binder.c revision 85e0b0cbbfc17e7f7baa9e76f9a937249108fc52
1/* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18#include <asm/cacheflush.h> 19#include <linux/fdtable.h> 20#include <linux/file.h> 21#include <linux/fs.h> 22#include <linux/list.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/mutex.h> 27#include <linux/nsproxy.h> 28#include <linux/poll.h> 29#include <linux/proc_fs.h> 30#include <linux/rbtree.h> 31#include <linux/sched.h> 32#include <linux/uaccess.h> 33#include <linux/vmalloc.h> 34#include "binder.h" 35 36static DEFINE_MUTEX(binder_lock); 37static HLIST_HEAD(binder_procs); 38static struct binder_node *binder_context_mgr_node; 39static uid_t binder_context_mgr_uid = -1; 40static int binder_last_id; 41static struct proc_dir_entry *binder_proc_dir_entry_root; 42static struct proc_dir_entry *binder_proc_dir_entry_proc; 43static struct hlist_head binder_dead_nodes; 44 45static int binder_read_proc_proc( 46 char *page, char **start, off_t off, int count, int *eof, void *data); 47 48/* This is only defined in include/asm-arm/sizes.h */ 49#ifndef SZ_1K 50#define SZ_1K 0x400 51#endif 52 53#ifndef SZ_4M 54#define SZ_4M 0x400000 55#endif 56 57#define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 58 59#define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 60 61enum { 62 BINDER_DEBUG_USER_ERROR = 1U << 0, 63 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 64 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 65 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 66 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 67 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 68 BINDER_DEBUG_READ_WRITE = 1U << 6, 69 BINDER_DEBUG_USER_REFS = 1U << 7, 70 BINDER_DEBUG_THREADS = 1U << 8, 71 BINDER_DEBUG_TRANSACTION = 1U << 9, 72 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 73 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 74 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 75 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 76 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 77 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 78}; 79static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 80 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 81module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 82static int binder_debug_no_lock; 83module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 84static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 85static int binder_stop_on_user_error; 86static int binder_set_stop_on_user_error( 87 const char *val, struct kernel_param *kp) 88{ 89 int ret; 90 ret = param_set_int(val, kp); 91 if (binder_stop_on_user_error < 2) 92 wake_up(&binder_user_error_wait); 93 return ret; 94} 95module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 96 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 97 98#define binder_user_error(x...) \ 99 do { \ 100 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 101 printk(KERN_INFO x); \ 102 if (binder_stop_on_user_error) \ 103 binder_stop_on_user_error = 2; \ 104 } while (0) 105 106enum { 107 BINDER_STAT_PROC, 108 BINDER_STAT_THREAD, 109 BINDER_STAT_NODE, 110 BINDER_STAT_REF, 111 BINDER_STAT_DEATH, 112 BINDER_STAT_TRANSACTION, 113 BINDER_STAT_TRANSACTION_COMPLETE, 114 BINDER_STAT_COUNT 115}; 116 117struct binder_stats { 118 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 119 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 120 int obj_created[BINDER_STAT_COUNT]; 121 int obj_deleted[BINDER_STAT_COUNT]; 122}; 123 124static struct binder_stats binder_stats; 125 126struct binder_transaction_log_entry { 127 int debug_id; 128 int call_type; 129 int from_proc; 130 int from_thread; 131 int target_handle; 132 int to_proc; 133 int to_thread; 134 int to_node; 135 int data_size; 136 int offsets_size; 137}; 138struct binder_transaction_log { 139 int next; 140 int full; 141 struct binder_transaction_log_entry entry[32]; 142}; 143struct binder_transaction_log binder_transaction_log; 144struct binder_transaction_log binder_transaction_log_failed; 145 146static struct binder_transaction_log_entry *binder_transaction_log_add( 147 struct binder_transaction_log *log) 148{ 149 struct binder_transaction_log_entry *e; 150 e = &log->entry[log->next]; 151 memset(e, 0, sizeof(*e)); 152 log->next++; 153 if (log->next == ARRAY_SIZE(log->entry)) { 154 log->next = 0; 155 log->full = 1; 156 } 157 return e; 158} 159 160struct binder_work { 161 struct list_head entry; 162 enum { 163 BINDER_WORK_TRANSACTION = 1, 164 BINDER_WORK_TRANSACTION_COMPLETE, 165 BINDER_WORK_NODE, 166 BINDER_WORK_DEAD_BINDER, 167 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 168 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 169 } type; 170}; 171 172struct binder_node { 173 int debug_id; 174 struct binder_work work; 175 union { 176 struct rb_node rb_node; 177 struct hlist_node dead_node; 178 }; 179 struct binder_proc *proc; 180 struct hlist_head refs; 181 int internal_strong_refs; 182 int local_weak_refs; 183 int local_strong_refs; 184 void __user *ptr; 185 void __user *cookie; 186 unsigned has_strong_ref : 1; 187 unsigned pending_strong_ref : 1; 188 unsigned has_weak_ref : 1; 189 unsigned pending_weak_ref : 1; 190 unsigned has_async_transaction : 1; 191 unsigned accept_fds : 1; 192 int min_priority : 8; 193 struct list_head async_todo; 194}; 195 196struct binder_ref_death { 197 struct binder_work work; 198 void __user *cookie; 199}; 200 201struct binder_ref { 202 /* Lookups needed: */ 203 /* node + proc => ref (transaction) */ 204 /* desc + proc => ref (transaction, inc/dec ref) */ 205 /* node => refs + procs (proc exit) */ 206 int debug_id; 207 struct rb_node rb_node_desc; 208 struct rb_node rb_node_node; 209 struct hlist_node node_entry; 210 struct binder_proc *proc; 211 struct binder_node *node; 212 uint32_t desc; 213 int strong; 214 int weak; 215 struct binder_ref_death *death; 216}; 217 218struct binder_buffer { 219 struct list_head entry; /* free and allocated entries by addesss */ 220 struct rb_node rb_node; /* free entry by size or allocated entry */ 221 /* by address */ 222 unsigned free : 1; 223 unsigned allow_user_free : 1; 224 unsigned async_transaction : 1; 225 unsigned debug_id : 29; 226 227 struct binder_transaction *transaction; 228 229 struct binder_node *target_node; 230 size_t data_size; 231 size_t offsets_size; 232 uint8_t data[0]; 233}; 234 235struct binder_proc { 236 struct hlist_node proc_node; 237 struct rb_root threads; 238 struct rb_root nodes; 239 struct rb_root refs_by_desc; 240 struct rb_root refs_by_node; 241 int pid; 242 struct vm_area_struct *vma; 243 struct task_struct *tsk; 244 void *buffer; 245 size_t user_buffer_offset; 246 247 struct list_head buffers; 248 struct rb_root free_buffers; 249 struct rb_root allocated_buffers; 250 size_t free_async_space; 251 252 struct page **pages; 253 size_t buffer_size; 254 uint32_t buffer_free; 255 struct list_head todo; 256 wait_queue_head_t wait; 257 struct binder_stats stats; 258 struct list_head delivered_death; 259 int max_threads; 260 int requested_threads; 261 int requested_threads_started; 262 int ready_threads; 263 long default_priority; 264}; 265 266enum { 267 BINDER_LOOPER_STATE_REGISTERED = 0x01, 268 BINDER_LOOPER_STATE_ENTERED = 0x02, 269 BINDER_LOOPER_STATE_EXITED = 0x04, 270 BINDER_LOOPER_STATE_INVALID = 0x08, 271 BINDER_LOOPER_STATE_WAITING = 0x10, 272 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 273}; 274 275struct binder_thread { 276 struct binder_proc *proc; 277 struct rb_node rb_node; 278 int pid; 279 int looper; 280 struct binder_transaction *transaction_stack; 281 struct list_head todo; 282 uint32_t return_error; /* Write failed, return error code in read buf */ 283 uint32_t return_error2; /* Write failed, return error code in read */ 284 /* buffer. Used when sending a reply to a dead process that */ 285 /* we are also waiting on */ 286 wait_queue_head_t wait; 287 struct binder_stats stats; 288}; 289 290struct binder_transaction { 291 int debug_id; 292 struct binder_work work; 293 struct binder_thread *from; 294 struct binder_transaction *from_parent; 295 struct binder_proc *to_proc; 296 struct binder_thread *to_thread; 297 struct binder_transaction *to_parent; 298 unsigned need_reply : 1; 299 /*unsigned is_dead : 1;*/ /* not used at the moment */ 300 301 struct binder_buffer *buffer; 302 unsigned int code; 303 unsigned int flags; 304 long priority; 305 long saved_priority; 306 uid_t sender_euid; 307}; 308 309/* 310 * copied from get_unused_fd_flags 311 */ 312int task_get_unused_fd_flags(struct task_struct *tsk, int flags) 313{ 314 struct files_struct *files = get_files_struct(tsk); 315 int fd, error; 316 struct fdtable *fdt; 317 unsigned long rlim_cur; 318 unsigned long irqs; 319 320 if (files == NULL) 321 return -ESRCH; 322 323 error = -EMFILE; 324 spin_lock(&files->file_lock); 325 326repeat: 327 fdt = files_fdtable(files); 328 fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds, 329 files->next_fd); 330 331 /* 332 * N.B. For clone tasks sharing a files structure, this test 333 * will limit the total number of files that can be opened. 334 */ 335 rlim_cur = 0; 336 if (lock_task_sighand(tsk, &irqs)) { 337 rlim_cur = tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; 338 unlock_task_sighand(tsk, &irqs); 339 } 340 if (fd >= rlim_cur) 341 goto out; 342 343 /* Do we need to expand the fd array or fd set? */ 344 error = expand_files(files, fd); 345 if (error < 0) 346 goto out; 347 348 if (error) { 349 /* 350 * If we needed to expand the fs array we 351 * might have blocked - try again. 352 */ 353 error = -EMFILE; 354 goto repeat; 355 } 356 357 FD_SET(fd, fdt->open_fds); 358 if (flags & O_CLOEXEC) 359 FD_SET(fd, fdt->close_on_exec); 360 else 361 FD_CLR(fd, fdt->close_on_exec); 362 files->next_fd = fd + 1; 363#if 1 364 /* Sanity check */ 365 if (fdt->fd[fd] != NULL) { 366 printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); 367 fdt->fd[fd] = NULL; 368 } 369#endif 370 error = fd; 371 372out: 373 spin_unlock(&files->file_lock); 374 put_files_struct(files); 375 return error; 376} 377 378/* 379 * copied from fd_install 380 */ 381static void task_fd_install( 382 struct task_struct *tsk, unsigned int fd, struct file *file) 383{ 384 struct files_struct *files = get_files_struct(tsk); 385 struct fdtable *fdt; 386 387 if (files == NULL) 388 return; 389 390 spin_lock(&files->file_lock); 391 fdt = files_fdtable(files); 392 BUG_ON(fdt->fd[fd] != NULL); 393 rcu_assign_pointer(fdt->fd[fd], file); 394 spin_unlock(&files->file_lock); 395 put_files_struct(files); 396} 397 398/* 399 * copied from __put_unused_fd in open.c 400 */ 401static void __put_unused_fd(struct files_struct *files, unsigned int fd) 402{ 403 struct fdtable *fdt = files_fdtable(files); 404 __FD_CLR(fd, fdt->open_fds); 405 if (fd < files->next_fd) 406 files->next_fd = fd; 407} 408 409/* 410 * copied from sys_close 411 */ 412static long task_close_fd(struct task_struct *tsk, unsigned int fd) 413{ 414 struct file *filp; 415 struct files_struct *files = get_files_struct(tsk); 416 struct fdtable *fdt; 417 int retval; 418 419 if (files == NULL) 420 return -ESRCH; 421 422 spin_lock(&files->file_lock); 423 fdt = files_fdtable(files); 424 if (fd >= fdt->max_fds) 425 goto out_unlock; 426 filp = fdt->fd[fd]; 427 if (!filp) 428 goto out_unlock; 429 rcu_assign_pointer(fdt->fd[fd], NULL); 430 FD_CLR(fd, fdt->close_on_exec); 431 __put_unused_fd(files, fd); 432 spin_unlock(&files->file_lock); 433 retval = filp_close(filp, files); 434 435 /* can't restart close syscall because file table entry was cleared */ 436 if (unlikely(retval == -ERESTARTSYS || 437 retval == -ERESTARTNOINTR || 438 retval == -ERESTARTNOHAND || 439 retval == -ERESTART_RESTARTBLOCK)) 440 retval = -EINTR; 441 442 put_files_struct(files); 443 return retval; 444 445out_unlock: 446 spin_unlock(&files->file_lock); 447 put_files_struct(files); 448 return -EBADF; 449} 450 451static void binder_set_nice(long nice) 452{ 453 long min_nice; 454 if (can_nice(current, nice)) { 455 set_user_nice(current, nice); 456 return; 457 } 458 min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 459 if (binder_debug_mask & BINDER_DEBUG_PRIORITY_CAP) 460 printk(KERN_INFO "binder: %d: nice value %ld not allowed use " 461 "%ld instead\n", current->pid, nice, min_nice); 462 set_user_nice(current, min_nice); 463 if (min_nice < 20) 464 return; 465 binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 466} 467 468static size_t binder_buffer_size( 469 struct binder_proc *proc, struct binder_buffer *buffer) 470{ 471 if (list_is_last(&buffer->entry, &proc->buffers)) 472 return proc->buffer + proc->buffer_size - (void *)buffer->data; 473 else 474 return (size_t)list_entry(buffer->entry.next, 475 struct binder_buffer, entry) - (size_t)buffer->data; 476} 477 478static void binder_insert_free_buffer( 479 struct binder_proc *proc, struct binder_buffer *new_buffer) 480{ 481 struct rb_node **p = &proc->free_buffers.rb_node; 482 struct rb_node *parent = NULL; 483 struct binder_buffer *buffer; 484 size_t buffer_size; 485 size_t new_buffer_size; 486 487 BUG_ON(!new_buffer->free); 488 489 new_buffer_size = binder_buffer_size(proc, new_buffer); 490 491 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 492 printk(KERN_INFO "binder: %d: add free buffer, size %zd, " 493 "at %p\n", proc->pid, new_buffer_size, new_buffer); 494 495 while (*p) { 496 parent = *p; 497 buffer = rb_entry(parent, struct binder_buffer, rb_node); 498 BUG_ON(!buffer->free); 499 500 buffer_size = binder_buffer_size(proc, buffer); 