binder.c revision dcfadfa4ec5a12404a99ad6426871a6b03a62b37
1/* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18#include <asm/cacheflush.h> 19#include <linux/fdtable.h> 20#include <linux/file.h> 21#include <linux/fs.h> 22#include <linux/list.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/mutex.h> 27#include <linux/nsproxy.h> 28#include <linux/poll.h> 29#include <linux/debugfs.h> 30#include <linux/rbtree.h> 31#include <linux/sched.h> 32#include <linux/seq_file.h> 33#include <linux/uaccess.h> 34#include <linux/vmalloc.h> 35#include <linux/slab.h> 36 37#include "binder.h" 38 39static DEFINE_MUTEX(binder_lock); 40static DEFINE_MUTEX(binder_deferred_lock); 41static DEFINE_MUTEX(binder_mmap_lock); 42 43static HLIST_HEAD(binder_procs); 44static HLIST_HEAD(binder_deferred_list); 45static HLIST_HEAD(binder_dead_nodes); 46 47static struct dentry *binder_debugfs_dir_entry_root; 48static struct dentry *binder_debugfs_dir_entry_proc; 49static struct binder_node *binder_context_mgr_node; 50static uid_t binder_context_mgr_uid = -1; 51static int binder_last_id; 52static struct workqueue_struct *binder_deferred_workqueue; 53 54#define BINDER_DEBUG_ENTRY(name) \ 55static int binder_##name##_open(struct inode *inode, struct file *file) \ 56{ \ 57 return single_open(file, binder_##name##_show, inode->i_private); \ 58} \ 59\ 60static const struct file_operations binder_##name##_fops = { \ 61 .owner = THIS_MODULE, \ 62 .open = binder_##name##_open, \ 63 .read = seq_read, \ 64 .llseek = seq_lseek, \ 65 .release = single_release, \ 66} 67 68static int binder_proc_show(struct seq_file *m, void *unused); 69BINDER_DEBUG_ENTRY(proc); 70 71/* This is only defined in include/asm-arm/sizes.h */ 72#ifndef SZ_1K 73#define SZ_1K 0x400 74#endif 75 76#ifndef SZ_4M 77#define SZ_4M 0x400000 78#endif 79 80#define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 81 82#define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 83 84enum { 85 BINDER_DEBUG_USER_ERROR = 1U << 0, 86 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 87 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 88 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 89 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 90 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 91 BINDER_DEBUG_READ_WRITE = 1U << 6, 92 BINDER_DEBUG_USER_REFS = 1U << 7, 93 BINDER_DEBUG_THREADS = 1U << 8, 94 BINDER_DEBUG_TRANSACTION = 1U << 9, 95 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 96 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 97 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 98 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 99 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 100 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 101}; 102static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 103 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 104module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 105 106static bool binder_debug_no_lock; 107module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 108 109static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 110static int binder_stop_on_user_error; 111 112static int binder_set_stop_on_user_error(const char *val, 113 struct kernel_param *kp) 114{ 115 int ret; 116 ret = param_set_int(val, kp); 117 if (binder_stop_on_user_error < 2) 118 wake_up(&binder_user_error_wait); 119 return ret; 120} 121module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 122 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 123 124#define binder_debug(mask, x...) \ 125 do { \ 126 if (binder_debug_mask & mask) \ 127 pr_info(x); \ 128 } while (0) 129 130#define binder_user_error(x...) \ 131 do { \ 132 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 133 pr_info(x); \ 134 if (binder_stop_on_user_error) \ 135 binder_stop_on_user_error = 2; \ 136 } while (0) 137 138enum binder_stat_types { 139 BINDER_STAT_PROC, 140 BINDER_STAT_THREAD, 141 BINDER_STAT_NODE, 142 BINDER_STAT_REF, 143 BINDER_STAT_DEATH, 144 BINDER_STAT_TRANSACTION, 145 BINDER_STAT_TRANSACTION_COMPLETE, 146 BINDER_STAT_COUNT 147}; 148 149struct binder_stats { 150 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 151 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 152 int obj_created[BINDER_STAT_COUNT]; 153 int obj_deleted[BINDER_STAT_COUNT]; 154}; 155 156static struct binder_stats binder_stats; 157 158static inline void binder_stats_deleted(enum binder_stat_types type) 159{ 160 binder_stats.obj_deleted[type]++; 161} 162 163static inline void binder_stats_created(enum binder_stat_types type) 164{ 165 binder_stats.obj_created[type]++; 166} 167 168struct binder_transaction_log_entry { 169 int debug_id; 170 int call_type; 171 int from_proc; 172 int from_thread; 173 int target_handle; 174 int to_proc; 175 int to_thread; 176 int to_node; 177 int data_size; 178 int offsets_size; 179}; 180struct binder_transaction_log { 181 int next; 182 int full; 183 struct binder_transaction_log_entry entry[32]; 184}; 185static struct binder_transaction_log binder_transaction_log; 186static struct binder_transaction_log binder_transaction_log_failed; 187 188static struct binder_transaction_log_entry *binder_transaction_log_add( 189 struct binder_transaction_log *log) 190{ 191 struct binder_transaction_log_entry *e; 192 e = &log->entry[log->next]; 193 memset(e, 0, sizeof(*e)); 194 log->next++; 195 if (log->next == ARRAY_SIZE(log->entry)) { 196 log->next = 0; 197 log->full = 1; 198 } 199 return e; 200} 201 202struct binder_work { 203 struct list_head entry; 204 enum { 205 BINDER_WORK_TRANSACTION = 1, 206 BINDER_WORK_TRANSACTION_COMPLETE, 207 BINDER_WORK_NODE, 208 BINDER_WORK_DEAD_BINDER, 209 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 210 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 211 } type; 212}; 213 214struct binder_node { 215 int debug_id; 216 struct binder_work work; 217 union { 218 struct rb_node rb_node; 219 struct hlist_node dead_node; 220 }; 221 struct binder_proc *proc; 222 struct hlist_head refs; 223 int internal_strong_refs; 224 int local_weak_refs; 225 int local_strong_refs; 226 void __user *ptr; 227 void __user *cookie; 228 unsigned has_strong_ref:1; 229 unsigned pending_strong_ref:1; 230 unsigned has_weak_ref:1; 231 unsigned pending_weak_ref:1; 232 unsigned has_async_transaction:1; 233 unsigned accept_fds:1; 234 unsigned min_priority:8; 235 struct list_head async_todo; 236}; 237 238struct binder_ref_death { 239 struct binder_work work; 240 void __user *cookie; 241}; 242 243struct binder_ref { 244 /* Lookups needed: */ 245 /* node + proc => ref (transaction) */ 246 /* desc + proc => ref (transaction, inc/dec ref) */ 247 /* node => refs + procs (proc exit) */ 248 int debug_id; 249 struct rb_node rb_node_desc; 250 struct rb_node rb_node_node; 251 struct hlist_node node_entry; 252 struct binder_proc *proc; 253 struct binder_node *node; 254 uint32_t desc; 255 int strong; 256 int weak; 257 struct binder_ref_death *death; 258}; 259 260struct binder_buffer { 261 struct list_head entry; /* free and allocated entries by address */ 262 struct rb_node rb_node; /* free entry by size or allocated entry */ 263 /* by address */ 264 unsigned free:1; 265 unsigned allow_user_free:1; 266 unsigned async_transaction:1; 267 unsigned debug_id:29; 268 269 struct binder_transaction *transaction; 270 271 struct binder_node *target_node; 272 size_t data_size; 273 size_t offsets_size; 274 uint8_t data[0]; 275}; 276 277enum binder_deferred_state { 278 BINDER_DEFERRED_PUT_FILES = 0x01, 279 BINDER_DEFERRED_FLUSH = 0x02, 280 BINDER_DEFERRED_RELEASE = 0x04, 281}; 282 283struct binder_proc { 284 struct hlist_node proc_node; 285 struct rb_root threads; 286 struct rb_root nodes; 287 struct rb_root refs_by_desc; 288 struct rb_root refs_by_node; 289 int pid; 290 struct vm_area_struct *vma; 291 struct mm_struct *vma_vm_mm; 292 struct task_struct *tsk; 293 struct files_struct *files; 294 struct hlist_node deferred_work_node; 295 int deferred_work; 296 void *buffer; 297 ptrdiff_t user_buffer_offset; 298 299 struct list_head buffers; 300 struct rb_root free_buffers; 301 struct rb_root allocated_buffers; 302 size_t free_async_space; 303 304 struct page **pages; 305 size_t buffer_size; 306 uint32_t buffer_free; 307 struct list_head todo; 308 wait_queue_head_t wait; 309 struct binder_stats stats; 310 struct list_head delivered_death; 311 int max_threads; 312 int requested_threads; 313 int requested_threads_started; 314 int ready_threads; 315 long default_priority; 316 struct dentry *debugfs_entry; 317}; 318 319enum { 320 BINDER_LOOPER_STATE_REGISTERED = 0x01, 321 BINDER_LOOPER_STATE_ENTERED = 0x02, 322 BINDER_LOOPER_STATE_EXITED = 0x04, 323 BINDER_LOOPER_STATE_INVALID = 0x08, 324 BINDER_LOOPER_STATE_WAITING = 0x10, 325 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 326}; 327 328struct binder_thread { 329 struct binder_proc *proc; 330 struct rb_node rb_node; 331 int pid; 332 int looper; 333 struct binder_transaction *transaction_stack; 334 struct list_head todo; 335 uint32_t return_error; /* Write failed, return error code in read buf */ 336 uint32_t return_error2; /* Write failed, return error code in read */ 337 /* buffer. Used when sending a reply to a dead process that */ 338 /* we are also waiting on */ 339 wait_queue_head_t wait; 340 struct binder_stats stats; 341}; 342 343struct binder_transaction { 344 int debug_id; 345 struct binder_work work; 346 struct binder_thread *from; 347 struct binder_transaction *from_parent; 348 struct binder_proc *to_proc; 349 struct binder_thread *to_thread; 350 struct binder_transaction *to_parent; 351 unsigned need_reply:1; 352 /* unsigned is_dead:1; */ /* not used at the moment */ 353 354 struct binder_buffer *buffer; 355 unsigned int code; 356 unsigned int flags; 357 long priority; 358 long saved_priority; 359 uid_t sender_euid; 360}; 361 362static void 363binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer); 364 365int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 366{ 367 struct files_struct *files = proc->files; 368 unsigned long rlim_cur; 369 unsigned long irqs; 370 371 if (files == NULL) 372 return -ESRCH; 373 374 if (!lock_task_sighand(proc->tsk, &irqs)) 375 return -EMFILE; 376 377 rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE); 378 unlock_task_sighand(proc->tsk, &irqs); 379 380 return __alloc_fd(files, 0, rlim_cur, flags); 381} 382 383/* 384 * copied from fd_install 385 */ 386static void task_fd_install( 387 struct binder_proc *proc, unsigned int fd, struct file *file) 388{ 389 struct files_struct *files = proc->files; 390 struct fdtable *fdt; 391 392 if (files == NULL) 393 return; 394 395 spin_lock(&files->file_lock); 396 fdt = files_fdtable(files); 397 BUG_ON(fdt->fd[fd] != NULL); 398 rcu_assign_pointer(fdt->fd[fd], file); 399 spin_unlock(&files->file_lock); 400} 401 402/* 403 * copied from __put_unused_fd in open.c 404 */ 405static void __put_unused_fd(struct files_struct *files, unsigned int fd) 406{ 407 struct fdtable *fdt = files_fdtable(files); 408 __clear_open_fd(fd, fdt); 409 if (fd < files->next_fd) 410 files->next_fd = fd; 411} 412 413/* 414 * copied from sys_close 415 */ 416static long task_close_fd(struct binder_proc *proc, unsigned int fd) 417{ 418 struct file *filp; 419 struct files_struct *files = proc->files; 420 struct fdtable *fdt; 421 int retval; 422 423 if (files == NULL) 424 return -ESRCH; 425 426 spin_lock(&files->file_lock); 427 fdt = files_fdtable(files); 428 if (fd >= fdt->max_fds) 429 goto out_unlock; 430 filp = fdt->fd[fd]; 431 if (!filp) 432 goto out_unlock; 433 rcu_assign_pointer(fdt->fd[fd], NULL); 434 __clear_close_on_exec(fd, fdt); 435 __put_unused_fd(files, fd); 436 spin_unlock(&files->file_lock); 437 retval = filp_close(filp, files); 438 439 /* can't restart close syscall because file table entry was cleared */ 440 if (unlikely(retval == -ERESTARTSYS || 441 retval == -ERESTARTNOINTR || 442 retval == -ERESTARTNOHAND || 443 retval == -ERESTART_RESTARTBLOCK)) 444 retval = -EINTR; 445 446 return retval; 447 448out_unlock: 449 spin_unlock(&files->file_lock); 450 return -EBADF; 451} 452 453static void binder_set_nice(long nice) 454{ 455 long min_nice; 456 if (can_nice(current, nice)) { 457 set_user_nice(current, nice); 458 return; 459 } 460 min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 461 binder_debug(BINDER_DEBUG_PRIORITY_CAP, 462 "binder: %d: nice value %ld not allowed use " 463 "%ld instead\n", current->pid, nice, min_nice); 464 set_user_nice(current, min_nice); 465 if (min_nice < 20) 466 return; 467 binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 468} 469 470static size_t binder_buffer_size(struct binder_proc *proc, 471 struct binder_buffer *buffer) 472{ 473 if (list_is_last(&buffer->entry, &proc->buffers)) 474 return proc->buffer + proc->buffer_size - (void *)buffer->data; 475 else 476 return (size_t)list_entry(buffer->entry.next, 477 struct binder_buffer, entry) - (size_t)buffer->data; 478} 479 480static void binder_insert_free_buffer(struct binder_proc *proc, 481 struct binder_buffer *new_buffer) 482{ 483 struct rb_node **p = &proc->free_buffers.rb_node; 484 struct rb_node *parent = NULL; 485 struct binder_buffer *buffer; 486 size_t buffer_size; 487 size_t new_buffer_size; 488 489 BUG_ON(!new_buffer->free); 490 491 new_buffer_size = binder_buffer_size(proc, new_buffer); 492 493 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 