binder.c revision 3dffc8271f778b9ac8eb6985c99f23cef7a753d6
1/* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18#include <asm/cacheflush.h> 19#include <linux/fdtable.h> 20#include <linux/file.h> 21#include <linux/fs.h> 22#include <linux/list.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/mutex.h> 27#include <linux/nsproxy.h> 28#include <linux/poll.h> 29#include <linux/proc_fs.h> 30#include <linux/rbtree.h> 31#include <linux/sched.h> 32#include <linux/uaccess.h> 33#include <linux/vmalloc.h> 34#include "binder.h" 35 36static DEFINE_MUTEX(binder_lock); 37static HLIST_HEAD(binder_procs); 38static struct binder_node *binder_context_mgr_node; 39static uid_t binder_context_mgr_uid = -1; 40static int binder_last_id; 41static struct proc_dir_entry *binder_proc_dir_entry_root; 42static struct proc_dir_entry *binder_proc_dir_entry_proc; 43static struct hlist_head binder_dead_nodes; 44static HLIST_HEAD(binder_deferred_list); 45static DEFINE_MUTEX(binder_deferred_lock); 46 47static int binder_read_proc_proc(char *page, char **start, off_t off, 48 int count, int *eof, void *data); 49 50/* This is only defined in include/asm-arm/sizes.h */ 51#ifndef SZ_1K 52#define SZ_1K 0x400 53#endif 54 55#ifndef SZ_4M 56#define SZ_4M 0x400000 57#endif 58 59#define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 60 61#define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 62 63enum { 64 BINDER_DEBUG_USER_ERROR = 1U << 0, 65 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 66 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 67 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 68 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 69 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 70 BINDER_DEBUG_READ_WRITE = 1U << 6, 71 BINDER_DEBUG_USER_REFS = 1U << 7, 72 BINDER_DEBUG_THREADS = 1U << 8, 73 BINDER_DEBUG_TRANSACTION = 1U << 9, 74 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 75 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 76 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 77 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 78 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 79 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 80}; 81static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 82 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 83module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 84 85static int binder_debug_no_lock; 86module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 87 88static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 89static int binder_stop_on_user_error; 90 91static int binder_set_stop_on_user_error(const char *val, 92 struct kernel_param *kp) 93{ 94 int ret; 95 ret = param_set_int(val, kp); 96 if (binder_stop_on_user_error < 2) 97 wake_up(&binder_user_error_wait); 98 return ret; 99} 100module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 101 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 102 103#define binder_user_error(x...) \ 104 do { \ 105 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 106 printk(KERN_INFO x); \ 107 if (binder_stop_on_user_error) \ 108 binder_stop_on_user_error = 2; \ 109 } while (0) 110 111enum { 112 BINDER_STAT_PROC, 113 BINDER_STAT_THREAD, 114 BINDER_STAT_NODE, 115 BINDER_STAT_REF, 116 BINDER_STAT_DEATH, 117 BINDER_STAT_TRANSACTION, 118 BINDER_STAT_TRANSACTION_COMPLETE, 119 BINDER_STAT_COUNT 120}; 121 122struct binder_stats { 123 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 124 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 125 int obj_created[BINDER_STAT_COUNT]; 126 int obj_deleted[BINDER_STAT_COUNT]; 127}; 128 129static struct binder_stats binder_stats; 130 131struct binder_transaction_log_entry { 132 int debug_id; 133 int call_type; 134 int from_proc; 135 int from_thread; 136 int target_handle; 137 int to_proc; 138 int to_thread; 139 int to_node; 140 int data_size; 141 int offsets_size; 142}; 143struct binder_transaction_log { 144 int next; 145 int full; 146 struct binder_transaction_log_entry entry[32]; 147}; 148struct binder_transaction_log binder_transaction_log; 149struct binder_transaction_log binder_transaction_log_failed; 150 151static struct binder_transaction_log_entry *binder_transaction_log_add( 152 struct binder_transaction_log *log) 153{ 154 struct binder_transaction_log_entry *e; 155 e = &log->entry[log->next]; 156 memset(e, 0, sizeof(*e)); 157 log->next++; 158 if (log->next == ARRAY_SIZE(log->entry)) { 159 log->next = 0; 160 log->full = 1; 161 } 162 return e; 163} 164 165struct binder_work { 166 struct list_head entry; 167 enum { 168 BINDER_WORK_TRANSACTION = 1, 169 BINDER_WORK_TRANSACTION_COMPLETE, 170 BINDER_WORK_NODE, 171 BINDER_WORK_DEAD_BINDER, 172 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 173 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 174 } type; 175}; 176 177struct binder_node { 178 int debug_id; 179 struct binder_work work; 180 union { 181 struct rb_node rb_node; 182 struct hlist_node dead_node; 183 }; 184 struct binder_proc *proc; 185 struct hlist_head refs; 186 int internal_strong_refs; 187 int local_weak_refs; 188 int local_strong_refs; 189 void __user *ptr; 190 void __user *cookie; 191 unsigned has_strong_ref:1; 192 unsigned pending_strong_ref:1; 193 unsigned has_weak_ref:1; 194 unsigned pending_weak_ref:1; 195 unsigned has_async_transaction:1; 196 unsigned accept_fds:1; 197 unsigned min_priority:8; 198 struct list_head async_todo; 199}; 200 201struct binder_ref_death { 202 struct binder_work work; 203 void __user *cookie; 204}; 205 206struct binder_ref { 207 /* Lookups needed: */ 208 /* node + proc => ref (transaction) */ 209 /* desc + proc => ref (transaction, inc/dec ref) */ 210 /* node => refs + procs (proc exit) */ 211 int debug_id; 212 struct rb_node rb_node_desc; 213 struct rb_node rb_node_node; 214 struct hlist_node node_entry; 215 struct binder_proc *proc; 216 struct binder_node *node; 217 uint32_t desc; 218 int strong; 219 int weak; 220 struct binder_ref_death *death; 221}; 222 223struct binder_buffer { 224 struct list_head entry; /* free and allocated entries by addesss */ 225 struct rb_node rb_node; /* free entry by size or allocated entry */ 226 /* by address */ 227 unsigned free:1; 228 unsigned allow_user_free:1; 229 unsigned async_transaction:1; 230 unsigned debug_id:29; 231 232 struct binder_transaction *transaction; 233 234 struct binder_node *target_node; 235 size_t data_size; 236 size_t offsets_size; 237 uint8_t data[0]; 238}; 239 240enum { 241 BINDER_DEFERRED_PUT_FILES = 0x01, 242 BINDER_DEFERRED_FLUSH = 0x02, 243 BINDER_DEFERRED_RELEASE = 0x04, 244}; 245 246struct binder_proc { 247 struct hlist_node proc_node; 248 struct rb_root threads; 249 struct rb_root nodes; 250 struct rb_root refs_by_desc; 251 struct rb_root refs_by_node; 252 int pid; 253 struct vm_area_struct *vma; 254 struct task_struct *tsk; 255 struct files_struct *files; 256 struct hlist_node deferred_work_node; 257 int deferred_work; 258 void *buffer; 259 ptrdiff_t user_buffer_offset; 260 261 struct list_head buffers; 262 struct rb_root free_buffers; 263 struct rb_root allocated_buffers; 264 size_t free_async_space; 265 266 struct page **pages; 267 size_t buffer_size; 268 uint32_t buffer_free; 269 struct list_head todo; 270 wait_queue_head_t wait; 271 struct binder_stats stats; 272 struct list_head delivered_death; 273 int max_threads; 274 int requested_threads; 275 int requested_threads_started; 276 int ready_threads; 277 long default_priority; 278}; 279 280enum { 281 BINDER_LOOPER_STATE_REGISTERED = 0x01, 282 BINDER_LOOPER_STATE_ENTERED = 0x02, 283 BINDER_LOOPER_STATE_EXITED = 0x04, 284 BINDER_LOOPER_STATE_INVALID = 0x08, 285 BINDER_LOOPER_STATE_WAITING = 0x10, 286 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 287}; 288 289struct binder_thread { 290 struct binder_proc *proc; 291 struct rb_node rb_node; 292 int pid; 293 int looper; 294 struct binder_transaction *transaction_stack; 295 struct list_head todo; 296 uint32_t return_error; /* Write failed, return error code in read buf */ 297 uint32_t return_error2; /* Write failed, return error code in read */ 298 /* buffer. Used when sending a reply to a dead process that */ 299 /* we are also waiting on */ 300 wait_queue_head_t wait; 301 struct binder_stats stats; 302}; 303 304struct binder_transaction { 305 int debug_id; 306 struct binder_work work; 307 struct binder_thread *from; 308 struct binder_transaction *from_parent; 309 struct binder_proc *to_proc; 310 struct binder_thread *to_thread; 311 struct binder_transaction *to_parent; 312 unsigned need_reply:1; 313 /* unsigned is_dead:1; */ /* not used at the moment */ 314 315 struct binder_buffer *buffer; 316 unsigned int code; 317 unsigned int flags; 318 long priority; 319 long saved_priority; 320 uid_t sender_euid; 321}; 322 323static void binder_defer_work(struct binder_proc *proc, int defer); 324 325/* 326 * copied from get_unused_fd_flags 327 */ 328int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 329{ 330 struct files_struct *files = proc->files; 331 int fd, error; 332 struct fdtable *fdt; 333 unsigned long rlim_cur; 334 unsigned long irqs; 335 336 if (files == NULL) 337 return -ESRCH; 338 339 error = -EMFILE; 340 spin_lock(&files->file_lock); 341 342repeat: 343 fdt = files_fdtable(files); 344 fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds, 345 files->next_fd); 346 347 /* 348 * N.B. For clone tasks sharing a files structure, this test 349 * will limit the total number of files that can be opened. 350 */ 351 rlim_cur = 0; 352 if (lock_task_sighand(proc->tsk, &irqs)) { 353 rlim_cur = proc->tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; 354 unlock_task_sighand(proc->tsk, &irqs); 355 } 356 if (fd >= rlim_cur) 357 goto out; 358 359 /* Do we need to expand the fd array or fd set? */ 360 error = expand_files(files, fd); 361 if (error < 0) 362 goto out; 363 364 if (error) { 365 /* 366 * If we needed to expand the fs array we 367 * might have blocked - try again. 368 */ 369 error = -EMFILE; 370 goto repeat; 371 } 372 373 FD_SET(fd, fdt->open_fds); 374 if (flags & O_CLOEXEC) 375 FD_SET(fd, fdt->close_on_exec); 376 else 377 FD_CLR(fd, fdt->close_on_exec); 378 files->next_fd = fd + 1; 379#if 1 380 /* Sanity check */ 381 if (fdt->fd[fd] != NULL) { 382 printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); 383 fdt->fd[fd] = NULL; 384 } 385#endif 386 error = fd; 387 388out: 389 spin_unlock(&files->file_lock); 390 return error; 391} 392 393/* 394 * copied from fd_install 395 */ 396static void task_fd_install( 397 struct binder_proc *proc, unsigned int fd, struct file *file) 398{ 399 struct files_struct *files = proc->files; 400 struct fdtable *fdt; 401 402 if (files == NULL) 403 return; 404 405 spin_lock(&files->file_lock); 406 fdt = files_fdtable(files); 407 BUG_ON(fdt->fd[fd] != NULL); 408 rcu_assign_pointer(fdt->fd[fd], file); 409 spin_unlock(&files->file_lock); 410} 411 412/* 413 * copied from __put_unused_fd in open.c 414 */ 415static void __put_unused_fd(struct files_struct *files, unsigned int fd) 416{ 417 struct fdtable *fdt = files_fdtable(files); 418 __FD_CLR(fd, fdt->open_fds); 419 if (fd < files->next_fd) 420 files->next_fd = fd; 421} 422 423/* 424 * copied from sys_close 425 */ 426static long task_close_fd(struct binder_proc *proc, unsigned int fd) 427{ 428 struct file *filp; 429 struct files_struct *files = proc->files; 430 struct fdtable *fdt; 431 int retval; 432 433 if (files == NULL) 434 return -ESRCH; 435 436 spin_lock(&files->file_lock); 437 fdt = files_fdtable(files); 438 if (fd >= fdt->max_fds) 439 goto out_unlock; 440 filp = fdt->fd[fd]; 441 if (!filp) 442 goto out_unlock; 443 rcu_assign_pointer(fdt->fd[fd], NULL); 444 FD_CLR(fd, fdt->close_on_exec); 445 __put_unused_fd(files, fd); 446 spin_unlock(&files->file_lock); 447 retval = filp_close(filp, files); 448 449 /* can't restart close syscall because file table entry was cleared */ 450 if (unlikely(retval == -ERESTARTSYS || 451 retval == -ERESTARTNOINTR || 452 retval == -ERESTARTNOHAND || 453 retval == -ERESTART_RESTARTBLOCK)) 454 retval = -EINTR; 455 456 return retval; 457 458out_unlock: 459 spin_unlock(&files->file_lock); 460 return -EBADF; 461} 462 463static void binder_set_nice(long nice) 464{ 465 long min_nice; 466 if (can_nice(current, nice)) { 467 set_user_nice(current, nice); 468 return; 469 } 470 min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 471 if (binder_debug_mask & BINDER_DEBUG_PRIORITY_CAP) 472 printk(KERN_INFO "binder: %d: nice value %ld not allowed use " 473 "%ld instead\n", current->pid, nice, min_nice); 474 set_user_nice(current, min_nice); 475 if (min_nice < 20) 476 return; 477 binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 478} 479 480static size_t binder_buffer_size(struct binder_proc *proc, 481 struct binder_buffer *buffer) 482{ 483 if (list_is_last(&buffer->entry, &proc->buffers)) 484 return proc->buffer + proc->buffer_size - (void *)buffer->data; 485 else 486 return (size_t)list_entry(buffer->entry.next, 487 struct binder_buffer, entry) - (size_t)buffer->data; 488} 489 490static void binder_insert_free_buffer(struct binder_proc *proc, 491 struct binder_buffer *new_buffer) 492{ 493 struct rb_node **p = &proc->free_buffers.rb_node; 494 struct rb_node *parent = NULL; 495 struct binder_buffer *buffer; 496 size_t buffer_size; 497 size_t new_buffer_size; 498 499 BUG_ON(!new_buffer->free); 500 501 new_buffer_size = binder_buffer_size(proc, new_buffer); 502 503 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 504 printk(KERN_INFO "binder: %d: add free buffer, size %zd, " 505 "at %p\n", proc->pid, new_buffer_size, new_buffer); 506 507 while (*p) { 508 parent = *p; 509 buffer = rb_entry(parent, struct binder_buffer, rb_node); 510 BUG_ON(!buffer->free); 511 512 buffer_size = binder_buffer_size(proc, buffer); 513 514 if (new_buffer_size < buffer_size) 515 p = &parent->rb_left; 516 else 517 p = &parent->rb_right; 518 } 519 rb_link_node(&new_buffer->rb_node, parent, p); 520 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 521} 522 