501 502 if (new_buffer_size < buffer_size) 503 p = &parent->rb_left; 504 else 505 p = &parent->rb_right; 506 } 507 rb_link_node(&new_buffer->rb_node, parent, p); 508 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 509} 510 511static void binder_insert_allocated_buffer( 512 struct binder_proc *proc, struct binder_buffer *new_buffer) 513{ 514 struct rb_node **p = &proc->allocated_buffers.rb_node; 515 struct rb_node *parent = NULL; 516 struct binder_buffer *buffer; 517 518 BUG_ON(new_buffer->free); 519 520 while (*p) { 521 parent = *p; 522 buffer = rb_entry(parent, struct binder_buffer, rb_node); 523 BUG_ON(buffer->free); 524 525 if (new_buffer < buffer) 526 p = &parent->rb_left; 527 else if (new_buffer > buffer) 528 p = &parent->rb_right; 529 else 530 BUG(); 531 } 532 rb_link_node(&new_buffer->rb_node, parent, p); 533 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 534} 535 536static struct binder_buffer *binder_buffer_lookup( 537 struct binder_proc *proc, void __user *user_ptr) 538{ 539 struct rb_node *n = proc->allocated_buffers.rb_node; 540 struct binder_buffer *buffer; 541 struct binder_buffer *kern_ptr; 542 543 kern_ptr = user_ptr - proc->user_buffer_offset 544 - offsetof(struct binder_buffer, data); 545 546 while (n) { 547 buffer = rb_entry(n, struct binder_buffer, rb_node); 548 BUG_ON(buffer->free); 549 550 if (kern_ptr < buffer) 551 n = n->rb_left; 552 else if (kern_ptr > buffer) 553 n = n->rb_right; 554 else 555 return buffer; 556 } 557 return NULL; 558} 559 560static int binder_update_page_range(struct binder_proc *proc, int allocate, 561 void *start, void *end, struct vm_area_struct *vma) 562{ 563 void *page_addr; 564 unsigned long user_page_addr; 565 struct vm_struct tmp_area; 566 struct page **page; 567 struct mm_struct *mm; 568 569 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 570 printk(KERN_INFO "binder: %d: %s pages %p-%p\n", 571 proc->pid, allocate ? "allocate" : "free", start, end); 572 573 if (end <= start) 574 return 0; 575 576 if (vma) 577 mm = NULL; 578 else 579 mm = get_task_mm(proc->tsk); 580 581 if (mm) { 582 down_write(&mm->mmap_sem); 583 vma = proc->vma; 584 } 585 586 if (allocate == 0) 587 goto free_range; 588 589 if (vma == NULL) { 590 printk(KERN_ERR "binder: %d: binder_alloc_buf failed to " 591 "map pages in userspace, no vma\n", proc->pid); 592 goto err_no_vma; 593 } 594 595 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 596 int ret; 597 struct page **page_array_ptr; 598 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 599 600 BUG_ON(*page); 601 *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 602 if (*page == NULL) { 603 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 604 "for page at %p\n", proc->pid, page_addr); 605 goto err_alloc_page_failed; 606 } 607 tmp_area.addr = page_addr; 608 tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 609 page_array_ptr = page; 610 ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 611 if (ret) { 612 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 613 "to map page at %p in kernel\n", 614 proc->pid, page_addr); 615 goto err_map_kernel_failed; 616 } 617 user_page_addr = (size_t)page_addr + proc->user_buffer_offset; 618 ret = vm_insert_page(vma, user_page_addr, page[0]); 619 if (ret) { 620 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 621 "to map page at %lx in userspace\n", 622 proc->pid, user_page_addr); 623 goto err_vm_insert_page_failed; 624 } 625 /* vm_insert_page does not seem to increment the refcount */ 626 } 627 if (mm) { 628 up_write(&mm->mmap_sem); 629 mmput(mm); 630 } 631 return 0; 632 633free_range: 634 for (page_addr = end - PAGE_SIZE; page_addr >= start; 635 page_addr -= PAGE_SIZE) { 636 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 637 if (vma) 638 zap_page_range(vma, (size_t)page_addr + 639 proc->user_buffer_offset, PAGE_SIZE, NULL); 640err_vm_insert_page_failed: 641 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 642err_map_kernel_failed: 643 __free_page(*page); 644 *page = NULL; 645err_alloc_page_failed: 646 ; 647 } 648err_no_vma: 649 if (mm) { 650 up_write(&mm->mmap_sem); 651 mmput(mm); 652 } 653 return -ENOMEM; 654} 655 656static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 657 size_t data_size, size_t offsets_size, int is_async) 658{ 659 struct rb_node *n = proc->free_buffers.rb_node; 660 struct binder_buffer *buffer; 661 size_t buffer_size; 662 struct rb_node *best_fit = NULL; 663 void *has_page_addr; 664 void *end_page_addr; 665 size_t size; 666 667 if (proc->vma == NULL) { 668 printk(KERN_ERR "binder: %d: binder_alloc_buf, no vma\n", 669 proc->pid); 670 return NULL; 671 } 672 673 size = ALIGN(data_size, sizeof(void *)) + 674 ALIGN(offsets_size, sizeof(void *)); 675 676 if (size < data_size || size < offsets_size) { 677 binder_user_error("binder: %d: got transaction with invalid " 678 "size %zd-%zd\n", proc->pid, data_size, offsets_size); 679 return NULL; 680 } 681 682 if (is_async && 683 proc->free_async_space < size + sizeof(struct binder_buffer)) { 684 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 685 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd f" 686 "ailed, no async space left\n", proc->pid, size); 687 return NULL; 688 } 689 690 while (n) { 691 buffer = rb_entry(n, struct binder_buffer, rb_node); 692 BUG_ON(!buffer->free); 693 buffer_size = binder_buffer_size(proc, buffer); 694 695 if (size < buffer_size) { 696 best_fit = n; 697 n = n->rb_left; 698 } else if (size > buffer_size) 699 n = n->rb_right; 700 else { 701 best_fit = n; 702 break; 703 } 704 } 705 if (best_fit == NULL) { 706 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd failed, " 707 "no address space\n", proc->pid, size); 708 return NULL; 709 } 710 if (n == NULL) { 711 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 712 buffer_size = binder_buffer_size(proc, buffer); 713 } 714 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 715 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd got buff" 716 "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 717 718 has_page_addr = 719 (void *)(((size_t)buffer->data + buffer_size) & PAGE_MASK); 720 if (n == NULL) { 721 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 722 buffer_size = size; /* no room for other buffers */ 723 else 724 buffer_size = size + sizeof(struct binder_buffer); 725 } 726 end_page_addr = (void *)PAGE_ALIGN((size_t)buffer->data + buffer_size); 727 if (end_page_addr > has_page_addr) 728 end_page_addr = has_page_addr; 729 if (binder_update_page_range(proc, 1, 730 (void *)PAGE_ALIGN((size_t)buffer->data), end_page_addr, NULL)) 731 return NULL; 732 733 rb_erase(best_fit, &proc->free_buffers); 734 buffer->free = 0; 735 binder_insert_allocated_buffer(proc, buffer); 736 if (buffer_size != size) { 737 struct binder_buffer *new_buffer = (void *)buffer->data + size; 738 list_add(&new_buffer->entry, &buffer->entry); 739 new_buffer->free = 1; 740 binder_insert_free_buffer(proc, new_buffer); 741 } 742 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 743 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd got " 744 "%p\n", proc->pid, size, buffer); 745 buffer->data_size = data_size; 746 buffer->offsets_size = offsets_size; 747 buffer->async_transaction = is_async; 748 if (is_async) { 749 proc->free_async_space -= size + sizeof(struct binder_buffer); 750 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC_ASYNC) 751 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd " 752 "async free %zd\n", proc->pid, size, 753 proc->free_async_space); 754 } 755 756 return buffer; 757} 758 759static void *buffer_start_page(struct binder_buffer *buffer) 760{ 761 return (void *)((size_t)buffer & PAGE_MASK); 762} 763 764static void *buffer_end_page(struct binder_buffer *buffer) 765{ 766 return (void *)(((size_t)(buffer + 1) - 1) & PAGE_MASK); 767} 768 769static void binder_delete_free_buffer( 770 struct binder_proc *proc, struct binder_buffer *buffer) 771{ 772 struct binder_buffer *prev, *next = NULL; 773 int free_page_end = 1; 774 int free_page_start = 1; 775 776 BUG_ON(proc->buffers.next == &buffer->entry); 777 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 778 BUG_ON(!prev->free); 779 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 780 free_page_start = 0; 781 if (buffer_end_page(prev) == buffer_end_page(buffer)) 782 free_page_end = 0; 783 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 784 printk(KERN_INFO "binder: %d: merge free, buffer %p " 785 "share page with %p\n", proc->pid, buffer, prev); 786 } 787 788 if (!list_is_last(&buffer->entry, &proc->buffers)) { 789 next = list_entry(buffer->entry.next, 790 struct binder_buffer, entry); 791 if (buffer_start_page(next) == buffer_end_page(buffer)) { 792 free_page_end = 0; 793 if (buffer_start_page(next) == 794 buffer_start_page(buffer)) 795 free_page_start = 0; 796 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 797 printk(KERN_INFO "binder: %d: merge free, " 798 "buffer %p share page with %p\n", 799 proc->pid, buffer, prev); 800 } 801 } 802 list_del(&buffer->entry); 803 if (free_page_start || free_page_end) { 804 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 805 printk(KERN_INFO "binder: %d: merge free, buffer %p do " 806 "not share page%s%s with with %p or %p\n", 807 proc->pid, buffer, free_page_start ? "" : " end", 808 free_page_end ? "" : " start", prev, next); 809 binder_update_page_range(proc, 0, free_page_start ? 810 buffer_start_page(buffer) : buffer_end_page(buffer), 811 (free_page_end ? buffer_end_page(buffer) : 812 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 813 } 814} 815 816static void binder_free_buf( 817 struct binder_proc *proc, struct binder_buffer *buffer) 818{ 819 size_t size, buffer_size; 820 821 buffer_size = binder_buffer_size(proc, buffer); 822 823 size = ALIGN(buffer->data_size, sizeof(void *)) + 824 ALIGN(buffer->offsets_size, sizeof(void *)); 825 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 826 printk(KERN_INFO "binder: %d: binder_free_buf %p size %zd buffer" 827 "_size %zd\n", proc->pid, buffer, size, buffer_size); 828 829 BUG_ON(buffer->free); 830 BUG_ON(size > buffer_size); 831 BUG_ON(buffer->transaction != NULL); 832 BUG_ON((void *)buffer < proc->buffer); 833 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 834 835 if (buffer->async_transaction) { 836 proc->free_async_space += size + sizeof(struct binder_buffer); 837 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC_ASYNC) 838 printk(KERN_INFO "binder: %d: binder_free_buf size %zd " 839 "async free %zd\n", proc->pid, size, 840 proc->free_async_space); 841 } 842 843 binder_update_page_range(proc, 0, 844 (void *)PAGE_ALIGN((size_t)buffer->data), 845 (void *)(((size_t)buffer->data + buffer_size) & PAGE_MASK), 846 NULL); 847 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 848 buffer->free = 1; 849 if (!list_is_last(&buffer->entry, &proc->buffers)) { 850 struct binder_buffer *next = list_entry(buffer->entry.next, 851 struct binder_buffer, entry); 852 if (next->free) { 853 rb_erase(&next->rb_node, &proc->free_buffers); 854 binder_delete_free_buffer(proc, next); 855 } 856 } 857 if (proc->buffers.next != &buffer->entry) { 858 struct binder_buffer *prev = list_entry(buffer->entry.prev, 859 struct binder_buffer, entry); 860 if (prev->free) { 861 binder_delete_free_buffer(proc, buffer); 862 rb_erase(&prev->rb_node, &proc->free_buffers); 863 buffer = prev; 864 } 865 } 866 binder_insert_free_buffer(proc, buffer); 867} 868 869static struct binder_node * 870binder_get_node(struct binder_proc *proc, void __user *ptr) 871{ 872 struct rb_node *n = proc->nodes.rb_node; 873 struct binder_node *node; 874 875 while (n) { 876 node = rb_entry(n, struct binder_node, rb_node); 877 878 if (ptr < node->ptr) 879 n = n->rb_left; 880 else if (ptr > node->ptr) 881 n = n->rb_right; 882 else 883 return node; 884 } 885 return NULL; 886} 887 888static struct binder_node * 889binder_new_node(struct binder_proc *proc, void __user *ptr, void __user *cookie) 890{ 891 struct rb_node **p = &proc->nodes.rb_node; 892 struct rb_node *parent = NULL; 893 struct binder_node *node; 894 895 while (*p) { 896 parent = *p; 897 node = rb_entry(parent, struct binder_node, rb_node); 898 899 if (ptr < node->ptr) 900 p = &(*p)->rb_left; 901 else if (ptr > node->ptr) 902 p = &(*p)->rb_right; 903 else 904 return NULL; 905 } 906 907 node = kzalloc(sizeof(*node), GFP_KERNEL); 908 if (node == NULL) 909 return NULL; 910 binder_stats.obj_created[BINDER_STAT_NODE]++; 911 rb_link_node(&node->rb_node, parent, p); 912 rb_insert_color(&node->rb_node, &proc->nodes); 913 node->debug_id = ++binder_last_id; 914 node->proc = proc; 915 node->ptr = ptr; 916 node->cookie = cookie; 917 node->work.type = BINDER_WORK_NODE; 918 INIT_LIST_HEAD(&node->work.entry); 919 INIT_LIST_HEAD(&node->async_todo); 920 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 921 printk(KERN_INFO "binder: %d:%d node %d u%p c%p created\n", 922 proc->pid, current->pid, node->debug_id, 923 node->ptr, node->cookie); 924 return node; 925} 926 927static int 928binder_inc_node(struct binder_node *node, int strong, int internal, 929 struct list_head *target_list) 930{ 931 if (strong) { 932 if (internal) { 933 if (target_list == NULL && 934 node->internal_strong_refs == 0 && 935 !