binder.c revision 861a0dcc397f3e94024cc311086799393ec517df
1/* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18#include <asm/cacheflush.h> 19#include <linux/fdtable.h> 20#include <linux/file.h> 21#include <linux/fs.h> 22#include <linux/list.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/mutex.h> 27#include <linux/nsproxy.h> 28#include <linux/poll.h> 29#include <linux/proc_fs.h> 30#include <linux/rbtree.h> 31#include <linux/sched.h> 32#include <linux/uaccess.h> 33#include <linux/vmalloc.h> 34#include "binder.h" 35 36static DEFINE_MUTEX(binder_lock); 37static HLIST_HEAD(binder_procs); 38static struct binder_node *binder_context_mgr_node; 39static uid_t binder_context_mgr_uid = -1; 40static int binder_last_id; 41static struct proc_dir_entry *binder_proc_dir_entry_root; 42static struct proc_dir_entry *binder_proc_dir_entry_proc; 43static struct hlist_head binder_dead_nodes; 44static HLIST_HEAD(binder_deferred_list); 45static DEFINE_MUTEX(binder_deferred_lock); 46 47static int binder_read_proc_proc( 48 char *page, char **start, off_t off, int count, int *eof, void *data); 49 50/* This is only defined in include/asm-arm/sizes.h */ 51#ifndef SZ_1K 52#define SZ_1K 0x400 53#endif 54 55#ifndef SZ_4M 56#define SZ_4M 0x400000 57#endif 58 59#define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 60 61#define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 62 63enum { 64 BINDER_DEBUG_USER_ERROR = 1U << 0, 65 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 66 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 67 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 68 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 69 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 70 BINDER_DEBUG_READ_WRITE = 1U << 6, 71 BINDER_DEBUG_USER_REFS = 1U << 7, 72 BINDER_DEBUG_THREADS = 1U << 8, 73 BINDER_DEBUG_TRANSACTION = 1U << 9, 74 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 75 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 76 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 77 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 78 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 79 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 80}; 81static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 82 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 83module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 84static int binder_debug_no_lock; 85module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 86static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 87static int binder_stop_on_user_error; 88static int binder_set_stop_on_user_error( 89 const char *val, struct kernel_param *kp) 90{ 91 int ret; 92 ret = param_set_int(val, kp); 93 if (binder_stop_on_user_error < 2) 94 wake_up(&binder_user_error_wait); 95 return ret; 96} 97module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 98 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 99 100#define binder_user_error(x...) \ 101 do { \ 102 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 103 printk(KERN_INFO x); \ 104 if (binder_stop_on_user_error) \ 105 binder_stop_on_user_error = 2; \ 106 } while (0) 107 108enum { 109 BINDER_STAT_PROC, 110 BINDER_STAT_THREAD, 111 BINDER_STAT_NODE, 112 BINDER_STAT_REF, 113 BINDER_STAT_DEATH, 114 BINDER_STAT_TRANSACTION, 115 BINDER_STAT_TRANSACTION_COMPLETE, 116 BINDER_STAT_COUNT 117}; 118 119struct binder_stats { 120 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 121 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 122 int obj_created[BINDER_STAT_COUNT]; 123 int obj_deleted[BINDER_STAT_COUNT]; 124}; 125 126static struct binder_stats binder_stats; 127 128struct binder_transaction_log_entry { 129 int debug_id; 130 int call_type; 131 int from_proc; 132 int from_thread; 133 int target_handle; 134 int to_proc; 135 int to_thread; 136 int to_node; 137 int data_size; 138 int offsets_size; 139}; 140struct binder_transaction_log { 141 int next; 142 int full; 143 struct binder_transaction_log_entry entry[32]; 144}; 145struct binder_transaction_log binder_transaction_log; 146struct binder_transaction_log binder_transaction_log_failed; 147 148static struct binder_transaction_log_entry *binder_transaction_log_add( 149 struct binder_transaction_log *log) 150{ 151 struct binder_transaction_log_entry *e; 152 e = &log->entry[log->next]; 153 memset(e, 0, sizeof(*e)); 154 log->next++; 155 if (log->next == ARRAY_SIZE(log->entry)) { 156 log->next = 0; 157 log->full = 1; 158 } 159 return e; 160} 161 162struct binder_work { 163 struct list_head entry; 164 enum { 165 BINDER_WORK_TRANSACTION = 1, 166 BINDER_WORK_TRANSACTION_COMPLETE, 167 BINDER_WORK_NODE, 168 BINDER_WORK_DEAD_BINDER, 169 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 170 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 171 } type; 172}; 173 174struct binder_node { 175 int debug_id; 176 struct binder_work work; 177 union { 178 struct rb_node rb_node; 179 struct hlist_node dead_node; 180 }; 181 struct binder_proc *proc; 182 struct hlist_head refs; 183 int internal_strong_refs; 184 int local_weak_refs; 185 int local_strong_refs; 186 void __user *ptr; 187 void __user *cookie; 188 unsigned has_strong_ref : 1; 189 unsigned pending_strong_ref : 1; 190 unsigned has_weak_ref : 1; 191 unsigned pending_weak_ref : 1; 192 unsigned has_async_transaction : 1; 193 unsigned accept_fds : 1; 194 int min_priority : 8; 195 struct list_head async_todo; 196}; 197 198struct binder_ref_death { 199 struct binder_work work; 200 void __user *cookie; 201}; 202 203struct binder_ref { 204 /* Lookups needed: */ 205 /* node + proc => ref (transaction) */ 206 /* desc + proc => ref (transaction, inc/dec ref) */ 207 /* node => refs + procs (proc exit) */ 208 int debug_id; 209 struct rb_node rb_node_desc; 210 struct rb_node rb_node_node; 211 struct hlist_node node_entry; 212 struct binder_proc *proc; 213 struct binder_node *node; 214 uint32_t desc; 215 int strong; 216 int weak; 217 struct binder_ref_death *death; 218}; 219 220struct binder_buffer { 221 struct list_head entry; /* free and allocated entries by addesss */ 222 struct rb_node rb_node; /* free entry by size or allocated entry */ 223 /* by address */ 224 unsigned free : 1; 225 unsigned allow_user_free : 1; 226 unsigned async_transaction : 1; 227 unsigned debug_id : 29; 228 229 struct binder_transaction *transaction; 230 231 struct binder_node *target_node; 232 size_t data_size; 233 size_t offsets_size; 234 uint8_t data[0]; 235}; 236 237enum { 238 BINDER_DEFERRED_PUT_FILES = 0x01, 239 BINDER_DEFERRED_FLUSH = 0x02, 240 BINDER_DEFERRED_RELEASE = 0x04, 241}; 242 243struct binder_proc { 244 struct hlist_node proc_node; 245 struct rb_root threads; 246 struct rb_root nodes; 247 struct rb_root refs_by_desc; 248 struct rb_root refs_by_node; 249 int pid; 250 struct vm_area_struct *vma; 251 struct task_struct *tsk; 252 struct files_struct *files; 253 struct hlist_node deferred_work_node; 254 int deferred_work; 255 void *buffer; 256 ptrdiff_t user_buffer_offset; 257 258 struct list_head buffers; 259 struct rb_root free_buffers; 260 struct rb_root allocated_buffers; 261 size_t free_async_space; 262 263 struct page **pages; 264 size_t buffer_size; 265 uint32_t buffer_free; 266 struct list_head todo; 267 wait_queue_head_t wait; 268 struct binder_stats stats; 269 struct list_head delivered_death; 270 int max_threads; 271 int requested_threads; 272 int requested_threads_started; 273 int ready_threads; 274 long default_priority; 275}; 276 277enum { 278 BINDER_LOOPER_STATE_REGISTERED = 0x01, 279 BINDER_LOOPER_STATE_ENTERED = 0x02, 280 BINDER_LOOPER_STATE_EXITED = 0x04, 281 BINDER_LOOPER_STATE_INVALID = 0x08, 282 BINDER_LOOPER_STATE_WAITING = 0x10, 283 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 284}; 285 286struct binder_thread { 287 struct binder_proc *proc; 288 struct rb_node rb_node; 289 int pid; 290 int looper; 291 struct binder_transaction *transaction_stack; 292 struct list_head todo; 293 uint32_t return_error; /* Write failed, return error code in read buf */ 294 uint32_t return_error2; /* Write failed, return error code in read */ 295 /* buffer. Used when sending a reply to a dead process that */ 296 /* we are also waiting on */ 297 wait_queue_head_t wait; 298 struct binder_stats stats; 299}; 300 301struct binder_transaction { 302 int debug_id; 303 struct binder_work work; 304 struct binder_thread *from; 305 struct binder_transaction *from_parent; 306 struct binder_proc *to_proc; 307 struct binder_thread *to_thread; 308 struct binder_transaction *to_parent; 309 unsigned need_reply : 1; 310 /*unsigned is_dead : 1;*/ /* not used at the moment */ 311 312 struct binder_buffer *buffer; 313 unsigned int code; 314 unsigned int flags; 315 long priority; 316 long saved_priority; 317 uid_t sender_euid; 318}; 319 320static void binder_defer_work(struct binder_proc *proc, int defer); 321 322/* 323 * copied from get_unused_fd_flags 324 */ 325int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 326{ 327 struct files_struct *files = proc->files; 328 int fd, error; 329 struct fdtable *fdt; 330 unsigned long rlim_cur; 331 unsigned long irqs; 332 333 if (files == NULL) 334 return -ESRCH; 335 336 error = -EMFILE; 337 spin_lock(&files->file_lock); 338 339repeat: 340 fdt = files_fdtable(files); 341 fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds, 342 files->next_fd); 343 344 /* 345 * N.B. For clone tasks sharing a files structure, this test 346 * will limit the total number of files that can be opened. 347 */ 348 rlim_cur = 0; 349 if (lock_task_sighand(proc->tsk, &irqs)) { 350 rlim_cur = proc->tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; 351 unlock_task_sighand(proc->tsk, &irqs); 352 } 353 if (fd >= rlim_cur) 354 goto out; 355 356 /* Do we need to expand the fd array or fd set? */ 357 error = expand_files(files, fd); 358 if (error < 0) 359 goto out; 360 361 if (error) { 362 /* 363 * If we needed to expand the fs array we 364 * might have blocked - try again. 365 */ 366 error = -EMFILE; 367 goto repeat; 368 } 369 370 FD_SET(fd, fdt->open_fds); 371 if (flags & O_CLOEXEC) 372 FD_SET(fd, fdt->close_on_exec); 373 else 374 FD_CLR(fd, fdt->close_on_exec); 375 files->next_fd = fd + 1; 376#if 1 377 /* Sanity check */ 378 if (fdt->fd[fd] != NULL) { 379 printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); 380 fdt->fd[fd] = NULL; 381 } 382#endif 383 error = fd; 384 385out: 386 spin_unlock(&files->file_lock); 387 return error; 388} 389 390/* 391 * copied from fd_install 392 */ 393static void task_fd_install( 394 struct binder_proc *proc, unsigned int fd, struct file *file) 395{ 396 struct files_struct *files = proc->files; 397 struct fdtable *fdt; 398 399 if (files == NULL) 400 return; 401 402 spin_lock(&files->file_lock); 403 fdt = files_fdtable(files); 404 BUG_ON(fdt->fd[fd] != NULL); 405 rcu_assign_pointer(fdt->fd[fd], file); 406 spin_unlock(&files->file_lock); 407} 408 409/* 410 * copied from __put_unused_fd in open.c 411 */ 412static void __put_unused_fd(struct files_struct *files, unsigned int fd) 413{ 414 struct fdtable *fdt = files_fdtable(files); 415 __FD_CLR(fd, fdt->open_fds); 416 if (fd < files->next_fd) 417 files->next_fd = fd; 418} 419 420/* 421 * copied from sys_close 422 */ 423static long task_close_fd(struct binder_proc *proc, unsigned int fd) 424{ 425 struct file *filp; 426 struct files_struct *files = proc->files; 427 struct fdtable *fdt; 428 int retval; 429 430 if (files == NULL) 431 return -ESRCH; 432 433 spin_lock(&files->file_lock); 434 fdt = files_fdtable(files); 435 if (fd >= fdt->max_fds) 436 goto out_unlock; 437 filp = fdt->fd[fd]; 438 if (!filp) 439 goto out_unlock; 440 rcu_assign_pointer(fdt->fd[fd], NULL); 441 FD_CLR(fd, fdt->close_on_exec); 442 __put_unused_fd(files, fd); 443 spin_unlock(&files->file_lock); 444 retval = filp_close(filp, files); 445 446 /* can't restart close syscall because file table entry was cleared */ 447 if (unlikely(retval == -ERESTARTSYS || 448 retval == -ERESTARTNOINTR || 449 retval == -ERESTARTNOHAND || 450 retval == -ERESTART_RESTARTBLOCK)) 451 retval = -EINTR; 452 453 return retval; 454 455out_unlock: 456 spin_unlock(&files->file_lock); 457 return -EBADF; 458} 459 460static void binder_set_nice(long nice) 461{ 462 long min_nice; 463 if (can_nice(current, nice)) { 464 set_user_nice(current, nice); 465 return; 466 } 467 min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 468 if (binder_debug_mask & BINDER_DEBUG_PRIORITY_CAP) 469 printk(KERN_INFO "binder: %d: nice value %ld not allowed use " 470 "%ld instead\n", current->pid, nice, min_nice); 471 set_user_nice(current, min_nice); 472 if (min_nice < 20) 473 return; 474 binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 475} 476 477static size_t binder_buffer_size( 478 struct binder_proc *proc, struct binder_buffer *buffer) 479{ 480 if (list_is_last(&buffer->entry, &proc->buffers)) 481 return proc->buffer + proc->buffer_size - (void *)buffer->data; 482 else 483 return (size_t)list_entry(buffer->entry.next, 484 struct binder_buffer, entry) - (size_t)buffer->data; 485} 486 487static void binder_insert_free_buffer( 488 struct binder_proc *proc, struct binder_buffer *new_buffer) 489{ 490 struct rb_node **p = &proc->free_buffers.rb_node; 491 struct rb_node *parent = NULL; 492 struct binder_buffer *buffer; 493 size_t buffer_size; 494 size_t new_buffer_size; 495 496 BUG_ON(!new_buffer->free); 497 498 new_buffer_size = binder_buffer_size(proc, new_buffer); 499 500 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 501 printk(KERN_INFO "binder: %d: add free buffer, size %zd, " 502 "at %p\n", proc->pid, new_buffer_size, new_buffer); 503 504 while (*p) { 505 parent = *p; 506 buffer = rb_entry(parent, struct binder_buffer, rb_node); 507 BUG_ON(!buffer->free); 508 509 buffer_size = binder_buffer_size(proc, buffer); 510 511 if (new_buffer_size < buffer_size) 512 p = &parent->rb_left; 513 else 514 p = &parent->rb_right; 515 } 516 