523static void binder_insert_allocated_buffer(struct binder_proc *proc, 524 struct binder_buffer *new_buffer) 525{ 526 struct rb_node **p = &proc->allocated_buffers.rb_node; 527 struct rb_node *parent = NULL; 528 struct binder_buffer *buffer; 529 530 BUG_ON(new_buffer->free); 531 532 while (*p) { 533 parent = *p; 534 buffer = rb_entry(parent, struct binder_buffer, rb_node); 535 BUG_ON(buffer->free); 536 537 if (new_buffer < buffer) 538 p = &parent->rb_left; 539 else if (new_buffer > buffer) 540 p = &parent->rb_right; 541 else 542 BUG(); 543 } 544 rb_link_node(&new_buffer->rb_node, parent, p); 545 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 546} 547 548static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc, 549 void __user *user_ptr) 550{ 551 struct rb_node *n = proc->allocated_buffers.rb_node; 552 struct binder_buffer *buffer; 553 struct binder_buffer *kern_ptr; 554 555 kern_ptr = user_ptr - proc->user_buffer_offset 556 - offsetof(struct binder_buffer, data); 557 558 while (n) { 559 buffer = rb_entry(n, struct binder_buffer, rb_node); 560 BUG_ON(buffer->free); 561 562 if (kern_ptr < buffer) 563 n = n->rb_left; 564 else if (kern_ptr > buffer) 565 n = n->rb_right; 566 else 567 return buffer; 568 } 569 return NULL; 570} 571 572static int binder_update_page_range(struct binder_proc *proc, int allocate, 573 void *start, void *end, 574 struct vm_area_struct *vma) 575{ 576 void *page_addr; 577 unsigned long user_page_addr; 578 struct vm_struct tmp_area; 579 struct page **page; 580 struct mm_struct *mm; 581 582 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 583 printk(KERN_INFO "binder: %d: %s pages %p-%p\n", 584 proc->pid, allocate ? "allocate" : "free", start, end); 585 586 if (end <= start) 587 return 0; 588 589 if (vma) 590 mm = NULL; 591 else 592 mm = get_task_mm(proc->tsk); 593 594 if (mm) { 595 down_write(&mm->mmap_sem); 596 vma = proc->vma; 597 } 598 599 if (allocate == 0) 600 goto free_range; 601 602 if (vma == NULL) { 603 printk(KERN_ERR "binder: %d: binder_alloc_buf failed to " 604 "map pages in userspace, no vma\n", proc->pid); 605 goto err_no_vma; 606 } 607 608 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 609 int ret; 610 struct page **page_array_ptr; 611 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 612 613 BUG_ON(*page); 614 *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 615 if (*page == NULL) { 616 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 617 "for page at %p\n", proc->pid, page_addr); 618 goto err_alloc_page_failed; 619 } 620 tmp_area.addr = page_addr; 621 tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 622 page_array_ptr = page; 623 ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 624 if (ret) { 625 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 626 "to map page at %p in kernel\n", 627 proc->pid, page_addr); 628 goto err_map_kernel_failed; 629 } 630 user_page_addr = 631 (uintptr_t)page_addr + proc->user_buffer_offset; 632 ret = vm_insert_page(vma, user_page_addr, page[0]); 633 if (ret) { 634 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 635 "to map page at %lx in userspace\n", 636 proc->pid, user_page_addr); 637 goto err_vm_insert_page_failed; 638 } 639 /* vm_insert_page does not seem to increment the refcount */ 640 } 641 if (mm) { 642 up_write(&mm->mmap_sem); 643 mmput(mm); 644 } 645 return 0; 646 647free_range: 648 for (page_addr = end - PAGE_SIZE; page_addr >= start; 649 page_addr -= PAGE_SIZE) { 650 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 651 if (vma) 652 zap_page_range(vma, (uintptr_t)page_addr + 653 proc->user_buffer_offset, PAGE_SIZE, NULL); 654err_vm_insert_page_failed: 655 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 656err_map_kernel_failed: 657 __free_page(*page); 658 *page = NULL; 659err_alloc_page_failed: 660 ; 661 } 662err_no_vma: 663 if (mm) { 664 up_write(&mm->mmap_sem); 665 mmput(mm); 666 } 667 return -ENOMEM; 668} 669 670static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 671 size_t data_size, 672 size_t offsets_size, int is_async) 673{ 674 struct rb_node *n = proc->free_buffers.rb_node; 675 struct binder_buffer *buffer; 676 size_t buffer_size; 677 struct rb_node *best_fit = NULL; 678 void *has_page_addr; 679 void *end_page_addr; 680 size_t size; 681 682 if (proc->vma == NULL) { 683 printk(KERN_ERR "binder: %d: binder_alloc_buf, no vma\n", 684 proc->pid); 685 return NULL; 686 } 687 688 size = ALIGN(data_size, sizeof(void *)) + 689 ALIGN(offsets_size, sizeof(void *)); 690 691 if (size < data_size || size < offsets_size) { 692 binder_user_error("binder: %d: got transaction with invalid " 693 "size %zd-%zd\n", proc->pid, data_size, offsets_size); 694 return NULL; 695 } 696 697 if (is_async && 698 proc->free_async_space < size + sizeof(struct binder_buffer)) { 699 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 700 printk(KERN_ERR 701 "binder: %d: binder_alloc_buf size %zd failed, " 702 "no async space left\n", proc->pid, size); 703 return NULL; 704 } 705 706 while (n) { 707 buffer = rb_entry(n, struct binder_buffer, rb_node); 708 BUG_ON(!buffer->free); 709 buffer_size = binder_buffer_size(proc, buffer); 710 711 if (size < buffer_size) { 712 best_fit = n; 713 n = n->rb_left; 714 } else if (size > buffer_size) 715 n = n->rb_right; 716 else { 717 best_fit = n; 718 break; 719 } 720 } 721 if (best_fit == NULL) { 722 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd failed, " 723 "no address space\n", proc->pid, size); 724 return NULL; 725 } 726 if (n == NULL) { 727 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 728 buffer_size = binder_buffer_size(proc, buffer); 729 } 730 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 731 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd got buff" 732 "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 733 734 has_page_addr = 735 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 736 if (n == NULL) { 737 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 738 buffer_size = size; /* no room for other buffers */ 739 else 740 buffer_size = size + sizeof(struct binder_buffer); 741 } 742 end_page_addr = 743 (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); 744 if (end_page_addr > has_page_addr) 745 end_page_addr = has_page_addr; 746 if (binder_update_page_range(proc, 1, 747 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) 748 return NULL; 749 750 rb_erase(best_fit, &proc->free_buffers); 751 buffer->free = 0; 752 binder_insert_allocated_buffer(proc, buffer); 753 if (buffer_size != size) { 754 struct binder_buffer *new_buffer = (void *)buffer->data + size; 755 list_add(&new_buffer->entry, &buffer->entry); 756 new_buffer->free = 1; 757 binder_insert_free_buffer(proc, new_buffer); 758 } 759 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 760 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd got " 761 "%p\n", proc->pid, size, buffer); 762 buffer->data_size = data_size; 763 buffer->offsets_size = offsets_size; 764 buffer->async_transaction = is_async; 765 if (is_async) { 766 proc->free_async_space -= size + sizeof(struct binder_buffer); 767 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC_ASYNC) 768 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd " 769 "async free %zd\n", proc->pid, size, 770 proc->free_async_space); 771 } 772 773 return buffer; 774} 775 776static void *buffer_start_page(struct binder_buffer *buffer) 777{ 778 return (void *)((uintptr_t)buffer & PAGE_MASK); 779} 780 781static void *buffer_end_page(struct binder_buffer *buffer) 782{ 783 return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); 784} 785 786static void binder_delete_free_buffer(struct binder_proc *proc, 787 struct binder_buffer *buffer) 788{ 789 struct binder_buffer *prev, *next = NULL; 790 int free_page_end = 1; 791 int free_page_start = 1; 792 793 BUG_ON(proc->buffers.next == &buffer->entry); 794 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 795 BUG_ON(!prev->free); 796 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 797 free_page_start = 0; 798 if (buffer_end_page(prev) == buffer_end_page(buffer)) 799 free_page_end = 0; 800 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 801 printk(KERN_INFO "binder: %d: merge free, buffer %p " 802 "share page with %p\n", proc->pid, buffer, prev); 803 } 804 805 if (!list_is_last(&buffer->entry, &proc->buffers)) { 806 next = list_entry(buffer->entry.next, 807 struct binder_buffer, entry); 808 if (buffer_start_page(next) == buffer_end_page(buffer)) { 809 free_page_end = 0; 810 if (buffer_start_page(next) == 811 buffer_start_page(buffer)) 812 free_page_start = 0; 813 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 814 printk(KERN_INFO "binder: %d: merge free, " 815 "buffer %p share page with %p\n", 816 proc->pid, buffer, prev); 817 } 818 } 819 list_del(&buffer->entry); 820 if (free_page_start || free_page_end) { 821 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 822 printk(KERN_INFO "binder: %d: merge free, buffer %p do " 823 "not share page%s%s with with %p or %p\n", 824 proc->pid, buffer, free_page_start ? "" : " end", 825 free_page_end ? "" : " start", prev, next); 826 binder_update_page_range(proc, 0, free_page_start ? 827 buffer_start_page(buffer) : buffer_end_page(buffer), 828 (free_page_end ? buffer_end_page(buffer) : 829 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 830 } 831} 832 833static void binder_free_buf(struct binder_proc *proc, 834 struct binder_buffer *buffer) 835{ 836 size_t size, buffer_size; 837 838 buffer_size = binder_buffer_size(proc, buffer); 839 840 size = ALIGN(buffer->data_size, sizeof(void *)) + 841 ALIGN(buffer->offsets_size, sizeof(void *)); 842 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 843 printk(KERN_INFO "binder: %d: binder_free_buf %p size %zd buffer" 844 "_size %zd\n", proc->pid, buffer, size, buffer_size); 845 846 BUG_ON(buffer->free); 847 BUG_ON(size > buffer_size); 848 BUG_ON(buffer->transaction != NULL); 849 BUG_ON((void *)buffer < proc->buffer); 850 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 851 852 if (buffer->async_transaction) { 853 proc->free_async_space += size + sizeof(struct binder_buffer); 854 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC_ASYNC) 855 printk(KERN_INFO "binder: %d: binder_free_buf size %zd " 856 "async free %zd\n", proc->pid, size, 857 proc->free_async_space); 858 } 859 860 binder_update_page_range(proc, 0, 861 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 862 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), 863 NULL); 864 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 865 buffer->free = 1; 866 if (!list_is_last(&buffer->entry, &proc->buffers)) { 867 struct binder_buffer *next = list_entry(buffer->entry.next, 868 struct binder_buffer, entry); 869 if (next->free) { 870 rb_erase(&next->rb_node, &proc->free_buffers); 871 binder_delete_free_buffer(proc, next); 872 } 873 } 874 if (proc->buffers.next != &buffer->entry) { 875 struct binder_buffer *prev = list_entry(buffer->entry.prev, 876 struct binder_buffer, entry); 877 if (prev->free) { 878 binder_delete_free_buffer(proc, buffer); 879 rb_erase(&prev->rb_node, &proc->free_buffers); 880 buffer = prev; 881 } 882 } 883 binder_insert_free_buffer(proc, buffer); 884} 885 886static struct binder_node *binder_get_node(struct binder_proc *proc, 887 void __user *ptr) 888{ 889 struct rb_node *n = proc->nodes.rb_node; 890 struct binder_node *node; 891 892 while (n) { 893 node = rb_entry(n, struct binder_node, rb_node); 894 895 if (ptr < node->ptr) 896 n = n->rb_left; 897 else if (ptr > node->ptr) 898 n = n->rb_right; 899 else 900 return node; 901 } 902 return NULL; 903} 904 905static struct binder_node *binder_new_node(struct binder_proc *proc, 906 void __user *ptr, 907 void __user *cookie) 908{ 909 struct rb_node **p = &proc->nodes.rb_node; 910 struct rb_node *parent = NULL; 911 struct binder_node *node; 912 913 while (*p) { 914 parent = *p; 915 node = rb_entry(parent, struct binder_node, rb_node); 916 917 if (ptr < node->ptr) 918 p = &(*p)->rb_left; 919 else if (ptr > node->ptr) 920 p = &(*p)->rb_right; 921 else 922 return NULL; 923 } 924 925 node = kzalloc(sizeof(*node), GFP_KERNEL); 926 if (node == NULL) 927 return NULL; 928 binder_stats.obj_created[BINDER_STAT_NODE]++; 929 rb_link_node(&node->rb_node, parent, p); 930 rb_insert_color(&node->rb_node, &proc->nodes); 931 node->debug_id = ++binder_last_id; 932 node->proc = proc; 933 node->ptr = ptr; 934 node->cookie = cookie; 935 node->work.type = BINDER_WORK_NODE; 936 INIT_LIST_HEAD(&node->work.entry); 937 INIT_LIST_HEAD(&node->async_todo); 938 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 939 printk(KERN_INFO "binder: %d:%d node %d u%p c%p created\n", 940 proc->pid, current->pid, node->debug_id, 941 node->ptr, node->cookie); 942 return node; 943} 944 945static int binder_inc_node(struct binder_node *node, int strong, int internal, 946 struct list_head *target_list) 947{ 948 if (strong) { 949 if (internal) { 950 if (target_list == NULL && 951 node->internal_strong_refs == 0 && 952 !