(node == binder_context_mgr_node && 936 node->has_strong_ref)) { 937 printk(KERN_ERR "binder: invalid inc strong " 938 "node for %d\n", node->debug_id); 939 return -EINVAL; 940 } 941 node->internal_strong_refs++; 942 } else 943 node->local_strong_refs++; 944 if (!node->has_strong_ref && target_list) { 945 list_del_init(&node->work.entry); 946 list_add_tail(&node->work.entry, target_list); 947 } 948 } else { 949 if (!internal) 950 node->local_weak_refs++; 951 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 952 if (target_list == NULL) { 953 printk(KERN_ERR "binder: invalid inc weak node " 954 "for %d\n", node->debug_id); 955 return -EINVAL; 956 } 957 list_add_tail(&node->work.entry, target_list); 958 } 959 } 960 return 0; 961} 962 963static int 964binder_dec_node(struct binder_node *node, int strong, int internal) 965{ 966 if (strong) { 967 if (internal) 968 node->internal_strong_refs--; 969 else 970 node->local_strong_refs--; 971 if (node->local_strong_refs || node->internal_strong_refs) 972 return 0; 973 } else { 974 if (!internal) 975 node->local_weak_refs--; 976 if (node->local_weak_refs || !hlist_empty(&node->refs)) 977 return 0; 978 } 979 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 980 if (list_empty(&node->work.entry)) { 981 list_add_tail(&node->work.entry, &node->proc->todo); 982 wake_up_interruptible(&node->proc->wait); 983 } 984 } else { 985 if (hlist_empty(&node->refs) && !node->local_strong_refs && 986 !node->local_weak_refs) { 987 list_del_init(&node->work.entry); 988 if (node->proc) { 989 rb_erase(&node->rb_node, &node->proc->nodes); 990 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 991 printk(KERN_INFO "binder: refless node %d deleted\n", node->debug_id); 992 } else { 993 hlist_del(&node->dead_node); 994 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 995 printk(KERN_INFO "binder: dead node %d deleted\n", node->debug_id); 996 } 997 kfree(node); 998 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 999 } 1000 } 1001 1002 return 0; 1003} 1004 1005 1006static struct binder_ref * 1007binder_get_ref(struct binder_proc *proc, uint32_t desc) 1008{ 1009 struct rb_node *n = proc->refs_by_desc.rb_node; 1010 struct binder_ref *ref; 1011 1012 while (n) { 1013 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1014 1015 if (desc < ref->desc) 1016 n = n->rb_left; 1017 else if (desc > ref->desc) 1018 n = n->rb_right; 1019 else 1020 return ref; 1021 } 1022 return NULL; 1023} 1024 1025static struct binder_ref * 1026binder_get_ref_for_node(struct binder_proc *proc, struct binder_node *node) 1027{ 1028 struct rb_node *n; 1029 struct rb_node **p = &proc->refs_by_node.rb_node; 1030 struct rb_node *parent = NULL; 1031 struct binder_ref *ref, *new_ref; 1032 1033 while (*p) { 1034 parent = *p; 1035 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1036 1037 if (node < ref->node) 1038 p = &(*p)->rb_left; 1039 else if (node > ref->node) 1040 p = &(*p)->rb_right; 1041 else 1042 return ref; 1043 } 1044 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1045 if (new_ref == NULL) 1046 return NULL; 1047 binder_stats.obj_created[BINDER_STAT_REF]++; 1048 new_ref->debug_id = ++binder_last_id; 1049 new_ref->proc = proc; 1050 new_ref->node = node; 1051 rb_link_node(&new_ref->rb_node_node, parent, p); 1052 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1053 1054 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1055 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1056 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1057 if (ref->desc > new_ref->desc) 1058 break; 1059 new_ref->desc = ref->desc + 1; 1060 } 1061 1062 p = &proc->refs_by_desc.rb_node; 1063 while (*p) { 1064 parent = *p; 1065 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1066 1067 if (new_ref->desc < ref->desc) 1068 p = &(*p)->rb_left; 1069 else if (new_ref->desc > ref->desc) 1070 p = &(*p)->rb_right; 1071 else 1072 BUG(); 1073 } 1074 rb_link_node(&new_ref->rb_node_desc, parent, p); 1075 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1076 if (node) { 1077 hlist_add_head(&new_ref->node_entry, &node->refs); 1078 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1079 printk(KERN_INFO "binder: %d new ref %d desc %d for " 1080 "node %d\n", proc->pid, new_ref->debug_id, 1081 new_ref->desc, node->debug_id); 1082 } else { 1083 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1084 printk(KERN_INFO "binder: %d new ref %d desc %d for " 1085 "dead node\n", proc->pid, new_ref->debug_id, 1086 new_ref->desc); 1087 } 1088 return new_ref; 1089} 1090 1091static void 1092binder_delete_ref(struct binder_ref *ref) 1093{ 1094 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1095 printk(KERN_INFO "binder: %d delete ref %d desc %d for " 1096 "node %d\n", ref->proc->pid, ref->debug_id, 1097 ref->desc, ref->node->debug_id); 1098 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1099 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1100 if (ref->strong) 1101 binder_dec_node(ref->node, 1, 1); 1102 hlist_del(&ref->node_entry); 1103 binder_dec_node(ref->node, 0, 1); 1104 if (ref->death) { 1105 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1106 printk(KERN_INFO "binder: %d delete ref %d desc %d " 1107 "has death notification\n", ref->proc->pid, 1108 ref->debug_id, ref->desc); 1109 list_del(&ref->death->work.entry); 1110 kfree(ref->death); 1111 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 1112 } 1113 kfree(ref); 1114 binder_stats.obj_deleted[BINDER_STAT_REF]++; 1115} 1116 1117static int 1118binder_inc_ref( 1119 struct binder_ref *ref, int strong, struct list_head *target_list) 1120{ 1121 int ret; 1122 if (strong) { 1123 if (ref->strong == 0) { 1124 ret = binder_inc_node(ref->node, 1, 1, target_list); 1125 if (ret) 1126 return ret; 1127 } 1128 ref->strong++; 1129 } else { 1130 if (ref->weak == 0) { 1131 ret = binder_inc_node(ref->node, 0, 1, target_list); 1132 if (ret) 1133 return ret; 1134 } 1135 ref->weak++; 1136 } 1137 return 0; 1138} 1139 1140 1141static int 1142binder_dec_ref(struct binder_ref *ref, int strong) 1143{ 1144 if (strong) { 1145 if (ref->strong == 0) { 1146 binder_user_error("binder: %d invalid dec strong, " 1147 "ref %d desc %d s %d w %d\n", 1148 ref->proc->pid, ref->debug_id, 1149 ref->desc, ref->strong, ref->weak); 1150 return -EINVAL; 1151 } 1152 ref->strong--; 1153 if (ref->strong == 0) { 1154 int ret; 1155 ret = binder_dec_node(ref->node, strong, 1); 1156 if (ret) 1157 return ret; 1158 } 1159 } else { 1160 if (ref->weak == 0) { 1161 binder_user_error("binder: %d invalid dec weak, " 1162 "ref %d desc %d s %d w %d\n", 1163 ref->proc->pid, ref->debug_id, 1164 ref->desc, ref->strong, ref->weak); 1165 return -EINVAL; 1166 } 1167 ref->weak--; 1168 } 1169 if (ref->strong == 0 && ref->weak == 0) 1170 binder_delete_ref(ref); 1171 return 0; 1172} 1173 1174static void 1175binder_pop_transaction( 1176 struct binder_thread *target_thread, struct binder_transaction *t) 1177{ 1178 if (target_thread) { 1179 BUG_ON(target_thread->transaction_stack != t); 1180 BUG_ON(target_thread->transaction_stack->from != target_thread); 1181 target_thread->transaction_stack = 1182 target_thread->transaction_stack->from_parent; 1183 t->from = NULL; 1184 } 1185 t->need_reply = 0; 1186 if (t->buffer) 1187 t->buffer->transaction = NULL; 1188 kfree(t); 1189 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1190} 1191 1192static void 1193binder_send_failed_reply(struct binder_transaction *t, uint32_t error_code) 1194{ 1195 struct binder_thread *target_thread; 1196 BUG_ON(t->flags & TF_ONE_WAY); 1197 while (1) { 1198 target_thread = t->from; 1199 if (target_thread) { 1200 if (target_thread->return_error != BR_OK && 1201 target_thread->return_error2 == BR_OK) { 1202 target_thread->return_error2 = 1203 target_thread->return_error; 1204 target_thread->return_error = BR_OK; 1205 } 1206 if (target_thread->return_error == BR_OK) { 1207 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1208 printk(KERN_INFO "binder: send failed reply for transaction %d to %d:%d\n", 1209 t->debug_id, target_thread->proc->pid, target_thread->pid); 1210 1211 binder_pop_transaction(target_thread, t); 1212 target_thread->return_error = error_code; 1213 wake_up_interruptible(&target_thread->wait); 1214 } else { 1215 printk(KERN_ERR "binder: reply failed, target " 1216 "thread, %d:%d, has error code %d " 1217 "already\n", target_thread->proc->pid, 1218 target_thread->pid, 1219 target_thread->return_error); 1220 } 1221 return; 1222 } else { 1223 struct binder_transaction *next = t->from_parent; 1224 1225 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1226 printk(KERN_INFO "binder: send failed reply " 1227 "for transaction %d, target dead\n", 1228 t->debug_id); 1229 1230 binder_pop_transaction(target_thread, t); 1231 if (next == NULL) { 1232 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1233 printk(KERN_INFO "binder: reply failed," 1234 " no target thread at root\n"); 1235 return; 1236 } 1237 t = next; 1238 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1239 printk(KERN_INFO "binder: reply failed, no targ" 1240 "et thread -- retry %d\n", t->debug_id); 1241 } 1242 } 1243} 1244 1245static void 1246binder_transaction_buffer_release(struct binder_proc *proc, 1247 struct binder_buffer *buffer, size_t *failed_at); 1248 1249static void 1250binder_transaction(struct binder_proc *proc, struct binder_thread *thread, 1251 struct binder_transaction_data *tr, int reply) 1252{ 1253 struct binder_transaction *t; 1254 struct binder_work *tcomplete; 1255 size_t *offp, *off_end; 1256 struct binder_proc *target_proc; 1257 struct binder_thread *target_thread = NULL; 1258 struct binder_node *target_node = NULL; 1259 struct list_head *target_list; 1260 wait_queue_head_t *target_wait; 1261 struct binder_transaction *in_reply_to = NULL; 1262 struct binder_transaction_log_entry *e; 1263 uint32_t return_error; 1264 1265 e = binder_transaction_log_add(&binder_transaction_log); 1266 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1267 e->from_proc = proc->pid; 1268 e->from_thread = thread->pid; 1269 e->target_handle = tr->target.handle; 1270 e->data_size = tr->data_size; 1271 e->offsets_size = tr->offsets_size; 1272 1273 if (reply) { 1274 in_reply_to = thread->transaction_stack; 1275 if (in_reply_to == NULL) { 1276 binder_user_error("binder: %d:%d got reply transaction " 1277 "with no transaction stack\n", 1278 proc->pid, thread->pid); 1279 return_error = BR_FAILED_REPLY; 1280 goto err_empty_call_stack; 1281 } 1282 binder_set_nice(in_reply_to->saved_priority); 1283 if (in_reply_to->to_thread != thread) { 1284 binder_user_error("binder: %d:%d got reply transaction " 1285 "with bad transaction stack," 1286 " transaction %d has target %d:%d\n", 1287 proc->pid, thread->pid, in_reply_to->debug_id, 1288 in_reply_to->to_proc ? 1289 in_reply_to->to_proc->pid : 0, 1290 in_reply_to->to_thread ? 1291 in_reply_to->to_thread->pid : 0); 1292 return_error = BR_FAILED_REPLY; 1293 in_reply_to = NULL; 1294 goto err_bad_call_stack; 1295 } 1296 thread->transaction_stack = in_reply_to->to_parent; 1297 target_thread = in_reply_to->from; 1298 if (target_thread == NULL) { 1299 return_error = BR_DEAD_REPLY; 1300 goto err_dead_binder; 1301 } 1302 if (target_thread->transaction_stack != in_reply_to) { 1303 binder_user_error("binder: %d:%d got reply transaction " 1304 "with bad target transaction stack %d, " 1305 "expected %d\n", 1306 proc->pid, thread->pid, 1307 target_thread->transaction_stack ? 1308 target_thread->transaction_stack->debug_id : 0, 1309 in_reply_to->debug_id); 1310 return_error = BR_FAILED_REPLY; 1311 in_reply_to = NULL; 1312 target_thread = NULL; 1313 goto err_dead_binder; 1314 } 1315 target_proc = target_thread->proc; 1316 } else { 1317 if (tr->target.handle) { 1318 struct binder_ref *ref; 1319 ref = binder_get_ref(proc, tr->target.handle); 1320 if (ref == NULL) { 1321 binder_user_error("binder: %d:%d got " 1322 "transaction to invalid handle\n", 1323 proc->pid, thread->pid); 1324 return_error = BR_FAILED_REPLY; 1325 goto err_invalid_target_handle; 1326 } 1327 target_node = ref->node; 1328 } else { 1329 target_node = binder_context_mgr_node; 1330 if (target_node == NULL) { 1331 return_error = BR_DEAD_REPLY; 1332 goto err_no_context_mgr_node; 1333 } 1334 } 1335 e->to_node = target_node->debug_id; 1336 target_proc = target_node->proc; 1337 if (target_proc == NULL) { 1338 return_error = BR_DEAD_REPLY; 1339 goto err_dead_binder; 1340 } 1341 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1342 struct binder_transaction *tmp; 1343 tmp = thread->transaction_stack; 1344 while (tmp) { 1345 if (tmp->from && tmp->from->proc == target_proc) 1346 target_thread = tmp->from; 1347 tmp = tmp->from_parent; 1348 } 1349 } 1350 } 1351 if (target_thread) { 1352 e->to_thread = target_thread->pid; 1353 target_list = &target_thread->todo; 1354 target_wait = &target_thread->wait; 1355 } else { 1356 target_list = &target_proc->todo; 1357 target_wait = &target_proc->wait; 1358 } 1359 e->to_proc = target_proc->pid; 1360 1361 /* TODO: reuse incoming transaction for reply */ 1362 t = kzalloc(sizeof(*t), GFP_KERNEL); 1363 if (t == NULL) { 1364 return_error = BR_FAILED_REPLY; 1365 goto err_alloc_t_failed; 1366 } 1367 binder_stats.obj_created[BINDER_STAT_TRANSACTION]++; 1368 1369 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1370 if (tcomplete == NULL) { 1371 return_error = BR_FAILED_REPLY; 1372 goto err_alloc_tcomplete_failed; 1373 } 1374 binder_stats.obj_created[BINDER_STAT_TRANSACTION_COMPLETE]++; 1375 1376 t->debug_id = ++binder_last_id; 1377 e->debug_id = t->debug_id; 1378 1379 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) { 1380 if (reply) 1381 printk(KERN_INFO "binder: %d:%d BC_REPLY %d -> %d:%d, " 1382 "data %p-%p size %zd-%zd\n", 1383 proc->pid, thread->pid, t->debug_id, 1384 target_proc->pid, target_thread->pid, 1385 tr->data.ptr.buffer, tr->data.ptr.offsets, 1386 tr->data_size, tr->offsets_size); 1387 else 1388 printk(KERN_INFO "binder: %d:%d BC_TRANSACTION %d -> " 1389 "%d - node %d, data %p-%p size %zd-%zd\n", 1390 proc->pid, thread->pid, t->debug_id, 1391 target_proc->pid, target_node->debug_id, 1392 tr->data.ptr.buffer, tr->data.ptr.offsets, 1393 tr->data_size, tr->offsets_size); 1394 } 1395 1396 if (!reply && !