binder.c revision df56cb1f37415f16a187738ee9e3c03e2106e305
1/* binder.c 2 * 3 * Android IPC Subsystem 4 * 5 * Copyright (C) 2007-2008 Google, Inc. 6 * 7 * This software is licensed under the terms of the GNU General Public 8 * License version 2, as published by the Free Software Foundation, and 9 * may be copied, distributed, and modified under those terms. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 */ 17 18#include <asm/cacheflush.h> 19#include <linux/fdtable.h> 20#include <linux/file.h> 21#include <linux/fs.h> 22#include <linux/list.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/mutex.h> 27#include <linux/nsproxy.h> 28#include <linux/poll.h> 29#include <linux/proc_fs.h> 30#include <linux/rbtree.h> 31#include <linux/sched.h> 32#include <linux/uaccess.h> 33#include <linux/vmalloc.h> 34#include "binder.h" 35 36static DEFINE_MUTEX(binder_lock); 37static HLIST_HEAD(binder_procs); 38static struct binder_node *binder_context_mgr_node; 39static uid_t binder_context_mgr_uid = -1; 40static int binder_last_id; 41static struct proc_dir_entry *binder_proc_dir_entry_root; 42static struct proc_dir_entry *binder_proc_dir_entry_proc; 43static struct hlist_head binder_dead_nodes; 44static HLIST_HEAD(binder_deferred_list); 45static DEFINE_MUTEX(binder_deferred_lock); 46 47static int binder_read_proc_proc(char *page, char **start, off_t off, 48 int count, int *eof, void *data); 49 50/* This is only defined in include/asm-arm/sizes.h */ 51#ifndef SZ_1K 52#define SZ_1K 0x400 53#endif 54 55#ifndef SZ_4M 56#define SZ_4M 0x400000 57#endif 58 59#define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 60 61#define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 62 63enum { 64 BINDER_DEBUG_USER_ERROR = 1U << 0, 65 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 66 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 67 BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 68 BINDER_DEBUG_DEAD_BINDER = 1U << 4, 69 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 70 BINDER_DEBUG_READ_WRITE = 1U << 6, 71 BINDER_DEBUG_USER_REFS = 1U << 7, 72 BINDER_DEBUG_THREADS = 1U << 8, 73 BINDER_DEBUG_TRANSACTION = 1U << 9, 74 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 75 BINDER_DEBUG_FREE_BUFFER = 1U << 11, 76 BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 77 BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 78 BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 79 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 80}; 81static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 82 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 83module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 84 85static int binder_debug_no_lock; 86module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 87 88static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 89static int binder_stop_on_user_error; 90 91static int binder_set_stop_on_user_error(const char *val, 92 struct kernel_param *kp) 93{ 94 int ret; 95 ret = param_set_int(val, kp); 96 if (binder_stop_on_user_error < 2) 97 wake_up(&binder_user_error_wait); 98 return ret; 99} 100module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 101 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 102 103#define binder_debug(mask, x...) \ 104 do { \ 105 if (binder_debug_mask & mask) \ 106 printk(KERN_INFO x); \ 107 } while (0) 108 109#define binder_user_error(x...) \ 110 do { \ 111 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 112 printk(KERN_INFO x); \ 113 if (binder_stop_on_user_error) \ 114 binder_stop_on_user_error = 2; \ 115 } while (0) 116 117enum { 118 BINDER_STAT_PROC, 119 BINDER_STAT_THREAD, 120 BINDER_STAT_NODE, 121 BINDER_STAT_REF, 122 BINDER_STAT_DEATH, 123 BINDER_STAT_TRANSACTION, 124 BINDER_STAT_TRANSACTION_COMPLETE, 125 BINDER_STAT_COUNT 126}; 127 128struct binder_stats { 129 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 130 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 131 int obj_created[BINDER_STAT_COUNT]; 132 int obj_deleted[BINDER_STAT_COUNT]; 133}; 134 135static struct binder_stats binder_stats; 136 137struct binder_transaction_log_entry { 138 int debug_id; 139 int call_type; 140 int from_proc; 141 int from_thread; 142 int target_handle; 143 int to_proc; 144 int to_thread; 145 int to_node; 146 int data_size; 147 int offsets_size; 148}; 149struct binder_transaction_log { 150 int next; 151 int full; 152 struct binder_transaction_log_entry entry[32]; 153}; 154struct binder_transaction_log binder_transaction_log; 155struct binder_transaction_log binder_transaction_log_failed; 156 157static struct binder_transaction_log_entry *binder_transaction_log_add( 158 struct binder_transaction_log *log) 159{ 160 struct binder_transaction_log_entry *e; 161 e = &log->entry[log->next]; 162 memset(e, 0, sizeof(*e)); 163 log->next++; 164 if (log->next == ARRAY_SIZE(log->entry)) { 165 log->next = 0; 166 log->full = 1; 167 } 168 return e; 169} 170 171struct binder_work { 172 struct list_head entry; 173 enum { 174 BINDER_WORK_TRANSACTION = 1, 175 BINDER_WORK_TRANSACTION_COMPLETE, 176 BINDER_WORK_NODE, 177 BINDER_WORK_DEAD_BINDER, 178 BINDER_WORK_DEAD_BINDER_AND_CLEAR, 179 BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 180 } type; 181}; 182 183struct binder_node { 184 int debug_id; 185 struct binder_work work; 186 union { 187 struct rb_node rb_node; 188 struct hlist_node dead_node; 189 }; 190 struct binder_proc *proc; 191 struct hlist_head refs; 192 int internal_strong_refs; 193 int local_weak_refs; 194 int local_strong_refs; 195 void __user *ptr; 196 void __user *cookie; 197 unsigned has_strong_ref:1; 198 unsigned pending_strong_ref:1; 199 unsigned has_weak_ref:1; 200 unsigned pending_weak_ref:1; 201 unsigned has_async_transaction:1; 202 unsigned accept_fds:1; 203 unsigned min_priority:8; 204 struct list_head async_todo; 205}; 206 207struct binder_ref_death { 208 struct binder_work work; 209 void __user *cookie; 210}; 211 212struct binder_ref { 213 /* Lookups needed: */ 214 /* node + proc => ref (transaction) */ 215 /* desc + proc => ref (transaction, inc/dec ref) */ 216 /* node => refs + procs (proc exit) */ 217 int debug_id; 218 struct rb_node rb_node_desc; 219 struct rb_node rb_node_node; 220 struct hlist_node node_entry; 221 struct binder_proc *proc; 222 struct binder_node *node; 223 uint32_t desc; 224 int strong; 225 int weak; 226 struct binder_ref_death *death; 227}; 228 229struct binder_buffer { 230 struct list_head entry; /* free and allocated entries by addesss */ 231 struct rb_node rb_node; /* free entry by size or allocated entry */ 232 /* by address */ 233 unsigned free:1; 234 unsigned allow_user_free:1; 235 unsigned async_transaction:1; 236 unsigned debug_id:29; 237 238 struct binder_transaction *transaction; 239 240 struct binder_node *target_node; 241 size_t data_size; 242 size_t offsets_size; 243 uint8_t data[0]; 244}; 245 246enum { 247 BINDER_DEFERRED_PUT_FILES = 0x01, 248 BINDER_DEFERRED_FLUSH = 0x02, 249 BINDER_DEFERRED_RELEASE = 0x04, 250}; 251 252struct binder_proc { 253 struct hlist_node proc_node; 254 struct rb_root threads; 255 struct rb_root nodes; 256 struct rb_root refs_by_desc; 257 struct rb_root refs_by_node; 258 int pid; 259 struct vm_area_struct *vma; 260 struct task_struct *tsk; 261 struct files_struct *files; 262 struct hlist_node deferred_work_node; 263 int deferred_work; 264 void *buffer; 265 ptrdiff_t user_buffer_offset; 266 267 struct list_head buffers; 268 struct rb_root free_buffers; 269 struct rb_root allocated_buffers; 270 size_t free_async_space; 271 272 struct page **pages; 273 size_t buffer_size; 274 uint32_t buffer_free; 275 struct list_head todo; 276 wait_queue_head_t wait; 277 struct binder_stats stats; 278 struct list_head delivered_death; 279 int max_threads; 280 int requested_threads; 281 int requested_threads_started; 282 int ready_threads; 283 long default_priority; 284}; 285 286enum { 287 BINDER_LOOPER_STATE_REGISTERED = 0x01, 288 BINDER_LOOPER_STATE_ENTERED = 0x02, 289 BINDER_LOOPER_STATE_EXITED = 0x04, 290 BINDER_LOOPER_STATE_INVALID = 0x08, 291 BINDER_LOOPER_STATE_WAITING = 0x10, 292 BINDER_LOOPER_STATE_NEED_RETURN = 0x20 293}; 294 295struct binder_thread { 296 struct binder_proc *proc; 297 struct rb_node rb_node; 298 int pid; 299 int looper; 300 struct binder_transaction *transaction_stack; 301 struct list_head todo; 302 uint32_t return_error; /* Write failed, return error code in read buf */ 303 uint32_t return_error2; /* Write failed, return error code in read */ 304 /* buffer. Used when sending a reply to a dead process that */ 305 /* we are also waiting on */ 306 wait_queue_head_t wait; 307 struct binder_stats stats; 308}; 309 310struct binder_transaction { 311 int debug_id; 312 struct binder_work work; 313 struct binder_thread *from; 314 struct binder_transaction *from_parent; 315 struct binder_proc *to_proc; 316 struct binder_thread *to_thread; 317 struct binder_transaction *to_parent; 318 unsigned need_reply:1; 319 /* unsigned is_dead:1; */ /* not used at the moment */ 320 321 struct binder_buffer *buffer; 322 unsigned int code; 323 unsigned int flags; 324 long priority; 325 long saved_priority; 326 uid_t sender_euid; 327}; 328 329static void binder_defer_work(struct binder_proc *proc, int defer); 330 331/* 332 * copied from get_unused_fd_flags 333 */ 334int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 335{ 336 struct files_struct *files = proc->files; 337 int fd, error; 338 struct fdtable *fdt; 339 unsigned long rlim_cur; 340 unsigned long irqs; 341 342 if (files == NULL) 343 return -ESRCH; 344 345 error = -EMFILE; 346 spin_lock(&files->file_lock); 347 348repeat: 349 fdt = files_fdtable(files); 350 fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds, 351 files->next_fd); 352 353 /* 354 * N.B. For clone tasks sharing a files structure, this test 355 * will limit the total number of files that can be opened. 356 */ 357 rlim_cur = 0; 358 if (lock_task_sighand(proc->tsk, &irqs)) { 359 rlim_cur = proc->tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; 360 unlock_task_sighand(proc->tsk, &irqs); 361 } 362 if (fd >= rlim_cur) 363 goto out; 364 365 /* Do we need to expand the fd array or fd set? */ 366 error = expand_files(files, fd); 367 if (error < 0) 368 goto out; 369 370 if (error) { 371 /* 372 * If we needed to expand the fs array we 373 * might have blocked - try again. 374 */ 375 error = -EMFILE; 376 goto repeat; 377 } 378 379 FD_SET(fd, fdt->open_fds); 380 if (flags & O_CLOEXEC) 381 FD_SET(fd, fdt->close_on_exec); 382 else 383 FD_CLR(fd, fdt->close_on_exec); 384 files->next_fd = fd + 1; 385#if 1 386 /* Sanity check */ 387 if (fdt->fd[fd] != NULL) { 388 printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); 389 fdt->fd[fd] = NULL; 390 } 391#endif 392 error = fd; 393 394out: 395 spin_unlock(&files->file_lock); 396 return error; 397} 398 399/* 400 * copied from fd_install 401 */ 402static void task_fd_install( 403 struct binder_proc *proc, unsigned int fd, struct file *file) 404{ 405 struct files_struct *files = proc->files; 406 struct fdtable *fdt; 407 408 if (files == NULL) 409 return; 410 411 spin_lock(&files->file_lock); 412 fdt = files_fdtable(files); 413 BUG_ON(fdt->fd[fd] != NULL); 414 rcu_assign_pointer(fdt->fd[fd], file); 415 spin_unlock(&files->file_lock); 416} 417 418/* 419 * copied from __put_unused_fd in open.c 420 */ 421static void __put_unused_fd(struct files_struct *files, unsigned int fd) 422{ 423 struct fdtable *fdt = files_fdtable(files); 424 __FD_CLR(fd, fdt->open_fds); 425 if (fd < files->next_fd) 426 files->next_fd = fd; 427} 428 429/* 430 * copied from sys_close 431 */ 432static long task_close_fd(struct binder_proc *proc, unsigned int fd) 433{ 434 struct file *filp; 435 struct files_struct *files = proc->files; 436 struct fdtable *fdt; 437 int retval; 438 439 if (files == NULL) 440 return -ESRCH; 441 442 spin_lock(&files->file_lock); 443 fdt = files_fdtable(files); 444 if (fd >= fdt->max_fds) 445 goto out_unlock; 446 filp = fdt->fd[fd]; 447 if (!filp) 448 goto out_unlock; 449 rcu_assign_pointer(fdt->fd[fd], NULL); 450 FD_CLR(fd, fdt->close_on_exec); 451 __put_unused_fd(files, fd); 452 spin_unlock(&files->file_lock); 453 retval = filp_close(filp, files); 454 455 /* can't restart close syscall because file table entry was cleared */ 456 if (unlikely(retval == -ERESTARTSYS || 457 retval == -ERESTARTNOINTR || 458 retval == -ERESTARTNOHAND || 459 retval == -ERESTART_RESTARTBLOCK)) 460 retval = -EINTR; 461 462 return retval; 463 464out_unlock: 465 spin_unlock(&files->file_lock); 466 return -EBADF; 467} 468 469static void binder_set_nice(long nice) 470{ 471 long min_nice; 472 if (can_nice(current, nice)) { 473 set_user_nice(current, nice); 474 return; 475 } 476 min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 477 binder_debug(BINDER_DEBUG_PRIORITY_CAP, 478 "binder: %d: nice value %ld not allowed use " 479 "%ld instead\n", current->pid, nice, min_nice); 480 set_user_nice(current, min_nice); 481 if (min_nice < 20) 482 return; 483 binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 484} 485 486static size_t binder_buffer_size(struct binder_proc *proc, 487 struct binder_buffer *buffer) 488{ 489 if (list_is_last(&buffer->entry, &proc->buffers)) 490 return proc->buffer + proc->buffer_size - (void *)buffer->data; 491 else 492 return (size_t)list_entry(buffer->entry.next, 493 struct binder_buffer, entry) - (size_t)buffer->data; 494} 495 496static void binder_insert_free_buffer(struct binder_proc *proc, 497 struct binder_buffer *new_buffer) 498{ 499 struct rb_node **p = &proc->free_buffers.rb_node; 500 struct rb_node *parent = NULL; 501 struct binder_buffer *buffer; 502 size_t buffer_size; 503 size_t new_buffer_size; 504 505 BUG_ON(!new_buffer->free); 506 507 new_buffer_size = binder_buffer_size(proc, new_buffer); 508 509 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 510 "binder: %d: add free buffer, size %zd, " 511 "at %p\n", proc->pid, new_buffer_size, new_buffer); 