binder.c revision 9279bcc31698842961a30bb05b00aef7236dd728
1/* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18#include <asm/cacheflush.h> 19#include <linux/fdtable.h> 20#include <linux/file.h> 21#include <linux/fs.h> 22#include <linux/list.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/mutex.h> 27#include <linux/nsproxy.h> 28#include <linux/poll.h> 29#include <linux/proc_fs.h> 30#include <linux/rbtree.h> 31#include <linux/sched.h> 32#include <linux/uaccess.h> 33#include <linux/vmalloc.h> 34#include "binder.h" 35 36static DEFINE_MUTEX(binder_lock); 37static HLIST_HEAD(binder_procs); 38static struct binder_node *binder_context_mgr_node; 39static uid_t binder_context_mgr_uid = -1; 40static int binder_last_id; 41static struct proc_dir_entry *binder_proc_dir_entry_root; 42static struct proc_dir_entry *binder_proc_dir_entry_proc; 43static struct hlist_head binder_dead_nodes; 44 45static int binder_read_proc_proc( 46 char *page, char **start, off_t off, int count, int *eof, void *data); 47 48/* This is only defined in include/asm-arm/sizes.h */ 49#ifndef SZ_1K 50#define SZ_1K 0x400 51#endif 52 53#ifndef SZ_4M 54#define SZ_4M 0x400000 55#endif 56 57#ifndef __i386__ 58#define FORBIDDEN_MMAP_FLAGS (VM_WRITE | VM_EXEC) 59#else 60#define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 61#endif 62 63#define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 64 65enum { 66 BINDER_DEBUG_USER_ERROR = 1U << 0, 67 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 68 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 69 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 70 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 71 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 72 BINDER_DEBUG_READ_WRITE = 1U << 6, 73 BINDER_DEBUG_USER_REFS = 1U << 7, 74 BINDER_DEBUG_THREADS = 1U << 8, 75 BINDER_DEBUG_TRANSACTION = 1U << 9, 76 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 77 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 78 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 79 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 80 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 81 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 82}; 83static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 84 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 85module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 86static int binder_debug_no_lock; 87module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 88static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 89static int binder_stop_on_user_error; 90static int binder_set_stop_on_user_error( 91 const char *val, struct kernel_param *kp) 92{ 93 int ret; 94 ret = param_set_int(val, kp); 95 if (binder_stop_on_user_error < 2) 96 wake_up(&binder_user_error_wait); 97 return ret; 98} 99module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 100 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 101 102#define binder_user_error(x...) \ 103 do { \ 104 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 105 printk(KERN_INFO x); \ 106 if (binder_stop_on_user_error) \ 107 binder_stop_on_user_error = 2; \ 108 } while (0) 109 110enum { 111 BINDER_STAT_PROC, 112 BINDER_STAT_THREAD, 113 BINDER_STAT_NODE, 114 BINDER_STAT_REF, 115 BINDER_STAT_DEATH, 116 BINDER_STAT_TRANSACTION, 117 BINDER_STAT_TRANSACTION_COMPLETE, 118 BINDER_STAT_COUNT 119}; 120 121struct binder_stats { 122 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 123 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 124 int obj_created[BINDER_STAT_COUNT]; 125 int obj_deleted[BINDER_STAT_COUNT]; 126}; 127 128static struct binder_stats binder_stats; 129 130struct binder_transaction_log_entry { 131 int debug_id; 132 int call_type; 133 int from_proc; 134 int from_thread; 135 int target_handle; 136 int to_proc; 137 int to_thread; 138 int to_node; 139 int data_size; 140 int offsets_size; 141}; 142struct binder_transaction_log { 143 int next; 144 int full; 145 struct binder_transaction_log_entry entry[32]; 146}; 147struct binder_transaction_log binder_transaction_log; 148struct binder_transaction_log binder_transaction_log_failed; 149 150static struct binder_transaction_log_entry *binder_transaction_log_add( 151 struct binder_transaction_log *log) 152{ 153 struct binder_transaction_log_entry *e; 154 e = &log->entry[log->next]; 155 memset(e, 0, sizeof(*e)); 156 log->next++; 157 if (log->next == ARRAY_SIZE(log->entry)) { 158 log->next = 0; 159 log->full = 1; 160 } 161 return e; 162} 163 164struct binder_work { 165 struct list_head entry; 166 enum { 167 BINDER_WORK_TRANSACTION = 1, 168 BINDER_WORK_TRANSACTION_COMPLETE, 169 BINDER_WORK_NODE, 170 BINDER_WORK_DEAD_BINDER, 171 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 172 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 173 } type; 174}; 175 176struct binder_node { 177 int debug_id; 178 struct binder_work work; 179 union { 180 struct rb_node rb_node; 181 struct hlist_node dead_node; 182 }; 183 struct binder_proc *proc; 184 struct hlist_head refs; 185 int internal_strong_refs; 186 int local_weak_refs; 187 int local_strong_refs; 188 void __user *ptr; 189 void __user *cookie; 190 unsigned has_strong_ref : 1; 191 unsigned pending_strong_ref : 1; 192 unsigned has_weak_ref : 1; 193 unsigned pending_weak_ref : 1; 194 unsigned has_async_transaction : 1; 195 unsigned accept_fds : 1; 196 int min_priority : 8; 197 struct list_head async_todo; 198}; 199 200struct binder_ref_death { 201 struct binder_work work; 202 void __user *cookie; 203}; 204 205struct binder_ref { 206 /* Lookups needed: */ 207 /* node + proc => ref (transaction) */ 208 /* desc + proc => ref (transaction, inc/dec ref) */ 209 /* node => refs + procs (proc exit) */ 210 int debug_id; 211 struct rb_node rb_node_desc; 212 struct rb_node rb_node_node; 213 struct hlist_node node_entry; 214 struct binder_proc *proc; 215 struct binder_node *node; 216 uint32_t desc; 217 int strong; 218 int weak; 219 struct binder_ref_death *death; 220}; 221 222struct binder_buffer { 223 struct list_head entry; /* free and allocated entries by addesss */ 224 struct rb_node rb_node; /* free entry by size or allocated entry */ 225 /* by address */ 226 unsigned free : 1; 227 unsigned allow_user_free : 1; 228 unsigned async_transaction : 1; 229 unsigned debug_id : 29; 230 231 struct binder_transaction *transaction; 232 233 struct binder_node *target_node; 234 size_t data_size; 235 size_t offsets_size; 236 uint8_t data[0]; 237}; 238 239struct binder_proc { 240 struct hlist_node proc_node; 241 struct rb_root threads; 242 struct rb_root nodes; 243 struct rb_root refs_by_desc; 244 struct rb_root refs_by_node; 245 int pid; 246 struct vm_area_struct *vma; 247 struct task_struct *tsk; 248 void *buffer; 249 size_t user_buffer_offset; 250 251 struct list_head buffers; 252 struct rb_root free_buffers; 253 struct rb_root allocated_buffers; 254 size_t free_async_space; 255 256 struct page **pages; 257 size_t buffer_size; 258 uint32_t buffer_free; 259 struct list_head todo; 260 wait_queue_head_t wait; 261 struct binder_stats stats; 262 struct list_head delivered_death; 263 int max_threads; 264 int requested_threads; 265 int requested_threads_started; 266 int ready_threads; 267 long default_priority; 268}; 269 270enum { 271 BINDER_LOOPER_STATE_REGISTERED = 0x01, 272 BINDER_LOOPER_STATE_ENTERED = 0x02, 273 BINDER_LOOPER_STATE_EXITED = 0x04, 274 BINDER_LOOPER_STATE_INVALID = 0x08, 275 BINDER_LOOPER_STATE_WAITING = 0x10, 276 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 277}; 278 279struct binder_thread { 280 struct binder_proc *proc; 281 struct rb_node rb_node; 282 int pid; 283 int looper; 284 struct binder_transaction *transaction_stack; 285 struct list_head todo; 286 uint32_t return_error; /* Write failed, return error code in read buf */ 287 uint32_t return_error2; /* Write failed, return error code in read */ 288 /* buffer. Used when sending a reply to a dead process that */ 289 /* we are also waiting on */ 290 wait_queue_head_t wait; 291 struct binder_stats stats; 292}; 293 294struct binder_transaction { 295 int debug_id; 296 struct binder_work work; 297 struct binder_thread *from; 298 struct binder_transaction *from_parent; 299 struct binder_proc *to_proc; 300 struct binder_thread *to_thread; 301 struct binder_transaction *to_parent; 302 unsigned need_reply : 1; 303 /*unsigned is_dead : 1;*/ /* not used at the moment */ 304 305 struct binder_buffer *buffer; 306 unsigned int code; 307 unsigned int flags; 308 long priority; 309 long saved_priority; 310 uid_t sender_euid; 311}; 312 313/* 314 * copied from get_unused_fd_flags 315 */ 316int task_get_unused_fd_flags(struct task_struct *tsk, int flags) 317{ 318 struct files_struct *files = get_files_struct(tsk); 319 int fd, error; 320 struct fdtable *fdt; 321 unsigned long rlim_cur; 322 323 if (files == NULL) 324 return -ESRCH; 325 326 error = -EMFILE; 327 spin_lock(&files->file_lock); 328 329repeat: 330 fdt = files_fdtable(files); 331 fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds, 332 files->next_fd); 333 334 /* 335 * N.B. For clone tasks sharing a files structure, this test 336 * will limit the total number of files that can be opened. 337 */ 338 rcu_read_lock(); 339 if (tsk->signal) 340 rlim_cur = tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; 341 else 342 rlim_cur = 0; 343 rcu_read_unlock(); 344 if (fd >= rlim_cur) 345 goto out; 346 347 /* Do we need to expand the fd array or fd set? */ 348 error = expand_files(files, fd); 349 if (error < 0) 350 goto out; 351 352 if (error) { 353 /* 354 * If we needed to expand the fs array we 355 * might have blocked - try again. 356 */ 357 error = -EMFILE; 358 goto repeat; 359 } 360 361 FD_SET(fd, fdt->open_fds); 362 if (flags & O_CLOEXEC) 363 FD_SET(fd, fdt->close_on_exec); 364 else 365 FD_CLR(fd, fdt->close_on_exec); 366 files->next_fd = fd + 1; 367#if 1 368 /* Sanity check */ 369 if (fdt->fd[fd] != NULL) { 370 printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); 371 fdt->fd[fd] = NULL; 372 } 373#endif 374 error = fd; 375 376out: 377 spin_unlock(&files->file_lock); 378 put_files_struct(files); 379 return error; 380} 381 382/* 383 * copied from fd_install 384 */ 385static void task_fd_install( 386 struct task_struct *tsk, unsigned int fd, struct file *file) 387{ 388 struct files_struct *files = get_files_struct(tsk); 389 struct fdtable *fdt; 390 391 if (files == NULL) 392 return; 393 394 spin_lock(&files->file_lock); 395 fdt = files_fdtable(files); 396 BUG_ON(fdt->fd[fd] != NULL); 397 rcu_assign_pointer(fdt->fd[fd], file); 398 spin_unlock(&files->file_lock); 399 put_files_struct(files); 400} 401 402/* 403 * copied from __put_unused_fd in open.c 404 */ 405static void __put_unused_fd(struct files_struct *files, unsigned int fd) 406{ 407 struct fdtable *fdt = files_fdtable(files); 408 __FD_CLR(fd, fdt->open_fds); 409 if (fd < files->next_fd) 410 files->next_fd = fd; 411} 412 413/* 414 * copied from sys_close 415 */ 416static long task_close_fd(struct task_struct *tsk, unsigned int fd) 417{ 418 struct file *filp; 419 struct files_struct *files = get_files_struct(tsk); 420 struct fdtable *fdt; 421 int retval; 422 423 if (files == NULL) 424 return -ESRCH; 425 426 spin_lock(&files->file_lock); 427 fdt = files_fdtable(files); 428 if (fd >= fdt->max_fds) 429 goto out_unlock; 430 filp = fdt->fd[fd]; 431 if (!filp) 432 goto out_unlock; 433 rcu_assign_pointer(fdt->fd[fd], NULL); 434 FD_CLR(fd, fdt->close_on_exec); 435 __put_unused_fd(files, fd); 436 spin_unlock(&files->file_lock); 437 retval = filp_close(filp, files); 438 439 /* can't restart close syscall because file table entry was cleared */ 440 if (unlikely(retval == -ERESTARTSYS || 441 retval == -ERESTARTNOINTR || 442 retval == -ERESTARTNOHAND || 443 retval == -ERESTART_RESTARTBLOCK)) 444 retval = -EINTR; 445 446 put_files_struct(files); 447 return retval; 448 449out_unlock: 450 spin_unlock(&files->file_lock); 451 put_files_struct(files); 452 return -EBADF; 453} 454 455static void binder_set_nice(long nice) 456{ 457 long min_nice; 458 if (can_nice(current, nice)) { 459 set_user_nice(current, nice); 460 return; 461 } 462 min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 463 if (binder_debug_mask & BINDER_DEBUG_PRIORITY_CAP) 464 printk(KERN_INFO "binder: %d: nice value %ld not allowed use " 465 "%ld instead\n", current->pid, nice, min_nice); 466 set_user_nice(current, min_nice); 467 if (min_nice < 20) 468 return; 469 binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 470} 471 472static size_t binder_buffer_size( 473 struct binder_proc *proc, struct binder_buffer *buffer) 474{ 475 if (list_is_last(&buffer->entry, &proc->buffers)) 476 return proc->buffer + proc->buffer_size - (void *)buffer->data; 477 else 478 return (size_t)list_entry(buffer->entry.next, 479 struct binder_buffer, entry) - (size_t)buffer->data; 480} 481 482static void binder_insert_free_buffer( 483 struct binder_proc *proc, struct binder_buffer *new_buffer) 484{ 485 struct rb_node **p = &proc->free_buffers.rb_node; 486 struct rb_node *parent = NULL; 487 struct binder_buffer *buffer; 488 size_t buffer_size; 489 size_t new_buffer_size; 490 491 BUG_ON(!new_buffer->free); 492 493 new_buffer_size = binder_buffer_size(proc, new_buffer); 494 495 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 496 printk(KERN_INFO "binder: %d: add free buffer, size %zd, " 497 "at %p\n", proc->pid, new_buffer_size, new_buffer); 498 499 while (*p) { 500 parent = *p; 501 buffer = rb_entry(parent, struct binder_buffer, rb_node); 502 