(tr->flags & TF_ONE_WAY)) 1397 t->from = thread; 1398 else 1399 t->from = NULL; 1400 t->sender_euid = proc->tsk->cred->euid; 1401 t->to_proc = target_proc; 1402 t->to_thread = target_thread; 1403 t->code = tr->code; 1404 t->flags = tr->flags; 1405 t->priority = task_nice(current); 1406 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1407 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1408 if (t->buffer == NULL) { 1409 return_error = BR_FAILED_REPLY; 1410 goto err_binder_alloc_buf_failed; 1411 } 1412 t->buffer->allow_user_free = 0; 1413 t->buffer->debug_id = t->debug_id; 1414 t->buffer->transaction = t; 1415 t->buffer->target_node = target_node; 1416 if (target_node) 1417 binder_inc_node(target_node, 1, 0, NULL); 1418 1419 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1420 1421 if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1422 binder_user_error("binder: %d:%d got transaction with invalid " 1423 "data ptr\n", proc->pid, thread->pid); 1424 return_error = BR_FAILED_REPLY; 1425 goto err_copy_data_failed; 1426 } 1427 if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1428 binder_user_error("binder: %d:%d got transaction with invalid " 1429 "offsets ptr\n", proc->pid, thread->pid); 1430 return_error = BR_FAILED_REPLY; 1431 goto err_copy_data_failed; 1432 } 1433 off_end = (void *)offp + tr->offsets_size; 1434 for (; offp < off_end; offp++) { 1435 struct flat_binder_object *fp; 1436 if (*offp > t->buffer->data_size - sizeof(*fp)) { 1437 binder_user_error("binder: %d:%d got transaction with " 1438 "invalid offset, %zd\n", 1439 proc->pid, thread->pid, *offp); 1440 return_error = BR_FAILED_REPLY; 1441 goto err_bad_offset; 1442 } 1443 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1444 switch (fp->type) { 1445 case BINDER_TYPE_BINDER: 1446 case BINDER_TYPE_WEAK_BINDER: { 1447 struct binder_ref *ref; 1448 struct binder_node *node = binder_get_node(proc, fp->binder); 1449 if (node == NULL) { 1450 node = binder_new_node(proc, fp->binder, fp->cookie); 1451 if (node == NULL) { 1452 return_error = BR_FAILED_REPLY; 1453 goto err_binder_new_node_failed; 1454 } 1455 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1456 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1457 } 1458 if (fp->cookie != node->cookie) { 1459 binder_user_error("binder: %d:%d sending u%p " 1460 "node %d, cookie mismatch %p != %p\n", 1461 proc->pid, thread->pid, 1462 fp->binder, node->debug_id, 1463 fp->cookie, node->cookie); 1464 goto err_binder_get_ref_for_node_failed; 1465 } 1466 ref = binder_get_ref_for_node(target_proc, node); 1467 if (ref == NULL) { 1468 return_error = BR_FAILED_REPLY; 1469 goto err_binder_get_ref_for_node_failed; 1470 } 1471 if (fp->type == BINDER_TYPE_BINDER) 1472 fp->type = BINDER_TYPE_HANDLE; 1473 else 1474 fp->type = BINDER_TYPE_WEAK_HANDLE; 1475 fp->handle = ref->desc; 1476 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, &thread->todo); 1477 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1478 printk(KERN_INFO " node %d u%p -> ref %d desc %d\n", 1479 node->debug_id, node->ptr, ref->debug_id, ref->desc); 1480 } break; 1481 case BINDER_TYPE_HANDLE: 1482 case BINDER_TYPE_WEAK_HANDLE: { 1483 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1484 if (ref == NULL) { 1485 binder_user_error("binder: %d:%d got " 1486 "transaction with invalid " 1487 "handle, %ld\n", proc->pid, 1488 thread->pid, fp->handle); 1489 return_error = BR_FAILED_REPLY; 1490 goto err_binder_get_ref_failed; 1491 } 1492 if (ref->node->proc == target_proc) { 1493 if (fp->type == BINDER_TYPE_HANDLE) 1494 fp->type = BINDER_TYPE_BINDER; 1495 else 1496 fp->type = BINDER_TYPE_WEAK_BINDER; 1497 fp->binder = ref->node->ptr; 1498 fp->cookie = ref->node->cookie; 1499 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1500 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1501 printk(KERN_INFO " ref %d desc %d -> node %d u%p\n", 1502 ref->debug_id, ref->desc, ref->node->debug_id, ref->node->ptr); 1503 } else { 1504 struct binder_ref *new_ref; 1505 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1506 if (new_ref == NULL) { 1507 return_error = BR_FAILED_REPLY; 1508 goto err_binder_get_ref_for_node_failed; 1509 } 1510 fp->handle = new_ref->desc; 1511 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1512 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1513 printk(KERN_INFO " ref %d desc %d -> ref %d desc %d (node %d)\n", 1514 ref->debug_id, ref->desc, new_ref->debug_id, new_ref->desc, ref->node->debug_id); 1515 } 1516 } break; 1517 1518 case BINDER_TYPE_FD: { 1519 int target_fd; 1520 struct file *file; 1521 1522 if (reply) { 1523 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1524 binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1525 proc->pid, thread->pid, fp->handle); 1526 return_error = BR_FAILED_REPLY; 1527 goto err_fd_not_allowed; 1528 } 1529 } else if (!target_node->accept_fds) { 1530 binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1531 proc->pid, thread->pid, fp->handle); 1532 return_error = BR_FAILED_REPLY; 1533 goto err_fd_not_allowed; 1534 } 1535 1536 file = fget(fp->handle); 1537 if (file == NULL) { 1538 binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1539 proc->pid, thread->pid, fp->handle); 1540 return_error = BR_FAILED_REPLY; 1541 goto err_fget_failed; 1542 } 1543 target_fd = task_get_unused_fd_flags(target_proc->tsk, O_CLOEXEC); 1544 if (target_fd < 0) { 1545 fput(file); 1546 return_error = BR_FAILED_REPLY; 1547 goto err_get_unused_fd_failed; 1548 } 1549 task_fd_install(target_proc->tsk, target_fd, file); 1550 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1551 printk(KERN_INFO " fd %ld -> %d\n", fp->handle, target_fd); 1552 /* TODO: fput? */ 1553 fp->handle = target_fd; 1554 } break; 1555 1556 default: 1557 binder_user_error("binder: %d:%d got transactio" 1558 "n with invalid object type, %lx\n", 1559 proc->pid, thread->pid, fp->type); 1560 return_error = BR_FAILED_REPLY; 1561 goto err_bad_object_type; 1562 } 1563 } 1564 if (reply) { 1565 BUG_ON(t->buffer->async_transaction != 0); 1566 binder_pop_transaction(target_thread, in_reply_to); 1567 } else if (!(t->flags & TF_ONE_WAY)) { 1568 BUG_ON(t->buffer->async_transaction != 0); 1569 t->need_reply = 1; 1570 t->from_parent = thread->transaction_stack; 1571 thread->transaction_stack = t; 1572 } else { 1573 BUG_ON(target_node == NULL); 1574 BUG_ON(t->buffer->async_transaction != 1); 1575 if (target_node->has_async_transaction) { 1576 target_list = &target_node->async_todo; 1577 target_wait = NULL; 1578 } else 1579 target_node->has_async_transaction = 1; 1580 } 1581 t->work.type = BINDER_WORK_TRANSACTION; 1582 list_add_tail(&t->work.entry, target_list); 1583 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1584 list_add_tail(&tcomplete->entry, &thread->todo); 1585 if (target_wait) 1586 wake_up_interruptible(target_wait); 1587 return; 1588 1589err_get_unused_fd_failed: 1590err_fget_failed: 1591err_fd_not_allowed: 1592err_binder_get_ref_for_node_failed: 1593err_binder_get_ref_failed: 1594err_binder_new_node_failed: 1595err_bad_object_type: 1596err_bad_offset: 1597err_copy_data_failed: 1598 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1599 t->buffer->transaction = NULL; 1600 binder_free_buf(target_proc, t->buffer); 1601err_binder_alloc_buf_failed: 1602 kfree(tcomplete); 1603 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 1604err_alloc_tcomplete_failed: 1605 kfree(t); 1606 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1607err_alloc_t_failed: 1608err_bad_call_stack: 1609err_empty_call_stack: 1610err_dead_binder: 1611err_invalid_target_handle: 1612err_no_context_mgr_node: 1613 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1614 printk(KERN_INFO "binder: %d:%d transaction failed %d, size" 1615 "%zd-%zd\n", 1616 proc->pid, thread->pid, return_error, 1617 tr->data_size, tr->offsets_size); 1618 1619 { 1620 struct binder_transaction_log_entry *fe; 1621 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1622 *fe = *e; 1623 } 1624 1625 BUG_ON(thread->return_error != BR_OK); 1626 if (in_reply_to) { 1627 thread->return_error = BR_TRANSACTION_COMPLETE; 1628 binder_send_failed_reply(in_reply_to, return_error); 1629 } else 1630 thread->return_error = return_error; 1631} 1632 1633static void 1634binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer *buffer, size_t *failed_at) 1635{ 1636 size_t *offp, *off_end; 1637 int debug_id = buffer->debug_id; 1638 1639 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1640 printk(KERN_INFO "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1641 proc->pid, buffer->debug_id, 1642 buffer->data_size, buffer->offsets_size, failed_at); 1643 1644 if (buffer->target_node) 1645 binder_dec_node(buffer->target_node, 1, 0); 1646 1647 offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1648 if (failed_at) 1649 off_end = failed_at; 1650 else 1651 off_end = (void *)offp + buffer->offsets_size; 1652 for (; offp < off_end; offp++) { 1653 struct flat_binder_object *fp; 1654 if (*offp > buffer->data_size - sizeof(*fp)) { 1655 printk(KERN_ERR "binder: transaction release %d bad" 1656 "offset %zd, size %zd\n", debug_id, *offp, buffer->data_size); 1657 continue; 1658 } 1659 fp = (struct flat_binder_object *)(buffer->data + *offp); 1660 switch (fp->type) { 1661 case BINDER_TYPE_BINDER: 1662 case BINDER_TYPE_WEAK_BINDER: { 1663 struct binder_node *node = binder_get_node(proc, fp->binder); 1664 if (node == NULL) { 1665 printk(KERN_ERR "binder: transaction release %d bad node %p\n", debug_id, fp->binder); 1666 break; 1667 } 1668 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1669 printk(KERN_INFO " node %d u%p\n", 1670 node->debug_id, node->ptr); 1671 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1672 } break; 1673 case BINDER_TYPE_HANDLE: 1674 case BINDER_TYPE_WEAK_HANDLE: { 1675 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1676 if (ref == NULL) { 1677 printk(KERN_ERR "binder: transaction release %d bad handle %ld\n", debug_id, fp->handle); 1678 break; 1679 } 1680 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1681 printk(KERN_INFO " ref %d desc %d (node %d)\n", 1682 ref->debug_id, ref->desc, ref->node->debug_id); 1683 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1684 } break; 1685 1686 case BINDER_TYPE_FD: 1687 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1688 printk(KERN_INFO " fd %ld\n", fp->handle); 1689 if (failed_at) 1690 task_close_fd(proc->tsk, fp->handle); 1691 break; 1692 1693 default: 1694 printk(KERN_ERR "binder: transaction release %d bad object type %lx\n", debug_id, fp->type); 1695 break; 1696 } 1697 } 1698} 1699 1700int 1701binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1702 void __user *buffer, int size, signed long *consumed) 1703{ 1704 uint32_t cmd; 1705 void __user *ptr = buffer + *consumed; 1706 void __user *end = buffer + size; 1707 1708 while (ptr < end && thread->return_error == BR_OK) { 1709 if (get_user(cmd, (uint32_t __user *)ptr)) 1710 return -EFAULT; 1711 ptr += sizeof(uint32_t); 1712 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1713 binder_stats.bc[_IOC_NR(cmd)]++; 1714 proc->stats.bc[_IOC_NR(cmd)]++; 1715 thread->stats.bc[_IOC_NR(cmd)]++; 1716 } 1717 switch (cmd) { 1718 case BC_INCREFS: 1719 case BC_ACQUIRE: 1720 case BC_RELEASE: 1721 case BC_DECREFS: { 1722 uint32_t target; 1723 struct binder_ref *ref; 1724 const char *debug_string; 1725 1726 if (get_user(target, (uint32_t __user *)ptr)) 1727 return -EFAULT; 1728 ptr += sizeof(uint32_t); 1729 if (target == 0 && binder_context_mgr_node && 1730 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1731 ref = binder_get_ref_for_node(proc, 1732 binder_context_mgr_node); 1733 if (ref->desc != target) { 1734 binder_user_error("binder: %d:" 1735 "%d tried to acquire " 1736 "reference to desc 0, " 1737 "got %d instead\n", 1738 proc->pid, thread->pid, 1739 ref->desc); 1740 } 1741 } else 1742 ref = binder_get_ref(proc, target); 1743 if (ref == NULL) { 1744 binder_user_error("binder: %d:%d refcou" 1745 "nt change on invalid ref %d\n", 1746 proc->pid, thread->pid, target); 1747 break; 1748 } 1749 switch (cmd) { 1750 case BC_INCREFS: 1751 debug_string = "IncRefs"; 1752 binder_inc_ref(ref, 0, NULL); 1753 break; 1754 case BC_ACQUIRE: 1755 debug_string = "Acquire"; 1756 binder_inc_ref(ref, 1, NULL); 1757 break; 1758 case BC_RELEASE: 1759 debug_string = "Release"; 1760 binder_dec_ref(ref, 1); 1761 break; 1762 case BC_DECREFS: 1763 default: 1764 debug_string = "DecRefs"; 1765 binder_dec_ref(ref, 0); 1766 break; 1767 } 1768 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 1769 printk(KERN_INFO "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1770 proc->pid, thread->pid, debug_string, ref->debug_id, ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1771 break; 1772 } 1773 case BC_INCREFS_DONE: 1774 case BC_ACQUIRE_DONE: { 1775 void __user *node_ptr; 1776 void *cookie; 1777 struct binder_node *node; 1778 1779 if (get_user(node_ptr, (void * __user *)ptr)) 1780 return -EFAULT; 1781 ptr += sizeof(void *); 1782 if (get_user(cookie, (void * __user *)ptr)) 1783 return -EFAULT; 1784 ptr += sizeof(void *); 1785 node = binder_get_node(proc, node_ptr); 1786 if (node == NULL) { 1787 binder_user_error("binder: %d:%d " 1788 "%s u%p no match\n", 1789 proc->pid, thread->pid, 1790 cmd == BC_INCREFS_DONE ? 