3 * Android IPC Subsystem
5 * Copyright (C) 2007-2008 Google, Inc.
7 * This software is licensed under the terms of the GNU General Public
8 * License version 2, as published by the Free Software Foundation, and
9 * may be copied, distributed, and modified under those terms.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
21 * There are 3 main spinlocks which must be acquired in the
24 * 1) proc->outer_lock : protects binder_ref
25 * binder_proc_lock() and binder_proc_unlock() are
27 * 2) node->lock : protects most fields of binder_node.
28 * binder_node_lock() and binder_node_unlock() are
30 * 3) proc->inner_lock : protects the thread and node lists
31 * (proc->threads, proc->waiting_threads, proc->nodes)
32 * and all todo lists associated with the binder_proc
33 * (proc->todo, thread->todo, proc->delivered_death and
34 * node->async_todo), as well as thread->transaction_stack
35 * binder_inner_proc_lock() and binder_inner_proc_unlock()
38 * Any lock under procA must never be nested under any lock at the same
39 * level or below on procB.
41 * Functions that require a lock held on entry indicate which lock
42 * in the suffix of the function name:
44 * foo_olocked() : requires node->outer_lock
45 * foo_nlocked() : requires node->lock
46 * foo_ilocked() : requires proc->inner_lock
47 * foo_oilocked(): requires proc->outer_lock and proc->inner_lock
48 * foo_nilocked(): requires node->lock and proc->inner_lock
52 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
54 #include <asm/cacheflush.h>
55 #include <linux/fdtable.h>
56 #include <linux/file.h>
57 #include <linux/freezer.h>
59 #include <linux/list.h>
60 #include <linux/miscdevice.h>
61 #include <linux/module.h>
62 #include <linux/mutex.h>
63 #include <linux/nsproxy.h>
64 #include <linux/poll.h>
65 #include <linux/debugfs.h>
66 #include <linux/rbtree.h>
67 #include <linux/sched/signal.h>
68 #include <linux/sched/mm.h>
69 #include <linux/seq_file.h>
70 #include <linux/uaccess.h>
71 #include <linux/pid_namespace.h>
72 #include <linux/security.h>
73 #include <linux/spinlock.h>
75 #ifdef CONFIG_ANDROID_BINDER_IPC_32BIT
76 #define BINDER_IPC_32BIT 1
79 #include <uapi/linux/android/binder.h>
80 #include "binder_alloc.h"
81 #include "binder_trace.h"
83 static HLIST_HEAD(binder_deferred_list);
84 static DEFINE_MUTEX(binder_deferred_lock);
86 static HLIST_HEAD(binder_devices);
87 static HLIST_HEAD(binder_procs);
88 static DEFINE_MUTEX(binder_procs_lock);
90 static HLIST_HEAD(binder_dead_nodes);
91 static DEFINE_SPINLOCK(binder_dead_nodes_lock);
93 static struct dentry *binder_debugfs_dir_entry_root;
94 static struct dentry *binder_debugfs_dir_entry_proc;
95 static atomic_t binder_last_id;
97 #define BINDER_DEBUG_ENTRY(name) \
98 static int binder_##name##_open(struct inode *inode, struct file *file) \
100 return single_open(file, binder_##name##_show, inode->i_private); \
103 static const struct file_operations binder_##name##_fops = { \
104 .owner = THIS_MODULE, \
105 .open = binder_##name##_open, \
107 .llseek = seq_lseek, \
108 .release = single_release, \
111 static int binder_proc_show(struct seq_file *m, void *unused);
112 BINDER_DEBUG_ENTRY(proc);
114 /* This is only defined in include/asm-arm/sizes.h */
120 #define SZ_4M 0x400000
123 #define FORBIDDEN_MMAP_FLAGS (VM_WRITE)
126 BINDER_DEBUG_USER_ERROR = 1U << 0,
127 BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1,
128 BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2,
129 BINDER_DEBUG_OPEN_CLOSE = 1U << 3,
130 BINDER_DEBUG_DEAD_BINDER = 1U << 4,
131 BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5,
132 BINDER_DEBUG_READ_WRITE = 1U << 6,
133 BINDER_DEBUG_USER_REFS = 1U << 7,
134 BINDER_DEBUG_THREADS = 1U << 8,
135 BINDER_DEBUG_TRANSACTION = 1U << 9,
136 BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10,
137 BINDER_DEBUG_FREE_BUFFER = 1U << 11,
138 BINDER_DEBUG_INTERNAL_REFS = 1U << 12,
139 BINDER_DEBUG_PRIORITY_CAP = 1U << 13,
140 BINDER_DEBUG_SPINLOCKS = 1U << 14,
142 static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR |
143 BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION;
144 module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO);
146 static char *binder_devices_param = CONFIG_ANDROID_BINDER_DEVICES;
147 module_param_named(devices, binder_devices_param, charp, 0444);
149 static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait);
150 static int binder_stop_on_user_error;
152 static int binder_set_stop_on_user_error(const char *val,
153 const struct kernel_param *kp)
157 ret = param_set_int(val, kp);
158 if (binder_stop_on_user_error < 2)
159 wake_up(&binder_user_error_wait);
162 module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
163 param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO);
165 #define binder_debug(mask, x...) \
167 if (binder_debug_mask & mask) \
171 #define binder_user_error(x...) \
173 if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \
175 if (binder_stop_on_user_error) \
176 binder_stop_on_user_error = 2; \
179 #define to_flat_binder_object(hdr) \
180 container_of(hdr, struct flat_binder_object, hdr)
182 #define to_binder_fd_object(hdr) container_of(hdr, struct binder_fd_object, hdr)
184 #define to_binder_buffer_object(hdr) \
185 container_of(hdr, struct binder_buffer_object, hdr)
187 #define to_binder_fd_array_object(hdr) \
188 container_of(hdr, struct binder_fd_array_object, hdr)
190 enum binder_stat_types {
196 BINDER_STAT_TRANSACTION,
197 BINDER_STAT_TRANSACTION_COMPLETE,
201 struct binder_stats {
202 atomic_t br[_IOC_NR(BR_FAILED_REPLY) + 1];
203 atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1];
204 atomic_t obj_created[BINDER_STAT_COUNT];
205 atomic_t obj_deleted[BINDER_STAT_COUNT];
208 static struct binder_stats binder_stats;
210 static inline void binder_stats_deleted(enum binder_stat_types type)
212 atomic_inc(&binder_stats.obj_deleted[type]);
215 static inline void binder_stats_created(enum binder_stat_types type)
217 atomic_inc(&binder_stats.obj_created[type]);
220 struct binder_transaction_log_entry {
232 int return_error_line;
233 uint32_t return_error;
234 uint32_t return_error_param;
235 const char *context_name;
237 struct binder_transaction_log {
240 struct binder_transaction_log_entry entry[32];
242 static struct binder_transaction_log binder_transaction_log;
243 static struct binder_transaction_log binder_transaction_log_failed;
245 static struct binder_transaction_log_entry *binder_transaction_log_add(
246 struct binder_transaction_log *log)
248 struct binder_transaction_log_entry *e;
249 unsigned int cur = atomic_inc_return(&log->cur);
251 if (cur >= ARRAY_SIZE(log->entry))
253 e = &log->entry[cur % ARRAY_SIZE(log->entry)];
254 WRITE_ONCE(e->debug_id_done, 0);
256 * write-barrier to synchronize access to e->debug_id_done.
257 * We make sure the initialized 0 value is seen before
258 * memset() other fields are zeroed by memset.
261 memset(e, 0, sizeof(*e));
265 struct binder_context {
266 struct binder_node *binder_context_mgr_node;
267 struct mutex context_mgr_node_lock;
269 kuid_t binder_context_mgr_uid;
273 struct binder_device {
274 struct hlist_node hlist;
275 struct miscdevice miscdev;
276 struct binder_context context;
280 * struct binder_work - work enqueued on a worklist
281 * @entry: node enqueued on list
282 * @type: type of work to be performed
284 * There are separate work lists for proc, thread, and node (async).
287 struct list_head entry;
290 BINDER_WORK_TRANSACTION = 1,
291 BINDER_WORK_TRANSACTION_COMPLETE,
292 BINDER_WORK_RETURN_ERROR,
294 BINDER_WORK_DEAD_BINDER,
295 BINDER_WORK_DEAD_BINDER_AND_CLEAR,
296 BINDER_WORK_CLEAR_DEATH_NOTIFICATION,
300 struct binder_error {
301 struct binder_work work;
306 * struct binder_node - binder node bookkeeping
307 * @debug_id: unique ID for debugging
308 * (invariant after initialized)
309 * @lock: lock for node fields
310 * @work: worklist element for node work
311 * (protected by @proc->inner_lock)
312 * @rb_node: element for proc->nodes tree
313 * (protected by @proc->inner_lock)
314 * @dead_node: element for binder_dead_nodes list
315 * (protected by binder_dead_nodes_lock)
316 * @proc: binder_proc that owns this node
317 * (invariant after initialized)
318 * @refs: list of references on this node
319 * (protected by @lock)
320 * @internal_strong_refs: used to take strong references when
321 * initiating a transaction
322 * (protected by @proc->inner_lock if @proc
324 * @local_weak_refs: weak user refs from local process
325 * (protected by @proc->inner_lock if @proc
327 * @local_strong_refs: strong user refs from local process
328 * (protected by @proc->inner_lock if @proc
330 * @tmp_refs: temporary kernel refs
331 * (protected by @proc->inner_lock while @proc
332 * is valid, and by binder_dead_nodes_lock
333 * if @proc is NULL. During inc/dec and node release
334 * it is also protected by @lock to provide safety
335 * as the node dies and @proc becomes NULL)
336 * @ptr: userspace pointer for node
337 * (invariant, no lock needed)
338 * @cookie: userspace cookie for node
339 * (invariant, no lock needed)
340 * @has_strong_ref: userspace notified of strong ref
341 * (protected by @proc->inner_lock if @proc
343 * @pending_strong_ref: userspace has acked notification of strong ref
344 * (protected by @proc->inner_lock if @proc
346 * @has_weak_ref: userspace notified of weak ref
347 * (protected by @proc->inner_lock if @proc
349 * @pending_weak_ref: userspace has acked notification of weak ref
350 * (protected by @proc->inner_lock if @proc
352 * @has_async_transaction: async transaction to node in progress
353 * (protected by @lock)
354 * @accept_fds: file descriptor operations supported for node
355 * (invariant after initialized)
356 * @min_priority: minimum scheduling priority
357 * (invariant after initialized)
358 * @async_todo: list of async work items
359 * (protected by @proc->inner_lock)
361 * Bookkeeping structure for binder nodes.
366 struct binder_work work;
368 struct rb_node rb_node;
369 struct hlist_node dead_node;
371 struct binder_proc *proc;
372 struct hlist_head refs;
373 int internal_strong_refs;
375 int local_strong_refs;
377 binder_uintptr_t ptr;
378 binder_uintptr_t cookie;
381 * bitfield elements protected by
385 u8 pending_strong_ref:1;
387 u8 pending_weak_ref:1;
391 * invariant after initialization
396 bool has_async_transaction;
397 struct list_head async_todo;
400 struct binder_ref_death {
402 * @work: worklist element for death notifications
403 * (protected by inner_lock of the proc that
404 * this ref belongs to)
406 struct binder_work work;
407 binder_uintptr_t cookie;
411 * struct binder_ref_data - binder_ref counts and id
412 * @debug_id: unique ID for the ref
413 * @desc: unique userspace handle for ref
414 * @strong: strong ref count (debugging only if not locked)
415 * @weak: weak ref count (debugging only if not locked)
417 * Structure to hold ref count and ref id information. Since
418 * the actual ref can only be accessed with a lock, this structure
419 * is used to return information about the ref to callers of
420 * ref inc/dec functions.
422 struct binder_ref_data {
430 * struct binder_ref - struct to track references on nodes
431 * @data: binder_ref_data containing id, handle, and current refcounts
432 * @rb_node_desc: node for lookup by @data.desc in proc's rb_tree
433 * @rb_node_node: node for lookup by @node in proc's rb_tree
434 * @node_entry: list entry for node->refs list in target node
435 * (protected by @node->lock)
436 * @proc: binder_proc containing ref
437 * @node: binder_node of target node. When cleaning up a
438 * ref for deletion in binder_cleanup_ref, a non-NULL
439 * @node indicates the node must be freed
440 * @death: pointer to death notification (ref_death) if requested
441 * (protected by @node->lock)
443 * Structure to track references from procA to target node (on procB). This
444 * structure is unsafe to access without holding @proc->outer_lock.
447 /* Lookups needed: */
448 /* node + proc => ref (transaction) */
449 /* desc + proc => ref (transaction, inc/dec ref) */
450 /* node => refs + procs (proc exit) */
451 struct binder_ref_data data;
452 struct rb_node rb_node_desc;
453 struct rb_node rb_node_node;
454 struct hlist_node node_entry;
455 struct binder_proc *proc;
456 struct binder_node *node;
457 struct binder_ref_death *death;
460 enum binder_deferred_state {
461 BINDER_DEFERRED_PUT_FILES = 0x01,
462 BINDER_DEFERRED_FLUSH = 0x02,
463 BINDER_DEFERRED_RELEASE = 0x04,
467 * struct binder_proc - binder process bookkeeping
468 * @proc_node: element for binder_procs list
469 * @threads: rbtree of binder_threads in this proc
470 * (protected by @inner_lock)
471 * @nodes: rbtree of binder nodes associated with
472 * this proc ordered by node->ptr
473 * (protected by @inner_lock)
474 * @refs_by_desc: rbtree of refs ordered by ref->desc
475 * (protected by @outer_lock)
476 * @refs_by_node: rbtree of refs ordered by ref->node
477 * (protected by @outer_lock)
478 * @waiting_threads: threads currently waiting for proc work
479 * (protected by @inner_lock)
480 * @pid PID of group_leader of process
481 * (invariant after initialized)
482 * @tsk task_struct for group_leader of process
483 * (invariant after initialized)
484 * @files files_struct for process
485 * (protected by @files_lock)
486 * @files_lock mutex to protect @files
487 * @deferred_work_node: element for binder_deferred_list
488 * (protected by binder_deferred_lock)
489 * @deferred_work: bitmap of deferred work to perform
490 * (protected by binder_deferred_lock)
491 * @is_dead: process is dead and awaiting free
492 * when outstanding transactions are cleaned up
493 * (protected by @inner_lock)
494 * @todo: list of work for this process
495 * (protected by @inner_lock)
496 * @wait: wait queue head to wait for proc work
497 * (invariant after initialized)
498 * @stats: per-process binder statistics
499 * (atomics, no lock needed)
500 * @delivered_death: list of delivered death notification
501 * (protected by @inner_lock)
502 * @max_threads: cap on number of binder threads
503 * (protected by @inner_lock)
504 * @requested_threads: number of binder threads requested but not
505 * yet started. In current implementation, can
507 * (protected by @inner_lock)
508 * @requested_threads_started: number binder threads started
509 * (protected by @inner_lock)
510 * @tmp_ref: temporary reference to indicate proc is in use
511 * (protected by @inner_lock)
512 * @default_priority: default scheduler priority
513 * (invariant after initialized)
514 * @debugfs_entry: debugfs node
515 * @alloc: binder allocator bookkeeping
516 * @context: binder_context for this proc
517 * (invariant after initialized)
518 * @inner_lock: can nest under outer_lock and/or node lock
519 * @outer_lock: no nesting under innor or node lock
520 * Lock order: 1) outer, 2) node, 3) inner
522 * Bookkeeping structure for binder processes
525 struct hlist_node proc_node;
526 struct rb_root threads;
527 struct rb_root nodes;
528 struct rb_root refs_by_desc;
529 struct rb_root refs_by_node;
530 struct list_head waiting_threads;
532 struct task_struct *tsk;
533 struct files_struct *files;
534 struct mutex files_lock;
535 struct hlist_node deferred_work_node;
539 struct list_head todo;
540 wait_queue_head_t wait;
541 struct binder_stats stats;
542 struct list_head delivered_death;
544 int requested_threads;
545 int requested_threads_started;
547 long default_priority;
548 struct dentry *debugfs_entry;
549 struct binder_alloc alloc;
550 struct binder_context *context;
551 spinlock_t inner_lock;
552 spinlock_t outer_lock;
556 BINDER_LOOPER_STATE_REGISTERED = 0x01,
557 BINDER_LOOPER_STATE_ENTERED = 0x02,
558 BINDER_LOOPER_STATE_EXITED = 0x04,
559 BINDER_LOOPER_STATE_INVALID = 0x08,
560 BINDER_LOOPER_STATE_WAITING = 0x10,
561 BINDER_LOOPER_STATE_POLL = 0x20,
565 * struct binder_thread - binder thread bookkeeping
566 * @proc: binder process for this thread
567 * (invariant after initialization)
568 * @rb_node: element for proc->threads rbtree
569 * (protected by @proc->inner_lock)
570 * @waiting_thread_node: element for @proc->waiting_threads list
571 * (protected by @proc->inner_lock)
572 * @pid: PID for this thread
573 * (invariant after initialization)
574 * @looper: bitmap of looping state
575 * (only accessed by this thread)
576 * @looper_needs_return: looping thread needs to exit driver
578 * @transaction_stack: stack of in-progress transactions for this thread
579 * (protected by @proc->inner_lock)
580 * @todo: list of work to do for this thread
581 * (protected by @proc->inner_lock)
582 * @return_error: transaction errors reported by this thread
583 * (only accessed by this thread)
584 * @reply_error: transaction errors reported by target thread
585 * (protected by @proc->inner_lock)
586 * @wait: wait queue for thread work
587 * @stats: per-thread statistics
588 * (atomics, no lock needed)
589 * @tmp_ref: temporary reference to indicate thread is in use
590 * (atomic since @proc->inner_lock cannot
591 * always be acquired)
592 * @is_dead: thread is dead and awaiting free
593 * when outstanding transactions are cleaned up
594 * (protected by @proc->inner_lock)
596 * Bookkeeping structure for binder threads.
598 struct binder_thread {
599 struct binder_proc *proc;
600 struct rb_node rb_node;
601 struct list_head waiting_thread_node;
603 int looper; /* only modified by this thread */
604 bool looper_need_return; /* can be written by other thread */
605 struct binder_transaction *transaction_stack;
606 struct list_head todo;
607 struct binder_error return_error;
608 struct binder_error reply_error;
609 wait_queue_head_t wait;
610 struct binder_stats stats;
615 struct binder_transaction {
617 struct binder_work work;
618 struct binder_thread *from;
619 struct binder_transaction *from_parent;
620 struct binder_proc *to_proc;
621 struct binder_thread *to_thread;
622 struct binder_transaction *to_parent;
623 unsigned need_reply:1;
624 /* unsigned is_dead:1; */ /* not used at the moment */
626 struct binder_buffer *buffer;
633 * @lock: protects @from, @to_proc, and @to_thread
635 * @from, @to_proc, and @to_thread can be set to NULL
636 * during thread teardown
642 * binder_proc_lock() - Acquire outer lock for given binder_proc
643 * @proc: struct binder_proc to acquire
645 * Acquires proc->outer_lock. Used to protect binder_ref
646 * structures associated with the given proc.