BUG_ON(!buffer->free); 503 504 buffer_size = binder_buffer_size(proc, buffer); 505 506 if (new_buffer_size < buffer_size) 507 p = &parent->rb_left; 508 else 509 p = &parent->rb_right; 510 } 511 rb_link_node(&new_buffer->rb_node, parent, p); 512 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 513} 514 515static void binder_insert_allocated_buffer( 516 struct binder_proc *proc, struct binder_buffer *new_buffer) 517{ 518 struct rb_node **p = &proc->allocated_buffers.rb_node; 519 struct rb_node *parent = NULL; 520 struct binder_buffer *buffer; 521 522 BUG_ON(new_buffer->free); 523 524 while (*p) { 525 parent = *p; 526 buffer = rb_entry(parent, struct binder_buffer, rb_node); 527 BUG_ON(buffer->free); 528 529 if (new_buffer < buffer) 530 p = &parent->rb_left; 531 else if (new_buffer > buffer) 532 p = &parent->rb_right; 533 else 534 BUG(); 535 } 536 rb_link_node(&new_buffer->rb_node, parent, p); 537 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 538} 539 540static struct binder_buffer *binder_buffer_lookup( 541 struct binder_proc *proc, void __user *user_ptr) 542{ 543 struct rb_node *n = proc->allocated_buffers.rb_node; 544 struct binder_buffer *buffer; 545 struct binder_buffer *kern_ptr; 546 547 kern_ptr = user_ptr - proc->user_buffer_offset 548 - offsetof(struct binder_buffer, data); 549 550 while (n) { 551 buffer = rb_entry(n, struct binder_buffer, rb_node); 552 BUG_ON(buffer->free); 553 554 if (kern_ptr < buffer) 555 n = n->rb_left; 556 else if (kern_ptr > buffer) 557 n = n->rb_right; 558 else 559 return buffer; 560 } 561 return NULL; 562} 563 564static int binder_update_page_range(struct binder_proc *proc, int allocate, 565 void *start, void *end, struct vm_area_struct *vma) 566{ 567 void *page_addr; 568 unsigned long user_page_addr; 569 struct vm_struct tmp_area; 570 struct page **page; 571 struct mm_struct *mm; 572 573 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 574 printk(KERN_INFO "binder: %d: %s pages %p-%p\n", 575 proc->pid, allocate ? "allocate" : "free", start, end); 576 577 if (end <= start) 578 return 0; 579 580 if (vma) 581 mm = NULL; 582 else 583 mm = get_task_mm(proc->tsk); 584 585 if (mm) { 586 down_write(&mm->mmap_sem); 587 vma = proc->vma; 588 } 589 590 if (allocate == 0) 591 goto free_range; 592 593 if (vma == NULL) { 594 printk(KERN_ERR "binder: %d: binder_alloc_buf failed to " 595 "map pages in userspace, no vma\n", proc->pid); 596 goto err_no_vma; 597 } 598 599 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 600 int ret; 601 struct page **page_array_ptr; 602 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 603 604 BUG_ON(*page); 605 *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 606 if (*page == NULL) { 607 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 608 "for page at %p\n", proc->pid, page_addr); 609 goto err_alloc_page_failed; 610 } 611 tmp_area.addr = page_addr; 612 tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 613 page_array_ptr = page; 614 ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 615 if (ret) { 616 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 617 "to map page at %p in kernel\n", 618 proc->pid, page_addr); 619 goto err_map_kernel_failed; 620 } 621 user_page_addr = (size_t)page_addr + proc->user_buffer_offset; 622 ret = vm_insert_page(vma, user_page_addr, page[0]); 623 if (ret) { 624 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 625 "to map page at %lx in userspace\n", 626 proc->pid, user_page_addr); 627 goto err_vm_insert_page_failed; 628 } 629 /* vm_insert_page does not seem to increment the refcount */ 630 } 631 if (mm) { 632 up_write(&mm->mmap_sem); 633 mmput(mm); 634 } 635 return 0; 636 637free_range: 638 for (page_addr = end - PAGE_SIZE; page_addr >= start; 639 page_addr -= PAGE_SIZE) { 640 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 641 if (vma) 642 zap_page_range(vma, (size_t)page_addr + 643 proc->user_buffer_offset, PAGE_SIZE, NULL); 644err_vm_insert_page_failed: 645 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 646err_map_kernel_failed: 647 __free_page(*page); 648 *page = NULL; 649err_alloc_page_failed: 650 ; 651 } 652err_no_vma: 653 if (mm) { 654 up_write(&mm->mmap_sem); 655 mmput(mm); 656 } 657 return -ENOMEM; 658} 659 660static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 661 size_t data_size, size_t offsets_size, int is_async) 662{ 663 struct rb_node *n = proc->free_buffers.rb_node; 664 struct binder_buffer *buffer; 665 size_t buffer_size; 666 struct rb_node *best_fit = NULL; 667 void *has_page_addr; 668 void *end_page_addr; 669 size_t size; 670 671 if (proc->vma == NULL) { 672 printk(KERN_ERR "binder: %d: binder_alloc_buf, no vma\n", 673 proc->pid); 674 return NULL; 675 } 676 677 size = ALIGN(data_size, sizeof(void *)) + 678 ALIGN(offsets_size, sizeof(void *)); 679 680 if (size < data_size || size < offsets_size) { 681 binder_user_error("binder: %d: got transaction with invalid " 682 "size %zd-%zd\n", proc->pid, data_size, offsets_size); 683 return NULL; 684 } 685 686 if (is_async && 687 proc->free_async_space < size + sizeof(struct binder_buffer)) { 688 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 689 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd f" 690 "ailed, no async space left\n", proc->pid, size); 691 return NULL; 692 } 693 694 while (n) { 695 buffer = rb_entry(n, struct binder_buffer, rb_node); 696 BUG_ON(!buffer->free); 697 buffer_size = binder_buffer_size(proc, buffer); 698 699 if (size < buffer_size) { 700 best_fit = n; 701 n = n->rb_left; 702 } else if (size > buffer_size) 703 n = n->rb_right; 704 else { 705 best_fit = n; 706 break; 707 } 708 } 709 if (best_fit == NULL) { 710 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd failed, " 711 "no address space\n", proc->pid, size); 712 return NULL; 713 } 714 if (n == NULL) { 715 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 716 buffer_size = binder_buffer_size(proc, buffer); 717 } 718 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 719 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd got buff" 720 "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 721 722 has_page_addr = 723 (void *)(((size_t)buffer->data + buffer_size) & PAGE_MASK); 724 if (n == NULL) { 725 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 726 buffer_size = size; /* no room for other buffers */ 727 else 728 buffer_size = size + sizeof(struct binder_buffer); 729 } 730 end_page_addr = (void *)PAGE_ALIGN((size_t)buffer->data + buffer_size); 731 if (end_page_addr > has_page_addr) 732 end_page_addr = has_page_addr; 733 if (binder_update_page_range(proc, 1, 734 (void *)PAGE_ALIGN((size_t)buffer->data), end_page_addr, NULL)) 735 return NULL; 736 737 rb_erase(best_fit, &proc->free_buffers); 738 buffer->free = 0; 739 binder_insert_allocated_buffer(proc, buffer); 740 if (buffer_size != size) { 741 struct binder_buffer *new_buffer = (void *)buffer->data + size; 742 list_add(&new_buffer->entry, &buffer->entry); 743 new_buffer->free = 1; 744 binder_insert_free_buffer(proc, new_buffer); 745 } 746 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 747 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd got " 748 "%p\n", proc->pid, size, buffer); 749 buffer->data_size = data_size; 750 buffer->offsets_size = offsets_size; 751 buffer->async_transaction = is_async; 752 if (is_async) { 753 proc->free_async_space -= size + sizeof(struct binder_buffer); 754 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC_ASYNC) 755 printk(KERN_INFO "binder: %d: binder_alloc_buf size %zd " 756 "async free %zd\n", proc->pid, size, 757 proc->free_async_space); 758 } 759 760 return buffer; 761} 762 763static void *buffer_start_page(struct binder_buffer *buffer) 764{ 765 return (void *)((size_t)buffer & PAGE_MASK); 766} 767 768static void *buffer_end_page(struct binder_buffer *buffer) 769{ 770 return (void *)(((size_t)(buffer + 1) - 1) & PAGE_MASK); 771} 772 773static void binder_delete_free_buffer( 774 struct binder_proc *proc, struct binder_buffer *buffer) 775{ 776 struct binder_buffer *prev, *next = NULL; 777 int free_page_end = 1; 778 int free_page_start = 1; 779 780 BUG_ON(proc->buffers.next == &buffer->entry); 781 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 782 BUG_ON(!prev->free); 783 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 784 free_page_start = 0; 785 if (buffer_end_page(prev) == buffer_end_page(buffer)) 786 free_page_end = 0; 787 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 788 printk(KERN_INFO "binder: %d: merge free, buffer %p " 789 "share page with %p\n", proc->pid, buffer, prev); 790 } 791 792 if (!list_is_last(&buffer->entry, &proc->buffers)) { 793 next = list_entry(buffer->entry.next, 794 struct binder_buffer, entry); 795 if (buffer_start_page(next) == buffer_end_page(buffer)) { 796 free_page_end = 0; 797 if (buffer_start_page(next) == 798 buffer_start_page(buffer)) 799 free_page_start = 0; 800 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 801 printk(KERN_INFO "binder: %d: merge free, " 802 "buffer %p share page with %p\n", 803 proc->pid, buffer, prev); 804 } 805 } 806 list_del(&buffer->entry); 807 if (free_page_start || free_page_end) { 808 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 809 printk(KERN_INFO "binder: %d: merge free, buffer %p do " 810 "not share page%s%s with with %p or %p\n", 811 proc->pid, buffer, free_page_start ? "" : " end", 812 free_page_end ? "" : " start", prev, next); 813 binder_update_page_range(proc, 0, free_page_start ? 814 buffer_start_page(buffer) : buffer_end_page(buffer), 815 (free_page_end ? buffer_end_page(buffer) : 816 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 817 } 818} 819 820static void binder_free_buf( 821 struct binder_proc *proc, struct binder_buffer *buffer) 822{ 823 size_t size, buffer_size; 824 825 buffer_size = binder_buffer_size(proc, buffer); 826 827 size = ALIGN(buffer->data_size, sizeof(void *)) + 828 ALIGN(buffer->offsets_size, sizeof(void *)); 829 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 830 printk(KERN_INFO "binder: %d: binder_free_buf %p size %zd buffer" 831 "_size %zd\n", proc->pid, buffer, size, buffer_size); 832 833 BUG_ON(buffer->free); 834 BUG_ON(size > buffer_size); 835 BUG_ON(buffer->transaction != NULL); 836 BUG_ON((void *)buffer < proc->buffer); 837 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 838 839 if (buffer->async_transaction) { 840 proc->free_async_space += size + sizeof(struct binder_buffer); 841 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC_ASYNC) 842 printk(KERN_INFO "binder: %d: binder_free_buf size %zd " 843 "async free %zd\n", proc->pid, size, 844 proc->free_async_space); 845 } 846 847 binder_update_page_range(proc, 0, 848 (void *)PAGE_ALIGN((size_t)buffer->data), 849 (void *)(((size_t)buffer->data + buffer_size) & PAGE_MASK), 850 NULL); 851 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 852 buffer->free = 1; 853 if (!list_is_last(&buffer->entry, &proc->buffers)) { 854 struct binder_buffer *next = list_entry(buffer->entry.next, 855 struct binder_buffer, entry); 856 if (next->free) { 857 rb_erase(&next->rb_node, &proc->free_buffers); 858 binder_delete_free_buffer(proc, next); 859 } 860 } 861 if (proc->buffers.next != &buffer->entry) { 862 struct binder_buffer *prev = list_entry(buffer->entry.prev, 863 struct binder_buffer, entry); 864 if (prev->free) { 865 binder_delete_free_buffer(proc, buffer); 866 rb_erase(&prev->rb_node, &proc->free_buffers); 867 buffer = prev; 868 } 869 } 870 binder_insert_free_buffer(proc, buffer); 871} 872 873static struct binder_node * 874binder_get_node(struct binder_proc *proc, void __user *ptr) 875{ 876 struct rb_node *n = proc->nodes.rb_node; 877 struct binder_node *node; 878 879 while (n) { 880 node = rb_entry(n, struct binder_node, rb_node); 881 882 if (ptr < node->ptr) 883 n = n->rb_left; 884 else if (ptr > node->ptr) 885 n = n->rb_right; 886 else 887 return node; 888 } 889 return NULL; 890} 891 892static struct binder_node * 893binder_new_node(struct binder_proc *proc, void __user *ptr, void __user *cookie) 894{ 895 struct rb_node **p = &proc->nodes.rb_node; 896 struct rb_node *parent = NULL; 897 struct binder_node *node; 898 899 while (*p) { 900 parent = *p; 901 node = rb_entry(parent, struct binder_node, rb_node); 902 903 if (ptr < node->ptr) 904 p = &(*p)->rb_left; 905 else if (ptr > node->ptr) 906 p = &(*p)->rb_right; 907 else 908 return NULL; 909 } 910 911 node = kzalloc(sizeof(*node), GFP_KERNEL); 912 if (node == NULL) 913 return NULL; 914 binder_stats.obj_created[BINDER_STAT_NODE]++; 915 rb_link_node(&node->rb_node, parent, p); 916 rb_insert_color(&node->rb_node, &proc->nodes); 917 node->debug_id = ++binder_last_id; 918 node->proc = proc; 919 node->ptr = ptr; 920 node->cookie = cookie; 921 node->work.type = BINDER_WORK_NODE; 922 INIT_LIST_HEAD(&node->work.entry); 923 INIT_LIST_HEAD(&node->async_todo); 924 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 925 printk(KERN_INFO "binder: %d:%d node %d u%p c%p created\n", 926 proc->pid, current->pid, node->debug_id, 927 node->ptr, node->cookie); 928 return node; 929} 930 931static int 932binder_inc_node(struct binder_node *node, int strong, int internal, 933 struct list_head *target_list) 934{ 935 if (strong) { 936 if (internal) { 937 if (target_list == NULL && 938 node->internal_strong_refs == 0 && 939 !