512 513 while (*p) { 514 parent = *p; 515 buffer = rb_entry(parent, struct binder_buffer, rb_node); 516 BUG_ON(!buffer->free); 517 518 buffer_size = binder_buffer_size(proc, buffer); 519 520 if (new_buffer_size < buffer_size) 521 p = &parent->rb_left; 522 else 523 p = &parent->rb_right; 524 } 525 rb_link_node(&new_buffer->rb_node, parent, p); 526 rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 527} 528 529static void binder_insert_allocated_buffer(struct binder_proc *proc, 530 struct binder_buffer *new_buffer) 531{ 532 struct rb_node **p = &proc->allocated_buffers.rb_node; 533 struct rb_node *parent = NULL; 534 struct binder_buffer *buffer; 535 536 BUG_ON(new_buffer->free); 537 538 while (*p) { 539 parent = *p; 540 buffer = rb_entry(parent, struct binder_buffer, rb_node); 541 BUG_ON(buffer->free); 542 543 if (new_buffer < buffer) 544 p = &parent->rb_left; 545 else if (new_buffer > buffer) 546 p = &parent->rb_right; 547 else 548 BUG(); 549 } 550 rb_link_node(&new_buffer->rb_node, parent, p); 551 rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 552} 553 554static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc, 555 void __user *user_ptr) 556{ 557 struct rb_node *n = proc->allocated_buffers.rb_node; 558 struct binder_buffer *buffer; 559 struct binder_buffer *kern_ptr; 560 561 kern_ptr = user_ptr - proc->user_buffer_offset 562 - offsetof(struct binder_buffer, data); 563 564 while (n) { 565 buffer = rb_entry(n, struct binder_buffer, rb_node); 566 BUG_ON(buffer->free); 567 568 if (kern_ptr < buffer) 569 n = n->rb_left; 570 else if (kern_ptr > buffer) 571 n = n->rb_right; 572 else 573 return buffer; 574 } 575 return NULL; 576} 577 578static int binder_update_page_range(struct binder_proc *proc, int allocate, 579 void *start, void *end, 580 struct vm_area_struct *vma) 581{ 582 void *page_addr; 583 unsigned long user_page_addr; 584 struct vm_struct tmp_area; 585 struct page **page; 586 struct mm_struct *mm; 587 588 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 589 "binder: %d: %s pages %p-%p\n", proc->pid, 590 allocate ? "allocate" : "free", start, end); 591 592 if (end <= start) 593 return 0; 594 595 if (vma) 596 mm = NULL; 597 else 598 mm = get_task_mm(proc->tsk); 599 600 if (mm) { 601 down_write(&mm->mmap_sem); 602 vma = proc->vma; 603 } 604 605 if (allocate == 0) 606 goto free_range; 607 608 if (vma == NULL) { 609 printk(KERN_ERR "binder: %d: binder_alloc_buf failed to " 610 "map pages in userspace, no vma\n", proc->pid); 611 goto err_no_vma; 612 } 613 614 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 615 int ret; 616 struct page **page_array_ptr; 617 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 618 619 BUG_ON(*page); 620 *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 621 if (*page == NULL) { 622 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 623 "for page at %p\n", proc->pid, page_addr); 624 goto err_alloc_page_failed; 625 } 626 tmp_area.addr = page_addr; 627 tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 628 page_array_ptr = page; 629 ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 630 if (ret) { 631 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 632 "to map page at %p in kernel\n", 633 proc->pid, page_addr); 634 goto err_map_kernel_failed; 635 } 636 user_page_addr = 637 (uintptr_t)page_addr + proc->user_buffer_offset; 638 ret = vm_insert_page(vma, user_page_addr, page[0]); 639 if (ret) { 640 printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 641 "to map page at %lx in userspace\n", 642 proc->pid, user_page_addr); 643 goto err_vm_insert_page_failed; 644 } 645 /* vm_insert_page does not seem to increment the refcount */ 646 } 647 if (mm) { 648 up_write(&mm->mmap_sem); 649 mmput(mm); 650 } 651 return 0; 652 653free_range: 654 for (page_addr = end - PAGE_SIZE; page_addr >= start; 655 page_addr -= PAGE_SIZE) { 656 page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 657 if (vma) 658 zap_page_range(vma, (uintptr_t)page_addr + 659 proc->user_buffer_offset, PAGE_SIZE, NULL); 660err_vm_insert_page_failed: 661 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 662err_map_kernel_failed: 663 __free_page(*page); 664 *page = NULL; 665err_alloc_page_failed: 666 ; 667 } 668err_no_vma: 669 if (mm) { 670 up_write(&mm->mmap_sem); 671 mmput(mm); 672 } 673 return -ENOMEM; 674} 675 676static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 677 size_t data_size, 678 size_t offsets_size, int is_async) 679{ 680 struct rb_node *n = proc->free_buffers.rb_node; 681 struct binder_buffer *buffer; 682 size_t buffer_size; 683 struct rb_node *best_fit = NULL; 684 void *has_page_addr; 685 void *end_page_addr; 686 size_t size; 687 688 if (proc->vma == NULL) { 689 printk(KERN_ERR "binder: %d: binder_alloc_buf, no vma\n", 690 proc->pid); 691 return NULL; 692 } 693 694 size = ALIGN(data_size, sizeof(void *)) + 695 ALIGN(offsets_size, sizeof(void *)); 696 697 if (size < data_size || size < offsets_size) { 698 binder_user_error("binder: %d: got transaction with invalid " 699 "size %zd-%zd\n", proc->pid, data_size, offsets_size); 700 return NULL; 701 } 702 703 if (is_async && 704 proc->free_async_space < size + sizeof(struct binder_buffer)) { 705 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 706 "binder: %d: binder_alloc_buf size %zd" 707 "failed, no async space left\n", proc->pid, size); 708 return NULL; 709 } 710 711 while (n) { 712 buffer = rb_entry(n, struct binder_buffer, rb_node); 713 BUG_ON(!buffer->free); 714 buffer_size = binder_buffer_size(proc, buffer); 715 716 if (size < buffer_size) { 717 best_fit = n; 718 n = n->rb_left; 719 } else if (size > buffer_size) 720 n = n->rb_right; 721 else { 722 best_fit = n; 723 break; 724 } 725 } 726 if (best_fit == NULL) { 727 printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd failed, " 728 "no address space\n", proc->pid, size); 729 return NULL; 730 } 731 if (n == NULL) { 732 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 733 buffer_size = binder_buffer_size(proc, buffer); 734 } 735 736 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 737 "binder: %d: binder_alloc_buf size %zd got buff" 738 "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 739 740 has_page_addr = 741 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 742 if (n == NULL) { 743 if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 744 buffer_size = size; /* no room for other buffers */ 745 else 746 buffer_size = size + sizeof(struct binder_buffer); 747 } 748 end_page_addr = 749 (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); 750 if (end_page_addr > has_page_addr) 751 end_page_addr = has_page_addr; 752 if (binder_update_page_range(proc, 1, 753 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) 754 return NULL; 755 756 rb_erase(best_fit, &proc->free_buffers); 757 buffer->free = 0; 758 binder_insert_allocated_buffer(proc, buffer); 759 if (buffer_size != size) { 760 struct binder_buffer *new_buffer = (void *)buffer->data + size; 761 list_add(&new_buffer->entry, &buffer->entry); 762 new_buffer->free = 1; 763 binder_insert_free_buffer(proc, new_buffer); 764 } 765 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 766 "binder: %d: binder_alloc_buf size %zd got " 767 "%p\n", proc->pid, size, buffer); 768 buffer->data_size = data_size; 769 buffer->offsets_size = offsets_size; 770 buffer->async_transaction = is_async; 771 if (is_async) { 772 proc->free_async_space -= size + sizeof(struct binder_buffer); 773 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 774 "binder: %d: binder_alloc_buf size %zd " 775 "async free %zd\n", proc->pid, size, 776 proc->free_async_space); 777 } 778 779 return buffer; 780} 781 782static void *buffer_start_page(struct binder_buffer *buffer) 783{ 784 return (void *)((uintptr_t)buffer & PAGE_MASK); 785} 786 787static void *buffer_end_page(struct binder_buffer *buffer) 788{ 789 return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); 790} 791 792static void binder_delete_free_buffer(struct binder_proc *proc, 793 struct binder_buffer *buffer) 794{ 795 struct binder_buffer *prev, *next = NULL; 796 int free_page_end = 1; 797 int free_page_start = 1; 798 799 BUG_ON(proc->buffers.next == &buffer->entry); 800 prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 801 BUG_ON(!prev->free); 802 if (buffer_end_page(prev) == buffer_start_page(buffer)) { 803 free_page_start = 0; 804 if (buffer_end_page(prev) == buffer_end_page(buffer)) 805 free_page_end = 0; 806 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 807 "binder: %d: merge free, buffer %p " 808 "share page with %p\n", proc->pid, buffer, prev); 809 } 810 811 if (!list_is_last(&buffer->entry, &proc->buffers)) { 812 next = list_entry(buffer->entry.next, 813 struct binder_buffer, entry); 814 if (buffer_start_page(next) == buffer_end_page(buffer)) { 815 free_page_end = 0; 816 if (buffer_start_page(next) == 817 buffer_start_page(buffer)) 818 free_page_start = 0; 819 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 820 "binder: %d: merge free, buffer" 821 " %p share page with %p\n", proc->pid, 822 buffer, prev); 823 } 824 } 825 list_del(&buffer->entry); 826 if (free_page_start || free_page_end) { 827 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 828 "binder: %d: merge free, buffer %p do " 829 "not share page%s%s with with %p or %p\n", 830 proc->pid, buffer, free_page_start ? "" : " end", 831 free_page_end ? "" : " start", prev, next); 832 binder_update_page_range(proc, 0, free_page_start ? 833 buffer_start_page(buffer) : buffer_end_page(buffer), 834 (free_page_end ? buffer_end_page(buffer) : 835 buffer_start_page(buffer)) + PAGE_SIZE, NULL); 836 } 837} 838 839static void binder_free_buf(struct binder_proc *proc, 840 struct binder_buffer *buffer) 841{ 842 size_t size, buffer_size; 843 844 buffer_size = binder_buffer_size(proc, buffer); 845 846 size = ALIGN(buffer->data_size, sizeof(void *)) + 847 ALIGN(buffer->offsets_size, sizeof(void *)); 848 849 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 850 "binder: %d: binder_free_buf %p size %zd buffer" 851 "_size %zd\n", proc->pid, buffer, size, buffer_size); 852 853 BUG_ON(buffer->free); 854 BUG_ON(size > buffer_size); 855 BUG_ON(buffer->transaction != NULL); 856 BUG_ON((void *)buffer < proc->buffer); 857 BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 858 859 if (buffer->async_transaction) { 860 proc->free_async_space += size + sizeof(struct binder_buffer); 861 862 binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 863 "binder: %d: binder_free_buf size %zd " 864 "async free %zd\n", proc->pid, size, 865 proc->free_async_space); 866 } 867 868 binder_update_page_range(proc, 0, 869 (void *)PAGE_ALIGN((uintptr_t)buffer->data), 870 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), 871 NULL); 872 rb_erase(&buffer->rb_node, &proc->allocated_buffers); 873 buffer->free = 1; 874 if (!list_is_last(&buffer->entry, &proc->buffers)) { 875 struct binder_buffer *next = list_entry(buffer->entry.next, 876 struct binder_buffer, entry); 877 if (next->free) { 878 rb_erase(&next->rb_node, &proc->free_buffers); 879 binder_delete_free_buffer(proc, next); 880 } 881 } 882 if (proc->buffers.next != &buffer->entry) { 883 struct binder_buffer *prev = list_entry(buffer->entry.prev, 884 struct binder_buffer, entry); 885 if (prev->free) { 886 binder_delete_free_buffer(proc, buffer); 887 rb_erase(&prev->rb_node, &proc->free_buffers); 888 buffer = prev; 889 } 890 } 891 binder_insert_free_buffer(proc, buffer); 892} 893 894static struct binder_node *binder_get_node(struct binder_proc *proc, 895 void __user *ptr) 896{ 897 struct rb_node *n = proc->nodes.rb_node; 898 struct binder_node *node; 899 900 while (n) { 901 node = rb_entry(n, struct binder_node, rb_node); 902 903 if (ptr < node->ptr) 904 n = n->rb_left; 905 else if (ptr > node->ptr) 906 n = n->rb_right; 907 else 908 return node; 909 } 910 return NULL; 911} 912 913static struct binder_node *binder_new_node(struct binder_proc *proc, 914 void __user *ptr, 915 void __user *cookie) 916{ 917 struct rb_node **p = &proc->nodes.rb_node; 918 struct rb_node *parent = NULL; 919 struct binder_node *node; 920 921 while (*p) { 922 parent = *p; 923 node = rb_entry(parent, struct binder_node, rb_node); 924 925 if (ptr < node->ptr) 926 p = &(*p)->rb_left; 927 else if (ptr > node->ptr) 928 p = &(*p)->rb_right; 929 else 930 return NULL; 931 } 932 933 node = kzalloc(sizeof(*node), GFP_KERNEL); 934 if (node == NULL) 935 return NULL; 936 binder_stats.obj_created[BINDER_STAT_NODE]++; 937 rb_link_node(&node->rb_node, parent, p); 938 rb_insert_color(&node->rb_node, &proc->nodes); 939 node->debug_id = ++binder_last_id; 940 node->proc = proc; 941 node->ptr = ptr; 942 node->cookie = cookie; 943 node->work.type = BINDER_WORK_NODE; 944 INIT_LIST_HEAD(&node->work.entry); 945 INIT_LIST_HEAD(&node->async_todo); 946 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 947 "binder: %d:%d node %d u%p c%p created\n", 948 proc->pid, current->pid, node->debug_id, 949 node->ptr, node->cookie); 950 return node; 951} 952 953static int binder_inc_node(struct binder_node *node, int strong, int internal, 954 struct list_head *target_list) 955{ 956 if (strong) { 957 if (internal) { 958 if (target_list == NULL && 959 node->internal_strong_refs == 0 && 960 !