^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /* binder.c
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * Android IPC Subsystem
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Copyright (C) 2007-2008 Google, Inc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) * Locking overview
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * There are 3 main spinlocks which must be acquired in the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * order shown:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * 1) proc->outer_lock : protects binder_ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) * binder_proc_lock() and binder_proc_unlock() are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) * used to acq/rel.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * 2) node->lock : protects most fields of binder_node.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * binder_node_lock() and binder_node_unlock() are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * used to acq/rel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * 3) proc->inner_lock : protects the thread and node lists
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) * (proc->threads, proc->waiting_threads, proc->nodes)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * and all todo lists associated with the binder_proc
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) * (proc->todo, thread->todo, proc->delivered_death and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * node->async_todo), as well as thread->transaction_stack
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) * binder_inner_proc_lock() and binder_inner_proc_unlock()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) * are used to acq/rel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) * Any lock under procA must never be nested under any lock at the same
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) * level or below on procB.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) * Functions that require a lock held on entry indicate which lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) * in the suffix of the function name:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) * foo_olocked() : requires node->outer_lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) * foo_nlocked() : requires node->lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) * foo_ilocked() : requires proc->inner_lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) * foo_oilocked(): requires proc->outer_lock and proc->inner_lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) * foo_nilocked(): requires node->lock and proc->inner_lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) * ...
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) #include <linux/fdtable.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) #include <linux/file.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) #include <linux/freezer.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) #include <linux/fs.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) #include <linux/list.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) #include <linux/miscdevice.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) #include <linux/mutex.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) #include <linux/nsproxy.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) #include <linux/poll.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) #include <linux/debugfs.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) #include <linux/rbtree.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) #include <linux/sched/signal.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) #include <linux/sched/mm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) #include <linux/seq_file.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) #include <linux/string.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) #include <linux/uaccess.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) #include <linux/pid_namespace.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) #include <linux/security.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) #include <linux/spinlock.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) #include <linux/ratelimit.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) #include <linux/syscalls.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) #include <linux/task_work.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) #include <linux/sizes.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) #include <linux/android_vendor.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) #include <uapi/linux/sched/types.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) #include <uapi/linux/android/binder.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) #include <asm/cacheflush.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) #include "binder_internal.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) #include "binder_trace.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) #include <trace/hooks/binder.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) static HLIST_HEAD(binder_deferred_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) static DEFINE_MUTEX(binder_deferred_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) static HLIST_HEAD(binder_devices);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) static HLIST_HEAD(binder_procs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) static DEFINE_MUTEX(binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) static HLIST_HEAD(binder_dead_nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) static DEFINE_SPINLOCK(binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) static struct dentry *binder_debugfs_dir_entry_root;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) static struct dentry *binder_debugfs_dir_entry_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) static atomic_t binder_last_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) static int proc_show(struct seq_file *m, void *unused);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) DEFINE_SHOW_ATTRIBUTE(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) #define FORBIDDEN_MMAP_FLAGS (VM_WRITE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) enum {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) BINDER_DEBUG_USER_ERROR = 1U << 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) BINDER_DEBUG_OPEN_CLOSE = 1U << 3,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) BINDER_DEBUG_DEAD_BINDER = 1U << 4,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) BINDER_DEBUG_READ_WRITE = 1U << 6,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) BINDER_DEBUG_USER_REFS = 1U << 7,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) BINDER_DEBUG_THREADS = 1U << 8,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) BINDER_DEBUG_TRANSACTION = 1U << 9,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) BINDER_DEBUG_FREE_BUFFER = 1U << 11,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) BINDER_DEBUG_INTERNAL_REFS = 1U << 12,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) BINDER_DEBUG_PRIORITY_CAP = 1U << 13,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) BINDER_DEBUG_SPINLOCKS = 1U << 14,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) module_param_named(debug_mask, binder_debug_mask, uint, 0644);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) char *binder_devices_param = CONFIG_ANDROID_BINDER_DEVICES;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) module_param_named(devices, binder_devices_param, charp, 0444);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) static int binder_stop_on_user_error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) static int binder_set_stop_on_user_error(const char *val,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) const struct kernel_param *kp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) ret = param_set_int(val, kp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) if (binder_stop_on_user_error < 2)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) wake_up(&binder_user_error_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) param_get_int, &binder_stop_on_user_error, 0644);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) #define binder_debug(mask, x...) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) do { \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) if (binder_debug_mask & mask) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) pr_info_ratelimited(x); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) } while (0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) #define binder_user_error(x...) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) do { \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) pr_info_ratelimited(x); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) if (binder_stop_on_user_error) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) binder_stop_on_user_error = 2; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) } while (0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) #define to_flat_binder_object(hdr) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) container_of(hdr, struct flat_binder_object, hdr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) #define to_binder_fd_object(hdr) container_of(hdr, struct binder_fd_object, hdr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) #define to_binder_buffer_object(hdr) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) container_of(hdr, struct binder_buffer_object, hdr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) #define to_binder_fd_array_object(hdr) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) container_of(hdr, struct binder_fd_array_object, hdr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) static struct binder_stats binder_stats;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) static inline void binder_stats_deleted(enum binder_stat_types type)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) atomic_inc(&binder_stats.obj_deleted[type]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) static inline void binder_stats_created(enum binder_stat_types type)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) atomic_inc(&binder_stats.obj_created[type]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) struct binder_transaction_log binder_transaction_log;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) struct binder_transaction_log binder_transaction_log_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) static struct binder_transaction_log_entry *binder_transaction_log_add(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) struct binder_transaction_log *log)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) struct binder_transaction_log_entry *e;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) unsigned int cur = atomic_inc_return(&log->cur);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) if (cur >= ARRAY_SIZE(log->entry))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) log->full = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) e = &log->entry[cur % ARRAY_SIZE(log->entry)];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) WRITE_ONCE(e->debug_id_done, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) * write-barrier to synchronize access to e->debug_id_done.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) * We make sure the initialized 0 value is seen before
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) * memset() other fields are zeroed by memset.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) smp_wmb();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) memset(e, 0, sizeof(*e));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) return e;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) enum binder_deferred_state {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) BINDER_DEFERRED_FLUSH = 0x01,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) BINDER_DEFERRED_RELEASE = 0x02,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) enum {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) BINDER_LOOPER_STATE_REGISTERED = 0x01,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) BINDER_LOOPER_STATE_ENTERED = 0x02,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) BINDER_LOOPER_STATE_EXITED = 0x04,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) BINDER_LOOPER_STATE_INVALID = 0x08,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) BINDER_LOOPER_STATE_WAITING = 0x10,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) BINDER_LOOPER_STATE_POLL = 0x20,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) * binder_proc_lock() - Acquire outer lock for given binder_proc
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) * @proc: struct binder_proc to acquire
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) * Acquires proc->outer_lock. Used to protect binder_ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) * structures associated with the given proc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) #define binder_proc_lock(proc) _binder_proc_lock(proc, __LINE__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) _binder_proc_lock(struct binder_proc *proc, int line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) __acquires(&proc->outer_lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) binder_debug(BINDER_DEBUG_SPINLOCKS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) "%s: line=%d\n", __func__, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) spin_lock(&proc->outer_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) * binder_proc_unlock() - Release spinlock for given binder_proc
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) * @proc: struct binder_proc to acquire
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) * Release lock acquired via binder_proc_lock()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) #define binder_proc_unlock(_proc) _binder_proc_unlock(_proc, __LINE__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) _binder_proc_unlock(struct binder_proc *proc, int line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) __releases(&proc->outer_lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) binder_debug(BINDER_DEBUG_SPINLOCKS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) "%s: line=%d\n", __func__, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) spin_unlock(&proc->outer_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) * binder_inner_proc_lock() - Acquire inner lock for given binder_proc
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) * @proc: struct binder_proc to acquire
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) * Acquires proc->inner_lock. Used to protect todo lists
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) #define binder_inner_proc_lock(proc) _binder_inner_proc_lock(proc, __LINE__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) _binder_inner_proc_lock(struct binder_proc *proc, int line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) __acquires(&proc->inner_lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) binder_debug(BINDER_DEBUG_SPINLOCKS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) "%s: line=%d\n", __func__, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) spin_lock(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) * binder_inner_proc_unlock() - Release inner lock for given binder_proc
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) * @proc: struct binder_proc to acquire
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) * Release lock acquired via binder_inner_proc_lock()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) #define binder_inner_proc_unlock(proc) _binder_inner_proc_unlock(proc, __LINE__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) _binder_inner_proc_unlock(struct binder_proc *proc, int line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) __releases(&proc->inner_lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) binder_debug(BINDER_DEBUG_SPINLOCKS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) "%s: line=%d\n", __func__, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) spin_unlock(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) * binder_node_lock() - Acquire spinlock for given binder_node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) * @node: struct binder_node to acquire
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) * Acquires node->lock. Used to protect binder_node fields
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) #define binder_node_lock(node) _binder_node_lock(node, __LINE__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) _binder_node_lock(struct binder_node *node, int line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) __acquires(&node->lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) binder_debug(BINDER_DEBUG_SPINLOCKS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) "%s: line=%d\n", __func__, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) spin_lock(&node->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) * binder_node_unlock() - Release spinlock for given binder_proc
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) * @node: struct binder_node to acquire
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) * Release lock acquired via binder_node_lock()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) #define binder_node_unlock(node) _binder_node_unlock(node, __LINE__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) _binder_node_unlock(struct binder_node *node, int line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) __releases(&node->lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) binder_debug(BINDER_DEBUG_SPINLOCKS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) "%s: line=%d\n", __func__, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) spin_unlock(&node->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) * binder_node_inner_lock() - Acquire node and inner locks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) * @node: struct binder_node to acquire
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) * Acquires node->lock. If node->proc also acquires
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) * proc->inner_lock. Used to protect binder_node fields
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) #define binder_node_inner_lock(node) _binder_node_inner_lock(node, __LINE__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) _binder_node_inner_lock(struct binder_node *node, int line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) __acquires(&node->lock) __acquires(&node->proc->inner_lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) binder_debug(BINDER_DEBUG_SPINLOCKS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) "%s: line=%d\n", __func__, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) spin_lock(&node->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) if (node->proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326) binder_inner_proc_lock(node->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) /* annotation for sparse */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) __acquire(&node->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) * binder_node_unlock() - Release node and inner locks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) * @node: struct binder_node to acquire
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) * Release lock acquired via binder_node_lock()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) #define binder_node_inner_unlock(node) _binder_node_inner_unlock(node, __LINE__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) _binder_node_inner_unlock(struct binder_node *node, int line)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) __releases(&node->lock) __releases(&node->proc->inner_lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) struct binder_proc *proc = node->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) binder_debug(BINDER_DEBUG_SPINLOCKS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) "%s: line=%d\n", __func__, line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) if (proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) /* annotation for sparse */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) __release(&node->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) spin_unlock(&node->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) static bool binder_worklist_empty_ilocked(struct list_head *list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) return list_empty(list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) * binder_worklist_empty() - Check if no items on the work list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) * @proc: binder_proc associated with list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) * @list: list to check
