb_node rb_node; 342 int pid; 343 int looper; 344 struct binder_transaction *transaction_stack; 345 struct list_head todo; 346 uint32_t return_error; /* Write failed, return error code in read buf */ 347 uint32_t return_error2; /* Write failed, return error code in read */ 348 /* buffer. Used when sending a reply to a dead process that */ 349 /* we are also waiting on */ 350 wait_queue_head_t wait; 351 struct binder_stats stats; 352 }; 353 354 struct binder_transaction { 355 int debug_id; 356 struct binder_work work; 357 struct binder_thread *from; 358 struct binder_transaction *from_parent; 359 struct binder_proc *to_proc; 360 struct binder_thread *to_thread; 361 struct binder_transaction *to_parent; 362 unsigned need_reply:1; 363 /* unsigned is_dead:1; */ /* not used at the moment */ 364 365 struct binder_buffer *buffer; 366 unsigned int code; 367 unsigned int flags; 368 long priority; 369 long saved_priority; 370 kuid_t sender_euid; 371 }; 372 373 static void 374 binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer); 375 376 static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 377 { 378 struct files_struct *files = proc->files; 379 unsigned long rlim_cur; 380 unsigned long irqs; 381 382 if (files == NULL) 383 return -ESRCH; 384 385 if (!lock_task_sighand(proc->tsk, &irqs)) 386 return -EMFILE; 387 388 rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE); 389 unlock_task_sighand(proc->tsk, &irqs); 390 391 return __alloc_fd(files, 0, rlim_cur, flags); 392 } 393 394 /* 395 * copied from fd_install 396 */ 397 static void task_fd_install( 398 struct binder_proc *proc, unsigned int fd, struct file *file) 399 { 400 if (proc->files) 401 __fd_install(proc->files, fd, file); 402 } 403 404 /* 405 * copied from sys_close 406 */ 407 static long task_close_fd(struct binder_proc *proc, unsigned int fd) 408 { 409 int retval; 410 411 if (proc->files == NULL) 412 return -ESRCH; 413 414 retval = __close_fd(proc->files, fd); 415 /* can't restart close syscall because file table entry was cleared */ 416 if (unlikely(retval == -ERESTARTSYS || 417 retval == -ERESTARTNOINTR || 418 retval == -ERESTARTNOHAND || 419 retval == -ERESTART_RESTARTBLOCK)) 420 retval = -EINTR; 421 422 return retval; 423 } 424 425 static inline void binder_lock(const char *tag) 426 { 427 trace_binder_lock(tag); 428 mutex_lock(&binder_main_lock); 429 trace_binder_locked(tag); 430 } 431 432 static inline void binder_unlock(const char *tag) 433 { 434 trace_binder_unlock(tag); 435 mutex_unlock(&binder_main_lock); 436 } 437 438 static void binder_set_nice(long nice) 439 { 440 long min_nice; 441 442 if (can_nice(current, nice)) { 443 set_user_nice(current, nice); 444 return; 445 } 446 min_nice = rlimit_to_nice(current->signal->rlim[RLIMIT_NICE].rlim_cur); 447 binder_debug(BINDER_DEBUG_PRIORITY_CAP, 448 "%d: nice value %ld not allowed use %ld instead\n", 449 current->pid, nice, min_nice); 450 set_user_nice(current, min_nice); 451 if (min_nice <= MAX_NICE) 452 return; 453 binder_user_error("%d RLIMIT_NICE not set\n", current->pid); 454 } 455 456 static size_t binder_buffer_size(struct binder_proc *proc, 457 struct binder_buffer *buffer) 458 { 459 if (list_is_last(&buffer->entry, &proc->buffers)) 460 return proc->buffer + proc->buffer_size - (void *)buffer->data; 461 return (size_t)list_entry(buffer->entry.next, 462 struct binder_buffer, entry) - (size_t)buffer->data; 463 } 464 465 static void binder_insert_free_buffer(struct binder_proc *proc, 466 struct binder_buffer *new_buffer) 467 { 468 struct rb_node **p = &proc->free_buffers.rb_node; 469 struct rb_node *parent = NULL; 470 struct binder_buffer *buffer; 471 size_t buffer_size; 472 size_t new_buffer_size; 473 474 BUG_ON(!new_buffer->free); 475 476 new_buffer_size = binder_buffer_size(proc, new_buffer); 477 478 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 479 "%d: add free buffer, size %zd, at %p\n", 480 proc->pid, new_buffer_size, new_buffer); 481 482 while (*p) { 483 parent = *p; 484 buffer = rb_entry(parent, struct binder_buffer, rb_node); 485 BUG_ON(!buffer->free); 486 487 buffer_size = binder_buffer_size(proc, buffer); 488 489 if (new_buffer_size < buffer_size) 490 p = &parent->rb_left; 491 else 492 p = &parent->rb_right; 493 } 494 rb_link_node(&new_buffer->rb_node, parent, p); 495 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 496 } 497 498 static void binder_insert_allocated_buffer(struct binder_proc *proc, 499 struct binder_buffer *new_buffer) 500 { 501 struct rb_node **p = &proc->allocated_buffers.rb_node; 502 struct rb_node *parent = NULL; 503 struct binder_buffer *buffer; 504 505 BUG_ON(new_buffer->free); 506 507 while (*p) { 508 parent = *p; 509 buffer = rb_entry(parent, struct binder_buffer, rb_node); 510 BUG_ON(buffer->free); 511 512 if (new_buffer < buffer) 513 p = &parent->rb_left; 514 else if (new_buffer > buffer) 515 p = &parent->rb_right; 516 else 517 BUG(); 518 } 519 rb_link_node(&new_buffer->rb_node, parent, p); 520 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 521 } 522 523 static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc, 524 uintptr_t user_ptr) 525 { 526 struct rb_node *n = proc->allocated_buffers.rb_node; 527 struct binder_buffer *buffer; 528 struct binder_buffer *kern_ptr; 529 530 kern_ptr = (struct binder_buffer *)(user_ptr - proc->user_buffer_offset 531 - offsetof(struct binder_buffer, data)); 532 533 while (n) { 534 buffer = rb_entry(n, struct binder_buffer, rb_node); 535 BUG_ON(buffer->free); 536 537 if (kern_ptr < buffer) 538 n = n->rb_left; 539 else if (kern_ptr > buffer) 540 n = n->rb_right; 541 else 542 return buffer; 543 } 544 return NULL; 545 } 546 547 static int binder_update_page_range(struct binder_proc *proc, int allocate, 548 void *start, void *end, 549 struct vm_area_struct *vma) 550 { 551 void *page_addr; 552 unsigned long user_page_addr; 553 struct page **page; 554 struct mm_struct *mm; 555 556 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 557 "%d: %s pages %p-%p\n", proc->pid, 558 allocate ? "allocate" : "free", start, end); 559 560 if (end <= start) 561 return 0; 562 563 trace_binder_update_page_range(proc, allocate, start, end); 564 565 if (vma) 566 mm = NULL; 567 else 568 mm = get_task_mm(proc->tsk); 569 570 if (mm) { 571 down_write(&mm->mmap_sem); 572 vma = proc->vma; 573 if (vma && mm != proc->vma_vm_mm) { 574 pr_err("%d: vma mm and task mm mismatch\n", 575 proc->pid); 576 vma = NULL; 577 } 578 } 579 580 if (allocate == 0) 581 goto free_range; 582 583 if (vma == NULL) { 584 pr_err("%d: binder_alloc_buf failed to map pages in userspace, no vma\n", 585 proc->pid); 586 goto err_no_vma; 587 } 588 589 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 590 int ret; 591 592 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 593 594 BUG_ON(*page); 595 *page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO); 596 if (*page == NULL) { 597 pr_err("%d: binder_alloc_buf failed for page at %p\n", 598 proc->pid, page_addr); 599 goto err_alloc_page_failed; 600 } 601 ret = map_kernel_range_noflush((unsigned long)page_addr, 602 PAGE_SIZE, PAGE_KERNEL, page); 603 flush_cache_vmap((unsigned long)page_addr, 604 (unsigned long)page_addr + PAGE_SIZE); 605 if (ret != 1) { 606 pr_err("%d: binder_alloc_buf failed to map page at %p in kernel\n", 607 proc->pid, page_addr); 608 goto err_map_kernel_failed; 609 } 610 user_page_addr = 611 (uintptr_t)page_addr + proc->user_buffer_offset; 612 ret = vm_insert_page(vma, user_page_addr, page[0]); 613 if (ret) { 614 pr_err("%d: binder_alloc_buf failed to map page at %lx in userspace\n", 615 proc->pid, user_page_addr); 616 goto err_vm_insert_page_failed; 617 } 618 /* vm_insert_page does not seem to increment the refcount */ 619 } 620 if (mm) { 621 up_write(&mm->mmap_sem); 622 mmput(mm); 623 } 624 return 0; 625 626 free_range: 627 for (page_addr = end - PAGE_SIZE; page_addr >= start; 628 page_addr -= PAGE_SIZE) { 629 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 630 if (vma) 631 zap_page_range(vma, (uintptr_t)page_addr + 632 proc->user_buffer_offset, PAGE_SIZE, NULL); 633 err_vm_insert_page_failed: 634 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 635 err_map_kernel_failed: 636 __free_page(*page); 637 *page = NULL; 638 err_alloc_page_failed: 639 ; 640 } 641 err_no_vma: 642 if (mm) { 643 up_write(&mm->mmap_sem); 644 mmput(mm); 645 } 646 return -ENOMEM; 647 } 648 649 static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 650 size_t data_size, 651 size_t offsets_size, int is_async) 652 { 653 struct rb_node *n = proc->free_buffers.rb_node; 654 struct binder_buffer *buffer; 655 size_t buffer_size; 656 struct rb_node *best_fit = NULL; 657 void *has_page_addr; 658 void *end_page_addr; 659 size_t size; 660 661 if (proc->vma == NULL) { 662 pr_err("%d: binder_alloc_buf, no vma\n", 663 proc->pid); 664 return NULL; 665 } 666 667 size = ALIGN(data_size, sizeof(void *)) + 668 ALIGN(offsets_size, sizeof(void *)); 669 670 if (size < data_size || size < offsets_size) { 671 binder_user_error("%d: got transaction with invalid size %zd-%zd\n", 672 proc->pid, data_size, offsets_size); 673 return NULL; 674 } 675 676 if (is_async && 677 proc->free_async_space < size + sizeof(struct binder_buffer)) { 678 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 679 "%d: binder_alloc_buf size %zd failed, no async space left\n", 680 proc->pid, size); 681 return NULL; 682 } 683 684 while (n) { 685 buffer = rb_entry(n, struct binder_buffer, rb_node); 686 BUG_ON(!buffer->free); 687 buffer_size = binder_buffer_size(proc, buffer); 688 689 if (size < buffer_size) { 690 best_fit = n; 691 n = n->rb_left; 692 } else if (size > buffer_size) 693 n = n->rb_right; 694 else { 695 best_fit = n; 696 break; 697 } 698 } 699 if (best_fit == NULL) { 700 pr_err("%d: binder_alloc_buf size %zd failed, no address space\n", 701 proc->pid, size); 702 return NULL; 703 } 704 if (n == NULL) { 705 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 706 buffer_size = binder_buffer_size(proc, buffer); 707 } 708 709 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 710 "%d: binder_alloc_buf size %zd got buffer %p size %zd\n", 711 proc->pid, size, buffer, buffer_size); 712 713 has_page_addr = 714 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 715 if (n == NULL) { 716 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 717 buffer_size = size; /* no room for other buffers */ 718 else 719 buffer_size = size + sizeof(struct binder_buffer); 720 } 721 end_page_addr = 722 (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); 723 if (end_page_addr > has_page_addr) 724 end_page_addr = has_page_addr; 725 if (binder_update_page_range(proc, 1, 726 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) 727 return NULL; 728 729 rb_erase(best_fit, &proc->free_buffers); 730 buffer->free = 0; 731 binder_insert_allocated_buffer(proc, buffer); 732 if (buffer_size != size) { 733 struct binder_buffer *new_buffer = (void *)buffer->data + size; 734 735 list_add(&new_buffer->entry, &buffer->entry); 736 new_buffer->free = 1; 737 binder_insert_free_buffer(proc, new_buffer); 738 } 739 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 740 "%d: binder_alloc_buf size %zd got %p\n", 741 proc->pid, size, buffer); 742 buffer->data_size = data_size; 743 buffer->offsets_size = offsets_size; 744 buffer->async_transaction = is_async; 745 if (is_async) { 746 proc->free_async_space -= size + sizeof(struct binder_buffer); 747 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 748 "%d: binder_alloc_buf size %zd async free %zd\n", 749 proc->pid, size, proc->free_async_space); 750 } 751 752 return buffer; 753 } 754 755 static void *buffer_start_page(struct binder_buffer *buffer) 756 { 757 return (void *)((uintptr_t)buffer & PAGE_MASK); 758 } 759 760 static void *buffer_end_page(struct binder_buffer *buffer) 761 { 762 return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); 763 } 764 765 static void binder_delete_free_buffer(struct binder_proc *proc, 766 struct binder_buffer *buffer) 767 { 768 struct binder_buffer *prev, *next = NULL; 769 int free_page_end = 1; 770 int free_page_start = 1; 771 772 BUG_ON(proc->buffers.next == &buffer->entry); 773 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 774 BUG_ON(!prev->free); 775 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 776 free_page_start = 0; 777 if (buffer_end_page(prev) == buffer_end_page(buffer)) 778 free_page_end = 0; 779 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 780 "%d: merge free, buffer %p share page with %p\n", 781 proc->pid, buffer, prev); 782 } 783 784 if (!list_is_last(&buffer->entry, &proc->buffers)) { 785 next = list_entry(buffer->entry.next, 786 struct binder_buffer, entry); 787 if (buffer_start_page(next) == buffer_end_page(buffer)) { 788 free_page_end = 0; 789 if (buffer_start_page(next) == 790 buffer_start_page(buffer)) 791 free_page_start = 0; 792 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 793 "%d: merge free, buffer %p share page with %p\n", 794 proc->pid, buffer, prev); 795 } 796 } 797 list_del(&buffer->entry); 798 if (free_page_start || free_page_end) { 799 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 800 "%d: merge free, buffer %p do not share page%s%s with %p or %p\n", 801 proc->pid, buffer, free_page_start ? "" : " end", 802 free_page_end ? "" : " start", prev, next); 803 binder_update_page_range(proc, 0, free_page_start ? 