(node == binder_context_mgr_node && 961 node->has_strong_ref)) { 962 printk(KERN_ERR "binder: invalid inc strong " 963 "node for %d\n", node->debug_id); 964 return -EINVAL; 965 } 966 node->internal_strong_refs++; 967 } else 968 node->local_strong_refs++; 969 if (!node->has_strong_ref && target_list) { 970 list_del_init(&node->work.entry); 971 list_add_tail(&node->work.entry, target_list); 972 } 973 } else { 974 if (!internal) 975 node->local_weak_refs++; 976 if (!node->has_weak_ref && list_empty(&node->work.entry)) { 977 if (target_list == NULL) { 978 printk(KERN_ERR "binder: invalid inc weak node " 979 "for %d\n", node->debug_id); 980 return -EINVAL; 981 } 982 list_add_tail(&node->work.entry, target_list); 983 } 984 } 985 return 0; 986} 987 988static int binder_dec_node(struct binder_node *node, int strong, int internal) 989{ 990 if (strong) { 991 if (internal) 992 node->internal_strong_refs--; 993 else 994 node->local_strong_refs--; 995 if (node->local_strong_refs || node->internal_strong_refs) 996 return 0; 997 } else { 998 if (!internal) 999 node->local_weak_refs--; 1000 if (node->local_weak_refs || !hlist_empty(&node->refs)) 1001 return 0; 1002 } 1003 if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 1004 if (list_empty(&node->work.entry)) { 1005 list_add_tail(&node->work.entry, &node->proc->todo); 1006 wake_up_interruptible(&node->proc->wait); 1007 } 1008 } else { 1009 if (hlist_empty(&node->refs) && !node->local_strong_refs && 1010 !node->local_weak_refs) { 1011 list_del_init(&node->work.entry); 1012 if (node->proc) { 1013 rb_erase(&node->rb_node, &node->proc->nodes); 1014 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1015 "binder: refless node %d deleted\n", 1016 node->debug_id); 1017 } else { 1018 hlist_del(&node->dead_node); 1019 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1020 "binder: dead node %d deleted\n", 1021 node->debug_id); 1022 } 1023 kfree(node); 1024 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 1025 } 1026 } 1027 1028 return 0; 1029} 1030 1031 1032static struct binder_ref *binder_get_ref(struct binder_proc *proc, 1033 uint32_t desc) 1034{ 1035 struct rb_node *n = proc->refs_by_desc.rb_node; 1036 struct binder_ref *ref; 1037 1038 while (n) { 1039 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1040 1041 if (desc < ref->desc) 1042 n = n->rb_left; 1043 else if (desc > ref->desc) 1044 n = n->rb_right; 1045 else 1046 return ref; 1047 } 1048 return NULL; 1049} 1050 1051static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc, 1052 struct binder_node *node) 1053{ 1054 struct rb_node *n; 1055 struct rb_node **p = &proc->refs_by_node.rb_node; 1056 struct rb_node *parent = NULL; 1057 struct binder_ref *ref, *new_ref; 1058 1059 while (*p) { 1060 parent = *p; 1061 ref = rb_entry(parent, struct binder_ref, rb_node_node); 1062 1063 if (node < ref->node) 1064 p = &(*p)->rb_left; 1065 else if (node > ref->node) 1066 p = &(*p)->rb_right; 1067 else 1068 return ref; 1069 } 1070 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1071 if (new_ref == NULL) 1072 return NULL; 1073 binder_stats.obj_created[BINDER_STAT_REF]++; 1074 new_ref->debug_id = ++binder_last_id; 1075 new_ref->proc = proc; 1076 new_ref->node = node; 1077 rb_link_node(&new_ref->rb_node_node, parent, p); 1078 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1079 1080 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1081 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1082 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1083 if (ref->desc > new_ref->desc) 1084 break; 1085 new_ref->desc = ref->desc + 1; 1086 } 1087 1088 p = &proc->refs_by_desc.rb_node; 1089 while (*p) { 1090 parent = *p; 1091 ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1092 1093 if (new_ref->desc < ref->desc) 1094 p = &(*p)->rb_left; 1095 else if (new_ref->desc > ref->desc) 1096 p = &(*p)->rb_right; 1097 else 1098 BUG(); 1099 } 1100 rb_link_node(&new_ref->rb_node_desc, parent, p); 1101 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1102 if (node) { 1103 hlist_add_head(&new_ref->node_entry, &node->refs); 1104 1105 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1106 "binder: %d new ref %d desc %d for " 1107 "node %d\n", proc->pid, new_ref->debug_id, 1108 new_ref->desc, node->debug_id); 1109 } else { 1110 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1111 "binder: %d new ref %d desc %d for " 1112 "dead node\n", proc->pid, new_ref->debug_id, 1113 new_ref->desc); 1114 } 1115 return new_ref; 1116} 1117 1118static void binder_delete_ref(struct binder_ref *ref) 1119{ 1120 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1121 "binder: %d delete ref %d desc %d for " 1122 "node %d\n", ref->proc->pid, ref->debug_id, 1123 ref->desc, ref->node->debug_id); 1124 1125 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1126 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1127 if (ref->strong) 1128 binder_dec_node(ref->node, 1, 1); 1129 hlist_del(&ref->node_entry); 1130 binder_dec_node(ref->node, 0, 1); 1131 if (ref->death) { 1132 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1133 "binder: %d delete ref %d desc %d " 1134 "has death notification\n", ref->proc->pid, 1135 ref->debug_id, ref->desc); 1136 list_del(&ref->death->work.entry); 1137 kfree(ref->death); 1138 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 1139 } 1140 kfree(ref); 1141 binder_stats.obj_deleted[BINDER_STAT_REF]++; 1142} 1143 1144static int binder_inc_ref(struct binder_ref *ref, int strong, 1145 struct list_head *target_list) 1146{ 1147 int ret; 1148 if (strong) { 1149 if (ref->strong == 0) { 1150 ret = binder_inc_node(ref->node, 1, 1, target_list); 1151 if (ret) 1152 return ret; 1153 } 1154 ref->strong++; 1155 } else { 1156 if (ref->weak == 0) { 1157 ret = binder_inc_node(ref->node, 0, 1, target_list); 1158 if (ret) 1159 return ret; 1160 } 1161 ref->weak++; 1162 } 1163 return 0; 1164} 1165 1166 1167static int binder_dec_ref(struct binder_ref *ref, int strong) 1168{ 1169 if (strong) { 1170 if (ref->strong == 0) { 1171 binder_user_error("binder: %d invalid dec strong, " 1172 "ref %d desc %d s %d w %d\n", 1173 ref->proc->pid, ref->debug_id, 1174 ref->desc, ref->strong, ref->weak); 1175 return -EINVAL; 1176 } 1177 ref->strong--; 1178 if (ref->strong == 0) { 1179 int ret; 1180 ret = binder_dec_node(ref->node, strong, 1); 1181 if (ret) 1182 return ret; 1183 } 1184 } else { 1185 if (ref->weak == 0) { 1186 binder_user_error("binder: %d invalid dec weak, " 1187 "ref %d desc %d s %d w %d\n", 1188 ref->proc->pid, ref->debug_id, 1189 ref->desc, ref->strong, ref->weak); 1190 return -EINVAL; 1191 } 1192 ref->weak--; 1193 } 1194 if (ref->strong == 0 && ref->weak == 0) 1195 binder_delete_ref(ref); 1196 return 0; 1197} 1198 1199static void binder_pop_transaction(struct binder_thread *target_thread, 1200 struct binder_transaction *t) 1201{ 1202 if (target_thread) { 1203 BUG_ON(target_thread->transaction_stack != t); 1204 BUG_ON(target_thread->transaction_stack->from != target_thread); 1205 target_thread->transaction_stack = 1206 target_thread->transaction_stack->from_parent; 1207 t->from = NULL; 1208 } 1209 t->need_reply = 0; 1210 if (t->buffer) 1211 t->buffer->transaction = NULL; 1212 kfree(t); 1213 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1214} 1215 1216static void binder_send_failed_reply(struct binder_transaction *t, 1217 uint32_t error_code) 1218{ 1219 struct binder_thread *target_thread; 1220 BUG_ON(t->flags & TF_ONE_WAY); 1221 while (1) { 1222 target_thread = t->from; 1223 if (target_thread) { 1224 if (target_thread->return_error != BR_OK && 1225 target_thread->return_error2 == BR_OK) { 1226 target_thread->return_error2 = 1227 target_thread->return_error; 1228 target_thread->return_error = BR_OK; 1229 } 1230 if (target_thread->return_error == BR_OK) { 1231 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1232 "binder: send failed reply for " 1233 "transaction %d to %d:%d\n", 1234 t->debug_id, target_thread->proc->pid, 1235 target_thread->pid); 1236 1237 binder_pop_transaction(target_thread, t); 1238 target_thread->return_error = error_code; 1239 wake_up_interruptible(&target_thread->wait); 1240 } else { 1241 printk(KERN_ERR "binder: reply failed, target " 1242 "thread, %d:%d, has error code %d " 1243 "already\n", target_thread->proc->pid, 1244 target_thread->pid, 1245 target_thread->return_error); 1246 } 1247 return; 1248 } else { 1249 struct binder_transaction *next = t->from_parent; 1250 1251 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1252 "binder: send failed reply " 1253 "for transaction %d, target dead\n", 1254 t->debug_id); 1255 1256 binder_pop_transaction(target_thread, t); 1257 if (next == NULL) { 1258 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1259 "binder: reply failed," 1260 " no target thread at root\n"); 1261 return; 1262 } 1263 t = next; 1264 binder_debug(BINDER_DEBUG_DEAD_BINDER, 1265 "binder: reply failed, no target " 1266 "thread -- retry %d\n", t->debug_id); 1267 } 1268 } 1269} 1270 1271static void binder_transaction_buffer_release(struct binder_proc *proc, 1272 struct binder_buffer *buffer, 1273 size_t *failed_at); 1274 1275static void binder_transaction(struct binder_proc *proc, 1276 struct binder_thread *thread, 1277 struct binder_transaction_data *tr, int reply) 1278{ 1279 struct binder_transaction *t; 1280 struct binder_work *tcomplete; 1281 size_t *offp, *off_end; 1282 struct binder_proc *target_proc; 1283 struct binder_thread *target_thread = NULL; 1284 struct binder_node *target_node = NULL; 1285 struct list_head *target_list; 1286 wait_queue_head_t *target_wait; 1287 struct binder_transaction *in_reply_to = NULL; 1288 struct binder_transaction_log_entry *e; 1289 uint32_t return_error; 1290 1291 e = binder_transaction_log_add(&binder_transaction_log); 1292 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1293 e->from_proc = proc->pid; 1294 e->from_thread = thread->pid; 1295 e->target_handle = tr->target.handle; 1296 e->data_size = tr->data_size; 1297 e->offsets_size = tr->offsets_size; 1298 1299 if (reply) { 1300 in_reply_to = thread->transaction_stack; 1301 if (in_reply_to == NULL) { 1302 binder_user_error("binder: %d:%d got reply transaction " 1303 "with no transaction stack\n", 1304 proc->pid, thread->pid); 1305 return_error = BR_FAILED_REPLY; 1306 goto err_empty_call_stack; 1307 } 1308 binder_set_nice(in_reply_to->saved_priority); 1309 if (in_reply_to->to_thread != thread) { 1310 binder_user_error("binder: %d:%d got reply transaction " 1311 "with bad transaction stack," 1312 " transaction %d has target %d:%d\n", 1313 proc->pid, thread->pid, in_reply_to->debug_id, 1314 in_reply_to->to_proc ? 1315 in_reply_to->to_proc->pid : 0, 1316 in_reply_to->to_thread ? 1317 in_reply_to->to_thread->pid : 0); 1318 return_error = BR_FAILED_REPLY; 1319 in_reply_to = NULL; 1320 goto err_bad_call_stack; 1321 } 1322 thread->transaction_stack = in_reply_to->to_parent; 1323 target_thread = in_reply_to->from; 1324 if (target_thread == NULL) { 1325 return_error = BR_DEAD_REPLY; 1326 goto err_dead_binder; 1327 } 1328 if (target_thread->transaction_stack != in_reply_to) { 1329 binder_user_error("binder: %d:%d got reply transaction " 1330 "with bad target transaction stack %d, " 1331 "expected %d\n", 1332 proc->pid, thread->pid, 1333 target_thread->transaction_stack ? 1334 target_thread->transaction_stack->debug_id : 0, 1335 in_reply_to->debug_id); 1336 return_error = BR_FAILED_REPLY; 1337 in_reply_to = NULL; 1338 target_thread = NULL; 1339 goto err_dead_binder; 1340 } 1341 target_proc = target_thread->proc; 1342 } else { 1343 if (tr->target.handle) { 1344 struct binder_ref *ref; 1345 ref = binder_get_ref(proc, tr->target.handle); 1346 if (ref == NULL) { 1347 binder_user_error("binder: %d:%d got " 1348 "transaction to invalid handle\n", 1349 proc->pid, thread->pid); 1350 return_error = BR_FAILED_REPLY; 1351 goto err_invalid_target_handle; 1352 } 1353 target_node = ref->node; 1354 } else { 1355 target_node = binder_context_mgr_node; 1356 if (target_node == NULL) { 1357 return_error = BR_DEAD_REPLY; 1358 goto err_no_context_mgr_node; 1359 } 1360 } 1361 e->to_node = target_node->debug_id; 1362 target_proc = target_node->proc; 1363 if (target_proc == NULL) { 1364 return_error = BR_DEAD_REPLY; 1365 goto err_dead_binder; 1366 } 1367 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1368 struct binder_transaction *tmp; 1369 tmp = thread->transaction_stack; 1370 if (tmp->to_thread != thread) { 1371 binder_user_error("binder: %d:%d got new " 1372 "transaction with bad transaction stack" 1373 ", transaction %d has target %d:%d\n", 1374 proc->pid, thread->pid, tmp->debug_id, 1375 tmp->to_proc ? tmp->to_proc->pid : 0, 1376 tmp->to_thread ? 1377 tmp->to_thread->pid : 0); 1378 return_error = BR_FAILED_REPLY; 1379 goto err_bad_call_stack; 1380 } 1381 while (tmp) { 1382 if (tmp->from && tmp->from->proc == target_proc) 1383 target_thread = tmp->from; 1384 tmp = tmp->from_parent; 1385 } 1386 } 1387 } 1388 if (target_thread) { 1389 e->to_thread = target_thread->pid; 1390 target_list = &target_thread->todo; 1391 target_wait = &target_thread->wait; 1392 } else { 1393 target_list = &target_proc->todo; 1394 target_wait = &target_proc->wait; 1395 } 1396 e->to_proc = target_proc->pid; 1397 1398 /* TODO: reuse incoming transaction for reply */ 1399 t = kzalloc(sizeof(*t), GFP_KERNEL); 1400 if (t == NULL) { 1401 return_error = BR_FAILED_REPLY; 1402 goto err_alloc_t_failed; 1403 } 1404 binder_stats.obj_created[BINDER_STAT_TRANSACTION]++; 1405 1406 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1407 if (tcomplete == NULL) { 1408 return_error = BR_FAILED_REPLY; 1409 goto err_alloc_tcomplete_failed; 1410 } 1411 binder_stats.obj_created[BINDER_STAT_TRANSACTION_COMPLETE]++; 1412 1413 t->debug_id = ++binder_last_id; 1414 e->debug_id = t->debug_id; 1415 1416 if (reply) 1417 binder_debug(BINDER_DEBUG_TRANSACTION, 1418 "binder: %d:%d BC_REPLY %d -> %d:%d, " 1419 "data %p-%p size %zd-%zd\n", 1420 proc->pid, thread->pid, t->debug_id, 1421 target_proc->pid, target_thread->pid, 1422 tr->data.ptr.buffer, tr->data.ptr.offsets, 1423 tr->data_size, tr->offsets_size); 1424 else 1425 binder_debug(BINDER_DEBUG_TRANSACTION, 1426 "binder: %d:%d BC_TRANSACTION %d -> " 1427 "%d - node %d, data %p-%p size %zd-%zd\n", 1428 proc->pid, thread->pid, t->debug_id, 1429 target_proc->pid, target_node->debug_id, 1430 tr->data.ptr.buffer, tr->data.ptr.offsets, 1431 tr->data_size, tr->offsets_size); 1432 1433 if (!reply && !