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) * Return: true if there are no items on list, else false
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) static bool binder_worklist_empty(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) struct list_head *list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) bool ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) ret = binder_worklist_empty_ilocked(list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) * binder_enqueue_work_ilocked() - Add an item to the work list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380) * @work: struct binder_work to add to list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) * @target_list: list to add work to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) * Adds the work to the specified list. Asserts that work
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) * is not already on a list.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) * Requires the proc->inner_lock to be held.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) binder_enqueue_work_ilocked(struct binder_work *work,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) struct list_head *target_list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) BUG_ON(target_list == NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) BUG_ON(work->entry.next && !list_empty(&work->entry));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) list_add_tail(&work->entry, target_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) * binder_enqueue_deferred_thread_work_ilocked() - Add deferred thread work
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) * @thread: thread to queue work to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) * @work: struct binder_work to add to list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) * Adds the work to the todo list of the thread. Doesn't set the process_todo
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) * flag, which means that (if it wasn't already set) the thread will go to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) * sleep without handling this work when it calls read.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) * Requires the proc->inner_lock to be held.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) binder_enqueue_deferred_thread_work_ilocked(struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) struct binder_work *work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) WARN_ON(!list_empty(&thread->waiting_thread_node));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) binder_enqueue_work_ilocked(work, &thread->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) * binder_enqueue_thread_work_ilocked() - Add an item to the thread work list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) * @thread: thread to queue work to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) * @work: struct binder_work to add to list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) * Adds the work to the todo list of the thread, and enables processing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) * of the todo queue.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) * Requires the proc->inner_lock to be held.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) binder_enqueue_thread_work_ilocked(struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) struct binder_work *work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430) WARN_ON(!list_empty(&thread->waiting_thread_node));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) binder_enqueue_work_ilocked(work, &thread->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) thread->process_todo = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) * binder_enqueue_thread_work() - Add an item to the thread work list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) * @thread: thread to queue work to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) * @work: struct binder_work to add to list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440) * Adds the work to the todo list of the thread, and enables processing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) * of the todo queue.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444) binder_enqueue_thread_work(struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) struct binder_work *work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447) binder_inner_proc_lock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) binder_enqueue_thread_work_ilocked(thread, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449) binder_inner_proc_unlock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) binder_dequeue_work_ilocked(struct binder_work *work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) list_del_init(&work->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) * binder_dequeue_work() - Removes an item from the work list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) * @proc: binder_proc associated with list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461) * @work: struct binder_work to remove from list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463) * Removes the specified work item from whatever list it is on.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) * Can safely be called if work is not on any list.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) binder_dequeue_work(struct binder_proc *proc, struct binder_work *work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470) binder_dequeue_work_ilocked(work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 473)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474) static struct binder_work *binder_dequeue_work_head_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) struct list_head *list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 478)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479) w = list_first_entry_or_null(list, struct binder_work, entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 480) if (w)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481) list_del_init(&w->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482) return w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 485) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 486) binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 487) static void binder_free_thread(struct binder_thread *thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488) static void binder_free_proc(struct binder_proc *proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 489) static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 490)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 491) static bool binder_has_work_ilocked(struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 492) bool do_proc_work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 494) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 495)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 496) trace_android_vh_binder_has_work_ilocked(thread, do_proc_work, &ret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 497) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 498) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 499) return thread->process_todo ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 500) thread->looper_need_return ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 501) (do_proc_work &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 502) !binder_worklist_empty_ilocked(&thread->proc->todo));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 503) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 505) static bool binder_has_work(struct binder_thread *thread, bool do_proc_work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 506) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507) bool has_work;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509) binder_inner_proc_lock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) has_work = binder_has_work_ilocked(thread, do_proc_work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 511) binder_inner_proc_unlock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 512)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 513) return has_work;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 514) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 515)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 516) static bool binder_available_for_proc_work_ilocked(struct binder_thread *thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 518) return !thread->transaction_stack &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 519) binder_worklist_empty_ilocked(&thread->todo) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 520) (thread->looper & (BINDER_LOOPER_STATE_ENTERED |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 521) BINDER_LOOPER_STATE_REGISTERED));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 522) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 524) static void binder_wakeup_poll_threads_ilocked(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 525) bool sync)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 526) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 527) struct rb_node *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 528) struct binder_thread *thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 529)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 530) for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 531) thread = rb_entry(n, struct binder_thread, rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 532) if (thread->looper & BINDER_LOOPER_STATE_POLL &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 533) binder_available_for_proc_work_ilocked(thread)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 534) trace_android_vh_binder_wakeup_ilocked(thread->task, sync, proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 535) if (sync)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 536) wake_up_interruptible_sync(&thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 537) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 538) wake_up_interruptible(&thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 539) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 541) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 543) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 544) * binder_select_thread_ilocked() - selects a thread for doing proc work.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 545) * @proc: process to select a thread from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 546) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 547) * Note that calling this function moves the thread off the waiting_threads
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548) * list, so it can only be woken up by the caller of this function, or a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549) * signal. Therefore, callers *should* always wake up the thread this function
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) * returns.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552) * Return: If there's a thread currently waiting for process work,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) * returns that thread. Otherwise returns NULL.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555) static struct binder_thread *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) binder_select_thread_ilocked(struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558) struct binder_thread *thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560) assert_spin_locked(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) thread = list_first_entry_or_null(&proc->waiting_threads,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562) struct binder_thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563) waiting_thread_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) if (thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) list_del_init(&thread->waiting_thread_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568) return thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572) * binder_wakeup_thread_ilocked() - wakes up a thread for doing proc work.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573) * @proc: process to wake up a thread in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574) * @thread: specific thread to wake-up (may be NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575) * @sync: whether to do a synchronous wake-up
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577) * This function wakes up a thread in the @proc process.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578) * The caller may provide a specific thread to wake-up in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) * the @thread parameter. If @thread is NULL, this function
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) * will wake up threads that have called poll().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582) * Note that for this function to work as expected, callers
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) * should first call binder_select_thread() to find a thread
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) * to handle the work (if they don't have a thread already),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) * and pass the result into the @thread parameter.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) static void binder_wakeup_thread_ilocked(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) bool sync)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) assert_spin_locked(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593) if (thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594) trace_android_vh_binder_wakeup_ilocked(thread->task, sync, proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) if (sync)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) wake_up_interruptible_sync(&thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598) wake_up_interruptible(&thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 600) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 601)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 602) /* Didn't find a thread waiting for proc work; this can happen
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 603) * in two scenarios:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 604) * 1. All threads are busy handling transactions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 605) * In that case, one of those threads should call back into
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 606) * the kernel driver soon and pick up this work.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 607) * 2. Threads are using the (e)poll interface, in which case
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 608) * they may be blocked on the waitqueue without having been
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 609) * added to waiting_threads. For this case, we just iterate
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 610) * over all threads not handling transaction work, and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 611) * wake them all up. We wake all because we don't know whether
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 612) * a thread that called into (e)poll is handling non-binder
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 613) * work currently.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 614) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615) binder_wakeup_poll_threads_ilocked(proc, sync);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 616) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 617)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 618) static void binder_wakeup_proc_ilocked(struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 619) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 620) struct binder_thread *thread = binder_select_thread_ilocked(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 621)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622) binder_wakeup_thread_ilocked(proc, thread, /* sync = */false);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 623) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 624)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 625) static bool is_rt_policy(int policy)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 626) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 627) return policy == SCHED_FIFO || policy == SCHED_RR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 628) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 629)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 630) static bool is_fair_policy(int policy)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 631) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 632) return policy == SCHED_NORMAL || policy == SCHED_BATCH;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 633) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 634)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 635) static bool binder_supported_policy(int policy)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 636) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 637) return is_fair_policy(policy) || is_rt_policy(policy);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 638) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 639)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 640) static int to_userspace_prio(int policy, int kernel_priority)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 641) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 642) if (is_fair_policy(policy))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 643) return PRIO_TO_NICE(kernel_priority);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 644) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 645) return MAX_USER_RT_PRIO - 1 - kernel_priority;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 646) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 647)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 648) static int to_kernel_prio(int policy, int user_priority)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 649) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 650) if (is_fair_policy(policy))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 651) return NICE_TO_PRIO(user_priority);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 652) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 653) return MAX_USER_RT_PRIO - 1 - user_priority;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 654) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 655)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 656) static void binder_do_set_priority(struct task_struct *task,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 657) struct binder_priority desired,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 658) bool verify)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 659) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 660) int priority; /* user-space prio value */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 661) bool has_cap_nice;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 662) unsigned int policy = desired.sched_policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 663)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 664) if (task->policy == policy && task->normal_prio == desired.prio)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 665) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 666)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 667) has_cap_nice = has_capability_noaudit(task, CAP_SYS_NICE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 668)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 669) priority = to_userspace_prio(policy, desired.prio);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 670)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 671) if (verify && is_rt_policy(policy) && !has_cap_nice) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 672) long max_rtprio = task_rlimit(task, RLIMIT_RTPRIO);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 673)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 674) if (max_rtprio == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 675) policy = SCHED_NORMAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 676) priority = MIN_NICE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 677) } else if (priority > max_rtprio) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 678) priority = max_rtprio;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 679) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 680) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 681)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 682) if (verify && is_fair_policy(policy) && !has_cap_nice) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 683) long min_nice = rlimit_to_nice(task_rlimit(task, RLIMIT_NICE));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 684)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 685) if (min_nice > MAX_NICE) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 686) binder_user_error("%d RLIMIT_NICE not set\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 687) task->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 688) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 689) } else if (priority < min_nice) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 690) priority = min_nice;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 691) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 692) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 693)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 694) if (policy != desired.sched_policy ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 695) to_kernel_prio(policy, priority) != desired.prio)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 696) binder_debug(BINDER_DEBUG_PRIORITY_CAP,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 697) "%d: priority %d not allowed, using %d instead\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 698) task->pid, desired.prio,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 699) to_kernel_prio(policy, priority));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 700)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 701) trace_binder_set_priority(task->tgid, task->pid, task->normal_prio,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 702) to_kernel_prio(policy, priority),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 703) desired.prio);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 704)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 705) /* Set the actual priority */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 706) if (task->policy != policy || is_rt_policy(policy)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 707) struct sched_param params;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 708)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 709) params.sched_priority = is_rt_policy(policy) ? priority : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 710)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 711) sched_setscheduler_nocheck(task,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 712) policy | SCHED_RESET_ON_FORK,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 713) ¶ms);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 714) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 715) if (is_fair_policy(policy))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 716) set_user_nice(task, priority);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 717) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 718)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 719) static void binder_set_priority(struct task_struct *task,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 720) struct binder_priority desired)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 721) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 722) binder_do_set_priority(task, desired, /* verify = */ true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 723) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 724)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 725) static void binder_restore_priority(struct task_struct *task,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 726) struct binder_priority desired)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 727) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 728) binder_do_set_priority(task, desired, /* verify = */ false);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 729) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 730)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 731) static void binder_transaction_priority(struct task_struct *task,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 732) struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 733) struct binder_priority node_prio,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 734) bool inherit_rt)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 735) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 736) struct binder_priority desired_prio = t->priority;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 737) bool skip = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 738)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 739) if (t->set_priority_called)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 740) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 741)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 742) t->set_priority_called = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 743) t->saved_priority.sched_policy = task->policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 744) t->saved_priority.prio = task->normal_prio;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 745)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 746) trace_android_vh_binder_priority_skip(task, &skip);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 747) if (skip)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 748) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 749)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 750) if (!inherit_rt && is_rt_policy(desired_prio.sched_policy)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 751) desired_prio.prio = NICE_TO_PRIO(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 752) desired_prio.sched_policy = SCHED_NORMAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 753) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 754)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 755) if (node_prio.prio < t->priority.prio ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 756) (node_prio.prio == t->priority.prio &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 757) node_prio.sched_policy == SCHED_FIFO)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 758) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 759) * In case the minimum priority on the node is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 760) * higher (lower value), use that priority. If
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 761) * the priority is the same, but the node uses
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 762) * SCHED_FIFO, prefer SCHED_FIFO, since it can
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 763) * run unbounded, unlike SCHED_RR.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 764) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 765) desired_prio = node_prio;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 766) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 767)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 768) binder_set_priority(task, desired_prio);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 769) trace_android_vh_binder_set_priority(t, task);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 770) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 771)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 772) static struct binder_node *binder_get_node_ilocked(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 773) binder_uintptr_t ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 774) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 775) struct rb_node *n = proc->nodes.rb_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 776) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 777)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 778) assert_spin_locked(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 779)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 780) while (n) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 781) node = rb_entry(n, struct binder_node, rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 782)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 783) if (ptr < node->ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 784) n = n->rb_left;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 785) else if (ptr > node->ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 786) n = n->rb_right;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 787) else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 788) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 789) * take an implicit weak reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 790) * to ensure node stays alive until
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 791) * call to binder_put_node()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 792) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 793) binder_inc_node_tmpref_ilocked(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 794) return node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 795) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 796) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 797) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 798) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 799)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 800) static struct binder_node *binder_get_node(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 801) binder_uintptr_t ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 802) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 803) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 804)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 805) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 806) node = binder_get_node_ilocked(proc, ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 807) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 808) return node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 809) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 810)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 811) static struct binder_node *binder_init_node_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 812) struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 813) struct binder_node *new_node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 814) struct flat_binder_object *fp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 815) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 816) struct rb_node **p = &proc->nodes.rb_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 817) struct rb_node *parent = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 818) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 819) binder_uintptr_t ptr = fp ? fp->binder : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 820) binder_uintptr_t cookie = fp ? fp->cookie : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 821) __u32 flags = fp ? fp->flags : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 822) s8 priority;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 823)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 824) assert_spin_locked(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 825)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 826) while (*p) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 827)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 828) parent = *p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 829) node = rb_entry(parent, struct binder_node, rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 830)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 831) if (ptr < node->ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 832) p = &(*p)->rb_left;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 833) else if (ptr > node->ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 834) p = &(*p)->rb_right;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 835) else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 836) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 837) * A matching node is already in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 838) * the rb tree. Abandon the init
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 839) * and return it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 840) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 841) binder_inc_node_tmpref_ilocked(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 842) return node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 843) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 844) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 845) node = new_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 846) binder_stats_created(BINDER_STAT_NODE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 847) node->tmp_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 848) rb_link_node(&node->rb_node, parent, p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 849) rb_insert_color(&node->rb_node, &proc->nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 850) node->debug_id = atomic_inc_return(&binder_last_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 851) node->proc = proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 852) node->ptr = ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 853) node->cookie = cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 854) node->work.type = BINDER_WORK_NODE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 855) priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 856) node->sched_policy = (flags & FLAT_BINDER_FLAG_SCHED_POLICY_MASK) >>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 857) FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 858) node->min_priority = to_kernel_prio(node->sched_policy, priority);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 859) node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 860) node->inherit_rt = !!(flags & FLAT_BINDER_FLAG_INHERIT_RT);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 861) node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 862) spin_lock_init(&node->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 863) INIT_LIST_HEAD(&node->work.entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 864) INIT_LIST_HEAD(&node->async_todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 865) binder_debug(BINDER_DEBUG_INTERNAL_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 866) "%d:%d node %d u%016llx c%016llx created\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 867) proc->pid, current->pid, node->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 868) (u64)node->ptr, (u64)node->cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 869)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 870) return node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 871) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 872)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 873) static struct binder_node *binder_new_node(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 874) struct flat_binder_object *fp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 875) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 876) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 877) struct binder_node *new_node = kzalloc(sizeof(*node), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 878)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 879) if (!new_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 880) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 881) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 882) node = binder_init_node_ilocked(proc, new_node, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 883) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 884) if (node != new_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 885) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 886) * The node was already added by another thread
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 887) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 888) kfree(new_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 889)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 890) return node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 891) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 892)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 893) static void binder_free_node(struct binder_node *node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 894) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 895) kfree(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 896) binder_stats_deleted(BINDER_STAT_NODE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 897) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 898)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 899) static int binder_inc_node_nilocked(struct binder_node *node, int strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 900) int internal,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 901) struct list_head *target_list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 902) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 903) struct binder_proc *proc = node->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 904)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 905) assert_spin_locked(&node->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 906) if (proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 907) assert_spin_locked(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 908) if (strong) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 909) if (internal) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 910) if (target_list == NULL &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 911) node->internal_strong_refs == 0 &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 912) !(node->proc &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 913) node == node->proc->context->binder_context_mgr_node &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 914) node->has_strong_ref)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 915) pr_err("invalid inc strong node for %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 916) node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 917) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 918) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 919) node->internal_strong_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 920) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 921) node->local_strong_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 922) if (!node->has_strong_ref && target_list) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 923) struct binder_thread *thread = container_of(target_list,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 924) struct binder_thread, todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 925) binder_dequeue_work_ilocked(&node->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 926) BUG_ON(&thread->todo != target_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 927) binder_enqueue_deferred_thread_work_ilocked(thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 928) &node->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 929) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 930) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 931) if (!internal)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 932) node->local_weak_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 933) if (!node->has_weak_ref && list_empty(&node->work.entry)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 934) if (target_list == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 935) pr_err("invalid inc weak node for %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 936) node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 937) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 938) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 939) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 940) * See comment above