648 #define binder_proc_lock(proc) _binder_proc_lock(proc, __LINE__)
650 _binder_proc_lock(struct binder_proc *proc, int line)
652 binder_debug(BINDER_DEBUG_SPINLOCKS,
653 "%s: line=%d\n", __func__, line);
654 spin_lock(&proc->outer_lock);
658 * binder_proc_unlock() - Release spinlock for given binder_proc
659 * @proc: struct binder_proc to acquire
661 * Release lock acquired via binder_proc_lock()
663 #define binder_proc_unlock(_proc) _binder_proc_unlock(_proc, __LINE__)
665 _binder_proc_unlock(struct binder_proc *proc, int line)
667 binder_debug(BINDER_DEBUG_SPINLOCKS,
668 "%s: line=%d\n", __func__, line);
669 spin_unlock(&proc->outer_lock);
673 * binder_inner_proc_lock() - Acquire inner lock for given binder_proc
674 * @proc: struct binder_proc to acquire
676 * Acquires proc->inner_lock. Used to protect todo lists
678 #define binder_inner_proc_lock(proc) _binder_inner_proc_lock(proc, __LINE__)
680 _binder_inner_proc_lock(struct binder_proc *proc, int line)
682 binder_debug(BINDER_DEBUG_SPINLOCKS,
683 "%s: line=%d\n", __func__, line);
684 spin_lock(&proc->inner_lock);
688 * binder_inner_proc_unlock() - Release inner lock for given binder_proc
689 * @proc: struct binder_proc to acquire
691 * Release lock acquired via binder_inner_proc_lock()
693 #define binder_inner_proc_unlock(proc) _binder_inner_proc_unlock(proc, __LINE__)
695 _binder_inner_proc_unlock(struct binder_proc *proc, int line)
697 binder_debug(BINDER_DEBUG_SPINLOCKS,
698 "%s: line=%d\n", __func__, line);
699 spin_unlock(&proc->inner_lock);
703 * binder_node_lock() - Acquire spinlock for given binder_node
704 * @node: struct binder_node to acquire
706 * Acquires node->lock. Used to protect binder_node fields
708 #define binder_node_lock(node) _binder_node_lock(node, __LINE__)
710 _binder_node_lock(struct binder_node *node, int line)
712 binder_debug(BINDER_DEBUG_SPINLOCKS,
713 "%s: line=%d\n", __func__, line);
714 spin_lock(&node->lock);
718 * binder_node_unlock() - Release spinlock for given binder_proc
719 * @node: struct binder_node to acquire
721 * Release lock acquired via binder_node_lock()
723 #define binder_node_unlock(node) _binder_node_unlock(node, __LINE__)
725 _binder_node_unlock(struct binder_node *node, int line)
727 binder_debug(BINDER_DEBUG_SPINLOCKS,
728 "%s: line=%d\n", __func__, line);
729 spin_unlock(&node->lock);
733 * binder_node_inner_lock() - Acquire node and inner locks
734 * @node: struct binder_node to acquire
736 * Acquires node->lock. If node->proc also acquires
737 * proc->inner_lock. Used to protect binder_node fields
739 #define binder_node_inner_lock(node) _binder_node_inner_lock(node, __LINE__)
741 _binder_node_inner_lock(struct binder_node *node, int line)
743 binder_debug(BINDER_DEBUG_SPINLOCKS,
744 "%s: line=%d\n", __func__, line);
745 spin_lock(&node->lock);
747 binder_inner_proc_lock(node->proc);
751 * binder_node_unlock() - Release node and inner locks
752 * @node: struct binder_node to acquire
754 * Release lock acquired via binder_node_lock()
756 #define binder_node_inner_unlock(node) _binder_node_inner_unlock(node, __LINE__)
758 _binder_node_inner_unlock(struct binder_node *node, int line)
760 struct binder_proc *proc = node->proc;
762 binder_debug(BINDER_DEBUG_SPINLOCKS,
763 "%s: line=%d\n", __func__, line);
765 binder_inner_proc_unlock(proc);
766 spin_unlock(&node->lock);
769 static bool binder_worklist_empty_ilocked(struct list_head *list)
771 return list_empty(list);
775 * binder_worklist_empty() - Check if no items on the work list
776 * @proc: binder_proc associated with list
777 * @list: list to check
779 * Return: true if there are no items on list, else false
781 static bool binder_worklist_empty(struct binder_proc *proc,
782 struct list_head *list)
786 binder_inner_proc_lock(proc);
787 ret = binder_worklist_empty_ilocked(list);
788 binder_inner_proc_unlock(proc);
793 binder_enqueue_work_ilocked(struct binder_work *work,
794 struct list_head *target_list)
796 BUG_ON(target_list == NULL);
797 BUG_ON(work->entry.next && !list_empty(&work->entry));
798 list_add_tail(&work->entry, target_list);
802 * binder_enqueue_work() - Add an item to the work list
803 * @proc: binder_proc associated with list
804 * @work: struct binder_work to add to list
805 * @target_list: list to add work to
807 * Adds the work to the specified list. Asserts that work
808 * is not already on a list.
811 binder_enqueue_work(struct binder_proc *proc,
812 struct binder_work *work,
813 struct list_head *target_list)
815 binder_inner_proc_lock(proc);
816 binder_enqueue_work_ilocked(work, target_list);
817 binder_inner_proc_unlock(proc);
821 binder_dequeue_work_ilocked(struct binder_work *work)
823 list_del_init(&work->entry);
827 * binder_dequeue_work() - Removes an item from the work list
828 * @proc: binder_proc associated with list
829 * @work: struct binder_work to remove from list
831 * Removes the specified work item from whatever list it is on.
832 * Can safely be called if work is not on any list.
835 binder_dequeue_work(struct binder_proc *proc, struct binder_work *work)
837 binder_inner_proc_lock(proc);
838 binder_dequeue_work_ilocked(work);
839 binder_inner_proc_unlock(proc);
842 static struct binder_work *binder_dequeue_work_head_ilocked(
843 struct list_head *list)
845 struct binder_work *w;
847 w = list_first_entry_or_null(list, struct binder_work, entry);
849 list_del_init(&w->entry);
854 * binder_dequeue_work_head() - Dequeues the item at head of list
855 * @proc: binder_proc associated with list
856 * @list: list to dequeue head
858 * Removes the head of the list if there are items on the list
860 * Return: pointer dequeued binder_work, NULL if list was empty
862 static struct binder_work *binder_dequeue_work_head(
863 struct binder_proc *proc,
864 struct list_head *list)
866 struct binder_work *w;
868 binder_inner_proc_lock(proc);
869 w = binder_dequeue_work_head_ilocked(list);
870 binder_inner_proc_unlock(proc);
875 binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
876 static void binder_free_thread(struct binder_thread *thread);
877 static void binder_free_proc(struct binder_proc *proc);
878 static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
880 static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
882 unsigned long rlim_cur;
886 mutex_lock(&proc->files_lock);
887 if (proc->files == NULL) {
891 if (!lock_task_sighand(proc->tsk, &irqs)) {
895 rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
896 unlock_task_sighand(proc->tsk, &irqs);
898 ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
900 mutex_unlock(&proc->files_lock);
905 * copied from fd_install
907 static void task_fd_install(
908 struct binder_proc *proc, unsigned int fd, struct file *file)
910 mutex_lock(&proc->files_lock);
912 __fd_install(proc->files, fd, file);
913 mutex_unlock(&proc->files_lock);
917 * copied from sys_close
919 static long task_close_fd(struct binder_proc *proc, unsigned int fd)
923 mutex_lock(&proc->files_lock);
924 if (proc->files == NULL) {
928 retval = __close_fd(proc->files, fd);
929 /* can't restart close syscall because file table entry was cleared */
930 if (unlikely(retval == -ERESTARTSYS ||
931 retval == -ERESTARTNOINTR ||
932 retval == -ERESTARTNOHAND ||
933 retval == -ERESTART_RESTARTBLOCK))
936 mutex_unlock(&proc->files_lock);
940 static bool binder_has_work_ilocked(struct binder_thread *thread,
943 return !binder_worklist_empty_ilocked(&thread->todo) ||
944 thread->looper_need_return ||
946 !binder_worklist_empty_ilocked(&thread->proc->todo));
949 static bool binder_has_work(struct binder_thread *thread, bool do_proc_work)
953 binder_inner_proc_lock(thread->proc);
954 has_work = binder_has_work_ilocked(thread, do_proc_work);
955 binder_inner_proc_unlock(thread->proc);
960 static bool binder_available_for_proc_work_ilocked(struct binder_thread *thread)
962 return !thread->transaction_stack &&
963 binder_worklist_empty_ilocked(&thread->todo) &&
964 (thread->looper & (BINDER_LOOPER_STATE_ENTERED |
965 BINDER_LOOPER_STATE_REGISTERED));
968 static void binder_wakeup_poll_threads_ilocked(struct binder_proc *proc,
972 struct binder_thread *thread;
974 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
975 thread = rb_entry(n, struct binder_thread, rb_node);
976 if (thread->looper & BINDER_LOOPER_STATE_POLL &&
977 binder_available_for_proc_work_ilocked(thread)) {
979 wake_up_interruptible_sync(&thread->wait);
981 wake_up_interruptible(&thread->wait);
987 * binder_select_thread_ilocked() - selects a thread for doing proc work.
988 * @proc: process to select a thread from
990 * Note that calling this function moves the thread off the waiting_threads
991 * list, so it can only be woken up by the caller of this function, or a
992 * signal. Therefore, callers *should* always wake up the thread this function
995 * Return: If there's a thread currently waiting for process work,
996 * returns that thread. Otherwise returns NULL.
998 static struct binder_thread *
999 binder_select_thread_ilocked(struct binder_proc *proc)
1001 struct binder_thread *thread;
1003 assert_spin_locked(&proc->inner_lock);
1004 thread = list_first_entry_or_null(&proc->waiting_threads,
1005 struct binder_thread,
1006 waiting_thread_node);
1009 list_del_init(&thread->waiting_thread_node);
1015 * binder_wakeup_thread_ilocked() - wakes up a thread for doing proc work.
1016 * @proc: process to wake up a thread in
1017 * @thread: specific thread to wake-up (may be NULL)
1018 * @sync: whether to do a synchronous wake-up
1020 * This function wakes up a thread in the @proc process.
1021 * The caller may provide a specific thread to wake-up in
1022 * the @thread parameter. If @thread is NULL, this function
1023 * will wake up threads that have called poll().
1025 * Note that for this function to work as expected, callers
1026 * should first call binder_select_thread() to find a thread
1027 * to handle the work (if they don't have a thread already),
1028 * and pass the result into the @thread parameter.
1030 static void binder_wakeup_thread_ilocked(struct binder_proc *proc,
1031 struct binder_thread *thread,
1034 assert_spin_locked(&proc->inner_lock);
1038 wake_up_interruptible_sync(&thread->wait);
1040 wake_up_interruptible(&thread->wait);
1044 /* Didn't find a thread waiting for proc work; this can happen
1046 * 1. All threads are busy handling transactions
1047 * In that case, one of those threads should call back into
1048 * the kernel driver soon and pick up this work.
1049 * 2. Threads are using the (e)poll interface, in which case
1050 * they may be blocked on the waitqueue without having been
1051 * added to waiting_threads. For this case, we just iterate
1052 * over all threads not handling transaction work, and
1053 * wake them all up. We wake all because we don't know whether
1054 * a thread that called into (e)poll is handling non-binder
1057 binder_wakeup_poll_threads_ilocked(proc, sync);
1060 static void binder_wakeup_proc_ilocked(struct binder_proc *proc)
1062 struct binder_thread *thread = binder_select_thread_ilocked(proc);
1064 binder_wakeup_thread_ilocked(proc, thread, /* sync = */false);
1067 static void binder_set_nice(long nice)
1071 if (can_nice(current, nice)) {
1072 set_user_nice(current, nice);
1075 min_nice = rlimit_to_nice(rlimit(RLIMIT_NICE));
1076 binder_debug(BINDER_DEBUG_PRIORITY_CAP,
1077 "%d: nice value %ld not allowed use %ld instead\n",
1078 current->pid, nice, min_nice);
1079 set_user_nice(current, min_nice);
1080 if (min_nice <= MAX_NICE)
1082 binder_user_error("%d RLIMIT_NICE not set\n", current->pid);
1085 static struct binder_node *binder_get_node_ilocked(struct binder_proc *proc,
1086 binder_uintptr_t ptr)
1088 struct rb_node *n = proc->nodes.rb_node;
1089 struct binder_node *node;
1091 assert_spin_locked(&proc->inner_lock);
1094 node = rb_entry(n, struct binder_node, rb_node);
1096 if (ptr < node->ptr)
1098 else if (ptr > node->ptr)
1102 * take an implicit weak reference
1103 * to ensure node stays alive until
1104 * call to binder_put_node()
1106 binder_inc_node_tmpref_ilocked(node);
1113 static struct binder_node *binder_get_node(struct binder_proc *proc,
1114 binder_uintptr_t ptr)
1116 struct binder_node *node;
1118 binder_inner_proc_lock(proc);
1119 node = binder_get_node_ilocked(proc, ptr);
1120 binder_inner_proc_unlock(proc);
1124 static struct binder_node *binder_init_node_ilocked(
1125 struct binder_proc *proc,
1126 struct binder_node *new_node,
1127 struct flat_binder_object *fp)
1129 struct rb_node **p = &proc->nodes.rb_node;
1130 struct rb_node *parent = NULL;
1131 struct binder_node *node;
1132 binder_uintptr_t ptr = fp ? fp->binder : 0;
1133 binder_uintptr_t cookie = fp ? fp->cookie : 0;
1134 __u32 flags = fp ? fp->flags : 0;
1136 assert_spin_locked(&proc->inner_lock);
1141 node = rb_entry(parent, struct binder_node, rb_node);
1143 if (ptr < node->ptr)
1145 else if (ptr > node->ptr)
1146 p = &(*p)->rb_right;
1149 * A matching node is already in
1150 * the rb tree. Abandon the init
1153 binder_inc_node_tmpref_ilocked(node);
1158 binder_stats_created(BINDER_STAT_NODE);
1160 rb_link_node(&node->rb_node, parent, p);
1161 rb_insert_color(&node->rb_node, &proc->nodes);
1162 node->debug_id = atomic_inc_return(&binder_last_id);
1165 node->cookie = cookie;
1166 node->work.type = BINDER_WORK_NODE;
1167 node->min_priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
1168 node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
1169 spin_lock_init(&node->lock);
1170 INIT_LIST_HEAD(&node->work.entry);
1171 INIT_LIST_HEAD(&node->async_todo);
1172 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1173 "%d:%d node %d u%016llx c%016llx created\n",
1174 proc->pid, current->pid, node->debug_id,
1175 (u64)node->ptr, (u64)node->cookie);
1180 static struct binder_node *binder_new_node(struct binder_proc *proc,
1181 struct flat_binder_object *fp)
1183 struct binder_node *node;
1184 struct binder_node *new_node = kzalloc(sizeof(*node), GFP_KERNEL);
1188 binder_inner_proc_lock(proc);
1189 node = binder_init_node_ilocked(proc, new_node, fp);
1190 binder_inner_proc_unlock(proc);
1191 if (node != new_node)
1193 * The node was already added by another thread
1200 static void binder_free_node(struct binder_node *node)
1203 binder_stats_deleted(BINDER_STAT_NODE);
1206 static int binder_inc_node_nilocked(struct binder_node *node, int strong,
1208 struct list_head *target_list)
1210 struct binder_proc *proc = node->proc;
1212 assert_spin_locked(&node->lock);
1214 assert_spin_locked(&proc->inner_lock);
1217 if (target_list == NULL &&
1218 node->internal_strong_refs == 0 &&
1220 node == node->proc->context->binder_context_mgr_node &&
1221 node->has_strong_ref)) {
1222 pr_err("invalid inc strong node for %d\n",
1226 node->internal_strong_refs++;
1228 node->local_strong_refs++;
1229 if (!node->has_strong_ref && target_list) {
1230 binder_dequeue_work_ilocked(&node->work);
1231 binder_enqueue_work_ilocked(&node->work, target_list);
1235 node->local_weak_refs++;
1236 if (!node->has_weak_ref && list_empty(&node->work.entry)) {
1237 if (target_list == NULL) {
1238 pr_err("invalid inc weak node for %d\n",
1242 binder_enqueue_work_ilocked(&node->work, target_list);
1248 static int binder_inc_node(struct binder_node *node, int strong, int internal,
1249 struct list_head *target_list)
1253 binder_node_inner_lock(node);
1254 ret = binder_inc_node_nilocked(node, strong, internal, target_list);
1255 binder_node_inner_unlock(node);
1260 static bool binder_dec_node_nilocked(struct binder_node *node,
1261 int strong, int internal)
1263 struct binder_proc *proc = node->proc;
1265 assert_spin_locked(&node->lock);
1267 assert_spin_locked(&proc->inner_lock);
1270 node->internal_strong_refs--;
1272 node->local_strong_refs--;
1273 if (node->local_strong_refs || node->internal_strong_refs)
1277 node->local_weak_refs--;
1278 if (node->local_weak_refs || node->tmp_refs ||
1279 !hlist_empty(&node->refs))
1283 if (proc && (node->has_strong_ref || node->has_weak_ref)) {
1284 if (list_empty(&node->work.entry)) {
1285 binder_enqueue_work_ilocked(&node->work, &proc->todo);
1286 binder_wakeup_proc_ilocked(proc);
1289 if (hlist_empty(&node->refs) && !node->local_strong_refs &&
1290 !node->local_weak_refs && !node->tmp_refs) {
1292 binder_dequeue_work_ilocked(&node->work);
1293 rb_erase(&node->rb_node, &proc->nodes);
1294 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1295 "refless node %d deleted\n",
1298 BUG_ON(!list_empty(&node->work.entry));
1299 spin_lock(&binder_dead_nodes_lock);
1301 * tmp_refs could have changed so
1304 if (node->tmp_refs) {
1305 spin_unlock(&binder_dead_nodes_lock);
1308 hlist_del(&node->dead_node);
1309 spin_unlock(&binder_dead_nodes_lock);
1310 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1311 "dead node %d deleted\n",
1320 static void binder_dec_node(struct binder_node *node, int strong, int internal)
1324 binder_node_inner_lock(node);
1325 free_node = binder_dec_node_nilocked(node, strong, internal);
1326 binder_node_inner_unlock(node);
1328 binder_free_node(node);
1331 static void binder_inc_node_tmpref_ilocked(struct binder_node *node)
1334 * No call to binder_inc_node() is needed since we
1335 * don't need to inform userspace of any changes to
1342 * binder_inc_node_tmpref() - take a temporary reference on node
1343 * @node: node to reference
1345 * Take reference on node to prevent the node from being freed
1346 * while referenced only by a local variable. The inner lock is
1347 * needed to serialize with the node work on the queue (which
1348 * isn't needed after the node is dead). If the node is dead
1349 * (node->proc is NULL), use binder_dead_nodes_lock to protect
1350 * node->tmp_refs against dead-node-only cases where the node
1351 * lock cannot be acquired (eg traversing the dead node list to
1354 static void binder_inc_node_tmpref(struct binder_node *node)
1356 binder_node_lock(node);
1358 binder_inner_proc_lock(node->proc);
1360 spin_lock(&binder_dead_nodes_lock);
1361 binder_inc_node_tmpref_ilocked(node);
1363 binder_inner_proc_unlock(node->proc);
1365 spin_unlock(&binder_dead_nodes_lock);
1366 binder_node_unlock(node);
1370 * binder_dec_node_tmpref() - remove a temporary reference on node
1371 * @node: node to reference
1373 * Release temporary reference on node taken via binder_inc_node_tmpref()
1375 static void binder_dec_node_tmpref(struct binder_node *node)
1379 binder_node_inner_lock(node);
1381 spin_lock(&binder_dead_nodes_lock);
1383 BUG_ON(node->tmp_refs < 0);
1385 spin_unlock(&binder_dead_nodes_lock);
1387 * Call binder_dec_node() to check if all refcounts are 0
1388 * and cleanup is needed. Calling with strong=0 and internal=1
1389 * causes no actual reference to be released in binder_dec_node().
1390 * If that changes, a change is needed here too.
1392 free_node = binder_dec_node_nilocked(node, 0, 1);
1393 binder_node_inner_unlock(node);
1395 binder_free_node(node);
1398 static void binder_put_node(struct binder_node *node)
1400 binder_dec_node_tmpref(node);
1403 static struct binder_ref *binder_get_ref_olocked(struct binder_proc *proc,
1404 u32 desc, bool need_strong_ref)
1406 struct rb_node *n = proc->refs_by_desc.rb_node;
1407 struct binder_ref *ref;
1410 ref = rb_entry(n, struct binder_ref, rb_node_desc);
1412 if (desc < ref->data.desc) {
1414 } else if (desc > ref->data.desc) {
1416 } else if (need_strong_ref && !ref->data.strong) {
1417 binder_user_error("tried to use weak ref as strong ref\n");
1427 * binder_get_ref_for_node_olocked() - get the ref associated with given node
1428 * @proc: binder_proc that owns the ref
1429 * @node: binder_node of target
1430 * @new_ref: newly allocated binder_ref to be initialized or %NULL
1432 * Look up the ref for the given node and return it if it exists
1434 * If it doesn't exist and the caller provides a newly allocated
1435 * ref, initialize the fields of the newly allocated ref and insert
1436 * into the given proc rb_trees and node refs list.
