1 /* binder_alloc.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2017 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 19 20 #include <linux/list.h> 21 #include <linux/sched/mm.h> 22 #include <linux/module.h> 23 #include <linux/rtmutex.h> 24 #include <linux/rbtree.h> 25 #include <linux/seq_file.h> 26 #include <linux/vmalloc.h> 27 #include <linux/slab.h> 28 #include <linux/sched.h> 29 #include <linux/list_lru.h> 30 #include <linux/ratelimit.h> 31 #include <asm/cacheflush.h> 32 #include "binder_alloc.h" 33 #include "binder_trace.h" 34 35 struct list_lru binder_alloc_lru; 36 37 static DEFINE_MUTEX(binder_alloc_mmap_lock); 38 39 enum { 40 BINDER_DEBUG_USER_ERROR = 1U << 0, 41 BINDER_DEBUG_OPEN_CLOSE = 1U << 1, 42 BINDER_DEBUG_BUFFER_ALLOC = 1U << 2, 43 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 3, 44 }; 45 static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR; 46 47 module_param_named(debug_mask, binder_alloc_debug_mask, 48 uint, 0644); 49 50 #define binder_alloc_debug(mask, x...) \ 51 do { \ 52 if (binder_alloc_debug_mask & mask) \ 53 pr_info_ratelimited(x); \ 54 } while (0) 55 56 static struct binder_buffer *binder_buffer_next(struct binder_buffer *buffer) 57 { 58 return list_entry(buffer->entry.next, struct binder_buffer, entry); 59 } 60 61 static struct binder_buffer *binder_buffer_prev(struct binder_buffer *buffer) 62 { 63 return list_entry(buffer->entry.prev, struct binder_buffer, entry); 64 } 65 66 static size_t binder_alloc_buffer_size(struct binder_alloc *alloc, 67 struct binder_buffer *buffer) 68 { 69 if (list_is_last(&buffer->entry, &alloc->buffers)) 70 return (u8 *)alloc->buffer + 71 alloc->buffer_size - (u8 *)buffer->data; 72 return (u8 *)binder_buffer_next(buffer)->data - (u8 *)buffer->data; 73 } 74 75 static void binder_insert_free_buffer(struct binder_alloc *alloc, 76 struct binder_buffer *new_buffer) 77 { 78 struct rb_node **p = &alloc->free_buffers.rb_node; 79 struct rb_node *parent = NULL; 80 struct binder_buffer *buffer; 81 size_t buffer_size; 82 size_t new_buffer_size; 83 84 BUG_ON(!new_buffer->free); 85 86 new_buffer_size = binder_alloc_buffer_size(alloc, new_buffer); 87 88 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 89 "%d: add free buffer, size %zd, at %pK\n", 90 alloc->pid, new_buffer_size, new_buffer); 91 92 while (*p) { 93 parent = *p; 94 buffer = rb_entry(parent, struct binder_buffer, rb_node); 95 BUG_ON(!buffer->free); 96 97 buffer_size = binder_alloc_buffer_size(alloc, buffer); 98 99 if (new_buffer_size < buffer_size) 100 p = &parent->rb_left; 101 else 102 p = &parent->rb_right; 103 } 104 rb_link_node(&new_buffer->rb_node, parent, p); 105 rb_insert_color(&new_buffer->rb_node, &alloc->free_buffers); 106 } 107 108 static void binder_insert_allocated_buffer_locked( 109 struct binder_alloc *alloc, struct binder_buffer *new_buffer) 110 { 111 struct rb_node **p = &alloc->allocated_buffers.rb_node; 112 struct rb_node *parent = NULL; 113 struct binder_buffer *buffer; 114 115 BUG_ON(new_buffer->free); 116 117 while (*p) { 118 parent = *p; 119 buffer = rb_entry(parent, struct binder_buffer, rb_node); 120 BUG_ON(buffer->free); 121 122 if (new_buffer->data < buffer->data) 123 p = &parent->rb_left; 124 else if (new_buffer->data > buffer->data) 125 p = &parent->rb_right; 126 else 127 BUG(); 128 } 129 rb_link_node(&new_buffer->rb_node, parent, p); 130 rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers); 131 } 132 133 static struct binder_buffer *binder_alloc_prepare_to_free_locked( 134 struct binder_alloc *alloc, 135 uintptr_t user_ptr) 136 { 137 struct rb_node *n = alloc->allocated_buffers.rb_node; 138 struct binder_buffer *buffer; 139 void *kern_ptr; 140 141 kern_ptr = (void *)(user_ptr - alloc->user_buffer_offset); 