binder.c revision 5249f4883045de494916db7b1a6d6e1e422e9a0b
1/* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18#include <asm/cacheflush.h> 19#include <linux/fdtable.h> 20#include <linux/file.h> 21#include <linux/fs.h> 22#include <linux/list.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/mutex.h> 27#include <linux/nsproxy.h> 28#include <linux/poll.h> 29#include <linux/proc_fs.h> 30#include <linux/rbtree.h> 31#include <linux/sched.h> 32#include <linux/seq_file.h> 33#include <linux/uaccess.h> 34#include <linux/vmalloc.h> 35#include <linux/slab.h> 36 37#include "binder.h" 38 39static DEFINE_MUTEX(binder_lock); 40static DEFINE_MUTEX(binder_deferred_lock); 41 42static HLIST_HEAD(binder_procs); 43static HLIST_HEAD(binder_deferred_list); 44static HLIST_HEAD(binder_dead_nodes); 45 46static struct proc_dir_entry *binder_proc_dir_entry_root; 47static struct proc_dir_entry *binder_proc_dir_entry_proc; 48static struct binder_node *binder_context_mgr_node; 49static uid_t binder_context_mgr_uid = -1; 50static int binder_last_id; 51 52#define BINDER_DEBUG_ENTRY(name) \ 53static int binder_##name##_open(struct inode *inode, struct file *file) \ 54{ \ 55 return single_open(file, binder_##name##_show, PDE(inode)->data); \ 56} \ 57\ 58static const struct file_operations binder_##name##_fops = { \ 59 .owner = THIS_MODULE, \ 60 .open = binder_##name##_open, \ 61 .read = seq_read, \ 62 .llseek = seq_lseek, \ 63 .release = single_release, \ 64} 65 66static int binder_proc_show(struct seq_file *m, void *unused); 67BINDER_DEBUG_ENTRY(proc); 68 69/* This is only defined in include/asm-arm/sizes.h */ 70#ifndef SZ_1K 71#define SZ_1K 0x400 72#endif 73 74#ifndef SZ_4M 75#define SZ_4M 0x400000 76#endif 77 78#define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 79 80#define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 81 82enum { 83 BINDER_DEBUG_USER_ERROR = 1U << 0, 84 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 85 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 86 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 87 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 88 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 89 BINDER_DEBUG_READ_WRITE = 1U << 6, 90 BINDER_DEBUG_USER_REFS = 1U << 7, 91 BINDER_DEBUG_THREADS = 1U << 8, 92 BINDER_DEBUG_TRANSACTION = 1U << 9, 93 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 94 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 95 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 96 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 97 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 98 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 99}; 100static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 101 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 102module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 103 104static int binder_debug_no_lock; 105module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 106 107static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 108static int binder_stop_on_user_error; 109 110static int binder_set_stop_on_user_error(const char *val, 111 struct kernel_param *kp) 112{ 113 int ret; 114 ret = param_set_int(val, kp); 115 if (binder_stop_on_user_error < 2) 116 wake_up(&binder_user_error_wait); 117 return ret; 118} 119module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 120 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 121 122#define binder_debug(mask, x...) \ 123 do { \ 124 if (binder_debug_mask & mask) \ 125 printk(KERN_INFO x); \ 126 } while (0) 127 128#define binder_user_error(x...) \ 129 do { \ 130 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 131 printk(KERN_INFO x); \ 132 if (binder_stop_on_user_error) \ 133 binder_stop_on_user_error = 2; \ 134 } while (0) 135 136enum binder_stat_types { 137 BINDER_STAT_PROC, 138 BINDER_STAT_THREAD, 139 BINDER_STAT_NODE, 140 BINDER_STAT_REF, 141 BINDER_STAT_DEATH, 142 BINDER_STAT_TRANSACTION, 143 BINDER_STAT_TRANSACTION_COMPLETE, 144 BINDER_STAT_COUNT 145}; 146 147struct binder_stats { 148 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 149 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 150 int obj_created[BINDER_STAT_COUNT]; 151 int obj_deleted[BINDER_STAT_COUNT]; 152}; 153 154static struct binder_stats binder_stats; 155 156static inline void binder_stats_deleted(enum binder_stat_types type) 157{ 158 binder_stats.obj_deleted[type]++; 159} 160 161static inline void binder_stats_created(enum binder_stat_types type) 162{ 163 binder_stats.obj_created[type]++; 164} 165 166struct binder_transaction_log_entry { 167 int debug_id; 168 int call_type; 169 int from_proc; 170 int from_thread; 171 int target_handle; 172 int to_proc; 173 int to_thread; 174 int to_node; 175 int data_size; 176 int offsets_size; 177}; 178struct binder_transaction_log { 179 int next; 180 int full; 181 struct binder_transaction_log_entry entry[32]; 182}; 183static struct binder_transaction_log binder_transaction_log; 184static struct binder_transaction_log binder_transaction_log_failed; 185 186static struct binder_transaction_log_entry *binder_transaction_log_add( 187 struct binder_transaction_log *log) 188{ 189 struct binder_transaction_log_entry *e; 190 e = &log->entry[log->next]; 191 memset(e, 0, sizeof(*e)); 192 log->next++; 193 if (log->next == ARRAY_SIZE(log->entry)) { 194 log->next = 0; 195 log->full = 1; 196 } 197 return e; 198} 199 200struct binder_work { 201 struct list_head entry; 202 enum { 203 BINDER_WORK_TRANSACTION = 1, 204 BINDER_WORK_TRANSACTION_COMPLETE, 205 BINDER_WORK_NODE, 206 BINDER_WORK_DEAD_BINDER, 207 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 208 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 209 } type; 210}; 211 212struct binder_node { 213 int debug_id; 214 struct binder_work work; 215 union { 216 struct rb_node rb_node; 217 struct hlist_node dead_node; 218 }; 219 struct binder_proc *proc; 220 struct hlist_head refs; 221 int internal_strong_refs; 222 int local_weak_refs; 223 int local_strong_refs; 224 void __user *ptr; 225 void __user *cookie; 226 unsigned has_strong_ref:1; 227 unsigned pending_strong_ref:1; 228 unsigned has_weak_ref:1; 229 unsigned pending_weak_ref:1; 230 unsigned has_async_transaction:1; 231 unsigned accept_fds:1; 232 unsigned min_priority:8; 233 struct list_head async_todo; 234}; 235 236struct binder_ref_death { 237 struct binder_work work; 238 void __user *cookie; 239}; 240 241struct binder_ref { 242 /* Lookups needed: */ 243 /* node + proc => ref (transaction) */ 244 /* desc + proc => ref (transaction, inc/dec ref) */ 245 /* node => refs + procs (proc exit) */ 246 int debug_id; 247 struct rb_node rb_node_desc; 248 struct rb_node rb_node_node; 249 struct hlist_node node_entry; 250 struct binder_proc *proc; 251 struct binder_node *node; 252 uint32_t desc; 253 int strong; 254 int weak; 255 struct binder_ref_death *death; 256}; 257 258struct binder_buffer { 259 struct list_head entry; /* free and allocated entries by addesss */ 260 struct rb_node rb_node; /* free entry by size or allocated entry */ 261 /* by address */ 262 unsigned free:1; 263 unsigned allow_user_free:1; 264 unsigned async_transaction:1; 265 unsigned debug_id:29; 266 267 struct binder_transaction *transaction; 268 269 struct binder_node *target_node; 270 size_t data_size; 271 size_t offsets_size; 272 uint8_t data[0]; 273}; 274 275enum binder_deferred_state { 276 BINDER_DEFERRED_PUT_FILES = 0x01, 277 BINDER_DEFERRED_FLUSH = 0x02, 278 BINDER_DEFERRED_RELEASE = 0x04, 279}; 280 281struct binder_proc { 282 struct hlist_node proc_node; 283 struct rb_root threads; 284 struct rb_root nodes; 285 struct rb_root refs_by_desc; 286 struct rb_root refs_by_node; 287 int pid; 288 struct vm_area_struct *vma; 289 struct task_struct *tsk; 290 struct files_struct *files; 291 struct hlist_node deferred_work_node; 292 int deferred_work; 293 void *buffer; 294 ptrdiff_t user_buffer_offset; 295 296 struct list_head buffers; 297 struct rb_root free_buffers; 298 struct rb_root allocated_buffers; 299 size_t free_async_space; 300 301 struct page **pages; 302 size_t buffer_size; 303 uint32_t buffer_free; 304 struct list_head todo; 305 wait_queue_head_t wait; 306 struct binder_stats stats; 307 struct list_head delivered_death; 308 int max_threads; 309 int requested_threads; 310 int requested_threads_started; 311 int ready_threads; 312 long default_priority; 313}; 314 315enum { 316 BINDER_LOOPER_STATE_REGISTERED = 0x01, 317 BINDER_LOOPER_STATE_ENTERED = 0x02, 318 BINDER_LOOPER_STATE_EXITED = 0x04, 319 BINDER_LOOPER_STATE_INVALID = 0x08, 320 BINDER_LOOPER_STATE_WAITING = 0x10, 321 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 322}; 323 324struct binder_thread { 325 struct binder_proc *proc; 326 struct rb_node rb_node; 327 int pid; 328 int looper; 329 struct binder_transaction *transaction_stack; 330 struct list_head todo; 331 uint32_t return_error; /* Write failed, return error code in read buf */ 332 uint32_t return_error2; /* Write failed, return error code in read */ 333 /* buffer. Used when sending a reply to a dead process that */ 334 /* we are also waiting on */ 335 wait_queue_head_t wait; 336 struct binder_stats stats; 337}; 338 339struct binder_transaction { 340 int debug_id; 341 struct binder_work work; 342 struct binder_thread *from; 343 struct binder_transaction *from_parent; 344 struct binder_proc *to_proc; 345 struct binder_thread *to_thread; 346 struct binder_transaction *to_parent; 347 unsigned need_reply:1; 348 /* unsigned is_dead:1; */ /* not used at the moment */ 349 350 struct binder_buffer *buffer; 351 unsigned int code; 352 unsigned int flags; 353 long priority; 354 long saved_priority; 355 uid_t sender_euid; 356}; 357 358static void 359binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer); 360 361/* 362 * copied from get_unused_fd_flags 363 */ 364int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 365{ 366 struct files_struct *files = proc->files; 367 int fd, error; 368 struct fdtable *fdt; 369 unsigned long rlim_cur; 370 unsigned long irqs; 371 372 if (files == NULL) 373 return -ESRCH; 374 375 error = -EMFILE; 376 spin_lock(&files->file_lock); 377 378repeat: 379 fdt = files_fdtable(files); 380 fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds, 381 files->next_fd); 382 383 /* 384 * N.B. For clone tasks sharing a files structure, this test 385 * will limit the total number of files that can be opened. 386 */ 387 rlim_cur = 0; 388 if (lock_task_sighand(proc->tsk, &irqs)) { 389 rlim_cur = proc->tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; 390 unlock_task_sighand(proc->tsk, &irqs); 391 } 392 if (fd >= rlim_cur) 393 goto out; 394 395 /* Do we need to expand the fd array or fd set? */ 396 error = expand_files(files, fd); 397 if (error < 0) 398 goto out; 399 400 if (error) { 401 /* 402 * If we needed to expand the fs array we 403 * might have blocked - try again. 404 */ 405 error = -EMFILE; 406 goto repeat; 407 } 408 409 FD_SET(fd, fdt->open_fds); 410 if (flags & O_CLOEXEC) 411 FD_SET(fd, fdt->close_on_exec); 412 else 413 FD_CLR(fd, fdt->close_on_exec); 414 files->next_fd = fd + 1; 415#if 1 416 /* Sanity check */ 417 if (fdt->fd[fd] != NULL) { 418 printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); 419 fdt->fd[fd] = NULL; 420 } 421#endif 422 error = fd; 423 424out: 425 spin_unlock(&files->file_lock); 426 return error; 427} 428 429/* 430 * copied from fd_install 431 */ 432static void task_fd_install( 433 struct binder_proc *proc, unsigned int fd, struct file *file) 434{ 435 struct files_struct *files = proc->files; 436 struct fdtable *fdt; 437 438 if (files == NULL) 439 return; 440 441 spin_lock(&files->file_lock); 442 fdt = files_fdtable(files); 443 BUG_ON(fdt->fd[fd] != NULL); 444 rcu_assign_pointer(fdt->fd[fd], file); 445 spin_unlock(&files->file_lock); 446} 447 448/* 449 * copied from __put_unused_fd in open.c 450 */ 451static void __put_unused_fd(struct files_struct *files, unsigned int fd) 452{ 453 struct fdtable *fdt = files_fdtable(files); 454 __FD_CLR(fd, fdt->open_fds); 455 if (fd < files->next_fd) 456 files->next_fd = fd; 457} 458 459/* 460 * copied from sys_close 461 */ 462static long task_close_fd(struct binder_proc *proc, unsigned int fd) 463{ 464 struct file *filp; 465 struct files_struct *files = proc->files; 466 struct fdtable *fdt; 467 int retval; 468 469 if (files == NULL) 470 return -ESRCH; 471 472 spin_lock(&files->file_lock); 473 fdt = files_fdtable(files); 474 if (fd >= fdt->max_fds) 475 goto out_unlock; 476 filp = fdt->fd[fd]; 477 if (!filp) 478 goto out_unlock; 479 rcu_assign_pointer(fdt->fd[fd], NULL); 480 FD_CLR(fd, fdt->close_on_exec); 481 __put_unused_fd(files, fd); 482 spin_unlock(&files->file_lock); 483 retval = filp_close(filp, files); 484 485 /* can't restart close syscall because file table entry was cleared */ 486 if (unlikely(retval == -ERESTARTSYS || 487 retval == -ERESTARTNOINTR || 488 retval == -ERESTARTNOHAND || 489 retval == -ERESTART_RESTARTBLOCK)) 490 retval = -EINTR; 491 492 return retval; 493 494out_unlock: 495 spin_unlock(&files->file_lock); 496 return -EBADF; 497} 498 499static void binder_set_nice(long nice) 500{ 501 long min_nice; 502 if (can_nice(current, nice)) { 503 set_user_nice(current, nice); 504 return; 505 } 506 min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 507 binder_debug(BINDER_DEBUG_PRIORITY_CAP, 508 "binder: %d: nice value %ld not allowed use " 509 "%ld instead\n", current->pid, nice, min_nice); 510 