(node == binder_context_mgr_node && 953 node->has_strong_ref)) { 954 printk(KERN_ERR "binder: invalid inc strong " 955 "node for %d\n", node->debug_id); 956 return -EINVAL; 957 } 958 node->internal_strong_refs++; 959 } else 960 node->local_strong_refs++; 961 if (!node->has_strong_ref && target_list) { 962 list_del_init(&node->work.entry); 963 list_add_tail(&node->work.entry, target_list); 964 } 965 } else { 966 if (!internal) 967 node->local_weak_refs++; 968 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 969 if (target_list == NULL) { 970 printk(KERN_ERR "binder: invalid inc weak node " 971 "for %d\n", node->debug_id); 972 return -EINVAL; 973 } 974 list_add_tail(&node->work.entry, target_list); 975 } 976 } 977 return 0; 978} 979 980static int binder_dec_node(struct binder_node *node, int strong, int internal) 981{ 982 if (strong) { 983 if (internal) 984 node->internal_strong_refs--; 985 else 986 node->local_strong_refs--; 987 if (node->local_strong_refs || node->internal_strong_refs) 988 return 0; 989 } else { 990 if (!internal) 991 node->local_weak_refs--; 992 if (node->local_weak_refs || !hlist_empty(&node->refs)) 993 return 0; 994 } 995 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 996 if (list_empty(&node->work.entry)) { 997 list_add_tail(&node->work.entry, &node->proc->todo); 998 wake_up_interruptible(&node->proc->wait); 999 } 1000 } else { 1001 if (hlist_empty(&node->refs) && !node->local_strong_refs && 1002 !node->local_weak_refs) { 1003 list_del_init(&node->work.entry); 1004 if (node->proc) { 1005 rb_erase(&node->rb_node, &node->proc->nodes); 1006 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1007 printk(KERN_INFO "binder: refless node %d deleted\n", node->debug_id); 1008 } else { 1009 hlist_del(&node->dead_node); 1010 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1011 printk(KERN_INFO "binder: dead node %d deleted\n", node->debug_id); 1012 } 1013 kfree(node); 1014 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 1015 } 1016 } 1017 1018 return 0; 1019} 1020 1021 1022static struct binder_ref *binder_get_ref(struct binder_proc *proc, 1023 uint32_t desc) 1024{ 1025 struct rb_node *n = proc->refs_by_desc.rb_node; 1026 struct binder_ref *ref; 1027 1028 while (n) { 1029 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1030 1031 if (desc < ref->desc) 1032 n = n->rb_left; 1033 else if (desc > ref->desc) 1034 n = n->rb_right; 1035 else 1036 return ref; 1037 } 1038 return NULL; 1039} 1040 1041static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc, 1042 struct binder_node *node) 1043{ 1044 struct rb_node *n; 1045 struct rb_node **p = &proc->refs_by_node.rb_node; 1046 struct rb_node *parent = NULL; 1047 struct binder_ref *ref, *new_ref; 1048 1049 while (*p) { 1050 parent = *p; 1051 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1052 1053 if (node < ref->node) 1054 p = &(*p)->rb_left; 1055 else if (node > ref->node) 1056 p = &(*p)->rb_right; 1057 else 1058 return ref; 1059 } 1060 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1061 if (new_ref == NULL) 1062 return NULL; 1063 binder_stats.obj_created[BINDER_STAT_REF]++; 1064 new_ref->debug_id = ++binder_last_id; 1065 new_ref->proc = proc; 1066 new_ref->node = node; 1067 rb_link_node(&new_ref->rb_node_node, parent, p); 1068 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1069 1070 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1071 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1072 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1073 if (ref->desc > new_ref->desc) 1074 break; 1075 new_ref->desc = ref->desc + 1; 1076 } 1077 1078 p = &proc->refs_by_desc.rb_node; 1079 while (*p) { 1080 parent = *p; 1081 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1082 1083 if (new_ref->desc < ref->desc) 1084 p = &(*p)->rb_left; 1085 else if (new_ref->desc > ref->desc) 1086 p = &(*p)->rb_right; 1087 else 1088 BUG(); 1089 } 1090 rb_link_node(&new_ref->rb_node_desc, parent, p); 1091 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1092 if (node) { 1093 hlist_add_head(&new_ref->node_entry, &node->refs); 1094 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1095 printk(KERN_INFO "binder: %d new ref %d desc %d for " 1096 "node %d\n", proc->pid, new_ref->debug_id, 1097 new_ref->desc, node->debug_id); 1098 } else { 1099 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1100 printk(KERN_INFO "binder: %d new ref %d desc %d for " 1101 "dead node\n", proc->pid, new_ref->debug_id, 1102 new_ref->desc); 1103 } 1104 return new_ref; 1105} 1106 1107static void binder_delete_ref(struct binder_ref *ref) 1108{ 1109 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1110 printk(KERN_INFO "binder: %d delete ref %d desc %d for " 1111 "node %d\n", ref->proc->pid, ref->debug_id, 1112 ref->desc, ref->node->debug_id); 1113 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1114 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1115 if (ref->strong) 1116 binder_dec_node(ref->node, 1, 1); 1117 hlist_del(&ref->node_entry); 1118 binder_dec_node(ref->node, 0, 1); 1119 if (ref->death) { 1120 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1121 printk(KERN_INFO "binder: %d delete ref %d desc %d " 1122 "has death notification\n", ref->proc->pid, 1123 ref->debug_id, ref->desc); 1124 list_del(&ref->death->work.entry); 1125 kfree(ref->death); 1126 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 1127 } 1128 kfree(ref); 1129 binder_stats.obj_deleted[BINDER_STAT_REF]++; 1130} 1131 1132static int binder_inc_ref(struct binder_ref *ref, int strong, 1133 struct list_head *target_list) 1134{ 1135 int ret; 1136 if (strong) { 1137 if (ref->strong == 0) { 1138 ret = binder_inc_node(ref->node, 1, 1, target_list); 1139 if (ret) 1140 return ret; 1141 } 1142 ref->strong++; 1143 } else { 1144 if (ref->weak == 0) { 1145 ret = binder_inc_node(ref->node, 0, 1, target_list); 1146 if (ret) 1147 return ret; 1148 } 1149 ref->weak++; 1150 } 1151 return 0; 1152} 1153 1154 1155static int binder_dec_ref(struct binder_ref *ref, int strong) 1156{ 1157 if (strong) { 1158 if (ref->strong == 0) { 1159 binder_user_error("binder: %d invalid dec strong, " 1160 "ref %d desc %d s %d w %d\n", 1161 ref->proc->pid, ref->debug_id, 1162 ref->desc, ref->strong, ref->weak); 1163 return -EINVAL; 1164 } 1165 ref->strong--; 1166 if (ref->strong == 0) { 1167 int ret; 1168 ret = binder_dec_node(ref->node, strong, 1); 1169 if (ret) 1170 return ret; 1171 } 1172 } else { 1173 if (ref->weak == 0) { 1174 binder_user_error("binder: %d invalid dec weak, " 1175 "ref %d desc %d s %d w %d\n", 1176 ref->proc->pid, ref->debug_id, 1177 ref->desc, ref->strong, ref->weak); 1178 return -EINVAL; 1179 } 1180 ref->weak--; 1181 } 1182 if (ref->strong == 0 && ref->weak == 0) 1183 binder_delete_ref(ref); 1184 return 0; 1185} 1186 1187static void binder_pop_transaction(struct binder_thread *target_thread, 1188 struct binder_transaction *t) 1189{ 1190 if (target_thread) { 1191 BUG_ON(target_thread->transaction_stack != t); 1192 BUG_ON(target_thread->transaction_stack->from != target_thread); 1193 target_thread->transaction_stack = 1194 target_thread->transaction_stack->from_parent; 1195 t->from = NULL; 1196 } 1197 t->need_reply = 0; 1198 if (t->buffer) 1199 t->buffer->transaction = NULL; 1200 kfree(t); 1201 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1202} 1203 1204static void binder_send_failed_reply(struct binder_transaction *t, 1205 uint32_t error_code) 1206{ 1207 struct binder_thread *target_thread; 1208 BUG_ON(t->flags & TF_ONE_WAY); 1209 while (1) { 1210 target_thread = t->from; 1211 if (target_thread) { 1212 if (target_thread->return_error != BR_OK && 1213 target_thread->return_error2 == BR_OK) { 1214 target_thread->return_error2 = 1215 target_thread->return_error; 1216 target_thread->return_error = BR_OK; 1217 } 1218 if (target_thread->return_error == BR_OK) { 1219 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1220 printk(KERN_INFO "binder: send failed reply for transaction %d to %d:%d\n", 1221 t->debug_id, target_thread->proc->pid, target_thread->pid); 1222 1223 binder_pop_transaction(target_thread, t); 1224 target_thread->return_error = error_code; 1225 wake_up_interruptible(&target_thread->wait); 1226 } else { 1227 printk(KERN_ERR "binder: reply failed, target " 1228 "thread, %d:%d, has error code %d " 1229 "already\n", target_thread->proc->pid, 1230 target_thread->pid, 1231 target_thread->return_error); 1232 } 1233 return; 1234 } else { 1235 struct binder_transaction *next = t->from_parent; 1236 1237 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1238 printk(KERN_INFO "binder: send failed reply " 1239 "for transaction %d, target dead\n", 1240 t->debug_id); 1241 1242 binder_pop_transaction(target_thread, t); 1243 if (next == NULL) { 1244 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1245 printk(KERN_INFO "binder: reply failed," 1246 " no target thread at root\n"); 1247 return; 1248 } 1249 t = next; 1250 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1251 printk(KERN_INFO "binder: reply failed, no targ" 1252 "et thread -- retry %d\n", t->debug_id); 1253 } 1254 } 1255} 1256 1257static void binder_transaction_buffer_release(struct binder_proc *proc, 1258 struct binder_buffer *buffer, 1259 size_t *failed_at); 1260 1261static void binder_transaction(struct binder_proc *proc, 1262 struct binder_thread *thread, 1263 struct binder_transaction_data *tr, int reply) 1264{ 1265 struct binder_transaction *t; 1266 struct binder_work *tcomplete; 1267 size_t *offp, *off_end; 1268 struct binder_proc *target_proc; 1269 struct binder_thread *target_thread = NULL; 1270 struct binder_node *target_node = NULL; 1271 struct list_head *target_list; 1272 wait_queue_head_t *target_wait; 1273 struct binder_transaction *in_reply_to = NULL; 1274 struct binder_transaction_log_entry *e; 1275 uint32_t return_error; 1276 1277 e = binder_transaction_log_add(&binder_transaction_log); 1278 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1279 e->from_proc = proc->pid; 1280 e->from_thread = thread->pid; 1281 e->target_handle = tr->target.handle; 1282 e->data_size = tr->data_size; 1283 e->offsets_size = tr->offsets_size; 1284 1285 if (reply) { 1286 in_reply_to = thread->transaction_stack; 1287 if (in_reply_to == NULL) { 1288 binder_user_error("binder: %d:%d got reply transaction " 1289 "with no transaction stack\n", 1290 proc->pid, thread->pid); 1291 return_error = BR_FAILED_REPLY; 1292 goto err_empty_call_stack; 1293 } 1294 binder_set_nice(in_reply_to->saved_priority); 1295 if (in_reply_to->to_thread != thread) { 1296 binder_user_error("binder: %d:%d got reply transaction " 1297 "with bad transaction stack," 1298 " transaction %d has target %d:%d\n", 1299 proc->pid, thread->pid, in_reply_to->debug_id, 1300 in_reply_to->to_proc ? 1301 in_reply_to->to_proc->pid : 0, 1302 in_reply_to->to_thread ? 1303 in_reply_to->to_thread->pid : 0); 1304 return_error = BR_FAILED_REPLY; 1305 in_reply_to = NULL; 1306 goto err_bad_call_stack; 1307 } 1308 thread->transaction_stack = in_reply_to->to_parent; 1309 target_thread = in_reply_to->from; 1310 if (target_thread == NULL) { 1311 return_error = BR_DEAD_REPLY; 1312 goto err_dead_binder; 1313 } 1314 if (target_thread->transaction_stack != in_reply_to) { 1315 binder_user_error("binder: %d:%d got reply transaction " 1316 "with bad target transaction stack %d, " 1317 "expected %d\n", 1318 proc->pid, thread->pid, 1319 target_thread->transaction_stack ? 1320 target_thread->transaction_stack->debug_id : 0, 1321 in_reply_to->debug_id); 1322 return_error = BR_FAILED_REPLY; 1323 in_reply_to = NULL; 1324 target_thread = NULL; 1325 goto err_dead_binder; 1326 } 1327 target_proc = target_thread->proc; 1328 } else { 1329 if (tr->target.handle) { 1330 struct binder_ref *ref; 1331 ref = binder_get_ref(proc, tr->target.handle); 1332 if (ref == NULL) { 1333 binder_user_error("binder: %d:%d got " 1334 "transaction to invalid handle\n", 1335 proc->pid, thread->pid); 1336 return_error = BR_FAILED_REPLY; 1337 goto err_invalid_target_handle; 1338 } 1339 target_node = ref->node; 1340 } else { 1341 target_node = binder_context_mgr_node; 1342 if (target_node == NULL) { 1343 return_error = BR_DEAD_REPLY; 1344 goto err_no_context_mgr_node; 1345 } 1346 } 1347 e->to_node = target_node->debug_id; 1348 target_proc = target_node->proc; 1349 if (target_proc == NULL) { 1350 return_error = BR_DEAD_REPLY; 1351 goto err_dead_binder; 1352 } 1353 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1354 struct binder_transaction *tmp; 1355 tmp = thread->transaction_stack; 1356 if (tmp->to_thread != thread) { 1357 binder_user_error("binder: %d:%d got new " 1358 "transaction with bad transaction stack" 1359 ", transaction %d has target %d:%d\n", 1360 proc->pid, thread->pid, tmp->debug_id, 1361 tmp->to_proc ? tmp->to_proc->pid : 0, 1362 tmp->to_thread ? 1363 tmp->to_thread->pid : 0); 1364 return_error = BR_FAILED_REPLY; 1365 goto err_bad_call_stack; 1366 } 1367 while (tmp) { 1368 if (tmp->from && tmp->from->proc == target_proc) 1369 target_thread = tmp->from; 1370 tmp = tmp->from_parent; 1371 } 1372 } 1373 } 1374 if (target_thread) { 1375 e->to_thread = target_thread->pid; 1376 target_list = &target_thread->todo; 1377 target_wait = &target_thread->wait; 1378 } else { 1379 target_list = &target_proc->todo; 1380 target_wait = &target_proc->wait; 1381 } 1382 e->to_proc = target_proc->pid; 1383 1384 /* TODO: reuse incoming transaction for reply */ 1385 t = kzalloc(sizeof(*t), GFP_KERNEL); 1386 if (t == NULL) { 1387 return_error = BR_FAILED_REPLY; 1388 goto err_alloc_t_failed; 1389 } 1390 binder_stats.obj_created[BINDER_STAT_TRANSACTION]++; 1391 1392 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1393 if (tcomplete == NULL) { 1394 return_error = BR_FAILED_REPLY; 1395 goto err_alloc_tcomplete_failed; 1396 } 1397 binder_stats.obj_created[BINDER_STAT_TRANSACTION_COMPLETE]++; 1398 1399 t->debug_id = ++binder_last_id; 1400 e->debug_id = t->debug_id; 1401 1402 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) { 1403 if (reply) 1404 printk(KERN_INFO "binder: %d:%d BC_REPLY %d -> %d:%d, " 1405 "data %p-%p size %zd-%zd\n", 1406 proc->pid, thread->pid, t->debug_id, 1407 target_proc->pid, target_thread->pid, 1408 tr->data.ptr.buffer, tr->data.ptr.offsets, 1409 tr->data_size, tr->offsets_size); 1410 else 1411 printk(KERN_INFO "binder: %d:%d BC_TRANSACTION %d -> " 1412 "%d - node %d, data %p-%p size %zd-%zd\n", 1413 proc->pid, thread->pid, t->debug_id, 1414 target_proc->pid, target_node->debug_id, 1415 tr->data.ptr.buffer, tr->data.ptr.offsets, 1416 tr->data_size, tr->offsets_size); 1417 } 1418 1419 if (!reply && !