1438 * Return: the ref for node. It is possible that another thread
1439 * allocated/initialized the ref first in which case the
1440 * returned ref would be different than the passed-in
1441 * new_ref. new_ref must be kfree'd by the caller in
1444 static struct binder_ref *binder_get_ref_for_node_olocked(
1445 struct binder_proc *proc,
1446 struct binder_node *node,
1447 struct binder_ref *new_ref)
1449 struct binder_context *context = proc->context;
1450 struct rb_node **p = &proc->refs_by_node.rb_node;
1451 struct rb_node *parent = NULL;
1452 struct binder_ref *ref;
1457 ref = rb_entry(parent, struct binder_ref, rb_node_node);
1459 if (node < ref->node)
1461 else if (node > ref->node)
1462 p = &(*p)->rb_right;
1469 binder_stats_created(BINDER_STAT_REF);
1470 new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
1471 new_ref->proc = proc;
1472 new_ref->node = node;
1473 rb_link_node(&new_ref->rb_node_node, parent, p);
1474 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
1476 new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
1477 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
1478 ref = rb_entry(n, struct binder_ref, rb_node_desc);
1479 if (ref->data.desc > new_ref->data.desc)
1481 new_ref->data.desc = ref->data.desc + 1;
1484 p = &proc->refs_by_desc.rb_node;
1487 ref = rb_entry(parent, struct binder_ref, rb_node_desc);
1489 if (new_ref->data.desc < ref->data.desc)
1491 else if (new_ref->data.desc > ref->data.desc)
1492 p = &(*p)->rb_right;
1496 rb_link_node(&new_ref->rb_node_desc, parent, p);
1497 rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
1499 binder_node_lock(node);
1500 hlist_add_head(&new_ref->node_entry, &node->refs);
1502 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1503 "%d new ref %d desc %d for node %d\n",
1504 proc->pid, new_ref->data.debug_id, new_ref->data.desc,
1506 binder_node_unlock(node);
1510 static void binder_cleanup_ref_olocked(struct binder_ref *ref)
1512 bool delete_node = false;
1514 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1515 "%d delete ref %d desc %d for node %d\n",
1516 ref->proc->pid, ref->data.debug_id, ref->data.desc,
1517 ref->node->debug_id);
1519 rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc);
1520 rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node);
1522 binder_node_inner_lock(ref->node);
1523 if (ref->data.strong)
1524 binder_dec_node_nilocked(ref->node, 1, 1);
1526 hlist_del(&ref->node_entry);
1527 delete_node = binder_dec_node_nilocked(ref->node, 0, 1);
1528 binder_node_inner_unlock(ref->node);
1530 * Clear ref->node unless we want the caller to free the node
1534 * The caller uses ref->node to determine
1535 * whether the node needs to be freed. Clear
1536 * it since the node is still alive.
1542 binder_debug(BINDER_DEBUG_DEAD_BINDER,
1543 "%d delete ref %d desc %d has death notification\n",
1544 ref->proc->pid, ref->data.debug_id,
1546 binder_dequeue_work(ref->proc, &ref->death->work);
1547 binder_stats_deleted(BINDER_STAT_DEATH);
1549 binder_stats_deleted(BINDER_STAT_REF);
1553 * binder_inc_ref_olocked() - increment the ref for given handle
1554 * @ref: ref to be incremented
1555 * @strong: if true, strong increment, else weak
1556 * @target_list: list to queue node work on
1558 * Increment the ref. @ref->proc->outer_lock must be held on entry
1560 * Return: 0, if successful, else errno
1562 static int binder_inc_ref_olocked(struct binder_ref *ref, int strong,
1563 struct list_head *target_list)
1568 if (ref->data.strong == 0) {
1569 ret = binder_inc_node(ref->node, 1, 1, target_list);
1575 if (ref->data.weak == 0) {
1576 ret = binder_inc_node(ref->node, 0, 1, target_list);
1586 * binder_dec_ref() - dec the ref for given handle
1587 * @ref: ref to be decremented
1588 * @strong: if true, strong decrement, else weak
1590 * Decrement the ref.
1592 * Return: true if ref is cleaned up and ready to be freed
1594 static bool binder_dec_ref_olocked(struct binder_ref *ref, int strong)
1597 if (ref->data.strong == 0) {
1598 binder_user_error("%d invalid dec strong, ref %d desc %d s %d w %d\n",
1599 ref->proc->pid, ref->data.debug_id,
1600 ref->data.desc, ref->data.strong,
1605 if (ref->data.strong == 0)
1606 binder_dec_node(ref->node, strong, 1);
1608 if (ref->data.weak == 0) {
1609 binder_user_error("%d invalid dec weak, ref %d desc %d s %d w %d\n",
1610 ref->proc->pid, ref->data.debug_id,
1611 ref->data.desc, ref->data.strong,
1617 if (ref->data.strong == 0 && ref->data.weak == 0) {
1618 binder_cleanup_ref_olocked(ref);
1625 * binder_get_node_from_ref() - get the node from the given proc/desc
1626 * @proc: proc containing the ref
1627 * @desc: the handle associated with the ref
1628 * @need_strong_ref: if true, only return node if ref is strong
1629 * @rdata: the id/refcount data for the ref
1631 * Given a proc and ref handle, return the associated binder_node
1633 * Return: a binder_node or NULL if not found or not strong when strong required
1635 static struct binder_node *binder_get_node_from_ref(
1636 struct binder_proc *proc,
1637 u32 desc, bool need_strong_ref,
1638 struct binder_ref_data *rdata)
1640 struct binder_node *node;
1641 struct binder_ref *ref;
1643 binder_proc_lock(proc);
1644 ref = binder_get_ref_olocked(proc, desc, need_strong_ref);
1649 * Take an implicit reference on the node to ensure
1650 * it stays alive until the call to binder_put_node()
1652 binder_inc_node_tmpref(node);
1655 binder_proc_unlock(proc);
1660 binder_proc_unlock(proc);
1665 * binder_free_ref() - free the binder_ref
1668 * Free the binder_ref. Free the binder_node indicated by ref->node
1669 * (if non-NULL) and the binder_ref_death indicated by ref->death.
1671 static void binder_free_ref(struct binder_ref *ref)
1674 binder_free_node(ref->node);
1680 * binder_update_ref_for_handle() - inc/dec the ref for given handle
1681 * @proc: proc containing the ref
1682 * @desc: the handle associated with the ref
1683 * @increment: true=inc reference, false=dec reference
1684 * @strong: true=strong reference, false=weak reference
1685 * @rdata: the id/refcount data for the ref
1687 * Given a proc and ref handle, increment or decrement the ref
1688 * according to "increment" arg.
1690 * Return: 0 if successful, else errno
1692 static int binder_update_ref_for_handle(struct binder_proc *proc,
1693 uint32_t desc, bool increment, bool strong,
1694 struct binder_ref_data *rdata)
1697 struct binder_ref *ref;
1698 bool delete_ref = false;
1700 binder_proc_lock(proc);
1701 ref = binder_get_ref_olocked(proc, desc, strong);
1707 ret = binder_inc_ref_olocked(ref, strong, NULL);
1709 delete_ref = binder_dec_ref_olocked(ref, strong);
1713 binder_proc_unlock(proc);
1716 binder_free_ref(ref);
1720 binder_proc_unlock(proc);
1725 * binder_dec_ref_for_handle() - dec the ref for given handle
1726 * @proc: proc containing the ref
1727 * @desc: the handle associated with the ref
1728 * @strong: true=strong reference, false=weak reference
1729 * @rdata: the id/refcount data for the ref
1731 * Just calls binder_update_ref_for_handle() to decrement the ref.
1733 * Return: 0 if successful, else errno
1735 static int binder_dec_ref_for_handle(struct binder_proc *proc,
1736 uint32_t desc, bool strong, struct binder_ref_data *rdata)
1738 return binder_update_ref_for_handle(proc, desc, false, strong, rdata);
1743 * binder_inc_ref_for_node() - increment the ref for given proc/node
1744 * @proc: proc containing the ref
1745 * @node: target node
1746 * @strong: true=strong reference, false=weak reference
1747 * @target_list: worklist to use if node is incremented
1748 * @rdata: the id/refcount data for the ref
1750 * Given a proc and node, increment the ref. Create the ref if it
1751 * doesn't already exist
1753 * Return: 0 if successful, else errno
1755 static int binder_inc_ref_for_node(struct binder_proc *proc,
1756 struct binder_node *node,
1758 struct list_head *target_list,
1759 struct binder_ref_data *rdata)
1761 struct binder_ref *ref;
1762 struct binder_ref *new_ref = NULL;
1765 binder_proc_lock(proc);
1766 ref = binder_get_ref_for_node_olocked(proc, node, NULL);
1768 binder_proc_unlock(proc);
1769 new_ref = kzalloc(sizeof(*ref), GFP_KERNEL);
1772 binder_proc_lock(proc);
1773 ref = binder_get_ref_for_node_olocked(proc, node, new_ref);
1775 ret = binder_inc_ref_olocked(ref, strong, target_list);
1777 binder_proc_unlock(proc);
1778 if (new_ref && ref != new_ref)
1780 * Another thread created the ref first so
1781 * free the one we allocated
1787 static void binder_pop_transaction_ilocked(struct binder_thread *target_thread,
1788 struct binder_transaction *t)
1790 BUG_ON(!target_thread);
1791 assert_spin_locked(&target_thread->proc->inner_lock);
1792 BUG_ON(target_thread->transaction_stack != t);
1793 BUG_ON(target_thread->transaction_stack->from != target_thread);
1794 target_thread->transaction_stack =
1795 target_thread->transaction_stack->from_parent;
1800 * binder_thread_dec_tmpref() - decrement thread->tmp_ref
1801 * @thread: thread to decrement
1803 * A thread needs to be kept alive while being used to create or
1804 * handle a transaction. binder_get_txn_from() is used to safely
1805 * extract t->from from a binder_transaction and keep the thread
1806 * indicated by t->from from being freed. When done with that
1807 * binder_thread, this function is called to decrement the
1808 * tmp_ref and free if appropriate (thread has been released
1809 * and no transaction being processed by the driver)
1811 static void binder_thread_dec_tmpref(struct binder_thread *thread)
1814 * atomic is used to protect the counter value while
1815 * it cannot reach zero or thread->is_dead is false
1817 binder_inner_proc_lock(thread->proc);
1818 atomic_dec(&thread->tmp_ref);
1819 if (thread->is_dead && !atomic_read(&thread->tmp_ref)) {
1820 binder_inner_proc_unlock(thread->proc);
1821 binder_free_thread(thread);
1824 binder_inner_proc_unlock(thread->proc);
1828 * binder_proc_dec_tmpref() - decrement proc->tmp_ref
1829 * @proc: proc to decrement
1831 * A binder_proc needs to be kept alive while being used to create or
1832 * handle a transaction. proc->tmp_ref is incremented when
1833 * creating a new transaction or the binder_proc is currently in-use
1834 * by threads that are being released. When done with the binder_proc,
1835 * this function is called to decrement the counter and free the
1836 * proc if appropriate (proc has been released, all threads have
1837 * been released and not currenly in-use to process a transaction).
1839 static void binder_proc_dec_tmpref(struct binder_proc *proc)
1841 binder_inner_proc_lock(proc);
1843 if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
1845 binder_inner_proc_unlock(proc);
1846 binder_free_proc(proc);
1849 binder_inner_proc_unlock(proc);
1853 * binder_get_txn_from() - safely extract the "from" thread in transaction
1854 * @t: binder transaction for t->from
1856 * Atomically return the "from" thread and increment the tmp_ref
1857 * count for the thread to ensure it stays alive until
1858 * binder_thread_dec_tmpref() is called.
1860 * Return: the value of t->from
1862 static struct binder_thread *binder_get_txn_from(
1863 struct binder_transaction *t)
1865 struct binder_thread *from;
1867 spin_lock(&t->lock);
1870 atomic_inc(&from->tmp_ref);
1871 spin_unlock(&t->lock);
1876 * binder_get_txn_from_and_acq_inner() - get t->from and acquire inner lock
1877 * @t: binder transaction for t->from
1879 * Same as binder_get_txn_from() except it also acquires the proc->inner_lock
1880 * to guarantee that the thread cannot be released while operating on it.
1881 * The caller must call binder_inner_proc_unlock() to release the inner lock
1882 * as well as call binder_dec_thread_txn() to release the reference.
1884 * Return: the value of t->from
1886 static struct binder_thread *binder_get_txn_from_and_acq_inner(
1887 struct binder_transaction *t)
1889 struct binder_thread *from;
1891 from = binder_get_txn_from(t);
1894 binder_inner_proc_lock(from->proc);
1896 BUG_ON(from != t->from);
1899 binder_inner_proc_unlock(from->proc);
1900 binder_thread_dec_tmpref(from);
1904 static void binder_free_transaction(struct binder_transaction *t)
1907 t->buffer->transaction = NULL;
1909 binder_stats_deleted(BINDER_STAT_TRANSACTION);
1912 static void binder_send_failed_reply(struct binder_transaction *t,
1913 uint32_t error_code)
1915 struct binder_thread *target_thread;
1916 struct binder_transaction *next;
1918 BUG_ON(t->flags & TF_ONE_WAY);
1920 target_thread = binder_get_txn_from_and_acq_inner(t);
1921 if (target_thread) {
1922 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
1923 "send failed reply for transaction %d to %d:%d\n",
1925 target_thread->proc->pid,
1926 target_thread->pid);
1928 binder_pop_transaction_ilocked(target_thread, t);
1929 if (target_thread->reply_error.cmd == BR_OK) {
1930 target_thread->reply_error.cmd = error_code;
1931 binder_enqueue_work_ilocked(
1932 &target_thread->reply_error.work,
1933 &target_thread->todo);
1934 wake_up_interruptible(&target_thread->wait);
1936 WARN(1, "Unexpected reply error: %u\n",
1937 target_thread->reply_error.cmd);
1939 binder_inner_proc_unlock(target_thread->proc);
1940 binder_thread_dec_tmpref(target_thread);
1941 binder_free_transaction(t);
1944 next = t->from_parent;
1946 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
1947 "send failed reply for transaction %d, target dead\n",
1950 binder_free_transaction(t);
1952 binder_debug(BINDER_DEBUG_DEAD_BINDER,
1953 "reply failed, no target thread at root\n");
1957 binder_debug(BINDER_DEBUG_DEAD_BINDER,
1958 "reply failed, no target thread -- retry %d\n",
1964 * binder_cleanup_transaction() - cleans up undelivered transaction
1965 * @t: transaction that needs to be cleaned up
1966 * @reason: reason the transaction wasn't delivered
1967 * @error_code: error to return to caller (if synchronous call)
1969 static void binder_cleanup_transaction(struct binder_transaction *t,
1971 uint32_t error_code)
1973 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) {
1974 binder_send_failed_reply(t, error_code);
1976 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
1977 "undelivered transaction %d, %s\n",
1978 t->debug_id, reason);
1979 binder_free_transaction(t);
1984 * binder_validate_object() - checks for a valid metadata object in a buffer.
1985 * @buffer: binder_buffer that we're parsing.
1986 * @offset: offset in the buffer at which to validate an object.
1988 * Return: If there's a valid metadata object at @offset in @buffer, the
1989 * size of that object. Otherwise, it returns zero.
1991 static size_t binder_validate_object(struct binder_buffer *buffer, u64 offset)
1993 /* Check if we can read a header first */
1994 struct binder_object_header *hdr;
1995 size_t object_size = 0;
1997 if (offset > buffer->data_size - sizeof(*hdr) ||
1998 buffer->data_size < sizeof(*hdr) ||
1999 !IS_ALIGNED(offset, sizeof(u32)))
2002 /* Ok, now see if we can read a complete object. */
2003 hdr = (struct binder_object_header *)(buffer->data + offset);
2004 switch (hdr->type) {
2005 case BINDER_TYPE_BINDER:
2006 case BINDER_TYPE_WEAK_BINDER:
2007 case BINDER_TYPE_HANDLE:
2008 case BINDER_TYPE_WEAK_HANDLE:
2009 object_size = sizeof(struct flat_binder_object);
2011 case BINDER_TYPE_FD:
2012 object_size = sizeof(struct binder_fd_object);
2014 case BINDER_TYPE_PTR:
2015 object_size = sizeof(struct binder_buffer_object);
2017 case BINDER_TYPE_FDA:
2018 object_size = sizeof(struct binder_fd_array_object);
2023 if (offset <= buffer->data_size - object_size &&
2024 buffer->data_size >= object_size)
2031 * binder_validate_ptr() - validates binder_buffer_object in a binder_buffer.
2032 * @b: binder_buffer containing the object
2033 * @index: index in offset array at which the binder_buffer_object is
2035 * @start: points to the start of the offset array
2036 * @num_valid: the number of valid offsets in the offset array
2038 * Return: If @index is within the valid range of the offset array
2039 * described by @start and @num_valid, and if there's a valid
2040 * binder_buffer_object at the offset found in index @index
2041 * of the offset array, that object is returned. Otherwise,
2042 * %NULL is returned.
2043 * Note that the offset found in index @index itself is not
2044 * verified; this function assumes that @num_valid elements
2045 * from @start were previously verified to have valid offsets.
2047 static struct binder_buffer_object *binder_validate_ptr(struct binder_buffer *b,
2048 binder_size_t index,
2049 binder_size_t *start,
2050 binder_size_t num_valid)
2052 struct binder_buffer_object *buffer_obj;
2053 binder_size_t *offp;
2055 if (index >= num_valid)
2058 offp = start + index;
2059 buffer_obj = (struct binder_buffer_object *)(b->data + *offp);
2060 if (buffer_obj->hdr.type != BINDER_TYPE_PTR)
2067 * binder_validate_fixup() - validates pointer/fd fixups happen in order.
2068 * @b: transaction buffer
2069 * @objects_start start of objects buffer
2070 * @buffer: binder_buffer_object in which to fix up
2071 * @offset: start offset in @buffer to fix up
2072 * @last_obj: last binder_buffer_object that we fixed up in
2073 * @last_min_offset: minimum fixup offset in @last_obj
2075 * Return: %true if a fixup in buffer @buffer at offset @offset is
2078 * For safety reasons, we only allow fixups inside a buffer to happen
2079 * at increasing offsets; additionally, we only allow fixup on the last
2080 * buffer object that was verified, or one of its parents.
2082 * Example of what is allowed:
2085 * B (parent = A, offset = 0)
2086 * C (parent = A, offset = 16)
2087 * D (parent = C, offset = 0)
2088 * E (parent = A, offset = 32) // min_offset is 16 (C.parent_offset)
2090 * Examples of what is not allowed:
2092 * Decreasing offsets within the same parent:
2094 * C (parent = A, offset = 16)
2095 * B (parent = A, offset = 0) // decreasing offset within A
2097 * Referring to a parent that wasn't the last object or any of its parents:
2099 * B (parent = A, offset = 0)
2100 * C (parent = A, offset = 0)
2101 * C (parent = A, offset = 16)
2102 * D (parent = B, offset = 0) // B is not A or any of A's parents
2104 static bool binder_validate_fixup(struct binder_buffer *b,
2105 binder_size_t *objects_start,
2106 struct binder_buffer_object *buffer,
2107 binder_size_t fixup_offset,
2108 struct binder_buffer_object *last_obj,
2109 binder_size_t last_min_offset)
2112 /* Nothing to fix up in */
2116 while (last_obj != buffer) {
2118 * Safe to retrieve the parent of last_obj, since it
2119 * was already previously verified by the driver.