804 buffer_start_page(buffer) : buffer_end_page(buffer), 805 (free_page_end ? buffer_end_page(buffer) : 806 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 807 } 808 } 809 810 static void binder_free_buf(struct binder_proc *proc, 811 struct binder_buffer *buffer) 812 { 813 size_t size, buffer_size; 814 815 buffer_size = binder_buffer_size(proc, buffer); 816 817 size = ALIGN(buffer->data_size, sizeof(void *)) + 818 ALIGN(buffer->offsets_size, sizeof(void *)); 819 820 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 821 "%d: binder_free_buf %p size %zd buffer_size %zd\n", 822 proc->pid, buffer, size, buffer_size); 823 824 BUG_ON(buffer->free); 825 BUG_ON(size > buffer_size); 826 BUG_ON(buffer->transaction != NULL); 827 BUG_ON((void *)buffer < proc->buffer); 828 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 829 830 if (buffer->async_transaction) { 831 proc->free_async_space += size + sizeof(struct binder_buffer); 832 833 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 834 "%d: binder_free_buf size %zd async free %zd\n", 835 proc->pid, size, proc->free_async_space); 836 } 837 838 binder_update_page_range(proc, 0, 839 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 840 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), 841 NULL); 842 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 843 buffer->free = 1; 844 if (!list_is_last(&buffer->entry, &proc->buffers)) { 845 struct binder_buffer *next = list_entry(buffer->entry.next, 846 struct binder_buffer, entry); 847 848 if (next->free) { 849 rb_erase(&next->rb_node, &proc->free_buffers); 850 binder_delete_free_buffer(proc, next); 851 } 852 } 853 if (proc->buffers.next != &buffer->entry) { 854 struct binder_buffer *prev = list_entry(buffer->entry.prev, 855 struct binder_buffer, entry); 856 857 if (prev->free) { 858 binder_delete_free_buffer(proc, buffer); 859 rb_erase(&prev->rb_node, &proc->free_buffers); 860 buffer = prev; 861 } 862 } 863 binder_insert_free_buffer(proc, buffer); 864 } 865 866 static struct binder_node *binder_get_node(struct binder_proc *proc, 867 binder_uintptr_t ptr) 868 { 869 struct rb_node *n = proc->nodes.rb_node; 870 struct binder_node *node; 871 872 while (n) { 873 node = rb_entry(n, struct binder_node, rb_node); 874 875 if (ptr < node->ptr) 876 n = n->rb_left; 877 else if (ptr > node->ptr) 878 n = n->rb_right; 879 else 880 return node; 881 } 882 return NULL; 883 } 884 885 static struct binder_node *binder_new_node(struct binder_proc *proc, 886 binder_uintptr_t ptr, 887 binder_uintptr_t cookie) 888 { 889 struct rb_node **p = &proc->nodes.rb_node; 890 struct rb_node *parent = NULL; 891 struct binder_node *node; 892 893 while (*p) { 894 parent = *p; 895 node = rb_entry(parent, struct binder_node, rb_node); 896 897 if (ptr < node->ptr) 898 p = &(*p)->rb_left; 899 else if (ptr > node->ptr) 900 p = &(*p)->rb_right; 901 else 902 return NULL; 903 } 904 905 node = kzalloc(sizeof(*node), GFP_KERNEL); 906 if (node == NULL) 907 return NULL; 908 binder_stats_created(BINDER_STAT_NODE); 909 rb_link_node(&node->rb_node, parent, p); 910 rb_insert_color(&node->rb_node, &proc->nodes); 911 node->debug_id = ++binder_last_id; 912 node->proc = proc; 913 node->ptr = ptr; 914 node->cookie = cookie; 915 node->work.type = BINDER_WORK_NODE; 916 INIT_LIST_HEAD(&node->work.entry); 917 INIT_LIST_HEAD(&node->async_todo); 918 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 919 "%d:%d node %d u%016llx c%016llx created\n", 920 proc->pid, current->pid, node->debug_id, 921 (u64)node->ptr, (u64)node->cookie); 922 return node; 923 } 924 925 static int binder_inc_node(struct binder_node *node, int strong, int internal, 926 struct list_head *target_list) 927 { 928 if (strong) { 929 if (internal) { 930 if (target_list == NULL && 931 node->internal_strong_refs == 0 && 932 !(node == binder_context_mgr_node && 933 node->has_strong_ref)) { 934 pr_err("invalid inc strong node for %d\n", 935 node->debug_id); 936 return -EINVAL; 937 } 938 node->internal_strong_refs++; 939 } else 940 node->local_strong_refs++; 941 if (!node->has_strong_ref && target_list) { 942 list_del_init(&node->work.entry); 943 list_add_tail(&node->work.entry, target_list); 944 } 945 } else { 946 if (!internal) 947 node->local_weak_refs++; 948 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 949 if (target_list == NULL) { 950 pr_err("invalid inc weak node for %d\n", 951 node->debug_id); 952 return -EINVAL; 953 } 954 list_add_tail(&node->work.entry, target_list); 955 } 956 } 957 return 0; 958 } 959 960 static int binder_dec_node(struct binder_node *node, int strong, int internal) 961 { 962 if (strong) { 963 if (internal) 964 node->internal_strong_refs--; 965 else 966 node->local_strong_refs--; 967 if (node->local_strong_refs || node->internal_strong_refs) 968 return 0; 969 } else { 970 if (!internal) 971 node->local_weak_refs--; 972 if (node->local_weak_refs || !hlist_empty(&node->refs)) 973 return 0; 974 } 975 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 976 if (list_empty(&node->work.entry)) { 977 list_add_tail(&node->work.entry, &node->proc->todo); 978 wake_up_interruptible(&node->proc->wait); 979 } 980 } else { 981 if (hlist_empty(&node->refs) && !node->local_strong_refs && 982 !node->local_weak_refs) { 983 list_del_init(&node->work.entry); 984 if (node->proc) { 985 rb_erase(&node->rb_node, &node->proc->nodes); 986 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 987 "refless node %d deleted\n", 988 node->debug_id); 989 } else { 990 hlist_del(&node->dead_node); 991 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 992 "dead node %d deleted\n", 993 node->debug_id); 994 } 995 kfree(node); 996 binder_stats_deleted(BINDER_STAT_NODE); 997 } 998 } 999 1000 return 0; 1001 } 1002 1003 1004 static struct binder_ref *binder_get_ref(struct binder_proc *proc, 1005 uint32_t desc) 1006 { 1007 struct rb_node *n = proc->refs_by_desc.rb_node; 1008 struct binder_ref *ref; 1009 1010 while (n) { 1011 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1012 1013 if (desc < ref->desc) 1014 n = n->rb_left; 1015 else if (desc > ref->desc) 1016 n = n->rb_right; 1017 else 1018 return ref; 1019 } 1020 return NULL; 1021 } 1022 1023 static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc, 1024 struct binder_node *node) 1025 { 1026 struct rb_node *n; 1027 struct rb_node **p = &proc->refs_by_node.rb_node; 1028 struct rb_node *parent = NULL; 1029 struct binder_ref *ref, *new_ref; 1030 1031 while (*p) { 1032 parent = *p; 1033 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1034 1035 if (node < ref->node) 1036 p = &(*p)->rb_left; 1037 else if (node > ref->node) 1038 p = &(*p)->rb_right; 1039 else 1040 return ref; 1041 } 1042 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1043 if (new_ref == NULL) 1044 return NULL; 1045 binder_stats_created(BINDER_STAT_REF); 1046 new_ref->debug_id = ++binder_last_id; 1047 new_ref->proc = proc; 1048 new_ref->node = node; 1049 rb_link_node(&new_ref->rb_node_node, parent, p); 1050 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1051 1052 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1053 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1054 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1055 if (ref->desc > new_ref->desc) 1056 break; 1057 new_ref->desc = ref->desc + 1; 1058 } 1059 1060 p = &proc->refs_by_desc.rb_node; 1061 while (*p) { 1062 parent = *p; 1063 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1064 1065 if (new_ref->desc < ref->desc) 1066 p = &(*p)->rb_left; 1067 else if (new_ref->desc > ref->desc) 1068 p = &(*p)->rb_right; 1069 else 1070 BUG(); 1071 } 1072 rb_link_node(&new_ref->rb_node_desc, parent, p); 1073 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1074 if (node) { 1075 hlist_add_head(&new_ref->node_entry, &node->refs); 1076 1077 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1078 "%d new ref %d desc %d for node %d\n", 1079 proc->pid, new_ref->debug_id, new_ref->desc, 1080 node->debug_id); 1081 } else { 1082 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1083 "%d new ref %d desc %d for dead node\n", 1084 proc->pid, new_ref->debug_id, new_ref->desc); 1085 } 1086 return new_ref; 1087 } 1088 1089 static void binder_delete_ref(struct binder_ref *ref) 1090 { 1091 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1092 "%d delete ref %d desc %d for node %d\n", 1093 ref->proc->pid, ref->debug_id, ref->desc, 1094 ref->node->debug_id); 1095 1096 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1097 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1098 if (ref->strong) 1099 binder_dec_node(ref->node, 1, 1); 1100 hlist_del(&ref->node_entry); 1101 binder_dec_node(ref->node, 0, 1); 1102 if (ref->death) { 1103 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1104 "%d delete ref %d desc %d has death notification\n", 1105 ref->proc->pid, ref->debug_id, ref->desc); 1106 list_del(&ref->death->work.entry); 1107 kfree(ref->death); 1108 binder_stats_deleted(BINDER_STAT_DEATH); 1109 } 1110 kfree(ref); 1111 binder_stats_deleted(BINDER_STAT_REF); 1112 } 1113 1114 static int binder_inc_ref(struct binder_ref *ref, int strong, 1115 struct list_head *target_list) 1116 { 1117 int ret; 1118 1119 if (strong) { 1120 if (ref->strong == 0) { 1121 ret = binder_inc_node(ref->node, 1, 1, target_list); 1122 if (ret) 1123 return ret; 1124 } 1125 ref->strong++; 1126 } else { 1127 if (ref->weak == 0) { 1128 ret = binder_inc_node(ref->node, 0, 1, target_list); 1129 if (ret) 1130 return ret; 1131 } 1132 ref->weak++; 1133 } 1134 return 0; 1135 } 1136 1137 1138 static int binder_dec_ref(struct binder_ref *ref, int strong) 1139 { 1140 if (strong) { 1141 if (ref->strong == 0) { 1142 binder_user_error("%d invalid dec strong, ref %d desc %d s %d w %d\n", 1143 ref->proc->pid, ref->debug_id, 1144 ref->desc, ref->strong, ref->weak); 1145 return -EINVAL; 1146 } 1147 ref->strong--; 1148 if (ref->strong == 0) { 1149 int ret; 1150 1151 ret = binder_dec_node(ref->node, strong, 1); 1152 if (ret) 1153 return ret; 1154 } 1155 } else { 1156 if (ref->weak == 0) { 1157 binder_user_error("%d invalid dec weak, ref %d desc %d s %d w %d\n", 1158 ref->proc->pid, ref->debug_id, 1159 ref->desc, ref->strong, ref->weak); 1160 return -EINVAL; 1161 } 1162 ref->weak--; 1163 } 1164 if (ref->strong == 0 && ref->weak == 0) 1165 binder_delete_ref(ref); 1166 return 0; 1167 } 1168 1169 static void binder_pop_transaction(struct binder_thread *target_thread, 1170 struct binder_transaction *t) 1171 { 1172 if (target_thread) { 1173 BUG_ON(target_thread->transaction_stack != t); 1174 BUG_ON(target_thread->transaction_stack->from != target_thread); 1175 target_thread->transaction_stack = 1176 target_thread->transaction_stack->from_parent; 1177 t->from = NULL; 1178 } 1179 t->need_reply = 0; 1180 if (t->buffer) 1181 t->buffer->transaction = NULL; 1182 kfree(t); 1183 binder_stats_deleted(BINDER_STAT_TRANSACTION); 1184 } 1185 1186 static void binder_send_failed_reply(struct binder_transaction *t, 1187 uint32_t error_code) 1188 { 1189 struct binder_thread *target_thread; 1190 struct binder_transaction *next; 1191 1192 BUG_ON(t->flags & TF_ONE_WAY); 1193 while (1) { 1194 target_thread = t->from; 1195 if (target_thread) { 1196 if (target_thread->return_error != BR_OK && 1197 target_thread->return_error2 == BR_OK) { 1198 target_thread->return_error2 = 1199 target_thread->return_error; 1200 target_thread->return_error = BR_OK; 1201 } 1202 if (target_thread->return_error == BR_OK) { 1203 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1204 "send failed reply for transaction %d to %d:%d\n", 1205 t->debug_id, 1206 target_thread->proc->pid, 1207 target_thread->pid); 1208 1209 binder_pop_transaction(target_thread, t); 1210 target_thread->return_error = error_code; 1211 wake_up_interruptible(&target_thread->wait); 1212 } else { 1213 pr_err("reply failed, target thread, %d:%d, has error code %d already\n", 1214 target_thread->proc->pid, 1215 target_thread->pid, 1216 target_thread->return_error); 1217 } 1218 return; 1219 } 1220 next = t->from_parent; 1221 1222 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1223 "send failed reply for transaction %d, target dead\n", 1224 t->debug_id); 1225 1226 binder_pop_transaction(target_thread, t); 