Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
binder.c
Go to the documentation of this file.
1 /* binder.c
2  *
3  * Android IPC Subsystem
4  *
5  * Copyright (C) 2007-2008 Google, Inc.
6  *
7  * This software is licensed under the terms of the GNU General Public
8  * License version 2, as published by the Free Software Foundation, and
9  * may be copied, distributed, and modified under those terms.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  */
17 
18 #include <asm/cacheflush.h>
19 #include <linux/fdtable.h>
20 #include <linux/file.h>
21 #include <linux/fs.h>
22 #include <linux/list.h>
23 #include <linux/miscdevice.h>
24 #include <linux/mm.h>
25 #include <linux/module.h>
26 #include <linux/mutex.h>
27 #include <linux/nsproxy.h>
28 #include <linux/poll.h>
29 #include <linux/debugfs.h>
30 #include <linux/rbtree.h>
31 #include <linux/sched.h>
32 #include <linux/seq_file.h>
33 #include <linux/uaccess.h>
34 #include <linux/vmalloc.h>
35 #include <linux/slab.h>
36 
37 #include "binder.h"
38 
39 static DEFINE_MUTEX(binder_lock);
40 static DEFINE_MUTEX(binder_deferred_lock);
41 static DEFINE_MUTEX(binder_mmap_lock);
42 
43 static HLIST_HEAD(binder_procs);
44 static HLIST_HEAD(binder_deferred_list);
45 static HLIST_HEAD(binder_dead_nodes);
46 
47 static struct dentry *binder_debugfs_dir_entry_root;
48 static struct dentry *binder_debugfs_dir_entry_proc;
49 static struct binder_node *binder_context_mgr_node;
50 static kuid_t binder_context_mgr_uid = INVALID_UID;
51 static int binder_last_id;
52 static struct workqueue_struct *binder_deferred_workqueue;
53 
54 #define BINDER_DEBUG_ENTRY(name) \
55 static int binder_##name##_open(struct inode *inode, struct file *file) \
56 { \
57  return single_open(file, binder_##name##_show, inode->i_private); \
58 } \
59 \
60 static const struct file_operations binder_##name##_fops = { \
61  .owner = THIS_MODULE, \
62  .open = binder_##name##_open, \
63  .read = seq_read, \
64  .llseek = seq_lseek, \
65  .release = single_release, \
66 }
67 
68 static int binder_proc_show(struct seq_file *m, void *unused);
69 BINDER_DEBUG_ENTRY(proc);
70 
71 /* This is only defined in include/asm-arm/sizes.h */
72 #ifndef SZ_1K
73 #define SZ_1K 0x400
74 #endif
75 
76 #ifndef SZ_4M
77 #define SZ_4M 0x400000
78 #endif
79 
80 #define FORBIDDEN_MMAP_FLAGS (VM_WRITE)
81 
82 #define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64)
83 
84 enum {
85  BINDER_DEBUG_USER_ERROR = 1U << 0,
86  BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1,
87  BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2,
88  BINDER_DEBUG_OPEN_CLOSE = 1U << 3,
89  BINDER_DEBUG_DEAD_BINDER = 1U << 4,
90  BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5,
91  BINDER_DEBUG_READ_WRITE = 1U << 6,
92  BINDER_DEBUG_USER_REFS = 1U << 7,
93  BINDER_DEBUG_THREADS = 1U << 8,
94  BINDER_DEBUG_TRANSACTION = 1U << 9,
95  BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10,
96  BINDER_DEBUG_FREE_BUFFER = 1U << 11,
97  BINDER_DEBUG_INTERNAL_REFS = 1U << 12,
98  BINDER_DEBUG_BUFFER_ALLOC = 1U << 13,
99  BINDER_DEBUG_PRIORITY_CAP = 1U << 14,
100  BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15,
101 };
102 static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR |
103  BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION;
104 module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO);
105 
106 static bool binder_debug_no_lock;
107 module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO);
108 
109 static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait);
110 static int binder_stop_on_user_error;
111 
112 static int binder_set_stop_on_user_error(const char *val,
113  struct kernel_param *kp)
114 {
115  int ret;
116  ret = param_set_int(val, kp);
117  if (binder_stop_on_user_error < 2)
118  wake_up(&binder_user_error_wait);
119  return ret;
120 }
121 module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
122  param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO);
123 
124 #define binder_debug(mask, x...) \
125  do { \
126  if (binder_debug_mask & mask) \
127  pr_info(x); \
128  } while (0)
129 
130 #define binder_user_error(x...) \
131  do { \
132  if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \
133  pr_info(x); \
134  if (binder_stop_on_user_error) \
135  binder_stop_on_user_error = 2; \
136  } while (0)
137 
138 enum binder_stat_types {
139  BINDER_STAT_PROC,
140  BINDER_STAT_THREAD,
141  BINDER_STAT_NODE,
142  BINDER_STAT_REF,
143  BINDER_STAT_DEATH,
144  BINDER_STAT_TRANSACTION,
145  BINDER_STAT_TRANSACTION_COMPLETE,
146  BINDER_STAT_COUNT
147 };
148 
149 struct binder_stats {
150  int br[_IOC_NR(BR_FAILED_REPLY) + 1];
151  int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1];
152  int obj_created[BINDER_STAT_COUNT];
153  int obj_deleted[BINDER_STAT_COUNT];
154 };
155 
156 static struct binder_stats binder_stats;
157 
158 static inline void binder_stats_deleted(enum binder_stat_types type)
159 {
160  binder_stats.obj_deleted[type]++;
161 }
162 
163 static inline void binder_stats_created(enum binder_stat_types type)
164 {
165  binder_stats.obj_created[type]++;
166 }
167 
168 struct binder_transaction_log_entry {
169  int debug_id;
170  int call_type;
171  int from_proc;
172  int from_thread;
173  int target_handle;
174  int to_proc;
175  int to_thread;
176  int to_node;
177  int data_size;
178  int offsets_size;
179 };
180 struct binder_transaction_log {
181  int next;
182  int full;
183  struct binder_transaction_log_entry entry[32];
184 };
185 static struct binder_transaction_log binder_transaction_log;
186 static struct binder_transaction_log binder_transaction_log_failed;
187 
188 static struct binder_transaction_log_entry *binder_transaction_log_add(
189  struct binder_transaction_log *log)
190 {
191  struct binder_transaction_log_entry *e;
192  e = &log->entry[log->next];
193  memset(e, 0, sizeof(*e));
194  log->next++;
195  if (log->next == ARRAY_SIZE(log->entry)) {
196  log->next = 0;
197  log->full = 1;
198  }
199  return e;
200 }
201 
202 struct binder_work {
203  struct list_head entry;
204  enum {
205  BINDER_WORK_TRANSACTION = 1,
206  BINDER_WORK_TRANSACTION_COMPLETE,
207  BINDER_WORK_NODE,
208  BINDER_WORK_DEAD_BINDER,
209  BINDER_WORK_DEAD_BINDER_AND_CLEAR,
210  BINDER_WORK_CLEAR_DEATH_NOTIFICATION,
211  } type;
212 };
213 
214 struct binder_node {
215  int debug_id;
216  struct binder_work work;
217  union {
218  struct rb_node rb_node;
219  struct hlist_node dead_node;
220  };
221  struct binder_proc *proc;
222  struct hlist_head refs;
223  int internal_strong_refs;
224  int local_weak_refs;
225  int local_strong_refs;
226  void __user *ptr;
227  void __user *cookie;
228  unsigned has_strong_ref:1;
229  unsigned pending_strong_ref:1;
230  unsigned has_weak_ref:1;
231  unsigned pending_weak_ref:1;
232  unsigned has_async_transaction:1;
233  unsigned accept_fds:1;
234  unsigned min_priority:8;
235  struct list_head async_todo;
236 };
237 
238 struct binder_ref_death {
239  struct binder_work work;
240  void __user *cookie;
241 };
242 
243 struct binder_ref {
244  /* Lookups needed: */
245  /* node + proc => ref (transaction) */
246  /* desc + proc => ref (transaction, inc/dec ref) */
247  /* node => refs + procs (proc exit) */
248  int debug_id;
249  struct rb_node rb_node_desc;
250  struct rb_node rb_node_node;
251  struct hlist_node node_entry;
252  struct binder_proc *proc;
253  struct binder_node *node;
254  uint32_t desc;
255  int strong;
256  int weak;
257  struct binder_ref_death *death;
258 };
259 
260 struct binder_buffer {
261  struct list_head entry; /* free and allocated entries by address */
262  struct rb_node rb_node; /* free entry by size or allocated entry */
263  /* by address */
264  unsigned free:1;
265  unsigned allow_user_free:1;
266  unsigned async_transaction:1;
267  unsigned debug_id:29;
268 
269  struct binder_transaction *transaction;
270 
271  struct binder_node *target_node;
272  size_t data_size;
273  size_t offsets_size;
274  uint8_t data[0];
275 };
276 
277 enum binder_deferred_state {
278  BINDER_DEFERRED_PUT_FILES = 0x01,
279  BINDER_DEFERRED_FLUSH = 0x02,
280  BINDER_DEFERRED_RELEASE = 0x04,
281 };
282 
283 struct binder_proc {
284  struct hlist_node proc_node;
285  struct rb_root threads;
286  struct rb_root nodes;
287  struct rb_root refs_by_desc;
288  struct rb_root refs_by_node;
289  int pid;
290  struct vm_area_struct *vma;
291  struct mm_struct *vma_vm_mm;
292  struct task_struct *tsk;
293  struct files_struct *files;
294  struct hlist_node deferred_work_node;
295  int deferred_work;
296  void *buffer;
297  ptrdiff_t user_buffer_offset;
298 
299  struct list_head buffers;
300  struct rb_root free_buffers;
301  struct rb_root allocated_buffers;
302  size_t free_async_space;
303 
304  struct page **pages;
305  size_t buffer_size;
306  uint32_t buffer_free;
307  struct list_head todo;
308  wait_queue_head_t wait;
309  struct binder_stats stats;
310  struct list_head delivered_death;
311  int max_threads;
312  int requested_threads;
313  int requested_threads_started;
314  int ready_threads;
315  long default_priority;
316  struct dentry *debugfs_entry;
317 };
318 
319 enum {
320  BINDER_LOOPER_STATE_REGISTERED = 0x01,
321  BINDER_LOOPER_STATE_ENTERED = 0x02,
322  BINDER_LOOPER_STATE_EXITED = 0x04,
323  BINDER_LOOPER_STATE_INVALID = 0x08,
324  BINDER_LOOPER_STATE_WAITING = 0x10,
325  BINDER_LOOPER_STATE_NEED_RETURN = 0x20
326 };
327 
328 struct binder_thread {
329  struct binder_proc *proc;
330  struct rb_node rb_node;
331  int pid;
332  int looper;
333  struct binder_transaction *transaction_stack;
334  struct list_head todo;
335  uint32_t return_error; /* Write failed, return error code in read buf */
336  uint32_t return_error2; /* Write failed, return error code in read */
337  /* buffer. Used when sending a reply to a dead process that */
338  /* we are also waiting on */
339  wait_queue_head_t wait;
340  struct binder_stats stats;
341 };
342 
343 struct binder_transaction {
344  int debug_id;
345  struct binder_work work;
346  struct binder_thread *from;
347  struct binder_transaction *from_parent;
348  struct binder_proc *to_proc;
349  struct binder_thread *to_thread;
350  struct binder_transaction *to_parent;
351  unsigned need_reply:1;
352  /* unsigned is_dead:1; */ /* not used at the moment */
353 
354  struct binder_buffer *buffer;
355  unsigned int code;
356  unsigned int flags;
357  long priority;
358  long saved_priority;
359  kuid_t sender_euid;
360 };
361 
362 static void
363 binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
364 
365 static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
366 {
367  struct files_struct *files = proc->files;
368  unsigned long rlim_cur;
369  unsigned long irqs;
370 
371  if (files == NULL)
372  return -ESRCH;
373 
374  if (!lock_task_sighand(proc->tsk, &irqs))
375  return -EMFILE;
376 
377  rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
378  unlock_task_sighand(proc->tsk, &irqs);
379 
380  return __alloc_fd(files, 0, rlim_cur, flags);
381 }
382 
383 /*
384  * copied from fd_install
385  */
386 static void task_fd_install(
387  struct binder_proc *proc, unsigned int fd, struct file *file)
388 {
389  if (proc->files)
390  __fd_install(proc->files, fd, file);
391 }
392 
393 /*
394  * copied from sys_close
395  */
396 static long task_close_fd(struct binder_proc *proc, unsigned int fd)
397 {
398  int retval;
399 
400  if (proc->files == NULL)
401  return -ESRCH;
402 
403  retval = __close_fd(proc->files, fd);
404  /* can't restart close syscall because file table entry was cleared */
405  if (unlikely(retval == -ERESTARTSYS ||
406  retval == -ERESTARTNOINTR ||
407  retval == -ERESTARTNOHAND ||
408  retval == -ERESTART_RESTARTBLOCK))
409  retval = -EINTR;
410 
411  return retval;
412 }
413 
414 static void binder_set_nice(long nice)
415 {
416  long min_nice;
417  if (can_nice(current, nice)) {
418  set_user_nice(current, nice);
419  return;
420  }
421  min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur;
422  binder_debug(BINDER_DEBUG_PRIORITY_CAP,
423  "binder: %d: nice value %ld not allowed use "
424  "%ld instead\n", current->pid, nice, min_nice);
425  set_user_nice(current, min_nice);
426  if (min_nice < 20)
427  return;
428  binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid);
429 }
430 
431 static size_t binder_buffer_size(struct binder_proc *proc,
432  struct binder_buffer *buffer)
433 {
434  if (list_is_last(&buffer->entry, &proc->buffers))
435  return proc->buffer + proc->buffer_size - (void *)buffer->data;
436  else
437  return (size_t)list_entry(buffer->entry.next,
438  struct binder_buffer, entry) - (size_t)buffer->data;
439 }
440 
441 static void binder_insert_free_buffer(struct binder_proc *proc,
442  struct binder_buffer *new_buffer)
443 {
444  struct rb_node **p = &proc->free_buffers.rb_node;
445  struct rb_node *parent = NULL;
446  struct binder_buffer *buffer;
447  size_t buffer_size;
448  size_t new_buffer_size;
449 
450  BUG_ON(!new_buffer->free);
451 
452  new_buffer_size = binder_buffer_size(proc, new_buffer);
453 
454  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
455  "binder: %d: add free buffer, size %zd, "
456  "at %p\n", proc->pid, new_buffer_size, new_buffer);
457 
458  while (*p) {
459  parent = *p;
460  buffer = rb_entry(parent, struct binder_buffer, rb_node);
461  BUG_ON(!buffer->free);
462 
463  buffer_size = binder_buffer_size(proc, buffer);
464 
465  if (new_buffer_size < buffer_size)
466  p = &parent->rb_left;
467  else
468  p = &parent->rb_right;
469  }
470  rb_link_node(&new_buffer->rb_node, parent, p);
471  rb_insert_color(&new_buffer->rb_node, &proc->free_buffers);
472 }
473 
474 static void binder_insert_allocated_buffer(struct binder_proc *proc,
475  struct binder_buffer *new_buffer)
476 {
477  struct rb_node **p = &proc->allocated_buffers.rb_node;
478  struct rb_node *parent = NULL;
479  struct binder_buffer *buffer;
480 
481  BUG_ON(new_buffer->free);
482 
483  while (*p) {
484  parent = *p;
485  buffer = rb_entry(parent, struct binder_buffer, rb_node);
486  BUG_ON(buffer->free);
487 
488  if (new_buffer < buffer)