1791 "BC_INCREFS_DONE" : 1792 "BC_ACQUIRE_DONE", 1793 node_ptr); 1794 break; 1795 } 1796 if (cookie != node->cookie) { 1797 binder_user_error("binder: %d:%d %s u%p node %d" 1798 " cookie mismatch %p != %p\n", 1799 proc->pid, thread->pid, 1800 cmd == BC_INCREFS_DONE ? 1801 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1802 node_ptr, node->debug_id, 1803 cookie, node->cookie); 1804 break; 1805 } 1806 if (cmd == BC_ACQUIRE_DONE) { 1807 if (node->pending_strong_ref == 0) { 1808 binder_user_error("binder: %d:%d " 1809 "BC_ACQUIRE_DONE node %d has " 1810 "no pending acquire request\n", 1811 proc->pid, thread->pid, 1812 node->debug_id); 1813 break; 1814 } 1815 node->pending_strong_ref = 0; 1816 } else { 1817 if (node->pending_weak_ref == 0) { 1818 binder_user_error("binder: %d:%d " 1819 "BC_INCREFS_DONE node %d has " 1820 "no pending increfs request\n", 1821 proc->pid, thread->pid, 1822 node->debug_id); 1823 break; 1824 } 1825 node->pending_weak_ref = 0; 1826 } 1827 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1828 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 1829 printk(KERN_INFO "binder: %d:%d %s node %d ls %d lw %d\n", 1830 proc->pid, thread->pid, cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", node->debug_id, node->local_strong_refs, node->local_weak_refs); 1831 break; 1832 } 1833 case BC_ATTEMPT_ACQUIRE: 1834 printk(KERN_ERR "binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1835 return -EINVAL; 1836 case BC_ACQUIRE_RESULT: 1837 printk(KERN_ERR "binder: BC_ACQUIRE_RESULT not supported\n"); 1838 return -EINVAL; 1839 1840 case BC_FREE_BUFFER: { 1841 void __user *data_ptr; 1842 struct binder_buffer *buffer; 1843 1844 if (get_user(data_ptr, (void * __user *)ptr)) 1845 return -EFAULT; 1846 ptr += sizeof(void *); 1847 1848 buffer = binder_buffer_lookup(proc, data_ptr); 1849 if (buffer == NULL) { 1850 binder_user_error("binder: %d:%d " 1851 "BC_FREE_BUFFER u%p no match\n", 1852 proc->pid, thread->pid, data_ptr); 1853 break; 1854 } 1855 if (!buffer->allow_user_free) { 1856 binder_user_error("binder: %d:%d " 1857 "BC_FREE_BUFFER u%p matched " 1858 "unreturned buffer\n", 1859 proc->pid, thread->pid, data_ptr); 1860 break; 1861 } 1862 if (binder_debug_mask & BINDER_DEBUG_FREE_BUFFER) 1863 printk(KERN_INFO "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1864 proc->pid, thread->pid, data_ptr, buffer->debug_id, 1865 buffer->transaction ? "active" : "finished"); 1866 1867 if (buffer->transaction) { 1868 buffer->transaction->buffer = NULL; 1869 buffer->transaction = NULL; 1870 } 1871 if (buffer->async_transaction && buffer->target_node) { 1872 BUG_ON(!buffer->target_node->has_async_transaction); 1873 if (list_empty(&buffer->target_node->async_todo)) 1874 buffer->target_node->has_async_transaction = 0; 1875 else 1876 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1877 } 1878 binder_transaction_buffer_release(proc, buffer, NULL); 1879 binder_free_buf(proc, buffer); 1880 break; 1881 } 1882 1883 case BC_TRANSACTION: 1884 case BC_REPLY: { 1885 struct binder_transaction_data tr; 1886 1887 if (copy_from_user(&tr, ptr, sizeof(tr))) 1888 return -EFAULT; 1889 ptr += sizeof(tr); 1890 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1891 break; 1892 } 1893 1894 case BC_REGISTER_LOOPER: 1895 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1896 printk(KERN_INFO "binder: %d:%d BC_REGISTER_LOOPER\n", 1897 proc->pid, thread->pid); 1898 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1899 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1900 binder_user_error("binder: %d:%d ERROR:" 1901 " BC_REGISTER_LOOPER called " 1902 "after BC_ENTER_LOOPER\n", 1903 proc->pid, thread->pid); 1904 } else if (proc->requested_threads == 0) { 1905 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1906 binder_user_error("binder: %d:%d ERROR:" 1907 " BC_REGISTER_LOOPER called " 1908 "without request\n", 1909 proc->pid, thread->pid); 1910 } else { 1911 proc->requested_threads--; 1912 proc->requested_threads_started++; 1913 } 1914 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 1915 break; 1916 case BC_ENTER_LOOPER: 1917 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1918 printk(KERN_INFO "binder: %d:%d BC_ENTER_LOOPER\n", 1919 proc->pid, thread->pid); 1920 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 1921 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1922 binder_user_error("binder: %d:%d ERROR:" 1923 " BC_ENTER_LOOPER called after " 1924 "BC_REGISTER_LOOPER\n", 1925 proc->pid, thread->pid); 1926 } 1927 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 1928 break; 1929 case BC_EXIT_LOOPER: 1930 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1931 printk(KERN_INFO "binder: %d:%d BC_EXIT_LOOPER\n", 1932 proc->pid, thread->pid); 1933 thread->looper |= BINDER_LOOPER_STATE_EXITED; 1934 break; 1935 1936 case BC_REQUEST_DEATH_NOTIFICATION: 1937 case BC_CLEAR_DEATH_NOTIFICATION: { 1938 uint32_t target; 1939 void __user *cookie; 1940 struct binder_ref *ref; 1941 struct binder_ref_death *death; 1942 1943 if (get_user(target, (uint32_t __user *)ptr)) 1944 return -EFAULT; 1945 ptr += sizeof(uint32_t); 1946 if (get_user(cookie, (void __user * __user *)ptr)) 1947 return -EFAULT; 1948 ptr += sizeof(void *); 1949 ref = binder_get_ref(proc, target); 1950 if (ref == NULL) { 1951 binder_user_error("binder: %d:%d %s " 1952 "invalid ref %d\n", 1953 proc->pid, thread->pid, 1954 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1955 "BC_REQUEST_DEATH_NOTIFICATION" : 1956 "BC_CLEAR_DEATH_NOTIFICATION", 1957 target); 1958 break; 1959 } 1960 1961 if (binder_debug_mask & BINDER_DEBUG_DEATH_NOTIFICATION) 1962 printk(KERN_INFO "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 1963 proc->pid, thread->pid, 1964 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1965 "BC_REQUEST_DEATH_NOTIFICATION" : 1966 "BC_CLEAR_DEATH_NOTIFICATION", 1967 cookie, ref->debug_id, ref->desc, 1968 ref->strong, ref->weak, ref->node->debug_id); 1969 1970 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 1971 if (ref->death) { 1972 binder_user_error("binder: %d:%" 1973 "d BC_REQUEST_DEATH_NOTI" 1974 "FICATION death notific" 1975 "ation already set\n", 1976 proc->pid, thread->pid); 1977 break; 1978 } 1979 death = kzalloc(sizeof(*death), GFP_KERNEL); 1980 if (death == NULL) { 1981 thread->return_error = BR_ERROR; 1982 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1983 printk(KERN_INFO "binder: %d:%d " 1984 "BC_REQUEST_DEATH_NOTIFICATION failed\n", 1985 proc->pid, thread->pid); 1986 break; 1987 } 1988 binder_stats.obj_created[BINDER_STAT_DEATH]++; 1989 INIT_LIST_HEAD(&death->work.entry); 1990 death->cookie = cookie; 1991 ref->death = death; 1992 if (ref->node->proc == NULL) { 1993 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 1994 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 1995 list_add_tail(&ref->death->work.entry, &thread->todo); 1996 } else { 1997 list_add_tail(&ref->death->work.entry, &proc->todo); 1998 wake_up_interruptible(&proc->wait); 1999 } 2000 } 2001 } else { 2002 if (ref->death == NULL) { 2003 binder_user_error("binder: %d:%" 2004 "d BC_CLEAR_DEATH_NOTIFI" 2005 "CATION death notificat" 2006 "ion not active\n", 2007 proc->pid, thread->pid); 2008 break; 2009 } 2010 death = ref->death; 2011 if (death->cookie != cookie) { 2012 binder_user_error("binder: %d:%" 2013 "d BC_CLEAR_DEATH_NOTIFI" 2014 "CATION death notificat" 2015 "ion cookie mismatch " 2016 "%p != %p\n", 2017 proc->pid, thread->pid, 2018 death->cookie, cookie); 2019 break; 2020 } 2021 ref->death = NULL; 2022 if (list_empty(&death->work.entry)) { 2023 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2024 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2025 list_add_tail(&death->work.entry, &thread->todo); 2026 } else { 2027 list_add_tail(&death->work.entry, &proc->todo); 2028 wake_up_interruptible(&proc->wait); 2029 } 2030 } else { 2031 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2032 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2033 } 2034 } 2035 } break; 2036 case BC_DEAD_BINDER_DONE: { 2037 struct binder_work *w; 2038 void __user *cookie; 2039 struct binder_ref_death *death = NULL; 2040 if (get_user(cookie, (void __user * __user *)ptr)) 2041 return -EFAULT; 2042 2043 ptr += sizeof(void *); 2044 list_for_each_entry(w, &proc->delivered_death, entry) { 2045 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2046 if (tmp_death->cookie == cookie) { 2047 death = tmp_death; 2048 break; 2049 } 2050 } 2051 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2052 printk(KERN_INFO "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2053 proc->pid, thread->pid, cookie, death); 2054 if (death == NULL) { 2055 binder_user_error("binder: %d:%d BC_DEAD" 2056 "_BINDER_DONE %p not found\n", 2057 proc->pid, thread->pid, cookie); 2058 break; 2059 } 2060 2061 list_del_init(&death->work.entry); 2062 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2063 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2064 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2065 list_add_tail(&death->work.entry, &thread->todo); 2066 } else { 2067 list_add_tail(&death->work.entry, &proc->todo); 2068 wake_up_interruptible(&proc->wait); 2069 } 2070 } 2071 } break; 2072 2073 default: 2074 printk(KERN_ERR "binder: %d:%d unknown command %d\n", proc->pid, thread->pid, cmd); 2075 return -EINVAL; 2076 } 2077 *consumed = ptr - buffer; 2078 } 2079 return 0; 2080} 2081 2082void 2083binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, uint32_t cmd) 2084{ 2085 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2086 binder_stats.br[_IOC_NR(cmd)]++; 2087 proc->stats.br[_IOC_NR(cmd)]++; 2088 thread->stats.br[_IOC_NR(cmd)]++; 2089 } 2090} 2091 2092static int 2093binder_has_proc_work(struct binder_proc *proc, struct binder_thread *thread) 2094{ 2095 return !list_empty(&proc->todo) || (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2096} 2097 2098static int 2099binder_has_thread_work(struct binder_thread *thread) 2100{ 2101 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2102 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2103} 2104 2105static int 2106binder_thread_read(struct binder_proc *proc, struct binder_thread *thread, 2107 void __user *buffer, int size, signed long *consumed, int non_block) 2108{ 2109 void __user *ptr = buffer + *consumed; 2110 void __user *end = buffer + size; 2111 2112 int ret = 0; 2113 int wait_for_proc_work; 2114 2115 if (*consumed == 0) { 2116 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2117 return -EFAULT; 2118 ptr += sizeof(uint32_t); 2119 } 2120 2121retry: 2122 wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo); 2123 2124 if (thread->return_error != BR_OK && ptr < end) { 2125 if (thread->return_error2 != BR_OK) { 2126 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2127 return -EFAULT; 2128 ptr += sizeof(uint32_t); 2129 if (ptr == end) 2130 goto done; 2131 thread->return_error2 = BR_OK; 2132 } 2133 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2134 return -EFAULT; 2135 ptr += sizeof(uint32_t); 2136 thread->return_error = BR_OK; 2137 goto done; 2138 } 2139 2140 2141 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2142 if (wait_for_proc_work) 2143 proc->ready_threads++; 2144 mutex_unlock(&binder_lock); 2145 if (wait_for_proc_work) { 2146 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2147 BINDER_LOOPER_STATE_ENTERED))) { 2148 binder_user_error("binder: %d:%d ERROR: Thread waiting " 2149 "for process work before calling BC_REGISTER_" 2150 "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2151 proc->pid, thread->pid, thread->looper); 2152 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2153 } 2154 binder_set_nice(proc->default_priority); 2155 if (non_block) { 2156 if (!binder_has_proc_work(proc, thread)) 2157 ret = -EAGAIN; 2158 } else 2159 ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2160 } else { 2161 if (non_block) { 2162 if (!binder_has_thread_work(thread)) 2163 ret = -EAGAIN; 2164 } else 2165 ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2166 } 2167 mutex_lock(&binder_lock); 2168 if (wait_for_proc_work) 2169 proc->ready_threads--; 2170 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2171 2172 if (ret) 2173 return ret; 2174 2175 while (1) { 2176 uint32_t cmd; 2177 struct binder_transaction_data tr; 2178 struct binder_work *w; 2179 struct binder_transaction *t = NULL; 2180 2181 if (!list_empty(&thread->todo)) 2182 w = list_first_entry(&thread->todo, struct binder_work, entry); 2183 else if (!list_empty(&proc->todo) && wait_for_proc_work) 2184 w = list_first_entry(&proc->todo, struct binder_work, entry); 2185 else { 2186 if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2187 goto retry; 2188 break; 2189 } 2190 2191 if (end - ptr < sizeof(tr) + 4) 2192 break; 2193 2194 switch (w->type) { 2195 case BINDER_WORK_TRANSACTION: { 2196 t = container_of(w, struct binder_transaction, work); 2197 } break; 2198 case BINDER_WORK_TRANSACTION_COMPLETE: { 2199 cmd = BR_TRANSACTION_COMPLETE; 2200 if (put_user(cmd, (uint32_t __user *)ptr)) 2201 return -EFAULT; 2202 ptr += sizeof(uint32_t); 2203 2204 binder_stat_br(proc, thread, cmd); 2205 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION_COMPLETE) 2206 printk(KERN_INFO "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2207 proc->pid, thread->pid); 2208 2209 list_del(&w->entry); 2210 kfree(w); 2211 