set_user_nice(current, min_nice); 511 if (min_nice < 20) 512 return; 513 binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 514} 515 516static size_t binder_buffer_size(struct binder_proc *proc, 517 struct binder_buffer *buffer) 518{ 519 if (list_is_last(&buffer->entry, &proc->buffers)) 520 return proc->buffer + proc->buffer_size - (void *)buffer->data; 521 else 522 return (size_t)list_entry(buffer->entry.next, 523 struct binder_buffer, entry) - (size_t)buffer->data; 524} 525 526static void binder_insert_free_buffer(struct binder_proc *proc, 527 struct binder_buffer *new_buffer) 528{ 529 struct rb_node **p = &proc->free_buffers.rb_node; 530 struct rb_node *parent = NULL; 531 struct binder_buffer *buffer; 532 size_t buffer_size; 533 size_t new_buffer_size; 534 535 BUG_ON(!new_buffer->free); 536 537 new_buffer_size = binder_buffer_size(proc, new_buffer); 538 539 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 540 "binder: %d: add free buffer, size %zd, " 541 "at %p\n", proc->pid, new_buffer_size, new_buffer); 542 543 while (*p) { 544 parent = *p; 545 buffer = rb_entry(parent, struct binder_buffer, rb_node); 546 BUG_ON(!buffer->free); 547 548 buffer_size = binder_buffer_size(proc, buffer); 549 550 if (new_buffer_size < buffer_size) 551 p = &parent->rb_left; 552 else 553 p = &parent->rb_right; 554 } 555 rb_link_node(&new_buffer->rb_node, parent, p); 556 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 557} 558 559static void binder_insert_allocated_buffer(struct binder_proc *proc, 560 struct binder_buffer *new_buffer) 561{ 562 struct rb_node **p = &proc->allocated_buffers.rb_node; 563 struct rb_node *parent = NULL; 564 struct binder_buffer *buffer; 565 566 BUG_ON(new_buffer->free); 567 568 while (*p) { 569 parent = *p; 570 buffer = rb_entry(parent, struct binder_buffer, rb_node); 571 BUG_ON(buffer->free); 572 573 if (new_buffer < buffer) 574 p = &parent->rb_left; 575 else if (new_buffer > buffer) 576 p = &parent->rb_right; 577 else 578 BUG(); 579 } 580 rb_link_node(&new_buffer->rb_node, parent, p); 581 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 582} 583 584static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc, 585 void __user *user_ptr) 586{ 587 struct rb_node *n = proc->allocated_buffers.rb_node; 588 struct binder_buffer *buffer; 589 struct binder_buffer *kern_ptr; 590 591 kern_ptr = user_ptr - proc->user_buffer_offset 592 - offsetof(struct binder_buffer, data); 593 594 while (n) { 595 buffer = rb_entry(n, struct binder_buffer, rb_node); 596 BUG_ON(buffer->free); 597 598 if (kern_ptr < buffer) 599 n = n->rb_left; 600 else if (kern_ptr > buffer) 601 n = n->rb_right; 602 else 603 return buffer; 604 } 605 return NULL; 606} 607 608static int binder_update_page_range(struct binder_proc *proc, int allocate, 609 void *start, void *end, 610 struct vm_area_struct *vma) 611{ 612 void *page_addr; 613 unsigned long user_page_addr; 614 struct vm_struct tmp_area; 615 struct page **page; 616 struct mm_struct *mm; 617 618 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 619 "binder: %d: %s pages %p-%p\n", proc->pid, 620 allocate ? "allocate" : "free", start, end); 621 622 if (end <= start) 623 return 0; 624 625 if (vma) 626 mm = NULL; 627 else 628 mm = get_task_mm(proc->tsk); 629 630 if (mm) { 631 down_write(&mm->mmap_sem); 632 vma = proc->vma; 633 } 634 635 if (allocate == 0) 636 goto free_range; 637 638 if (vma == NULL) { 639 printk(KERN_ERR "binder: %d: binder_alloc_buf failed to " 640 "map pages in userspace, no vma\n", proc->pid); 641 goto err_no_vma; 642 } 643 644 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 645 int ret; 646 struct page **page_array_ptr; 647 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 648 649 BUG_ON(*page); 650 *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 651 if (*page == NULL) { 652 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 653 "for page at %p\n", proc->pid, page_addr); 654 goto err_alloc_page_failed; 655 } 656 tmp_area.addr = page_addr; 657 tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 658 page_array_ptr = page; 659 ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 660 if (ret) { 661 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 662 "to map page at %p in kernel\n", 663 proc->pid, page_addr); 664 goto err_map_kernel_failed; 665 } 666 user_page_addr = 667 (uintptr_t)page_addr + proc->user_buffer_offset; 668 ret = vm_insert_page(vma, user_page_addr, page[0]); 669 if (ret) { 670 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 671 "to map page at %lx in userspace\n", 672 proc->pid, user_page_addr); 673 goto err_vm_insert_page_failed; 674 } 675 /* vm_insert_page does not seem to increment the refcount */ 676 } 677 if (mm) { 678 up_write(&mm->mmap_sem); 679 mmput(mm); 680 } 681 return 0; 682 683free_range: 684 for (page_addr = end - PAGE_SIZE; page_addr >= start; 685 page_addr -= PAGE_SIZE) { 686 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 687 if (vma) 688 zap_page_range(vma, (uintptr_t)page_addr + 689 proc->user_buffer_offset, PAGE_SIZE, NULL); 690err_vm_insert_page_failed: 691 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 692err_map_kernel_failed: 693 __free_page(*page); 694 *page = NULL; 695err_alloc_page_failed: 696 ; 697 } 698err_no_vma: 699 if (mm) { 700 up_write(&mm->mmap_sem); 701 mmput(mm); 702 } 703 return -ENOMEM; 704} 705 706static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 707 size_t data_size, 708 size_t offsets_size, int is_async) 709{ 710 struct rb_node *n = proc->free_buffers.rb_node; 711 struct binder_buffer *buffer; 712 size_t buffer_size; 713 struct rb_node *best_fit = NULL; 714 void *has_page_addr; 715 void *end_page_addr; 716 size_t size; 717 718 if (proc->vma == NULL) { 719 printk(KERN_ERR "binder: %d: binder_alloc_buf, no vma\n", 720 proc->pid); 721 return NULL; 722 } 723 724 size = ALIGN(data_size, sizeof(void *)) + 725 ALIGN(offsets_size, sizeof(void *)); 726 727 if (size < data_size || size < offsets_size) { 728 binder_user_error("binder: %d: got transaction with invalid " 729 "size %zd-%zd\n", proc->pid, data_size, offsets_size); 730 return NULL; 731 } 732 733 if (is_async && 734 proc->free_async_space < size + sizeof(struct binder_buffer)) { 735 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 736 "binder: %d: binder_alloc_buf size %zd" 737 "failed, no async space left\n", proc->pid, size); 738 return NULL; 739 } 740 741 while (n) { 742 buffer = rb_entry(n, struct binder_buffer, rb_node); 743 BUG_ON(!buffer->free); 744 buffer_size = binder_buffer_size(proc, buffer); 745 746 if (size < buffer_size) { 747 best_fit = n; 748 n = n->rb_left; 749 } else if (size > buffer_size) 750 n = n->rb_right; 751 else { 752 best_fit = n; 753 break; 754 } 755 } 756 if (best_fit == NULL) { 757 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd failed, " 758 "no address space\n", proc->pid, size); 759 return NULL; 760 } 761 if (n == NULL) { 762 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 763 buffer_size = binder_buffer_size(proc, buffer); 764 } 765 766 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 767 "binder: %d: binder_alloc_buf size %zd got buff" 768 "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 769 770 has_page_addr = 771 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 772 if (n == NULL) { 773 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 774 buffer_size = size; /* no room for other buffers */ 775 else 776 buffer_size = size + sizeof(struct binder_buffer); 777 } 778 end_page_addr = 779 (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); 780 if (end_page_addr > has_page_addr) 781 end_page_addr = has_page_addr; 782 if (binder_update_page_range(proc, 1, 783 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) 784 return NULL; 785 786 rb_erase(best_fit, &proc->free_buffers); 787 buffer->free = 0; 788 binder_insert_allocated_buffer(proc, buffer); 789 if (buffer_size != size) { 790 struct binder_buffer *new_buffer = (void *)buffer->data + size; 791 list_add(&new_buffer->entry, &buffer->entry); 792 new_buffer->free = 1; 793 binder_insert_free_buffer(proc, new_buffer); 794 } 795 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 796 "binder: %d: binder_alloc_buf size %zd got " 797 "%p\n", proc->pid, size, buffer); 798 buffer->data_size = data_size; 799 buffer->offsets_size = offsets_size; 800 buffer->async_transaction = is_async; 801 if (is_async) { 802 proc->free_async_space -= size + sizeof(struct binder_buffer); 803 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 804 "binder: %d: binder_alloc_buf size %zd " 805 "async free %zd\n", proc->pid, size, 806 proc->free_async_space); 807 } 808 809 return buffer; 810} 811 812static void *buffer_start_page(struct binder_buffer *buffer) 813{ 814 return (void *)((uintptr_t)buffer & PAGE_MASK); 815} 816 817static void *buffer_end_page(struct binder_buffer *buffer) 818{ 819 return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); 820} 821 822static void binder_delete_free_buffer(struct binder_proc *proc, 823 struct binder_buffer *buffer) 824{ 825 struct binder_buffer *prev, *next = NULL; 826 int free_page_end = 1; 827 int free_page_start = 1; 828 829 BUG_ON(proc->buffers.next == &buffer->entry); 830 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 831 BUG_ON(!prev->free); 832 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 833 free_page_start = 0; 834 if (buffer_end_page(prev) == buffer_end_page(buffer)) 835 free_page_end = 0; 836 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 837 "binder: %d: merge free, buffer %p " 838 "share page with %p\n", proc->pid, buffer, prev); 839 } 840 841 if (!list_is_last(&buffer->entry, &proc->buffers)) { 842 next = list_entry(buffer->entry.next, 843 struct binder_buffer, entry); 844 if (buffer_start_page(next) == buffer_end_page(buffer)) { 845 free_page_end = 0; 846 if (buffer_start_page(next) == 847 buffer_start_page(buffer)) 848 free_page_start = 0; 849 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 850 "binder: %d: merge free, buffer" 851 " %p share page with %p\n", proc->pid, 852 buffer, prev); 853 } 854 } 855 list_del(&buffer->entry); 856 if (free_page_start || free_page_end) { 857 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 858 "binder: %d: merge free, buffer %p do " 859 "not share page%s%s with with %p or %p\n", 860 proc->pid, buffer, free_page_start ? "" : " end", 861 free_page_end ? "" : " start", prev, next); 862 binder_update_page_range(proc, 0, free_page_start ? 863 buffer_start_page(buffer) : buffer_end_page(buffer), 864 (free_page_end ? buffer_end_page(buffer) : 865 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 866 } 867} 868 869static void binder_free_buf(struct binder_proc *proc, 870 struct binder_buffer *buffer) 871{ 872 size_t size, buffer_size; 873 874 buffer_size = binder_buffer_size(proc, buffer); 875 876 size = ALIGN(buffer->data_size, sizeof(void *)) + 877 ALIGN(buffer->offsets_size, sizeof(void *)); 878 879 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 880 "binder: %d: binder_free_buf %p size %zd buffer" 881 "_size %zd\n", proc->pid, buffer, size, buffer_size); 882 883 BUG_ON(buffer->free); 884 BUG_ON(size > buffer_size); 885 BUG_ON(buffer->transaction != NULL); 886 BUG_ON((void *)buffer < proc->buffer); 887 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 888 889 if (buffer->async_transaction) { 890 proc->free_async_space += size + sizeof(struct binder_buffer); 891 892 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 893 "binder: %d: binder_free_buf size %zd " 894 "async free %zd\n", proc->pid, size, 895 proc->free_async_space); 896 } 897 898 binder_update_page_range(proc, 0, 899 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 900 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), 901 NULL); 902 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 903 buffer->free = 1; 904 if (!list_is_last(&buffer->entry, &proc->buffers)) { 905 struct binder_buffer *next = list_entry(buffer->entry.next, 906 struct binder_buffer, entry); 907 if (next->free) { 908 rb_erase(&next->rb_node, &proc->free_buffers); 909 binder_delete_free_buffer(proc, next); 910 } 911 } 912 if (proc->buffers.next != &buffer->entry) { 913 struct binder_buffer *prev = list_entry(buffer->entry.prev, 914 struct binder_buffer, entry); 915 if (prev->free) { 916 binder_delete_free_buffer(proc, buffer); 917 rb_erase(&prev->rb_node, &proc->free_buffers); 918 buffer = prev; 919 } 920 } 921 binder_insert_free_buffer(proc, buffer); 922} 923 924static struct binder_node *binder_get_node(struct binder_proc *proc, 925 void __user *ptr) 926{ 927 struct rb_node *n = proc->nodes.rb_node; 928 struct binder_node *node; 929 930 while (n) { 931 node = rb_entry(n, struct binder_node, rb_node); 932 933 if (ptr < node->ptr) 934 n = n->rb_left; 935 else if (ptr > node->ptr) 936 n = n->rb_right; 937 else 938 return node; 939 } 940 return NULL; 941} 942 943static struct binder_node *binder_new_node(struct binder_proc *proc, 944 void __user *ptr, 945 void __user *cookie) 946{ 947 struct rb_node **p = &proc->nodes.rb_node; 948 struct rb_node *parent = NULL; 949 struct binder_node *node; 950 951 while (*p) { 952 parent = *p; 953 node = rb_entry(parent, struct binder_node, rb_node); 954 955 if (ptr < node->ptr) 956 p = &(*p)->rb_left; 957 else if (ptr > node->ptr) 958 p = &(*p)->rb_right; 959 else 960 return NULL; 961 } 962 963 node = kzalloc(sizeof(*node), GFP_KERNEL); 964 if (node == NULL) 965 return NULL; 966 binder_stats_created(BINDER_STAT_NODE); 967 rb_link_node(&node->rb_node, parent, p); 968 rb_insert_color(&node->rb_node, &proc->nodes); 969 node->debug_id = ++binder_last_id; 970 node->proc = proc; 971 node->ptr = ptr; 972 node->cookie = cookie; 973 node->work.type = BINDER_WORK_NODE; 974 INIT_LIST_HEAD(&node->work.entry); 975 INIT_LIST_HEAD(&node->async_todo); 976 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 977 "binder: %d:%d node %d u%p c%p created\n", 978 proc->pid, current->pid, node->debug_id, 979 node->ptr, node->cookie); 980 return node; 981} 982 983static int binder_inc_node(struct binder_node *node, int strong, int internal, 984 struct list_head *target_list) 985{ 986 if (strong) { 987 if (internal) { 988 if (target_list == NULL && 989 node->internal_strong_refs == 0 && 990 !