142 143 while (n) { 144 buffer = rb_entry(n, struct binder_buffer, rb_node); 145 BUG_ON(buffer->free); 146 147 if (kern_ptr < buffer->data) 148 n = n->rb_left; 149 else if (kern_ptr > buffer->data) 150 n = n->rb_right; 151 else { 152 /* 153 * Guard against user threads attempting to 154 * free the buffer twice 155 */ 156 if (buffer->free_in_progress) { 157 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 158 "%d:%d FREE_BUFFER u%016llx user freed buffer twice\n", 159 alloc->pid, current->pid, 160 (u64)user_ptr); 161 return NULL; 162 } 163 buffer->free_in_progress = 1; 164 return buffer; 165 } 166 } 167 return NULL; 168 } 169 170 /** 171 * binder_alloc_buffer_lookup() - get buffer given user ptr 172 * @alloc: binder_alloc for this proc 173 * @user_ptr: User pointer to buffer data 174 * 175 * Validate userspace pointer to buffer data and return buffer corresponding to 176 * that user pointer. Search the rb tree for buffer that matches user data 177 * pointer. 178 * 179 * Return: Pointer to buffer or NULL 180 */ 181 struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc, 182 uintptr_t user_ptr) 183 { 184 struct binder_buffer *buffer; 185 186 mutex_lock(&alloc->mutex); 187 buffer = binder_alloc_prepare_to_free_locked(alloc, user_ptr); 188 mutex_unlock(&alloc->mutex); 189 return buffer; 190 } 191 192 static int binder_update_page_range(struct binder_alloc *alloc, int allocate, 193 void *start, void *end) 194 { 195 void *page_addr; 196 unsigned long user_page_addr; 197 struct binder_lru_page *page; 198 struct vm_area_struct *vma = NULL; 199 struct mm_struct *mm = NULL; 200 bool need_mm = false; 201 202 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 203 "%d: %s pages %pK-%pK\n", alloc->pid, 204 allocate ? "allocate" : "free", start, end); 205 206 if (end <= start) 207 return 0; 208 209 trace_binder_update_page_range(alloc, allocate, start, end); 210 211 if (allocate == 0) 212 goto free_range; 213 214 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 215 page = &alloc->pages[(page_addr - alloc->buffer) / PAGE_SIZE]; 216 if (!page->page_ptr) { 217 need_mm = true; 218 break; 219 } 220 } 221 222 if (need_mm && mmget_not_zero(alloc->vma_vm_mm)) 223 mm = alloc->vma_vm_mm; 224 225 if (mm) { 226 down_read(&mm->mmap_sem); 227 vma = alloc->vma; 228 } 229 230 if (!vma && need_mm) { 231 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 232 "%d: binder_alloc_buf failed to map pages in userspace, no vma\n", 233 alloc->pid); 234 goto err_no_vma; 235 } 236 237 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 238 int ret; 239 bool on_lru; 240 size_t index; 241 242 index = (page_addr - alloc->buffer) / PAGE_SIZE; 243 page = &alloc->pages[index]; 244 245 if (page->page_ptr) { 246 trace_binder_alloc_lru_start(alloc, index); 247 248 on_lru = list_lru_del(&binder_alloc_lru, &page->lru); 249 WARN_ON(!on_lru); 250 251 trace_binder_alloc_lru_end(alloc, index); 252 continue; 253 } 254 255 if (WARN_ON(!vma)) 256 goto err_page_ptr_cleared; 257 258 trace_binder_alloc_page_start(alloc, index); 259 page->page_ptr = alloc_page(GFP_KERNEL | 260 __GFP_HIGHMEM | 261 __GFP_ZERO); 262 if (!page->page_ptr) { 263 pr_err("%d: binder_alloc_buf failed for page at %pK\n", 264 alloc->pid, page_addr); 265 goto err_alloc_page_failed; 266 } 267 page->alloc = alloc; 268 INIT_LIST_HEAD(&page->lru); 269 270 ret = map_kernel_range_noflush((unsigned long)page_addr, 271 PAGE_SIZE, PAGE_KERNEL, 272 &page->page_ptr); 273 flush_cache_vmap((unsigned long)page_addr, 274 (unsigned long)page_addr + PAGE_SIZE); 275 if (ret != 1) { 276 pr_err("%d: binder_alloc_buf failed to map page at %pK in kernel\n", 277 alloc->pid, page_addr); 278 goto err_map_kernel_failed; 279 } 280 user_page_addr = 