rb_link_node(&new_buffer->rb_node, parent, p); 517 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 518} 519 520static void binder_insert_allocated_buffer( 521 struct binder_proc *proc, struct binder_buffer *new_buffer) 522{ 523 struct rb_node **p = &proc->allocated_buffers.rb_node; 524 struct rb_node *parent = NULL; 525 struct binder_buffer *buffer; 526 527 BUG_ON(new_buffer->free); 528 529 while (*p) { 530 parent = *p; 531 buffer = rb_entry(parent, struct binder_buffer, rb_node); 532 BUG_ON(buffer->free); 533 534 if (new_buffer < buffer) 535 p = &parent->rb_left; 536 else if (new_buffer > buffer) 537 p = &parent->rb_right; 538 else 539 BUG(); 540 } 541 rb_link_node(&new_buffer->rb_node, parent, p); 542 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 543} 544 545static struct binder_buffer *binder_buffer_lookup( 546 struct binder_proc *proc, void __user *user_ptr) 547{ 548 struct rb_node *n = proc->allocated_buffers.rb_node; 549 struct binder_buffer *buffer; 550 struct binder_buffer *kern_ptr; 551 552 kern_ptr = user_ptr - proc->user_buffer_offset 553 - offsetof(struct binder_buffer, data); 554 555 while (n) { 556 buffer = rb_entry(n, struct binder_buffer, rb_node); 557 BUG_ON(buffer->free); 558 559 if (kern_ptr < buffer) 560 n = n->rb_left; 561 else if (kern_ptr > buffer) 562 n = n->rb_right; 563 else 564 return buffer; 565 } 566 return NULL; 567} 568 569static int binder_update_page_range(struct binder_proc *proc, int allocate, 570 void *start, void *end, struct vm_area_struct *vma) 571{ 572 void *page_addr; 573 unsigned long user_page_addr; 574 struct vm_struct tmp_area; 575 struct page **page; 576 struct mm_struct *mm; 577 578 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 579 printk(KERN_INFO "binder: %d: %s pages %p-%p\n", 580 proc->pid, allocate ? "allocate" : "free", start, end); 581 582 if (end <= start) 583 return 0; 584 585 if (vma) 586 mm = NULL; 587 else 588 mm = get_task_mm(proc->tsk); 589 590 if (mm) { 591 down_write(&mm->mmap_sem); 592 vma = proc->vma; 593 } 594 595 if (allocate == 0) 596 goto free_range; 597 598 if (vma == NULL) { 599 printk(KERN_ERR "binder: %d: binder_alloc_buf failed to " 600 "map pages in userspace, no vma\n", proc->pid); 601 goto err_no_vma; 602 } 603 604 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 605 int ret; 606 struct page **page_array_ptr; 607 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 608 609 BUG_ON(*page); 610 *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 611 if (*page == NULL) { 612 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 613 "for page at %p\n", proc->pid, page_addr); 614 goto err_alloc_page_failed; 615 } 616 tmp_area.addr = page_addr; 617 tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 618 page_array_ptr = page; 619 ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 620 if (ret) { 621 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 622 "to map page at %p in kernel\n", 623 proc->pid, page_addr); 624 goto err_map_kernel_failed; 625 } 626 user_page_addr = 627 (uintptr_t)page_addr + proc->user_buffer_offset; 628 ret = vm_insert_page(vma, user_page_addr, page[0]); 629 if (ret) { 630 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 631 "to map page at %lx in userspace\n", 632 proc->pid, user_page_addr); 633 goto err_vm_insert_page_failed; 634 } 635 /* vm_insert_page does not seem to increment the refcount */ 636 } 637 if (mm) { 638 up_write(&mm->mmap_sem); 639 mmput(mm); 640 } 641 return 0; 642 643free_range: 644 for (page_addr = end - PAGE_SIZE; page_addr >= start; 645 page_addr -= PAGE_SIZE) { 646 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 647 if (vma) 648 zap_page_range(vma, (uintptr_t)page_addr + 649 proc->user_buffer_offset, PAGE_SIZE, NULL); 650err_vm_insert_page_failed: 651 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 652err_map_kernel_failed: 653 __free_page(*page); 654 *page = NULL; 655err_alloc_page_failed: 656 ; 657 } 658err_no_vma: 659 if (mm) { 660 up_write(&mm->mmap_sem); 661 mmput(mm); 662 } 663 return -ENOMEM; 664} 665 666static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 667 size_t data_size, size_t offsets_size, int is_async) 668{ 669 struct rb_node *n = proc->free_buffers.rb_node; 670 struct binder_buffer *buffer; 671 size_t buffer_size; 672 struct rb_node *best_fit = NULL; 673 void *has_page_addr; 674 void *end_page_addr; 675 size_t size; 676 677 if (proc->vma == NULL) { 678 printk(KERN_ERR "binder: %d: binder_alloc_buf, no vma\n", 679 proc->pid); 680 return NULL; 681 } 682 683 size = ALIGN(data_size, sizeof(void *)) + 684 ALIGN(offsets_size, sizeof(void *)); 685 686 if (size < data_size || size < offsets_size) { 687 binder_user_error("binder: %d: got transaction with invalid " 688 "size %zd-%zd\n", proc->pid, data_size, offsets_size); 689 return NULL; 690 } 691 692 if (is_async && 693 proc->free_async_space < size + sizeof(struct binder_buffer)) { 694 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 695 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd f" 696 "ailed, no async space left\n", proc->pid, size); 697 return NULL; 698 } 699 700 while (n) { 701 buffer = rb_entry(n, struct binder_buffer, rb_node); 702 BUG_ON(!buffer->free); 703 buffer_size = binder_buffer_size(proc, buffer); 704 705 if (size < buffer_size) { 706 best_fit = n; 707 n = n->rb_left; 708 } else if (size > buffer_size) 709 n = n->rb_right; 710 else { 711 best_fit = n; 712 break; 713 } 714 } 715 if (best_fit == NULL) { 716 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd failed, " 717 "no address space\n", proc->pid, size); 718 return NULL; 719 } 720 if (n == NULL) { 721 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 722 buffer_size = binder_buffer_size(proc, buffer); 723 } 724 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 725 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd got buff" 726 "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 727 728 has_page_addr = 729 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 730 if (n == NULL) { 731 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 732 buffer_size = size; /* no room for other buffers */ 733 else 734 buffer_size = size + sizeof(struct binder_buffer); 735 } 736 end_page_addr = 737 (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); 738 if (end_page_addr > has_page_addr) 739 end_page_addr = has_page_addr; 740 if (binder_update_page_range(proc, 1, 741 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) 742 return NULL; 743 744 rb_erase(best_fit, &proc->free_buffers); 745 buffer->free = 0; 746 binder_insert_allocated_buffer(proc, buffer); 747 if (buffer_size != size) { 748 struct binder_buffer *new_buffer = (void *)buffer->data + size; 749 list_add(&new_buffer->entry, &buffer->entry); 750 new_buffer->free = 1; 751 binder_insert_free_buffer(proc, new_buffer); 752 } 753 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 754 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd got " 755 "%p\n", proc->pid, size, buffer); 756 buffer->data_size = data_size; 757 buffer->offsets_size = offsets_size; 758 buffer->async_transaction = is_async; 759 if (is_async) { 760 proc->free_async_space -= size + sizeof(struct binder_buffer); 761 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC_ASYNC) 762 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd " 763 "async free %zd\n", proc->pid, size, 764 proc->free_async_space); 765 } 766 767 return buffer; 768} 769 770static void *buffer_start_page(struct binder_buffer *buffer) 771{ 772 return (void *)((uintptr_t)buffer & PAGE_MASK); 773} 774 775static void *buffer_end_page(struct binder_buffer *buffer) 776{ 777 return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); 778} 779 780static void binder_delete_free_buffer( 781 struct binder_proc *proc, struct binder_buffer *buffer) 782{ 783 struct binder_buffer *prev, *next = NULL; 784 int free_page_end = 1; 785 int free_page_start = 1; 786 787 BUG_ON(proc->buffers.next == &buffer->entry); 788 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 789 BUG_ON(!prev->free); 790 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 791 free_page_start = 0; 792 if (buffer_end_page(prev) == buffer_end_page(buffer)) 793 free_page_end = 0; 794 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 795 printk(KERN_INFO "binder: %d: merge free, buffer %p " 796 "share page with %p\n", proc->pid, buffer, prev); 797 } 798 799 if (!list_is_last(&buffer->entry, &proc->buffers)) { 800 next = list_entry(buffer->entry.next, 801 struct binder_buffer, entry); 802 if (buffer_start_page(next) == buffer_end_page(buffer)) { 803 free_page_end = 0; 804 if (buffer_start_page(next) == 805 buffer_start_page(buffer)) 806 free_page_start = 0; 807 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 808 printk(KERN_INFO "binder: %d: merge free, " 809 "buffer %p share page with %p\n", 810 proc->pid, buffer, prev); 811 } 812 } 813 list_del(&buffer->entry); 814 if (free_page_start || free_page_end) { 815 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 816 printk(KERN_INFO "binder: %d: merge free, buffer %p do " 817 "not share page%s%s with with %p or %p\n", 818 proc->pid, buffer, free_page_start ? "" : " end", 819 free_page_end ? "" : " start", prev, next); 820 binder_update_page_range(proc, 0, free_page_start ? 821 buffer_start_page(buffer) : buffer_end_page(buffer), 822 (free_page_end ? buffer_end_page(buffer) : 823 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 824 } 825} 826 827static void binder_free_buf( 828 struct binder_proc *proc, struct binder_buffer *buffer) 829{ 830 size_t size, buffer_size; 831 832 buffer_size = binder_buffer_size(proc, buffer); 833 834 size = ALIGN(buffer->data_size, sizeof(void *)) + 835 ALIGN(buffer->offsets_size, sizeof(void *)); 836 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 837 printk(KERN_INFO "binder: %d: binder_free_buf %p size %zd buffer" 838 "_size %zd\n", proc->pid, buffer, size, buffer_size); 839 840 BUG_ON(buffer->free); 841 BUG_ON(size > buffer_size); 842 BUG_ON(buffer->transaction != NULL); 843 BUG_ON((void *)buffer < proc->buffer); 844 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 845 846 if (buffer->async_transaction) { 847 proc->free_async_space += size + sizeof(struct binder_buffer); 848 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC_ASYNC) 849 printk(KERN_INFO "binder: %d: binder_free_buf size %zd " 850 "async free %zd\n", proc->pid, size, 851 proc->free_async_space); 852 } 853 854 binder_update_page_range(proc, 0, 855 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 856 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), 857 NULL); 858 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 859 buffer->free = 1; 860 if (!list_is_last(&buffer->entry, &proc->buffers)) { 861 struct binder_buffer *next = list_entry(buffer->entry.next, 862 struct binder_buffer, entry); 863 if (next->free) { 864 rb_erase(&next->rb_node, &proc->free_buffers); 865 binder_delete_free_buffer(proc, next); 866 } 867 } 868 if (proc->buffers.next != &buffer->entry) { 869 struct binder_buffer *prev = list_entry(buffer->entry.prev, 870 struct binder_buffer, entry); 871 if (prev->free) { 872 binder_delete_free_buffer(proc, buffer); 873 rb_erase(&prev->rb_node, &proc->free_buffers); 874 buffer = prev; 875 } 876 } 877 binder_insert_free_buffer(proc, buffer); 878} 879 880static struct binder_node * 881binder_get_node(struct binder_proc *proc, void __user *ptr) 882{ 883 struct rb_node *n = proc->nodes.rb_node; 884 struct binder_node *node; 885 886 while (n) { 887 node = rb_entry(n, struct binder_node, rb_node); 888 889 if (ptr < node->ptr) 890 n = n->rb_left; 891 else if (ptr > node->ptr) 892 n = n->rb_right; 893 else 894 return node; 895 } 896 return NULL; 897} 898 899static struct binder_node * 900binder_new_node(struct binder_proc *proc, void __user *ptr, void __user *cookie) 901{ 902 struct rb_node **p = &proc->nodes.rb_node; 903 struct rb_node *parent = NULL; 904 struct binder_node *node; 905 906 while (*p) { 907 parent = *p; 908 node = rb_entry(parent, struct binder_node, rb_node); 909 910 if (ptr < node->ptr) 911 p = &(*p)->rb_left; 912 else if (ptr > node->ptr) 913 p = &(*p)->rb_right; 914 else 915 return NULL; 916 } 917 918 node = kzalloc(sizeof(*node), GFP_KERNEL); 919 if (node == NULL) 920 return NULL; 921 binder_stats.obj_created[BINDER_STAT_NODE]++; 922 rb_link_node(&node->rb_node, parent, p); 923 rb_insert_color(&node->rb_node, &proc->nodes); 924 node->debug_id = ++binder_last_id; 925 node->proc = proc; 926 node->ptr = ptr; 927 node->cookie = cookie; 928 node->work.type = BINDER_WORK_NODE; 929 INIT_LIST_HEAD(&node->work.entry); 930 INIT_LIST_HEAD(&node->async_todo); 931 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 932 printk(KERN_INFO "binder: %d:%d node %d u%p c%p created\n", 933 proc->pid, current->pid, node->debug_id, 934 node->ptr, node->cookie); 935 return node; 936} 937 938static int 939binder_inc_node(struct binder_node *node, int strong, int internal, 940 struct list_head *target_list) 941{ 942 if (strong) { 943 if (internal) { 944 if (target_list == NULL && 945 node->internal_strong_refs == 0 && 946 !