binder.c revision 2a90957f2cfc2bf0b705a62a97830cf0d42a5a40
1/* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18#include <asm/cacheflush.h> 19#include <linux/fdtable.h> 20#include <linux/file.h> 21#include <linux/fs.h> 22#include <linux/list.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/mutex.h> 27#include <linux/nsproxy.h> 28#include <linux/poll.h> 29#include <linux/debugfs.h> 30#include <linux/rbtree.h> 31#include <linux/sched.h> 32#include <linux/seq_file.h> 33#include <linux/uaccess.h> 34#include <linux/vmalloc.h> 35#include <linux/slab.h> 36 37#include "binder.h" 38 39static DEFINE_MUTEX(binder_lock); 40static DEFINE_MUTEX(binder_deferred_lock); 41static DEFINE_MUTEX(binder_mmap_lock); 42 43static HLIST_HEAD(binder_procs); 44static HLIST_HEAD(binder_deferred_list); 45static HLIST_HEAD(binder_dead_nodes); 46 47static struct dentry *binder_debugfs_dir_entry_root; 48static struct dentry *binder_debugfs_dir_entry_proc; 49static struct binder_node *binder_context_mgr_node; 50static uid_t binder_context_mgr_uid = -1; 51static int binder_last_id; 52static struct workqueue_struct *binder_deferred_workqueue; 53 54#define BINDER_DEBUG_ENTRY(name) \ 55static int binder_##name##_open(struct inode *inode, struct file *file) \ 56{ \ 57 return single_open(file, binder_##name##_show, inode->i_private); \ 58} \ 59\ 60static const struct file_operations binder_##name##_fops = { \ 61 .owner = THIS_MODULE, \ 62 .open = binder_##name##_open, \ 63 .read = seq_read, \ 64 .llseek = seq_lseek, \ 65 .release = single_release, \ 66} 67 68static int binder_proc_show(struct seq_file *m, void *unused); 69BINDER_DEBUG_ENTRY(proc); 70 71/* This is only defined in include/asm-arm/sizes.h */ 72#ifndef SZ_1K 73#define SZ_1K 0x400 74#endif 75 76#ifndef SZ_4M 77#define SZ_4M 0x400000 78#endif 79 80#define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 81 82#define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 83 84enum { 85 BINDER_DEBUG_USER_ERROR = 1U << 0, 86 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 87 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 88 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 89 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 90 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 91 BINDER_DEBUG_READ_WRITE = 1U << 6, 92 BINDER_DEBUG_USER_REFS = 1U << 7, 93 BINDER_DEBUG_THREADS = 1U << 8, 94 BINDER_DEBUG_TRANSACTION = 1U << 9, 95 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 96 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 97 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 98 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 99 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 100 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 101}; 102static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 103 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 104module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 105 106static bool binder_debug_no_lock; 107module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 108 109static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 110static int binder_stop_on_user_error; 111 112static int binder_set_stop_on_user_error(const char *val, 113 struct kernel_param *kp) 114{ 115 int ret; 116 ret = param_set_int(val, kp); 117 if (binder_stop_on_user_error < 2) 118 wake_up(&binder_user_error_wait); 119 return ret; 120} 121module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 122 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 123 124#define binder_debug(mask, x...) \ 125 do { \ 126 if (binder_debug_mask & mask) \ 127 printk(KERN_INFO x); \ 128 } while (0) 129 130#define binder_user_error(x...) \ 131 do { \ 132 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 133 printk(KERN_INFO x); \ 134 if (binder_stop_on_user_error) \ 135 binder_stop_on_user_error = 2; \ 136 } while (0) 137 138enum binder_stat_types { 139 BINDER_STAT_PROC, 140 BINDER_STAT_THREAD, 141 BINDER_STAT_NODE, 142 BINDER_STAT_REF, 143 BINDER_STAT_DEATH, 144 BINDER_STAT_TRANSACTION, 145 BINDER_STAT_TRANSACTION_COMPLETE, 146 BINDER_STAT_COUNT 147}; 148 149struct binder_stats { 150 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 151 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 152 int obj_created[BINDER_STAT_COUNT]; 153 int obj_deleted[BINDER_STAT_COUNT]; 154}; 155 156static struct binder_stats binder_stats; 157 158static inline void binder_stats_deleted(enum binder_stat_types type) 159{ 160 binder_stats.obj_deleted[type]++; 161} 162 163static inline void binder_stats_created(enum binder_stat_types type) 164{ 165 binder_stats.obj_created[type]++; 166} 167 168struct binder_transaction_log_entry { 169 int debug_id; 170 int call_type; 171 int from_proc; 172 int from_thread; 173 int target_handle; 174 int to_proc; 175 int to_thread; 176 int to_node; 177 int data_size; 178 int offsets_size; 179}; 180struct binder_transaction_log { 181 int next; 182 int full; 183 struct binder_transaction_log_entry entry[32]; 184}; 185static struct binder_transaction_log binder_transaction_log; 186static struct binder_transaction_log binder_transaction_log_failed; 187 188static struct binder_transaction_log_entry *binder_transaction_log_add( 189 struct binder_transaction_log *log) 190{ 191 struct binder_transaction_log_entry *e; 192 e = &log->entry[log->next]; 193 memset(e, 0, sizeof(*e)); 194 log->next++; 195 if (log->next == ARRAY_SIZE(log->entry)) { 196 log->next = 0; 197 log->full = 1; 198 } 199 return e; 200} 201 202struct binder_work { 203 struct list_head entry; 204 enum { 205 BINDER_WORK_TRANSACTION = 1, 206 BINDER_WORK_TRANSACTION_COMPLETE, 207 BINDER_WORK_NODE, 208 BINDER_WORK_DEAD_BINDER, 209 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 210 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 211 } type; 212}; 213 214struct binder_node { 215 int debug_id; 216 struct binder_work work; 217 union { 218 struct rb_node rb_node; 219 struct hlist_node dead_node; 220 }; 221 struct binder_proc *proc; 222 struct hlist_head refs; 223 int internal_strong_refs; 224 int local_weak_refs; 225 int local_strong_refs; 226 void __user *ptr; 227 void __user *cookie; 228 unsigned has_strong_ref:1; 229 unsigned pending_strong_ref:1; 230 unsigned has_weak_ref:1; 231 unsigned pending_weak_ref:1; 232 unsigned has_async_transaction:1; 233 unsigned accept_fds:1; 234 unsigned min_priority:8; 235 struct list_head async_todo; 236}; 237 238struct binder_ref_death { 239 struct binder_work work; 240 void __user *cookie; 241}; 242 243struct binder_ref { 244 /* Lookups needed: */ 245 /* node + proc => ref (transaction) */ 246 /* desc + proc => ref (transaction, inc/dec ref) */ 247 /* node => refs + procs (proc exit) */ 248 int debug_id; 249 struct rb_node rb_node_desc; 250 struct rb_node rb_node_node; 251 struct hlist_node node_entry; 252 struct binder_proc *proc; 253 struct binder_node *node; 254 uint32_t desc; 255 int strong; 256 int weak; 257 struct binder_ref_death *death; 258}; 259 260struct binder_buffer { 261 struct list_head entry; /* free and allocated entries by address */ 262 struct rb_node rb_node; /* free entry by size or allocated entry */ 263 /* by address */ 264 unsigned free:1; 265 unsigned allow_user_free:1; 266 unsigned async_transaction:1; 267 unsigned debug_id:29; 268 269 struct binder_transaction *transaction; 270 271 struct binder_node *target_node; 272 size_t data_size; 273 size_t offsets_size; 274 uint8_t data[0]; 275}; 276 277enum binder_deferred_state { 278 BINDER_DEFERRED_PUT_FILES = 0x01, 279 BINDER_DEFERRED_FLUSH = 0x02, 280 BINDER_DEFERRED_RELEASE = 0x04, 281}; 282 283struct binder_proc { 284 struct hlist_node proc_node; 285 struct rb_root threads; 286 struct rb_root nodes; 287 struct rb_root refs_by_desc; 288 struct rb_root refs_by_node; 289 int pid; 290 struct vm_area_struct *vma; 291 struct mm_struct *vma_vm_mm; 292 struct task_struct *tsk; 293 struct files_struct *files; 294 struct hlist_node deferred_work_node; 295 int deferred_work; 296 void *buffer; 297 ptrdiff_t user_buffer_offset; 298 299 struct list_head buffers; 300 struct rb_root free_buffers; 301 struct rb_root allocated_buffers; 302 size_t free_async_space; 303 304 struct page **pages; 305 size_t buffer_size; 306 uint32_t buffer_free; 307 struct list_head todo; 308 wait_queue_head_t wait; 309 struct binder_stats stats; 310 struct list_head delivered_death; 311 int max_threads; 312 int requested_threads; 313 int requested_threads_started; 314 int ready_threads; 315 long default_priority; 316 struct dentry *debugfs_entry; 317}; 318 319enum { 320 BINDER_LOOPER_STATE_REGISTERED = 0x01, 321 BINDER_LOOPER_STATE_ENTERED = 0x02, 322 BINDER_LOOPER_STATE_EXITED = 0x04, 323 BINDER_LOOPER_STATE_INVALID = 0x08, 324 BINDER_LOOPER_STATE_WAITING = 0x10, 325 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 326}; 327 328struct binder_thread { 329 struct binder_proc *proc; 330 struct rb_node rb_node; 331 int pid; 332 int looper; 333 struct binder_transaction *transaction_stack; 334 struct list_head todo; 335 uint32_t return_error; /* Write failed, return error code in read buf */ 336 uint32_t return_error2; /* Write failed, return error code in read */ 337 /* buffer. Used when sending a reply to a dead process that */ 338 /* we are also waiting on */ 339 wait_queue_head_t wait; 340 struct binder_stats stats; 341}; 342 343struct binder_transaction { 344 int debug_id; 345 struct binder_work work; 346 struct binder_thread *from; 347 struct binder_transaction *from_parent; 348 struct binder_proc *to_proc; 349 struct binder_thread *to_thread; 350 struct binder_transaction *to_parent; 351 unsigned need_reply:1; 352 /* unsigned is_dead:1; */ /* not used at the moment */ 353 354 struct binder_buffer *buffer; 355 unsigned int code; 356 unsigned int flags; 357 long priority; 358 long saved_priority; 359 uid_t sender_euid; 360}; 361 362static void 363binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer); 364 365/* 366 * copied from get_unused_fd_flags 367 */ 368int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 369{ 370 struct files_struct *files = proc->files; 371 int fd, error; 372 struct fdtable *fdt; 373 unsigned long rlim_cur; 374 unsigned long irqs; 375 376 if (files == NULL) 377 return -ESRCH; 378 379 error = -EMFILE; 380 spin_lock(&files->file_lock); 381 382repeat: 383 fdt = files_fdtable(files); 384 fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds, 385 files->next_fd); 386 387 /* 388 * N.B. For clone tasks sharing a files structure, this test 389 * will limit the total number of files that can be opened. 390 */ 391 rlim_cur = 0; 392 if (lock_task_sighand(proc->tsk, &irqs)) { 393 rlim_cur = proc->tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; 394 unlock_task_sighand(proc->tsk, &irqs); 395 } 396 if (fd >= rlim_cur) 397 goto out; 398 399 /* Do we need to expand the fd array or fd set? */ 400 error = expand_files(files, fd); 401 if (error < 0) 402 goto out; 403 404 if (error) { 405 /* 406 * If we needed to expand the fs array we 407 * might have blocked - try again. 408 */ 409 error = -EMFILE; 410 goto repeat; 411 } 412 413 FD_SET(fd, fdt->open_fds); 414 if (flags & O_CLOEXEC) 415 FD_SET(fd, fdt->close_on_exec); 416 else 417 FD_CLR(fd, fdt->close_on_exec); 418 files->next_fd = fd + 1; 419#if 1 420 /* Sanity check */ 421 if (fdt->fd[fd] != NULL) { 422 printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); 423 fdt->fd[fd] = NULL; 424 } 425#endif 426 error = fd; 427 428out: 429 spin_unlock(&files->file_lock); 430 return error; 431} 432 433/* 434 * copied from fd_install 435 */ 436static void task_fd_install( 437 struct binder_proc *proc, unsigned int fd, struct file *file) 438{ 439 struct files_struct *files = proc->files; 440 struct fdtable *fdt; 441 442 if (files == NULL) 443 return; 444 445 spin_lock(&files->file_lock); 446 fdt = files_fdtable(files); 447 BUG_ON(fdt->fd[fd] != NULL); 448 rcu_assign_pointer(fdt->fd[fd], file); 449 spin_unlock(&files->file_lock); 450} 451 452/* 453 * copied from __put_unused_fd in open.c 454 */ 455static void __put_unused_fd(struct files_struct *files, unsigned int fd) 456{ 457 struct fdtable *fdt = files_fdtable(files); 458 __FD_CLR(fd, fdt->open_fds); 459 if (fd < files->next_fd) 460 files->next_fd = fd; 461} 462 463/* 464 * copied from sys_close 465 */ 466static long task_close_fd(struct binder_proc *proc, unsigned int fd) 467{ 468 struct file *filp; 469 struct files_struct *files = proc->files; 470 struct fdtable *fdt; 471 int retval; 472 473 if (files == NULL) 474 return -ESRCH; 475 476 spin_lock(&files->file_lock); 477 fdt = files_fdtable(files); 478 if (fd >= fdt->max_fds) 479 goto out_unlock; 480 filp = fdt->fd[fd]; 481 if (!filp) 482 goto out_unlock; 483 rcu_assign_pointer(fdt->fd[fd], NULL); 484 FD_CLR(fd, fdt->close_on_exec); 485 __put_unused_fd(files, fd); 486 spin_unlock(&files->file_lock); 487 retval = filp_close(filp, files); 488 489 /* can't restart close syscall because file table entry was cleared */ 490 if (unlikely(retval == -ERESTARTSYS || 491 retval == -ERESTARTNOINTR || 492 retval == -ERESTARTNOHAND || 493 retval == -ERESTART_RESTARTBLOCK)) 494 retval = -EINTR; 495 496 return retval; 497 498out_unlock: 499 spin_unlock(&files->file_lock); 500 return -EBADF; 501} 502 503static void binder_set_nice(long nice) 504{ 505 long min_nice; 506 if (can_nice(current, nice)) { 507 set_user_nice(current, nice); 508 return; 509 } 510 min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 511 binder_debug(BINDER_DEBUG_PRIORITY_CAP, 512 "binder: %d: nice value %ld