494 "binder: %d: add free buffer, size %zd, " 495 "at %p\n", proc->pid, new_buffer_size, new_buffer); 496 497 while (*p) { 498 parent = *p; 499 buffer = rb_entry(parent, struct binder_buffer, rb_node); 500 BUG_ON(!buffer->free); 501 502 buffer_size = binder_buffer_size(proc, buffer); 503 504 if (new_buffer_size < buffer_size) 505 p = &parent->rb_left; 506 else 507 p = &parent->rb_right; 508 } 509 rb_link_node(&new_buffer->rb_node, parent, p); 510 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 511} 512 513static void binder_insert_allocated_buffer(struct binder_proc *proc, 514 struct binder_buffer *new_buffer) 515{ 516 struct rb_node **p = &proc->allocated_buffers.rb_node; 517 struct rb_node *parent = NULL; 518 struct binder_buffer *buffer; 519 520 BUG_ON(new_buffer->free); 521 522 while (*p) { 523 parent = *p; 524 buffer = rb_entry(parent, struct binder_buffer, rb_node); 525 BUG_ON(buffer->free); 526 527 if (new_buffer < buffer) 528 p = &parent->rb_left; 529 else if (new_buffer > buffer) 530 p = &parent->rb_right; 531 else 532 BUG(); 533 } 534 rb_link_node(&new_buffer->rb_node, parent, p); 535 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 536} 537 538static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc, 539 void __user *user_ptr) 540{ 541 struct rb_node *n = proc->allocated_buffers.rb_node; 542 struct binder_buffer *buffer; 543 struct binder_buffer *kern_ptr; 544 545 kern_ptr = user_ptr - proc->user_buffer_offset 546 - offsetof(struct binder_buffer, data); 547 548 while (n) { 549 buffer = rb_entry(n, struct binder_buffer, rb_node); 550 BUG_ON(buffer->free); 551 552 if (kern_ptr < buffer) 553 n = n->rb_left; 554 else if (kern_ptr > buffer) 555 n = n->rb_right; 556 else 557 return buffer; 558 } 559 return NULL; 560} 561 562static int binder_update_page_range(struct binder_proc *proc, int allocate, 563 void *start, void *end, 564 struct vm_area_struct *vma) 565{ 566 void *page_addr; 567 unsigned long user_page_addr; 568 struct vm_struct tmp_area; 569 struct page **page; 570 struct mm_struct *mm; 571 572 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 573 "binder: %d: %s pages %p-%p\n", proc->pid, 574 allocate ? "allocate" : "free", start, end); 575 576 if (end <= start) 577 return 0; 578 579 if (vma) 580 mm = NULL; 581 else 582 mm = get_task_mm(proc->tsk); 583 584 if (mm) { 585 down_write(&mm->mmap_sem); 586 vma = proc->vma; 587 if (vma && mm != proc->vma_vm_mm) { 588 pr_err("binder: %d: vma mm and task mm mismatch\n", 589 proc->pid); 590 vma = NULL; 591 } 592 } 593 594 if (allocate == 0) 595 goto free_range; 596 597 if (vma == NULL) { 598 pr_err("binder: %d: binder_alloc_buf failed to " 599 "map pages in userspace, no vma\n", proc->pid); 600 goto err_no_vma; 601 } 602 603 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 604 int ret; 605 struct page **page_array_ptr; 606 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 607 608 BUG_ON(*page); 609 *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 610 if (*page == NULL) { 611 pr_err("binder: %d: binder_alloc_buf failed " 612 "for page at %p\n", proc->pid, page_addr); 613 goto err_alloc_page_failed; 614 } 615 tmp_area.addr = page_addr; 616 tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 617 page_array_ptr = page; 618 ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 619 if (ret) { 620 pr_err("binder: %d: binder_alloc_buf failed " 621 "to map page at %p in kernel\n", 622 proc->pid, page_addr); 623 goto err_map_kernel_failed; 624 } 625 user_page_addr = 626 (uintptr_t)page_addr + proc->user_buffer_offset; 627 ret = vm_insert_page(vma, user_page_addr, page[0]); 628 if (ret) { 629 pr_err("binder: %d: binder_alloc_buf failed " 630 "to map page at %lx in userspace\n", 631 proc->pid, user_page_addr); 632 goto err_vm_insert_page_failed; 633 } 634 /* vm_insert_page does not seem to increment the refcount */ 635 } 636 if (mm) { 637 up_write(&mm->mmap_sem); 638 mmput(mm); 639 } 640 return 0; 641 642free_range: 643 for (page_addr = end - PAGE_SIZE; page_addr >= start; 644 page_addr -= PAGE_SIZE) { 645 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 646 if (vma) 647 zap_page_range(vma, (uintptr_t)page_addr + 648 proc->user_buffer_offset, PAGE_SIZE, NULL); 649err_vm_insert_page_failed: 650 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 651err_map_kernel_failed: 652 __free_page(*page); 653 *page = NULL; 654err_alloc_page_failed: 655 ; 656 } 657err_no_vma: 658 if (mm) { 659 up_write(&mm->mmap_sem); 660 mmput(mm); 661 } 662 return -ENOMEM; 663} 664 665static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 666 size_t data_size, 667 size_t offsets_size, int is_async) 668{ 669 struct rb_node *n = proc->free_buffers.rb_node; 670 struct binder_buffer *buffer; 671 size_t buffer_size; 672 struct rb_node *best_fit = NULL; 673 void *has_page_addr; 674 void *end_page_addr; 675 size_t size; 676 677 if (proc->vma == NULL) { 678 pr_err("binder: %d: binder_alloc_buf, no vma\n", 679 proc->pid); 680 return NULL; 681 } 682 683 size = ALIGN(data_size, sizeof(void *)) + 684 ALIGN(offsets_size, sizeof(void *)); 685 686 if (size < data_size || size < offsets_size) { 687 binder_user_error("binder: %d: got transaction with invalid " 688 "size %zd-%zd\n", proc->pid, data_size, offsets_size); 689 return NULL; 690 } 691 692 if (is_async && 693 proc->free_async_space < size + sizeof(struct binder_buffer)) { 694 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 695 "binder: %d: binder_alloc_buf size %zd" 696 "failed, no async space left\n", proc->pid, size); 697 return NULL; 698 } 699 700 while (n) { 701 buffer = rb_entry(n, struct binder_buffer, rb_node); 702 BUG_ON(!buffer->free); 703 buffer_size = binder_buffer_size(proc, buffer); 704 705 if (size < buffer_size) { 706 best_fit = n; 707 n = n->rb_left; 708 } else if (size > buffer_size) 709 n = n->rb_right; 710 else { 711 best_fit = n; 712 break; 713 } 714 } 715 if (best_fit == NULL) { 716 pr_err("binder: %d: binder_alloc_buf size %zd failed, " 717 "no address space\n", proc->pid, size); 718 return NULL; 719 } 720 if (n == NULL) { 721 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 722 buffer_size = binder_buffer_size(proc, buffer); 723 } 724 725 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 726 "binder: %d: binder_alloc_buf size %zd got buff" 727 "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 728 729 has_page_addr = 730 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 731 if (n == NULL) { 732 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 733 buffer_size = size; /* no room for other buffers */ 734 else 735 buffer_size = size + sizeof(struct binder_buffer); 736 } 737 end_page_addr = 738 (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); 739 if (end_page_addr > has_page_addr) 740 end_page_addr = has_page_addr; 741 if (binder_update_page_range(proc, 1, 742 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) 743 return NULL; 744 745 rb_erase(best_fit, &proc->free_buffers); 746 buffer->free = 0; 747 binder_insert_allocated_buffer(proc, buffer); 748 if (buffer_size != size) { 749 struct binder_buffer *new_buffer = (void *)buffer->data + size; 750 list_add(&new_buffer->entry, &buffer->entry); 751 new_buffer->free = 1; 752 binder_insert_free_buffer(proc, new_buffer); 753 } 754 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 755 "binder: %d: binder_alloc_buf size %zd got " 756 "%p\n", proc->pid, size, buffer); 757 buffer->data_size = data_size; 758 buffer->offsets_size = offsets_size; 759 buffer->async_transaction = is_async; 760 if (is_async) { 761 proc->free_async_space -= size + sizeof(struct binder_buffer); 762 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 763 "binder: %d: binder_alloc_buf size %zd " 764 "async free %zd\n", proc->pid, size, 765 proc->free_async_space); 766 } 767 768 return buffer; 769} 770 771static void *buffer_start_page(struct binder_buffer *buffer) 772{ 773 return (void *)((uintptr_t)buffer & PAGE_MASK); 774} 775 776static void *buffer_end_page(struct binder_buffer *buffer) 777{ 778 return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); 779} 780 781static void binder_delete_free_buffer(struct binder_proc *proc, 782 struct binder_buffer *buffer) 783{ 784 struct binder_buffer *prev, *next = NULL; 785 int free_page_end = 1; 786 int free_page_start = 1; 787 788 BUG_ON(proc->buffers.next == &buffer->entry); 789 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 790 BUG_ON(!prev->free); 791 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 792 free_page_start = 0; 793 if (buffer_end_page(prev) == buffer_end_page(buffer)) 794 free_page_end = 0; 795 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 796 "binder: %d: merge free, buffer %p " 797 "share page with %p\n", proc->pid, buffer, prev); 798 } 799 800 if (!list_is_last(&buffer->entry, &proc->buffers)) { 801 next = list_entry(buffer->entry.next, 802 struct binder_buffer, entry); 803 if (buffer_start_page(next) == buffer_end_page(buffer)) { 804 free_page_end = 0; 805 if (buffer_start_page(next) == 806 buffer_start_page(buffer)) 807 free_page_start = 0; 808 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 809 "binder: %d: merge free, buffer" 810 " %p share page with %p\n", proc->pid, 811 buffer, prev); 812 } 813 } 814 list_del(&buffer->entry); 815 if (free_page_start || free_page_end) { 816 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 817 "binder: %d: merge free, buffer %p do " 818 "not share page%s%s with with %p or %p\n", 819 proc->pid, buffer, free_page_start ? "" : " end", 820 free_page_end ? "" : " start", prev, next); 821 binder_update_page_range(proc, 0, free_page_start ? 822 buffer_start_page(buffer) : buffer_end_page(buffer), 823 (free_page_end ? buffer_end_page(buffer) : 824 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 825 } 826} 827 828static void binder_free_buf(struct binder_proc *proc, 829 struct binder_buffer *buffer) 830{ 831 size_t size, buffer_size; 832 833 buffer_size = binder_buffer_size(proc, buffer); 834 835 size = ALIGN(buffer->data_size, sizeof(void *)) + 836 ALIGN(buffer->offsets_size, sizeof(void *)); 837 838 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 839 "binder: %d: binder_free_buf %p size %zd buffer" 840 "_size %zd\n", proc->pid, buffer, size, buffer_size); 841 842 BUG_ON(buffer->free); 843 BUG_ON(size > buffer_size); 844 BUG_ON(buffer->transaction != NULL); 845 BUG_ON((void *)buffer < proc->buffer); 846 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 847 848 if (buffer->async_transaction) { 849 proc->free_async_space += size + sizeof(struct binder_buffer); 850 851 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 852 "binder: %d: binder_free_buf size %zd " 853 "async free %zd\n", proc->pid, size, 854 proc->free_async_space); 855 } 856 857 binder_update_page_range(proc, 0, 858 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 859 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), 860 NULL); 861 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 862 buffer->free = 1; 863 if (!list_is_last(&buffer->entry, &proc->buffers)) { 864 struct binder_buffer *next = list_entry(buffer->entry.next, 865 struct binder_buffer, entry); 866 if (next->free) { 867 rb_erase(&next->rb_node, &proc->free_buffers); 868 binder_delete_free_buffer(proc, next); 869 } 870 } 871 if (proc->buffers.next != &buffer->entry) { 872 struct binder_buffer *prev = list_entry(buffer->entry.prev, 873 struct binder_buffer, entry); 874 if (prev->free) { 875 binder_delete_free_buffer(proc, buffer); 876 rb_erase(&prev->rb_node, &proc->free_buffers); 877 buffer = prev; 878 } 879 } 880 binder_insert_free_buffer(proc, buffer); 881} 882 883static struct binder_node *binder_get_node(struct binder_proc *proc, 884 void __user *ptr) 885{ 886 struct rb_node *n = proc->nodes.rb_node; 887 struct binder_node *node; 888 889 while (n) { 890 node = rb_entry(n, struct binder_node, rb_node); 891 892 if (ptr < node->ptr) 893 n = n->rb_left; 894 else if (ptr > node->ptr) 895 n = n->rb_right; 896 else 897 return node; 898 } 899 return NULL; 900} 901 902static struct binder_node *binder_new_node(struct binder_proc *proc, 903 void __user *ptr, 904 void __user *cookie) 905{ 906 struct rb_node **p = &proc->nodes.rb_node; 907 struct rb_node *parent = NULL; 908 struct binder_node *node; 909 910 while (*p) { 911 parent = *p; 912 node = rb_entry(parent, struct binder_node, rb_node); 913 914 if (ptr < node->ptr) 915 p = &(*p)->rb_left; 916 else if (ptr > node->ptr) 917 p = &(*p)->rb_right; 918 else 919 return NULL; 920 } 921 922 node = kzalloc(sizeof(*node), GFP_KERNEL); 923 if (node == NULL) 924 return NULL; 925 binder_stats_created(BINDER_STAT_NODE); 926 rb_link_node(&node->rb_node, parent, p); 927 rb_insert_color(&node->rb_node, &proc->nodes); 928 node->debug_id = ++binder_last_id; 929 node->proc = proc; 930 node->ptr = ptr; 931 node->cookie = cookie; 932 node->work.type = BINDER_WORK_NODE; 933 INIT_LIST_HEAD(&node->work.entry); 934 INIT_LIST_HEAD(&node->async_todo); 935 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 936 "binder: %d:%d node %d u%p c%p created\n", 937 proc->pid, current->pid, node->debug_id, 938 node->ptr, node->cookie); 939 return node; 940} 941 942static int binder_inc_node(struct binder_node *node, int strong, int internal, 943 struct list_head *target_list) 944{ 945 if (strong) { 946 if (internal) { 947 if (target_list == NULL && 948 node->internal_strong_refs == 0 && 949 !