(node == binder_context_mgr_node && 947 node->has_strong_ref)) { 948 printk(KERN_ERR "binder: invalid inc strong " 949 "node for %d\n", node->debug_id); 950 return -EINVAL; 951 } 952 node->internal_strong_refs++; 953 } else 954 node->local_strong_refs++; 955 if (!node->has_strong_ref && target_list) { 956 list_del_init(&node->work.entry); 957 list_add_tail(&node->work.entry, target_list); 958 } 959 } else { 960 if (!internal) 961 node->local_weak_refs++; 962 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 963 if (target_list == NULL) { 964 printk(KERN_ERR "binder: invalid inc weak node " 965 "for %d\n", node->debug_id); 966 return -EINVAL; 967 } 968 list_add_tail(&node->work.entry, target_list); 969 } 970 } 971 return 0; 972} 973 974static int 975binder_dec_node(struct binder_node *node, int strong, int internal) 976{ 977 if (strong) { 978 if (internal) 979 node->internal_strong_refs--; 980 else 981 node->local_strong_refs--; 982 if (node->local_strong_refs || node->internal_strong_refs) 983 return 0; 984 } else { 985 if (!internal) 986 node->local_weak_refs--; 987 if (node->local_weak_refs || !hlist_empty(&node->refs)) 988 return 0; 989 } 990 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 991 if (list_empty(&node->work.entry)) { 992 list_add_tail(&node->work.entry, &node->proc->todo); 993 wake_up_interruptible(&node->proc->wait); 994 } 995 } else { 996 if (hlist_empty(&node->refs) && !node->local_strong_refs && 997 !node->local_weak_refs) { 998 list_del_init(&node->work.entry); 999 if (node->proc) { 1000 rb_erase(&node->rb_node, &node->proc->nodes); 1001 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1002 printk(KERN_INFO "binder: refless node %d deleted\n", node->debug_id); 1003 } else { 1004 hlist_del(&node->dead_node); 1005 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1006 printk(KERN_INFO "binder: dead node %d deleted\n", node->debug_id); 1007 } 1008 kfree(node); 1009 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 1010 } 1011 } 1012 1013 return 0; 1014} 1015 1016 1017static struct binder_ref * 1018binder_get_ref(struct binder_proc *proc, uint32_t desc) 1019{ 1020 struct rb_node *n = proc->refs_by_desc.rb_node; 1021 struct binder_ref *ref; 1022 1023 while (n) { 1024 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1025 1026 if (desc < ref->desc) 1027 n = n->rb_left; 1028 else if (desc > ref->desc) 1029 n = n->rb_right; 1030 else 1031 return ref; 1032 } 1033 return NULL; 1034} 1035 1036static struct binder_ref * 1037binder_get_ref_for_node(struct binder_proc *proc, struct binder_node *node) 1038{ 1039 struct rb_node *n; 1040 struct rb_node **p = &proc->refs_by_node.rb_node; 1041 struct rb_node *parent = NULL; 1042 struct binder_ref *ref, *new_ref; 1043 1044 while (*p) { 1045 parent = *p; 1046 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1047 1048 if (node < ref->node) 1049 p = &(*p)->rb_left; 1050 else if (node > ref->node) 1051 p = &(*p)->rb_right; 1052 else 1053 return ref; 1054 } 1055 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1056 if (new_ref == NULL) 1057 return NULL; 1058 binder_stats.obj_created[BINDER_STAT_REF]++; 1059 new_ref->debug_id = ++binder_last_id; 1060 new_ref->proc = proc; 1061 new_ref->node = node; 1062 rb_link_node(&new_ref->rb_node_node, parent, p); 1063 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1064 1065 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1066 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1067 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1068 if (ref->desc > new_ref->desc) 1069 break; 1070 new_ref->desc = ref->desc + 1; 1071 } 1072 1073 p = &proc->refs_by_desc.rb_node; 1074 while (*p) { 1075 parent = *p; 1076 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1077 1078 if (new_ref->desc < ref->desc) 1079 p = &(*p)->rb_left; 1080 else if (new_ref->desc > ref->desc) 1081 p = &(*p)->rb_right; 1082 else 1083 BUG(); 1084 } 1085 rb_link_node(&new_ref->rb_node_desc, parent, p); 1086 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1087 if (node) { 1088 hlist_add_head(&new_ref->node_entry, &node->refs); 1089 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1090 printk(KERN_INFO "binder: %d new ref %d desc %d for " 1091 "node %d\n", proc->pid, new_ref->debug_id, 1092 new_ref->desc, node->debug_id); 1093 } else { 1094 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1095 printk(KERN_INFO "binder: %d new ref %d desc %d for " 1096 "dead node\n", proc->pid, new_ref->debug_id, 1097 new_ref->desc); 1098 } 1099 return new_ref; 1100} 1101 1102static void 1103binder_delete_ref(struct binder_ref *ref) 1104{ 1105 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1106 printk(KERN_INFO "binder: %d delete ref %d desc %d for " 1107 "node %d\n", ref->proc->pid, ref->debug_id, 1108 ref->desc, ref->node->debug_id); 1109 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1110 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1111 if (ref->strong) 1112 binder_dec_node(ref->node, 1, 1); 1113 hlist_del(&ref->node_entry); 1114 binder_dec_node(ref->node, 0, 1); 1115 if (ref->death) { 1116 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1117 printk(KERN_INFO "binder: %d delete ref %d desc %d " 1118 "has death notification\n", ref->proc->pid, 1119 ref->debug_id, ref->desc); 1120 list_del(&ref->death->work.entry); 1121 kfree(ref->death); 1122 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 1123 } 1124 kfree(ref); 1125 binder_stats.obj_deleted[BINDER_STAT_REF]++; 1126} 1127 1128static int 1129binder_inc_ref( 1130 struct binder_ref *ref, int strong, struct list_head *target_list) 1131{ 1132 int ret; 1133 if (strong) { 1134 if (ref->strong == 0) { 1135 ret = binder_inc_node(ref->node, 1, 1, target_list); 1136 if (ret) 1137 return ret; 1138 } 1139 ref->strong++; 1140 } else { 1141 if (ref->weak == 0) { 1142 ret = binder_inc_node(ref->node, 0, 1, target_list); 1143 if (ret) 1144 return ret; 1145 } 1146 ref->weak++; 1147 } 1148 return 0; 1149} 1150 1151 1152static int 1153binder_dec_ref(struct binder_ref *ref, int strong) 1154{ 1155 if (strong) { 1156 if (ref->strong == 0) { 1157 binder_user_error("binder: %d invalid dec strong, " 1158 "ref %d desc %d s %d w %d\n", 1159 ref->proc->pid, ref->debug_id, 1160 ref->desc, ref->strong, ref->weak); 1161 return -EINVAL; 1162 } 1163 ref->strong--; 1164 if (ref->strong == 0) { 1165 int ret; 1166 ret = binder_dec_node(ref->node, strong, 1); 1167 if (ret) 1168 return ret; 1169 } 1170 } else { 1171 if (ref->weak == 0) { 1172 binder_user_error("binder: %d invalid dec weak, " 1173 "ref %d desc %d s %d w %d\n", 1174 ref->proc->pid, ref->debug_id, 1175 ref->desc, ref->strong, ref->weak); 1176 return -EINVAL; 1177 } 1178 ref->weak--; 1179 } 1180 if (ref->strong == 0 && ref->weak == 0) 1181 binder_delete_ref(ref); 1182 return 0; 1183} 1184 1185static void 1186binder_pop_transaction( 1187 struct binder_thread *target_thread, struct binder_transaction *t) 1188{ 1189 if (target_thread) { 1190 BUG_ON(target_thread->transaction_stack != t); 1191 BUG_ON(target_thread->transaction_stack->from != target_thread); 1192 target_thread->transaction_stack = 1193 target_thread->transaction_stack->from_parent; 1194 t->from = NULL; 1195 } 1196 t->need_reply = 0; 1197 if (t->buffer) 1198 t->buffer->transaction = NULL; 1199 kfree(t); 1200 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1201} 1202 1203static void 1204binder_send_failed_reply(struct binder_transaction *t, uint32_t error_code) 1205{ 1206 struct binder_thread *target_thread; 1207 BUG_ON(t->flags & TF_ONE_WAY); 1208 while (1) { 1209 target_thread = t->from; 1210 if (target_thread) { 1211 if (target_thread->return_error != BR_OK && 1212 target_thread->return_error2 == BR_OK) { 1213 target_thread->return_error2 = 1214 target_thread->return_error; 1215 target_thread->return_error = BR_OK; 1216 } 1217 if (target_thread->return_error == BR_OK) { 1218 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1219 printk(KERN_INFO "binder: send failed reply for transaction %d to %d:%d\n", 1220 t->debug_id, target_thread->proc->pid, target_thread->pid); 1221 1222 binder_pop_transaction(target_thread, t); 1223 target_thread->return_error = error_code; 1224 wake_up_interruptible(&target_thread->wait); 1225 } else { 1226 printk(KERN_ERR "binder: reply failed, target " 1227 "thread, %d:%d, has error code %d " 1228 "already\n", target_thread->proc->pid, 1229 target_thread->pid, 1230 target_thread->return_error); 1231 } 1232 return; 1233 } else { 1234 struct binder_transaction *next = t->from_parent; 1235 1236 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1237 printk(KERN_INFO "binder: send failed reply " 1238 "for transaction %d, target dead\n", 1239 t->debug_id); 1240 1241 binder_pop_transaction(target_thread, t); 1242 if (next == NULL) { 1243 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1244 printk(KERN_INFO "binder: reply failed," 1245 " no target thread at root\n"); 1246 return; 1247 } 1248 t = next; 1249 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1250 printk(KERN_INFO "binder: reply failed, no targ" 1251 "et thread -- retry %d\n", t->debug_id); 1252 } 1253 } 1254} 1255 1256static void 1257binder_transaction_buffer_release(struct binder_proc *proc, 1258 struct binder_buffer *buffer, size_t *failed_at); 1259 1260static void 1261binder_transaction(struct binder_proc *proc, struct binder_thread *thread, 1262 struct binder_transaction_data *tr, int reply) 1263{ 1264 struct binder_transaction *t; 1265 struct binder_work *tcomplete; 1266 size_t *offp, *off_end; 1267 struct binder_proc *target_proc; 1268 struct binder_thread *target_thread = NULL; 1269 struct binder_node *target_node = NULL; 1270 struct list_head *target_list; 1271 wait_queue_head_t *target_wait; 1272 struct binder_transaction *in_reply_to = NULL; 1273 struct binder_transaction_log_entry *e; 1274 uint32_t return_error; 1275 1276 e = binder_transaction_log_add(&binder_transaction_log); 1277 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1278 e->from_proc = proc->pid; 1279 e->from_thread = thread->pid; 1280 e->target_handle = tr->target.handle; 1281 e->data_size = tr->data_size; 1282 e->offsets_size = tr->offsets_size; 1283 1284 if (reply) { 1285 in_reply_to = thread->transaction_stack; 1286 if (in_reply_to == NULL) { 1287 binder_user_error("binder: %d:%d got reply transaction " 1288 "with no transaction stack\n", 1289 proc->pid, thread->pid); 1290 return_error = BR_FAILED_REPLY; 1291 goto err_empty_call_stack; 1292 } 1293 binder_set_nice(in_reply_to->saved_priority); 1294 if (in_reply_to->to_thread != thread) { 1295 binder_user_error("binder: %d:%d got reply transaction " 1296 "with bad transaction stack," 1297 " transaction %d has target %d:%d\n", 1298 proc->pid, thread->pid, in_reply_to->debug_id, 1299 in_reply_to->to_proc ? 1300 in_reply_to->to_proc->pid : 0, 1301 in_reply_to->to_thread ? 1302 in_reply_to->to_thread->pid : 0); 1303 return_error = BR_FAILED_REPLY; 1304 in_reply_to = NULL; 1305 goto err_bad_call_stack; 1306 } 1307 thread->transaction_stack = in_reply_to->to_parent; 1308 target_thread = in_reply_to->from; 1309 if (target_thread == NULL) { 1310 return_error = BR_DEAD_REPLY; 1311 goto err_dead_binder; 1312 } 1313 if (target_thread->transaction_stack != in_reply_to) { 1314 binder_user_error("binder: %d:%d got reply transaction " 1315 "with bad target transaction stack %d, " 1316 "expected %d\n", 1317 proc->pid, thread->pid, 1318 target_thread->transaction_stack ? 1319 target_thread->transaction_stack->debug_id : 0, 1320 in_reply_to->debug_id); 1321 return_error = BR_FAILED_REPLY; 1322 in_reply_to = NULL; 1323 target_thread = NULL; 1324 goto err_dead_binder; 1325 } 1326 target_proc = target_thread->proc; 1327 } else { 1328 if (tr->target.handle) { 1329 struct binder_ref *ref; 1330 ref = binder_get_ref(proc, tr->target.handle); 1331 if (ref == NULL) { 1332 binder_user_error("binder: %d:%d got " 1333 "transaction to invalid handle\n", 1334 proc->pid, thread->pid); 1335 return_error = BR_FAILED_REPLY; 1336 goto err_invalid_target_handle; 1337 } 1338 target_node = ref->node; 1339 } else { 1340 target_node = binder_context_mgr_node; 1341 if (target_node == NULL) { 1342 return_error = BR_DEAD_REPLY; 1343 goto err_no_context_mgr_node; 1344 } 1345 } 1346 e->to_node = target_node->debug_id; 1347 target_proc = target_node->proc; 1348 if (target_proc == NULL) { 1349 return_error = BR_DEAD_REPLY; 1350 goto err_dead_binder; 1351 } 1352 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1353 struct binder_transaction *tmp; 1354 tmp = thread->transaction_stack; 1355 if (tmp->to_thread != thread) { 1356 binder_user_error("binder: %d:%d got new " 1357 "transaction with bad transaction stack" 1358 ", transaction %d has target %d:%d\n", 1359 proc->pid, thread->pid, tmp->debug_id, 1360 tmp->to_proc ? tmp->to_proc->pid : 0, 1361 tmp->to_thread ? 1362 tmp->to_thread->pid : 0); 1363 return_error = BR_FAILED_REPLY; 1364 goto err_bad_call_stack; 1365 } 1366 while (tmp) { 1367 if (tmp->from && tmp->from->proc == target_proc) 1368 target_thread = tmp->from; 1369 tmp = tmp->from_parent; 1370 } 1371 } 1372 } 1373 if (target_thread) { 1374 e->to_thread = target_thread->pid; 1375 target_list = &target_thread->todo; 1376 target_wait = &target_thread->wait; 1377 } else { 1378 target_list = &target_proc->todo; 1379 target_wait = &target_proc->wait; 1380 } 1381 e->to_proc = target_proc->pid; 1382 1383 /* TODO: reuse incoming transaction for reply */ 1384 t = kzalloc(sizeof(*t), GFP_KERNEL); 1385 if (t == NULL) { 1386 return_error = BR_FAILED_REPLY; 1387 goto err_alloc_t_failed; 1388 } 1389 binder_stats.obj_created[BINDER_STAT_TRANSACTION]++; 1390 1391 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1392 if (tcomplete == NULL) { 1393 return_error = BR_FAILED_REPLY; 1394 goto err_alloc_tcomplete_failed; 1395 } 1396 binder_stats.obj_created[BINDER_STAT_TRANSACTION_COMPLETE]++; 1397 1398 t->debug_id = ++binder_last_id; 1399 e->debug_id = t->debug_id; 1400 1401 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) { 1402 if (reply) 1403 printk(KERN_INFO "binder: %d:%d BC_REPLY %d -> %d:%d, " 1404 "data %p-%p size %zd-%zd\n", 1405 proc->pid, thread->pid, t->debug_id, 1406 target_proc->pid, target_thread->pid, 1407 tr->data.ptr.buffer, tr->data.ptr.offsets, 1408 tr->data_size, tr->offsets_size); 1409 else 1410 printk(KERN_INFO "binder: %d:%d BC_TRANSACTION %d -> " 1411 "%d - node %d, data %p-%p size %zd-%zd\n", 1412 proc->pid, thread->pid, t->debug_id, 1413 target_proc->pid, target_node->debug_id, 1414 tr->data.ptr.buffer, tr->data.ptr.offsets, 1415 tr->data_size, tr->offsets_size); 1416 } 1417 1418 if (!reply && !