(node == binder_context_mgr_node && 940 node->has_strong_ref)) { 941 printk(KERN_ERR "binder: invalid inc strong " 942 "node for %d\n", node->debug_id); 943 return -EINVAL; 944 } 945 node->internal_strong_refs++; 946 } else 947 node->local_strong_refs++; 948 if (!node->has_strong_ref && target_list) { 949 list_del_init(&node->work.entry); 950 list_add_tail(&node->work.entry, target_list); 951 } 952 } else { 953 if (!internal) 954 node->local_weak_refs++; 955 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 956 if (target_list == NULL) { 957 printk(KERN_ERR "binder: invalid inc weak node " 958 "for %d\n", node->debug_id); 959 return -EINVAL; 960 } 961 list_add_tail(&node->work.entry, target_list); 962 } 963 } 964 return 0; 965} 966 967static int 968binder_dec_node(struct binder_node *node, int strong, int internal) 969{ 970 if (strong) { 971 if (internal) 972 node->internal_strong_refs--; 973 else 974 node->local_strong_refs--; 975 if (node->local_strong_refs || node->internal_strong_refs) 976 return 0; 977 } else { 978 if (!internal) 979 node->local_weak_refs--; 980 if (node->local_weak_refs || !hlist_empty(&node->refs)) 981 return 0; 982 } 983 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 984 if (list_empty(&node->work.entry)) { 985 list_add_tail(&node->work.entry, &node->proc->todo); 986 wake_up_interruptible(&node->proc->wait); 987 } 988 } else { 989 if (hlist_empty(&node->refs) && !node->local_strong_refs && 990 !node->local_weak_refs) { 991 list_del_init(&node->work.entry); 992 if (node->proc) { 993 rb_erase(&node->rb_node, &node->proc->nodes); 994 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 995 printk(KERN_INFO "binder: refless node %d deleted\n", node->debug_id); 996 } else { 997 hlist_del(&node->dead_node); 998 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 999 printk(KERN_INFO "binder: dead node %d deleted\n", node->debug_id); 1000 } 1001 kfree(node); 1002 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 1003 } 1004 } 1005 1006 return 0; 1007} 1008 1009 1010static struct binder_ref * 1011binder_get_ref(struct binder_proc *proc, uint32_t desc) 1012{ 1013 struct rb_node *n = proc->refs_by_desc.rb_node; 1014 struct binder_ref *ref; 1015 1016 while (n) { 1017 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1018 1019 if (desc < ref->desc) 1020 n = n->rb_left; 1021 else if (desc > ref->desc) 1022 n = n->rb_right; 1023 else 1024 return ref; 1025 } 1026 return NULL; 1027} 1028 1029static struct binder_ref * 1030binder_get_ref_for_node(struct binder_proc *proc, struct binder_node *node) 1031{ 1032 struct rb_node *n; 1033 struct rb_node **p = &proc->refs_by_node.rb_node; 1034 struct rb_node *parent = NULL; 1035 struct binder_ref *ref, *new_ref; 1036 1037 while (*p) { 1038 parent = *p; 1039 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1040 1041 if (node < ref->node) 1042 p = &(*p)->rb_left; 1043 else if (node > ref->node) 1044 p = &(*p)->rb_right; 1045 else 1046 return ref; 1047 } 1048 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1049 if (new_ref == NULL) 1050 return NULL; 1051 binder_stats.obj_created[BINDER_STAT_REF]++; 1052 new_ref->debug_id = ++binder_last_id; 1053 new_ref->proc = proc; 1054 new_ref->node = node; 1055 rb_link_node(&new_ref->rb_node_node, parent, p); 1056 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1057 1058 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1059 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1060 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1061 if (ref->desc > new_ref->desc) 1062 break; 1063 new_ref->desc = ref->desc + 1; 1064 } 1065 1066 p = &proc->refs_by_desc.rb_node; 1067 while (*p) { 1068 parent = *p; 1069 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1070 1071 if (new_ref->desc < ref->desc) 1072 p = &(*p)->rb_left; 1073 else if (new_ref->desc > ref->desc) 1074 p = &(*p)->rb_right; 1075 else 1076 BUG(); 1077 } 1078 rb_link_node(&new_ref->rb_node_desc, parent, p); 1079 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1080 if (node) { 1081 hlist_add_head(&new_ref->node_entry, &node->refs); 1082 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1083 printk(KERN_INFO "binder: %d new ref %d desc %d for " 1084 "node %d\n", proc->pid, new_ref->debug_id, 1085 new_ref->desc, node->debug_id); 1086 } else { 1087 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1088 printk(KERN_INFO "binder: %d new ref %d desc %d for " 1089 "dead node\n", proc->pid, new_ref->debug_id, 1090 new_ref->desc); 1091 } 1092 return new_ref; 1093} 1094 1095static void 1096binder_delete_ref(struct binder_ref *ref) 1097{ 1098 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 1099 printk(KERN_INFO "binder: %d delete ref %d desc %d for " 1100 "node %d\n", ref->proc->pid, ref->debug_id, 1101 ref->desc, ref->node->debug_id); 1102 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1103 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1104 if (ref->strong) 1105 binder_dec_node(ref->node, 1, 1); 1106 hlist_del(&ref->node_entry); 1107 binder_dec_node(ref->node, 0, 1); 1108 if (ref->death) { 1109 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1110 printk(KERN_INFO "binder: %d delete ref %d desc %d " 1111 "has death notification\n", ref->proc->pid, 1112 ref->debug_id, ref->desc); 1113 list_del(&ref->death->work.entry); 1114 kfree(ref->death); 1115 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 1116 } 1117 kfree(ref); 1118 binder_stats.obj_deleted[BINDER_STAT_REF]++; 1119} 1120 1121static int 1122binder_inc_ref( 1123 struct binder_ref *ref, int strong, struct list_head *target_list) 1124{ 1125 int ret; 1126 if (strong) { 1127 if (ref->strong == 0) { 1128 ret = binder_inc_node(ref->node, 1, 1, target_list); 1129 if (ret) 1130 return ret; 1131 } 1132 ref->strong++; 1133 } else { 1134 if (ref->weak == 0) { 1135 ret = binder_inc_node(ref->node, 0, 1, target_list); 1136 if (ret) 1137 return ret; 1138 } 1139 ref->weak++; 1140 } 1141 return 0; 1142} 1143 1144 1145static int 1146binder_dec_ref(struct binder_ref *ref, int strong) 1147{ 1148 if (strong) { 1149 if (ref->strong == 0) { 1150 binder_user_error("binder: %d invalid dec strong, " 1151 "ref %d desc %d s %d w %d\n", 1152 ref->proc->pid, ref->debug_id, 1153 ref->desc, ref->strong, ref->weak); 1154 return -EINVAL; 1155 } 1156 ref->strong--; 1157 if (ref->strong == 0) { 1158 int ret; 1159 ret = binder_dec_node(ref->node, strong, 1); 1160 if (ret) 1161 return ret; 1162 } 1163 } else { 1164 if (ref->weak == 0) { 1165 binder_user_error("binder: %d invalid dec weak, " 1166 "ref %d desc %d s %d w %d\n", 1167 ref->proc->pid, ref->debug_id, 1168 ref->desc, ref->strong, ref->weak); 1169 return -EINVAL; 1170 } 1171 ref->weak--; 1172 } 1173 if (ref->strong == 0 && ref->weak == 0) 1174 binder_delete_ref(ref); 1175 return 0; 1176} 1177 1178static void 1179binder_pop_transaction( 1180 struct binder_thread *target_thread, struct binder_transaction *t) 1181{ 1182 if (target_thread) { 1183 BUG_ON(target_thread->transaction_stack != t); 1184 BUG_ON(target_thread->transaction_stack->from != target_thread); 1185 target_thread->transaction_stack = 1186 target_thread->transaction_stack->from_parent; 1187 t->from = NULL; 1188 } 1189 t->need_reply = 0; 1190 if (t->buffer) 1191 t->buffer->transaction = NULL; 1192 kfree(t); 1193 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1194} 1195 1196static void 1197binder_send_failed_reply(struct binder_transaction *t, uint32_t error_code) 1198{ 1199 struct binder_thread *target_thread; 1200 BUG_ON(t->flags & TF_ONE_WAY); 1201 while (1) { 1202 target_thread = t->from; 1203 if (target_thread) { 1204 if (target_thread->return_error != BR_OK && 1205 target_thread->return_error2 == BR_OK) { 1206 target_thread->return_error2 = 1207 target_thread->return_error; 1208 target_thread->return_error = BR_OK; 1209 } 1210 if (target_thread->return_error == BR_OK) { 1211 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1212 printk(KERN_INFO "binder: send failed reply for transaction %d to %d:%d\n", 1213 t->debug_id, target_thread->proc->pid, target_thread->pid); 1214 1215 binder_pop_transaction(target_thread, t); 1216 target_thread->return_error = error_code; 1217 wake_up_interruptible(&target_thread->wait); 1218 } else { 1219 printk(KERN_ERR "binder: reply failed, target " 1220 "thread, %d:%d, has error code %d " 1221 "already\n", target_thread->proc->pid, 1222 target_thread->pid, 1223 target_thread->return_error); 1224 } 1225 return; 1226 } else { 1227 struct binder_transaction *next = t->from_parent; 1228 1229 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1230 printk(KERN_INFO "binder: send failed reply " 1231 "for transaction %d, target dead\n", 1232 t->debug_id); 1233 1234 binder_pop_transaction(target_thread, t); 1235 if (next == NULL) { 1236 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1237 printk(KERN_INFO "binder: reply failed," 1238 " no target thread at root\n"); 1239 return; 1240 } 1241 t = next; 1242 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 1243 printk(KERN_INFO "binder: reply failed, no targ" 1244 "et thread -- retry %d\n", t->debug_id); 1245 } 1246 } 1247} 1248 1249static void 1250binder_transaction_buffer_release(struct binder_proc *proc, 1251 struct binder_buffer *buffer, size_t *failed_at); 1252 1253static void 1254binder_transaction(struct binder_proc *proc, struct binder_thread *thread, 1255 struct binder_transaction_data *tr, int reply) 1256{ 1257 struct binder_transaction *t; 1258 struct binder_work *tcomplete; 1259 size_t *offp, *off_end; 1260 struct binder_proc *target_proc; 1261 struct binder_thread *target_thread = NULL; 1262 struct binder_node *target_node = NULL; 1263 struct list_head *target_list; 1264 wait_queue_head_t *target_wait; 1265 struct binder_transaction *in_reply_to = NULL; 1266 struct binder_transaction_log_entry *e; 1267 uint32_t return_error; 1268 1269 e = binder_transaction_log_add(&binder_transaction_log); 1270 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1271 e->from_proc = proc->pid; 1272 e->from_thread = thread->pid; 1273 e->target_handle = tr->target.handle; 1274 e->data_size = tr->data_size; 1275 e->offsets_size = tr->offsets_size; 1276 1277 if (reply) { 1278 in_reply_to = thread->transaction_stack; 1279 if (in_reply_to == NULL) { 1280 binder_user_error("binder: %d:%d got reply transaction " 1281 "with no transaction stack\n", 1282 proc->pid, thread->pid); 1283 return_error = BR_FAILED_REPLY; 1284 goto err_empty_call_stack; 1285 } 1286 binder_set_nice(in_reply_to->saved_priority); 1287 if (in_reply_to->to_thread != thread) { 1288 binder_user_error("binder: %d:%d got reply transaction " 1289 "with bad transaction stack," 1290 " transaction %d has target %d:%d\n", 1291 proc->pid, thread->pid, in_reply_to->debug_id, 1292 in_reply_to->to_proc ? 1293 in_reply_to->to_proc->pid : 0, 1294 in_reply_to->to_thread ? 1295 in_reply_to->to_thread->pid : 0); 1296 return_error = BR_FAILED_REPLY; 1297 in_reply_to = NULL; 1298 goto err_bad_call_stack; 1299 } 1300 thread->transaction_stack = in_reply_to->to_parent; 1301 target_thread = in_reply_to->from; 1302 if (target_thread == NULL) { 1303 return_error = BR_DEAD_REPLY; 1304 goto err_dead_binder; 1305 } 1306 if (target_thread->transaction_stack != in_reply_to) { 1307 binder_user_error("binder: %d:%d got reply transaction " 1308 "with bad target transaction stack %d, " 1309 "expected %d\n", 1310 proc->pid, thread->pid, 1311 target_thread->transaction_stack ? 1312 target_thread->transaction_stack->debug_id : 0, 1313 in_reply_to->debug_id); 1314 return_error = BR_FAILED_REPLY; 1315 in_reply_to = NULL; 1316 target_thread = NULL; 1317 goto err_dead_binder; 1318 } 1319 target_proc = target_thread->proc; 1320 } else { 1321 if (tr->target.handle) { 1322 struct binder_ref *ref; 1323 ref = binder_get_ref(proc, tr->target.handle); 1324 if (ref == NULL) { 1325 binder_user_error("binder: %d:%d got " 1326 "transaction to invalid handle\n", 1327 proc->pid, thread->pid); 1328 return_error = BR_FAILED_REPLY; 1329 goto err_invalid_target_handle; 1330 } 1331 target_node = ref->node; 1332 } else { 1333 target_node = binder_context_mgr_node; 1334 if (target_node == NULL) { 1335 return_error = BR_DEAD_REPLY; 1336 goto err_no_context_mgr_node; 1337 } 1338 } 1339 e->to_node = target_node->debug_id; 1340 target_proc = target_node->proc; 1341 if (target_proc == NULL) { 1342 return_error = BR_DEAD_REPLY; 1343 goto err_dead_binder; 1344 } 1345 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1346 struct binder_transaction *tmp; 1347 tmp = thread->transaction_stack; 1348 while (tmp) { 1349 if (tmp->from && tmp->from->proc == target_proc) 1350 target_thread = tmp->from; 1351 tmp = tmp->from_parent; 1352 } 1353 } 1354 } 1355 if (target_thread) { 1356 e->to_thread = target_thread->pid; 1357 target_list = &target_thread->todo; 1358 target_wait = &target_thread->wait; 1359 } else { 1360 target_list = &target_proc->todo; 1361 target_wait = &target_proc->wait; 1362 } 1363 e->to_proc = target_proc->pid; 1364 1365 /* TODO: reuse incoming transaction for reply */ 1366 t = kzalloc(sizeof(*t), GFP_KERNEL); 1367 if (t == NULL) { 1368 return_error = BR_FAILED_REPLY; 1369 goto err_alloc_t_failed; 1370 } 1371 binder_stats.obj_created[BINDER_STAT_TRANSACTION]++; 1372 1373 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1374 if (tcomplete == NULL) { 1375 return_error = BR_FAILED_REPLY; 1376 goto err_alloc_tcomplete_failed; 1377 } 1378 binder_stats.obj_created[BINDER_STAT_TRANSACTION_COMPLETE]++; 1379 1380 t->debug_id = ++binder_last_id; 1381 e->debug_id = t->debug_id; 1382 1383 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) { 1384 if (reply) 1385 printk(KERN_INFO "binder: %d:%d BC_REPLY %d -> %d:%d, " 1386 "data %p-%p size %zd-%zd\n", 1387 proc->pid, thread->pid, t->debug_id, 1388 target_proc->pid, target_thread->pid, 1389 tr->data.ptr.buffer, tr->data.ptr.offsets, 1390 tr->data_size, tr->offsets_size); 1391 else 1392 printk(KERN_INFO "binder: %d:%d BC_TRANSACTION %d -> " 1393 "%d - node %d, data %p-%p size %zd-%zd\n", 1394 proc->pid, thread->pid, t->debug_id, 1395 target_proc->pid, target_node->debug_id, 1396 tr->data.ptr.buffer, tr->data.ptr.offsets, 1397 tr->data_size, tr->offsets_size); 1398 } 1399 1400 if (!reply && !