489  p = &parent->rb_left;
490  else if (new_buffer > buffer)
491  p = &parent->rb_right;
492  else
493  BUG();
494  }
495  rb_link_node(&new_buffer->rb_node, parent, p);
496  rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers);
497 }
498 
499 static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc,
500  void __user *user_ptr)
501 {
502  struct rb_node *n = proc->allocated_buffers.rb_node;
503  struct binder_buffer *buffer;
504  struct binder_buffer *kern_ptr;
505 
506  kern_ptr = user_ptr - proc->user_buffer_offset
507  - offsetof(struct binder_buffer, data);
508 
509  while (n) {
510  buffer = rb_entry(n, struct binder_buffer, rb_node);
511  BUG_ON(buffer->free);
512 
513  if (kern_ptr < buffer)
514  n = n->rb_left;
515  else if (kern_ptr > buffer)
516  n = n->rb_right;
517  else
518  return buffer;
519  }
520  return NULL;
521 }
522 
523 static int binder_update_page_range(struct binder_proc *proc, int allocate,
524  void *start, void *end,
525  struct vm_area_struct *vma)
526 {
527  void *page_addr;
528  unsigned long user_page_addr;
529  struct vm_struct tmp_area;
530  struct page **page;
531  struct mm_struct *mm;
532 
533  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
534  "binder: %d: %s pages %p-%p\n", proc->pid,
535  allocate ? "allocate" : "free", start, end);
536 
537  if (end <= start)
538  return 0;
539 
540  if (vma)
541  mm = NULL;
542  else
543  mm = get_task_mm(proc->tsk);
544 
545  if (mm) {
546  down_write(&mm->mmap_sem);
547  vma = proc->vma;
548  if (vma && mm != proc->vma_vm_mm) {
549  pr_err("binder: %d: vma mm and task mm mismatch\n",
550  proc->pid);
551  vma = NULL;
552  }
553  }
554 
555  if (allocate == 0)
556  goto free_range;
557 
558  if (vma == NULL) {
559  pr_err("binder: %d: binder_alloc_buf failed to "
560  "map pages in userspace, no vma\n", proc->pid);
561  goto err_no_vma;
562  }
563 
564  for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
565  int ret;
566  struct page **page_array_ptr;
567  page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE];
568 
569  BUG_ON(*page);
570  *page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO);
571  if (*page == NULL) {
572  pr_err("binder: %d: binder_alloc_buf failed "
573  "for page at %p\n", proc->pid, page_addr);
574  goto err_alloc_page_failed;
575  }
576  tmp_area.addr = page_addr;
577  tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */;
578  page_array_ptr = page;
579  ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr);
580  if (ret) {
581  pr_err("binder: %d: binder_alloc_buf failed "
582  "to map page at %p in kernel\n",
583  proc->pid, page_addr);
584  goto err_map_kernel_failed;
585  }
586  user_page_addr =
587  (uintptr_t)page_addr + proc->user_buffer_offset;
588  ret = vm_insert_page(vma, user_page_addr, page[0]);
589  if (ret) {
590  pr_err("binder: %d: binder_alloc_buf failed "
591  "to map page at %lx in userspace\n",
592  proc->pid, user_page_addr);
593  goto err_vm_insert_page_failed;
594  }
595  /* vm_insert_page does not seem to increment the refcount */
596  }
597  if (mm) {
598  up_write(&mm->mmap_sem);
599  mmput(mm);
600  }
601  return 0;
602 
603 free_range:
604  for (page_addr = end - PAGE_SIZE; page_addr >= start;
605  page_addr -= PAGE_SIZE) {
606  page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE];
607  if (vma)
608  zap_page_range(vma, (uintptr_t)page_addr +
609  proc->user_buffer_offset, PAGE_SIZE, NULL);
610 err_vm_insert_page_failed:
611  unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE);
612 err_map_kernel_failed:
613  __free_page(*page);
614  *page = NULL;
615 err_alloc_page_failed:
616  ;
617  }
618 err_no_vma:
619  if (mm) {
620  up_write(&mm->mmap_sem);
621  mmput(mm);
622  }
623  return -ENOMEM;
624 }
625 
626 static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc,
627  size_t data_size,
628  size_t offsets_size, int is_async)
629 {
630  struct rb_node *n = proc->free_buffers.rb_node;
631  struct binder_buffer *buffer;
632  size_t buffer_size;
633  struct rb_node *best_fit = NULL;
634  void *has_page_addr;
635  void *end_page_addr;
636  size_t size;
637 
638  if (proc->vma == NULL) {
639  pr_err("binder: %d: binder_alloc_buf, no vma\n",
640  proc->pid);
641  return NULL;
642  }
643 
644  size = ALIGN(data_size, sizeof(void *)) +
645  ALIGN(offsets_size, sizeof(void *));
646 
647  if (size < data_size || size < offsets_size) {
648  binder_user_error("binder: %d: got transaction with invalid "
649  "size %zd-%zd\n", proc->pid, data_size, offsets_size);
650  return NULL;
651  }
652 
653  if (is_async &&
654  proc->free_async_space < size + sizeof(struct binder_buffer)) {
655  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
656  "binder: %d: binder_alloc_buf size %zd"
657  "failed, no async space left\n", proc->pid, size);
658  return NULL;
659  }
660 
661  while (n) {
662  buffer = rb_entry(n, struct binder_buffer, rb_node);
663  BUG_ON(!buffer->free);
664  buffer_size = binder_buffer_size(proc, buffer);
665 
666  if (size < buffer_size) {
667  best_fit = n;
668  n = n->rb_left;
669  } else if (size > buffer_size)
670  n = n->rb_right;
671  else {
672  best_fit = n;
673  break;
674  }
675  }
676  if (best_fit == NULL) {
677  pr_err("binder: %d: binder_alloc_buf size %zd failed, "
678  "no address space\n", proc->pid, size);
679  return NULL;
680  }
681  if (n == NULL) {
682  buffer = rb_entry(best_fit, struct binder_buffer, rb_node);
683  buffer_size = binder_buffer_size(proc, buffer);
684  }
685 
686  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
687  "binder: %d: binder_alloc_buf size %zd got buff"
688  "er %p size %zd\n", proc->pid, size, buffer, buffer_size);
689 
690  has_page_addr =
691  (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK);
692  if (n == NULL) {
693  if (size + sizeof(struct binder_buffer) + 4 >= buffer_size)
694  buffer_size = size; /* no room for other buffers */
695  else
696  buffer_size = size + sizeof(struct binder_buffer);
697  }
698  end_page_addr =
699  (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size);
700  if (end_page_addr > has_page_addr)
701  end_page_addr = has_page_addr;
702  if (binder_update_page_range(proc, 1,
703  (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL))
704  return NULL;
705 
706  rb_erase(best_fit, &proc->free_buffers);
707  buffer->free = 0;
708  binder_insert_allocated_buffer(proc, buffer);
709  if (buffer_size != size) {
710  struct binder_buffer *new_buffer = (void *)buffer->data + size;
711  list_add(&new_buffer->entry, &buffer->entry);
712  new_buffer->free = 1;
713  binder_insert_free_buffer(proc, new_buffer);
714  }
715  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
716  "binder: %d: binder_alloc_buf size %zd got "
717  "%p\n", proc->pid, size, buffer);
718  buffer->data_size = data_size;
719  buffer->offsets_size = offsets_size;
720  buffer->async_transaction = is_async;
721  if (is_async) {
722  proc->free_async_space -= size + sizeof(struct binder_buffer);
723  binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
724  "binder: %d: binder_alloc_buf size %zd "
725  "async free %zd\n", proc->pid, size,
726  proc->free_async_space);
727  }
728 
729  return buffer;
730 }
731 
732 static void *buffer_start_page(struct binder_buffer *buffer)
733 {
734  return (void *)((uintptr_t)buffer & PAGE_MASK);
735 }
736 
737 static void *buffer_end_page(struct binder_buffer *buffer)
738 {
739  return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK);
740 }
741 
742 static void binder_delete_free_buffer(struct binder_proc *proc,
743  struct binder_buffer *buffer)
744 {
745  struct binder_buffer *prev, *next = NULL;
746  int free_page_end = 1;
747  int free_page_start = 1;
748 
749  BUG_ON(proc->buffers.next == &buffer->entry);
750  prev = list_entry(buffer->entry.prev, struct binder_buffer, entry);
751  BUG_ON(!prev->free);
752  if (buffer_end_page(prev) == buffer_start_page(buffer)) {
753  free_page_start = 0;
754  if (buffer_end_page(prev) == buffer_end_page(buffer))
755  free_page_end = 0;
756  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
757  "binder: %d: merge free, buffer %p "
758  "share page with %p\n", proc->pid, buffer, prev);
759  }
760 
761  if (!list_is_last(&buffer->entry, &proc->buffers)) {
762  next = list_entry(buffer->entry.next,
763  struct binder_buffer, entry);
764  if (buffer_start_page(next) == buffer_end_page(buffer)) {
765  free_page_end = 0;
766  if (buffer_start_page(next) ==
767  buffer_start_page(buffer))
768  free_page_start = 0;
769  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
770  "binder: %d: merge free, buffer"
771  " %p share page with %p\n", proc->pid,
772  buffer, prev);
773  }
774  }
775  list_del(&buffer->entry);
776  if (free_page_start || free_page_end) {
777  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
778  "binder: %d: merge free, buffer %p do "
779  "not share page%s%s with with %p or %p\n",
780  proc->pid, buffer, free_page_start ? "" : " end",
781  free_page_end ? "" : " start", prev, next);
782  binder_update_page_range(proc, 0, free_page_start ?
783  buffer_start_page(buffer) : buffer_end_page(buffer),
784  (free_page_end ? buffer_end_page(buffer) :
785  buffer_start_page(buffer)) + PAGE_SIZE, NULL);
786  }
787 }
788 
789 static void binder_free_buf(struct binder_proc *proc,
790  struct binder_buffer *buffer)
791 {
792  size_t size, buffer_size;
793 
794  buffer_size = binder_buffer_size(proc, buffer);
795 
796  size = ALIGN(buffer->data_size, sizeof(void *)) +
797  ALIGN(buffer->offsets_size, sizeof(void *));
798 
799  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
800  "binder: %d: binder_free_buf %p size %zd buffer"
801  "_size %zd\n", proc->pid, buffer, size, buffer_size);
802 
803  BUG_ON(buffer->free);
804  BUG_ON(size > buffer_size);
805  BUG_ON(buffer->transaction != NULL);
806  BUG_ON((void *)buffer < proc->buffer);
807  BUG_ON((void *)buffer > proc->buffer + proc->buffer_size);
808 
809  if (buffer->async_transaction) {
810  proc->free_async_space += size + sizeof(struct binder_buffer);
811 
812  binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
813  "binder: %d: binder_free_buf size %zd "
814  "async free %zd\n", proc->pid, size,
815  proc->free_async_space);
816  }
817 
818  binder_update_page_range(proc, 0,
819  (void *)PAGE_ALIGN((uintptr_t)buffer->data),
820  (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK),
821  NULL);
822  rb_erase(&buffer->rb_node, &proc->allocated_buffers);
823  buffer->free = 1;
824  if (!list_is_last(&buffer->entry, &proc->buffers)) {
825  struct binder_buffer *next = list_entry(buffer->entry.next,
826  struct binder_buffer, entry);
827  if (next->free) {
828  rb_erase(&next->rb_node, &proc->free_buffers);
829  binder_delete_free_buffer(proc, next);
830  }
831  }
832  if (proc->buffers.next != &buffer->entry) {
833  struct binder_buffer *prev = list_entry(buffer->entry.prev,
834  struct binder_buffer, entry);
835  if (prev->free) {
836  binder_delete_free_buffer(proc, buffer);
837  rb_erase(&prev->rb_node, &proc->free_buffers);
838  buffer = prev;
839  }
840  }
841  binder_insert_free_buffer(proc, buffer);
842 }
843 
844 static struct binder_node *binder_get_node(struct binder_proc *proc,
845  void __user *ptr)
846 {
847  struct rb_node *n = proc->nodes.rb_node;
848  struct binder_node *node;
849 
850  while (n) {
851  node = rb_entry(n, struct binder_node, rb_node);
852 
853  if (ptr < node->ptr)
854  n = n->rb_left;
855  else if (ptr > node->ptr)
856  n = n->rb_right;
857  else
858  return node;
859  }
860  return NULL;
861 }
862 
863 static struct binder_node *binder_new_node(struct binder_proc *proc,
864  void __user *ptr,
865  void __user *cookie)
866 {
867  struct rb_node **p = &proc->nodes.rb_node;
868  struct rb_node *parent = NULL;
869  struct binder_node *node;
870 
871  while (*p) {
872  parent = *p;
873  node = rb_entry(parent, struct binder_node, rb_node);
874 
875  if (ptr < node->ptr)
876  p = &(*p)->rb_left;
877  else if (ptr > node->ptr)
878  p = &(*p)->rb_right;
879  else
880  return NULL;
881  }
882 
883  node = kzalloc(sizeof(*node), GFP_KERNEL);
884  if (node == NULL)
885  return NULL;
886  binder_stats_created(BINDER_STAT_NODE);
887  rb_link_node(&node->rb_node, parent, p);
888  rb_insert_color(&node->rb_node, &proc->nodes);
889  node->debug_id = ++binder_last_id;
890  node->proc = proc;
891  node->ptr = ptr;
892  node->cookie = cookie;
893  node->work.type = BINDER_WORK_NODE;
894  INIT_LIST_HEAD(&node->work.entry);
895  INIT_LIST_HEAD(&node->async_todo);
896  binder_debug(BINDER_DEBUG_INTERNAL_REFS,
897  "binder: %d:%d node %d u%p c%p created\n",
898  proc->pid, current->pid, node->debug_id,
899  node->ptr, node->cookie);
900  return node;
901 }
902 
903 static int binder_inc_node(struct binder_node *node, int strong, int internal,
904  struct list_head *target_list)
905 {
906  if (strong) {
907  if (internal) {
908  if (target_list == NULL &&
909  node->internal_strong_refs == 0 &&
910  !(node == binder_context_mgr_node &&
911  node->has_strong_ref)) {
912  pr_err("binder: invalid inc strong "
913  "node for %d\n", node->debug_id);
914  return -EINVAL;
915  }
916  node->internal_strong_refs++;
917  } else
918  node->local_strong_refs++;
919  if (!node->has_strong_ref && target_list) {
920  list_del_init(&node->work.entry);
921  list_add_tail(&node->work.entry, target_list);
922  }
923  } else {
924  if (!internal)
925  node->local_weak_refs++;
926  if (!node->has_weak_ref && list_empty(&node->work.entry)) {
927  if (target_list == NULL) {
928  pr_err("binder: invalid inc weak node "
929  "for %d\n", node->debug_id);
930  return -EINVAL;
931  }
932  list_add_tail(&node->work.entry, target_list);
933  }
934  }
935  return 0;
936 }
937 
938 static int binder_dec_node(struct binder_node *node, int strong, int internal)
939 {
940  if (strong) {
941  if (internal)
942  node->internal_strong_refs--;
943  else
944  node->local_strong_refs--;
945  if (node->local_strong_refs || node->internal_strong_refs)
946  return 0;
947  } else {
948  if (!internal)
949  node->local_weak_refs--;
950  if (node->local_weak_refs || !hlist_empty(&node->refs))