281 (uintptr_t)page_addr + alloc->user_buffer_offset; 282 ret = vm_insert_page(vma, user_page_addr, page[0].page_ptr); 283 if (ret) { 284 pr_err("%d: binder_alloc_buf failed to map page at %lx in userspace\n", 285 alloc->pid, user_page_addr); 286 goto err_vm_insert_page_failed; 287 } 288 289 if (index + 1 > alloc->pages_high) 290 alloc->pages_high = index + 1; 291 292 trace_binder_alloc_page_end(alloc, index); 293 /* vm_insert_page does not seem to increment the refcount */ 294 } 295 if (mm) { 296 up_read(&mm->mmap_sem); 297 mmput(mm); 298 } 299 return 0; 300 301 free_range: 302 for (page_addr = end - PAGE_SIZE; page_addr >= start; 303 page_addr -= PAGE_SIZE) { 304 bool ret; 305 size_t index; 306 307 index = (page_addr - alloc->buffer) / PAGE_SIZE; 308 page = &alloc->pages[index]; 309 310 trace_binder_free_lru_start(alloc, index); 311 312 ret = list_lru_add(&binder_alloc_lru, &page->lru); 313 WARN_ON(!ret); 314 315 trace_binder_free_lru_end(alloc, index); 316 continue; 317 318 err_vm_insert_page_failed: 319 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 320 err_map_kernel_failed: 321 __free_page(page->page_ptr); 322 page->page_ptr = NULL; 323 err_alloc_page_failed: 324 err_page_ptr_cleared: 325 ; 326 } 327 err_no_vma: 328 if (mm) { 329 up_read(&mm->mmap_sem); 330 mmput(mm); 331 } 332 return vma ? -ENOMEM : -ESRCH; 333 } 334 335 static struct binder_buffer *binder_alloc_new_buf_locked( 336 struct binder_alloc *alloc, 337 size_t data_size, 338 size_t offsets_size, 339 size_t extra_buffers_size, 340 int is_async) 341 { 342 struct rb_node *n = alloc->free_buffers.rb_node; 343 struct binder_buffer *buffer; 344 size_t buffer_size; 345 struct rb_node *best_fit = NULL; 346 void *has_page_addr; 347 void *end_page_addr; 348 size_t size, data_offsets_size; 349 int ret; 350 351 if (alloc->vma == NULL) { 352 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 353 "%d: binder_alloc_buf, no vma\n", 354 alloc->pid); 355 return ERR_PTR(-ESRCH); 356 } 357 358 data_offsets_size = ALIGN(data_size, sizeof(void *)) + 359 ALIGN(offsets_size, sizeof(void *)); 360 361 if (data_offsets_size < data_size || data_offsets_size < offsets_size) { 362 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 363 "%d: got transaction with invalid size %zd-%zd\n", 364 alloc->pid, data_size, offsets_size); 365 return ERR_PTR(-EINVAL); 366 } 367 size = data_offsets_size + ALIGN(extra_buffers_size, sizeof(void *)); 368 if (size < data_offsets_size || size < extra_buffers_size) { 369 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 370 "%d: got transaction with invalid extra_buffers_size %zd\n", 371 alloc->pid, extra_buffers_size); 372 return ERR_PTR(-EINVAL); 373 } 374 if (is_async && 375 alloc->free_async_space < size + sizeof(struct binder_buffer)) { 376 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 377 "%d: binder_alloc_buf size %zd failed, no async space left\n", 378 alloc->pid, size); 379 return ERR_PTR(-ENOSPC); 380 } 381 382 /* Pad 0-size buffers so they get assigned unique addresses */ 383 size = max(size, sizeof(void *)); 384 385 while (n) { 386 buffer = rb_entry(n, struct binder_buffer, rb_node); 387 BUG_ON(!buffer->free); 388 buffer_size = binder_alloc_buffer_size(alloc, buffer); 389 390 if (size < buffer_size) { 391 best_fit = n; 392 n = n->rb_left; 393 } else if (size > buffer_size) 394 n = n->rb_right; 395 else { 396 best_fit = n; 397 break; 398 } 399 } 400 if (best_fit == NULL) { 401 size_t allocated_buffers = 0; 402 size_t largest_alloc_size = 0; 403 size_t total_alloc_size = 0; 404 size_t free_buffers = 0; 405 size_t largest_free_size = 0; 406 size_t total_free_size = 0; 407 408 for (n = rb_first(&alloc->allocated_buffers); n != NULL; 409 n = rb_next(n)) { 410 buffer = rb_entry(n, struct binder_buffer, rb_node); 411 buffer_size = binder_alloc_buffer_size(alloc, buffer); 412 allocated_buffers++; 413 total_alloc_size += buffer_size; 414 if (buffer_size > largest_alloc_size) 415 largest_alloc_size = buffer_size; 416 } 417 for (n = rb_first(&alloc->free_buffers); n != NULL; 418 n = rb_next(n)) { 419 buffer = rb_entry(n, struct binder_buffer, rb_node); 420 buffer_size = binder_alloc_buffer_size(alloc, buffer); 421 free_buffers++; 422 total_free_size += buffer_size; 423 if (buffer_size > largest_free_size) 424 largest_free_size = buffer_size; 425 } 426 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 427 "%d: binder_alloc_buf size %zd failed, no address space\n", 428 alloc->pid, size); 429 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 430 "allocated: %zd (num: %zd largest: %zd), free: %zd (num: %zd largest: %zd)\n", 431 total_alloc_size, allocated_buffers, 432 largest_alloc_size, total_free_size, 433 free_buffers, largest_free_size); 434 return ERR_PTR(-ENOSPC); 435 } 436 if (n == NULL) { 437 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 438 buffer_size = binder_alloc_buffer_size(alloc, buffer); 439 } 440 441 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 442 "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n", 443 alloc->pid, size, buffer, buffer_size); 444 445 has_page_addr = 446 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 447 WARN_ON(n && buffer_size != size); 448 end_page_addr = 449 (void *)PAGE_ALIGN((uintptr_t)buffer->data + size); 450 if (end_page_addr > has_page_addr) 451 end_page_addr = has_page_addr; 452 ret = binder_update_page_range(alloc, 1, 453 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr); 454 if (ret) 455 return ERR_PTR(ret); 456 457 if (buffer_size != size) { 458 struct binder_buffer *new_buffer; 459 460 new_buffer = kzalloc(sizeof(*buffer), GFP_KERNEL); 461 if (!new_buffer) { 462 pr_err("%s: %d failed to alloc new buffer struct\n", 463 __func__, alloc->pid); 464 goto err_alloc_buf_struct_failed; 465 } 466 new_buffer->data = (u8 *)buffer->data + size; 467 list_add(&new_buffer->entry, &buffer->entry); 468 new_buffer->free = 1; 469 binder_insert_free_buffer(alloc, new_buffer); 470 } 471 472 rb_erase(best_fit, &alloc->free_buffers); 473 buffer->free = 0; 474 buffer->free_in_progress = 0; 475 binder_insert_allocated_buffer_locked(alloc, buffer); 476 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 477 "%d: binder_alloc_buf size %zd got %pK\n", 478 alloc->pid, size, buffer); 479 buffer->data_size = data_size; 480 buffer->offsets_size = offsets_size; 481 buffer->async_transaction = is_async; 482 buffer->extra_buffers_size = extra_buffers_size; 483 if (is_async) { 484 alloc->free_async_space -= size + sizeof(struct binder_buffer); 485 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 486 "%d: binder_alloc_buf size %zd async free %zd\n", 487 alloc->pid, size, alloc->free_async_space); 488 } 489 return buffer; 490 491 err_alloc_buf_struct_failed: 492 binder_update_page_range(alloc, 0, 493 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 494 end_page_addr); 495 return ERR_PTR(-ENOMEM); 496 } 497 498 /** 499 * binder_alloc_new_buf() - Allocate a new binder buffer 500 * @alloc: binder_alloc for this proc 501 * @data_size: size of user data buffer 502 * @offsets_size: user specified buffer offset 503 * @extra_buffers_size: size of extra space for meta-data (eg, security context) 504 * @is_async: buffer for async transaction 505 * 506 * Allocate a new buffer given the requested sizes. Returns 507 * the kernel version of the buffer pointer. The size allocated 508 * is the sum of the three given sizes (each rounded up to 509 * pointer-sized boundary) 510 * 511 * Return: The allocated buffer or %NULL if error 512 */ 513 struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc, 514 size_t data_size, 515 size_t offsets_size, 516 size_t extra_buffers_size, 517 int is_async) 518 { 519 struct binder_buffer *buffer; 520 521 mutex_lock(&alloc->mutex); 522 buffer = binder_alloc_new_buf_locked(alloc, data_size, offsets_size, 523 extra_buffers_size, is_async); 524 mutex_unlock(&alloc->mutex); 525 return buffer; 526 } 527 528 static void *buffer_start_page(struct binder_buffer *buffer) 529 { 530 return (void *)((uintptr_t)buffer->data & PAGE_MASK); 531 } 532 533 static void *prev_buffer_end_page(struct binder_buffer *buffer) 534 { 535 return (void *)(((uintptr_t)(buffer->data) - 1) & PAGE_MASK); 536 } 537 538 static void binder_delete_free_buffer(struct binder_alloc *alloc, 539 struct binder_buffer *buffer) 540 { 541 struct binder_buffer *prev, *next = NULL; 542 bool to_free = true; 543 BUG_ON(alloc->buffers.next == &buffer->entry); 544 prev = binder_buffer_prev(buffer); 545 BUG_ON(!prev->free); 546 if (prev_buffer_end_page(prev) == buffer_start_page(buffer)) { 547 to_free = false; 548 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 549 "%d: merge free, buffer %pK share page with %pK\n", 550 alloc->pid, buffer->data, prev->data); 551 } 552 553 if (!list_is_last(&buffer->entry, &alloc->buffers)) { 554 next = binder_buffer_next(buffer); 555 if (buffer_start_page(next) == buffer_start_page(buffer)) { 556 to_free = false; 557 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 558 "%d: merge free, buffer %pK share page with %pK\n", 559 alloc->pid, 560 buffer->data, 561 next->data); 562 } 563 } 564 565 if (PAGE_ALIGNED(buffer->data)) { 566 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 567 "%d: merge free, buffer start %pK is page aligned\n", 568 alloc->pid, buffer->data); 569 to_free = false; 570 } 571 572 if (to_free) { 573 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 574 "%d: merge free, buffer %pK do not share page with %pK or %pK\n", 575 alloc->pid, buffer->data, 576 prev->data, next ? next->data : NULL); 577 binder_update_page_range(alloc, 0, buffer_start_page(buffer), 578 buffer_start_page(buffer) + PAGE_SIZE); 579 } 580 list_del(&buffer->entry); 581 kfree(buffer); 582 } 583 584 static void binder_free_buf_locked(struct binder_alloc *alloc, 585 struct binder_buffer *buffer) 586 { 587 size_t size, buffer_size; 588 589 buffer_size = binder_alloc_buffer_size(alloc, buffer); 590 591 size = ALIGN(buffer->data_size, sizeof(void *)) + 592 ALIGN(buffer->offsets_size, sizeof(void *)) + 593 ALIGN(buffer->extra_buffers_size, sizeof(void *)); 594 595 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 596 "%d: binder_free_buf %pK size %zd buffer_size %zd\n", 597 alloc->pid, buffer, size, buffer_size); 598 599 BUG_ON(buffer->free); 600 BUG_ON(size > buffer_size); 601 BUG_ON(buffer->transaction != NULL); 602 BUG_ON(buffer->data < alloc->buffer); 603 BUG_ON(buffer->data > alloc->buffer + alloc->buffer_size); 604 605 if (buffer->async_transaction) { 606 alloc->free_async_space += size + sizeof(struct binder_buffer); 607 608 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 609 "%d: binder_free_buf size %zd async free %zd\n", 610 alloc->pid, size, alloc->free_async_space); 611 } 612 613 binder_update_page_range(alloc, 0, 614 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 615 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK)); 616 617 rb_erase(&buffer->rb_node, &alloc->allocated_buffers); 618 buffer->free = 1; 619 if (!list_is_last(&buffer->entry, &alloc->buffers)) { 620 struct binder_buffer *next = binder_buffer_next(buffer); 621 622 if (next->free) { 623 rb_erase(&next->rb_node, &alloc->free_buffers); 