2121 if ((last_obj->flags & BINDER_BUFFER_FLAG_HAS_PARENT) == 0)
2123 last_min_offset = last_obj->parent_offset + sizeof(uintptr_t);
2124 last_obj = (struct binder_buffer_object *)
2125 (b->data + *(objects_start + last_obj->parent));
2127 return (fixup_offset >= last_min_offset);
2130 static void binder_transaction_buffer_release(struct binder_proc *proc,
2131 struct binder_buffer *buffer,
2132 binder_size_t *failed_at)
2134 binder_size_t *offp, *off_start, *off_end;
2135 int debug_id = buffer->debug_id;
2137 binder_debug(BINDER_DEBUG_TRANSACTION,
2138 "%d buffer release %d, size %zd-%zd, failed at %p\n",
2139 proc->pid, buffer->debug_id,
2140 buffer->data_size, buffer->offsets_size, failed_at);
2142 if (buffer->target_node)
2143 binder_dec_node(buffer->target_node, 1, 0);
2145 off_start = (binder_size_t *)(buffer->data +
2146 ALIGN(buffer->data_size, sizeof(void *)));
2148 off_end = failed_at;
2150 off_end = (void *)off_start + buffer->offsets_size;
2151 for (offp = off_start; offp < off_end; offp++) {
2152 struct binder_object_header *hdr;
2153 size_t object_size = binder_validate_object(buffer, *offp);
2155 if (object_size == 0) {
2156 pr_err("transaction release %d bad object at offset %lld, size %zd\n",
2157 debug_id, (u64)*offp, buffer->data_size);
2160 hdr = (struct binder_object_header *)(buffer->data + *offp);
2161 switch (hdr->type) {
2162 case BINDER_TYPE_BINDER:
2163 case BINDER_TYPE_WEAK_BINDER: {
2164 struct flat_binder_object *fp;
2165 struct binder_node *node;
2167 fp = to_flat_binder_object(hdr);
2168 node = binder_get_node(proc, fp->binder);
2170 pr_err("transaction release %d bad node %016llx\n",
2171 debug_id, (u64)fp->binder);
2174 binder_debug(BINDER_DEBUG_TRANSACTION,
2175 " node %d u%016llx\n",
2176 node->debug_id, (u64)node->ptr);
2177 binder_dec_node(node, hdr->type == BINDER_TYPE_BINDER,
2179 binder_put_node(node);
2181 case BINDER_TYPE_HANDLE:
2182 case BINDER_TYPE_WEAK_HANDLE: {
2183 struct flat_binder_object *fp;
2184 struct binder_ref_data rdata;
2187 fp = to_flat_binder_object(hdr);
2188 ret = binder_dec_ref_for_handle(proc, fp->handle,
2189 hdr->type == BINDER_TYPE_HANDLE, &rdata);
2192 pr_err("transaction release %d bad handle %d, ret = %d\n",
2193 debug_id, fp->handle, ret);
2196 binder_debug(BINDER_DEBUG_TRANSACTION,
2197 " ref %d desc %d\n",
2198 rdata.debug_id, rdata.desc);
2201 case BINDER_TYPE_FD: {
2202 struct binder_fd_object *fp = to_binder_fd_object(hdr);
2204 binder_debug(BINDER_DEBUG_TRANSACTION,
2205 " fd %d\n", fp->fd);
2207 task_close_fd(proc, fp->fd);
2209 case BINDER_TYPE_PTR:
2211 * Nothing to do here, this will get cleaned up when the
2212 * transaction buffer gets freed
2215 case BINDER_TYPE_FDA: {
2216 struct binder_fd_array_object *fda;
2217 struct binder_buffer_object *parent;
2218 uintptr_t parent_buffer;
2221 binder_size_t fd_buf_size;
2223 fda = to_binder_fd_array_object(hdr);
2224 parent = binder_validate_ptr(buffer, fda->parent,
2228 pr_err("transaction release %d bad parent offset\n",
2233 * Since the parent was already fixed up, convert it
2234 * back to kernel address space to access it
2236 parent_buffer = parent->buffer -
2237 binder_alloc_get_user_buffer_offset(
2240 fd_buf_size = sizeof(u32) * fda->num_fds;
2241 if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
2242 pr_err("transaction release %d invalid number of fds (%lld)\n",
2243 debug_id, (u64)fda->num_fds);
2246 if (fd_buf_size > parent->length ||
2247 fda->parent_offset > parent->length - fd_buf_size) {
2248 /* No space for all file descriptors here. */
2249 pr_err("transaction release %d not enough space for %lld fds in buffer\n",
2250 debug_id, (u64)fda->num_fds);
2253 fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset);
2254 for (fd_index = 0; fd_index < fda->num_fds; fd_index++)
2255 task_close_fd(proc, fd_array[fd_index]);
2258 pr_err("transaction release %d bad object type %x\n",
2259 debug_id, hdr->type);
2265 static int binder_translate_binder(struct flat_binder_object *fp,
2266 struct binder_transaction *t,
2267 struct binder_thread *thread)
2269 struct binder_node *node;
2270 struct binder_proc *proc = thread->proc;
2271 struct binder_proc *target_proc = t->to_proc;
2272 struct binder_ref_data rdata;
2275 node = binder_get_node(proc, fp->binder);
2277 node = binder_new_node(proc, fp);
2281 if (fp->cookie != node->cookie) {
2282 binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
2283 proc->pid, thread->pid, (u64)fp->binder,
2284 node->debug_id, (u64)fp->cookie,
2289 if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
2294 ret = binder_inc_ref_for_node(target_proc, node,
2295 fp->hdr.type == BINDER_TYPE_BINDER,
2296 &thread->todo, &rdata);
2300 if (fp->hdr.type == BINDER_TYPE_BINDER)
2301 fp->hdr.type = BINDER_TYPE_HANDLE;
2303 fp->hdr.type = BINDER_TYPE_WEAK_HANDLE;
2305 fp->handle = rdata.desc;
2308 trace_binder_transaction_node_to_ref(t, node, &rdata);
2309 binder_debug(BINDER_DEBUG_TRANSACTION,
2310 " node %d u%016llx -> ref %d desc %d\n",
2311 node->debug_id, (u64)node->ptr,
2312 rdata.debug_id, rdata.desc);
2314 binder_put_node(node);
2318 static int binder_translate_handle(struct flat_binder_object *fp,
2319 struct binder_transaction *t,
2320 struct binder_thread *thread)
2322 struct binder_proc *proc = thread->proc;
2323 struct binder_proc *target_proc = t->to_proc;
2324 struct binder_node *node;
2325 struct binder_ref_data src_rdata;
2328 node = binder_get_node_from_ref(proc, fp->handle,
2329 fp->hdr.type == BINDER_TYPE_HANDLE, &src_rdata);
2331 binder_user_error("%d:%d got transaction with invalid handle, %d\n",
2332 proc->pid, thread->pid, fp->handle);
2335 if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
2340 binder_node_lock(node);
2341 if (node->proc == target_proc) {
2342 if (fp->hdr.type == BINDER_TYPE_HANDLE)
2343 fp->hdr.type = BINDER_TYPE_BINDER;
2345 fp->hdr.type = BINDER_TYPE_WEAK_BINDER;
2346 fp->binder = node->ptr;
2347 fp->cookie = node->cookie;
2349 binder_inner_proc_lock(node->proc);
2350 binder_inc_node_nilocked(node,
2351 fp->hdr.type == BINDER_TYPE_BINDER,
2354 binder_inner_proc_unlock(node->proc);
2355 trace_binder_transaction_ref_to_node(t, node, &src_rdata);
2356 binder_debug(BINDER_DEBUG_TRANSACTION,
2357 " ref %d desc %d -> node %d u%016llx\n",
2358 src_rdata.debug_id, src_rdata.desc, node->debug_id,
2360 binder_node_unlock(node);
2362 struct binder_ref_data dest_rdata;
2364 binder_node_unlock(node);
2365 ret = binder_inc_ref_for_node(target_proc, node,
2366 fp->hdr.type == BINDER_TYPE_HANDLE,
2372 fp->handle = dest_rdata.desc;
2374 trace_binder_transaction_ref_to_ref(t, node, &src_rdata,
2376 binder_debug(BINDER_DEBUG_TRANSACTION,
2377 " ref %d desc %d -> ref %d desc %d (node %d)\n",
2378 src_rdata.debug_id, src_rdata.desc,
2379 dest_rdata.debug_id, dest_rdata.desc,
2383 binder_put_node(node);
2387 static int binder_translate_fd(int fd,
2388 struct binder_transaction *t,
2389 struct binder_thread *thread,
2390 struct binder_transaction *in_reply_to)
2392 struct binder_proc *proc = thread->proc;
2393 struct binder_proc *target_proc = t->to_proc;
2397 bool target_allows_fd;
2400 target_allows_fd = !!(in_reply_to->flags & TF_ACCEPT_FDS);
2402 target_allows_fd = t->buffer->target_node->accept_fds;
2403 if (!target_allows_fd) {
2404 binder_user_error("%d:%d got %s with fd, %d, but target does not allow fds\n",
2405 proc->pid, thread->pid,
2406 in_reply_to ? "reply" : "transaction",
2409 goto err_fd_not_accepted;
2414 binder_user_error("%d:%d got transaction with invalid fd, %d\n",
2415 proc->pid, thread->pid, fd);
2419 ret = security_binder_transfer_file(proc->tsk, target_proc->tsk, file);
2425 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC);
2426 if (target_fd < 0) {
2428 goto err_get_unused_fd;
2430 task_fd_install(target_proc, target_fd, file);
2431 trace_binder_transaction_fd(t, fd, target_fd);
2432 binder_debug(BINDER_DEBUG_TRANSACTION, " fd %d -> %d\n",
2441 err_fd_not_accepted:
2445 static int binder_translate_fd_array(struct binder_fd_array_object *fda,
2446 struct binder_buffer_object *parent,
2447 struct binder_transaction *t,
2448 struct binder_thread *thread,
2449 struct binder_transaction *in_reply_to)
2451 binder_size_t fdi, fd_buf_size, num_installed_fds;
2453 uintptr_t parent_buffer;
2455 struct binder_proc *proc = thread->proc;
2456 struct binder_proc *target_proc = t->to_proc;
2458 fd_buf_size = sizeof(u32) * fda->num_fds;
2459 if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
2460 binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
2461 proc->pid, thread->pid, (u64)fda->num_fds);
2464 if (fd_buf_size > parent->length ||
2465 fda->parent_offset > parent->length - fd_buf_size) {
2466 /* No space for all file descriptors here. */
2467 binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
2468 proc->pid, thread->pid, (u64)fda->num_fds);
2472 * Since the parent was already fixed up, convert it
2473 * back to the kernel address space to access it
2475 parent_buffer = parent->buffer -
2476 binder_alloc_get_user_buffer_offset(&target_proc->alloc);
2477 fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset);
2478 if (!IS_ALIGNED((unsigned long)fd_array, sizeof(u32))) {
2479 binder_user_error("%d:%d parent offset not aligned correctly.\n",
2480 proc->pid, thread->pid);
2483 for (fdi = 0; fdi < fda->num_fds; fdi++) {
2484 target_fd = binder_translate_fd(fd_array[fdi], t, thread,
2487 goto err_translate_fd_failed;
2488 fd_array[fdi] = target_fd;
2492 err_translate_fd_failed:
2494 * Failed to allocate fd or security error, free fds
2497 num_installed_fds = fdi;
2498 for (fdi = 0; fdi < num_installed_fds; fdi++)
2499 task_close_fd(target_proc, fd_array[fdi]);
2503 static int binder_fixup_parent(struct binder_transaction *t,
2504 struct binder_thread *thread,
2505 struct binder_buffer_object *bp,
2506 binder_size_t *off_start,
2507 binder_size_t num_valid,
2508 struct binder_buffer_object *last_fixup_obj,
2509 binder_size_t last_fixup_min_off)
2511 struct binder_buffer_object *parent;
2513 struct binder_buffer *b = t->buffer;
2514 struct binder_proc *proc = thread->proc;
2515 struct binder_proc *target_proc = t->to_proc;
2517 if (!(bp->flags & BINDER_BUFFER_FLAG_HAS_PARENT))
2520 parent = binder_validate_ptr(b, bp->parent, off_start, num_valid);
2522 binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
2523 proc->pid, thread->pid);
2527 if (!binder_validate_fixup(b, off_start,
2528 parent, bp->parent_offset,
2530 last_fixup_min_off)) {
2531 binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
2532 proc->pid, thread->pid);
2536 if (parent->length < sizeof(binder_uintptr_t) ||
2537 bp->parent_offset > parent->length - sizeof(binder_uintptr_t)) {
2538 /* No space for a pointer here! */
2539 binder_user_error("%d:%d got transaction with invalid parent offset\n",
2540 proc->pid, thread->pid);
2543 parent_buffer = (u8 *)((uintptr_t)parent->buffer -
2544 binder_alloc_get_user_buffer_offset(
2545 &target_proc->alloc));
2546 *(binder_uintptr_t *)(parent_buffer + bp->parent_offset) = bp->buffer;
2552 * binder_proc_transaction() - sends a transaction to a process and wakes it up
2553 * @t: transaction to send
2554 * @proc: process to send the transaction to
2555 * @thread: thread in @proc to send the transaction to (may be NULL)
2557 * This function queues a transaction to the specified process. It will try
2558 * to find a thread in the target process to handle the transaction and
2559 * wake it up. If no thread is found, the work is queued to the proc
2562 * If the @thread parameter is not NULL, the transaction is always queued
2563 * to the waitlist of that specific thread.
2565 * Return: true if the transactions was successfully queued
2566 * false if the target process or thread is dead
2568 static bool binder_proc_transaction(struct binder_transaction *t,
2569 struct binder_proc *proc,
2570 struct binder_thread *thread)
2572 struct list_head *target_list = NULL;
2573 struct binder_node *node = t->buffer->target_node;
2574 bool oneway = !!(t->flags & TF_ONE_WAY);
2578 binder_node_lock(node);
2581 if (node->has_async_transaction) {
2582 target_list = &node->async_todo;
2585 node->has_async_transaction = 1;
2589 binder_inner_proc_lock(proc);
2591 if (proc->is_dead || (thread && thread->is_dead)) {
2592 binder_inner_proc_unlock(proc);
2593 binder_node_unlock(node);
2597 if (!thread && !target_list)
2598 thread = binder_select_thread_ilocked(proc);
2601 target_list = &thread->todo;
2602 else if (!target_list)
2603 target_list = &proc->todo;
2605 BUG_ON(target_list != &node->async_todo);
2607 binder_enqueue_work_ilocked(&t->work, target_list);
2610 binder_wakeup_thread_ilocked(proc, thread, !oneway /* sync */);
2612 binder_inner_proc_unlock(proc);
2613 binder_node_unlock(node);
2619 * binder_get_node_refs_for_txn() - Get required refs on node for txn
2620 * @node: struct binder_node for which to get refs
2621 * @proc: returns @node->proc if valid
2622 * @error: if no @proc then returns BR_DEAD_REPLY
2624 * User-space normally keeps the node alive when creating a transaction
2625 * since it has a reference to the target. The local strong ref keeps it
2626 * alive if the sending process dies before the target process processes
2627 * the transaction. If the source process is malicious or has a reference
2628 * counting bug, relying on the local strong ref can fail.
2630 * Since user-space can cause the local strong ref to go away, we also take
2631 * a tmpref on the node to ensure it survives while we are constructing
2632 * the transaction. We also need a tmpref on the proc while we are
2633 * constructing the transaction, so we take that here as well.
2635 * Return: The target_node with refs taken or NULL if no @node->proc is NULL.
2636 * Also sets @proc if valid. If the @node->proc is NULL indicating that the
2637 * target proc has died, @error is set to BR_DEAD_REPLY
2639 static struct binder_node *binder_get_node_refs_for_txn(
2640 struct binder_node *node,
2641 struct binder_proc **procp,
2644 struct binder_node *target_node = NULL;
2646 binder_node_inner_lock(node);
2649 binder_inc_node_nilocked(node, 1, 0, NULL);
2650 binder_inc_node_tmpref_ilocked(node);
2651 node->proc->tmp_ref++;
2652 *procp = node->proc;
2654 *error = BR_DEAD_REPLY;
2655 binder_node_inner_unlock(node);
2660 static void binder_transaction(struct binder_proc *proc,
2661 struct binder_thread *thread,
2662 struct binder_transaction_data *tr, int reply,
2663 binder_size_t extra_buffers_size)
2666 struct binder_transaction *t;
2667 struct binder_work *tcomplete;
2668 binder_size_t *offp, *off_end, *off_start;
2669 binder_size_t off_min;
2670 u8 *sg_bufp, *sg_buf_end;
2671 struct binder_proc *target_proc = NULL;
2672 struct binder_thread *target_thread = NULL;
2673 struct binder_node *target_node = NULL;
2674 struct binder_transaction *in_reply_to = NULL;
2675 struct binder_transaction_log_entry *e;
2676 uint32_t return_error = 0;
2677 uint32_t return_error_param = 0;
2678 uint32_t return_error_line = 0;
2679 struct binder_buffer_object *last_fixup_obj = NULL;
2680 binder_size_t last_fixup_min_off = 0;
2681 struct binder_context *context = proc->context;
2682 int t_debug_id = atomic_inc_return(&binder_last_id);
2684 e = binder_transaction_log_add(&binder_transaction_log);
2685 e->debug_id = t_debug_id;
2686 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
2687 e->from_proc = proc->pid;
2688 e->from_thread = thread->pid;
2689 e->target_handle = tr->target.handle;
2690 e->data_size = tr->data_size;
2691 e->offsets_size = tr->offsets_size;
2692 e->context_name = proc->context->name;
2695 binder_inner_proc_lock(proc);
2696 in_reply_to = thread->transaction_stack;
2697 if (in_reply_to == NULL) {
2698 binder_inner_proc_unlock(proc);
2699 binder_user_error("%d:%d got reply transaction with no transaction stack\n",
2700 proc->pid, thread->pid);
2701 return_error = BR_FAILED_REPLY;
2702 return_error_param = -EPROTO;
2703 return_error_line = __LINE__;
2704 goto err_empty_call_stack;
2706 if (in_reply_to->to_thread != thread) {
2707 spin_lock(&in_reply_to->lock);
2708 binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
2709 proc->pid, thread->pid, in_reply_to->debug_id,
2710 in_reply_to->to_proc ?
2711 in_reply_to->to_proc->pid : 0,
2712 in_reply_to->to_thread ?
2713 in_reply_to->to_thread->pid : 0);
2714 spin_unlock(&in_reply_to->lock);
2715 binder_inner_proc_unlock(proc);
2716 return_error = BR_FAILED_REPLY;
2717 return_error_param = -EPROTO;
2718 return_error_line = __LINE__;
2720 goto err_bad_call_stack;
2722 thread->transaction_stack = in_reply_to->to_parent;
2723 binder_inner_proc_unlock(proc);
2724 binder_set_nice(in_reply_to->saved_priority);
2725 target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
2726 if (target_thread == NULL) {
2727 return_error = BR_DEAD_REPLY;
2728 return_error_line = __LINE__;
2729 goto err_dead_binder;
2731 if (target_thread->transaction_stack != in_reply_to) {
2732 binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
2733 proc->pid, thread->pid,
2734 target_thread->transaction_stack ?
2735 target_thread->transaction_stack->debug_id : 0,
2736 in_reply_to->debug_id);
2737 binder_inner_proc_unlock(target_thread->proc);
2738 return_error = BR_FAILED_REPLY;
2739 return_error_param = -EPROTO;
2740 return_error_line = __LINE__;
2742 target_thread = NULL;
2743 goto err_dead_binder;
2745 target_proc = target_thread->proc;
2746 target_proc->tmp_ref++;
2747 binder_inner_proc_unlock(target_thread->proc);
2749 if (tr->target.handle) {
2750 struct binder_ref *ref;
2753 * There must already be a strong ref
2754 * on this node. If so, do a strong
2755 * increment on the node to ensure it
2756 * stays alive until the transaction is
2759 binder_proc_lock(proc);
2760 ref = binder_get_ref_olocked(proc, tr->target.handle,
2763 target_node = binder_get_node_refs_for_txn(
2764 ref->node, &target_proc,
2767 binder_user_error("%d:%d got transaction to invalid handle\n",
2768 proc->pid, thread->pid);
2769 return_error = BR_FAILED_REPLY;
2771 binder_proc_unlock(proc);
2773 mutex_lock(&context->context_mgr_node_lock);
2774 target_node = context->binder_context_mgr_node;
2776 target_node = binder_get_node_refs_for_txn(
2777 target_node, &target_proc,
2780 return_error = BR_DEAD_REPLY;
2781 mutex_unlock(&context->context_mgr_node_lock);
2785 * return_error is set above
2787 return_error_param = -EINVAL;
2788 return_error_line = __LINE__;
2789 goto err_dead_binder;
2791 e->to_node = target_node->debug_id;
2792 if (security_binder_transaction(proc->tsk,
2793 target_proc->tsk) < 0) {
2794 return_error = BR_FAILED_REPLY;
2795 return_error_param = -EPERM;
2796 return_error_line = __LINE__;
2797 goto err_invalid_target_handle;
2799 binder_inner_proc_lock(proc);
2800 if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
2801 struct binder_transaction *tmp;
2803 tmp = thread->transaction_stack;
2804 if (tmp->to_thread != thread) {
2805 spin_lock(&tmp->lock);
2806 binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
2807 proc->pid, thread->pid, tmp->debug_id,
2808 tmp->to_proc ? tmp->to_proc->pid : 0,
2810 tmp->to_thread->pid : 0);
2811 spin_unlock(&tmp->lock);
2812 binder_inner_proc_unlock(proc);
2813 return_error = BR_FAILED_REPLY;
2814 return_error_param = -EPROTO;
2815 return_error_line = __LINE__;
2816 goto err_bad_call_stack;
2819 struct binder_thread *from;
2821 spin_lock(&tmp->lock);
2823 if (from && from->proc == target_proc) {
2824 atomic_inc(&from->tmp_ref);
2825 target_thread = from;
2826 spin_unlock(&tmp->lock);
2829 spin_unlock(&tmp->lock);
2830 tmp = tmp->from_parent;
2833 binder_inner_proc_unlock(proc);
2836 e->to_thread = target_thread->pid;
2837 e->to_proc = target_proc->pid;
2839 /* TODO: reuse incoming transaction for reply */
2840 t = kzalloc(sizeof(*t), GFP_KERNEL);
2842 return_error = BR_FAILED_REPLY;
2843 return_error_param = -ENOMEM;
2844 return_error_line = __LINE__;
2845 goto err_alloc_t_failed;
2847 binder_stats_created(BINDER_STAT_TRANSACTION);
2848 spin_lock_init(&t->lock);
2850 tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
2851 if (tcomplete == NULL) {
2852 return_error = BR_FAILED_REPLY;
2853 return_error_param = -ENOMEM;
2854 return_error_line = __LINE__;
2855 goto err_alloc_tcomplete_failed;
2857 binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);
2859 t->debug_id = t_debug_id;
2862 binder_debug(BINDER_DEBUG_TRANSACTION,
2863 "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
2864 proc->pid, thread->pid, t->debug_id,
2865 target_proc->pid, target_thread->pid,
2866 (u64)tr->data.ptr.buffer,
2867 (u64)tr->data.ptr.offsets,
2868 (u64)tr->data_size, (u64)tr->offsets_size,
2869 (u64)extra_buffers_size);
2871 binder_debug(BINDER_DEBUG_TRANSACTION,
2872 "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
2873 proc->pid, thread->pid, t->debug_id,
2874 target_proc->pid, target_node->debug_id,
2875 (u64)tr->data.ptr.buffer,
2876 (u64)tr->data.ptr.offsets,
2877 (u64)tr->data_size, (u64)tr->offsets_size,
2878 (u64)extra_buffers_size);
2880 if (!reply && !(tr->flags & TF_ONE_WAY))
2884 t->sender_euid = task_euid(proc->tsk);
2885 t->to_proc = target_proc;
2886 t->to_thread = target_thread;
2888 t->flags = tr->flags;
2889 t->priority = task_nice(current);
2891 trace_binder_transaction(reply, t, target_node);
2893 t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
2894 tr->offsets_size, extra_buffers_size,
2895 !reply && (t->flags & TF_ONE_WAY));
2896 if (IS_ERR(t->buffer)) {
2898 * -ESRCH indicates VMA cleared. The target is dying.