(node == binder_context_mgr_node && 950 node->has_strong_ref)) { 951 pr_err("binder: invalid inc strong " 952 "node for %d\n", node->debug_id); 953 return -EINVAL; 954 } 955 node->internal_strong_refs++; 956 } else 957 node->local_strong_refs++; 958 if (!node->has_strong_ref && target_list) { 959 list_del_init(&node->work.entry); 960 list_add_tail(&node->work.entry, target_list); 961 } 962 } else { 963 if (!internal) 964 node->local_weak_refs++; 965 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 966 if (target_list == NULL) { 967 pr_err("binder: invalid inc weak node " 968 "for %d\n", node->debug_id); 969 return -EINVAL; 970 } 971 list_add_tail(&node->work.entry, target_list); 972 } 973 } 974 return 0; 975} 976 977static int binder_dec_node(struct binder_node *node, int strong, int internal) 978{ 979 if (strong) { 980 if (internal) 981 node->internal_strong_refs--; 982 else 983 node->local_strong_refs--; 984 if (node->local_strong_refs || node->internal_strong_refs) 985 return 0; 986 } else { 987 if (!internal) 988 node->local_weak_refs--; 989 if (node->local_weak_refs || !hlist_empty(&node->refs)) 990 return 0; 991 } 992 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 993 if (list_empty(&node->work.entry)) { 994 list_add_tail(&node->work.entry, &node->proc->todo); 995 wake_up_interruptible(&node->proc->wait); 996 } 997 } else { 998 if (hlist_empty(&node->refs) && !node->local_strong_refs && 999 !node->local_weak_refs) { 1000 list_del_init(&node->work.entry); 1001 if (node->proc) { 1002 rb_erase(&node->rb_node, &node->proc->nodes); 1003 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1004 "binder: refless node %d deleted\n", 1005 node->debug_id); 1006 } else { 1007 hlist_del(&node->dead_node); 1008 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1009 "binder: dead node %d deleted\n", 1010 node->debug_id); 1011 } 1012 kfree(node); 1013 binder_stats_deleted(BINDER_STAT_NODE); 1014 } 1015 } 1016 1017 return 0; 1018} 1019 1020 1021static struct binder_ref *binder_get_ref(struct binder_proc *proc, 1022 uint32_t desc) 1023{ 1024 struct rb_node *n = proc->refs_by_desc.rb_node; 1025 struct binder_ref *ref; 1026 1027 while (n) { 1028 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1029 1030 if (desc < ref->desc) 1031 n = n->rb_left; 1032 else if (desc > ref->desc) 1033 n = n->rb_right; 1034 else 1035 return ref; 1036 } 1037 return NULL; 1038} 1039 1040static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc, 1041 struct binder_node *node) 1042{ 1043 struct rb_node *n; 1044 struct rb_node **p = &proc->refs_by_node.rb_node; 1045 struct rb_node *parent = NULL; 1046 struct binder_ref *ref, *new_ref; 1047 1048 while (*p) { 1049 parent = *p; 1050 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1051 1052 if (node < ref->node) 1053 p = &(*p)->rb_left; 1054 else if (node > ref->node) 1055 p = &(*p)->rb_right; 1056 else 1057 return ref; 1058 } 1059 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1060 if (new_ref == NULL) 1061 return NULL; 1062 binder_stats_created(BINDER_STAT_REF); 1063 new_ref->debug_id = ++binder_last_id; 1064 new_ref->proc = proc; 1065 new_ref->node = node; 1066 rb_link_node(&new_ref->rb_node_node, parent, p); 1067 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1068 1069 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1070 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1071 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1072 if (ref->desc > new_ref->desc) 1073 break; 1074 new_ref->desc = ref->desc + 1; 1075 } 1076 1077 p = &proc->refs_by_desc.rb_node; 1078 while (*p) { 1079 parent = *p; 1080 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1081 1082 if (new_ref->desc < ref->desc) 1083 p = &(*p)->rb_left; 1084 else if (new_ref->desc > ref->desc) 1085 p = &(*p)->rb_right; 1086 else 1087 BUG(); 1088 } 1089 rb_link_node(&new_ref->rb_node_desc, parent, p); 1090 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1091 if (node) { 1092 hlist_add_head(&new_ref->node_entry, &node->refs); 1093 1094 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1095 "binder: %d new ref %d desc %d for " 1096 "node %d\n", proc->pid, new_ref->debug_id, 1097 new_ref->desc, node->debug_id); 1098 } else { 1099 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1100 "binder: %d new ref %d desc %d for " 1101 "dead node\n", proc->pid, new_ref->debug_id, 1102 new_ref->desc); 1103 } 1104 return new_ref; 1105} 1106 1107static void binder_delete_ref(struct binder_ref *ref) 1108{ 1109 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1110 "binder: %d delete ref %d desc %d for " 1111 "node %d\n", ref->proc->pid, ref->debug_id, 1112 ref->desc, ref->node->debug_id); 1113 1114 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1115 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1116 if (ref->strong) 1117 binder_dec_node(ref->node, 1, 1); 1118 hlist_del(&ref->node_entry); 1119 binder_dec_node(ref->node, 0, 1); 1120 if (ref->death) { 1121 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1122 "binder: %d delete ref %d desc %d " 1123 "has death notification\n", ref->proc->pid, 1124 ref->debug_id, ref->desc); 1125 list_del(&ref->death->work.entry); 1126 kfree(ref->death); 1127 binder_stats_deleted(BINDER_STAT_DEATH); 1128 } 1129 kfree(ref); 1130 binder_stats_deleted(BINDER_STAT_REF); 1131} 1132 1133static int binder_inc_ref(struct binder_ref *ref, int strong, 1134 struct list_head *target_list) 1135{ 1136 int ret; 1137 if (strong) { 1138 if (ref->strong == 0) { 1139 ret = binder_inc_node(ref->node, 1, 1, target_list); 1140 if (ret) 1141 return ret; 1142 } 1143 ref->strong++; 1144 } else { 1145 if (ref->weak == 0) { 1146 ret = binder_inc_node(ref->node, 0, 1, target_list); 1147 if (ret) 1148 return ret; 1149 } 1150 ref->weak++; 1151 } 1152 return 0; 1153} 1154 1155 1156static int binder_dec_ref(struct binder_ref *ref, int strong) 1157{ 1158 if (strong) { 1159 if (ref->strong == 0) { 1160 binder_user_error("binder: %d invalid dec strong, " 1161 "ref %d desc %d s %d w %d\n", 1162 ref->proc->pid, ref->debug_id, 1163 ref->desc, ref->strong, ref->weak); 1164 return -EINVAL; 1165 } 1166 ref->strong--; 1167 if (ref->strong == 0) { 1168 int ret; 1169 ret = binder_dec_node(ref->node, strong, 1); 1170 if (ret) 1171 return ret; 1172 } 1173 } else { 1174 if (ref->weak == 0) { 1175 binder_user_error("binder: %d invalid dec weak, " 1176 "ref %d desc %d s %d w %d\n", 1177 ref->proc->pid, ref->debug_id, 1178 ref->desc, ref->strong, ref->weak); 1179 return -EINVAL; 1180 } 1181 ref->weak--; 1182 } 1183 if (ref->strong == 0 && ref->weak == 0) 1184 binder_delete_ref(ref); 1185 return 0; 1186} 1187 1188static void binder_pop_transaction(struct binder_thread *target_thread, 1189 struct binder_transaction *t) 1190{ 1191 if (target_thread) { 1192 BUG_ON(target_thread->transaction_stack != t); 1193 BUG_ON(target_thread->transaction_stack->from != target_thread); 1194 target_thread->transaction_stack = 1195 target_thread->transaction_stack->from_parent; 1196 t->from = NULL; 1197 } 1198 t->need_reply = 0; 1199 if (t->buffer) 1200 t->buffer->transaction = NULL; 1201 kfree(t); 1202 binder_stats_deleted(BINDER_STAT_TRANSACTION); 1203} 1204 1205static void binder_send_failed_reply(struct binder_transaction *t, 1206 uint32_t error_code) 1207{ 1208 struct binder_thread *target_thread; 1209 BUG_ON(t->flags & TF_ONE_WAY); 1210 while (1) { 1211 target_thread = t->from; 1212 if (target_thread) { 1213 if (target_thread->return_error != BR_OK && 1214 target_thread->return_error2 == BR_OK) { 1215 target_thread->return_error2 = 1216 target_thread->return_error; 1217 target_thread->return_error = BR_OK; 1218 } 1219 if (target_thread->return_error == BR_OK) { 1220 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1221 "binder: send failed reply for " 1222 "transaction %d to %d:%d\n", 1223 t->debug_id, target_thread->proc->pid, 1224 target_thread->pid); 1225 1226 binder_pop_transaction(target_thread, t); 1227 target_thread->return_error = error_code; 1228 wake_up_interruptible(&target_thread->wait); 1229 } else { 1230 pr_err("binder: reply failed, target " 1231 "thread, %d:%d, has error code %d " 1232 "already\n", target_thread->proc->pid, 1233 target_thread->pid, 1234 target_thread->return_error); 1235 } 1236 return; 1237 } else { 1238 struct binder_transaction *next = t->from_parent; 1239 1240 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1241 "binder: send failed reply " 1242 "for transaction %d, target dead\n", 1243 t->debug_id); 1244 1245 binder_pop_transaction(target_thread, t); 1246 if (next == NULL) { 1247 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1248 "binder: reply failed," 1249 " no target thread at root\n"); 1250 return; 1251 } 1252 t = next; 1253 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1254 "binder: reply failed, no target " 1255 "thread -- retry %d\n", t->debug_id); 1256 } 1257 } 1258} 1259 1260static void binder_transaction_buffer_release(struct binder_proc *proc, 1261 struct binder_buffer *buffer, 1262 size_t *failed_at) 1263{ 1264 size_t *offp, *off_end; 1265 int debug_id = buffer->debug_id; 1266 1267 binder_debug(BINDER_DEBUG_TRANSACTION, 1268 "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1269 proc->pid, buffer->debug_id, 1270 buffer->data_size, buffer->offsets_size, failed_at); 1271 1272 if (buffer->target_node) 1273 binder_dec_node(buffer->target_node, 1, 0); 1274 1275 offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1276 if (failed_at) 1277 off_end = failed_at; 1278 else 1279 off_end = (void *)offp + buffer->offsets_size; 1280 for (; offp < off_end; offp++) { 1281 struct flat_binder_object *fp; 1282 if (*offp > buffer->data_size - sizeof(*fp) || 1283 buffer->data_size < sizeof(*fp) || 1284 !IS_ALIGNED(*offp, sizeof(void *))) { 1285 pr_err("binder: transaction release %d bad" 1286 "offset %zd, size %zd\n", debug_id, 1287 *offp, buffer->data_size); 1288 continue; 1289 } 1290 fp = (struct flat_binder_object *)(buffer->data + *offp); 1291 switch (fp->type) { 1292 case BINDER_TYPE_BINDER: 1293 case BINDER_TYPE_WEAK_BINDER: { 1294 struct binder_node *node = binder_get_node(proc, fp->binder); 1295 if (node == NULL) { 1296 pr_err("binder: transaction release %d" 1297 " bad node %p\n", debug_id, fp->binder); 1298 break; 1299 } 1300 binder_debug(BINDER_DEBUG_TRANSACTION, 1301 " node %d u%p\n", 1302 node->debug_id, node->ptr); 1303 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1304 } break; 1305 case BINDER_TYPE_HANDLE: 1306 case BINDER_TYPE_WEAK_HANDLE: { 1307 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1308 if (ref == NULL) { 1309 pr_err("binder: transaction release %d" 1310 " bad handle %ld\n", debug_id, 1311 fp->handle); 1312 break; 1313 } 1314 binder_debug(BINDER_DEBUG_TRANSACTION, 1315 " ref %d desc %d (node %d)\n", 1316 ref->debug_id, ref->desc, ref->node->debug_id); 1317 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1318 } break; 1319 1320 case BINDER_TYPE_FD: 1321 binder_debug(BINDER_DEBUG_TRANSACTION, 1322 " fd %ld\n", fp->handle); 1323 if (failed_at) 1324 task_close_fd(proc, fp->handle); 1325 break; 1326 1327 default: 1328 pr_err("binder: transaction release %d bad " 1329 "object type %lx\n", debug_id, fp->type); 1330 break; 1331 } 1332 } 1333} 1334 1335static void binder_transaction(struct binder_proc *proc, 1336 struct binder_thread *thread, 1337 struct binder_transaction_data *tr, int reply) 1338{ 1339 struct binder_transaction *t; 1340 struct binder_work *tcomplete; 1341 size_t *offp, *off_end; 1342 struct binder_proc *target_proc; 1343 struct binder_thread *target_thread = NULL; 1344 struct binder_node *target_node = NULL; 1345 struct list_head *target_list; 1346 wait_queue_head_t *target_wait; 1347 struct binder_transaction *in_reply_to = NULL; 1348 struct binder_transaction_log_entry *e; 1349 uint32_t return_error; 1350 1351 e = binder_transaction_log_add(&binder_transaction_log); 1352 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1353 e->from_proc = proc->pid; 1354 e->from_thread = thread->pid; 1355 e->target_handle = tr->target.handle; 1356 e->data_size = tr->data_size; 1357 e->offsets_size = tr->offsets_size; 1358 1359 if (reply) { 1360 in_reply_to = thread->transaction_stack; 1361 if (in_reply_to == NULL) { 1362 binder_user_error("binder: %d:%d got reply transaction " 1363 "with no transaction stack\n", 1364 proc->pid, thread->pid); 1365 return_error = BR_FAILED_REPLY; 1366 goto err_empty_call_stack; 1367 } 1368 binder_set_nice(in_reply_to->saved_priority); 1369 if (in_reply_to->to_thread != thread) { 1370 binder_user_error("binder: %d:%d got reply transaction " 1371 "with bad transaction stack," 1372 " transaction %d has target %d:%d\n", 1373 proc->pid, thread->pid, in_reply_to->debug_id, 1374 in_reply_to->to_proc ? 1375 in_reply_to->to_proc->pid : 0, 1376 in_reply_to->to_thread ? 1377 in_reply_to->to_thread->pid : 0); 1378 return_error = BR_FAILED_REPLY; 1379 in_reply_to = NULL; 1380 goto err_bad_call_stack; 1381 } 1382 thread->transaction_stack = in_reply_to->to_parent; 1383 target_thread = in_reply_to->from; 1384 if (target_thread == NULL) { 1385 return_error = BR_DEAD_REPLY; 1386 goto err_dead_binder; 1387 } 1388 if (target_thread->transaction_stack != in_reply_to) { 1389 binder_user_error("binder: %d:%d got reply transaction " 1390 "with bad target transaction stack %d, " 1391 "expected %d\n", 1392 proc->pid, thread->pid, 1393 target_thread->transaction_stack ? 