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2212 } break; 2213 case BINDER_WORK_NODE: { 2214 struct binder_node *node = container_of(w, struct binder_node, work); 2215 uint32_t cmd = BR_NOOP; 2216 const char *cmd_name; 2217 int strong = node->internal_strong_refs || node->local_strong_refs; 2218 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2219 if (weak && !node->has_weak_ref) { 2220 cmd = BR_INCREFS; 2221 cmd_name = "BR_INCREFS"; 2222 node->has_weak_ref = 1; 2223 node->pending_weak_ref = 1; 2224 node->local_weak_refs++; 2225 } else if (strong && !node->has_strong_ref) { 2226 cmd = BR_ACQUIRE; 2227 cmd_name = "BR_ACQUIRE"; 2228 node->has_strong_ref = 1; 2229 node->pending_strong_ref = 1; 2230 node->local_strong_refs++; 2231 } else if (!strong && node->has_strong_ref) { 2232 cmd = BR_RELEASE; 2233 cmd_name = "BR_RELEASE"; 2234 node->has_strong_ref = 0; 2235 } else if (!weak && node->has_weak_ref) { 2236 cmd = BR_DECREFS; 2237 cmd_name = "BR_DECREFS"; 2238 node->has_weak_ref = 0; 2239 } 2240 if (cmd != BR_NOOP) { 2241 if (put_user(cmd, (uint32_t __user *)ptr)) 2242 return -EFAULT; 2243 ptr += sizeof(uint32_t); 2244 if (put_user(node->ptr, (void * __user *)ptr)) 2245 return -EFAULT; 2246 ptr += sizeof(void *); 2247 if (put_user(node->cookie, (void * __user *)ptr)) 2248 return -EFAULT; 2249 ptr += sizeof(void *); 2250 2251 binder_stat_br(proc, thread, cmd); 2252 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 2253 printk(KERN_INFO "binder: %d:%d %s %d u%p c%p\n", 2254 proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2255 } else { 2256 list_del_init(&w->entry); 2257 if (!weak && !strong) { 2258 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 2259 printk(KERN_INFO "binder: %d:%d node %d u%p c%p deleted\n", 2260 proc->pid, thread->pid, node->debug_id, node->ptr, node->cookie); 2261 rb_erase(&node->rb_node, &proc->nodes); 2262 kfree(node); 2263 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2264 } else { 2265 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 2266 printk(KERN_INFO "binder: %d:%d node %d u%p c%p state unchanged\n", 2267 proc->pid, thread->pid, node->debug_id, node->ptr, node->cookie); 2268 } 2269 } 2270 } break; 2271 case BINDER_WORK_DEAD_BINDER: 2272 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2273 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2274 struct binder_ref_death *death = container_of(w, struct binder_ref_death, work); 2275 uint32_t cmd; 2276 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2277 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2278 else 2279 cmd = BR_DEAD_BINDER; 2280 if (put_user(cmd, (uint32_t __user *)ptr)) 2281 return -EFAULT; 2282 ptr += sizeof(uint32_t); 2283 if (put_user(death->cookie, (void * __user *)ptr)) 2284 return -EFAULT; 2285 ptr += sizeof(void *); 2286 if (binder_debug_mask & BINDER_DEBUG_DEATH_NOTIFICATION) 2287 printk(KERN_INFO "binder: %d:%d %s %p\n", 2288 proc->pid, thread->pid, 2289 cmd == BR_DEAD_BINDER ? 2290 "BR_DEAD_BINDER" : 2291 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2292 death->cookie); 2293 2294 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2295 list_del(&w->entry); 2296 kfree(death); 2297 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 2298 } else 2299 list_move(&w->entry, &proc->delivered_death); 2300 if (cmd == BR_DEAD_BINDER) 2301 goto done; /* DEAD_BINDER notifications can cause transactions */ 2302 } break; 2303 } 2304 2305 if (!t) 2306 continue; 2307 2308 BUG_ON(t->buffer == NULL); 2309 if (t->buffer->target_node) { 2310 struct binder_node *target_node = t->buffer->target_node; 2311 tr.target.ptr = target_node->ptr; 2312 tr.cookie = target_node->cookie; 2313 t->saved_priority = task_nice(current); 2314 if (t->priority < target_node->min_priority && 2315 !(t->flags & TF_ONE_WAY)) 2316 binder_set_nice(t->priority); 2317 else if (!(t->flags & TF_ONE_WAY) || 2318 t->saved_priority > target_node->min_priority) 2319 binder_set_nice(target_node->min_priority); 2320 cmd = BR_TRANSACTION; 2321 } else { 2322 tr.target.ptr = NULL; 2323 tr.cookie = NULL; 2324 cmd = BR_REPLY; 2325 } 2326 tr.code = t->code; 2327 tr.flags = t->flags; 2328 tr.sender_euid = t->sender_euid; 2329 2330 if (t->from) { 2331 struct task_struct *sender = t->from->proc->tsk; 2332 tr.sender_pid = task_tgid_nr_ns(sender, current->nsproxy->pid_ns); 2333 } else { 2334 tr.sender_pid = 0; 2335 } 2336 2337 tr.data_size = t->buffer->data_size; 2338 tr.offsets_size = t->buffer->offsets_size; 2339 tr.data.ptr.buffer = (void *)((void *)t->buffer->data + proc->user_buffer_offset); 2340 tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *)); 2341 2342 if (put_user(cmd, (uint32_t __user *)ptr)) 2343 return -EFAULT; 2344 ptr += sizeof(uint32_t); 2345 if (copy_to_user(ptr, &tr, sizeof(tr))) 2346 return -EFAULT; 2347 ptr += sizeof(tr); 2348 2349 binder_stat_br(proc, thread, cmd); 2350 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 2351 printk(KERN_INFO "binder: %d:%d %s %d %d:%d, cmd %d" 2352 "size %zd-%zd ptr %p-%p\n", 2353 proc->pid, thread->pid, 2354 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : "BR_REPLY", 2355 t->debug_id, t->from ? t->from->proc->pid : 0, 2356 t->from ? t->from->pid : 0, cmd, 2357 t->buffer->data_size, t->buffer->offsets_size, 2358 tr.data.ptr.buffer, tr.data.ptr.offsets); 2359 2360 list_del(&t->work.entry); 2361 t->buffer->allow_user_free = 1; 2362 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2363 t->to_parent = thread->transaction_stack; 2364 t->to_thread = thread; 2365 thread->transaction_stack = t; 2366 } else { 2367 t->buffer->transaction = NULL; 2368 kfree(t); 2369 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 2370 } 2371 break; 2372 } 2373 2374done: 2375 2376 *consumed = ptr - buffer; 2377 if (proc->requested_threads + proc->ready_threads == 0 && 2378 proc->requested_threads_started < proc->max_threads && 2379 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2380 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2381 /*spawn a new thread if we leave this out */) { 2382 proc->requested_threads++; 2383 if (binder_debug_mask & BINDER_DEBUG_THREADS) 2384 printk(KERN_INFO "binder: %d:%d BR_SPAWN_LOOPER\n", 2385 proc->pid, thread->pid); 2386 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2387 return -EFAULT; 2388 } 2389 return 0; 2390} 2391 2392static void binder_release_work(struct list_head *list) 2393{ 2394 struct binder_work *w; 2395 while (!list_empty(list)) { 2396 w = list_first_entry(list, struct binder_work, entry); 2397 list_del_init(&w->entry); 2398 switch (w->type) { 2399 case BINDER_WORK_TRANSACTION: { 2400 struct binder_transaction *t = container_of(w, struct binder_transaction, work); 2401 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2402 binder_send_failed_reply(t, BR_DEAD_REPLY); 2403 } break; 2404 case BINDER_WORK_TRANSACTION_COMPLETE: { 2405 kfree(w); 2406 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2407 } break; 2408 default: 2409 break; 2410 } 2411 } 2412 2413} 2414 2415static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2416{ 2417 struct binder_thread *thread = NULL; 2418 struct rb_node *parent = NULL; 2419 struct rb_node **p = &proc->threads.rb_node; 2420 2421 while (*p) { 2422 parent = *p; 2423 thread = rb_entry(parent, struct binder_thread, rb_node); 2424 2425 if (current->pid < thread->pid) 2426 p = &(*p)->rb_left; 2427 else if (current->pid > thread->pid) 2428 p = &(*p)->rb_right; 2429 else 2430 break; 2431 } 2432 if (*p == NULL) { 2433 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2434 if (thread == NULL) 2435 return NULL; 2436 binder_stats.obj_created[BINDER_STAT_THREAD]++; 2437 thread->proc = proc; 2438 thread->pid = current->pid; 2439 init_waitqueue_head(&thread->wait); 2440 INIT_LIST_HEAD(&thread->todo); 2441 rb_link_node(&thread->rb_node, parent, p); 2442 rb_insert_color(&thread->rb_node, &proc->threads); 2443 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2444 thread->return_error = BR_OK; 2445 thread->return_error2 = BR_OK; 2446 } 2447 return thread; 2448} 2449 2450static int binder_free_thread(struct binder_proc *proc, struct binder_thread *thread) 2451{ 2452 struct binder_transaction *t; 2453 struct binder_transaction *send_reply = NULL; 2454 int active_transactions = 0; 2455 2456 rb_erase(&thread->rb_node, &proc->threads); 2457 t = thread->transaction_stack; 2458 if (t && t->to_thread == thread) 2459 send_reply = t; 2460 while (t) { 2461 active_transactions++; 2462 if (binder_debug_mask & BINDER_DEBUG_DEAD_TRANSACTION) 2463 printk(KERN_INFO "binder: release %d:%d transaction %d %s, still active\n", 2464 proc->pid, thread->pid, t->debug_id, (t->to_thread == thread) ? "in" : "out"); 2465 if (t->to_thread == thread) { 2466 t->to_proc = NULL; 2467 t->to_thread = NULL; 2468 if (t->buffer) { 2469 t->buffer->transaction = NULL; 2470 t->buffer = NULL; 2471 } 2472 t = t->to_parent; 2473 } else if (t->from == thread) { 2474 t->from = NULL; 2475 t = t->from_parent; 2476 } else 2477 BUG(); 2478 } 2479 if (send_reply) 2480 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2481 binder_release_work(&thread->todo); 2482 kfree(thread); 2483 binder_stats.obj_deleted[BINDER_STAT_THREAD]++; 2484 return active_transactions; 2485} 2486 2487static unsigned int binder_poll(struct file *filp, struct poll_table_struct *wait) 2488{ 2489 struct binder_proc *proc = filp->private_data; 2490 struct binder_thread *thread = NULL; 2491 int wait_for_proc_work; 2492 2493 mutex_lock(&binder_lock); 2494 thread = binder_get_thread(proc); 2495 2496 wait_for_proc_work = thread->transaction_stack == NULL && 2497 list_empty(&thread->todo) && thread->return_error == BR_OK; 2498 mutex_unlock(&binder_lock); 2499 2500 if (wait_for_proc_work) { 2501 if (binder_has_proc_work(proc, thread)) 2502 return POLLIN; 2503 poll_wait(filp, &proc->wait, wait); 2504 if (binder_has_proc_work(proc, thread)) 2505 return POLLIN; 2506 } else { 2507 if (binder_has_thread_work(thread)) 2508 return POLLIN; 2509 poll_wait(filp, &thread->wait, wait); 2510 if (binder_has_thread_work(thread)) 2511 return POLLIN; 2512 } 2513 return 0; 2514} 2515 2516static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2517{ 2518 int ret; 2519 struct binder_proc *proc = filp->private_data; 2520 struct binder_thread *thread; 2521 unsigned int size = _IOC_SIZE(cmd); 2522 void __user *ubuf = (void __user *)arg; 2523 2524 /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2525 2526 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2527 if (ret) 2528 return ret; 2529 2530 mutex_lock(&binder_lock); 2531 thread = binder_get_thread(proc); 2532 if (thread == NULL) { 2533 ret = -ENOMEM; 2534 goto err; 2535 } 2536 2537 switch (cmd) { 2538 case BINDER_WRITE_READ: { 2539 struct binder_write_read bwr; 2540 if (size != sizeof(struct binder_write_read)) { 2541 ret = -EINVAL; 2542 goto err; 2543 } 2544 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2545 ret = -EFAULT; 2546 goto err; 2547 } 2548 if (binder_debug_mask & BINDER_DEBUG_READ_WRITE) 2549 printk(KERN_INFO "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2550 proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer); 2551 if (bwr.write_size > 0) { 2552 ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2553 if (ret < 0) { 2554 bwr.read_consumed = 0; 2555 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2556 ret = -EFAULT; 2557 goto err; 2558 } 2559 } 2560 if (bwr.read_size > 0) { 2561 ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2562 if (!list_empty(&proc->todo)) 2563 wake_up_interruptible(&proc->wait); 2564 if (ret < 0) { 2565 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2566 ret = -EFAULT; 2567 goto err; 2568 } 2569 } 2570 if (binder_debug_mask & BINDER_DEBUG_READ_WRITE) 2571 printk(KERN_INFO "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2572 proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size); 2573 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2574 ret = -EFAULT; 2575 goto err; 2576 } 2577 break; 2578 } 2579 case BINDER_SET_MAX_THREADS: 2580 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2581 ret = -EINVAL; 2582 goto err; 2583 } 2584 break; 2585 case BINDER_SET_CONTEXT_MGR: 2586 if (binder_context_mgr_node != NULL) { 2587 printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n"); 2588 ret = -EBUSY; 2589 goto err; 2590 } 2591 if (binder_context_mgr_uid != -1) { 2592 if (binder_context_mgr_uid != current->cred->euid) { 2593 printk(KERN_ERR "binder: BINDER_SET_" 2594 "CONTEXT_MGR bad uid %d != %d\n", 2595 current->cred->euid, 2596 binder_context_mgr_uid); 2597 ret = -EPERM; 2598 goto err; 2599 } 2600 } else 2601 binder_context_mgr_uid = current->cred->euid; 2602 binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2603 if (binder_context_mgr_node == NULL) { 2604 ret = -ENOMEM; 2605 goto err; 2606 } 2607 binder_context_mgr_node->local_weak_refs++; 2608 binder_context_mgr_node->local_strong_refs++; 2609 binder_context_mgr_node->has_strong_ref = 1; 2610 binder_context_mgr_node->has_weak_ref = 1; 2611 break; 2612 case BINDER_THREAD_EXIT: 2613 if (binder_debug_mask & BINDER_DEBUG_THREADS) 2614 printk(KERN_INFO "binder: %d:%d exit\n", 2615 proc->pid, thread->pid); 2616 binder_free_thread(proc, thread); 2617 thread = NULL; 2618 break; 2619 case BINDER_VERSION: 2620 if (size != sizeof(struct binder_version)) { 2621 ret = -EINVAL; 2622 goto err; 2623 } 2624 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2625 ret = -EINVAL; 2626 goto err; 2627 } 2628 break; 2629 default: 2630 ret = -EINVAL; 2631 goto err; 2632 } 2633 ret = 0; 2634err: 2635 