(tr->flags & TF_ONE_WAY)) 1420 t->from = thread; 1421 else 1422 t->from = NULL; 1423 t->sender_euid = proc->tsk->cred->euid; 1424 t->to_proc = target_proc; 1425 t->to_thread = target_thread; 1426 t->code = tr->code; 1427 t->flags = tr->flags; 1428 t->priority = task_nice(current); 1429 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1430 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1431 if (t->buffer == NULL) { 1432 return_error = BR_FAILED_REPLY; 1433 goto err_binder_alloc_buf_failed; 1434 } 1435 t->buffer->allow_user_free = 0; 1436 t->buffer->debug_id = t->debug_id; 1437 t->buffer->transaction = t; 1438 t->buffer->target_node = target_node; 1439 if (target_node) 1440 binder_inc_node(target_node, 1, 0, NULL); 1441 1442 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1443 1444 if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1445 binder_user_error("binder: %d:%d got transaction with invalid " 1446 "data ptr\n", proc->pid, thread->pid); 1447 return_error = BR_FAILED_REPLY; 1448 goto err_copy_data_failed; 1449 } 1450 if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1451 binder_user_error("binder: %d:%d got transaction with invalid " 1452 "offsets ptr\n", proc->pid, thread->pid); 1453 return_error = BR_FAILED_REPLY; 1454 goto err_copy_data_failed; 1455 } 1456 if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { 1457 binder_user_error("binder: %d:%d got transaction with " 1458 "invalid offsets size, %zd\n", 1459 proc->pid, thread->pid, tr->offsets_size); 1460 return_error = BR_FAILED_REPLY; 1461 goto err_bad_offset; 1462 } 1463 off_end = (void *)offp + tr->offsets_size; 1464 for (; offp < off_end; offp++) { 1465 struct flat_binder_object *fp; 1466 if (*offp > t->buffer->data_size - sizeof(*fp) || 1467 t->buffer->data_size < sizeof(*fp) || 1468 !IS_ALIGNED(*offp, sizeof(void *))) { 1469 binder_user_error("binder: %d:%d got transaction with " 1470 "invalid offset, %zd\n", 1471 proc->pid, thread->pid, *offp); 1472 return_error = BR_FAILED_REPLY; 1473 goto err_bad_offset; 1474 } 1475 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1476 switch (fp->type) { 1477 case BINDER_TYPE_BINDER: 1478 case BINDER_TYPE_WEAK_BINDER: { 1479 struct binder_ref *ref; 1480 struct binder_node *node = binder_get_node(proc, fp->binder); 1481 if (node == NULL) { 1482 node = binder_new_node(proc, fp->binder, fp->cookie); 1483 if (node == NULL) { 1484 return_error = BR_FAILED_REPLY; 1485 goto err_binder_new_node_failed; 1486 } 1487 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1488 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1489 } 1490 if (fp->cookie != node->cookie) { 1491 binder_user_error("binder: %d:%d sending u%p " 1492 "node %d, cookie mismatch %p != %p\n", 1493 proc->pid, thread->pid, 1494 fp->binder, node->debug_id, 1495 fp->cookie, node->cookie); 1496 goto err_binder_get_ref_for_node_failed; 1497 } 1498 ref = binder_get_ref_for_node(target_proc, node); 1499 if (ref == NULL) { 1500 return_error = BR_FAILED_REPLY; 1501 goto err_binder_get_ref_for_node_failed; 1502 } 1503 if (fp->type == BINDER_TYPE_BINDER) 1504 fp->type = BINDER_TYPE_HANDLE; 1505 else 1506 fp->type = BINDER_TYPE_WEAK_HANDLE; 1507 fp->handle = ref->desc; 1508 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, &thread->todo); 1509 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1510 printk(KERN_INFO " node %d u%p -> ref %d desc %d\n", 1511 node->debug_id, node->ptr, ref->debug_id, ref->desc); 1512 } break; 1513 case BINDER_TYPE_HANDLE: 1514 case BINDER_TYPE_WEAK_HANDLE: { 1515 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1516 if (ref == NULL) { 1517 binder_user_error("binder: %d:%d got " 1518 "transaction with invalid " 1519 "handle, %ld\n", proc->pid, 1520 thread->pid, fp->handle); 1521 return_error = BR_FAILED_REPLY; 1522 goto err_binder_get_ref_failed; 1523 } 1524 if (ref->node->proc == target_proc) { 1525 if (fp->type == BINDER_TYPE_HANDLE) 1526 fp->type = BINDER_TYPE_BINDER; 1527 else 1528 fp->type = BINDER_TYPE_WEAK_BINDER; 1529 fp->binder = ref->node->ptr; 1530 fp->cookie = ref->node->cookie; 1531 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1532 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1533 printk(KERN_INFO " ref %d desc %d -> node %d u%p\n", 1534 ref->debug_id, ref->desc, ref->node->debug_id, ref->node->ptr); 1535 } else { 1536 struct binder_ref *new_ref; 1537 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1538 if (new_ref == NULL) { 1539 return_error = BR_FAILED_REPLY; 1540 goto err_binder_get_ref_for_node_failed; 1541 } 1542 fp->handle = new_ref->desc; 1543 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1544 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1545 printk(KERN_INFO " ref %d desc %d -> ref %d desc %d (node %d)\n", 1546 ref->debug_id, ref->desc, new_ref->debug_id, new_ref->desc, ref->node->debug_id); 1547 } 1548 } break; 1549 1550 case BINDER_TYPE_FD: { 1551 int target_fd; 1552 struct file *file; 1553 1554 if (reply) { 1555 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1556 binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1557 proc->pid, thread->pid, fp->handle); 1558 return_error = BR_FAILED_REPLY; 1559 goto err_fd_not_allowed; 1560 } 1561 } else if (!target_node->accept_fds) { 1562 binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1563 proc->pid, thread->pid, fp->handle); 1564 return_error = BR_FAILED_REPLY; 1565 goto err_fd_not_allowed; 1566 } 1567 1568 file = fget(fp->handle); 1569 if (file == NULL) { 1570 binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1571 proc->pid, thread->pid, fp->handle); 1572 return_error = BR_FAILED_REPLY; 1573 goto err_fget_failed; 1574 } 1575 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 1576 if (target_fd < 0) { 1577 fput(file); 1578 return_error = BR_FAILED_REPLY; 1579 goto err_get_unused_fd_failed; 1580 } 1581 task_fd_install(target_proc, target_fd, file); 1582 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1583 printk(KERN_INFO " fd %ld -> %d\n", fp->handle, target_fd); 1584 /* TODO: fput? */ 1585 fp->handle = target_fd; 1586 } break; 1587 1588 default: 1589 binder_user_error("binder: %d:%d got transactio" 1590 "n with invalid object type, %lx\n", 1591 proc->pid, thread->pid, fp->type); 1592 return_error = BR_FAILED_REPLY; 1593 goto err_bad_object_type; 1594 } 1595 } 1596 if (reply) { 1597 BUG_ON(t->buffer->async_transaction != 0); 1598 binder_pop_transaction(target_thread, in_reply_to); 1599 } else if (!(t->flags & TF_ONE_WAY)) { 1600 BUG_ON(t->buffer->async_transaction != 0); 1601 t->need_reply = 1; 1602 t->from_parent = thread->transaction_stack; 1603 thread->transaction_stack = t; 1604 } else { 1605 BUG_ON(target_node == NULL); 1606 BUG_ON(t->buffer->async_transaction != 1); 1607 if (target_node->has_async_transaction) { 1608 target_list = &target_node->async_todo; 1609 target_wait = NULL; 1610 } else 1611 target_node->has_async_transaction = 1; 1612 } 1613 t->work.type = BINDER_WORK_TRANSACTION; 1614 list_add_tail(&t->work.entry, target_list); 1615 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1616 list_add_tail(&tcomplete->entry, &thread->todo); 1617 if (target_wait) 1618 wake_up_interruptible(target_wait); 1619 return; 1620 1621err_get_unused_fd_failed: 1622err_fget_failed: 1623err_fd_not_allowed: 1624err_binder_get_ref_for_node_failed: 1625err_binder_get_ref_failed: 1626err_binder_new_node_failed: 1627err_bad_object_type: 1628err_bad_offset: 1629err_copy_data_failed: 1630 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1631 t->buffer->transaction = NULL; 1632 binder_free_buf(target_proc, t->buffer); 1633err_binder_alloc_buf_failed: 1634 kfree(tcomplete); 1635 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 1636err_alloc_tcomplete_failed: 1637 kfree(t); 1638 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1639err_alloc_t_failed: 1640err_bad_call_stack: 1641err_empty_call_stack: 1642err_dead_binder: 1643err_invalid_target_handle: 1644err_no_context_mgr_node: 1645 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1646 printk(KERN_INFO "binder: %d:%d transaction failed %d, size" 1647 "%zd-%zd\n", 1648 proc->pid, thread->pid, return_error, 1649 tr->data_size, tr->offsets_size); 1650 1651 { 1652 struct binder_transaction_log_entry *fe; 1653 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1654 *fe = *e; 1655 } 1656 1657 BUG_ON(thread->return_error != BR_OK); 1658 if (in_reply_to) { 1659 thread->return_error = BR_TRANSACTION_COMPLETE; 1660 binder_send_failed_reply(in_reply_to, return_error); 1661 } else 1662 thread->return_error = return_error; 1663} 1664 1665static void binder_transaction_buffer_release(struct binder_proc *proc, 1666 struct binder_buffer *buffer, 1667 size_t *failed_at) 1668{ 1669 size_t *offp, *off_end; 1670 int debug_id = buffer->debug_id; 1671 1672 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1673 printk(KERN_INFO "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1674 proc->pid, buffer->debug_id, 1675 buffer->data_size, buffer->offsets_size, failed_at); 1676 1677 if (buffer->target_node) 1678 binder_dec_node(buffer->target_node, 1, 0); 1679 1680 offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1681 if (failed_at) 1682 off_end = failed_at; 1683 else 1684 off_end = (void *)offp + buffer->offsets_size; 1685 for (; offp < off_end; offp++) { 1686 struct flat_binder_object *fp; 1687 if (*offp > buffer->data_size - sizeof(*fp) || 1688 buffer->data_size < sizeof(*fp) || 1689 !IS_ALIGNED(*offp, sizeof(void *))) { 1690 printk(KERN_ERR "binder: transaction release %d bad" 1691 "offset %zd, size %zd\n", debug_id, *offp, buffer->data_size); 1692 continue; 1693 } 1694 fp = (struct flat_binder_object *)(buffer->data + *offp); 1695 switch (fp->type) { 1696 case BINDER_TYPE_BINDER: 1697 case BINDER_TYPE_WEAK_BINDER: { 1698 struct binder_node *node = binder_get_node(proc, fp->binder); 1699 if (node == NULL) { 1700 printk(KERN_ERR "binder: transaction release %d bad node %p\n", debug_id, fp->binder); 1701 break; 1702 } 1703 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1704 printk(KERN_INFO " node %d u%p\n", 1705 node->debug_id, node->ptr); 1706 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1707 } break; 1708 case BINDER_TYPE_HANDLE: 1709 case BINDER_TYPE_WEAK_HANDLE: { 1710 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1711 if (ref == NULL) { 1712 printk(KERN_ERR "binder: transaction release %d bad handle %ld\n", debug_id, fp->handle); 1713 break; 1714 } 1715 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1716 printk(KERN_INFO " ref %d desc %d (node %d)\n", 1717 ref->debug_id, ref->desc, ref->node->debug_id); 1718 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1719 } break; 1720 1721 case BINDER_TYPE_FD: 1722 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1723 printk(KERN_INFO " fd %ld\n", fp->handle); 1724 if (failed_at) 1725 task_close_fd(proc, fp->handle); 1726 break; 1727 1728 default: 1729 printk(KERN_ERR "binder: transaction release %d bad object type %lx\n", debug_id, fp->type); 1730 break; 1731 } 1732 } 1733} 1734 1735int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1736 void __user *buffer, int size, signed long *consumed) 1737{ 1738 uint32_t cmd; 1739 void __user *ptr = buffer + *consumed; 1740 void __user *end = buffer + size; 1741 1742 while (ptr < end && thread->return_error == BR_OK) { 1743 if (get_user(cmd, (uint32_t __user *)ptr)) 1744 return -EFAULT; 1745 ptr += sizeof(uint32_t); 1746 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1747 binder_stats.bc[_IOC_NR(cmd)]++; 1748 proc->stats.bc[_IOC_NR(cmd)]++; 1749 thread->stats.bc[_IOC_NR(cmd)]++; 1750 } 1751 switch (cmd) { 1752 case BC_INCREFS: 1753 case BC_ACQUIRE: 1754 case BC_RELEASE: 1755 case BC_DECREFS: { 1756 uint32_t target; 1757 struct binder_ref *ref; 1758 const char *debug_string; 1759 1760 if (get_user(target, (uint32_t __user *)ptr)) 1761 return -EFAULT; 1762 ptr += sizeof(uint32_t); 1763 if (target == 0 && binder_context_mgr_node && 1764 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1765 ref = binder_get_ref_for_node(proc, 1766 binder_context_mgr_node); 1767 if (ref->desc != target) { 1768 binder_user_error("binder: %d:" 1769 "%d tried to acquire " 1770 "reference to desc 0, " 1771 "got %d instead\n", 1772 proc->pid, thread->pid, 1773 ref->desc); 1774 } 1775 } else 1776 ref = binder_get_ref(proc, target); 1777 if (ref == NULL) { 1778 binder_user_error("binder: %d:%d refcou" 1779 "nt change on invalid ref %d\n", 1780 proc->pid, thread->pid, target); 1781 break; 1782 } 1783 switch (cmd) { 1784 case BC_INCREFS: 1785 debug_string = "IncRefs"; 1786 binder_inc_ref(ref, 0, NULL); 1787 break; 1788 case BC_ACQUIRE: 1789 debug_string = "Acquire"; 1790 binder_inc_ref(ref, 1, NULL); 1791 break; 1792 case BC_RELEASE: 1793 debug_string = "Release"; 1794 binder_dec_ref(ref, 1); 1795 break; 1796 case BC_DECREFS: 1797 default: 1798 debug_string = "DecRefs"; 1799 binder_dec_ref(ref, 0); 1800 break; 1801 } 1802 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 1803 printk(KERN_INFO "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1804 proc->pid, thread->pid, debug_string, ref->debug_id, ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1805 break; 1806 } 1807 case BC_INCREFS_DONE: 1808 case BC_ACQUIRE_DONE: { 1809 void __user *node_ptr; 1810 void *cookie; 1811 struct binder_node *node; 1812 1813 if (get_user(node_ptr, (void * __user *)ptr)) 1814 return -EFAULT; 1815 ptr += sizeof(void *); 1816 if (get_user(cookie, (void * __user *)ptr)) 1817 return -EFAULT; 1818 ptr += sizeof(void *); 1819 node = binder_get_node(proc, node_ptr); 1820 if (node == NULL) { 1821 binder_user_error("binder: %d:%d " 1822 "%s u%p no match\n", 1823 proc->pid, thread->pid, 1824 cmd == BC_INCREFS_DONE ? 1825 "BC_INCREFS_DONE" : 1826 "BC_ACQUIRE_DONE", 1827 node_ptr); 1828 break; 1829 } 1830 if (cookie != node->cookie) { 1831 binder_user_error("binder: %d:%d %s u%p node %d" 1832 " cookie mismatch %p != %p\n", 1833 proc->pid, thread->pid, 1834 cmd == BC_INCREFS_DONE ? 