(tr->flags & TF_ONE_WAY)) 1419 t->from = thread; 1420 else 1421 t->from = NULL; 1422 t->sender_euid = proc->tsk->cred->euid; 1423 t->to_proc = target_proc; 1424 t->to_thread = target_thread; 1425 t->code = tr->code; 1426 t->flags = tr->flags; 1427 t->priority = task_nice(current); 1428 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1429 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1430 if (t->buffer == NULL) { 1431 return_error = BR_FAILED_REPLY; 1432 goto err_binder_alloc_buf_failed; 1433 } 1434 t->buffer->allow_user_free = 0; 1435 t->buffer->debug_id = t->debug_id; 1436 t->buffer->transaction = t; 1437 t->buffer->target_node = target_node; 1438 if (target_node) 1439 binder_inc_node(target_node, 1, 0, NULL); 1440 1441 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1442 1443 if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1444 binder_user_error("binder: %d:%d got transaction with invalid " 1445 "data ptr\n", proc->pid, thread->pid); 1446 return_error = BR_FAILED_REPLY; 1447 goto err_copy_data_failed; 1448 } 1449 if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1450 binder_user_error("binder: %d:%d got transaction with invalid " 1451 "offsets ptr\n", proc->pid, thread->pid); 1452 return_error = BR_FAILED_REPLY; 1453 goto err_copy_data_failed; 1454 } 1455 if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { 1456 binder_user_error("binder: %d:%d got transaction with " 1457 "invalid offsets size, %zd\n", 1458 proc->pid, thread->pid, tr->offsets_size); 1459 return_error = BR_FAILED_REPLY; 1460 goto err_bad_offset; 1461 } 1462 off_end = (void *)offp + tr->offsets_size; 1463 for (; offp < off_end; offp++) { 1464 struct flat_binder_object *fp; 1465 if (*offp > t->buffer->data_size - sizeof(*fp) || 1466 t->buffer->data_size < sizeof(*fp) || 1467 !IS_ALIGNED(*offp, sizeof(void *))) { 1468 binder_user_error("binder: %d:%d got transaction with " 1469 "invalid offset, %zd\n", 1470 proc->pid, thread->pid, *offp); 1471 return_error = BR_FAILED_REPLY; 1472 goto err_bad_offset; 1473 } 1474 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1475 switch (fp->type) { 1476 case BINDER_TYPE_BINDER: 1477 case BINDER_TYPE_WEAK_BINDER: { 1478 struct binder_ref *ref; 1479 struct binder_node *node = binder_get_node(proc, fp->binder); 1480 if (node == NULL) { 1481 node = binder_new_node(proc, fp->binder, fp->cookie); 1482 if (node == NULL) { 1483 return_error = BR_FAILED_REPLY; 1484 goto err_binder_new_node_failed; 1485 } 1486 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1487 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1488 } 1489 if (fp->cookie != node->cookie) { 1490 binder_user_error("binder: %d:%d sending u%p " 1491 "node %d, cookie mismatch %p != %p\n", 1492 proc->pid, thread->pid, 1493 fp->binder, node->debug_id, 1494 fp->cookie, node->cookie); 1495 goto err_binder_get_ref_for_node_failed; 1496 } 1497 ref = binder_get_ref_for_node(target_proc, node); 1498 if (ref == NULL) { 1499 return_error = BR_FAILED_REPLY; 1500 goto err_binder_get_ref_for_node_failed; 1501 } 1502 if (fp->type == BINDER_TYPE_BINDER) 1503 fp->type = BINDER_TYPE_HANDLE; 1504 else 1505 fp->type = BINDER_TYPE_WEAK_HANDLE; 1506 fp->handle = ref->desc; 1507 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, &thread->todo); 1508 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1509 printk(KERN_INFO " node %d u%p -> ref %d desc %d\n", 1510 node->debug_id, node->ptr, ref->debug_id, ref->desc); 1511 } break; 1512 case BINDER_TYPE_HANDLE: 1513 case BINDER_TYPE_WEAK_HANDLE: { 1514 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1515 if (ref == NULL) { 1516 binder_user_error("binder: %d:%d got " 1517 "transaction with invalid " 1518 "handle, %ld\n", proc->pid, 1519 thread->pid, fp->handle); 1520 return_error = BR_FAILED_REPLY; 1521 goto err_binder_get_ref_failed; 1522 } 1523 if (ref->node->proc == target_proc) { 1524 if (fp->type == BINDER_TYPE_HANDLE) 1525 fp->type = BINDER_TYPE_BINDER; 1526 else 1527 fp->type = BINDER_TYPE_WEAK_BINDER; 1528 fp->binder = ref->node->ptr; 1529 fp->cookie = ref->node->cookie; 1530 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1531 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1532 printk(KERN_INFO " ref %d desc %d -> node %d u%p\n", 1533 ref->debug_id, ref->desc, ref->node->debug_id, ref->node->ptr); 1534 } else { 1535 struct binder_ref *new_ref; 1536 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1537 if (new_ref == NULL) { 1538 return_error = BR_FAILED_REPLY; 1539 goto err_binder_get_ref_for_node_failed; 1540 } 1541 fp->handle = new_ref->desc; 1542 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1543 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1544 printk(KERN_INFO " ref %d desc %d -> ref %d desc %d (node %d)\n", 1545 ref->debug_id, ref->desc, new_ref->debug_id, new_ref->desc, ref->node->debug_id); 1546 } 1547 } break; 1548 1549 case BINDER_TYPE_FD: { 1550 int target_fd; 1551 struct file *file; 1552 1553 if (reply) { 1554 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1555 binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1556 proc->pid, thread->pid, fp->handle); 1557 return_error = BR_FAILED_REPLY; 1558 goto err_fd_not_allowed; 1559 } 1560 } else if (!target_node->accept_fds) { 1561 binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1562 proc->pid, thread->pid, fp->handle); 1563 return_error = BR_FAILED_REPLY; 1564 goto err_fd_not_allowed; 1565 } 1566 1567 file = fget(fp->handle); 1568 if (file == NULL) { 1569 binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1570 proc->pid, thread->pid, fp->handle); 1571 return_error = BR_FAILED_REPLY; 1572 goto err_fget_failed; 1573 } 1574 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 1575 if (target_fd < 0) { 1576 fput(file); 1577 return_error = BR_FAILED_REPLY; 1578 goto err_get_unused_fd_failed; 1579 } 1580 task_fd_install(target_proc, target_fd, file); 1581 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1582 printk(KERN_INFO " fd %ld -> %d\n", fp->handle, target_fd); 1583 /* TODO: fput? */ 1584 fp->handle = target_fd; 1585 } break; 1586 1587 default: 1588 binder_user_error("binder: %d:%d got transactio" 1589 "n with invalid object type, %lx\n", 1590 proc->pid, thread->pid, fp->type); 1591 return_error = BR_FAILED_REPLY; 1592 goto err_bad_object_type; 1593 } 1594 } 1595 if (reply) { 1596 BUG_ON(t->buffer->async_transaction != 0); 1597 binder_pop_transaction(target_thread, in_reply_to); 1598 } else if (!(t->flags & TF_ONE_WAY)) { 1599 BUG_ON(t->buffer->async_transaction != 0); 1600 t->need_reply = 1; 1601 t->from_parent = thread->transaction_stack; 1602 thread->transaction_stack = t; 1603 } else { 1604 BUG_ON(target_node == NULL); 1605 BUG_ON(t->buffer->async_transaction != 1); 1606 if (target_node->has_async_transaction) { 1607 target_list = &target_node->async_todo; 1608 target_wait = NULL; 1609 } else 1610 target_node->has_async_transaction = 1; 1611 } 1612 t->work.type = BINDER_WORK_TRANSACTION; 1613 list_add_tail(&t->work.entry, target_list); 1614 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1615 list_add_tail(&tcomplete->entry, &thread->todo); 1616 if (target_wait) 1617 wake_up_interruptible(target_wait); 1618 return; 1619 1620err_get_unused_fd_failed: 1621err_fget_failed: 1622err_fd_not_allowed: 1623err_binder_get_ref_for_node_failed: 1624err_binder_get_ref_failed: 1625err_binder_new_node_failed: 1626err_bad_object_type: 1627err_bad_offset: 1628err_copy_data_failed: 1629 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1630 t->buffer->transaction = NULL; 1631 binder_free_buf(target_proc, t->buffer); 1632err_binder_alloc_buf_failed: 1633 kfree(tcomplete); 1634 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 1635err_alloc_tcomplete_failed: 1636 kfree(t); 1637 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1638err_alloc_t_failed: 1639err_bad_call_stack: 1640err_empty_call_stack: 1641err_dead_binder: 1642err_invalid_target_handle: 1643err_no_context_mgr_node: 1644 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1645 printk(KERN_INFO "binder: %d:%d transaction failed %d, size" 1646 "%zd-%zd\n", 1647 proc->pid, thread->pid, return_error, 1648 tr->data_size, tr->offsets_size); 1649 1650 { 1651 struct binder_transaction_log_entry *fe; 1652 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1653 *fe = *e; 1654 } 1655 1656 BUG_ON(thread->return_error != BR_OK); 1657 if (in_reply_to) { 1658 thread->return_error = BR_TRANSACTION_COMPLETE; 1659 binder_send_failed_reply(in_reply_to, return_error); 1660 } else 1661 thread->return_error = return_error; 1662} 1663 1664static void 1665binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer *buffer, size_t *failed_at) 1666{ 1667 size_t *offp, *off_end; 1668 int debug_id = buffer->debug_id; 1669 1670 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1671 printk(KERN_INFO "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1672 proc->pid, buffer->debug_id, 1673 buffer->data_size, buffer->offsets_size, failed_at); 1674 1675 if (buffer->target_node) 1676 binder_dec_node(buffer->target_node, 1, 0); 1677 1678 offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1679 if (failed_at) 1680 off_end = failed_at; 1681 else 1682 off_end = (void *)offp + buffer->offsets_size; 1683 for (; offp < off_end; offp++) { 1684 struct flat_binder_object *fp; 1685 if (*offp > buffer->data_size - sizeof(*fp) || 1686 buffer->data_size < sizeof(*fp) || 1687 !IS_ALIGNED(*offp, sizeof(void *))) { 1688 printk(KERN_ERR "binder: transaction release %d bad" 1689 "offset %zd, size %zd\n", debug_id, *offp, buffer->data_size); 1690 continue; 1691 } 1692 fp = (struct flat_binder_object *)(buffer->data + *offp); 1693 switch (fp->type) { 1694 case BINDER_TYPE_BINDER: 1695 case BINDER_TYPE_WEAK_BINDER: { 1696 struct binder_node *node = binder_get_node(proc, fp->binder); 1697 if (node == NULL) { 1698 printk(KERN_ERR "binder: transaction release %d bad node %p\n", debug_id, fp->binder); 1699 break; 1700 } 1701 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1702 printk(KERN_INFO " node %d u%p\n", 1703 node->debug_id, node->ptr); 1704 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1705 } break; 1706 case BINDER_TYPE_HANDLE: 1707 case BINDER_TYPE_WEAK_HANDLE: { 1708 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1709 if (ref == NULL) { 1710 printk(KERN_ERR "binder: transaction release %d bad handle %ld\n", debug_id, fp->handle); 1711 break; 1712 } 1713 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1714 printk(KERN_INFO " ref %d desc %d (node %d)\n", 1715 ref->debug_id, ref->desc, ref->node->debug_id); 1716 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1717 } break; 1718 1719 case BINDER_TYPE_FD: 1720 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1721 printk(KERN_INFO " fd %ld\n", fp->handle); 1722 if (failed_at) 1723 task_close_fd(proc, fp->handle); 1724 break; 1725 1726 default: 1727 printk(KERN_ERR "binder: transaction release %d bad object type %lx\n", debug_id, fp->type); 1728 break; 1729 } 1730 } 1731} 1732 1733int 1734binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1735 void __user *buffer, int size, signed long *consumed) 1736{ 1737 uint32_t cmd; 1738 void __user *ptr = buffer + *consumed; 1739 void __user *end = buffer + size; 1740 1741 while (ptr < end && thread->return_error == BR_OK) { 1742 if (get_user(cmd, (uint32_t __user *)ptr)) 1743 return -EFAULT; 1744 ptr += sizeof(uint32_t); 1745 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1746 binder_stats.bc[_IOC_NR(cmd)]++; 1747 proc->stats.bc[_IOC_NR(cmd)]++; 1748 thread->stats.bc[_IOC_NR(cmd)]++; 1749 } 1750 switch (cmd) { 1751 case BC_INCREFS: 1752 case BC_ACQUIRE: 1753 case BC_RELEASE: 1754 case BC_DECREFS: { 1755 uint32_t target; 1756 struct binder_ref *ref; 1757 const char *debug_string; 1758 1759 if (get_user(target, (uint32_t __user *)ptr)) 1760 return -EFAULT; 1761 ptr += sizeof(uint32_t); 1762 if (target == 0 && binder_context_mgr_node && 1763 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1764 ref = binder_get_ref_for_node(proc, 1765 binder_context_mgr_node); 1766 if (ref->desc != target) { 1767 binder_user_error("binder: %d:" 1768 "%d tried to acquire " 1769 "reference to desc 0, " 1770 "got %d instead\n", 1771 proc->pid, thread->pid, 1772 ref->desc); 1773 } 1774 } else 1775 ref = binder_get_ref(proc, target); 1776 if (ref == NULL) { 1777 binder_user_error("binder: %d:%d refcou" 1778 "nt change on invalid ref %d\n", 1779 proc->pid, thread->pid, target); 1780 break; 1781 } 1782 switch (cmd) { 1783 case BC_INCREFS: 1784 debug_string = "IncRefs"; 1785 binder_inc_ref(ref, 0, NULL); 1786 break; 1787 case BC_ACQUIRE: 1788 debug_string = "Acquire"; 1789 binder_inc_ref(ref, 1, NULL); 1790 break; 1791 case BC_RELEASE: 1792 debug_string = "Release"; 1793 binder_dec_ref(ref, 1); 1794 break; 1795 case BC_DECREFS: 1796 default: 1797 debug_string = "DecRefs"; 1798 binder_dec_ref(ref, 0); 1799 break; 1800 } 1801 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 1802 printk(KERN_INFO "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1803 proc->pid, thread->pid, debug_string, ref->debug_id, ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1804 break; 1805 } 1806 case BC_INCREFS_DONE: 1807 case BC_ACQUIRE_DONE: { 1808 void __user *node_ptr; 1809 void *cookie; 1810 struct binder_node *node; 1811 1812 if (get_user(node_ptr, (void * __user *)ptr)) 1813 return -EFAULT; 1814 ptr += sizeof(void *); 1815 if (get_user(cookie, (void * __user *)ptr)) 1816 return -EFAULT; 1817 ptr += sizeof(void *); 1818 node = binder_get_node(proc, node_ptr); 1819 if (node == NULL) { 1820 binder_user_error("binder: %d:%d " 1821 "%s u%p no match\n", 1822 proc->pid, thread->pid, 1823 cmd == BC_INCREFS_DONE ? 1824 "BC_INCREFS_DONE" : 1825 "BC_ACQUIRE_DONE", 1826 node_ptr); 1827 break; 1828 } 1829 if (cookie != node->cookie) { 1830 binder_user_error("binder: %d:%d %s u%p node %d" 1831 " cookie mismatch %p != %p\n", 1832 proc->pid, thread->pid, 1833 cmd == BC_INCREFS_DONE ? 