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 941) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 942) binder_enqueue_work_ilocked(&node->work, target_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 943) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 944) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 945) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 946) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 947)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 948) static int binder_inc_node(struct binder_node *node, int strong, int internal,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 949) struct list_head *target_list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 950) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 951) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 952)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 953) binder_node_inner_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 954) ret = binder_inc_node_nilocked(node, strong, internal, target_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 955) binder_node_inner_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 956)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 957) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 958) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 959)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 960) static bool binder_dec_node_nilocked(struct binder_node *node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 961) int strong, int internal)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 962) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 963) struct binder_proc *proc = node->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 964)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 965) assert_spin_locked(&node->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 966) if (proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 967) assert_spin_locked(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 968) if (strong) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 969) if (internal)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 970) node->internal_strong_refs--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 971) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 972) node->local_strong_refs--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 973) if (node->local_strong_refs || node->internal_strong_refs)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 974) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 975) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 976) if (!internal)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 977) node->local_weak_refs--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 978) if (node->local_weak_refs || node->tmp_refs ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 979) !hlist_empty(&node->refs))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 980) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 981) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 982)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 983) if (proc && (node->has_strong_ref || node->has_weak_ref)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 984) if (list_empty(&node->work.entry)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 985) binder_enqueue_work_ilocked(&node->work, &proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 986) binder_wakeup_proc_ilocked(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 987) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 988) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 989) if (hlist_empty(&node->refs) && !node->local_strong_refs &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 990) !node->local_weak_refs && !node->tmp_refs) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 991) if (proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 992) binder_dequeue_work_ilocked(&node->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 993) rb_erase(&node->rb_node, &proc->nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 994) binder_debug(BINDER_DEBUG_INTERNAL_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 995) "refless node %d deleted\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 996) node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 997) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 998) BUG_ON(!list_empty(&node->work.entry));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 999) spin_lock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1000) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1001) * tmp_refs could have changed so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1002) * check it again
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1003) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1004) if (node->tmp_refs) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1005) spin_unlock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1006) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1007) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1008) hlist_del(&node->dead_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1009) spin_unlock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1010) binder_debug(BINDER_DEBUG_INTERNAL_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1011) "dead node %d deleted\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1012) node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1013) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1014) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1015) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1016) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1017) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1018) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1019)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1020) static void binder_dec_node(struct binder_node *node, int strong, int internal)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1021) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1022) bool free_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1023)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1024) binder_node_inner_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1025) free_node = binder_dec_node_nilocked(node, strong, internal);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1026) binder_node_inner_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1027) if (free_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1028) binder_free_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1029) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1030)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1031) static void binder_inc_node_tmpref_ilocked(struct binder_node *node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1032) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1033) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1034) * No call to binder_inc_node() is needed since we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1035) * don't need to inform userspace of any changes to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1036) * tmp_refs
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1037) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1038) node->tmp_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1039) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1040)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1041) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1042) * binder_inc_node_tmpref() - take a temporary reference on node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1043) * @node: node to reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1044) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1045) * Take reference on node to prevent the node from being freed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1046) * while referenced only by a local variable. The inner lock is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1047) * needed to serialize with the node work on the queue (which
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1048) * isn't needed after the node is dead). If the node is dead
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1049) * (node->proc is NULL), use binder_dead_nodes_lock to protect
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1050) * node->tmp_refs against dead-node-only cases where the node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1051) * lock cannot be acquired (eg traversing the dead node list to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1052) * print nodes)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1053) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1054) static void binder_inc_node_tmpref(struct binder_node *node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1055) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1056) binder_node_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1057) if (node->proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1058) binder_inner_proc_lock(node->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1059) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1060) spin_lock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1061) binder_inc_node_tmpref_ilocked(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1062) if (node->proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1063) binder_inner_proc_unlock(node->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1064) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1065) spin_unlock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1066) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1067) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1068)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1069) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1070) * binder_dec_node_tmpref() - remove a temporary reference on node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1071) * @node: node to reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1072) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1073) * Release temporary reference on node taken via binder_inc_node_tmpref()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1074) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1075) static void binder_dec_node_tmpref(struct binder_node *node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1076) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1077) bool free_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1078)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1079) binder_node_inner_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1080) if (!node->proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1081) spin_lock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1082) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1083) __acquire(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1084) node->tmp_refs--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1085) BUG_ON(node->tmp_refs < 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1086) if (!node->proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1087) spin_unlock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1088) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1089) __release(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1090) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1091) * Call binder_dec_node() to check if all refcounts are 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1092) * and cleanup is needed. Calling with strong=0 and internal=1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1093) * causes no actual reference to be released in binder_dec_node().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1094) * If that changes, a change is needed here too.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1095) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1096) free_node = binder_dec_node_nilocked(node, 0, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1097) binder_node_inner_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1098) if (free_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1099) binder_free_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1100) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1101)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1102) static void binder_put_node(struct binder_node *node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1103) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1104) binder_dec_node_tmpref(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1105) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1106)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1107) static struct binder_ref *binder_get_ref_olocked(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1108) u32 desc, bool need_strong_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1109) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1110) struct rb_node *n = proc->refs_by_desc.rb_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1111) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1112)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1113) while (n) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1114) ref = rb_entry(n, struct binder_ref, rb_node_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1115)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1116) if (desc < ref->data.desc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1117) n = n->rb_left;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1118) } else if (desc > ref->data.desc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1119) n = n->rb_right;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1120) } else if (need_strong_ref && !ref->data.strong) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1121) binder_user_error("tried to use weak ref as strong ref\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1122) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1123) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1124) return ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1125) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1126) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1127) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1128) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1129)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1130) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1131) * binder_get_ref_for_node_olocked() - get the ref associated with given node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1132) * @proc: binder_proc that owns the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1133) * @node: binder_node of target
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1134) * @new_ref: newly allocated binder_ref to be initialized or %NULL
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1135) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1136) * Look up the ref for the given node and return it if it exists
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1137) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1138) * If it doesn't exist and the caller provides a newly allocated
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1139) * ref, initialize the fields of the newly allocated ref and insert
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1140) * into the given proc rb_trees and node refs list.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1141) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1142) * Return: the ref for node. It is possible that another thread
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1143) * allocated/initialized the ref first in which case the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1144) * returned ref would be different than the passed-in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1145) * new_ref. new_ref must be kfree'd by the caller in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1146) * this case.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1147) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1148) static struct binder_ref *binder_get_ref_for_node_olocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1149) struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1150) struct binder_node *node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1151) struct binder_ref *new_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1152) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1153) struct binder_context *context = proc->context;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1154) struct rb_node **p = &proc->refs_by_node.rb_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1155) struct rb_node *parent = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1156) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1157) struct rb_node *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1158)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1159) while (*p) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1160) parent = *p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1161) ref = rb_entry(parent, struct binder_ref, rb_node_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1162)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1163) if (node < ref->node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1164) p = &(*p)->rb_left;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1165) else if (node > ref->node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1166) p = &(*p)->rb_right;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1167) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1168) return ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1169) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1170) if (!new_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1171) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1172)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1173) binder_stats_created(BINDER_STAT_REF);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1174) new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1175) new_ref->proc = proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1176) new_ref->node = node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1177) rb_link_node(&new_ref->rb_node_node, parent, p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1178) rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1179)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1180) new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1181) for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1182) ref = rb_entry(n, struct binder_ref, rb_node_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1183) if (ref->data.desc > new_ref->data.desc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1184) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1185) new_ref->data.desc = ref->data.desc + 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1186) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1187)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1188) p = &proc->refs_by_desc.rb_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1189) while (*p) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1190) parent = *p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1191) ref = rb_entry(parent, struct binder_ref, rb_node_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1192)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1193) if (new_ref->data.desc < ref->data.desc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1194) p = &(*p)->rb_left;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1195) else if (new_ref->data.desc > ref->data.desc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1196) p = &(*p)->rb_right;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1197) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1198) BUG();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1199) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1200) rb_link_node(&new_ref->rb_node_desc, parent, p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1201) rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1202)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1203) binder_node_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1204) hlist_add_head(&new_ref->node_entry, &node->refs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1205)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1206) binder_debug(BINDER_DEBUG_INTERNAL_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1207) "%d new ref %d desc %d for node %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1208) proc->pid, new_ref->data.debug_id, new_ref->data.desc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1209) node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1210) trace_android_vh_binder_new_ref(proc->tsk, new_ref->data.desc, new_ref->node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1211) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1212) return new_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1213) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1214)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1215) static void binder_cleanup_ref_olocked(struct binder_ref *ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1216) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1217) bool delete_node = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1218)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1219) binder_debug(BINDER_DEBUG_INTERNAL_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1220) "%d delete ref %d desc %d for node %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1221) ref->proc->pid, ref->data.debug_id, ref->data.desc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1222) ref->node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1223)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1224) rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1225) rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1226)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1227) binder_node_inner_lock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1228) if (ref->data.strong)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1229) binder_dec_node_nilocked(ref->node, 1, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1230)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1231) hlist_del(&ref->node_entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1232) delete_node = binder_dec_node_nilocked(ref->node, 0, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1233) binder_node_inner_unlock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1234) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1235) * Clear ref->node unless we want the caller to free the node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1236) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1237) if (!delete_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1238) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1239) * The caller uses ref->node to determine