(node == binder_context_mgr_node && 991 node->has_strong_ref)) { 992 printk(KERN_ERR "binder: invalid inc strong " 993 "node for %d\n", node->debug_id); 994 return -EINVAL; 995 } 996 node->internal_strong_refs++; 997 } else 998 node->local_strong_refs++; 999 if (!node->has_strong_ref && target_list) { 1000 list_del_init(&node->work.entry); 1001 list_add_tail(&node->work.entry, target_list); 1002 } 1003 } else { 1004 if (!internal) 1005 node->local_weak_refs++; 1006 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 1007 if (target_list == NULL) { 1008 printk(KERN_ERR "binder: invalid inc weak node " 1009 "for %d\n", node->debug_id); 1010 return -EINVAL; 1011 } 1012 list_add_tail(&node->work.entry, target_list); 1013 } 1014 } 1015 return 0; 1016} 1017 1018static int binder_dec_node(struct binder_node *node, int strong, int internal) 1019{ 1020 if (strong) { 1021 if (internal) 1022 node->internal_strong_refs--; 1023 else 1024 node->local_strong_refs--; 1025 if (node->local_strong_refs || node->internal_strong_refs) 1026 return 0; 1027 } else { 1028 if (!internal) 1029 node->local_weak_refs--; 1030 if (node->local_weak_refs || !hlist_empty(&node->refs)) 1031 return 0; 1032 } 1033 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 1034 if (list_empty(&node->work.entry)) { 1035 list_add_tail(&node->work.entry, &node->proc->todo); 1036 wake_up_interruptible(&node->proc->wait); 1037 } 1038 } else { 1039 if (hlist_empty(&node->refs) && !node->local_strong_refs && 1040 !node->local_weak_refs) { 1041 list_del_init(&node->work.entry); 1042 if (node->proc) { 1043 rb_erase(&node->rb_node, &node->proc->nodes); 1044 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1045 "binder: refless node %d deleted\n", 1046 node->debug_id); 1047 } else { 1048 hlist_del(&node->dead_node); 1049 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1050 "binder: dead node %d deleted\n", 1051 node->debug_id); 1052 } 1053 kfree(node); 1054 binder_stats_deleted(BINDER_STAT_NODE); 1055 } 1056 } 1057 1058 return 0; 1059} 1060 1061 1062static struct binder_ref *binder_get_ref(struct binder_proc *proc, 1063 uint32_t desc) 1064{ 1065 struct rb_node *n = proc->refs_by_desc.rb_node; 1066 struct binder_ref *ref; 1067 1068 while (n) { 1069 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1070 1071 if (desc < ref->desc) 1072 n = n->rb_left; 1073 else if (desc > ref->desc) 1074 n = n->rb_right; 1075 else 1076 return ref; 1077 } 1078 return NULL; 1079} 1080 1081static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc, 1082 struct binder_node *node) 1083{ 1084 struct rb_node *n; 1085 struct rb_node **p = &proc->refs_by_node.rb_node; 1086 struct rb_node *parent = NULL; 1087 struct binder_ref *ref, *new_ref; 1088 1089 while (*p) { 1090 parent = *p; 1091 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1092 1093 if (node < ref->node) 1094 p = &(*p)->rb_left; 1095 else if (node > ref->node) 1096 p = &(*p)->rb_right; 1097 else 1098 return ref; 1099 } 1100 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1101 if (new_ref == NULL) 1102 return NULL; 1103 binder_stats_created(BINDER_STAT_REF); 1104 new_ref->debug_id = ++binder_last_id; 1105 new_ref->proc = proc; 1106 new_ref->node = node; 1107 rb_link_node(&new_ref->rb_node_node, parent, p); 1108 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1109 1110 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1111 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1112 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1113 if (ref->desc > new_ref->desc) 1114 break; 1115 new_ref->desc = ref->desc + 1; 1116 } 1117 1118 p = &proc->refs_by_desc.rb_node; 1119 while (*p) { 1120 parent = *p; 1121 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1122 1123 if (new_ref->desc < ref->desc) 1124 p = &(*p)->rb_left; 1125 else if (new_ref->desc > ref->desc) 1126 p = &(*p)->rb_right; 1127 else 1128 BUG(); 1129 } 1130 rb_link_node(&new_ref->rb_node_desc, parent, p); 1131 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1132 if (node) { 1133 hlist_add_head(&new_ref->node_entry, &node->refs); 1134 1135 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1136 "binder: %d new ref %d desc %d for " 1137 "node %d\n", proc->pid, new_ref->debug_id, 1138 new_ref->desc, node->debug_id); 1139 } else { 1140 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1141 "binder: %d new ref %d desc %d for " 1142 "dead node\n", proc->pid, new_ref->debug_id, 1143 new_ref->desc); 1144 } 1145 return new_ref; 1146} 1147 1148static void binder_delete_ref(struct binder_ref *ref) 1149{ 1150 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1151 "binder: %d delete ref %d desc %d for " 1152 "node %d\n", ref->proc->pid, ref->debug_id, 1153 ref->desc, ref->node->debug_id); 1154 1155 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1156 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1157 if (ref->strong) 1158 binder_dec_node(ref->node, 1, 1); 1159 hlist_del(&ref->node_entry); 1160 binder_dec_node(ref->node, 0, 1); 1161 if (ref->death) { 1162 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1163 "binder: %d delete ref %d desc %d " 1164 "has death notification\n", ref->proc->pid, 1165 ref->debug_id, ref->desc); 1166 list_del(&ref->death->work.entry); 1167 kfree(ref->death); 1168 binder_stats_deleted(BINDER_STAT_DEATH); 1169 } 1170 kfree(ref); 1171 binder_stats_deleted(BINDER_STAT_REF); 1172} 1173 1174static int binder_inc_ref(struct binder_ref *ref, int strong, 1175 struct list_head *target_list) 1176{ 1177 int ret; 1178 if (strong) { 1179 if (ref->strong == 0) { 1180 ret = binder_inc_node(ref->node, 1, 1, target_list); 1181 if (ret) 1182 return ret; 1183 } 1184 ref->strong++; 1185 } else { 1186 if (ref->weak == 0) { 1187 ret = binder_inc_node(ref->node, 0, 1, target_list); 1188 if (ret) 1189 return ret; 1190 } 1191 ref->weak++; 1192 } 1193 return 0; 1194} 1195 1196 1197static int binder_dec_ref(struct binder_ref *ref, int strong) 1198{ 1199 if (strong) { 1200 if (ref->strong == 0) { 1201 binder_user_error("binder: %d invalid dec strong, " 1202 "ref %d desc %d s %d w %d\n", 1203 ref->proc->pid, ref->debug_id, 1204 ref->desc, ref->strong, ref->weak); 1205 return -EINVAL; 1206 } 1207 ref->strong--; 1208 if (ref->strong == 0) { 1209 int ret; 1210 ret = binder_dec_node(ref->node, strong, 1); 1211 if (ret) 1212 return ret; 1213 } 1214 } else { 1215 if (ref->weak == 0) { 1216 binder_user_error("binder: %d invalid dec weak, " 1217 "ref %d desc %d s %d w %d\n", 1218 ref->proc->pid, ref->debug_id, 1219 ref->desc, ref->strong, ref->weak); 1220 return -EINVAL; 1221 } 1222 ref->weak--; 1223 } 1224 if (ref->strong == 0 && ref->weak == 0) 1225 binder_delete_ref(ref); 1226 return 0; 1227} 1228 1229static void binder_pop_transaction(struct binder_thread *target_thread, 1230 struct binder_transaction *t) 1231{ 1232 if (target_thread) { 1233 BUG_ON(target_thread->transaction_stack != t); 1234 BUG_ON(target_thread->transaction_stack->from != target_thread); 1235 target_thread->transaction_stack = 1236 target_thread->transaction_stack->from_parent; 1237 t->from = NULL; 1238 } 1239 t->need_reply = 0; 1240 if (t->buffer) 1241 t->buffer->transaction = NULL; 1242 kfree(t); 1243 binder_stats_deleted(BINDER_STAT_TRANSACTION); 1244} 1245 1246static void binder_send_failed_reply(struct binder_transaction *t, 1247 uint32_t error_code) 1248{ 1249 struct binder_thread *target_thread; 1250 BUG_ON(t->flags & TF_ONE_WAY); 1251 while (1) { 1252 target_thread = t->from; 1253 if (target_thread) { 1254 if (target_thread->return_error != BR_OK && 1255 target_thread->return_error2 == BR_OK) { 1256 target_thread->return_error2 = 1257 target_thread->return_error; 1258 target_thread->return_error = BR_OK; 1259 } 1260 if (target_thread->return_error == BR_OK) { 1261 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1262 "binder: send failed reply for " 1263 "transaction %d to %d:%d\n", 1264 t->debug_id, target_thread->proc->pid, 1265 target_thread->pid); 1266 1267 binder_pop_transaction(target_thread, t); 1268 target_thread->return_error = error_code; 1269 wake_up_interruptible(&target_thread->wait); 1270 } else { 1271 printk(KERN_ERR "binder: reply failed, target " 1272 "thread, %d:%d, has error code %d " 1273 "already\n", target_thread->proc->pid, 1274 target_thread->pid, 1275 target_thread->return_error); 1276 } 1277 return; 1278 } else { 1279 struct binder_transaction *next = t->from_parent; 1280 1281 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1282 "binder: send failed reply " 1283 "for transaction %d, target dead\n", 1284 t->debug_id); 1285 1286 binder_pop_transaction(target_thread, t); 1287 if (next == NULL) { 1288 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1289 "binder: reply failed," 1290 " no target thread at root\n"); 1291 return; 1292 } 1293 t = next; 1294 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1295 "binder: reply failed, no target " 1296 "thread -- retry %d\n", t->debug_id); 1297 } 1298 } 1299} 1300 1301static void binder_transaction_buffer_release(struct binder_proc *proc, 1302 struct binder_buffer *buffer, 1303 size_t *failed_at) 1304{ 1305 size_t *offp, *off_end; 1306 int debug_id = buffer->debug_id; 1307 1308 binder_debug(BINDER_DEBUG_TRANSACTION, 1309 "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1310 proc->pid, buffer->debug_id, 1311 buffer->data_size, buffer->offsets_size, failed_at); 1312 1313 if (buffer->target_node) 1314 binder_dec_node(buffer->target_node, 1, 0); 1315 1316 offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1317 if (failed_at) 1318 off_end = failed_at; 1319 else 1320 off_end = (void *)offp + buffer->offsets_size; 1321 for (; offp < off_end; offp++) { 1322 struct flat_binder_object *fp; 1323 if (*offp > buffer->data_size - sizeof(*fp) || 1324 buffer->data_size < sizeof(*fp) || 1325 !IS_ALIGNED(*offp, sizeof(void *))) { 1326 printk(KERN_ERR "binder: transaction release %d bad" 1327 "offset %zd, size %zd\n", debug_id, 1328 *offp, buffer->data_size); 1329 continue; 1330 } 1331 fp = (struct flat_binder_object *)(buffer->data + *offp); 1332 switch (fp->type) { 1333 case BINDER_TYPE_BINDER: 1334 case BINDER_TYPE_WEAK_BINDER: { 1335 struct binder_node *node = binder_get_node(proc, fp->binder); 1336 if (node == NULL) { 1337 printk(KERN_ERR "binder: transaction release %d" 1338 " bad node %p\n", debug_id, fp->binder); 1339 break; 1340 } 1341 binder_debug(BINDER_DEBUG_TRANSACTION, 1342 " node %d u%p\n", 1343 node->debug_id, node->ptr); 1344 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1345 } break; 1346 case BINDER_TYPE_HANDLE: 1347 case BINDER_TYPE_WEAK_HANDLE: { 1348 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1349 if (ref == NULL) { 1350 printk(KERN_ERR "binder: transaction release %d" 1351 " bad handle %ld\n", debug_id, 1352 fp->handle); 1353 break; 1354 } 1355 binder_debug(BINDER_DEBUG_TRANSACTION, 1356 " ref %d desc %d (node %d)\n", 1357 ref->debug_id, ref->desc, ref->node->debug_id); 1358 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1359 } break; 1360 1361 case BINDER_TYPE_FD: 1362 binder_debug(BINDER_DEBUG_TRANSACTION, 1363 " fd %ld\n", fp->handle); 1364 if (failed_at) 1365 task_close_fd(proc, fp->handle); 1366 break; 1367 1368 default: 1369 printk(KERN_ERR "binder: transaction release %d bad " 1370 "object type %lx\n", debug_id, fp->type); 1371 break; 1372 } 1373 } 1374} 1375 1376static void binder_transaction(struct binder_proc *proc, 1377 struct binder_thread *thread, 1378 struct binder_transaction_data *tr, int reply) 1379{ 1380 struct binder_transaction *t; 1381 struct binder_work *tcomplete; 1382 size_t *offp, *off_end; 1383 struct binder_proc *target_proc; 1384 struct binder_thread *target_thread = NULL; 1385 struct binder_node *target_node = NULL; 1386 struct list_head *target_list; 1387 wait_queue_head_t *target_wait; 1388 struct binder_transaction *in_reply_to = NULL; 1389 struct binder_transaction_log_entry *e; 1390 uint32_t return_error; 1391 1392 e = binder_transaction_log_add(&binder_transaction_log); 1393 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1394 e->from_proc = proc->pid; 1395 e->from_thread = thread->pid; 1396 e->target_handle = tr->target.handle; 1397 e->data_size = tr->data_size; 1398 e->offsets_size = tr->offsets_size; 1399 1400 if (reply) { 1401 in_reply_to = thread->transaction_stack; 1402 if (in_reply_to == NULL) { 1403 binder_user_error("binder: %d:%d got reply transaction " 1404 "with no transaction stack\n", 1405 proc->pid, thread->pid); 1406 return_error = BR_FAILED_REPLY; 1407 goto err_empty_call_stack; 1408 } 1409 binder_set_nice(in_reply_to->saved_priority); 1410 if (in_reply_to->to_thread != thread) { 1411 binder_user_error("binder: %d:%d got reply transaction " 1412 "with bad transaction stack," 1413 " transaction %d has target %d:%d\n", 1414 proc->pid, thread->pid, in_reply_to->debug_id, 1415 in_reply_to->to_proc ? 