1834 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1835 node_ptr, node->debug_id, 1836 cookie, node->cookie); 1837 break; 1838 } 1839 if (cmd == BC_ACQUIRE_DONE) { 1840 if (node->pending_strong_ref == 0) { 1841 binder_user_error("binder: %d:%d " 1842 "BC_ACQUIRE_DONE node %d has " 1843 "no pending acquire request\n", 1844 proc->pid, thread->pid, 1845 node->debug_id); 1846 break; 1847 } 1848 node->pending_strong_ref = 0; 1849 } else { 1850 if (node->pending_weak_ref == 0) { 1851 binder_user_error("binder: %d:%d " 1852 "BC_INCREFS_DONE node %d has " 1853 "no pending increfs request\n", 1854 proc->pid, thread->pid, 1855 node->debug_id); 1856 break; 1857 } 1858 node->pending_weak_ref = 0; 1859 } 1860 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1861 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 1862 printk(KERN_INFO "binder: %d:%d %s node %d ls %d lw %d\n", 1863 proc->pid, thread->pid, cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", node->debug_id, node->local_strong_refs, node->local_weak_refs); 1864 break; 1865 } 1866 case BC_ATTEMPT_ACQUIRE: 1867 printk(KERN_ERR "binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1868 return -EINVAL; 1869 case BC_ACQUIRE_RESULT: 1870 printk(KERN_ERR "binder: BC_ACQUIRE_RESULT not supported\n"); 1871 return -EINVAL; 1872 1873 case BC_FREE_BUFFER: { 1874 void __user *data_ptr; 1875 struct binder_buffer *buffer; 1876 1877 if (get_user(data_ptr, (void * __user *)ptr)) 1878 return -EFAULT; 1879 ptr += sizeof(void *); 1880 1881 buffer = binder_buffer_lookup(proc, data_ptr); 1882 if (buffer == NULL) { 1883 binder_user_error("binder: %d:%d " 1884 "BC_FREE_BUFFER u%p no match\n", 1885 proc->pid, thread->pid, data_ptr); 1886 break; 1887 } 1888 if (!buffer->allow_user_free) { 1889 binder_user_error("binder: %d:%d " 1890 "BC_FREE_BUFFER u%p matched " 1891 "unreturned buffer\n", 1892 proc->pid, thread->pid, data_ptr); 1893 break; 1894 } 1895 if (binder_debug_mask & BINDER_DEBUG_FREE_BUFFER) 1896 printk(KERN_INFO "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1897 proc->pid, thread->pid, data_ptr, buffer->debug_id, 1898 buffer->transaction ? "active" : "finished"); 1899 1900 if (buffer->transaction) { 1901 buffer->transaction->buffer = NULL; 1902 buffer->transaction = NULL; 1903 } 1904 if (buffer->async_transaction && buffer->target_node) { 1905 BUG_ON(!buffer->target_node->has_async_transaction); 1906 if (list_empty(&buffer->target_node->async_todo)) 1907 buffer->target_node->has_async_transaction = 0; 1908 else 1909 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1910 } 1911 binder_transaction_buffer_release(proc, buffer, NULL); 1912 binder_free_buf(proc, buffer); 1913 break; 1914 } 1915 1916 case BC_TRANSACTION: 1917 case BC_REPLY: { 1918 struct binder_transaction_data tr; 1919 1920 if (copy_from_user(&tr, ptr, sizeof(tr))) 1921 return -EFAULT; 1922 ptr += sizeof(tr); 1923 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1924 break; 1925 } 1926 1927 case BC_REGISTER_LOOPER: 1928 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1929 printk(KERN_INFO "binder: %d:%d BC_REGISTER_LOOPER\n", 1930 proc->pid, thread->pid); 1931 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1932 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1933 binder_user_error("binder: %d:%d ERROR:" 1934 " BC_REGISTER_LOOPER called " 1935 "after BC_ENTER_LOOPER\n", 1936 proc->pid, thread->pid); 1937 } else if (proc->requested_threads == 0) { 1938 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1939 binder_user_error("binder: %d:%d ERROR:" 1940 " BC_REGISTER_LOOPER called " 1941 "without request\n", 1942 proc->pid, thread->pid); 1943 } else { 1944 proc->requested_threads--; 1945 proc->requested_threads_started++; 1946 } 1947 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 1948 break; 1949 case BC_ENTER_LOOPER: 1950 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1951 printk(KERN_INFO "binder: %d:%d BC_ENTER_LOOPER\n", 1952 proc->pid, thread->pid); 1953 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 1954 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1955 binder_user_error("binder: %d:%d ERROR:" 1956 " BC_ENTER_LOOPER called after " 1957 "BC_REGISTER_LOOPER\n", 1958 proc->pid, thread->pid); 1959 } 1960 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 1961 break; 1962 case BC_EXIT_LOOPER: 1963 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1964 printk(KERN_INFO "binder: %d:%d BC_EXIT_LOOPER\n", 1965 proc->pid, thread->pid); 1966 thread->looper |= BINDER_LOOPER_STATE_EXITED; 1967 break; 1968 1969 case BC_REQUEST_DEATH_NOTIFICATION: 1970 case BC_CLEAR_DEATH_NOTIFICATION: { 1971 uint32_t target; 1972 void __user *cookie; 1973 struct binder_ref *ref; 1974 struct binder_ref_death *death; 1975 1976 if (get_user(target, (uint32_t __user *)ptr)) 1977 return -EFAULT; 1978 ptr += sizeof(uint32_t); 1979 if (get_user(cookie, (void __user * __user *)ptr)) 1980 return -EFAULT; 1981 ptr += sizeof(void *); 1982 ref = binder_get_ref(proc, target); 1983 if (ref == NULL) { 1984 binder_user_error("binder: %d:%d %s " 1985 "invalid ref %d\n", 1986 proc->pid, thread->pid, 1987 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1988 "BC_REQUEST_DEATH_NOTIFICATION" : 1989 "BC_CLEAR_DEATH_NOTIFICATION", 1990 target); 1991 break; 1992 } 1993 1994 if (binder_debug_mask & BINDER_DEBUG_DEATH_NOTIFICATION) 1995 printk(KERN_INFO "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 1996 proc->pid, thread->pid, 1997 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1998 "BC_REQUEST_DEATH_NOTIFICATION" : 1999 "BC_CLEAR_DEATH_NOTIFICATION", 2000 cookie, ref->debug_id, ref->desc, 2001 ref->strong, ref->weak, ref->node->debug_id); 2002 2003 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 2004 if (ref->death) { 2005 binder_user_error("binder: %d:%" 2006 "d BC_REQUEST_DEATH_NOTI" 2007 "FICATION death notific" 2008 "ation already set\n", 2009 proc->pid, thread->pid); 2010 break; 2011 } 2012 death = kzalloc(sizeof(*death), GFP_KERNEL); 2013 if (death == NULL) { 2014 thread->return_error = BR_ERROR; 2015 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 2016 printk(KERN_INFO "binder: %d:%d " 2017 "BC_REQUEST_DEATH_NOTIFICATION failed\n", 2018 proc->pid, thread->pid); 2019 break; 2020 } 2021 binder_stats.obj_created[BINDER_STAT_DEATH]++; 2022 INIT_LIST_HEAD(&death->work.entry); 2023 death->cookie = cookie; 2024 ref->death = death; 2025 if (ref->node->proc == NULL) { 2026 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2027 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2028 list_add_tail(&ref->death->work.entry, &thread->todo); 2029 } else { 2030 list_add_tail(&ref->death->work.entry, &proc->todo); 2031 wake_up_interruptible(&proc->wait); 2032 } 2033 } 2034 } else { 2035 if (ref->death == NULL) { 2036 binder_user_error("binder: %d:%" 2037 "d BC_CLEAR_DEATH_NOTIFI" 2038 "CATION death notificat" 2039 "ion not active\n", 2040 proc->pid, thread->pid); 2041 break; 2042 } 2043 death = ref->death; 2044 if (death->cookie != cookie) { 2045 binder_user_error("binder: %d:%" 2046 "d BC_CLEAR_DEATH_NOTIFI" 2047 "CATION death notificat" 2048 "ion cookie mismatch " 2049 "%p != %p\n", 2050 proc->pid, thread->pid, 2051 death->cookie, cookie); 2052 break; 2053 } 2054 ref->death = NULL; 2055 if (list_empty(&death->work.entry)) { 2056 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2057 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2058 list_add_tail(&death->work.entry, &thread->todo); 2059 } else { 2060 list_add_tail(&death->work.entry, &proc->todo); 2061 wake_up_interruptible(&proc->wait); 2062 } 2063 } else { 2064 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2065 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2066 } 2067 } 2068 } break; 2069 case BC_DEAD_BINDER_DONE: { 2070 struct binder_work *w; 2071 void __user *cookie; 2072 struct binder_ref_death *death = NULL; 2073 if (get_user(cookie, (void __user * __user *)ptr)) 2074 return -EFAULT; 2075 2076 ptr += sizeof(void *); 2077 list_for_each_entry(w, &proc->delivered_death, entry) { 2078 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2079 if (tmp_death->cookie == cookie) { 2080 death = tmp_death; 2081 break; 2082 } 2083 } 2084 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2085 printk(KERN_INFO "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2086 proc->pid, thread->pid, cookie, death); 2087 if (death == NULL) { 2088 binder_user_error("binder: %d:%d BC_DEAD" 2089 "_BINDER_DONE %p not found\n", 2090 proc->pid, thread->pid, cookie); 2091 break; 2092 } 2093 2094 list_del_init(&death->work.entry); 2095 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2096 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2097 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2098 list_add_tail(&death->work.entry, &thread->todo); 2099 } else { 2100 list_add_tail(&death->work.entry, &proc->todo); 2101 wake_up_interruptible(&proc->wait); 2102 } 2103 } 2104 } break; 2105 2106 default: 2107 printk(KERN_ERR "binder: %d:%d unknown command %d\n", proc->pid, thread->pid, cmd); 2108 return -EINVAL; 2109 } 2110 *consumed = ptr - buffer; 2111 } 2112 return 0; 2113} 2114 2115void 2116binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, uint32_t cmd) 2117{ 2118 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2119 binder_stats.br[_IOC_NR(cmd)]++; 2120 proc->stats.br[_IOC_NR(cmd)]++; 2121 thread->stats.br[_IOC_NR(cmd)]++; 2122 } 2123} 2124 2125static int 2126binder_has_proc_work(struct binder_proc *proc, struct binder_thread *thread) 2127{ 2128 return !list_empty(&proc->todo) || (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2129} 2130 2131static int 2132binder_has_thread_work(struct binder_thread *thread) 2133{ 2134 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2135 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2136} 2137 2138static int 2139binder_thread_read(struct binder_proc *proc, struct binder_thread *thread, 2140 void __user *buffer, int size, signed long *consumed, int non_block) 2141{ 2142 void __user *ptr = buffer + *consumed; 2143 void __user *end = buffer + size; 2144 2145 int ret = 0; 2146 int wait_for_proc_work; 2147 2148 if (*consumed == 0) { 2149 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2150 return -EFAULT; 2151 ptr += sizeof(uint32_t); 2152 } 2153 2154retry: 2155 wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo); 2156 2157 if (thread->return_error != BR_OK && ptr < end) { 2158 if (thread->return_error2 != BR_OK) { 2159 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2160 return -EFAULT; 2161 ptr += sizeof(uint32_t); 2162 if (ptr == end) 2163 goto done; 2164 thread->return_error2 = BR_OK; 2165 } 2166 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2167 return -EFAULT; 2168 ptr += sizeof(uint32_t); 2169 thread->return_error = BR_OK; 2170 goto done; 2171 } 2172 2173 2174 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2175 if (wait_for_proc_work) 2176 proc->ready_threads++; 2177 mutex_unlock(&binder_lock); 2178 if (wait_for_proc_work) { 2179 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2180 BINDER_LOOPER_STATE_ENTERED))) { 2181 binder_user_error("binder: %d:%d ERROR: Thread waiting " 2182 "for process work before calling BC_REGISTER_" 2183 "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2184 proc->pid, thread->pid, thread->looper); 2185 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2186 } 2187 binder_set_nice(proc->default_priority); 2188 if (non_block) { 2189 if (!binder_has_proc_work(proc, thread)) 2190 ret = -EAGAIN; 2191 } else 2192 ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2193 } else { 2194 if (non_block) { 2195 if (!binder_has_thread_work(thread)) 2196 ret = -EAGAIN; 2197 } else 2198 ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2199 } 2200 mutex_lock(&binder_lock); 2201 if (wait_for_proc_work) 2202 proc->ready_threads--; 2203 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2204 2205 if (ret) 2206 return ret; 2207 2208 while (1) { 2209 uint32_t cmd; 2210 struct binder_transaction_data tr; 2211 struct binder_work *w; 2212 struct binder_transaction *t = NULL; 2213 2214 if (!list_empty(&thread->todo)) 2215 w = list_first_entry(&thread->todo, struct binder_work, entry); 2216 else if (!list_empty(&proc->todo) && wait_for_proc_work) 2217 w = list_first_entry(&proc->todo, struct binder_work, entry); 2218 else { 2219 if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2220 goto retry; 2221 break; 2222 } 2223 2224 if (end - ptr < sizeof(tr) + 4) 2225 break; 2226 2227 switch (w->type) { 2228 case BINDER_WORK_TRANSACTION: { 2229 t = container_of(w, struct binder_transaction, work); 2230 } break; 2231 case BINDER_WORK_TRANSACTION_COMPLETE: { 2232 cmd = BR_TRANSACTION_COMPLETE; 2233 if (put_user(cmd, (uint32_t __user *)ptr)) 2234 return -EFAULT; 2235 ptr += sizeof(uint32_t); 2236 2237 binder_stat_br(proc, thread, cmd); 2238 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION_COMPLETE) 2239 printk(KERN_INFO "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2240 proc->pid, thread->pid); 2241 2242 list_del(&w->entry); 2243 kfree(w); 2244 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2245 } break; 2246 case BINDER_WORK_NODE: { 2247 struct binder_node *node = container_of(w, struct binder_node, work); 2248 uint32_t cmd = BR_NOOP; 2249 const char *cmd_name; 2250 int strong = node->internal_strong_refs || node->local_strong_refs; 2251 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2252 if (weak && !node->has_weak_ref) { 2253 cmd = BR_INCREFS; 2254 cmd_name = "BR_INCREFS"; 2255 node->has_weak_ref = 1; 2256 node->pending_weak_ref = 1; 2257 node->local_weak_refs++; 2258 } else if (strong && !node->has_strong_ref) { 2259 cmd = BR_ACQUIRE; 2260 cmd_name = "BR_ACQUIRE"; 2261 node->has_strong_ref = 1; 2262 node->pending_strong_ref = 1; 2263 node->local_strong_refs++; 2264 } else if (!strong && node->has_strong_ref) { 2265 cmd = BR_RELEASE; 2266 cmd_name = "BR_RELEASE"; 2267 node->has_strong_ref = 0; 2268 } else if (!weak && node->has_weak_ref) { 2269 cmd = BR_DECREFS; 2270 cmd_name = "BR_DECREFS"; 2271 node->has_weak_ref = 0; 2272 } 2273 if (cmd != BR_NOOP) { 2274 if (put_user(cmd, (uint32_t __user *)ptr)) 2275 return -EFAULT; 2276 ptr += sizeof(uint32_t); 2277 if (put_user(node->ptr, (void * __user *)ptr)) 2278 return -EFAULT; 2279 ptr += sizeof(void *); 2280 if (put_user(node->cookie, (void * __user *)ptr)) 2281 return -EFAULT; 2282 ptr += sizeof(void *); 2283 2284 binder_stat_br(proc, thread, cmd); 2285 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 2286 printk(KERN_INFO "binder: %d:%d %s %d u%p c%p\n", 2287 proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2288 } else { 2289 list_del_init(&w->entry); 2290 if (!weak && !strong) { 2291 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 2292 printk(KERN_INFO "binder: %d:%d node %d u%p c%p deleted\n", 2293 proc->pid, thread->pid, node->debug_id, node->ptr, node->cookie); 2294 rb_erase(&node->rb_node, &proc->nodes); 2295 kfree(node); 2296 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2297 } else { 2298 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 2299 printk(KERN_INFO "binder: %d:%d node %d u%p c%p state unchanged\n", 2300 proc->pid, thread->pid, node->debug_id, node->ptr, node->cookie); 2301 } 2302 } 2303 } break; 2304 case BINDER_WORK_DEAD_BINDER: 2305 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2306 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2307 struct binder_ref_death *death = container_of(w, struct binder_ref_death, work); 2308 uint32_t cmd; 2309 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2310 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2311 else 2312 cmd = BR_DEAD_BINDER; 2313 if (put_user(cmd, (uint32_t __user *)ptr)) 2314 return -EFAULT; 2315 ptr += sizeof(uint32_t); 2316 if (put_user(death->cookie, (void * __user *)ptr)) 2317 return -EFAULT; 2318 ptr += sizeof(void *); 2319 if (binder_debug_mask & BINDER_DEBUG_DEATH_NOTIFICATION) 2320 printk(KERN_INFO "binder: %d:%d %s %p\n", 2321 proc->pid, thread->pid, 2322 cmd == BR_DEAD_BINDER ? 2323 "BR_DEAD_BINDER" : 2324 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2325 death->cookie); 2326 2327 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2328 list_del(&w->entry); 2329 kfree(death); 2330 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 2331 } else 2332 list_move(&w->entry, &proc->delivered_death); 2333 if (cmd == BR_DEAD_BINDER) 2334 goto done; /* DEAD_BINDER notifications can cause transactions */ 2335 } break; 2336 } 2337 2338 if (!t) 2339 continue; 2340 2341 BUG_ON(t->buffer == NULL); 2342 if (t->buffer->target_node) { 2343 struct binder_node *target_node = t->buffer->target_node; 2344 tr.target.ptr = target_node->ptr; 2345 tr.cookie = target_node->cookie; 2346 t->saved_priority = task_nice(current); 2347 if (t->priority < target_node->min_priority && 2348 !(t->flags & TF_ONE_WAY)) 2349 binder_set_nice(t->priority); 2350 else if (!(t->flags & TF_ONE_WAY) || 2351 t->saved_priority > target_node->min_priority) 2352 binder_set_nice(target_node->min_priority); 2353 cmd = BR_TRANSACTION; 2354 } else { 2355 tr.target.ptr = NULL; 2356 tr.cookie = NULL; 2357 cmd = BR_REPLY; 2358 } 2359 tr.code = t->code; 2360 tr.flags = t->flags; 2361 tr.sender_euid = t->sender_euid; 2362 2363 if (t->from) { 2364 struct task_struct *sender = t->from->proc->tsk; 2365 tr.sender_pid = task_tgid_nr_ns(sender, current->nsproxy->pid_ns); 2366 } else { 2367 tr.sender_pid = 0; 2368 } 2369 2370 tr.data_size = t->buffer->data_size; 2371 tr.offsets_size = t->buffer->offsets_size; 2372 tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset; 2373 tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *)); 2374 2375 if (put_user(cmd, (uint32_t __user *)ptr)) 2376 return -EFAULT; 2377 ptr += sizeof(uint32_t); 2378 if (copy_to_user(ptr, &tr, sizeof(tr))) 2379 return -EFAULT; 2380 ptr += sizeof(tr); 2381 2382 binder_stat_br(proc, thread, cmd); 2383 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 2384 printk(KERN_INFO "binder: %d:%d %s %d %d:%d, cmd %d" 2385 "size %zd-%zd ptr %p-%p\n", 2386 proc->pid, thread->pid, 2387 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : "BR_REPLY", 2388 t->debug_id, t->from ? t->from->proc->pid : 0, 2389 t->from ? t->from->pid : 0, cmd, 2390 t->buffer->data_size, t->buffer->offsets_size, 2391 tr.data.ptr.buffer, tr.data.ptr.offsets); 2392 2393 list_del(&t->work.entry); 2394 t->buffer->allow_user_free = 1; 2395 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2396 t->to_parent = thread->transaction_stack; 2397 t->to_thread = thread; 2398 thread->transaction_stack = t; 2399 } else { 2400 t->buffer->transaction = NULL; 2401 kfree(t); 2402 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 2403 } 2404 break; 2405 } 2406 2407done: 2408 2409 *consumed = ptr - buffer; 2410 if (proc->requested_threads + proc->ready_threads == 0 && 2411 proc->requested_threads_started < proc->max_threads && 2412 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2413 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2414 /*spawn a new thread if we leave this out */) { 2415 proc->requested_threads++; 2416 if (binder_debug_mask & BINDER_DEBUG_THREADS) 2417 printk(KERN_INFO "binder: %d:%d BR_SPAWN_LOOPER\n", 2418 proc->pid, thread->pid); 2419 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2420 return -EFAULT; 2421 } 2422 return 0; 2423} 2424 2425static void binder_release_work(struct list_head *list) 2426{ 2427 struct binder_work *w; 2428 while (!list_empty(list)) { 2429 w = list_first_entry(list, struct binder_work, entry); 2430 list_del_init(&w->entry); 2431 switch (w->type) { 2432 case BINDER_WORK_TRANSACTION: { 2433 struct binder_transaction *t = container_of(w, struct binder_transaction, work); 2434 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2435 binder_send_failed_reply(t, BR_DEAD_REPLY); 2436 } break; 2437 case BINDER_WORK_TRANSACTION_COMPLETE: { 2438 kfree(w); 2439 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2440 } break; 2441 default: 2442 break; 2443 } 2444 } 2445 2446} 2447 2448static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2449{ 2450 struct binder_thread *thread = NULL; 2451 struct rb_node *parent = NULL; 2452 struct rb_node **p = &proc->threads.rb_node; 2453 2454 while (*p) { 2455 parent = *p; 2456 thread = rb_entry(parent, struct binder_thread, rb_node); 2457 2458 if (current->pid < thread->pid) 2459 p = &(*p)->rb_left; 2460 else if (current->pid > thread->pid) 2461 p = &(*p)->rb_right; 2462 else 2463 break; 2464 } 2465 if (*p == NULL) { 2466 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2467 if (thread == NULL) 2468 return NULL; 2469 binder_stats.obj_created[BINDER_STAT_THREAD]++; 2470 thread->proc = proc; 2471 thread->pid = current->pid; 2472 init_waitqueue_head(&thread->wait); 2473 INIT_LIST_HEAD(&thread->todo); 2474 rb_link_node(&thread->rb_node, parent, p); 2475 rb_insert_color(&thread->rb_node, &proc->threads); 2476 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2477 thread->return_error = BR_OK; 2478 thread->return_error2 = BR_OK; 2479 } 2480 return thread; 2481} 2482 2483static int binder_free_thread(struct binder_proc *proc, struct binder_thread *thread) 2484{ 2485 struct binder_transaction *t; 2486 struct binder_transaction *send_reply = NULL; 2487 int active_transactions = 0; 2488 2489 rb_erase(&thread->rb_node, &proc->threads); 2490 t = thread->transaction_stack; 2491 if (t && t->to_thread == thread) 2492 send_reply = t; 2493 while (t) { 2494 active_transactions++; 2495 if (binder_debug_mask & BINDER_DEBUG_DEAD_TRANSACTION) 2496 printk(KERN_INFO "binder: release %d:%d transaction %d %s, still active\n", 2497 proc->pid, thread->pid, t->debug_id, (t->to_thread == thread) ? "in" : "out"); 2498 if (t->to_thread == thread) { 2499 t->to_proc = NULL; 2500 t->to_thread = NULL; 2501 if (t->buffer) { 2502 t->buffer->transaction = NULL; 2503 t->buffer = NULL; 2504 } 2505 t = t->to_parent; 2506 } else if (t->from == thread) { 2507 t->from = NULL; 2508 t = t->from_parent; 2509 } else 2510 BUG(); 2511 } 2512 if (send_reply) 2513 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2514 binder_release_work(&thread->todo); 2515 kfree(thread); 2516 binder_stats.obj_deleted[BINDER_STAT_THREAD]++; 2517 return active_transactions; 2518} 2519 2520static unsigned int binder_poll(struct file *filp, struct poll_table_struct *wait) 2521{ 2522 struct binder_proc *proc = filp->private_data; 2523 struct binder_thread *thread = NULL; 2524 int wait_for_proc_work; 2525 2526 mutex_lock(&binder_lock); 2527 thread = binder_get_thread(proc); 2528 2529 wait_for_proc_work = thread->transaction_stack == NULL && 2530 list_empty(&thread->todo) && thread->return_error == BR_OK; 2531 mutex_unlock(&binder_lock); 2532 2533 if (wait_for_proc_work) { 2534 if (binder_has_proc_work(proc, thread)) 2535 return POLLIN; 2536 poll_wait(filp, &proc->wait, wait); 2537 if (binder_has_proc_work(proc, thread)) 2538 return POLLIN; 2539 } else { 2540 if (binder_has_thread_work(thread)) 2541 return POLLIN; 2542 poll_wait(filp, &thread->wait, wait); 2543 if (binder_has_thread_work(thread)) 2544 return POLLIN; 2545 } 2546 return 0; 2547} 2548 2549static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2550{ 2551 int ret; 2552 struct binder_proc *proc = filp->private_data; 2553 struct binder_thread *thread; 2554 unsigned int size = _IOC_SIZE(cmd); 2555 void __user *ubuf = (void __user *)arg; 2556 2557 /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2558 2559 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2560 if (ret) 2561 return ret; 2562 2563 mutex_lock(&binder_lock); 2564 thread = binder_get_thread(proc); 2565 if (thread == NULL) { 2566 ret = -ENOMEM; 2567 goto err; 2568 } 2569 2570 switch (cmd) { 2571 case BINDER_WRITE_READ: { 2572 struct binder_write_read bwr; 2573 if (size != sizeof(struct binder_write_read)) { 2574 ret = -EINVAL; 2575 goto err; 2576 } 2577 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2578 ret = -EFAULT; 2579 goto err; 2580 } 2581 if (binder_debug_mask & BINDER_DEBUG_READ_WRITE) 2582 printk(KERN_INFO "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2583 proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer); 2584 if (bwr.write_size > 0) { 2585 ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2586 if (ret < 0) { 2587 bwr.read_consumed = 0; 2588 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2589 ret = -EFAULT; 2590 goto err; 2591 } 2592 } 2593 if (bwr.read_size > 0) { 2594 ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2595 if (!list_empty(&proc->todo)) 2596 wake_up_interruptible(&proc->wait); 2597 if (ret < 0) { 2598 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2599 ret = -EFAULT; 2600 goto err; 2601 } 2602 } 2603 if (binder_debug_mask & BINDER_DEBUG_READ_WRITE) 2604 printk(KERN_INFO "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2605 proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size); 2606 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2607 ret = -EFAULT; 2608 goto err; 2609 } 2610 break; 2611 } 2612 case BINDER_SET_MAX_THREADS: 2613 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2614 ret = -EINVAL; 2615 goto err; 2616 } 2617 break; 2618 case BINDER_SET_CONTEXT_MGR: 2619 if (binder_context_mgr_node != NULL) { 2620 printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n"); 2621 ret = -EBUSY; 2622 goto err; 2623 } 2624 if (binder_context_mgr_uid != -1) { 2625 if (binder_context_mgr_uid != current->cred->euid) { 2626 printk(KERN_ERR "binder: BINDER_SET_" 2627 "CONTEXT_MGR bad uid %d != %d\n", 2628 current->cred->euid, 2629 binder_context_mgr_uid); 2630 ret = -EPERM; 2631 goto err; 2632 } 2633 } else 2634 binder_context_mgr_uid = current->cred->euid; 2635 binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2636 if (binder_context_mgr_node == NULL) { 2637 ret = -ENOMEM; 2638 goto err; 2639 } 2640 binder_context_mgr_node->local_weak_refs++; 2641 binder_context_mgr_node->local_strong_refs++; 2642 binder_context_mgr_node->has_strong_ref = 1; 2643 binder_context_mgr_node->has_weak_ref = 1; 2644 break; 2645 case BINDER_THREAD_EXIT: 2646 if (binder_debug_mask & BINDER_DEBUG_THREADS) 2647 printk(KERN_INFO "binder: %d:%d exit\n", 2648 proc->pid, thread->pid); 2649 binder_free_thread(proc, thread); 2650 thread = NULL; 2651 break; 2652 case BINDER_VERSION: 2653 if (size != sizeof(struct binder_version)) { 2654 ret = -EINVAL; 2655 goto err; 2656 } 2657 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2658 ret = -EINVAL; 2659 goto err; 2660 } 2661 break; 2662 default: 2663 ret = -EINVAL; 2664 goto err; 2665 } 2666 ret = 0; 2667err: 2668 if (thread) 2669 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2670 mutex_unlock(&binder_lock); 2671 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2672 if (ret && ret != -ERESTARTSYS) 2673 printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2674 return ret; 2675} 2676 2677static void binder_vma_open(struct vm_area_struct *vma) 2678{ 2679 struct binder_proc *proc = vma->vm_private_data; 2680 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2681 printk(KERN_INFO 2682 "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2683 proc->pid, vma->vm_start, vma->vm_end, 2684 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2685 (unsigned long)pgprot_val(vma->vm_page_prot)); 2686 dump_stack(); 2687} 2688 2689static void binder_vma_close(struct vm_area_struct *vma) 2690{ 2691 struct binder_proc *proc = vma->vm_private_data; 2692 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2693 printk(KERN_INFO 2694 "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2695 proc->pid, vma->vm_start, vma->vm_end, 2696 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2697 (unsigned long)pgprot_val(vma->vm_page_prot)); 2698 proc->vma = NULL; 2699 