1227 if (next == NULL) { 1228 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1229 "reply failed, no target thread at root\n"); 1230 return; 1231 } 1232 t = next; 1233 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1234 "reply failed, no target thread -- retry %d\n", 1235 t->debug_id); 1236 } 1237 } 1238 1239 static void binder_transaction_buffer_release(struct binder_proc *proc, 1240 struct binder_buffer *buffer, 1241 binder_size_t *failed_at) 1242 { 1243 binder_size_t *offp, *off_end; 1244 int debug_id = buffer->debug_id; 1245 1246 binder_debug(BINDER_DEBUG_TRANSACTION, 1247 "%d buffer release %d, size %zd-%zd, failed at %p\n", 1248 proc->pid, buffer->debug_id, 1249 buffer->data_size, buffer->offsets_size, failed_at); 1250 1251 if (buffer->target_node) 1252 binder_dec_node(buffer->target_node, 1, 0); 1253 1254 offp = (binder_size_t *)(buffer->data + 1255 ALIGN(buffer->data_size, sizeof(void *))); 1256 if (failed_at) 1257 off_end = failed_at; 1258 else 1259 off_end = (void *)offp + buffer->offsets_size; 1260 for (; offp < off_end; offp++) { 1261 struct flat_binder_object *fp; 1262 1263 if (*offp > buffer->data_size - sizeof(*fp) || 1264 buffer->data_size < sizeof(*fp) || 1265 !IS_ALIGNED(*offp, sizeof(u32))) { 1266 pr_err("transaction release %d bad offset %lld, size %zd\n", 1267 debug_id, (u64)*offp, buffer->data_size); 1268 continue; 1269 } 1270 fp = (struct flat_binder_object *)(buffer->data + *offp); 1271 switch (fp->type) { 1272 case BINDER_TYPE_BINDER: 1273 case BINDER_TYPE_WEAK_BINDER: { 1274 struct binder_node *node = binder_get_node(proc, fp->binder); 1275 1276 if (node == NULL) { 1277 pr_err("transaction release %d bad node %016llx\n", 1278 debug_id, (u64)fp->binder); 1279 break; 1280 } 1281 binder_debug(BINDER_DEBUG_TRANSACTION, 1282 " node %d u%016llx\n", 1283 node->debug_id, (u64)node->ptr); 1284 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1285 } break; 1286 case BINDER_TYPE_HANDLE: 1287 case BINDER_TYPE_WEAK_HANDLE: { 1288 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1289 1290 if (ref == NULL) { 1291 pr_err("transaction release %d bad handle %d\n", 1292 debug_id, fp->handle); 1293 break; 1294 } 1295 binder_debug(BINDER_DEBUG_TRANSACTION, 1296 " ref %d desc %d (node %d)\n", 1297 ref->debug_id, ref->desc, ref->node->debug_id); 1298 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1299 } break; 1300 1301 case BINDER_TYPE_FD: 1302 binder_debug(BINDER_DEBUG_TRANSACTION, 1303 " fd %d\n", fp->handle); 1304 if (failed_at) 1305 task_close_fd(proc, fp->handle); 1306 break; 1307 1308 default: 1309 pr_err("transaction release %d bad object type %x\n", 1310 debug_id, fp->type); 1311 break; 1312 } 1313 } 1314 } 1315 1316 static void binder_transaction(struct binder_proc *proc, 1317 struct binder_thread *thread, 1318 struct binder_transaction_data *tr, int reply) 1319 { 1320 struct binder_transaction *t; 1321 struct binder_work *tcomplete; 1322 binder_size_t *offp, *off_end; 1323 binder_size_t off_min; 1324 struct binder_proc *target_proc; 1325 struct binder_thread *target_thread = NULL; 1326 struct binder_node *target_node = NULL; 1327 struct list_head *target_list; 1328 wait_queue_head_t *target_wait; 1329 struct binder_transaction *in_reply_to = NULL; 1330 struct binder_transaction_log_entry *e; 1331 uint32_t return_error; 1332 1333 e = binder_transaction_log_add(&binder_transaction_log); 1334 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1335 e->from_proc = proc->pid; 1336 e->from_thread = thread->pid; 1337 e->target_handle = tr->target.handle; 1338 e->data_size = tr->data_size; 1339 e->offsets_size = tr->offsets_size; 1340 1341 if (reply) { 1342 in_reply_to = thread->transaction_stack; 1343 if (in_reply_to == NULL) { 1344 binder_user_error("%d:%d got reply transaction with no transaction stack\n", 1345 proc->pid, thread->pid); 1346 return_error = BR_FAILED_REPLY; 1347 goto err_empty_call_stack; 1348 } 1349 binder_set_nice(in_reply_to->saved_priority); 1350 if (in_reply_to->to_thread != thread) { 1351 binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n", 1352 proc->pid, thread->pid, in_reply_to->debug_id, 1353 in_reply_to->to_proc ? 1354 in_reply_to->to_proc->pid : 0, 1355 in_reply_to->to_thread ? 1356 in_reply_to->to_thread->pid : 0); 1357 return_error = BR_FAILED_REPLY; 1358 in_reply_to = NULL; 1359 goto err_bad_call_stack; 1360 } 1361 thread->transaction_stack = in_reply_to->to_parent; 1362 target_thread = in_reply_to->from; 1363 if (target_thread == NULL) { 1364 return_error = BR_DEAD_REPLY; 1365 goto err_dead_binder; 1366 } 1367 if (target_thread->transaction_stack != in_reply_to) { 1368 binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n", 1369 proc->pid, thread->pid, 1370 target_thread->transaction_stack ? 1371 target_thread->transaction_stack->debug_id : 0, 1372 in_reply_to->debug_id); 1373 return_error = BR_FAILED_REPLY; 1374 in_reply_to = NULL; 1375 target_thread = NULL; 1376 goto err_dead_binder; 1377 } 1378 target_proc = target_thread->proc; 1379 } else { 1380 if (tr->target.handle) { 1381 struct binder_ref *ref; 1382 1383 ref = binder_get_ref(proc, tr->target.handle); 1384 if (ref == NULL) { 1385 binder_user_error("%d:%d got transaction to invalid handle\n", 1386 proc->pid, thread->pid); 1387 return_error = BR_FAILED_REPLY; 1388 goto err_invalid_target_handle; 1389 } 1390 target_node = ref->node; 1391 } else { 1392 target_node = binder_context_mgr_node; 1393 if (target_node == NULL) { 1394 return_error = BR_DEAD_REPLY; 1395 goto err_no_context_mgr_node; 1396 } 1397 } 1398 e->to_node = target_node->debug_id; 1399 target_proc = target_node->proc; 1400 if (target_proc == NULL) { 1401 return_error = BR_DEAD_REPLY; 1402 goto err_dead_binder; 1403 } 1404 if (security_binder_transaction(proc->tsk, 1405 target_proc->tsk) < 0) { 1406 return_error = BR_FAILED_REPLY; 1407 goto err_invalid_target_handle; 1408 } 1409 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1410 struct binder_transaction *tmp; 1411 1412 tmp = thread->transaction_stack; 1413 if (tmp->to_thread != thread) { 1414 binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n", 1415 proc->pid, thread->pid, tmp->debug_id, 1416 tmp->to_proc ? tmp->to_proc->pid : 0, 1417 tmp->to_thread ? 1418 tmp->to_thread->pid : 0); 1419 return_error = BR_FAILED_REPLY; 1420 goto err_bad_call_stack; 1421 } 1422 while (tmp) { 1423 if (tmp->from && tmp->from->proc == target_proc) 1424 target_thread = tmp->from; 1425 tmp = tmp->from_parent; 1426 } 1427 } 1428 } 1429 if (target_thread) { 1430 e->to_thread = target_thread->pid; 1431 target_list = &target_thread->todo; 1432 target_wait = &target_thread->wait; 1433 } else { 1434 target_list = &target_proc->todo; 1435 target_wait = &target_proc->wait; 1436 } 1437 e->to_proc = target_proc->pid; 1438 1439 /* TODO: reuse incoming transaction for reply */ 1440 t = kzalloc(sizeof(*t), GFP_KERNEL); 1441 if (t == NULL) { 1442 return_error = BR_FAILED_REPLY; 1443 goto err_alloc_t_failed; 1444 } 1445 binder_stats_created(BINDER_STAT_TRANSACTION); 1446 1447 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1448 if (tcomplete == NULL) { 1449 return_error = BR_FAILED_REPLY; 1450 goto err_alloc_tcomplete_failed; 1451 } 1452 binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE); 1453 1454 t->debug_id = ++binder_last_id; 1455 e->debug_id = t->debug_id; 1456 1457 if (reply) 1458 binder_debug(BINDER_DEBUG_TRANSACTION, 1459 "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld\n", 1460 proc->pid, thread->pid, t->debug_id, 1461 target_proc->pid, target_thread->pid, 1462 (u64)tr->data.ptr.buffer, 1463 (u64)tr->data.ptr.offsets, 1464 (u64)tr->data_size, (u64)tr->offsets_size); 1465 else 1466 binder_debug(BINDER_DEBUG_TRANSACTION, 1467 "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld\n", 1468 proc->pid, thread->pid, t->debug_id, 1469 target_proc->pid, target_node->debug_id, 1470 (u64)tr->data.ptr.buffer, 1471 (u64)tr->data.ptr.offsets, 1472 (u64)tr->data_size, (u64)tr->offsets_size); 1473 1474 if (!reply && !(tr->flags & TF_ONE_WAY)) 1475 t->from = thread; 1476 else 1477 t->from = NULL; 1478 t->sender_euid = task_euid(proc->tsk); 1479 t->to_proc = target_proc; 1480 t->to_thread = target_thread; 1481 t->code = tr->code; 1482 t->flags = tr->flags; 1483 t->priority = task_nice(current); 1484 1485 trace_binder_transaction(reply, t, target_node); 1486 1487 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1488 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1489 if (t->buffer == NULL) { 1490 return_error = BR_FAILED_REPLY; 1491 goto err_binder_alloc_buf_failed; 1492 } 1493 t->buffer->allow_user_free = 0; 1494 t->buffer->debug_id = t->debug_id; 1495 t->buffer->transaction = t; 1496 t->buffer->target_node = target_node; 1497 trace_binder_transaction_alloc_buf(t->buffer); 1498 if (target_node) 1499 binder_inc_node(target_node, 1, 0, NULL); 1500 1501 offp = (binder_size_t *)(t->buffer->data + 1502 ALIGN(tr->data_size, sizeof(void *))); 1503 1504 if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t) 1505 tr->data.ptr.buffer, tr->data_size)) { 1506 binder_user_error("%d:%d got transaction with invalid data ptr\n", 1507 proc->pid, thread->pid); 1508 return_error = BR_FAILED_REPLY; 1509 goto err_copy_data_failed; 1510 } 1511 if (copy_from_user(offp, (const void __user *)(uintptr_t) 1512 tr->data.ptr.offsets, tr->offsets_size)) { 1513 binder_user_error("%d:%d got transaction with invalid offsets ptr\n", 1514 proc->pid, thread->pid); 1515 return_error = BR_FAILED_REPLY; 1516 goto err_copy_data_failed; 1517 } 1518 if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) { 1519 binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n", 1520 proc->pid, thread->pid, (u64)tr->offsets_size); 1521 return_error = BR_FAILED_REPLY; 1522 goto err_bad_offset; 1523 } 1524 off_end = (void *)offp + tr->offsets_size; 1525 off_min = 0; 1526 for (; offp < off_end; offp++) { 1527 struct flat_binder_object *fp; 1528 1529 if (*offp > t->buffer->data_size - sizeof(*fp) || 1530 *offp < off_min || 1531 t->buffer->data_size < sizeof(*fp) || 1532 !IS_ALIGNED(*offp, sizeof(u32))) { 1533 binder_user_error("%d:%d got transaction with invalid offset, %lld (min %lld, max %lld)\n", 1534 proc->pid, thread->pid, (u64)*offp, 1535 (u64)off_min, 1536 (u64)(t->buffer->data_size - 1537 sizeof(*fp))); 1538 return_error = BR_FAILED_REPLY; 1539 goto err_bad_offset; 1540 } 1541 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1542 off_min = *offp + sizeof(struct flat_binder_object); 1543 switch (fp->type) { 1544 case BINDER_TYPE_BINDER: 1545 case BINDER_TYPE_WEAK_BINDER: { 1546 struct binder_ref *ref; 1547 struct binder_node *node = binder_get_node(proc, fp->binder); 1548 1549 if (node == NULL) { 1550 node = binder_new_node(proc, fp->binder, fp->cookie); 1551 if (node == NULL) { 1552 return_error = BR_FAILED_REPLY; 1553 goto err_binder_new_node_failed; 1554 } 1555 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1556 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1557 } 1558 if (fp->cookie != node->cookie) { 1559 binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n", 1560 proc->pid, thread->pid, 1561 (u64)fp->binder, node->debug_id, 1562 (u64)fp->cookie, (u64)node->cookie); 1563 return_error = BR_FAILED_REPLY; 1564 goto err_binder_get_ref_for_node_failed; 1565 } 1566 if (security_binder_transfer_binder(proc->tsk, 1567 target_proc->tsk)) { 1568 return_error = BR_FAILED_REPLY; 1569 goto err_binder_get_ref_for_node_failed; 1570 } 1571 ref = binder_get_ref_for_node(target_proc, node); 1572 if (ref == NULL) { 1573 return_error = BR_FAILED_REPLY; 1574 goto err_binder_get_ref_for_node_failed; 1575 } 1576 if (fp->type == BINDER_TYPE_BINDER) 1577 fp->type = BINDER_TYPE_HANDLE; 1578 else 1579 fp->type = BINDER_TYPE_WEAK_HANDLE; 1580 fp->handle = ref->desc; 1581 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, 1582 &thread->todo); 1583 1584 trace_binder_transaction_node_to_ref(t, node, ref); 1585 binder_debug(BINDER_DEBUG_TRANSACTION, 1586 " node %d u%016llx -> ref %d desc %d\n", 1587 node->debug_id, (u64)node->ptr, 1588 ref->debug_id, ref->desc); 1589 } break; 1590 case BINDER_TYPE_HANDLE: 1591 case BINDER_TYPE_WEAK_HANDLE: { 1592 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1593 1594 if (ref == NULL) { 1595 binder_user_error("%d:%d got transaction with invalid handle, %d\n", 1596 proc->pid, 1597 thread->pid, fp->handle); 1598 return_error = BR_FAILED_REPLY; 1599 goto err_binder_get_ref_failed; 1600 } 1601 if (security_binder_transfer_binder(proc->tsk, 1602 target_proc->tsk)) { 1603 return_error = BR_FAILED_REPLY; 1604 goto err_binder_get_ref_failed; 1605 } 1606 if (ref->node->proc == target_proc) { 1607 if (fp->type == BINDER_TYPE_HANDLE) 1608 fp->type = BINDER_TYPE_BINDER; 1609 else 1610 fp->type = BINDER_TYPE_WEAK_BINDER; 1611 fp->binder = ref->node->ptr; 1612 fp->cookie = ref->node->cookie; 1613 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1614 trace_binder_transaction_ref_to_node(t, ref); 1615 binder_debug(BINDER_DEBUG_TRANSACTION, 1616 " ref %d desc %d -> node %d u%016llx\n", 1617 ref->debug_id, ref->desc, ref->node->debug_id, 1618 (u64)ref->node->ptr); 1619 } else { 1620 struct binder_ref *new_ref; 1621 1622 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1623 if (new_ref == NULL) { 1624 return_error = BR_FAILED_REPLY; 1625 goto err_binder_get_ref_for_node_failed; 1626 } 1627 fp->handle = new_ref->desc; 1628 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1629 trace_binder_transaction_ref_to_ref(t, ref, 1630 new_ref); 1631 binder_debug(BINDER_DEBUG_TRANSACTION, 1632 " ref %d desc %d -> ref %d desc %d (node %d)\n", 1633 ref->debug_id, ref->desc, new_ref->debug_id, 1634 new_ref->desc, ref->node->debug_id); 1635 } 1636 } break; 1637 1638 case BINDER_TYPE_FD: { 1639 int target_fd; 1640 struct file *file; 1641 1642 if (reply) { 1643 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1644 binder_user_error("%d:%d got reply with fd, %d, but target does not allow fds\n", 1645 proc->pid, thread->pid, fp->handle); 1646 return_error = BR_FAILED_REPLY; 1647 goto err_fd_not_allowed; 1648 } 1649 } else if (!target_node->accept_fds) { 1650 binder_user_error("%d:%d got transaction with fd, %d, but target does not allow fds\n", 1651 proc->pid, thread->pid, fp->handle); 1652 return_error = BR_FAILED_REPLY; 1653 goto err_fd_not_allowed; 1654 } 1655 1656 file = fget(fp->handle); 1657 if (file == NULL) { 1658 binder_user_error("%d:%d got transaction with invalid fd, %d\n", 1659 proc->pid, thread->pid, fp->handle); 1660 return_error = BR_FAILED_REPLY; 1661 goto err_fget_failed; 1662 } 1663 if (security_binder_transfer_file(proc->tsk, 1664 target_proc->tsk, 1665 file) < 0) { 1666 fput(file); 1667 return_error = BR_FAILED_REPLY; 1668 goto err_get_unused_fd_failed; 1669 } 1670 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 1671 if (target_fd < 0) { 1672 fput(file); 1673 return_error = BR_FAILED_REPLY; 1674 goto err_get_unused_fd_failed; 1675 } 1676 task_fd_install(target_proc, target_fd, file); 1677 trace_binder_transaction_fd(t, fp->handle, target_fd); 1678 binder_debug(BINDER_DEBUG_TRANSACTION, 1679 " fd %d -> %d\n", fp->handle, target_fd); 1680 /* TODO: fput? */ 1681 fp->handle = target_fd; 1682 } break; 1683 1684 default: 1685 binder_user_error("%d:%d got transaction with invalid object type, %x\n", 1686 proc->pid, thread->pid, fp->type); 1687 return_error = BR_FAILED_REPLY; 1688 goto err_bad_object_type; 1689 } 1690 } 1691 if (reply) { 1692 BUG_ON(t->buffer->async_transaction != 0); 1693 binder_pop_transaction(target_thread, in_reply_to); 1694 } else if (!(t->flags & TF_ONE_WAY)) { 1695 BUG_ON(t->buffer->async_transaction != 0); 1696 t->need_reply = 1; 1697 t->from_parent = thread->transaction_stack; 1698 thread->transaction_stack = t; 1699 } else { 1700 BUG_ON(target_node == NULL); 1701 BUG_ON(t->buffer->async_transaction != 1); 1702 if (target_node->has_async_transaction) { 1703 target_list = &target_node->async_todo; 1704 target_wait = NULL; 1705 } else 1706 target_node->has_async_transaction = 1; 1707 } 1708 t->work.type = BINDER_WORK_TRANSACTION; 1709 list_add_tail(&t->work.entry, target_list); 1710 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1711 list_add_tail(&tcomplete->entry, &thread->todo); 1712 if (target_wait) 1713 wake_up_interruptible(target_wait); 1714 return; 1715 1716 err_get_unused_fd_failed: 1717 err_fget_failed: 1718 err_fd_not_allowed: 1719 err_binder_get_ref_for_node_failed: 1720 err_binder_get_ref_failed: 1721 err_binder_new_node_failed: 1722 err_bad_object_type: 1723 err_bad_offset: 1724 err_copy_data_failed: 1725 trace_binder_transaction_failed_buffer_release(t->buffer); 1726 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1727 t->buffer->transaction = NULL; 1728 binder_free_buf(target_proc, t->buffer); 1729 err_binder_alloc_buf_failed: 1730 kfree(tcomplete); 1731 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 1732 err_alloc_tcomplete_failed: 1733 kfree(t); 1734 binder_stats_deleted(BINDER_STAT_TRANSACTION); 1735 err_alloc_t_failed: 1736 err_bad_call_stack: 1737 err_empty_call_stack: 1738 err_dead_binder: 1739 err_invalid_target_handle: 1740 err_no_context_mgr_node: 1741 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1742 "%d:%d transaction failed %d, size %lld-%lld\n", 1743 proc->pid, thread->pid, return_error, 1744 (u64)tr->data_size, (u64)tr->offsets_size); 1745 1746 { 1747 struct binder_transaction_log_entry *fe; 1748 1749 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1750 *fe = *e; 1751 } 1752 1753 BUG_ON(thread->return_error != BR_OK); 1754 if (in_reply_to) { 1755 thread->return_error = BR_TRANSACTION_COMPLETE; 1756 binder_send_failed_reply(in_reply_to, return_error); 1757 } else 1758 thread->return_error = return_error; 1759 } 1760 1761 static int binder_thread_write(struct binder_proc *proc, 1762 struct binder_thread *thread, 1763 binder_uintptr_t binder_buffer, size_t size, 1764 binder_size_t *consumed) 1765 { 1766 uint32_t cmd; 1767 void __user *buffer = (void __user *)(uintptr_t)binder_buffer; 1768 void __user *ptr = buffer + *consumed; 1769 void __user *end = buffer + size; 1770 1771 while (ptr < end && thread->return_error == BR_OK) { 1772 if (get_user(cmd, (uint32_t __user *)ptr)) 1773 return -EFAULT; 1774 ptr += sizeof(uint32_t); 1775 trace_binder_command(cmd); 1776 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1777 binder_stats.bc[_IOC_NR(cmd)]++; 1778 proc->stats.bc[_IOC_NR(cmd)]++; 1779 thread->stats.bc[_IOC_NR(cmd)]++; 1780 } 1781 switch (cmd) { 1782 case BC_INCREFS: 1783 case BC_ACQUIRE: 1784 case BC_RELEASE: 1785 case BC_DECREFS: { 1786 uint32_t target; 1787 struct binder_ref *ref; 1788 const char *debug_string; 1789 1790 if (get_user(target, (uint32_t __user *)ptr)) 1791 return -EFAULT; 1792 ptr += sizeof(uint32_t); 1793 if (target == 0 && binder_context_mgr_node && 1794 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1795 ref = binder_get_ref_for_node(proc, 1796 binder_context_mgr_node); 1797 if (ref->desc != target) { 1798 binder_user_error("%d:%d tried to acquire reference to desc 0, got %d instead\n", 1799 proc->pid, thread->pid, 1800 ref->desc); 1801 } 1802 } else 1803 ref = binder_get_ref(proc, target); 1804 if (ref == NULL) { 1805 binder_user_error("%d:%d refcount change on invalid ref %d\n", 1806 proc->pid, thread->pid, target); 1807 break; 1808 } 1809 switch (cmd) { 1810 case BC_INCREFS: 1811 debug_string = "IncRefs"; 1812 binder_inc_ref(ref, 0, NULL); 1813 break; 1814 case BC_ACQUIRE: 1815 debug_string = "Acquire"; 1816 binder_inc_ref(ref, 1, NULL); 1817 break; 1818 case BC_RELEASE: 1819 debug_string = "Release"; 1820 binder_dec_ref(ref, 1); 1821 break; 1822 case BC_DECREFS: 1823 default: 1824 debug_string = "DecRefs"; 1825 binder_dec_ref(ref, 0); 1826 break; 1827 } 1828 binder_debug(BINDER_DEBUG_USER_REFS, 1829 "%d:%d %s ref %d desc %d s %d w %d for node %d\n", 1830 proc->pid, thread->pid, debug_string, ref->debug_id, 1831 ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1832 break; 1833 } 1834 case BC_INCREFS_DONE: 1835 case BC_ACQUIRE_DONE: { 1836 binder_uintptr_t node_ptr; 1837 binder_uintptr_t cookie; 1838 struct binder_node *node; 1839 1840 if (get_user(node_ptr, (binder_uintptr_t __user *)ptr)) 1841 return -EFAULT; 1842 ptr += sizeof(binder_uintptr_t); 1843 if (get_user(cookie, (binder_uintptr_t __user *)ptr)) 1844 return -EFAULT; 1845 ptr += sizeof(binder_uintptr_t); 1846 node = binder_get_node(proc, node_ptr); 1847 if (node == NULL) { 1848 binder_user_error("%d:%d %s u%016llx no match\n", 1849 proc->pid, thread->pid, 1850 cmd == BC_INCREFS_DONE ? 1851 "BC_INCREFS_DONE" : 1852 "BC_ACQUIRE_DONE", 1853 (u64)node_ptr); 1854 break; 1855 } 1856 if (cookie != node->cookie) { 1857 binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n", 1858 proc->pid, thread->pid, 1859 cmd == BC_INCREFS_DONE ? 1860 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1861 (u64)node_ptr, node->debug_id, 1862 (u64)cookie, (u64)node->cookie); 1863 break; 1864 } 1865 if (cmd == BC_ACQUIRE_DONE) { 1866 if (node->pending_strong_ref == 0) { 1867 binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire request\n", 1868 proc->pid, thread->pid, 1869 node->debug_id); 1870 break; 1871 } 1872 node->pending_strong_ref = 0; 1873 } else { 1874 if (node->pending_weak_ref == 0) { 1875 binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs request\n", 1876 proc->pid, thread->pid, 1877 node->debug_id); 1878 break; 1879 } 1880 node->pending_weak_ref = 0; 1881 } 1882 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1883 binder_debug(BINDER_DEBUG_USER_REFS, 1884 "%d:%d %s node %d ls %d lw %d\n", 1885 proc->pid, thread->pid, 1886 cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1887 node->debug_id, node->local_strong_refs, node->local_weak_refs); 1888 break; 1889 } 1890 case BC_ATTEMPT_ACQUIRE: 1891 pr_err("BC_ATTEMPT_ACQUIRE not supported\n"); 1892 return -EINVAL; 1893 case BC_ACQUIRE_RESULT: 1894 pr_err("BC_ACQUIRE_RESULT not supported\n"); 1895 return -EINVAL; 1896 1897 case BC_FREE_BUFFER: { 1898 binder_uintptr_t data_ptr; 1899 struct binder_buffer *buffer; 1900 1901 if (get_user(data_ptr, (binder_uintptr_t __user *)ptr)) 1902 return -EFAULT; 1903 ptr += sizeof(binder_uintptr_t); 1904 1905 buffer = binder_buffer_lookup(proc, data_ptr); 1906 if (buffer == NULL) { 1907 binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n", 1908 proc->pid, thread->pid, (u64)data_ptr); 1909 break; 1910 } 1911 if (!buffer->allow_user_free) { 1912 binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n", 1913 proc->pid, thread->pid, (u64)data_ptr); 1914 break; 1915 } 1916 binder_debug(BINDER_DEBUG_FREE_BUFFER, 1917 "%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n", 1918 proc->pid, thread->pid, (u64)data_ptr, 1919 buffer->debug_id, 1920 buffer->transaction ? "active" : "finished"); 1921 1922 if (buffer->transaction) { 1923 buffer->transaction->buffer = NULL; 1924 buffer->transaction = NULL; 1925 } 1926 if (buffer->async_transaction && buffer->target_node) { 1927 BUG_ON(!buffer->target_node->has_async_transaction); 1928 if (list_empty(&buffer->target_node->async_todo)) 1929 buffer->target_node->has_async_transaction = 0; 1930 else 1931 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1932 } 1933 trace_binder_transaction_buffer_release(buffer); 1934 binder_transaction_buffer_release(proc, buffer, NULL); 1935 binder_free_buf(proc, buffer); 1936 break; 1937 } 1938 1939 case BC_TRANSACTION: 1940 case BC_REPLY: { 1941 struct binder_transaction_data tr; 1942 1943 if (copy_from_user(&tr, ptr, sizeof(tr))) 1944 return -EFAULT; 1945 ptr += sizeof(tr); 1946 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1947 break; 1948 } 1949 1950 case BC_REGISTER_LOOPER: 1951 binder_debug(BINDER_DEBUG_THREADS, 1952 "%d:%d BC_REGISTER_LOOPER\n", 1953 proc->pid, thread->pid); 1954 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1955 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1956 binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n", 1957 proc->pid, thread->pid); 1958 } else if (proc->requested_threads == 0) { 1959 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1960 binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called without request\n", 1961 proc->pid, thread->pid); 1962 } else { 1963 proc->requested_threads--; 1964 proc->requested_threads_started++; 1965 } 1966 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 1967 break; 1968 case BC_ENTER_LOOPER: 1969 binder_debug(BINDER_DEBUG_THREADS, 1970 "%d:%d BC_ENTER_LOOPER\n", 1971 proc->pid, thread->pid); 1972 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 1973 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1974 binder_user_error("%d:%d ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n", 1975 proc->pid, thread->pid); 1976 } 1977 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 1978 break; 1979 case BC_EXIT_LOOPER: 1980 binder_debug(BINDER_DEBUG_THREADS, 1981 "%d:%d BC_EXIT_LOOPER\n", 1982 proc->pid, thread->pid); 1983 thread->looper |= BINDER_LOOPER_STATE_EXITED; 1984 break; 1985 1986 case BC_REQUEST_DEATH_NOTIFICATION: 1987 case BC_CLEAR_DEATH_NOTIFICATION: { 1988 uint32_t target; 1989 binder_uintptr_t cookie; 1990 struct binder_ref *ref; 1991 struct binder_ref_death *death; 1992 1993 if (get_user(target, (uint32_t __user *)ptr)) 1994 return -EFAULT; 1995 ptr += sizeof(uint32_t); 1996 if (get_user(cookie, (binder_uintptr_t __user *)ptr)) 1997 return -EFAULT; 1998 ptr += sizeof(binder_uintptr_t); 1999 ref = binder_get_ref(proc, target); 2000 if (ref == NULL) { 2001 