951  return 0;
952  }
953  if (node->proc && (node->has_strong_ref || node->has_weak_ref)) {
954  if (list_empty(&node->work.entry)) {
955  list_add_tail(&node->work.entry, &node->proc->todo);
956  wake_up_interruptible(&node->proc->wait);
957  }
958  } else {
959  if (hlist_empty(&node->refs) && !node->local_strong_refs &&
960  !node->local_weak_refs) {
961  list_del_init(&node->work.entry);
962  if (node->proc) {
963  rb_erase(&node->rb_node, &node->proc->nodes);
964  binder_debug(BINDER_DEBUG_INTERNAL_REFS,
965  "binder: refless node %d deleted\n",
966  node->debug_id);
967  } else {
968  hlist_del(&node->dead_node);
969  binder_debug(BINDER_DEBUG_INTERNAL_REFS,
970  "binder: dead node %d deleted\n",
971  node->debug_id);
972  }
973  kfree(node);
974  binder_stats_deleted(BINDER_STAT_NODE);
975  }
976  }
977 
978  return 0;
979 }
980 
981 
982 static struct binder_ref *binder_get_ref(struct binder_proc *proc,
983  uint32_t desc)
984 {
985  struct rb_node *n = proc->refs_by_desc.rb_node;
986  struct binder_ref *ref;
987 
988  while (n) {
989  ref = rb_entry(n, struct binder_ref, rb_node_desc);
990 
991  if (desc < ref->desc)
992  n = n->rb_left;
993  else if (desc > ref->desc)
994  n = n->rb_right;
995  else
996  return ref;
997  }
998  return NULL;
999 }
1000 
1001 static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc,
1002  struct binder_node *node)
1003 {
1004  struct rb_node *n;
1005  struct rb_node **p = &proc->refs_by_node.rb_node;
1006  struct rb_node *parent = NULL;
1007  struct binder_ref *ref, *new_ref;
1008 
1009  while (*p) {
1010  parent = *p;
1011  ref = rb_entry(parent, struct binder_ref, rb_node_node);
1012 
1013  if (node < ref->node)
1014  p = &(*p)->rb_left;
1015  else if (node > ref->node)
1016  p = &(*p)->rb_right;
1017  else
1018  return ref;
1019  }
1020  new_ref = kzalloc(sizeof(*ref), GFP_KERNEL);
1021  if (new_ref == NULL)
1022  return NULL;
1023  binder_stats_created(BINDER_STAT_REF);
1024  new_ref->debug_id = ++binder_last_id;
1025  new_ref->proc = proc;
1026  new_ref->node = node;
1027  rb_link_node(&new_ref->rb_node_node, parent, p);
1028  rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
1029 
1030  new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1;
1031  for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
1032  ref = rb_entry(n, struct binder_ref, rb_node_desc);
1033  if (ref->desc > new_ref->desc)
1034  break;
1035  new_ref->desc = ref->desc + 1;
1036  }
1037 
1038  p = &proc->refs_by_desc.rb_node;
1039  while (*p) {
1040  parent = *p;
1041  ref = rb_entry(parent, struct binder_ref, rb_node_desc);
1042 
1043  if (new_ref->desc < ref->desc)
1044  p = &(*p)->rb_left;
1045  else if (new_ref->desc > ref->desc)
1046  p = &(*p)->rb_right;
1047  else
1048  BUG();
1049  }
1050  rb_link_node(&new_ref->rb_node_desc, parent, p);
1051  rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
1052  if (node) {
1053  hlist_add_head(&new_ref->node_entry, &node->refs);
1054 
1055  binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1056  "binder: %d new ref %d desc %d for "
1057  "node %d\n", proc->pid, new_ref->debug_id,
1058  new_ref->desc, node->debug_id);
1059  } else {
1060  binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1061  "binder: %d new ref %d desc %d for "
1062  "dead node\n", proc->pid, new_ref->debug_id,
1063  new_ref->desc);
1064  }
1065  return new_ref;
1066 }
1067 
1068 static void binder_delete_ref(struct binder_ref *ref)
1069 {
1070  binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1071  "binder: %d delete ref %d desc %d for "
1072  "node %d\n", ref->proc->pid, ref->debug_id,
1073  ref->desc, ref->node->debug_id);
1074 
1075  rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc);
1076  rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node);
1077  if (ref->strong)
1078  binder_dec_node(ref->node, 1, 1);
1079  hlist_del(&ref->node_entry);
1080  binder_dec_node(ref->node, 0, 1);
1081  if (ref->death) {
1082  binder_debug(BINDER_DEBUG_DEAD_BINDER,
1083  "binder: %d delete ref %d desc %d "
1084  "has death notification\n", ref->proc->pid,
1085  ref->debug_id, ref->desc);
1086  list_del(&ref->death->work.entry);
1087  kfree(ref->death);
1088  binder_stats_deleted(BINDER_STAT_DEATH);
1089  }
1090  kfree(ref);
1091  binder_stats_deleted(BINDER_STAT_REF);
1092 }
1093 
1094 static int binder_inc_ref(struct binder_ref *ref, int strong,
1095  struct list_head *target_list)
1096 {
1097  int ret;
1098  if (strong) {
1099  if (ref->strong == 0) {
1100  ret = binder_inc_node(ref->node, 1, 1, target_list);
1101  if (ret)
1102  return ret;
1103  }
1104  ref->strong++;
1105  } else {
1106  if (ref->weak == 0) {
1107  ret = binder_inc_node(ref->node, 0, 1, target_list);
1108  if (ret)
1109  return ret;
1110  }
1111  ref->weak++;
1112  }
1113  return 0;
1114 }
1115 
1116 
1117 static int binder_dec_ref(struct binder_ref *ref, int strong)
1118 {
1119  if (strong) {
1120  if (ref->strong == 0) {
1121  binder_user_error("binder: %d invalid dec strong, "
1122  "ref %d desc %d s %d w %d\n",
1123  ref->proc->pid, ref->debug_id,
1124  ref->desc, ref->strong, ref->weak);
1125  return -EINVAL;
1126  }
1127  ref->strong--;
1128  if (ref->strong == 0) {
1129  int ret;
1130  ret = binder_dec_node(ref->node, strong, 1);
1131  if (ret)
1132  return ret;
1133  }
1134  } else {
1135  if (ref->weak == 0) {
1136  binder_user_error("binder: %d invalid dec weak, "
1137  "ref %d desc %d s %d w %d\n",
1138  ref->proc->pid, ref->debug_id,
1139  ref->desc, ref->strong, ref->weak);
1140  return -EINVAL;
1141  }
1142  ref->weak--;
1143  }
1144  if (ref->strong == 0 && ref->weak == 0)
1145  binder_delete_ref(ref);
1146  return 0;
1147 }
1148 
1149 static void binder_pop_transaction(struct binder_thread *target_thread,
1150  struct binder_transaction *t)
1151 {
1152  if (target_thread) {
1153  BUG_ON(target_thread->transaction_stack != t);
1154  BUG_ON(target_thread->transaction_stack->from != target_thread);
1155  target_thread->transaction_stack =
1156  target_thread->transaction_stack->from_parent;
1157  t->from = NULL;
1158  }
1159  t->need_reply = 0;
1160  if (t->buffer)
1161  t->buffer->transaction = NULL;
1162  kfree(t);
1163  binder_stats_deleted(BINDER_STAT_TRANSACTION);
1164 }
1165 
1166 static void binder_send_failed_reply(struct binder_transaction *t,
1167  uint32_t error_code)
1168 {
1169  struct binder_thread *target_thread;
1170  BUG_ON(t->flags & TF_ONE_WAY);
1171  while (1) {
1172  target_thread = t->from;
1173  if (target_thread) {
1174  if (target_thread->return_error != BR_OK &&
1175  target_thread->return_error2 == BR_OK) {
1176  target_thread->return_error2 =
1177  target_thread->return_error;
1178  target_thread->return_error = BR_OK;
1179  }
1180  if (target_thread->return_error == BR_OK) {
1181  binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
1182  "binder: send failed reply for "
1183  "transaction %d to %d:%d\n",
1184  t->debug_id, target_thread->proc->pid,
1185  target_thread->pid);
1186 
1187  binder_pop_transaction(target_thread, t);
1188  target_thread->return_error = error_code;
1189  wake_up_interruptible(&target_thread->wait);
1190  } else {
1191  pr_err("binder: reply failed, target "
1192  "thread, %d:%d, has error code %d "
1193  "already\n", target_thread->proc->pid,
1194  target_thread->pid,
1195  target_thread->return_error);
1196  }
1197  return;
1198  } else {
1199  struct binder_transaction *next = t->from_parent;
1200 
1201  binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
1202  "binder: send failed reply "
1203  "for transaction %d, target dead\n",
1204  t->debug_id);
1205 
1206  binder_pop_transaction(target_thread, t);
1207  if (next == NULL) {
1208  binder_debug(BINDER_DEBUG_DEAD_BINDER,
1209  "binder: reply failed,"
1210  " no target thread at root\n");
1211  return;
1212  }
1213  t = next;
1214  binder_debug(BINDER_DEBUG_DEAD_BINDER,
1215  "binder: reply failed, no target "
1216  "thread -- retry %d\n", t->debug_id);
1217  }
1218  }
1219 }
1220 
1221 static void binder_transaction_buffer_release(struct binder_proc *proc,
1222  struct binder_buffer *buffer,
1223  size_t *failed_at)
1224 {
1225  size_t *offp, *off_end;
1226  int debug_id = buffer->debug_id;
1227 
1228  binder_debug(BINDER_DEBUG_TRANSACTION,
1229  "binder: %d buffer release %d, size %zd-%zd, failed at %p\n",
1230  proc->pid, buffer->debug_id,
1231  buffer->data_size, buffer->offsets_size, failed_at);
1232 
1233  if (buffer->target_node)
1234  binder_dec_node(buffer->target_node, 1, 0);
1235 
1236  offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *)));
1237  if (failed_at)
1238  off_end = failed_at;
1239  else
1240  off_end = (void *)offp + buffer->offsets_size;
1241  for (; offp < off_end; offp++) {
1242  struct flat_binder_object *fp;
1243  if (*offp > buffer->data_size - sizeof(*fp) ||
1244  buffer->data_size < sizeof(*fp) ||
1245  !IS_ALIGNED(*offp, sizeof(void *))) {
1246  pr_err("binder: transaction release %d bad"
1247  "offset %zd, size %zd\n", debug_id,
1248  *offp, buffer->data_size);
1249  continue;
1250  }
1251  fp = (struct flat_binder_object *)(buffer->data + *offp);
1252  switch (fp->type) {
1253  case BINDER_TYPE_BINDER:
1254  case BINDER_TYPE_WEAK_BINDER: {
1255  struct binder_node *node = binder_get_node(proc, fp->binder);
1256  if (node == NULL) {
1257  pr_err("binder: transaction release %d"
1258  " bad node %p\n", debug_id, fp->binder);
1259  break;
1260  }
1261  binder_debug(BINDER_DEBUG_TRANSACTION,
1262  " node %d u%p\n",
1263  node->debug_id, node->ptr);
1264  binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0);
1265  } break;
1266  case BINDER_TYPE_HANDLE:
1267  case BINDER_TYPE_WEAK_HANDLE: {
1268  struct binder_ref *ref = binder_get_ref(proc, fp->handle);
1269  if (ref == NULL) {
1270  pr_err("binder: transaction release %d"
1271  " bad handle %ld\n", debug_id,
1272  fp->handle);
1273  break;
1274  }
1275  binder_debug(BINDER_DEBUG_TRANSACTION,
1276  " ref %d desc %d (node %d)\n",
1277  ref->debug_id, ref->desc, ref->node->debug_id);
1278  binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE);
1279  } break;
1280 
1281  case BINDER_TYPE_FD:
1282  binder_debug(BINDER_DEBUG_TRANSACTION,
1283  " fd %ld\n", fp->handle);
1284  if (failed_at)
1285  task_close_fd(proc, fp->handle);
1286  break;
1287 
1288  default:
1289  pr_err("binder: transaction release %d bad "
1290  "object type %lx\n", debug_id, fp->type);
1291  break;
1292  }
1293  }
1294 }
1295 
1296 static void binder_transaction(struct binder_proc *proc,
1297  struct binder_thread *thread,
1298  struct binder_transaction_data *tr, int reply)
1299 {
1300  struct binder_transaction *t;
1301  struct binder_work *tcomplete;
1302  size_t *offp, *off_end;
1303  struct binder_proc *target_proc;
1304  struct binder_thread *target_thread = NULL;
1305  struct binder_node *target_node = NULL;
1306  struct list_head *target_list;
1307  wait_queue_head_t *target_wait;
1308  struct binder_transaction *in_reply_to = NULL;
1309  struct binder_transaction_log_entry *e;
1310  uint32_t return_error;
1311 
1312  e = binder_transaction_log_add(&binder_transaction_log);
1313  e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
1314  e->from_proc = proc->pid;
1315  e->from_thread = thread->pid;
1316  e->target_handle = tr->target.handle;
1317  e->data_size = tr->data_size;
1318  e->offsets_size = tr->offsets_size;
1319 
1320  if (reply) {
1321  in_reply_to = thread->transaction_stack;
1322  if (in_reply_to == NULL) {
1323  binder_user_error("binder: %d:%d got reply transaction "
1324  "with no transaction stack\n",
1325  proc->pid, thread->pid);
1326  return_error = BR_FAILED_REPLY;
1327  goto err_empty_call_stack;
1328  }
1329  binder_set_nice(in_reply_to->saved_priority);
1330  if (in_reply_to->to_thread != thread) {
1331  binder_user_error("binder: %d:%d got reply transaction "
1332  "with bad transaction stack,"
1333  " transaction %d has target %d:%d\n",
1334  proc->pid, thread->pid, in_reply_to->debug_id,
1335  in_reply_to->to_proc ?
1336  in_reply_to->to_proc->pid : 0,
1337  in_reply_to->to_thread ?
1338  in_reply_to->to_thread->pid : 0);
1339  return_error = BR_FAILED_REPLY;
1340  in_reply_to = NULL;
1341  goto err_bad_call_stack;
1342  }
1343  thread->transaction_stack = in_reply_to->to_parent;
1344  target_thread = in_reply_to->from;
1345  if (target_thread == NULL) {
1346  return_error = BR_DEAD_REPLY;
1347  goto err_dead_binder;
1348  }
1349  if (target_thread->transaction_stack != in_reply_to) {
1350  binder_user_error("binder: %d:%d got reply transaction "
1351  "with bad target transaction stack %d, "
1352  "expected %d\n",
1353  proc->pid, thread->pid,
1354  target_thread->transaction_stack ?
1355  target_thread->transaction_stack->debug_id : 0,
1356  in_reply_to->debug_id);
1357  return_error = BR_FAILED_REPLY;
1358  in_reply_to = NULL;
1359  target_thread = NULL;
1360  goto err_dead_binder;
1361  }
1362  target_proc = target_thread->proc;
1363  } else {
1364  if (tr->target.handle) {
1365  struct binder_ref *ref;
1366  ref = binder_get_ref(proc, tr->target.handle);
1367  if (ref == NULL) {
1368  binder_user_error("binder: %d:%d got "
1369  "transaction to invalid handle\n",
1370  proc->pid, thread->pid);
1371  return_error = BR_FAILED_REPLY;
1372  goto err_invalid_target_handle;
1373  }
1374  target_node = ref->node;
1375  } else {
1376  target_node = binder_context_mgr_node;
1377  if (target_node == NULL) {
1378  return_error = BR_DEAD_REPLY;
1379  goto err_no_context_mgr_node;
1380  }
1381  }
1382  e->to_node = target_node->debug_id;
1383  target_proc = target_node->proc;
1384  if (target_proc == NULL) {
1385  return_error = BR_DEAD_REPLY;
1386  goto err_dead_binder;
1387  }
1388  if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
1389  struct binder_transaction *tmp;
1390  tmp = thread->transaction_stack;
1391  if (tmp->to_thread != thread) {
1392  binder_user_error("binder: %d:%d got new "
1393  "transaction with bad transaction stack"
1394  ", transaction %d has target %d:%d\n",
1395  proc->pid, thread->pid, tmp->debug_id,
1396  tmp->to_proc ? tmp->to_proc->pid : 0,
1397  tmp->to_thread ?