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1240) * whether the node needs to be freed. Clear
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1241) * it since the node is still alive.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1242) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1243) ref->node = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1244) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1245)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1246) if (ref->death) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1247) binder_debug(BINDER_DEBUG_DEAD_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1248) "%d delete ref %d desc %d has death notification\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1249) ref->proc->pid, ref->data.debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1250) ref->data.desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1251) binder_dequeue_work(ref->proc, &ref->death->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1252) binder_stats_deleted(BINDER_STAT_DEATH);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1253) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1254) binder_stats_deleted(BINDER_STAT_REF);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1255) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1256)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1257) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1258) * binder_inc_ref_olocked() - increment the ref for given handle
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1259) * @ref: ref to be incremented
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1260) * @strong: if true, strong increment, else weak
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1261) * @target_list: list to queue node work on
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1262) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1263) * Increment the ref. @ref->proc->outer_lock must be held on entry
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1264) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1265) * Return: 0, if successful, else errno
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1266) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1267) static int binder_inc_ref_olocked(struct binder_ref *ref, int strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1268) struct list_head *target_list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1269) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1270) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1271)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1272) if (strong) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1273) if (ref->data.strong == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1274) ret = binder_inc_node(ref->node, 1, 1, target_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1275) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1276) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1277) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1278) ref->data.strong++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1279) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1280) if (ref->data.weak == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1281) ret = binder_inc_node(ref->node, 0, 1, target_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1282) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1283) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1284) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1285) ref->data.weak++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1286) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1287) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1288) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1289)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1290) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1291) * binder_dec_ref() - dec the ref for given handle
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1292) * @ref: ref to be decremented
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1293) * @strong: if true, strong decrement, else weak
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1294) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1295) * Decrement the ref.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1296) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1297) * Return: true if ref is cleaned up and ready to be freed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1298) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1299) static bool binder_dec_ref_olocked(struct binder_ref *ref, int strong)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1300) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1301) if (strong) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1302) if (ref->data.strong == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1303) binder_user_error("%d invalid dec strong, ref %d desc %d s %d w %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1304) ref->proc->pid, ref->data.debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1305) ref->data.desc, ref->data.strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1306) ref->data.weak);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1307) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1308) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1309) ref->data.strong--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1310) if (ref->data.strong == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1311) binder_dec_node(ref->node, strong, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1312) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1313) if (ref->data.weak == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1314) binder_user_error("%d invalid dec weak, ref %d desc %d s %d w %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1315) ref->proc->pid, ref->data.debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1316) ref->data.desc, ref->data.strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1317) ref->data.weak);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1318) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1319) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1320) ref->data.weak--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1321) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1322) if (ref->data.strong == 0 && ref->data.weak == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1323) binder_cleanup_ref_olocked(ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1324) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1325) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1326) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1327) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1328)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1329) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1330) * binder_get_node_from_ref() - get the node from the given proc/desc
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1331) * @proc: proc containing the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1332) * @desc: the handle associated with the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1333) * @need_strong_ref: if true, only return node if ref is strong
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1334) * @rdata: the id/refcount data for the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1335) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1336) * Given a proc and ref handle, return the associated binder_node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1337) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1338) * Return: a binder_node or NULL if not found or not strong when strong required
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1339) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1340) static struct binder_node *binder_get_node_from_ref(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1341) struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1342) u32 desc, bool need_strong_ref,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1343) struct binder_ref_data *rdata)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1344) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1345) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1346) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1347)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1348) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1349) ref = binder_get_ref_olocked(proc, desc, need_strong_ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1350) if (!ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1351) goto err_no_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1352) node = ref->node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1353) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1354) * Take an implicit reference on the node to ensure
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1355) * it stays alive until the call to binder_put_node()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1356) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1357) binder_inc_node_tmpref(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1358) if (rdata)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1359) *rdata = ref->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1360) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1361)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1362) return node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1363)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1364) err_no_ref:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1365) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1366) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1367) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1368)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1369) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1370) * binder_free_ref() - free the binder_ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1371) * @ref: ref to free
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1372) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1373) * Free the binder_ref. Free the binder_node indicated by ref->node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1374) * (if non-NULL) and the binder_ref_death indicated by ref->death.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1375) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1376) static void binder_free_ref(struct binder_ref *ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1377) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1378) trace_android_vh_binder_del_ref(ref->proc ? ref->proc->tsk : 0, ref->data.desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1379) if (ref->node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1380) binder_free_node(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1381) kfree(ref->death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1382) kfree(ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1383) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1384)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1385) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1386) * binder_update_ref_for_handle() - inc/dec the ref for given handle
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1387) * @proc: proc containing the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1388) * @desc: the handle associated with the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1389) * @increment: true=inc reference, false=dec reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1390) * @strong: true=strong reference, false=weak reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1391) * @rdata: the id/refcount data for the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1392) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1393) * Given a proc and ref handle, increment or decrement the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1394) * according to "increment" arg.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1395) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1396) * Return: 0 if successful, else errno
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1397) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1398) static int binder_update_ref_for_handle(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1399) uint32_t desc, bool increment, bool strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1400) struct binder_ref_data *rdata)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1401) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1402) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1403) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1404) bool delete_ref = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1405)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1406) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1407) ref = binder_get_ref_olocked(proc, desc, strong);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1408) if (!ref) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1409) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1410) goto err_no_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1411) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1412) if (increment)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1413) ret = binder_inc_ref_olocked(ref, strong, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1414) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1415) delete_ref = binder_dec_ref_olocked(ref, strong);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1416)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1417) if (rdata)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1418) *rdata = ref->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1419) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1420)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1421) if (delete_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1422) binder_free_ref(ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1423) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1424)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1425) err_no_ref:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1426) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1427) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1428) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1429)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1430) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1431) * binder_dec_ref_for_handle() - dec the ref for given handle
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1432) * @proc: proc containing the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1433) * @desc: the handle associated with the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1434) * @strong: true=strong reference, false=weak reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1435) * @rdata: the id/refcount data for the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1436) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1437) * Just calls binder_update_ref_for_handle() to decrement the ref.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1438) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1439) * Return: 0 if successful, else errno
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1440) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1441) static int binder_dec_ref_for_handle(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1442) uint32_t desc, bool strong, struct binder_ref_data *rdata)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1443) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1444) return binder_update_ref_for_handle(proc, desc, false, strong, rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1445) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1446)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1447)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1448) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1449) * binder_inc_ref_for_node() - increment the ref for given proc/node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1450) * @proc: proc containing the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1451) * @node: target node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1452) * @strong: true=strong reference, false=weak reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1453) * @target_list: worklist to use if node is incremented
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1454) * @rdata: the id/refcount data for the ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1455) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1456) * Given a proc and node, increment the ref. Create the ref if it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1457) * doesn't already exist
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1458) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1459) * Return: 0 if successful, else errno
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1460) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1461) static int binder_inc_ref_for_node(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1462) struct binder_node *node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1463) bool strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1464) struct list_head *target_list,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1465) struct binder_ref_data *rdata)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1466) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1467) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1468) struct binder_ref *new_ref = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1469) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1470)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1471) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1472) ref = binder_get_ref_for_node_olocked(proc, node, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1473) if (!ref) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1474) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1475) new_ref = kzalloc(sizeof(*ref), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1476) if (!new_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1477) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1478) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1479) ref = binder_get_ref_for_node_olocked(proc, node, new_ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1480) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1481) ret = binder_inc_ref_olocked(ref, strong, target_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1482) *rdata = ref->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1483) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1484) if (new_ref && ref != new_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1485) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1486) * Another thread created the ref first so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1487) * free the one we allocated