2900 return_error_param = PTR_ERR(t->buffer);
2901 return_error = return_error_param == -ESRCH ?
2902 BR_DEAD_REPLY : BR_FAILED_REPLY;
2903 return_error_line = __LINE__;
2905 goto err_binder_alloc_buf_failed;
2907 t->buffer->allow_user_free = 0;
2908 t->buffer->debug_id = t->debug_id;
2909 t->buffer->transaction = t;
2910 t->buffer->target_node = target_node;
2911 trace_binder_transaction_alloc_buf(t->buffer);
2912 off_start = (binder_size_t *)(t->buffer->data +
2913 ALIGN(tr->data_size, sizeof(void *)));
2916 if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t)
2917 tr->data.ptr.buffer, tr->data_size)) {
2918 binder_user_error("%d:%d got transaction with invalid data ptr\n",
2919 proc->pid, thread->pid);
2920 return_error = BR_FAILED_REPLY;
2921 return_error_param = -EFAULT;
2922 return_error_line = __LINE__;
2923 goto err_copy_data_failed;
2925 if (copy_from_user(offp, (const void __user *)(uintptr_t)
2926 tr->data.ptr.offsets, tr->offsets_size)) {
2927 binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
2928 proc->pid, thread->pid);
2929 return_error = BR_FAILED_REPLY;
2930 return_error_param = -EFAULT;
2931 return_error_line = __LINE__;
2932 goto err_copy_data_failed;
2934 if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
2935 binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
2936 proc->pid, thread->pid, (u64)tr->offsets_size);
2937 return_error = BR_FAILED_REPLY;
2938 return_error_param = -EINVAL;
2939 return_error_line = __LINE__;
2940 goto err_bad_offset;
2942 if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
2943 binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
2944 proc->pid, thread->pid,
2945 (u64)extra_buffers_size);
2946 return_error = BR_FAILED_REPLY;
2947 return_error_param = -EINVAL;
2948 return_error_line = __LINE__;
2949 goto err_bad_offset;
2951 off_end = (void *)off_start + tr->offsets_size;
2952 sg_bufp = (u8 *)(PTR_ALIGN(off_end, sizeof(void *)));
2953 sg_buf_end = sg_bufp + extra_buffers_size;
2955 for (; offp < off_end; offp++) {
2956 struct binder_object_header *hdr;
2957 size_t object_size = binder_validate_object(t->buffer, *offp);
2959 if (object_size == 0 || *offp < off_min) {
2960 binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
2961 proc->pid, thread->pid, (u64)*offp,
2963 (u64)t->buffer->data_size);
2964 return_error = BR_FAILED_REPLY;
2965 return_error_param = -EINVAL;
2966 return_error_line = __LINE__;
2967 goto err_bad_offset;
2970 hdr = (struct binder_object_header *)(t->buffer->data + *offp);
2971 off_min = *offp + object_size;
2972 switch (hdr->type) {
2973 case BINDER_TYPE_BINDER:
2974 case BINDER_TYPE_WEAK_BINDER: {
2975 struct flat_binder_object *fp;
2977 fp = to_flat_binder_object(hdr);
2978 ret = binder_translate_binder(fp, t, thread);
2980 return_error = BR_FAILED_REPLY;
2981 return_error_param = ret;
2982 return_error_line = __LINE__;
2983 goto err_translate_failed;
2986 case BINDER_TYPE_HANDLE:
2987 case BINDER_TYPE_WEAK_HANDLE: {
2988 struct flat_binder_object *fp;
2990 fp = to_flat_binder_object(hdr);
2991 ret = binder_translate_handle(fp, t, thread);
2993 return_error = BR_FAILED_REPLY;
2994 return_error_param = ret;
2995 return_error_line = __LINE__;
2996 goto err_translate_failed;
3000 case BINDER_TYPE_FD: {
3001 struct binder_fd_object *fp = to_binder_fd_object(hdr);
3002 int target_fd = binder_translate_fd(fp->fd, t, thread,
3005 if (target_fd < 0) {
3006 return_error = BR_FAILED_REPLY;
3007 return_error_param = target_fd;
3008 return_error_line = __LINE__;
3009 goto err_translate_failed;
3014 case BINDER_TYPE_FDA: {
3015 struct binder_fd_array_object *fda =
3016 to_binder_fd_array_object(hdr);
3017 struct binder_buffer_object *parent =
3018 binder_validate_ptr(t->buffer, fda->parent,
3022 binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
3023 proc->pid, thread->pid);
3024 return_error = BR_FAILED_REPLY;
3025 return_error_param = -EINVAL;
3026 return_error_line = __LINE__;
3027 goto err_bad_parent;
3029 if (!binder_validate_fixup(t->buffer, off_start,
3030 parent, fda->parent_offset,
3032 last_fixup_min_off)) {
3033 binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
3034 proc->pid, thread->pid);
3035 return_error = BR_FAILED_REPLY;
3036 return_error_param = -EINVAL;
3037 return_error_line = __LINE__;
3038 goto err_bad_parent;
3040 ret = binder_translate_fd_array(fda, parent, t, thread,
3043 return_error = BR_FAILED_REPLY;
3044 return_error_param = ret;
3045 return_error_line = __LINE__;
3046 goto err_translate_failed;
3048 last_fixup_obj = parent;
3049 last_fixup_min_off =
3050 fda->parent_offset + sizeof(u32) * fda->num_fds;
3052 case BINDER_TYPE_PTR: {
3053 struct binder_buffer_object *bp =
3054 to_binder_buffer_object(hdr);
3055 size_t buf_left = sg_buf_end - sg_bufp;
3057 if (bp->length > buf_left) {
3058 binder_user_error("%d:%d got transaction with too large buffer\n",
3059 proc->pid, thread->pid);
3060 return_error = BR_FAILED_REPLY;
3061 return_error_param = -EINVAL;
3062 return_error_line = __LINE__;
3063 goto err_bad_offset;
3065 if (copy_from_user(sg_bufp,
3066 (const void __user *)(uintptr_t)
3067 bp->buffer, bp->length)) {
3068 binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
3069 proc->pid, thread->pid);
3070 return_error_param = -EFAULT;
3071 return_error = BR_FAILED_REPLY;
3072 return_error_line = __LINE__;
3073 goto err_copy_data_failed;
3075 /* Fixup buffer pointer to target proc address space */
3076 bp->buffer = (uintptr_t)sg_bufp +
3077 binder_alloc_get_user_buffer_offset(
3078 &target_proc->alloc);
3079 sg_bufp += ALIGN(bp->length, sizeof(u64));
3081 ret = binder_fixup_parent(t, thread, bp, off_start,
3084 last_fixup_min_off);
3086 return_error = BR_FAILED_REPLY;
3087 return_error_param = ret;
3088 return_error_line = __LINE__;
3089 goto err_translate_failed;
3091 last_fixup_obj = bp;
3092 last_fixup_min_off = 0;
3095 binder_user_error("%d:%d got transaction with invalid object type, %x\n",
3096 proc->pid, thread->pid, hdr->type);
3097 return_error = BR_FAILED_REPLY;
3098 return_error_param = -EINVAL;
3099 return_error_line = __LINE__;
3100 goto err_bad_object_type;
3103 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
3104 binder_enqueue_work(proc, tcomplete, &thread->todo);
3105 t->work.type = BINDER_WORK_TRANSACTION;
3108 binder_inner_proc_lock(target_proc);
3109 if (target_thread->is_dead) {
3110 binder_inner_proc_unlock(target_proc);
3111 goto err_dead_proc_or_thread;
3113 BUG_ON(t->buffer->async_transaction != 0);
3114 binder_pop_transaction_ilocked(target_thread, in_reply_to);
3115 binder_enqueue_work_ilocked(&t->work, &target_thread->todo);
3116 binder_inner_proc_unlock(target_proc);
3117 wake_up_interruptible_sync(&target_thread->wait);
3118 binder_free_transaction(in_reply_to);
3119 } else if (!(t->flags & TF_ONE_WAY)) {
3120 BUG_ON(t->buffer->async_transaction != 0);
3121 binder_inner_proc_lock(proc);
3123 t->from_parent = thread->transaction_stack;
3124 thread->transaction_stack = t;
3125 binder_inner_proc_unlock(proc);
3126 if (!binder_proc_transaction(t, target_proc, target_thread)) {
3127 binder_inner_proc_lock(proc);
3128 binder_pop_transaction_ilocked(thread, t);
3129 binder_inner_proc_unlock(proc);
3130 goto err_dead_proc_or_thread;
3133 BUG_ON(target_node == NULL);
3134 BUG_ON(t->buffer->async_transaction != 1);
3135 if (!binder_proc_transaction(t, target_proc, NULL))
3136 goto err_dead_proc_or_thread;
3139 binder_thread_dec_tmpref(target_thread);
3140 binder_proc_dec_tmpref(target_proc);
3142 binder_dec_node_tmpref(target_node);
3144 * write barrier to synchronize with initialization
3148 WRITE_ONCE(e->debug_id_done, t_debug_id);
3151 err_dead_proc_or_thread:
3152 return_error = BR_DEAD_REPLY;
3153 return_error_line = __LINE__;
3154 binder_dequeue_work(proc, tcomplete);
3155 err_translate_failed:
3156 err_bad_object_type:
3159 err_copy_data_failed:
3160 trace_binder_transaction_failed_buffer_release(t->buffer);
3161 binder_transaction_buffer_release(target_proc, t->buffer, offp);
3163 binder_dec_node_tmpref(target_node);
3165 t->buffer->transaction = NULL;
3166 binder_alloc_free_buf(&target_proc->alloc, t->buffer);
3167 err_binder_alloc_buf_failed:
3169 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
3170 err_alloc_tcomplete_failed:
3172 binder_stats_deleted(BINDER_STAT_TRANSACTION);
3175 err_empty_call_stack:
3177 err_invalid_target_handle:
3179 binder_thread_dec_tmpref(target_thread);
3181 binder_proc_dec_tmpref(target_proc);
3183 binder_dec_node(target_node, 1, 0);
3184 binder_dec_node_tmpref(target_node);
3187 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
3188 "%d:%d transaction failed %d/%d, size %lld-%lld line %d\n",
3189 proc->pid, thread->pid, return_error, return_error_param,
3190 (u64)tr->data_size, (u64)tr->offsets_size,
3194 struct binder_transaction_log_entry *fe;
3196 e->return_error = return_error;
3197 e->return_error_param = return_error_param;
3198 e->return_error_line = return_error_line;
3199 fe = binder_transaction_log_add(&binder_transaction_log_failed);
3202 * write barrier to synchronize with initialization
3206 WRITE_ONCE(e->debug_id_done, t_debug_id);
3207 WRITE_ONCE(fe->debug_id_done, t_debug_id);
3210 BUG_ON(thread->return_error.cmd != BR_OK);
3212 thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
3213 binder_enqueue_work(thread->proc,
3214 &thread->return_error.work,
3216 binder_send_failed_reply(in_reply_to, return_error);
3218 thread->return_error.cmd = return_error;
3219 binder_enqueue_work(thread->proc,
3220 &thread->return_error.work,
3225 static int binder_thread_write(struct binder_proc *proc,
3226 struct binder_thread *thread,
3227 binder_uintptr_t binder_buffer, size_t size,
3228 binder_size_t *consumed)
3231 struct binder_context *context = proc->context;
3232 void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
3233 void __user *ptr = buffer + *consumed;
3234 void __user *end = buffer + size;
3236 while (ptr < end && thread->return_error.cmd == BR_OK) {
3239 if (get_user(cmd, (uint32_t __user *)ptr))
3241 ptr += sizeof(uint32_t);
3242 trace_binder_command(cmd);
3243 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {
3244 atomic_inc(&binder_stats.bc[_IOC_NR(cmd)]);
3245 atomic_inc(&proc->stats.bc[_IOC_NR(cmd)]);
3246 atomic_inc(&thread->stats.bc[_IOC_NR(cmd)]);
3254 const char *debug_string;
3255 bool strong = cmd == BC_ACQUIRE || cmd == BC_RELEASE;
3256 bool increment = cmd == BC_INCREFS || cmd == BC_ACQUIRE;
3257 struct binder_ref_data rdata;
3259 if (get_user(target, (uint32_t __user *)ptr))
3262 ptr += sizeof(uint32_t);
3264 if (increment && !target) {
3265 struct binder_node *ctx_mgr_node;
3266 mutex_lock(&context->context_mgr_node_lock);
3267 ctx_mgr_node = context->binder_context_mgr_node;
3269 ret = binder_inc_ref_for_node(
3271 strong, NULL, &rdata);
3272 mutex_unlock(&context->context_mgr_node_lock);
3275 ret = binder_update_ref_for_handle(
3276 proc, target, increment, strong,
3278 if (!ret && rdata.desc != target) {
3279 binder_user_error("%d:%d tried to acquire reference to desc %d, got %d instead\n",
3280 proc->pid, thread->pid,
3281 target, rdata.desc);
3285 debug_string = "IncRefs";
3288 debug_string = "Acquire";
3291 debug_string = "Release";
3295 debug_string = "DecRefs";
3299 binder_user_error("%d:%d %s %d refcount change on invalid ref %d ret %d\n",
3300 proc->pid, thread->pid, debug_string,
3301 strong, target, ret);
3304 binder_debug(BINDER_DEBUG_USER_REFS,
3305 "%d:%d %s ref %d desc %d s %d w %d\n",
3306 proc->pid, thread->pid, debug_string,
3307 rdata.debug_id, rdata.desc, rdata.strong,
3311 case BC_INCREFS_DONE:
3312 case BC_ACQUIRE_DONE: {
3313 binder_uintptr_t node_ptr;
3314 binder_uintptr_t cookie;
3315 struct binder_node *node;
3318 if (get_user(node_ptr, (binder_uintptr_t __user *)ptr))
3320 ptr += sizeof(binder_uintptr_t);
3321 if (get_user(cookie, (binder_uintptr_t __user *)ptr))
3323 ptr += sizeof(binder_uintptr_t);
3324 node = binder_get_node(proc, node_ptr);
3326 binder_user_error("%d:%d %s u%016llx no match\n",
3327 proc->pid, thread->pid,
3328 cmd == BC_INCREFS_DONE ?
3334 if (cookie != node->cookie) {
3335 binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n",
3336 proc->pid, thread->pid,
3337 cmd == BC_INCREFS_DONE ?
3338 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
3339 (u64)node_ptr, node->debug_id,
3340 (u64)cookie, (u64)node->cookie);
3341 binder_put_node(node);
3344 binder_node_inner_lock(node);
3345 if (cmd == BC_ACQUIRE_DONE) {
3346 if (node->pending_strong_ref == 0) {
3347 binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire request\n",
3348 proc->pid, thread->pid,
3350 binder_node_inner_unlock(node);
3351 binder_put_node(node);
3354 node->pending_strong_ref = 0;
3356 if (node->pending_weak_ref == 0) {
3357 binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs request\n",
3358 proc->pid, thread->pid,
3360 binder_node_inner_unlock(node);
3361 binder_put_node(node);
3364 node->pending_weak_ref = 0;
3366 free_node = binder_dec_node_nilocked(node,
3367 cmd == BC_ACQUIRE_DONE, 0);
3369 binder_debug(BINDER_DEBUG_USER_REFS,
3370 "%d:%d %s node %d ls %d lw %d tr %d\n",
3371 proc->pid, thread->pid,
3372 cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
3373 node->debug_id, node->local_strong_refs,
3374 node->local_weak_refs, node->tmp_refs);
3375 binder_node_inner_unlock(node);
3376 binder_put_node(node);
3379 case BC_ATTEMPT_ACQUIRE:
3380 pr_err("BC_ATTEMPT_ACQUIRE not supported\n");
3382 case BC_ACQUIRE_RESULT:
3383 pr_err("BC_ACQUIRE_RESULT not supported\n");
3386 case BC_FREE_BUFFER: {
3387 binder_uintptr_t data_ptr;
3388 struct binder_buffer *buffer;
3390 if (get_user(data_ptr, (binder_uintptr_t __user *)ptr))
3392 ptr += sizeof(binder_uintptr_t);
3394 buffer = binder_alloc_prepare_to_free(&proc->alloc,
3396 if (buffer == NULL) {
3397 binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
3398 proc->pid, thread->pid, (u64)data_ptr);
3401 if (!buffer->allow_user_free) {
3402 binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n",
3403 proc->pid, thread->pid, (u64)data_ptr);
3406 binder_debug(BINDER_DEBUG_FREE_BUFFER,
3407 "%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n",
3408 proc->pid, thread->pid, (u64)data_ptr,
3410 buffer->transaction ? "active" : "finished");
3412 if (buffer->transaction) {
3413 buffer->transaction->buffer = NULL;
3414 buffer->transaction = NULL;
3416 if (buffer->async_transaction && buffer->target_node) {
3417 struct binder_node *buf_node;
3418 struct binder_work *w;
3420 buf_node = buffer->target_node;
3421 binder_node_inner_lock(buf_node);
3422 BUG_ON(!buf_node->has_async_transaction);
3423 BUG_ON(buf_node->proc != proc);
3424 w = binder_dequeue_work_head_ilocked(
3425 &buf_node->async_todo);
3427 buf_node->has_async_transaction = 0;
3429 binder_enqueue_work_ilocked(
3431 binder_wakeup_proc_ilocked(proc);
3433 binder_node_inner_unlock(buf_node);
3435 trace_binder_transaction_buffer_release(buffer);
3436 binder_transaction_buffer_release(proc, buffer, NULL);
3437 binder_alloc_free_buf(&proc->alloc, buffer);
3441 case BC_TRANSACTION_SG:
3443 struct binder_transaction_data_sg tr;
3445 if (copy_from_user(&tr, ptr, sizeof(tr)))
3448 binder_transaction(proc, thread, &tr.transaction_data,
3449 cmd == BC_REPLY_SG, tr.buffers_size);
3452 case BC_TRANSACTION:
3454 struct binder_transaction_data tr;
3456 if (copy_from_user(&tr, ptr, sizeof(tr)))
3459 binder_transaction(proc, thread, &tr,
3460 cmd == BC_REPLY, 0);
3464 case BC_REGISTER_LOOPER:
3465 binder_debug(BINDER_DEBUG_THREADS,
3466 "%d:%d BC_REGISTER_LOOPER\n",
3467 proc->pid, thread->pid);
3468 binder_inner_proc_lock(proc);
3469 if (thread->looper & BINDER_LOOPER_STATE_ENTERED) {
3470 thread->looper |= BINDER_LOOPER_STATE_INVALID;
3471 binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n",
3472 proc->pid, thread->pid);
3473 } else if (proc->requested_threads == 0) {
3474 thread->looper |= BINDER_LOOPER_STATE_INVALID;
3475 binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called without request\n",
3476 proc->pid, thread->pid);
3478 proc->requested_threads--;
3479 proc->requested_threads_started++;
3481 thread->looper |= BINDER_LOOPER_STATE_REGISTERED;
3482 binder_inner_proc_unlock(proc);
3484 case BC_ENTER_LOOPER:
3485 binder_debug(BINDER_DEBUG_THREADS,
3486 "%d:%d BC_ENTER_LOOPER\n",
3487 proc->pid, thread->pid);
3488 if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {
3489 thread->looper |= BINDER_LOOPER_STATE_INVALID;
3490 binder_user_error("%d:%d ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n",
3491 proc->pid, thread->pid);
3493 thread->looper |= BINDER_LOOPER_STATE_ENTERED;
3495 case BC_EXIT_LOOPER:
3496 binder_debug(BINDER_DEBUG_THREADS,
3497 "%d:%d BC_EXIT_LOOPER\n",
3498 proc->pid, thread->pid);
3499 thread->looper |= BINDER_LOOPER_STATE_EXITED;
3502 case BC_REQUEST_DEATH_NOTIFICATION:
3503 case BC_CLEAR_DEATH_NOTIFICATION: {
3505 binder_uintptr_t cookie;
3506 struct binder_ref *ref;
3507 struct binder_ref_death *death = NULL;
3509 if (get_user(target, (uint32_t __user *)ptr))
3511 ptr += sizeof(uint32_t);
3512 if (get_user(cookie, (binder_uintptr_t __user *)ptr))
3514 ptr += sizeof(binder_uintptr_t);
3515 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
3517 * Allocate memory for death notification
3518 * before taking lock
3520 death = kzalloc(sizeof(*death), GFP_KERNEL);
3521 if (death == NULL) {
3522 WARN_ON(thread->return_error.cmd !=
3524 thread->return_error.cmd = BR_ERROR;
3525 binder_enqueue_work(
3527 &thread->return_error.work,
3530 BINDER_DEBUG_FAILED_TRANSACTION,
3531 "%d:%d BC_REQUEST_DEATH_NOTIFICATION failed\n",
3532 proc->pid, thread->pid);
3536 binder_proc_lock(proc);
3537 ref = binder_get_ref_olocked(proc, target, false);
3539 binder_user_error("%d:%d %s invalid ref %d\n",
3540 proc->pid, thread->pid,
3541 cmd == BC_REQUEST_DEATH_NOTIFICATION ?