1398  tmp->to_thread->pid : 0);
1399  return_error = BR_FAILED_REPLY;
1400  goto err_bad_call_stack;
1401  }
1402  while (tmp) {
1403  if (tmp->from && tmp->from->proc == target_proc)
1404  target_thread = tmp->from;
1405  tmp = tmp->from_parent;
1406  }
1407  }
1408  }
1409  if (target_thread) {
1410  e->to_thread = target_thread->pid;
1411  target_list = &target_thread->todo;
1412  target_wait = &target_thread->wait;
1413  } else {
1414  target_list = &target_proc->todo;
1415  target_wait = &target_proc->wait;
1416  }
1417  e->to_proc = target_proc->pid;
1418 
1419  /* TODO: reuse incoming transaction for reply */
1420  t = kzalloc(sizeof(*t), GFP_KERNEL);
1421  if (t == NULL) {
1422  return_error = BR_FAILED_REPLY;
1423  goto err_alloc_t_failed;
1424  }
1425  binder_stats_created(BINDER_STAT_TRANSACTION);
1426 
1427  tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
1428  if (tcomplete == NULL) {
1429  return_error = BR_FAILED_REPLY;
1430  goto err_alloc_tcomplete_failed;
1431  }
1432  binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);
1433 
1434  t->debug_id = ++binder_last_id;
1435  e->debug_id = t->debug_id;
1436 
1437  if (reply)
1438  binder_debug(BINDER_DEBUG_TRANSACTION,
1439  "binder: %d:%d BC_REPLY %d -> %d:%d, "
1440  "data %p-%p size %zd-%zd\n",
1441  proc->pid, thread->pid, t->debug_id,
1442  target_proc->pid, target_thread->pid,
1443  tr->data.ptr.buffer, tr->data.ptr.offsets,
1444  tr->data_size, tr->offsets_size);
1445  else
1446  binder_debug(BINDER_DEBUG_TRANSACTION,
1447  "binder: %d:%d BC_TRANSACTION %d -> "
1448  "%d - node %d, data %p-%p size %zd-%zd\n",
1449  proc->pid, thread->pid, t->debug_id,
1450  target_proc->pid, target_node->debug_id,
1451  tr->data.ptr.buffer, tr->data.ptr.offsets,
1452  tr->data_size, tr->offsets_size);
1453 
1454  if (!reply && !(tr->flags & TF_ONE_WAY))
1455  t->from = thread;
1456  else
1457  t->from = NULL;
1458  t->sender_euid = proc->tsk->cred->euid;
1459  t->to_proc = target_proc;
1460  t->to_thread = target_thread;
1461  t->code = tr->code;
1462  t->flags = tr->flags;
1463  t->priority = task_nice(current);
1464  t->buffer = binder_alloc_buf(target_proc, tr->data_size,
1465  tr->offsets_size, !reply && (t->flags & TF_ONE_WAY));
1466  if (t->buffer == NULL) {
1467  return_error = BR_FAILED_REPLY;
1468  goto err_binder_alloc_buf_failed;
1469  }
1470  t->buffer->allow_user_free = 0;
1471  t->buffer->debug_id = t->debug_id;
1472  t->buffer->transaction = t;
1473  t->buffer->target_node = target_node;
1474  if (target_node)
1475  binder_inc_node(target_node, 1, 0, NULL);
1476 
1477  offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *)));
1478 
1479  if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) {
1480  binder_user_error("binder: %d:%d got transaction with invalid "
1481  "data ptr\n", proc->pid, thread->pid);
1482  return_error = BR_FAILED_REPLY;
1483  goto err_copy_data_failed;
1484  }
1485  if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) {
1486  binder_user_error("binder: %d:%d got transaction with invalid "
1487  "offsets ptr\n", proc->pid, thread->pid);
1488  return_error = BR_FAILED_REPLY;
1489  goto err_copy_data_failed;
1490  }
1491  if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) {
1492  binder_user_error("binder: %d:%d got transaction with "
1493  "invalid offsets size, %zd\n",
1494  proc->pid, thread->pid, tr->offsets_size);
1495  return_error = BR_FAILED_REPLY;
1496  goto err_bad_offset;
1497  }
1498  off_end = (void *)offp + tr->offsets_size;
1499  for (; offp < off_end; offp++) {
1500  struct flat_binder_object *fp;
1501  if (*offp > t->buffer->data_size - sizeof(*fp) ||
1502  t->buffer->data_size < sizeof(*fp) ||
1503  !IS_ALIGNED(*offp, sizeof(void *))) {
1504  binder_user_error("binder: %d:%d got transaction with "
1505  "invalid offset, %zd\n",
1506  proc->pid, thread->pid, *offp);
1507  return_error = BR_FAILED_REPLY;
1508  goto err_bad_offset;
1509  }
1510  fp = (struct flat_binder_object *)(t->buffer->data + *offp);
1511  switch (fp->type) {
1512  case BINDER_TYPE_BINDER:
1513  case BINDER_TYPE_WEAK_BINDER: {
1514  struct binder_ref *ref;
1515  struct binder_node *node = binder_get_node(proc, fp->binder);
1516  if (node == NULL) {
1517  node = binder_new_node(proc, fp->binder, fp->cookie);
1518  if (node == NULL) {
1519  return_error = BR_FAILED_REPLY;
1520  goto err_binder_new_node_failed;
1521  }
1522  node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
1523  node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
1524  }
1525  if (fp->cookie != node->cookie) {
1526  binder_user_error("binder: %d:%d sending u%p "
1527  "node %d, cookie mismatch %p != %p\n",
1528  proc->pid, thread->pid,
1529  fp->binder, node->debug_id,
1530  fp->cookie, node->cookie);
1531  goto err_binder_get_ref_for_node_failed;
1532  }
1533  ref = binder_get_ref_for_node(target_proc, node);
1534  if (ref == NULL) {
1535  return_error = BR_FAILED_REPLY;
1536  goto err_binder_get_ref_for_node_failed;
1537  }
1538  if (fp->type == BINDER_TYPE_BINDER)
1539  fp->type = BINDER_TYPE_HANDLE;
1540  else
1541  fp->type = BINDER_TYPE_WEAK_HANDLE;
1542  fp->handle = ref->desc;
1543  binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
1544  &thread->todo);
1545 
1546  binder_debug(BINDER_DEBUG_TRANSACTION,
1547  " node %d u%p -> ref %d desc %d\n",
1548  node->debug_id, node->ptr, ref->debug_id,
1549  ref->desc);
1550  } break;
1551  case BINDER_TYPE_HANDLE:
1552  case BINDER_TYPE_WEAK_HANDLE: {
1553  struct binder_ref *ref = binder_get_ref(proc, fp->handle);
1554  if (ref == NULL) {
1555  binder_user_error("binder: %d:%d got "
1556  "transaction with invalid "
1557  "handle, %ld\n", proc->pid,
1558  thread->pid, fp->handle);
1559  return_error = BR_FAILED_REPLY;
1560  goto err_binder_get_ref_failed;
1561  }
1562  if (ref->node->proc == target_proc) {
1563  if (fp->type == BINDER_TYPE_HANDLE)
1564  fp->type = BINDER_TYPE_BINDER;
1565  else
1566  fp->type = BINDER_TYPE_WEAK_BINDER;
1567  fp->binder = ref->node->ptr;
1568  fp->cookie = ref->node->cookie;
1569  binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL);
1570  binder_debug(BINDER_DEBUG_TRANSACTION,
1571  " ref %d desc %d -> node %d u%p\n",
1572  ref->debug_id, ref->desc, ref->node->debug_id,
1573  ref->node->ptr);
1574  } else {
1575  struct binder_ref *new_ref;
1576  new_ref = binder_get_ref_for_node(target_proc, ref->node);
1577  if (new_ref == NULL) {
1578  return_error = BR_FAILED_REPLY;
1579  goto err_binder_get_ref_for_node_failed;
1580  }
1581  fp->handle = new_ref->desc;
1582  binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
1583  binder_debug(BINDER_DEBUG_TRANSACTION,
1584  " ref %d desc %d -> ref %d desc %d (node %d)\n",
1585  ref->debug_id, ref->desc, new_ref->debug_id,
1586  new_ref->desc, ref->node->debug_id);
1587  }
1588  } break;
1589 
1590  case BINDER_TYPE_FD: {
1591  int target_fd;
1592  struct file *file;
1593 
1594  if (reply) {
1595  if (!(in_reply_to->flags & TF_ACCEPT_FDS)) {
1596  binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n",
1597  proc->pid, thread->pid, fp->handle);
1598  return_error = BR_FAILED_REPLY;
1599  goto err_fd_not_allowed;
1600  }
1601  } else if (!target_node->accept_fds) {
1602  binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n",
1603  proc->pid, thread->pid, fp->handle);
1604  return_error = BR_FAILED_REPLY;
1605  goto err_fd_not_allowed;
1606  }
1607 
1608  file = fget(fp->handle);
1609  if (file == NULL) {
1610  binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n",
1611  proc->pid, thread->pid, fp->handle);
1612  return_error = BR_FAILED_REPLY;
1613  goto err_fget_failed;
1614  }
1615  target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC);
1616  if (target_fd < 0) {
1617  fput(file);
1618  return_error = BR_FAILED_REPLY;
1619  goto err_get_unused_fd_failed;
1620  }
1621  task_fd_install(target_proc, target_fd, file);
1622  binder_debug(BINDER_DEBUG_TRANSACTION,
1623  " fd %ld -> %d\n", fp->handle, target_fd);
1624  /* TODO: fput? */
1625  fp->handle = target_fd;
1626  } break;
1627 
1628  default:
1629  binder_user_error("binder: %d:%d got transactio"
1630  "n with invalid object type, %lx\n",
1631  proc->pid, thread->pid, fp->type);
1632  return_error = BR_FAILED_REPLY;
1633  goto err_bad_object_type;
1634  }
1635  }
1636  if (reply) {
1637  BUG_ON(t->buffer->async_transaction != 0);
1638  binder_pop_transaction(target_thread, in_reply_to);
1639  } else if (!(t->flags & TF_ONE_WAY)) {
1640  BUG_ON(t->buffer->async_transaction != 0);
1641  t->need_reply = 1;
1642  t->from_parent = thread->transaction_stack;
1643  thread->transaction_stack = t;
1644  } else {
1645  BUG_ON(target_node == NULL);
1646  BUG_ON(t->buffer->async_transaction != 1);
1647  if (target_node->has_async_transaction) {
1648  target_list = &target_node->async_todo;
1649  target_wait = NULL;
1650  } else
1651  target_node->has_async_transaction = 1;
1652  }
1653  t->work.type = BINDER_WORK_TRANSACTION;
1654  list_add_tail(&t->work.entry, target_list);
1655  tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
1656  list_add_tail(&tcomplete->entry, &thread->todo);
1657  if (target_wait)
1658  wake_up_interruptible(target_wait);
1659  return;
1660 
1661 err_get_unused_fd_failed:
1662 err_fget_failed:
1663 err_fd_not_allowed:
1664 err_binder_get_ref_for_node_failed:
1665 err_binder_get_ref_failed:
1666 err_binder_new_node_failed:
1667 err_bad_object_type:
1668 err_bad_offset:
1669 err_copy_data_failed:
1670  binder_transaction_buffer_release(target_proc, t->buffer, offp);
1671  t->buffer->transaction = NULL;
1672  binder_free_buf(target_proc, t->buffer);
1673 err_binder_alloc_buf_failed:
1674  kfree(tcomplete);
1675  binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
1676 err_alloc_tcomplete_failed:
1677  kfree(t);
1678  binder_stats_deleted(BINDER_STAT_TRANSACTION);
1679 err_alloc_t_failed:
1680 err_bad_call_stack:
1681 err_empty_call_stack:
1682 err_dead_binder:
1683 err_invalid_target_handle:
1684 err_no_context_mgr_node:
1685  binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
1686  "binder: %d:%d transaction failed %d, size %zd-%zd\n",
1687  proc->pid, thread->pid, return_error,
1688  tr->data_size, tr->offsets_size);
1689 
1690  {
1691  struct binder_transaction_log_entry *fe;
1692  fe = binder_transaction_log_add(&binder_transaction_log_failed);
1693  *fe = *e;
1694  }
1695 
1696  BUG_ON(thread->return_error != BR_OK);
1697  if (in_reply_to) {
1698  thread->return_error = BR_TRANSACTION_COMPLETE;
1699  binder_send_failed_reply(in_reply_to, return_error);
1700  } else
1701  thread->return_error = return_error;
1702 }
1703 
1704 int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
1705  void __user *buffer, int size, signed long *consumed)
1706 {
1707  uint32_t cmd;
1708  void __user *ptr = buffer + *consumed;
1709  void __user *end = buffer + size;
1710 
1711  while (ptr < end && thread->return_error == BR_OK) {
1712  if (get_user(cmd, (uint32_t __user *)ptr))
1713  return -EFAULT;
1714  ptr += sizeof(uint32_t);
1715  if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {
1716  binder_stats.bc[_IOC_NR(cmd)]++;
1717  proc->stats.bc[_IOC_NR(cmd)]++;
1718  thread->stats.bc[_IOC_NR(cmd)]++;
1719  }
1720  switch (cmd) {
1721  case BC_INCREFS:
1722  case BC_ACQUIRE:
1723  case BC_RELEASE:
1724  case BC_DECREFS: {
1725  uint32_t target;
1726  struct binder_ref *ref;
1727  const char *debug_string;
1728 
1729  if (get_user(target, (uint32_t __user *)ptr))
1730  return -EFAULT;
1731  ptr += sizeof(uint32_t);
1732  if (target == 0 && binder_context_mgr_node &&
1733  (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) {
1734  ref = binder_get_ref_for_node(proc,
1735  binder_context_mgr_node);
1736  if (ref->desc != target) {
1737  binder_user_error("binder: %d:"
1738  "%d tried to acquire "
1739  "reference to desc 0, "
1740  "got %d instead\n",
1741  proc->pid, thread->pid,
1742  ref->desc);
1743  }
1744  } else
1745  ref = binder_get_ref(proc, target);
1746  if (ref == NULL) {
1747  binder_user_error("binder: %d:%d refcou"
1748  "nt change on invalid ref %d\n",
1749  proc->pid, thread->pid, target);
1750  break;
1751  }
1752  switch (cmd) {
1753  case BC_INCREFS:
1754  debug_string = "IncRefs";
1755  binder_inc_ref(ref, 0, NULL);
1756  break;
1757  case BC_ACQUIRE:
1758  debug_string = "Acquire";
1759  binder_inc_ref(ref, 1, NULL);
1760  break;
1761  case BC_RELEASE:
1762  debug_string = "Release";
1763  binder_dec_ref(ref, 1);
1764  break;
1765  case BC_DECREFS:
1766  default:
1767  debug_string = "DecRefs";
1768  binder_dec_ref(ref, 0);
1769  break;
1770  }
1771  binder_debug(BINDER_DEBUG_USER_REFS,
1772  "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n",
1773  proc->pid, thread->pid, debug_string, ref->debug_id,
1774  ref->desc, ref->strong, ref->weak, ref->node->debug_id);
1775  break;
1776  }
1777  case BC_INCREFS_DONE:
1778  case BC_ACQUIRE_DONE: {
1779  void __user *node_ptr;
1780  void *cookie;
1781  struct binder_node *node;
1782 
1783  if (get_user(node_ptr, (void * __user *)ptr))
1784  return -EFAULT;
1785  ptr += sizeof(void *);
1786  if (get_user(cookie, (void * __user *)ptr))
1787  return -EFAULT;
1788  ptr += sizeof(void *);
1789  node = binder_get_node(proc, node_ptr);
1790  if (node == NULL) {
1791  binder_user_error("binder: %d:%d "
1792  "%s u%p no match\n",
1793  proc->pid, thread->pid,
1794  cmd == BC_INCREFS_DONE ?
1795  "BC_INCREFS_DONE" :
1796  "BC_ACQUIRE_DONE",
1797  node_ptr);
1798  break;
1799  }
1800  if (cookie != node->cookie) {
1801  binder_user_error("binder: %d:%d %s u%p node %d"
1802  " cookie mismatch %p != %p\n",
1803  proc->pid, thread->pid,
1804  cmd == BC_INCREFS_DONE ?