(tr->flags & TF_ONE_WAY)) 1401 t->from = thread; 1402 else 1403 t->from = NULL; 1404 t->sender_euid = proc->tsk->cred->euid; 1405 t->to_proc = target_proc; 1406 t->to_thread = target_thread; 1407 t->code = tr->code; 1408 t->flags = tr->flags; 1409 t->priority = task_nice(current); 1410 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1411 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1412 if (t->buffer == NULL) { 1413 return_error = BR_FAILED_REPLY; 1414 goto err_binder_alloc_buf_failed; 1415 } 1416 t->buffer->allow_user_free = 0; 1417 t->buffer->debug_id = t->debug_id; 1418 t->buffer->transaction = t; 1419 t->buffer->target_node = target_node; 1420 if (target_node) 1421 binder_inc_node(target_node, 1, 0, NULL); 1422 1423 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1424 1425 if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1426 binder_user_error("binder: %d:%d got transaction with invalid " 1427 "data ptr\n", proc->pid, thread->pid); 1428 return_error = BR_FAILED_REPLY; 1429 goto err_copy_data_failed; 1430 } 1431 if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1432 binder_user_error("binder: %d:%d got transaction with invalid " 1433 "offsets ptr\n", proc->pid, thread->pid); 1434 return_error = BR_FAILED_REPLY; 1435 goto err_copy_data_failed; 1436 } 1437 off_end = (void *)offp + tr->offsets_size; 1438 for (; offp < off_end; offp++) { 1439 struct flat_binder_object *fp; 1440 if (*offp > t->buffer->data_size - sizeof(*fp)) { 1441 binder_user_error("binder: %d:%d got transaction with " 1442 "invalid offset, %zd\n", 1443 proc->pid, thread->pid, *offp); 1444 return_error = BR_FAILED_REPLY; 1445 goto err_bad_offset; 1446 } 1447 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1448 switch (fp->type) { 1449 case BINDER_TYPE_BINDER: 1450 case BINDER_TYPE_WEAK_BINDER: { 1451 struct binder_ref *ref; 1452 struct binder_node *node = binder_get_node(proc, fp->binder); 1453 if (node == NULL) { 1454 node = binder_new_node(proc, fp->binder, fp->cookie); 1455 if (node == NULL) { 1456 return_error = BR_FAILED_REPLY; 1457 goto err_binder_new_node_failed; 1458 } 1459 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1460 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1461 } 1462 if (fp->cookie != node->cookie) { 1463 binder_user_error("binder: %d:%d sending u%p " 1464 "node %d, cookie mismatch %p != %p\n", 1465 proc->pid, thread->pid, 1466 fp->binder, node->debug_id, 1467 fp->cookie, node->cookie); 1468 goto err_binder_get_ref_for_node_failed; 1469 } 1470 ref = binder_get_ref_for_node(target_proc, node); 1471 if (ref == NULL) { 1472 return_error = BR_FAILED_REPLY; 1473 goto err_binder_get_ref_for_node_failed; 1474 } 1475 if (fp->type == BINDER_TYPE_BINDER) 1476 fp->type = BINDER_TYPE_HANDLE; 1477 else 1478 fp->type = BINDER_TYPE_WEAK_HANDLE; 1479 fp->handle = ref->desc; 1480 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, &thread->todo); 1481 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1482 printk(KERN_INFO " node %d u%p -> ref %d desc %d\n", 1483 node->debug_id, node->ptr, ref->debug_id, ref->desc); 1484 } break; 1485 case BINDER_TYPE_HANDLE: 1486 case BINDER_TYPE_WEAK_HANDLE: { 1487 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1488 if (ref == NULL) { 1489 binder_user_error("binder: %d:%d got " 1490 "transaction with invalid " 1491 "handle, %ld\n", proc->pid, 1492 thread->pid, fp->handle); 1493 return_error = BR_FAILED_REPLY; 1494 goto err_binder_get_ref_failed; 1495 } 1496 if (ref->node->proc == target_proc) { 1497 if (fp->type == BINDER_TYPE_HANDLE) 1498 fp->type = BINDER_TYPE_BINDER; 1499 else 1500 fp->type = BINDER_TYPE_WEAK_BINDER; 1501 fp->binder = ref->node->ptr; 1502 fp->cookie = ref->node->cookie; 1503 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1504 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1505 printk(KERN_INFO " ref %d desc %d -> node %d u%p\n", 1506 ref->debug_id, ref->desc, ref->node->debug_id, ref->node->ptr); 1507 } else { 1508 struct binder_ref *new_ref; 1509 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1510 if (new_ref == NULL) { 1511 return_error = BR_FAILED_REPLY; 1512 goto err_binder_get_ref_for_node_failed; 1513 } 1514 fp->handle = new_ref->desc; 1515 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1516 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1517 printk(KERN_INFO " ref %d desc %d -> ref %d desc %d (node %d)\n", 1518 ref->debug_id, ref->desc, new_ref->debug_id, new_ref->desc, ref->node->debug_id); 1519 } 1520 } break; 1521 1522 case BINDER_TYPE_FD: { 1523 int target_fd; 1524 struct file *file; 1525 1526 if (reply) { 1527 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1528 binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1529 proc->pid, thread->pid, fp->handle); 1530 return_error = BR_FAILED_REPLY; 1531 goto err_fd_not_allowed; 1532 } 1533 } else if (!target_node->accept_fds) { 1534 binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1535 proc->pid, thread->pid, fp->handle); 1536 return_error = BR_FAILED_REPLY; 1537 goto err_fd_not_allowed; 1538 } 1539 1540 file = fget(fp->handle); 1541 if (file == NULL) { 1542 binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1543 proc->pid, thread->pid, fp->handle); 1544 return_error = BR_FAILED_REPLY; 1545 goto err_fget_failed; 1546 } 1547 target_fd = task_get_unused_fd_flags(target_proc->tsk, O_CLOEXEC); 1548 if (target_fd < 0) { 1549 fput(file); 1550 return_error = BR_FAILED_REPLY; 1551 goto err_get_unused_fd_failed; 1552 } 1553 task_fd_install(target_proc->tsk, target_fd, file); 1554 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1555 printk(KERN_INFO " fd %ld -> %d\n", fp->handle, target_fd); 1556 /* TODO: fput? */ 1557 fp->handle = target_fd; 1558 } break; 1559 1560 default: 1561 binder_user_error("binder: %d:%d got transactio" 1562 "n with invalid object type, %lx\n", 1563 proc->pid, thread->pid, fp->type); 1564 return_error = BR_FAILED_REPLY; 1565 goto err_bad_object_type; 1566 } 1567 } 1568 if (reply) { 1569 BUG_ON(t->buffer->async_transaction != 0); 1570 binder_pop_transaction(target_thread, in_reply_to); 1571 } else if (!(t->flags & TF_ONE_WAY)) { 1572 BUG_ON(t->buffer->async_transaction != 0); 1573 t->need_reply = 1; 1574 t->from_parent = thread->transaction_stack; 1575 thread->transaction_stack = t; 1576 } else { 1577 BUG_ON(target_node == NULL); 1578 BUG_ON(t->buffer->async_transaction != 1); 1579 if (target_node->has_async_transaction) { 1580 target_list = &target_node->async_todo; 1581 target_wait = NULL; 1582 } else 1583 target_node->has_async_transaction = 1; 1584 } 1585 t->work.type = BINDER_WORK_TRANSACTION; 1586 list_add_tail(&t->work.entry, target_list); 1587 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1588 list_add_tail(&tcomplete->entry, &thread->todo); 1589 if (target_wait) 1590 wake_up_interruptible(target_wait); 1591 return; 1592 1593err_get_unused_fd_failed: 1594err_fget_failed: 1595err_fd_not_allowed: 1596err_binder_get_ref_for_node_failed: 1597err_binder_get_ref_failed: 1598err_binder_new_node_failed: 1599err_bad_object_type: 1600err_bad_offset: 1601err_copy_data_failed: 1602 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1603 t->buffer->transaction = NULL; 1604 binder_free_buf(target_proc, t->buffer); 1605err_binder_alloc_buf_failed: 1606 kfree(tcomplete); 1607 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 1608err_alloc_tcomplete_failed: 1609 kfree(t); 1610 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1611err_alloc_t_failed: 1612err_bad_call_stack: 1613err_empty_call_stack: 1614err_dead_binder: 1615err_invalid_target_handle: 1616err_no_context_mgr_node: 1617 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1618 printk(KERN_INFO "binder: %d:%d transaction failed %d, size" 1619 "%zd-%zd\n", 1620 proc->pid, thread->pid, return_error, 1621 tr->data_size, tr->offsets_size); 1622 1623 { 1624 struct binder_transaction_log_entry *fe; 1625 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1626 *fe = *e; 1627 } 1628 1629 BUG_ON(thread->return_error != BR_OK); 1630 if (in_reply_to) { 1631 thread->return_error = BR_TRANSACTION_COMPLETE; 1632 binder_send_failed_reply(in_reply_to, return_error); 1633 } else 1634 thread->return_error = return_error; 1635} 1636 1637static void 1638binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer *buffer, size_t *failed_at) 1639{ 1640 size_t *offp, *off_end; 1641 int debug_id = buffer->debug_id; 1642 1643 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1644 printk(KERN_INFO "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1645 proc->pid, buffer->debug_id, 1646 buffer->data_size, buffer->offsets_size, failed_at); 1647 1648 if (buffer->target_node) 1649 binder_dec_node(buffer->target_node, 1, 0); 1650 1651 offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1652 if (failed_at) 1653 off_end = failed_at; 1654 else 1655 off_end = (void *)offp + buffer->offsets_size; 1656 for (; offp < off_end; offp++) { 1657 struct flat_binder_object *fp; 1658 if (*offp > buffer->data_size - sizeof(*fp)) { 1659 printk(KERN_ERR "binder: transaction release %d bad" 1660 "offset %zd, size %zd\n", debug_id, *offp, buffer->data_size); 1661 continue; 1662 } 1663 fp = (struct flat_binder_object *)(buffer->data + *offp); 1664 switch (fp->type) { 1665 case BINDER_TYPE_BINDER: 1666 case BINDER_TYPE_WEAK_BINDER: { 1667 struct binder_node *node = binder_get_node(proc, fp->binder); 1668 if (node == NULL) { 1669 printk(KERN_ERR "binder: transaction release %d bad node %p\n", debug_id, fp->binder); 1670 break; 1671 } 1672 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1673 printk(KERN_INFO " node %d u%p\n", 1674 node->debug_id, node->ptr); 1675 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1676 } break; 1677 case BINDER_TYPE_HANDLE: 1678 case BINDER_TYPE_WEAK_HANDLE: { 1679 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1680 if (ref == NULL) { 1681 printk(KERN_ERR "binder: transaction release %d bad handle %ld\n", debug_id, fp->handle); 1682 break; 1683 } 1684 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1685 printk(KERN_INFO " ref %d desc %d (node %d)\n", 1686 ref->debug_id, ref->desc, ref->node->debug_id); 1687 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1688 } break; 1689 1690 case BINDER_TYPE_FD: 1691 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 1692 printk(KERN_INFO " fd %ld\n", fp->handle); 1693 if (failed_at) 1694 task_close_fd(proc->tsk, fp->handle); 1695 break; 1696 1697 default: 1698 printk(KERN_ERR "binder: transaction release %d bad object type %lx\n", debug_id, fp->type); 1699 break; 1700 } 1701 } 1702} 1703 1704int 1705binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1706 void __user *buffer, int size, signed long *consumed) 1707{ 1708 uint32_t cmd; 1709 void __user *ptr = buffer + *consumed; 1710 void __user *end = buffer + size; 1711 1712 while (ptr < end && thread->return_error == BR_OK) { 1713 if (get_user(cmd, (uint32_t __user *)ptr)) 1714 return -EFAULT; 1715 ptr += sizeof(uint32_t); 1716 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1717 binder_stats.bc[_IOC_NR(cmd)]++; 1718 proc->stats.bc[_IOC_NR(cmd)]++; 1719 thread->stats.bc[_IOC_NR(cmd)]++; 1720 } 1721 switch (cmd) { 1722 case BC_INCREFS: 1723 case BC_ACQUIRE: 1724 case BC_RELEASE: 1725 case BC_DECREFS: { 1726 uint32_t target; 1727 struct binder_ref *ref; 1728 const char *debug_string; 1729 1730 if (get_user(target, (uint32_t __user *)ptr)) 1731 return -EFAULT; 1732 ptr += sizeof(uint32_t); 1733 if (target == 0 && binder_context_mgr_node && 1734 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1735 ref = binder_get_ref_for_node(proc, 1736 binder_context_mgr_node); 1737 if (ref->desc != target) { 1738 binder_user_error("binder: %d:" 1739 "%d tried to acquire " 1740 "reference to desc 0, " 1741 "got %d instead\n", 1742 proc->pid, thread->pid, 1743 ref->desc); 1744 } 1745 } else 1746 ref = binder_get_ref(proc, target); 1747 if (ref == NULL) { 1748 binder_user_error("binder: %d:%d refcou" 1749 "nt change on invalid ref %d\n", 1750 proc->pid, thread->pid, target); 1751 break; 1752 } 1753 switch (cmd) { 1754 case BC_INCREFS: 1755 debug_string = "IncRefs"; 1756 binder_inc_ref(ref, 0, NULL); 1757 break; 1758 case BC_ACQUIRE: 1759 debug_string = "Acquire"; 1760 binder_inc_ref(ref, 1, NULL); 1761 break; 1762 case BC_RELEASE: 1763 debug_string = "Release"; 1764 binder_dec_ref(ref, 1); 1765 break; 1766 case BC_DECREFS: 1767 default: 1768 debug_string = "DecRefs"; 1769 binder_dec_ref(ref, 0); 1770 break; 1771 } 1772 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 1773 printk(KERN_INFO "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1774 proc->pid, thread->pid, debug_string, ref->debug_id, ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1775 break; 1776 } 1777 case BC_INCREFS_DONE: 1778 case BC_ACQUIRE_DONE: { 1779 void __user *node_ptr; 1780 void *cookie; 1781 struct binder_node *node; 1782 1783 if (get_user(node_ptr, (void * __user *)ptr)) 1784 return -EFAULT; 1785 ptr += sizeof(void *); 1786 if (get_user(cookie, (void * __user *)ptr)) 1787 return -EFAULT; 1788 ptr += sizeof(void *); 1789 node = binder_get_node(proc, node_ptr); 1790 if (node == NULL) { 1791 binder_user_error("binder: %d:%d " 1792 "%s u%p no match\n", 1793 proc->pid, thread->pid, 1794 cmd == BC_INCREFS_DONE ? 