1394 target_thread->transaction_stack->debug_id : 0, 1395 in_reply_to->debug_id); 1396 return_error = BR_FAILED_REPLY; 1397 in_reply_to = NULL; 1398 target_thread = NULL; 1399 goto err_dead_binder; 1400 } 1401 target_proc = target_thread->proc; 1402 } else { 1403 if (tr->target.handle) { 1404 struct binder_ref *ref; 1405 ref = binder_get_ref(proc, tr->target.handle); 1406 if (ref == NULL) { 1407 binder_user_error("binder: %d:%d got " 1408 "transaction to invalid handle\n", 1409 proc->pid, thread->pid); 1410 return_error = BR_FAILED_REPLY; 1411 goto err_invalid_target_handle; 1412 } 1413 target_node = ref->node; 1414 } else { 1415 target_node = binder_context_mgr_node; 1416 if (target_node == NULL) { 1417 return_error = BR_DEAD_REPLY; 1418 goto err_no_context_mgr_node; 1419 } 1420 } 1421 e->to_node = target_node->debug_id; 1422 target_proc = target_node->proc; 1423 if (target_proc == NULL) { 1424 return_error = BR_DEAD_REPLY; 1425 goto err_dead_binder; 1426 } 1427 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1428 struct binder_transaction *tmp; 1429 tmp = thread->transaction_stack; 1430 if (tmp->to_thread != thread) { 1431 binder_user_error("binder: %d:%d got new " 1432 "transaction with bad transaction stack" 1433 ", transaction %d has target %d:%d\n", 1434 proc->pid, thread->pid, tmp->debug_id, 1435 tmp->to_proc ? tmp->to_proc->pid : 0, 1436 tmp->to_thread ? 1437 tmp->to_thread->pid : 0); 1438 return_error = BR_FAILED_REPLY; 1439 goto err_bad_call_stack; 1440 } 1441 while (tmp) { 1442 if (tmp->from && tmp->from->proc == target_proc) 1443 target_thread = tmp->from; 1444 tmp = tmp->from_parent; 1445 } 1446 } 1447 } 1448 if (target_thread) { 1449 e->to_thread = target_thread->pid; 1450 target_list = &target_thread->todo; 1451 target_wait = &target_thread->wait; 1452 } else { 1453 target_list = &target_proc->todo; 1454 target_wait = &target_proc->wait; 1455 } 1456 e->to_proc = target_proc->pid; 1457 1458 /* TODO: reuse incoming transaction for reply */ 1459 t = kzalloc(sizeof(*t), GFP_KERNEL); 1460 if (t == NULL) { 1461 return_error = BR_FAILED_REPLY; 1462 goto err_alloc_t_failed; 1463 } 1464 binder_stats_created(BINDER_STAT_TRANSACTION); 1465 1466 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1467 if (tcomplete == NULL) { 1468 return_error = BR_FAILED_REPLY; 1469 goto err_alloc_tcomplete_failed; 1470 } 1471 binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE); 1472 1473 t->debug_id = ++binder_last_id; 1474 e->debug_id = t->debug_id; 1475 1476 if (reply) 1477 binder_debug(BINDER_DEBUG_TRANSACTION, 1478 "binder: %d:%d BC_REPLY %d -> %d:%d, " 1479 "data %p-%p size %zd-%zd\n", 1480 proc->pid, thread->pid, t->debug_id, 1481 target_proc->pid, target_thread->pid, 1482 tr->data.ptr.buffer, tr->data.ptr.offsets, 1483 tr->data_size, tr->offsets_size); 1484 else 1485 binder_debug(BINDER_DEBUG_TRANSACTION, 1486 "binder: %d:%d BC_TRANSACTION %d -> " 1487 "%d - node %d, data %p-%p size %zd-%zd\n", 1488 proc->pid, thread->pid, t->debug_id, 1489 target_proc->pid, target_node->debug_id, 1490 tr->data.ptr.buffer, tr->data.ptr.offsets, 1491 tr->data_size, tr->offsets_size); 1492 1493 if (!reply && !(tr->flags & TF_ONE_WAY)) 1494 t->from = thread; 1495 else 1496 t->from = NULL; 1497 t->sender_euid = proc->tsk->cred->euid; 1498 t->to_proc = target_proc; 1499 t->to_thread = target_thread; 1500 t->code = tr->code; 1501 t->flags = tr->flags; 1502 t->priority = task_nice(current); 1503 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1504 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1505 if (t->buffer == NULL) { 1506 return_error = BR_FAILED_REPLY; 1507 goto err_binder_alloc_buf_failed; 1508 } 1509 t->buffer->allow_user_free = 0; 1510 t->buffer->debug_id = t->debug_id; 1511 t->buffer->transaction = t; 1512 t->buffer->target_node = target_node; 1513 if (target_node) 1514 binder_inc_node(target_node, 1, 0, NULL); 1515 1516 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1517 1518 if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1519 binder_user_error("binder: %d:%d got transaction with invalid " 1520 "data ptr\n", proc->pid, thread->pid); 1521 return_error = BR_FAILED_REPLY; 1522 goto err_copy_data_failed; 1523 } 1524 if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1525 binder_user_error("binder: %d:%d got transaction with invalid " 1526 "offsets ptr\n", proc->pid, thread->pid); 1527 return_error = BR_FAILED_REPLY; 1528 goto err_copy_data_failed; 1529 } 1530 if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { 1531 binder_user_error("binder: %d:%d got transaction with " 1532 "invalid offsets size, %zd\n", 1533 proc->pid, thread->pid, tr->offsets_size); 1534 return_error = BR_FAILED_REPLY; 1535 goto err_bad_offset; 1536 } 1537 off_end = (void *)offp + tr->offsets_size; 1538 for (; offp < off_end; offp++) { 1539 struct flat_binder_object *fp; 1540 if (*offp > t->buffer->data_size - sizeof(*fp) || 1541 t->buffer->data_size < sizeof(*fp) || 1542 !IS_ALIGNED(*offp, sizeof(void *))) { 1543 binder_user_error("binder: %d:%d got transaction with " 1544 "invalid offset, %zd\n", 1545 proc->pid, thread->pid, *offp); 1546 return_error = BR_FAILED_REPLY; 1547 goto err_bad_offset; 1548 } 1549 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1550 switch (fp->type) { 1551 case BINDER_TYPE_BINDER: 1552 case BINDER_TYPE_WEAK_BINDER: { 1553 struct binder_ref *ref; 1554 struct binder_node *node = binder_get_node(proc, fp->binder); 1555 if (node == NULL) { 1556 node = binder_new_node(proc, fp->binder, fp->cookie); 1557 if (node == NULL) { 1558 return_error = BR_FAILED_REPLY; 1559 goto err_binder_new_node_failed; 1560 } 1561 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1562 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1563 } 1564 if (fp->cookie != node->cookie) { 1565 binder_user_error("binder: %d:%d sending u%p " 1566 "node %d, cookie mismatch %p != %p\n", 1567 proc->pid, thread->pid, 1568 fp->binder, node->debug_id, 1569 fp->cookie, node->cookie); 1570 goto err_binder_get_ref_for_node_failed; 1571 } 1572 ref = binder_get_ref_for_node(target_proc, node); 1573 if (ref == NULL) { 1574 return_error = BR_FAILED_REPLY; 1575 goto err_binder_get_ref_for_node_failed; 1576 } 1577 if (fp->type == BINDER_TYPE_BINDER) 1578 fp->type = BINDER_TYPE_HANDLE; 1579 else 1580 fp->type = BINDER_TYPE_WEAK_HANDLE; 1581 fp->handle = ref->desc; 1582 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, 1583 &thread->todo); 1584 1585 binder_debug(BINDER_DEBUG_TRANSACTION, 1586 " node %d u%p -> ref %d desc %d\n", 1587 node->debug_id, node->ptr, ref->debug_id, 1588 ref->desc); 1589 } break; 1590 case BINDER_TYPE_HANDLE: 1591 case BINDER_TYPE_WEAK_HANDLE: { 1592 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1593 if (ref == NULL) { 1594 binder_user_error("binder: %d:%d got " 1595 "transaction with invalid " 1596 "handle, %ld\n", proc->pid, 1597 thread->pid, fp->handle); 1598 return_error = BR_FAILED_REPLY; 1599 goto err_binder_get_ref_failed; 1600 } 1601 if (ref->node->proc == target_proc) { 1602 if (fp->type == BINDER_TYPE_HANDLE) 1603 fp->type = BINDER_TYPE_BINDER; 1604 else 1605 fp->type = BINDER_TYPE_WEAK_BINDER; 1606 fp->binder = ref->node->ptr; 1607 fp->cookie = ref->node->cookie; 1608 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1609 binder_debug(BINDER_DEBUG_TRANSACTION, 1610 " ref %d desc %d -> node %d u%p\n", 1611 ref->debug_id, ref->desc, ref->node->debug_id, 1612 ref->node->ptr); 1613 } else { 1614 struct binder_ref *new_ref; 1615 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1616 if (new_ref == NULL) { 1617 return_error = BR_FAILED_REPLY; 1618 goto err_binder_get_ref_for_node_failed; 1619 } 1620 fp->handle = new_ref->desc; 1621 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1622 binder_debug(BINDER_DEBUG_TRANSACTION, 1623 " ref %d desc %d -> ref %d desc %d (node %d)\n", 1624 ref->debug_id, ref->desc, new_ref->debug_id, 1625 new_ref->desc, ref->node->debug_id); 1626 } 1627 } break; 1628 1629 case BINDER_TYPE_FD: { 1630 int target_fd; 1631 struct file *file; 1632 1633 if (reply) { 1634 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1635 binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1636 proc->pid, thread->pid, fp->handle); 1637 return_error = BR_FAILED_REPLY; 1638 goto err_fd_not_allowed; 1639 } 1640 } else if (!target_node->accept_fds) { 1641 binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1642 proc->pid, thread->pid, fp->handle); 1643 return_error = BR_FAILED_REPLY; 1644 goto err_fd_not_allowed; 1645 } 1646 1647 file = fget(fp->handle); 1648 if (file == NULL) { 1649 binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1650 proc->pid, thread->pid, fp->handle); 1651 return_error = BR_FAILED_REPLY; 1652 goto err_fget_failed; 1653 } 1654 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 1655 if (target_fd < 0) { 1656 fput(file); 1657 return_error = BR_FAILED_REPLY; 1658 goto err_get_unused_fd_failed; 1659 } 1660 task_fd_install(target_proc, target_fd, file); 1661 binder_debug(BINDER_DEBUG_TRANSACTION, 1662 " fd %ld -> %d\n", fp->handle, target_fd); 1663 /* TODO: fput? */ 1664 fp->handle = target_fd; 1665 } break; 1666 1667 default: 1668 binder_user_error("binder: %d:%d got transactio" 1669 "n with invalid object type, %lx\n", 1670 proc->pid, thread->pid, fp->type); 1671 return_error = BR_FAILED_REPLY; 1672 goto err_bad_object_type; 1673 } 1674 } 1675 if (reply) { 1676 BUG_ON(t->buffer->async_transaction != 0); 1677 binder_pop_transaction(target_thread, in_reply_to); 1678 } else if (!(t->flags & TF_ONE_WAY)) { 1679 BUG_ON(t->buffer->async_transaction != 0); 1680 t->need_reply = 1; 1681 t->from_parent = thread->transaction_stack; 1682 thread->transaction_stack = t; 1683 } else { 1684 BUG_ON(target_node == NULL); 1685 BUG_ON(t->buffer->async_transaction != 1); 1686 if (target_node->has_async_transaction) { 1687 target_list = &target_node->async_todo; 1688 target_wait = NULL; 1689 } else 1690 target_node->has_async_transaction = 1; 1691 } 1692 t->work.type = BINDER_WORK_TRANSACTION; 1693 list_add_tail(&t->work.entry, target_list); 1694 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1695 list_add_tail(&tcomplete->entry, &thread->todo); 1696 if (target_wait) 1697 wake_up_interruptible(target_wait); 1698 return; 1699 1700err_get_unused_fd_failed: 1701err_fget_failed: 1702err_fd_not_allowed: 1703err_binder_get_ref_for_node_failed: 1704err_binder_get_ref_failed: 1705err_binder_new_node_failed: 1706err_bad_object_type: 1707err_bad_offset: 1708err_copy_data_failed: 1709 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1710 t->buffer->transaction = NULL; 1711 binder_free_buf(target_proc, t->buffer); 1712err_binder_alloc_buf_failed: 1713 kfree(tcomplete); 1714 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 1715err_alloc_tcomplete_failed: 1716 kfree(t); 1717 binder_stats_deleted(BINDER_STAT_TRANSACTION); 1718err_alloc_t_failed: 1719err_bad_call_stack: 1720err_empty_call_stack: 1721err_dead_binder: 1722err_invalid_target_handle: 1723err_no_context_mgr_node: 1724 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1725 "binder: %d:%d transaction failed %d, size %zd-%zd\n", 1726 proc->pid, thread->pid, return_error, 1727 tr->data_size, tr->offsets_size); 1728 1729 { 1730 struct binder_transaction_log_entry *fe; 1731 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1732 *fe = *e; 1733 } 1734 1735 BUG_ON(thread->return_error != BR_OK); 1736 if (in_reply_to) { 1737 thread->return_error = BR_TRANSACTION_COMPLETE; 1738 binder_send_failed_reply(in_reply_to, return_error); 1739 } else 1740 thread->return_error = return_error; 1741} 1742 1743int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1744 void __user *buffer, int size, signed long *consumed) 1745{ 1746 uint32_t cmd; 1747 void __user *ptr = buffer + *consumed; 1748 void __user *end = buffer + size; 1749 1750 while (ptr < end && thread->return_error == BR_OK) { 1751 if (get_user(cmd, (uint32_t __user *)ptr)) 1752 return -EFAULT; 1753 ptr += sizeof(uint32_t); 1754 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1755 binder_stats.bc[_IOC_NR(cmd)]++; 1756 proc->stats.bc[_IOC_NR(cmd)]++; 1757 thread->stats.bc[_IOC_NR(cmd)]++; 1758 } 1759 switch (cmd) { 1760 case BC_INCREFS: 1761 case BC_ACQUIRE: 1762 case BC_RELEASE: 1763 case BC_DECREFS: { 1764 uint32_t target; 1765 struct binder_ref *ref; 1766 const char *debug_string; 1767 1768 if (get_user(target, (uint32_t __user *)ptr)) 1769 return -EFAULT; 1770 ptr += sizeof(uint32_t); 1771 if (target == 0 && binder_context_mgr_node && 1772 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1773 ref = binder_get_ref_for_node(proc, 1774 binder_context_mgr_node); 1775 if (ref->desc != target) { 1776 binder_user_error("binder: %d:" 1777 "%d tried to acquire " 1778 "reference to desc 0, " 1779 "got %d instead\n", 1780 proc->pid, thread->pid, 1781 ref->desc); 1782 } 1783 } else 1784 ref = binder_get_ref(proc, target); 1785 if (ref == NULL) { 1786 binder_user_error("binder: %d:%d refcou" 1787 "nt change on invalid ref %d\n", 1788 proc->pid, thread->pid, target); 1789 break; 1790 } 1791 switch (cmd) { 1792 case BC_INCREFS: 1793 debug_string = "IncRefs"; 1794 binder_inc_ref(ref, 0, NULL); 1795 break; 1796 case BC_ACQUIRE: 1797 debug_string = "Acquire"; 1798 binder_inc_ref(ref, 1, NULL); 1799 break; 1800 case BC_RELEASE: 1801 debug_string = "Release"; 1802 binder_dec_ref(ref, 1); 1803 break; 1804 case BC_DECREFS: 1805 default: 1806 debug_string = "DecRefs"; 1807 binder_dec_ref(ref, 0); 1808 break; 1809 } 1810 binder_debug(BINDER_DEBUG_USER_REFS, 1811 "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1812 proc->pid, thread->pid, debug_string, ref->debug_id, 1813 ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1814 break; 1815 } 1816 case BC_INCREFS_DONE: 1817 case BC_ACQUIRE_DONE: { 1818 void __user *node_ptr; 1819 void *cookie; 1820 struct binder_node *node; 1821 1822 if (get_user(node_ptr, (void * __user *)ptr)) 1823 return -EFAULT; 1824 ptr += sizeof(void *); 1825 if (get_user(cookie, (void * __user *)ptr)) 1826 return -EFAULT; 1827 ptr += sizeof(void *); 1828 node = binder_get_node(proc, node_ptr); 1829 if (node == NULL) { 1830 binder_user_error("binder: %d:%d " 1831 "%s u%p no match\n", 1832 proc->pid, thread->pid, 1833 cmd == BC_INCREFS_DONE ? 