not allowed use " 513 "%ld instead\n", current->pid, nice, min_nice); 514 set_user_nice(current, min_nice); 515 if (min_nice < 20) 516 return; 517 binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 518} 519 520static size_t binder_buffer_size(struct binder_proc *proc, 521 struct binder_buffer *buffer) 522{ 523 if (list_is_last(&buffer->entry, &proc->buffers)) 524 return proc->buffer + proc->buffer_size - (void *)buffer->data; 525 else 526 return (size_t)list_entry(buffer->entry.next, 527 struct binder_buffer, entry) - (size_t)buffer->data; 528} 529 530static void binder_insert_free_buffer(struct binder_proc *proc, 531 struct binder_buffer *new_buffer) 532{ 533 struct rb_node **p = &proc->free_buffers.rb_node; 534 struct rb_node *parent = NULL; 535 struct binder_buffer *buffer; 536 size_t buffer_size; 537 size_t new_buffer_size; 538 539 BUG_ON(!new_buffer->free); 540 541 new_buffer_size = binder_buffer_size(proc, new_buffer); 542 543 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 544 "binder: %d: add free buffer, size %zd, " 545 "at %p\n", proc->pid, new_buffer_size, new_buffer); 546 547 while (*p) { 548 parent = *p; 549 buffer = rb_entry(parent, struct binder_buffer, rb_node); 550 BUG_ON(!buffer->free); 551 552 buffer_size = binder_buffer_size(proc, buffer); 553 554 if (new_buffer_size < buffer_size) 555 p = &parent->rb_left; 556 else 557 p = &parent->rb_right; 558 } 559 rb_link_node(&new_buffer->rb_node, parent, p); 560 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 561} 562 563static void binder_insert_allocated_buffer(struct binder_proc *proc, 564 struct binder_buffer *new_buffer) 565{ 566 struct rb_node **p = &proc->allocated_buffers.rb_node; 567 struct rb_node *parent = NULL; 568 struct binder_buffer *buffer; 569 570 BUG_ON(new_buffer->free); 571 572 while (*p) { 573 parent = *p; 574 buffer = rb_entry(parent, struct binder_buffer, rb_node); 575 BUG_ON(buffer->free); 576 577 if (new_buffer < buffer) 578 p = &parent->rb_left; 579 else if (new_buffer > buffer) 580 p = &parent->rb_right; 581 else 582 BUG(); 583 } 584 rb_link_node(&new_buffer->rb_node, parent, p); 585 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 586} 587 588static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc, 589 void __user *user_ptr) 590{ 591 struct rb_node *n = proc->allocated_buffers.rb_node; 592 struct binder_buffer *buffer; 593 struct binder_buffer *kern_ptr; 594 595 kern_ptr = user_ptr - proc->user_buffer_offset 596 - offsetof(struct binder_buffer, data); 597 598 while (n) { 599 buffer = rb_entry(n, struct binder_buffer, rb_node); 600 BUG_ON(buffer->free); 601 602 if (kern_ptr < buffer) 603 n = n->rb_left; 604 else if (kern_ptr > buffer) 605 n = n->rb_right; 606 else 607 return buffer; 608 } 609 return NULL; 610} 611 612static int binder_update_page_range(struct binder_proc *proc, int allocate, 613 void *start, void *end, 614 struct vm_area_struct *vma) 615{ 616 void *page_addr; 617 unsigned long user_page_addr; 618 struct vm_struct tmp_area; 619 struct page **page; 620 struct mm_struct *mm; 621 622 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 623 "binder: %d: %s pages %p-%p\n", proc->pid, 624 allocate ? "allocate" : "free", start, end); 625 626 if (end <= start) 627 return 0; 628 629 if (vma) 630 mm = NULL; 631 else 632 mm = get_task_mm(proc->tsk); 633 634 if (mm) { 635 down_write(&mm->mmap_sem); 636 vma = proc->vma; 637 if (vma && mm != proc->vma_vm_mm) { 638 pr_err("binder: %d: vma mm and task mm mismatch\n", 639 proc->pid); 640 vma = NULL; 641 } 642 } 643 644 if (allocate == 0) 645 goto free_range; 646 647 if (vma == NULL) { 648 printk(KERN_ERR "binder: %d: binder_alloc_buf failed to " 649 "map pages in userspace, no vma\n", proc->pid); 650 goto err_no_vma; 651 } 652 653 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 654 int ret; 655 struct page **page_array_ptr; 656 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 657 658 BUG_ON(*page); 659 *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 660 if (*page == NULL) { 661 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 662 "for page at %p\n", proc->pid, page_addr); 663 goto err_alloc_page_failed; 664 } 665 tmp_area.addr = page_addr; 666 tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 667 page_array_ptr = page; 668 ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 669 if (ret) { 670 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 671 "to map page at %p in kernel\n", 672 proc->pid, page_addr); 673 goto err_map_kernel_failed; 674 } 675 user_page_addr = 676 (uintptr_t)page_addr + proc->user_buffer_offset; 677 ret = vm_insert_page(vma, user_page_addr, page[0]); 678 if (ret) { 679 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 680 "to map page at %lx in userspace\n", 681 proc->pid, user_page_addr); 682 goto err_vm_insert_page_failed; 683 } 684 /* vm_insert_page does not seem to increment the refcount */ 685 } 686 if (mm) { 687 up_write(&mm->mmap_sem); 688 mmput(mm); 689 } 690 return 0; 691 692free_range: 693 for (page_addr = end - PAGE_SIZE; page_addr >= start; 694 page_addr -= PAGE_SIZE) { 695 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 696 if (vma) 697 zap_page_range(vma, (uintptr_t)page_addr + 698 proc->user_buffer_offset, PAGE_SIZE, NULL); 699err_vm_insert_page_failed: 700 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 701err_map_kernel_failed: 702 __free_page(*page); 703 *page = NULL; 704err_alloc_page_failed: 705 ; 706 } 707err_no_vma: 708 if (mm) { 709 up_write(&mm->mmap_sem); 710 mmput(mm); 711 } 712 return -ENOMEM; 713} 714 715static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 716 size_t data_size, 717 size_t offsets_size, int is_async) 718{ 719 struct rb_node *n = proc->free_buffers.rb_node; 720 struct binder_buffer *buffer; 721 size_t buffer_size; 722 struct rb_node *best_fit = NULL; 723 void *has_page_addr; 724 void *end_page_addr; 725 size_t size; 726 727 if (proc->vma == NULL) { 728 printk(KERN_ERR "binder: %d: binder_alloc_buf, no vma\n", 729 proc->pid); 730 return NULL; 731 } 732 733 size = ALIGN(data_size, sizeof(void *)) + 734 ALIGN(offsets_size, sizeof(void *)); 735 736 if (size < data_size || size < offsets_size) { 737 binder_user_error("binder: %d: got transaction with invalid " 738 "size %zd-%zd\n", proc->pid, data_size, offsets_size); 739 return NULL; 740 } 741 742 if (is_async && 743 proc->free_async_space < size + sizeof(struct binder_buffer)) { 744 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 745 "binder: %d: binder_alloc_buf size %zd" 746 "failed, no async space left\n", proc->pid, size); 747 return NULL; 748 } 749 750 while (n) { 751 buffer = rb_entry(n, struct binder_buffer, rb_node); 752 BUG_ON(!buffer->free); 753 buffer_size = binder_buffer_size(proc, buffer); 754 755 if (size < buffer_size) { 756 best_fit = n; 757 n = n->rb_left; 758 } else if (size > buffer_size) 759 n = n->rb_right; 760 else { 761 best_fit = n; 762 break; 763 } 764 } 765 if (best_fit == NULL) { 766 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd failed, " 767 "no address space\n", proc->pid, size); 768 return NULL; 769 } 770 if (n == NULL) { 771 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 772 buffer_size = binder_buffer_size(proc, buffer); 773 } 774 775 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 776 "binder: %d: binder_alloc_buf size %zd got buff" 777 "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 778 779 has_page_addr = 780 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 781 if (n == NULL) { 782 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 783 buffer_size = size; /* no room for other buffers */ 784 else 785 buffer_size = size + sizeof(struct binder_buffer); 786 } 787 end_page_addr = 788 (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); 789 if (end_page_addr > has_page_addr) 790 end_page_addr = has_page_addr; 791 if (binder_update_page_range(proc, 1, 792 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) 793 return NULL; 794 795 rb_erase(best_fit, &proc->free_buffers); 796 buffer->free = 0; 797 binder_insert_allocated_buffer(proc, buffer); 798 if (buffer_size != size) { 799 struct binder_buffer *new_buffer = (void *)buffer->data + size; 800 list_add(&new_buffer->entry, &buffer->entry); 801 new_buffer->free = 1; 802 binder_insert_free_buffer(proc, new_buffer); 803 } 804 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 805 "binder: %d: binder_alloc_buf size %zd got " 806 "%p\n", proc->pid, size, buffer); 807 buffer->data_size = data_size; 808 buffer->offsets_size = offsets_size; 809 buffer->async_transaction = is_async; 810 if (is_async) { 811 proc->free_async_space -= size + sizeof(struct binder_buffer); 812 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 813 "binder: %d: binder_alloc_buf size %zd " 814 "async free %zd\n", proc->pid, size, 815 proc->free_async_space); 816 } 817 818 return buffer; 819} 820 821static void *buffer_start_page(struct binder_buffer *buffer) 822{ 823 return (void *)((uintptr_t)buffer & PAGE_MASK); 824} 825 826static void *buffer_end_page(struct binder_buffer *buffer) 827{ 828 return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); 829} 830 831static void binder_delete_free_buffer(struct binder_proc *proc, 832 struct binder_buffer *buffer) 833{ 834 struct binder_buffer *prev, *next = NULL; 835 int free_page_end = 1; 836 int free_page_start = 1; 837 838 BUG_ON(proc->buffers.next == &buffer->entry); 839 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 840 BUG_ON(!prev->free); 841 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 842 free_page_start = 0; 843 if (buffer_end_page(prev) == buffer_end_page(buffer)) 844 free_page_end = 0; 845 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 846 "binder: %d: merge free, buffer %p " 847 "share page with %p\n", proc->pid, buffer, prev); 848 } 849 850 if (!list_is_last(&buffer->entry, &proc->buffers)) { 851 next = list_entry(buffer->entry.next, 852 struct binder_buffer, entry); 853 if (buffer_start_page(next) == buffer_end_page(buffer)) { 854 free_page_end = 0; 855 if (buffer_start_page(next) == 856 buffer_start_page(buffer)) 857 free_page_start = 0; 858 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 859 "binder: %d: merge free, buffer" 860 " %p share page with %p\n", proc->pid, 861 buffer, prev); 862 } 863 } 864 list_del(&buffer->entry); 865 if (free_page_start || free_page_end) { 866 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 867 "binder: %d: merge free, buffer %p do " 868 "not share page%s%s with with %p or %p\n", 869 proc->pid, buffer, free_page_start ? "" : " end", 870 free_page_end ? "" : " start", prev, next); 871 binder_update_page_range(proc, 0, free_page_start ? 872 buffer_start_page(buffer) : buffer_end_page(buffer), 873 (free_page_end ? buffer_end_page(buffer) : 874 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 875 } 876} 877 878static void binder_free_buf(struct binder_proc *proc, 879 struct binder_buffer *buffer) 880{ 881 size_t size, buffer_size; 882 883 buffer_size = binder_buffer_size(proc, buffer); 884 885 size = ALIGN(buffer->data_size, sizeof(void *)) + 886 ALIGN(buffer->offsets_size, sizeof(void *)); 887 888 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 889 "binder: %d: binder_free_buf %p size %zd buffer" 890 "_size %zd\n", proc->pid, buffer, size, buffer_size); 891 892 BUG_ON(buffer->free); 893 BUG_ON(size > buffer_size); 894 BUG_ON(buffer->transaction != NULL); 895 BUG_ON((void *)buffer < proc->buffer); 896 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 897 898 if (buffer->async_transaction) { 899 proc->free_async_space += size + sizeof(struct binder_buffer); 900 901 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 902 "binder: %d: binder_free_buf size %zd " 903 "async free %zd\n", proc->pid, size, 904 proc->free_async_space); 905 } 906 907 binder_update_page_range(proc, 0, 908 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 909 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), 910 NULL); 911 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 912 buffer->free = 1; 913 if (!list_is_last(&buffer->entry, &proc->buffers)) { 914 struct binder_buffer *next = list_entry(buffer->entry.next, 915 struct binder_buffer, entry); 916 if (next->free) { 917 rb_erase(&next->rb_node, &proc->free_buffers); 918 binder_delete_free_buffer(proc, next); 919 } 920 } 921 if (proc->buffers.next != &buffer->entry) { 922 struct binder_buffer *prev = list_entry(buffer->entry.prev, 923 struct binder_buffer, entry); 924 if (prev->free) { 925 binder_delete_free_buffer(proc, buffer); 926 rb_erase(&prev->rb_node, &proc->free_buffers); 927 buffer = prev; 928 } 929 } 930 binder_insert_free_buffer(proc, buffer); 931} 932 933static struct binder_node *binder_get_node(struct binder_proc *proc, 934 void __user *ptr) 935{ 936 struct rb_node *n = proc->nodes.rb_node; 937 struct binder_node *node; 938 939 while (n) { 940 node = rb_entry(n, struct binder_node, rb_node); 941 942 if (ptr < node->ptr) 943 n = n->rb_left; 944 else if (ptr > node->ptr) 945 n = n->rb_right; 946 else 947 return node; 948 } 949 return NULL; 950} 951 952static struct binder_node *binder_new_node(struct binder_proc *proc, 953 void __user *ptr, 954 void __user *cookie) 955{ 956 struct rb_node **p = &proc->nodes.rb_node; 957 struct rb_node *parent = NULL; 958 struct binder_node *node; 959 960 while (*p) { 961 parent = *p; 962 node = rb_entry(parent, struct binder_node, rb_node); 963 964 if (ptr < node->ptr) 965 p = &(*p)->rb_left; 966 else if (ptr > node->ptr) 967 p = &(*p)->rb_right; 968 else 969 return NULL; 970 } 971 972 node = kzalloc(sizeof(*node), GFP_KERNEL); 973 if (node == NULL) 974 return NULL; 975 binder_stats_created(BINDER_STAT_NODE); 976 rb_link_node(&node->rb_node, parent, p); 977 rb_insert_color(&node->rb_node, &proc->nodes); 978 node->debug_id = ++binder_last_id; 979 node->proc = proc; 980 node->ptr = ptr; 981 node->cookie = cookie; 982 node->work.type = BINDER_WORK_NODE; 983 INIT_LIST_HEAD(&node->work.entry); 984 INIT_LIST_HEAD(&node->async_todo); 985 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 986 "binder: %d:%d node %d u%p c%p created\n", 987 proc->pid, current->pid, node->debug_id, 988 node->ptr, node->cookie); 989 return node; 990} 991 992static int binder_inc_node(struct binder_node *node, int strong, int internal, 993 struct list_head *target_list) 994{ 995 if (strong) { 996 if (internal) { 997 if (target_list == NULL && 998 node->internal_strong_refs == 0 && 999 !