binder_user_error("%d:%d %s invalid ref %d\n", 2002 proc->pid, thread->pid, 2003 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2004 "BC_REQUEST_DEATH_NOTIFICATION" : 2005 "BC_CLEAR_DEATH_NOTIFICATION", 2006 target); 2007 break; 2008 } 2009 2010 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2011 "%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n", 2012 proc->pid, thread->pid, 2013 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2014 "BC_REQUEST_DEATH_NOTIFICATION" : 2015 "BC_CLEAR_DEATH_NOTIFICATION", 2016 (u64)cookie, ref->debug_id, ref->desc, 2017 ref->strong, ref->weak, ref->node->debug_id); 2018 2019 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 2020 if (ref->death) { 2021 binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification already set\n", 2022 proc->pid, thread->pid); 2023 break; 2024 } 2025 death = kzalloc(sizeof(*death), GFP_KERNEL); 2026 if (death == NULL) { 2027 thread->return_error = BR_ERROR; 2028 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 2029 "%d:%d BC_REQUEST_DEATH_NOTIFICATION failed\n", 2030 proc->pid, thread->pid); 2031 break; 2032 } 2033 binder_stats_created(BINDER_STAT_DEATH); 2034 INIT_LIST_HEAD(&death->work.entry); 2035 death->cookie = cookie; 2036 ref->death = death; 2037 if (ref->node->proc == NULL) { 2038 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2039 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2040 list_add_tail(&ref->death->work.entry, &thread->todo); 2041 } else { 2042 list_add_tail(&ref->death->work.entry, &proc->todo); 2043 wake_up_interruptible(&proc->wait); 2044 } 2045 } 2046 } else { 2047 if (ref->death == NULL) { 2048 binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not active\n", 2049 proc->pid, thread->pid); 2050 break; 2051 } 2052 death = ref->death; 2053 if (death->cookie != cookie) { 2054 binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n", 2055 proc->pid, thread->pid, 2056 (u64)death->cookie, 2057 (u64)cookie); 2058 break; 2059 } 2060 ref->death = NULL; 2061 if (list_empty(&death->work.entry)) { 2062 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2063 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2064 list_add_tail(&death->work.entry, &thread->todo); 2065 } else { 2066 list_add_tail(&death->work.entry, &proc->todo); 2067 wake_up_interruptible(&proc->wait); 2068 } 2069 } else { 2070 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2071 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2072 } 2073 } 2074 } break; 2075 case BC_DEAD_BINDER_DONE: { 2076 struct binder_work *w; 2077 binder_uintptr_t cookie; 2078 struct binder_ref_death *death = NULL; 2079 2080 if (get_user(cookie, (binder_uintptr_t __user *)ptr)) 2081 return -EFAULT; 2082 2083 ptr += sizeof(cookie); 2084 list_for_each_entry(w, &proc->delivered_death, entry) { 2085 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2086 2087 if (tmp_death->cookie == cookie) { 2088 death = tmp_death; 2089 break; 2090 } 2091 } 2092 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2093 "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n", 2094 proc->pid, thread->pid, (u64)cookie, 2095 death); 2096 if (death == NULL) { 2097 binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n", 2098 proc->pid, thread->pid, (u64)cookie); 2099 break; 2100 } 2101 2102 list_del_init(&death->work.entry); 2103 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2104 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2105 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2106 list_add_tail(&death->work.entry, &thread->todo); 2107 } else { 2108 list_add_tail(&death->work.entry, &proc->todo); 2109 wake_up_interruptible(&proc->wait); 2110 } 2111 } 2112 } break; 2113 2114 default: 2115 pr_err("%d:%d unknown command %d\n", 2116 proc->pid, thread->pid, cmd); 2117 return -EINVAL; 2118 } 2119 *consumed = ptr - buffer; 2120 } 2121 return 0; 2122 } 2123 2124 static void binder_stat_br(struct binder_proc *proc, 2125 struct binder_thread *thread, uint32_t cmd) 2126 { 2127 trace_binder_return(cmd); 2128 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2129 binder_stats.br[_IOC_NR(cmd)]++; 2130 proc->stats.br[_IOC_NR(cmd)]++; 2131 thread->stats.br[_IOC_NR(cmd)]++; 2132 } 2133 } 2134 2135 static int binder_has_proc_work(struct binder_proc *proc, 2136 struct binder_thread *thread) 2137 { 2138 return !list_empty(&proc->todo) || 2139 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2140 } 2141 2142 static int binder_has_thread_work(struct binder_thread *thread) 2143 { 2144 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2145 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2146 } 2147 2148 static int binder_thread_read(struct binder_proc *proc, 2149 struct binder_thread *thread, 2150 binder_uintptr_t binder_buffer, size_t size, 2151 binder_size_t *consumed, int non_block) 2152 { 2153 void __user *buffer = (void __user *)(uintptr_t)binder_buffer; 2154 void __user *ptr = buffer + *consumed; 2155 void __user *end = buffer + size; 2156 2157 int ret = 0; 2158 int wait_for_proc_work; 2159 2160 if (*consumed == 0) { 2161 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2162 return -EFAULT; 2163 ptr += sizeof(uint32_t); 2164 } 2165 2166 retry: 2167 wait_for_proc_work = thread->transaction_stack == NULL && 2168 list_empty(&thread->todo); 2169 2170 if (thread->return_error != BR_OK && ptr < end) { 2171 if (thread->return_error2 != BR_OK) { 2172 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2173 return -EFAULT; 2174 ptr += sizeof(uint32_t); 2175 binder_stat_br(proc, thread, thread->return_error2); 2176 if (ptr == end) 2177 goto done; 2178 thread->return_error2 = BR_OK; 2179 } 2180 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2181 return -EFAULT; 2182 ptr += sizeof(uint32_t); 2183 binder_stat_br(proc, thread, thread->return_error); 2184 thread->return_error = BR_OK; 2185 goto done; 2186 } 2187 2188 2189 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2190 if (wait_for_proc_work) 2191 proc->ready_threads++; 2192 2193 binder_unlock(__func__); 2194 2195 trace_binder_wait_for_work(wait_for_proc_work, 2196 !!thread->transaction_stack, 2197 !list_empty(&thread->todo)); 2198 if (wait_for_proc_work) { 2199 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2200 BINDER_LOOPER_STATE_ENTERED))) { 2201 binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n", 2202 proc->pid, thread->pid, thread->looper); 2203 wait_event_interruptible(binder_user_error_wait, 2204 binder_stop_on_user_error < 2); 2205 } 2206 binder_set_nice(proc->default_priority); 2207 if (non_block) { 2208 if (!binder_has_proc_work(proc, thread)) 2209 ret = -EAGAIN; 2210 } else 2211 ret = wait_event_freezable_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2212 } else { 2213 if (non_block) { 2214 if (!binder_has_thread_work(thread)) 2215 ret = -EAGAIN; 2216 } else 2217 ret = wait_event_freezable(thread->wait, binder_has_thread_work(thread)); 2218 } 2219 2220 binder_lock(__func__); 2221 2222 if (wait_for_proc_work) 2223 proc->ready_threads--; 2224 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2225 2226 if (ret) 2227 return ret; 2228 2229 while (1) { 2230 uint32_t cmd; 2231 struct binder_transaction_data tr; 2232 struct binder_work *w; 2233 struct binder_transaction *t = NULL; 2234 2235 if (!list_empty(&thread->todo)) { 2236 w = list_first_entry(&thread->todo, struct binder_work, 2237 entry); 2238 } else if (!list_empty(&proc->todo) && wait_for_proc_work) { 2239 w = list_first_entry(&proc->todo, struct binder_work, 2240 entry); 2241 } else { 2242 /* no data added */ 2243 if (ptr - buffer == 4 && 2244 !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) 2245 goto retry; 2246 break; 2247 } 2248 2249 if (end - ptr < sizeof(tr) + 4) 2250 break; 2251 2252 switch (w->type) { 2253 case BINDER_WORK_TRANSACTION: { 2254 t = container_of(w, struct binder_transaction, work); 2255 } break; 2256 case BINDER_WORK_TRANSACTION_COMPLETE: { 2257 cmd = BR_TRANSACTION_COMPLETE; 2258 if (put_user(cmd, (uint32_t __user *)ptr)) 2259 return -EFAULT; 2260 ptr += sizeof(uint32_t); 2261 2262 binder_stat_br(proc, thread, cmd); 2263 binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, 2264 "%d:%d BR_TRANSACTION_COMPLETE\n", 2265 proc->pid, thread->pid); 2266 2267 list_del(&w->entry); 2268 kfree(w); 2269 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2270 } break; 2271 case BINDER_WORK_NODE: { 2272 struct binder_node *node = container_of(w, struct binder_node, work); 2273 uint32_t cmd = BR_NOOP; 2274 const char *cmd_name; 2275 int strong = node->internal_strong_refs || node->local_strong_refs; 2276 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2277 2278 if (weak && !node->has_weak_ref) { 2279 cmd = BR_INCREFS; 2280 cmd_name = "BR_INCREFS"; 2281 node->has_weak_ref = 1; 2282 node->pending_weak_ref = 1; 2283 node->local_weak_refs++; 2284 } else if (strong && !node->has_strong_ref) { 2285 cmd = BR_ACQUIRE; 2286 cmd_name = "BR_ACQUIRE"; 2287 node->has_strong_ref = 1; 2288 node->pending_strong_ref = 1; 2289 node->local_strong_refs++; 2290 } else if (!strong && node->has_strong_ref) { 2291 cmd = BR_RELEASE; 2292 cmd_name = "BR_RELEASE"; 2293 node->has_strong_ref = 0; 2294 } else if (!weak && node->has_weak_ref) { 2295 cmd = BR_DECREFS; 2296 cmd_name = "BR_DECREFS"; 2297 node->has_weak_ref = 0; 2298 } 2299 if (cmd != BR_NOOP) { 2300 if (put_user(cmd, (uint32_t __user *)ptr)) 2301 return -EFAULT; 2302 ptr += sizeof(uint32_t); 2303 if (put_user(node->ptr, 2304 (binder_uintptr_t __user *)ptr)) 2305 return -EFAULT; 2306 ptr += sizeof(binder_uintptr_t); 2307 if (put_user(node->cookie, 2308 (binder_uintptr_t __user *)ptr)) 2309 return -EFAULT; 2310 ptr += sizeof(binder_uintptr_t); 2311 2312 binder_stat_br(proc, thread, cmd); 2313 binder_debug(BINDER_DEBUG_USER_REFS, 2314 "%d:%d %s %d u%016llx c%016llx\n", 2315 proc->pid, thread->pid, cmd_name, 2316 node->debug_id, 2317 (u64)node->ptr, (u64)node->cookie); 2318 } else { 2319 list_del_init(&w->entry); 2320 if (!weak && !strong) { 2321 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2322 "%d:%d node %d u%016llx c%016llx deleted\n", 2323 proc->pid, thread->pid, 2324 node->debug_id, 2325 (u64)node->ptr, 2326 (u64)node->cookie); 2327 rb_erase(&node->rb_node, &proc->nodes); 2328 kfree(node); 2329 binder_stats_deleted(BINDER_STAT_NODE); 2330 } else { 2331 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2332 "%d:%d node %d u%016llx c%016llx state unchanged\n", 2333 proc->pid, thread->pid, 2334 node->debug_id, 2335 (u64)node->ptr, 2336 (u64)node->cookie); 2337 } 2338 } 2339 } break; 2340 case BINDER_WORK_DEAD_BINDER: 2341 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2342 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2343 struct binder_ref_death *death; 2344 uint32_t cmd; 2345 2346 death = container_of(w, struct binder_ref_death, work); 2347 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2348 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2349 else 2350 cmd = BR_DEAD_BINDER; 2351 if (put_user(cmd, (uint32_t __user *)ptr)) 2352 return -EFAULT; 2353 ptr += sizeof(uint32_t); 2354 if (put_user(death->cookie, 2355 (binder_uintptr_t __user *)ptr)) 2356 return -EFAULT; 2357 ptr += sizeof(binder_uintptr_t); 2358 binder_stat_br(proc, thread, cmd); 2359 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2360 "%d:%d %s %016llx\n", 2361 proc->pid, thread->pid, 2362 cmd == BR_DEAD_BINDER ? 2363 "BR_DEAD_BINDER" : 2364 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2365 (u64)death->cookie); 2366 2367 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2368 list_del(&w->entry); 2369 kfree(death); 2370 binder_stats_deleted(BINDER_STAT_DEATH); 2371 } else 2372 list_move(&w->entry, &proc->delivered_death); 2373 if (cmd == BR_DEAD_BINDER) 2374 goto done; /* DEAD_BINDER notifications can cause transactions */ 2375 } break; 2376 } 2377 2378 if (!t) 2379 continue; 2380 2381 BUG_ON(t->buffer == NULL); 2382 if (t->buffer->target_node) { 2383 struct binder_node *target_node = t->buffer->target_node; 2384 2385 tr.target.ptr = target_node->ptr; 2386 tr.cookie = target_node->cookie; 2387 t->saved_priority = task_nice(current); 2388 if (t->priority < target_node->min_priority && 2389 !(t->flags & TF_ONE_WAY)) 2390 binder_set_nice(t->priority); 2391 else if (!