3542 "BC_REQUEST_DEATH_NOTIFICATION" :
3543 "BC_CLEAR_DEATH_NOTIFICATION",
3545 binder_proc_unlock(proc);
3550 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
3551 "%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n",
3552 proc->pid, thread->pid,
3553 cmd == BC_REQUEST_DEATH_NOTIFICATION ?
3554 "BC_REQUEST_DEATH_NOTIFICATION" :
3555 "BC_CLEAR_DEATH_NOTIFICATION",
3556 (u64)cookie, ref->data.debug_id,
3557 ref->data.desc, ref->data.strong,
3558 ref->data.weak, ref->node->debug_id);
3560 binder_node_lock(ref->node);
3561 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
3563 binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification already set\n",
3564 proc->pid, thread->pid);
3565 binder_node_unlock(ref->node);
3566 binder_proc_unlock(proc);
3570 binder_stats_created(BINDER_STAT_DEATH);
3571 INIT_LIST_HEAD(&death->work.entry);
3572 death->cookie = cookie;
3574 if (ref->node->proc == NULL) {
3575 ref->death->work.type = BINDER_WORK_DEAD_BINDER;
3577 binder_inner_proc_lock(proc);
3578 binder_enqueue_work_ilocked(
3579 &ref->death->work, &proc->todo);
3580 binder_wakeup_proc_ilocked(proc);
3581 binder_inner_proc_unlock(proc);
3584 if (ref->death == NULL) {
3585 binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not active\n",
3586 proc->pid, thread->pid);
3587 binder_node_unlock(ref->node);
3588 binder_proc_unlock(proc);
3592 if (death->cookie != cookie) {
3593 binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n",
3594 proc->pid, thread->pid,
3597 binder_node_unlock(ref->node);
3598 binder_proc_unlock(proc);
3602 binder_inner_proc_lock(proc);
3603 if (list_empty(&death->work.entry)) {
3604 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
3605 if (thread->looper &
3606 (BINDER_LOOPER_STATE_REGISTERED |
3607 BINDER_LOOPER_STATE_ENTERED))
3608 binder_enqueue_work_ilocked(
3612 binder_enqueue_work_ilocked(
3615 binder_wakeup_proc_ilocked(
3619 BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER);
3620 death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR;
3622 binder_inner_proc_unlock(proc);
3624 binder_node_unlock(ref->node);
3625 binder_proc_unlock(proc);
3627 case BC_DEAD_BINDER_DONE: {
3628 struct binder_work *w;
3629 binder_uintptr_t cookie;
3630 struct binder_ref_death *death = NULL;
3632 if (get_user(cookie, (binder_uintptr_t __user *)ptr))
3635 ptr += sizeof(cookie);
3636 binder_inner_proc_lock(proc);
3637 list_for_each_entry(w, &proc->delivered_death,
3639 struct binder_ref_death *tmp_death =
3641 struct binder_ref_death,
3644 if (tmp_death->cookie == cookie) {
3649 binder_debug(BINDER_DEBUG_DEAD_BINDER,
3650 "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n",
3651 proc->pid, thread->pid, (u64)cookie,
3653 if (death == NULL) {
3654 binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n",
3655 proc->pid, thread->pid, (u64)cookie);
3656 binder_inner_proc_unlock(proc);
3659 binder_dequeue_work_ilocked(&death->work);
3660 if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) {
3661 death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
3662 if (thread->looper &
3663 (BINDER_LOOPER_STATE_REGISTERED |
3664 BINDER_LOOPER_STATE_ENTERED))
3665 binder_enqueue_work_ilocked(
3666 &death->work, &thread->todo);
3668 binder_enqueue_work_ilocked(
3671 binder_wakeup_proc_ilocked(proc);
3674 binder_inner_proc_unlock(proc);
3678 pr_err("%d:%d unknown command %d\n",
3679 proc->pid, thread->pid, cmd);
3682 *consumed = ptr - buffer;
3687 static void binder_stat_br(struct binder_proc *proc,
3688 struct binder_thread *thread, uint32_t cmd)
3690 trace_binder_return(cmd);
3691 if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) {
3692 atomic_inc(&binder_stats.br[_IOC_NR(cmd)]);
3693 atomic_inc(&proc->stats.br[_IOC_NR(cmd)]);
3694 atomic_inc(&thread->stats.br[_IOC_NR(cmd)]);
3698 static int binder_put_node_cmd(struct binder_proc *proc,
3699 struct binder_thread *thread,
3701 binder_uintptr_t node_ptr,
3702 binder_uintptr_t node_cookie,
3704 uint32_t cmd, const char *cmd_name)
3706 void __user *ptr = *ptrp;
3708 if (put_user(cmd, (uint32_t __user *)ptr))
3710 ptr += sizeof(uint32_t);
3712 if (put_user(node_ptr, (binder_uintptr_t __user *)ptr))
3714 ptr += sizeof(binder_uintptr_t);
3716 if (put_user(node_cookie, (binder_uintptr_t __user *)ptr))
3718 ptr += sizeof(binder_uintptr_t);
3720 binder_stat_br(proc, thread, cmd);
3721 binder_debug(BINDER_DEBUG_USER_REFS, "%d:%d %s %d u%016llx c%016llx\n",
3722 proc->pid, thread->pid, cmd_name, node_debug_id,
3723 (u64)node_ptr, (u64)node_cookie);
3729 static int binder_wait_for_work(struct binder_thread *thread,
3733 struct binder_proc *proc = thread->proc;
3736 freezer_do_not_count();
3737 binder_inner_proc_lock(proc);
3739 prepare_to_wait(&thread->wait, &wait, TASK_INTERRUPTIBLE);
3740 if (binder_has_work_ilocked(thread, do_proc_work))
3743 list_add(&thread->waiting_thread_node,
3744 &proc->waiting_threads);
3745 binder_inner_proc_unlock(proc);
3747 binder_inner_proc_lock(proc);
3748 list_del_init(&thread->waiting_thread_node);
3749 if (signal_pending(current)) {
3754 finish_wait(&thread->wait, &wait);
3755 binder_inner_proc_unlock(proc);
3761 static int binder_thread_read(struct binder_proc *proc,
3762 struct binder_thread *thread,
3763 binder_uintptr_t binder_buffer, size_t size,
3764 binder_size_t *consumed, int non_block)
3766 void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
3767 void __user *ptr = buffer + *consumed;
3768 void __user *end = buffer + size;
3771 int wait_for_proc_work;
3773 if (*consumed == 0) {
3774 if (put_user(BR_NOOP, (uint32_t __user *)ptr))
3776 ptr += sizeof(uint32_t);
3780 binder_inner_proc_lock(proc);
3781 wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
3782 binder_inner_proc_unlock(proc);
3784 thread->looper |= BINDER_LOOPER_STATE_WAITING;
3786 trace_binder_wait_for_work(wait_for_proc_work,
3787 !!thread->transaction_stack,
3788 !binder_worklist_empty(proc, &thread->todo));
3789 if (wait_for_proc_work) {
3790 if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
3791 BINDER_LOOPER_STATE_ENTERED))) {
3792 binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
3793 proc->pid, thread->pid, thread->looper);
3794 wait_event_interruptible(binder_user_error_wait,
3795 binder_stop_on_user_error < 2);
3797 binder_set_nice(proc->default_priority);
3801 if (!binder_has_work(thread, wait_for_proc_work))
3804 ret = binder_wait_for_work(thread, wait_for_proc_work);
3807 thread->looper &= ~BINDER_LOOPER_STATE_WAITING;
3814 struct binder_transaction_data tr;
3815 struct binder_work *w = NULL;
3816 struct list_head *list = NULL;
3817 struct binder_transaction *t = NULL;
3818 struct binder_thread *t_from;
3820 binder_inner_proc_lock(proc);
3821 if (!binder_worklist_empty_ilocked(&thread->todo))
3822 list = &thread->todo;
3823 else if (!binder_worklist_empty_ilocked(&proc->todo) &&
3827 binder_inner_proc_unlock(proc);
3830 if (ptr - buffer == 4 && !thread->looper_need_return)
3835 if (end - ptr < sizeof(tr) + 4) {
3836 binder_inner_proc_unlock(proc);
3839 w = binder_dequeue_work_head_ilocked(list);
3842 case BINDER_WORK_TRANSACTION: {
3843 binder_inner_proc_unlock(proc);
3844 t = container_of(w, struct binder_transaction, work);
3846 case BINDER_WORK_RETURN_ERROR: {
3847 struct binder_error *e = container_of(
3848 w, struct binder_error, work);
3850 WARN_ON(e->cmd == BR_OK);
3851 binder_inner_proc_unlock(proc);
3852 if (put_user(e->cmd, (uint32_t __user *)ptr))
3855 ptr += sizeof(uint32_t);
3857 binder_stat_br(proc, thread, e->cmd);
3859 case BINDER_WORK_TRANSACTION_COMPLETE: {
3860 binder_inner_proc_unlock(proc);
3861 cmd = BR_TRANSACTION_COMPLETE;
3862 if (put_user(cmd, (uint32_t __user *)ptr))
3864 ptr += sizeof(uint32_t);
3866 binder_stat_br(proc, thread, cmd);
3867 binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
3868 "%d:%d BR_TRANSACTION_COMPLETE\n",
3869 proc->pid, thread->pid);
3871 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
3873 case BINDER_WORK_NODE: {
3874 struct binder_node *node = container_of(w, struct binder_node, work);
3876 binder_uintptr_t node_ptr = node->ptr;
3877 binder_uintptr_t node_cookie = node->cookie;
3878 int node_debug_id = node->debug_id;
3881 void __user *orig_ptr = ptr;
3883 BUG_ON(proc != node->proc);
3884 strong = node->internal_strong_refs ||
3885 node->local_strong_refs;
3886 weak = !hlist_empty(&node->refs) ||
3887 node->local_weak_refs ||
3888 node->tmp_refs || strong;
3889 has_strong_ref = node->has_strong_ref;
3890 has_weak_ref = node->has_weak_ref;
3892 if (weak && !has_weak_ref) {
3893 node->has_weak_ref = 1;
3894 node->pending_weak_ref = 1;
3895 node->local_weak_refs++;
3897 if (strong && !has_strong_ref) {
3898 node->has_strong_ref = 1;
3899 node->pending_strong_ref = 1;
3900 node->local_strong_refs++;
3902 if (!strong && has_strong_ref)
3903 node->has_strong_ref = 0;
3904 if (!weak && has_weak_ref)
3905 node->has_weak_ref = 0;
3906 if (!weak && !strong) {
3907 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
3908 "%d:%d node %d u%016llx c%016llx deleted\n",
3909 proc->pid, thread->pid,
3913 rb_erase(&node->rb_node, &proc->nodes);
3914 binder_inner_proc_unlock(proc);
3915 binder_node_lock(node);
3917 * Acquire the node lock before freeing the
3918 * node to serialize with other threads that
3919 * may have been holding the node lock while
3920 * decrementing this node (avoids race where
3921 * this thread frees while the other thread
3922 * is unlocking the node after the final
3925 binder_node_unlock(node);
3926 binder_free_node(node);
3928 binder_inner_proc_unlock(proc);
3930 if (weak && !has_weak_ref)
3931 ret = binder_put_node_cmd(
3932 proc, thread, &ptr, node_ptr,
3933 node_cookie, node_debug_id,
3934 BR_INCREFS, "BR_INCREFS");
3935 if (!ret && strong && !has_strong_ref)
3936 ret = binder_put_node_cmd(
3937 proc, thread, &ptr, node_ptr,
3938 node_cookie, node_debug_id,
3939 BR_ACQUIRE, "BR_ACQUIRE");
3940 if (!ret && !strong && has_strong_ref)
3941 ret = binder_put_node_cmd(
3942 proc, thread, &ptr, node_ptr,
3943 node_cookie, node_debug_id,
3944 BR_RELEASE, "BR_RELEASE");
3945 if (!ret && !weak && has_weak_ref)
3946 ret = binder_put_node_cmd(
3947 proc, thread, &ptr, node_ptr,
3948 node_cookie, node_debug_id,
3949 BR_DECREFS, "BR_DECREFS");
3950 if (orig_ptr == ptr)
3951 binder_debug(BINDER_DEBUG_INTERNAL_REFS,
3952 "%d:%d node %d u%016llx c%016llx state unchanged\n",
3953 proc->pid, thread->pid,
3960 case BINDER_WORK_DEAD_BINDER:
3961 case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
3962 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
3963 struct binder_ref_death *death;
3965 binder_uintptr_t cookie;
3967 death = container_of(w, struct binder_ref_death, work);
3968 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION)
3969 cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE;
3971 cmd = BR_DEAD_BINDER;
3972 cookie = death->cookie;
3974 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
3975 "%d:%d %s %016llx\n",
3976 proc->pid, thread->pid,
3977 cmd == BR_DEAD_BINDER ?
3979 "BR_CLEAR_DEATH_NOTIFICATION_DONE",
3981 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) {
3982 binder_inner_proc_unlock(proc);
3984 binder_stats_deleted(BINDER_STAT_DEATH);
3986 binder_enqueue_work_ilocked(
3987 w, &proc->delivered_death);
3988 binder_inner_proc_unlock(proc);
3990 if (put_user(cmd, (uint32_t __user *)ptr))
3992 ptr += sizeof(uint32_t);
3993 if (put_user(cookie,
3994 (binder_uintptr_t __user *)ptr))
3996 ptr += sizeof(binder_uintptr_t);
3997 binder_stat_br(proc, thread, cmd);
3998 if (cmd == BR_DEAD_BINDER)
3999 goto done; /* DEAD_BINDER notifications can cause transactions */
4006 BUG_ON(t->buffer == NULL);
4007 if (t->buffer->target_node) {
4008 struct binder_node *target_node = t->buffer->target_node;
4010 tr.target.ptr = target_node->ptr;
4011 tr.cookie = target_node->cookie;
4012 t->saved_priority = task_nice(current);
4013 if (t->priority < target_node->min_priority &&
4014 !(t->flags & TF_ONE_WAY))
4015 binder_set_nice(t->priority);
4016 else if (!(t->flags & TF_ONE_WAY) ||
4017 t->saved_priority > target_node->min_priority)
4018 binder_set_nice(target_node->min_priority);
4019 cmd = BR_TRANSACTION;
4026 tr.flags = t->flags;
4027 tr.sender_euid = from_kuid(current_user_ns(), t->sender_euid);
4029 t_from = binder_get_txn_from(t);
4031 struct task_struct *sender = t_from->proc->tsk;
4033 tr.sender_pid = task_tgid_nr_ns(sender,
4034 task_active_pid_ns(current));
4039 tr.data_size = t->buffer->data_size;
4040 tr.offsets_size = t->buffer->offsets_size;
4041 tr.data.ptr.buffer = (binder_uintptr_t)
4042 ((uintptr_t)t->buffer->data +
4043 binder_alloc_get_user_buffer_offset(&proc->alloc));
4044 tr.data.ptr.offsets = tr.data.ptr.buffer +
4045 ALIGN(t->buffer->data_size,
4048 if (put_user(cmd, (uint32_t __user *)ptr)) {
4050 binder_thread_dec_tmpref(t_from);
4052 binder_cleanup_transaction(t, "put_user failed",
4057 ptr += sizeof(uint32_t);
4058 if (copy_to_user(ptr, &tr, sizeof(tr))) {
4060 binder_thread_dec_tmpref(t_from);
4062 binder_cleanup_transaction(t, "copy_to_user failed",
4069 trace_binder_transaction_received(t);
4070 binder_stat_br(proc, thread, cmd);
4071 binder_debug(BINDER_DEBUG_TRANSACTION,
4072 "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
4073 proc->pid, thread->pid,
4074 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
4076 t->debug_id, t_from ? t_from->proc->pid : 0,
4077 t_from ? t_from->pid : 0, cmd,
4078 t->buffer->data_size, t->buffer->offsets_size,
4079 (u64)tr.data.ptr.buffer, (u64)tr.data.ptr.offsets);
4082 binder_thread_dec_tmpref(t_from);
4083 t->buffer->allow_user_free = 1;
4084 if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {
4085 binder_inner_proc_lock(thread->proc);
4086 t->to_parent = thread->transaction_stack;
4087 t->to_thread = thread;
4088 thread->transaction_stack = t;
4089 binder_inner_proc_unlock(thread->proc);
4091 binder_free_transaction(t);
4098 *consumed = ptr - buffer;
4099 binder_inner_proc_lock(proc);
4100 if (proc->requested_threads == 0 &&
4101 list_empty(&thread->proc->waiting_threads) &&
4102 proc->requested_threads_started < proc->max_threads &&
4103 (thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
4104 BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */
4105 /*spawn a new thread if we leave this out */) {
4106 proc->requested_threads++;
4107 binder_inner_proc_unlock(proc);
4108 binder_debug(BINDER_DEBUG_THREADS,
4109 "%d:%d BR_SPAWN_LOOPER\n",
4110 proc->pid, thread->pid);
4111 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
4113 binder_stat_br(proc, thread, BR_SPAWN_LOOPER);
4115 binder_inner_proc_unlock(proc);
4119 static void binder_release_work(struct binder_proc *proc,
4120 struct list_head *list)
4122 struct binder_work *w;
4125 w = binder_dequeue_work_head(proc, list);
4130 case BINDER_WORK_TRANSACTION: {
4131 struct binder_transaction *t;
4133 t = container_of(w, struct binder_transaction, work);
4135 binder_cleanup_transaction(t, "process died.",
4138 case BINDER_WORK_RETURN_ERROR: {
4139 struct binder_error *e = container_of(
4140 w, struct binder_error, work);
4142 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
4143 "undelivered TRANSACTION_ERROR: %u\n",
4146 case BINDER_WORK_TRANSACTION_COMPLETE: {
4147 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
4148 "undelivered TRANSACTION_COMPLETE\n");
4150 binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
4152 case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
4153 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
4154 struct binder_ref_death *death;
4156 death = container_of(w, struct binder_ref_death, work);
4157 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
4158 "undelivered death notification, %016llx\n",
4159 (u64)death->cookie);
4161 binder_stats_deleted(BINDER_STAT_DEATH);
4164 pr_err("unexpected work type, %d, not freed\n",
4172 static struct binder_thread *binder_get_thread_ilocked(
4173 struct binder_proc *proc, struct binder_thread *new_thread)
4175 struct binder_thread *thread = NULL;
4176 struct rb_node *parent = NULL;
4177 struct rb_node **p = &proc->threads.rb_node;
4181 thread = rb_entry(parent, struct binder_thread, rb_node);
4183 if (current->pid < thread->pid)
4185 else if (current->pid > thread->pid)
4186 p = &(*p)->rb_right;
4192 thread = new_thread;
4193 binder_stats_created(BINDER_STAT_THREAD);
4194 thread->proc = proc;
4195 thread->pid = current->pid;
4196 atomic_set(&thread->tmp_ref, 0);
4197 init_waitqueue_head(&thread->wait);
4198 INIT_LIST_HEAD(&thread->todo);
4199 rb_link_node(&thread->rb_node, parent, p);
4200 rb_insert_color(&thread->rb_node, &proc->threads);
4201 thread->looper_need_return = true;
4202 thread->return_error.work.type = BINDER_WORK_RETURN_ERROR;
4203 thread->return_error.cmd = BR_OK;
4204 thread->reply_error.work.type = BINDER_WORK_RETURN_ERROR;
4205 thread->reply_error.cmd = BR_OK;
4206 INIT_LIST_HEAD(&new_thread->waiting_thread_node);
4210 static struct binder_thread *binder_get_thread(struct binder_proc *proc)
4212 struct binder_thread *thread;
4213 struct binder_thread *new_thread;
4215 binder_inner_proc_lock(proc);
4216 thread = binder_get_thread_ilocked(proc, NULL);
4217 binder_inner_proc_unlock(proc);
4219 new_thread = kzalloc(sizeof(*thread), GFP_KERNEL);
4220 if (new_thread == NULL)
4222 binder_inner_proc_lock(proc);
4223 thread = binder_get_thread_ilocked(proc, new_thread);
4224 binder_inner_proc_unlock(proc);
4225 if (thread != new_thread)
4231 static void binder_free_proc(struct binder_proc *proc)
4233 BUG_ON(!list_empty(&proc->todo));
4234 BUG_ON(!list_empty(&proc->delivered_death));
4235 binder_alloc_deferred_release(&proc->alloc);
4236 put_task_struct(proc->tsk);
4237 binder_stats_deleted(BINDER_STAT_PROC);
4241 static void binder_free_thread(struct binder_thread *thread)
4243 BUG_ON(!list_empty(&thread->todo));
4244 binder_stats_deleted(BINDER_STAT_THREAD);
4245 binder_proc_dec_tmpref(thread->proc);
4249 static int binder_thread_release(struct binder_proc *proc,
4250 struct binder_thread *thread)
4252 struct binder_transaction *t;
4253 struct binder_transaction *send_reply = NULL;
4254 int active_transactions = 0;
4255 struct binder_transaction *last_t = NULL;
4257 binder_inner_proc_lock(thread->proc);
4259 * take a ref on the proc so it survives
4260 * after we remove this thread from proc->threads.