624 binder_delete_free_buffer(alloc, next); 625 } 626 } 627 if (alloc->buffers.next != &buffer->entry) { 628 struct binder_buffer *prev = binder_buffer_prev(buffer); 629 630 if (prev->free) { 631 binder_delete_free_buffer(alloc, buffer); 632 rb_erase(&prev->rb_node, &alloc->free_buffers); 633 buffer = prev; 634 } 635 } 636 binder_insert_free_buffer(alloc, buffer); 637 } 638 639 /** 640 * binder_alloc_free_buf() - free a binder buffer 641 * @alloc: binder_alloc for this proc 642 * @buffer: kernel pointer to buffer 643 * 644 * Free the buffer allocated via binder_alloc_new_buffer() 645 */ 646 void binder_alloc_free_buf(struct binder_alloc *alloc, 647 struct binder_buffer *buffer) 648 { 649 mutex_lock(&alloc->mutex); 650 binder_free_buf_locked(alloc, buffer); 651 mutex_unlock(&alloc->mutex); 652 } 653 654 /** 655 * binder_alloc_mmap_handler() - map virtual address space for proc 656 * @alloc: alloc structure for this proc 657 * @vma: vma passed to mmap() 658 * 659 * Called by binder_mmap() to initialize the space specified in 660 * vma for allocating binder buffers 661 * 662 * Return: 663 * 0 = success 664 * -EBUSY = address space already mapped 665 * -ENOMEM = failed to map memory to given address space 666 */ 667 int binder_alloc_mmap_handler(struct binder_alloc *alloc, 668 struct vm_area_struct *vma) 669 { 670 int ret; 671 struct vm_struct *area; 672 const char *failure_string; 673 struct binder_buffer *buffer; 674 675 mutex_lock(&binder_alloc_mmap_lock); 676 if (alloc->buffer) { 677 ret = -EBUSY; 678 failure_string = "already mapped"; 679 goto err_already_mapped; 680 } 681 682 area = get_vm_area(vma->vm_end - vma->vm_start, VM_ALLOC); 683 if (area == NULL) { 684 ret = -ENOMEM; 685 failure_string = "get_vm_area"; 686 goto err_get_vm_area_failed; 687 } 688 alloc->buffer = area->addr; 689 alloc->user_buffer_offset = 690 vma->vm_start - (uintptr_t)alloc->buffer; 691 mutex_unlock(&binder_alloc_mmap_lock); 692 693 #ifdef CONFIG_CPU_CACHE_VIPT 694 if (cache_is_vipt_aliasing()) { 695 while (CACHE_COLOUR( 696 (vma->vm_start ^ (uint32_t)alloc->buffer))) { 697 pr_info("%s: %d %lx-%lx maps %pK bad alignment\n", 698 __func__, alloc->pid, vma->vm_start, 699 vma->vm_end, alloc->buffer); 700 vma->vm_start += PAGE_SIZE; 701 } 702 } 703 #endif 704 alloc->pages = kcalloc((vma->vm_end - vma->vm_start) / PAGE_SIZE, 705 sizeof(alloc->pages[0]), 706 GFP_KERNEL); 707 if (alloc->pages == NULL) { 708 ret = -ENOMEM; 709 failure_string = "alloc page array"; 710 goto err_alloc_pages_failed; 711 } 712 alloc->buffer_size = vma->vm_end - vma->vm_start; 713 714 buffer = kzalloc(sizeof(*buffer), GFP_KERNEL); 715 if (!buffer) { 716 ret = -ENOMEM; 717 failure_string = "alloc buffer struct"; 718 goto err_alloc_buf_struct_failed; 719 } 720 721 buffer->data = alloc->buffer; 722 list_add(&buffer->entry, &alloc->buffers); 723 buffer->free = 1; 724 binder_insert_free_buffer(alloc, buffer); 725 alloc->free_async_space = alloc->buffer_size / 2; 726 barrier(); 727 alloc->vma = vma; 728 alloc->vma_vm_mm = vma->vm_mm; 729 mmgrab(alloc->vma_vm_mm); 730 731 return 0; 732 733 err_alloc_buf_struct_failed: 734 kfree(alloc->pages); 735 alloc->pages = NULL; 736 err_alloc_pages_failed: 737 mutex_lock(&binder_alloc_mmap_lock); 738 vfree(alloc->buffer); 739 alloc->buffer = NULL; 740 err_get_vm_area_failed: 741 err_already_mapped: 742 mutex_unlock(&binder_alloc_mmap_lock); 743 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 744 "%s: %d %lx-%lx %s failed %d\n", __func__, 745 alloc->pid, vma->vm_start, vma->vm_end, 746 failure_string, ret); 747 return ret; 748 } 749 750 751 void binder_alloc_deferred_release(struct binder_alloc *alloc) 752 { 753 struct rb_node *n; 754 int buffers, page_count; 755 struct binder_buffer *buffer; 756 757 BUG_ON(alloc->vma); 758 759 buffers = 0; 760 mutex_lock(&alloc->mutex); 761 while ((n = rb_first(&alloc->allocated_buffers))) { 762 buffer = rb_entry(n, struct binder_buffer, rb_node); 763 764 /* Transaction should already have been freed */ 765 BUG_ON(buffer->transaction); 766 767 binder_free_buf_locked(alloc, buffer); 768 buffers++; 769 } 770 771 while (!list_empty(&alloc->buffers)) { 772 buffer = list_first_entry(&alloc->buffers, 773 struct binder_buffer, entry); 774 WARN_ON(!buffer->free); 775 776 list_del(&buffer->entry); 777 WARN_ON_ONCE(!list_empty(&alloc->buffers)); 778 kfree(buffer); 779 } 780 781 page_count = 0; 782 if (alloc->pages) { 783 int i; 784 785 for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) { 786 void *page_addr; 787 bool on_lru; 788 789 if (!alloc->pages[i].page_ptr) 790 continue; 791 792 on_lru = list_lru_del(&binder_alloc_lru, 793 &alloc->pages[i].lru); 794 page_addr = alloc->buffer + i * PAGE_SIZE; 795 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 796 "%s: %d: page %d at %pK %s\n", 797 __func__, alloc->pid, i, page_addr, 798 on_lru ? "on lru" : "active"); 799 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 800 __free_page(alloc->pages[i].page_ptr); 801 page_count++; 802 } 803 kfree(alloc->pages); 804 vfree(alloc->buffer); 805 } 806 mutex_unlock(&alloc->mutex); 807 if (alloc->vma_vm_mm) 808 mmdrop(alloc->vma_vm_mm); 809 810 binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE, 811 "%s: %d buffers %d, pages %d\n", 812 __func__, alloc->pid, buffers, page_count); 813 } 814 815 static void print_binder_buffer(struct seq_file *m, const char *prefix, 816 struct binder_buffer *buffer) 817 { 818 seq_printf(m, "%s %d: %pK size %zd:%zd:%zd %s\n", 819 prefix, buffer->debug_id, buffer->data, 820 buffer->data_size, buffer->offsets_size, 821 buffer->extra_buffers_size, 822 buffer->transaction ? "active" : "delivered"); 823 } 824 825 /** 826 * binder_alloc_print_allocated() - print buffer info 827 * @m: seq_file for output via seq_printf() 828 * @alloc: binder_alloc for this proc 829 * 830 * Prints information about every buffer associated with 831 * the binder_alloc state to the given seq_file 832 */ 833 void binder_alloc_print_allocated(struct seq_file *m, 834 struct binder_alloc *alloc) 835 { 836 struct rb_node *n; 837 838 mutex_lock(&alloc->mutex); 839 for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n)) 840 print_binder_buffer(m, " buffer", 841 rb_entry(n, struct binder_buffer, rb_node)); 842 mutex_unlock(&alloc->mutex); 843 } 844 845 /** 846 * binder_alloc_print_pages() - print page usage 847 * @m: seq_file for output via seq_printf() 848 * @alloc: binder_alloc for this proc 849 */ 850 void binder_alloc_print_pages(struct seq_file *m, 851 struct binder_alloc *alloc) 852 { 853 struct binder_lru_page *page; 854 int i; 855 int active = 0; 856 int lru = 0; 857 int free = 0; 858 859 mutex_lock(&alloc->mutex); 860 for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) { 861 page = &alloc->pages[i]; 862 if (!page->page_ptr) 863 free++; 864 else if (list_empty(&page->lru)) 865 active++; 866 else 867 lru++; 868 } 869 mutex_unlock(&alloc->mutex); 870 seq_printf(m, " pages: %d:%d:%d\n", active, lru, free); 871 seq_printf(m, " pages high watermark: %zu\n", alloc->pages_high); 872 } 873 874 /** 875 * binder_alloc_get_allocated_count() - return count of buffers 876 * @alloc: binder_alloc for this proc 877 * 878 * Return: count of allocated buffers 879 */ 880 int binder_alloc_get_allocated_count(struct binder_alloc *alloc) 881 { 882 struct rb_node *n; 883 int count = 0; 884 885 mutex_lock(&alloc->mutex); 886 for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n)) 887 count++; 888 mutex_unlock(&alloc->mutex); 889 return count; 890 } 891 892 893 /** 894 * binder_alloc_vma_close() - invalidate address space 895 * @alloc: binder_alloc for this proc 896 * 897 * Called from binder_vma_close() when releasing address space. 