(t->flags & TF_ONE_WAY) || 2392 t->saved_priority > target_node->min_priority) 2393 binder_set_nice(target_node->min_priority); 2394 cmd = BR_TRANSACTION; 2395 } else { 2396 tr.target.ptr = 0; 2397 tr.cookie = 0; 2398 cmd = BR_REPLY; 2399 } 2400 tr.code = t->code; 2401 tr.flags = t->flags; 2402 tr.sender_euid = from_kuid(current_user_ns(), t->sender_euid); 2403 2404 if (t->from) { 2405 struct task_struct *sender = t->from->proc->tsk; 2406 2407 tr.sender_pid = task_tgid_nr_ns(sender, 2408 task_active_pid_ns(current)); 2409 } else { 2410 tr.sender_pid = 0; 2411 } 2412 2413 tr.data_size = t->buffer->data_size; 2414 tr.offsets_size = t->buffer->offsets_size; 2415 tr.data.ptr.buffer = (binder_uintptr_t)( 2416 (uintptr_t)t->buffer->data + 2417 proc->user_buffer_offset); 2418 tr.data.ptr.offsets = tr.data.ptr.buffer + 2419 ALIGN(t->buffer->data_size, 2420 sizeof(void *)); 2421 2422 if (put_user(cmd, (uint32_t __user *)ptr)) 2423 return -EFAULT; 2424 ptr += sizeof(uint32_t); 2425 if (copy_to_user(ptr, &tr, sizeof(tr))) 2426 return -EFAULT; 2427 ptr += sizeof(tr); 2428 2429 trace_binder_transaction_received(t); 2430 binder_stat_br(proc, thread, cmd); 2431 binder_debug(BINDER_DEBUG_TRANSACTION, 2432 "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n", 2433 proc->pid, thread->pid, 2434 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : 2435 "BR_REPLY", 2436 t->debug_id, t->from ? t->from->proc->pid : 0, 2437 t->from ? t->from->pid : 0, cmd, 2438 t->buffer->data_size, t->buffer->offsets_size, 2439 (u64)tr.data.ptr.buffer, (u64)tr.data.ptr.offsets); 2440 2441 list_del(&t->work.entry); 2442 t->buffer->allow_user_free = 1; 2443 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2444 t->to_parent = thread->transaction_stack; 2445 t->to_thread = thread; 2446 thread->transaction_stack = t; 2447 } else { 2448 t->buffer->transaction = NULL; 2449 kfree(t); 2450 binder_stats_deleted(BINDER_STAT_TRANSACTION); 2451 } 2452 break; 2453 } 2454 2455 done: 2456 2457 *consumed = ptr - buffer; 2458 if (proc->requested_threads + proc->ready_threads == 0 && 2459 proc->requested_threads_started < proc->max_threads && 2460 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2461 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2462 /*spawn a new thread if we leave this out */) { 2463 proc->requested_threads++; 2464 binder_debug(BINDER_DEBUG_THREADS, 2465 "%d:%d BR_SPAWN_LOOPER\n", 2466 proc->pid, thread->pid); 2467 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2468 return -EFAULT; 2469 binder_stat_br(proc, thread, BR_SPAWN_LOOPER); 2470 } 2471 return 0; 2472 } 2473 2474 static void binder_release_work(struct list_head *list) 2475 { 2476 struct binder_work *w; 2477 2478 while (!list_empty(list)) { 2479 w = list_first_entry(list, struct binder_work, entry); 2480 list_del_init(&w->entry); 2481 switch (w->type) { 2482 case BINDER_WORK_TRANSACTION: { 2483 struct binder_transaction *t; 2484 2485 t = container_of(w, struct binder_transaction, work); 2486 if (t->buffer->target_node && 2487 !(t->flags & TF_ONE_WAY)) { 2488 binder_send_failed_reply(t, BR_DEAD_REPLY); 2489 } else { 2490 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2491 "undelivered transaction %d\n", 2492 t->debug_id); 2493 t->buffer->transaction = NULL; 2494 kfree(t); 2495 binder_stats_deleted(BINDER_STAT_TRANSACTION); 2496 } 2497 } break; 2498 case BINDER_WORK_TRANSACTION_COMPLETE: { 2499 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2500 "undelivered TRANSACTION_COMPLETE\n"); 2501 kfree(w); 2502 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2503 } break; 2504 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2505 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2506 struct binder_ref_death *death; 2507 2508 death = container_of(w, struct binder_ref_death, work); 2509 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2510 "undelivered death notification, %016llx\n", 2511 (u64)death->cookie); 2512 kfree(death); 2513 binder_stats_deleted(BINDER_STAT_DEATH); 2514 } break; 2515 default: 2516 pr_err("unexpected work type, %d, not freed\n", 2517 w->type); 2518 break; 2519 } 2520 } 2521 2522 } 2523 2524 static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2525 { 2526 struct binder_thread *thread = NULL; 2527 struct rb_node *parent = NULL; 2528 struct rb_node **p = &proc->threads.rb_node; 2529 2530 while (*p) { 2531 parent = *p; 2532 thread = rb_entry(parent, struct binder_thread, rb_node); 2533 2534 if (current->pid < thread->pid) 2535 p = &(*p)->rb_left; 2536 else if (current->pid > thread->pid) 2537 p = &(*p)->rb_right; 2538 else 2539 break; 2540 } 2541 if (*p == NULL) { 2542 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2543 if (thread == NULL) 2544 return NULL; 2545 binder_stats_created(BINDER_STAT_THREAD); 2546 thread->proc = proc; 2547 thread->pid = current->pid; 2548 init_waitqueue_head(&thread->wait); 2549 INIT_LIST_HEAD(&thread->todo); 2550 rb_link_node(&thread->rb_node, parent, p); 2551 rb_insert_color(&thread->rb_node, &proc->threads); 2552 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2553 thread->return_error = BR_OK; 2554 thread->return_error2 = BR_OK; 2555 } 2556 return thread; 2557 } 2558 2559 static int binder_free_thread(struct binder_proc *proc, 2560 struct binder_thread *thread) 2561 { 2562 struct binder_transaction *t; 2563 struct binder_transaction *send_reply = NULL; 2564 int active_transactions = 0; 2565 2566 rb_erase(&thread->rb_node, &proc->threads); 2567 t = thread->transaction_stack; 2568 if (t && t->to_thread == thread) 2569 send_reply = t; 2570 while (t) { 2571 active_transactions++; 2572 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2573 "release %d:%d transaction %d %s, still active\n", 2574 proc->pid, thread->pid, 2575 t->debug_id, 2576 (t->to_thread == thread) ? "in" : "out"); 2577 2578 if (t->to_thread == thread) { 2579 t->to_proc = NULL; 2580 t->to_thread = NULL; 2581 if (t->buffer) { 2582 t->buffer->transaction = NULL; 2583 t->buffer = NULL; 2584 } 2585 t = t->to_parent; 2586 } else if (t->from == thread) { 2587 t->from = NULL; 2588 t = t->from_parent; 2589 } else 2590 BUG(); 2591 } 2592 if (send_reply) 2593 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2594 binder_release_work(&thread->todo); 2595 kfree(thread); 2596 binder_stats_deleted(BINDER_STAT_THREAD); 2597 return active_transactions; 2598 } 2599 2600 static unsigned int binder_poll(struct file *filp, 2601 struct poll_table_struct *wait) 2602 { 2603 struct binder_proc *proc = filp->private_data; 2604 struct binder_thread *thread = NULL; 2605 int wait_for_proc_work; 2606 2607 binder_lock(__func__); 2608 2609 thread = binder_get_thread(proc); 2610 2611 wait_for_proc_work = thread->transaction_stack == NULL && 2612 list_empty(&thread->todo) && thread->return_error == BR_OK; 2613 2614 binder_unlock(__func__); 2615 2616 if (wait_for_proc_work) { 2617 if (binder_has_proc_work(proc, thread)) 2618 return POLLIN; 2619 poll_wait(filp, &proc->wait, wait); 2620 if (binder_has_proc_work(proc, thread)) 2621 return POLLIN; 2622 } else { 2623 if (binder_has_thread_work(thread)) 2624 return POLLIN; 2625 poll_wait(filp, &thread->wait, wait); 2626 if (binder_has_thread_work(thread)) 2627 return POLLIN; 2628 } 2629 return 0; 2630 } 2631 2632 static int binder_ioctl_write_read(struct file *filp, 2633 unsigned int cmd, unsigned long arg, 2634 struct binder_thread *thread) 2635 { 2636 int ret = 0; 2637 struct binder_proc *proc = filp->private_data; 2638 unsigned int size = _IOC_SIZE(cmd); 2639 void __user *ubuf = (void __user *)arg; 2640 struct binder_write_read bwr; 2641 2642 if (size != sizeof(struct binder_write_read)) { 2643 ret = -EINVAL; 2644 goto out; 2645 } 2646 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2647 ret = -EFAULT; 2648 goto out; 2649 } 2650 binder_debug(BINDER_DEBUG_READ_WRITE, 2651 "%d:%d write %lld at %016llx, read %lld at %016llx\n", 2652 proc->pid, thread->pid, 2653 (u64)bwr.write_size, (u64)bwr.write_buffer, 2654 (u64)bwr.read_size, (u64)bwr.read_buffer); 2655 2656 if (bwr.write_size > 0) { 2657 ret = binder_thread_write(proc, thread, 2658 bwr.write_buffer, 2659 bwr.write_size, 2660 &bwr.write_consumed); 2661 trace_binder_write_done(ret); 2662 if (ret < 0) { 2663 bwr.read_consumed = 0; 2664 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2665 ret = -EFAULT; 2666 goto out; 2667 } 2668 } 2669 if (bwr.read_size > 0) { 2670 ret = binder_thread_read(proc, thread, bwr.read_buffer, 2671 bwr.read_size, 2672 &bwr.read_consumed, 2673 filp->f_flags & O_NONBLOCK); 2674 trace_binder_read_done(ret); 2675 if (!list_empty(&proc->todo)) 2676 wake_up_interruptible(&proc->wait); 2677 if (ret < 0) { 2678 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2679 ret = -EFAULT; 2680 goto out; 2681 } 2682 } 2683 binder_debug(BINDER_DEBUG_READ_WRITE, 2684 "%d:%d wrote %lld of %lld, read return %lld of %lld\n", 2685 proc->pid, thread->pid, 2686 (u64)bwr.write_consumed, (u64)bwr.write_size, 2687 (u64)bwr.read_consumed, (u64)bwr.read_size); 2688 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2689 ret = -EFAULT; 2690 goto out; 2691 } 2692 out: 2693 return ret; 2694 } 2695 2696 static int binder_ioctl_set_ctx_mgr(struct file *filp) 2697 { 2698 int ret = 0; 2699 struct binder_proc *proc = filp->private_data; 2700 kuid_t curr_euid = current_euid(); 2701 2702 if (binder_context_mgr_node != NULL) { 2703 pr_err("BINDER_SET_CONTEXT_MGR already set\n"); 2704 ret = -EBUSY; 2705 goto out; 2706 } 2707 ret = security_binder_set_context_mgr(proc->tsk); 2708 if (ret < 0) 2709 goto out; 2710 if (uid_valid(binder_context_mgr_uid)) { 2711 if (!uid_eq(binder_context_mgr_uid, curr_euid)) { 2712 pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n", 2713 from_kuid(&init_user_ns, curr_euid), 2714 from_kuid(&init_user_ns, 2715 binder_context_mgr_uid)); 2716 ret = -EPERM; 2717 goto out; 2718 } 2719 } else { 2720 binder_context_mgr_uid = curr_euid; 2721 } 2722 binder_context_mgr_node = binder_new_node(proc, 0, 0); 2723 if (binder_context_mgr_node == NULL) { 2724 ret = -ENOMEM; 2725 goto out; 2726 } 2727 binder_context_mgr_node->local_weak_refs++; 2728 binder_context_mgr_node->local_strong_refs++; 2729 binder_context_mgr_node->has_strong_ref = 1; 2730 binder_context_mgr_node->has_weak_ref = 1; 2731 out: 2732 return ret; 2733 } 2734 2735 static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2736 { 2737 int ret; 2738 struct binder_proc *proc = filp->private_data; 2739 struct binder_thread *thread; 2740 unsigned int size = _IOC_SIZE(cmd); 2741 void __user *ubuf = (void __user *)arg; 2742 2743 /*pr_info("binder_ioctl: %d:%d %x %lx\n", 2744 proc->pid, current->pid, cmd, arg);*/ 2745 2746 if (unlikely(current->mm != proc->vma_vm_mm)) { 2747 pr_err("current mm mismatch proc mm\n"); 2748 return -EINVAL; 2749 } 2750 trace_binder_ioctl(cmd, arg); 2751 2752 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2753 if (ret) 2754 goto err_unlocked; 2755 2756 binder_lock(__func__); 2757 thread = binder_get_thread(proc); 2758 if (thread == NULL) { 2759 ret = -ENOMEM; 2760 goto err; 2761 } 2762 2763 switch (cmd) { 2764 case BINDER_WRITE_READ: 2765 ret = binder_ioctl_write_read(filp, cmd, arg, thread); 2766 if (ret) 2767 goto err; 2768 break; 2769 case BINDER_SET_MAX_THREADS: 2770 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2771 ret = -EINVAL; 2772 goto err; 2773 } 2774 break; 2775 case BINDER_SET_CONTEXT_MGR: 2776 ret = binder_ioctl_set_ctx_mgr(filp); 2777 if (ret) 2778 goto err; 2779 break; 2780 case BINDER_THREAD_EXIT: 2781 binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n", 2782 proc->pid, thread->pid); 2783 binder_free_thread(proc, thread); 2784 thread = NULL; 2785 break; 2786 case BINDER_VERSION: { 2787 struct binder_version __user *ver = ubuf; 2788 2789 if (size != sizeof(struct binder_version)) { 2790 ret = -EINVAL; 2791 goto err; 2792 } 2793 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, 2794 &ver->protocol_version)) { 2795 ret = -EINVAL; 2796 goto err; 2797 } 2798 break; 2799 } 2800 default: 2801 ret = -EINVAL; 2802 goto err; 2803 } 2804 ret = 0; 2805 err: 2806 if (thread) 2807 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2808 binder_unlock(__func__); 2809 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2810 if (ret && ret != -ERESTARTSYS) 2811 pr_info("%d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2812 err_unlocked: 2813 trace_binder_ioctl_done(ret); 2814 return ret; 2815 } 2816 2817 static void binder_vma_open(struct vm_area_struct *vma) 2818 { 2819 struct binder_proc *proc = vma->vm_private_data; 2820 2821 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2822 "%d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2823 proc->pid, vma->vm_start, vma->vm_end, 2824 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2825 (unsigned long)pgprot_val(vma->vm_page_prot)); 2826 } 2827 2828 static void binder_vma_close(struct vm_area_struct *vma) 2829 { 2830 struct binder_proc *proc = vma->vm_private_data; 2831 2832 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2833 "%d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2834 proc->pid, vma->vm_start, vma->vm_end, 2835 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2836 (unsigned long)pgprot_val(vma->vm_page_prot)); 2837 proc->vma = NULL; 2838 proc->vma_vm_mm = NULL; 2839 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2840 } 2841 2842 static int binder_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf) 2843 { 2844 return VM_FAULT_SIGBUS; 2845 } 2846 2847 static const struct vm_operations_struct binder_vm_ops = { 2848 .open = binder_vma_open, 2849 .close = binder_vma_close, 2850 .fault = binder_vm_fault, 2851 }; 2852 2853 static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2854 { 2855 int ret; 2856 struct vm_struct *area; 2857 struct binder_proc *proc = filp->private_data; 2858 const char *failure_string; 2859 struct binder_buffer *buffer; 2860 2861 if (proc->tsk != current) 2862 return -EINVAL; 2863 2864 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2865 vma->vm_end = vma->vm_start + SZ_4M; 2866 2867 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2868 "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2869 proc->pid, vma->vm_start, vma->vm_end, 2870 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2871 (unsigned long)pgprot_val(vma->vm_page_prot)); 2872 2873 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2874 ret = -EPERM; 2875 failure_string = "bad vm_flags"; 2876 goto err_bad_arg; 2877 } 2878 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2879 2880 mutex_lock(&binder_mmap_lock); 2881 if (proc->buffer) { 2882 ret = -EBUSY; 2883 failure_string = "already mapped"; 2884 goto err_already_mapped; 2885 } 2886 2887 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2888 if (area == NULL) { 2889 ret = -ENOMEM; 2890 failure_string = "get_vm_area"; 2891 goto err_get_vm_area_failed; 2892 } 2893 proc->buffer = area->addr; 2894 proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; 2895 mutex_unlock(&binder_mmap_lock); 2896 2897 #ifdef CONFIG_CPU_CACHE_VIPT 2898 if (cache_is_vipt_aliasing()) { 2899 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2900 pr_info("binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2901 vma->vm_start += PAGE_SIZE; 2902 } 2903 } 2904 #endif 2905 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2906 if (proc->pages == NULL) { 2907 ret = -ENOMEM; 2908 failure_string = "alloc page array"; 2909 goto err_alloc_pages_failed; 2910 } 2911 proc->buffer_size = vma->vm_end - vma->vm_start; 2912 2913 vma->vm_ops = &binder_vm_ops; 2914 vma->vm_private_data = proc; 2915 2916 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2917 ret = -ENOMEM; 2918 failure_string = "alloc small buf"; 2919 goto err_alloc_small_buf_failed; 2920 } 2921 buffer = proc->buffer; 2922 INIT_LIST_HEAD(&proc->buffers); 2923 list_add(&buffer->entry, &proc->buffers); 2924 buffer->free = 1; 2925 binder_insert_free_buffer(proc, buffer); 2926 proc->free_async_space = proc->buffer_size / 2; 2927 barrier(); 2928 proc->files = get_files_struct(current); 2929 proc->vma = vma; 2930 proc->vma_vm_mm = vma->vm_mm; 2931 2932 /*pr_info("binder_mmap: %d %lx-%lx maps %p\n", 2933 proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2934 return 0; 2935 2936 err_alloc_small_buf_failed: 2937 kfree(proc->pages); 2938 proc->pages = NULL; 2939 err_alloc_pages_failed: 2940 mutex_lock(&binder_mmap_lock); 2941 vfree(proc->buffer); 2942 proc->buffer = NULL; 2943 err_get_vm_area_failed: 2944 err_already_mapped: 2945 mutex_unlock(&binder_mmap_lock); 2946 err_bad_arg: 2947 pr_err("binder_mmap: %d %lx-%lx %s failed %d\n", 2948 proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2949 return ret; 2950 } 2951 2952 static int binder_open(struct inode *nodp, struct file *filp) 2953 { 2954 struct binder_proc *proc; 2955 2956 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n", 2957 current->group_leader->pid, current->pid); 2958 2959 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2960 if (proc == NULL) 2961 return -ENOMEM; 2962 get_task_struct(current); 2963 proc->tsk = current; 2964 proc->vma_vm_mm = current->mm; 2965 INIT_LIST_HEAD(&proc->todo); 2966 init_waitqueue_head(&proc->wait); 2967 proc->default_priority = task_nice(current); 2968 2969 binder_lock(__func__); 2970 2971 binder_stats_created(BINDER_STAT_PROC); 2972 hlist_add_head(&proc->proc_node, &binder_procs); 2973 proc->pid = current->group_leader->pid; 2974 INIT_LIST_HEAD(&proc->delivered_death); 2975 filp->private_data = proc; 2976 2977 binder_unlock(__func__); 2978 2979 if (binder_debugfs_dir_entry_proc) { 2980 char strbuf[11]; 2981 2982 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2983 proc->debugfs_entry = debugfs_create_file(strbuf, S_IRUGO, 2984 binder_debugfs_dir_entry_proc, proc, &binder_proc_fops); 2985 } 2986 2987 return 0; 2988 } 2989 2990 static int binder_flush(struct file *filp, fl_owner_t id) 2991 { 2992 struct binder_proc *proc = filp->private_data; 2993 2994 binder_defer_work(proc, BINDER_DEFERRED_FLUSH); 2995 2996 return 0; 2997 } 2998 2999 static void binder_deferred_flush(struct binder_proc *proc) 3000 { 3001 struct rb_node *n; 3002 int wake_count = 0; 3003 3004 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 3005 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 3006 3007 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 3008 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 3009 wake_up_interruptible(&thread->wait); 3010 wake_count++; 3011 } 3012 } 3013 wake_up_interruptible_all(&proc->wait); 3014 3015 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 3016 "binder_flush: %d woke %d threads\n", proc->pid, 3017 wake_count); 3018 } 3019 3020 static int binder_release(struct inode *nodp, struct file *filp) 3021 { 3022 struct binder_proc *proc = filp->private_data; 3023 3024 debugfs_remove(proc->debugfs_entry); 3025 binder_defer_work(proc, BINDER_DEFERRED_RELEASE); 3026 3027 return 0; 3028 } 3029 3030 static int binder_node_release(struct binder_node *node, int refs) 3031 { 3032 struct binder_ref *ref; 3033 int death = 0; 3034 3035 list_del_init(&node->work.entry); 3036 binder_release_work(&node->async_todo); 3037 3038 if (hlist_empty(&node->refs)) { 3039 kfree(node); 3040 binder_stats_deleted(BINDER_STAT_NODE); 3041 3042 return refs; 3043 } 3044 3045 node->proc = NULL; 3046 node->local_strong_refs = 0; 3047 node->local_weak_refs = 0; 3048 hlist_add_head(&node->dead_node, &binder_dead_nodes); 3049 3050 hlist_for_each_entry(ref, &node->refs, node_entry) { 3051 refs++; 3052 3053 if (!ref->death) 3054 continue; 3055 3056 death++; 3057 3058 if (list_empty(&ref->death->work.entry)) { 3059 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 3060 list_add_tail(&ref->death->work.entry, 3061 &ref->proc->todo); 3062 wake_up_interruptible(&ref->proc->wait); 3063 } else 3064 BUG(); 3065 } 3066 3067 binder_debug(BINDER_DEBUG_DEAD_BINDER, 3068 "node %d now dead, refs %d, death %d\n", 3069 node->debug_id, refs, death); 3070 3071 return refs; 3072 } 3073 3074 static void binder_deferred_release(struct binder_proc *proc) 3075 { 3076 struct binder_transaction *t; 3077 struct rb_node *n; 3078 int threads, nodes, incoming_refs, outgoing_refs, buffers, 3079 active_transactions, page_count; 3080 3081 BUG_ON(proc->vma); 3082 BUG_ON(proc->files); 3083 3084 hlist_del(&proc->proc_node); 3085 3086 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 3087 binder_debug(BINDER_DEBUG_DEAD_BINDER, 3088 "%s: %d context_mgr_node gone\n", 3089 __func__, proc->pid); 3090 binder_context_mgr_node = NULL; 3091 } 3092 3093 threads = 0; 3094 active_transactions = 0; 3095 while ((n = rb_first(&proc->threads))) { 3096 struct binder_thread *thread; 3097 3098 thread = rb_entry(n, struct binder_thread, rb_node); 3099 threads++; 3100 active_transactions += binder_free_thread(proc, thread); 3101 } 3102 3103 nodes = 0; 3104 incoming_refs = 0; 3105 while ((n = rb_first(&proc->nodes))) { 3106 struct binder_node *node; 3107 3108 node = rb_entry(n, struct binder_node, rb_node); 3109 nodes++; 3110 rb_erase(&node->rb_node, &proc->nodes); 3111 incoming_refs = binder_node_release(node, incoming_refs); 3112 } 3113 3114 outgoing_refs = 0; 3115 while ((n = rb_first(&proc->refs_by_desc))) { 3116 struct binder_ref *ref; 3117 3118 ref = rb_entry(n, struct binder_ref, rb_node_desc); 3119 outgoing_refs++; 3120 binder_delete_ref(ref); 3121 } 3122 3123 binder_release_work(&proc->todo); 3124 binder_release_work(&proc->delivered_death); 3125 3126 buffers = 0; 3127 while ((n = rb_first(&proc->allocated_buffers))) { 3128 struct binder_buffer *buffer; 3129 3130 buffer = rb_entry(n, struct binder_buffer, rb_node); 3131 3132 t = buffer->transaction; 3133 if (t) { 3134 t->buffer = NULL; 3135 buffer->transaction = NULL; 3136 pr_err("release proc %d, transaction %d, not freed\n", 3137 proc->pid, t->debug_id); 3138 /*BUG();*/ 3139 } 3140 3141 binder_free_buf(proc, buffer); 3142 buffers++; 3143 } 3144 3145 binder_stats_deleted(BINDER_STAT_PROC); 3146 3147 page_count = 0; 3148 if (proc->pages) { 3149 int i; 3150 3151 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 3152 void *page_addr; 3153 3154 if (!proc->pages[i]) 3155 continue; 3156 3157 page_addr = proc->buffer + i * PAGE_SIZE; 3158 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 3159 "%s: %d: page %d at %p not freed\n", 3160 __func__, proc->pid, i, page_addr); 3161 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 3162 __free_page(proc->pages[i]); 3163 page_count++; 3164 } 3165 kfree(proc->pages); 3166 vfree(proc->buffer); 3167 } 3168 3169 put_task_struct(proc->tsk); 3170 3171 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 3172 "%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d, buffers %d, pages %d\n", 3173 __func__, proc->pid, threads, nodes, incoming_refs, 3174 outgoing_refs, active_transactions, buffers, page_count); 3175 3176 kfree(proc); 3177 } 3178 3179 static void binder_deferred_func(struct work_struct *work) 3180 { 3181 struct binder_proc *proc; 3182 struct files_struct *files; 3183 3184 int defer; 3185 3186 do { 3187 binder_lock(__func__); 3188 mutex_lock(&binder_deferred_lock); 3189 if (!hlist_empty(&binder_deferred_list)) { 3190 proc = hlist_entry(binder_deferred_list.first, 3191 struct binder_proc, deferred_work_node); 3192 hlist_del_init(&proc->deferred_work_node); 3193 defer = proc->deferred_work; 3194 proc->deferred_work = 0; 3195 } else { 3196 proc = NULL; 3197 defer = 0; 3198 } 3199 mutex_unlock(&binder_deferred_lock); 3200 3201 files = NULL; 3202 if (defer & BINDER_DEFERRED_PUT_FILES) { 3203 files = proc->files; 3204 if (files) 3205 proc->files = NULL; 3206 } 3207 3208 if (defer & BINDER_DEFERRED_FLUSH) 3209 binder_deferred_flush(proc); 3210 3211 if (defer & BINDER_DEFERRED_RELEASE) 3212 binder_deferred_release(proc); /* frees proc */ 3213 3214 binder_unlock(__func__); 3215 if (files) 3216 put_files_struct(files); 3217 } while (proc); 3218 } 3219 static DECLARE_WORK(binder_deferred_work, binder_deferred_func); 3220 3221 static void 3222 binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer) 3223 { 3224 mutex_lock(&binder_deferred_lock); 3225 proc->deferred_work |= defer; 3226 if (hlist_unhashed(&proc->deferred_work_node)) { 3227 hlist_add_head(&proc->deferred_work_node, 3228 &binder_deferred_list); 3229 schedule_work(&binder_deferred_work); 3230 } 3231 mutex_unlock(&binder_deferred_lock); 3232 } 3233 3234 static void print_binder_transaction(struct seq_file *m, const char *prefix, 3235 struct binder_transaction *t) 3236 { 3237 seq_printf(m, 3238 "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", 3239 prefix, t->debug_id, t, 3240 t->from ? t->from->proc->pid : 0, 3241 t->from ? t->from->pid : 0, 3242 t->to_proc ? t->to_proc->pid : 0, 3243 t->to_thread ? t->to_thread->pid : 0, 3244 t->code, t->flags, t->priority, t->need_reply); 3245 if (t->buffer == NULL) { 3246 seq_puts(m, " buffer free\n"); 3247 return; 3248 } 3249 if (t->buffer->target_node) 3250 seq_printf(m, " node %d", 3251 t->buffer->target_node->debug_id); 3252 seq_printf(m, " size %zd:%zd data %p\n", 3253 t->buffer->data_size, t->buffer->offsets_size, 3254 t->buffer->data); 3255 } 3256 3257 static void print_binder_buffer(struct seq_file *m, const char *prefix, 3258 struct binder_buffer *buffer) 3259 { 3260 seq_printf(m, "%s %d: %p size %zd:%zd %s\n", 3261 prefix, buffer->debug_id, buffer->data, 3262 buffer->data_size, buffer->offsets_size, 3263 buffer->transaction ? "active" : "delivered"); 3264 } 3265 3266 static void print_binder_work(struct seq_file *m, const char *prefix, 3267 const char *transaction_prefix, 3268 struct binder_work *w) 3269 { 3270 struct binder_node *node; 3271 struct binder_transaction *t; 3272 3273 switch (w->type) { 3274 case BINDER_WORK_TRANSACTION: 3275 t = container_of(w, struct binder_transaction, work); 3276 print_binder_transaction(m, transaction_prefix, t); 3277 break; 3278 case BINDER_WORK_TRANSACTION_COMPLETE: 3279 seq_printf(m, "%stransaction complete\n", prefix); 3280 break; 3281 case BINDER_WORK_NODE: 3282 node = container_of(w, struct