(tr->flags & TF_ONE_WAY)) 1434 t->from = thread; 1435 else 1436 t->from = NULL; 1437 t->sender_euid = proc->tsk->cred->euid; 1438 t->to_proc = target_proc; 1439 t->to_thread = target_thread; 1440 t->code = tr->code; 1441 t->flags = tr->flags; 1442 t->priority = task_nice(current); 1443 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1444 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1445 if (t->buffer == NULL) { 1446 return_error = BR_FAILED_REPLY; 1447 goto err_binder_alloc_buf_failed; 1448 } 1449 t->buffer->allow_user_free = 0; 1450 t->buffer->debug_id = t->debug_id; 1451 t->buffer->transaction = t; 1452 t->buffer->target_node = target_node; 1453 if (target_node) 1454 binder_inc_node(target_node, 1, 0, NULL); 1455 1456 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1457 1458 if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1459 binder_user_error("binder: %d:%d got transaction with invalid " 1460 "data ptr\n", proc->pid, thread->pid); 1461 return_error = BR_FAILED_REPLY; 1462 goto err_copy_data_failed; 1463 } 1464 if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1465 binder_user_error("binder: %d:%d got transaction with invalid " 1466 "offsets ptr\n", proc->pid, thread->pid); 1467 return_error = BR_FAILED_REPLY; 1468 goto err_copy_data_failed; 1469 } 1470 if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { 1471 binder_user_error("binder: %d:%d got transaction with " 1472 "invalid offsets size, %zd\n", 1473 proc->pid, thread->pid, tr->offsets_size); 1474 return_error = BR_FAILED_REPLY; 1475 goto err_bad_offset; 1476 } 1477 off_end = (void *)offp + tr->offsets_size; 1478 for (; offp < off_end; offp++) { 1479 struct flat_binder_object *fp; 1480 if (*offp > t->buffer->data_size - sizeof(*fp) || 1481 t->buffer->data_size < sizeof(*fp) || 1482 !IS_ALIGNED(*offp, sizeof(void *))) { 1483 binder_user_error("binder: %d:%d got transaction with " 1484 "invalid offset, %zd\n", 1485 proc->pid, thread->pid, *offp); 1486 return_error = BR_FAILED_REPLY; 1487 goto err_bad_offset; 1488 } 1489 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1490 switch (fp->type) { 1491 case BINDER_TYPE_BINDER: 1492 case BINDER_TYPE_WEAK_BINDER: { 1493 struct binder_ref *ref; 1494 struct binder_node *node = binder_get_node(proc, fp->binder); 1495 if (node == NULL) { 1496 node = binder_new_node(proc, fp->binder, fp->cookie); 1497 if (node == NULL) { 1498 return_error = BR_FAILED_REPLY; 1499 goto err_binder_new_node_failed; 1500 } 1501 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1502 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1503 } 1504 if (fp->cookie != node->cookie) { 1505 binder_user_error("binder: %d:%d sending u%p " 1506 "node %d, cookie mismatch %p != %p\n", 1507 proc->pid, thread->pid, 1508 fp->binder, node->debug_id, 1509 fp->cookie, node->cookie); 1510 goto err_binder_get_ref_for_node_failed; 1511 } 1512 ref = binder_get_ref_for_node(target_proc, node); 1513 if (ref == NULL) { 1514 return_error = BR_FAILED_REPLY; 1515 goto err_binder_get_ref_for_node_failed; 1516 } 1517 if (fp->type == BINDER_TYPE_BINDER) 1518 fp->type = BINDER_TYPE_HANDLE; 1519 else 1520 fp->type = BINDER_TYPE_WEAK_HANDLE; 1521 fp->handle = ref->desc; 1522 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, &thread->todo); 1523 1524 binder_debug(BINDER_DEBUG_TRANSACTION, 1525 " node %d u%p -> ref %d desc %d\n", 1526 node->debug_id, node->ptr, ref->debug_id, 1527 ref->desc); 1528 } break; 1529 case BINDER_TYPE_HANDLE: 1530 case BINDER_TYPE_WEAK_HANDLE: { 1531 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1532 if (ref == NULL) { 1533 binder_user_error("binder: %d:%d got " 1534 "transaction with invalid " 1535 "handle, %ld\n", proc->pid, 1536 thread->pid, fp->handle); 1537 return_error = BR_FAILED_REPLY; 1538 goto err_binder_get_ref_failed; 1539 } 1540 if (ref->node->proc == target_proc) { 1541 if (fp->type == BINDER_TYPE_HANDLE) 1542 fp->type = BINDER_TYPE_BINDER; 1543 else 1544 fp->type = BINDER_TYPE_WEAK_BINDER; 1545 fp->binder = ref->node->ptr; 1546 fp->cookie = ref->node->cookie; 1547 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1548 binder_debug(BINDER_DEBUG_TRANSACTION, 1549 " ref %d desc %d -> node %d u%p\n", 1550 ref->debug_id, ref->desc, ref->node->debug_id, 1551 ref->node->ptr); 1552 } else { 1553 struct binder_ref *new_ref; 1554 new_ref = binder_get_ref_for_node(target_proc, ref->node); 1555 if (new_ref == NULL) { 1556 return_error = BR_FAILED_REPLY; 1557 goto err_binder_get_ref_for_node_failed; 1558 } 1559 fp->handle = new_ref->desc; 1560 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1561 binder_debug(BINDER_DEBUG_TRANSACTION, 1562 " ref %d desc %d -> ref %d desc %d (node %d)\n", 1563 ref->debug_id, ref->desc, new_ref->debug_id, 1564 new_ref->desc, ref->node->debug_id); 1565 } 1566 } break; 1567 1568 case BINDER_TYPE_FD: { 1569 int target_fd; 1570 struct file *file; 1571 1572 if (reply) { 1573 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1574 binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1575 proc->pid, thread->pid, fp->handle); 1576 return_error = BR_FAILED_REPLY; 1577 goto err_fd_not_allowed; 1578 } 1579 } else if (!target_node->accept_fds) { 1580 binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1581 proc->pid, thread->pid, fp->handle); 1582 return_error = BR_FAILED_REPLY; 1583 goto err_fd_not_allowed; 1584 } 1585 1586 file = fget(fp->handle); 1587 if (file == NULL) { 1588 binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1589 proc->pid, thread->pid, fp->handle); 1590 return_error = BR_FAILED_REPLY; 1591 goto err_fget_failed; 1592 } 1593 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 1594 if (target_fd < 0) { 1595 fput(file); 1596 return_error = BR_FAILED_REPLY; 1597 goto err_get_unused_fd_failed; 1598 } 1599 task_fd_install(target_proc, target_fd, file); 1600 binder_debug(BINDER_DEBUG_TRANSACTION, 1601 " fd %ld -> %d\n", fp->handle, target_fd); 1602 /* TODO: fput? */ 1603 fp->handle = target_fd; 1604 } break; 1605 1606 default: 1607 binder_user_error("binder: %d:%d got transactio" 1608 "n with invalid object type, %lx\n", 1609 proc->pid, thread->pid, fp->type); 1610 return_error = BR_FAILED_REPLY; 1611 goto err_bad_object_type; 1612 } 1613 } 1614 if (reply) { 1615 BUG_ON(t->buffer->async_transaction != 0); 1616 binder_pop_transaction(target_thread, in_reply_to); 1617 } else if (!(t->flags & TF_ONE_WAY)) { 1618 BUG_ON(t->buffer->async_transaction != 0); 1619 t->need_reply = 1; 1620 t->from_parent = thread->transaction_stack; 1621 thread->transaction_stack = t; 1622 } else { 1623 BUG_ON(target_node == NULL); 1624 BUG_ON(t->buffer->async_transaction != 1); 1625 if (target_node->has_async_transaction) { 1626 target_list = &target_node->async_todo; 1627 target_wait = NULL; 1628 } else 1629 target_node->has_async_transaction = 1; 1630 } 1631 t->work.type = BINDER_WORK_TRANSACTION; 1632 list_add_tail(&t->work.entry, target_list); 1633 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1634 list_add_tail(&tcomplete->entry, &thread->todo); 1635 if (target_wait) 1636 wake_up_interruptible(target_wait); 1637 return; 1638 1639err_get_unused_fd_failed: 1640err_fget_failed: 1641err_fd_not_allowed: 1642err_binder_get_ref_for_node_failed: 1643err_binder_get_ref_failed: 1644err_binder_new_node_failed: 1645err_bad_object_type: 1646err_bad_offset: 1647err_copy_data_failed: 1648 binder_transaction_buffer_release(target_proc, t->buffer, offp); 1649 t->buffer->transaction = NULL; 1650 binder_free_buf(target_proc, t->buffer); 1651err_binder_alloc_buf_failed: 1652 kfree(tcomplete); 1653 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 1654err_alloc_tcomplete_failed: 1655 kfree(t); 1656 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 1657err_alloc_t_failed: 1658err_bad_call_stack: 1659err_empty_call_stack: 1660err_dead_binder: 1661err_invalid_target_handle: 1662err_no_context_mgr_node: 1663 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1664 "binder: %d:%d transaction failed %d, size %zd-%zd\n", 1665 proc->pid, thread->pid, return_error, 1666 tr->data_size, tr->offsets_size); 1667 1668 { 1669 struct binder_transaction_log_entry *fe; 1670 fe = binder_transaction_log_add(&binder_transaction_log_failed); 1671 *fe = *e; 1672 } 1673 1674 BUG_ON(thread->return_error != BR_OK); 1675 if (in_reply_to) { 1676 thread->return_error = BR_TRANSACTION_COMPLETE; 1677 binder_send_failed_reply(in_reply_to, return_error); 1678 } else 1679 thread->return_error = return_error; 1680} 1681 1682static void binder_transaction_buffer_release(struct binder_proc *proc, 1683 struct binder_buffer *buffer, 1684 size_t *failed_at) 1685{ 1686 size_t *offp, *off_end; 1687 int debug_id = buffer->debug_id; 1688 1689 binder_debug(BINDER_DEBUG_TRANSACTION, 1690 "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1691 proc->pid, buffer->debug_id, 1692 buffer->data_size, buffer->offsets_size, failed_at); 1693 1694 if (buffer->target_node) 1695 binder_dec_node(buffer->target_node, 1, 0); 1696 1697 offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1698 if (failed_at) 1699 off_end = failed_at; 1700 else 1701 off_end = (void *)offp + buffer->offsets_size; 1702 for (; offp < off_end; offp++) { 1703 struct flat_binder_object *fp; 1704 if (*offp > buffer->data_size - sizeof(*fp) || 1705 buffer->data_size < sizeof(*fp) || 1706 !IS_ALIGNED(*offp, sizeof(void *))) { 1707 printk(KERN_ERR "binder: transaction release %d bad" 1708 "offset %zd, size %zd\n", debug_id, *offp, buffer->data_size); 1709 continue; 1710 } 1711 fp = (struct flat_binder_object *)(buffer->data + *offp); 1712 switch (fp->type) { 1713 case BINDER_TYPE_BINDER: 1714 case BINDER_TYPE_WEAK_BINDER: { 1715 struct binder_node *node = binder_get_node(proc, fp->binder); 1716 if (node == NULL) { 1717 printk(KERN_ERR "binder: transaction release %d bad node %p\n", debug_id, fp->binder); 1718 break; 1719 } 1720 binder_debug(BINDER_DEBUG_TRANSACTION, 1721 " node %d u%p\n", 1722 node->debug_id, node->ptr); 1723 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1724 } break; 1725 case BINDER_TYPE_HANDLE: 1726 case BINDER_TYPE_WEAK_HANDLE: { 1727 struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1728 if (ref == NULL) { 1729 printk(KERN_ERR "binder: transaction release %d bad handle %ld\n", debug_id, fp->handle); 1730 break; 1731 } 1732 binder_debug(BINDER_DEBUG_TRANSACTION, 1733 " ref %d desc %d (node %d)\n", 1734 ref->debug_id, ref->desc, ref->node->debug_id); 1735 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1736 } break; 1737 1738 case BINDER_TYPE_FD: 1739 binder_debug(BINDER_DEBUG_TRANSACTION, 1740 " fd %ld\n", fp->handle); 1741 if (failed_at) 1742 task_close_fd(proc, fp->handle); 1743 break; 1744 1745 default: 1746 printk(KERN_ERR "binder: transaction release %d bad object type %lx\n", debug_id, fp->type); 1747 break; 1748 } 1749 } 1750} 1751 1752int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1753 void __user *buffer, int size, signed long *consumed) 1754{ 1755 uint32_t cmd; 1756 void __user *ptr = buffer + *consumed; 1757 void __user *end = buffer + size; 1758 1759 while (ptr < end && thread->return_error == BR_OK) { 1760 if (get_user(cmd, (uint32_t __user *)ptr)) 1761 return -EFAULT; 1762 ptr += sizeof(uint32_t); 1763 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1764 binder_stats.bc[_IOC_NR(cmd)]++; 1765 proc->stats.bc[_IOC_NR(cmd)]++; 1766 thread->stats.bc[_IOC_NR(cmd)]++; 1767 } 1768 switch (cmd) { 1769 case BC_INCREFS: 1770 case BC_ACQUIRE: 1771 case BC_RELEASE: 1772 case BC_DECREFS: { 1773 uint32_t target; 1774 struct binder_ref *ref; 1775 const char *debug_string; 1776 1777 if (get_user(target, (uint32_t __user *)ptr)) 1778 return -EFAULT; 1779 ptr += sizeof(uint32_t); 1780 if (target == 0 && binder_context_mgr_node && 1781 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1782 ref = binder_get_ref_for_node(proc, 1783 binder_context_mgr_node); 1784 if (ref->desc != target) { 1785 binder_user_error("binder: %d:" 1786 "%d tried to acquire " 1787 "reference to desc 0, " 1788 "got %d instead\n", 1789 proc->pid, thread->pid, 1790 ref->desc); 1791 } 1792 } else 1793 ref = binder_get_ref(proc, target); 1794 if (ref == NULL) { 1795 binder_user_error("binder: %d:%d refcou" 1796 "nt change on invalid ref %d\n", 1797 proc->pid, thread->pid, target); 1798 break; 1799 } 1800 switch (cmd) { 1801 case BC_INCREFS: 1802 debug_string = "IncRefs"; 1803 binder_inc_ref(ref, 0, NULL); 1804 break; 1805 case BC_ACQUIRE: 1806 debug_string = "Acquire"; 1807 binder_inc_ref(ref, 1, NULL); 1808 break; 1809 case BC_RELEASE: 1810 debug_string = "Release"; 1811 binder_dec_ref(ref, 1); 1812 break; 1813 case BC_DECREFS: 1814 default: 1815 debug_string = "DecRefs"; 1816 binder_dec_ref(ref, 0); 1817 break; 1818 } 1819 binder_debug(BINDER_DEBUG_USER_REFS, 1820 "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1821 proc->pid, thread->pid, debug_string, ref->debug_id, 1822 ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1823 break; 1824 } 1825 case BC_INCREFS_DONE: 1826 case BC_ACQUIRE_DONE: { 1827 void __user *node_ptr; 1828 void *cookie; 1829 struct binder_node *node; 1830 1831 if (get_user(node_ptr, (void * __user *)ptr)) 1832 return -EFAULT; 1833 ptr += sizeof(void *); 1834 if (get_user(cookie, (void * __user *)ptr)) 1835 return -EFAULT; 1836 ptr += sizeof(void *); 1837 node = binder_get_node(proc, node_ptr); 1838 if (node == NULL) { 1839 binder_user_error("binder: %d:%d " 1840 "%s u%p no match\n", 1841 proc->pid, thread->pid, 1842 cmd == BC_INCREFS_DONE ? 1843 "BC_INCREFS_DONE" : 1844 "BC_ACQUIRE_DONE", 1845 node_ptr); 1846 break; 1847 } 1848 if (cookie != node->cookie) { 1849 binder_user_error("binder: %d:%d %s u%p node %d" 1850 " cookie mismatch %p != %p\n", 1851 proc->pid, thread->pid, 1852 cmd == BC_INCREFS_DONE ? 