(node == binder_context_mgr_node && 1000 node->has_strong_ref)) { 1001 printk(KERN_ERR "binder: invalid inc strong " 1002 "node for %d\n", node->debug_id); 1003 return -EINVAL; 1004 } 1005 node->internal_strong_refs++; 1006 } else 1007 node->local_strong_refs++; 1008 if (!node->has_strong_ref && target_list) { 1009 list_del_init(&node->work.entry); 1010 list_add_tail(&node->work.entry, target_list); 1011 } 1012 } else { 1013 if (!internal) 1014 node->local_weak_refs++; 1015 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 1016 if (target_list == NULL) { 1017 printk(KERN_ERR "binder: invalid inc weak node " 1018 "for %d\n", node->debug_id); 1019 return -EINVAL; 1020 } 1021 list_add_tail(&node->work.entry, target_list); 1022 } 1023 } 1024 return 0; 1025} 1026 1027static int binder_dec_node(struct binder_node *node, int strong, int internal) 1028{ 1029 if (strong) { 1030 if (internal) 1031 node->internal_strong_refs--; 1032 else 1033 node->local_strong_refs--; 1034 if (node->local_strong_refs || node->internal_strong_refs) 1035 return 0; 1036 } else { 1037 if (!internal) 1038 node->local_weak_refs--; 1039 if (node->local_weak_refs || !hlist_empty(&node->refs)) 1040 return 0; 1041 } 1042 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 1043 if (list_empty(&node->work.entry)) { 1044 list_add_tail(&node->work.entry, &node->proc->todo); 1045 wake_up_interruptible(&node->proc->wait); 1046 } 1047 } else { 1048 if (hlist_empty(&node->refs) && !node->local_strong_refs && 1049 !node->local_weak_refs) { 1050 list_del_init(&node->work.entry); 1051 if (node->proc) { 1052 rb_erase(&node->rb_node, &node->proc->nodes); 1053 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1054 "binder: refless node %d deleted\n", 1055 node->debug_id); 1056 } else { 1057 hlist_del(&node->dead_node); 1058 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1059 "binder: dead node %d deleted\n", 1060 node->debug_id); 1061 } 1062 kfree(node); 1063 binder_stats_deleted(BINDER_STAT_NODE); 1064 } 1065 } 1066 1067 return 0; 1068} 1069 1070 1071static struct binder_ref *binder_get_ref(struct binder_proc *proc, 1072 uint32_t desc) 1073{ 1074 struct rb_node *n = proc->refs_by_desc.rb_node; 1075 struct binder_ref *ref; 1076 1077 while (n) { 1078 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1079 1080 if (desc < ref->desc) 1081 n = n->rb_left; 1082 else if (desc > ref->desc) 1083 n = n->rb_right; 1084 else 1085 return ref; 1086 } 1087 return NULL; 1088} 1089 1090static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc, 1091 struct binder_node *node) 1092{ 1093 struct rb_node *n; 1094 struct rb_node **p = &proc->refs_by_node.rb_node; 1095 struct rb_node *parent = NULL; 1096 struct binder_ref *ref, *new_ref; 1097 1098 while (*p) { 1099 parent = *p; 1100 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1101 1102 if (node < ref->node) 1103 p = &(*p)->rb_left; 1104 else if (node > ref->node) 1105 p = &(*p)->rb_right; 1106 else 1107 return ref; 1108 } 1109 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1110 if (new_ref == NULL) 1111 return NULL; 1112 binder_stats_created(BINDER_STAT_REF); 1113 new_ref->debug_id = ++binder_last_id; 1114 new_ref->proc = proc; 1115 new_ref->node = node; 1116 rb_link_node(&new_ref->rb_node_node, parent, p); 1117 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1118 1119 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1120 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1121 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1122 if (ref->desc > new_ref->desc) 1123 break; 1124 new_ref->desc = ref->desc + 1; 1125 } 1126 1127 p = &proc->refs_by_desc.rb_node; 1128 while (*p) { 1129 parent = *p; 1130 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1131 1132 if (new_ref->desc < ref->desc) 1133 p = &(*p)->rb_left; 1134 else if (new_ref->desc > ref->desc) 1135 p = &(*p)->rb_right; 1136 else 1137 BUG(); 1138 } 1139 rb_link_node(&new_ref->rb_node_desc, parent, p); 1140 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1141 if (node) { 1142 hlist_add_head(&new_ref->node_entry, &node->refs); 1143 1144 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1145 "binder: %d new ref %d desc %d for " 1146 "node %d\n", proc->pid, new_ref->debug_id, 1147 new_ref->desc, node->debug_id); 1148 } else { 1149 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1150 "binder: %d new ref %d desc %d for " 1151 "dead node\n", proc->pid, new_ref->debug_id, 1152 new_ref->desc); 1153 } 1154 return new_ref; 1155} 1156 1157static void binder_delete_ref(struct binder_ref *ref) 1158{ 1159 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1160 "binder: %d delete ref %d desc %d for " 1161 "node %d\n", ref->proc->pid, ref->debug_id, 1162 ref->desc, ref->node->debug_id); 1163 1164 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1165 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1166 if (ref->strong) 1167 binder_dec_node(ref->node, 1, 1); 1168 hlist_del(&ref->node_entry); 1169 binder_dec_node(ref->node, 0, 1); 1170 if (ref->death) { 1171 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1172 "binder: %d delete ref %d desc %d " 1173 "has death notification\n", ref->proc->pid, 1174 ref->debug_id, ref->desc); 1175 list_del(&ref->death->work.entry); 1176 kfree(ref->death); 1177 binder_stats_deleted(BINDER_STAT_DEATH); 1178 } 1179 kfree(ref); 1180 binder_stats_deleted(BINDER_STAT_REF); 1181} 1182 1183static int binder_inc_ref(struct binder_ref *ref, int strong, 1184 struct list_head *target_list) 1185{ 1186 int ret; 1187 if (strong) { 1188 if (ref->strong == 0) { 1189 ret = binder_inc_node(ref->node, 1, 1, target_list); 1190 if (ret) 1191 return ret; 1192 } 1193 ref->strong++; 1194 } else { 1195 if (ref->weak == 0) { 1196 ret = binder_inc_node(ref->node, 0, 1, target_list); 1197 if (ret) 1198 return ret; 1199 } 1200 ref->weak++; 1201 } 1202 return 0; 1203} 1204 1205 1206static int binder_dec_ref(struct binder_ref *ref, int strong) 1207{ 1208 if (strong) { 1209 if (ref->strong == 0) { 1210 binder_user_error("binder: %d invalid dec strong, " 1211 "ref %d desc %d s %d w %d\n", 1212 ref->proc->pid, ref->debug_id, 1213 ref->desc, ref->strong, ref->weak); 1214 return -EINVAL; 1215 } 1216 ref->strong--; 1217 if (ref->strong == 0) { 1218 int ret; 1219 ret = binder_dec_node(ref->node, strong, 1); 1220 if (ret) 1221 return ret; 1222 } 1223 } else { 1224 if (ref->weak == 0) { 1225 binder_user_error("binder: %d invalid dec weak, " 1226 "ref %d desc %d s %d w %d\n", 1227 ref->proc->pid, ref->debug_id, 1228 ref->desc, ref->strong, ref->weak); 1229 return -EINVAL; 1230 } 1231 ref->weak--; 1232 } 1233 if (ref->strong == 0 && ref->weak == 0) 1234 binder_delete_ref(ref); 1235 return 0; 1236} 1237 1238static void binder_pop_transaction(struct binder_thread *target_thread, 1239 struct binder_transaction *t) 1240{ 1241 if (target_thread) { 1242 BUG_ON(target_thread->transaction_stack != t); 1243 BUG_ON(target_thread->transaction_stack->from != target_thread); 1244 target_thread->transaction_stack = 1245 target_thread->transaction_stack->from_parent; 1246 t->from = NULL; 1247 } 1248 t->need_reply = 0; 1249 if (t->buffer) 1250 t->buffer->transaction = NULL; 1251 kfree(t); 1252 binder_stats_deleted(BINDER_STAT_TRANSACTION); 1253} 1254 1255static void binder_send_failed_reply(struct binder_transaction *t, 1256 uint32_t error_code) 1257{ 1258 struct binder_thread *target_thread; 1259 BUG_ON(t->flags & TF_ONE_WAY); 1260 while (1) { 1261 target_thread = t->from; 1262 if (target_thread) { 1263 if (target_thread->return_error != BR_OK && 1264 target_thread->return_error2 == BR_OK) { 1265 target_thread->return_error2 = 1266 target_thread->return_error; 1267 target_thread->return_error = BR_OK; 1268 } 1269 if (target_thread->return_error == BR_OK) { 1270 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1271 "binder: send failed reply for " 1272 "transaction %d to %d:%d\n", 1273 t->debug_id, target_thread->proc->pid, 1274 target_thread->pid); 1275 1276 binder_pop_transaction(target_thread, t); 1277 target_thread->return_error = error_code; 1278 wake_up_interruptible(&target_thread->wait); 1279 } else { 1280 printk(KERN_ERR "binder: reply failed, target " 1281 "thread, %d:%d, has error code %d " 1282 "already\n", target_thread->proc->pid, 1283 target_thread->pid, 1284 target_thread->return_error); 1285 } 1286 return; 1287 } else { 1288 struct binder_transaction *next = t->from_parent; 1289 1290 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1291 "binder: send failed reply " 1292 "for transaction %d, target dead\n", 1293 t->debug_id); 1294 1295 binder_pop_transaction(target_thread, t); 1296 if (next == NULL) { 1297 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1298 "binder: reply failed," 1299 " no target thread at root\n"); 1300 return; 1301 } 1302 t = next; 1303 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1304 "binder: reply failed, no target " 1305 "thread -- retry %d\n", t->debug_id); 1306 } 1307 } 1308} 1309 1310static void binder_transaction_buffer_release(struct binder_proc *proc, 1311 struct binder_buffer *buffer, 1312 size_t *failed_at) 1313{ 1314 size_t *offp, *off_end; 1315 int debug_id = buffer->debug_id; 1316 1317 binder_debug(BINDER_DEBUG_TRANSACTION, 1318 "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1319 proc->pid, buffer->debug_id, 1320 buffer->data_size, buffer->offsets_size, failed_at); 1321 1322 if (buffer->target_node) 1323 binder_dec_node(buffer->target_node, 1, 0); 1324 1325 offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1326 if (failed_at) 1327 off_end = failed_at; 1328 else 1329 off_end = (void *)offp + buffer->offsets_size; 1330 for (; offp < off_end; offp++) { 1331 struct flat_binder_object *fp; 1332 if (*offp > buffer->data_size - sizeof(*fp) || 1333 buffer->data_size < sizeof(*fp) || 1334 !IS_ALIGNED(*offp, sizeof(void *))) { 1335 printk(KERN_ERR "binder: transaction release %d bad" 1336 "offset %zd, size %zd\n", debug_id, 1337 *offp, buffer->data_size); 1338 continue; 1339 } 1340 fp = (struct flat_binder_object *)(buffer->data + *offp); 1341 switch (fp->type) { 1342 case BINDER_TYPE_BINDER: 1343 case BINDER_TYPE_WEAK_BINDER: { 1344 struct binder_node *node = binder_get_node(proc, fp->binder); 1345 if (node == NULL) { 1346 printk(KERN_ERR "binder: transaction release %d" 1347 " bad node %p\n", debug_id, fp->binder); 1348 break; 1349 } 1350 binder_debug(BINDER_DEBUG_TRANSACTION, 1351 " node %d u%p\n", 1352 node->debug_id, node->ptr); 1353 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1354 } break; 1355 case BINDER_TYPE_HANDLE: 1356 case BINDER_TYPE_WEAK_HANDLE: { 1357 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1358 if (ref == NULL) { 1359 printk(KERN_ERR "binder: transaction release %d" 1360 " bad handle %ld\n", debug_id, 1361 fp->handle); 1362 break; 1363 } 1364 binder_debug(BINDER_DEBUG_TRANSACTION, 1365 " ref %d desc %d (node %d)\n", 1366 ref->debug_id, ref->desc, ref->node->debug_id); 1367 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1368 } break; 1369 1370 case BINDER_TYPE_FD: 1371 binder_debug(BINDER_DEBUG_TRANSACTION, 1372 " fd %ld\n", fp->handle); 1373 if (failed_at) 1374 task_close_fd(proc, fp->handle); 1375 break; 1376 1377 default: 1378 printk(KERN_ERR "binder: transaction release %d bad " 1379 "object type %lx\n", debug_id, fp->type); 1380 break; 1381 } 1382 } 1383} 1384 1385static void binder_transaction(struct binder_proc *proc, 1386 struct binder_thread *thread, 1387 struct binder_transaction_data *tr, int reply) 1388{ 1389 struct binder_transaction *t; 1390 struct binder_work *tcomplete; 1391 size_t *offp, *off_end; 1392 struct binder_proc *target_proc; 1393 struct binder_thread *target_thread = NULL; 1394 struct binder_node *target_node = NULL; 1395 struct list_head *target_list; 1396 wait_queue_head_t *target_wait; 1397 struct binder_transaction *in_reply_to = NULL; 1398 struct binder_transaction_log_entry *e; 1399 uint32_t return_error; 1400 1401 e = binder_transaction_log_add(&binder_transaction_log); 1402 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1403 e->from_proc = proc->pid; 1404 e->from_thread = thread->pid; 1405 e->target_handle = tr->target.handle; 1406 e->data_size = tr->data_size; 1407 e->offsets_size = tr->offsets_size; 1408 1409 if (reply) { 1410 in_reply_to = thread->transaction_stack; 1411 if (in_reply_to == NULL) { 1412 binder_user_error("binder: %d:%d got reply transaction " 1413 "with no transaction stack\n", 1414 proc->pid, thread->pid); 1415 return_error = BR_FAILED_REPLY; 1416 goto err_empty_call_stack; 1417 } 1418 binder_set_nice(in_reply_to->saved_priority); 1419 if (in_reply_to->to_thread != thread) { 1420 binder_user_error("binder: %d:%d got reply transaction " 1421 "with bad transaction stack," 1422 " transaction %d has target %d:%d\n", 1423 proc->pid, thread->pid, in_reply_to->debug_id, 1424 in_reply_to->to_proc ? 