1834 "BC_INCREFS_DONE" : 1835 "BC_ACQUIRE_DONE", 1836 node_ptr); 1837 break; 1838 } 1839 if (cookie != node->cookie) { 1840 binder_user_error("binder: %d:%d %s u%p node %d" 1841 " cookie mismatch %p != %p\n", 1842 proc->pid, thread->pid, 1843 cmd == BC_INCREFS_DONE ? 1844 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1845 node_ptr, node->debug_id, 1846 cookie, node->cookie); 1847 break; 1848 } 1849 if (cmd == BC_ACQUIRE_DONE) { 1850 if (node->pending_strong_ref == 0) { 1851 binder_user_error("binder: %d:%d " 1852 "BC_ACQUIRE_DONE node %d has " 1853 "no pending acquire request\n", 1854 proc->pid, thread->pid, 1855 node->debug_id); 1856 break; 1857 } 1858 node->pending_strong_ref = 0; 1859 } else { 1860 if (node->pending_weak_ref == 0) { 1861 binder_user_error("binder: %d:%d " 1862 "BC_INCREFS_DONE node %d has " 1863 "no pending increfs request\n", 1864 proc->pid, thread->pid, 1865 node->debug_id); 1866 break; 1867 } 1868 node->pending_weak_ref = 0; 1869 } 1870 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1871 binder_debug(BINDER_DEBUG_USER_REFS, 1872 "binder: %d:%d %s node %d ls %d lw %d\n", 1873 proc->pid, thread->pid, 1874 cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1875 node->debug_id, node->local_strong_refs, node->local_weak_refs); 1876 break; 1877 } 1878 case BC_ATTEMPT_ACQUIRE: 1879 pr_err("binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1880 return -EINVAL; 1881 case BC_ACQUIRE_RESULT: 1882 pr_err("binder: BC_ACQUIRE_RESULT not supported\n"); 1883 return -EINVAL; 1884 1885 case BC_FREE_BUFFER: { 1886 void __user *data_ptr; 1887 struct binder_buffer *buffer; 1888 1889 if (get_user(data_ptr, (void * __user *)ptr)) 1890 return -EFAULT; 1891 ptr += sizeof(void *); 1892 1893 buffer = binder_buffer_lookup(proc, data_ptr); 1894 if (buffer == NULL) { 1895 binder_user_error("binder: %d:%d " 1896 "BC_FREE_BUFFER u%p no match\n", 1897 proc->pid, thread->pid, data_ptr); 1898 break; 1899 } 1900 if (!buffer->allow_user_free) { 1901 binder_user_error("binder: %d:%d " 1902 "BC_FREE_BUFFER u%p matched " 1903 "unreturned buffer\n", 1904 proc->pid, thread->pid, data_ptr); 1905 break; 1906 } 1907 binder_debug(BINDER_DEBUG_FREE_BUFFER, 1908 "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1909 proc->pid, thread->pid, data_ptr, buffer->debug_id, 1910 buffer->transaction ? "active" : "finished"); 1911 1912 if (buffer->transaction) { 1913 buffer->transaction->buffer = NULL; 1914 buffer->transaction = NULL; 1915 } 1916 if (buffer->async_transaction && buffer->target_node) { 1917 BUG_ON(!buffer->target_node->has_async_transaction); 1918 if (list_empty(&buffer->target_node->async_todo)) 1919 buffer->target_node->has_async_transaction = 0; 1920 else 1921 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1922 } 1923 binder_transaction_buffer_release(proc, buffer, NULL); 1924 binder_free_buf(proc, buffer); 1925 break; 1926 } 1927 1928 case BC_TRANSACTION: 1929 case BC_REPLY: { 1930 struct binder_transaction_data tr; 1931 1932 if (copy_from_user(&tr, ptr, sizeof(tr))) 1933 return -EFAULT; 1934 ptr += sizeof(tr); 1935 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1936 break; 1937 } 1938 1939 case BC_REGISTER_LOOPER: 1940 binder_debug(BINDER_DEBUG_THREADS, 1941 "binder: %d:%d BC_REGISTER_LOOPER\n", 1942 proc->pid, thread->pid); 1943 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1944 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1945 binder_user_error("binder: %d:%d ERROR:" 1946 " BC_REGISTER_LOOPER called " 1947 "after BC_ENTER_LOOPER\n", 1948 proc->pid, thread->pid); 1949 } else if (proc->requested_threads == 0) { 1950 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1951 binder_user_error("binder: %d:%d ERROR:" 1952 " BC_REGISTER_LOOPER called " 1953 "without request\n", 1954 proc->pid, thread->pid); 1955 } else { 1956 proc->requested_threads--; 1957 proc->requested_threads_started++; 1958 } 1959 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 1960 break; 1961 case BC_ENTER_LOOPER: 1962 binder_debug(BINDER_DEBUG_THREADS, 1963 "binder: %d:%d BC_ENTER_LOOPER\n", 1964 proc->pid, thread->pid); 1965 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 1966 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1967 binder_user_error("binder: %d:%d ERROR:" 1968 " BC_ENTER_LOOPER called after " 1969 "BC_REGISTER_LOOPER\n", 1970 proc->pid, thread->pid); 1971 } 1972 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 1973 break; 1974 case BC_EXIT_LOOPER: 1975 binder_debug(BINDER_DEBUG_THREADS, 1976 "binder: %d:%d BC_EXIT_LOOPER\n", 1977 proc->pid, thread->pid); 1978 thread->looper |= BINDER_LOOPER_STATE_EXITED; 1979 break; 1980 1981 case BC_REQUEST_DEATH_NOTIFICATION: 1982 case BC_CLEAR_DEATH_NOTIFICATION: { 1983 uint32_t target; 1984 void __user *cookie; 1985 struct binder_ref *ref; 1986 struct binder_ref_death *death; 1987 1988 if (get_user(target, (uint32_t __user *)ptr)) 1989 return -EFAULT; 1990 ptr += sizeof(uint32_t); 1991 if (get_user(cookie, (void __user * __user *)ptr)) 1992 return -EFAULT; 1993 ptr += sizeof(void *); 1994 ref = binder_get_ref(proc, target); 1995 if (ref == NULL) { 1996 binder_user_error("binder: %d:%d %s " 1997 "invalid ref %d\n", 1998 proc->pid, thread->pid, 1999 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2000 "BC_REQUEST_DEATH_NOTIFICATION" : 2001 "BC_CLEAR_DEATH_NOTIFICATION", 2002 target); 2003 break; 2004 } 2005 2006 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2007 "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 2008 proc->pid, thread->pid, 2009 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2010 "BC_REQUEST_DEATH_NOTIFICATION" : 2011 "BC_CLEAR_DEATH_NOTIFICATION", 2012 cookie, ref->debug_id, ref->desc, 2013 ref->strong, ref->weak, ref->node->debug_id); 2014 2015 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 2016 if (ref->death) { 2017 binder_user_error("binder: %d:%" 2018 "d BC_REQUEST_DEATH_NOTI" 2019 "FICATION death notific" 2020 "ation already set\n", 2021 proc->pid, thread->pid); 2022 break; 2023 } 2024 death = kzalloc(sizeof(*death), GFP_KERNEL); 2025 if (death == NULL) { 2026 thread->return_error = BR_ERROR; 2027 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 2028 "binder: %d:%d " 2029 "BC_REQUEST_DEATH_NOTIFICATION failed\n", 2030 proc->pid, thread->pid); 2031 break; 2032 } 2033 binder_stats_created(BINDER_STAT_DEATH); 2034 INIT_LIST_HEAD(&death->work.entry); 2035 death->cookie = cookie; 2036 ref->death = death; 2037 if (ref->node->proc == NULL) { 2038 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2039 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2040 list_add_tail(&ref->death->work.entry, &thread->todo); 2041 } else { 2042 list_add_tail(&ref->death->work.entry, &proc->todo); 2043 wake_up_interruptible(&proc->wait); 2044 } 2045 } 2046 } else { 2047 if (ref->death == NULL) { 2048 binder_user_error("binder: %d:%" 2049 "d BC_CLEAR_DEATH_NOTIFI" 2050 "CATION death notificat" 2051 "ion not active\n", 2052 proc->pid, thread->pid); 2053 break; 2054 } 2055 death = ref->death; 2056 if (death->cookie != cookie) { 2057 binder_user_error("binder: %d:%" 2058 "d BC_CLEAR_DEATH_NOTIFI" 2059 "CATION death notificat" 2060 "ion cookie mismatch " 2061 "%p != %p\n", 2062 proc->pid, thread->pid, 2063 death->cookie, cookie); 2064 break; 2065 } 2066 ref->death = NULL; 2067 if (list_empty(&death->work.entry)) { 2068 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2069 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2070 list_add_tail(&death->work.entry, &thread->todo); 2071 } else { 2072 list_add_tail(&death->work.entry, &proc->todo); 2073 wake_up_interruptible(&proc->wait); 2074 } 2075 } else { 2076 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2077 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2078 } 2079 } 2080 } break; 2081 case BC_DEAD_BINDER_DONE: { 2082 struct binder_work *w; 2083 void __user *cookie; 2084 struct binder_ref_death *death = NULL; 2085 if (get_user(cookie, (void __user * __user *)ptr)) 2086 return -EFAULT; 2087 2088 ptr += sizeof(void *); 2089 list_for_each_entry(w, &proc->delivered_death, entry) { 2090 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2091 if (tmp_death->cookie == cookie) { 2092 death = tmp_death; 2093 break; 2094 } 2095 } 2096 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2097 "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2098 proc->pid, thread->pid, cookie, death); 2099 if (death == NULL) { 2100 binder_user_error("binder: %d:%d BC_DEAD" 2101 "_BINDER_DONE %p not found\n", 2102 proc->pid, thread->pid, cookie); 2103 break; 2104 } 2105 2106 list_del_init(&death->work.entry); 2107 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2108 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2109 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2110 list_add_tail(&death->work.entry, &thread->todo); 2111 } else { 2112 list_add_tail(&death->work.entry, &proc->todo); 2113 wake_up_interruptible(&proc->wait); 2114 } 2115 } 2116 } break; 2117 2118 default: 2119 pr_err("binder: %d:%d unknown command %d\n", 2120 proc->pid, thread->pid, cmd); 2121 return -EINVAL; 2122 } 2123 *consumed = ptr - buffer; 2124 } 2125 return 0; 2126} 2127 2128void binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, 2129 uint32_t cmd) 2130{ 2131 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2132 binder_stats.br[_IOC_NR(cmd)]++; 2133 proc->stats.br[_IOC_NR(cmd)]++; 2134 thread->stats.br[_IOC_NR(cmd)]++; 2135 } 2136} 2137 2138static int binder_has_proc_work(struct binder_proc *proc, 2139 struct binder_thread *thread) 2140{ 2141 return !list_empty(&proc->todo) || 2142 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2143} 2144 2145static int binder_has_thread_work(struct binder_thread *thread) 2146{ 2147 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2148 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2149} 2150 2151static int binder_thread_read(struct binder_proc *proc, 2152 struct binder_thread *thread, 2153 void __user *buffer, int size, 2154 signed long *consumed, int non_block) 2155{ 2156 void __user *ptr = buffer + *consumed; 2157 void __user *end = buffer + size; 2158 2159 int ret = 0; 2160 int wait_for_proc_work; 2161 2162 if (*consumed == 0) { 2163 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2164 return -EFAULT; 2165 ptr += sizeof(uint32_t); 2166 } 2167 2168retry: 2169 wait_for_proc_work = thread->transaction_stack == NULL && 2170 list_empty(&thread->todo); 2171 2172 if (thread->return_error != BR_OK && ptr < end) { 2173 if (thread->return_error2 != BR_OK) { 2174 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2175 return -EFAULT; 2176 ptr += sizeof(uint32_t); 2177 if (ptr == end) 2178 goto done; 2179 thread->return_error2 = BR_OK; 2180 } 2181 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2182 return -EFAULT; 2183 ptr += sizeof(uint32_t); 2184 thread->return_error = BR_OK; 2185 goto done; 2186 } 2187 2188 2189 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2190 if (wait_for_proc_work) 2191 proc->ready_threads++; 2192 mutex_unlock(&binder_lock); 2193 if (wait_for_proc_work) { 2194 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2195 BINDER_LOOPER_STATE_ENTERED))) { 2196 binder_user_error("binder: %d:%d ERROR: Thread waiting " 2197 "for process work before calling BC_REGISTER_" 2198 "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2199 proc->pid, thread->pid, thread->looper); 2200 wait_event_interruptible(binder_user_error_wait, 2201 binder_stop_on_user_error < 2); 2202 } 2203 binder_set_nice(proc->default_priority); 2204 if (non_block) { 2205 if (!binder_has_proc_work(proc, thread)) 2206 ret = -EAGAIN; 2207 } else 2208 ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2209 } else { 2210 if (non_block) { 2211 if (!binder_has_thread_work(thread)) 2212 ret = -EAGAIN; 2213 } else 2214 ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2215 } 2216 mutex_lock(&binder_lock); 2217 if (wait_for_proc_work) 2218 proc->ready_threads--; 2219 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2220 2221 if (ret) 2222 return ret; 2223 2224 while (1) { 2225 uint32_t cmd; 2226 struct binder_transaction_data tr; 2227 struct binder_work *w; 2228 struct binder_transaction *t = NULL; 2229 2230 if (!list_empty(&thread->todo)) 2231 w = list_first_entry(&thread->todo, struct binder_work, entry); 2232 else if (!list_empty(&proc->todo) && wait_for_proc_work) 2233 w = list_first_entry(&proc->todo, struct binder_work, entry); 2234 else { 2235 if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2236 goto retry; 2237 break; 2238 } 2239 2240 if (end - ptr < sizeof(tr) + 4) 2241 break; 2242 2243 switch (w->type) { 2244 case BINDER_WORK_TRANSACTION: { 2245 t = container_of(w, struct binder_transaction, work); 2246 } break; 2247 case BINDER_WORK_TRANSACTION_COMPLETE: { 2248 cmd = BR_TRANSACTION_COMPLETE; 2249 if (put_user(cmd, (uint32_t __user *)ptr)) 2250 return -EFAULT; 2251 ptr += sizeof(uint32_t); 2252 2253 binder_stat_br(proc, thread, cmd); 2254 binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, 2255 "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2256 proc->pid, thread->pid); 2257 2258 list_del(&w->entry); 2259 kfree(w); 2260 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2261 } break; 2262 case BINDER_WORK_NODE: { 2263 struct binder_node *node = container_of(w, struct binder_node, work); 2264 uint32_t cmd = BR_NOOP; 2265 const char *cmd_name; 2266 int strong = node->internal_strong_refs || node->local_strong_refs; 2267 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2268 if (weak && !node->has_weak_ref) { 2269 cmd = BR_INCREFS; 2270 cmd_name = "BR_INCREFS"; 2271 node->has_weak_ref = 1; 2272 node->pending_weak_ref = 1; 2273 node->local_weak_refs++; 2274 } else if (strong && !node->has_strong_ref) { 2275 cmd = BR_ACQUIRE; 2276 cmd_name = "BR_ACQUIRE"; 2277 node->has_strong_ref = 1; 2278 node->pending_strong_ref = 1; 2279 node->local_strong_refs++; 2280 } else if (!strong && node->has_strong_ref) { 2281 cmd = BR_RELEASE; 2282 cmd_name = "BR_RELEASE"; 2283 node->has_strong_ref = 0; 2284 } else if (!weak && node->has_weak_ref) { 2285 cmd = BR_DECREFS; 2286 cmd_name = "BR_DECREFS"; 2287 node->has_weak_ref = 0; 2288 } 2289 if (cmd != BR_NOOP) { 2290 if (put_user(cmd, (uint32_t __user *)ptr)) 2291 return -EFAULT; 2292 ptr += sizeof(uint32_t); 2293 if (put_user(node->ptr, (void * __user *)ptr)) 2294 return -EFAULT; 2295 ptr += sizeof(void *); 2296 if (put_user(node->cookie, (void * __user *)ptr)) 2297 return -EFAULT; 2298 ptr += sizeof(void *); 2299 2300 binder_stat_br(proc, thread, cmd); 2301 binder_debug(BINDER_DEBUG_USER_REFS, 2302 "binder: %d:%d %s %d u%p c%p\n", 2303 proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2304 } else { 2305 list_del_init(&w->entry); 2306 if (!weak && !strong) { 2307 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2308 "binder: %d:%d node %d u%p c%p deleted\n", 2309 proc->pid, thread->pid, node->debug_id, 2310 node->ptr, node->cookie); 2311 rb_erase(&node->rb_node, &proc->nodes); 2312 kfree(node); 2313 binder_stats_deleted(BINDER_STAT_NODE); 2314 } else { 2315 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2316 "binder: %d:%d node %d u%p c%p state unchanged\n", 2317 proc->pid, thread->pid, node->debug_id, node->ptr, 2318 node->cookie); 2319 } 2320 } 2321 } break; 2322 case BINDER_WORK_DEAD_BINDER: 2323 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2324 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2325 struct binder_ref_death *death; 2326 uint32_t cmd; 2327 2328 death = container_of(w, struct binder_ref_death, work); 2329 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2330 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2331 else 2332 cmd = BR_DEAD_BINDER; 2333 if (put_user(cmd, (uint32_t __user *)ptr)) 2334 return -EFAULT; 2335 ptr += sizeof(uint32_t); 2336 if (put_user(death->cookie, (void * __user *)ptr)) 2337 return -EFAULT; 2338 ptr += sizeof(void *); 2339 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2340 "binder: %d:%d %s %p\n", 2341 proc->pid, thread->pid, 2342 cmd == BR_DEAD_BINDER ? 2343 "BR_DEAD_BINDER" : 2344 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2345 death->cookie); 2346 2347 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2348 list_del(&w->entry); 2349 kfree(death); 2350 binder_stats_deleted(BINDER_STAT_DEATH); 2351 } else 2352 list_move(&w->entry, &proc->delivered_death); 2353 if (cmd == BR_DEAD_BINDER) 2354 goto done; /* DEAD_BINDER notifications can cause transactions */ 2355 } break; 2356 } 2357 2358 if (!t) 2359 continue; 2360 2361 BUG_ON(t->buffer == NULL); 2362 if (t->buffer->target_node) { 2363 struct binder_node *target_node = t->buffer->target_node; 2364 tr.target.ptr = target_node->ptr; 2365 tr.cookie = target_node->cookie; 2366 t->saved_priority = task_nice(current); 2367 if (t->priority < target_node->min_priority && 2368 !(t->flags & TF_ONE_WAY)) 2369 binder_set_nice(t->priority); 2370 else if (!(t->flags & TF_ONE_WAY) || 2371 t->saved_priority > target_node->min_priority) 2372 binder_set_nice(target_node->min_priority); 2373 cmd = BR_TRANSACTION; 2374 } else { 2375 tr.target.ptr = NULL; 2376 tr.cookie = NULL; 2377 cmd = BR_REPLY; 2378 } 2379 tr.code = t->code; 2380 tr.flags = t->flags; 2381 tr.sender_euid = t->sender_euid; 2382 2383 if (t->from) { 2384 struct task_struct *sender = t->from->proc->tsk; 2385 tr.sender_pid = task_tgid_nr_ns(sender, 2386 current->nsproxy->pid_ns); 2387 } else { 2388 tr.sender_pid = 0; 2389 } 2390 2391 tr.data_size = t->buffer->data_size; 2392 tr.offsets_size = t->buffer->offsets_size; 2393 tr.data.ptr.buffer = (void *)t->buffer->data + 2394 proc->user_buffer_offset; 2395 tr.data.ptr.offsets = tr.data.ptr.buffer + 2396 ALIGN(t->buffer->data_size, 2397 sizeof(void *)); 2398 2399 if (put_user(cmd, (uint32_t __user *)ptr)) 2400 return -EFAULT; 2401 ptr += sizeof(uint32_t); 2402 if (copy_to_user(ptr, &tr, sizeof(tr))) 2403 return -EFAULT; 2404 ptr += sizeof(tr); 2405 2406 binder_stat_br(proc, thread, cmd); 2407 binder_debug(BINDER_DEBUG_TRANSACTION, 2408 "binder: %d:%d %s %d %d:%d, cmd %d" 2409 "size %zd-%zd ptr %p-%p\n", 2410 proc->pid, thread->pid, 2411 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : 2412 "BR_REPLY", 2413 t->debug_id, t->from ? t->from->proc->pid : 0, 2414 t->from ? t->from->pid : 0, cmd, 2415 t->buffer->data_size, t->buffer->offsets_size, 2416 tr.data.ptr.buffer, tr.data.ptr.offsets); 2417 2418 list_del(&t->work.entry); 2419 t->buffer->allow_user_free = 1; 2420 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2421 t->to_parent = thread->transaction_stack; 2422 t->to_thread = thread; 2423 thread->transaction_stack = t; 2424 } else { 2425 t->buffer->transaction = NULL; 2426 kfree(t); 2427 binder_stats_deleted(BINDER_STAT_TRANSACTION); 2428 } 2429 break; 2430 } 2431 2432done: 2433 2434 *consumed = ptr - buffer; 2435 if (proc->requested_threads + proc->ready_threads == 0 && 2436 proc->requested_threads_started < proc->max_threads && 2437 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2438 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2439 /*spawn a new thread if we leave this out */) { 2440 proc->requested_threads++; 2441 binder_debug(BINDER_DEBUG_THREADS, 2442 "binder: %d:%d BR_SPAWN_LOOPER\n", 2443 proc->pid, thread->pid); 2444 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2445 return -EFAULT; 2446 } 2447 return 0; 2448} 2449 2450static void binder_release_work(struct list_head *list) 2451{ 2452 struct binder_work *w; 2453 while (!list_empty(list)) { 2454 w = list_first_entry(list, struct binder_work, entry); 2455 list_del_init(&w->entry); 2456 switch (w->type) { 2457 case BINDER_WORK_TRANSACTION: { 2458 struct binder_transaction *t; 2459 2460 t = container_of(w, struct binder_transaction, work); 2461 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2462 binder_send_failed_reply(t, BR_DEAD_REPLY); 2463 } break; 2464 case BINDER_WORK_TRANSACTION_COMPLETE: { 2465 kfree(w); 2466 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2467 } break; 2468 default: 2469 break; 2470 } 2471 } 2472 2473} 2474 2475static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2476{ 2477 struct binder_thread *thread = NULL; 2478 struct rb_node *parent = NULL; 2479 struct rb_node **p = &proc->threads.rb_node; 2480 2481 while (*p) { 2482 parent = *p; 2483 thread = rb_entry(parent, struct binder_thread, rb_node); 2484 2485 if (current->pid < thread->pid) 2486 p = &(*p)->rb_left; 2487 else if (current->pid > thread->pid) 2488 p = &(*p)->rb_right; 2489 else 2490 break; 2491 } 2492 if (*p == NULL) { 2493 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2494 if (thread == NULL) 2495 return NULL; 2496 binder_stats_created(BINDER_STAT_THREAD); 2497 thread->proc = proc; 2498 thread->pid = current->pid; 2499 init_waitqueue_head(&thread->wait); 2500 INIT_LIST_HEAD(&thread->todo); 2501 rb_link_node(&thread->rb_node, parent, p); 2502 rb_insert_color(&thread->rb_node, &proc->threads); 2503 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2504 thread->return_error = BR_OK; 2505 thread->return_error2 = BR_OK; 2506 } 2507 return thread; 2508} 2509 2510static int binder_free_thread(struct binder_proc *proc, 2511 struct binder_thread *thread) 2512{ 2513 struct binder_transaction *t; 2514 struct binder_transaction *send_reply = NULL; 2515 int active_transactions = 0; 2516 2517 rb_erase(&thread->rb_node, &proc->threads); 2518 t = thread->transaction_stack; 2519 if (t && t->to_thread == thread) 2520 send_reply = t; 2521 while (t) { 2522 active_transactions++; 2523 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2524 "binder: release %d:%d transaction %d " 2525 "%s, still active\n", proc->pid, thread->pid, 2526 t->debug_id, 2527 (t->to_thread == thread) ? "in" : "out"); 2528 2529 if (t->to_thread == thread) { 2530 t->to_proc = NULL; 2531 t->to_thread = NULL; 2532 if (t->buffer) { 2533 t->buffer->transaction = NULL; 2534 t->buffer = NULL; 2535 } 2536 t = t->to_parent; 2537 } else if (t->from == thread) { 2538 t->from = NULL; 2539 t = t->from_parent; 2540 } else 2541 BUG(); 2542 } 2543 if (send_reply) 2544 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2545 binder_release_work(&thread->todo); 2546 kfree(thread); 2547 binder_stats_deleted(BINDER_STAT_THREAD); 2548 return active_transactions; 2549} 2550 2551static unsigned int binder_poll(struct file *filp, 2552 struct poll_table_struct *wait) 2553{ 2554 struct binder_proc *proc = filp->private_data; 2555 struct binder_thread *thread = NULL; 2556 int wait_for_proc_work; 2557 2558 mutex_lock(&binder_lock); 2559 thread = binder_get_thread(proc); 2560 2561 wait_for_proc_work = thread->transaction_stack == NULL && 2562 list_empty(&thread->todo) && thread->return_error == BR_OK; 2563 mutex_unlock(&binder_lock); 2564 2565 if (wait_for_proc_work) { 2566 if (binder_has_proc_work(proc, thread)) 2567 return POLLIN; 2568 poll_wait(filp, &proc->wait, wait); 2569 if (binder_has_proc_work(proc, thread)) 2570 return POLLIN; 2571 } else { 2572 if (binder_has_thread_work(thread)) 2573 return POLLIN; 2574 poll_wait(filp, &thread->wait, wait); 2575 if (binder_has_thread_work(thread)) 2576 return POLLIN; 2577 } 2578 return 0; 2579} 2580 2581static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2582{ 2583 int ret; 2584 struct binder_proc *proc = filp->private_data; 2585 struct binder_thread *thread; 2586 unsigned int size = _IOC_SIZE(cmd); 2587 void __user *ubuf = (void __user *)arg; 2588 2589 /*pr_info("binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2590 2591 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2592 if (ret) 2593 return ret; 2594 2595 mutex_lock(&binder_lock); 2596 thread = binder_get_thread(proc); 2597 if (thread == NULL) { 2598 ret = -ENOMEM; 2599 goto err; 2600 } 2601 2602 switch (cmd) { 2603 case BINDER_WRITE_READ: { 2604 struct binder_write_read bwr; 2605 if (size != sizeof(struct binder_write_read)) { 2606 ret = -EINVAL; 2607 goto err; 2608 } 2609 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2610 ret = -EFAULT; 2611 goto err; 2612 } 2613 binder_debug(BINDER_DEBUG_READ_WRITE, 2614 "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2615 proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, 2616 bwr.read_size, bwr.read_buffer); 2617 2618 if (bwr.write_size > 0) { 2619 ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2620 if (ret < 0) { 2621 bwr.read_consumed = 0; 2622 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2623 ret = -EFAULT; 2624 goto err; 2625 } 2626 } 2627 if (bwr.read_size > 0) { 2628 ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2629 if (!list_empty(&proc->todo)) 2630 wake_up_interruptible(&proc->wait); 2631 if (ret < 0) { 2632 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2633 ret = -EFAULT; 2634 goto err; 2635 } 2636 } 2637 binder_debug(BINDER_DEBUG_READ_WRITE, 2638 "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2639 proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, 2640 bwr.read_consumed, bwr.read_size); 2641 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2642 ret = -EFAULT; 2643 goto err; 2644 } 2645 break; 2646 } 2647 case BINDER_SET_MAX_THREADS: 2648 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2649 ret = -EINVAL; 2650 goto err; 2651 } 2652 break; 2653 case BINDER_SET_CONTEXT_MGR: 2654 if (binder_context_mgr_node != NULL) { 2655 pr_err("binder: BINDER_SET_CONTEXT_MGR already set\n"); 2656 ret = -EBUSY; 2657 goto err; 2658 } 2659 if (binder_context_mgr_uid != -1) { 2660 if (binder_context_mgr_uid != current->cred->euid) { 2661 pr_err("binder: BINDER_SET_" 2662 "CONTEXT_MGR bad uid %d != %d\n", 2663 current->cred->euid, 2664 binder_context_mgr_uid); 2665 ret = -EPERM; 2666 goto err; 2667 } 2668 } else 2669 binder_context_mgr_uid = current->cred->euid; 2670 binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2671 if (binder_context_mgr_node == NULL) { 2672 ret = -ENOMEM; 2673 goto err; 2674 } 2675 binder_context_mgr_node->local_weak_refs++; 2676 binder_context_mgr_node->local_strong_refs++; 2677 binder_context_mgr_node->has_strong_ref = 1; 2678 binder_context_mgr_node->has_weak_ref = 1; 2679 break; 2680 case BINDER_THREAD_EXIT: 2681 binder_debug(BINDER_DEBUG_THREADS, "binder: %d:%d exit\n", 2682 proc->pid, thread->pid); 2683 binder_free_thread(proc, thread); 2684 thread = NULL; 2685 break; 2686 case BINDER_VERSION: 2687 if (size != sizeof(struct binder_version)) { 2688 ret = -EINVAL; 2689 goto err; 2690 } 2691 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2692 ret = -EINVAL; 2693 goto err; 2694 } 2695 break; 2696 default: 2697 ret = -EINVAL; 2698 goto err; 2699 } 2700 ret = 0; 2701err: 2702 if (thread) 2703 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2704 mutex_unlock(&binder_lock); 2705 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2706 if (ret && ret != -ERESTARTSYS) 2707 pr_info("binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2708 return ret; 2709} 2710 2711static void binder_vma_open(struct vm_area_struct *vma) 2712{ 2713 struct binder_proc *proc = vma->vm_private_data; 2714 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2715 "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2716 proc->pid, vma->vm_start, vma->vm_end, 2717 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2718 (unsigned long)pgprot_val(vma->vm_page_prot)); 2719} 2720 2721static void binder_vma_close(struct vm_area_struct *vma) 2722{ 2723 struct binder_proc *proc = vma->vm_private_data; 2724 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2725 "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2726 proc->pid, vma->vm_start, vma->vm_end, 2727 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2728 (unsigned long)pgprot_val(vma->vm_page_prot)); 2729 proc->vma = NULL; 2730 proc->vma_vm_mm = NULL; 2731 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2732} 2733 2734static struct vm_operations_struct binder_vm_ops = { 2735 .open = binder_vma_open, 2736 .close = binder_vma_close, 2737}; 2738 2739static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2740{ 2741 int ret; 2742 struct vm_struct *area; 2743 struct binder_proc *proc = filp->private_data; 2744 const char *failure_string; 2745 struct binder_buffer *buffer; 2746 2747 if (proc->tsk != current) 2748 return -EINVAL; 2749 2750 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2751 vma->vm_end = vma->vm_start + SZ_4M; 2752 2753 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2754 "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2755 proc->pid, vma->vm_start, vma->vm_end, 2756 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2757 (unsigned long)pgprot_val(vma->vm_page_prot)); 2758 2759 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2760 ret = -EPERM; 2761 failure_string = "bad vm_flags"; 2762 goto err_bad_arg; 2763 } 2764 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2765 2766 mutex_lock(&binder_mmap_lock); 2767 if (proc->buffer) { 2768 ret = -EBUSY; 2769 failure_string = "already mapped"; 2770 goto err_already_mapped; 2771 } 2772 2773 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2774 if (area == NULL) { 2775 ret = -ENOMEM; 2776 failure_string = "get_vm_area"; 2777 goto err_get_vm_area_failed; 2778 } 2779 proc->buffer = area->addr; 2780 proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; 2781 mutex_unlock(&binder_mmap_lock); 2782 2783#ifdef CONFIG_CPU_CACHE_VIPT 2784 if (cache_is_vipt_aliasing()) { 2785 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2786 pr_info("binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2787 vma->vm_start += PAGE_SIZE; 2788 } 2789 } 2790#endif 2791 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2792 if (proc->pages == NULL) { 2793 ret = -ENOMEM; 2794 failure_string = "alloc page array"; 2795 goto err_alloc_pages_failed; 2796 } 2797 proc->buffer_size = vma->vm_end - vma->vm_start; 2798 2799 vma->vm_ops = &binder_vm_ops; 2800 vma->vm_private_data = proc; 2801 2802 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2803 ret = -ENOMEM; 2804 failure_string = "alloc small buf"; 2805 goto err_alloc_small_buf_failed; 2806 } 2807 buffer = proc->buffer; 2808 INIT_LIST_HEAD(&proc->buffers); 2809 list_add(&buffer->entry, &proc->buffers); 2810 buffer->free = 1; 2811 binder_insert_free_buffer(proc, buffer); 2812 proc->free_async_space = proc->buffer_size / 2; 2813 barrier(); 2814 proc->files = get_files_struct(current); 2815 proc->vma = vma; 2816 proc->vma_vm_mm = vma->vm_mm; 2817 2818 /*pr_info("binder_mmap: %d %lx-%lx maps %p\n", 2819 proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2820 return 0; 2821 2822err_alloc_small_buf_failed: 2823 kfree(proc->pages); 2824 proc->pages = NULL; 2825err_alloc_pages_failed: 2826 mutex_lock(&binder_mmap_lock); 2827 vfree(proc->buffer); 2828 proc->buffer = NULL; 2829err_get_vm_area_failed: 2830err_already_mapped: 2831 mutex_unlock(&binder_mmap_lock); 2832err_bad_arg: 2833 pr_err("binder_mmap: %d %lx-%lx %s failed %d\n", 2834 proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2835 return ret; 2836} 2837 2838static int binder_open(struct inode *nodp, struct file *filp) 2839{ 2840 struct binder_proc *proc; 2841 2842 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n", 2843 current->group_leader->pid, current->pid); 2844 2845 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2846 if (proc == NULL) 2847 return -ENOMEM; 2848 get_task_struct(current); 2849 proc->tsk = current; 2850 INIT_LIST_HEAD(&proc->todo); 2851 init_waitqueue_head(&proc->wait); 2852 proc->default_priority = task_nice(current); 2853 mutex_lock(&binder_lock); 2854 binder_stats_created(BINDER_STAT_PROC); 2855 hlist_add_head(&proc->proc_node, &binder_procs); 2856 proc->pid = current->group_leader->pid; 2857 INIT_LIST_HEAD(&proc->delivered_death); 2858 filp->private_data = proc; 2859 mutex_unlock(&binder_lock); 2860 2861 if (binder_debugfs_dir_entry_proc) { 2862 char strbuf[11]; 2863 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2864 proc->debugfs_entry = debugfs_create_file(strbuf, S_IRUGO, 2865 binder_debugfs_dir_entry_proc, proc, &binder_proc_fops); 2866 } 2867 2868 return 0; 2869} 2870 2871static int binder_flush(struct file *filp, fl_owner_t id) 2872{ 2873 struct binder_proc *proc = filp->private_data; 2874 2875 binder_defer_work(proc, BINDER_DEFERRED_FLUSH); 2876 2877 return 0; 2878} 2879 2880static void binder_deferred_flush(struct binder_proc *proc) 2881{ 2882 struct rb_node *n; 2883 int wake_count = 0; 2884 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2885 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2886 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2887 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2888 wake_up_interruptible(&thread->wait); 2889 wake_count++; 2890 } 2891 } 2892 wake_up_interruptible_all(&proc->wait); 2893 2894 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2895 "binder_flush: %d woke %d threads\n", proc->pid, 2896 wake_count); 2897} 2898 2899static int binder_release(struct inode *nodp, struct file *filp) 2900{ 2901 struct binder_proc *proc = filp->private_data; 2902 debugfs_remove(proc->debugfs_entry); 2903 binder_defer_work(proc, BINDER_DEFERRED_RELEASE); 2904 2905 return 0; 2906} 2907 2908static void binder_deferred_release(struct binder_proc *proc) 2909{ 2910 struct hlist_node *pos; 2911 struct binder_transaction *t; 2912 struct rb_node *n; 2913 int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2914 2915 BUG_ON(proc->vma); 2916 BUG_ON(proc->files); 2917 2918 hlist_del(&proc->proc_node); 2919 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2920 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2921 "binder_release: %d context_mgr_node gone\n", 2922 proc->pid); 2923 binder_context_mgr_node = NULL; 2924 } 2925 2926 threads = 0; 2927 active_transactions = 0; 2928 while ((n = rb_first(&proc->threads))) { 2929 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2930 threads++; 2931 active_transactions += binder_free_thread(proc, thread); 2932 } 2933 nodes = 0; 2934 incoming_refs = 0; 2935 while ((n = rb_first(&proc->nodes))) { 2936 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2937 2938 nodes++; 2939 rb_erase(&node->rb_node, &proc->nodes); 2940 list_del_init(&node->work.entry); 2941 if (hlist_empty(&node->refs)) { 2942 kfree(node); 2943 binder_stats_deleted(BINDER_STAT_NODE); 2944 } else { 2945 struct binder_ref *ref; 2946 int death = 0; 2947 2948 node->proc = NULL; 2949 node->local_strong_refs = 0; 2950 node->local_weak_refs = 0; 2951 hlist_add_head(&node->dead_node, &binder_dead_nodes); 2952 2953 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 2954 incoming_refs++; 2955 if (ref->death) { 2956 death++; 2957 if (list_empty(&ref->death->work.entry)) { 2958 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2959 list_add_tail(&ref->death->work.entry, &ref->proc->todo); 2960 wake_up_interruptible(&ref->proc->wait); 2961 } else 2962 BUG(); 2963 } 2964 } 2965 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2966 "binder: node %d now dead, " 2967 "refs %d, death %d\n", node->debug_id, 2968 incoming_refs, death); 2969 } 2970 } 2971 outgoing_refs = 0; 2972 while ((n = rb_first(&proc->refs_by_desc))) { 2973 struct binder_ref *ref = rb_entry(n, struct binder_ref, 2974 rb_node_desc); 2975 outgoing_refs++; 2976 binder_delete_ref(ref); 2977 } 2978 binder_release_work(&proc->todo); 2979 buffers = 0; 2980 2981 while ((n = rb_first(&proc->allocated_buffers))) { 2982 struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, 2983 rb_node); 2984 t = buffer->transaction; 2985 if (t) { 2986 t->buffer = NULL; 2987 buffer->transaction = NULL; 2988 pr_err("binder: release proc %d, " 2989 "transaction %d, not freed\n", 2990 proc->pid, t->debug_id); 2991 /*BUG();*/ 2992 } 2993 binder_free_buf(proc, buffer); 2994 buffers++; 2995 } 2996 2997 binder_stats_deleted(BINDER_STAT_PROC); 2998 2999 page_count = 0; 3000 if (proc->pages) { 3001 int i; 3002 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 3003 if (proc->pages[i]) { 3004 void *page_addr = proc->buffer + i * PAGE_SIZE; 3005 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 3006 "binder_release: %d: " 3007 "page %d at %p not freed\n", 3008 proc->pid, i, 3009 page_addr); 3010 unmap_kernel_range((unsigned long)page_addr, 3011 PAGE_SIZE); 3012 __free_page(proc->pages[i]); 3013 page_count++; 3014 } 3015 } 3016 kfree(proc->pages); 3017 vfree(proc->buffer); 3018 } 3019 3020 put_task_struct(proc->tsk); 3021 3022 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 3023 "binder_release: %d threads %d, nodes %d (ref %d), " 3024 "refs %d, active transactions %d, buffers %d, " 3025 "pages %d\n", 3026 proc->pid, threads, nodes, incoming_refs, outgoing_refs, 3027 active_transactions, buffers, page_count); 3028 3029 kfree(proc); 3030} 3031 3032static void binder_deferred_func(struct work_struct *work) 3033{ 3034 struct binder_proc *proc; 3035 struct files_struct *files; 3036 3037 int defer; 3038 do { 3039 mutex_lock(&binder_lock); 3040 mutex_lock(&binder_deferred_lock); 3041 if (!hlist_empty(&binder_deferred_list)) { 3042 proc = hlist_entry(binder_deferred_list.first, 3043 struct binder_proc, deferred_work_node); 3044 hlist_del_init(&proc->deferred_work_node); 3045 defer = proc->deferred_work; 3046 proc->deferred_work = 0; 3047 } else { 3048 proc = NULL; 3049 defer = 0; 3050 } 3051 mutex_unlock(&binder_deferred_lock); 3052 3053 files = NULL; 3054 if (defer & BINDER_DEFERRED_PUT_FILES) { 3055 files = proc->files; 3056 if (files) 3057 proc->files = NULL; 3058 } 3059 3060 if (defer & BINDER_DEFERRED_FLUSH) 3061 binder_deferred_flush(proc); 3062 3063 if (defer & BINDER_DEFERRED_RELEASE) 3064 binder_deferred_release(proc); /* frees proc */ 3065 3066 mutex_unlock(&binder_lock); 3067 if (files) 3068 put_files_struct(files); 3069 } while (proc); 3070} 3071static DECLARE_WORK(binder_deferred_work, binder_deferred_func); 3072 3073static void 3074binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer) 3075{ 3076 mutex_lock(&binder_deferred_lock); 3077 proc->deferred_work |= defer; 3078 if (hlist_unhashed(&proc->deferred_work_node)) { 3079 hlist_add_head(&proc->deferred_work_node, 3080 &binder_deferred_list); 3081 queue_work(binder_deferred_workqueue, &binder_deferred_work); 3082 } 3083 mutex_unlock(&binder_deferred_lock); 3084} 3085 3086static void print_binder_transaction(struct seq_file *m, const char *prefix, 3087 struct binder_transaction *t) 3088{ 3089 seq_printf(m, 3090 "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", 3091 prefix, t->debug_id, t, 3092 t->from ? t->from->proc->pid : 0, 3093 t->from ? t->from->pid : 0, 3094 t->to_proc ? t->to_proc->pid : 0, 3095 t->to_thread ? t->to_thread->pid : 0, 3096 t->code, t->flags, t->priority, t->need_reply); 3097 if (t->buffer == NULL) { 3098 seq_puts(m, " buffer free\n"); 3099 return; 3100 } 3101 if (t->buffer->target_node) 3102 seq_printf(m, " node %d", 3103 t->buffer->target_node->debug_id); 3104 seq_printf(m, " size %zd:%zd data %p\n", 3105 t->buffer->data_size, t->buffer->offsets_size, 3106 t->buffer->data); 3107} 3108 3109static void print_binder_buffer(struct seq_file *m, const char *prefix, 3110 struct binder_buffer *buffer) 3111{ 3112 