if (thread) 2636 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2637 mutex_unlock(&binder_lock); 2638 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2639 if (ret && ret != -ERESTARTSYS) 2640 printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2641 return ret; 2642} 2643 2644static void binder_vma_open(struct vm_area_struct *vma) 2645{ 2646 struct binder_proc *proc = vma->vm_private_data; 2647 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2648 printk(KERN_INFO 2649 "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2650 proc->pid, vma->vm_start, vma->vm_end, 2651 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2652 (unsigned long)pgprot_val(vma->vm_page_prot)); 2653 dump_stack(); 2654} 2655static void binder_vma_close(struct vm_area_struct *vma) 2656{ 2657 struct binder_proc *proc = vma->vm_private_data; 2658 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2659 printk(KERN_INFO 2660 "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2661 proc->pid, vma->vm_start, vma->vm_end, 2662 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2663 (unsigned long)pgprot_val(vma->vm_page_prot)); 2664 proc->vma = NULL; 2665} 2666 2667static struct vm_operations_struct binder_vm_ops = { 2668 .open = binder_vma_open, 2669 .close = binder_vma_close, 2670}; 2671 2672static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2673{ 2674 int ret; 2675 struct vm_struct *area; 2676 struct binder_proc *proc = filp->private_data; 2677 const char *failure_string; 2678 struct binder_buffer *buffer; 2679 2680 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2681 vma->vm_end = vma->vm_start + SZ_4M; 2682 2683 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2684 printk(KERN_INFO 2685 "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2686 proc->pid, vma->vm_start, vma->vm_end, 2687 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2688 (unsigned long)pgprot_val(vma->vm_page_prot)); 2689 2690 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2691 ret = -EPERM; 2692 failure_string = "bad vm_flags"; 2693 goto err_bad_arg; 2694 } 2695 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2696 2697 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2698 if (area == NULL) { 2699 ret = -ENOMEM; 2700 failure_string = "get_vm_area"; 2701 goto err_get_vm_area_failed; 2702 } 2703 proc->buffer = area->addr; 2704 proc->user_buffer_offset = vma->vm_start - (size_t)proc->buffer; 2705 2706#ifdef CONFIG_CPU_CACHE_VIPT 2707 if (cache_is_vipt_aliasing()) { 2708 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2709 printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2710 vma->vm_start += PAGE_SIZE; 2711 } 2712 } 2713#endif 2714 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2715 if (proc->pages == NULL) { 2716 ret = -ENOMEM; 2717 failure_string = "alloc page array"; 2718 goto err_alloc_pages_failed; 2719 } 2720 proc->buffer_size = vma->vm_end - vma->vm_start; 2721 2722 vma->vm_ops = &binder_vm_ops; 2723 vma->vm_private_data = proc; 2724 2725 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2726 ret = -ENOMEM; 2727 failure_string = "alloc small buf"; 2728 goto err_alloc_small_buf_failed; 2729 } 2730 buffer = proc->buffer; 2731 INIT_LIST_HEAD(&proc->buffers); 2732 list_add(&buffer->entry, &proc->buffers); 2733 buffer->free = 1; 2734 binder_insert_free_buffer(proc, buffer); 2735 proc->free_async_space = proc->buffer_size / 2; 2736 barrier(); 2737 proc->vma = vma; 2738 2739 /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2740 return 0; 2741 2742err_alloc_small_buf_failed: 2743 kfree(proc->pages); 2744err_alloc_pages_failed: 2745 vfree(proc->buffer); 2746err_get_vm_area_failed: 2747 mutex_unlock(&binder_lock); 2748err_bad_arg: 2749 printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2750 return ret; 2751} 2752 2753static int binder_open(struct inode *nodp, struct file *filp) 2754{ 2755 struct binder_proc *proc; 2756 2757 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2758 printk(KERN_INFO "binder_open: %d:%d\n", current->group_leader->pid, current->pid); 2759 2760 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2761 if (proc == NULL) 2762 return -ENOMEM; 2763 get_task_struct(current); 2764 proc->tsk = current; 2765 INIT_LIST_HEAD(&proc->todo); 2766 init_waitqueue_head(&proc->wait); 2767 proc->default_priority = task_nice(current); 2768 mutex_lock(&binder_lock); 2769 binder_stats.obj_created[BINDER_STAT_PROC]++; 2770 hlist_add_head(&proc->proc_node, &binder_procs); 2771 proc->pid = current->group_leader->pid; 2772 INIT_LIST_HEAD(&proc->delivered_death); 2773 filp->private_data = proc; 2774 mutex_unlock(&binder_lock); 2775 2776 if (binder_proc_dir_entry_proc) { 2777 char strbuf[11]; 2778 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2779 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2780 create_proc_read_entry(strbuf, S_IRUGO, binder_proc_dir_entry_proc, binder_read_proc_proc, proc); 2781 } 2782 2783 return 0; 2784} 2785 2786static int binder_flush(struct file *filp, fl_owner_t id) 2787{ 2788 struct rb_node *n; 2789 struct binder_proc *proc = filp->private_data; 2790 int wake_count = 0; 2791 2792 mutex_lock(&binder_lock); 2793 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2794 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2795 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2796 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2797 wake_up_interruptible(&thread->wait); 2798 wake_count++; 2799 } 2800 } 2801 wake_up_interruptible_all(&proc->wait); 2802 mutex_unlock(&binder_lock); 2803 2804 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2805 printk(KERN_INFO "binder_flush: %d woke %d threads\n", proc->pid, wake_count); 2806 2807 return 0; 2808} 2809 2810static int binder_release(struct inode *nodp, struct file *filp) 2811{ 2812 struct hlist_node *pos; 2813 struct binder_transaction *t; 2814 struct rb_node *n; 2815 struct binder_proc *proc = filp->private_data; 2816 int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2817 2818 if (binder_proc_dir_entry_proc) { 2819 char strbuf[11]; 2820 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2821 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2822 } 2823 mutex_lock(&binder_lock); 2824 hlist_del(&proc->proc_node); 2825 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2826 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2827 printk(KERN_INFO "binder_release: %d context_mgr_node gone\n", proc->pid); 2828 binder_context_mgr_node = NULL; 2829 } 2830 2831 threads = 0; 2832 active_transactions = 0; 2833 while ((n = rb_first(&proc->threads))) { 2834 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2835 threads++; 2836 active_transactions += binder_free_thread(proc, thread); 2837 } 2838 nodes = 0; 2839 incoming_refs = 0; 2840 while ((n = rb_first(&proc->nodes))) { 2841 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2842 2843 nodes++; 2844 rb_erase(&node->rb_node, &proc->nodes); 2845 list_del_init(&node->work.entry); 2846 if (hlist_empty(&node->refs)) { 2847 kfree(node); 2848 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2849 } else { 2850 struct binder_ref *ref; 2851 int death = 0; 2852 2853 node->proc = NULL; 2854 node->local_strong_refs = 0; 2855 node->local_weak_refs = 0; 2856 hlist_add_head(&node->dead_node, &binder_dead_nodes); 2857 2858 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 2859 incoming_refs++; 2860 if (ref->death) { 2861 death++; 2862 if (list_empty(&ref->death->work.entry)) { 2863 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2864 list_add_tail(&ref->death->work.entry, &ref->proc->todo); 2865 wake_up_interruptible(&ref->proc->wait); 2866 } else 2867 BUG(); 2868 } 2869 } 2870 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2871 printk(KERN_INFO "binder: node %d now dead, refs %d, death %d\n", node->debug_id, incoming_refs, death); 2872 } 2873 } 2874 outgoing_refs = 0; 2875 while ((n = rb_first(&proc->refs_by_desc))) { 2876 struct binder_ref *ref = rb_entry(n, struct binder_ref, rb_node_desc); 2877 outgoing_refs++; 2878 binder_delete_ref(ref); 2879 } 2880 binder_release_work(&proc->todo); 2881 buffers = 0; 2882 2883 while ((n = rb_first(&proc->allocated_buffers))) { 2884 struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, rb_node); 2885 t = buffer->transaction; 2886 if (t) { 2887 t->buffer = NULL; 2888 buffer->transaction = NULL; 2889 printk(KERN_ERR "binder: release proc %d, transaction %d, not freed\n", proc->pid, t->debug_id); 2890 /*BUG();*/ 2891 } 2892 binder_free_buf(proc, buffer); 2893 buffers++; 2894 } 2895 2896 binder_stats.obj_deleted[BINDER_STAT_PROC]++; 2897 mutex_unlock(&binder_lock); 2898 2899 page_count = 0; 2900 if (proc->pages) { 2901 int i; 2902 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 2903 if (proc->pages[i]) { 2904 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 2905 printk(KERN_INFO "binder_release: %d: page %d at %p not freed\n", proc->pid, i, proc->buffer + i * PAGE_SIZE); 2906 __free_page(proc->pages[i]); 2907 page_count++; 2908 } 2909 } 2910 kfree(proc->pages); 2911 vfree(proc->buffer); 2912 } 2913 2914 put_task_struct(proc->tsk); 2915 2916 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2917 printk(KERN_INFO "binder_release: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d, buffers %d, pages %d\n", 2918 proc->pid, threads, nodes, incoming_refs, outgoing_refs, active_transactions, buffers, page_count); 2919 2920 kfree(proc); 2921 return 0; 2922} 2923 2924static char *print_binder_transaction(char *buf, char *end, const char *prefix, struct binder_transaction *t) 2925{ 2926 buf += snprintf(buf, end - buf, "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", 2927 prefix, t->debug_id, t, t->from ? t->from->proc->pid : 0, 2928 t->from ? t->from->pid : 0, 2929 t->to_proc ? t->to_proc->pid : 0, 2930 t->to_thread ? t->to_thread->pid : 0, 2931 t->code, t->flags, t->priority, t->need_reply); 2932 if (buf >= end) 2933 return buf; 2934 if (t->buffer == NULL) { 2935 buf += snprintf(buf, end - buf, " buffer free\n"); 2936 return buf; 2937 } 2938 if (t->buffer->target_node) { 2939 buf += snprintf(buf, end - buf, " node %d", 2940 t->buffer->target_node->debug_id); 2941 if (buf >= end) 2942 return buf; 2943 } 2944 buf += snprintf(buf, end - buf, " size %zd:%zd data %p\n", 2945 t->buffer->data_size, t->buffer->offsets_size, 2946 t->buffer->data); 2947 return buf; 2948} 2949 2950static char *print_binder_buffer(char *buf, char *end, const char *prefix, struct binder_buffer *buffer) 2951{ 2952 buf += snprintf(buf, end - buf, "%s %d: %p size %zd:%zd %s\n", 2953 prefix, buffer->debug_id, buffer->data, 2954 buffer->data_size, buffer->offsets_size, 2955 buffer->transaction ? "active" : "delivered"); 2956 return buf; 2957} 2958 2959static char *print_binder_work(char *buf, char *end, const char *prefix, 2960 const char *transaction_prefix, struct binder_work *w) 2961{ 2962 struct binder_node *node; 2963 struct binder_transaction *t; 2964 2965 switch (w->type) { 2966 case BINDER_WORK_TRANSACTION: 2967 t = container_of(w, struct binder_transaction, work); 2968 buf = print_binder_transaction(buf, end, transaction_prefix, t); 2969 break; 2970 case BINDER_WORK_TRANSACTION_COMPLETE: 2971 buf += snprintf(buf, end - buf, 2972 "%stransaction complete\n", prefix); 2973 break; 2974 case BINDER_WORK_NODE: 2975 node = container_of(w, struct binder_node, work); 2976 buf += snprintf(buf, end - buf, "%snode work %d: u%p c%p\n", 2977 prefix, node->debug_id, node->ptr, node->cookie); 2978 break; 2979 case BINDER_WORK_DEAD_BINDER: 2980 buf += snprintf(buf, end - buf, "%shas dead binder\n", prefix); 2981 break; 2982 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2983 buf += snprintf(buf, end - buf, 2984 "%shas cleared dead binder\n", prefix); 2985 break; 2986 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 2987 buf += snprintf(buf, end - buf, 2988 "%shas cleared death notification\n", prefix); 2989 break; 2990 default: 2991 buf += snprintf(buf, end - buf, "%sunknown work: type %d\n", 2992 prefix, w->type); 2993 break; 2994 } 2995 return buf; 2996} 2997 2998static char *print_binder_thread(char *buf, char *end, struct binder_thread *thread, int print_always) 2999{ 3000 struct binder_transaction *t; 3001 struct binder_work *w; 3002 char *start_buf = buf; 3003 char *header_buf; 3004 3005 buf += snprintf(buf, end - buf, " thread %d: l %02x\n", thread->pid, thread->looper); 3006 header_buf = buf; 3007 t = thread->transaction_stack; 3008 while (t) { 3009 if (buf >= end) 3010 break; 3011 if (t->from == thread) { 3012 buf = print_binder_transaction(buf, end, " outgoing transaction", t); 3013 t = t->from_parent; 3014 } else if (t->to_thread == thread) { 3015 buf = print_binder_transaction(buf, end, " incoming transaction", t); 3016 t = t->to_parent; 3017 } else { 3018 buf = print_binder_transaction(buf, end, " bad transaction", t); 3019 t = NULL; 3020 } 3021 } 3022 list_for_each_entry(w, &thread->todo, entry) { 3023 if (buf >= end) 3024 break; 3025 buf = print_binder_work(buf, end, " ", 3026 " pending transaction", w); 3027 } 3028 if (!print_always && buf == header_buf) 3029 buf = start_buf; 3030 return buf; 3031} 3032 3033static char *print_binder_node(char *buf, char *end, struct binder_node *node) 3034{ 3035 struct binder_ref *ref; 3036 struct hlist_node *pos; 3037 struct binder_work *w; 3038 int count; 3039 count = 0; 3040 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3041 count++; 3042 3043 buf += snprintf(buf, end - buf, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d", 