1835 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1836 node_ptr, node->debug_id, 1837 cookie, node->cookie); 1838 break; 1839 } 1840 if (cmd == BC_ACQUIRE_DONE) { 1841 if (node->pending_strong_ref == 0) { 1842 binder_user_error("binder: %d:%d " 1843 "BC_ACQUIRE_DONE node %d has " 1844 "no pending acquire request\n", 1845 proc->pid, thread->pid, 1846 node->debug_id); 1847 break; 1848 } 1849 node->pending_strong_ref = 0; 1850 } else { 1851 if (node->pending_weak_ref == 0) { 1852 binder_user_error("binder: %d:%d " 1853 "BC_INCREFS_DONE node %d has " 1854 "no pending increfs request\n", 1855 proc->pid, thread->pid, 1856 node->debug_id); 1857 break; 1858 } 1859 node->pending_weak_ref = 0; 1860 } 1861 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1862 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 1863 printk(KERN_INFO "binder: %d:%d %s node %d ls %d lw %d\n", 1864 proc->pid, thread->pid, cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", node->debug_id, node->local_strong_refs, node->local_weak_refs); 1865 break; 1866 } 1867 case BC_ATTEMPT_ACQUIRE: 1868 printk(KERN_ERR "binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1869 return -EINVAL; 1870 case BC_ACQUIRE_RESULT: 1871 printk(KERN_ERR "binder: BC_ACQUIRE_RESULT not supported\n"); 1872 return -EINVAL; 1873 1874 case BC_FREE_BUFFER: { 1875 void __user *data_ptr; 1876 struct binder_buffer *buffer; 1877 1878 if (get_user(data_ptr, (void * __user *)ptr)) 1879 return -EFAULT; 1880 ptr += sizeof(void *); 1881 1882 buffer = binder_buffer_lookup(proc, data_ptr); 1883 if (buffer == NULL) { 1884 binder_user_error("binder: %d:%d " 1885 "BC_FREE_BUFFER u%p no match\n", 1886 proc->pid, thread->pid, data_ptr); 1887 break; 1888 } 1889 if (!buffer->allow_user_free) { 1890 binder_user_error("binder: %d:%d " 1891 "BC_FREE_BUFFER u%p matched " 1892 "unreturned buffer\n", 1893 proc->pid, thread->pid, data_ptr); 1894 break; 1895 } 1896 if (binder_debug_mask & BINDER_DEBUG_FREE_BUFFER) 1897 printk(KERN_INFO "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1898 proc->pid, thread->pid, data_ptr, buffer->debug_id, 1899 buffer->transaction ? "active" : "finished"); 1900 1901 if (buffer->transaction) { 1902 buffer->transaction->buffer = NULL; 1903 buffer->transaction = NULL; 1904 } 1905 if (buffer->async_transaction && buffer->target_node) { 1906 BUG_ON(!buffer->target_node->has_async_transaction); 1907 if (list_empty(&buffer->target_node->async_todo)) 1908 buffer->target_node->has_async_transaction = 0; 1909 else 1910 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1911 } 1912 binder_transaction_buffer_release(proc, buffer, NULL); 1913 binder_free_buf(proc, buffer); 1914 break; 1915 } 1916 1917 case BC_TRANSACTION: 1918 case BC_REPLY: { 1919 struct binder_transaction_data tr; 1920 1921 if (copy_from_user(&tr, ptr, sizeof(tr))) 1922 return -EFAULT; 1923 ptr += sizeof(tr); 1924 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1925 break; 1926 } 1927 1928 case BC_REGISTER_LOOPER: 1929 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1930 printk(KERN_INFO "binder: %d:%d BC_REGISTER_LOOPER\n", 1931 proc->pid, thread->pid); 1932 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1933 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1934 binder_user_error("binder: %d:%d ERROR:" 1935 " BC_REGISTER_LOOPER called " 1936 "after BC_ENTER_LOOPER\n", 1937 proc->pid, thread->pid); 1938 } else if (proc->requested_threads == 0) { 1939 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1940 binder_user_error("binder: %d:%d ERROR:" 1941 " BC_REGISTER_LOOPER called " 1942 "without request\n", 1943 proc->pid, thread->pid); 1944 } else { 1945 proc->requested_threads--; 1946 proc->requested_threads_started++; 1947 } 1948 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 1949 break; 1950 case BC_ENTER_LOOPER: 1951 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1952 printk(KERN_INFO "binder: %d:%d BC_ENTER_LOOPER\n", 1953 proc->pid, thread->pid); 1954 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 1955 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1956 binder_user_error("binder: %d:%d ERROR:" 1957 " BC_ENTER_LOOPER called after " 1958 "BC_REGISTER_LOOPER\n", 1959 proc->pid, thread->pid); 1960 } 1961 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 1962 break; 1963 case BC_EXIT_LOOPER: 1964 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1965 printk(KERN_INFO "binder: %d:%d BC_EXIT_LOOPER\n", 1966 proc->pid, thread->pid); 1967 thread->looper |= BINDER_LOOPER_STATE_EXITED; 1968 break; 1969 1970 case BC_REQUEST_DEATH_NOTIFICATION: 1971 case BC_CLEAR_DEATH_NOTIFICATION: { 1972 uint32_t target; 1973 void __user *cookie; 1974 struct binder_ref *ref; 1975 struct binder_ref_death *death; 1976 1977 if (get_user(target, (uint32_t __user *)ptr)) 1978 return -EFAULT; 1979 ptr += sizeof(uint32_t); 1980 if (get_user(cookie, (void __user * __user *)ptr)) 1981 return -EFAULT; 1982 ptr += sizeof(void *); 1983 ref = binder_get_ref(proc, target); 1984 if (ref == NULL) { 1985 binder_user_error("binder: %d:%d %s " 1986 "invalid ref %d\n", 1987 proc->pid, thread->pid, 1988 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1989 "BC_REQUEST_DEATH_NOTIFICATION" : 1990 "BC_CLEAR_DEATH_NOTIFICATION", 1991 target); 1992 break; 1993 } 1994 1995 if (binder_debug_mask & BINDER_DEBUG_DEATH_NOTIFICATION) 1996 printk(KERN_INFO "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 1997 proc->pid, thread->pid, 1998 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1999 "BC_REQUEST_DEATH_NOTIFICATION" : 2000 "BC_CLEAR_DEATH_NOTIFICATION", 2001 cookie, ref->debug_id, ref->desc, 2002 ref->strong, ref->weak, ref->node->debug_id); 2003 2004 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 2005 if (ref->death) { 2006 binder_user_error("binder: %d:%" 2007 "d BC_REQUEST_DEATH_NOTI" 2008 "FICATION death notific" 2009 "ation already set\n", 2010 proc->pid, thread->pid); 2011 break; 2012 } 2013 death = kzalloc(sizeof(*death), GFP_KERNEL); 2014 if (death == NULL) { 2015 thread->return_error = BR_ERROR; 2016 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 2017 printk(KERN_INFO "binder: %d:%d " 2018 "BC_REQUEST_DEATH_NOTIFICATION failed\n", 2019 proc->pid, thread->pid); 2020 break; 2021 } 2022 binder_stats.obj_created[BINDER_STAT_DEATH]++; 2023 INIT_LIST_HEAD(&death->work.entry); 2024 death->cookie = cookie; 2025 ref->death = death; 2026 if (ref->node->proc == NULL) { 2027 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2028 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2029 list_add_tail(&ref->death->work.entry, &thread->todo); 2030 } else { 2031 list_add_tail(&ref->death->work.entry, &proc->todo); 2032 wake_up_interruptible(&proc->wait); 2033 } 2034 } 2035 } else { 2036 if (ref->death == NULL) { 2037 binder_user_error("binder: %d:%" 2038 "d BC_CLEAR_DEATH_NOTIFI" 2039 "CATION death notificat" 2040 "ion not active\n", 2041 proc->pid, thread->pid); 2042 break; 2043 } 2044 death = ref->death; 2045 if (death->cookie != cookie) { 2046 binder_user_error("binder: %d:%" 2047 "d BC_CLEAR_DEATH_NOTIFI" 2048 "CATION death notificat" 2049 "ion cookie mismatch " 2050 "%p != %p\n", 2051 proc->pid, thread->pid, 2052 death->cookie, cookie); 2053 break; 2054 } 2055 ref->death = NULL; 2056 if (list_empty(&death->work.entry)) { 2057 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2058 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2059 list_add_tail(&death->work.entry, &thread->todo); 2060 } else { 2061 list_add_tail(&death->work.entry, &proc->todo); 2062 wake_up_interruptible(&proc->wait); 2063 } 2064 } else { 2065 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2066 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2067 } 2068 } 2069 } break; 2070 case BC_DEAD_BINDER_DONE: { 2071 struct binder_work *w; 2072 void __user *cookie; 2073 struct binder_ref_death *death = NULL; 2074 if (get_user(cookie, (void __user * __user *)ptr)) 2075 return -EFAULT; 2076 2077 ptr += sizeof(void *); 2078 list_for_each_entry(w, &proc->delivered_death, entry) { 2079 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2080 if (tmp_death->cookie == cookie) { 2081 death = tmp_death; 2082 break; 2083 } 2084 } 2085 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2086 printk(KERN_INFO "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2087 proc->pid, thread->pid, cookie, death); 2088 if (death == NULL) { 2089 binder_user_error("binder: %d:%d BC_DEAD" 2090 "_BINDER_DONE %p not found\n", 2091 proc->pid, thread->pid, cookie); 2092 break; 2093 } 2094 2095 list_del_init(&death->work.entry); 2096 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2097 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2098 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2099 list_add_tail(&death->work.entry, &thread->todo); 2100 } else { 2101 list_add_tail(&death->work.entry, &proc->todo); 2102 wake_up_interruptible(&proc->wait); 2103 } 2104 } 2105 } break; 2106 2107 default: 2108 printk(KERN_ERR "binder: %d:%d unknown command %d\n", 2109 proc->pid, thread->pid, cmd); 2110 return -EINVAL; 2111 } 2112 *consumed = ptr - buffer; 2113 } 2114 return 0; 2115} 2116 2117void binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, 2118 uint32_t cmd) 2119{ 2120 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2121 binder_stats.br[_IOC_NR(cmd)]++; 2122 proc->stats.br[_IOC_NR(cmd)]++; 2123 thread->stats.br[_IOC_NR(cmd)]++; 2124 } 2125} 2126 2127static int binder_has_proc_work(struct binder_proc *proc, 2128 struct binder_thread *thread) 2129{ 2130 return !list_empty(&proc->todo) || 2131 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2132} 2133 2134static int binder_has_thread_work(struct binder_thread *thread) 2135{ 2136 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2137 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2138} 2139 2140static int binder_thread_read(struct binder_proc *proc, 2141 struct binder_thread *thread, 2142 void __user *buffer, int size, 2143 signed long *consumed, int non_block) 2144{ 2145 void __user *ptr = buffer + *consumed; 2146 void __user *end = buffer + size; 2147 2148 int ret = 0; 2149 int wait_for_proc_work; 2150 2151 if (*consumed == 0) { 2152 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2153 return -EFAULT; 2154 ptr += sizeof(uint32_t); 2155 } 2156 2157retry: 2158 wait_for_proc_work = thread->transaction_stack == NULL && 2159 list_empty(&thread->todo); 2160 2161 if (thread->return_error != BR_OK && ptr < end) { 2162 if (thread->return_error2 != BR_OK) { 2163 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2164 return -EFAULT; 2165 ptr += sizeof(uint32_t); 2166 if (ptr == end) 2167 goto done; 2168 thread->return_error2 = BR_OK; 2169 } 2170 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2171 return -EFAULT; 2172 ptr += sizeof(uint32_t); 2173 thread->return_error = BR_OK; 2174 goto done; 2175 } 2176 2177 2178 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2179 if (wait_for_proc_work) 2180 proc->ready_threads++; 2181 mutex_unlock(&binder_lock); 2182 if (wait_for_proc_work) { 2183 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2184 BINDER_LOOPER_STATE_ENTERED))) { 2185 binder_user_error("binder: %d:%d ERROR: Thread waiting " 2186 "for process work before calling BC_REGISTER_" 2187 "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2188 proc->pid, thread->pid, thread->looper); 2189 wait_event_interruptible(binder_user_error_wait, 2190 binder_stop_on_user_error < 2); 2191 } 2192 binder_set_nice(proc->default_priority); 2193 if (non_block) { 2194 if (!binder_has_proc_work(proc, thread)) 2195 ret = -EAGAIN; 2196 } else 2197 ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2198 } else { 2199 if (non_block) { 2200 if (!binder_has_thread_work(thread)) 2201 ret = -EAGAIN; 2202 } else 2203 ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2204 } 2205 mutex_lock(&binder_lock); 2206 if (wait_for_proc_work) 2207 proc->ready_threads--; 2208 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2209 2210 if (ret) 2211 return ret; 2212 2213 while (1) { 2214 uint32_t cmd; 2215 struct binder_transaction_data tr; 2216 struct binder_work *w; 2217 struct binder_transaction *t = NULL; 2218 2219 if (!list_empty(&thread->todo)) 2220 w = list_first_entry(&thread->todo, struct binder_work, entry); 2221 else if (!list_empty(&proc->todo) && wait_for_proc_work) 2222 w = list_first_entry(&proc->todo, struct binder_work, entry); 2223 else { 2224 if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2225 goto retry; 2226 break; 2227 } 2228 2229 if (end - ptr < sizeof(tr) + 4) 2230 break; 2231 2232 switch (w->type) { 2233 case BINDER_WORK_TRANSACTION: { 2234 t = container_of(w, struct binder_transaction, work); 2235 } break; 2236 case BINDER_WORK_TRANSACTION_COMPLETE: { 2237 cmd = BR_TRANSACTION_COMPLETE; 2238 if (put_user(cmd, (uint32_t __user *)ptr)) 2239 return -EFAULT; 2240 ptr += sizeof(uint32_t); 2241 2242 binder_stat_br(proc, thread, cmd); 2243 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION_COMPLETE) 2244 printk(KERN_INFO "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2245 proc->pid, thread->pid); 2246 2247 list_del(&w->entry); 2248 kfree(w); 2249 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2250 } break; 2251 case BINDER_WORK_NODE: { 2252 struct binder_node *node = container_of(w, struct binder_node, work); 2253 uint32_t cmd = BR_NOOP; 2254 const char *cmd_name; 2255 int strong = node->internal_strong_refs || node->local_strong_refs; 2256 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2257 if (weak && !node->has_weak_ref) { 2258 cmd = BR_INCREFS; 2259 cmd_name = "BR_INCREFS"; 2260 node->has_weak_ref = 1; 2261 node->pending_weak_ref = 1; 2262 node->local_weak_refs++; 2263 } else if (strong && !node->has_strong_ref) { 2264 cmd = BR_ACQUIRE; 2265 cmd_name = "BR_ACQUIRE"; 2266 node->has_strong_ref = 1; 2267 node->pending_strong_ref = 1; 2268 node->local_strong_refs++; 2269 } else if (!strong && node->has_strong_ref) { 2270 cmd = BR_RELEASE; 2271 cmd_name = "BR_RELEASE"; 2272 node->has_strong_ref = 0; 2273 } else if (!weak && node->has_weak_ref) { 2274 cmd = BR_DECREFS; 2275 cmd_name = "BR_DECREFS"; 2276 node->has_weak_ref = 0; 2277 } 2278 if (cmd != BR_NOOP) { 2279 if (put_user(cmd, (uint32_t __user *)ptr)) 2280 return -EFAULT; 2281 ptr += sizeof(uint32_t); 2282 if (put_user(node->ptr, (void * __user *)ptr)) 2283 return -EFAULT; 2284 ptr += sizeof(void *); 2285 if (put_user(node->cookie, (void * __user *)ptr)) 2286 return -EFAULT; 2287 ptr += sizeof(void *); 2288 2289 binder_stat_br(proc, thread, cmd); 2290 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 2291 printk(KERN_INFO "binder: %d:%d %s %d u%p c%p\n", 2292 proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2293 } else { 2294 list_del_init(&w->entry); 2295 if (!weak && !strong) { 2296 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 2297 printk(KERN_INFO "binder: %d:%d node %d u%p c%p deleted\n", 2298 proc->pid, thread->pid, node->debug_id, node->ptr, node->cookie); 2299 rb_erase(&node->rb_node, &proc->nodes); 2300 kfree(node); 2301 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2302 } else { 2303 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 2304 printk(KERN_INFO "binder: %d:%d node %d u%p c%p state unchanged\n", 2305 proc->pid, thread->pid, node->debug_id, node->ptr, node->cookie); 2306 } 2307 } 2308 } break; 2309 case BINDER_WORK_DEAD_BINDER: 2310 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2311 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2312 struct binder_ref_death *death; 2313 uint32_t cmd; 2314 2315 death = container_of(w, struct binder_ref_death, work); 2316 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2317 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2318 else 2319 cmd = BR_DEAD_BINDER; 2320 if (put_user(cmd, (uint32_t __user *)ptr)) 2321 return -EFAULT; 2322 ptr += sizeof(uint32_t); 2323 if (put_user(death->cookie, (void * __user *)ptr)) 2324 return -EFAULT; 2325 ptr += sizeof(void *); 2326 if (binder_debug_mask & BINDER_DEBUG_DEATH_NOTIFICATION) 2327 printk(KERN_INFO "binder: %d:%d %s %p\n", 2328 proc->pid, thread->pid, 2329 cmd == BR_DEAD_BINDER ? 