1416 in_reply_to->to_proc->pid : 0, 1417 in_reply_to->to_thread ? 1418 in_reply_to->to_thread->pid : 0); 1419 return_error = BR_FAILED_REPLY; 1420 in_reply_to = NULL; 1421 goto err_bad_call_stack; 1422 } 1423 thread->transaction_stack = in_reply_to->to_parent; 1424 target_thread = in_reply_to->from; 1425 if (target_thread == NULL) { 1426 return_error = BR_DEAD_REPLY; 1427 goto err_dead_binder; 1428 } 1429 if (target_thread->transaction_stack != in_reply_to) { 1430 binder_user_error("binder: %d:%d got reply transaction " 1431 "with bad target transaction stack %d, " 1432 "expected %d\n", 1433 proc->pid, thread->pid, 1434 target_thread->transaction_stack ? 1435 target_thread->transaction_stack->debug_id : 0, 1436 in_reply_to->debug_id); 1437 return_error = BR_FAILED_REPLY; 1438 in_reply_to = NULL; 1439 target_thread = NULL; 1440 goto err_dead_binder; 1441 } 1442 target_proc = target_thread->proc; 1443 } else { 1444 if (tr->target.handle) { 1445 struct binder_ref *ref; 1446 ref = binder_get_ref(proc, tr->target.handle); 1447 if (ref == NULL) { 1448 binder_user_error("binder: %d:%d got " 1449 "transaction to invalid handle\n", 1450 proc->pid, thread->pid); 1451 return_error = BR_FAILED_REPLY; 1452 goto err_invalid_target_handle; 1453 } 1454 target_node = ref->node; 1455 } else { 1456 target_node = binder_context_mgr_node; 1457 if (target_node == NULL) { 1458 return_error = BR_DEAD_REPLY; 1459 goto err_no_context_mgr_node; 1460 } 1461 } 1462 e->to_node = target_node->debug_id; 1463 target_proc = target_node->proc; 1464 if (target_proc == NULL) { 1465 return_error = BR_DEAD_REPLY; 1466 goto err_dead_binder; 1467 } 1468 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1469 struct binder_transaction *tmp; 1470 tmp = thread->transaction_stack; 1471 if (tmp->to_thread != thread) { 1472 binder_user_error("binder: %d:%d got new " 1473 "transaction with bad transaction stack" 1474 ", transaction %d has target %d:%d\n", 1475 proc->pid, thread->pid, tmp->debug_id, 1476 tmp->to_proc ? tmp->to_proc->pid : 0, 1477 tmp->to_thread ? 1478 tmp->to_thread->pid : 0); 1479 return_error = BR_FAILED_REPLY; 1480 goto err_bad_call_stack; 1481 } 1482 while (tmp) { 1483 if (tmp->from && tmp->from->proc == target_proc) 1484 target_thread = tmp->from; 1485 tmp = tmp->from_parent; 1486 } 1487 } 1488 } 1489 if (target_thread) { 1490 e->to_thread = target_thread->pid; 1491 target_list = &target_thread->todo; 1492 target_wait = &target_thread->wait; 1493 } else { 1494 target_list = &target_proc->todo; 1495 target_wait = &target_proc->wait; 1496 } 1497 e->to_proc = target_proc->pid; 1498 1499 /* TODO: reuse incoming transaction for reply */ 1500 t = kzalloc(sizeof(*t), GFP_KERNEL); 1501 if (t == NULL) { 1502 return_error = BR_FAILED_REPLY; 1503 goto err_alloc_t_failed; 1504 } 1505 binder_stats_created(BINDER_STAT_TRANSACTION); 1506 1507 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1508 if (tcomplete == NULL) { 1509 return_error = BR_FAILED_REPLY; 1510 goto err_alloc_tcomplete_failed; 1511 } 1512 binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE); 1513 1514 t->debug_id = ++binder_last_id; 1515 e->debug_id = t->debug_id; 1516 1517 if (reply) 1518 binder_debug(BINDER_DEBUG_TRANSACTION, 1519 "binder: %d:%d BC_REPLY %d -> %d:%d, " 1520 "data %p-%p size %zd-%zd\n", 1521 proc->pid, thread->pid, t->debug_id, 1522 target_proc->pid, target_thread->pid, 1523 tr->data.ptr.buffer, tr->data.ptr.offsets, 1524 tr->data_size, tr->offsets_size); 1525 else 1526 binder_debug(BINDER_DEBUG_TRANSACTION, 1527 "binder: %d:%d BC_TRANSACTION %d -> " 1528 "%d - node %d, data %p-%p size %zd-%zd\n", 1529 proc->pid, thread->pid, t->debug_id, 1530 target_proc->pid, target_node->debug_id, 1531 tr->data.ptr.buffer, tr->data.ptr.offsets, 1532 tr->data_size, tr->offsets_size); 1533 1534 if (!reply && !(tr->flags & TF_ONE_WAY)) 1535 t->from = thread; 1536 else 1537 t->from = NULL; 1538 t->sender_euid = proc->tsk->cred->euid; 1539 t->to_proc = target_proc; 1540 t->to_thread = target_thread; 1541 t->code = tr->code; 1542 t->flags = tr->flags; 1543 t->priority = task_nice(current); 1544 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1545 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1546 if (t->buffer == NULL) { 1547 return_error = BR_FAILED_REPLY; 1548 goto err_binder_alloc_buf_failed; 1549 } 1550 t->buffer->allow_user_free = 0; 1551 t->buffer->debug_id = t->debug_id; 1552 t->buffer->transaction = t; 1553 t->buffer->target_node = target_node; 1554 if (target_node) 1555 binder_inc_node(target_node, 1, 0, NULL); 1556 1557 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1558 1559 if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1560 binder_user_error("binder: %d:%d got transaction with invalid " 1561 "data ptr\n", proc->pid, thread->pid); 1562 return_error = BR_FAILED_REPLY; 1563 goto err_copy_data_failed; 1564 } 1565 if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1566 binder_user_error("binder: %d:%d got transaction with invalid " 1567 "offsets ptr\n", proc->pid, thread->pid); 1568 return_error = BR_FAILED_REPLY; 1569 goto err_copy_data_failed; 1570 } 1571 if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { 1572 binder_user_error("binder: %d:%d got transaction with " 1573 "invalid offsets size, %zd\n", 1574 proc->pid, thread->pid, tr->offsets_size); 1575 return_error = BR_FAILED_REPLY; 1576 goto err_bad_offset; 1577 } 1578 off_end = (void *)offp + tr->offsets_size; 1579 for (; offp < off_end; offp++) { 1580 struct flat_binder_object *fp; 1581 if (*offp > t->buffer->data_size - sizeof(*fp) || 1582 t->buffer->data_size < sizeof(*fp) || 1583 !IS_ALIGNED(*offp, sizeof(void *))) { 1584 binder_user_error("binder: %d:%d got transaction with " 1585 "invalid offset, %zd\n", 1586 proc->pid, thread->pid, *offp); 1587 return_error = BR_FAILED_REPLY; 1588 goto err_bad_offset; 1589 } 1590 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1591 switch (fp->type) { 1592 case BINDER_TYPE_BINDER: 1593 case BINDER_TYPE_WEAK_BINDER: { 1594 struct binder_ref *ref; 1595 struct binder_node *node = binder_get_node(proc, fp->binder); 1596 if (node == NULL) { 1597 node = binder_new_node(proc, fp->binder, fp->cookie); 1598 if (node == NULL) { 1599 return_error = BR_FAILED_REPLY; 1600 goto err_binder_new_node_failed; 1601 } 1602 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1603 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1604 } 1605 if (fp->cookie != node->cookie) { 1606 binder_user_error("binder: %d:%d sending u%p " 1607 "node %d, cookie mismatch %p != %p\n", 1608 proc->pid, thread->pid, 1609 fp->binder, node->debug_id, 1610 fp->cookie, node->cookie); 1611 goto err_binder_get_ref_for_node_failed; 1612 } 1613 ref = binder_get_ref_for_node(target_proc, node); 1614 if (ref == NULL) { 1615 return_error = BR_FAILED_REPLY; 1616 goto err_binder_get_ref_for_node_failed; 1617 } 1618 if (fp->type == BINDER_TYPE_BINDER) 1619 fp->type = BINDER_TYPE_HANDLE; 1620 else 1621 fp->type = BINDER_TYPE_WEAK_HANDLE; 1622 fp->handle = ref->desc; 1623 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, 1624 &thread->todo); 1625 1626 binder_debug(BINDER_DEBUG_TRANSACTION, 1627 " node %d u%p -> ref %d desc %d\n", 1628 node->debug_id, node->ptr, ref->debug_id, 1629 ref->desc); 1630 } break; 1631 case BINDER_TYPE_HANDLE: 1632 case BINDER_TYPE_WEAK_HANDLE: { 1633 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1634 if (ref == NULL) { 1635 binder_user_error("binder: %d:%d got " 1636 "transaction with invalid " 1637 "handle, %ld\n", proc->pid, 1638 thread->pid, fp->handle); 1639 return_error = BR_FAILED_REPLY; 1640 goto err_binder_get_ref_failed; 1641 } 1642 if (ref->node->proc == target_proc) { 1643 if (fp->type == BINDER_TYPE_HANDLE) 1644 fp->type = BINDER_TYPE_BINDER; 1645 else 1646 fp->type = BINDER_TYPE_WEAK_BINDER; 1647 fp->binder = ref->node->ptr; 1648 fp->cookie = ref->node->cookie; 1649 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1650 binder_debug(BINDER_DEBUG_TRANSACTION, 1651 " ref %d desc %d -> node %d u%p\n", 1652 ref->debug_id, ref->desc, ref->node->debug_id, 1653 ref->node->ptr); 1654 } else { 1655 struct binder_ref *new_ref; 1656 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1657 if (new_ref == NULL) { 1658 return_error = BR_FAILED_REPLY; 1659 goto err_binder_get_ref_for_node_failed; 1660 } 1661 fp->handle = new_ref->desc; 1662 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1663 binder_debug(BINDER_DEBUG_TRANSACTION, 1664 " ref %d desc %d -> ref %d desc %d (node %d)\n", 1665 ref->debug_id, ref->desc, new_ref->debug_id, 1666 new_ref->desc, ref->node->debug_id); 1667 } 1668 } break; 1669 1670 case BINDER_TYPE_FD: { 1671 int target_fd; 1672 struct file *file; 1673 1674 if (reply) { 1675 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1676 binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1677 proc->pid, thread->pid, fp->handle); 1678 return_error = BR_FAILED_REPLY; 1679 goto err_fd_not_allowed; 1680 } 1681 } else if (!target_node->accept_fds) { 1682 binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1683 proc->pid, thread->pid, fp->handle); 1684 return_error = BR_FAILED_REPLY; 1685 goto err_fd_not_allowed; 1686 } 1687 1688 file = fget(fp->handle); 1689 if (file == NULL) { 1690 binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1691 proc->pid, thread->pid, fp->handle); 1692 return_error = BR_FAILED_REPLY; 1693 goto err_fget_failed; 1694 } 1695 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 1696 if (target_fd < 0) { 1697 fput(file); 1698 return_error = BR_FAILED_REPLY; 1699 goto err_get_unused_fd_failed; 1700 } 1701 task_fd_install(target_proc, target_fd, file); 1702 binder_debug(BINDER_DEBUG_TRANSACTION, 1703 " fd %ld -> %d\n", fp->handle, target_fd); 1704 /* TODO: fput? */ 1705 fp->handle = target_fd; 1706 } break; 1707 1708 default: 1709 binder_user_error("binder: %d:%d got transactio" 1710 "n with invalid object type, %lx\n", 1711 proc->pid, thread->pid, fp->type); 1712 return_error = BR_FAILED_REPLY; 1713 goto err_bad_object_type; 1714 } 1715 } 1716 if (reply) { 1717 BUG_ON(t->buffer->async_transaction != 0); 1718 binder_pop_transaction(target_thread, in_reply_to); 1719 } else if (!(t->flags & TF_ONE_WAY)) { 1720 BUG_ON(t->buffer->async_transaction != 0); 1721 t->need_reply = 1; 1722 t->from_parent = thread->transaction_stack; 1723 thread->transaction_stack = t; 1724 } else { 1725 BUG_ON(target_node == NULL); 1726 BUG_ON(t->buffer->async_transaction != 1); 1727 if (target_node->has_async_transaction) { 1728 target_list = &target_node->async_todo; 1729 target_wait = NULL; 1730 } else 1731 target_node->has_async_transaction = 1; 1732 } 1733 t->work.type = BINDER_WORK_TRANSACTION; 1734 list_add_tail(&t->work.entry, target_list); 1735 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1736 list_add_tail(&tcomplete->entry, &thread->todo); 1737 if (target_wait) 1738 wake_up_interruptible(target_wait); 1739 return; 1740 1741err_get_unused_fd_failed: 1742err_fget_failed: 1743err_fd_not_allowed: 1744err_binder_get_ref_for_node_failed: 1745err_binder_get_ref_failed: 1746err_binder_new_node_failed: 1747err_bad_object_type: 1748err_bad_offset: 1749err_copy_data_failed: 1750 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1751 t->buffer->transaction = NULL; 1752 binder_free_buf(target_proc, t->buffer); 1753err_binder_alloc_buf_failed: 1754 kfree(tcomplete); 1755 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 1756err_alloc_tcomplete_failed: 1757 kfree(t); 1758 binder_stats_deleted(BINDER_STAT_TRANSACTION); 1759err_alloc_t_failed: 1760err_bad_call_stack: 1761err_empty_call_stack: 1762err_dead_binder: 1763err_invalid_target_handle: 1764err_no_context_mgr_node: 1765 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1766 "binder: %d:%d transaction failed %d, size %zd-%zd\n", 1767 proc->pid, thread->pid, return_error, 1768 tr->data_size, tr->offsets_size); 1769 1770 { 1771 struct binder_transaction_log_entry *fe; 1772 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1773 *fe = *e; 1774 } 1775 1776 BUG_ON(thread->return_error != BR_OK); 1777 if (in_reply_to) { 1778 thread->return_error = BR_TRANSACTION_COMPLETE; 1779 binder_send_failed_reply(in_reply_to, return_error); 1780 } else 1781 thread->return_error = return_error; 1782} 1783 1784int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1785 void __user *buffer, int size, signed long *consumed) 1786{ 1787 uint32_t cmd; 1788 void __user *ptr = buffer + *consumed; 1789 void __user *end = buffer + size; 1790 1791 while (ptr < end && thread->return_error == BR_OK) { 1792 if (get_user(cmd, (uint32_t __user *)ptr)) 1793 return -EFAULT; 1794 ptr += sizeof(uint32_t); 1795 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1796 binder_stats.bc[_IOC_NR(cmd)]++; 1797 proc->stats.bc[_IOC_NR(cmd)]++; 1798 thread->stats.bc[_IOC_NR(cmd)]++; 1799 } 1800 switch (cmd) { 1801 case BC_INCREFS: 1802 case BC_ACQUIRE: 1803 case BC_RELEASE: 1804 case BC_DECREFS: { 1805 uint32_t target; 1806 struct binder_ref *ref; 1807 const char *debug_string; 1808 1809 if (get_user(target, (uint32_t __user *)ptr)) 1810 return -EFAULT; 1811 ptr += sizeof(uint32_t); 1812 if (target == 0 && binder_context_mgr_node && 1813 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1814 ref = binder_get_ref_for_node(proc, 1815 binder_context_mgr_node); 1816 if (ref->desc != target) { 1817 binder_user_error("binder: %d:" 1818 "%d tried to acquire " 1819 "reference to desc 0, " 1820 "got %d instead\n", 1821 proc->pid, thread->pid, 1822 ref->desc); 1823 } 1824 } else 1825 ref = binder_get_ref(proc, target); 1826 if (ref == NULL) { 1827 binder_user_error("binder: %d:%d refcou" 1828 "nt change on invalid ref %d\n", 1829 proc->pid, thread->pid, target); 1830 break; 1831 } 1832 switch (cmd) { 1833 case BC_INCREFS: 1834 debug_string = "IncRefs"; 1835 binder_inc_ref(ref, 0, NULL); 1836 break; 1837 case BC_ACQUIRE: 1838 debug_string = "Acquire"; 1839 binder_inc_ref(ref, 1, NULL); 1840 break; 1841 case BC_RELEASE: 1842 debug_string = "Release"; 1843 binder_dec_ref(ref, 1); 1844 break; 1845 case BC_DECREFS: 1846 default: 1847 debug_string = "DecRefs"; 1848 binder_dec_ref(ref, 0); 1849 break; 1850 } 1851 binder_debug(BINDER_DEBUG_USER_REFS, 1852 "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1853 proc->pid, thread->pid, debug_string, ref->debug_id, 1854 ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1855 break; 1856 } 1857 case BC_INCREFS_DONE: 1858 case BC_ACQUIRE_DONE: { 1859 void __user *node_ptr; 1860 void *cookie; 1861 struct binder_node *node; 1862 1863 if (get_user(node_ptr, (void * __user *)ptr)) 1864 return -EFAULT; 1865 ptr += sizeof(void *); 1866 if (get_user(cookie, (void * __user *)ptr)) 1867 return -EFAULT; 1868 ptr += sizeof(void *); 1869 node = binder_get_node(proc, node_ptr); 1870 if (node == NULL) { 1871 binder_user_error("binder: %d:%d " 1872 "%s u%p no match\n", 1873 proc->pid, thread->pid, 1874 cmd == BC_INCREFS_DONE ? 