1425 in_reply_to->to_proc->pid : 0, 1426 in_reply_to->to_thread ? 1427 in_reply_to->to_thread->pid : 0); 1428 return_error = BR_FAILED_REPLY; 1429 in_reply_to = NULL; 1430 goto err_bad_call_stack; 1431 } 1432 thread->transaction_stack = in_reply_to->to_parent; 1433 target_thread = in_reply_to->from; 1434 if (target_thread == NULL) { 1435 return_error = BR_DEAD_REPLY; 1436 goto err_dead_binder; 1437 } 1438 if (target_thread->transaction_stack != in_reply_to) { 1439 binder_user_error("binder: %d:%d got reply transaction " 1440 "with bad target transaction stack %d, " 1441 "expected %d\n", 1442 proc->pid, thread->pid, 1443 target_thread->transaction_stack ? 1444 target_thread->transaction_stack->debug_id : 0, 1445 in_reply_to->debug_id); 1446 return_error = BR_FAILED_REPLY; 1447 in_reply_to = NULL; 1448 target_thread = NULL; 1449 goto err_dead_binder; 1450 } 1451 target_proc = target_thread->proc; 1452 } else { 1453 if (tr->target.handle) { 1454 struct binder_ref *ref; 1455 ref = binder_get_ref(proc, tr->target.handle); 1456 if (ref == NULL) { 1457 binder_user_error("binder: %d:%d got " 1458 "transaction to invalid handle\n", 1459 proc->pid, thread->pid); 1460 return_error = BR_FAILED_REPLY; 1461 goto err_invalid_target_handle; 1462 } 1463 target_node = ref->node; 1464 } else { 1465 target_node = binder_context_mgr_node; 1466 if (target_node == NULL) { 1467 return_error = BR_DEAD_REPLY; 1468 goto err_no_context_mgr_node; 1469 } 1470 } 1471 e->to_node = target_node->debug_id; 1472 target_proc = target_node->proc; 1473 if (target_proc == NULL) { 1474 return_error = BR_DEAD_REPLY; 1475 goto err_dead_binder; 1476 } 1477 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1478 struct binder_transaction *tmp; 1479 tmp = thread->transaction_stack; 1480 if (tmp->to_thread != thread) { 1481 binder_user_error("binder: %d:%d got new " 1482 "transaction with bad transaction stack" 1483 ", transaction %d has target %d:%d\n", 1484 proc->pid, thread->pid, tmp->debug_id, 1485 tmp->to_proc ? tmp->to_proc->pid : 0, 1486 tmp->to_thread ? 1487 tmp->to_thread->pid : 0); 1488 return_error = BR_FAILED_REPLY; 1489 goto err_bad_call_stack; 1490 } 1491 while (tmp) { 1492 if (tmp->from && tmp->from->proc == target_proc) 1493 target_thread = tmp->from; 1494 tmp = tmp->from_parent; 1495 } 1496 } 1497 } 1498 if (target_thread) { 1499 e->to_thread = target_thread->pid; 1500 target_list = &target_thread->todo; 1501 target_wait = &target_thread->wait; 1502 } else { 1503 target_list = &target_proc->todo; 1504 target_wait = &target_proc->wait; 1505 } 1506 e->to_proc = target_proc->pid; 1507 1508 /* TODO: reuse incoming transaction for reply */ 1509 t = kzalloc(sizeof(*t), GFP_KERNEL); 1510 if (t == NULL) { 1511 return_error = BR_FAILED_REPLY; 1512 goto err_alloc_t_failed; 1513 } 1514 binder_stats_created(BINDER_STAT_TRANSACTION); 1515 1516 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1517 if (tcomplete == NULL) { 1518 return_error = BR_FAILED_REPLY; 1519 goto err_alloc_tcomplete_failed; 1520 } 1521 binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE); 1522 1523 t->debug_id = ++binder_last_id; 1524 e->debug_id = t->debug_id; 1525 1526 if (reply) 1527 binder_debug(BINDER_DEBUG_TRANSACTION, 1528 "binder: %d:%d BC_REPLY %d -> %d:%d, " 1529 "data %p-%p size %zd-%zd\n", 1530 proc->pid, thread->pid, t->debug_id, 1531 target_proc->pid, target_thread->pid, 1532 tr->data.ptr.buffer, tr->data.ptr.offsets, 1533 tr->data_size, tr->offsets_size); 1534 else 1535 binder_debug(BINDER_DEBUG_TRANSACTION, 1536 "binder: %d:%d BC_TRANSACTION %d -> " 1537 "%d - node %d, data %p-%p size %zd-%zd\n", 1538 proc->pid, thread->pid, t->debug_id, 1539 target_proc->pid, target_node->debug_id, 1540 tr->data.ptr.buffer, tr->data.ptr.offsets, 1541 tr->data_size, tr->offsets_size); 1542 1543 if (!reply && !(tr->flags & TF_ONE_WAY)) 1544 t->from = thread; 1545 else 1546 t->from = NULL; 1547 t->sender_euid = proc->tsk->cred->euid; 1548 t->to_proc = target_proc; 1549 t->to_thread = target_thread; 1550 t->code = tr->code; 1551 t->flags = tr->flags; 1552 t->priority = task_nice(current); 1553 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1554 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1555 if (t->buffer == NULL) { 1556 return_error = BR_FAILED_REPLY; 1557 goto err_binder_alloc_buf_failed; 1558 } 1559 t->buffer->allow_user_free = 0; 1560 t->buffer->debug_id = t->debug_id; 1561 t->buffer->transaction = t; 1562 t->buffer->target_node = target_node; 1563 if (target_node) 1564 binder_inc_node(target_node, 1, 0, NULL); 1565 1566 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1567 1568 if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1569 binder_user_error("binder: %d:%d got transaction with invalid " 1570 "data ptr\n", proc->pid, thread->pid); 1571 return_error = BR_FAILED_REPLY; 1572 goto err_copy_data_failed; 1573 } 1574 if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1575 binder_user_error("binder: %d:%d got transaction with invalid " 1576 "offsets ptr\n", proc->pid, thread->pid); 1577 return_error = BR_FAILED_REPLY; 1578 goto err_copy_data_failed; 1579 } 1580 if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { 1581 binder_user_error("binder: %d:%d got transaction with " 1582 "invalid offsets size, %zd\n", 1583 proc->pid, thread->pid, tr->offsets_size); 1584 return_error = BR_FAILED_REPLY; 1585 goto err_bad_offset; 1586 } 1587 off_end = (void *)offp + tr->offsets_size; 1588 for (; offp < off_end; offp++) { 1589 struct flat_binder_object *fp; 1590 if (*offp > t->buffer->data_size - sizeof(*fp) || 1591 t->buffer->data_size < sizeof(*fp) || 1592 !IS_ALIGNED(*offp, sizeof(void *))) { 1593 binder_user_error("binder: %d:%d got transaction with " 1594 "invalid offset, %zd\n", 1595 proc->pid, thread->pid, *offp); 1596 return_error = BR_FAILED_REPLY; 1597 goto err_bad_offset; 1598 } 1599 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1600 switch (fp->type) { 1601 case BINDER_TYPE_BINDER: 1602 case BINDER_TYPE_WEAK_BINDER: { 1603 struct binder_ref *ref; 1604 struct binder_node *node = binder_get_node(proc, fp->binder); 1605 if (node == NULL) { 1606 node = binder_new_node(proc, fp->binder, fp->cookie); 1607 if (node == NULL) { 1608 return_error = BR_FAILED_REPLY; 1609 goto err_binder_new_node_failed; 1610 } 1611 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1612 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1613 } 1614 if (fp->cookie != node->cookie) { 1615 binder_user_error("binder: %d:%d sending u%p " 1616 "node %d, cookie mismatch %p != %p\n", 1617 proc->pid, thread->pid, 1618 fp->binder, node->debug_id, 1619 fp->cookie, node->cookie); 1620 goto err_binder_get_ref_for_node_failed; 1621 } 1622 ref = binder_get_ref_for_node(target_proc, node); 1623 if (ref == NULL) { 1624 return_error = BR_FAILED_REPLY; 1625 goto err_binder_get_ref_for_node_failed; 1626 } 1627 if (fp->type == BINDER_TYPE_BINDER) 1628 fp->type = BINDER_TYPE_HANDLE; 1629 else 1630 fp->type = BINDER_TYPE_WEAK_HANDLE; 1631 fp->handle = ref->desc; 1632 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, 1633 &thread->todo); 1634 1635 binder_debug(BINDER_DEBUG_TRANSACTION, 1636 " node %d u%p -> ref %d desc %d\n", 1637 node->debug_id, node->ptr, ref->debug_id, 1638 ref->desc); 1639 } break; 1640 case BINDER_TYPE_HANDLE: 1641 case BINDER_TYPE_WEAK_HANDLE: { 1642 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1643 if (ref == NULL) { 1644 binder_user_error("binder: %d:%d got " 1645 "transaction with invalid " 1646 "handle, %ld\n", proc->pid, 1647 thread->pid, fp->handle); 1648 return_error = BR_FAILED_REPLY; 1649 goto err_binder_get_ref_failed; 1650 } 1651 if (ref->node->proc == target_proc) { 1652 if (fp->type == BINDER_TYPE_HANDLE) 1653 fp->type = BINDER_TYPE_BINDER; 1654 else 1655 fp->type = BINDER_TYPE_WEAK_BINDER; 1656 fp->binder = ref->node->ptr; 1657 fp->cookie = ref->node->cookie; 1658 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1659 binder_debug(BINDER_DEBUG_TRANSACTION, 1660 " ref %d desc %d -> node %d u%p\n", 1661 ref->debug_id, ref->desc, ref->node->debug_id, 1662 ref->node->ptr); 1663 } else { 1664 struct binder_ref *new_ref; 1665 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1666 if (new_ref == NULL) { 1667 return_error = BR_FAILED_REPLY; 1668 goto err_binder_get_ref_for_node_failed; 1669 } 1670 fp->handle = new_ref->desc; 1671 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1672 binder_debug(BINDER_DEBUG_TRANSACTION, 1673 " ref %d desc %d -> ref %d desc %d (node %d)\n", 1674 ref->debug_id, ref->desc, new_ref->debug_id, 1675 new_ref->desc, ref->node->debug_id); 1676 } 1677 } break; 1678 1679 case BINDER_TYPE_FD: { 1680 int target_fd; 1681 struct file *file; 1682 1683 if (reply) { 1684 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1685 binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1686 proc->pid, thread->pid, fp->handle); 1687 return_error = BR_FAILED_REPLY; 1688 goto err_fd_not_allowed; 1689 } 1690 } else if (!target_node->accept_fds) { 1691 binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1692 proc->pid, thread->pid, fp->handle); 1693 return_error = BR_FAILED_REPLY; 1694 goto err_fd_not_allowed; 1695 } 1696 1697 file = fget(fp->handle); 1698 if (file == NULL) { 1699 binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1700 proc->pid, thread->pid, fp->handle); 1701 return_error = BR_FAILED_REPLY; 1702 goto err_fget_failed; 1703 } 1704 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 1705 if (target_fd < 0) { 1706 fput(file); 1707 return_error = BR_FAILED_REPLY; 1708 goto err_get_unused_fd_failed; 1709 } 1710 task_fd_install(target_proc, target_fd, file); 1711 binder_debug(BINDER_DEBUG_TRANSACTION, 1712 " fd %ld -> %d\n", fp->handle, target_fd); 1713 /* TODO: fput? */ 1714 fp->handle = target_fd; 1715 } break; 1716 1717 default: 1718 binder_user_error("binder: %d:%d got transactio" 1719 "n with invalid object type, %lx\n", 1720 proc->pid, thread->pid, fp->type); 1721 return_error = BR_FAILED_REPLY; 1722 goto err_bad_object_type; 1723 } 1724 } 1725 if (reply) { 1726 BUG_ON(t->buffer->async_transaction != 0); 1727 binder_pop_transaction(target_thread, in_reply_to); 1728 } else if (!(t->flags & TF_ONE_WAY)) { 1729 BUG_ON(t->buffer->async_transaction != 0); 1730 t->need_reply = 1; 1731 t->from_parent = thread->transaction_stack; 1732 thread->transaction_stack = t; 1733 } else { 1734 BUG_ON(target_node == NULL); 1735 BUG_ON(t->buffer->async_transaction != 1); 1736 if (target_node->has_async_transaction) { 1737 target_list = &target_node->async_todo; 1738 target_wait = NULL; 1739 } else 1740 target_node->has_async_transaction = 1; 1741 } 1742 t->work.type = BINDER_WORK_TRANSACTION; 1743 list_add_tail(&t->work.entry, target_list); 1744 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1745 list_add_tail(&tcomplete->entry, &thread->todo); 1746 if (target_wait) 1747 wake_up_interruptible(target_wait); 1748 return; 1749 1750err_get_unused_fd_failed: 1751err_fget_failed: 1752err_fd_not_allowed: 1753err_binder_get_ref_for_node_failed: 1754err_binder_get_ref_failed: 1755err_binder_new_node_failed: 1756err_bad_object_type: 1757err_bad_offset: 1758err_copy_data_failed: 1759 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1760 t->buffer->transaction = NULL; 1761 binder_free_buf(target_proc, t->buffer); 1762err_binder_alloc_buf_failed: 1763 kfree(tcomplete); 1764 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 1765err_alloc_tcomplete_failed: 1766 kfree(t); 1767 binder_stats_deleted(BINDER_STAT_TRANSACTION); 1768err_alloc_t_failed: 1769err_bad_call_stack: 1770err_empty_call_stack: 1771err_dead_binder: 1772err_invalid_target_handle: 1773err_no_context_mgr_node: 1774 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1775 "binder: %d:%d transaction failed %d, size %zd-%zd\n", 1776 proc->pid, thread->pid, return_error, 1777 tr->data_size, tr->offsets_size); 1778 1779 { 1780 struct binder_transaction_log_entry *fe; 1781 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1782 *fe = *e; 1783 } 1784 1785 BUG_ON(thread->return_error != BR_OK); 1786 if (in_reply_to) { 1787 thread->return_error = BR_TRANSACTION_COMPLETE; 1788 binder_send_failed_reply(in_reply_to, return_error); 1789 } else 1790 thread->return_error = return_error; 1791} 1792 1793int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1794 void __user *buffer, int size, signed long *consumed) 1795{ 1796 uint32_t cmd; 1797 void __user *ptr = buffer + *consumed; 1798 void __user *end = buffer + size; 1799 1800 while (ptr < end && thread->return_error == BR_OK) { 1801 if (get_user(cmd, (uint32_t __user *)ptr)) 1802 return -EFAULT; 1803 ptr += sizeof(uint32_t); 1804 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1805 binder_stats.bc[_IOC_NR(cmd)]++; 1806 proc->stats.bc[_IOC_NR(cmd)]++; 1807 thread->stats.bc[_IOC_NR(cmd)]++; 1808 } 1809 switch (cmd) { 1810 case BC_INCREFS: 1811 case BC_ACQUIRE: 1812 case BC_RELEASE: 1813 case BC_DECREFS: { 1814 uint32_t target; 1815 struct binder_ref *ref; 1816 const char *debug_string; 1817 1818 if (get_user(target, (uint32_t __user *)ptr)) 1819 return -EFAULT; 1820 ptr += sizeof(uint32_t); 1821 if (target == 0 && binder_context_mgr_node && 1822 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1823 ref = binder_get_ref_for_node(proc, 1824 binder_context_mgr_node); 1825 if (ref->desc != target) { 1826 binder_user_error("binder: %d:" 1827 "%d tried to acquire " 1828 "reference to desc 0, " 1829 "got %d instead\n", 1830 proc->pid, thread->pid, 1831 ref->desc); 1832 } 1833 } else 1834 ref = binder_get_ref(proc, target); 1835 if (ref == NULL) { 1836 binder_user_error("binder: %d:%d refcou" 1837 "nt change on invalid ref %d\n", 1838 proc->pid, thread->pid, target); 1839 break; 1840 } 1841 switch (cmd) { 1842 case BC_INCREFS: 1843 debug_string = "IncRefs"; 1844 binder_inc_ref(ref, 0, NULL); 1845 break; 1846 case BC_ACQUIRE: 1847 debug_string = "Acquire"; 1848 binder_inc_ref(ref, 1, NULL); 1849 break; 1850 case BC_RELEASE: 1851 debug_string = "Release"; 1852 binder_dec_ref(ref, 1); 1853 break; 1854 case BC_DECREFS: 1855 default: 1856 debug_string = "DecRefs"; 1857 binder_dec_ref(ref, 0); 1858 break; 1859 } 1860 binder_debug(BINDER_DEBUG_USER_REFS, 1861 "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1862 proc->pid, thread->pid, debug_string, ref->debug_id, 1863 ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1864 break; 1865 } 1866 case BC_INCREFS_DONE: 1867 case BC_ACQUIRE_DONE: { 1868 void __user *node_ptr; 1869 void *cookie; 1870 struct binder_node *node; 1871 1872 if (get_user(node_ptr, (void * __user *)ptr)) 1873 return -EFAULT; 1874 ptr += sizeof(void *); 1875 if (get_user(cookie, (void * __user *)ptr)) 1876 return -EFAULT; 1877 ptr += sizeof(void *); 1878 node = binder_get_node(proc, node_ptr); 1879 if (node == NULL) { 1880 binder_user_error("binder: %d:%d " 1881 "%s u%p no match\n", 1882 proc->pid, thread->pid, 1883 cmd == BC_INCREFS_DONE ? 