3044 node->debug_id, node->ptr, node->cookie, 3045 node->has_strong_ref, node->has_weak_ref, 3046 node->local_strong_refs, node->local_weak_refs, 3047 node->internal_strong_refs, count); 3048 if (buf >= end) 3049 return buf; 3050 if (count) { 3051 buf += snprintf(buf, end - buf, " proc"); 3052 if (buf >= end) 3053 return buf; 3054 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 3055 buf += snprintf(buf, end - buf, " %d", ref->proc->pid); 3056 if (buf >= end) 3057 return buf; 3058 } 3059 } 3060 buf += snprintf(buf, end - buf, "\n"); 3061 list_for_each_entry(w, &node->async_todo, entry) { 3062 if (buf >= end) 3063 break; 3064 buf = print_binder_work(buf, end, " ", 3065 " pending async transaction", w); 3066 } 3067 return buf; 3068} 3069 3070static char *print_binder_ref(char *buf, char *end, struct binder_ref *ref) 3071{ 3072 buf += snprintf(buf, end - buf, " ref %d: desc %d %snode %d s %d w %d d %p\n", 3073 ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ", 3074 ref->node->debug_id, ref->strong, ref->weak, ref->death); 3075 return buf; 3076} 3077 3078static char *print_binder_proc(char *buf, char *end, struct binder_proc *proc, int print_all) 3079{ 3080 struct binder_work *w; 3081 struct rb_node *n; 3082 char *start_buf = buf; 3083 char *header_buf; 3084 3085 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3086 header_buf = buf; 3087 3088 for (n = rb_first(&proc->threads); n != NULL && buf < end; n = rb_next(n)) 3089 buf = print_binder_thread(buf, end, rb_entry(n, struct binder_thread, rb_node), print_all); 3090 for (n = rb_first(&proc->nodes); n != NULL && buf < end; n = rb_next(n)) { 3091 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 3092 if (print_all || node->has_async_transaction) 3093 buf = print_binder_node(buf, end, node); 3094 } 3095 if (print_all) { 3096 for (n = rb_first(&proc->refs_by_desc); n != NULL && buf < end; n = rb_next(n)) 3097 buf = print_binder_ref(buf, end, rb_entry(n, struct binder_ref, rb_node_desc)); 3098 } 3099 for (n = rb_first(&proc->allocated_buffers); n != NULL && buf < end; n = rb_next(n)) 3100 buf = print_binder_buffer(buf, end, " buffer", rb_entry(n, struct binder_buffer, rb_node)); 3101 list_for_each_entry(w, &proc->todo, entry) { 3102 if (buf >= end) 3103 break; 3104 buf = print_binder_work(buf, end, " ", 3105 " pending transaction", w); 3106 } 3107 list_for_each_entry(w, &proc->delivered_death, entry) { 3108 if (buf >= end) 3109 break; 3110 buf += snprintf(buf, end - buf, " has delivered dead binder\n"); 3111 break; 3112 } 3113 if (!print_all && buf == header_buf) 3114 buf = start_buf; 3115 return buf; 3116} 3117 3118static const char *binder_return_strings[] = { 3119 "BR_ERROR", 3120 "BR_OK", 3121 "BR_TRANSACTION", 3122 "BR_REPLY", 3123 "BR_ACQUIRE_RESULT", 3124 "BR_DEAD_REPLY", 3125 "BR_TRANSACTION_COMPLETE", 3126 "BR_INCREFS", 3127 "BR_ACQUIRE", 3128 "BR_RELEASE", 3129 "BR_DECREFS", 3130 "BR_ATTEMPT_ACQUIRE", 3131 "BR_NOOP", 3132 "BR_SPAWN_LOOPER", 3133 "BR_FINISHED", 3134 "BR_DEAD_BINDER", 3135 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3136 "BR_FAILED_REPLY" 3137}; 3138 3139static const char *binder_command_strings[] = { 3140 "BC_TRANSACTION", 3141 "BC_REPLY", 3142 "BC_ACQUIRE_RESULT", 3143 "BC_FREE_BUFFER", 3144 "BC_INCREFS", 3145 "BC_ACQUIRE", 3146 "BC_RELEASE", 3147 "BC_DECREFS", 3148 "BC_INCREFS_DONE", 3149 "BC_ACQUIRE_DONE", 3150 "BC_ATTEMPT_ACQUIRE", 3151 "BC_REGISTER_LOOPER", 3152 "BC_ENTER_LOOPER", 3153 "BC_EXIT_LOOPER", 3154 "BC_REQUEST_DEATH_NOTIFICATION", 3155 "BC_CLEAR_DEATH_NOTIFICATION", 3156 "BC_DEAD_BINDER_DONE" 3157}; 3158 3159static const char *binder_objstat_strings[] = { 3160 "proc", 3161 "thread", 3162 "node", 3163 "ref", 3164 "death", 3165 "transaction", 3166 "transaction_complete" 3167}; 3168 3169static char *print_binder_stats(char *buf, char *end, const char *prefix, struct binder_stats *stats) 3170{ 3171 int i; 3172 3173 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != ARRAY_SIZE(binder_command_strings)); 3174 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3175 if (stats->bc[i]) 3176 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3177 binder_command_strings[i], stats->bc[i]); 3178 if (buf >= end) 3179 return buf; 3180 } 3181 3182 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != ARRAY_SIZE(binder_return_strings)); 3183 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3184 if (stats->br[i]) 3185 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3186 binder_return_strings[i], stats->br[i]); 3187 if (buf >= end) 3188 return buf; 3189 } 3190 3191 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != ARRAY_SIZE(binder_objstat_strings)); 3192 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != ARRAY_SIZE(stats->obj_deleted)); 3193 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3194 if (stats->obj_created[i] || stats->obj_deleted[i]) 3195 buf += snprintf(buf, end - buf, "%s%s: active %d total %d\n", prefix, 3196 binder_objstat_strings[i], 3197 stats->obj_created[i] - stats->obj_deleted[i], 3198 stats->obj_created[i]); 3199 if (buf >= end) 3200 return buf; 3201 } 3202 return buf; 3203} 3204 3205static char *print_binder_proc_stats(char *buf, char *end, struct binder_proc *proc) 3206{ 3207 struct binder_work *w; 3208 struct rb_node *n; 3209 int count, strong, weak; 3210 3211 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3212 if (buf >= end) 3213 return buf; 3214 count = 0; 3215 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3216 count++; 3217 buf += snprintf(buf, end - buf, " threads: %d\n", count); 3218 if (buf >= end) 3219 return buf; 3220 buf += snprintf(buf, end - buf, " requested threads: %d+%d/%d\n" 3221 " ready threads %d\n" 3222 " free async space %zd\n", proc->requested_threads, 3223 proc->requested_threads_started, proc->max_threads, 3224 proc->ready_threads, proc->free_async_space); 3225 if (buf >= end) 3226 return buf; 3227 count = 0; 3228 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3229 count++; 3230 buf += snprintf(buf, end - buf, " nodes: %d\n", count); 3231 if (buf >= end) 3232 return buf; 3233 count = 0; 3234 strong = 0; 3235 weak = 0; 3236 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3237 struct binder_ref *ref = rb_entry(n, struct binder_ref, rb_node_desc); 3238 count++; 3239 strong += ref->strong; 3240 weak += ref->weak; 3241 } 3242 buf += snprintf(buf, end - buf, " refs: %d s %d w %d\n", count, strong, weak); 3243 if (buf >= end) 3244 return buf; 3245 3246 count = 0; 3247 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3248 count++; 3249 buf += snprintf(buf, end - buf, " buffers: %d\n", count); 3250 if (buf >= end) 3251 return buf; 3252 3253 count = 0; 3254 list_for_each_entry(w, &proc->todo, entry) { 3255 switch (w->type) { 3256 case BINDER_WORK_TRANSACTION: 3257 count++; 3258 break; 3259 default: 3260 break; 3261 } 3262 } 3263 buf += snprintf(buf, end - buf, " pending transactions: %d\n", count); 3264 if (buf >= end) 3265 return buf; 3266 3267 buf = print_binder_stats(buf, end, " ", &proc->stats); 3268 3269 return buf; 3270} 3271 3272 3273static int binder_read_proc_state( 3274 char *page, char **start, off_t off, int count, int *eof, void *data) 3275{ 3276 struct binder_proc *proc; 3277 struct hlist_node *pos; 3278 struct binder_node *node; 3279 int len = 0; 3280 char *buf = page; 3281 char *end = page + PAGE_SIZE; 3282 int do_lock = !binder_debug_no_lock; 3283 3284 if (off) 3285 return 0; 3286 3287 if (do_lock) 3288 mutex_lock(&binder_lock); 3289 3290 buf += snprintf(buf, end - buf, "binder state:\n"); 3291 3292 if (!hlist_empty(&binder_dead_nodes)) 3293 buf += snprintf(buf, end - buf, "dead nodes:\n"); 3294 hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) { 3295 if (buf >= end) 3296 break; 3297 buf = print_binder_node(buf, end, node); 3298 } 3299 3300 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3301 if (buf >= end) 3302 break; 3303 buf = print_binder_proc(buf, end, proc, 1); 3304 } 3305 if (do_lock) 3306 mutex_unlock(&binder_lock); 3307 if (buf > page + PAGE_SIZE) 3308 buf = page + PAGE_SIZE; 3309 3310 *start = page + off; 3311 3312 len = buf - page; 3313 if (len > off) 3314 len -= off; 3315 else 3316 len = 0; 3317 3318 return len < count ? len : count; 3319} 3320 3321static int binder_read_proc_stats( 3322 char *page, char **start, off_t off, int count, int *eof, void *data) 3323{ 3324 struct binder_proc *proc; 3325 struct hlist_node *pos; 3326 int len = 0; 3327 char *p = page; 3328 int do_lock = !binder_debug_no_lock; 3329 3330 if (off) 3331 return 0; 3332 3333 if (do_lock) 3334 mutex_lock(&binder_lock); 3335 3336 p += snprintf(p, PAGE_SIZE, "binder stats:\n"); 3337 3338 p = print_binder_stats(p, page + PAGE_SIZE, "", &binder_stats); 3339 3340 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3341 if (p >= page + PAGE_SIZE) 3342 break; 3343 p = print_binder_proc_stats(p, page + PAGE_SIZE, proc); 3344 } 3345 if (do_lock) 3346 mutex_unlock(&binder_lock); 3347 if (p > page + PAGE_SIZE) 3348 p = page + PAGE_SIZE; 3349 3350 *start = page + off; 3351 3352 len = p - page; 3353 if (len > off) 3354 len -= off; 3355 else 3356 len = 0; 3357 3358 return len < count ? len : count; 3359} 3360 3361static int binder_read_proc_transactions( 3362 char *page, char **start, off_t off, int count, int *eof, void *data) 3363{ 3364 struct binder_proc *proc; 3365 struct hlist_node *pos; 3366 int len = 0; 3367 char *buf = page; 3368 char *end = page + PAGE_SIZE; 3369 int do_lock = !binder_debug_no_lock; 3370 3371 if (off) 3372 return 0; 3373 3374 if (do_lock) 3375 mutex_lock(&binder_lock); 3376 3377 buf += snprintf(buf, end - buf, "binder transactions:\n"); 3378 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3379 if (buf >= end) 3380 break; 3381 buf = print_binder_proc(buf, end, proc, 0); 3382 } 3383 if (do_lock) 3384 mutex_unlock(&binder_lock); 3385 if (buf > page + PAGE_SIZE) 3386 buf = page + PAGE_SIZE; 3387 3388 *start = page + off; 3389 3390 len = buf - page; 3391 if (len > off) 3392 len -= off; 3393 else 3394 len = 0; 3395 3396 return len < count ? len : count; 3397} 3398 3399static int binder_read_proc_proc( 3400 char *page, char **start, off_t off, int count, int *eof, void *data) 3401{ 3402 struct binder_proc *proc = data; 3403 int len = 0; 3404 char *p = page; 3405 int do_lock = !binder_debug_no_lock; 3406 3407 if (off) 3408 return 0; 3409 3410 if (do_lock) 3411 mutex_lock(&binder_lock); 3412 p += snprintf(p, PAGE_SIZE, "binder proc state:\n"); 3413 p = print_binder_proc(p, page + PAGE_SIZE, proc, 1); 3414 if (do_lock) 3415 mutex_unlock(&binder_lock); 3416 3417 if (p > page + PAGE_SIZE) 3418 p = page + PAGE_SIZE; 3419 *start = page + off; 3420 3421 len = p - page; 3422 if (len > off) 3423 len -= off; 3424 else 3425 len = 0; 3426 3427 return len < count ? len : count; 3428} 3429 3430static char *print_binder_transaction_log_entry(char *buf, char *end, struct binder_transaction_log_entry *e) 3431{ 3432 buf += snprintf(buf, end - buf, "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n", 3433 e->debug_id, (e->call_type == 2) ? "reply" : 3434 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3435 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3436 e->target_handle, e->data_size, e->offsets_size); 3437 return buf; 3438} 3439 3440static int binder_read_proc_transaction_log( 3441 char *page, char **start, off_t off, int count, int *eof, void *data) 3442{ 3443 struct binder_transaction_log *log = data; 3444 int len = 0; 3445 int i; 3446 char *buf = page; 3447 char *end = page + PAGE_SIZE; 3448 3449 if (off) 3450 return 0; 3451 3452 if (log->full) { 3453 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) { 3454 if (buf >= end) 3455 break; 3456 buf = print_binder_transaction_log_entry(buf, end, &log->entry[i]); 3457 } 3458 } 3459 for (i = 0; i < log->next; i++) { 3460 if (buf >= end) 3461 break; 3462 buf = print_binder_transaction_log_entry(buf, end, &log->entry[i]); 3463 } 3464 3465 *start = page + off; 3466 3467 len = buf - page; 3468 if (len > off) 3469 len -= off; 3470 else 3471 len = 0; 3472 3473 return len < count ? len : count; 3474} 3475 3476static struct file_operations binder_fops = { 3477 .owner = THIS_MODULE, 3478 .poll = binder_poll, 3479 .unlocked_ioctl = binder_ioctl, 3480 .mmap = binder_mmap, 3481 .open = binder_open, 3482 .flush = binder_flush, 3483 .release = binder_release, 3484}; 3485 3486static struct miscdevice binder_miscdev = { 3487 .minor = MISC_DYNAMIC_MINOR, 3488 .name = "binder", 3489 .fops = &binder_fops 3490}; 3491 3492static int __init binder_init(void) 3493{ 3494 int ret; 3495 3496 binder_proc_dir_entry_root = proc_mkdir("binder", NULL); 3497 if (binder_proc_dir_entry_root) 3498 binder_proc_dir_entry_proc = proc_mkdir("proc", binder_proc_dir_entry_root); 3499 ret = misc_register(&binder_miscdev); 3500 if (binder_proc_dir_entry_root) { 3501 create_proc_read_entry("state", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_state, NULL); 3502 create_proc_read_entry("stats", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_stats, NULL); 3503 create_proc_read_entry("transactions", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transactions, NULL); 3504 create_proc_read_entry("transaction_log", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transaction_log, &binder_transaction_log); 3505 create_proc_read_entry("failed_transaction_log", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transaction_log, &binder_transaction_log_failed); 3506 } 3507 return ret; 3508} 3509 3510device_initcall(binder_init); 3511 3512MODULE_LICENSE("GPL v2"); 3513