4261 * The corresponding dec is when we actually
4262 * free the thread in binder_free_thread()
4266 * take a ref on this thread to ensure it
4267 * survives while we are releasing it
4269 atomic_inc(&thread->tmp_ref);
4270 rb_erase(&thread->rb_node, &proc->threads);
4271 t = thread->transaction_stack;
4273 spin_lock(&t->lock);
4274 if (t->to_thread == thread)
4277 thread->is_dead = true;
4281 active_transactions++;
4282 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
4283 "release %d:%d transaction %d %s, still active\n",
4284 proc->pid, thread->pid,
4286 (t->to_thread == thread) ? "in" : "out");
4288 if (t->to_thread == thread) {
4290 t->to_thread = NULL;
4292 t->buffer->transaction = NULL;
4296 } else if (t->from == thread) {
4301 spin_unlock(&last_t->lock);
4303 spin_lock(&t->lock);
4305 binder_inner_proc_unlock(thread->proc);
4308 binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
4309 binder_release_work(proc, &thread->todo);
4310 binder_thread_dec_tmpref(thread);
4311 return active_transactions;
4314 static unsigned int binder_poll(struct file *filp,
4315 struct poll_table_struct *wait)
4317 struct binder_proc *proc = filp->private_data;
4318 struct binder_thread *thread = NULL;
4319 bool wait_for_proc_work;
4321 thread = binder_get_thread(proc);
4323 binder_inner_proc_lock(thread->proc);
4324 thread->looper |= BINDER_LOOPER_STATE_POLL;
4325 wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
4327 binder_inner_proc_unlock(thread->proc);
4329 poll_wait(filp, &thread->wait, wait);
4331 if (binder_has_work(thread, wait_for_proc_work))
4337 static int binder_ioctl_write_read(struct file *filp,
4338 unsigned int cmd, unsigned long arg,
4339 struct binder_thread *thread)
4342 struct binder_proc *proc = filp->private_data;
4343 unsigned int size = _IOC_SIZE(cmd);
4344 void __user *ubuf = (void __user *)arg;
4345 struct binder_write_read bwr;
4347 if (size != sizeof(struct binder_write_read)) {
4351 if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {
4355 binder_debug(BINDER_DEBUG_READ_WRITE,
4356 "%d:%d write %lld at %016llx, read %lld at %016llx\n",
4357 proc->pid, thread->pid,
4358 (u64)bwr.write_size, (u64)bwr.write_buffer,
4359 (u64)bwr.read_size, (u64)bwr.read_buffer);
4361 if (bwr.write_size > 0) {
4362 ret = binder_thread_write(proc, thread,
4365 &bwr.write_consumed);
4366 trace_binder_write_done(ret);
4368 bwr.read_consumed = 0;
4369 if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
4374 if (bwr.read_size > 0) {
4375 ret = binder_thread_read(proc, thread, bwr.read_buffer,
4378 filp->f_flags & O_NONBLOCK);
4379 trace_binder_read_done(ret);
4380 binder_inner_proc_lock(proc);
4381 if (!binder_worklist_empty_ilocked(&proc->todo))
4382 binder_wakeup_proc_ilocked(proc);
4383 binder_inner_proc_unlock(proc);
4385 if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
4390 binder_debug(BINDER_DEBUG_READ_WRITE,
4391 "%d:%d wrote %lld of %lld, read return %lld of %lld\n",
4392 proc->pid, thread->pid,
4393 (u64)bwr.write_consumed, (u64)bwr.write_size,
4394 (u64)bwr.read_consumed, (u64)bwr.read_size);
4395 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {
4403 static int binder_ioctl_set_ctx_mgr(struct file *filp)
4406 struct binder_proc *proc = filp->private_data;
4407 struct binder_context *context = proc->context;
4408 struct binder_node *new_node;
4409 kuid_t curr_euid = current_euid();
4411 mutex_lock(&context->context_mgr_node_lock);
4412 if (context->binder_context_mgr_node) {
4413 pr_err("BINDER_SET_CONTEXT_MGR already set\n");
4417 ret = security_binder_set_context_mgr(proc->tsk);
4420 if (uid_valid(context->binder_context_mgr_uid)) {
4421 if (!uid_eq(context->binder_context_mgr_uid, curr_euid)) {
4422 pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n",
4423 from_kuid(&init_user_ns, curr_euid),
4424 from_kuid(&init_user_ns,
4425 context->binder_context_mgr_uid));
4430 context->binder_context_mgr_uid = curr_euid;
4432 new_node = binder_new_node(proc, NULL);
4437 binder_node_lock(new_node);
4438 new_node->local_weak_refs++;
4439 new_node->local_strong_refs++;
4440 new_node->has_strong_ref = 1;
4441 new_node->has_weak_ref = 1;
4442 context->binder_context_mgr_node = new_node;
4443 binder_node_unlock(new_node);
4444 binder_put_node(new_node);
4446 mutex_unlock(&context->context_mgr_node_lock);
4450 static int binder_ioctl_get_node_debug_info(struct binder_proc *proc,
4451 struct binder_node_debug_info *info)
4454 binder_uintptr_t ptr = info->ptr;
4456 memset(info, 0, sizeof(*info));
4458 binder_inner_proc_lock(proc);
4459 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
4460 struct binder_node *node = rb_entry(n, struct binder_node,
4462 if (node->ptr > ptr) {
4463 info->ptr = node->ptr;
4464 info->cookie = node->cookie;
4465 info->has_strong_ref = node->has_strong_ref;
4466 info->has_weak_ref = node->has_weak_ref;
4470 binder_inner_proc_unlock(proc);
4475 static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
4478 struct binder_proc *proc = filp->private_data;
4479 struct binder_thread *thread;
4480 unsigned int size = _IOC_SIZE(cmd);
4481 void __user *ubuf = (void __user *)arg;
4483 /*pr_info("binder_ioctl: %d:%d %x %lx\n",
4484 proc->pid, current->pid, cmd, arg);*/
4486 binder_selftest_alloc(&proc->alloc);
4488 trace_binder_ioctl(cmd, arg);
4490 ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
4494 thread = binder_get_thread(proc);
4495 if (thread == NULL) {
4501 case BINDER_WRITE_READ:
4502 ret = binder_ioctl_write_read(filp, cmd, arg, thread);
4506 case BINDER_SET_MAX_THREADS: {
4509 if (copy_from_user(&max_threads, ubuf,
4510 sizeof(max_threads))) {
4514 binder_inner_proc_lock(proc);
4515 proc->max_threads = max_threads;
4516 binder_inner_proc_unlock(proc);
4519 case BINDER_SET_CONTEXT_MGR:
4520 ret = binder_ioctl_set_ctx_mgr(filp);
4524 case BINDER_THREAD_EXIT:
4525 binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n",
4526 proc->pid, thread->pid);
4527 binder_thread_release(proc, thread);
4530 case BINDER_VERSION: {
4531 struct binder_version __user *ver = ubuf;
4533 if (size != sizeof(struct binder_version)) {
4537 if (put_user(BINDER_CURRENT_PROTOCOL_VERSION,
4538 &ver->protocol_version)) {
4544 case BINDER_GET_NODE_DEBUG_INFO: {
4545 struct binder_node_debug_info info;
4547 if (copy_from_user(&info, ubuf, sizeof(info))) {
4552 ret = binder_ioctl_get_node_debug_info(proc, &info);
4556 if (copy_to_user(ubuf, &info, sizeof(info))) {
4569 thread->looper_need_return = false;
4570 wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
4571 if (ret && ret != -ERESTARTSYS)
4572 pr_info("%d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);
4574 trace_binder_ioctl_done(ret);
4578 static void binder_vma_open(struct vm_area_struct *vma)
4580 struct binder_proc *proc = vma->vm_private_data;
4582 binder_debug(BINDER_DEBUG_OPEN_CLOSE,
4583 "%d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
4584 proc->pid, vma->vm_start, vma->vm_end,
4585 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
4586 (unsigned long)pgprot_val(vma->vm_page_prot));
4589 static void binder_vma_close(struct vm_area_struct *vma)
4591 struct binder_proc *proc = vma->vm_private_data;
4593 binder_debug(BINDER_DEBUG_OPEN_CLOSE,
4594 "%d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
4595 proc->pid, vma->vm_start, vma->vm_end,
4596 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
4597 (unsigned long)pgprot_val(vma->vm_page_prot));
4598 binder_alloc_vma_close(&proc->alloc);
4599 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
4602 static int binder_vm_fault(struct vm_fault *vmf)
4604 return VM_FAULT_SIGBUS;
4607 static const struct vm_operations_struct binder_vm_ops = {
4608 .open = binder_vma_open,
4609 .close = binder_vma_close,
4610 .fault = binder_vm_fault,
4613 static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
4616 struct binder_proc *proc = filp->private_data;
4617 const char *failure_string;
4619 if (proc->tsk != current->group_leader)
4622 if ((vma->vm_end - vma->vm_start) > SZ_4M)
4623 vma->vm_end = vma->vm_start + SZ_4M;
4625 binder_debug(BINDER_DEBUG_OPEN_CLOSE,
4626 "%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
4627 __func__, proc->pid, vma->vm_start, vma->vm_end,
4628 (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
4629 (unsigned long)pgprot_val(vma->vm_page_prot));
4631 if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) {
4633 failure_string = "bad vm_flags";
4636 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE;
4637 vma->vm_ops = &binder_vm_ops;
4638 vma->vm_private_data = proc;
4640 ret = binder_alloc_mmap_handler(&proc->alloc, vma);
4643 mutex_lock(&proc->files_lock);
4644 proc->files = get_files_struct(current);
4645 mutex_unlock(&proc->files_lock);
4649 pr_err("binder_mmap: %d %lx-%lx %s failed %d\n",
4650 proc->pid, vma->vm_start, vma->vm_end, failure_string, ret);
4654 static int binder_open(struct inode *nodp, struct file *filp)
4656 struct binder_proc *proc;
4657 struct binder_device *binder_dev;
4659 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n",
4660 current->group_leader->pid, current->pid);
4662 proc = kzalloc(sizeof(*proc), GFP_KERNEL);
4665 spin_lock_init(&proc->inner_lock);
4666 spin_lock_init(&proc->outer_lock);
4667 get_task_struct(current->group_leader);
4668 proc->tsk = current->group_leader;
4669 mutex_init(&proc->files_lock);
4670 INIT_LIST_HEAD(&proc->todo);
4671 proc->default_priority = task_nice(current);
4672 binder_dev = container_of(filp->private_data, struct binder_device,
4674 proc->context = &binder_dev->context;
4675 binder_alloc_init(&proc->alloc);
4677 binder_stats_created(BINDER_STAT_PROC);
4678 proc->pid = current->group_leader->pid;
4679 INIT_LIST_HEAD(&proc->delivered_death);
4680 INIT_LIST_HEAD(&proc->waiting_threads);
4681 filp->private_data = proc;
4683 mutex_lock(&binder_procs_lock);
4684 hlist_add_head(&proc->proc_node, &binder_procs);
4685 mutex_unlock(&binder_procs_lock);
4687 if (binder_debugfs_dir_entry_proc) {
4690 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
4692 * proc debug entries are shared between contexts, so
4693 * this will fail if the process tries to open the driver
4694 * again with a different context. The priting code will
4695 * anyway print all contexts that a given PID has, so this
4698 proc->debugfs_entry = debugfs_create_file(strbuf, S_IRUGO,
4699 binder_debugfs_dir_entry_proc,
4700 (void *)(unsigned long)proc->pid,
4707 static int binder_flush(struct file *filp, fl_owner_t id)
4709 struct binder_proc *proc = filp->private_data;
4711 binder_defer_work(proc, BINDER_DEFERRED_FLUSH);
4716 static void binder_deferred_flush(struct binder_proc *proc)
4721 binder_inner_proc_lock(proc);
4722 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
4723 struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
4725 thread->looper_need_return = true;
4726 if (thread->looper & BINDER_LOOPER_STATE_WAITING) {
4727 wake_up_interruptible(&thread->wait);
4731 binder_inner_proc_unlock(proc);
4733 binder_debug(BINDER_DEBUG_OPEN_CLOSE,
4734 "binder_flush: %d woke %d threads\n", proc->pid,
4738 static int binder_release(struct inode *nodp, struct file *filp)
4740 struct binder_proc *proc = filp->private_data;
4742 debugfs_remove(proc->debugfs_entry);
4743 binder_defer_work(proc, BINDER_DEFERRED_RELEASE);
4748 static int binder_node_release(struct binder_node *node, int refs)
4750 struct binder_ref *ref;
4752 struct binder_proc *proc = node->proc;
4754 binder_release_work(proc, &node->async_todo);
4756 binder_node_lock(node);
4757 binder_inner_proc_lock(proc);
4758 binder_dequeue_work_ilocked(&node->work);
4760 * The caller must have taken a temporary ref on the node,
4762 BUG_ON(!node->tmp_refs);
4763 if (hlist_empty(&node->refs) && node->tmp_refs == 1) {
4764 binder_inner_proc_unlock(proc);
4765 binder_node_unlock(node);
4766 binder_free_node(node);
4772 node->local_strong_refs = 0;
4773 node->local_weak_refs = 0;
4774 binder_inner_proc_unlock(proc);
4776 spin_lock(&binder_dead_nodes_lock);
4777 hlist_add_head(&node->dead_node, &binder_dead_nodes);
4778 spin_unlock(&binder_dead_nodes_lock);
4780 hlist_for_each_entry(ref, &node->refs, node_entry) {
4783 * Need the node lock to synchronize
4784 * with new notification requests and the
4785 * inner lock to synchronize with queued
4786 * death notifications.