1875 "BC_INCREFS_DONE" : 1876 "BC_ACQUIRE_DONE", 1877 node_ptr); 1878 break; 1879 } 1880 if (cookie != node->cookie) { 1881 binder_user_error("binder: %d:%d %s u%p node %d" 1882 " cookie mismatch %p != %p\n", 1883 proc->pid, thread->pid, 1884 cmd == BC_INCREFS_DONE ? 1885 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1886 node_ptr, node->debug_id, 1887 cookie, node->cookie); 1888 break; 1889 } 1890 if (cmd == BC_ACQUIRE_DONE) { 1891 if (node->pending_strong_ref == 0) { 1892 binder_user_error("binder: %d:%d " 1893 "BC_ACQUIRE_DONE node %d has " 1894 "no pending acquire request\n", 1895 proc->pid, thread->pid, 1896 node->debug_id); 1897 break; 1898 } 1899 node->pending_strong_ref = 0; 1900 } else { 1901 if (node->pending_weak_ref == 0) { 1902 binder_user_error("binder: %d:%d " 1903 "BC_INCREFS_DONE node %d has " 1904 "no pending increfs request\n", 1905 proc->pid, thread->pid, 1906 node->debug_id); 1907 break; 1908 } 1909 node->pending_weak_ref = 0; 1910 } 1911 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1912 binder_debug(BINDER_DEBUG_USER_REFS, 1913 "binder: %d:%d %s node %d ls %d lw %d\n", 1914 proc->pid, thread->pid, 1915 cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1916 node->debug_id, node->local_strong_refs, node->local_weak_refs); 1917 break; 1918 } 1919 case BC_ATTEMPT_ACQUIRE: 1920 printk(KERN_ERR "binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1921 return -EINVAL; 1922 case BC_ACQUIRE_RESULT: 1923 printk(KERN_ERR "binder: BC_ACQUIRE_RESULT not supported\n"); 1924 return -EINVAL; 1925 1926 case BC_FREE_BUFFER: { 1927 void __user *data_ptr; 1928 struct binder_buffer *buffer; 1929 1930 if (get_user(data_ptr, (void * __user *)ptr)) 1931 return -EFAULT; 1932 ptr += sizeof(void *); 1933 1934 buffer = binder_buffer_lookup(proc, data_ptr); 1935 if (buffer == NULL) { 1936 binder_user_error("binder: %d:%d " 1937 "BC_FREE_BUFFER u%p no match\n", 1938 proc->pid, thread->pid, data_ptr); 1939 break; 1940 } 1941 if (!buffer->allow_user_free) { 1942 binder_user_error("binder: %d:%d " 1943 "BC_FREE_BUFFER u%p matched " 1944 "unreturned buffer\n", 1945 proc->pid, thread->pid, data_ptr); 1946 break; 1947 } 1948 binder_debug(BINDER_DEBUG_FREE_BUFFER, 1949 "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1950 proc->pid, thread->pid, data_ptr, buffer->debug_id, 1951 buffer->transaction ? "active" : "finished"); 1952 1953 if (buffer->transaction) { 1954 buffer->transaction->buffer = NULL; 1955 buffer->transaction = NULL; 1956 } 1957 if (buffer->async_transaction && buffer->target_node) { 1958 BUG_ON(!buffer->target_node->has_async_transaction); 1959 if (list_empty(&buffer->target_node->async_todo)) 1960 buffer->target_node->has_async_transaction = 0; 1961 else 1962 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1963 } 1964 binder_transaction_buffer_release(proc, buffer, NULL); 1965 binder_free_buf(proc, buffer); 1966 break; 1967 } 1968 1969 case BC_TRANSACTION: 1970 case BC_REPLY: { 1971 struct binder_transaction_data tr; 1972 1973 if (copy_from_user(&tr, ptr, sizeof(tr))) 1974 return -EFAULT; 1975 ptr += sizeof(tr); 1976 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1977 break; 1978 } 1979 1980 case BC_REGISTER_LOOPER: 1981 binder_debug(BINDER_DEBUG_THREADS, 1982 "binder: %d:%d BC_REGISTER_LOOPER\n", 1983 proc->pid, thread->pid); 1984 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1985 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1986 binder_user_error("binder: %d:%d ERROR:" 1987 " BC_REGISTER_LOOPER called " 1988 "after BC_ENTER_LOOPER\n", 1989 proc->pid, thread->pid); 1990 } else if (proc->requested_threads == 0) { 1991 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1992 binder_user_error("binder: %d:%d ERROR:" 1993 " BC_REGISTER_LOOPER called " 1994 "without request\n", 1995 proc->pid, thread->pid); 1996 } else { 1997 proc->requested_threads--; 1998 proc->requested_threads_started++; 1999 } 2000 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 2001 break; 2002 case BC_ENTER_LOOPER: 2003 binder_debug(BINDER_DEBUG_THREADS, 2004 "binder: %d:%d BC_ENTER_LOOPER\n", 2005 proc->pid, thread->pid); 2006 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 2007 thread->looper |= BINDER_LOOPER_STATE_INVALID; 2008 binder_user_error("binder: %d:%d ERROR:" 2009 " BC_ENTER_LOOPER called after " 2010 "BC_REGISTER_LOOPER\n", 2011 proc->pid, thread->pid); 2012 } 2013 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 2014 break; 2015 case BC_EXIT_LOOPER: 2016 binder_debug(BINDER_DEBUG_THREADS, 2017 "binder: %d:%d BC_EXIT_LOOPER\n", 2018 proc->pid, thread->pid); 2019 thread->looper |= BINDER_LOOPER_STATE_EXITED; 2020 break; 2021 2022 case BC_REQUEST_DEATH_NOTIFICATION: 2023 case BC_CLEAR_DEATH_NOTIFICATION: { 2024 uint32_t target; 2025 void __user *cookie; 2026 struct binder_ref *ref; 2027 struct binder_ref_death *death; 2028 2029 if (get_user(target, (uint32_t __user *)ptr)) 2030 return -EFAULT; 2031 ptr += sizeof(uint32_t); 2032 if (get_user(cookie, (void __user * __user *)ptr)) 2033 return -EFAULT; 2034 ptr += sizeof(void *); 2035 ref = binder_get_ref(proc, target); 2036 if (ref == NULL) { 2037 binder_user_error("binder: %d:%d %s " 2038 "invalid ref %d\n", 2039 proc->pid, thread->pid, 2040 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2041 "BC_REQUEST_DEATH_NOTIFICATION" : 2042 "BC_CLEAR_DEATH_NOTIFICATION", 2043 target); 2044 break; 2045 } 2046 2047 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2048 "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 2049 proc->pid, thread->pid, 2050 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2051 "BC_REQUEST_DEATH_NOTIFICATION" : 2052 "BC_CLEAR_DEATH_NOTIFICATION", 2053 cookie, ref->debug_id, ref->desc, 2054 ref->strong, ref->weak, ref->node->debug_id); 2055 2056 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 2057 if (ref->death) { 2058 binder_user_error("binder: %d:%" 2059 "d BC_REQUEST_DEATH_NOTI" 2060 "FICATION death notific" 2061 "ation already set\n", 2062 proc->pid, thread->pid); 2063 break; 2064 } 2065 death = kzalloc(sizeof(*death), GFP_KERNEL); 2066 if (death == NULL) { 2067 thread->return_error = BR_ERROR; 2068 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 2069 "binder: %d:%d " 2070 "BC_REQUEST_DEATH_NOTIFICATION failed\n", 2071 proc->pid, thread->pid); 2072 break; 2073 } 2074 binder_stats_created(BINDER_STAT_DEATH); 2075 INIT_LIST_HEAD(&death->work.entry); 2076 death->cookie = cookie; 2077 ref->death = death; 2078 if (ref->node->proc == NULL) { 2079 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2080 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2081 list_add_tail(&ref->death->work.entry, &thread->todo); 2082 } else { 2083 list_add_tail(&ref->death->work.entry, &proc->todo); 2084 wake_up_interruptible(&proc->wait); 2085 } 2086 } 2087 } else { 2088 if (ref->death == NULL) { 2089 binder_user_error("binder: %d:%" 2090 "d BC_CLEAR_DEATH_NOTIFI" 2091 "CATION death notificat" 2092 "ion not active\n", 2093 proc->pid, thread->pid); 2094 break; 2095 } 2096 death = ref->death; 2097 if (death->cookie != cookie) { 2098 binder_user_error("binder: %d:%" 2099 "d BC_CLEAR_DEATH_NOTIFI" 2100 "CATION death notificat" 2101 "ion cookie mismatch " 2102 "%p != %p\n", 2103 proc->pid, thread->pid, 2104 death->cookie, cookie); 2105 break; 2106 } 2107 ref->death = NULL; 2108 if (list_empty(&death->work.entry)) { 2109 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2110 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2111 list_add_tail(&death->work.entry, &thread->todo); 2112 } else { 2113 list_add_tail(&death->work.entry, &proc->todo); 2114 wake_up_interruptible(&proc->wait); 2115 } 2116 } else { 2117 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2118 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2119 } 2120 } 2121 } break; 2122 case BC_DEAD_BINDER_DONE: { 2123 struct binder_work *w; 2124 void __user *cookie; 2125 struct binder_ref_death *death = NULL; 2126 if (get_user(cookie, (void __user * __user *)ptr)) 2127 return -EFAULT; 2128 2129 ptr += sizeof(void *); 2130 list_for_each_entry(w, &proc->delivered_death, entry) { 2131 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2132 if (tmp_death->cookie == cookie) { 2133 death = tmp_death; 2134 break; 2135 } 2136 } 2137 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2138 "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2139 proc->pid, thread->pid, cookie, death); 2140 if (death == NULL) { 2141 binder_user_error("binder: %d:%d BC_DEAD" 2142 "_BINDER_DONE %p not found\n", 2143 proc->pid, thread->pid, cookie); 2144 break; 2145 } 2146 2147 list_del_init(&death->work.entry); 2148 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2149 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2150 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2151 list_add_tail(&death->work.entry, &thread->todo); 2152 } else { 2153 list_add_tail(&death->work.entry, &proc->todo); 2154 wake_up_interruptible(&proc->wait); 2155 } 2156 } 2157 } break; 2158 2159 default: 2160 printk(KERN_ERR "binder: %d:%d unknown command %d\n", 2161 proc->pid, thread->pid, cmd); 2162 return -EINVAL; 2163 } 2164 *consumed = ptr - buffer; 2165 } 2166 return 0; 2167} 2168 2169void binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, 2170 uint32_t cmd) 2171{ 2172 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2173 binder_stats.br[_IOC_NR(cmd)]++; 2174 proc->stats.br[_IOC_NR(cmd)]++; 2175 thread->stats.br[_IOC_NR(cmd)]++; 2176 } 2177} 2178 2179static int binder_has_proc_work(struct binder_proc *proc, 2180 struct binder_thread *thread) 2181{ 2182 return !list_empty(&proc->todo) || 2183 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2184} 2185 2186static int binder_has_thread_work(struct binder_thread *thread) 2187{ 2188 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2189 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2190} 2191 2192static int binder_thread_read(struct binder_proc *proc, 2193 struct binder_thread *thread, 2194 void __user *buffer, int size, 2195 signed long *consumed, int non_block) 2196{ 2197 void __user *ptr = buffer + *consumed; 2198 void __user *end = buffer + size; 2199 2200 int ret = 0; 2201 int wait_for_proc_work; 2202 2203 if (*consumed == 0) { 2204 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2205 return -EFAULT; 2206 ptr += sizeof(uint32_t); 2207 } 2208 2209retry: 2210 wait_for_proc_work = thread->transaction_stack == NULL && 2211 list_empty(&thread->todo); 2212 2213 if (thread->return_error != BR_OK && ptr < end) { 2214 if (thread->return_error2 != BR_OK) { 2215 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2216 return -EFAULT; 2217 ptr += sizeof(uint32_t); 2218 if (ptr == end) 2219 goto done; 2220 thread->return_error2 = BR_OK; 2221 } 2222 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2223 return -EFAULT; 2224 ptr += sizeof(uint32_t); 2225 thread->return_error = BR_OK; 2226 goto done; 2227 } 2228 2229 2230 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2231 if (wait_for_proc_work) 2232 proc->ready_threads++; 2233 mutex_unlock(&binder_lock); 2234 if (wait_for_proc_work) { 2235 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2236 BINDER_LOOPER_STATE_ENTERED))) { 2237 binder_user_error("binder: %d:%d ERROR: Thread waiting " 2238 "for process work before calling BC_REGISTER_" 2239 "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2240 proc->pid, thread->pid, thread->looper); 2241 wait_event_interruptible(binder_user_error_wait, 2242 binder_stop_on_user_error < 2); 2243 } 2244 binder_set_nice(proc->default_priority); 2245 if (non_block) { 2246 if (!binder_has_proc_work(proc, thread)) 2247 ret = -EAGAIN; 2248 } else 2249 ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2250 } else { 2251 if (non_block) { 2252 if (!binder_has_thread_work(thread)) 2253 ret = -EAGAIN; 2254 } else 2255 ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2256 } 2257 mutex_lock(&binder_lock); 2258 if (wait_for_proc_work) 2259 proc->ready_threads--; 2260 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2261 2262 if (ret) 2263 return ret; 2264 2265 while (1) { 2266 uint32_t cmd; 2267 struct binder_transaction_data tr; 2268 struct binder_work *w; 2269 struct binder_transaction *t = NULL; 2270 2271 if (!list_empty(&thread->todo)) 2272 w = list_first_entry(&thread->todo, struct binder_work, entry); 2273 else if (!list_empty(&proc->todo) && wait_for_proc_work) 2274 w = list_first_entry(&proc->todo, struct binder_work, entry); 2275 else { 2276 if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2277 goto retry; 2278 break; 2279 } 2280 2281 if (end - ptr < sizeof(tr) + 4) 2282 break; 2283 2284 switch (w->type) { 2285 case BINDER_WORK_TRANSACTION: { 2286 t = container_of(w, struct binder_transaction, work); 2287 } break; 2288 case BINDER_WORK_TRANSACTION_COMPLETE: { 2289 cmd = BR_TRANSACTION_COMPLETE; 2290 if (put_user(cmd, (uint32_t __user *)ptr)) 2291 return -EFAULT; 2292 ptr += sizeof(uint32_t); 2293 2294 binder_stat_br(proc, thread, cmd); 2295 binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, 2296 "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2297 proc->pid, thread->pid); 2298 2299 list_del(&w->entry); 2300 kfree(w); 2301 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2302 } break; 2303 case BINDER_WORK_NODE: { 2304 struct binder_node *node = container_of(w, struct binder_node, work); 2305 uint32_t cmd = BR_NOOP; 2306 const char *cmd_name; 2307 int strong = node->internal_strong_refs || node->local_strong_refs; 2308 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2309 if (weak && !node->has_weak_ref) { 2310 cmd = BR_INCREFS; 2311 cmd_name = "BR_INCREFS"; 2312 node->has_weak_ref = 1; 2313 node->pending_weak_ref = 1; 2314 node->local_weak_refs++; 2315 } else if (strong && !node->has_strong_ref) { 2316 cmd = BR_ACQUIRE; 2317 cmd_name = "BR_ACQUIRE"; 2318 node->has_strong_ref = 1; 2319 node->pending_strong_ref = 1; 2320 node->local_strong_refs++; 2321 } else if (!strong && node->has_strong_ref) { 2322 cmd = BR_RELEASE; 2323 cmd_name = "BR_RELEASE"; 2324 node->has_strong_ref = 0; 2325 } else if (!weak && node->has_weak_ref) { 2326 cmd = BR_DECREFS; 2327 cmd_name = "BR_DECREFS"; 2328 node->has_weak_ref = 0; 2329 } 2330 if (cmd != BR_NOOP) { 2331 if (put_user(cmd, (uint32_t __user *)ptr)) 2332 return -EFAULT; 2333 ptr += sizeof(uint32_t); 2334 if (put_user(node->ptr, (void * __user *)ptr)) 2335 return -EFAULT; 2336 ptr += sizeof(void *); 2337 if (put_user(node->cookie, (void * __user *)ptr)) 2338 return -EFAULT; 2339 ptr += sizeof(void *); 2340 2341 binder_stat_br(proc, thread, cmd); 2342 binder_debug(BINDER_DEBUG_USER_REFS, 2343 "binder: %d:%d %s %d u%p c%p\n", 2344 proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2345 } else { 2346 list_del_init(&w->entry); 2347 if (!weak && !strong) { 2348 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2349 "binder: %d:%d node %d u%p c%p deleted\n", 2350 proc->pid, thread->pid, node->debug_id, 2351 node->ptr, node->cookie); 2352 rb_erase(&node->rb_node, &proc->nodes); 2353 kfree(node); 2354 binder_stats_deleted(BINDER_STAT_NODE); 2355 } else { 2356 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2357 "binder: %d:%d node %d u%p c%p state unchanged\n", 2358 proc->pid, thread->pid, node->debug_id, node->ptr, 2359 node->cookie); 2360 } 2361 } 2362 } break; 2363 case BINDER_WORK_DEAD_BINDER: 2364 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2365 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2366 struct binder_ref_death *death; 2367 uint32_t cmd; 2368 2369 death = container_of(w, struct binder_ref_death, work); 2370 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2371 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2372 else 2373 cmd = BR_DEAD_BINDER; 2374 if (put_user(cmd, (uint32_t __user *)ptr)) 2375 return -EFAULT; 2376 ptr += sizeof(uint32_t); 2377 if (put_user(death->cookie, (void * __user *)ptr)) 2378 return -EFAULT; 2379 ptr += sizeof(void *); 2380 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2381 "binder: %d:%d %s %p\n", 2382 proc->pid, thread->pid, 2383 cmd == BR_DEAD_BINDER ? 2384 "BR_DEAD_BINDER" : 2385 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2386 death->cookie); 2387 2388 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2389 list_del(&w->entry); 2390 kfree(death); 2391 binder_stats_deleted(BINDER_STAT_DEATH); 2392 } else 2393 list_move(&w->entry, &proc->delivered_death); 2394 if (cmd == BR_DEAD_BINDER) 2395 goto done; /* DEAD_BINDER notifications can cause transactions */ 2396 } break; 2397 } 2398 2399 if (!t) 2400 continue; 2401 2402 BUG_ON(t->buffer == NULL); 2403 if (t->buffer->target_node) { 2404 struct binder_node *target_node = t->buffer->target_node; 2405 tr.target.ptr = target_node->ptr; 2406 tr.cookie = target_node->cookie; 2407 t->saved_priority = task_nice(current); 2408 if (t->priority < target_node->min_priority && 2409 !(t->flags & TF_ONE_WAY)) 2410 binder_set_nice(t->priority); 2411 else if (!(t->flags & TF_ONE_WAY) || 2412 t->saved_priority > target_node->min_priority) 2413 binder_set_nice(target_node->min_priority); 2414 cmd = BR_TRANSACTION; 2415 } else { 2416 tr.target.ptr = NULL; 2417 tr.cookie = NULL; 2418 cmd = BR_REPLY; 2419 } 2420 tr.code = t->code; 2421 tr.flags = t->flags; 2422 tr.sender_euid = t->sender_euid; 2423 2424 if (t->from) { 2425 struct task_struct *sender = t->from->proc->tsk; 2426 tr.sender_pid = task_tgid_nr_ns(sender, 2427 current->nsproxy->pid_ns); 2428 } else { 2429 tr.sender_pid = 0; 2430 } 2431 2432 tr.data_size = t->buffer->data_size; 2433 tr.offsets_size = t->buffer->offsets_size; 2434 tr.data.ptr.buffer = (void *)t->buffer->data + 2435 proc->user_buffer_offset; 2436 tr.data.ptr.offsets = tr.data.ptr.buffer + 2437 ALIGN(t->buffer->data_size, 2438 sizeof(void *)); 2439 2440 if (put_user(cmd, (uint32_t __user *)ptr)) 2441 return -EFAULT; 2442 ptr += sizeof(uint32_t); 2443 if (copy_to_user(ptr, &tr, sizeof(tr))) 2444 return -EFAULT; 2445 ptr += sizeof(tr); 2446 2447 binder_stat_br(proc, thread, cmd); 2448 binder_debug(BINDER_DEBUG_TRANSACTION, 2449 "binder: %d:%d %s %d %d:%d, cmd %d" 2450 "size %zd-%zd ptr %p-%p\n", 2451 proc->pid, thread->pid, 2452 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : 2453 "BR_REPLY", 2454 t->debug_id, t->from ? t->from->proc->pid : 0, 2455 t->from ? t->from->pid : 0, cmd, 2456 t->buffer->data_size, t->buffer->offsets_size, 2457 tr.data.ptr.buffer, tr.data.ptr.offsets); 2458 2459 list_del(&t->work.entry); 2460 t->buffer->allow_user_free = 1; 2461 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2462 t->to_parent = thread->transaction_stack; 2463 t->to_thread = thread; 2464 thread->transaction_stack = t; 2465 } else { 2466 t->buffer->transaction = NULL; 2467 kfree(t); 2468 binder_stats_deleted(BINDER_STAT_TRANSACTION); 2469 } 2470 break; 2471 } 2472 2473done: 2474 2475 *consumed = ptr - buffer; 2476 if (proc->requested_threads + proc->ready_threads == 0 && 2477 proc->requested_threads_started < proc->max_threads && 2478 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2479 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2480 /*spawn a new thread if we leave this out */) { 2481 proc->requested_threads++; 2482 binder_debug(BINDER_DEBUG_THREADS, 2483 "binder: %d:%d BR_SPAWN_LOOPER\n", 2484 proc->pid, thread->pid); 2485 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2486 return -EFAULT; 2487 } 2488 return 0; 2489} 2490 2491static void binder_release_work(struct list_head *list) 2492{ 2493 struct binder_work *w; 2494 while (!list_empty(list)) { 2495 w = list_first_entry(list, struct binder_work, entry); 2496 list_del_init(&w->entry); 2497 switch (w->type) { 2498 case BINDER_WORK_TRANSACTION: { 2499 struct binder_transaction *t; 2500 2501 t = container_of(w, struct binder_transaction, work); 2502 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2503 binder_send_failed_reply(t, BR_DEAD_REPLY); 2504 } break; 2505 case BINDER_WORK_TRANSACTION_COMPLETE: { 2506 kfree(w); 2507 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2508 } break; 2509 default: 2510 break; 2511 } 2512 } 2513 2514} 2515 2516static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2517{ 2518 struct binder_thread *thread = NULL; 2519 struct rb_node *parent = NULL; 2520 struct rb_node **p = &proc->threads.rb_node; 2521 2522 while (*p) { 2523 parent = *p; 2524 thread = rb_entry(parent, struct binder_thread, rb_node); 2525 2526 if (current->pid < thread->pid) 2527 p = &(*p)->rb_left; 2528 else if (current->pid > thread->pid) 2529 p = &(*p)->rb_right; 2530 else 2531 break; 2532 } 2533 if (*p == NULL) { 2534 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2535 if (thread == NULL) 2536 return NULL; 2537 binder_stats_created(BINDER_STAT_THREAD); 2538 thread->proc = proc; 2539 thread->pid = current->pid; 2540 init_waitqueue_head(&thread->wait); 2541 INIT_LIST_HEAD(&thread->todo); 2542 rb_link_node(&thread->rb_node, parent, p); 2543 rb_insert_color(&thread->rb_node, &proc->threads); 2544 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2545 thread->return_error = BR_OK; 2546 thread->return_error2 = BR_OK; 2547 } 2548 return thread; 2549} 2550 2551static int binder_free_thread(struct binder_proc *proc, 2552 struct binder_thread *thread) 2553{ 2554 struct binder_transaction *t; 2555 struct binder_transaction *send_reply = NULL; 2556 int active_transactions = 0; 2557 2558 rb_erase(&thread->rb_node, &proc->threads); 2559 t = thread->transaction_stack; 2560 if (t && t->to_thread == thread) 2561 send_reply = t; 2562 while (t) { 2563 active_transactions++; 2564 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2565 "binder: release %d:%d transaction %d " 2566 "%s, still active\n", proc->pid, thread->pid, 2567 t->debug_id, 2568 (t->to_thread == thread) ? "in" : "out"); 2569 2570 if (t->to_thread == thread) { 2571 t->to_proc = NULL; 2572 t->to_thread = NULL; 2573 if (t->buffer) { 2574 t->buffer->transaction = NULL; 2575 t->buffer = NULL; 2576 } 2577 t = t->to_parent; 2578 } else if (t->from == thread) { 2579 t->from = NULL; 2580 t = t->from_parent; 2581 } else 2582 BUG(); 2583 } 2584 if (send_reply) 2585 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2586 binder_release_work(&thread->todo); 2587 kfree(thread); 2588 binder_stats_deleted(BINDER_STAT_THREAD); 2589 return active_transactions; 2590} 2591 2592static unsigned int binder_poll(struct file *filp, 2593 struct poll_table_struct *wait) 2594{ 2595 struct binder_proc *proc = filp->private_data; 2596 struct binder_thread *thread = NULL; 2597 int wait_for_proc_work; 2598 2599 mutex_lock(&binder_lock); 2600 thread = binder_get_thread(proc); 2601 2602 wait_for_proc_work = thread->transaction_stack == NULL && 2603 list_empty(&thread->todo) && thread->return_error == BR_OK; 2604 mutex_unlock(&binder_lock); 2605 2606 if (wait_for_proc_work) { 2607 if (binder_has_proc_work(proc, thread)) 2608 return POLLIN; 2609 poll_wait(filp, &proc->wait, wait); 2610 if (binder_has_proc_work(proc, thread)) 2611 return POLLIN; 2612 } else { 2613 if (binder_has_thread_work(thread)) 2614 return POLLIN; 2615 poll_wait(filp, &thread->wait, wait); 2616 if (binder_has_thread_work(thread)) 2617 return POLLIN; 2618 } 2619 return 0; 2620} 2621 2622static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2623{ 2624 int ret; 2625 struct binder_proc *proc = filp->private_data; 2626 struct binder_thread *thread; 2627 unsigned int size = _IOC_SIZE(cmd); 2628 void __user *ubuf = (void __user *)arg; 2629 2630 /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2631 2632 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2633 if (ret) 2634 return ret; 2635 2636 mutex_lock(&binder_lock); 2637 thread = binder_get_thread(proc); 2638 if (thread == NULL) { 2639 ret = -ENOMEM; 2640 goto err; 2641 } 2642 2643 switch (cmd) { 2644 case BINDER_WRITE_READ: { 2645 struct binder_write_read bwr; 2646 if (size != sizeof(struct binder_write_read)) { 2647 ret = -EINVAL; 2648 goto err; 2649 } 2650 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2651 ret = -EFAULT; 2652 goto err; 2653 } 2654 binder_debug(BINDER_DEBUG_READ_WRITE, 2655 "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2656 proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, 2657 bwr.read_size, bwr.read_buffer); 2658 2659 if (bwr.write_size > 0) { 2660 ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2661 if (ret < 0) { 2662 bwr.read_consumed = 0; 2663 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2664 ret = -EFAULT; 2665 goto err; 2666 } 2667 } 2668 if (bwr.read_size > 0) { 2669 ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2670 if (!list_empty(&proc->todo)) 2671 wake_up_interruptible(&proc->wait); 2672 if (ret < 0) { 2673 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2674 ret = -EFAULT; 2675 goto err; 2676 } 2677 } 2678 binder_debug(BINDER_DEBUG_READ_WRITE, 2679 "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2680 proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, 2681 bwr.read_consumed, bwr.read_size); 2682 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2683 ret = -EFAULT; 2684 goto err; 2685 } 2686 break; 2687 } 2688 case BINDER_SET_MAX_THREADS: 2689 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2690 