1853 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1854 node_ptr, node->debug_id, 1855 cookie, node->cookie); 1856 break; 1857 } 1858 if (cmd == BC_ACQUIRE_DONE) { 1859 if (node->pending_strong_ref == 0) { 1860 binder_user_error("binder: %d:%d " 1861 "BC_ACQUIRE_DONE node %d has " 1862 "no pending acquire request\n", 1863 proc->pid, thread->pid, 1864 node->debug_id); 1865 break; 1866 } 1867 node->pending_strong_ref = 0; 1868 } else { 1869 if (node->pending_weak_ref == 0) { 1870 binder_user_error("binder: %d:%d " 1871 "BC_INCREFS_DONE node %d has " 1872 "no pending increfs request\n", 1873 proc->pid, thread->pid, 1874 node->debug_id); 1875 break; 1876 } 1877 node->pending_weak_ref = 0; 1878 } 1879 binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1880 binder_debug(BINDER_DEBUG_USER_REFS, 1881 "binder: %d:%d %s node %d ls %d lw %d\n", 1882 proc->pid, thread->pid, 1883 cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1884 node->debug_id, node->local_strong_refs, node->local_weak_refs); 1885 break; 1886 } 1887 case BC_ATTEMPT_ACQUIRE: 1888 printk(KERN_ERR "binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1889 return -EINVAL; 1890 case BC_ACQUIRE_RESULT: 1891 printk(KERN_ERR "binder: BC_ACQUIRE_RESULT not supported\n"); 1892 return -EINVAL; 1893 1894 case BC_FREE_BUFFER: { 1895 void __user *data_ptr; 1896 struct binder_buffer *buffer; 1897 1898 if (get_user(data_ptr, (void * __user *)ptr)) 1899 return -EFAULT; 1900 ptr += sizeof(void *); 1901 1902 buffer = binder_buffer_lookup(proc, data_ptr); 1903 if (buffer == NULL) { 1904 binder_user_error("binder: %d:%d " 1905 "BC_FREE_BUFFER u%p no match\n", 1906 proc->pid, thread->pid, data_ptr); 1907 break; 1908 } 1909 if (!buffer->allow_user_free) { 1910 binder_user_error("binder: %d:%d " 1911 "BC_FREE_BUFFER u%p matched " 1912 "unreturned buffer\n", 1913 proc->pid, thread->pid, data_ptr); 1914 break; 1915 } 1916 binder_debug(BINDER_DEBUG_FREE_BUFFER, 1917 "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1918 proc->pid, thread->pid, data_ptr, buffer->debug_id, 1919 buffer->transaction ? "active" : "finished"); 1920 1921 if (buffer->transaction) { 1922 buffer->transaction->buffer = NULL; 1923 buffer->transaction = NULL; 1924 } 1925 if (buffer->async_transaction && buffer->target_node) { 1926 BUG_ON(!buffer->target_node->has_async_transaction); 1927 if (list_empty(&buffer->target_node->async_todo)) 1928 buffer->target_node->has_async_transaction = 0; 1929 else 1930 list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1931 } 1932 binder_transaction_buffer_release(proc, buffer, NULL); 1933 binder_free_buf(proc, buffer); 1934 break; 1935 } 1936 1937 case BC_TRANSACTION: 1938 case BC_REPLY: { 1939 struct binder_transaction_data tr; 1940 1941 if (copy_from_user(&tr, ptr, sizeof(tr))) 1942 return -EFAULT; 1943 ptr += sizeof(tr); 1944 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1945 break; 1946 } 1947 1948 case BC_REGISTER_LOOPER: 1949 binder_debug(BINDER_DEBUG_THREADS, 1950 "binder: %d:%d BC_REGISTER_LOOPER\n", 1951 proc->pid, thread->pid); 1952 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1953 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1954 binder_user_error("binder: %d:%d ERROR:" 1955 " BC_REGISTER_LOOPER called " 1956 "after BC_ENTER_LOOPER\n", 1957 proc->pid, thread->pid); 1958 } else if (proc->requested_threads == 0) { 1959 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1960 binder_user_error("binder: %d:%d ERROR:" 1961 " BC_REGISTER_LOOPER called " 1962 "without request\n", 1963 proc->pid, thread->pid); 1964 } else { 1965 proc->requested_threads--; 1966 proc->requested_threads_started++; 1967 } 1968 thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 1969 break; 1970 case BC_ENTER_LOOPER: 1971 binder_debug(BINDER_DEBUG_THREADS, 1972 "binder: %d:%d BC_ENTER_LOOPER\n", 1973 proc->pid, thread->pid); 1974 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 1975 thread->looper |= BINDER_LOOPER_STATE_INVALID; 1976 binder_user_error("binder: %d:%d ERROR:" 1977 " BC_ENTER_LOOPER called after " 1978 "BC_REGISTER_LOOPER\n", 1979 proc->pid, thread->pid); 1980 } 1981 thread->looper |= BINDER_LOOPER_STATE_ENTERED; 1982 break; 1983 case BC_EXIT_LOOPER: 1984 binder_debug(BINDER_DEBUG_THREADS, 1985 "binder: %d:%d BC_EXIT_LOOPER\n", 1986 proc->pid, thread->pid); 1987 thread->looper |= BINDER_LOOPER_STATE_EXITED; 1988 break; 1989 1990 case BC_REQUEST_DEATH_NOTIFICATION: 1991 case BC_CLEAR_DEATH_NOTIFICATION: { 1992 uint32_t target; 1993 void __user *cookie; 1994 struct binder_ref *ref; 1995 struct binder_ref_death *death; 1996 1997 if (get_user(target, (uint32_t __user *)ptr)) 1998 return -EFAULT; 1999 ptr += sizeof(uint32_t); 2000 if (get_user(cookie, (void __user * __user *)ptr)) 2001 return -EFAULT; 2002 ptr += sizeof(void *); 2003 ref = binder_get_ref(proc, target); 2004 if (ref == NULL) { 2005 binder_user_error("binder: %d:%d %s " 2006 "invalid ref %d\n", 2007 proc->pid, thread->pid, 2008 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2009 "BC_REQUEST_DEATH_NOTIFICATION" : 2010 "BC_CLEAR_DEATH_NOTIFICATION", 2011 target); 2012 break; 2013 } 2014 2015 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2016 "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 2017 proc->pid, thread->pid, 2018 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2019 "BC_REQUEST_DEATH_NOTIFICATION" : 2020 "BC_CLEAR_DEATH_NOTIFICATION", 2021 cookie, ref->debug_id, ref->desc, 2022 ref->strong, ref->weak, ref->node->debug_id); 2023 2024 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 2025 if (ref->death) { 2026 binder_user_error("binder: %d:%" 2027 "d BC_REQUEST_DEATH_NOTI" 2028 "FICATION death notific" 2029 "ation already set\n", 2030 proc->pid, thread->pid); 2031 break; 2032 } 2033 death = kzalloc(sizeof(*death), GFP_KERNEL); 2034 if (death == NULL) { 2035 thread->return_error = BR_ERROR; 2036 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 2037 "binder: %d:%d " 2038 "BC_REQUEST_DEATH_NOTIFICATION failed\n", 2039 proc->pid, thread->pid); 2040 break; 2041 } 2042 binder_stats.obj_created[BINDER_STAT_DEATH]++; 2043 INIT_LIST_HEAD(&death->work.entry); 2044 death->cookie = cookie; 2045 ref->death = death; 2046 if (ref->node->proc == NULL) { 2047 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2048 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2049 list_add_tail(&ref->death->work.entry, &thread->todo); 2050 } else { 2051 list_add_tail(&ref->death->work.entry, &proc->todo); 2052 wake_up_interruptible(&proc->wait); 2053 } 2054 } 2055 } else { 2056 if (ref->death == NULL) { 2057 binder_user_error("binder: %d:%" 2058 "d BC_CLEAR_DEATH_NOTIFI" 2059 "CATION death notificat" 2060 "ion not active\n", 2061 proc->pid, thread->pid); 2062 break; 2063 } 2064 death = ref->death; 2065 if (death->cookie != cookie) { 2066 binder_user_error("binder: %d:%" 2067 "d BC_CLEAR_DEATH_NOTIFI" 2068 "CATION death notificat" 2069 "ion cookie mismatch " 2070 "%p != %p\n", 2071 proc->pid, thread->pid, 2072 death->cookie, cookie); 2073 break; 2074 } 2075 ref->death = NULL; 2076 if (list_empty(&death->work.entry)) { 2077 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2078 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2079 list_add_tail(&death->work.entry, &thread->todo); 2080 } else { 2081 list_add_tail(&death->work.entry, &proc->todo); 2082 wake_up_interruptible(&proc->wait); 2083 } 2084 } else { 2085 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2086 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2087 } 2088 } 2089 } break; 2090 case BC_DEAD_BINDER_DONE: { 2091 struct binder_work *w; 2092 void __user *cookie; 2093 struct binder_ref_death *death = NULL; 2094 if (get_user(cookie, (void __user * __user *)ptr)) 2095 return -EFAULT; 2096 2097 ptr += sizeof(void *); 2098 list_for_each_entry(w, &proc->delivered_death, entry) { 2099 struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2100 if (tmp_death->cookie == cookie) { 2101 death = tmp_death; 2102 break; 2103 } 2104 } 2105 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2106 "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2107 proc->pid, thread->pid, cookie, death); 2108 if (death == NULL) { 2109 binder_user_error("binder: %d:%d BC_DEAD" 2110 "_BINDER_DONE %p not found\n", 2111 proc->pid, thread->pid, cookie); 2112 break; 2113 } 2114 2115 list_del_init(&death->work.entry); 2116 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2117 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2118 if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2119 list_add_tail(&death->work.entry, &thread->todo); 2120 } else { 2121 list_add_tail(&death->work.entry, &proc->todo); 2122 wake_up_interruptible(&proc->wait); 2123 } 2124 } 2125 } break; 2126 2127 default: 2128 printk(KERN_ERR "binder: %d:%d unknown command %d\n", 2129 proc->pid, thread->pid, cmd); 2130 return -EINVAL; 2131 } 2132 *consumed = ptr - buffer; 2133 } 2134 return 0; 2135} 2136 2137void binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, 2138 uint32_t cmd) 2139{ 2140 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2141 binder_stats.br[_IOC_NR(cmd)]++; 2142 proc->stats.br[_IOC_NR(cmd)]++; 2143 thread->stats.br[_IOC_NR(cmd)]++; 2144 } 2145} 2146 2147static int binder_has_proc_work(struct binder_proc *proc, 2148 struct binder_thread *thread) 2149{ 2150 return !list_empty(&proc->todo) || 2151 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2152} 2153 2154static int binder_has_thread_work(struct binder_thread *thread) 2155{ 2156 return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2157 (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2158} 2159 2160static int binder_thread_read(struct binder_proc *proc, 2161 struct binder_thread *thread, 2162 void __user *buffer, int size, 2163 signed long *consumed, int non_block) 2164{ 2165 void __user *ptr = buffer + *consumed; 2166 void __user *end = buffer + size; 2167 2168 int ret = 0; 2169 int wait_for_proc_work; 2170 2171 if (*consumed == 0) { 2172 if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2173 return -EFAULT; 2174 ptr += sizeof(uint32_t); 2175 } 2176 2177retry: 2178 wait_for_proc_work = thread->transaction_stack == NULL && 2179 list_empty(&thread->todo); 2180 2181 if (thread->return_error != BR_OK && ptr < end) { 2182 if (thread->return_error2 != BR_OK) { 2183 if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2184 return -EFAULT; 2185 ptr += sizeof(uint32_t); 2186 if (ptr == end) 2187 goto done; 2188 thread->return_error2 = BR_OK; 2189 } 2190 if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2191 return -EFAULT; 2192 ptr += sizeof(uint32_t); 2193 thread->return_error = BR_OK; 2194 goto done; 2195 } 2196 2197 2198 thread->looper |= BINDER_LOOPER_STATE_WAITING; 2199 if (wait_for_proc_work) 2200 proc->ready_threads++; 2201 mutex_unlock(&binder_lock); 2202 if (wait_for_proc_work) { 2203 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2204 BINDER_LOOPER_STATE_ENTERED))) { 2205 binder_user_error("binder: %d:%d ERROR: Thread waiting " 2206 "for process work before calling BC_REGISTER_" 2207 "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2208 proc->pid, thread->pid, thread->looper); 2209 wait_event_interruptible(binder_user_error_wait, 2210 binder_stop_on_user_error < 2); 2211 } 2212 binder_set_nice(proc->default_priority); 2213 if (non_block) { 2214 if (!binder_has_proc_work(proc, thread)) 2215 ret = -EAGAIN; 2216 } else 2217 ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2218 } else { 2219 if (non_block) { 2220 if (!binder_has_thread_work(thread)) 2221 ret = -EAGAIN; 2222 } else 2223 ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2224 } 2225 mutex_lock(&binder_lock); 2226 if (wait_for_proc_work) 2227 proc->ready_threads--; 2228 thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2229 2230 if (ret) 2231 return ret; 2232 2233 while (1) { 2234 uint32_t cmd; 2235 struct binder_transaction_data tr; 2236 struct binder_work *w; 2237 struct binder_transaction *t = NULL; 2238 2239 if (!list_empty(&thread->todo)) 2240 w = list_first_entry(&thread->todo, struct binder_work, entry); 2241 else if (!list_empty(&proc->todo) && wait_for_proc_work) 2242 w = list_first_entry(&proc->todo, struct binder_work, entry); 2243 else { 2244 if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2245 goto retry; 2246 break; 2247 } 2248 2249 if (end - ptr < sizeof(tr) + 4) 2250 break; 2251 2252 switch (w->type) { 2253 case BINDER_WORK_TRANSACTION: { 2254 t = container_of(w, struct binder_transaction, work); 2255 } break; 2256 case BINDER_WORK_TRANSACTION_COMPLETE: { 2257 cmd = BR_TRANSACTION_COMPLETE; 2258 if (put_user(cmd, (uint32_t __user *)ptr)) 2259 return -EFAULT; 2260 ptr += sizeof(uint32_t); 2261 2262 binder_stat_br(proc, thread, cmd); 2263 binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, 2264 "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2265 proc->pid, thread->pid); 2266 2267 list_del(&w->entry); 2268 kfree(w); 2269 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2270 } break; 2271 case BINDER_WORK_NODE: { 2272 struct binder_node *node = container_of(w, struct binder_node, work); 2273 uint32_t cmd = BR_NOOP; 2274 const char *cmd_name; 2275 int strong = node->internal_strong_refs || node->local_strong_refs; 2276 int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2277 if (weak && !node->has_weak_ref) { 2278 cmd = BR_INCREFS; 2279 cmd_name = "BR_INCREFS"; 2280 node->has_weak_ref = 1; 2281 node->pending_weak_ref = 1; 2282 node->local_weak_refs++; 2283 } else if (strong && !node->has_strong_ref) { 2284 cmd = BR_ACQUIRE; 2285 cmd_name = "BR_ACQUIRE"; 2286 node->has_strong_ref = 1; 2287 node->pending_strong_ref = 1; 2288 node->local_strong_refs++; 2289 } else if (!strong && node->has_strong_ref) { 2290 cmd = BR_RELEASE; 2291 cmd_name = "BR_RELEASE"; 2292 node->has_strong_ref = 0; 2293 } else if (!weak && node->has_weak_ref) { 2294 cmd = BR_DECREFS; 2295 cmd_name = "BR_DECREFS"; 2296 node->has_weak_ref = 0; 2297 } 2298 if (cmd != BR_NOOP) { 2299 if (put_user(cmd, (uint32_t __user *)ptr)) 2300 return -EFAULT; 2301 ptr += sizeof(uint32_t); 2302 if (put_user(node->ptr, (void * __user *)ptr)) 2303 return -EFAULT; 2304 ptr += sizeof(void *); 2305 if (put_user(node->cookie, (void * __user *)ptr)) 2306 return -EFAULT; 2307 ptr += sizeof(void *); 2308 2309 binder_stat_br(proc, thread, cmd); 2310 binder_debug(BINDER_DEBUG_USER_REFS, 2311 "binder: %d:%d %s %d u%p c%p\n", 2312 proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2313 } else { 2314 list_del_init(&w->entry); 2315 if (!weak && !strong) { 2316 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2317 "binder: %d:%d node %d u%p c%p deleted\n", 2318 proc->pid, thread->pid, node->debug_id, 2319 node->ptr, node->cookie); 2320 rb_erase(&node->rb_node, &proc->nodes); 2321 kfree(node); 2322 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2323 } else { 2324 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2325 "binder: %d:%d node %d u%p c%p state unchanged\n", 2326 proc->pid, thread->pid, node->debug_id, node->ptr, 2327 node->cookie); 2328 } 2329 } 2330 } break; 2331 case BINDER_WORK_DEAD_BINDER: 2332 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2333 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2334 struct binder_ref_death *death; 2335 uint32_t cmd; 2336 2337 death = container_of(w, struct binder_ref_death, work); 2338 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2339 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2340 else 2341 cmd = BR_DEAD_BINDER; 2342 if (put_user(cmd, (uint32_t __user *)ptr)) 2343 return -EFAULT; 2344 ptr += sizeof(uint32_t); 2345 if (put_user(death->cookie, (void * __user *)ptr)) 2346 return -EFAULT; 2347 ptr += sizeof(void *); 2348 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2349 "binder: %d:%d %s %p\n", 2350 proc->pid, thread->pid, 2351 cmd == BR_DEAD_BINDER ? 