1884 "BC_INCREFS_DONE" : 1885 "BC_ACQUIRE_DONE", 1886 node_ptr); 1887 break; 1888 } 1889 if (cookie != node->cookie) { 1890 binder_user_error("binder: %d:%d %s u%p node %d" 1891 " cookie mismatch %p != %p\n", 1892 proc->pid, thread->pid, 1893 cmd == BC_INCREFS_DONE ? 1894 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1895 node_ptr, node->debug_id, 1896 cookie, node->cookie); 1897 break; 1898 } 1899 if (cmd == BC_ACQUIRE_DONE) { 1900 if (node->pending_strong_ref == 0) { 1901 binder_user_error("binder: %d:%d " 1902 "BC_ACQUIRE_DONE node %d has " 1903 "no pending acquire request\n", 1904 proc->pid, thread->pid, 1905 node->debug_id); 1906 break; 1907 } 1908 node->pending_strong_ref = 0; 1909 } else { 1910 if (node->pending_weak_ref == 0) { 1911 binder_user_error("binder: %d:%d " 1912 "BC_INCREFS_DONE node %d has " 1913 "no pending increfs request\n", 1914 proc->pid, thread->pid, 1915 node->debug_id); 1916 break; 1917 } 1918 node->pending_weak_ref = 0; 1919 } 1920 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1921 binder_debug(BINDER_DEBUG_USER_REFS, 1922 "binder: %d:%d %s node %d ls %d lw %d\n", 1923 proc->pid, thread->pid, 1924 cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1925 node->debug_id, node->local_strong_refs, node->local_weak_refs); 1926 break; 1927 } 1928 case BC_ATTEMPT_ACQUIRE: 1929 printk(KERN_ERR "binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1930 return -EINVAL; 1931 case BC_ACQUIRE_RESULT: 1932 printk(KERN_ERR "binder: BC_ACQUIRE_RESULT not supported\n"); 1933 return -EINVAL; 1934 1935 case BC_FREE_BUFFER: { 1936 void __user *data_ptr; 1937 struct binder_buffer *buffer; 1938 1939 if (get_user(data_ptr, (void * __user *)ptr)) 1940 return -EFAULT; 1941 ptr += sizeof(void *); 1942 1943 buffer = binder_buffer_lookup(proc, data_ptr); 1944 if (buffer == NULL) { 1945 binder_user_error("binder: %d:%d " 1946 "BC_FREE_BUFFER u%p no match\n", 1947 proc->pid, thread->pid, data_ptr); 1948 break; 1949 } 1950 if (!buffer->allow_user_free) { 1951 binder_user_error("binder: %d:%d " 1952 "BC_FREE_BUFFER u%p matched " 1953 "unreturned buffer\n", 1954 proc->pid, thread->pid, data_ptr); 1955 break; 1956 } 1957 binder_debug(BINDER_DEBUG_FREE_BUFFER, 1958 "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1959 proc->pid, thread->pid, data_ptr, buffer->debug_id, 1960 buffer->transaction ? "active" : "finished"); 1961 1962 if (buffer->transaction) { 1963 buffer->transaction->buffer = NULL; 1964 buffer->transaction = NULL; 1965 } 1966 if (buffer->async_transaction && buffer->target_node) { 1967 BUG_ON(!buffer->target_node->has_async_transaction); 1968 if (list_empty(&buffer->target_node->async_todo)) 1969 buffer->target_node->has_async_transaction = 0; 1970 else 1971 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1972 } 1973 binder_transaction_buffer_release(proc, buffer, NULL); 1974 binder_free_buf(proc, buffer); 1975 break; 1976 } 1977 1978 case BC_TRANSACTION: 1979 case BC_REPLY: { 1980 struct binder_transaction_data tr; 1981 1982 if (copy_from_user(&tr, ptr, sizeof(tr))) 1983 return -EFAULT; 1984 ptr += sizeof(tr); 1985 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1986 break; 1987 } 1988 1989 case BC_REGISTER_LOOPER: 1990 binder_debug(BINDER_DEBUG_THREADS, 1991 "binder: %d:%d BC_REGISTER_LOOPER\n", 1992 proc->pid, thread->pid); 1993 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1994 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1995 binder_user_error("binder: %d:%d ERROR:" 1996 " BC_REGISTER_LOOPER called " 1997 "after BC_ENTER_LOOPER\n", 1998 proc->pid, thread->pid); 1999 } else if (proc->requested_threads == 0) { 2000 thread->looper |= BINDER_LOOPER_STATE_INVALID; 2001 binder_user_error("binder: %d:%d ERROR:" 2002 " BC_REGISTER_LOOPER called " 2003 "without request\n", 2004 proc->pid, thread->pid); 2005 } else { 2006 proc->requested_threads--; 2007 proc->requested_threads_started++; 2008 } 2009 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 2010 break; 2011 case BC_ENTER_LOOPER: 2012 binder_debug(BINDER_DEBUG_THREADS, 2013 "binder: %d:%d BC_ENTER_LOOPER\n", 2014 proc->pid, thread->pid); 2015 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 2016 thread->looper |= BINDER_LOOPER_STATE_INVALID; 2017 binder_user_error("binder: %d:%d ERROR:" 2018 " BC_ENTER_LOOPER called after " 2019 "BC_REGISTER_LOOPER\n", 2020 proc->pid, thread->pid); 2021 } 2022 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 2023 break; 2024 case BC_EXIT_LOOPER: 2025 binder_debug(BINDER_DEBUG_THREADS, 2026 "binder: %d:%d BC_EXIT_LOOPER\n", 2027 proc->pid, thread->pid); 2028 thread->looper |= BINDER_LOOPER_STATE_EXITED; 2029 break; 2030 2031 case BC_REQUEST_DEATH_NOTIFICATION: 2032 case BC_CLEAR_DEATH_NOTIFICATION: { 2033 uint32_t target; 2034 void __user *cookie; 2035 struct binder_ref *ref; 2036 struct binder_ref_death *death; 2037 2038 if (get_user(target, (uint32_t __user *)ptr)) 2039 return -EFAULT; 2040 ptr += sizeof(uint32_t); 2041 if (get_user(cookie, (void __user * __user *)ptr)) 2042 return -EFAULT; 2043 ptr += sizeof(void *); 2044 ref = binder_get_ref(proc, target); 2045 if (ref == NULL) { 2046 binder_user_error("binder: %d:%d %s " 2047 "invalid ref %d\n", 2048 proc->pid, thread->pid, 2049 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2050 "BC_REQUEST_DEATH_NOTIFICATION" : 2051 "BC_CLEAR_DEATH_NOTIFICATION", 2052 target); 2053 break; 2054 } 2055 2056 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2057 "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 2058 proc->pid, thread->pid, 2059 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2060 "BC_REQUEST_DEATH_NOTIFICATION" : 2061 "BC_CLEAR_DEATH_NOTIFICATION", 2062 cookie, ref->debug_id, ref->desc, 2063 ref->strong, ref->weak, ref->node->debug_id); 2064 2065 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 2066 if (ref->death) { 2067 binder_user_error("binder: %d:%" 2068 "d BC_REQUEST_DEATH_NOTI" 2069 "FICATION death notific" 2070 "ation already set\n", 2071 proc->pid, thread->pid); 2072 break; 2073 } 2074 death = kzalloc(sizeof(*death), GFP_KERNEL); 2075 if (death == NULL) { 2076 thread->return_error = BR_ERROR; 2077 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 2078 "binder: %d:%d " 2079 "BC_REQUEST_DEATH_NOTIFICATION failed\n", 2080 proc->pid, thread->pid); 2081 break; 2082 } 2083 binder_stats_created(BINDER_STAT_DEATH); 2084 INIT_LIST_HEAD(&death->work.entry); 2085 death->cookie = cookie; 2086 ref->death = death; 2087 if (ref->node->proc == NULL) { 2088 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2089 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2090 list_add_tail(&ref->death->work.entry, &thread->todo); 2091 } else { 2092 list_add_tail(&ref->death->work.entry, &proc->todo); 2093 wake_up_interruptible(&proc->wait); 2094 } 2095 } 2096 } else { 2097 if (ref->death == NULL) { 2098 binder_user_error("binder: %d:%" 2099 "d BC_CLEAR_DEATH_NOTIFI" 2100 "CATION death notificat" 2101 "ion not active\n", 2102 proc->pid, thread->pid); 2103 break; 2104 } 2105 death = ref->death; 2106 if (death->cookie != cookie) { 2107 binder_user_error("binder: %d:%" 2108 "d BC_CLEAR_DEATH_NOTIFI" 2109 "CATION death notificat" 2110 "ion cookie mismatch " 2111 "%p != %p\n", 2112 proc->pid, thread->pid, 2113 death->cookie, cookie); 2114 break; 2115 } 2116 ref->death = NULL; 2117 if (list_empty(&death->work.entry)) { 2118 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2119 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2120 list_add_tail(&death->work.entry, &thread->todo); 2121 } else { 2122 list_add_tail(&death->work.entry, &proc->todo); 2123 wake_up_interruptible(&proc->wait); 2124 } 2125 } else { 2126 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2127 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2128 } 2129 } 2130 } break; 2131 case BC_DEAD_BINDER_DONE: { 2132 struct binder_work *w; 2133 void __user *cookie; 2134 struct binder_ref_death *death = NULL; 2135 if (get_user(cookie, (void __user * __user *)ptr)) 2136 return -EFAULT; 2137 2138 ptr += sizeof(void *); 2139 list_for_each_entry(w, &proc->delivered_death, entry) { 2140 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2141 if (tmp_death->cookie == cookie) { 2142 death = tmp_death; 2143 break; 2144 } 2145 } 2146 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2147 "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2148 proc->pid, thread->pid, cookie, death); 2149 if (death == NULL) { 2150 binder_user_error("binder: %d:%d BC_DEAD" 2151 "_BINDER_DONE %p not found\n", 2152 proc->pid, thread->pid, cookie); 2153 break; 2154 } 2155 2156 list_del_init(&death->work.entry); 2157 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2158 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2159 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2160 list_add_tail(&death->work.entry, &thread->todo); 2161 } else { 2162 list_add_tail(&death->work.entry, &proc->todo); 2163 wake_up_interruptible(&proc->wait); 2164 } 2165 } 2166 } break; 2167 2168 default: 2169 printk(KERN_ERR "binder: %d:%d unknown command %d\n", 2170 proc->pid, thread->pid, cmd); 2171 return -EINVAL; 2172 } 2173 *consumed = ptr - buffer; 2174 } 2175 return 0; 2176} 2177 2178void binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, 2179 uint32_t cmd) 2180{ 2181 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2182 binder_stats.br[_IOC_NR(cmd)]++; 2183 proc->stats.br[_IOC_NR(cmd)]++; 2184 thread->stats.br[_IOC_NR(cmd)]++; 2185 } 2186} 2187 2188static int binder_has_proc_work(struct binder_proc *proc, 2189 struct binder_thread *thread) 2190{ 2191 return !list_empty(&proc->todo) || 2192 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2193} 2194 2195static int binder_has_thread_work(struct binder_thread *thread) 2196{ 2197 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2198 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2199} 2200 2201static int binder_thread_read(struct binder_proc *proc, 2202 struct binder_thread *thread, 2203 void __user *buffer, int size, 2204 signed long *consumed, int non_block) 2205{ 2206 void __user *ptr = buffer + *consumed; 2207 void __user *end = buffer + size; 2208 2209 int ret = 0; 2210 int wait_for_proc_work; 2211 2212 if (*consumed == 0) { 2213 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2214 return -EFAULT; 2215 ptr += sizeof(uint32_t); 2216 } 2217 2218retry: 2219 wait_for_proc_work = thread->transaction_stack == NULL && 2220 list_empty(&thread->todo); 2221 2222 if (thread->return_error != BR_OK && ptr < end) { 2223 if (thread->return_error2 != BR_OK) { 2224 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2225 return -EFAULT; 2226 ptr += sizeof(uint32_t); 2227 if (ptr == end) 2228 goto done; 2229 thread->return_error2 = BR_OK; 2230 } 2231 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2232 return -EFAULT; 2233 ptr += sizeof(uint32_t); 2234 thread->return_error = BR_OK; 2235 goto done; 2236 } 2237 2238 2239 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2240 if (wait_for_proc_work) 2241 proc->ready_threads++; 2242 mutex_unlock(&binder_lock); 2243 if (wait_for_proc_work) { 2244 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2245 BINDER_LOOPER_STATE_ENTERED))) { 2246 binder_user_error("binder: %d:%d ERROR: Thread waiting " 2247 "for process work before calling BC_REGISTER_" 2248 "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2249 proc->pid, thread->pid, thread->looper); 2250 wait_event_interruptible(binder_user_error_wait, 2251 binder_stop_on_user_error < 2); 2252 } 2253 binder_set_nice(proc->default_priority); 2254 if (non_block) { 2255 if (!binder_has_proc_work(proc, thread)) 2256 ret = -EAGAIN; 2257 } else 2258 ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2259 } else { 2260 if (non_block) { 2261 if (!binder_has_thread_work(thread)) 2262 ret = -EAGAIN; 2263 } else 2264 ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2265 } 2266 mutex_lock(&binder_lock); 2267 if (wait_for_proc_work) 2268 proc->ready_threads--; 2269 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2270 2271 if (ret) 2272 return ret; 2273 2274 while (1) { 2275 uint32_t cmd; 2276 struct binder_transaction_data tr; 2277 struct binder_work *w; 2278 struct binder_transaction *t = NULL; 2279 2280 if (!list_empty(&thread->todo)) 2281 w = list_first_entry(&thread->todo, struct binder_work, entry); 2282 else if (!list_empty(&proc->todo) && wait_for_proc_work) 2283 w = list_first_entry(&proc->todo, struct binder_work, entry); 2284 else { 2285 if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2286 goto retry; 2287 break; 2288 } 2289 2290 if (end - ptr < sizeof(tr) + 4) 2291 break; 2292 2293 switch (w->type) { 2294 case BINDER_WORK_TRANSACTION: { 2295 t = container_of(w, struct binder_transaction, work); 2296 } break; 2297 case BINDER_WORK_TRANSACTION_COMPLETE: { 2298 cmd = BR_TRANSACTION_COMPLETE; 2299 if (put_user(cmd, (uint32_t __user *)ptr)) 2300 return -EFAULT; 2301 ptr += sizeof(uint32_t); 2302 2303 binder_stat_br(proc, thread, cmd); 2304 binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, 2305 "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2306 proc->pid, thread->pid); 2307 2308 list_del(&w->entry); 2309 kfree(w); 2310 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2311 } break; 2312 case BINDER_WORK_NODE: { 2313 struct binder_node *node = container_of(w, struct binder_node, work); 2314 uint32_t cmd = BR_NOOP; 2315 const char *cmd_name; 2316 int strong = node->internal_strong_refs || node->local_strong_refs; 2317 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2318 if (weak && !node->has_weak_ref) { 2319 cmd = BR_INCREFS; 2320 cmd_name = "BR_INCREFS"; 2321 node->has_weak_ref = 1; 2322 node->pending_weak_ref = 1; 2323 node->local_weak_refs++; 2324 } else if (strong && !node->has_strong_ref) { 2325 cmd = BR_ACQUIRE; 2326 cmd_name = "BR_ACQUIRE"; 2327 node->has_strong_ref = 1; 2328 node->pending_strong_ref = 1; 2329 node->local_strong_refs++; 2330 } else if (!strong && node->has_strong_ref) { 2331 cmd = BR_RELEASE; 2332 cmd_name = "BR_RELEASE"; 2333 node->has_strong_ref = 0; 2334 } else if (!weak && node->has_weak_ref) { 2335 cmd = BR_DECREFS; 2336 cmd_name = "BR_DECREFS"; 2337 node->has_weak_ref = 0; 2338 } 2339 if (cmd != BR_NOOP) { 2340 if (put_user(cmd, (uint32_t __user *)ptr)) 2341 return -EFAULT; 2342 ptr += sizeof(uint32_t); 2343 if (put_user(node->ptr, (void * __user *)ptr)) 2344 return -EFAULT; 2345 ptr += sizeof(void *); 2346 if (put_user(node->cookie, (void * __user *)ptr)) 2347 return -EFAULT; 2348 ptr += sizeof(void *); 2349 2350 binder_stat_br(proc, thread, cmd); 2351 binder_debug(BINDER_DEBUG_USER_REFS, 2352 "binder: %d:%d %s %d u%p c%p\n", 2353 proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2354 } else { 2355 list_del_init(&w->entry); 2356 if (!weak && !strong) { 2357 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2358 "binder: %d:%d node %d u%p c%p deleted\n", 2359 proc->pid, thread->pid, node->debug_id, 2360 node->ptr, node->cookie); 2361 rb_erase(&node->rb_node, &proc->nodes); 2362 kfree(node); 2363 binder_stats_deleted(BINDER_STAT_NODE); 2364 } else { 2365 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2366 "binder: %d:%d node %d u%p c%p state unchanged\n", 2367 proc->pid, thread->pid, node->debug_id, node->ptr, 2368 node->cookie); 2369 } 2370 } 2371 } break; 2372 case BINDER_WORK_DEAD_BINDER: 2373 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2374 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2375 struct binder_ref_death *death; 2376 uint32_t cmd; 2377 2378 death = container_of(w, struct binder_ref_death, work); 2379 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2380 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2381 else 2382 cmd = BR_DEAD_BINDER; 2383 if (put_user(cmd, (uint32_t __user *)ptr)) 2384 return -EFAULT; 2385 ptr += sizeof(uint32_t); 2386 if (put_user(death->cookie, (void * __user *)ptr)) 2387 return -EFAULT; 2388 ptr += sizeof(void *); 2389 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2390 "binder: %d:%d %s %p\n", 2391 proc->pid, thread->pid, 2392 cmd == BR_DEAD_BINDER ? 2393 "BR_DEAD_BINDER" : 2394 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2395 death->cookie); 2396 2397 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2398 list_del(&w->entry); 2399 kfree(death); 2400 binder_stats_deleted(BINDER_STAT_DEATH); 2401 } else 2402 list_move(&w->entry, &proc->delivered_death); 2403 if (cmd == BR_DEAD_BINDER) 2404 goto done; /* DEAD_BINDER notifications can cause transactions */ 2405 } break; 2406 } 2407 2408 if (!t) 2409 continue; 2410 2411 BUG_ON(t->buffer == NULL); 2412 if (t->buffer->target_node) { 2413 struct binder_node *target_node = t->buffer->target_node; 2414 tr.target.ptr = target_node->ptr; 2415 tr.cookie = target_node->cookie; 2416 t->saved_priority = task_nice(current); 2417 if (t->priority < target_node->min_priority && 2418 !(t->flags & TF_ONE_WAY)) 2419 binder_set_nice(t->priority); 2420 else if (!(t->flags & TF_ONE_WAY) || 2421 t->saved_priority > target_node->min_priority) 2422 binder_set_nice(target_node->min_priority); 2423 cmd = BR_TRANSACTION; 2424 } else { 2425 tr.target.ptr = NULL; 2426 tr.cookie = NULL; 2427 cmd = BR_REPLY; 2428 } 2429 tr.code = t->code; 2430 tr.flags = t->flags; 2431 tr.sender_euid = t->sender_euid; 2432 2433 if (t->from) { 2434 struct task_struct *sender = t->from->proc->tsk; 2435 tr.sender_pid = task_tgid_nr_ns(sender, 2436 current->nsproxy->pid_ns); 2437 } else { 2438 tr.sender_pid = 0; 2439 } 2440 2441 tr.data_size = t->buffer->data_size; 2442 tr.offsets_size = t->buffer->offsets_size; 2443 tr.data.ptr.buffer = (void *)t->buffer->data + 2444 proc->user_buffer_offset; 2445 tr.data.ptr.offsets = tr.data.ptr.buffer + 2446 ALIGN(t->buffer->data_size, 2447 sizeof(void *)); 2448 2449 if (put_user(cmd, (uint32_t __user *)ptr)) 2450 return -EFAULT; 2451 ptr += sizeof(uint32_t); 2452 if (copy_to_user(ptr, &tr, sizeof(tr))) 2453 return -EFAULT; 2454 ptr += sizeof(tr); 2455 2456 binder_stat_br(proc, thread, cmd); 2457 binder_debug(BINDER_DEBUG_TRANSACTION, 2458 "binder: %d:%d %s %d %d:%d, cmd %d" 2459 "size %zd-%zd ptr %p-%p\n", 2460 proc->pid, thread->pid, 2461 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : 2462 "BR_REPLY", 2463 t->debug_id, t->from ? t->from->proc->pid : 0, 2464 t->from ? t->from->pid : 0, cmd, 2465 t->buffer->data_size, t->buffer->offsets_size, 2466 tr.data.ptr.buffer, tr.data.ptr.offsets); 2467 2468 list_del(&t->work.entry); 2469 t->buffer->allow_user_free = 1; 2470 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2471 t->to_parent = thread->transaction_stack; 2472 t->to_thread = thread; 2473 thread->transaction_stack = t; 2474 } else { 2475 t->buffer->transaction = NULL; 2476 kfree(t); 2477 binder_stats_deleted(BINDER_STAT_TRANSACTION); 2478 } 2479 break; 2480 } 2481 2482done: 2483 2484 *consumed = ptr - buffer; 2485 if (proc->requested_threads + proc->ready_threads == 0 && 2486 proc->requested_threads_started < proc->max_threads && 2487 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2488 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2489 /*spawn a new thread if we leave this out */) { 2490 proc->requested_threads++; 2491 binder_debug(BINDER_DEBUG_THREADS, 2492 "binder: %d:%d BR_SPAWN_LOOPER\n", 2493 proc->pid, thread->pid); 2494 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2495 return -EFAULT; 2496 } 2497 return 0; 2498} 2499 2500static void binder_release_work(struct list_head *list) 2501{ 2502 struct binder_work *w; 2503 while (!list_empty(list)) { 2504 w = list_first_entry(list, struct binder_work, entry); 2505 list_del_init(&w->entry); 2506 switch (w->type) { 2507 case BINDER_WORK_TRANSACTION: { 2508 struct binder_transaction *t; 2509 2510 t = container_of(w, struct binder_transaction, work); 2511 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2512 binder_send_failed_reply(t, BR_DEAD_REPLY); 2513 } break; 2514 case BINDER_WORK_TRANSACTION_COMPLETE: { 2515 kfree(w); 2516 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2517 } break; 2518 default: 2519 break; 2520 } 2521 } 2522 2523} 2524 2525static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2526{ 2527 struct binder_thread *thread = NULL; 2528 struct rb_node *parent = NULL; 2529 struct rb_node **p = &proc->threads.rb_node; 2530 2531 while (*p) { 2532 parent = *p; 2533 thread = rb_entry(parent, struct binder_thread, rb_node); 2534 2535 if (current->pid < thread->pid) 2536 p = &(*p)->rb_left; 2537 else if (current->pid > thread->pid) 2538 p = &(*p)->rb_right; 2539 else 2540 break; 2541 } 2542 if (*p == NULL) { 2543 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2544 if (thread == NULL) 2545 return NULL; 2546 binder_stats_created(BINDER_STAT_THREAD); 2547 thread->proc = proc; 2548 thread->pid = current->pid; 2549 init_waitqueue_head(&thread->wait); 2550 INIT_LIST_HEAD(&thread->todo); 2551 rb_link_node(&thread->rb_node, parent, p); 2552 rb_insert_color(&thread->rb_node, &proc->threads); 2553 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2554 thread->return_error = BR_OK; 2555 thread->return_error2 = BR_OK; 2556 } 2557 return thread; 2558} 2559 2560static int binder_free_thread(struct binder_proc *proc, 2561 struct binder_thread *thread) 2562{ 2563 struct binder_transaction *t; 2564 struct binder_transaction *send_reply = NULL; 2565 int active_transactions = 0; 2566 2567 rb_erase(&thread->rb_node, &proc->threads); 2568 t = thread->transaction_stack; 2569 if (t && t->to_thread == thread) 2570 send_reply = t; 2571 while (t) { 2572 active_transactions++; 2573 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2574 "binder: release %d:%d transaction %d " 2575 "%s, still active\n", proc->pid, thread->pid, 2576 t->debug_id, 2577 (t->to_thread == thread) ? "in" : "out"); 2578 2579 if (t->to_thread == thread) { 2580 t->to_proc = NULL; 2581 t->to_thread = NULL; 2582 if (t->buffer) { 2583 t->buffer->transaction = NULL; 2584 t->buffer = NULL; 2585 } 2586 t = t->to_parent; 2587 } else if (t->from == thread) { 2588 t->from = NULL; 2589 t = t->from_parent; 2590 } else 2591 BUG(); 2592 } 2593 if (send_reply) 2594 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2595 binder_release_work(&thread->todo); 2596 kfree(thread); 2597 binder_stats_deleted(BINDER_STAT_THREAD); 2598 return active_transactions; 2599} 2600 2601static unsigned int binder_poll(struct file *filp, 2602 struct poll_table_struct *wait) 2603{ 2604 struct binder_proc *proc = filp->private_data; 2605 struct binder_thread *thread = NULL; 2606 int wait_for_proc_work; 2607 2608 mutex_lock(&binder_lock); 2609 thread = binder_get_thread(proc); 2610 2611 wait_for_proc_work = thread->transaction_stack == NULL && 2612 list_empty(&thread->todo) && thread->return_error == BR_OK; 2613 mutex_unlock(&binder_lock); 2614 2615 if (wait_for_proc_work) { 2616 if (binder_has_proc_work(proc, thread)) 2617 return POLLIN; 2618 poll_wait(filp, &proc->wait, wait); 2619 if (binder_has_proc_work(proc, thread)) 2620 return POLLIN; 2621 } else { 2622 if (binder_has_thread_work(thread)) 2623 return POLLIN; 2624 poll_wait(filp, &thread->wait, wait); 2625 if (binder_has_thread_work(thread)) 2626 return POLLIN; 2627 } 2628 return 0; 2629} 2630 2631static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2632{ 2633 int ret; 2634 struct binder_proc *proc = filp->private_data; 2635 struct binder_thread *thread; 2636 unsigned int size = _IOC_SIZE(cmd); 2637 void __user *ubuf = (void __user *)arg; 2638 2639 /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2640 2641 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2642 if (ret) 2643 return ret; 2644 2645 mutex_lock(&binder_lock); 2646 thread = binder_get_thread(proc); 2647 if (thread == NULL) { 2648 ret = -ENOMEM; 2649 goto err; 2650 } 2651 2652 switch (cmd) { 2653 case BINDER_WRITE_READ: { 2654 struct binder_write_read bwr; 2655 if (size != sizeof(struct binder_write_read)) { 2656 ret = -EINVAL; 2657 goto err; 2658 } 2659 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2660 ret = -EFAULT; 2661 goto err; 2662 } 2663 binder_debug(BINDER_DEBUG_READ_WRITE, 2664 "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2665 proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, 2666 bwr.read_size, bwr.read_buffer); 2667 2668 if (bwr.write_size > 0) { 2669 ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2670 if (ret < 0) { 2671 bwr.read_consumed = 0; 2672 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2673 ret = -EFAULT; 2674 goto err; 2675 } 2676 } 2677 if (bwr.read_size > 0) { 2678 ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2679 if (!list_empty(&proc->todo)) 2680 wake_up_interruptible(&proc->wait); 2681 if (ret < 0) { 2682 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2683 ret = -EFAULT; 2684 goto err; 2685 } 2686 } 2687 binder_debug(BINDER_DEBUG_READ_WRITE, 2688 "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2689 proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, 2690 bwr.read_consumed, bwr.read_size); 2691 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2692 ret = -EFAULT; 2693 goto err; 2694 } 2695 break; 2696 } 2697 case BINDER_SET_MAX_THREADS: 2698 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2699 ret = -EINVAL; 2700 goto err; 2701 } 2702 break; 2703 case BINDER_SET_CONTEXT_MGR: 2704 if (binder_context_mgr_node != NULL) { 2705 printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n"); 2706 ret = -EBUSY; 2707 goto err; 2708 } 2709 if (binder_context_mgr_uid != -1) { 2710 if (binder_context_mgr_uid != current->cred->euid) { 2711 printk(KERN_ERR "binder: BINDER_SET_" 2712 "CONTEXT_MGR bad uid %d != %d\n", 2713 current->cred->euid, 2714 binder_context_mgr_uid); 2715 ret = -EPERM; 2716 goto err; 2717 } 2718 } else 2719 binder_context_mgr_uid = current->cred->euid; 2720 binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2721 if (binder_context_mgr_node == NULL) { 2722 ret = -ENOMEM; 2723 goto err; 2724 } 2725 binder_context_mgr_node->local_weak_refs++; 2726 binder_context_mgr_node->local_strong_refs++; 2727 binder_context_mgr_node->has_strong_ref = 1; 2728 binder_context_mgr_node->has_weak_ref = 1; 2729 break; 2730 case BINDER_THREAD_EXIT: 2731 binder_debug(BINDER_DEBUG_THREADS, "binder: %d:%d exit\n", 2732 proc->pid, thread->pid); 2733 binder_free_thread(proc, thread); 2734 thread = NULL; 2735 break; 2736 case BINDER_VERSION: 2737 if (size != sizeof(struct binder_version)) { 2738 ret = -EINVAL; 2739 goto err; 2740 } 2741 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2742 ret = -EINVAL; 2743 goto err; 2744 } 2745 break; 2746 default: 2747 ret = -EINVAL; 2748 goto err; 2749 } 2750 ret = 0; 2751err: 2752 if (thread) 2753 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2754 mutex_unlock(&binder_lock); 2755 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2756 if (ret && ret != -ERESTARTSYS) 2757 printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2758 return ret; 2759} 2760 2761static void binder_vma_open(struct vm_area_struct *vma) 2762{ 2763 struct binder_proc *proc = vma->vm_private_data; 2764 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2765 "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2766 proc->pid, vma->vm_start, vma->vm_end, 2767 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2768 (unsigned long)pgprot_val(vma->vm_page_prot)); 2769} 2770 2771static void binder_vma_close(struct vm_area_struct *vma) 2772{ 2773 struct binder_proc *proc = vma->vm_private_data; 2774 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2775 "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2776 proc->pid, vma->vm_start, vma->vm_end, 2777 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2778 (unsigned long)pgprot_val(vma->vm_page_prot)); 2779 proc->vma = NULL; 2780 proc->vma_vm_mm = NULL; 2781 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2782} 2783 2784static struct vm_operations_struct binder_vm_ops = { 2785 .open = binder_vma_open, 2786 .close = binder_vma_close, 2787}; 2788 2789static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2790{ 2791 int ret; 2792 struct vm_struct *area; 2793 struct binder_proc *proc = filp->private_data; 2794 const char *failure_string; 2795 struct binder_buffer *buffer; 2796 2797 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2798 vma->vm_end = vma->vm_start + SZ_4M; 2799 2800 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2801 "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2802 proc->pid, vma->vm_start, vma->vm_end, 2803 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2804 (unsigned long)pgprot_val(vma->vm_page_prot)); 2805 2806 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2807 ret = -EPERM; 2808 failure_string = "bad vm_flags"; 2809 goto err_bad_arg; 2810 } 2811 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2812 2813 mutex_lock(&binder_mmap_lock); 2814 if (proc->buffer) { 2815 ret = -EBUSY; 2816 failure_string = "already mapped"; 2817 goto err_already_mapped; 2818 } 2819 2820 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2821 if (area == NULL) { 2822 ret = -ENOMEM; 2823 failure_string = "get_vm_area"; 2824 goto err_get_vm_area_failed; 2825 } 2826 proc->buffer = area->addr; 2827 proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; 2828 mutex_unlock(&binder_mmap_lock); 2829 2830#ifdef CONFIG_CPU_CACHE_VIPT 2831 if (cache_is_vipt_aliasing()) { 2832 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2833 printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2834 vma->vm_start += PAGE_SIZE; 2835 } 2836 } 2837#endif 2838 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2839 if (proc->pages == NULL) { 2840 ret = -ENOMEM; 2841 failure_string = "alloc page array"; 2842 goto err_alloc_pages_failed; 2843 } 2844 proc->buffer_size = vma->vm_end - vma->vm_start; 2845 2846 vma->vm_ops = &binder_vm_ops; 2847 vma->vm_private_data = proc; 2848 2849 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2850 ret = -ENOMEM; 2851 failure_string = "alloc small buf"; 2852 goto err_alloc_small_buf_failed; 2853 } 2854 buffer = proc->buffer; 2855 INIT_LIST_HEAD(&proc->buffers); 2856 list_add(&buffer->entry, &proc->buffers); 2857 buffer->free = 1; 2858 binder_insert_free_buffer(proc, buffer); 2859 proc->free_async_space = proc->buffer_size / 2; 2860 barrier(); 2861 proc->files = get_files_struct(proc->tsk); 2862 proc->vma = vma; 2863 proc->vma_vm_mm = vma->vm_mm; 2864 2865 /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", 2866 proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2867 return 0; 2868 2869err_alloc_small_buf_failed: 2870 kfree(proc->pages); 2871 proc->pages = NULL; 2872err_alloc_pages_failed: 2873 mutex_lock(&binder_mmap_lock); 2874 vfree(proc->buffer); 2875 proc->buffer = NULL; 2876err_get_vm_area_failed: 2877err_already_mapped: 2878 mutex_unlock(&binder_mmap_lock); 2879err_bad_arg: 2880 printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", 2881 proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2882 return ret; 2883} 2884 2885static int binder_open(struct inode *nodp, struct file *filp) 2886{ 2887 struct binder_proc *proc; 2888 2889 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n", 2890 current->group_leader->pid, current->pid); 2891 2892 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2893 if (proc == NULL) 2894 return -ENOMEM; 2895 get_task_struct(current); 2896 proc->tsk = current; 2897 INIT_LIST_HEAD(&proc->todo); 2898 init_waitqueue_head(&proc->wait); 2899 proc->default_priority = task_nice(current); 2900 mutex_lock(&binder_lock); 2901 binder_stats_created(BINDER_STAT_PROC); 2902 hlist_add_head(&proc->proc_node, &binder_procs); 2903 proc->pid = current->group_leader->pid; 2904 INIT_LIST_HEAD(&proc->delivered_death); 2905 filp->private_data = proc; 2906 mutex_unlock(&binder_lock); 2907 2908 if (binder_debugfs_dir_entry_proc) { 2909 char strbuf[11]; 2910 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2911 proc->debugfs_entry = debugfs_create_file(strbuf, S_IRUGO, 2912 binder_debugfs_dir_entry_proc, proc, &binder_proc_fops); 2913 } 2914 2915 return 0; 2916} 2917 2918static int binder_flush(struct file *filp, fl_owner_t id) 2919{ 2920 struct binder_proc *proc = filp->private_data; 2921 2922 binder_defer_work(proc, BINDER_DEFERRED_FLUSH); 2923 2924 return 0; 2925} 2926 2927static void binder_deferred_flush(struct binder_proc *proc) 2928{ 2929 struct rb_node *n; 2930 int wake_count = 0; 2931 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2932 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2933 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2934 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2935 wake_up_interruptible(&thread->wait); 2936 wake_count++; 2937 } 2938 } 2939 wake_up_interruptible_all(&proc->wait); 2940 2941 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2942 "binder_flush: %d woke %d threads\n", proc->pid, 2943 wake_count); 2944} 2945 2946static int binder_release(struct inode *nodp, struct file *filp) 2947{ 2948 struct binder_proc *proc = filp->private_data; 2949 debugfs_remove(proc->debugfs_entry); 2950 binder_defer_work(proc, BINDER_DEFERRED_RELEASE); 2951 2952 return 0; 2953} 2954 2955static void binder_deferred_release(struct binder_proc *proc) 2956{ 2957 struct hlist_node *pos; 2958 struct binder_transaction *t; 2959 struct rb_node *n; 2960 int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2961 2962 BUG_ON(proc->vma); 2963 BUG_ON(proc->files); 2964 2965 hlist_del(&proc->proc_node); 2966 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2967 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2968 "binder_release: %d context_mgr_node gone\n", 2969 proc->pid); 2970 binder_context_mgr_node = NULL; 2971 } 2972 2973 threads = 0; 2974 active_transactions = 0; 2975 while ((n = rb_first(&proc->threads))) { 2976 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2977 threads++; 2978 active_transactions += binder_free_thread(proc, thread); 2979 } 2980 nodes = 0; 2981 incoming_refs = 0; 2982 while ((n = rb_first(&proc->nodes))) { 2983 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2984 2985 nodes++; 2986 rb_erase(&node->rb_node, &proc->nodes); 2987 list_del_init(&node->work.entry); 2988 if (hlist_empty(&node->refs)) { 2989 kfree(node); 2990 binder_stats_deleted(BINDER_STAT_NODE); 2991 } else { 2992 struct binder_ref *ref; 2993 int death = 0; 2994 2995 node->proc = NULL; 2996 node->local_strong_refs = 0; 2997 node->local_weak_refs = 0; 2998 hlist_add_head(&node->dead_node, &binder_dead_nodes); 2999 3000 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 3001 incoming_refs++; 3002 if (ref->death) { 3003 death++; 3004 if (list_empty(&ref->death->work.entry)) { 3005 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 3006 list_add_tail(&ref->death->work.entry, &ref->proc->todo); 3007 wake_up_interruptible(&ref->proc->wait); 3008 } else 3009 BUG(); 3010 } 3011 } 3012 binder_debug(BINDER_DEBUG_DEAD_BINDER, 3013 "binder: node %d now dead, " 3014 "refs %d, death %d\n", node->debug_id, 3015 incoming_refs, death); 3016 } 3017 } 3018 outgoing_refs = 0; 3019 while ((n = rb_first(&proc->refs_by_desc))) { 3020 struct binder_ref *ref = rb_entry(n, struct binder_ref, 3021 rb_node_desc); 3022 outgoing_refs++; 3023 binder_delete_ref(ref); 3024 } 3025 binder_release_work(&proc->todo); 3026 buffers = 0; 3027 3028 while ((n = rb_first(&proc->allocated_buffers))) { 3029 struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, 3030 rb_node); 3031 t = buffer->transaction; 3032 if (t) { 3033 t->buffer = NULL; 3034 buffer->transaction = NULL; 3035 printk(KERN_ERR "binder: release proc %d, " 3036 "transaction %d, not freed\n", 3037 proc->pid, t->debug_id); 3038 /*BUG();*/ 3039 } 3040 binder_free_buf(proc, buffer); 3041 buffers++; 3042 } 3043 3044 binder_stats_deleted(BINDER_STAT_PROC); 3045 3046 page_count = 0; 3047 if (proc->pages) { 3048 int i; 3049 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 3050 if (proc->pages[i]) { 3051 void *page_addr = proc->buffer + i * PAGE_SIZE; 3052 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 3053 "binder_release: %d: " 3054 "page %d at %p not freed\n", 3055 proc->pid, i, 3056 page_addr); 3057 unmap_kernel_range((unsigned long)page_addr, 3058 PAGE_SIZE); 3059 __free_page(proc->pages[i]); 3060 page_count++; 3061 } 3062 } 3063 kfree(proc->pages); 3064 vfree(proc->buffer); 3065 } 3066 3067 put_task_struct(proc->tsk); 3068 3069 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 3070 "binder_release: %d threads %d, nodes %d (ref %d), " 3071 "refs %d, active transactions %d, buffers %d, " 3072 "pages %d\n", 3073 proc->pid, threads, nodes, incoming_refs, outgoing_refs, 3074 active_transactions, buffers, page_count); 3075 3076 kfree(proc); 3077} 3078 3079static void binder_deferred_func(struct work_struct *work) 3080{ 3081 struct binder_proc *proc; 3082 struct files_struct *files; 3083 3084 int defer; 3085 do { 3086 mutex_lock(&binder_lock); 3087 mutex_lock(&binder_deferred_lock); 3088 if (!hlist_empty(&binder_deferred_list)) { 3089 proc = hlist_entry(binder_deferred_list.first, 3090 struct binder_proc, deferred_work_node); 3091 hlist_del_init(&proc->deferred_work_node); 3092 defer = proc->deferred_work; 3093 proc->deferred_work = 0; 3094 } else { 3095 proc = NULL; 3096 defer = 0; 3097 } 3098 mutex_unlock(&binder_deferred_lock); 3099 3100 files = NULL; 3101 if (defer & BINDER_DEFERRED_PUT_FILES) { 3102 files = proc->files; 3103 if (files) 3104 proc->files = NULL; 3105 } 3106 3107 if (defer & BINDER_DEFERRED_FLUSH) 3108 binder_deferred_flush(proc); 3109 3110 if (defer & BINDER_DEFERRED_RELEASE) 3111 binder_deferred_release(proc); /* frees proc */ 3112 3113 mutex_unlock(&binder_lock); 3114 if (files) 3115 put_files_struct(files); 3116 } while (proc); 3117} 3118static DECLARE_WORK(binder_deferred_work, binder_deferred_func); 3119 3120static void 3121binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer) 3122{ 3123 mutex_lock(&binder_deferred_lock); 3124 proc->deferred_work |= defer; 3125 if (hlist_unhashed(&proc->deferred_work_node)) { 3126 hlist_add_head(&proc->deferred_work_node, 3127 &binder_deferred_list); 3128 queue_work(binder_deferred_workqueue, &binder_deferred_work); 3129 } 3130 mutex_unlock(&binder_deferred_lock); 3131} 3132 3133static void print_binder_transaction(struct seq_file *m, const char *prefix, 3134 struct binder_transaction *t) 3135{ 3136 seq_printf(m, 3137 "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", 3138 prefix, t->debug_id, t, 3139 t->from ? t->from->proc->pid : 0, 3140 t->from ? t->from->pid : 0, 3141 t->to_proc ? t->to_proc->pid : 0, 3142 t->to_thread ? t->to_thread->pid : 0, 3143 t->code, t->flags, t->priority, t->need_reply); 3144 if (t->buffer == NULL) { 3145 seq_puts(m, " buffer free\n"); 3146 return; 3147 } 3148 if (t->buffer->target_node) 3149 seq_printf(m, " node %d", 3150 t->buffer->target_node->debug_id); 3151 seq_printf(m, " size %zd:%zd data %p\n", 3152 t->buffer->data_size, t->buffer->offsets_size, 