binder_node, work); 3283 seq_printf(m, "%snode work %d: u%016llx c%016llx\n", 3284 prefix, node->debug_id, 3285 (u64)node->ptr, (u64)node->cookie); 3286 break; 3287 case BINDER_WORK_DEAD_BINDER: 3288 seq_printf(m, "%shas dead binder\n", prefix); 3289 break; 3290 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 3291 seq_printf(m, "%shas cleared dead binder\n", prefix); 3292 break; 3293 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 3294 seq_printf(m, "%shas cleared death notification\n", prefix); 3295 break; 3296 default: 3297 seq_printf(m, "%sunknown work: type %d\n", prefix, w->type); 3298 break; 3299 } 3300 } 3301 3302 static void print_binder_thread(struct seq_file *m, 3303 struct binder_thread *thread, 3304 int print_always) 3305 { 3306 struct binder_transaction *t; 3307 struct binder_work *w; 3308 size_t start_pos = m->count; 3309 size_t header_pos; 3310 3311 seq_printf(m, " thread %d: l %02x\n", thread->pid, thread->looper); 3312 header_pos = m->count; 3313 t = thread->transaction_stack; 3314 while (t) { 3315 if (t->from == thread) { 3316 print_binder_transaction(m, 3317 " outgoing transaction", t); 3318 t = t->from_parent; 3319 } else if (t->to_thread == thread) { 3320 print_binder_transaction(m, 3321 " incoming transaction", t); 3322 t = t->to_parent; 3323 } else { 3324 print_binder_transaction(m, " bad transaction", t); 3325 t = NULL; 3326 } 3327 } 3328 list_for_each_entry(w, &thread->todo, entry) { 3329 print_binder_work(m, " ", " pending transaction", w); 3330 } 3331 if (!print_always && m->count == header_pos) 3332 m->count = start_pos; 3333 } 3334 3335 static void print_binder_node(struct seq_file *m, struct binder_node *node) 3336 { 3337 struct binder_ref *ref; 3338 struct binder_work *w; 3339 int count; 3340 3341 count = 0; 3342 hlist_for_each_entry(ref, &node->refs, node_entry) 3343 count++; 3344 3345 seq_printf(m, " node %d: u%016llx c%016llx hs %d hw %d ls %d lw %d is %d iw %d", 3346 node->debug_id, (u64)node->ptr, (u64)node->cookie, 3347 node->has_strong_ref, node->has_weak_ref, 3348 node->local_strong_refs, node->local_weak_refs, 3349 node->internal_strong_refs, count); 3350 if (count) { 3351 seq_puts(m, " proc"); 3352 hlist_for_each_entry(ref, &node->refs, node_entry) 3353 seq_printf(m, " %d", ref->proc->pid); 3354 } 3355 seq_puts(m, "\n"); 3356 list_for_each_entry(w, &node->async_todo, entry) 3357 print_binder_work(m, " ", 3358 " pending async transaction", w); 3359 } 3360 3361 static void print_binder_ref(struct seq_file *m, struct binder_ref *ref) 3362 { 3363 seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %p\n", 3364 ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ", 3365 ref->node->debug_id, ref->strong, ref->weak, ref->death); 3366 } 3367 3368 static void print_binder_proc(struct seq_file *m, 3369 struct binder_proc *proc, int print_all) 3370 { 3371 struct binder_work *w; 3372 struct rb_node *n; 3373 size_t start_pos = m->count; 3374 size_t header_pos; 3375 3376 seq_printf(m, "proc %d\n", proc->pid); 3377 header_pos = m->count; 3378 3379 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3380 print_binder_thread(m, rb_entry(n, struct binder_thread, 3381 rb_node), print_all); 3382 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) { 3383 struct binder_node *node = rb_entry(n, struct binder_node, 3384 rb_node); 3385 if (print_all || node->has_async_transaction) 3386 print_binder_node(m, node); 3387 } 3388 if (print_all) { 3389 for (n = rb_first(&proc->refs_by_desc); 3390 n != NULL; 3391 n = rb_next(n)) 3392 print_binder_ref(m, rb_entry(n, struct binder_ref, 3393 rb_node_desc)); 3394 } 3395 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3396 print_binder_buffer(m, " buffer", 3397 rb_entry(n, struct binder_buffer, rb_node)); 3398 list_for_each_entry(w, &proc->todo, entry) 3399 print_binder_work(m, " ", " pending transaction", w); 3400 list_for_each_entry(w, &proc->delivered_death, entry) { 3401 seq_puts(m, " has delivered dead binder\n"); 3402 break; 3403 } 3404 if (!print_all && m->count == header_pos) 3405 m->count = start_pos; 3406 } 3407 3408 static const char * const binder_return_strings[] = { 3409 "BR_ERROR", 3410 "BR_OK", 3411 "BR_TRANSACTION", 3412 "BR_REPLY", 3413 "BR_ACQUIRE_RESULT", 3414 "BR_DEAD_REPLY", 3415 "BR_TRANSACTION_COMPLETE", 3416 "BR_INCREFS", 3417 "BR_ACQUIRE", 3418 "BR_RELEASE", 3419 "BR_DECREFS", 3420 "BR_ATTEMPT_ACQUIRE", 3421 "BR_NOOP", 3422 "BR_SPAWN_LOOPER", 3423 "BR_FINISHED", 3424 "BR_DEAD_BINDER", 3425 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3426 "BR_FAILED_REPLY" 3427 }; 3428 3429 static const char * const binder_command_strings[] = { 3430 "BC_TRANSACTION", 3431 "BC_REPLY", 3432 "BC_ACQUIRE_RESULT", 3433 "BC_FREE_BUFFER", 3434 "BC_INCREFS", 3435 "BC_ACQUIRE", 3436 "BC_RELEASE", 3437 "BC_DECREFS", 3438 "BC_INCREFS_DONE", 3439 "BC_ACQUIRE_DONE", 3440 "BC_ATTEMPT_ACQUIRE", 3441 "BC_REGISTER_LOOPER", 3442 "BC_ENTER_LOOPER", 3443 "BC_EXIT_LOOPER", 3444 "BC_REQUEST_DEATH_NOTIFICATION", 3445 "BC_CLEAR_DEATH_NOTIFICATION", 3446 "BC_DEAD_BINDER_DONE" 3447 }; 3448 3449 static const char * const binder_objstat_strings[] = { 3450 "proc", 3451 "thread", 3452 "node", 3453 "ref", 3454 "death", 3455 "transaction", 3456 "transaction_complete" 3457 }; 3458 3459 static void print_binder_stats(struct seq_file *m, const char *prefix, 3460 struct binder_stats *stats) 3461 { 3462 int i; 3463 3464 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != 3465 ARRAY_SIZE(binder_command_strings)); 3466 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3467 if (stats->bc[i]) 3468 seq_printf(m, "%s%s: %d\n", prefix, 3469 binder_command_strings[i], stats->bc[i]); 3470 } 3471 3472 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != 3473 ARRAY_SIZE(binder_return_strings)); 3474 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3475 if (stats->br[i]) 3476 seq_printf(m, "%s%s: %d\n", prefix, 3477 binder_return_strings[i], stats->br[i]); 3478 } 3479 3480 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3481 ARRAY_SIZE(binder_objstat_strings)); 3482 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3483 ARRAY_SIZE(stats->obj_deleted)); 3484 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3485 if (stats->obj_created[i] || stats->obj_deleted[i]) 3486 seq_printf(m, "%s%s: active %d total %d\n", prefix, 3487 binder_objstat_strings[i], 3488 stats->obj_created[i] - stats->obj_deleted[i], 3489 stats->obj_created[i]); 3490 } 3491 } 3492 3493 static void print_binder_proc_stats(struct seq_file *m, 3494 struct binder_proc *proc) 3495 { 3496 struct binder_work *w; 3497 struct rb_node *n; 3498 int count, strong, weak; 3499 3500 seq_printf(m, "proc %d\n", proc->pid); 3501 count = 0; 3502 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3503 count++; 3504 seq_printf(m, " threads: %d\n", count); 3505 seq_printf(m, " requested threads: %d+%d/%d\n" 3506 " ready threads %d\n" 3507 " free async space %zd\n", proc->requested_threads, 3508 proc->requested_threads_started, proc->max_threads, 3509 proc->ready_threads, proc->free_async_space); 3510 count = 0; 3511 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3512 count++; 3513 seq_printf(m, " nodes: %d\n", count); 3514 count = 0; 3515 strong = 0; 3516 weak = 0; 3517 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3518 struct binder_ref *ref = rb_entry(n, struct binder_ref, 3519 rb_node_desc); 3520 count++; 3521 strong += ref->strong; 3522 weak += ref->weak; 3523 } 3524 seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak); 3525 3526 count = 0; 3527 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3528 count++; 3529 seq_printf(m, " buffers: %d\n", count); 3530 3531 count = 0; 3532 list_for_each_entry(w, &proc->todo, entry) { 3533 switch (w->type) { 3534 case BINDER_WORK_TRANSACTION: 3535 count++; 3536 break; 3537 default: 3538 break; 3539 } 3540 } 3541 seq_printf(m, " pending transactions: %d\n", count); 3542 3543 print_binder_stats(m, " ", &proc->stats); 3544 } 3545 3546 3547 static int binder_state_show(struct seq_file *m, void *unused) 3548 { 3549 struct binder_proc *proc; 3550 struct binder_node *node; 3551 int do_lock = !binder_debug_no_lock; 3552 3553 if (do_lock) 3554 binder_lock(__func__); 3555 3556 seq_puts(m, "binder state:\n"); 3557 3558 if (!hlist_empty(&binder_dead_nodes)) 3559 seq_puts(m, "dead nodes:\n"); 3560 hlist_for_each_entry(node, &binder_dead_nodes, dead_node) 3561 print_binder_node(m, node); 3562 3563 hlist_for_each_entry(proc, &binder_procs, proc_node) 3564 print_binder_proc(m, proc, 1); 3565 if (do_lock) 3566 binder_unlock(__func__); 3567 return 0; 3568 } 3569 3570 static int binder_stats_show(struct seq_file *m, void *unused) 3571 { 3572 struct binder_proc *proc; 3573 int do_lock = !binder_debug_no_lock; 3574 3575 if (do_lock) 3576 binder_lock(__func__); 3577 3578 seq_puts(m, "binder stats:\n"); 3579 3580 print_binder_stats(m, "", &binder_stats); 3581 3582 hlist_for_each_entry(proc, &binder_procs, proc_node) 3583 print_binder_proc_stats(m, proc); 3584 if (do_lock) 3585 binder_unlock(__func__); 3586 return 0; 3587 } 3588 3589 static int binder_transactions_show(struct seq_file *m, void *unused) 3590 { 3591 struct binder_proc *proc; 3592 int do_lock = !binder_debug_no_lock; 3593 3594 if (do_lock) 3595 binder_lock(__func__); 3596 3597 seq_puts(m, "binder transactions:\n"); 3598 hlist_for_each_entry(proc, &binder_procs, proc_node) 3599 print_binder_proc(m, proc, 0); 3600 if (do_lock) 3601 binder_unlock(__func__); 3602 return 0; 3603 } 3604 3605 static int binder_proc_show(struct seq_file *m, void *unused) 3606 { 3607 struct binder_proc *itr; 3608 struct binder_proc *proc = m->private; 3609 int do_lock = !binder_debug_no_lock; 3610 bool valid_proc = false; 3611 3612 if (do_lock) 3613 binder_lock(__func__); 3614 3615 hlist_for_each_entry(itr, &binder_procs, proc_node) { 3616 if (itr == proc) { 3617 valid_proc = true; 3618 break; 3619 } 3620 } 3621 if (valid_proc) { 3622 seq_puts(m, "binder proc state:\n"); 3623 print_binder_proc(m, proc, 1); 3624 } 3625 if (do_lock) 3626 binder_unlock(__func__); 3627 return 0; 3628 } 3629 3630 static void print_binder_transaction_log_entry(struct seq_file *m, 3631 struct binder_transaction_log_entry *e) 3632 { 3633 seq_printf(m, 3634 "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n", 3635 e->debug_id, (e->call_type == 2) ? "reply" : 3636 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3637 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3638 e->target_handle, e->data_size, e->offsets_size); 3639 } 3640 3641 static int binder_transaction_log_show(struct seq_file *m, void *unused) 3642 { 3643 struct binder_transaction_log *log = m->private; 3644 int i; 3645 3646 if (log->full) { 3647 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) 3648 print_binder_transaction_log_entry(m, &log->entry[i]); 3649 } 3650 for (i = 0; i < log->next; i++) 3651 print_binder_transaction_log_entry(m, &log->entry[i]); 3652 return 0; 3653 } 3654 3655 static const struct file_operations binder_fops = { 3656 .owner = THIS_MODULE, 3657 .poll = binder_poll, 3658 .unlocked_ioctl = binder_ioctl, 3659 .compat_ioctl = binder_ioctl, 3660 .mmap = binder_mmap, 3661 .open = binder_open, 3662 .flush = binder_flush, 3663 .release = binder_release, 3664 }; 3665 3666 static struct miscdevice binder_miscdev = { 3667 .minor = MISC_DYNAMIC_MINOR, 3668 .name = "binder", 3669 .fops = &binder_fops 3670 }; 3671 3672 BINDER_DEBUG_ENTRY(state); 3673 BINDER_DEBUG_ENTRY(stats); 3674 BINDER_DEBUG_ENTRY(transactions); 3675 BINDER_DEBUG_ENTRY(transaction_log); 3676 3677 static int __init binder_init(void) 3678 { 3679 int ret; 3680 3681 binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL); 3682 if (binder_debugfs_dir_entry_root) 3683 binder_debugfs_dir_entry_proc = debugfs_create_dir("proc", 3684 binder_debugfs_dir_entry_root); 3685 ret = misc_register(&binder_miscdev); 3686 if (binder_debugfs_dir_entry_root) { 3687 debugfs_create_file("state", 3688 S_IRUGO, 3689 binder_debugfs_dir_entry_root, 3690 NULL, 3691 &binder_state_fops); 3692 debugfs_create_file("stats", 3693 S_IRUGO, 3694 binder_debugfs_dir_entry_root, 3695 NULL, 3696 &binder_stats_fops); 3697 debugfs_create_file("transactions", 3698 S_IRUGO, 3699 binder_debugfs_dir_entry_root, 3700 NULL, 3701 &binder_transactions_fops); 3702 debugfs_create_file("transaction_log", 3703 S_IRUGO, 3704 binder_debugfs_dir_entry_root, 3705 &binder_transaction_log, 3706 &binder_transaction_log_fops); 3707 debugfs_create_file("failed_transaction_log", 3708 S_IRUGO, 3709 binder_debugfs_dir_entry_root, 3710 &binder_transaction_log_failed, 3711 &binder_transaction_log_fops); 3712 } 3713 return ret; 3714 } 3715 3716 device_initcall(binder_init); 3717 3718 #define CREATE_TRACE_POINTS 3719 #include "binder_trace.h" 3720 3721 MODULE_LICENSE("GPL v2"); 3722