2352 "BR_DEAD_BINDER" : 2353 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2354 death->cookie); 2355 2356 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2357 list_del(&w->entry); 2358 kfree(death); 2359 binder_stats.obj_deleted[BINDER_STAT_DEATH]++; 2360 } else 2361 list_move(&w->entry, &proc->delivered_death); 2362 if (cmd == BR_DEAD_BINDER) 2363 goto done; /* DEAD_BINDER notifications can cause transactions */ 2364 } break; 2365 } 2366 2367 if (!t) 2368 continue; 2369 2370 BUG_ON(t->buffer == NULL); 2371 if (t->buffer->target_node) { 2372 struct binder_node *target_node = t->buffer->target_node; 2373 tr.target.ptr = target_node->ptr; 2374 tr.cookie = target_node->cookie; 2375 t->saved_priority = task_nice(current); 2376 if (t->priority < target_node->min_priority && 2377 !(t->flags & TF_ONE_WAY)) 2378 binder_set_nice(t->priority); 2379 else if (!(t->flags & TF_ONE_WAY) || 2380 t->saved_priority > target_node->min_priority) 2381 binder_set_nice(target_node->min_priority); 2382 cmd = BR_TRANSACTION; 2383 } else { 2384 tr.target.ptr = NULL; 2385 tr.cookie = NULL; 2386 cmd = BR_REPLY; 2387 } 2388 tr.code = t->code; 2389 tr.flags = t->flags; 2390 tr.sender_euid = t->sender_euid; 2391 2392 if (t->from) { 2393 struct task_struct *sender = t->from->proc->tsk; 2394 tr.sender_pid = task_tgid_nr_ns(sender, 2395 current->nsproxy->pid_ns); 2396 } else { 2397 tr.sender_pid = 0; 2398 } 2399 2400 tr.data_size = t->buffer->data_size; 2401 tr.offsets_size = t->buffer->offsets_size; 2402 tr.data.ptr.buffer = (void *)t->buffer->data + 2403 proc->user_buffer_offset; 2404 tr.data.ptr.offsets = tr.data.ptr.buffer + 2405 ALIGN(t->buffer->data_size, 2406 sizeof(void *)); 2407 2408 if (put_user(cmd, (uint32_t __user *)ptr)) 2409 return -EFAULT; 2410 ptr += sizeof(uint32_t); 2411 if (copy_to_user(ptr, &tr, sizeof(tr))) 2412 return -EFAULT; 2413 ptr += sizeof(tr); 2414 2415 binder_stat_br(proc, thread, cmd); 2416 binder_debug(BINDER_DEBUG_TRANSACTION, 2417 "binder: %d:%d %s %d %d:%d, cmd %d" 2418 "size %zd-%zd ptr %p-%p\n", 2419 proc->pid, thread->pid, 2420 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : 2421 "BR_REPLY", 2422 t->debug_id, t->from ? t->from->proc->pid : 0, 2423 t->from ? t->from->pid : 0, cmd, 2424 t->buffer->data_size, t->buffer->offsets_size, 2425 tr.data.ptr.buffer, tr.data.ptr.offsets); 2426 2427 list_del(&t->work.entry); 2428 t->buffer->allow_user_free = 1; 2429 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2430 t->to_parent = thread->transaction_stack; 2431 t->to_thread = thread; 2432 thread->transaction_stack = t; 2433 } else { 2434 t->buffer->transaction = NULL; 2435 kfree(t); 2436 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++; 2437 } 2438 break; 2439 } 2440 2441done: 2442 2443 *consumed = ptr - buffer; 2444 if (proc->requested_threads + proc->ready_threads == 0 && 2445 proc->requested_threads_started < proc->max_threads && 2446 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2447 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2448 /*spawn a new thread if we leave this out */) { 2449 proc->requested_threads++; 2450 binder_debug(BINDER_DEBUG_THREADS, 2451 "binder: %d:%d BR_SPAWN_LOOPER\n", 2452 proc->pid, thread->pid); 2453 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2454 return -EFAULT; 2455 } 2456 return 0; 2457} 2458 2459static void binder_release_work(struct list_head *list) 2460{ 2461 struct binder_work *w; 2462 while (!list_empty(list)) { 2463 w = list_first_entry(list, struct binder_work, entry); 2464 list_del_init(&w->entry); 2465 switch (w->type) { 2466 case BINDER_WORK_TRANSACTION: { 2467 struct binder_transaction *t; 2468 2469 t = container_of(w, struct binder_transaction, work); 2470 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2471 binder_send_failed_reply(t, BR_DEAD_REPLY); 2472 } break; 2473 case BINDER_WORK_TRANSACTION_COMPLETE: { 2474 kfree(w); 2475 binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++; 2476 } break; 2477 default: 2478 break; 2479 } 2480 } 2481 2482} 2483 2484static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2485{ 2486 struct binder_thread *thread = NULL; 2487 struct rb_node *parent = NULL; 2488 struct rb_node **p = &proc->threads.rb_node; 2489 2490 while (*p) { 2491 parent = *p; 2492 thread = rb_entry(parent, struct binder_thread, rb_node); 2493 2494 if (current->pid < thread->pid) 2495 p = &(*p)->rb_left; 2496 else if (current->pid > thread->pid) 2497 p = &(*p)->rb_right; 2498 else 2499 break; 2500 } 2501 if (*p == NULL) { 2502 thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2503 if (thread == NULL) 2504 return NULL; 2505 binder_stats.obj_created[BINDER_STAT_THREAD]++; 2506 thread->proc = proc; 2507 thread->pid = current->pid; 2508 init_waitqueue_head(&thread->wait); 2509 INIT_LIST_HEAD(&thread->todo); 2510 rb_link_node(&thread->rb_node, parent, p); 2511 rb_insert_color(&thread->rb_node, &proc->threads); 2512 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2513 thread->return_error = BR_OK; 2514 thread->return_error2 = BR_OK; 2515 } 2516 return thread; 2517} 2518 2519static int binder_free_thread(struct binder_proc *proc, 2520 struct binder_thread *thread) 2521{ 2522 struct binder_transaction *t; 2523 struct binder_transaction *send_reply = NULL; 2524 int active_transactions = 0; 2525 2526 rb_erase(&thread->rb_node, &proc->threads); 2527 t = thread->transaction_stack; 2528 if (t && t->to_thread == thread) 2529 send_reply = t; 2530 while (t) { 2531 active_transactions++; 2532 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2533 "binder: release %d:%d transaction %d " 2534 "%s, still active\n", proc->pid, thread->pid, 2535 t->debug_id, 2536 (t->to_thread == thread) ? "in" : "out"); 2537 2538 if (t->to_thread == thread) { 2539 t->to_proc = NULL; 2540 t->to_thread = NULL; 2541 if (t->buffer) { 2542 t->buffer->transaction = NULL; 2543 t->buffer = NULL; 2544 } 2545 t = t->to_parent; 2546 } else if (t->from == thread) { 2547 t->from = NULL; 2548 t = t->from_parent; 2549 } else 2550 BUG(); 2551 } 2552 if (send_reply) 2553 binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2554 binder_release_work(&thread->todo); 2555 kfree(thread); 2556 binder_stats.obj_deleted[BINDER_STAT_THREAD]++; 2557 return active_transactions; 2558} 2559 2560static unsigned int binder_poll(struct file *filp, 2561 struct poll_table_struct *wait) 2562{ 2563 struct binder_proc *proc = filp->private_data; 2564 struct binder_thread *thread = NULL; 2565 int wait_for_proc_work; 2566 2567 mutex_lock(&binder_lock); 2568 thread = binder_get_thread(proc); 2569 2570 wait_for_proc_work = thread->transaction_stack == NULL && 2571 list_empty(&thread->todo) && thread->return_error == BR_OK; 2572 mutex_unlock(&binder_lock); 2573 2574 if (wait_for_proc_work) { 2575 if (binder_has_proc_work(proc, thread)) 2576 return POLLIN; 2577 poll_wait(filp, &proc->wait, wait); 2578 if (binder_has_proc_work(proc, thread)) 2579 return POLLIN; 2580 } else { 2581 if (binder_has_thread_work(thread)) 2582 return POLLIN; 2583 poll_wait(filp, &thread->wait, wait); 2584 if (binder_has_thread_work(thread)) 2585 return POLLIN; 2586 } 2587 return 0; 2588} 2589 2590static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2591{ 2592 int ret; 2593 struct binder_proc *proc = filp->private_data; 2594 struct binder_thread *thread; 2595 unsigned int size = _IOC_SIZE(cmd); 2596 void __user *ubuf = (void __user *)arg; 2597 2598 /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2599 2600 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2601 if (ret) 2602 return ret; 2603 2604 mutex_lock(&binder_lock); 2605 thread = binder_get_thread(proc); 2606 if (thread == NULL) { 2607 ret = -ENOMEM; 2608 goto err; 2609 } 2610 2611 switch (cmd) { 2612 case BINDER_WRITE_READ: { 2613 struct binder_write_read bwr; 2614 if (size != sizeof(struct binder_write_read)) { 2615 ret = -EINVAL; 2616 goto err; 2617 } 2618 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2619 ret = -EFAULT; 2620 goto err; 2621 } 2622 binder_debug(BINDER_DEBUG_READ_WRITE, 2623 "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2624 proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, 2625 bwr.read_size, bwr.read_buffer); 2626 2627 if (bwr.write_size > 0) { 2628 ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2629 if (ret < 0) { 2630 bwr.read_consumed = 0; 2631 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2632 ret = -EFAULT; 2633 goto err; 2634 } 2635 } 2636 if (bwr.read_size > 0) { 2637 ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2638 if (!list_empty(&proc->todo)) 2639 wake_up_interruptible(&proc->wait); 2640 if (ret < 0) { 2641 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2642 ret = -EFAULT; 2643 goto err; 2644 } 2645 } 2646 binder_debug(BINDER_DEBUG_READ_WRITE, 2647 "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2648 proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, 2649 bwr.read_consumed, bwr.read_size); 2650 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2651 ret = -EFAULT; 2652 goto err; 2653 } 2654 break; 2655 } 2656 case BINDER_SET_MAX_THREADS: 2657 if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2658 ret = -EINVAL; 2659 goto err; 2660 } 2661 break; 2662 case BINDER_SET_CONTEXT_MGR: 2663 if (binder_context_mgr_node != NULL) { 2664 printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n"); 2665 ret = -EBUSY; 2666 goto err; 2667 } 2668 if (binder_context_mgr_uid != -1) { 2669 if (binder_context_mgr_uid != current->cred->euid) { 2670 printk(KERN_ERR "binder: BINDER_SET_" 2671 "CONTEXT_MGR bad uid %d != %d\n", 2672 current->cred->euid, 2673 binder_context_mgr_uid); 2674 ret = -EPERM; 2675 goto err; 2676 } 2677 } else 2678 binder_context_mgr_uid = current->cred->euid; 2679 binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2680 if (binder_context_mgr_node == NULL) { 2681 ret = -ENOMEM; 2682 goto err; 2683 } 2684 binder_context_mgr_node->local_weak_refs++; 2685 binder_context_mgr_node->local_strong_refs++; 2686 binder_context_mgr_node->has_strong_ref = 1; 2687 binder_context_mgr_node->has_weak_ref = 1; 2688 break; 2689 case BINDER_THREAD_EXIT: 2690 binder_debug(BINDER_DEBUG_THREADS, "binder: %d:%d exit\n", 2691 proc->pid, thread->pid); 2692 binder_free_thread(proc, thread); 2693 thread = NULL; 2694 break; 2695 case BINDER_VERSION: 2696 if (size != sizeof(struct binder_version)) { 2697 ret = -EINVAL; 2698 goto err; 2699 } 2700 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2701 ret = -EINVAL; 2702 goto err; 2703 } 2704 break; 2705 default: 2706 ret = -EINVAL; 2707 goto err; 2708 } 2709 ret = 0; 2710err: 2711 if (thread) 2712 thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2713 mutex_unlock(&binder_lock); 2714 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2715 if (ret && ret != -ERESTARTSYS) 2716 printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2717 return ret; 2718} 2719 2720static void binder_vma_open(struct vm_area_struct *vma) 2721{ 2722 struct binder_proc *proc = vma->vm_private_data; 2723 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2724 "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2725 proc->pid, vma->vm_start, vma->vm_end, 2726 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2727 (unsigned long)pgprot_val(vma->vm_page_prot)); 2728 dump_stack(); 2729} 2730 2731static void binder_vma_close(struct vm_area_struct *vma) 2732{ 2733 struct binder_proc *proc = vma->vm_private_data; 2734 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2735 "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2736 proc->pid, vma->vm_start, vma->vm_end, 2737 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2738 (unsigned long)pgprot_val(vma->vm_page_prot)); 2739 proc->vma = NULL; 2740 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2741} 2742 2743static struct vm_operations_struct binder_vm_ops = { 2744 .open = binder_vma_open, 2745 .close = binder_vma_close, 2746}; 2747 2748static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2749{ 2750 int ret; 2751 struct vm_struct *area; 2752 struct binder_proc *proc = filp->private_data; 2753 const char *failure_string; 2754 struct binder_buffer *buffer; 2755 2756 if ((vma->vm_end - vma->vm_start) > SZ_4M) 2757 vma->vm_end = vma->vm_start + SZ_4M; 