1795 "BC_INCREFS_DONE" : 1796 "BC_ACQUIRE_DONE", 1797 node_ptr); 1798 break; 1799 } 1800 if (cookie != node->cookie) { 1801 binder_user_error("binder: %d:%d %s u%p node %d" 1802 " cookie mismatch %p != %p\n", 1803 proc->pid, thread->pid, 1804 cmd == BC_INCREFS_DONE ? 1805 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1806 node_ptr, node->debug_id, 1807 cookie, node->cookie); 1808 break; 1809 } 1810 if (cmd == BC_ACQUIRE_DONE) { 1811 if (node->pending_strong_ref == 0) { 1812 binder_user_error("binder: %d:%d " 1813 "BC_ACQUIRE_DONE node %d has " 1814 "no pending acquire request\n", 1815 proc->pid, thread->pid, 1816 node->debug_id); 1817 break; 1818 } 1819 node->pending_strong_ref = 0; 1820 } else { 1821 if (node->pending_weak_ref == 0) { 1822 binder_user_error("binder: %d:%d " 1823 "BC_INCREFS_DONE node %d has " 1824 "no pending increfs request\n", 1825 proc->pid, thread->pid, 1826 node->debug_id); 1827 break; 1828 } 1829 node->pending_weak_ref = 0; 1830 } 1831 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1832 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 1833 printk(KERN_INFO "binder: %d:%d %s node %d ls %d lw %d\n", 1834 proc->pid, thread->pid, cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", node->debug_id, node->local_strong_refs, node->local_weak_refs); 1835 break; 1836 } 1837 case BC_ATTEMPT_ACQUIRE: 1838 printk(KERN_ERR "binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1839 return -EINVAL; 1840 case BC_ACQUIRE_RESULT: 1841 printk(KERN_ERR "binder: BC_ACQUIRE_RESULT not supported\n"); 1842 return -EINVAL; 1843 1844 case BC_FREE_BUFFER: { 1845 void __user *data_ptr; 1846 struct binder_buffer *buffer; 1847 1848 if (get_user(data_ptr, (void * __user *)ptr)) 1849 return -EFAULT; 1850 ptr += sizeof(void *); 1851 1852 buffer = binder_buffer_lookup(proc, data_ptr); 1853 if (buffer == NULL) { 1854 binder_user_error("binder: %d:%d " 1855 "BC_FREE_BUFFER u%p no match\n", 1856 proc->pid, thread->pid, data_ptr); 1857 break; 1858 } 1859 if (!buffer->allow_user_free) { 1860 binder_user_error("binder: %d:%d " 1861 "BC_FREE_BUFFER u%p matched " 1862 "unreturned buffer\n", 1863 proc->pid, thread->pid, data_ptr); 1864 break; 1865 } 1866 if (binder_debug_mask & BINDER_DEBUG_FREE_BUFFER) 1867 printk(KERN_INFO "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1868 proc->pid, thread->pid, data_ptr, buffer->debug_id, 1869 buffer->transaction ? "active" : "finished"); 1870 1871 if (buffer->transaction) { 1872 buffer->transaction->buffer = NULL; 1873 buffer->transaction = NULL; 1874 } 1875 if (buffer->async_transaction && buffer->target_node) { 1876 BUG_ON(!buffer->target_node->has_async_transaction); 1877 if (list_empty(&buffer->target_node->async_todo)) 1878 buffer->target_node->has_async_transaction = 0; 1879 else 1880 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1881 } 1882 binder_transaction_buffer_release(proc, buffer, NULL); 1883 binder_free_buf(proc, buffer); 1884 break; 1885 } 1886 1887 case BC_TRANSACTION: 1888 case BC_REPLY: { 1889 struct binder_transaction_data tr; 1890 1891 if (copy_from_user(&tr, ptr, sizeof(tr))) 1892 return -EFAULT; 1893 ptr += sizeof(tr); 1894 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1895 break; 1896 } 1897 1898 case BC_REGISTER_LOOPER: 1899 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1900 printk(KERN_INFO "binder: %d:%d BC_REGISTER_LOOPER\n", 1901 proc->pid, thread->pid); 1902 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1903 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1904 binder_user_error("binder: %d:%d ERROR:" 1905 " BC_REGISTER_LOOPER called " 1906 "after BC_ENTER_LOOPER\n", 1907 proc->pid, thread->pid); 1908 } else if (proc->requested_threads == 0) { 1909 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1910 binder_user_error("binder: %d:%d ERROR:" 1911 " BC_REGISTER_LOOPER called " 1912 "without request\n", 1913 proc->pid, thread->pid); 1914 } else { 1915 proc->requested_threads--; 1916 proc->requested_threads_started++; 1917 } 1918 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 1919 break; 1920 case BC_ENTER_LOOPER: 1921 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1922 printk(KERN_INFO "binder: %d:%d BC_ENTER_LOOPER\n", 1923 proc->pid, thread->pid); 1924 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 1925 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1926 binder_user_error("binder: %d:%d ERROR:" 1927 " BC_ENTER_LOOPER called after " 1928 "BC_REGISTER_LOOPER\n", 1929 proc->pid, thread->pid); 1930 } 1931 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 1932 break; 1933 case BC_EXIT_LOOPER: 1934 if (binder_debug_mask & BINDER_DEBUG_THREADS) 1935 printk(KERN_INFO "binder: %d:%d BC_EXIT_LOOPER\n", 1936 proc->pid, thread->pid); 1937 thread->looper |= BINDER_LOOPER_STATE_EXITED; 1938 break; 1939 1940 case BC_REQUEST_DEATH_NOTIFICATION: 1941 case BC_CLEAR_DEATH_NOTIFICATION: { 1942 uint32_t target; 1943 void __user *cookie; 1944 struct binder_ref *ref; 1945 struct binder_ref_death *death; 1946 1947 if (get_user(target, (uint32_t __user *)ptr)) 1948 return -EFAULT; 1949 ptr += sizeof(uint32_t); 1950 if (get_user(cookie, (void __user * __user *)ptr)) 1951 return -EFAULT; 1952 ptr += sizeof(void *); 1953 ref = binder_get_ref(proc, target); 1954 if (ref == NULL) { 1955 binder_user_error("binder: %d:%d %s " 1956 "invalid ref %d\n", 1957 proc->pid, thread->pid, 1958 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1959 "BC_REQUEST_DEATH_NOTIFICATION" : 1960 "BC_CLEAR_DEATH_NOTIFICATION", 1961 target); 1962 break; 1963 } 1964 1965 if (binder_debug_mask & BINDER_DEBUG_DEATH_NOTIFICATION) 1966 printk(KERN_INFO "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 1967 proc->pid, thread->pid, 1968 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1969 "BC_REQUEST_DEATH_NOTIFICATION" : 1970 "BC_CLEAR_DEATH_NOTIFICATION", 1971 cookie, ref->debug_id, ref->desc, 1972 ref->strong, ref->weak, ref->node->debug_id); 1973 1974 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 1975 if (ref->death) { 1976 binder_user_error("binder: %d:%" 1977 "d BC_REQUEST_DEATH_NOTI" 1978 "FICATION death notific" 1979 "ation already set\n", 1980 proc->pid, thread->pid); 1981 break; 1982 } 1983 death = kzalloc(sizeof(*death), GFP_KERNEL); 1984 if (death == NULL) { 1985 thread->return_error = BR_ERROR; 1986 if (binder_debug_mask & BINDER_DEBUG_FAILED_TRANSACTION) 1987 printk(KERN_INFO "binder: %d:%d " 1988 "BC_REQUEST_DEATH_NOTIFICATION failed\n", 1989 proc->pid, thread->pid); 1990 break; 1991 } 1992 binder_stats.obj_created[BINDER_STAT_DEATH]++; 1993 INIT_LIST_HEAD(&death->work.entry); 1994 death->cookie = cookie; 1995 ref->death = death; 1996 if (ref->node->proc == NULL) { 1997 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 1998 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 1999 list_add_tail(&ref->death->work.entry, &thread->todo); 2000 } else { 2001 list_add_tail(&ref->death->work.entry, &proc->todo); 2002 wake_up_interruptible(&proc->wait); 2003 } 2004 } 2005 } else { 2006 if (ref->death == NULL) { 2007 binder_user_error("binder: %d:%" 2008 "d BC_CLEAR_DEATH_NOTIFI" 2009 "CATION death notificat" 2010 "ion not active\n", 2011 proc->pid, thread->pid); 2012 break; 2013 } 2014 death = ref->death; 2015 if (death->cookie != cookie) { 2016 binder_user_error("binder: %d:%" 2017 "d BC_CLEAR_DEATH_NOTIFI" 2018 "CATION death notificat" 2019 "ion cookie mismatch " 2020 "%p != %p\n", 2021 proc->pid, thread->pid, 2022 death->cookie, cookie); 2023 break; 2024 } 2025 ref->death = NULL; 2026 if (list_empty(&death->work.entry)) { 2027 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2028 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2029 list_add_tail(&death->work.entry, &thread->todo); 2030 } else { 2031 list_add_tail(&death->work.entry, &proc->todo); 2032 wake_up_interruptible(&proc->wait); 2033 } 2034 } else { 2035 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2036 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2037 } 2038 } 2039 } break; 2040 case BC_DEAD_BINDER_DONE: { 2041 struct binder_work *w; 2042 void __user *cookie; 2043 struct binder_ref_death *death = NULL; 2044 if (get_user(cookie, (void __user * __user *)ptr)) 2045 return -EFAULT; 2046 2047 ptr += sizeof(void *); 2048 list_for_each_entry(w, &proc->delivered_death, entry) { 2049 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2050 if (tmp_death->cookie == cookie) { 2051 death = tmp_death; 2052 break; 2053 } 2054 } 2055 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2056 printk(KERN_INFO "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2057 proc->pid, thread->pid, cookie, death); 2058 if (death == NULL) { 2059 binder_user_error("binder: %d:%d BC_DEAD" 2060 "_BINDER_DONE %p not found\n", 2061 proc->pid, thread->pid, cookie); 2062 break; 2063 } 2064 2065 list_del_init(&death->work.entry); 2066 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2067 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2068 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2069 list_add_tail(&death->work.entry, &thread->todo); 2070 } else { 2071 list_add_tail(&death->work.entry, &proc->todo); 2072 wake_up_interruptible(&proc->wait); 2073 } 2074 } 2075 } break; 2076 2077 default: 2078 printk(KERN_ERR "binder: %d:%d unknown command %d\n", proc->pid, thread->pid, cmd); 2079 return -EINVAL; 2080 } 2081 *consumed = ptr - buffer; 2082 } 2083 return 0; 2084} 2085 2086void 2087binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, uint32_t cmd) 2088{ 2089 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2090 binder_stats.br[_IOC_NR(cmd)]++; 2091 proc->stats.br[_IOC_NR(cmd)]++; 2092 thread->stats.br[_IOC_NR(cmd)]++; 2093 } 2094} 2095 2096static int 2097binder_has_proc_work(struct binder_proc *proc, struct binder_thread *thread) 2098{ 2099 return !list_empty(&proc->todo) || (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2100} 2101 2102static int 2103binder_has_thread_work(struct binder_thread *thread) 2104{ 2105 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2106 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2107} 2108 2109static int 2110binder_thread_read(struct binder_proc *proc, struct binder_thread *thread, 2111 void __user *buffer, int size, signed long *consumed, int non_block) 2112{ 2113 void __user *ptr = buffer + *consumed; 2114 void __user *end = buffer + size; 2115 2116 int ret = 0; 2117 int wait_for_proc_work; 2118 2119 if (*consumed == 0) { 2120 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2121 return -EFAULT; 2122 ptr += sizeof(uint32_t); 2123 } 2124 2125retry: 2126 wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo); 2127 2128 if (thread->return_error != BR_OK && ptr < end) { 2129 if (thread->return_error2 != BR_OK) { 2130 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2131 return -EFAULT; 2132 ptr += sizeof(uint32_t); 2133 if (ptr == end) 2134 goto done; 2135 thread->return_error2 = BR_OK; 2136 } 2137 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2138 return -EFAULT; 2139 ptr += sizeof(uint32_t); 2140 thread->return_error = BR_OK; 2141 goto done; 2142 } 2143 2144 2145 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2146 if (wait_for_proc_work) 2147 proc->ready_threads++; 2148 mutex_unlock(&binder_lock); 2149 if (wait_for_proc_work) { 2150 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2151 BINDER_LOOPER_STATE_ENTERED))) { 2152 binder_user_error("binder: %d:%d ERROR: Thread waiting " 2153 "for process work before calling BC_REGISTER_" 2154 "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2155 proc->pid, thread->pid, thread->looper); 2156 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2157 } 2158 binder_set_nice(proc->default_priority); 2159 if (non_block) { 2160 if (!binder_has_proc_work(proc, thread)) 2161 ret = -EAGAIN; 2162 } else 2163 ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2164 } else { 2165 if (non_block) { 2166 if (!binder_has_thread_work(thread)) 2167 ret = -EAGAIN; 2168 } else 2169 ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2170 } 2171 mutex_lock(&binder_lock); 2172 if (wait_for_proc_work) 2173 proc->ready_threads--; 2174 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2175 2176 if (ret) 2177 return ret; 2178 2179 while (1) { 2180 uint32_t cmd; 2181 struct binder_transaction_data tr; 2182 struct binder_work *w; 2183 struct binder_transaction *t = NULL; 2184 2185 if (!list_empty(&thread->todo)) 2186 w = list_first_entry(&thread->todo, struct binder_work, entry); 2187 else if (!list_empty(&proc->todo) && wait_for_proc_work) 2188 w = list_first_entry(&proc->todo, struct binder_work, entry); 2189 else { 2190 if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2191 goto retry; 2192 break; 2193 } 2194 2195 if (end - ptr < sizeof(tr) + 4) 2196 break; 2197 2198 switch (w->type) { 2199 case BINDER_WORK_TRANSACTION: { 2200 t = container_of(w, struct binder_transaction, work); 2201 } break; 2202 case BINDER_WORK_TRANSACTION_COMPLETE: { 2203 cmd = BR_TRANSACTION_COMPLETE; 2204 if (put_user(cmd, (uint32_t __user *)ptr)) 2205 return -EFAULT; 2206 ptr += sizeof(uint32_t); 2207 2208 binder_stat_br(proc, thread, cmd); 2209 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION_COMPLETE) 2210 printk(KERN_INFO "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2211 proc->pid, thread->pid); 2212 2213 list_del(&w->entry); 2214 kfree(w); 2215 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2216 } break; 2217 case BINDER_WORK_NODE: { 2218 struct binder_node *node = container_of(w, struct binder_node, work); 2219 uint32_t cmd = BR_NOOP; 2220 const char *cmd_name; 2221 int strong = node->internal_strong_refs || node->local_strong_refs; 2222 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2223 if (weak && !node->has_weak_ref) { 2224 cmd = BR_INCREFS; 2225 cmd_name = "BR_INCREFS"; 2226 node->has_weak_ref = 1; 2227 node->pending_weak_ref = 1; 2228 node->local_weak_refs++; 2229 } else if (strong && !node->has_strong_ref) { 2230 cmd = BR_ACQUIRE; 2231 cmd_name = "BR_ACQUIRE"; 2232 node->has_strong_ref = 1; 2233 node->pending_strong_ref = 1; 2234 node->local_strong_refs++; 2235 } else if (!strong && node->has_strong_ref) { 2236 cmd = BR_RELEASE; 2237 cmd_name = "BR_RELEASE"; 2238 node->has_strong_ref = 0; 2239 } else if (!weak && node->has_weak_ref) { 2240 cmd = BR_DECREFS; 2241 cmd_name = "BR_DECREFS"; 2242 node->has_weak_ref = 0; 2243 } 2244 if (cmd != BR_NOOP) { 2245 if (put_user(cmd, (uint32_t __user *)ptr)) 2246 return -EFAULT; 2247 ptr += sizeof(uint32_t); 2248 if (put_user(node->ptr, (void * __user *)ptr)) 2249 return -EFAULT; 2250 ptr += sizeof(void *); 2251 if (put_user(node->cookie, (void * __user *)ptr)) 2252 return -EFAULT; 2253 ptr += sizeof(void *); 2254 2255 binder_stat_br(proc, thread, cmd); 2256 if (binder_debug_mask & BINDER_DEBUG_USER_REFS) 2257 printk(KERN_INFO "binder: %d:%d %s %d u%p c%p\n", 2258 proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2259 } else { 2260 list_del_init(&w->entry); 2261 if (!weak && !strong) { 2262 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 2263 printk(KERN_INFO "binder: %d:%d node %d u%p c%p deleted\n", 2264 proc->pid, thread->pid, node->debug_id, node->ptr, node->cookie); 2265 rb_erase(&node->rb_node, &proc->nodes); 2266 kfree(node); 2267 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2268 } else { 2269 if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS) 2270 printk(KERN_INFO "binder: %d:%d node %d u%p c%p state unchanged\n", 2271 proc->pid, thread->pid, node->debug_id, node->ptr, node->cookie); 2272 } 2273 } 2274 } break; 2275 case BINDER_WORK_DEAD_BINDER: 2276 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2277 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2278 struct binder_ref_death *death = container_of(w, struct binder_ref_death, work); 2279 uint32_t cmd; 2280 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2281 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2282 else 2283 cmd = BR_DEAD_BINDER; 2284 if (put_user(cmd, (uint32_t __user *)ptr)) 2285 return -EFAULT; 2286 ptr += sizeof(uint32_t); 2287 if (put_user(death->cookie, (void * __user *)ptr)) 2288 return -EFAULT; 2289 ptr += sizeof(void *); 2290 if (binder_debug_mask & BINDER_DEBUG_DEATH_NOTIFICATION) 2291 printk(KERN_INFO "binder: %d:%d %s %p\n", 2292 proc->pid, thread->pid, 2293 cmd == BR_DEAD_BINDER ? 2294 "BR_DEAD_BINDER" : 2295 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2296 death->cookie); 2297 2298 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2299 list_del(&w->entry); 2300 kfree(death); 2301 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 2302 } else 2303 list_move(&w->entry, &proc->delivered_death); 2304 if (cmd == BR_DEAD_BINDER) 2305 goto done; /* DEAD_BINDER notifications can cause transactions */ 2306 } break; 2307 } 2308 2309 if (!t) 2310 continue; 2311 2312 BUG_ON(t->buffer == NULL); 2313 if (t->buffer->target_node) { 2314 struct binder_node *target_node = t->buffer->target_node; 2315 tr.target.ptr = target_node->ptr; 2316 tr.cookie = target_node->cookie; 2317 t->saved_priority = task_nice(current); 2318 if (t->priority < target_node->min_priority && 2319 !(t->flags & TF_ONE_WAY)) 2320 binder_set_nice(t->priority); 2321 else if (!(t->flags & TF_ONE_WAY) || 2322 t->saved_priority > target_node->min_priority) 2323 binder_set_nice(target_node->min_priority); 2324 cmd = BR_TRANSACTION; 2325 } else { 2326 tr.target.ptr = NULL; 2327 tr.cookie = NULL; 2328 cmd = BR_REPLY; 2329 } 2330 tr.code = t->code; 2331 tr.flags = t->flags; 2332 tr.sender_euid = t->sender_euid; 2333 2334 if (t->from) { 2335 struct task_struct *sender = t->from->proc->tsk; 2336 tr.sender_pid = task_tgid_nr_ns(sender, current->nsproxy->pid_ns); 2337 } else { 2338 tr.sender_pid = 0; 2339 } 2340 2341 tr.data_size = t->buffer->data_size; 2342 tr.offsets_size = t->buffer->offsets_size; 2343 tr.data.ptr.buffer = (void *)((void *)t->buffer->data + proc->user_buffer_offset); 2344 tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *)); 2345 2346 if (put_user(cmd, (uint32_t __user *)ptr)) 2347 return -EFAULT; 2348 ptr += sizeof(uint32_t); 2349 if (copy_to_user(ptr, &tr, sizeof(tr))) 2350 return -EFAULT; 2351 ptr += sizeof(tr); 2352 2353 binder_stat_br(proc, thread, cmd); 2354 if (binder_debug_mask & BINDER_DEBUG_TRANSACTION) 2355 printk(KERN_INFO "binder: %d:%d %s %d %d:%d, cmd %d" 2356 "size %zd-%zd ptr %p-%p\n", 2357 proc->pid, thread->pid, 2358 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : "BR_REPLY", 2359 t->debug_id, t->from ? t->from->proc->pid : 0, 2360 t->from ? t->from->pid : 0, cmd, 2361 t->buffer->data_size, t->buffer->offsets_size, 2362 tr.data.ptr.buffer, tr.data.ptr.offsets); 2363 2364 list_del(&t->work.entry); 2365 t->buffer->allow_user_free = 1; 2366 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2367 t->to_parent = thread->transaction_stack; 2368 t->to_thread = thread; 2369 thread->transaction_stack = t; 2370 } else { 2371 t->buffer->transaction = NULL; 2372 kfree(t); 2373 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 2374 } 2375 break; 2376 } 2377 2378done: 2379 2380 *consumed = ptr - buffer; 2381 if (proc->requested_threads + proc->ready_threads == 0 && 2382 proc->requested_threads_started < proc->max_threads && 2383 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2384 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2385 /*spawn a new thread if we leave this out */) { 2386 proc->requested_threads++; 2387 if (binder_debug_mask & BINDER_DEBUG_THREADS) 2388 printk(KERN_INFO "binder: %d:%d BR_SPAWN_LOOPER\n", 2389 proc->pid, thread->pid); 2390 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2391 return -EFAULT; 2392 } 2393 return 0; 2394} 2395 2396static void binder_release_work(struct list_head *list) 2397{ 2398 struct binder_work *w; 2399 while (!list_empty(list)) { 2400 w = list_first_entry(list, struct binder_work, entry); 2401 list_del_init(&w->entry); 2402 switch (w->type) { 2403 case BINDER_WORK_TRANSACTION: { 2404 struct binder_transaction *t = container_of(w, struct binder_transaction, work); 2405 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2406 binder_send_failed_reply(t, BR_DEAD_REPLY); 2407 } break; 2408 case BINDER_WORK_TRANSACTION_COMPLETE: { 2409 kfree(w); 2410 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2411 } break; 2412 default: 2413 break; 2414 } 2415 } 2416 2417} 2418 2419static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2420{ 2421 struct binder_thread *thread = NULL; 2422 struct rb_node *parent = NULL; 2423 struct rb_node **p = &proc->threads.rb_node; 2424 2425 while (*p) { 2426 parent = *p; 2427 thread = rb_entry(parent, struct binder_thread, rb_node); 2428 2429 if (current->pid < thread->pid) 2430 p = &(*p)->rb_left; 2431 else if (current->pid > thread->pid) 2432 p = &(*p)->rb_right; 2433 else 2434 break; 2435 } 2436 if (*p == NULL) { 2437 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2438 if (thread == NULL) 2439 return NULL; 2440 binder_stats.obj_created[BINDER_STAT_THREAD]++; 2441 thread->proc = proc; 2442 thread->pid = current->pid; 2443 init_waitqueue_head(&thread->wait); 2444 INIT_LIST_HEAD(&thread->todo); 2445 rb_link_node(&thread->rb_node, parent, p); 2446 rb_insert_color(&thread->rb_node, &proc->threads); 2447 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2448 thread->return_error = BR_OK; 2449 thread->return_error2 = BR_OK; 2450 } 2451 return thread; 2452} 2453 2454static int binder_free_thread(struct binder_proc *proc, struct binder_thread *thread) 2455{ 2456 struct binder_transaction *t; 2457 struct binder_transaction *send_reply = NULL; 2458 int active_transactions = 0; 2459 2460 rb_erase(&thread->rb_node, &proc->threads); 2461 t = thread->transaction_stack; 2462 if (t && t->to_thread == thread) 2463 send_reply = t; 2464 while (t) { 2465 active_transactions++; 2466 if (binder_debug_mask & BINDER_DEBUG_DEAD_TRANSACTION) 2467 printk(KERN_INFO "binder: release %d:%d transaction %d %s, still active\n", 2468 proc->pid, thread->pid, t->debug_id, (t->to_thread == thread) ? "in" : "out"); 2469 if (t->to_thread == thread) { 2470 t->to_proc = NULL; 2471 t->to_thread = NULL; 2472 if (t->buffer) { 2473 t->buffer->transaction = NULL; 2474 t->buffer = NULL; 2475 } 2476 t = t->to_parent; 2477 } else if (t->from == thread) { 2478 t->from = NULL; 2479 t = t->from_parent; 2480 } else 2481 BUG(); 2482 } 2483 if (send_reply) 2484 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2485 binder_release_work(&thread->todo); 2486 kfree(thread); 2487 binder_stats.obj_deleted[BINDER_STAT_THREAD]++; 2488 return active_transactions; 2489} 2490 2491static unsigned int binder_poll(struct file *filp, struct poll_table_struct *wait) 2492{ 2493 struct binder_proc *proc = filp->private_data; 2494 struct binder_thread *thread = NULL; 2495 int wait_for_proc_work; 2496 2497 mutex_lock(&binder_lock); 2498 thread = binder_get_thread(proc); 2499 2500 wait_for_proc_work = thread->transaction_stack == NULL && 2501 list_empty(&thread->todo) && thread->return_error == BR_OK; 2502 mutex_unlock(&binder_lock); 2503 2504 if (wait_for_proc_work) { 2505 if (binder_has_proc_work(proc, thread)) 2506 return POLLIN; 2507 poll_wait(filp, &proc->wait, wait); 2508 if (binder_has_proc_work(proc, thread)) 2509 return POLLIN; 2510 } else { 2511 if (binder_has_thread_work(thread)) 2512 return POLLIN; 2513 poll_wait(filp, &thread->wait, wait); 2514 if (binder_has_thread_work(thread)) 2515 return POLLIN; 2516 } 2517 return 0; 2518} 2519 2520static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2521{ 2522 int ret; 2523 struct binder_proc *proc = filp->private_data; 2524 struct binder_thread *thread; 2525 unsigned int size = _IOC_SIZE(cmd); 2526 void __user *ubuf = (void __user *)arg; 2527 2528 /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2529 2530 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2531 if (ret) 2532 return ret; 2533 2534 mutex_lock(&binder_lock); 2535 thread = binder_get_thread(proc); 2536 if (thread == NULL) { 2537 ret = -ENOMEM; 2538 goto err; 2539 } 2540 2541 switch (cmd) { 2542 case BINDER_WRITE_READ: { 2543 struct binder_write_read bwr; 2544 if (size != sizeof(struct binder_write_read)) { 2545 ret = -EINVAL; 2546 goto err; 2547 } 2548 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2549 ret = -EFAULT; 2550 goto err; 2551 } 2552 if (binder_debug_mask & BINDER_DEBUG_READ_WRITE) 2553 printk(KERN_INFO "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2554 proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer); 2555 if (bwr.write_size > 0) { 2556 ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2557 if (ret < 0) { 2558 bwr.read_consumed = 0; 2559 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2560 ret = -EFAULT; 2561 goto err; 2562 } 2563 } 2564 if (bwr.read_size > 0) { 2565 ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2566 if (!list_empty(&proc->todo)) 2567 wake_up_interruptible(&proc->wait); 2568 if (ret < 0) { 2569 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2570 ret = -EFAULT; 2571 goto err; 2572 } 2573 } 2574 if (binder_debug_mask & BINDER_DEBUG_READ_WRITE) 2575 printk(KERN_INFO "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2576 proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size); 2577 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2578 ret = -EFAULT; 2579 goto err; 2580 } 2581 break; 2582 } 2583 case BINDER_SET_MAX_THREADS: 2584 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2585 ret = -EINVAL; 2586 goto err; 2587 } 2588 break; 2589 case BINDER_SET_CONTEXT_MGR: 2590 if (binder_context_mgr_node != NULL) { 2591 printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n"); 2592 ret = -EBUSY; 2593 goto err; 2594 } 2595 if (binder_context_mgr_uid != -1) { 2596 if (binder_context_mgr_uid != current->cred->euid) { 2597 printk(KERN_ERR "binder: BINDER_SET_" 2598 "CONTEXT_MGR bad uid %d != %d\n", 2599 current->cred->euid, 2600 binder_context_mgr_uid); 2601 ret = -EPERM; 2602 goto err; 2603 } 2604 } else 2605 binder_context_mgr_uid = current->cred->euid; 2606 binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2607 if (binder_context_mgr_node == NULL) { 2608 ret = -ENOMEM; 2609 goto err; 2610 } 2611 binder_context_mgr_node->local_weak_refs++; 2612 binder_context_mgr_node->local_strong_refs++; 2613 binder_context_mgr_node->has_strong_ref = 1; 2614 binder_context_mgr_node->has_weak_ref = 1; 2615 break; 2616 case BINDER_THREAD_EXIT: 2617 if (binder_debug_mask & BINDER_DEBUG_THREADS) 2618 printk(KERN_INFO "binder: %d:%d exit\n", 2619 proc->pid, thread->pid); 2620 binder_free_thread(proc, thread); 2621 thread = NULL; 2622 break; 2623 case BINDER_VERSION: 2624 if (size != sizeof(struct binder_version)) { 2625 ret = -EINVAL; 2626 goto err; 2627 } 2628 