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2700} 2701 2702static struct vm_operations_struct binder_vm_ops = { 2703 .open = binder_vma_open, 2704 .close = binder_vma_close, 2705}; 2706 2707static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2708{ 2709 int ret; 2710 struct vm_struct *area; 2711 struct binder_proc *proc = filp->private_data; 2712 const char *failure_string; 2713 struct binder_buffer *buffer; 2714 2715 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2716 vma->vm_end = vma->vm_start + SZ_4M; 2717 2718 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2719 printk(KERN_INFO 2720 "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2721 proc->pid, vma->vm_start, vma->vm_end, 2722 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2723 (unsigned long)pgprot_val(vma->vm_page_prot)); 2724 2725 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2726 ret = -EPERM; 2727 failure_string = "bad vm_flags"; 2728 goto err_bad_arg; 2729 } 2730 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2731 2732 if (proc->buffer) { 2733 ret = -EBUSY; 2734 failure_string = "already mapped"; 2735 goto err_already_mapped; 2736 } 2737 2738 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2739 if (area == NULL) { 2740 ret = -ENOMEM; 2741 failure_string = "get_vm_area"; 2742 goto err_get_vm_area_failed; 2743 } 2744 proc->buffer = area->addr; 2745 proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; 2746 2747#ifdef CONFIG_CPU_CACHE_VIPT 2748 if (cache_is_vipt_aliasing()) { 2749 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2750 printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2751 vma->vm_start += PAGE_SIZE; 2752 } 2753 } 2754#endif 2755 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2756 if (proc->pages == NULL) { 2757 ret = -ENOMEM; 2758 failure_string = "alloc page array"; 2759 goto err_alloc_pages_failed; 2760 } 2761 proc->buffer_size = vma->vm_end - vma->vm_start; 2762 2763 vma->vm_ops = &binder_vm_ops; 2764 vma->vm_private_data = proc; 2765 2766 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2767 ret = -ENOMEM; 2768 failure_string = "alloc small buf"; 2769 goto err_alloc_small_buf_failed; 2770 } 2771 buffer = proc->buffer; 2772 INIT_LIST_HEAD(&proc->buffers); 2773 list_add(&buffer->entry, &proc->buffers); 2774 buffer->free = 1; 2775 binder_insert_free_buffer(proc, buffer); 2776 proc->free_async_space = proc->buffer_size / 2; 2777 barrier(); 2778 proc->files = get_files_struct(current); 2779 proc->vma = vma; 2780 2781 /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2782 return 0; 2783 2784err_alloc_small_buf_failed: 2785 kfree(proc->pages); 2786 proc->pages = NULL; 2787err_alloc_pages_failed: 2788 vfree(proc->buffer); 2789 proc->buffer = NULL; 2790err_get_vm_area_failed: 2791err_already_mapped: 2792err_bad_arg: 2793 printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2794 return ret; 2795} 2796 2797static int binder_open(struct inode *nodp, struct file *filp) 2798{ 2799 struct binder_proc *proc; 2800 2801 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2802 printk(KERN_INFO "binder_open: %d:%d\n", current->group_leader->pid, current->pid); 2803 2804 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2805 if (proc == NULL) 2806 return -ENOMEM; 2807 get_task_struct(current); 2808 proc->tsk = current; 2809 INIT_LIST_HEAD(&proc->todo); 2810 init_waitqueue_head(&proc->wait); 2811 proc->default_priority = task_nice(current); 2812 mutex_lock(&binder_lock); 2813 binder_stats.obj_created[BINDER_STAT_PROC]++; 2814 hlist_add_head(&proc->proc_node, &binder_procs); 2815 proc->pid = current->group_leader->pid; 2816 INIT_LIST_HEAD(&proc->delivered_death); 2817 filp->private_data = proc; 2818 mutex_unlock(&binder_lock); 2819 2820 if (binder_proc_dir_entry_proc) { 2821 char strbuf[11]; 2822 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2823 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2824 create_proc_read_entry(strbuf, S_IRUGO, binder_proc_dir_entry_proc, binder_read_proc_proc, proc); 2825 } 2826 2827 return 0; 2828} 2829 2830static int binder_flush(struct file *filp, fl_owner_t id) 2831{ 2832 struct binder_proc *proc = filp->private_data; 2833 2834 binder_defer_work(proc, BINDER_DEFERRED_FLUSH); 2835 2836 return 0; 2837} 2838 2839static void binder_deferred_flush(struct binder_proc *proc) 2840{ 2841 struct rb_node *n; 2842 int wake_count = 0; 2843 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2844 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2845 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2846 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2847 wake_up_interruptible(&thread->wait); 2848 wake_count++; 2849 } 2850 } 2851 wake_up_interruptible_all(&proc->wait); 2852 2853 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2854 printk(KERN_INFO "binder_flush: %d woke %d threads\n", proc->pid, wake_count); 2855} 2856 2857static int binder_release(struct inode *nodp, struct file *filp) 2858{ 2859 struct binder_proc *proc = filp->private_data; 2860 if (binder_proc_dir_entry_proc) { 2861 char strbuf[11]; 2862 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2863 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2864 } 2865 2866 binder_defer_work(proc, BINDER_DEFERRED_RELEASE); 2867 2868 return 0; 2869} 2870 2871static void binder_deferred_release(struct binder_proc *proc) 2872{ 2873 struct hlist_node *pos; 2874 struct binder_transaction *t; 2875 struct rb_node *n; 2876 int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2877 2878 BUG_ON(proc->vma); 2879 BUG_ON(proc->files); 2880 2881 hlist_del(&proc->proc_node); 2882 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2883 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2884 printk(KERN_INFO "binder_release: %d context_mgr_node gone\n", proc->pid); 2885 binder_context_mgr_node = NULL; 2886 } 2887 2888 threads = 0; 2889 active_transactions = 0; 2890 while ((n = rb_first(&proc->threads))) { 2891 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2892 threads++; 2893 active_transactions += binder_free_thread(proc, thread); 2894 } 2895 nodes = 0; 2896 incoming_refs = 0; 2897 while ((n = rb_first(&proc->nodes))) { 2898 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2899 2900 nodes++; 2901 rb_erase(&node->rb_node, &proc->nodes); 2902 list_del_init(&node->work.entry); 2903 if (hlist_empty(&node->refs)) { 2904 kfree(node); 2905 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2906 } else { 2907 struct binder_ref *ref; 2908 int death = 0; 2909 2910 node->proc = NULL; 2911 node->local_strong_refs = 0; 2912 node->local_weak_refs = 0; 2913 hlist_add_head(&node->dead_node, &binder_dead_nodes); 2914 2915 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 2916 incoming_refs++; 2917 if (ref->death) { 2918 death++; 2919 if (list_empty(&ref->death->work.entry)) { 2920 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2921 list_add_tail(&ref->death->work.entry, &ref->proc->todo); 2922 wake_up_interruptible(&ref->proc->wait); 2923 } else 2924 BUG(); 2925 } 2926 } 2927 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2928 printk(KERN_INFO "binder: node %d now dead, refs %d, death %d\n", node->debug_id, incoming_refs, death); 2929 } 2930 } 2931 outgoing_refs = 0; 2932 while ((n = rb_first(&proc->refs_by_desc))) { 2933 struct binder_ref *ref = rb_entry(n, struct binder_ref, rb_node_desc); 2934 outgoing_refs++; 2935 binder_delete_ref(ref); 2936 } 2937 binder_release_work(&proc->todo); 2938 buffers = 0; 2939 2940 while ((n = rb_first(&proc->allocated_buffers))) { 2941 struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, rb_node); 2942 t = buffer->transaction; 2943 if (t) { 2944 t->buffer = NULL; 2945 buffer->transaction = NULL; 2946 printk(KERN_ERR "binder: release proc %d, transaction %d, not freed\n", proc->pid, t->debug_id); 2947 /*BUG();*/ 2948 } 2949 binder_free_buf(proc, buffer); 2950 buffers++; 2951 } 2952 2953 binder_stats.obj_deleted[BINDER_STAT_PROC]++; 2954 2955 page_count = 0; 2956 if (proc->pages) { 2957 int i; 2958 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 2959 if (proc->pages[i]) { 2960 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 2961 printk(KERN_INFO "binder_release: %d: page %d at %p not freed\n", proc->pid, i, proc->buffer + i * PAGE_SIZE); 2962 __free_page(proc->pages[i]); 2963 page_count++; 2964 } 2965 } 2966 kfree(proc->pages); 2967 vfree(proc->buffer); 2968 } 2969 2970 put_task_struct(proc->tsk); 2971 2972 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2973 printk(KERN_INFO "binder_release: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d, buffers %d, pages %d\n", 2974 proc->pid, threads, nodes, incoming_refs, outgoing_refs, active_transactions, buffers, page_count); 2975 2976 kfree(proc); 2977} 2978 2979static void binder_deferred_func(struct work_struct *work) 2980{ 2981 struct binder_proc *proc; 2982 struct files_struct *files; 2983 2984 int defer; 2985 do { 2986 mutex_lock(&binder_lock); 2987 mutex_lock(&binder_deferred_lock); 2988 if (!hlist_empty(&binder_deferred_list)) { 2989 proc = hlist_entry(binder_deferred_list.first, 2990 struct binder_proc, deferred_work_node); 2991 hlist_del_init(&proc->deferred_work_node); 2992 defer = proc->deferred_work; 2993 proc->deferred_work = 0; 2994 } else { 2995 proc = NULL; 2996 defer = 0; 2997 } 2998 mutex_unlock(&binder_deferred_lock); 2999 3000 files = NULL; 3001 if (defer & BINDER_DEFERRED_PUT_FILES) 3002 if ((files = proc->files)) 3003 proc->files = NULL; 3004 3005 if (defer & BINDER_DEFERRED_FLUSH) 3006 binder_deferred_flush(proc); 3007 3008 if (defer & BINDER_DEFERRED_RELEASE) 3009 binder_deferred_release(proc); /* frees proc */ 3010 3011 mutex_unlock(&binder_lock); 3012 if (files) 3013 put_files_struct(files); 3014 } while (proc); 3015} 3016static DECLARE_WORK(binder_deferred_work, binder_deferred_func); 3017 3018static void binder_defer_work(struct binder_proc *proc, int defer) 3019{ 3020 mutex_lock(&binder_deferred_lock); 3021 proc->deferred_work |= defer; 3022 if (hlist_unhashed(&proc->deferred_work_node)) { 3023 hlist_add_head(&proc->deferred_work_node, 3024 &binder_deferred_list); 3025 schedule_work(&binder_deferred_work); 3026 } 3027 mutex_unlock(&binder_deferred_lock); 3028} 3029 3030static char *print_binder_transaction(char *buf, char *end, const char *prefix, struct binder_transaction *t) 3031{ 3032 buf += snprintf(buf, end - buf, "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", 3033 prefix, t->debug_id, t, t->from ? t->from->proc->pid : 0, 3034 t->from ? t->from->pid : 0, 3035 t->to_proc ? t->to_proc->pid : 0, 3036 t->to_thread ? t->to_thread->pid : 0, 3037 t->code, t->flags, t->priority, t->need_reply); 3038 if (buf >= end) 3039 return buf; 3040 if (t->buffer == NULL) { 3041 buf += snprintf(buf, end - buf, " buffer free\n"); 3042 return buf; 3043 } 3044 if (t->buffer->target_node) { 3045 buf += snprintf(buf, end - buf, " node %d", 3046 t->buffer->target_node->debug_id); 3047 if (buf >= end) 3048 return buf; 3049 } 3050 buf += snprintf(buf, end - buf, " size %zd:%zd data %p\n", 3051 t->buffer->data_size, t->buffer->offsets_size, 3052 t->buffer->data); 3053 return buf; 3054} 3055 3056static char *print_binder_buffer(char *buf, char *end, const char *prefix, struct binder_buffer *buffer) 3057{ 3058 buf += snprintf(buf, end - buf, "%s %d: %p size %zd:%zd %s\n", 3059 prefix, buffer->debug_id, buffer->data, 3060 buffer->data_size, buffer->offsets_size, 3061 buffer->transaction ? "active" : "delivered"); 3062 return buf; 3063} 3064 3065static char *print_binder_work(char *buf, char *end, const char *prefix, 3066 const char *transaction_prefix, struct binder_work *w) 3067{ 3068 struct binder_node *node; 3069 struct binder_transaction *t; 3070 3071 switch (w->type) { 3072 case BINDER_WORK_TRANSACTION: 3073 t = container_of(w, struct binder_transaction, work); 3074 buf = print_binder_transaction(buf, end, transaction_prefix, t); 3075 break; 3076 case BINDER_WORK_TRANSACTION_COMPLETE: 3077 buf += snprintf(buf, end - buf, 3078 "%stransaction complete\n", prefix); 3079 break; 3080 case BINDER_WORK_NODE: 3081 node = container_of(w, struct binder_node, work); 3082 buf += snprintf(buf, end - buf, "%snode work %d: u%p c%p\n", 3083 prefix, node->debug_id, node->ptr, node->cookie); 3084 break; 3085 case BINDER_WORK_DEAD_BINDER: 3086 buf += snprintf(buf, end - buf, "%shas dead binder\n", prefix); 3087 break; 3088 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 3089 buf += snprintf(buf, end - buf, 3090 "%shas cleared dead binder\n", prefix); 3091 break; 3092 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 3093 buf += snprintf(buf, end - buf, 3094 "%shas cleared death notification\n", prefix); 3095 break; 3096 default: 3097 buf += snprintf(buf, end - buf, "%sunknown work: type %d\n", 3098 prefix, w->type); 3099 break; 3100 } 3101 return buf; 3102} 3103 3104static char *print_binder_thread(char *buf, char *end, struct binder_thread *thread, int print_always) 3105{ 3106 struct binder_transaction *t; 3107 struct binder_work *w; 3108 char *start_buf = buf; 3109 char *header_buf; 3110 3111 buf += snprintf(buf, end - buf, " thread %d: l %02x\n", thread->pid, thread->looper); 3112 header_buf = buf; 3113 t = thread->transaction_stack; 3114 while (t) { 3115 if (buf >= end) 3116 break; 3117 if (t->from == thread) { 3118 buf = print_binder_transaction(buf, end, " outgoing transaction", t); 3119 t = t->from_parent; 3120 } else if (t->to_thread == thread) { 3121 buf = print_binder_transaction(buf, end, " incoming transaction", t); 3122 t = t->to_parent; 3123 } else { 3124 buf = print_binder_transaction(buf, end, " bad transaction", t); 3125 t = NULL; 3126 } 3127 } 3128 list_for_each_entry(w, &thread->todo, entry) { 3129 if (buf >= end) 3130 break; 3131 buf = print_binder_work(buf, end, " ", 3132 " pending transaction", w); 3133 } 3134 if (!print_always && buf == header_buf) 3135 buf = start_buf; 3136 return buf; 3137} 