1805  "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
1806  node_ptr, node->debug_id,
1807  cookie, node->cookie);
1808  break;
1809  }
1810  if (cmd == BC_ACQUIRE_DONE) {
1811  if (node->pending_strong_ref == 0) {
1812  binder_user_error("binder: %d:%d "
1813  "BC_ACQUIRE_DONE node %d has "
1814  "no pending acquire request\n",
1815  proc->pid, thread->pid,
1816  node->debug_id);
1817  break;
1818  }
1819  node->pending_strong_ref = 0;
1820  } else {
1821  if (node->pending_weak_ref == 0) {
1822  binder_user_error("binder: %d:%d "
1823  "BC_INCREFS_DONE node %d has "
1824  "no pending increfs request\n",
1825  proc->pid, thread->pid,
1826  node->debug_id);
1827  break;
1828  }
1829  node->pending_weak_ref = 0;
1830  }
1831  binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0);
1832  binder_debug(BINDER_DEBUG_USER_REFS,
1833  "binder: %d:%d %s node %d ls %d lw %d\n",
1834  proc->pid, thread->pid,
1835  cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
1836  node->debug_id, node->local_strong_refs, node->local_weak_refs);
1837  break;
1838  }
1839  case BC_ATTEMPT_ACQUIRE:
1840  pr_err("binder: BC_ATTEMPT_ACQUIRE not supported\n");
1841  return -EINVAL;
1842  case BC_ACQUIRE_RESULT:
1843  pr_err("binder: BC_ACQUIRE_RESULT not supported\n");
1844  return -EINVAL;
1845 
1846  case BC_FREE_BUFFER: {
1847  void __user *data_ptr;
1848  struct binder_buffer *buffer;
1849 
1850  if (get_user(data_ptr, (void * __user *)ptr))
1851  return -EFAULT;
1852  ptr += sizeof(void *);
1853 
1854  buffer = binder_buffer_lookup(proc, data_ptr);
1855  if (buffer == NULL) {
1856  binder_user_error("binder: %d:%d "
1857  "BC_FREE_BUFFER u%p no match\n",
1858  proc->pid, thread->pid, data_ptr);
1859  break;
1860  }
1861  if (!buffer->allow_user_free) {
1862  binder_user_error("binder: %d:%d "
1863  "BC_FREE_BUFFER u%p matched "
1864  "unreturned buffer\n",
1865  proc->pid, thread->pid, data_ptr);
1866  break;
1867  }
1868  binder_debug(BINDER_DEBUG_FREE_BUFFER,
1869  "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n",
1870  proc->pid, thread->pid, data_ptr, buffer->debug_id,
1871  buffer->transaction ? "active" : "finished");
1872 
1873  if (buffer->transaction) {
1874  buffer->transaction->buffer = NULL;
1875  buffer->transaction = NULL;
1876  }
1877  if (buffer->async_transaction && buffer->target_node) {
1878  BUG_ON(!buffer->target_node->has_async_transaction);
1879  if (list_empty(&buffer->target_node->async_todo))
1880  buffer->target_node->has_async_transaction = 0;
1881  else
1882  list_move_tail(buffer->target_node->async_todo.next, &thread->todo);
1883  }
1884  binder_transaction_buffer_release(proc, buffer, NULL);
1885  binder_free_buf(proc, buffer);
1886  break;
1887  }
1888 
1889  case BC_TRANSACTION:
1890  case BC_REPLY: {
1891  struct binder_transaction_data tr;
1892 
1893  if (copy_from_user(&tr, ptr, sizeof(tr)))
1894  return -EFAULT;
1895  ptr += sizeof(tr);
1896  binder_transaction(proc, thread, &tr, cmd == BC_REPLY);
1897  break;
1898  }
1899 
1900  case BC_REGISTER_LOOPER:
1901  binder_debug(BINDER_DEBUG_THREADS,
1902  "binder: %d:%d BC_REGISTER_LOOPER\n",
1903  proc->pid, thread->pid);
1904  if (thread->looper & BINDER_LOOPER_STATE_ENTERED) {
1905  thread->looper |= BINDER_LOOPER_STATE_INVALID;
1906  binder_user_error("binder: %d:%d ERROR:"
1907  " BC_REGISTER_LOOPER called "
1908  "after BC_ENTER_LOOPER\n",
1909  proc->pid, thread->pid);
1910  } else if (proc->requested_threads == 0) {
1911  thread->looper |= BINDER_LOOPER_STATE_INVALID;
1912  binder_user_error("binder: %d:%d ERROR:"
1913  " BC_REGISTER_LOOPER called "
1914  "without request\n",
1915  proc->pid, thread->pid);
1916  } else {
1917  proc->requested_threads--;
1918  proc->requested_threads_started++;
1919  }
1920  thread->looper |= BINDER_LOOPER_STATE_REGISTERED;
1921  break;
1922  case BC_ENTER_LOOPER:
1923  binder_debug(BINDER_DEBUG_THREADS,
1924  "binder: %d:%d BC_ENTER_LOOPER\n",
1925  proc->pid, thread->pid);
1926  if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {
1927  thread->looper |= BINDER_LOOPER_STATE_INVALID;
1928  binder_user_error("binder: %d:%d ERROR:"
1929  " BC_ENTER_LOOPER called after "
1930  "BC_REGISTER_LOOPER\n",
1931  proc->pid, thread->pid);
1932  }
1933  thread->looper |= BINDER_LOOPER_STATE_ENTERED;
1934  break;
1935  case BC_EXIT_LOOPER:
1936  binder_debug(BINDER_DEBUG_THREADS,
1937  "binder: %d:%d BC_EXIT_LOOPER\n",
1938  proc->pid, thread->pid);
1939  thread->looper |= BINDER_LOOPER_STATE_EXITED;
1940  break;
1941 
1942  case BC_REQUEST_DEATH_NOTIFICATION:
1943  case BC_CLEAR_DEATH_NOTIFICATION: {
1944  uint32_t target;
1945  void __user *cookie;
1946  struct binder_ref *ref;
1947  struct binder_ref_death *death;
1948 
1949  if (get_user(target, (uint32_t __user *)ptr))
1950  return -EFAULT;
1951  ptr += sizeof(uint32_t);
1952  if (get_user(cookie, (void __user * __user *)ptr))
1953  return -EFAULT;
1954  ptr += sizeof(void *);
1955  ref = binder_get_ref(proc, target);
1956  if (ref == NULL) {
1957  binder_user_error("binder: %d:%d %s "
1958  "invalid ref %d\n",
1959  proc->pid, thread->pid,
1960  cmd == BC_REQUEST_DEATH_NOTIFICATION ?
1961  "BC_REQUEST_DEATH_NOTIFICATION" :
1962  "BC_CLEAR_DEATH_NOTIFICATION",
1963  target);
1964  break;
1965  }
1966 
1967  binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
1968  "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n",
1969  proc->pid, thread->pid,
1970  cmd == BC_REQUEST_DEATH_NOTIFICATION ?
1971  "BC_REQUEST_DEATH_NOTIFICATION" :
1972  "BC_CLEAR_DEATH_NOTIFICATION",
1973  cookie, ref->debug_id, ref->desc,
1974  ref->strong, ref->weak, ref->node->debug_id);
1975 
1976  if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
1977  if (ref->death) {
1978  binder_user_error("binder: %d:%"
1979  "d BC_REQUEST_DEATH_NOTI"
1980  "FICATION death notific"
1981  "ation already set\n",
1982  proc->pid, thread->pid);
1983  break;
1984  }
1985  death = kzalloc(sizeof(*death), GFP_KERNEL);
1986  if (death == NULL) {
1987  thread->return_error = BR_ERROR;
1988  binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
1989  "binder: %d:%d "
1990  "BC_REQUEST_DEATH_NOTIFICATION failed\n",
1991  proc->pid, thread->pid);
1992  break;
1993  }
1994  binder_stats_created(BINDER_STAT_DEATH);
1995  INIT_LIST_HEAD(&death->work.entry);
1996  death->cookie = cookie;
1997  ref->death = death;
1998  if (ref->node->proc == NULL) {
1999  ref->death->work.type = BINDER_WORK_DEAD_BINDER;
2000  if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) {
2001  list_add_tail(&ref->death->work.entry, &thread->todo);
2002  } else {
2003  list_add_tail(&ref->death->work.entry, &proc->todo);
2004  wake_up_interruptible(&proc->wait);
2005  }
2006  }
2007  } else {
2008  if (ref->death == NULL) {
2009  binder_user_error("binder: %d:%"
2010  "d BC_CLEAR_DEATH_NOTIFI"
2011  "CATION death notificat"
2012  "ion not active\n",
2013  proc->pid, thread->pid);
2014  break;
2015  }
2016  death = ref->death;
2017  if (death->cookie != cookie) {
2018  binder_user_error("binder: %d:%"
2019  "d BC_CLEAR_DEATH_NOTIFI"
2020  "CATION death notificat"
2021  "ion cookie mismatch "
2022  "%p != %p\n",
2023  proc->pid, thread->pid,
2024  death->cookie, cookie);
2025  break;
2026  }
2027  ref->death = NULL;
2028  if (list_empty(&death->work.entry)) {
2029  death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
2030  if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) {
2031  list_add_tail(&death->work.entry, &thread->todo);
2032  } else {
2033  list_add_tail(&death->work.entry, &proc->todo);
2034  wake_up_interruptible(&proc->wait);
2035  }
2036  } else {
2037  BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER);
2038  death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR;
2039  }
2040  }
2041  } break;
2042  case BC_DEAD_BINDER_DONE: {
2043  struct binder_work *w;
2044  void __user *cookie;
2045  struct binder_ref_death *death = NULL;
2046  if (get_user(cookie, (void __user * __user *)ptr))
2047  return -EFAULT;
2048 
2049  ptr += sizeof(void *);
2050  list_for_each_entry(w, &proc->delivered_death, entry) {
2051  struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work);
2052  if (tmp_death->cookie == cookie) {
2053  death = tmp_death;
2054  break;
2055  }
2056  }
2057  binder_debug(BINDER_DEBUG_DEAD_BINDER,
2058  "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n",
2059  proc->pid, thread->pid, cookie, death);
2060  if (death == NULL) {
2061  binder_user_error("binder: %d:%d BC_DEAD"
2062  "_BINDER_DONE %p not found\n",
2063  proc->pid, thread->pid, cookie);
2064  break;
2065  }
2066 
2067  list_del_init(&death->work.entry);
2068  if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) {
2069  death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
2070  if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) {
2071  list_add_tail(&death->work.entry, &thread->todo);
2072  } else {
2073  list_add_tail(&death->work.entry, &proc->todo);
2074  wake_up_interruptible(&proc->wait);
2075  }
2076  }
2077  } break;
2078 
2079  default:
2080  pr_err("binder: %d:%d unknown command %d\n",
2081  proc->pid, thread->pid, cmd);
2082  return -EINVAL;
2083  }
2084  *consumed = ptr - buffer;
2085  }
2086  return 0;
2087 }
2088 
2089 void binder_stat_br(struct binder_proc *proc, struct binder_thread *thread,
2090  uint32_t cmd)
2091 {
2092  if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) {
2093  binder_stats.br[_IOC_NR(cmd)]++;
2094  proc->stats.br[_IOC_NR(cmd)]++;
2095  thread->stats.br[_IOC_NR(cmd)]++;
2096  }
2097 }
2098 
2099 static int binder_has_proc_work(struct binder_proc *proc,
2100  struct binder_thread *thread)
2101 {
2102  return !list_empty(&proc->todo) ||
2103  (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN);
2104 }
2105 
2106 static int binder_has_thread_work(struct binder_thread *thread)
2107 {
2108  return !list_empty(&thread->todo) || thread->return_error != BR_OK ||
2109  (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN);
2110 }
2111 
2112 static int binder_thread_read(struct binder_proc *proc,
2113  struct binder_thread *thread,
2114  void __user *buffer, int size,
2115  signed long *consumed, int non_block)
2116 {
2117  void __user *ptr = buffer + *consumed;
2118  void __user *end = buffer + size;
2119 
2120  int ret = 0;
2121  int wait_for_proc_work;
2122 
2123  if (*consumed == 0) {
2124  if (put_user(BR_NOOP, (uint32_t __user *)ptr))
2125  return -EFAULT;
2126  ptr += sizeof(uint32_t);
2127  }
2128 
2129 retry:
2130  wait_for_proc_work = thread->transaction_stack == NULL &&
2131  list_empty(&thread->todo);
2132 
2133  if (thread->return_error != BR_OK && ptr < end) {
2134  if (thread->return_error2 != BR_OK) {
2135  if (put_user(thread->return_error2, (uint32_t __user *)ptr))
2136  return -EFAULT;
2137  ptr += sizeof(uint32_t);
2138  if (ptr == end)
2139  goto done;
2140  thread->return_error2 = BR_OK;
2141  }
2142  if (put_user(thread->return_error, (uint32_t __user *)ptr))
2143  return -EFAULT;
2144  ptr += sizeof(uint32_t);
2145  thread->return_error = BR_OK;
2146  goto done;
2147  }
2148 
2149 
2150  thread->looper |= BINDER_LOOPER_STATE_WAITING;
2151  if (wait_for_proc_work)
2152  proc->ready_threads++;
2153  mutex_unlock(&binder_lock);
2154  if (wait_for_proc_work) {
2155  if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
2156  BINDER_LOOPER_STATE_ENTERED))) {
2157  binder_user_error("binder: %d:%d ERROR: Thread waiting "
2158  "for process work before calling BC_REGISTER_"
2159  "LOOPER or BC_ENTER_LOOPER (state %x)\n",
2160  proc->pid, thread->pid, thread->looper);
2161  wait_event_interruptible(binder_user_error_wait,
2162  binder_stop_on_user_error < 2);
2163  }
2164  binder_set_nice(proc->default_priority);
2165  if (non_block) {
2166  if (!binder_has_proc_work(proc, thread))
2167  ret = -EAGAIN;
2168  } else
2169  ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread));
2170  } else {
2171  if (non_block) {
2172  if (!binder_has_thread_work(thread))
2173  ret = -EAGAIN;
2174  } else
2175  ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread));
2176  }
2177  mutex_lock(&binder_lock);
2178  if (wait_for_proc_work)
2179  proc->ready_threads--;
2180  thread->looper &= ~BINDER_LOOPER_STATE_WAITING;
2181 
2182  if (ret)
2183  return ret;
2184 
2185  while (1) {
2186  uint32_t cmd;
2187  struct binder_transaction_data tr;
2188  struct binder_work *w;
2189  struct binder_transaction *t = NULL;
2190 
2191  if (!list_empty(&thread->todo))
2192  w = list_first_entry(&thread->todo, struct binder_work, entry);
2193  else if (!list_empty(&proc->todo) && wait_for_proc_work)
2194  w = list_first_entry(&proc->todo, struct binder_work, entry);
2195  else {
2196  if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */
2197  goto retry;
2198  break;
2199  }
2200 
2201  if (end - ptr < sizeof(tr) + 4)
2202  break;
2203 
2204  switch (w->type) {
2205  case BINDER_WORK_TRANSACTION: {
2206  t = container_of(w, struct binder_transaction, work);
2207  } break;
2208  case BINDER_WORK_TRANSACTION_COMPLETE: {
2209  cmd = BR_TRANSACTION_COMPLETE;
2210  if (put_user(cmd, (uint32_t __user *)ptr))
2211  return -EFAULT;
2212  ptr += sizeof(uint32_t);
2213 
2214  binder_stat_br(proc, thread, cmd);
2215  binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
2216  "binder: %d:%d BR_TRANSACTION_COMPLETE\n",
2217  proc->pid, thread->pid);
2218 
2219  list_del(&w->entry);
2220  kfree(w);
2221  binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
2222  } break;
2223  case BINDER_WORK_NODE: {
2224  struct binder_node *node = container_of(w, struct binder_node, work);
2225  uint32_t cmd = BR_NOOP;
2226  const char *cmd_name;
2227  int strong = node->internal_strong_refs || node->local_strong_refs;
2228  int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong;
2229  if (weak && !node->has_weak_ref) {
2230  cmd = BR_INCREFS;
2231  cmd_name = "BR_INCREFS";
2232  node->has_weak_ref = 1;
2233  node->pending_weak_ref = 1;
2234  node->local_weak_refs++;
2235  } else if (strong && !node->has_strong_ref) {
2236  cmd = BR_ACQUIRE;
2237  cmd_name = "BR_ACQUIRE";
2238  node->has_strong_ref = 1;
2239  node->pending_strong_ref = 1;
2240  node->local_strong_refs++;
2241  } else if (!strong && node->has_strong_ref) {
2242  cmd = BR_RELEASE;
2243  cmd_name = "BR_RELEASE";
2244  node->has_strong_ref = 0;
2245  } else if (!weak && node->has_weak_ref) {
2246  cmd = BR_DECREFS;
2247  cmd_name = "BR_DECREFS";
2248  node->has_weak_ref = 0;
2249  }
2250  if (cmd != BR_NOOP) {
2251  if (put_user(cmd, (uint32_t __user *)ptr))
2252  return -EFAULT;
2253  ptr += sizeof(uint32_t);
2254  if (put_user(node->ptr, (void * __user *)ptr))
2255  return -EFAULT;
2256  ptr += sizeof(void *);
2257  if (put_user(node->cookie, (void * __user *)ptr))
2258  return -EFAULT;
2259  ptr += sizeof(void *);
2260 
2261  binder_stat_br(proc, thread, cmd);
2262  binder_debug(BINDER_DEBUG_USER_REFS,
2263  "binder: %d:%d %s %d u%p c%p\n",
2264  proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie);
2265  } else {
2266  list_del_init(&w->entry);
2267  if (!weak && !strong) {
2268  binder_debug(BINDER_DEBUG_INTERNAL_REFS,
2269  "binder: %d:%d node %d u%p c%p deleted\n",
2270  proc->pid, thread->pid, node->debug_id,
2271  node->ptr, node->cookie);
2272  rb_erase(&node->rb_node, &proc->nodes);
2273  kfree(node);
2274  binder_stats_deleted(BINDER_STAT_NODE);
2275  } else {
2276  binder_debug(BINDER_DEBUG_INTERNAL_REFS,
2277  "binder: %d:%d node %d u%p c%p state unchanged\n",
2278  proc->pid, thread->pid, node->debug_id, node->ptr,
2279  node->cookie);
2280  }
2281  }
2282  } break;
2283  case BINDER_WORK_DEAD_BINDER:
2284  case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
2285  case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
2286  struct binder_ref_death *death;
2287  uint32_t cmd;
2288 
2289  death = container_of(w, struct binder_ref_death, work);
2290  if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION)
2291  cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE;
2292  else
2293  cmd = BR_DEAD_BINDER;
2294  if (put_user(cmd, (uint32_t __user *)ptr))
2295  return -EFAULT;
2296  ptr += sizeof(uint32_t);
2297  if (put_user(death->cookie, (void * __user *)ptr))
2298  return -EFAULT;
2299  ptr += sizeof(void *);
2300  binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
2301  "binder: %d:%d %s %p\n",
2302  proc->pid, thread->pid,
2303  cmd == BR_DEAD_BINDER ?