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1488) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1489) kfree(new_ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1490) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1491) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1492)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1493) static void binder_pop_transaction_ilocked(struct binder_thread *target_thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1494) struct binder_transaction *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1495) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1496) BUG_ON(!target_thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1497) assert_spin_locked(&target_thread->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1498) BUG_ON(target_thread->transaction_stack != t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1499) BUG_ON(target_thread->transaction_stack->from != target_thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1500) target_thread->transaction_stack =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1501) target_thread->transaction_stack->from_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1502) t->from = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1503) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1504)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1505) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1506) * binder_thread_dec_tmpref() - decrement thread->tmp_ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1507) * @thread: thread to decrement
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1508) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1509) * A thread needs to be kept alive while being used to create or
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1510) * handle a transaction. binder_get_txn_from() is used to safely
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1511) * extract t->from from a binder_transaction and keep the thread
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1512) * indicated by t->from from being freed. When done with that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1513) * binder_thread, this function is called to decrement the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1514) * tmp_ref and free if appropriate (thread has been released
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1515) * and no transaction being processed by the driver)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1516) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1517) static void binder_thread_dec_tmpref(struct binder_thread *thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1518) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1519) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1520) * atomic is used to protect the counter value while
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1521) * it cannot reach zero or thread->is_dead is false
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1522) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1523) binder_inner_proc_lock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1524) atomic_dec(&thread->tmp_ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1525) if (thread->is_dead && !atomic_read(&thread->tmp_ref)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1526) binder_inner_proc_unlock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1527) binder_free_thread(thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1528) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1529) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1530) binder_inner_proc_unlock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1531) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1532)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1533) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1534) * binder_proc_dec_tmpref() - decrement proc->tmp_ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1535) * @proc: proc to decrement
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1536) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1537) * A binder_proc needs to be kept alive while being used to create or
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1538) * handle a transaction. proc->tmp_ref is incremented when
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1539) * creating a new transaction or the binder_proc is currently in-use
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1540) * by threads that are being released. When done with the binder_proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1541) * this function is called to decrement the counter and free the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1542) * proc if appropriate (proc has been released, all threads have
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1543) * been released and not currenly in-use to process a transaction).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1544) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1545) static void binder_proc_dec_tmpref(struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1546) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1547) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1548) proc->tmp_ref--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1549) if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1550) !proc->tmp_ref) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1551) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1552) binder_free_proc(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1553) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1554) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1555) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1556) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1557)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1558) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1559) * binder_get_txn_from() - safely extract the "from" thread in transaction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1560) * @t: binder transaction for t->from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1561) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1562) * Atomically return the "from" thread and increment the tmp_ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1563) * count for the thread to ensure it stays alive until
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1564) * binder_thread_dec_tmpref() is called.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1565) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1566) * Return: the value of t->from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1567) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1568) static struct binder_thread *binder_get_txn_from(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1569) struct binder_transaction *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1570) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1571) struct binder_thread *from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1572)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1573) spin_lock(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1574) from = t->from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1575) if (from)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1576) atomic_inc(&from->tmp_ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1577) spin_unlock(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1578) return from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1579) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1580)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1581) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1582) * binder_get_txn_from_and_acq_inner() - get t->from and acquire inner lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1583) * @t: binder transaction for t->from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1584) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1585) * Same as binder_get_txn_from() except it also acquires the proc->inner_lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1586) * to guarantee that the thread cannot be released while operating on it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1587) * The caller must call binder_inner_proc_unlock() to release the inner lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1588) * as well as call binder_dec_thread_txn() to release the reference.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1589) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1590) * Return: the value of t->from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1591) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1592) static struct binder_thread *binder_get_txn_from_and_acq_inner(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1593) struct binder_transaction *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1594) __acquires(&t->from->proc->inner_lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1595) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1596) struct binder_thread *from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1597)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1598) from = binder_get_txn_from(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1599) if (!from) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1600) __acquire(&from->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1601) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1602) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1603) binder_inner_proc_lock(from->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1604) if (t->from) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1605) BUG_ON(from != t->from);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1606) return from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1607) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1608) binder_inner_proc_unlock(from->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1609) __acquire(&from->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1610) binder_thread_dec_tmpref(from);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1611) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1612) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1613)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1614) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1615) * binder_free_txn_fixups() - free unprocessed fd fixups
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1616) * @t: binder transaction for t->from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1617) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1618) * If the transaction is being torn down prior to being
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1619) * processed by the target process, free all of the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1620) * fd fixups and fput the file structs. It is safe to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1621) * call this function after the fixups have been
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1622) * processed -- in that case, the list will be empty.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1623) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1624) static void binder_free_txn_fixups(struct binder_transaction *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1625) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1626) struct binder_txn_fd_fixup *fixup, *tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1627)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1628) list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1629) fput(fixup->file);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1630) list_del(&fixup->fixup_entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1631) kfree(fixup);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1632) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1633) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1634)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1635) static void binder_free_transaction(struct binder_transaction *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1636) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1637) struct binder_proc *target_proc = t->to_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1638)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1639) if (target_proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1640) binder_inner_proc_lock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1641) target_proc->outstanding_txns--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1642) if (target_proc->outstanding_txns < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1643) pr_warn("%s: Unexpected outstanding_txns %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1644) __func__, target_proc->outstanding_txns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1645) if (!target_proc->outstanding_txns && target_proc->is_frozen)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1646) wake_up_interruptible_all(&target_proc->freeze_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1647) if (t->buffer)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1648) t->buffer->transaction = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1649) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1650) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1651) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1652) * If the transaction has no target_proc, then
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1653) * t->buffer->transaction has already been cleared.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1654) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1655) binder_free_txn_fixups(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1656) kfree(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1657) binder_stats_deleted(BINDER_STAT_TRANSACTION);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1658) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1659)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1660) static void binder_send_failed_reply(struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1661) uint32_t error_code)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1662) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1663) struct binder_thread *target_thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1664) struct binder_transaction *next;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1665)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1666) BUG_ON(t->flags & TF_ONE_WAY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1667) while (1) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1668) target_thread = binder_get_txn_from_and_acq_inner(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1669) if (target_thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1670) binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1671) "send failed reply for transaction %d to %d:%d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1672) t->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1673) target_thread->proc->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1674) target_thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1675)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1676) binder_pop_transaction_ilocked(target_thread, t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1677) if (target_thread->reply_error.cmd == BR_OK) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1678) target_thread->reply_error.cmd = error_code;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1679) binder_enqueue_thread_work_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1680) target_thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1681) &target_thread->reply_error.work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1682) wake_up_interruptible(&target_thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1683) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1684) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1685) * Cannot get here for normal operation, but
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1686) * we can if multiple synchronous transactions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1687) * are sent without blocking for responses.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1688) * Just ignore the 2nd error in this case.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1689) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1690) pr_warn("Unexpected reply error: %u\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1691) target_thread->reply_error.cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1692) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1693) binder_inner_proc_unlock(target_thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1694) binder_thread_dec_tmpref(target_thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1695) binder_free_transaction(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1696) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1697) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1698) __release(&target_thread->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1699) next = t->from_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1700)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1701) binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1702) "send failed reply for transaction %d, target dead\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1703) t->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1704)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1705) binder_free_transaction(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1706) if (next == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1707) binder_debug(BINDER_DEBUG_DEAD_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1708) "reply failed, no target thread at root\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1709) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1710) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1711) t = next;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1712) binder_debug(BINDER_DEBUG_DEAD_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1713) "reply failed, no target thread -- retry %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1714) t->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1715) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1716) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1717)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1718) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1719) * binder_cleanup_transaction() - cleans up undelivered transaction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1720) * @t: transaction that needs to be cleaned up
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1721) * @reason: reason the transaction wasn't delivered
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1722) * @error_code: error to return to caller (if synchronous call)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1723) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1724) static void binder_cleanup_transaction(struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1725) const char *reason,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1726) uint32_t error_code)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1727) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1728) if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1729) binder_send_failed_reply(t, error_code);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1730) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1731) binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1732) "undelivered transaction %d, %s\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1733) t->debug_id, reason);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1734) binder_free_transaction(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1735) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1736) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1737)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1738) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1739) * binder_get_object() - gets object and checks for valid metadata