3153 t->buffer->data); 3154} 3155 3156static void print_binder_buffer(struct seq_file *m, const char *prefix, 3157 struct binder_buffer *buffer) 3158{ 3159 seq_printf(m, "%s %d: %p size %zd:%zd %s\n", 3160 prefix, buffer->debug_id, buffer->data, 3161 buffer->data_size, buffer->offsets_size, 3162 buffer->transaction ? "active" : "delivered"); 3163} 3164 3165static void print_binder_work(struct seq_file *m, const char *prefix, 3166 const char *transaction_prefix, 3167 struct binder_work *w) 3168{ 3169 struct binder_node *node; 3170 struct binder_transaction *t; 3171 3172 switch (w->type) { 3173 case BINDER_WORK_TRANSACTION: 3174 t = container_of(w, struct binder_transaction, work); 3175 print_binder_transaction(m, transaction_prefix, t); 3176 break; 3177 case BINDER_WORK_TRANSACTION_COMPLETE: 3178 seq_printf(m, "%stransaction complete\n", prefix); 3179 break; 3180 case BINDER_WORK_NODE: 3181 node = container_of(w, struct binder_node, work); 3182 seq_printf(m, "%snode work %d: u%p c%p\n", 3183 prefix, node->debug_id, node->ptr, node->cookie); 3184 break; 3185 case BINDER_WORK_DEAD_BINDER: 3186 seq_printf(m, "%shas dead binder\n", prefix); 3187 break; 3188 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 3189 seq_printf(m, "%shas cleared dead binder\n", prefix); 3190 break; 3191 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 3192 seq_printf(m, "%shas cleared death notification\n", prefix); 3193 break; 3194 default: 3195 seq_printf(m, "%sunknown work: type %d\n", prefix, w->type); 3196 break; 3197 } 3198} 3199 3200static void print_binder_thread(struct seq_file *m, 3201 struct binder_thread *thread, 3202 int print_always) 3203{ 3204 struct binder_transaction *t; 3205 struct binder_work *w; 3206 size_t start_pos = m->count; 3207 size_t header_pos; 3208 3209 seq_printf(m, " thread %d: l %02x\n", thread->pid, thread->looper); 3210 header_pos = m->count; 3211 t = thread->transaction_stack; 3212 while (t) { 3213 if (t->from == thread) { 3214 print_binder_transaction(m, 3215 " outgoing transaction", t); 3216 t = t->from_parent; 3217 } else if (t->to_thread == thread) { 3218 print_binder_transaction(m, 3219 " incoming transaction", t); 3220 t = t->to_parent; 3221 } else { 3222 print_binder_transaction(m, " bad transaction", t); 3223 t = NULL; 3224 } 3225 } 3226 list_for_each_entry(w, &thread->todo, entry) { 3227 print_binder_work(m, " ", " pending transaction", w); 3228 } 3229 if (!print_always && m->count == header_pos) 3230 m->count = start_pos; 3231} 3232 3233static void print_binder_node(struct seq_file *m, struct binder_node *node) 3234{ 3235 struct binder_ref *ref; 3236 struct hlist_node *pos; 3237 struct binder_work *w; 3238 int count; 3239 3240 count = 0; 3241 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3242 count++; 3243 3244 seq_printf(m, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d", 3245 node->debug_id, node->ptr, node->cookie, 3246 node->has_strong_ref, node->has_weak_ref, 3247 node->local_strong_refs, node->local_weak_refs, 3248 node->internal_strong_refs, count); 3249 if (count) { 3250 seq_puts(m, " proc"); 3251 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3252 seq_printf(m, " %d", ref->proc->pid); 3253 } 3254 seq_puts(m, "\n"); 3255 list_for_each_entry(w, &node->async_todo, entry) 3256 print_binder_work(m, " ", 3257 " pending async transaction", w); 3258} 3259 3260static void print_binder_ref(struct seq_file *m, struct binder_ref *ref) 3261{ 3262 seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %p\n", 3263 ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ", 3264 ref->node->debug_id, ref->strong, ref->weak, ref->death); 3265} 3266 3267static void print_binder_proc(struct seq_file *m, 3268 struct binder_proc *proc, int print_all) 3269{ 3270 struct binder_work *w; 3271 struct rb_node *n; 3272 size_t start_pos = m->count; 3273 size_t header_pos; 3274 3275 seq_printf(m, "proc %d\n", proc->pid); 3276 header_pos = m->count; 3277 3278 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3279 print_binder_thread(m, rb_entry(n, struct binder_thread, 3280 rb_node), print_all); 3281 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) { 3282 struct binder_node *node = rb_entry(n, struct binder_node, 3283 rb_node); 3284 if (print_all || node->has_async_transaction) 3285 print_binder_node(m, node); 3286 } 3287 if (print_all) { 3288 for (n = rb_first(&proc->refs_by_desc); 3289 n != NULL; 3290 n = rb_next(n)) 3291 print_binder_ref(m, rb_entry(n, struct binder_ref, 3292 rb_node_desc)); 3293 } 3294 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3295 print_binder_buffer(m, " buffer", 3296 rb_entry(n, struct binder_buffer, rb_node)); 3297 list_for_each_entry(w, &proc->todo, entry) 3298 print_binder_work(m, " ", " pending transaction", w); 3299 list_for_each_entry(w, &proc->delivered_death, entry) { 3300 seq_puts(m, " has delivered dead binder\n"); 3301 break; 3302 } 3303 if (!print_all && m->count == header_pos) 3304 m->count = start_pos; 3305} 3306 3307static const char *binder_return_strings[] = { 3308 "BR_ERROR", 3309 "BR_OK", 3310 "BR_TRANSACTION", 3311 "BR_REPLY", 3312 "BR_ACQUIRE_RESULT", 3313 "BR_DEAD_REPLY", 3314 "BR_TRANSACTION_COMPLETE", 3315 "BR_INCREFS", 3316 "BR_ACQUIRE", 3317 "BR_RELEASE", 3318 "BR_DECREFS", 3319 "BR_ATTEMPT_ACQUIRE", 3320 "BR_NOOP", 3321 "BR_SPAWN_LOOPER", 3322 "BR_FINISHED", 3323 "BR_DEAD_BINDER", 3324 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3325 "BR_FAILED_REPLY" 3326}; 3327 3328static const char *binder_command_strings[] = { 3329 "BC_TRANSACTION", 3330 "BC_REPLY", 3331 "BC_ACQUIRE_RESULT", 3332 "BC_FREE_BUFFER", 3333 "BC_INCREFS", 3334 "BC_ACQUIRE", 3335 "BC_RELEASE", 3336 "BC_DECREFS", 3337 "BC_INCREFS_DONE", 3338 "BC_ACQUIRE_DONE", 3339 "BC_ATTEMPT_ACQUIRE", 3340 "BC_REGISTER_LOOPER", 3341 "BC_ENTER_LOOPER", 3342 "BC_EXIT_LOOPER", 3343 "BC_REQUEST_DEATH_NOTIFICATION", 3344 "BC_CLEAR_DEATH_NOTIFICATION", 3345 "BC_DEAD_BINDER_DONE" 3346}; 3347 3348static const char *binder_objstat_strings[] = { 3349 "proc", 3350 "thread", 3351 "node", 3352 "ref", 3353 "death", 3354 "transaction", 3355 "transaction_complete" 3356}; 3357 3358static void print_binder_stats(struct seq_file *m, const char *prefix, 3359 struct binder_stats *stats) 3360{ 3361 int i; 3362 3363 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != 3364 ARRAY_SIZE(binder_command_strings)); 3365 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3366 if (stats->bc[i]) 3367 seq_printf(m, "%s%s: %d\n", prefix, 3368 binder_command_strings[i], stats->bc[i]); 3369 } 3370 3371 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != 3372 ARRAY_SIZE(binder_return_strings)); 3373 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3374 if (stats->br[i]) 3375 seq_printf(m, "%s%s: %d\n", prefix, 3376 binder_return_strings[i], stats->br[i]); 3377 } 3378 3379 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3380 ARRAY_SIZE(binder_objstat_strings)); 3381 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3382 ARRAY_SIZE(stats->obj_deleted)); 3383 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3384 if (stats->obj_created[i] || stats->obj_deleted[i]) 3385 seq_printf(m, "%s%s: active %d total %d\n", prefix, 3386 binder_objstat_strings[i], 3387 stats->obj_created[i] - stats->obj_deleted[i], 3388 stats->obj_created[i]); 3389 } 3390} 3391 3392static void print_binder_proc_stats(struct seq_file *m, 3393 struct binder_proc *proc) 3394{ 3395 struct binder_work *w; 3396 struct rb_node *n; 3397 int count, strong, weak; 3398 3399 seq_printf(m, "proc %d\n", proc->pid); 3400 count = 0; 3401 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3402 count++; 3403 seq_printf(m, " threads: %d\n", count); 3404 seq_printf(m, " requested threads: %d+%d/%d\n" 3405 " ready threads %d\n" 3406 " free async space %zd\n", proc->requested_threads, 3407 proc->requested_threads_started, proc->max_threads, 3408 proc->ready_threads, proc->free_async_space); 3409 count = 0; 3410 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3411 count++; 3412 seq_printf(m, " nodes: %d\n", count); 3413 count = 0; 3414 strong = 0; 3415 weak = 0; 3416 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3417 struct binder_ref *ref = rb_entry(n, struct binder_ref, 3418 rb_node_desc); 3419 count++; 3420 strong += ref->strong; 3421 weak += ref->weak; 3422 } 3423 seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak); 3424 3425 count = 0; 3426 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3427 count++; 3428 seq_printf(m, " buffers: %d\n", count); 3429 3430 count = 0; 3431 list_for_each_entry(w, &proc->todo, entry) { 3432 switch (w->type) { 3433 case BINDER_WORK_TRANSACTION: 3434 count++; 3435 break; 3436 default: 3437 break; 3438 } 3439 } 3440 seq_printf(m, " pending transactions: %d\n", count); 3441 3442 print_binder_stats(m, " ", &proc->stats); 3443} 3444 3445 3446static int binder_state_show(struct seq_file *m, void *unused) 3447{ 3448 struct binder_proc *proc; 3449 struct hlist_node *pos; 3450 struct binder_node *node; 3451 int do_lock = !binder_debug_no_lock; 3452 3453 if (do_lock) 3454 mutex_lock(&binder_lock); 3455 3456 seq_puts(m, "binder state:\n"); 3457 3458 if (!hlist_empty(&binder_dead_nodes)) 3459 seq_puts(m, "dead nodes:\n"); 3460 hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) 3461 print_binder_node(m, node); 3462 3463 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3464 print_binder_proc(m, proc, 1); 3465 if (do_lock) 3466 mutex_unlock(&binder_lock); 3467 return 0; 3468} 3469 3470static int binder_stats_show(struct seq_file *m, void *unused) 3471{ 3472 struct binder_proc *proc; 3473 struct hlist_node *pos; 3474 int do_lock = !binder_debug_no_lock; 3475 3476 if (do_lock) 3477 mutex_lock(&binder_lock); 3478 3479 seq_puts(m, "binder stats:\n"); 3480 3481 print_binder_stats(m, "", &binder_stats); 3482 3483 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3484 print_binder_proc_stats(m, proc); 3485 if (do_lock) 3486 mutex_unlock(&binder_lock); 3487 return 0; 3488} 3489 3490static int binder_transactions_show(struct seq_file *m, void *unused) 3491{ 3492 struct binder_proc *proc; 3493 struct hlist_node *pos; 3494 int do_lock = !binder_debug_no_lock; 3495 3496 if (do_lock) 3497 mutex_lock(&binder_lock); 3498 3499 seq_puts(m, "binder transactions:\n"); 3500 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3501 print_binder_proc(m, proc, 0); 3502 if (do_lock) 3503 mutex_unlock(&binder_lock); 3504 return 0; 3505} 3506 3507static int binder_proc_show(struct seq_file *m, void *unused) 3508{ 3509 struct binder_proc *proc = m->private; 3510 int do_lock = !binder_debug_no_lock; 3511 3512 if (do_lock) 3513 mutex_lock(&binder_lock); 3514 seq_puts(m, "binder proc state:\n"); 3515 print_binder_proc(m, proc, 1); 3516 if (do_lock) 3517 mutex_unlock(&binder_lock); 3518 return 0; 3519} 3520 3521static void print_binder_transaction_log_entry(struct seq_file *m, 3522 struct binder_transaction_log_entry *e) 3523{ 3524 seq_printf(m, 3525 "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n", 3526 e->debug_id, (e->call_type == 2) ? "reply" : 3527 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3528 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3529 e->target_handle, e->data_size, e->offsets_size); 3530} 3531 3532static int binder_transaction_log_show(struct seq_file *m, void *unused) 3533{ 3534 struct binder_transaction_log *log = m->private; 3535 int i; 3536 3537 if (log->full) { 3538 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) 3539 print_binder_transaction_log_entry(m, &log->entry[i]); 3540 } 3541 for (i = 0; i < log->next; i++) 3542 print_binder_transaction_log_entry(m, &log->entry[i]); 3543 return 0; 3544} 3545 3546static const struct file_operations binder_fops = { 3547 .owner = THIS_MODULE, 3548 .poll = binder_poll, 3549 .unlocked_ioctl = binder_ioctl, 3550 .mmap = binder_mmap, 3551 .open = binder_open, 3552 .flush = binder_flush, 3553 .release = binder_release, 3554}; 3555 3556static struct miscdevice binder_miscdev = { 3557 .minor = MISC_DYNAMIC_MINOR, 3558 .name = "binder", 3559 .fops = &binder_fops 3560}; 3561 3562BINDER_DEBUG_ENTRY(state); 3563BINDER_DEBUG_ENTRY(stats); 3564BINDER_DEBUG_ENTRY(transactions); 3565BINDER_DEBUG_ENTRY(transaction_log); 3566 3567static int __init binder_init(void) 3568{ 3569 int ret; 3570 3571 binder_deferred_workqueue = create_singlethread_workqueue("binder"); 3572 if (!binder_deferred_workqueue) 3573 return -ENOMEM; 3574 3575 binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL); 3576 if (binder_debugfs_dir_entry_root) 3577 binder_debugfs_dir_entry_proc = debugfs_create_dir("proc", 3578 binder_debugfs_dir_entry_root); 3579 ret = misc_register(&binder_miscdev); 3580 if (binder_debugfs_dir_entry_root) { 3581 debugfs_create_file("state", 3582 S_IRUGO, 3583 binder_debugfs_dir_entry_root, 3584 NULL, 3585 &binder_state_fops); 3586 debugfs_create_file("stats", 3587 S_IRUGO, 3588 binder_debugfs_dir_entry_root, 3589 NULL, 3590 &binder_stats_fops); 3591 debugfs_create_file("transactions", 3592 S_IRUGO, 3593 binder_debugfs_dir_entry_root, 3594 NULL, 3595 &binder_transactions_fops); 3596 debugfs_create_file("transaction_log", 3597 S_IRUGO, 3598 binder_debugfs_dir_entry_root, 3599 &binder_transaction_log, 3600 &binder_transaction_log_fops); 3601 debugfs_create_file("failed_transaction_log", 3602 S_IRUGO, 3603 binder_debugfs_dir_entry_root, 3604 &binder_transaction_log_failed, 3605 &binder_transaction_log_fops); 3606 } 3607 return ret; 3608} 3609 3610device_initcall(binder_init); 3611 3612MODULE_LICENSE("GPL v2"); 3613