3138 3139static char *print_binder_node(char *buf, char *end, struct binder_node *node) 3140{ 3141 struct binder_ref *ref; 3142 struct hlist_node *pos; 3143 struct binder_work *w; 3144 int count; 3145 count = 0; 3146 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3147 count++; 3148 3149 buf += snprintf(buf, end - buf, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d", 3150 node->debug_id, node->ptr, node->cookie, 3151 node->has_strong_ref, node->has_weak_ref, 3152 node->local_strong_refs, node->local_weak_refs, 3153 node->internal_strong_refs, count); 3154 if (buf >= end) 3155 return buf; 3156 if (count) { 3157 buf += snprintf(buf, end - buf, " proc"); 3158 if (buf >= end) 3159 return buf; 3160 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 3161 buf += snprintf(buf, end - buf, " %d", ref->proc->pid); 3162 if (buf >= end) 3163 return buf; 3164 } 3165 } 3166 buf += snprintf(buf, end - buf, "\n"); 3167 list_for_each_entry(w, &node->async_todo, entry) { 3168 if (buf >= end) 3169 break; 3170 buf = print_binder_work(buf, end, " ", 3171 " pending async transaction", w); 3172 } 3173 return buf; 3174} 3175 3176static char *print_binder_ref(char *buf, char *end, struct binder_ref *ref) 3177{ 3178 buf += snprintf(buf, end - buf, " ref %d: desc %d %snode %d s %d w %d d %p\n", 3179 ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ", 3180 ref->node->debug_id, ref->strong, ref->weak, ref->death); 3181 return buf; 3182} 3183 3184static char *print_binder_proc(char *buf, char *end, struct binder_proc *proc, int print_all) 3185{ 3186 struct binder_work *w; 3187 struct rb_node *n; 3188 char *start_buf = buf; 3189 char *header_buf; 3190 3191 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3192 header_buf = buf; 3193 3194 for (n = rb_first(&proc->threads); n != NULL && buf < end; n = rb_next(n)) 3195 buf = print_binder_thread(buf, end, rb_entry(n, struct binder_thread, rb_node), print_all); 3196 for (n = rb_first(&proc->nodes); n != NULL && buf < end; n = rb_next(n)) { 3197 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 3198 if (print_all || node->has_async_transaction) 3199 buf = print_binder_node(buf, end, node); 3200 } 3201 if (print_all) { 3202 for (n = rb_first(&proc->refs_by_desc); n != NULL && buf < end; n = rb_next(n)) 3203 buf = print_binder_ref(buf, end, rb_entry(n, struct binder_ref, rb_node_desc)); 3204 } 3205 for (n = rb_first(&proc->allocated_buffers); n != NULL && buf < end; n = rb_next(n)) 3206 buf = print_binder_buffer(buf, end, " buffer", rb_entry(n, struct binder_buffer, rb_node)); 3207 list_for_each_entry(w, &proc->todo, entry) { 3208 if (buf >= end) 3209 break; 3210 buf = print_binder_work(buf, end, " ", 3211 " pending transaction", w); 3212 } 3213 list_for_each_entry(w, &proc->delivered_death, entry) { 3214 if (buf >= end) 3215 break; 3216 buf += snprintf(buf, end - buf, " has delivered dead binder\n"); 3217 break; 3218 } 3219 if (!print_all && buf == header_buf) 3220 buf = start_buf; 3221 return buf; 3222} 3223 3224static const char *binder_return_strings[] = { 3225 "BR_ERROR", 3226 "BR_OK", 3227 "BR_TRANSACTION", 3228 "BR_REPLY", 3229 "BR_ACQUIRE_RESULT", 3230 "BR_DEAD_REPLY", 3231 "BR_TRANSACTION_COMPLETE", 3232 "BR_INCREFS", 3233 "BR_ACQUIRE", 3234 "BR_RELEASE", 3235 "BR_DECREFS", 3236 "BR_ATTEMPT_ACQUIRE", 3237 "BR_NOOP", 3238 "BR_SPAWN_LOOPER", 3239 "BR_FINISHED", 3240 "BR_DEAD_BINDER", 3241 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3242 "BR_FAILED_REPLY" 3243}; 3244 3245static const char *binder_command_strings[] = { 3246 "BC_TRANSACTION", 3247 "BC_REPLY", 3248 "BC_ACQUIRE_RESULT", 3249 "BC_FREE_BUFFER", 3250 "BC_INCREFS", 3251 "BC_ACQUIRE", 3252 "BC_RELEASE", 3253 "BC_DECREFS", 3254 "BC_INCREFS_DONE", 3255 "BC_ACQUIRE_DONE", 3256 "BC_ATTEMPT_ACQUIRE", 3257 "BC_REGISTER_LOOPER", 3258 "BC_ENTER_LOOPER", 3259 "BC_EXIT_LOOPER", 3260 "BC_REQUEST_DEATH_NOTIFICATION", 3261 "BC_CLEAR_DEATH_NOTIFICATION", 3262 "BC_DEAD_BINDER_DONE" 3263}; 3264 3265static const char *binder_objstat_strings[] = { 3266 "proc", 3267 "thread", 3268 "node", 3269 "ref", 3270 "death", 3271 "transaction", 3272 "transaction_complete" 3273}; 3274 3275static char *print_binder_stats(char *buf, char *end, const char *prefix, struct binder_stats *stats) 3276{ 3277 int i; 3278 3279 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != ARRAY_SIZE(binder_command_strings)); 3280 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3281 if (stats->bc[i]) 3282 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3283 binder_command_strings[i], stats->bc[i]); 3284 if (buf >= end) 3285 return buf; 3286 } 3287 3288 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != ARRAY_SIZE(binder_return_strings)); 3289 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3290 if (stats->br[i]) 3291 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3292 binder_return_strings[i], stats->br[i]); 3293 if (buf >= end) 3294 return buf; 3295 } 3296 3297 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != ARRAY_SIZE(binder_objstat_strings)); 3298 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != ARRAY_SIZE(stats->obj_deleted)); 3299 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3300 if (stats->obj_created[i] || stats->obj_deleted[i]) 3301 buf += snprintf(buf, end - buf, "%s%s: active %d total %d\n", prefix, 3302 binder_objstat_strings[i], 3303 stats->obj_created[i] - stats->obj_deleted[i], 3304 stats->obj_created[i]); 3305 if (buf >= end) 3306 return buf; 3307 } 3308 return buf; 3309} 3310 3311static char *print_binder_proc_stats(char *buf, char *end, struct binder_proc *proc) 3312{ 3313 struct binder_work *w; 3314 struct rb_node *n; 3315 int count, strong, weak; 3316 3317 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3318 if (buf >= end) 3319 return buf; 3320 count = 0; 3321 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3322 count++; 3323 buf += snprintf(buf, end - buf, " threads: %d\n", count); 3324 if (buf >= end) 3325 return buf; 3326 buf += snprintf(buf, end - buf, " requested threads: %d+%d/%d\n" 3327 " ready threads %d\n" 3328 " free async space %zd\n", proc->requested_threads, 3329 proc->requested_threads_started, proc->max_threads, 3330 proc->ready_threads, proc->free_async_space); 3331 if (buf >= end) 3332 return buf; 3333 count = 0; 3334 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3335 count++; 3336 buf += snprintf(buf, end - buf, " nodes: %d\n", count); 3337 if (buf >= end) 3338 return buf; 3339 count = 0; 3340 strong = 0; 3341 weak = 0; 3342 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3343 struct binder_ref *ref = rb_entry(n, struct binder_ref, rb_node_desc); 3344 count++; 3345 strong += ref->strong; 3346 weak += ref->weak; 3347 } 3348 buf += snprintf(buf, end - buf, " refs: %d s %d w %d\n", count, strong, weak); 3349 if (buf >= end) 3350 return buf; 3351 3352 count = 0; 3353 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3354 count++; 3355 buf += snprintf(buf, end - buf, " buffers: %d\n", count); 3356 if (buf >= end) 3357 return buf; 3358 3359 count = 0; 3360 list_for_each_entry(w, &proc->todo, entry) { 3361 switch (w->type) { 3362 case BINDER_WORK_TRANSACTION: 3363 count++; 3364 break; 3365 default: 3366 break; 3367 } 3368 } 3369 buf += snprintf(buf, end - buf, " pending transactions: %d\n", count); 3370 if (buf >= end) 3371 return buf; 3372 3373 buf = print_binder_stats(buf, end, " ", &proc->stats); 3374 3375 return buf; 3376} 3377 3378 3379static int binder_read_proc_state( 3380 char *page, char **start, off_t off, int count, int *eof, void *data) 3381{ 3382 struct binder_proc *proc; 3383 struct hlist_node *pos; 3384 struct binder_node *node; 3385 int len = 0; 3386 char *buf = page; 3387 char *end = page + PAGE_SIZE; 3388 int do_lock = !binder_debug_no_lock; 3389 3390 if (off) 3391 return 0; 3392 3393 if (do_lock) 3394 mutex_lock(&binder_lock); 3395 3396 buf += snprintf(buf, end - buf, "binder state:\n"); 3397 3398 if (!hlist_empty(&binder_dead_nodes)) 3399 buf += snprintf(buf, end - buf, "dead nodes:\n"); 3400 hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) { 3401 if (buf >= end) 3402 break; 3403 buf = print_binder_node(buf, end, node); 3404 } 3405 3406 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3407 if (buf >= end) 3408 break; 3409 buf = print_binder_proc(buf, end, proc, 1); 3410 } 3411 if (do_lock) 3412 mutex_unlock(&binder_lock); 3413 if (buf > page + PAGE_SIZE) 3414 buf = page + PAGE_SIZE; 3415 3416 *start = page + off; 3417 3418 len = buf - page; 3419 if (len > off) 3420 len -= off; 3421 else 3422 len = 0; 3423 3424 return len < count ? len : count; 3425} 3426 3427static int binder_read_proc_stats( 3428 char *page, char **start, off_t off, int count, int *eof, void *data) 3429{ 3430 struct binder_proc *proc; 3431 struct hlist_node *pos; 3432 int len = 0; 3433 char *p = page; 3434 int do_lock = !binder_debug_no_lock; 3435 3436 if (off) 3437 return 0; 3438 3439 if (do_lock) 3440 mutex_lock(&binder_lock); 3441 3442 p += snprintf(p, PAGE_SIZE, "binder stats:\n"); 3443 3444 p = print_binder_stats(p, page + PAGE_SIZE, "", &binder_stats); 3445 3446 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3447 if (p >= page + PAGE_SIZE) 3448 break; 3449 p = print_binder_proc_stats(p, page + PAGE_SIZE, proc); 3450 } 3451 if (do_lock) 3452 mutex_unlock(&binder_lock); 3453 if (p > page + PAGE_SIZE) 3454 p = page + PAGE_SIZE; 3455 3456 *start = page + off; 3457 3458 len = p - page; 3459 if (len > off) 3460 len -= off; 3461 else 3462 len = 0; 3463 3464 return len < count ? len : count; 3465} 3466 3467static int binder_read_proc_transactions( 3468 char *page, char **start, off_t off, int count, int *eof, void *data) 3469{ 3470 struct binder_proc *proc; 3471 struct hlist_node *pos; 3472 int len = 0; 3473 char *buf = page; 3474 char *end = page + PAGE_SIZE; 3475 int do_lock = !binder_debug_no_lock; 3476 3477 if (off) 3478 return 0; 3479 3480 if (do_lock) 3481 mutex_lock(&binder_lock); 3482 3483 buf += snprintf(buf, end - buf, "binder transactions:\n"); 3484 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3485 if (buf >= end) 3486 break; 3487 buf = print_binder_proc(buf, end, proc, 0); 3488 } 3489 if (do_lock) 3490 mutex_unlock(&binder_lock); 3491 if (buf > page + PAGE_SIZE) 3492 buf = page + PAGE_SIZE; 3493 3494 *start = page + off; 3495 3496 len = buf - page; 3497 if (len > off) 3498 len -= off; 3499 else 3500 len = 0; 3501 3502 return len < count ? len : count; 3503} 3504 3505static int binder_read_proc_proc( 3506 char *page, char **start, off_t off, int count, int *eof, void *data) 3507{ 3508 struct binder_proc *proc = data; 3509 int len = 0; 3510 char *p = page; 3511 int do_lock = !binder_debug_no_lock; 3512 3513 if (off) 3514 return 0; 3515 3516 if (do_lock) 3517 mutex_lock(&binder_lock); 3518 p += snprintf(p, PAGE_SIZE, "binder proc state:\n"); 3519 p = print_binder_proc(p, page + PAGE_SIZE, proc, 1); 3520 if (do_lock) 3521 mutex_unlock(&binder_lock); 3522 3523 if (p > page + PAGE_SIZE) 3524 p = page + PAGE_SIZE; 3525 *start = page + off; 3526 3527 len = p - page; 3528 if (len > off) 3529 len -= off; 3530 else 3531 len = 0; 3532 3533 return len < count ? len : count; 3534} 3535 3536static char *print_binder_transaction_log_entry(char *buf, char *end, struct binder_transaction_log_entry *e) 3537{ 3538 buf += snprintf(buf, end - buf, "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n", 3539 e->debug_id, (e->call_type == 2) ? "reply" : 3540 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3541 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3542 e->target_handle, e->data_size, e->offsets_size); 3543 return buf; 3544} 3545 3546static int binder_read_proc_transaction_log( 3547 char *page, char **start, off_t off, int count, int *eof, void *data) 3548{ 3549 struct binder_transaction_log *log = data; 3550 int len = 0; 3551 int i; 3552 char *buf = page; 3553 char *end = page + PAGE_SIZE; 3554 3555 if (off) 3556 return 0; 3557 3558 if (log->full) { 3559 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) { 3560 if (buf >= end) 3561 break; 3562 buf = print_binder_transaction_log_entry(buf, end, &log->entry[i]); 3563 } 3564 } 3565 for (i = 0; i < log->next; i++) { 3566 if (buf >= end) 3567 break; 3568 buf = print_binder_transaction_log_entry(buf, end, &log->entry[i]); 3569 } 3570 3571 *start = page + off; 3572 3573 len = buf - page; 3574 if (len > off) 3575 len -= off; 3576 else 3577 len = 0; 3578 3579 return len < count ? len : count; 3580} 3581 3582static struct file_operations binder_fops = { 3583 .owner = THIS_MODULE, 3584 .poll = binder_poll, 3585 .unlocked_ioctl = binder_ioctl, 3586 .mmap = binder_mmap, 3587 .open = binder_open, 3588 .flush = binder_flush, 3589 .release = binder_release, 3590}; 3591 3592static struct miscdevice binder_miscdev = { 3593 .minor = MISC_DYNAMIC_MINOR, 3594 .name = "binder", 3595 .fops = &binder_fops 3596}; 3597 3598static int __init binder_init(void) 3599{ 3600 int ret; 3601 3602 binder_proc_dir_entry_root = proc_mkdir("binder", NULL); 3603 if (binder_proc_dir_entry_root) 3604 binder_proc_dir_entry_proc = proc_mkdir("proc", binder_proc_dir_entry_root); 3605 ret = misc_register(&binder_miscdev); 3606 if (binder_proc_dir_entry_root) { 3607 create_proc_read_entry("state", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_state, NULL); 3608 create_proc_read_entry("stats", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_stats, NULL); 3609 create_proc_read_entry("transactions", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transactions, NULL); 3610 create_proc_read_entry("transaction_log", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transaction_log, &binder_transaction_log); 3611 create_proc_read_entry("failed_transaction_log", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transaction_log, &binder_transaction_log_failed); 3612 } 3613 return ret; 3614} 3615 3616device_initcall(binder_init); 3617 3618MODULE_LICENSE("GPL v2"); 3619