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1740) * @proc: binder_proc owning the buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1741) * @buffer: binder_buffer that we're parsing.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1742) * @offset: offset in the @buffer at which to validate an object.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1743) * @object: struct binder_object to read into
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1744) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1745) * Return: If there's a valid metadata object at @offset in @buffer, the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1746) * size of that object. Otherwise, it returns zero. The object
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1747) * is read into the struct binder_object pointed to by @object.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1748) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1749) static size_t binder_get_object(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1750) struct binder_buffer *buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1751) unsigned long offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1752) struct binder_object *object)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1753) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1754) size_t read_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1755) struct binder_object_header *hdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1756) size_t object_size = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1757)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1758) read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1759) if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1760) binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1761) offset, read_size))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1762) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1763)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1764) /* Ok, now see if we read a complete object. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1765) hdr = &object->hdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1766) switch (hdr->type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1767) case BINDER_TYPE_BINDER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1768) case BINDER_TYPE_WEAK_BINDER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1769) case BINDER_TYPE_HANDLE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1770) case BINDER_TYPE_WEAK_HANDLE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1771) object_size = sizeof(struct flat_binder_object);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1772) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1773) case BINDER_TYPE_FD:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1774) object_size = sizeof(struct binder_fd_object);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1775) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1776) case BINDER_TYPE_PTR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1777) object_size = sizeof(struct binder_buffer_object);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1778) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1779) case BINDER_TYPE_FDA:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1780) object_size = sizeof(struct binder_fd_array_object);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1781) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1782) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1783) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1784) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1785) if (offset <= buffer->data_size - object_size &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1786) buffer->data_size >= object_size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1787) return object_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1788) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1789) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1790) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1791)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1792) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1793) * binder_validate_ptr() - validates binder_buffer_object in a binder_buffer.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1794) * @proc: binder_proc owning the buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1795) * @b: binder_buffer containing the object
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1796) * @object: struct binder_object to read into
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1797) * @index: index in offset array at which the binder_buffer_object is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1798) * located
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1799) * @start_offset: points to the start of the offset array
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1800) * @object_offsetp: offset of @object read from @b
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1801) * @num_valid: the number of valid offsets in the offset array
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1802) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1803) * Return: If @index is within the valid range of the offset array
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1804) * described by @start and @num_valid, and if there's a valid
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1805) * binder_buffer_object at the offset found in index @index
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1806) * of the offset array, that object is returned. Otherwise,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1807) * %NULL is returned.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1808) * Note that the offset found in index @index itself is not
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1809) * verified; this function assumes that @num_valid elements
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1810) * from @start were previously verified to have valid offsets.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1811) * If @object_offsetp is non-NULL, then the offset within
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1812) * @b is written to it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1813) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1814) static struct binder_buffer_object *binder_validate_ptr(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1815) struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1816) struct binder_buffer *b,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1817) struct binder_object *object,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1818) binder_size_t index,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1819) binder_size_t start_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1820) binder_size_t *object_offsetp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1821) binder_size_t num_valid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1822) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1823) size_t object_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1824) binder_size_t object_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1825) unsigned long buffer_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1826)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1827) if (index >= num_valid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1828) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1829)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1830) buffer_offset = start_offset + sizeof(binder_size_t) * index;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1831) if (binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1832) b, buffer_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1833) sizeof(object_offset)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1834) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1835) object_size = binder_get_object(proc, b, object_offset, object);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1836) if (!object_size || object->hdr.type != BINDER_TYPE_PTR)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1837) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1838) if (object_offsetp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1839) *object_offsetp = object_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1840)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1841) return &object->bbo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1842) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1843)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1844) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1845) * binder_validate_fixup() - validates pointer/fd fixups happen in order.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1846) * @proc: binder_proc owning the buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1847) * @b: transaction buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1848) * @objects_start_offset: offset to start of objects buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1849) * @buffer_obj_offset: offset to binder_buffer_object in which to fix up
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1850) * @fixup_offset: start offset in @buffer to fix up
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1851) * @last_obj_offset: offset to last binder_buffer_object that we fixed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1852) * @last_min_offset: minimum fixup offset in object at @last_obj_offset
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1853) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1854) * Return: %true if a fixup in buffer @buffer at offset @offset is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1855) * allowed.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1856) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1857) * For safety reasons, we only allow fixups inside a buffer to happen
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1858) * at increasing offsets; additionally, we only allow fixup on the last
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1859) * buffer object that was verified, or one of its parents.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1860) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1861) * Example of what is allowed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1862) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1863) * A
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1864) * B (parent = A, offset = 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1865) * C (parent = A, offset = 16)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1866) * D (parent = C, offset = 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1867) * E (parent = A, offset = 32) // min_offset is 16 (C.parent_offset)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1868) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1869) * Examples of what is not allowed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1870) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1871) * Decreasing offsets within the same parent:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1872) * A
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1873) * C (parent = A, offset = 16)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1874) * B (parent = A, offset = 0) // decreasing offset within A
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1875) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1876) * Referring to a parent that wasn't the last object or any of its parents:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1877) * A
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1878) * B (parent = A, offset = 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1879) * C (parent = A, offset = 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1880) * C (parent = A, offset = 16)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1881) * D (parent = B, offset = 0) // B is not A or any of A's parents
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1882) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1883) static bool binder_validate_fixup(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1884) struct binder_buffer *b,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1885) binder_size_t objects_start_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1886) binder_size_t buffer_obj_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1887) binder_size_t fixup_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1888) binder_size_t last_obj_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1889) binder_size_t last_min_offset)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1890) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1891) if (!last_obj_offset) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1892) /* Nothing to fix up in */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1893) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1894) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1895)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1896) while (last_obj_offset != buffer_obj_offset) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1897) unsigned long buffer_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1898) struct binder_object last_object;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1899) struct binder_buffer_object *last_bbo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1900) size_t object_size = binder_get_object(proc, b, last_obj_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1901) &last_object);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1902) if (object_size != sizeof(*last_bbo))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1903) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1904)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1905) last_bbo = &last_object.bbo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1906) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1907) * Safe to retrieve the parent of last_obj, since it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1908) * was already previously verified by the driver.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1909) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1910) if ((last_bbo->flags & BINDER_BUFFER_FLAG_HAS_PARENT) == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1911) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1912) last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1913) buffer_offset = objects_start_offset +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1914) sizeof(binder_size_t) * last_bbo->parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1915) if (binder_alloc_copy_from_buffer(&proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1916) &last_obj_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1917) b, buffer_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1918) sizeof(last_obj_offset)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1919) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1920) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1921) return (fixup_offset >= last_min_offset);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1922) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1923)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1924) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1925) * struct binder_task_work_cb - for deferred close
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1926) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1927) * @twork: callback_head for task work
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1928) * @fd: fd to close
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1929) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1930) * Structure to pass task work to be handled after
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1931) * returning from binder_ioctl() via task_work_add().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1932) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1933) struct binder_task_work_cb {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1934) struct callback_head twork;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1935) struct file *file;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1936) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1937)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1938) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1939) * binder_do_fd_close() - close list of file descriptors
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1940) * @twork: callback head for task work
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1941) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1942) * It is not safe to call ksys_close() during the binder_ioctl()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1943) * function if there is a chance that binder's own file descriptor
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1944) * might be closed. This is to meet the requirements for using
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1945) * fdget() (see comments for __fget_light()). Therefore use
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1946) * task_work_add() to schedule the close operation once we have
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1947) * returned from binder_ioctl(). This function is a callback
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1948) * for that mechanism and does the actual ksys_close() on the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1949) * given file descriptor.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1950) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1951) static void binder_do_fd_close(struct callback_head *twork)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1952) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1953) struct binder_task_work_cb *twcb = container_of(twork,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1954) struct binder_task_work_cb, twork);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1955)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1956) fput(twcb->file);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1957) kfree(twcb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1958) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1959)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1960) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1961) * binder_deferred_fd_close() - schedule a close for the given file-descriptor
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1962) * @fd: file-descriptor to close
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1963) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1964) * See comments in binder_do_fd_close(). This function is used to schedule
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1965) * a file-descriptor to be closed after returning from binder_ioctl().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1966) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1967) static void binder_deferred_fd_close(int fd)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1968) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1969) struct binder_task_work_cb *twcb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1970)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1971) twcb = kzalloc(sizeof(*twcb), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1972) if (!twcb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1973) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1974) init_task_work(&twcb->twork, binder_do_fd_close);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1975) __close_fd_get_file(fd, &twcb->file);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1976) if (twcb->file) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1977) filp_close(twcb->file, current->files);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1978) task_work_add(current, &twcb->twork, TWA_RESUME);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1979) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1980) kfree(twcb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1981) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1982) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1983)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1984) static void binder_transaction_buffer_release(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1985) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1986) struct binder_buffer *buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1987) binder_size_t failed_at,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1988) bool is_failure)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1989) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1990) int debug_id = buffer->debug_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1991) binder_size_t off_start_offset, buffer_offset, off_end_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1992)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1993) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1994) "%d buffer release %d, size %zd-%zd, failed at %llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1995) proc->pid, buffer->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1996) buffer->data_size, buffer->offsets_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1997) (unsigned long long)failed_at);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1998)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1999) if (buffer->target_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2000) binder_dec_node(buffer->target_node, 1, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2001)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2002) off_start_offset = ALIGN(buffer->data_size, sizeof(void *));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2003) off_end_offset = is_failure && failed_at ? failed_at :