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2629 ret = -EINVAL; 2630 goto err; 2631 } 2632 break; 2633 default: 2634 ret = -EINVAL; 2635 goto err; 2636 } 2637 ret = 0; 2638err: 2639 if (thread) 2640 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2641 mutex_unlock(&binder_lock); 2642 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2643 if (ret && ret != -ERESTARTSYS) 2644 printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2645 return ret; 2646} 2647 2648static void binder_vma_open(struct vm_area_struct *vma) 2649{ 2650 struct binder_proc *proc = vma->vm_private_data; 2651 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2652 printk(KERN_INFO "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", proc->pid, vma->vm_start, vma->vm_end, (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, vma->vm_page_prot); 2653 dump_stack(); 2654} 2655static void binder_vma_close(struct vm_area_struct *vma) 2656{ 2657 struct binder_proc *proc = vma->vm_private_data; 2658 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2659 printk(KERN_INFO "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", proc->pid, vma->vm_start, vma->vm_end, (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, vma->vm_page_prot); 2660 proc->vma = NULL; 2661} 2662 2663static struct vm_operations_struct binder_vm_ops = { 2664 .open = binder_vma_open, 2665 .close = binder_vma_close, 2666}; 2667 2668static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2669{ 2670 int ret; 2671 struct vm_struct *area; 2672 struct binder_proc *proc = filp->private_data; 2673 const char *failure_string; 2674 struct binder_buffer *buffer; 2675 2676 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2677 vma->vm_end = vma->vm_start + SZ_4M; 2678 2679 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2680 printk(KERN_INFO "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", proc->pid, vma->vm_start, vma->vm_end, (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, vma->vm_page_prot); 2681 2682 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2683 ret = -EPERM; 2684 failure_string = "bad vm_flags"; 2685 goto err_bad_arg; 2686 } 2687 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2688 2689 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2690 if (area == NULL) { 2691 ret = -ENOMEM; 2692 failure_string = "get_vm_area"; 2693 goto err_get_vm_area_failed; 2694 } 2695 proc->buffer = area->addr; 2696 proc->user_buffer_offset = vma->vm_start - (size_t)proc->buffer; 2697 2698#ifdef CONFIG_CPU_CACHE_VIPT 2699 if (cache_is_vipt_aliasing()) { 2700 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2701 printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2702 vma->vm_start += PAGE_SIZE; 2703 } 2704 } 2705#endif 2706 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2707 if (proc->pages == NULL) { 2708 ret = -ENOMEM; 2709 failure_string = "alloc page array"; 2710 goto err_alloc_pages_failed; 2711 } 2712 proc->buffer_size = vma->vm_end - vma->vm_start; 2713 2714 vma->vm_ops = &binder_vm_ops; 2715 vma->vm_private_data = proc; 2716 2717 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2718 ret = -ENOMEM; 2719 failure_string = "alloc small buf"; 2720 goto err_alloc_small_buf_failed; 2721 } 2722 buffer = proc->buffer; 2723 INIT_LIST_HEAD(&proc->buffers); 2724 list_add(&buffer->entry, &proc->buffers); 2725 buffer->free = 1; 2726 binder_insert_free_buffer(proc, buffer); 2727 proc->free_async_space = proc->buffer_size / 2; 2728 barrier(); 2729 proc->vma = vma; 2730 2731 /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2732 return 0; 2733 2734err_alloc_small_buf_failed: 2735 kfree(proc->pages); 2736err_alloc_pages_failed: 2737 vfree(proc->buffer); 2738err_get_vm_area_failed: 2739 mutex_unlock(&binder_lock); 2740err_bad_arg: 2741 printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2742 return ret; 2743} 2744 2745static int binder_open(struct inode *nodp, struct file *filp) 2746{ 2747 struct binder_proc *proc; 2748 2749 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2750 printk(KERN_INFO "binder_open: %d:%d\n", current->group_leader->pid, current->pid); 2751 2752 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2753 if (proc == NULL) 2754 return -ENOMEM; 2755 get_task_struct(current); 2756 proc->tsk = current; 2757 INIT_LIST_HEAD(&proc->todo); 2758 init_waitqueue_head(&proc->wait); 2759 proc->default_priority = task_nice(current); 2760 mutex_lock(&binder_lock); 2761 binder_stats.obj_created[BINDER_STAT_PROC]++; 2762 hlist_add_head(&proc->proc_node, &binder_procs); 2763 proc->pid = current->group_leader->pid; 2764 INIT_LIST_HEAD(&proc->delivered_death); 2765 filp->private_data = proc; 2766 mutex_unlock(&binder_lock); 2767 2768 if (binder_proc_dir_entry_proc) { 2769 char strbuf[11]; 2770 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2771 create_proc_read_entry(strbuf, S_IRUGO, binder_proc_dir_entry_proc, binder_read_proc_proc, proc); 2772 } 2773 2774 return 0; 2775} 2776 2777static int binder_flush(struct file *filp, fl_owner_t id) 2778{ 2779 struct rb_node *n; 2780 struct binder_proc *proc = filp->private_data; 2781 int wake_count = 0; 2782 2783 mutex_lock(&binder_lock); 2784 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2785 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2786 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2787 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2788 wake_up_interruptible(&thread->wait); 2789 wake_count++; 2790 } 2791 } 2792 wake_up_interruptible_all(&proc->wait); 2793 mutex_unlock(&binder_lock); 2794 2795 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2796 printk(KERN_INFO "binder_flush: %d woke %d threads\n", proc->pid, wake_count); 2797 2798 return 0; 2799} 2800 2801static int binder_release(struct inode *nodp, struct file *filp) 2802{ 2803 struct hlist_node *pos; 2804 struct binder_transaction *t; 2805 struct rb_node *n; 2806 struct binder_proc *proc = filp->private_data; 2807 int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2808 2809 if (binder_proc_dir_entry_proc) { 2810 char strbuf[11]; 2811 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2812 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2813 } 2814 mutex_lock(&binder_lock); 2815 hlist_del(&proc->proc_node); 2816 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2817 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2818 printk(KERN_INFO "binder_release: %d context_mgr_node gone\n", proc->pid); 2819 binder_context_mgr_node = NULL; 2820 } 2821 2822 threads = 0; 2823 active_transactions = 0; 2824 while ((n = rb_first(&proc->threads))) { 2825 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2826 threads++; 2827 active_transactions += binder_free_thread(proc, thread); 2828 } 2829 nodes = 0; 2830 incoming_refs = 0; 2831 while ((n = rb_first(&proc->nodes))) { 2832 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2833 2834 nodes++; 2835 rb_erase(&node->rb_node, &proc->nodes); 2836 list_del_init(&node->work.entry); 2837 if (hlist_empty(&node->refs)) { 2838 kfree(node); 2839 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2840 } else { 2841 struct binder_ref *ref; 2842 int death = 0; 2843 2844 node->proc = NULL; 2845 node->local_strong_refs = 0; 2846 node->local_weak_refs = 0; 2847 hlist_add_head(&node->dead_node, &binder_dead_nodes); 2848 2849 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 2850 incoming_refs++; 2851 if (ref->death) { 2852 death++; 2853 if (list_empty(&ref->death->work.entry)) { 2854 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2855 list_add_tail(&ref->death->work.entry, &ref->proc->todo); 2856 wake_up_interruptible(&ref->proc->wait); 2857 } else 2858 BUG(); 2859 } 2860 } 2861 if (binder_debug_mask & BINDER_DEBUG_DEAD_BINDER) 2862 printk(KERN_INFO "binder: node %d now dead, refs %d, death %d\n", node->debug_id, incoming_refs, death); 2863 } 2864 } 2865 outgoing_refs = 0; 2866 while ((n = rb_first(&proc->refs_by_desc))) { 2867 struct binder_ref *ref = rb_entry(n, struct binder_ref, rb_node_desc); 2868 outgoing_refs++; 2869 binder_delete_ref(ref); 2870 } 2871 binder_release_work(&proc->todo); 2872 buffers = 0; 2873 2874 while ((n = rb_first(&proc->allocated_buffers))) { 2875 struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, rb_node); 2876 t = buffer->transaction; 2877 if (t) { 2878 t->buffer = NULL; 2879 buffer->transaction = NULL; 2880 printk(KERN_ERR "binder: release proc %d, transaction %d, not freed\n", proc->pid, t->debug_id); 2881 /*BUG();*/ 2882 } 2883 binder_free_buf(proc, buffer); 2884 buffers++; 2885 } 2886 2887 binder_stats.obj_deleted[BINDER_STAT_PROC]++; 2888 mutex_unlock(&binder_lock); 2889 2890 page_count = 0; 2891 if (proc->pages) { 2892 int i; 2893 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 2894 if (proc->pages[i]) { 2895 if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC) 2896 printk(KERN_INFO "binder_release: %d: page %d at %p not freed\n", proc->pid, i, proc->buffer + i * PAGE_SIZE); 2897 __free_page(proc->pages[i]); 2898 page_count++; 2899 } 2900 } 2901 kfree(proc->pages); 2902 vfree(proc->buffer); 2903 } 2904 2905 put_task_struct(proc->tsk); 2906 2907 if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE) 2908 printk(KERN_INFO "binder_release: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d, buffers %d, pages %d\n", 2909 proc->pid, threads, nodes, incoming_refs, outgoing_refs, active_transactions, buffers, page_count); 2910 2911 kfree(proc); 2912 return 0; 2913} 2914 2915static char *print_binder_transaction(char *buf, char *end, const char *prefix, struct binder_transaction *t) 2916{ 2917 buf += snprintf(buf, end - buf, "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", 2918 prefix, t->debug_id, t, t->from ? t->from->proc->pid : 0, 2919 t->from ? t->from->pid : 0, 2920 t->to_proc ? t->to_proc->pid : 0, 2921 t->to_thread ? t->to_thread->pid : 0, 2922 t->code, t->flags, t->priority, t->need_reply); 2923 if (buf >= end) 2924 return buf; 2925 if (t->buffer == NULL) { 2926 buf += snprintf(buf, end - buf, " buffer free\n"); 2927 return buf; 2928 } 2929 if (t->buffer->target_node) { 2930 buf += snprintf(buf, end - buf, " node %d", 2931 t->buffer->target_node->debug_id); 2932 if (buf >= end) 2933 return buf; 2934 } 2935 buf += snprintf(buf, end - buf, " size %zd:%zd data %p\n", 2936 t->buffer->data_size, t->buffer->offsets_size, 2937 t->buffer->data); 2938 return buf; 2939} 2940 2941static char *print_binder_buffer(char *buf, char *end, const char *prefix, struct binder_buffer *buffer) 2942{ 2943 buf += snprintf(buf, end - buf, "%s %d: %p size %zd:%zd %s\n", 2944 prefix, buffer->debug_id, buffer->data, 2945 buffer->data_size, buffer->offsets_size, 2946 buffer->transaction ? "active" : "delivered"); 2947 return buf; 2948} 2949 2950static char *print_binder_work(char *buf, char *end, const char *prefix, 2951 const char *transaction_prefix, struct binder_work *w) 2952{ 2953 struct binder_node *node; 2954 struct binder_transaction *t; 2955 2956 switch (w->type) { 2957 case BINDER_WORK_TRANSACTION: 2958 t = container_of(w, struct binder_transaction, work); 2959 buf = print_binder_transaction(buf, end, transaction_prefix, t); 2960 break; 2961 case BINDER_WORK_TRANSACTION_COMPLETE: 2962 buf += snprintf(buf, end - buf, 2963 "%stransaction complete\n", prefix); 2964 break; 2965 case BINDER_WORK_NODE: 2966 node = container_of(w, struct binder_node, work); 2967 buf += snprintf(buf, end - buf, "%snode work %d: u%p c%p\n", 2968 prefix, node->debug_id, node->ptr, node->cookie); 2969 break; 2970 case BINDER_WORK_DEAD_BINDER: 2971 buf += snprintf(buf, end - buf, "%shas dead binder\n", prefix); 2972 break; 2973 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2974 buf += snprintf(buf, end - buf, 2975 "%shas cleared dead binder\n", prefix); 2976 break; 2977 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 2978 buf += snprintf(buf, end - buf, 2979 "%shas cleared death notification\n", prefix); 2980 break; 2981 default: 2982 buf += snprintf(buf, end - buf, "%sunknown work: type %d\n", 2983 prefix, w->type); 2984 break; 2985 } 2986 return buf; 2987} 2988 2989static char *print_binder_thread(char *buf, char *end, struct binder_thread *thread, int print_always) 2990{ 2991 struct binder_transaction *t; 2992 struct binder_work *w; 2993 char *start_buf = buf; 2994 char *header_buf; 2995 2996 buf += snprintf(buf, end - buf, " thread %d: l %02x\n", thread->pid, thread->looper); 2997 header_buf = buf; 2998 t = thread->transaction_stack; 2999 while (t) { 3000 if (buf >= end) 3001 break; 3002 if (t->from == thread) { 3003 buf = print_binder_transaction(buf, end, " outgoing transaction", t); 3004 t = t->from_parent; 3005 } else if (t->to_thread == thread) { 3006 buf = print_binder_transaction(buf, end, " incoming transaction", t); 3007 t = t->to_parent; 3008 } else { 3009 buf = print_binder_transaction(buf, end, " bad transaction", t); 3010 t = NULL; 3011 } 3012 } 3013 list_for_each_entry(w, &thread->todo, entry) { 3014 if (buf >= end) 3015 break; 3016 buf = print_binder_work(buf, end, " ", 3017 " pending transaction", w); 3018 } 3019 if (!print_always && buf == header_buf) 3020 buf = start_buf; 3021 return buf; 3022} 3023 3024static char *print_binder_node(char *buf, char *end, struct binder_node *node) 3025{ 3026 struct binder_ref *ref; 3027 struct hlist_node *pos; 3028 struct binder_work *w; 3029 int count; 3030 count = 0; 3031 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3032 count++; 3033 3034 buf += snprintf(buf, end - buf, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d", 