2304  "BR_DEAD_BINDER" :
2305  "BR_CLEAR_DEATH_NOTIFICATION_DONE",
2306  death->cookie);
2307 
2308  if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) {
2309  list_del(&w->entry);
2310  kfree(death);
2311  binder_stats_deleted(BINDER_STAT_DEATH);
2312  } else
2313  list_move(&w->entry, &proc->delivered_death);
2314  if (cmd == BR_DEAD_BINDER)
2315  goto done; /* DEAD_BINDER notifications can cause transactions */
2316  } break;
2317  }
2318 
2319  if (!t)
2320  continue;
2321 
2322  BUG_ON(t->buffer == NULL);
2323  if (t->buffer->target_node) {
2324  struct binder_node *target_node = t->buffer->target_node;
2325  tr.target.ptr = target_node->ptr;
2326  tr.cookie = target_node->cookie;
2327  t->saved_priority = task_nice(current);
2328  if (t->priority < target_node->min_priority &&
2329  !(t->flags & TF_ONE_WAY))
2330  binder_set_nice(t->priority);
2331  else if (!(t->flags & TF_ONE_WAY) ||
2332  t->saved_priority > target_node->min_priority)
2333  binder_set_nice(target_node->min_priority);
2334  cmd = BR_TRANSACTION;
2335  } else {
2336  tr.target.ptr = NULL;
2337  tr.cookie = NULL;
2338  cmd = BR_REPLY;
2339  }
2340  tr.code = t->code;
2341  tr.flags = t->flags;
2342  tr.sender_euid = from_kuid(current_user_ns(), t->sender_euid);
2343 
2344  if (t->from) {
2345  struct task_struct *sender = t->from->proc->tsk;
2346  tr.sender_pid = task_tgid_nr_ns(sender,
2347  current->nsproxy->pid_ns);
2348  } else {
2349  tr.sender_pid = 0;
2350  }
2351 
2352  tr.data_size = t->buffer->data_size;
2353  tr.offsets_size = t->buffer->offsets_size;
2354  tr.data.ptr.buffer = (void *)t->buffer->data +
2355  proc->user_buffer_offset;
2356  tr.data.ptr.offsets = tr.data.ptr.buffer +
2357  ALIGN(t->buffer->data_size,
2358  sizeof(void *));
2359 
2360  if (put_user(cmd, (uint32_t __user *)ptr))
2361  return -EFAULT;
2362  ptr += sizeof(uint32_t);
2363  if (copy_to_user(ptr, &tr, sizeof(tr)))
2364  return -EFAULT;
2365  ptr += sizeof(tr);
2366 
2367  binder_stat_br(proc, thread, cmd);
2368  binder_debug(BINDER_DEBUG_TRANSACTION,
2369  "binder: %d:%d %s %d %d:%d, cmd %d"
2370  "size %zd-%zd ptr %p-%p\n",
2371  proc->pid, thread->pid,
2372  (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
2373  "BR_REPLY",
2374  t->debug_id, t->from ? t->from->proc->pid : 0,
2375  t->from ? t->from->pid : 0, cmd,
2376  t->buffer->data_size, t->buffer->offsets_size,
2377  tr.data.ptr.buffer, tr.data.ptr.offsets);
2378 
2379  list_del(&t->work.entry);
2380  t->buffer->allow_user_free = 1;
2381  if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {
2382  t->to_parent = thread->transaction_stack;
2383  t->to_thread = thread;
2384  thread->transaction_stack = t;
2385  } else {
2386  t->buffer->transaction = NULL;
2387  kfree(t);
2388  binder_stats_deleted(BINDER_STAT_TRANSACTION);
2389  }
2390  break;
2391  }
2392 
2393 done:
2394 
2395  *consumed = ptr - buffer;
2396  if (proc->requested_threads + proc->ready_threads == 0 &&
2397  proc->requested_threads_started < proc->max_threads &&
2398  (thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
2399  BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */
2400  /*spawn a new thread if we leave this out */) {
2401  proc->requested_threads++;
2402  binder_debug(BINDER_DEBUG_THREADS,
2403  "binder: %d:%d BR_SPAWN_LOOPER\n",
2404  proc->pid, thread->pid);
2405  if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
2406  return -EFAULT;
2407  }
2408  return 0;
2409 }
2410 
2411 static void binder_release_work(struct list_head *list)
2412 {
2413  struct binder_work *w;
2414  while (!list_empty(list)) {
2415  w = list_first_entry(list, struct binder_work, entry);
2416  list_del_init(&w->entry);
2417  switch (w->type) {
2418  case BINDER_WORK_TRANSACTION: {
2419  struct binder_transaction *t;
2420 
2421  t = container_of(w, struct binder_transaction, work);
2422  if (t->buffer->target_node &&
2423  !(t->flags & TF_ONE_WAY)) {
2424  binder_send_failed_reply(t, BR_DEAD_REPLY);
2425  } else {
2426  binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
2427  "binder: undelivered transaction %d\n",
2428  t->debug_id);
2429  t->buffer->transaction = NULL;
2430  kfree(t);
2431  binder_stats_deleted(BINDER_STAT_TRANSACTION);
2432  }
2433  } break;
2434  case BINDER_WORK_TRANSACTION_COMPLETE: {
2435  binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
2436  "binder: undelivered TRANSACTION_COMPLETE\n");
2437  kfree(w);
2438  binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
2439  } break;
2440  case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
2441  case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
2442  struct binder_ref_death *death;
2443 
2444  death = container_of(w, struct binder_ref_death, work);
2445  binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
2446  "binder: undelivered death notification, %p\n",
2447  death->cookie);
2448  kfree(death);
2449  binder_stats_deleted(BINDER_STAT_DEATH);
2450  } break;
2451  default:
2452  pr_err("binder: unexpected work type, %d, not freed\n",
2453  w->type);
2454  break;
2455  }
2456  }
2457 
2458 }
2459 
2460 static struct binder_thread *binder_get_thread(struct binder_proc *proc)
2461 {
2462  struct binder_thread *thread = NULL;
2463  struct rb_node *parent = NULL;
2464  struct rb_node **p = &proc->threads.rb_node;
2465 
2466  while (*p) {
2467  parent = *p;
2468  thread = rb_entry(parent, struct binder_thread, rb_node);
2469 
2470  if (current->pid < thread->pid)
2471  p = &(*p)->rb_left;
2472  else if (current->pid > thread->pid)
2473  p = &(*p)->rb_right;
2474  else
2475  break;
2476  }
2477  if (*p == NULL) {
2478  thread = kzalloc(sizeof(*thread), GFP_KERNEL);
2479  if (thread == NULL)
2480  return NULL;
2481  binder_stats_created(BINDER_STAT_THREAD);
2482  thread->proc = proc;
2483  thread->pid = current->pid;
2484  init_waitqueue_head(&thread->wait);
2485  INIT_LIST_HEAD(&thread->todo);
2486  rb_link_node(&thread->rb_node, parent, p);
2487  rb_insert_color(&thread->rb_node, &proc->threads);
2488  thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN;
2489  thread->return_error = BR_OK;
2490  thread->return_error2 = BR_OK;
2491  }
2492  return thread;
2493 }
2494 
2495 static int binder_free_thread(struct binder_proc *proc,
2496  struct binder_thread *thread)
2497 {
2498  struct binder_transaction *t;
2499  struct binder_transaction *send_reply = NULL;
2500  int active_transactions = 0;
2501 
2502  rb_erase(&thread->rb_node, &proc->threads);
2503  t = thread->transaction_stack;
2504  if (t && t->to_thread == thread)
2505  send_reply = t;
2506  while (t) {
2507  active_transactions++;
2508  binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
2509  "binder: release %d:%d transaction %d "
2510  "%s, still active\n", proc->pid, thread->pid,
2511  t->debug_id,
2512  (t->to_thread == thread) ? "in" : "out");
2513 
2514  if (t->to_thread == thread) {
2515  t->to_proc = NULL;
2516  t->to_thread = NULL;
2517  if (t->buffer) {
2518  t->buffer->transaction = NULL;
2519  t->buffer = NULL;
2520  }
2521  t = t->to_parent;
2522  } else if (t->from == thread) {
2523  t->from = NULL;
2524  t = t->from_parent;
2525  } else
2526  BUG();
2527  }
2528  if (send_reply)
2529  binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
2530  binder_release_work(&thread->todo);
2531  kfree(thread);
2532  binder_stats_deleted(BINDER_STAT_THREAD);
2533  return active_transactions;
2534 }
2535 
2536 static unsigned int binder_poll(struct file *filp,
2537  struct poll_table_struct *wait)
2538 {
2539  struct binder_proc *proc = filp->private_data;
2540  struct binder_thread *thread = NULL;
2541  int wait_for_proc_work;
2542 
2543  mutex_lock(&binder_lock);
2544  thread = binder_get_thread(proc);
2545 
2546  wait_for_proc_work = thread->transaction_stack == NULL &&
2547  list_empty(&thread->todo) && thread->return_error == BR_OK;
2548  mutex_unlock(&binder_lock);
2549 
2550  if (wait_for_proc_work) {
2551  if (binder_has_proc_work(proc, thread))
2552  return POLLIN;
2553  poll_wait(filp, &proc->wait, wait);
2554  if (binder_has_proc_work(proc, thread))
2555  return POLLIN;
2556  } else {
2557  if (binder_has_thread_work(thread))
2558  return POLLIN;
2559  poll_wait(filp, &thread->wait, wait);
2560  if (binder_has_thread_work(thread))
2561  return POLLIN;
2562  }
2563  return 0;
2564 }
2565 
2566 static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
2567 {
2568  int ret;
2569  struct binder_proc *proc = filp->private_data;
2570  struct binder_thread *thread;
2571  unsigned int size = _IOC_SIZE(cmd);
2572  void __user *ubuf = (void __user *)arg;
2573 
2574  /*pr_info("binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/
2575 
2576  ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
2577  if (ret)
2578  return ret;
2579 
2580  mutex_lock(&binder_lock);
2581  thread = binder_get_thread(proc);
2582  if (thread == NULL) {
2583  ret = -ENOMEM;
2584  goto err;
2585  }
2586 
2587  switch (cmd) {
2588  case BINDER_WRITE_READ: {
2589  struct binder_write_read bwr;
2590  if (size != sizeof(struct binder_write_read)) {
2591  ret = -EINVAL;
2592  goto err;
2593  }
2594  if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {
2595  ret = -EFAULT;
2596  goto err;
2597  }
2598  binder_debug(BINDER_DEBUG_READ_WRITE,
2599  "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n",
2600  proc->pid, thread->pid, bwr.write_size, bwr.write_buffer,
2601  bwr.read_size, bwr.read_buffer);
2602 
2603  if (bwr.write_size > 0) {
2604  ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed);
2605  if (ret < 0) {
2606  bwr.read_consumed = 0;
2607  if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
2608  ret = -EFAULT;
2609  goto err;
2610  }
2611  }
2612  if (bwr.read_size > 0) {
2613  ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK);
2614  if (!list_empty(&proc->todo))
2615  wake_up_interruptible(&proc->wait);
2616  if (ret < 0) {
2617  if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
2618  ret = -EFAULT;
2619  goto err;
2620  }
2621  }
2622  binder_debug(BINDER_DEBUG_READ_WRITE,
2623  "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n",
2624  proc->pid, thread->pid, bwr.write_consumed, bwr.write_size,
2625  bwr.read_consumed, bwr.read_size);
2626  if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {
2627  ret = -EFAULT;
2628  goto err;
2629  }
2630  break;
2631  }
2632  case BINDER_SET_MAX_THREADS:
2633  if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) {
2634  ret = -EINVAL;
2635  goto err;
2636  }
2637  break;
2638  case BINDER_SET_CONTEXT_MGR:
2639  if (binder_context_mgr_node != NULL) {
2640  pr_err("binder: BINDER_SET_CONTEXT_MGR already set\n");
2641  ret = -EBUSY;
2642  goto err;
2643  }
2644  if (uid_valid(binder_context_mgr_uid)) {
2645  if (!uid_eq(binder_context_mgr_uid, current->cred->euid)) {
2646  pr_err("binder: BINDER_SET_"
2647  "CONTEXT_MGR bad uid %d != %d\n",
2648  from_kuid(&init_user_ns, current->cred->euid),
2649  from_kuid(&init_user_ns, binder_context_mgr_uid));
2650  ret = -EPERM;
2651  goto err;
2652  }
2653  } else
2654  binder_context_mgr_uid = current->cred->euid;
2655  binder_context_mgr_node = binder_new_node(proc, NULL, NULL);
2656  if (binder_context_mgr_node == NULL) {
2657  ret = -ENOMEM;
2658  goto err;
2659  }
2660  binder_context_mgr_node->local_weak_refs++;
2661  binder_context_mgr_node->local_strong_refs++;
2662  binder_context_mgr_node->has_strong_ref = 1;
2663  binder_context_mgr_node->has_weak_ref = 1;
2664  break;
2665  case BINDER_THREAD_EXIT:
2666  binder_debug(BINDER_DEBUG_THREADS, "binder: %d:%d exit\n",
2667  proc->pid, thread->pid);
2668  binder_free_thread(proc, thread);
2669  thread = NULL;
2670  break;
2671  case BINDER_VERSION:
2672  if (size != sizeof(struct binder_version)) {
2673  ret = -EINVAL;
2674  goto err;
2675  }
2676  if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) {
2677  ret = -EINVAL;
2678  goto err;
2679  }
2680  break;
2681  default:
2682  ret = -EINVAL;
2683  goto err;
2684  }
2685  ret = 0;
2686 err:
2687  if (thread)
2688  thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN;
2689  mutex_unlock(&binder_lock);
2690  wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
2691  if (ret && ret != -ERESTARTSYS)
2692  pr_info("binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);
2693  return ret;
2694 }
2695 
2696 static void binder_vma_open(struct vm_area_struct *vma)
2697 {
2698  struct binder_proc *proc = vma->vm_private_data;
2699  binder_debug(BINDER_DEBUG_OPEN_CLOSE,
2700  "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
2701  proc->pid, vma->vm_start, vma->vm_end,
2702  (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
2703  (unsigned long)pgprot_val(vma->vm_page_prot));
2704 }
2705 
2706 static void binder_vma_close(struct vm_area_struct *vma)
2707 {
2708  struct binder_proc *proc = vma->vm_private_data;
2709  binder_debug(BINDER_DEBUG_OPEN_CLOSE,
2710  "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
2711  proc->pid, vma->vm_start, vma->vm_end,