ret = -EINVAL; 2691 goto err; 2692 } 2693 break; 2694 case BINDER_SET_CONTEXT_MGR: 2695 if (binder_context_mgr_node != NULL) { 2696 printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n"); 2697 ret = -EBUSY; 2698 goto err; 2699 } 2700 if (binder_context_mgr_uid != -1) { 2701 if (binder_context_mgr_uid != current->cred->euid) { 2702 printk(KERN_ERR "binder: BINDER_SET_" 2703 "CONTEXT_MGR bad uid %d != %d\n", 2704 current->cred->euid, 2705 binder_context_mgr_uid); 2706 ret = -EPERM; 2707 goto err; 2708 } 2709 } else 2710 binder_context_mgr_uid = current->cred->euid; 2711 binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2712 if (binder_context_mgr_node == NULL) { 2713 ret = -ENOMEM; 2714 goto err; 2715 } 2716 binder_context_mgr_node->local_weak_refs++; 2717 binder_context_mgr_node->local_strong_refs++; 2718 binder_context_mgr_node->has_strong_ref = 1; 2719 binder_context_mgr_node->has_weak_ref = 1; 2720 break; 2721 case BINDER_THREAD_EXIT: 2722 binder_debug(BINDER_DEBUG_THREADS, "binder: %d:%d exit\n", 2723 proc->pid, thread->pid); 2724 binder_free_thread(proc, thread); 2725 thread = NULL; 2726 break; 2727 case BINDER_VERSION: 2728 if (size != sizeof(struct binder_version)) { 2729 ret = -EINVAL; 2730 goto err; 2731 } 2732 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2733 ret = -EINVAL; 2734 goto err; 2735 } 2736 break; 2737 default: 2738 ret = -EINVAL; 2739 goto err; 2740 } 2741 ret = 0; 2742err: 2743 if (thread) 2744 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2745 mutex_unlock(&binder_lock); 2746 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2747 if (ret && ret != -ERESTARTSYS) 2748 printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2749 return ret; 2750} 2751 2752static void binder_vma_open(struct vm_area_struct *vma) 2753{ 2754 struct binder_proc *proc = vma->vm_private_data; 2755 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2756 "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2757 proc->pid, vma->vm_start, vma->vm_end, 2758 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2759 (unsigned long)pgprot_val(vma->vm_page_prot)); 2760 dump_stack(); 2761} 2762 2763static void binder_vma_close(struct vm_area_struct *vma) 2764{ 2765 struct binder_proc *proc = vma->vm_private_data; 2766 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2767 "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2768 proc->pid, vma->vm_start, vma->vm_end, 2769 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2770 (unsigned long)pgprot_val(vma->vm_page_prot)); 2771 proc->vma = NULL; 2772 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2773} 2774 2775static struct vm_operations_struct binder_vm_ops = { 2776 .open = binder_vma_open, 2777 .close = binder_vma_close, 2778}; 2779 2780static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2781{ 2782 int ret; 2783 struct vm_struct *area; 2784 struct binder_proc *proc = filp->private_data; 2785 const char *failure_string; 2786 struct binder_buffer *buffer; 2787 2788 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2789 vma->vm_end = vma->vm_start + SZ_4M; 2790 2791 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2792 "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2793 proc->pid, vma->vm_start, vma->vm_end, 2794 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2795 (unsigned long)pgprot_val(vma->vm_page_prot)); 2796 2797 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2798 ret = -EPERM; 2799 failure_string = "bad vm_flags"; 2800 goto err_bad_arg; 2801 } 2802 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2803 2804 if (proc->buffer) { 2805 ret = -EBUSY; 2806 failure_string = "already mapped"; 2807 goto err_already_mapped; 2808 } 2809 2810 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2811 if (area == NULL) { 2812 ret = -ENOMEM; 2813 failure_string = "get_vm_area"; 2814 goto err_get_vm_area_failed; 2815 } 2816 proc->buffer = area->addr; 2817 proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; 2818 2819#ifdef CONFIG_CPU_CACHE_VIPT 2820 if (cache_is_vipt_aliasing()) { 2821 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2822 printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2823 vma->vm_start += PAGE_SIZE; 2824 } 2825 } 2826#endif 2827 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2828 if (proc->pages == NULL) { 2829 ret = -ENOMEM; 2830 failure_string = "alloc page array"; 2831 goto err_alloc_pages_failed; 2832 } 2833 proc->buffer_size = vma->vm_end - vma->vm_start; 2834 2835 vma->vm_ops = &binder_vm_ops; 2836 vma->vm_private_data = proc; 2837 2838 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2839 ret = -ENOMEM; 2840 failure_string = "alloc small buf"; 2841 goto err_alloc_small_buf_failed; 2842 } 2843 buffer = proc->buffer; 2844 INIT_LIST_HEAD(&proc->buffers); 2845 list_add(&buffer->entry, &proc->buffers); 2846 buffer->free = 1; 2847 binder_insert_free_buffer(proc, buffer); 2848 proc->free_async_space = proc->buffer_size / 2; 2849 barrier(); 2850 proc->files = get_files_struct(current); 2851 proc->vma = vma; 2852 2853 /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", 2854 proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2855 return 0; 2856 2857err_alloc_small_buf_failed: 2858 kfree(proc->pages); 2859 proc->pages = NULL; 2860err_alloc_pages_failed: 2861 vfree(proc->buffer); 2862 proc->buffer = NULL; 2863err_get_vm_area_failed: 2864err_already_mapped: 2865err_bad_arg: 2866 printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", 2867 proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2868 return ret; 2869} 2870 2871static int binder_open(struct inode *nodp, struct file *filp) 2872{ 2873 struct binder_proc *proc; 2874 2875 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n", 2876 current->group_leader->pid, current->pid); 2877 2878 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2879 if (proc == NULL) 2880 return -ENOMEM; 2881 get_task_struct(current); 2882 proc->tsk = current; 2883 INIT_LIST_HEAD(&proc->todo); 2884 init_waitqueue_head(&proc->wait); 2885 proc->default_priority = task_nice(current); 2886 mutex_lock(&binder_lock); 2887 binder_stats_created(BINDER_STAT_PROC); 2888 hlist_add_head(&proc->proc_node, &binder_procs); 2889 proc->pid = current->group_leader->pid; 2890 INIT_LIST_HEAD(&proc->delivered_death); 2891 filp->private_data = proc; 2892 mutex_unlock(&binder_lock); 2893 2894 if (binder_proc_dir_entry_proc) { 2895 char strbuf[11]; 2896 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2897 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2898 proc_create_data(strbuf, S_IRUGO, 2899 binder_proc_dir_entry_proc, 2900 &binder_proc_fops, proc); 2901 } 2902 2903 return 0; 2904} 2905 2906static int binder_flush(struct file *filp, fl_owner_t id) 2907{ 2908 struct binder_proc *proc = filp->private_data; 2909 2910 binder_defer_work(proc, BINDER_DEFERRED_FLUSH); 2911 2912 return 0; 2913} 2914 2915static void binder_deferred_flush(struct binder_proc *proc) 2916{ 2917 struct rb_node *n; 2918 int wake_count = 0; 2919 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2920 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2921 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2922 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2923 wake_up_interruptible(&thread->wait); 2924 wake_count++; 2925 } 2926 } 2927 wake_up_interruptible_all(&proc->wait); 2928 2929 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2930 "binder_flush: %d woke %d threads\n", proc->pid, 2931 wake_count); 2932} 2933 2934static int binder_release(struct inode *nodp, struct file *filp) 2935{ 2936 struct binder_proc *proc = filp->private_data; 2937 if (binder_proc_dir_entry_proc) { 2938 char strbuf[11]; 2939 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2940 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2941 } 2942 2943 binder_defer_work(proc, BINDER_DEFERRED_RELEASE); 2944 2945 return 0; 2946} 2947 2948static void binder_deferred_release(struct binder_proc *proc) 2949{ 2950 struct hlist_node *pos; 2951 struct binder_transaction *t; 2952 struct rb_node *n; 2953 int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2954 2955 BUG_ON(proc->vma); 2956 BUG_ON(proc->files); 2957 2958 hlist_del(&proc->proc_node); 2959 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2960 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2961 "binder_release: %d context_mgr_node gone\n", 2962 proc->pid); 2963 binder_context_mgr_node = NULL; 2964 } 2965 2966 threads = 0; 2967 active_transactions = 0; 2968 while ((n = rb_first(&proc->threads))) { 2969 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2970 threads++; 2971 active_transactions += binder_free_thread(proc, thread); 2972 } 2973 nodes = 0; 2974 incoming_refs = 0; 2975 while ((n = rb_first(&proc->nodes))) { 2976 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2977 2978 nodes++; 2979 rb_erase(&node->rb_node, &proc->nodes); 2980 list_del_init(&node->work.entry); 2981 if (hlist_empty(&node->refs)) { 2982 kfree(node); 2983 binder_stats_deleted(BINDER_STAT_NODE); 2984 } else { 2985 struct binder_ref *ref; 2986 int death = 0; 2987 2988 node->proc = NULL; 2989 node->local_strong_refs = 0; 2990 node->local_weak_refs = 0; 2991 hlist_add_head(&node->dead_node, &binder_dead_nodes); 2992 2993 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 2994 incoming_refs++; 2995 if (ref->death) { 2996 death++; 2997 if (list_empty(&ref->death->work.entry)) { 2998 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2999 list_add_tail(&ref->death->work.entry, &ref->proc->todo); 3000 wake_up_interruptible(&ref->proc->wait); 3001 } else 3002 BUG(); 3003 } 3004 } 3005 binder_debug(BINDER_DEBUG_DEAD_BINDER, 3006 "binder: node %d now dead, " 3007 "refs %d, death %d\n", node->debug_id, 3008 incoming_refs, death); 3009 } 3010 } 3011 outgoing_refs = 0; 3012 while ((n = rb_first(&proc->refs_by_desc))) { 3013 struct binder_ref *ref = rb_entry(n, struct binder_ref, 3014 rb_node_desc); 3015 outgoing_refs++; 3016 binder_delete_ref(ref); 3017 } 3018 binder_release_work(&proc->todo); 3019 buffers = 0; 3020 3021 while ((n = rb_first(&proc->allocated_buffers))) { 3022 struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, 3023 rb_node); 3024 t = buffer->transaction; 3025 if (t) { 3026 t->buffer = NULL; 3027 buffer->transaction = NULL; 3028 printk(KERN_ERR "binder: release proc %d, " 3029 "transaction %d, not freed\n", 3030 proc->pid, t->debug_id); 3031 /*BUG();*/ 3032 } 3033 binder_free_buf(proc, buffer); 3034 buffers++; 3035 } 3036 3037 binder_stats_deleted(BINDER_STAT_PROC); 3038 3039 page_count = 0; 3040 if (proc->pages) { 3041 int i; 3042 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 3043 if (proc->pages[i]) { 3044 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 3045 "binder_release: %d: " 3046 "page %d at %p not freed\n", 3047 proc->pid, i, 3048 proc->buffer + i * PAGE_SIZE); 3049 __free_page(proc->pages[i]); 3050 page_count++; 3051 } 3052 } 3053 kfree(proc->pages); 3054 vfree(proc->buffer); 3055 } 3056 3057 put_task_struct(proc->tsk); 3058 3059 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 3060 "binder_release: %d threads %d, nodes %d (ref %d), " 3061 "refs %d, active transactions %d, buffers %d, " 3062 "pages %d\n", 3063 proc->pid, threads, nodes, incoming_refs, outgoing_refs, 3064 active_transactions, buffers, page_count); 3065 3066 kfree(proc); 3067} 3068 3069static void binder_deferred_func(struct work_struct *work) 3070{ 3071 struct binder_proc *proc; 3072 struct files_struct *files; 3073 3074 int defer; 3075 do { 3076 mutex_lock(&binder_lock); 3077 mutex_lock(&binder_deferred_lock); 3078 if (!hlist_empty(&binder_deferred_list)) { 3079 proc = hlist_entry(binder_deferred_list.first, 3080 struct binder_proc, deferred_work_node); 3081 hlist_del_init(&proc->deferred_work_node); 3082 defer = proc->deferred_work; 3083 proc->deferred_work = 0; 3084 } else { 3085 proc = NULL; 3086 defer = 0; 3087 } 3088 mutex_unlock(&binder_deferred_lock); 3089 3090 files = NULL; 3091 if (defer & BINDER_DEFERRED_PUT_FILES) { 3092 files = proc->files; 3093 if (files) 3094 proc->files = NULL; 3095 } 3096 3097 if (defer & BINDER_DEFERRED_FLUSH) 3098 binder_deferred_flush(proc); 3099 3100 if (defer & BINDER_DEFERRED_RELEASE) 3101 binder_deferred_release(proc); /* frees proc */ 3102 3103 mutex_unlock(&binder_lock); 3104 if (files) 3105 put_files_struct(files); 3106 } while (proc); 3107} 3108static DECLARE_WORK(binder_deferred_work, binder_deferred_func); 3109 3110static void 3111binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer) 3112{ 3113 mutex_lock(&binder_deferred_lock); 3114 proc->deferred_work |= defer; 3115 if (hlist_unhashed(&proc->deferred_work_node)) { 3116 hlist_add_head(&proc->deferred_work_node, 3117 &binder_deferred_list); 3118 schedule_work(&binder_deferred_work); 3119 } 3120 mutex_unlock(&binder_deferred_lock); 3121} 3122 3123static void print_binder_transaction(struct seq_file *m, const char *prefix, 3124 struct binder_transaction *t) 3125{ 3126 seq_printf(m, 3127 "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", 3128 prefix, t->debug_id, t, 3129 t->from ? t->from->proc->pid : 0, 3130 t->from ? t->from->pid : 0, 3131 t->to_proc ? t->to_proc->pid : 0, 3132 t->to_thread ? t->to_thread->pid : 0, 3133 t->code, t->flags, t->priority, t->need_reply); 3134 if (t->buffer == NULL) { 3135 seq_puts(m, " buffer free\n"); 3136 return; 3137 } 3138 if (t->buffer->target_node) 3139 