2758 2759 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2760 "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2761 proc->pid, vma->vm_start, vma->vm_end, 2762 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2763 (unsigned long)pgprot_val(vma->vm_page_prot)); 2764 2765 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2766 ret = -EPERM; 2767 failure_string = "bad vm_flags"; 2768 goto err_bad_arg; 2769 } 2770 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2771 2772 if (proc->buffer) { 2773 ret = -EBUSY; 2774 failure_string = "already mapped"; 2775 goto err_already_mapped; 2776 } 2777 2778 area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2779 if (area == NULL) { 2780 ret = -ENOMEM; 2781 failure_string = "get_vm_area"; 2782 goto err_get_vm_area_failed; 2783 } 2784 proc->buffer = area->addr; 2785 proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; 2786 2787#ifdef CONFIG_CPU_CACHE_VIPT 2788 if (cache_is_vipt_aliasing()) { 2789 while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2790 printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2791 vma->vm_start += PAGE_SIZE; 2792 } 2793 } 2794#endif 2795 proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2796 if (proc->pages == NULL) { 2797 ret = -ENOMEM; 2798 failure_string = "alloc page array"; 2799 goto err_alloc_pages_failed; 2800 } 2801 proc->buffer_size = vma->vm_end - vma->vm_start; 2802 2803 vma->vm_ops = &binder_vm_ops; 2804 vma->vm_private_data = proc; 2805 2806 if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2807 ret = -ENOMEM; 2808 failure_string = "alloc small buf"; 2809 goto err_alloc_small_buf_failed; 2810 } 2811 buffer = proc->buffer; 2812 INIT_LIST_HEAD(&proc->buffers); 2813 list_add(&buffer->entry, &proc->buffers); 2814 buffer->free = 1; 2815 binder_insert_free_buffer(proc, buffer); 2816 proc->free_async_space = proc->buffer_size / 2; 2817 barrier(); 2818 proc->files = get_files_struct(current); 2819 proc->vma = vma; 2820 2821 /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", 2822 proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2823 return 0; 2824 2825err_alloc_small_buf_failed: 2826 kfree(proc->pages); 2827 proc->pages = NULL; 2828err_alloc_pages_failed: 2829 vfree(proc->buffer); 2830 proc->buffer = NULL; 2831err_get_vm_area_failed: 2832err_already_mapped: 2833err_bad_arg: 2834 printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", 2835 proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2836 return ret; 2837} 2838 2839static int binder_open(struct inode *nodp, struct file *filp) 2840{ 2841 struct binder_proc *proc; 2842 2843 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n", 2844 current->group_leader->pid, current->pid); 2845 2846 proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2847 if (proc == NULL) 2848 return -ENOMEM; 2849 get_task_struct(current); 2850 proc->tsk = current; 2851 INIT_LIST_HEAD(&proc->todo); 2852 init_waitqueue_head(&proc->wait); 2853 proc->default_priority = task_nice(current); 2854 mutex_lock(&binder_lock); 2855 binder_stats.obj_created[BINDER_STAT_PROC]++; 2856 hlist_add_head(&proc->proc_node, &binder_procs); 2857 proc->pid = current->group_leader->pid; 2858 INIT_LIST_HEAD(&proc->delivered_death); 2859 filp->private_data = proc; 2860 mutex_unlock(&binder_lock); 2861 2862 if (binder_proc_dir_entry_proc) { 2863 char strbuf[11]; 2864 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2865 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2866 create_proc_read_entry(strbuf, S_IRUGO, 2867 binder_proc_dir_entry_proc, 2868 binder_read_proc_proc, proc); 2869 } 2870 2871 return 0; 2872} 2873 2874static int binder_flush(struct file *filp, fl_owner_t id) 2875{ 2876 struct binder_proc *proc = filp->private_data; 2877 2878 binder_defer_work(proc, BINDER_DEFERRED_FLUSH); 2879 2880 return 0; 2881} 2882 2883static void binder_deferred_flush(struct binder_proc *proc) 2884{ 2885 struct rb_node *n; 2886 int wake_count = 0; 2887 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2888 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2889 thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2890 if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2891 wake_up_interruptible(&thread->wait); 2892 wake_count++; 2893 } 2894 } 2895 wake_up_interruptible_all(&proc->wait); 2896 2897 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2898 "binder_flush: %d woke %d threads\n", proc->pid, 2899 wake_count); 2900} 2901 2902static int binder_release(struct inode *nodp, struct file *filp) 2903{ 2904 struct binder_proc *proc = filp->private_data; 2905 if (binder_proc_dir_entry_proc) { 2906 char strbuf[11]; 2907 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2908 remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2909 } 2910 2911 binder_defer_work(proc, BINDER_DEFERRED_RELEASE); 2912 2913 return 0; 2914} 2915 2916static void binder_deferred_release(struct binder_proc *proc) 2917{ 2918 struct hlist_node *pos; 2919 struct binder_transaction *t; 2920 struct rb_node *n; 2921 int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2922 2923 BUG_ON(proc->vma); 2924 BUG_ON(proc->files); 2925 2926 hlist_del(&proc->proc_node); 2927 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2928 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2929 "binder_release: %d context_mgr_node gone\n", 2930 proc->pid); 2931 binder_context_mgr_node = NULL; 2932 } 2933 2934 threads = 0; 2935 active_transactions = 0; 2936 while ((n = rb_first(&proc->threads))) { 2937 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2938 threads++; 2939 active_transactions += binder_free_thread(proc, thread); 2940 } 2941 nodes = 0; 2942 incoming_refs = 0; 2943 while ((n = rb_first(&proc->nodes))) { 2944 struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2945 2946 nodes++; 2947 rb_erase(&node->rb_node, &proc->nodes); 2948 list_del_init(&node->work.entry); 2949 if (hlist_empty(&node->refs)) { 2950 kfree(node); 2951 binder_stats.obj_deleted[BINDER_STAT_NODE]++; 2952 } else { 2953 struct binder_ref *ref; 2954 int death = 0; 2955 2956 node->proc = NULL; 2957 node->local_strong_refs = 0; 2958 node->local_weak_refs = 0; 2959 hlist_add_head(&node->dead_node, &binder_dead_nodes); 2960 2961 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 2962 incoming_refs++; 2963 if (ref->death) { 2964 death++; 2965 if (list_empty(&ref->death->work.entry)) { 2966 ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2967 list_add_tail(&ref->death->work.entry, &ref->proc->todo); 2968 wake_up_interruptible(&ref->proc->wait); 2969 } else 2970 BUG(); 2971 } 2972 } 2973 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2974 "binder: node %d now dead, " 2975 "refs %d, death %d\n", node->debug_id, 2976 incoming_refs, death); 2977 } 2978 } 2979 outgoing_refs = 0; 2980 while ((n = rb_first(&proc->refs_by_desc))) { 2981 struct binder_ref *ref = rb_entry(n, struct binder_ref, 2982 rb_node_desc); 2983 outgoing_refs++; 2984 binder_delete_ref(ref); 2985 } 2986 binder_release_work(&proc->todo); 2987 buffers = 0; 2988 2989 while ((n = rb_first(&proc->allocated_buffers))) { 2990 struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, 2991 rb_node); 2992 t = buffer->transaction; 2993 if (t) { 2994 t->buffer = NULL; 2995 buffer->transaction = NULL; 2996 printk(KERN_ERR "binder: release proc %d, " 2997 "transaction %d, not freed\n", 2998 proc->pid, t->debug_id); 2999 /*BUG();*/ 3000 } 3001 binder_free_buf(proc, buffer); 3002 buffers++; 3003 } 3004 3005 binder_stats.obj_deleted[BINDER_STAT_PROC]++; 3006 3007 page_count = 0; 3008 if (proc->pages) { 3009 int i; 3010 for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 3011 if (proc->pages[i]) { 3012 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 3013 "binder_release: %d: " 3014 "page %d at %p not freed\n", 3015 proc->pid, i, 3016 proc->buffer + i * PAGE_SIZE); 3017 __free_page(proc->pages[i]); 3018 page_count++; 3019 } 3020 } 3021 kfree(proc->pages); 3022 vfree(proc->buffer); 3023 } 3024 3025 put_task_struct(proc->tsk); 3026 3027 binder_debug(BINDER_DEBUG_OPEN_CLOSE, 3028 "binder_release: %d threads %d, nodes %d (ref %d), " 3029 "refs %d, active transactions %d, buffers %d, " 3030 "pages %d\n", 3031 proc->pid, threads, nodes, incoming_refs, outgoing_refs, 3032 active_transactions, buffers, page_count); 3033 3034 kfree(proc); 3035} 3036 3037static void binder_deferred_func(struct work_struct *work) 3038{ 3039 struct binder_proc *proc; 3040 struct files_struct *files; 3041 3042 int defer; 3043 do { 3044 mutex_lock(&binder_lock); 3045 mutex_lock(&binder_deferred_lock); 3046 if (!hlist_empty(&binder_deferred_list)) { 3047 proc = hlist_entry(binder_deferred_list.first, 3048 struct binder_proc, deferred_work_node); 3049 hlist_del_init(&proc->deferred_work_node); 3050 defer = proc->deferred_work; 3051 proc->deferred_work = 0; 3052 } else { 3053 proc = NULL; 3054 defer = 0; 3055 } 3056 mutex_unlock(&binder_deferred_lock); 3057 3058 files = NULL; 3059 if (defer & BINDER_DEFERRED_PUT_FILES) { 3060 files = proc->files; 3061 if (files) 3062 proc->files = NULL; 3063 } 3064 3065 if (defer & BINDER_DEFERRED_FLUSH) 3066 binder_deferred_flush(proc); 3067 3068 if (defer & BINDER_DEFERRED_RELEASE) 3069 binder_deferred_release(proc); /* frees proc */ 3070 3071 mutex_unlock(&binder_lock); 3072 if (files) 3073 put_files_struct(files); 3074 } while (proc); 3075} 3076static DECLARE_WORK(binder_deferred_work, binder_deferred_func); 3077 3078static void binder_defer_work(struct binder_proc *proc, int defer) 3079{ 3080 mutex_lock(&binder_deferred_lock); 3081 proc->deferred_work |= defer; 3082 if (hlist_unhashed(&proc->deferred_work_node)) { 3083 hlist_add_head(&proc->deferred_work_node, 3084 &binder_deferred_list); 3085 schedule_work(&binder_deferred_work); 3086 } 3087 mutex_unlock(&binder_deferred_lock); 3088} 3089 3090static char *print_binder_transaction(char *buf, char *end, const char *prefix, 3091 struct binder_transaction *t) 3092{ 3093 buf += snprintf(buf, end - buf, 3094 "%s %d: %p from %d:%d to %d:%d code %x " 3095 "flags %x pri %ld r%d", 3096 prefix, t->debug_id, t, 3097 t->from ? t->from->proc->pid : 0, 3098 t->from ? t->from->pid : 0, 3099 t->to_proc ? t->to_proc->pid : 0, 3100 t->to_thread ? t->to_thread->pid : 0, 3101 t->code, t->flags, t->priority, t->need_reply); 3102 if (buf >= end) 3103 return buf; 3104 if (t->buffer == NULL) { 3105 buf += snprintf(buf, end - buf, " buffer free\n"); 3106 return buf; 3107 } 3108 if (t->buffer->target_node) { 3109 buf += snprintf(buf, end - buf, " node %d", 3110 t->buffer->target_node->debug_id); 3111 if (buf >= end) 3112 return buf; 3113 } 3114 buf += snprintf(buf, end - buf, " size %zd:%zd data %p\n", 3115 t->buffer->data_size, t->buffer->offsets_size, 3116 t->buffer->data); 3117 return buf; 3118} 3119 3120static char *print_binder_buffer(char *buf, char *end, const char *prefix, 3121 struct binder_buffer *buffer) 3122{ 3123 buf += snprintf(buf, end - buf, "%s %d: %p size %zd:%zd %s\n", 3124 prefix, buffer->debug_id, buffer->data, 3125 buffer->data_size, buffer->offsets_size, 3126 buffer->transaction ? "active" : "delivered"); 3127 return buf; 3128} 3129 3130static char *print_binder_work(char *buf, char *end, const char *prefix, 3131 const char *transaction_prefix, 3132 struct binder_work *w) 3133{ 3134 struct binder_node *node; 3135 struct binder_transaction *t; 3136 3137 switch (w->type) { 3138 case BINDER_WORK_TRANSACTION: 3139 t = container_of(w, struct binder_transaction, work); 3140 buf = print_binder_transaction(buf, end, transaction_prefix, t); 3141 break; 3142 case BINDER_WORK_TRANSACTION_COMPLETE: 3143 buf += snprintf(buf, end - buf, 3144 "%stransaction complete\n", prefix); 3145 break; 3146 case BINDER_WORK_NODE: 3147 node = container_of(w, struct binder_node, work); 3148 buf += snprintf(buf, end - buf, "%snode work %d: u%p c%p\n", 3149 prefix, node->debug_id, node->ptr, 3150 node->cookie); 3151 break; 3152 case BINDER_WORK_DEAD_BINDER: 3153 buf += snprintf(buf, end - buf, "%shas dead binder\n", prefix); 3154 break; 3155 case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 3156 buf += snprintf(buf, end - buf, 3157 "%shas cleared dead binder\n", prefix); 3158 break; 3159 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 3160 buf += snprintf(buf, end - buf, 3161 "%shas cleared death notification\n", prefix); 3162 break; 3163 default: 3164 buf += snprintf(buf, end - buf, "%sunknown work: type %d\n", 3165 prefix, w->type); 3166 break; 3167 } 3168 return buf; 3169} 3170 3171static char *print_binder_thread(char *buf, char *end, 3172 struct binder_thread *thread, 3173 int print_always) 3174{ 3175 struct binder_transaction *t; 3176 struct binder_work *w; 3177 char *start_buf = buf; 3178 char *header_buf; 3179 3180 buf += snprintf(buf, end - buf, " thread %d: l %02x\n", 3181 thread->pid, thread->looper); 3182 header_buf = buf; 3183 t = thread->transaction_stack; 3184 while (t) { 3185 if (buf >= end) 3186 break; 3187 if (t->from == thread) { 3188 buf = print_binder_transaction(buf, end, 3189 " outgoing transaction", t); 3190 t = t->from_parent; 3191 } else if (t->to_thread == thread) { 3192 buf = print_binder_transaction(buf, end, 3193 " incoming transaction", t); 3194 t = t->to_parent; 3195 } else { 3196 buf = print_binder_transaction(buf, end, 3197 " bad transaction", t); 3198 t = NULL; 3199 } 3200 } 3201 list_for_each_entry(w, &thread->todo, entry) { 3202 if (buf >= end) 3203 break; 3204 buf = print_binder_work(buf, end, " ", 3205 " pending transaction", w); 3206 } 3207 if (!print_always && buf == header_buf) 3208 buf = start_buf; 3209 return buf; 3210} 3211 3212static char *print_binder_node(char *buf, char *end, struct binder_node *node) 3213{ 3214 struct binder_ref *ref; 3215 struct hlist_node *pos; 3216 struct binder_work *w; 3217 int count; 3218 3219 count = 0; 3220 hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3221 count++; 3222 3223 buf += snprintf(buf, end - buf, 3224 " node %d: u%p c%p hs %d hw %d ls %d lw %d " 3225 "is %d iw %d", 3226 node->debug_id, node->ptr, node->cookie, 3227 node->has_strong_ref, node->has_weak_ref, 3228 node->local_strong_refs, node->local_weak_refs, 3229 node->internal_strong_refs, count); 3230 if (buf >= end) 3231 return buf; 3232 if (count) { 3233 buf += snprintf(buf, end - buf, " proc"); 3234 if (buf >= end) 3235 return buf; 3236 hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 3237 buf += snprintf(buf, end - buf, " %d", ref->proc->pid); 3238 if (buf >= end) 3239 return buf; 3240 } 3241 } 3242 buf += snprintf(buf, end - buf, "\n"); 3243 list_for_each_entry(w, &node->async_todo, entry) { 3244 if (buf >= end) 3245 break; 3246 buf = print_binder_work(buf, end, " ", 3247 " pending async transaction", w); 3248 } 3249 return buf; 3250} 3251 3252static char *print_binder_ref(char *buf, char *end, struct binder_ref *ref) 3253{ 3254 buf += snprintf(buf, end - buf, 3255 " ref %d: desc %d %snode %d s %d w %d d %p\n", 3256 ref->debug_id, ref->desc, 3257 ref->node->proc ? "" : "dead ", ref->node->debug_id, 3258 ref->strong, ref->weak, ref->death); 3259 return buf; 3260} 3261 3262static char *print_binder_proc(char *buf, char *end, 3263 struct binder_proc *proc, int print_all) 3264{ 3265 struct binder_work *w; 3266 struct rb_node *n; 3267 char *start_buf = buf; 3268 char *header_buf; 3269 3270 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3271 header_buf = buf; 3272 3273 for (n = rb_first(&proc->threads); 3274 n != NULL && buf < end; 3275 n = rb_next(n)) 3276 buf = print_binder_thread(buf, end, 3277 rb_entry(n, struct binder_thread, 3278 rb_node), print_all); 3279 for (n = rb_first(&proc->nodes); 3280 n != NULL && buf < end; 3281 n = rb_next(n)) { 3282 struct binder_node *node = rb_entry(n, struct binder_node, 3283 rb_node); 3284 if (print_all || node->has_async_transaction) 3285 buf = print_binder_node(buf, end, node); 3286 } 3287 if (print_all) { 3288 for (n = rb_first(&proc->refs_by_desc); 3289 n != NULL && buf < end; 3290 n = rb_next(n)) 3291 buf = print_binder_ref(buf, end, 3292 rb_entry(n, struct binder_ref, 3293 rb_node_desc)); 3294 } 3295 for (n = rb_first(&proc->allocated_buffers); 3296 n != NULL && buf < end; 3297 n = rb_next(n)) 3298 buf = print_binder_buffer(buf, end, " buffer", 3299 rb_entry(n, struct binder_buffer, 3300 rb_node)); 3301 list_for_each_entry(w, &proc->todo, entry) { 3302 if (buf >= end) 3303 break; 3304 buf = print_binder_work(buf, end, " ", 3305 " pending transaction", w); 3306 } 3307 list_for_each_entry(w, &proc->delivered_death, entry) { 3308 if (buf >= end) 3309 break; 3310 buf += snprintf(buf, end - buf, 3311 " has delivered dead binder\n"); 3312 break; 3313 } 3314 if (!print_all && buf == header_buf) 3315 buf = start_buf; 3316 return buf; 3317} 3318 3319static const char *binder_return_strings[] = { 3320 "BR_ERROR", 3321 "BR_OK", 3322 "BR_TRANSACTION", 3323 "BR_REPLY", 3324 "BR_ACQUIRE_RESULT", 3325 "BR_DEAD_REPLY", 3326 "BR_TRANSACTION_COMPLETE", 3327 "BR_INCREFS", 3328 "BR_ACQUIRE", 3329 "BR_RELEASE", 3330 "BR_DECREFS", 3331 "BR_ATTEMPT_ACQUIRE", 3332 "BR_NOOP", 3333 "BR_SPAWN_LOOPER", 3334 "BR_FINISHED", 3335 "BR_DEAD_BINDER", 3336 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3337 "BR_FAILED_REPLY" 3338}; 3339 3340static const char *binder_command_strings[] = { 3341 "BC_TRANSACTION", 3342 "BC_REPLY", 3343 "BC_ACQUIRE_RESULT", 3344 "BC_FREE_BUFFER", 3345 "BC_INCREFS", 3346 "BC_ACQUIRE", 3347 "BC_RELEASE", 3348 "BC_DECREFS", 3349 "BC_INCREFS_DONE", 3350 "BC_ACQUIRE_DONE", 3351 "BC_ATTEMPT_ACQUIRE", 3352 "BC_REGISTER_LOOPER", 3353 "BC_ENTER_LOOPER", 3354 "BC_EXIT_LOOPER", 3355 "BC_REQUEST_DEATH_NOTIFICATION", 3356 "BC_CLEAR_DEATH_NOTIFICATION", 3357 "BC_DEAD_BINDER_DONE" 3358}; 3359 3360static const char *binder_objstat_strings[] = { 3361 "proc", 3362 "thread", 3363 "node", 3364 "ref", 3365 "death", 3366 "transaction", 3367 "transaction_complete" 3368}; 3369 3370static char *print_binder_stats(char *buf, char *end, const char *prefix, 3371 struct binder_stats *stats) 3372{ 3373 int i; 3374 3375 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != 3376 ARRAY_SIZE(binder_command_strings)); 3377 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3378 if (stats->bc[i]) 3379 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3380 binder_command_strings[i], 3381 stats->bc[i]); 3382 if (buf >= end) 3383 return buf; 3384 } 3385 3386 BUILD_BUG_ON(ARRAY_SIZE(stats->br) != 3387 ARRAY_SIZE(binder_return_strings)); 3388 for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3389 if (stats->br[i]) 3390 buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3391 binder_return_strings[i], stats->br[i]); 3392 if (buf >= end) 3393 return buf; 3394 } 3395 3396 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3397 ARRAY_SIZE(binder_objstat_strings)); 3398 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3399 ARRAY_SIZE(stats->obj_deleted)); 3400 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3401 if (stats->obj_created[i] || stats->obj_deleted[i]) 3402 buf += snprintf(buf, end - buf, 3403 "%s%s: active %d total %d\n", prefix, 3404 binder_objstat_strings[i], 3405 stats->obj_created[i] - 3406 stats->obj_deleted[i], 3407 stats->obj_created[i]); 3408 if (buf >= end) 3409 return buf; 3410 } 3411 return buf; 3412} 3413 3414static char *print_binder_proc_stats(char *buf, char *end, 3415 struct binder_proc *proc) 3416{ 3417 struct binder_work *w; 3418 struct rb_node *n; 3419 int count, strong, weak; 3420 3421 buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3422 if (buf >= end) 3423 return buf; 3424 count = 0; 3425 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3426 count++; 3427 buf += snprintf(buf, end - buf, " threads: %d\n", count); 3428 if (buf >= end) 3429 return buf; 3430 buf += snprintf(buf, end - buf, " requested threads: %d+%d/%d\n" 3431 " ready threads %d\n" 3432 " free async space %zd\n", proc->requested_threads, 3433 proc->requested_threads_started, proc->max_threads, 3434 proc->ready_threads, proc->free_async_space); 3435 if (buf >= end) 3436 return buf; 3437 count = 0; 3438 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3439 count++; 3440 buf += snprintf(buf, end - buf, " nodes: %d\n", count); 3441 if (buf >= end) 3442 return buf; 3443 count = 0; 3444 strong = 0; 3445 weak = 0; 3446 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3447 struct binder_ref *ref = rb_entry(n, struct binder_ref, 3448 rb_node_desc); 3449 count++; 3450 strong += ref->strong; 3451 weak += ref->weak; 3452 } 3453 buf += snprintf(buf, end - buf, " refs: %d s %d w %d\n", 3454 count, strong, weak); 3455 if (buf >= end) 3456 return buf; 3457 3458 count = 0; 3459 for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3460 count++; 3461 buf += snprintf(buf, end - buf, " buffers: %d\n", count); 3462 if (buf >= end) 3463 return buf; 3464 3465 count = 0; 3466 list_for_each_entry(w, &proc->todo, entry) { 3467 switch (w->type) { 3468 case BINDER_WORK_TRANSACTION: 3469 count++; 3470 break; 3471 default: 3472 break; 3473 } 3474 } 3475 buf += snprintf(buf, end - buf, " pending transactions: %d\n", count); 3476 if (buf >= end) 3477 return buf; 3478 3479 buf = print_binder_stats(buf, end, " ", &proc->stats); 3480 3481 return buf; 3482} 3483 3484 3485static int binder_read_proc_state(char *page, char **start, off_t off, 3486 int count, int *eof, void *data) 3487{ 3488 struct binder_proc *proc; 3489 struct hlist_node *pos; 3490 struct binder_node *node; 3491 int len = 0; 3492 char *buf = page; 3493 char *end = page + PAGE_SIZE; 3494 int do_lock = !binder_debug_no_lock; 3495 3496 if (off) 3497 return 0; 3498 3499 if (do_lock) 3500 mutex_lock(&binder_lock); 3501 3502 buf += snprintf(buf, end - buf, "binder state:\n"); 3503 3504 if (!hlist_empty(&binder_dead_nodes)) 3505 buf += snprintf(buf, end - buf, "dead nodes:\n"); 3506 hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) { 3507 if (buf >= end) 3508 break; 3509 buf = print_binder_node(buf, end, node); 3510 } 3511 3512 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3513 if (buf >= end) 3514 break; 3515 buf = print_binder_proc(buf, end, proc, 1); 3516 } 3517 if (do_lock) 3518 mutex_unlock(&binder_lock); 3519 if (buf > page + PAGE_SIZE) 3520 buf = page + PAGE_SIZE; 3521 3522 *start = page + off; 3523 3524 len = buf - page; 3525 if (len > off) 3526 len -= off; 3527 else 3528 len = 0; 3529 3530 return len < count ? len : count; 3531} 3532 3533static int binder_read_proc_stats(char *page, char **start, off_t off, 3534 int count, int *eof, void *data) 3535{ 3536 struct binder_proc *proc; 3537 struct hlist_node *pos; 3538 int len = 0; 3539 char *p = page; 3540 int do_lock = !binder_debug_no_lock; 3541 3542 if (off) 3543 return 0; 3544 3545 if (do_lock) 3546 mutex_lock(&binder_lock); 3547 3548 p += snprintf(p, PAGE_SIZE, "binder stats:\n"); 3549 3550 p = print_binder_stats(p, page + PAGE_SIZE, "", &binder_stats); 3551 3552 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3553 if (p >= page + PAGE_SIZE) 3554 break; 3555 p = print_binder_proc_stats(p, page + PAGE_SIZE, proc); 3556 } 3557 if (do_lock) 3558 mutex_unlock(&binder_lock); 3559 if (p > page + PAGE_SIZE) 3560 p = page + PAGE_SIZE; 3561 3562 *start = page + off; 3563 3564 len = p - page; 3565 if (len > off) 3566 len -= off; 3567 else 3568 len = 0; 3569 3570 return len < count ? len : count; 3571} 3572 3573static int binder_read_proc_transactions(char *page, char **start, off_t off, 3574 int count, int *eof, void *data) 3575{ 3576 struct binder_proc *proc; 3577 struct hlist_node *pos; 3578 int len = 0; 3579 char *buf = page; 3580 char *end = page + PAGE_SIZE; 3581 int do_lock = !binder_debug_no_lock; 3582 3583 if (off) 3584 return 0; 3585 3586 if (do_lock) 3587 mutex_lock(&binder_lock); 3588 3589 buf += snprintf(buf, end - buf, "binder transactions:\n"); 3590 hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3591 if (buf >= end) 3592 break; 3593 buf = print_binder_proc(buf, end, proc, 0); 3594 } 3595 if (do_lock) 3596 mutex_unlock(&binder_lock); 3597 if (buf > page + PAGE_SIZE) 3598 buf = page + PAGE_SIZE; 3599 3600 *start = page + off; 3601 3602 len = buf - page; 3603 if (len > off) 3604 len -= off; 3605 else 3606 len = 0; 3607 3608 return len < count ? len : count; 3609} 3610 3611static int binder_read_proc_proc(char *page, char **start, off_t off, 3612 int count, int *eof, void *data) 3613{ 3614 struct binder_proc *proc = data; 3615 int len = 0; 3616 char *p = page; 3617 int do_lock = !binder_debug_no_lock; 3618 3619 if (off) 3620 return 0; 3621 3622 if (do_lock) 3623 mutex_lock(&binder_lock); 3624 p += snprintf(p, PAGE_SIZE, "binder proc state:\n"); 3625 p = print_binder_proc(p, page + PAGE_SIZE, proc, 1); 3626 if (do_lock) 3627 mutex_unlock(&binder_lock); 3628 3629 if (p > page + PAGE_SIZE) 3630 p = page + PAGE_SIZE; 3631 *start = page + off; 3632 3633 len = p - page; 3634 if (len > off) 3635 len -= off; 3636 else 3637 len = 0; 3638 3639 return len < count ? len : count; 3640} 3641 3642static char *print_binder_transaction_log_entry(char *buf, char *end, 3643 struct binder_transaction_log_entry *e) 3644{ 3645 buf += snprintf(buf, end - buf, 3646 "%d: %s from %d:%d to %d:%d node %d handle %d " 3647 "size %d:%d\n", 3648 e->debug_id, (e->call_type == 2) ? "reply" : 3649 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3650 e->from_thread, e->to_proc, e->to_thread, e->to_node, 3651 e->target_handle, e->data_size, e->offsets_size); 3652 return buf; 3653} 3654 3655static int binder_read_proc_transaction_log( 3656 char *page, char **start, off_t off, int count, int *eof, void *data) 3657{ 3658 struct binder_transaction_log *log = data; 3659 int len = 0; 3660 int i; 3661 char *buf = page; 3662 char *end = page + PAGE_SIZE; 3663 3664 if (off) 3665 return 0; 3666 3667 if (log->full) { 3668 for (i = log->next; i < ARRAY_SIZE(log->entry); i++) { 3669 if (buf >= end) 3670 break; 3671 buf = print_binder_transaction_log_entry(buf, end, 3672 &log->entry[i]); 3673 } 3674 } 3675 for (i = 0; i < log->next; i++) { 3676 if (buf >= end) 3677 break; 3678 buf = print_binder_transaction_log_entry(buf, end, 3679 &log->entry[i]); 3680 } 3681 3682 *start = page + off; 3683 3684 len = buf - page; 3685 if (len > off) 3686 len -= off; 3687 else 3688 len = 0; 3689 3690 return len < count ? len : count; 3691} 3692 3693static const struct file_operations binder_fops = { 3694 .owner = THIS_MODULE, 3695 .poll = binder_poll, 3696 .unlocked_ioctl = binder_ioctl, 3697 .mmap = binder_mmap, 3698 .open = binder_open, 3699 .flush = binder_flush, 3700 .release = binder_release, 3701}; 3702 3703static struct miscdevice binder_miscdev = { 3704 .minor = MISC_DYNAMIC_MINOR, 3705 .name = "binder", 3706 .fops = &binder_fops 3707}; 3708 3709static int __init binder_init(void) 3710{ 3711 int ret; 3712 3713 binder_proc_dir_entry_root = proc_mkdir("binder", NULL); 3714 if (binder_proc_dir_entry_root) 3715 binder_proc_dir_entry_proc = proc_mkdir("proc", 3716 binder_proc_dir_entry_root); 3717 ret = misc_register(&binder_miscdev); 3718 if (binder_proc_dir_entry_root) { 3719 create_proc_read_entry("state", 3720 S_IRUGO, 3721 binder_proc_dir_entry_root, 3722 binder_read_proc_state, 3723 NULL); 3724 create_proc_read_entry("stats", 3725 S_IRUGO, 3726 binder_proc_dir_entry_root, 3727 binder_read_proc_stats, 3728 NULL); 3729 create_proc_read_entry("transactions", 3730 S_IRUGO, 3731 binder_proc_dir_entry_root, 3732 binder_read_proc_transactions, 3733 NULL); 3734 create_proc_read_entry("transaction_log", 3735 S_IRUGO, 3736 binder_proc_dir_entry_root, 3737 binder_read_proc_transaction_log, 3738 &binder_transaction_log); 3739 create_proc_read_entry("failed_transaction_log", 3740 S_IRUGO, 3741 binder_proc_dir_entry_root, 3742 binder_read_proc_transaction_log, 3743 &binder_transaction_log_failed); 3744 } 3745 return ret; 3746} 3747 3748device_initcall(binder_init); 3749 3750MODULE_LICENSE("GPL v2"); 3751