seq_printf(m, "%s %d: %p size %zd:%zd %s\n", 3113 prefix, buffer->debug_id, buffer->data, 3114 buffer->data_size, buffer->offsets_size, 3115 buffer->transaction ? "active" : "delivered"); 3116} 3117 3118static void print_binder_work(struct seq_file *m, const char *prefix, 3119 const char *transaction_prefix, 3120 struct binder_work *w) 3121{ 3122 struct binder_node *node; 3123 struct binder_transaction *t; 3124 3125 switch (w->type) { 3126 case BINDER_WORK_TRANSACTION: 3127 t = container_of(w, struct binder_transaction, work); 3128 print_binder_transaction(m, transaction_prefix, t); 3129 break; 3130 case BINDER_WORK_TRANSACTION_COMPLETE: 3131 seq_printf(m, "%stransaction complete\n", prefix); 3132 break; 3133 case BINDER_WORK_NODE: 3134 node = container_of(w, struct binder_node, work); 3135 seq_printf(m, "%snode work %d: u%p c%p\n", 3136 prefix, node->debug_id, node->ptr, node->cookie); 3137 break; 3138 case BINDER_WORK_DEAD_BINDER: 3139 seq_printf(m, "%shas dead binder\n", prefix); 3140 break; 3141 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 3142 seq_printf(m, "%shas cleared dead binder\n", prefix); 3143 break; 3144 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 3145 seq_printf(m, "%shas cleared death notification\n", prefix); 3146 break; 3147 default: 3148 seq_printf(m, "%sunknown work: type %d\n", prefix, w->type); 3149 break; 3150 } 3151} 3152 3153static void print_binder_thread(struct seq_file *m, 3154 struct binder_thread *thread, 3155 int print_always) 3156{ 3157 struct binder_transaction *t; 3158 struct binder_work *w; 3159 size_t start_pos = m->count; 3160 size_t header_pos; 3161 3162 seq_printf(m, " thread %d: l %02x\n", thread->pid, thread->looper); 3163 header_pos = m->count; 3164 t = thread->transaction_stack; 3165 while (t) { 3166 if (t->from == thread) { 3167 print_binder_transaction(m, 3168 " outgoing transaction", t); 3169 t = t->from_parent; 3170 } else if (t->to_thread == thread) { 3171 print_binder_transaction(m, 3172 " incoming transaction", t); 3173 t = t->to_parent; 3174 } else { 3175 print_binder_transaction(m, " bad transaction", t); 3176 t = NULL; 3177 } 3178 } 3179 list_for_each_entry(w, &thread->todo, entry) { 3180 print_binder_work(m, " ", " pending transaction", w); 3181 } 3182 if (!print_always && m->count == header_pos) 3183 m->count = start_pos; 3184} 3185 3186static void print_binder_node(struct seq_file *m, struct binder_node *node) 3187{ 3188 struct binder_ref *ref; 3189 struct hlist_node *pos; 3190 struct binder_work *w; 3191 int count; 3192 3193 count = 0; 3194 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3195 count++; 3196 3197 seq_printf(m, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d", 3198 node->debug_id, node->ptr, node->cookie, 3199 node->has_strong_ref, node->has_weak_ref, 3200 node->local_strong_refs, node->local_weak_refs, 3201 node->internal_strong_refs, count); 3202 if (count) { 3203 seq_puts(m, " proc"); 3204 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3205 seq_printf(m, " %d", ref->proc->pid); 3206 } 3207 seq_puts(m, "\n"); 3208 list_for_each_entry(w, &node->async_todo, entry) 3209 print_binder_work(m, " ", 3210 " pending async transaction", w); 3211} 3212 3213static void print_binder_ref(struct seq_file *m, struct binder_ref *ref) 3214{ 3215 seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %p\n", 3216 ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ", 3217 ref->node->debug_id, ref->strong, ref->weak, ref->death); 3218} 3219 3220static void print_binder_proc(struct seq_file *m, 3221 struct binder_proc *proc, int print_all) 3222{ 3223 struct binder_work *w; 3224 struct rb_node *n; 3225 size_t start_pos = m->count; 3226 size_t header_pos; 3227 3228 seq_printf(m, "proc %d\n", proc->pid); 3229 header_pos = m->count; 3230 3231 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3232 print_binder_thread(m, rb_entry(n, struct binder_thread, 3233 rb_node), print_all); 3234 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) { 3235 struct binder_node *node = rb_entry(n, struct binder_node, 3236 rb_node); 3237 if (print_all || node->has_async_transaction) 3238 print_binder_node(m, node); 3239 } 3240 if (print_all) { 3241 for (n = rb_first(&proc->refs_by_desc); 3242 n != NULL; 3243 n = rb_next(n)) 3244 print_binder_ref(m, rb_entry(n, struct binder_ref, 3245 rb_node_desc)); 3246 } 3247 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3248 print_binder_buffer(m, " buffer", 3249 rb_entry(n, struct binder_buffer, rb_node)); 3250 list_for_each_entry(w, &proc->todo, entry) 3251 print_binder_work(m, " ", " pending transaction", w); 3252 list_for_each_entry(w, &proc->delivered_death, entry) { 3253 seq_puts(m, " has delivered dead binder\n"); 3254 break; 3255 } 3256 if (!print_all && m->count == header_pos) 3257 m->count = start_pos; 3258} 3259 3260static const char *binder_return_strings[] = { 3261 "BR_ERROR", 3262 "BR_OK", 3263 "BR_TRANSACTION", 3264 "BR_REPLY", 3265 "BR_ACQUIRE_RESULT", 3266 "BR_DEAD_REPLY", 3267 "BR_TRANSACTION_COMPLETE", 3268 "BR_INCREFS", 3269 "BR_ACQUIRE", 3270 "BR_RELEASE", 3271 "BR_DECREFS", 3272 "BR_ATTEMPT_ACQUIRE", 3273 "BR_NOOP", 3274 "BR_SPAWN_LOOPER", 3275 "BR_FINISHED", 3276 "BR_DEAD_BINDER", 3277 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3278 "BR_FAILED_REPLY" 3279}; 3280 3281static const char *binder_command_strings[] = { 3282 "BC_TRANSACTION", 3283 "BC_REPLY", 3284 "BC_ACQUIRE_RESULT", 3285 "BC_FREE_BUFFER", 3286 "BC_INCREFS", 3287 "BC_ACQUIRE", 3288 "BC_RELEASE", 3289 "BC_DECREFS", 3290 "BC_INCREFS_DONE", 3291 "BC_ACQUIRE_DONE", 3292 "BC_ATTEMPT_ACQUIRE", 3293 "BC_REGISTER_LOOPER", 3294 "BC_ENTER_LOOPER", 3295 "BC_EXIT_LOOPER", 3296 "BC_REQUEST_DEATH_NOTIFICATION", 3297 "BC_CLEAR_DEATH_NOTIFICATION", 3298 "BC_DEAD_BINDER_DONE" 3299}; 3300 3301static const char *binder_objstat_strings[] = { 3302 "proc", 3303 "thread", 3304 "node", 3305 "ref", 3306 "death", 3307 "transaction", 3308 "transaction_complete" 3309}; 3310 3311static void print_binder_stats(struct seq_file *m, const char *prefix, 3312 struct binder_stats *stats) 3313{ 3314 int i; 3315 3316 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != 3317 ARRAY_SIZE(binder_command_strings)); 3318 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3319 if (stats->bc[i]) 3320 seq_printf(m, "%s%s: %d\n", prefix, 3321 binder_command_strings[i], stats->bc[i]); 3322 } 3323 3324 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != 3325 ARRAY_SIZE(binder_return_strings)); 3326 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3327 if (stats->br[i]) 3328 seq_printf(m, "%s%s: %d\n", prefix, 3329 binder_return_strings[i], stats->br[i]); 3330 } 3331 3332 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3333 ARRAY_SIZE(binder_objstat_strings)); 3334 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3335 ARRAY_SIZE(stats->obj_deleted)); 3336 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3337 if (stats->obj_created[i] || stats->obj_deleted[i]) 3338 seq_printf(m, "%s%s: active %d total %d\n", prefix, 3339 binder_objstat_strings[i], 3340 stats->obj_created[i] - stats->obj_deleted[i], 3341 stats->obj_created[i]); 3342 } 3343} 3344 3345static void print_binder_proc_stats(struct seq_file *m, 3346 struct binder_proc *proc) 3347{ 3348 struct binder_work *w; 3349 struct rb_node *n; 3350 int count, strong, weak; 3351 3352 seq_printf(m, "proc %d\n", proc->pid); 3353 count = 0; 3354 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3355 count++; 3356 seq_printf(m, " threads: %d\n", count); 3357 seq_printf(m, " requested threads: %d+%d/%d\n" 3358 " ready threads %d\n" 3359 " free async space %zd\n", proc->requested_threads, 3360 proc->requested_threads_started, proc->max_threads, 3361 proc->ready_threads, proc->free_async_space); 3362 count = 0; 3363 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3364 count++; 3365 seq_printf(m, " nodes: %d\n", count); 3366 count = 0; 3367 strong = 0; 3368 weak = 0; 3369 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3370 struct binder_ref *ref = rb_entry(n, struct binder_ref, 3371 rb_node_desc); 3372 count++; 3373 strong += ref->strong; 3374 weak += ref->weak; 3375 } 3376 seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak); 3377 3378 count = 0; 3379 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3380 count++; 3381 seq_printf(m, " buffers: %d\n", count); 3382 3383 count = 0; 3384 list_for_each_entry(w, &proc->todo, entry) { 3385 switch (w->type) { 3386 case BINDER_WORK_TRANSACTION: 3387 count++; 3388 break; 3389 default: 3390 break; 3391 } 3392 } 3393 seq_printf(m, " pending transactions: %d\n", count); 3394 3395 print_binder_stats(m, " ", &proc->stats); 3396} 3397 3398 3399static int binder_state_show(struct seq_file *m, void *unused) 3400{ 3401 struct binder_proc *proc; 3402 struct hlist_node *pos; 3403 struct binder_node *node; 3404 int do_lock = !binder_debug_no_lock; 3405 3406 if (do_lock) 3407 mutex_lock(&binder_lock); 3408 3409 seq_puts(m, "binder state:\n"); 3410 3411 if (!hlist_empty(&binder_dead_nodes)) 3412 seq_puts(m, "dead nodes:\n"); 3413 hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) 3414 print_binder_node(m, node); 3415 3416 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3417 print_binder_proc(m, proc, 1); 3418 if (do_lock) 3419 mutex_unlock(&binder_lock); 3420 return 0; 3421} 3422 3423static int binder_stats_show(struct seq_file *m, void *unused) 3424{ 3425 struct binder_proc *proc; 3426 struct hlist_node *pos; 3427 int do_lock = !binder_debug_no_lock; 3428 3429 if (do_lock) 3430 mutex_lock(&binder_lock); 3431 3432 seq_puts(m, "binder stats:\n"); 3433 3434 print_binder_stats(m, "", &binder_stats); 3435 3436 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3437 print_binder_proc_stats(m, proc); 3438 if (do_lock) 3439 mutex_unlock(&binder_lock); 3440 return 0; 3441} 3442 3443static int binder_transactions_show(struct seq_file *m, void *unused) 3444{ 3445 struct binder_proc *proc; 3446 struct hlist_node *pos; 3447 int do_lock = !binder_debug_no_lock; 3448 3449 if (do_lock) 3450 mutex_lock(&binder_lock); 3451 3452 seq_puts(m, "binder transactions:\n"); 3453 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) 3454 print_binder_proc(m, proc, 0); 3455 if (do_lock) 3456 mutex_unlock(&binder_lock); 3457 return 0; 3458} 3459 3460static int binder_proc_show(struct seq_file *m, void *unused) 3461{ 3462 struct binder_proc *proc = m->private; 3463 int do_lock = !binder_debug_no_lock; 3464 3465 if (do_lock) 3466 mutex_lock(&binder_lock); 3467 seq_puts(m, "binder proc state:\n"); 3468 print_binder_proc(m, proc, 1); 3469 if (do_lock) 3470 mutex_unlock(&binder_lock); 3471 return 0; 3472} 3473 3474static void print_binder_transaction_log_entry(struct seq_file *m, 3475 struct binder_transaction_log_entry *e) 3476{ 3477 seq_printf(m, 3478 "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n", 3479 e->debug_id, (e->call_type == 2) ? "reply" : 3480 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3481 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3482 e->target_handle, e->data_size, e->offsets_size); 3483} 3484 3485static int binder_transaction_log_show(struct seq_file *m, void *unused) 3486{ 3487 struct binder_transaction_log *log = m->private; 3488 int i; 3489 3490 if (log->full) { 3491 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) 3492 print_binder_transaction_log_entry(m, &log->entry[i]); 3493 } 3494 for (i = 0; i < log->next; i++) 3495 print_binder_transaction_log_entry(m, &log->entry[i]); 3496 return 0; 3497} 3498 3499static const struct file_operations binder_fops = { 3500 .owner = THIS_MODULE, 3501 .poll = binder_poll, 3502 .unlocked_ioctl = binder_ioctl, 3503 .mmap = binder_mmap, 3504 .open = binder_open, 3505 .flush = binder_flush, 3506 .release = binder_release, 3507}; 3508 3509static struct miscdevice binder_miscdev = { 3510 .minor = MISC_DYNAMIC_MINOR, 3511 .name = "binder", 3512 .fops = &binder_fops 3513}; 3514 3515BINDER_DEBUG_ENTRY(state); 3516BINDER_DEBUG_ENTRY(stats); 3517BINDER_DEBUG_ENTRY(transactions); 3518BINDER_DEBUG_ENTRY(transaction_log); 3519 3520static int __init binder_init(void) 3521{ 3522 int ret; 3523 3524 binder_deferred_workqueue = create_singlethread_workqueue("binder"); 3525 if (!binder_deferred_workqueue) 3526 return -ENOMEM; 3527 3528 binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL); 3529 if (binder_debugfs_dir_entry_root) 3530 binder_debugfs_dir_entry_proc = debugfs_create_dir("proc", 3531 binder_debugfs_dir_entry_root); 3532 ret = misc_register(&binder_miscdev); 3533 if (binder_debugfs_dir_entry_root) { 3534 debugfs_create_file("state", 3535 S_IRUGO, 3536 binder_debugfs_dir_entry_root, 3537 NULL, 3538 &binder_state_fops); 3539 debugfs_create_file("stats", 3540 S_IRUGO, 3541 binder_debugfs_dir_entry_root, 3542 NULL, 3543 &binder_stats_fops); 3544 debugfs_create_file("transactions", 3545 S_IRUGO, 3546 binder_debugfs_dir_entry_root, 3547 NULL, 3548 &binder_transactions_fops); 3549 debugfs_create_file("transaction_log", 3550 S_IRUGO, 3551 binder_debugfs_dir_entry_root, 3552 &binder_transaction_log, 3553 &binder_transaction_log_fops); 3554 debugfs_create_file("failed_transaction_log", 3555 S_IRUGO, 3556 binder_debugfs_dir_entry_root, 3557 &binder_transaction_log_failed, 3558 &binder_transaction_log_fops); 3559 } 3560 return ret; 3561} 3562 3563device_initcall(binder_init); 3564 3565MODULE_LICENSE("GPL v2"); 3566