seq_printf(m, " node %d", 3140 t->buffer->target_node->debug_id); 3141 seq_printf(m, " size %zd:%zd data %p\n", 3142 t->buffer->data_size, t->buffer->offsets_size, 3143 t->buffer->data); 3144} 3145 3146static void print_binder_buffer(struct seq_file *m, const char *prefix, 3147 struct binder_buffer *buffer) 3148{ 3149 seq_printf(m, "%s %d: %p size %zd:%zd %s\n", 3150 prefix, buffer->debug_id, buffer->data, 3151 buffer->data_size, buffer->offsets_size, 3152 buffer->transaction ? "active" : "delivered"); 3153} 3154 3155static void print_binder_work(struct seq_file *m, const char *prefix, 3156 const char *transaction_prefix, 3157 struct binder_work *w) 3158{ 3159 struct binder_node *node; 3160 struct binder_transaction *t; 3161 3162 switch (w->type) { 3163 case BINDER_WORK_TRANSACTION: 3164 t = container_of(w, struct binder_transaction, work); 3165 print_binder_transaction(m, transaction_prefix, t); 3166 break; 3167 case BINDER_WORK_TRANSACTION_COMPLETE: 3168 seq_printf(m, "%stransaction complete\n", prefix); 3169 break; 3170 case BINDER_WORK_NODE: 3171 node = container_of(w, struct binder_node, work); 3172 seq_printf(m, "%snode work %d: u%p c%p\n", 3173 prefix, node->debug_id, node->ptr, node->cookie); 3174 break; 3175 case BINDER_WORK_DEAD_BINDER: 3176 seq_printf(m, "%shas dead binder\n", prefix); 3177 break; 3178 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 3179 seq_printf(m, "%shas cleared dead binder\n", prefix); 3180 break; 3181 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 3182 seq_printf(m, "%shas cleared death notification\n", prefix); 3183 break; 3184 default: 3185 seq_printf(m, "%sunknown work: type %d\n", prefix, w->type); 3186 break; 3187 } 3188} 3189 3190static void print_binder_thread(struct seq_file *m, 3191 struct binder_thread *thread, 3192 int print_always) 3193{ 3194 struct binder_transaction *t; 3195 struct binder_work *w; 3196 size_t start_pos = m->count; 3197 size_t header_pos; 3198 3199 seq_printf(m, " thread %d: l %02x\n", thread->pid, thread->looper); 3200 header_pos = m->count; 3201 t = thread->transaction_stack; 3202 while (t) { 3203 if (t->from == thread) { 3204 print_binder_transaction(m, 3205 " outgoing transaction", t); 3206 t = t->from_parent; 3207 } else if (t->to_thread == thread) { 3208 print_binder_transaction(m, 3209 " incoming transaction", t); 3210 t = t->to_parent; 3211 } else { 3212 print_binder_transaction(m, " bad transaction", t); 3213 t = NULL; 3214 } 3215 } 3216 list_for_each_entry(w, &thread->todo, entry) { 3217 print_binder_work(m, " ", " pending transaction", w); 3218 } 3219 if (!print_always && m->count == header_pos) 3220 m->count = start_pos; 3221} 3222 3223static void print_binder_node(struct seq_file *m, struct binder_node *node) 3224{ 3225 struct binder_ref *ref; 3226 struct hlist_node *pos; 3227 struct binder_work *w; 3228 int count; 3229 3230 count = 0; 3231 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3232 count++; 3233 3234 seq_printf(m, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d", 3235 node->debug_id, node->ptr, node->cookie, 3236 node->has_strong_ref, node->has_weak_ref, 3237 node->local_strong_refs, node->local_weak_refs, 3238 node->internal_strong_refs, count); 3239 if (count) { 3240 seq_puts(m, " proc"); 3241 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3242 seq_printf(m, " %d", ref->proc->pid); 3243 } 3244 seq_puts(m, "\n"); 3245 list_for_each_entry(w, &node->async_todo, entry) 3246 print_binder_work(m, " ", 3247 " pending async transaction", w); 3248} 3249 3250static void print_binder_ref(struct seq_file *m, struct binder_ref *ref) 3251{ 3252 seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %p\n", 3253 ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ", 3254 ref->node->debug_id, ref->strong, ref->weak, ref->death); 3255} 3256 3257static void print_binder_proc(struct seq_file *m, 3258 struct binder_proc *proc, int print_all) 3259{ 3260 struct binder_work *w; 3261 struct rb_node *n; 3262 size_t start_pos = m->count; 3263 size_t header_pos; 3264 3265 seq_printf(m, "proc %d\n", proc->pid); 3266 header_pos = m->count; 3267 3268 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3269 print_binder_thread(m, rb_entry(n, struct binder_thread, 3270 rb_node), print_all); 3271 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) { 3272 struct binder_node *node = rb_entry(n, struct binder_node, 3273 rb_node); 3274 if (print_all || node->has_async_transaction) 3275 print_binder_node(m, node); 3276 } 3277 if (print_all) { 3278 for (n = rb_first(&proc->refs_by_desc); 3279 n != NULL; 3280 n = rb_next(n)) 3281 print_binder_ref(m, rb_entry(n, struct binder_ref, 3282 rb_node_desc)); 3283 } 3284 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3285 print_binder_buffer(m, " buffer", 3286 rb_entry(n, struct binder_buffer, rb_node)); 3287 list_for_each_entry(w, &proc->todo, entry) 3288 print_binder_work(m, " ", " pending transaction", w); 3289 list_for_each_entry(w, &proc->delivered_death, entry) { 3290 seq_puts(m, " has delivered dead binder\n"); 3291 break; 3292 } 3293 if (!print_all && m->count == header_pos) 3294 m->count = start_pos; 3295} 3296 3297static const char *binder_return_strings[] = { 3298 "BR_ERROR", 3299 "BR_OK", 3300 "BR_TRANSACTION", 3301 "BR_REPLY", 3302 "BR_ACQUIRE_RESULT", 3303 "BR_DEAD_REPLY", 3304 "BR_TRANSACTION_COMPLETE", 3305 "BR_INCREFS", 3306 "BR_ACQUIRE", 3307 "BR_RELEASE", 3308 "BR_DECREFS", 3309 "BR_ATTEMPT_ACQUIRE", 3310 "BR_NOOP", 3311 "BR_SPAWN_LOOPER", 3312 "BR_FINISHED", 3313 "BR_DEAD_BINDER", 3314 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3315 "BR_FAILED_REPLY" 3316}; 3317 3318static const char *binder_command_strings[] = { 3319 "BC_TRANSACTION", 3320 "BC_REPLY", 3321 "BC_ACQUIRE_RESULT", 3322 "BC_FREE_BUFFER", 3323 "BC_INCREFS", 3324 "BC_ACQUIRE", 3325 "BC_RELEASE", 3326 "BC_DECREFS", 3327 "BC_INCREFS_DONE", 3328 "BC_ACQUIRE_DONE", 3329 "BC_ATTEMPT_ACQUIRE", 3330 "BC_REGISTER_LOOPER", 3331 "BC_ENTER_LOOPER", 3332 "BC_EXIT_LOOPER", 3333 "BC_REQUEST_DEATH_NOTIFICATION", 3334 "BC_CLEAR_DEATH_NOTIFICATION", 3335 "BC_DEAD_BINDER_DONE" 3336}; 3337 3338static const char *binder_objstat_strings[] = { 3339 "proc", 3340 "thread", 3341 "node", 3342 "ref", 3343 "death", 3344 "transaction", 3345 "transaction_complete" 3346}; 3347 3348static void print_binder_stats(struct seq_file *m, const char *prefix, 3349 struct binder_stats *stats) 3350{ 3351 int i; 3352 3353 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != 3354 ARRAY_SIZE(binder_command_strings)); 3355 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3356 if (stats->bc[i]) 3357 seq_printf(m, "%s%s: %d\n", prefix, 3358 binder_command_strings[i], stats->bc[i]); 3359 } 3360 3361 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != 3362 ARRAY_SIZE(binder_return_strings)); 3363 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3364 if (stats->br[i]) 3365 seq_printf(m, "%s%s: %d\n", prefix, 3366 binder_return_strings[i], stats->br[i]); 3367 } 3368 3369 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3370 ARRAY_SIZE(binder_objstat_strings)); 3371 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3372 ARRAY_SIZE(stats->obj_deleted)); 3373 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3374 if (stats->obj_created[i] || stats->obj_deleted[i]) 3375 seq_printf(m, "%s%s: active %d total %d\n", prefix, 3376 binder_objstat_strings[i], 3377 stats->obj_created[i] - stats->obj_deleted[i], 3378 stats->obj_created[i]); 3379 } 3380} 3381 3382static void print_binder_proc_stats(struct seq_file *m, 3383 struct binder_proc *proc) 3384{ 3385 struct binder_work *w; 3386 struct rb_node *n; 3387 int count, strong, weak; 3388 3389 seq_printf(m, "proc %d\n", proc->pid); 3390 count = 0; 3391 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3392 count++; 3393 seq_printf(m, " threads: %d\n", count); 3394 seq_printf(m, " requested threads: %d+%d/%d\n" 3395 " ready threads %d\n" 3396 " free async space %zd\n", proc->requested_threads, 3397 proc->requested_threads_started, proc->max_threads, 3398 proc->ready_threads, proc->free_async_space); 3399 count = 0; 3400 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3401 count++; 3402 seq_printf(m, " nodes: %d\n", count); 3403 count = 0; 3404 strong = 0; 3405 weak = 0; 3406 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3407 struct binder_ref *ref = rb_entry(n, struct binder_ref, 3408 rb_node_desc); 3409 count++; 3410 strong += ref->strong; 3411 weak += ref->weak; 3412 } 3413 seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak); 3414 3415 count = 0; 3416 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3417 count++; 3418 seq_printf(m, " buffers: %d\n", count); 3419 3420 count = 0; 3421 list_for_each_entry(w, &proc->todo, entry) { 3422 switch (w->type) { 3423 case BINDER_WORK_TRANSACTION: 3424 count++; 3425 break; 3426 default: 3427 break; 3428 } 3429 } 3430 seq_printf(m, " pending transactions: %d\n", count); 3431 3432 print_binder_stats(m, " ", &proc->stats); 3433} 3434 3435 3436static int binder_state_show(struct seq_file *m, void *unused) 3437{ 3438 struct binder_proc *proc; 3439 struct hlist_node *pos; 3440 struct binder_node *node; 3441 int do_lock = !binder_debug_no_lock; 3442 3443 if (do_lock) 3444 mutex_lock(&binder_lock); 3445 3446 seq_puts(m, "binder state:\n"); 3447 3448 if (!hlist_empty(&binder_dead_nodes)) 3449 seq_puts(m, "dead nodes:\n"); 3450 hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) 3451 print_binder_node(m, node); 3452 3453 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3454 print_binder_proc(m, proc, 1); 3455 if (do_lock) 3456 mutex_unlock(&binder_lock); 3457 return 0; 3458} 3459 3460static int binder_stats_show(struct seq_file *m, void *unused) 3461{ 3462 struct binder_proc *proc; 3463 struct hlist_node *pos; 3464 int do_lock = !binder_debug_no_lock; 3465 3466 if (do_lock) 3467 mutex_lock(&binder_lock); 3468 3469 seq_puts(m, "binder stats:\n"); 3470 3471 print_binder_stats(m, "", &binder_stats); 3472 3473 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3474 print_binder_proc_stats(m, proc); 3475 if (do_lock) 3476 mutex_unlock(&binder_lock); 3477 return 0; 3478} 3479 3480static int binder_transactions_show(struct seq_file *m, void *unused) 3481{ 3482 struct binder_proc *proc; 3483 struct hlist_node *pos; 3484 int do_lock = !binder_debug_no_lock; 3485 3486 if (do_lock) 3487 mutex_lock(&binder_lock); 3488 3489 seq_puts(m, "binder transactions:\n"); 3490 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3491 print_binder_proc(m, proc, 0); 3492 if (do_lock) 3493 mutex_unlock(&binder_lock); 3494 return 0; 3495} 3496 3497static int binder_proc_show(struct seq_file *m, void *unused) 3498{ 3499 struct binder_proc *proc = m->private; 3500 int do_lock = !binder_debug_no_lock; 3501 3502 if (do_lock) 3503 mutex_lock(&binder_lock); 3504 seq_puts(m, "binder proc state:\n"); 3505 print_binder_proc(m, proc, 1); 3506 if (do_lock) 3507 mutex_unlock(&binder_lock); 3508 return 0; 3509} 3510 3511static void print_binder_transaction_log_entry(struct seq_file *m, 3512 struct binder_transaction_log_entry *e) 3513{ 3514 seq_printf(m, 3515 "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n", 3516 e->debug_id, (e->call_type == 2) ? "reply" : 3517 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3518 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3519 e->target_handle, e->data_size, e->offsets_size); 3520} 3521 3522static int binder_transaction_log_show(struct seq_file *m, void *unused) 3523{ 3524 struct binder_transaction_log *log = m->private; 3525 int i; 3526 3527 if (log->full) { 3528 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) 3529 print_binder_transaction_log_entry(m, &log->entry[i]); 3530 } 3531 for (i = 0; i < log->next; i++) 3532 print_binder_transaction_log_entry(m, &log->entry[i]); 3533 return 0; 3534} 3535 3536static const struct file_operations binder_fops = { 3537 .owner = THIS_MODULE, 3538 .poll = binder_poll, 3539 .unlocked_ioctl = binder_ioctl, 3540 .mmap = binder_mmap, 3541 .open = binder_open, 3542 .flush = binder_flush, 3543 .release = binder_release, 3544}; 3545 3546static struct miscdevice binder_miscdev = { 3547 .minor = MISC_DYNAMIC_MINOR, 3548 .name = "binder", 3549 .fops = &binder_fops 3550}; 3551 3552BINDER_DEBUG_ENTRY(state); 3553BINDER_DEBUG_ENTRY(stats); 3554BINDER_DEBUG_ENTRY(transactions); 3555BINDER_DEBUG_ENTRY(transaction_log); 3556 3557static int __init binder_init(void) 3558{ 3559 int ret; 3560 3561 binder_proc_dir_entry_root = proc_mkdir("binder", NULL); 3562 if (binder_proc_dir_entry_root) 3563 binder_proc_dir_entry_proc = proc_mkdir("proc", 3564 binder_proc_dir_entry_root); 3565 ret = misc_register(&binder_miscdev); 3566 if (binder_proc_dir_entry_root) { 3567 proc_create("state", 3568 S_IRUGO, 3569 binder_proc_dir_entry_root, 3570 &binder_state_fops); 3571 proc_create("stats", 3572 S_IRUGO, 3573 binder_proc_dir_entry_root, 3574 &binder_stats_fops); 3575 proc_create("transactions", 3576 S_IRUGO, 3577 binder_proc_dir_entry_root, 3578 &binder_transactions_fops); 3579 proc_create_data("transaction_log", 3580 S_IRUGO, 3581 binder_proc_dir_entry_root, 3582 &binder_transaction_log_fops, 3583 &binder_transaction_log); 3584 proc_create_data("failed_transaction_log", 3585 S_IRUGO, 3586 binder_proc_dir_entry_root, 3587 &binder_transaction_log_fops, 3588 &binder_transaction_log_failed); 3589 } 3590 return ret; 3591} 3592 3593device_initcall(binder_init); 3594 3595MODULE_LICENSE("GPL v2"); 3596