2330 "BR_DEAD_BINDER" : 2331 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2332 death->cookie); 2333 2334 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2335 list_del(&w->entry); 2336 kfree(death); 2337 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 2338 } else 2339 list_move(&w->entry, &proc->delivered_death); 2340 if (cmd == BR_DEAD_BINDER) 2341 goto done; /* DEAD_BINDER notifications can cause transactions */ 2342 } break; 2343 } 2344 2345 if (!t) 2346 continue; 2347 2348 BUG_ON(t->buffer == NULL); 2349 if (t->buffer->target_node) { 2350 struct binder_node *target_node = t->buffer->target_node; 2351 tr.target.ptr = target_node->ptr; 2352 tr.cookie = target_node->cookie; 2353 t->saved_priority = task_nice(current); 2354 if (t->priority < target_node->min_priority && 2355 !(t->flags & TF_ONE_WAY)) 2356 binder_set_nice(t->priority); 2357 else if (!(t->flags & TF_ONE_WAY) || 2358 t->saved_priority > target_node->min_priority) 2359 binder_set_nice(target_node->min_priority); 2360 cmd = BR_TRANSACTION; 2361 } else { 2362 tr.target.ptr = NULL; 2363 tr.cookie = NULL; 2364 cmd = BR_REPLY; 2365 } 2366 tr.code = t->code; 2367 tr.flags = t->flags; 2368 tr.sender_euid = t->sender_euid; 2369 2370 if (t->from) { 2371 struct task_struct *sender = t->from->proc->tsk; 2372 tr.sender_pid = task_tgid_nr_ns(sender, 2373 current->nsproxy->pid_ns); 2374 } else { 2375 tr.sender_pid = 0; 2376 } 2377 2378 tr.data_size = t->buffer->data_size; 2379 tr.offsets_size = t->buffer->offsets_size; 2380 tr.data.ptr.buffer = (void *)t->buffer->data + 2381 proc->user_buffer_offset; 2382 tr.data.ptr.offsets = tr.data.ptr.buffer + 2383 ALIGN(t->buffer->data_size, 2384 sizeof(void *)); 2385 2386 if (put_user(cmd, (uint32_t __user *)ptr)) 2387 return -EFAULT; 2388 ptr += sizeof(uint32_t); 2389 if (copy_to_user(ptr, &tr, sizeof(tr))) 2390 return -EFAULT; 2391 ptr += sizeof(tr); 2392 2393 binder_stat_br(proc, thread, cmd); 2394 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 2395 printk(KERN_INFO "binder: %d:%d %s %d %d:%d, cmd %d" 2396 "size %zd-%zd ptr %p-%p\n", 2397 proc->pid, thread->pid, 2398 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : 2399 "BR_REPLY", 2400 t->debug_id, t->from ? t->from->proc->pid : 0, 2401 t->from ? t->from->pid : 0, cmd, 2402 t->buffer->data_size, t->buffer->offsets_size, 2403 tr.data.ptr.buffer, tr.data.ptr.offsets); 2404 2405 list_del(&t->work.entry); 2406 t->buffer->allow_user_free = 1; 2407 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2408 t->to_parent = thread->transaction_stack; 2409 t->to_thread = thread; 2410 thread->transaction_stack = t; 2411 } else { 2412 t->buffer->transaction = NULL; 2413 kfree(t); 2414 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 2415 } 2416 break; 2417 } 2418 2419done: 2420 2421 *consumed = ptr - buffer; 2422 if (proc->requested_threads + proc->ready_threads == 0 && 2423 proc->requested_threads_started < proc->max_threads && 2424 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2425 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2426 /*spawn a new thread if we leave this out */) { 2427 proc->requested_threads++; 2428 if (binder_debug_mask & BINDER_DEBUG_THREADS) 2429 printk(KERN_INFO "binder: %d:%d BR_SPAWN_LOOPER\n", 2430 proc->pid, thread->pid); 2431 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2432 return -EFAULT; 2433 } 2434 return 0; 2435} 2436 2437static void binder_release_work(struct list_head *list) 2438{ 2439 struct binder_work *w; 2440 while (!list_empty(list)) { 2441 w = list_first_entry(list, struct binder_work, entry); 2442 list_del_init(&w->entry); 2443 switch (w->type) { 2444 case BINDER_WORK_TRANSACTION: { 2445 struct binder_transaction *t; 2446 2447 t = container_of(w, struct binder_transaction, work); 2448 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2449 binder_send_failed_reply(t, BR_DEAD_REPLY); 2450 } break; 2451 case BINDER_WORK_TRANSACTION_COMPLETE: { 2452 kfree(w); 2453 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2454 } break; 2455 default: 2456 break; 2457 } 2458 } 2459 2460} 2461 2462static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2463{ 2464 struct binder_thread *thread = NULL; 2465 struct rb_node *parent = NULL; 2466 struct rb_node **p = &proc->threads.rb_node; 2467 2468 while (*p) { 2469 parent = *p; 2470 thread = rb_entry(parent, struct binder_thread, rb_node); 2471 2472 if (current->pid < thread->pid) 2473 p = &(*p)->rb_left; 2474 else if (current->pid > thread->pid) 2475 p = &(*p)->rb_right; 2476 else 2477 break; 2478 } 2479 if (*p == NULL) { 2480 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2481 if (thread == NULL) 2482 return NULL; 2483 binder_stats.obj_created[BINDER_STAT_THREAD]++; 2484 thread->proc = proc; 2485 thread->pid = current->pid; 2486 init_waitqueue_head(&thread->wait); 2487 INIT_LIST_HEAD(&thread->todo); 2488 rb_link_node(&thread->rb_node, parent, p); 2489 rb_insert_color(&thread->rb_node, &proc->threads); 2490 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2491 thread->return_error = BR_OK; 2492 thread->return_error2 = BR_OK; 2493 } 2494 return thread; 2495} 2496 2497static int binder_free_thread(struct binder_proc *proc, 2498 struct binder_thread *thread) 2499{ 2500 struct binder_transaction *t; 2501 struct binder_transaction *send_reply = NULL; 2502 int active_transactions = 0; 2503 2504 rb_erase(&thread->rb_node, &proc->threads); 2505 t = thread->transaction_stack; 2506 if (t && t->to_thread == thread) 2507 send_reply = t; 2508 while (t) { 2509 active_transactions++; 2510 if (binder_debug_mask & BINDER_DEBUG_DEAD_TRANSACTION) 2511 printk(KERN_INFO "binder: release %d:%d transaction %d " 2512 "%s, still active\n", proc->pid, thread->pid, 2513 t->debug_id, 2514 (t->to_thread == thread) ? "in" : "out"); 2515 if (t->to_thread == thread) { 2516 t->to_proc = NULL; 2517 t->to_thread = NULL; 2518 if (t->buffer) { 2519 t->buffer->transaction = NULL; 2520 t->buffer = NULL; 2521 } 2522 t = t->to_parent; 2523 } else if (t->from == thread) { 2524 t->from = NULL; 2525 t = t->from_parent; 2526 } else 2527 BUG(); 2528 } 2529 if (send_reply) 2530 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2531 binder_release_work(&thread->todo); 2532 kfree(thread); 2533 binder_stats.obj_deleted[BINDER_STAT_THREAD]++; 2534 return active_transactions; 2535} 2536 2537static unsigned int binder_poll(struct file *filp, 2538 struct poll_table_struct *wait) 2539{ 2540 struct binder_proc *proc = filp->private_data; 2541 struct binder_thread *thread = NULL; 2542 int wait_for_proc_work; 2543 2544 mutex_lock(&binder_lock); 2545 thread = binder_get_thread(proc); 2546 2547 wait_for_proc_work = thread->transaction_stack == NULL && 2548 list_empty(&thread->todo) && thread->return_error == BR_OK; 2549 mutex_unlock(&binder_lock); 2550 2551 if (wait_for_proc_work) { 2552 if (binder_has_proc_work(proc, thread)) 2553 return POLLIN; 2554 poll_wait(filp, &proc->wait, wait); 2555 if (binder_has_proc_work(proc, thread)) 2556 return POLLIN; 2557 } else { 2558 if (binder_has_thread_work(thread)) 2559 return POLLIN; 2560 poll_wait(filp, &thread->wait, wait); 2561 if (binder_has_thread_work(thread)) 2562 return POLLIN; 2563 } 2564 return 0; 2565} 2566 2567static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2568{ 2569 int ret; 2570 struct binder_proc *proc = filp->private_data; 2571 struct binder_thread *thread; 2572 unsigned int size = _IOC_SIZE(cmd); 2573 void __user *ubuf = (void __user *)arg; 2574 2575 /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2576 2577 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2578 if (ret) 2579 return ret; 2580 2581 mutex_lock(&binder_lock); 2582 thread = binder_get_thread(proc); 2583 if (thread == NULL) { 2584 ret = -ENOMEM; 2585 goto err; 2586 } 2587 2588 switch (cmd) { 2589 case BINDER_WRITE_READ: { 2590 struct binder_write_read bwr; 2591 if (size != sizeof(struct binder_write_read)) { 2592 ret = -EINVAL; 2593 goto err; 2594 } 2595 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2596 ret = -EFAULT; 2597 goto err; 2598 } 2599 if (binder_debug_mask & BINDER_DEBUG_READ_WRITE) 2600 printk(KERN_INFO "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2601 proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer); 2602 if (bwr.write_size > 0) { 2603 ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2604 if (ret < 0) { 2605 bwr.read_consumed = 0; 2606 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2607 ret = -EFAULT; 2608 goto err; 2609 } 2610 } 2611 if (bwr.read_size > 0) { 2612 ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2613 if (!list_empty(&proc->todo)) 2614 wake_up_interruptible(&proc->wait); 2615 if (ret < 0) { 2616 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2617 ret = -EFAULT; 2618 goto err; 2619 } 2620 } 2621 if (binder_debug_mask & BINDER_DEBUG_READ_WRITE) 2622 printk(KERN_INFO "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2623 proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size); 2624 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2625 ret = -EFAULT; 2626 goto err; 2627 } 2628 break; 2629 } 2630 case BINDER_SET_MAX_THREADS: 2631 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2632 ret = -EINVAL; 2633 goto err; 2634 } 2635 break; 2636 case BINDER_SET_CONTEXT_MGR: 2637 if (binder_context_mgr_node != NULL) { 2638 printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n"); 2639 ret = -EBUSY; 2640 goto err; 2641 } 2642 if (binder_context_mgr_uid != -1) { 2643 if (binder_context_mgr_uid != current->cred->euid) { 2644 printk(KERN_ERR "binder: BINDER_SET_" 2645 "CONTEXT_MGR bad uid %d != %d\n", 2646 current->cred->euid, 2647 binder_context_mgr_uid); 2648 ret = -EPERM; 2649 goto err; 2650 } 2651 } else 2652 binder_context_mgr_uid = current->cred->euid; 2653 binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2654 if (binder_context_mgr_node == NULL) { 2655 ret = -ENOMEM; 2656 goto err; 2657 } 2658 binder_context_mgr_node->local_weak_refs++; 2659 binder_context_mgr_node->local_strong_refs++; 2660 binder_context_mgr_node->has_strong_ref = 1; 2661 binder_context_mgr_node->has_weak_ref = 1; 2662 break; 2663 case BINDER_THREAD_EXIT: 2664 if (binder_debug_mask & BINDER_DEBUG_THREADS) 2665 printk(KERN_INFO "binder: %d:%d exit\n", 2666 proc->pid, thread->pid); 2667 binder_free_thread(proc, thread); 2668 thread = NULL; 2669 break; 2670 case BINDER_VERSION: 2671 if (size != sizeof(struct binder_version)) { 2672 ret = -EINVAL; 2673 goto err; 2674 } 2675 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2676 ret = -EINVAL; 2677 goto err; 2678 } 2679 break; 2680 default: 2681 ret = -EINVAL; 2682 goto err; 2683 } 2684 ret = 0; 2685err: 2686 if (thread) 2687 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2688 mutex_unlock(&binder_lock); 2689 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2690 if (ret && ret != -ERESTARTSYS) 2691 printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2692 return ret; 2693} 2694 2695static void binder_vma_open(struct vm_area_struct *vma) 2696{ 2697 struct binder_proc *proc = vma->vm_private_data; 2698 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2699 printk(KERN_INFO 2700 "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2701 proc->pid, vma->vm_start, vma->vm_end, 2702 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2703 (unsigned long)pgprot_val(vma->vm_page_prot)); 2704 dump_stack(); 2705} 2706 2707static void binder_vma_close(struct vm_area_struct *vma) 2708{ 2709 struct binder_proc *proc = vma->vm_private_data; 2710 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2711 printk(KERN_INFO 2712 "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2713 proc->pid, vma->vm_start, vma->vm_end, 2714 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2715 (unsigned long)pgprot_val(vma->vm_page_prot)); 2716 proc->vma = NULL; 2717 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2718} 2719 2720static struct vm_operations_struct binder_vm_ops = { 2721 .open = binder_vma_open, 2722 .close = binder_vma_close, 2723}; 2724 2725static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2726{ 2727 int ret; 2728 struct vm_struct *area; 2729 struct binder_proc *proc = filp->private_data; 2730 const char *failure_string; 2731 struct binder_buffer *buffer; 2732 2733 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2734 