3035 node->debug_id, node->ptr, node->cookie, 3036 node->has_strong_ref, node->has_weak_ref, 3037 node->local_strong_refs, node->local_weak_refs, 3038 node->internal_strong_refs, count); 3039 if (buf >= end) 3040 return buf; 3041 if (count) { 3042 buf += snprintf(buf, end - buf, " proc"); 3043 if (buf >= end) 3044 return buf; 3045 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 3046 buf += snprintf(buf, end - buf, " %d", ref->proc->pid); 3047 if (buf >= end) 3048 return buf; 3049 } 3050 } 3051 buf += snprintf(buf, end - buf, "\n"); 3052 list_for_each_entry(w, &node->async_todo, entry) { 3053 if (buf >= end) 3054 break; 3055 buf = print_binder_work(buf, end, " ", 3056 " pending async transaction", w); 3057 } 3058 return buf; 3059} 3060 3061static char *print_binder_ref(char *buf, char *end, struct binder_ref *ref) 3062{ 3063 buf += snprintf(buf, end - buf, " ref %d: desc %d %snode %d s %d w %d d %p\n", 3064 ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ", 3065 ref->node->debug_id, ref->strong, ref->weak, ref->death); 3066 return buf; 3067} 3068 3069static char *print_binder_proc(char *buf, char *end, struct binder_proc *proc, int print_all) 3070{ 3071 struct binder_work *w; 3072 struct rb_node *n; 3073 char *start_buf = buf; 3074 char *header_buf; 3075 3076 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3077 header_buf = buf; 3078 3079 for (n = rb_first(&proc->threads); n != NULL && buf < end; n = rb_next(n)) 3080 buf = print_binder_thread(buf, end, rb_entry(n, struct binder_thread, rb_node), print_all); 3081 for (n = rb_first(&proc->nodes); n != NULL && buf < end; n = rb_next(n)) { 3082 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 3083 if (print_all || node->has_async_transaction) 3084 buf = print_binder_node(buf, end, node); 3085 } 3086 if (print_all) { 3087 for (n = rb_first(&proc->refs_by_desc); n != NULL && buf < end; n = rb_next(n)) 3088 buf = print_binder_ref(buf, end, rb_entry(n, struct binder_ref, rb_node_desc)); 3089 } 3090 for (n = rb_first(&proc->allocated_buffers); n != NULL && buf < end; n = rb_next(n)) 3091 buf = print_binder_buffer(buf, end, " buffer", rb_entry(n, struct binder_buffer, rb_node)); 3092 list_for_each_entry(w, &proc->todo, entry) { 3093 if (buf >= end) 3094 break; 3095 buf = print_binder_work(buf, end, " ", 3096 " pending transaction", w); 3097 } 3098 list_for_each_entry(w, &proc->delivered_death, entry) { 3099 if (buf >= end) 3100 break; 3101 buf += snprintf(buf, end - buf, " has delivered dead binder\n"); 3102 break; 3103 } 3104 if (!print_all && buf == header_buf) 3105 buf = start_buf; 3106 return buf; 3107} 3108 3109static const char *binder_return_strings[] = { 3110 "BR_ERROR", 3111 "BR_OK", 3112 "BR_TRANSACTION", 3113 "BR_REPLY", 3114 "BR_ACQUIRE_RESULT", 3115 "BR_DEAD_REPLY", 3116 "BR_TRANSACTION_COMPLETE", 3117 "BR_INCREFS", 3118 "BR_ACQUIRE", 3119 "BR_RELEASE", 3120 "BR_DECREFS", 3121 "BR_ATTEMPT_ACQUIRE", 3122 "BR_NOOP", 3123 "BR_SPAWN_LOOPER", 3124 "BR_FINISHED", 3125 "BR_DEAD_BINDER", 3126 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3127 "BR_FAILED_REPLY" 3128}; 3129 3130static const char *binder_command_strings[] = { 3131 "BC_TRANSACTION", 3132 "BC_REPLY", 3133 "BC_ACQUIRE_RESULT", 3134 "BC_FREE_BUFFER", 3135 "BC_INCREFS", 3136 "BC_ACQUIRE", 3137 "BC_RELEASE", 3138 "BC_DECREFS", 3139 "BC_INCREFS_DONE", 3140 "BC_ACQUIRE_DONE", 3141 "BC_ATTEMPT_ACQUIRE", 3142 "BC_REGISTER_LOOPER", 3143 "BC_ENTER_LOOPER", 3144 "BC_EXIT_LOOPER", 3145 "BC_REQUEST_DEATH_NOTIFICATION", 3146 "BC_CLEAR_DEATH_NOTIFICATION", 3147 "BC_DEAD_BINDER_DONE" 3148}; 3149 3150static const char *binder_objstat_strings[] = { 3151 "proc", 3152 "thread", 3153 "node", 3154 "ref", 3155 "death", 3156 "transaction", 3157 "transaction_complete" 3158}; 3159 3160static char *print_binder_stats(char *buf, char *end, const char *prefix, struct binder_stats *stats) 3161{ 3162 int i; 3163 3164 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != ARRAY_SIZE(binder_command_strings)); 3165 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3166 if (stats->bc[i]) 3167 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3168 binder_command_strings[i], stats->bc[i]); 3169 if (buf >= end) 3170 return buf; 3171 } 3172 3173 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != ARRAY_SIZE(binder_return_strings)); 3174 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3175 if (stats->br[i]) 3176 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3177 binder_return_strings[i], stats->br[i]); 3178 if (buf >= end) 3179 return buf; 3180 } 3181 3182 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != ARRAY_SIZE(binder_objstat_strings)); 3183 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != ARRAY_SIZE(stats->obj_deleted)); 3184 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3185 if (stats->obj_created[i] || stats->obj_deleted[i]) 3186 buf += snprintf(buf, end - buf, "%s%s: active %d total %d\n", prefix, 3187 binder_objstat_strings[i], 3188 stats->obj_created[i] - stats->obj_deleted[i], 3189 stats->obj_created[i]); 3190 if (buf >= end) 3191 return buf; 3192 } 3193 return buf; 3194} 3195 3196static char *print_binder_proc_stats(char *buf, char *end, struct binder_proc *proc) 3197{ 3198 struct binder_work *w; 3199 struct rb_node *n; 3200 int count, strong, weak; 3201 3202 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3203 if (buf >= end) 3204 return buf; 3205 count = 0; 3206 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3207 count++; 3208 buf += snprintf(buf, end - buf, " threads: %d\n", count); 3209 if (buf >= end) 3210 return buf; 3211 buf += snprintf(buf, end - buf, " requested threads: %d+%d/%d\n" 3212 " ready threads %d\n" 3213 " free async space %zd\n", proc->requested_threads, 3214 proc->requested_threads_started, proc->max_threads, 3215 proc->ready_threads, proc->free_async_space); 3216 if (buf >= end) 3217 return buf; 3218 count = 0; 3219 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3220 count++; 3221 buf += snprintf(buf, end - buf, " nodes: %d\n", count); 3222 if (buf >= end) 3223 return buf; 3224 count = 0; 3225 strong = 0; 3226 weak = 0; 3227 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3228 struct binder_ref *ref = rb_entry(n, struct binder_ref, rb_node_desc); 3229 count++; 3230 strong += ref->strong; 3231 weak += ref->weak; 3232 } 3233 buf += snprintf(buf, end - buf, " refs: %d s %d w %d\n", count, strong, weak); 3234 if (buf >= end) 3235 return buf; 3236 3237 count = 0; 3238 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3239 count++; 3240 buf += snprintf(buf, end - buf, " buffers: %d\n", count); 3241 if (buf >= end) 3242 return buf; 3243 3244 count = 0; 3245 list_for_each_entry(w, &proc->todo, entry) { 3246 switch (w->type) { 3247 case BINDER_WORK_TRANSACTION: 3248 count++; 3249 break; 3250 default: 3251 break; 3252 } 3253 } 3254 buf += snprintf(buf, end - buf, " pending transactions: %d\n", count); 3255 if (buf >= end) 3256 return buf; 3257 3258 buf = print_binder_stats(buf, end, " ", &proc->stats); 3259 3260 return buf; 3261} 3262 3263 3264static int binder_read_proc_state( 3265 char *page, char **start, off_t off, int count, int *eof, void *data) 3266{ 3267 struct binder_proc *proc; 3268 struct hlist_node *pos; 3269 struct binder_node *node; 3270 int len = 0; 3271 char *buf = page; 3272 char *end = page + PAGE_SIZE; 3273 int do_lock = !binder_debug_no_lock; 3274 3275 if (off) 3276 return 0; 3277 3278 if (do_lock) 3279 mutex_lock(&binder_lock); 3280 3281 buf += snprintf(buf, end - buf, "binder state:\n"); 3282 3283 if (!hlist_empty(&binder_dead_nodes)) 3284 buf += snprintf(buf, end - buf, "dead nodes:\n"); 3285 hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) { 3286 if (buf >= end) 3287 break; 3288 buf = print_binder_node(buf, end, node); 3289 } 3290 3291 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3292 if (buf >= end) 3293 break; 3294 buf = print_binder_proc(buf, end, proc, 1); 3295 } 3296 if (do_lock) 3297 mutex_unlock(&binder_lock); 3298 if (buf > page + PAGE_SIZE) 3299 buf = page + PAGE_SIZE; 3300 3301 *start = page + off; 3302 3303 len = buf - page; 3304 if (len > off) 3305 len -= off; 3306 else 3307 len = 0; 3308 3309 return len < count ? len : count; 3310} 3311 3312static int binder_read_proc_stats( 3313 char *page, char **start, off_t off, int count, int *eof, void *data) 3314{ 3315 struct binder_proc *proc; 3316 struct hlist_node *pos; 3317 int len = 0; 3318 char *p = page; 3319 int do_lock = !binder_debug_no_lock; 3320 3321 if (off) 3322 return 0; 3323 3324 if (do_lock) 3325 mutex_lock(&binder_lock); 3326 3327 p += snprintf(p, PAGE_SIZE, "binder stats:\n"); 3328 3329 p = print_binder_stats(p, page + PAGE_SIZE, "", &binder_stats); 3330 3331 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3332 if (p >= page + PAGE_SIZE) 3333 break; 3334 p = print_binder_proc_stats(p, page + PAGE_SIZE, proc); 3335 } 3336 if (do_lock) 3337 mutex_unlock(&binder_lock); 3338 if (p > page + PAGE_SIZE) 3339 p = page + PAGE_SIZE; 3340 3341 *start = page + off; 3342 3343 len = p - page; 3344 if (len > off) 3345 len -= off; 3346 else 3347 len = 0; 3348 3349 return len < count ? len : count; 3350} 3351 3352static int binder_read_proc_transactions( 3353 char *page, char **start, off_t off, int count, int *eof, void *data) 3354{ 3355 struct binder_proc *proc; 3356 struct hlist_node *pos; 3357 int len = 0; 3358 char *buf = page; 3359 char *end = page + PAGE_SIZE; 3360 int do_lock = !binder_debug_no_lock; 3361 3362 if (off) 3363 return 0; 3364 3365 if (do_lock) 3366 mutex_lock(&binder_lock); 3367 3368 buf += snprintf(buf, end - buf, "binder transactions:\n"); 3369 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3370 if (buf >= end) 3371 break; 3372 buf = print_binder_proc(buf, end, proc, 0); 3373 } 3374 if (do_lock) 3375 mutex_unlock(&binder_lock); 3376 if (buf > page + PAGE_SIZE) 3377 buf = page + PAGE_SIZE; 3378 3379 *start = page + off; 3380 3381 len = buf - page; 3382 if (len > off) 3383 len -= off; 3384 else 3385 len = 0; 3386 3387 return len < count ? len : count; 3388} 3389 3390static int binder_read_proc_proc( 3391 char *page, char **start, off_t off, int count, int *eof, void *data) 3392{ 3393 struct binder_proc *proc = data; 3394 int len = 0; 3395 char *p = page; 3396 int do_lock = !binder_debug_no_lock; 3397 3398 if (off) 3399 return 0; 3400 3401 if (do_lock) 3402 mutex_lock(&binder_lock); 3403 p += snprintf(p, PAGE_SIZE, "binder proc state:\n"); 3404 p = print_binder_proc(p, page + PAGE_SIZE, proc, 1); 3405 if (do_lock) 3406 mutex_unlock(&binder_lock); 3407 3408 if (p > page + PAGE_SIZE) 3409 p = page + PAGE_SIZE; 3410 *start = page + off; 3411 3412 len = p - page; 3413 if (len > off) 3414 len -= off; 3415 else 3416 len = 0; 3417 3418 return len < count ? len : count; 3419} 3420 3421static char *print_binder_transaction_log_entry(char *buf, char *end, struct binder_transaction_log_entry *e) 3422{ 3423 buf += snprintf(buf, end - buf, "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n", 3424 e->debug_id, (e->call_type == 2) ? "reply" : 3425 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3426 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3427 e->target_handle, e->data_size, e->offsets_size); 3428 return buf; 3429} 3430 3431static int binder_read_proc_transaction_log( 3432 char *page, char **start, off_t off, int count, int *eof, void *data) 3433{ 3434 struct binder_transaction_log *log = data; 3435 int len = 0; 3436 int i; 3437 char *buf = page; 3438 char *end = page + PAGE_SIZE; 3439 3440 if (off) 3441 return 0; 3442 3443 if (log->full) { 3444 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) { 3445 if (buf >= end) 3446 break; 3447 buf = print_binder_transaction_log_entry(buf, end, &log->entry[i]); 3448 } 3449 } 3450 for (i = 0; i < log->next; i++) { 3451 if (buf >= end) 3452 break; 3453 buf = print_binder_transaction_log_entry(buf, end, &log->entry[i]); 3454 } 3455 3456 *start = page + off; 3457 3458 len = buf - page; 3459 if (len > off) 3460 len -= off; 3461 else 3462 len = 0; 3463 3464 return len < count ? len : count; 3465} 3466 3467static struct file_operations binder_fops = { 3468 .owner = THIS_MODULE, 3469 .poll = binder_poll, 3470 .unlocked_ioctl = binder_ioctl, 3471 .mmap = binder_mmap, 3472 .open = binder_open, 3473 .flush = binder_flush, 3474 .release = binder_release, 3475}; 3476 3477static struct miscdevice binder_miscdev = { 3478 .minor = MISC_DYNAMIC_MINOR, 3479 .name = "binder", 3480 .fops = &binder_fops 3481}; 3482 3483static int __init binder_init(void) 3484{ 3485 int ret; 3486 3487 binder_proc_dir_entry_root = proc_mkdir("binder", NULL); 3488 if (binder_proc_dir_entry_root) 3489 binder_proc_dir_entry_proc = proc_mkdir("proc", binder_proc_dir_entry_root); 3490 ret = misc_register(&binder_miscdev); 3491 if (binder_proc_dir_entry_root) { 3492 create_proc_read_entry("state", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_state, NULL); 3493 create_proc_read_entry("stats", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_stats, NULL); 3494 create_proc_read_entry("transactions", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transactions, NULL); 3495 create_proc_read_entry("transaction_log", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transaction_log, &binder_transaction_log); 3496 create_proc_read_entry("failed_transaction_log", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transaction_log, &binder_transaction_log_failed); 3497 } 3498 return ret; 3499} 3500 3501device_initcall(binder_init); 3502 3503