2712  (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
2713  (unsigned long)pgprot_val(vma->vm_page_prot));
2714  proc->vma = NULL;
2715  proc->vma_vm_mm = NULL;
2716  binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
2717 }
2718 
2719 static struct vm_operations_struct binder_vm_ops = {
2720  .open = binder_vma_open,
2721  .close = binder_vma_close,
2722 };
2723 
2724 static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
2725 {
2726  int ret;
2727  struct vm_struct *area;
2728  struct binder_proc *proc = filp->private_data;
2729  const char *failure_string;
2730  struct binder_buffer *buffer;
2731 
2732  if (proc->tsk != current)
2733  return -EINVAL;
2734 
2735  if ((vma->vm_end - vma->vm_start) > SZ_4M)
2736  vma->vm_end = vma->vm_start + SZ_4M;
2737 
2738  binder_debug(BINDER_DEBUG_OPEN_CLOSE,
2739  "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
2740  proc->pid, vma->vm_start, vma->vm_end,
2741  (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
2742  (unsigned long)pgprot_val(vma->vm_page_prot));
2743 
2744  if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) {
2745  ret = -EPERM;
2746  failure_string = "bad vm_flags";
2747  goto err_bad_arg;
2748  }
2749  vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE;
2750 
2751  mutex_lock(&binder_mmap_lock);
2752  if (proc->buffer) {
2753  ret = -EBUSY;
2754  failure_string = "already mapped";
2755  goto err_already_mapped;
2756  }
2757 
2758  area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP);
2759  if (area == NULL) {
2760  ret = -ENOMEM;
2761  failure_string = "get_vm_area";
2762  goto err_get_vm_area_failed;
2763  }
2764  proc->buffer = area->addr;
2765  proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer;
2766  mutex_unlock(&binder_mmap_lock);
2767 
2768 #ifdef CONFIG_CPU_CACHE_VIPT
2769  if (cache_is_vipt_aliasing()) {
2770  while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) {
2771  pr_info("binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);
2772  vma->vm_start += PAGE_SIZE;
2773  }
2774  }
2775 #endif
2776  proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL);
2777  if (proc->pages == NULL) {
2778  ret = -ENOMEM;
2779  failure_string = "alloc page array";
2780  goto err_alloc_pages_failed;
2781  }
2782  proc->buffer_size = vma->vm_end - vma->vm_start;
2783 
2784  vma->vm_ops = &binder_vm_ops;
2785  vma->vm_private_data = proc;
2786 
2787  if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) {
2788  ret = -ENOMEM;
2789  failure_string = "alloc small buf";
2790  goto err_alloc_small_buf_failed;
2791  }
2792  buffer = proc->buffer;
2793  INIT_LIST_HEAD(&proc->buffers);
2794  list_add(&buffer->entry, &proc->buffers);
2795  buffer->free = 1;
2796  binder_insert_free_buffer(proc, buffer);
2797  proc->free_async_space = proc->buffer_size / 2;
2798  barrier();
2799  proc->files = get_files_struct(current);
2800  proc->vma = vma;
2801  proc->vma_vm_mm = vma->vm_mm;
2802 
2803  /*pr_info("binder_mmap: %d %lx-%lx maps %p\n",
2804  proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/
2805  return 0;
2806 
2807 err_alloc_small_buf_failed:
2808  kfree(proc->pages);
2809  proc->pages = NULL;
2810 err_alloc_pages_failed:
2811  mutex_lock(&binder_mmap_lock);
2812  vfree(proc->buffer);
2813  proc->buffer = NULL;
2814 err_get_vm_area_failed:
2815 err_already_mapped:
2816  mutex_unlock(&binder_mmap_lock);
2817 err_bad_arg:
2818  pr_err("binder_mmap: %d %lx-%lx %s failed %d\n",
2819  proc->pid, vma->vm_start, vma->vm_end, failure_string, ret);
2820  return ret;
2821 }
2822 
2823 static int binder_open(struct inode *nodp, struct file *filp)
2824 {
2825  struct binder_proc *proc;
2826 
2827  binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n",
2828  current->group_leader->pid, current->pid);
2829 
2830  proc = kzalloc(sizeof(*proc), GFP_KERNEL);
2831  if (proc == NULL)
2832  return -ENOMEM;
2833  get_task_struct(current);
2834  proc->tsk = current;
2835  INIT_LIST_HEAD(&proc->todo);
2836  init_waitqueue_head(&proc->wait);
2837  proc->default_priority = task_nice(current);
2838  mutex_lock(&binder_lock);
2839  binder_stats_created(BINDER_STAT_PROC);
2840  hlist_add_head(&proc->proc_node, &binder_procs);
2841  proc->pid = current->group_leader->pid;
2842  INIT_LIST_HEAD(&proc->delivered_death);
2843  filp->private_data = proc;
2844  mutex_unlock(&binder_lock);
2845 
2846  if (binder_debugfs_dir_entry_proc) {
2847  char strbuf[11];
2848  snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
2849  proc->debugfs_entry = debugfs_create_file(strbuf, S_IRUGO,
2850  binder_debugfs_dir_entry_proc, proc, &binder_proc_fops);
2851  }
2852 
2853  return 0;
2854 }
2855 
2856 static int binder_flush(struct file *filp, fl_owner_t id)
2857 {
2858  struct binder_proc *proc = filp->private_data;
2859 
2860  binder_defer_work(proc, BINDER_DEFERRED_FLUSH);
2861 
2862  return 0;
2863 }
2864 
2865 static void binder_deferred_flush(struct binder_proc *proc)
2866 {
2867  struct rb_node *n;
2868  int wake_count = 0;
2869  for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
2870  struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
2871  thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN;
2872  if (thread->looper & BINDER_LOOPER_STATE_WAITING) {
2873  wake_up_interruptible(&thread->wait);
2874  wake_count++;
2875  }
2876  }
2877  wake_up_interruptible_all(&proc->wait);
2878 
2879  binder_debug(BINDER_DEBUG_OPEN_CLOSE,
2880  "binder_flush: %d woke %d threads\n", proc->pid,
2881  wake_count);
2882 }
2883 
2884 static int binder_release(struct inode *nodp, struct file *filp)
2885 {
2886  struct binder_proc *proc = filp->private_data;
2887  debugfs_remove(proc->debugfs_entry);
2888  binder_defer_work(proc, BINDER_DEFERRED_RELEASE);
2889 
2890  return 0;
2891 }
2892 
2893 static void binder_deferred_release(struct binder_proc *proc)
2894 {
2895  struct hlist_node *pos;
2896  struct binder_transaction *t;
2897  struct rb_node *n;
2898  int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count;
2899 
2900  BUG_ON(proc->vma);
2901  BUG_ON(proc->files);
2902 
2903  hlist_del(&proc->proc_node);
2904  if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) {
2905  binder_debug(BINDER_DEBUG_DEAD_BINDER,
2906  "binder_release: %d context_mgr_node gone\n",
2907  proc->pid);
2908  binder_context_mgr_node = NULL;
2909  }
2910 
2911  threads = 0;
2912  active_transactions = 0;
2913  while ((n = rb_first(&proc->threads))) {
2914  struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
2915  threads++;
2916  active_transactions += binder_free_thread(proc, thread);
2917  }
2918  nodes = 0;
2919  incoming_refs = 0;
2920  while ((n = rb_first(&proc->nodes))) {
2921  struct binder_node *node = rb_entry(n, struct binder_node, rb_node);
2922 
2923  nodes++;
2924  rb_erase(&node->rb_node, &proc->nodes);
2925  list_del_init(&node->work.entry);
2926  binder_release_work(&node->async_todo);
2927  if (hlist_empty(&node->refs)) {
2928  kfree(node);
2929  binder_stats_deleted(BINDER_STAT_NODE);
2930  } else {
2931  struct binder_ref *ref;
2932  int death = 0;
2933 
2934  node->proc = NULL;
2935  node->local_strong_refs = 0;
2936  node->local_weak_refs = 0;
2937  hlist_add_head(&node->dead_node, &binder_dead_nodes);
2938 
2939  hlist_for_each_entry(ref, pos, &node->refs, node_entry) {
2940  incoming_refs++;
2941  if (ref->death) {
2942  death++;
2943  if (list_empty(&ref->death->work.entry)) {
2944  ref->death->work.type = BINDER_WORK_DEAD_BINDER;
2945  list_add_tail(&ref->death->work.entry, &ref->proc->todo);
2946  wake_up_interruptible(&ref->proc->wait);
2947  } else
2948  BUG();
2949  }
2950  }
2951  binder_debug(BINDER_DEBUG_DEAD_BINDER,
2952  "binder: node %d now dead, "
2953  "refs %d, death %d\n", node->debug_id,
2954  incoming_refs, death);
2955  }
2956  }
2957  outgoing_refs = 0;
2958  while ((n = rb_first(&proc->refs_by_desc))) {
2959  struct binder_ref *ref = rb_entry(n, struct binder_ref,
2960  rb_node_desc);
2961  outgoing_refs++;
2962  binder_delete_ref(ref);
2963  }
2964  binder_release_work(&proc->todo);
2965  binder_release_work(&proc->delivered_death);
2966  buffers = 0;
2967 
2968  while ((n = rb_first(&proc->allocated_buffers))) {
2969  struct binder_buffer *buffer = rb_entry(n, struct binder_buffer,
2970  rb_node);
2971  t = buffer->transaction;
2972  if (t) {
2973  t->buffer = NULL;
2974  buffer->transaction = NULL;
2975  pr_err("binder: release proc %d, "
2976  "transaction %d, not freed\n",
2977  proc->pid, t->debug_id);
2978  /*BUG();*/
2979  }
2980  binder_free_buf(proc, buffer);
2981  buffers++;
2982  }
2983 
2984  binder_stats_deleted(BINDER_STAT_PROC);
2985 
2986  page_count = 0;
2987  if (proc->pages) {
2988  int i;
2989  for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) {
2990  if (proc->pages[i]) {
2991  void *page_addr = proc->buffer + i * PAGE_SIZE;
2992  binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
2993  "binder_release: %d: "
2994  "page %d at %p not freed\n",
2995  proc->pid, i,
2996  page_addr);
2997  unmap_kernel_range((unsigned long)page_addr,
2998  PAGE_SIZE);
2999  __free_page(proc->pages[i]);
3000  page_count++;
3001  }
3002  }
3003  kfree(proc->pages);
3004  vfree(proc->buffer);
3005  }
3006 
3007  put_task_struct(proc->tsk);
3008 
3009  binder_debug(BINDER_DEBUG_OPEN_CLOSE,
3010  "binder_release: %d threads %d, nodes %d (ref %d), "
3011  "refs %d, active transactions %d, buffers %d, "
3012  "pages %d\n",
3013  proc->pid, threads, nodes, incoming_refs, outgoing_refs,
3014  active_transactions, buffers, page_count);
3015 
3016  kfree(proc);
3017 }
3018 
3019 static void binder_deferred_func(struct work_struct *work)
3020 {
3021  struct binder_proc *proc;
3022  struct files_struct *files;
3023 
3024  int defer;
3025  do {
3026  mutex_lock(&binder_lock);
3027  mutex_lock(&binder_deferred_lock);
3028  if (!hlist_empty(&binder_deferred_list)) {
3029  proc = hlist_entry(binder_deferred_list.first,
3030  struct binder_proc, deferred_work_node);
3031  hlist_del_init(&proc->deferred_work_node);
3032  defer = proc->deferred_work;
3033  proc->deferred_work = 0;
3034  } else {
3035  proc = NULL;
3036  defer = 0;
3037  }
3038  mutex_unlock(&binder_deferred_lock);
3039 
3040  files = NULL;
3041  if (defer & BINDER_DEFERRED_PUT_FILES) {
3042  files = proc->files;
3043  if (files)
3044  proc->files = NULL;
3045  }
3046 
3047  if (defer & BINDER_DEFERRED_FLUSH)
3048  binder_deferred_flush(proc);
3049 
3050  if (defer & BINDER_DEFERRED_RELEASE)
3051  binder_deferred_release(proc); /* frees proc */
3052 
3053  mutex_unlock(&binder_lock);
3054  if (files)
3055  put_files_struct(files);
3056  } while (proc);
3057 }
3058 static DECLARE_WORK(binder_deferred_work, binder_deferred_func);
3059 
3060 static void
3061 binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer)
3062 {
3063  mutex_lock(&binder_deferred_lock);
3064  proc->deferred_work |= defer;
3065  if (hlist_unhashed(&proc->deferred_work_node)) {
3066  hlist_add_head(&proc->deferred_work_node,
3067  &binder_deferred_list);
3068  queue_work(binder_deferred_workqueue, &binder_deferred_work);
3069  }
3070  mutex_unlock(&binder_deferred_lock);
3071 }
3072 
3073 static void print_binder_transaction(struct seq_file *m, const char *prefix,
3074  struct binder_transaction *t)
3075 {
3076  seq_printf(m,
3077  "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d",
3078  prefix, t->debug_id, t,
3079  t->from ? t->from->proc->pid : 0,
3080  t->from ? t->from->pid : 0,
3081  t->to_proc ? t->to_proc->pid : 0,
3082  t->to_thread ? t->to_thread->pid : 0,
3083  t->code, t->flags, t->priority, t->need_reply);
3084  if (t->buffer == NULL) {
3085  seq_puts(m, " buffer free\n");
3086  return;
3087  }
3088  if (t->buffer->target_node)
3089  seq_printf(m, " node %d",
3090  t->buffer->target_node->debug_id);
3091  seq_printf(m, " size %zd:%zd data %p\n",
3092  t->buffer->data_size, t->buffer->offsets_size,
3093  t->buffer->data);
3094 }
3095 
3096 static void print_binder_buffer(struct seq_file *m, const char *prefix,
3097  struct binder_buffer *buffer)
3098 {
3099  seq_printf(m, "%s %d: %p size %zd:%zd %s\n",
3100  prefix, buffer->debug_id, buffer->data,
3101  buffer->data_size, buffer->offsets_size,
3102  buffer->transaction ? "active" : "delivered");
3103 }
3104 
3105 static void print_binder_work(struct seq_file *m, const char *prefix,
3106  const char *transaction_prefix,
3107  struct binder_work *w)
3108 {
3109  struct binder_node *node;
3110  struct binder_transaction *t;
3111 
3112  switch (w->type) {
3113  case BINDER_WORK_TRANSACTION:
3114  t = container_of(w, struct binder_transaction, work);
3115  print_binder_transaction(m, transaction_prefix, t);
3116  break;
3117  case BINDER_WORK_TRANSACTION_COMPLETE:
3118  seq_printf(m, "%stransaction complete\n", prefix);
3119  break;
3120  case BINDER_WORK_NODE:
3121  node = container_of(w, struct binder_node, work);
3122  seq_printf(m, "%snode work %d: u%p c%p\n",
3123  prefix, node->debug_id, node->ptr, node->cookie);