vma->vm_end = vma->vm_start + SZ_4M; 2735 2736 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2737 printk(KERN_INFO 2738 "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2739 proc->pid, vma->vm_start, vma->vm_end, 2740 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2741 (unsigned long)pgprot_val(vma->vm_page_prot)); 2742 2743 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2744 ret = -EPERM; 2745 failure_string = "bad vm_flags"; 2746 goto err_bad_arg; 2747 } 2748 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2749 2750 if (proc->buffer) { 2751 ret = -EBUSY; 2752 failure_string = "already mapped"; 2753 goto err_already_mapped; 2754 } 2755 2756 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2757 if (area == NULL) { 2758 ret = -ENOMEM; 2759 failure_string = "get_vm_area"; 2760 goto err_get_vm_area_failed; 2761 } 2762 proc->buffer = area->addr; 2763 proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; 2764 2765#ifdef CONFIG_CPU_CACHE_VIPT 2766 if (cache_is_vipt_aliasing()) { 2767 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2768 printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2769 vma->vm_start += PAGE_SIZE; 2770 } 2771 } 2772#endif 2773 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2774 if (proc->pages == NULL) { 2775 ret = -ENOMEM; 2776 failure_string = "alloc page array"; 2777 goto err_alloc_pages_failed; 2778 } 2779 proc->buffer_size = vma->vm_end - vma->vm_start; 2780 2781 vma->vm_ops = &binder_vm_ops; 2782 vma->vm_private_data = proc; 2783 2784 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2785 ret = -ENOMEM; 2786 failure_string = "alloc small buf"; 2787 goto err_alloc_small_buf_failed; 2788 } 2789 buffer = proc->buffer; 2790 INIT_LIST_HEAD(&proc->buffers); 2791 list_add(&buffer->entry, &proc->buffers); 2792 buffer->free = 1; 2793 binder_insert_free_buffer(proc, buffer); 2794 proc->free_async_space = proc->buffer_size / 2; 2795 barrier(); 2796 proc->files = get_files_struct(current); 2797 proc->vma = vma; 2798 2799 /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", 2800 proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2801 return 0; 2802 2803err_alloc_small_buf_failed: 2804 kfree(proc->pages); 2805 proc->pages = NULL; 2806err_alloc_pages_failed: 2807 vfree(proc->buffer); 2808 proc->buffer = NULL; 2809err_get_vm_area_failed: 2810err_already_mapped: 2811err_bad_arg: 2812 printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", 2813 proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2814 return ret; 2815} 2816 2817static int binder_open(struct inode *nodp, struct file *filp) 2818{ 2819 struct binder_proc *proc; 2820 2821 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2822 printk(KERN_INFO "binder_open: %d:%d\n", 2823 current->group_leader->pid, current->pid); 2824 2825 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2826 if (proc == NULL) 2827 return -ENOMEM; 2828 get_task_struct(current); 2829 proc->tsk = current; 2830 INIT_LIST_HEAD(&proc->todo); 2831 init_waitqueue_head(&proc->wait); 2832 proc->default_priority = task_nice(current); 2833 mutex_lock(&binder_lock); 2834 binder_stats.obj_created[BINDER_STAT_PROC]++; 2835 hlist_add_head(&proc->proc_node, &binder_procs); 2836 proc->pid = current->group_leader->pid; 2837 INIT_LIST_HEAD(&proc->delivered_death); 2838 filp->private_data = proc; 2839 mutex_unlock(&binder_lock); 2840 2841 if (binder_proc_dir_entry_proc) { 2842 char strbuf[11]; 2843 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2844 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2845 create_proc_read_entry(strbuf, S_IRUGO, 2846 binder_proc_dir_entry_proc, 2847 binder_read_proc_proc, proc); 2848 } 2849 2850 return 0; 2851} 2852 2853static int binder_flush(struct file *filp, fl_owner_t id) 2854{ 2855 struct binder_proc *proc = filp->private_data; 2856 2857 binder_defer_work(proc, BINDER_DEFERRED_FLUSH); 2858 2859 return 0; 2860} 2861 2862static void binder_deferred_flush(struct binder_proc *proc) 2863{ 2864 struct rb_node *n; 2865 int wake_count = 0; 2866 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2867 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2868 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2869 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2870 wake_up_interruptible(&thread->wait); 2871 wake_count++; 2872 } 2873 } 2874 wake_up_interruptible_all(&proc->wait); 2875 2876 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2877 printk(KERN_INFO "binder_flush: %d woke %d threads\n", proc->pid, wake_count); 2878} 2879 2880static int binder_release(struct inode *nodp, struct file *filp) 2881{ 2882 struct binder_proc *proc = filp->private_data; 2883 if (binder_proc_dir_entry_proc) { 2884 char strbuf[11]; 2885 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2886 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2887 } 2888 2889 binder_defer_work(proc, BINDER_DEFERRED_RELEASE); 2890 2891 return 0; 2892} 2893 2894static void binder_deferred_release(struct binder_proc *proc) 2895{ 2896 struct hlist_node *pos; 2897 struct binder_transaction *t; 2898 struct rb_node *n; 2899 int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2900 2901 BUG_ON(proc->vma); 2902 BUG_ON(proc->files); 2903 2904 hlist_del(&proc->proc_node); 2905 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2906 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2907 printk(KERN_INFO "binder_release: %d context_mgr_node gone\n", proc->pid); 2908 binder_context_mgr_node = NULL; 2909 } 2910 2911 threads = 0; 2912 active_transactions = 0; 2913 while ((n = rb_first(&proc->threads))) { 2914 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2915 threads++; 2916 active_transactions += binder_free_thread(proc, thread); 2917 } 2918 nodes = 0; 2919 incoming_refs = 0; 2920 while ((n = rb_first(&proc->nodes))) { 2921 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2922 2923 nodes++; 2924 rb_erase(&node->rb_node, &proc->nodes); 2925 list_del_init(&node->work.entry); 2926 if (hlist_empty(&node->refs)) { 2927 kfree(node); 2928 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2929 } else { 2930 struct binder_ref *ref; 2931 int death = 0; 2932 2933 node->proc = NULL; 2934 node->local_strong_refs = 0; 2935 node->local_weak_refs = 0; 2936 hlist_add_head(&node->dead_node, &binder_dead_nodes); 2937 2938 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 2939 incoming_refs++; 2940 if (ref->death) { 2941 death++; 2942 if (list_empty(&ref->death->work.entry)) { 2943 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2944 list_add_tail(&ref->death->work.entry, &ref->proc->todo); 2945 wake_up_interruptible(&ref->proc->wait); 2946 } else 2947 BUG(); 2948 } 2949 } 2950 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2951 printk(KERN_INFO "binder: node %d now dead, " 2952 "refs %d, death %d\n", node->debug_id, 2953 incoming_refs, death); 2954 } 2955 } 2956 outgoing_refs = 0; 2957 while ((n = rb_first(&proc->refs_by_desc))) { 2958 struct binder_ref *ref = rb_entry(n, struct binder_ref, 2959 rb_node_desc); 2960 outgoing_refs++; 2961 binder_delete_ref(ref); 2962 } 2963 binder_release_work(&proc->todo); 2964 buffers = 0; 2965 2966 while ((n = rb_first(&proc->allocated_buffers))) { 2967 struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, 2968 rb_node); 2969 t = buffer->transaction; 2970 if (t) { 2971 t->buffer = NULL; 2972 buffer->transaction = NULL; 2973 printk(KERN_ERR "binder: release proc %d, " 2974 "transaction %d, not freed\n", 2975 proc->pid, t->debug_id); 2976 /*BUG();*/ 2977 } 2978 binder_free_buf(proc, buffer); 2979 buffers++; 2980 } 2981 2982 binder_stats.obj_deleted[BINDER_STAT_PROC]++; 2983 2984 page_count = 0; 2985 if (proc->pages) { 2986 int i; 2987 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 2988 if (proc->pages[i]) { 2989 if (binder_debug_mask & 2990 BINDER_DEBUG_BUFFER_ALLOC) 2991 printk(KERN_INFO 2992 "binder_release: %d: " 2993 "page %d at %p not freed\n", 2994 proc->pid, i, 2995 proc->buffer + i * PAGE_SIZE); 2996 __free_page(proc->pages[i]); 2997 page_count++; 2998 } 2999 } 3000 kfree(proc->pages); 3001 vfree(proc->buffer); 3002 } 3003 3004 put_task_struct(proc->tsk); 3005 3006 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 3007 printk(KERN_INFO 3008 "binder_release: %d threads %d, nodes %d (ref %d), " 3009 "refs %d, active transactions %d, buffers %d, " 3010 "pages %d\n", 3011 proc->pid, threads, nodes, incoming_refs, outgoing_refs, 3012 active_transactions, buffers, page_count); 3013 3014 kfree(proc); 3015} 3016 3017static void binder_deferred_func(struct work_struct *work) 3018{ 3019 struct binder_proc *proc; 3020 struct files_struct *files; 3021 3022 int defer; 3023 do { 3024 mutex_lock(&binder_lock); 3025 mutex_lock(&binder_deferred_lock); 3026 if (!hlist_empty(&binder_deferred_list)) { 3027 proc = hlist_entry(binder_deferred_list.first, 3028 struct binder_proc, deferred_work_node); 3029 hlist_del_init(&proc->deferred_work_node); 3030 defer = proc->deferred_work; 3031 proc->deferred_work = 0; 3032 } else { 3033 proc = NULL; 3034 defer = 0; 3035 } 3036 mutex_unlock(&binder_deferred_lock); 3037 3038 files = NULL; 3039 if (defer & BINDER_DEFERRED_PUT_FILES) { 3040 files = proc->files; 3041 if (files) 3042 proc->files = NULL; 3043 } 3044 3045 if (defer & BINDER_DEFERRED_FLUSH) 3046 binder_deferred_flush(proc); 3047 3048 if (defer & BINDER_DEFERRED_RELEASE) 3049 binder_deferred_release(proc); /* frees proc */ 3050 3051 mutex_unlock(&binder_lock); 3052 if (files) 3053 put_files_struct(files); 3054 } while (proc); 3055} 3056static DECLARE_WORK(binder_deferred_work, binder_deferred_func); 3057 3058static void binder_defer_work(struct binder_proc *proc, int defer) 3059{ 3060 mutex_lock(&binder_deferred_lock); 3061 proc->deferred_work |= defer; 3062 if (hlist_unhashed(&proc->deferred_work_node)) { 3063 hlist_add_head(&proc->deferred_work_node, 3064 &binder_deferred_list); 3065 schedule_work(&binder_deferred_work); 3066 } 3067 mutex_unlock(&binder_deferred_lock); 3068} 3069 3070static char *print_binder_transaction(char *buf, char *end, const char *prefix, 3071 struct binder_transaction *t) 3072{ 3073 buf += snprintf(buf, end - buf, 3074 "%s %d: %p from %d:%d to %d:%d code %x " 3075 "flags %x pri %ld r%d", 3076 prefix, t->debug_id, t, 3077 t->from ? t->from->proc->pid : 0, 3078 t->from ? t->from->pid : 0, 3079 t->to_proc ? t->to_proc->pid : 0, 3080 t->to_thread ? t->to_thread->pid : 0, 3081 t->code, t->flags, t->priority, t->need_reply); 3082 if (buf >= end) 3083 return buf; 3084 if (t->buffer == NULL) { 3085 buf += snprintf(buf, end - buf, " buffer free\n"); 3086 return buf; 3087 } 3088 if (t->buffer->target_node) { 3089 buf += snprintf(buf, end - buf, " node %d", 3090 t->buffer->target_node->debug_id); 3091 if (buf >= end) 3092 return buf; 3093 } 3094 buf += snprintf(buf, end - buf, " size %zd:%zd data %p\n", 3095 t->buffer->data_size, t->buffer->offsets_size, 3096 t->buffer->data); 3097 return buf; 3098} 3099 3100static char *print_binder_buffer(char *buf, char *end, const char *prefix, 3101 struct binder_buffer *buffer) 3102{ 3103 buf += snprintf(buf, end - buf, "%s %d: %p size %zd:%zd %s\n", 3104 prefix, buffer->debug_id, buffer->data, 3105 buffer->data_size, buffer->offsets_size, 3106 buffer->transaction ? "active" : "delivered"); 3107 return buf; 3108} 3109 3110static char *print_binder_work(char *buf, char *end, const char *prefix, 3111 const char *transaction_prefix, 3112 struct binder_work *w) 3113{ 3114 struct binder_node *node; 3115 struct binder_transaction *t; 3116 3117 switch (w->type) { 3118 case BINDER_WORK_TRANSACTION: 3119 t = container_of(w, struct binder_transaction, work); 3120 buf = print_binder_transaction(buf, end, transaction_prefix, t); 3121 break; 3122 case BINDER_WORK_TRANSACTION_COMPLETE: 3123 buf += snprintf(buf, end - buf, 3124 "%stransaction complete\n", prefix); 3125 break; 3126 case BINDER_WORK_NODE: 3127 node = container_of(w, struct binder_node, work); 3128 buf += snprintf(buf, end - buf, "%snode work %d: u%p c%p\n", 3129 prefix, node->debug_id, node->ptr, 3130 node->cookie); 3131 break; 3132 case BINDER_WORK_DEAD_BINDER: 3133 buf += snprintf(buf, end - buf, "%shas dead binder\n", prefix); 3134 break; 3135 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 3136 buf += snprintf(buf, end - buf, 3137 "%shas cleared dead binder\n", prefix); 3138 break; 3139 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 3140 buf += snprintf(buf, end - buf, 3141 "%shas cleared death notification\n", prefix); 3142 break; 3143 default: 3144 buf += snprintf(buf, end - buf, "%sunknown work: type %d\n", 3145 prefix, w->type); 3146 break; 3147 } 3148 return buf; 3149} 3150 3151static char *print_binder_thread(char *buf, char *end, 3152 struct binder_thread *thread, 3153 int print_always) 3154{ 3155 struct binder_transaction *t; 3156 struct binder_work *w; 3157 char *start_buf = buf; 3158 char *header_buf; 3159 3160 buf += snprintf(buf, end - buf, " thread %d: l %02x\n", 3161 thread->pid, thread->looper); 3162 header_buf = buf; 3163 t = thread->transaction_stack; 3164 while (t) { 3165 if (buf >= end) 3166 break; 3167 if (t->from == thread) { 3168 buf = print_binder_transaction(buf, end, 3169 " outgoing transaction", t); 3170 t = t->from_parent; 3171 } else if (t->to_thread == thread) { 3172 buf = print_binder_transaction(buf, end, 3173 " incoming transaction", t); 3174 t = t->to_parent; 3175 } else { 3176 buf = print_binder_transaction(buf, end, 3177 " bad transaction", t); 3178 t = NULL; 3179 } 3180 } 3181 list_for_each_entry(w, &thread->todo, entry) { 3182 if (buf >= end) 3183 break; 3184 buf = print_binder_work(buf, end, " ", 3185 " pending transaction", w); 3186 } 3187 if (!print_always && buf == header_buf) 3188 buf = start_buf; 3189 return buf; 3190} 3191 3192static char *print_binder_node(char *buf, char *end, struct binder_node *node) 3193{ 3194 struct binder_ref *ref; 3195 struct hlist_node *pos; 3196 struct binder_work *w; 3197 int count; 3198 3199 count = 0; 3200 