898 * Clears alloc->vma to prevent new incoming transactions from 899 * allocating more buffers. 900 */ 901 void binder_alloc_vma_close(struct binder_alloc *alloc) 902 { 903 WRITE_ONCE(alloc->vma, NULL); 904 } 905 906 /** 907 * binder_alloc_free_page() - shrinker callback to free pages 908 * @item: item to free 909 * @lock: lock protecting the item 910 * @cb_arg: callback argument 911 * 912 * Called from list_lru_walk() in binder_shrink_scan() to free 913 * up pages when the system is under memory pressure. 914 */ 915 enum lru_status binder_alloc_free_page(struct list_head *item, 916 struct list_lru_one *lru, 917 spinlock_t *lock, 918 void *cb_arg) 919 { 920 struct mm_struct *mm = NULL; 921 struct binder_lru_page *page = container_of(item, 922 struct binder_lru_page, 923 lru); 924 struct binder_alloc *alloc; 925 uintptr_t page_addr; 926 size_t index; 927 struct vm_area_struct *vma; 928 929 alloc = page->alloc; 930 if (!mutex_trylock(&alloc->mutex)) 931 goto err_get_alloc_mutex_failed; 932 933 if (!page->page_ptr) 934 goto err_page_already_freed; 935 936 index = page - alloc->pages; 937 page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; 938 vma = alloc->vma; 939 if (vma) { 940 if (!mmget_not_zero(alloc->vma_vm_mm)) 941 goto err_mmget; 942 mm = alloc->vma_vm_mm; 943 if (!down_write_trylock(&mm->mmap_sem)) 944 goto err_down_write_mmap_sem_failed; 945 } 946 947 list_lru_isolate(lru, item); 948 spin_unlock(lock); 949 950 if (vma) { 951 trace_binder_unmap_user_start(alloc, index); 952 953 zap_page_range(vma, 954 page_addr + alloc->user_buffer_offset, 955 PAGE_SIZE); 956 957 trace_binder_unmap_user_end(alloc, index); 958 959 up_write(&mm->mmap_sem); 960 mmput(mm); 961 } 962 963 trace_binder_unmap_kernel_start(alloc, index); 964 965 unmap_kernel_range(page_addr, PAGE_SIZE); 966 __free_page(page->page_ptr); 967 page->page_ptr = NULL; 968 969 trace_binder_unmap_kernel_end(alloc, index); 970 971 spin_lock(lock); 972 mutex_unlock(&alloc->mutex); 973 return LRU_REMOVED_RETRY; 974 975 err_down_write_mmap_sem_failed: 976 mmput_async(mm); 977 err_mmget: 978 err_page_already_freed: 979 mutex_unlock(&alloc->mutex); 980 err_get_alloc_mutex_failed: 981 return LRU_SKIP; 982 } 983 984 static unsigned long 985 binder_shrink_count(struct shrinker *shrink, struct shrink_control *sc) 986 { 987 unsigned long ret = list_lru_count(&binder_alloc_lru); 988 return ret; 989 } 990 991 static unsigned long 992 binder_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) 993 { 994 unsigned long ret; 995 996 ret = list_lru_walk(&binder_alloc_lru, binder_alloc_free_page, 997 NULL, sc->nr_to_scan); 998 return ret; 999 } 1000 1001 static struct shrinker binder_shrinker = { 1002 .count_objects = binder_shrink_count, 1003 .scan_objects = binder_shrink_scan, 1004 .seeks = DEFAULT_SEEKS, 1005 }; 1006 1007 /** 1008 * binder_alloc_init() - called by binder_open() for per-proc initialization 1009 * @alloc: binder_alloc for this proc 1010 * 1011 * Called from binder_open() to initialize binder_alloc fields for 1012 * new binder proc 1013 */ 1014 void binder_alloc_init(struct binder_alloc *alloc) 1015 { 1016 alloc->pid = current->group_leader->pid; 1017 mutex_init(&alloc->mutex); 1018 INIT_LIST_HEAD(&alloc->buffers); 1019 } 1020 1021 int binder_alloc_shrinker_init(void) 1022 { 1023 int ret = list_lru_init(&binder_alloc_lru); 1024 1025 if (ret == 0) { 1026 ret = register_shrinker(&binder_shrinker); 1027 if (ret) 1028 list_lru_destroy(&binder_alloc_lru); 1029 } 1030 return ret; 1031 } 1032