3124  break;
3125  case BINDER_WORK_DEAD_BINDER:
3126  seq_printf(m, "%shas dead binder\n", prefix);
3127  break;
3128  case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
3129  seq_printf(m, "%shas cleared dead binder\n", prefix);
3130  break;
3131  case BINDER_WORK_CLEAR_DEATH_NOTIFICATION:
3132  seq_printf(m, "%shas cleared death notification\n", prefix);
3133  break;
3134  default:
3135  seq_printf(m, "%sunknown work: type %d\n", prefix, w->type);
3136  break;
3137  }
3138 }
3139 
3140 static void print_binder_thread(struct seq_file *m,
3141  struct binder_thread *thread,
3142  int print_always)
3143 {
3144  struct binder_transaction *t;
3145  struct binder_work *w;
3146  size_t start_pos = m->count;
3147  size_t header_pos;
3148 
3149  seq_printf(m, " thread %d: l %02x\n", thread->pid, thread->looper);
3150  header_pos = m->count;
3151  t = thread->transaction_stack;
3152  while (t) {
3153  if (t->from == thread) {
3154  print_binder_transaction(m,
3155  " outgoing transaction", t);
3156  t = t->from_parent;
3157  } else if (t->to_thread == thread) {
3158  print_binder_transaction(m,
3159  " incoming transaction", t);
3160  t = t->to_parent;
3161  } else {
3162  print_binder_transaction(m, " bad transaction", t);
3163  t = NULL;
3164  }
3165  }
3166  list_for_each_entry(w, &thread->todo, entry) {
3167  print_binder_work(m, " ", " pending transaction", w);
3168  }
3169  if (!print_always && m->count == header_pos)
3170  m->count = start_pos;
3171 }
3172 
3173 static void print_binder_node(struct seq_file *m, struct binder_node *node)
3174 {
3175  struct binder_ref *ref;
3176  struct hlist_node *pos;
3177  struct binder_work *w;
3178  int count;
3179 
3180  count = 0;
3181  hlist_for_each_entry(ref, pos, &node->refs, node_entry)
3182  count++;
3183 
3184  seq_printf(m, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d",
3185  node->debug_id, node->ptr, node->cookie,
3186  node->has_strong_ref, node->has_weak_ref,
3187  node->local_strong_refs, node->local_weak_refs,
3188  node->internal_strong_refs, count);
3189  if (count) {
3190  seq_puts(m, " proc");
3191  hlist_for_each_entry(ref, pos, &node->refs, node_entry)
3192  seq_printf(m, " %d", ref->proc->pid);
3193  }
3194  seq_puts(m, "\n");
3195  list_for_each_entry(w, &node->async_todo, entry)
3196  print_binder_work(m, " ",
3197  " pending async transaction", w);
3198 }
3199 
3200 static void print_binder_ref(struct seq_file *m, struct binder_ref *ref)
3201 {
3202  seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %p\n",
3203  ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ",
3204  ref->node->debug_id, ref->strong, ref->weak, ref->death);
3205 }
3206 
3207 static void print_binder_proc(struct seq_file *m,
3208  struct binder_proc *proc, int print_all)
3209 {
3210  struct binder_work *w;
3211  struct rb_node *n;
3212  size_t start_pos = m->count;
3213  size_t header_pos;
3214 
3215  seq_printf(m, "proc %d\n", proc->pid);
3216  header_pos = m->count;
3217 
3218  for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
3219  print_binder_thread(m, rb_entry(n, struct binder_thread,
3220  rb_node), print_all);
3221  for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
3222  struct binder_node *node = rb_entry(n, struct binder_node,
3223  rb_node);
3224  if (print_all || node->has_async_transaction)
3225  print_binder_node(m, node);
3226  }
3227  if (print_all) {
3228  for (n = rb_first(&proc->refs_by_desc);
3229  n != NULL;
3230  n = rb_next(n))
3231  print_binder_ref(m, rb_entry(n, struct binder_ref,
3232  rb_node_desc));
3233  }
3234  for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n))
3235  print_binder_buffer(m, " buffer",
3236  rb_entry(n, struct binder_buffer, rb_node));
3237  list_for_each_entry(w, &proc->todo, entry)
3238  print_binder_work(m, " ", " pending transaction", w);
3239  list_for_each_entry(w, &proc->delivered_death, entry) {
3240  seq_puts(m, " has delivered dead binder\n");
3241  break;
3242  }
3243  if (!print_all && m->count == header_pos)
3244  m->count = start_pos;
3245 }
3246 
3247 static const char *binder_return_strings[] = {
3248  "BR_ERROR",
3249  "BR_OK",
3250  "BR_TRANSACTION",
3251  "BR_REPLY",
3252  "BR_ACQUIRE_RESULT",
3253  "BR_DEAD_REPLY",
3254  "BR_TRANSACTION_COMPLETE",
3255  "BR_INCREFS",
3256  "BR_ACQUIRE",
3257  "BR_RELEASE",
3258  "BR_DECREFS",
3259  "BR_ATTEMPT_ACQUIRE",
3260  "BR_NOOP",
3261  "BR_SPAWN_LOOPER",
3262  "BR_FINISHED",
3263  "BR_DEAD_BINDER",
3264  "BR_CLEAR_DEATH_NOTIFICATION_DONE",
3265  "BR_FAILED_REPLY"
3266 };
3267 
3268 static const char *binder_command_strings[] = {
3269  "BC_TRANSACTION",
3270  "BC_REPLY",
3271  "BC_ACQUIRE_RESULT",
3272  "BC_FREE_BUFFER",
3273  "BC_INCREFS",
3274  "BC_ACQUIRE",
3275  "BC_RELEASE",
3276  "BC_DECREFS",
3277  "BC_INCREFS_DONE",
3278  "BC_ACQUIRE_DONE",
3279  "BC_ATTEMPT_ACQUIRE",
3280  "BC_REGISTER_LOOPER",
3281  "BC_ENTER_LOOPER",
3282  "BC_EXIT_LOOPER",
3283  "BC_REQUEST_DEATH_NOTIFICATION",
3284  "BC_CLEAR_DEATH_NOTIFICATION",
3285  "BC_DEAD_BINDER_DONE"
3286 };
3287 
3288 static const char *binder_objstat_strings[] = {
3289  "proc",
3290  "thread",
3291  "node",
3292  "ref",
3293  "death",
3294  "transaction",
3295  "transaction_complete"
3296 };
3297 
3298 static void print_binder_stats(struct seq_file *m, const char *prefix,
3299  struct binder_stats *stats)
3300 {
3301  int i;
3302 
3303  BUILD_BUG_ON(ARRAY_SIZE(stats->bc) !=
3304  ARRAY_SIZE(binder_command_strings));
3305  for (i = 0; i < ARRAY_SIZE(stats->bc); i++) {
3306  if (stats->bc[i])
3307  seq_printf(m, "%s%s: %d\n", prefix,
3308  binder_command_strings[i], stats->bc[i]);
3309  }
3310 
3311  BUILD_BUG_ON(ARRAY_SIZE(stats->br) !=
3312  ARRAY_SIZE(binder_return_strings));
3313  for (i = 0; i < ARRAY_SIZE(stats->br); i++) {
3314  if (stats->br[i])
3315  seq_printf(m, "%s%s: %d\n", prefix,
3316  binder_return_strings[i], stats->br[i]);
3317  }
3318 
3319  BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
3320  ARRAY_SIZE(binder_objstat_strings));
3321  BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
3322  ARRAY_SIZE(stats->obj_deleted));
3323  for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) {
3324  if (stats->obj_created[i] || stats->obj_deleted[i])
3325  seq_printf(m, "%s%s: active %d total %d\n", prefix,
3326  binder_objstat_strings[i],
3327  stats->obj_created[i] - stats->obj_deleted[i],
3328  stats->obj_created[i]);
3329  }
3330 }
3331 
3332 static void print_binder_proc_stats(struct seq_file *m,
3333  struct binder_proc *proc)
3334 {
3335  struct binder_work *w;
3336  struct rb_node *n;
3337  int count, strong, weak;
3338 
3339  seq_printf(m, "proc %d\n", proc->pid);
3340  count = 0;
3341  for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
3342  count++;
3343  seq_printf(m, " threads: %d\n", count);
3344  seq_printf(m, " requested threads: %d+%d/%d\n"
3345  " ready threads %d\n"
3346  " free async space %zd\n", proc->requested_threads,
3347  proc->requested_threads_started, proc->max_threads,
3348  proc->ready_threads, proc->free_async_space);
3349  count = 0;
3350  for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n))
3351  count++;
3352  seq_printf(m, " nodes: %d\n", count);
3353  count = 0;
3354  strong = 0;
3355  weak = 0;
3356  for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
3357  struct binder_ref *ref = rb_entry(n, struct binder_ref,
3358  rb_node_desc);
3359  count++;
3360  strong += ref->strong;
3361  weak += ref->weak;
3362  }
3363  seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak);
3364 
3365  count = 0;
3366  for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n))
3367  count++;
3368  seq_printf(m, " buffers: %d\n", count);
3369 
3370  count = 0;
3371  list_for_each_entry(w, &proc->todo, entry) {
3372  switch (w->type) {
3373  case BINDER_WORK_TRANSACTION:
3374  count++;
3375  break;
3376  default:
3377  break;
3378  }
3379  }
3380  seq_printf(m, " pending transactions: %d\n", count);
3381 
3382  print_binder_stats(m, " ", &proc->stats);
3383 }
3384 
3385 
3386 static int binder_state_show(struct seq_file *m, void *unused)
3387 {
3388  struct binder_proc *proc;
3389  struct hlist_node *pos;
3390  struct binder_node *node;
3391  int do_lock = !binder_debug_no_lock;
3392 
3393  if (do_lock)
3394  mutex_lock(&binder_lock);
3395 
3396  seq_puts(m, "binder state:\n");
3397 
3398  if (!hlist_empty(&binder_dead_nodes))
3399  seq_puts(m, "dead nodes:\n");
3400  hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node)
3401  print_binder_node(m, node);
3402 
3403  hlist_for_each_entry(proc, pos, &binder_procs, proc_node)
3404  print_binder_proc(m, proc, 1);
3405  if (do_lock)
3406  mutex_unlock(&binder_lock);
3407  return 0;
3408 }
3409 
3410 static int binder_stats_show(struct seq_file *m, void *unused)
3411 {
3412  struct binder_proc *proc;
3413  struct hlist_node *pos;
3414  int do_lock = !binder_debug_no_lock;
3415 
3416  if (do_lock)
3417  mutex_lock(&binder_lock);
3418 
3419  seq_puts(m, "binder stats:\n");
3420 
3421  print_binder_stats(m, "", &binder_stats);
3422 
3423  hlist_for_each_entry(proc, pos, &binder_procs, proc_node)
3424  print_binder_proc_stats(m, proc);
3425  if (do_lock)
3426  mutex_unlock(&binder_lock);
3427  return 0;
3428 }
3429 
3430 static int binder_transactions_show(struct seq_file *m, void *unused)
3431 {
3432  struct binder_proc *proc;
3433  struct hlist_node *pos;
3434  int do_lock = !binder_debug_no_lock;
3435 
3436  if (do_lock)
3437  mutex_lock(&binder_lock);
3438 
3439  seq_puts(m, "binder transactions:\n");
3440  hlist_for_each_entry(proc, pos, &binder_procs, proc_node)
3441  print_binder_proc(m, proc, 0);
3442  if (do_lock)
3443  mutex_unlock(&binder_lock);
3444  return 0;
3445 }
3446 
3447 static int binder_proc_show(struct seq_file *m, void *unused)
3448 {
3449  struct binder_proc *proc = m->private;
3450  int do_lock = !binder_debug_no_lock;
3451 
3452  if (do_lock)
3453  mutex_lock(&binder_lock);
3454  seq_puts(m, "binder proc state:\n");
3455  print_binder_proc(m, proc, 1);
3456  if (do_lock)
3457  mutex_unlock(&binder_lock);
3458  return 0;
3459 }
3460 
3461 static void print_binder_transaction_log_entry(struct seq_file *m,
3462  struct binder_transaction_log_entry *e)
3463 {
3464  seq_printf(m,
3465  "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n",
3466  e->debug_id, (e->call_type == 2) ? "reply" :
3467  ((e->call_type == 1) ? "async" : "call "), e->from_proc,
3468  e->from_thread, e->to_proc, e->to_thread, e->to_node,
3469  e->target_handle, e->data_size, e->offsets_size);
3470 }
3471 
3472 static int binder_transaction_log_show(struct seq_file *m, void *unused)
3473 {
3474  struct binder_transaction_log *log = m->private;
3475  int i;
3476 
3477  if (log->full) {
3478  for (i = log->next; i < ARRAY_SIZE(log->entry); i++)
3479  print_binder_transaction_log_entry(m, &log->entry[i]);
3480  }
3481  for (i = 0; i < log->next; i++)
3482  print_binder_transaction_log_entry(m, &log->entry[i]);
3483  return 0;
3484 }
3485 
3486 static const struct file_operations binder_fops = {
3487  .owner = THIS_MODULE,
3488  .poll = binder_poll,
3489  .unlocked_ioctl = binder_ioctl,
3490  .mmap = binder_mmap,
3491  .open = binder_open,
3492  .flush = binder_flush,
3493  .release = binder_release,
3494 };
3495 
3496 static struct miscdevice binder_miscdev = {
3497  .minor = MISC_DYNAMIC_MINOR,
3498  .name = "binder",
3499  .fops = &binder_fops
3500 };
3501 
3502 BINDER_DEBUG_ENTRY(state);
3503 BINDER_DEBUG_ENTRY(stats);
3504 BINDER_DEBUG_ENTRY(transactions);
3505 BINDER_DEBUG_ENTRY(transaction_log);
3506 
3507 static int __init binder_init(void)
3508 {
3509  int ret;
3510 
3511  binder_deferred_workqueue = create_singlethread_workqueue("binder");
3512  if (!binder_deferred_workqueue)
3513  return -ENOMEM;
3514 
3515  binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL);
3516  if (binder_debugfs_dir_entry_root)
3517  binder_debugfs_dir_entry_proc = debugfs_create_dir("proc",
3518  binder_debugfs_dir_entry_root);
3519  ret = misc_register(&binder_miscdev);
3520  if (binder_debugfs_dir_entry_root) {
3521  debugfs_create_file("state",
3522  S_IRUGO,
3523  binder_debugfs_dir_entry_root,
3524  NULL,
3525  &binder_state_fops);
3526  debugfs_create_file("stats",
3527  S_IRUGO,
3528  binder_debugfs_dir_entry_root,
3529  NULL,
3530  &binder_stats_fops);
3531  debugfs_create_file("transactions",
3532  S_IRUGO,
3533  binder_debugfs_dir_entry_root,
3534  NULL,
3535  &binder_transactions_fops);
3536  debugfs_create_file("transaction_log",
3537  S_IRUGO,
3538  binder_debugfs_dir_entry_root,
3539  &binder_transaction_log,
3540  &binder_transaction_log_fops);
3541  debugfs_create_file("failed_transaction_log",
3542  S_IRUGO,
3543  binder_debugfs_dir_entry_root,
3544  &binder_transaction_log_failed,
3545  &binder_transaction_log_fops);
3546  }
3547  return ret;
3548 }
3549 
3550 device_initcall(binder_init);
3551 
3552 MODULE_LICENSE("GPL v2");
Generated on Thu Jan 10 2013 14:25:52 for Linux Kernel by   doxygen 1.8.2