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3201 count++; 3202 3203 buf += snprintf(buf, end - buf, 3204 " node %d: u%p c%p hs %d hw %d ls %d lw %d " 3205 "is %d iw %d", 3206 node->debug_id, node->ptr, node->cookie, 3207 node->has_strong_ref, node->has_weak_ref, 3208 node->local_strong_refs, node->local_weak_refs, 3209 node->internal_strong_refs, count); 3210 if (buf >= end) 3211 return buf; 3212 if (count) { 3213 buf += snprintf(buf, end - buf, " proc"); 3214 if (buf >= end) 3215 return buf; 3216 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 3217 buf += snprintf(buf, end - buf, " %d", ref->proc->pid); 3218 if (buf >= end) 3219 return buf; 3220 } 3221 } 3222 buf += snprintf(buf, end - buf, "\n"); 3223 list_for_each_entry(w, &node->async_todo, entry) { 3224 if (buf >= end) 3225 break; 3226 buf = print_binder_work(buf, end, " ", 3227 " pending async transaction", w); 3228 } 3229 return buf; 3230} 3231 3232static char *print_binder_ref(char *buf, char *end, struct binder_ref *ref) 3233{ 3234 buf += snprintf(buf, end - buf, 3235 " ref %d: desc %d %snode %d s %d w %d d %p\n", 3236 ref->debug_id, ref->desc, 3237 ref->node->proc ? "" : "dead ", ref->node->debug_id, 3238 ref->strong, ref->weak, ref->death); 3239 return buf; 3240} 3241 3242static char *print_binder_proc(char *buf, char *end, 3243 struct binder_proc *proc, int print_all) 3244{ 3245 struct binder_work *w; 3246 struct rb_node *n; 3247 char *start_buf = buf; 3248 char *header_buf; 3249 3250 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3251 header_buf = buf; 3252 3253 for (n = rb_first(&proc->threads); 3254 n != NULL && buf < end; 3255 n = rb_next(n)) 3256 buf = print_binder_thread(buf, end, 3257 rb_entry(n, struct binder_thread, 3258 rb_node), print_all); 3259 for (n = rb_first(&proc->nodes); 3260 n != NULL && buf < end; 3261 n = rb_next(n)) { 3262 struct binder_node *node = rb_entry(n, struct binder_node, 3263 rb_node); 3264 if (print_all || node->has_async_transaction) 3265 buf = print_binder_node(buf, end, node); 3266 } 3267 if (print_all) { 3268 for (n = rb_first(&proc->refs_by_desc); 3269 n != NULL && buf < end; 3270 n = rb_next(n)) 3271 buf = print_binder_ref(buf, end, 3272 rb_entry(n, struct binder_ref, 3273 rb_node_desc)); 3274 } 3275 for (n = rb_first(&proc->allocated_buffers); 3276 n != NULL && buf < end; 3277 n = rb_next(n)) 3278 buf = print_binder_buffer(buf, end, " buffer", 3279 rb_entry(n, struct binder_buffer, 3280 rb_node)); 3281 list_for_each_entry(w, &proc->todo, entry) { 3282 if (buf >= end) 3283 break; 3284 buf = print_binder_work(buf, end, " ", 3285 " pending transaction", w); 3286 } 3287 list_for_each_entry(w, &proc->delivered_death, entry) { 3288 if (buf >= end) 3289 break; 3290 buf += snprintf(buf, end - buf, 3291 " has delivered dead binder\n"); 3292 break; 3293 } 3294 if (!print_all && buf == header_buf) 3295 buf = start_buf; 3296 return buf; 3297} 3298 3299static const char *binder_return_strings[] = { 3300 "BR_ERROR", 3301 "BR_OK", 3302 "BR_TRANSACTION", 3303 "BR_REPLY", 3304 "BR_ACQUIRE_RESULT", 3305 "BR_DEAD_REPLY", 3306 "BR_TRANSACTION_COMPLETE", 3307 "BR_INCREFS", 3308 "BR_ACQUIRE", 3309 "BR_RELEASE", 3310 "BR_DECREFS", 3311 "BR_ATTEMPT_ACQUIRE", 3312 "BR_NOOP", 3313 "BR_SPAWN_LOOPER", 3314 "BR_FINISHED", 3315 "BR_DEAD_BINDER", 3316 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3317 "BR_FAILED_REPLY" 3318}; 3319 3320static const char *binder_command_strings[] = { 3321 "BC_TRANSACTION", 3322 "BC_REPLY", 3323 "BC_ACQUIRE_RESULT", 3324 "BC_FREE_BUFFER", 3325 "BC_INCREFS", 3326 "BC_ACQUIRE", 3327 "BC_RELEASE", 3328 "BC_DECREFS", 3329 "BC_INCREFS_DONE", 3330 "BC_ACQUIRE_DONE", 3331 "BC_ATTEMPT_ACQUIRE", 3332 "BC_REGISTER_LOOPER", 3333 "BC_ENTER_LOOPER", 3334 "BC_EXIT_LOOPER", 3335 "BC_REQUEST_DEATH_NOTIFICATION", 3336 "BC_CLEAR_DEATH_NOTIFICATION", 3337 "BC_DEAD_BINDER_DONE" 3338}; 3339 3340static const char *binder_objstat_strings[] = { 3341 "proc", 3342 "thread", 3343 "node", 3344 "ref", 3345 "death", 3346 "transaction", 3347 "transaction_complete" 3348}; 3349 3350static char *print_binder_stats(char *buf, char *end, const char *prefix, 3351 struct binder_stats *stats) 3352{ 3353 int i; 3354 3355 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != 3356 ARRAY_SIZE(binder_command_strings)); 3357 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3358 if (stats->bc[i]) 3359 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3360 binder_command_strings[i], 3361 stats->bc[i]); 3362 if (buf >= end) 3363 return buf; 3364 } 3365 3366 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != 3367 ARRAY_SIZE(binder_return_strings)); 3368 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3369 if (stats->br[i]) 3370 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3371 binder_return_strings[i], stats->br[i]); 3372 if (buf >= end) 3373 return buf; 3374 } 3375 3376 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3377 ARRAY_SIZE(binder_objstat_strings)); 3378 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3379 ARRAY_SIZE(stats->obj_deleted)); 3380 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3381 if (stats->obj_created[i] || stats->obj_deleted[i]) 3382 buf += snprintf(buf, end - buf, 3383 "%s%s: active %d total %d\n", prefix, 3384 binder_objstat_strings[i], 3385 stats->obj_created[i] - 3386 stats->obj_deleted[i], 3387 stats->obj_created[i]); 3388 if (buf >= end) 3389 return buf; 3390 } 3391 return buf; 3392} 3393 3394static char *print_binder_proc_stats(char *buf, char *end, 3395 struct binder_proc *proc) 3396{ 3397 struct binder_work *w; 3398 struct rb_node *n; 3399 int count, strong, weak; 3400 3401 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3402 if (buf >= end) 3403 return buf; 3404 count = 0; 3405 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3406 count++; 3407 buf += snprintf(buf, end - buf, " threads: %d\n", count); 3408 if (buf >= end) 3409 return buf; 3410 buf += snprintf(buf, end - buf, " requested threads: %d+%d/%d\n" 3411 " ready threads %d\n" 3412 " free async space %zd\n", proc->requested_threads, 3413 proc->requested_threads_started, proc->max_threads, 3414 proc->ready_threads, proc->free_async_space); 3415 if (buf >= end) 3416 return buf; 3417 count = 0; 3418 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3419 count++; 3420 buf += snprintf(buf, end - buf, " nodes: %d\n", count); 3421 if (buf >= end) 3422 return buf; 3423 count = 0; 3424 strong = 0; 3425 weak = 0; 3426 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3427 struct binder_ref *ref = rb_entry(n, struct binder_ref, 3428 rb_node_desc); 3429 count++; 3430 strong += ref->strong; 3431 weak += ref->weak; 3432 } 3433 buf += snprintf(buf, end - buf, " refs: %d s %d w %d\n", 3434 count, strong, weak); 3435 if (buf >= end) 3436 return buf; 3437 3438 count = 0; 3439 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3440 count++; 3441 buf += snprintf(buf, end - buf, " buffers: %d\n", count); 3442 if (buf >= end) 3443 return buf; 3444 3445 count = 0; 3446 list_for_each_entry(w, &proc->todo, entry) { 3447 switch (w->type) { 3448 case BINDER_WORK_TRANSACTION: 3449 count++; 3450 break; 3451 default: 3452 break; 3453 } 3454 } 3455 buf += snprintf(buf, end - buf, " pending transactions: %d\n", count); 3456 if (buf >= end) 3457 return buf; 3458 3459 buf = print_binder_stats(buf, end, " ", &proc->stats); 3460 3461 return buf; 3462} 3463 3464 3465static int binder_read_proc_state(char *page, char **start, off_t off, 3466 int count, int *eof, void *data) 3467{ 3468 struct binder_proc *proc; 3469 struct hlist_node *pos; 3470 struct binder_node *node; 3471 int len = 0; 3472 char *buf = page; 3473 char *end = page + PAGE_SIZE; 3474 int do_lock = !binder_debug_no_lock; 3475 3476 if (off) 3477 return 0; 3478 3479 if (do_lock) 3480 mutex_lock(&binder_lock); 3481 3482 buf += snprintf(buf, end - buf, "binder state:\n"); 3483 3484 if (!hlist_empty(&binder_dead_nodes)) 3485 buf += snprintf(buf, end - buf, "dead nodes:\n"); 3486 hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) { 3487 if (buf >= end) 3488 break; 3489 buf = print_binder_node(buf, end, node); 3490 } 3491 3492 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3493 if (buf >= end) 3494 break; 3495 buf = print_binder_proc(buf, end, proc, 1); 3496 } 3497 if (do_lock) 3498 mutex_unlock(&binder_lock); 3499 if (buf > page + PAGE_SIZE) 3500 buf = page + PAGE_SIZE; 3501 3502 *start = page + off; 3503 3504 len = buf - page; 3505 if (len > off) 3506 len -= off; 3507 else 3508 len = 0; 3509 3510 return len < count ? len : count; 3511} 3512 3513static int binder_read_proc_stats(char *page, char **start, off_t off, 3514 int count, int *eof, void *data) 3515{ 3516 struct binder_proc *proc; 3517 struct hlist_node *pos; 3518 int len = 0; 3519 char *p = page; 3520 int do_lock = !binder_debug_no_lock; 3521 3522 if (off) 3523 return 0; 3524 3525 if (do_lock) 3526 mutex_lock(&binder_lock); 3527 3528 p += snprintf(p, PAGE_SIZE, "binder stats:\n"); 3529 3530 p = print_binder_stats(p, page + PAGE_SIZE, "", &binder_stats); 3531 3532 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3533 if (p >= page + PAGE_SIZE) 3534 break; 3535 p = print_binder_proc_stats(p, page + PAGE_SIZE, proc); 3536 } 3537 if (do_lock) 3538 mutex_unlock(&binder_lock); 3539 if (p > page + PAGE_SIZE) 3540 p = page + PAGE_SIZE; 3541 3542 *start = page + off; 3543 3544 len = p - page; 3545 if (len > off) 3546 len -= off; 3547 else 3548 len = 0; 3549 3550 return len < count ? len : count; 3551} 3552 3553static int binder_read_proc_transactions(char *page, char **start, off_t off, 3554 int count, int *eof, void *data) 3555{ 3556 struct binder_proc *proc; 3557 struct hlist_node *pos; 3558 int len = 0; 3559 char *buf = page; 3560 char *end = page + PAGE_SIZE; 3561 int do_lock = !binder_debug_no_lock; 3562 3563 if (off) 3564 return 0; 3565 3566 if (do_lock) 3567 mutex_lock(&binder_lock); 3568 3569 buf += snprintf(buf, end - buf, "binder transactions:\n"); 3570 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3571 if (buf >= end) 3572 break; 3573 buf = print_binder_proc(buf, end, proc, 0); 3574 } 3575 if (do_lock) 3576 mutex_unlock(&binder_lock); 3577 if (buf > page + PAGE_SIZE) 3578 buf = page + PAGE_SIZE; 3579 3580 *start = page + off; 3581 3582 len = buf - page; 3583 if (len > off) 3584 len -= off; 3585 else 3586 len = 0; 3587 3588 return len < count ? len : count; 3589} 3590 3591static int binder_read_proc_proc(char *page, char **start, off_t off, 3592 int count, int *eof, void *data) 3593{ 3594 struct binder_proc *proc = data; 3595 int len = 0; 3596 char *p = page; 3597 int do_lock = !binder_debug_no_lock; 3598 3599 if (off) 3600 return 0; 3601 3602 if (do_lock) 3603 mutex_lock(&binder_lock); 3604 p += snprintf(p, PAGE_SIZE, "binder proc state:\n"); 3605 p = print_binder_proc(p, page + PAGE_SIZE, proc, 1); 3606 if (do_lock) 3607 mutex_unlock(&binder_lock); 3608 3609 if (p > page + PAGE_SIZE) 3610 p = page + PAGE_SIZE; 3611 *start = page + off; 3612 3613 len = p - page; 3614 if (len > off) 3615 len -= off; 3616 else 3617 len = 0; 3618 3619 return len < count ? len : count; 3620} 3621 3622static char *print_binder_transaction_log_entry(char *buf, char *end, 3623 struct binder_transaction_log_entry *e) 3624{ 3625 buf += snprintf(buf, end - buf, 3626 "%d: %s from %d:%d to %d:%d node %d handle %d " 3627 "size %d:%d\n", 3628 e->debug_id, (e->call_type == 2) ? "reply" : 3629 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3630 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3631 e->target_handle, e->data_size, e->offsets_size); 3632 return buf; 3633} 3634 3635static int binder_read_proc_transaction_log( 3636 char *page, char **start, off_t off, int count, int *eof, void *data) 3637{ 3638 struct binder_transaction_log *log = data; 3639 int len = 0; 3640 int i; 3641 char *buf = page; 3642 char *end = page + PAGE_SIZE; 3643 3644 if (off) 3645 return 0; 3646 3647 if (log->full) { 3648 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) { 3649 if (buf >= end) 3650 break; 3651 buf = print_binder_transaction_log_entry(buf, end, 3652 &log->entry[i]); 3653 } 3654 } 3655 for (i = 0; i < log->next; i++) { 3656 if (buf >= end) 3657 break; 3658 buf = print_binder_transaction_log_entry(buf, end, 3659 &log->entry[i]); 3660 } 3661 3662 *start = page + off; 3663 3664 len = buf - page; 3665 if (len > off) 3666 len -= off; 3667 else 3668 len = 0; 3669 3670 return len < count ? len : count; 3671} 3672 3673static const struct file_operations binder_fops = { 3674 .owner = THIS_MODULE, 3675 .poll = binder_poll, 3676 .unlocked_ioctl = binder_ioctl, 3677 .mmap = binder_mmap, 3678 .open = binder_open, 3679 .flush = binder_flush, 3680 .release = binder_release, 3681}; 3682 3683static struct miscdevice binder_miscdev = { 3684 .minor = MISC_DYNAMIC_MINOR, 3685 .name = "binder", 3686 .fops = &binder_fops 3687}; 3688 3689static int __init binder_init(void) 3690{ 3691 int ret; 3692 3693 binder_proc_dir_entry_root = proc_mkdir("binder", NULL); 3694 if (binder_proc_dir_entry_root) 3695 binder_proc_dir_entry_proc = proc_mkdir("proc", 3696 binder_proc_dir_entry_root); 3697 ret = misc_register(&binder_miscdev); 3698 if (binder_proc_dir_entry_root) { 3699 create_proc_read_entry("state", 3700 S_IRUGO, 3701 binder_proc_dir_entry_root, 3702 binder_read_proc_state, 3703 NULL); 3704 create_proc_read_entry("stats", 3705 S_IRUGO, 3706 binder_proc_dir_entry_root, 3707 binder_read_proc_stats, 3708 NULL); 3709 create_proc_read_entry("transactions", 3710 S_IRUGO, 3711 binder_proc_dir_entry_root, 3712 binder_read_proc_transactions, 3713 NULL); 3714 create_proc_read_entry("transaction_log", 3715 S_IRUGO, 3716 binder_proc_dir_entry_root, 3717 binder_read_proc_transaction_log, 3718 &binder_transaction_log); 3719 create_proc_read_entry("failed_transaction_log", 3720 S_IRUGO, 3721 binder_proc_dir_entry_root, 3722 binder_read_proc_transaction_log, 3723 &binder_transaction_log_failed); 3724 } 3725 return ret; 3726} 3727 3728device_initcall(binder_init); 3729 3730MODULE_LICENSE("GPL v2"); 3731