4788 binder_inner_proc_lock(ref->proc);
4790 binder_inner_proc_unlock(ref->proc);
4796 BUG_ON(!list_empty(&ref->death->work.entry));
4797 ref->death->work.type = BINDER_WORK_DEAD_BINDER;
4798 binder_enqueue_work_ilocked(&ref->death->work,
4800 binder_wakeup_proc_ilocked(ref->proc);
4801 binder_inner_proc_unlock(ref->proc);
4804 binder_debug(BINDER_DEBUG_DEAD_BINDER,
4805 "node %d now dead, refs %d, death %d\n",
4806 node->debug_id, refs, death);
4807 binder_node_unlock(node);
4808 binder_put_node(node);
4813 static void binder_deferred_release(struct binder_proc *proc)
4815 struct binder_context *context = proc->context;
4817 int threads, nodes, incoming_refs, outgoing_refs, active_transactions;
4819 BUG_ON(proc->files);
4821 mutex_lock(&binder_procs_lock);
4822 hlist_del(&proc->proc_node);
4823 mutex_unlock(&binder_procs_lock);
4825 mutex_lock(&context->context_mgr_node_lock);
4826 if (context->binder_context_mgr_node &&
4827 context->binder_context_mgr_node->proc == proc) {
4828 binder_debug(BINDER_DEBUG_DEAD_BINDER,
4829 "%s: %d context_mgr_node gone\n",
4830 __func__, proc->pid);
4831 context->binder_context_mgr_node = NULL;
4833 mutex_unlock(&context->context_mgr_node_lock);
4834 binder_inner_proc_lock(proc);
4836 * Make sure proc stays alive after we
4837 * remove all the threads
4841 proc->is_dead = true;
4843 active_transactions = 0;
4844 while ((n = rb_first(&proc->threads))) {
4845 struct binder_thread *thread;
4847 thread = rb_entry(n, struct binder_thread, rb_node);
4848 binder_inner_proc_unlock(proc);
4850 active_transactions += binder_thread_release(proc, thread);
4851 binder_inner_proc_lock(proc);
4856 while ((n = rb_first(&proc->nodes))) {
4857 struct binder_node *node;
4859 node = rb_entry(n, struct binder_node, rb_node);
4862 * take a temporary ref on the node before
4863 * calling binder_node_release() which will either
4864 * kfree() the node or call binder_put_node()
4866 binder_inc_node_tmpref_ilocked(node);
4867 rb_erase(&node->rb_node, &proc->nodes);
4868 binder_inner_proc_unlock(proc);
4869 incoming_refs = binder_node_release(node, incoming_refs);
4870 binder_inner_proc_lock(proc);
4872 binder_inner_proc_unlock(proc);
4875 binder_proc_lock(proc);
4876 while ((n = rb_first(&proc->refs_by_desc))) {
4877 struct binder_ref *ref;
4879 ref = rb_entry(n, struct binder_ref, rb_node_desc);
4881 binder_cleanup_ref_olocked(ref);
4882 binder_proc_unlock(proc);
4883 binder_free_ref(ref);
4884 binder_proc_lock(proc);
4886 binder_proc_unlock(proc);
4888 binder_release_work(proc, &proc->todo);
4889 binder_release_work(proc, &proc->delivered_death);
4891 binder_debug(BINDER_DEBUG_OPEN_CLOSE,
4892 "%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d\n",
4893 __func__, proc->pid, threads, nodes, incoming_refs,
4894 outgoing_refs, active_transactions);
4896 binder_proc_dec_tmpref(proc);
4899 static void binder_deferred_func(struct work_struct *work)
4901 struct binder_proc *proc;
4902 struct files_struct *files;
4907 mutex_lock(&binder_deferred_lock);
4908 if (!hlist_empty(&binder_deferred_list)) {
4909 proc = hlist_entry(binder_deferred_list.first,
4910 struct binder_proc, deferred_work_node);
4911 hlist_del_init(&proc->deferred_work_node);
4912 defer = proc->deferred_work;
4913 proc->deferred_work = 0;
4918 mutex_unlock(&binder_deferred_lock);
4921 if (defer & BINDER_DEFERRED_PUT_FILES) {
4922 mutex_lock(&proc->files_lock);
4923 files = proc->files;
4926 mutex_unlock(&proc->files_lock);
4929 if (defer & BINDER_DEFERRED_FLUSH)
4930 binder_deferred_flush(proc);
4932 if (defer & BINDER_DEFERRED_RELEASE)
4933 binder_deferred_release(proc); /* frees proc */
4936 put_files_struct(files);
4939 static DECLARE_WORK(binder_deferred_work, binder_deferred_func);
4942 binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer)
4944 mutex_lock(&binder_deferred_lock);
4945 proc->deferred_work |= defer;
4946 if (hlist_unhashed(&proc->deferred_work_node)) {
4947 hlist_add_head(&proc->deferred_work_node,
4948 &binder_deferred_list);
4949 schedule_work(&binder_deferred_work);
4951 mutex_unlock(&binder_deferred_lock);
4954 static void print_binder_transaction_ilocked(struct seq_file *m,
4955 struct binder_proc *proc,
4957 struct binder_transaction *t)
4959 struct binder_proc *to_proc;
4960 struct binder_buffer *buffer = t->buffer;
4962 spin_lock(&t->lock);
4963 to_proc = t->to_proc;
4965 "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d",
4966 prefix, t->debug_id, t,
4967 t->from ? t->from->proc->pid : 0,
4968 t->from ? t->from->pid : 0,
4969 to_proc ? to_proc->pid : 0,
4970 t->to_thread ? t->to_thread->pid : 0,
4971 t->code, t->flags, t->priority, t->need_reply);
4972 spin_unlock(&t->lock);
4974 if (proc != to_proc) {
4976 * Can only safely deref buffer if we are holding the
4977 * correct proc inner lock for this node
4983 if (buffer == NULL) {
4984 seq_puts(m, " buffer free\n");
4987 if (buffer->target_node)
4988 seq_printf(m, " node %d", buffer->target_node->debug_id);
4989 seq_printf(m, " size %zd:%zd data %p\n",
4990 buffer->data_size, buffer->offsets_size,
4994 static void print_binder_work_ilocked(struct seq_file *m,
4995 struct binder_proc *proc,
4997 const char *transaction_prefix,
4998 struct binder_work *w)
5000 struct binder_node *node;
5001 struct binder_transaction *t;
5004 case BINDER_WORK_TRANSACTION:
5005 t = container_of(w, struct binder_transaction, work);
5006 print_binder_transaction_ilocked(
5007 m, proc, transaction_prefix, t);
5009 case BINDER_WORK_RETURN_ERROR: {
5010 struct binder_error *e = container_of(
5011 w, struct binder_error, work);
5013 seq_printf(m, "%stransaction error: %u\n",
5016 case BINDER_WORK_TRANSACTION_COMPLETE:
5017 seq_printf(m, "%stransaction complete\n", prefix);
5019 case BINDER_WORK_NODE:
5020 node = container_of(w, struct binder_node, work);
5021 seq_printf(m, "%snode work %d: u%016llx c%016llx\n",
5022 prefix, node->debug_id,
5023 (u64)node->ptr, (u64)node->cookie);
5025 case BINDER_WORK_DEAD_BINDER:
5026 seq_printf(m, "%shas dead binder\n", prefix);
5028 case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
5029 seq_printf(m, "%shas cleared dead binder\n", prefix);
5031 case BINDER_WORK_CLEAR_DEATH_NOTIFICATION:
5032 seq_printf(m, "%shas cleared death notification\n", prefix);
5035 seq_printf(m, "%sunknown work: type %d\n", prefix, w->type);
5040 static void print_binder_thread_ilocked(struct seq_file *m,
5041 struct binder_thread *thread,
5044 struct binder_transaction *t;
5045 struct binder_work *w;
5046 size_t start_pos = m->count;
5049 seq_printf(m, " thread %d: l %02x need_return %d tr %d\n",
5050 thread->pid, thread->looper,
5051 thread->looper_need_return,
5052 atomic_read(&thread->tmp_ref));
5053 header_pos = m->count;
5054 t = thread->transaction_stack;
5056 if (t->from == thread) {
5057 print_binder_transaction_ilocked(m, thread->proc,
5058 " outgoing transaction", t);
5060 } else if (t->to_thread == thread) {
5061 print_binder_transaction_ilocked(m, thread->proc,
5062 " incoming transaction", t);
5065 print_binder_transaction_ilocked(m, thread->proc,
5066 " bad transaction", t);
5070 list_for_each_entry(w, &thread->todo, entry) {
5071 print_binder_work_ilocked(m, thread->proc, " ",
5072 " pending transaction", w);
5074 if (!print_always && m->count == header_pos)
5075 m->count = start_pos;
5078 static void print_binder_node_nilocked(struct seq_file *m,
5079 struct binder_node *node)
5081 struct binder_ref *ref;
5082 struct binder_work *w;
5086 hlist_for_each_entry(ref, &node->refs, node_entry)
5089 seq_printf(m, " node %d: u%016llx c%016llx hs %d hw %d ls %d lw %d is %d iw %d tr %d",
5090 node->debug_id, (u64)node->ptr, (u64)node->cookie,
5091 node->has_strong_ref, node->has_weak_ref,
5092 node->local_strong_refs, node->local_weak_refs,
5093 node->internal_strong_refs, count, node->tmp_refs);
5095 seq_puts(m, " proc");
5096 hlist_for_each_entry(ref, &node->refs, node_entry)
5097 seq_printf(m, " %d", ref->proc->pid);
5101 list_for_each_entry(w, &node->async_todo, entry)
5102 print_binder_work_ilocked(m, node->proc, " ",
5103 " pending async transaction", w);
5107 static void print_binder_ref_olocked(struct seq_file *m,
5108 struct binder_ref *ref)
5110 binder_node_lock(ref->node);
5111 seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %pK\n",
5112 ref->data.debug_id, ref->data.desc,
5113 ref->node->proc ? "" : "dead ",
5114 ref->node->debug_id, ref->data.strong,
5115 ref->data.weak, ref->death);
5116 binder_node_unlock(ref->node);
5119 static void print_binder_proc(struct seq_file *m,
5120 struct binder_proc *proc, int print_all)
5122 struct binder_work *w;
5124 size_t start_pos = m->count;
5126 struct binder_node *last_node = NULL;
5128 seq_printf(m, "proc %d\n", proc->pid);
5129 seq_printf(m, "context %s\n", proc->context->name);
5130 header_pos = m->count;
5132 binder_inner_proc_lock(proc);
5133 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
5134 print_binder_thread_ilocked(m, rb_entry(n, struct binder_thread,
5135 rb_node), print_all);
5137 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
5138 struct binder_node *node = rb_entry(n, struct binder_node,
5141 * take a temporary reference on the node so it
5142 * survives and isn't removed from the tree
5143 * while we print it.
5145 binder_inc_node_tmpref_ilocked(node);
5146 /* Need to drop inner lock to take node lock */
5147 binder_inner_proc_unlock(proc);
5149 binder_put_node(last_node);
5150 binder_node_inner_lock(node);
5151 print_binder_node_nilocked(m, node);
5152 binder_node_inner_unlock(node);
5154 binder_inner_proc_lock(proc);
5156 binder_inner_proc_unlock(proc);
5158 binder_put_node(last_node);
5161 binder_proc_lock(proc);
5162 for (n = rb_first(&proc->refs_by_desc);
5165 print_binder_ref_olocked(m, rb_entry(n,
5168 binder_proc_unlock(proc);
5170 binder_alloc_print_allocated(m, &proc->alloc);
5171 binder_inner_proc_lock(proc);
5172 list_for_each_entry(w, &proc->todo, entry)
5173 print_binder_work_ilocked(m, proc, " ",
5174 " pending transaction", w);
5175 list_for_each_entry(w, &proc->delivered_death, entry) {
5176 seq_puts(m, " has delivered dead binder\n");
5179 binder_inner_proc_unlock(proc);
5180 if (!print_all && m->count == header_pos)
5181 m->count = start_pos;
5184 static const char * const binder_return_strings[] = {
5189 "BR_ACQUIRE_RESULT",
5191 "BR_TRANSACTION_COMPLETE",
5196 "BR_ATTEMPT_ACQUIRE",
5201 "BR_CLEAR_DEATH_NOTIFICATION_DONE",
5205 static const char * const binder_command_strings[] = {
5208 "BC_ACQUIRE_RESULT",
5216 "BC_ATTEMPT_ACQUIRE",
5217 "BC_REGISTER_LOOPER",
5220 "BC_REQUEST_DEATH_NOTIFICATION",
5221 "BC_CLEAR_DEATH_NOTIFICATION",
5222 "BC_DEAD_BINDER_DONE",
5223 "BC_TRANSACTION_SG",
5227 static const char * const binder_objstat_strings[] = {
5234 "transaction_complete"
5237 static void print_binder_stats(struct seq_file *m, const char *prefix,
5238 struct binder_stats *stats)
5242 BUILD_BUG_ON(ARRAY_SIZE(stats->bc) !=
5243 ARRAY_SIZE(binder_command_strings));
5244 for (i = 0; i < ARRAY_SIZE(stats->bc); i++) {
5245 int temp = atomic_read(&stats->bc[i]);
5248 seq_printf(m, "%s%s: %d\n", prefix,
5249 binder_command_strings[i], temp);
5252 BUILD_BUG_ON(ARRAY_SIZE(stats->br) !=
5253 ARRAY_SIZE(binder_return_strings));
5254 for (i = 0; i < ARRAY_SIZE(stats->br); i++) {
5255 int temp = atomic_read(&stats->br[i]);
5258 seq_printf(m, "%s%s: %d\n", prefix,
5259 binder_return_strings[i], temp);
5262 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
5263 ARRAY_SIZE(binder_objstat_strings));
5264 BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
5265 ARRAY_SIZE(stats->obj_deleted));
5266 for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) {
5267 int created = atomic_read(&stats->obj_created[i]);
5268 int deleted = atomic_read(&stats->obj_deleted[i]);
5270 if (created || deleted)
5271 seq_printf(m, "%s%s: active %d total %d\n",
5273 binder_objstat_strings[i],
5279 static void print_binder_proc_stats(struct seq_file *m,
5280 struct binder_proc *proc)
5282 struct binder_work *w;
5283 struct binder_thread *thread;
5285 int count, strong, weak, ready_threads;
5286 size_t free_async_space =
5287 binder_alloc_get_free_async_space(&proc->alloc);
5289 seq_printf(m, "proc %d\n", proc->pid);
5290 seq_printf(m, "context %s\n", proc->context->name);
5293 binder_inner_proc_lock(proc);
5294 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
5297 list_for_each_entry(thread, &proc->waiting_threads, waiting_thread_node)
5300 seq_printf(m, " threads: %d\n", count);
5301 seq_printf(m, " requested threads: %d+%d/%d\n"
5302 " ready threads %d\n"
5303 " free async space %zd\n", proc->requested_threads,
5304 proc->requested_threads_started, proc->max_threads,
5308 for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n))
5310 binder_inner_proc_unlock(proc);
5311 seq_printf(m, " nodes: %d\n", count);
5315 binder_proc_lock(proc);
5316 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
5317 struct binder_ref *ref = rb_entry(n, struct binder_ref,
5320 strong += ref->data.strong;
5321 weak += ref->data.weak;
5323 binder_proc_unlock(proc);
5324 seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak);
5326 count = binder_alloc_get_allocated_count(&proc->alloc);
5327 seq_printf(m, " buffers: %d\n", count);
5329 binder_alloc_print_pages(m, &proc->alloc);
5332 binder_inner_proc_lock(proc);
5333 list_for_each_entry(w, &proc->todo, entry) {
5334 if (w->type == BINDER_WORK_TRANSACTION)
5337 binder_inner_proc_unlock(proc);
5338 seq_printf(m, " pending transactions: %d\n", count);
5340 print_binder_stats(m, " ", &proc->stats);
5344 static int binder_state_show(struct seq_file *m, void *unused)
5346 struct binder_proc *proc;
5347 struct binder_node *node;
5348 struct binder_node *last_node = NULL;
5350 seq_puts(m, "binder state:\n");
5352 spin_lock(&binder_dead_nodes_lock);
5353 if (!hlist_empty(&binder_dead_nodes))
5354 seq_puts(m, "dead nodes:\n");
5355 hlist_for_each_entry(node, &binder_dead_nodes, dead_node) {
5357 * take a temporary reference on the node so it
5358 * survives and isn't removed from the list
5359 * while we print it.
5362 spin_unlock(&binder_dead_nodes_lock);
5364 binder_put_node(last_node);
5365 binder_node_lock(node);
5366 print_binder_node_nilocked(m, node);
5367 binder_node_unlock(node);
5369 spin_lock(&binder_dead_nodes_lock);
5371 spin_unlock(&binder_dead_nodes_lock);
5373 binder_put_node(last_node);
5375 mutex_lock(&binder_procs_lock);
5376 hlist_for_each_entry(proc, &binder_procs, proc_node)
5377 print_binder_proc(m, proc, 1);
5378 mutex_unlock(&binder_procs_lock);
5383 static int binder_stats_show(struct seq_file *m, void *unused)
5385 struct binder_proc *proc;
5387 seq_puts(m, "binder stats:\n");
5389 print_binder_stats(m, "", &binder_stats);
5391 mutex_lock(&binder_procs_lock);
5392 hlist_for_each_entry(proc, &binder_procs, proc_node)
5393 print_binder_proc_stats(m, proc);
5394 mutex_unlock(&binder_procs_lock);
5399 static int binder_transactions_show(struct seq_file *m, void *unused)
5401 struct binder_proc *proc;
5403 seq_puts(m, "binder transactions:\n");
5404 mutex_lock(&binder_procs_lock);
5405 hlist_for_each_entry(proc, &binder_procs, proc_node)
5406 print_binder_proc(m, proc, 0);
5407 mutex_unlock(&binder_procs_lock);
5412 static int binder_proc_show(struct seq_file *m, void *unused)
5414 struct binder_proc *itr;
5415 int pid = (unsigned long)m->private;
5417 mutex_lock(&binder_procs_lock);
5418 hlist_for_each_entry(itr, &binder_procs, proc_node) {
5419 if (itr->pid == pid) {
5420 seq_puts(m, "binder proc state:\n");
5421 print_binder_proc(m, itr, 1);
5424 mutex_unlock(&binder_procs_lock);
5429 static void print_binder_transaction_log_entry(struct seq_file *m,
5430 struct binder_transaction_log_entry *e)
5432 int debug_id = READ_ONCE(e->debug_id_done);
5434 * read barrier to guarantee debug_id_done read before
5435 * we print the log values
5439 "%d: %s from %d:%d to %d:%d context %s node %d handle %d size %d:%d ret %d/%d l=%d",
5440 e->debug_id, (e->call_type == 2) ? "reply" :
5441 ((e->call_type == 1) ? "async" : "call "), e->from_proc,
5442 e->from_thread, e->to_proc, e->to_thread, e->context_name,
5443 e->to_node, e->target_handle, e->data_size, e->offsets_size,
5444 e->return_error, e->return_error_param,
5445 e->return_error_line);
5447 * read-barrier to guarantee read of debug_id_done after
5448 * done printing the fields of the entry
5451 seq_printf(m, debug_id && debug_id == READ_ONCE(e->debug_id_done) ?
5452 "\n" : " (incomplete)\n");
5455 static int binder_transaction_log_show(struct seq_file *m, void *unused)
5457 struct binder_transaction_log *log = m->private;
5458 unsigned int log_cur = atomic_read(&log->cur);
5463 count = log_cur + 1;
5464 cur = count < ARRAY_SIZE(log->entry) && !log->full ?
5465 0 : count % ARRAY_SIZE(log->entry);
5466 if (count > ARRAY_SIZE(log->entry) || log->full)
5467 count = ARRAY_SIZE(log->entry);
5468 for (i = 0; i < count; i++) {
5469 unsigned int index = cur++ % ARRAY_SIZE(log->entry);
5471 print_binder_transaction_log_entry(m, &log->entry[index]);
5476 static const struct file_operations binder_fops = {
5477 .owner = THIS_MODULE,
5478 .poll = binder_poll,
5479 .unlocked_ioctl = binder_ioctl,
5480 .compat_ioctl = binder_ioctl,
5481 .mmap = binder_mmap,
5482 .open = binder_open,
5483 .flush = binder_flush,
5484 .release = binder_release,
5487 BINDER_DEBUG_ENTRY(state);
5488 BINDER_DEBUG_ENTRY(stats);
5489 BINDER_DEBUG_ENTRY(transactions);
5490 BINDER_DEBUG_ENTRY(transaction_log);
5492 static int __init init_binder_device(const char *name)
5495 struct binder_device *binder_device;
5497 binder_device = kzalloc(sizeof(*binder_device), GFP_KERNEL);
5501 binder_device->miscdev.fops = &binder_fops;
5502 binder_device->miscdev.minor = MISC_DYNAMIC_MINOR;
5503 binder_device->miscdev.name = name;
5505 binder_device->context.binder_context_mgr_uid = INVALID_UID;
5506 binder_device->context.name = name;
5507 mutex_init(&binder_device->context.context_mgr_node_lock);
5509 ret = misc_register(&binder_device->miscdev);
5511 kfree(binder_device);
5515 hlist_add_head(&binder_device->hlist, &binder_devices);
5520 static int __init binder_init(void)
5523 char *device_name, *device_names, *device_tmp;
5524 struct binder_device *device;
5525 struct hlist_node *tmp;
5527 binder_alloc_shrinker_init();
5529 atomic_set(&binder_transaction_log.cur, ~0U);
5530 atomic_set(&binder_transaction_log_failed.cur, ~0U);
5532 binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL);
5533 if (binder_debugfs_dir_entry_root)
5534 binder_debugfs_dir_entry_proc = debugfs_create_dir("proc",
5535 binder_debugfs_dir_entry_root);
5537 if (binder_debugfs_dir_entry_root) {
5538 debugfs_create_file("state",
5540 binder_debugfs_dir_entry_root,
5542 &binder_state_fops);
5543 debugfs_create_file("stats",
5545 binder_debugfs_dir_entry_root,
5547 &binder_stats_fops);
5548 debugfs_create_file("transactions",
5550 binder_debugfs_dir_entry_root,
5552 &binder_transactions_fops);
5553 debugfs_create_file("transaction_log",
5555 binder_debugfs_dir_entry_root,
5556 &binder_transaction_log,
5557 &binder_transaction_log_fops);
5558 debugfs_create_file("failed_transaction_log",
5560 binder_debugfs_dir_entry_root,
5561 &binder_transaction_log_failed,
5562 &binder_transaction_log_fops);
5566 * Copy the module_parameter string, because we don't want to
5567 * tokenize it in-place.
5569 device_names = kzalloc(strlen(binder_devices_param) + 1, GFP_KERNEL);
5570 if (!device_names) {
5572 goto err_alloc_device_names_failed;
5574 strcpy(device_names, binder_devices_param);
5576 device_tmp = device_names;
5577 while ((device_name = strsep(&device_tmp, ","))) {
5578 ret = init_binder_device(device_name);
5580 goto err_init_binder_device_failed;
5585 err_init_binder_device_failed:
5586 hlist_for_each_entry_safe(device, tmp, &binder_devices, hlist) {
5587 misc_deregister(&device->miscdev);
5588 hlist_del(&device->hlist);
5592 kfree(device_names);
5594 err_alloc_device_names_failed:
5595 debugfs_remove_recursive(binder_debugfs_dir_entry_root);
5600 device_initcall(binder_init);
5602 #define CREATE_TRACE_POINTS
5603 #include "binder_trace.h"
5605 MODULE_LICENSE("GPL v2");
git.samba.org / sfrench / cifs-2.6.git / blob