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2004) off_start_offset + buffer->offsets_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2005) for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2006) buffer_offset += sizeof(binder_size_t)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2007) struct binder_object_header *hdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2008) size_t object_size = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2009) struct binder_object object;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2010) binder_size_t object_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2011)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2012) if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2013) buffer, buffer_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2014) sizeof(object_offset)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2015) object_size = binder_get_object(proc, buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2016) object_offset, &object);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2017) if (object_size == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2018) pr_err("transaction release %d bad object at offset %lld, size %zd\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2019) debug_id, (u64)object_offset, buffer->data_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2020) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2021) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2022) hdr = &object.hdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2023) switch (hdr->type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2024) case BINDER_TYPE_BINDER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2025) case BINDER_TYPE_WEAK_BINDER: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2026) struct flat_binder_object *fp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2027) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2028)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2029) fp = to_flat_binder_object(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2030) node = binder_get_node(proc, fp->binder);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2031) if (node == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2032) pr_err("transaction release %d bad node %016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2033) debug_id, (u64)fp->binder);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2034) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2035) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2036) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2037) " node %d u%016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2038) node->debug_id, (u64)node->ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2039) binder_dec_node(node, hdr->type == BINDER_TYPE_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2040) 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2041) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2042) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2043) case BINDER_TYPE_HANDLE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2044) case BINDER_TYPE_WEAK_HANDLE: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2045) struct flat_binder_object *fp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2046) struct binder_ref_data rdata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2047) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2048)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2049) fp = to_flat_binder_object(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2050) ret = binder_dec_ref_for_handle(proc, fp->handle,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2051) hdr->type == BINDER_TYPE_HANDLE, &rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2052)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2053) if (ret) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2054) pr_err("transaction release %d bad handle %d, ret = %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2055) debug_id, fp->handle, ret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2056) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2057) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2058) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2059) " ref %d desc %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2060) rdata.debug_id, rdata.desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2061) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2062)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2063) case BINDER_TYPE_FD: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2064) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2065) * No need to close the file here since user-space
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2066) * closes it for for successfully delivered
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2067) * transactions. For transactions that weren't
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2068) * delivered, the new fd was never allocated so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2069) * there is no need to close and the fput on the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2070) * file is done when the transaction is torn
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2071) * down.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2072) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2073) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2074) case BINDER_TYPE_PTR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2075) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2076) * Nothing to do here, this will get cleaned up when the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2077) * transaction buffer gets freed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2078) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2079) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2080) case BINDER_TYPE_FDA: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2081) struct binder_fd_array_object *fda;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2082) struct binder_buffer_object *parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2083) struct binder_object ptr_object;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2084) binder_size_t fda_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2085) size_t fd_index;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2086) binder_size_t fd_buf_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2087) binder_size_t num_valid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2088)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2089) if (is_failure) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2090) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2091) * The fd fixups have not been applied so no
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2092) * fds need to be closed.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2093) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2094) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2095) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2096)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2097) num_valid = (buffer_offset - off_start_offset) /
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2098) sizeof(binder_size_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2099) fda = to_binder_fd_array_object(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2100) parent = binder_validate_ptr(proc, buffer, &ptr_object,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2101) fda->parent,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2102) off_start_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2103) NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2104) num_valid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2105) if (!parent) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2106) pr_err("transaction release %d bad parent offset\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2107) debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2108) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2109) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2110) fd_buf_size = sizeof(u32) * fda->num_fds;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2111) if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2112) pr_err("transaction release %d invalid number of fds (%lld)\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2113) debug_id, (u64)fda->num_fds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2114) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2115) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2116) if (fd_buf_size > parent->length ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2117) fda->parent_offset > parent->length - fd_buf_size) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2118) /* No space for all file descriptors here. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2119) pr_err("transaction release %d not enough space for %lld fds in buffer\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2120) debug_id, (u64)fda->num_fds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2121) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2122) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2123) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2124) * the source data for binder_buffer_object is visible
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2125) * to user-space and the @buffer element is the user
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2126) * pointer to the buffer_object containing the fd_array.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2127) * Convert the address to an offset relative to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2128) * the base of the transaction buffer.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2129) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2130) fda_offset =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2131) (parent->buffer - (uintptr_t)buffer->user_data) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2132) fda->parent_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2133) for (fd_index = 0; fd_index < fda->num_fds;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2134) fd_index++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2135) u32 fd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2136) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2137) binder_size_t offset = fda_offset +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2138) fd_index * sizeof(fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2139)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2140) err = binder_alloc_copy_from_buffer(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2141) &proc->alloc, &fd, buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2142) offset, sizeof(fd));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2143) WARN_ON(err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2144) if (!err) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2145) binder_deferred_fd_close(fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2146) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2147) * Need to make sure the thread goes
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2148) * back to userspace to complete the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2149) * deferred close
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2150) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2151) if (thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2152) thread->looper_need_return = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2153) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2154) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2155) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2156) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2157) pr_err("transaction release %d bad object type %x\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2158) debug_id, hdr->type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2159) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2160) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2161) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2162) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2163)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2164) static int binder_translate_binder(struct flat_binder_object *fp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2165) struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2166) struct binder_thread *thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2167) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2168) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2169) struct binder_proc *proc = thread->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2170) struct binder_proc *target_proc = t->to_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2171) struct binder_ref_data rdata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2172) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2173)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2174) node = binder_get_node(proc, fp->binder);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2175) if (!node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2176) node = binder_new_node(proc, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2177) if (!node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2178) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2179) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2180) if (fp->cookie != node->cookie) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2181) binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2182) proc->pid, thread->pid, (u64)fp->binder,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2183) node->debug_id, (u64)fp->cookie,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2184) (u64)node->cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2185) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2186) goto done;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2187) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2188) if (security_binder_transfer_binder(binder_get_cred(proc),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2189) binder_get_cred(target_proc))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2190) ret = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2191) goto done;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2192) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2193)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2194) ret = binder_inc_ref_for_node(target_proc, node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2195) fp->hdr.type == BINDER_TYPE_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2196) &thread->todo, &rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2197) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2198) goto done;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2199)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2200) if (fp->hdr.type == BINDER_TYPE_BINDER)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2201) fp->hdr.type = BINDER_TYPE_HANDLE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2202) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2203) fp->hdr.type = BINDER_TYPE_WEAK_HANDLE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2204) fp->binder = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2205) fp->handle = rdata.desc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2206) fp->cookie = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2207)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2208) trace_binder_transaction_node_to_ref(t, node, &rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2209) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2210) " node %d u%016llx -> ref %d desc %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2211) node->debug_id, (u64)node->ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2212) rdata.debug_id, rdata.desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2213) done:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2214) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2215) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2216) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2217)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2218) static int binder_translate_handle(struct flat_binder_object *fp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2219) struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2220) struct binder_thread *thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2221) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2222) struct binder_proc *proc = thread->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2223) struct binder_proc *target_proc = t->to_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2224) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2225) struct binder_ref_data src_rdata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2226) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2227)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2228) node = binder_get_node_from_ref(proc, fp->handle,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2229) fp->hdr.type == BINDER_TYPE_HANDLE, &src_rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2230) if (!node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2231) binder_user_error("%d:%d got transaction with invalid handle, %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2232) proc->pid, thread->pid, fp->handle);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2233) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2234) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2235) if (security_binder_transfer_binder(binder_get_cred(proc),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2236) binder_get_cred(target_proc))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2237) ret = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2238) goto done;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2239) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2240)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2241) binder_node_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2242) if (node->proc == target_proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2243) if (fp->hdr.type == BINDER_TYPE_HANDLE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2244) fp->hdr.type = BINDER_TYPE_BINDER;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2245) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2246) fp->hdr.type = BINDER_TYPE_WEAK_BINDER;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2247) fp->binder = node->ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2248) fp->cookie = node->cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2249) if (node->proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2250) binder_inner_proc_lock(node->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2251) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2252) __acquire(&node->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2253) binder_inc_node_nilocked(node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2254) fp->hdr.type == BINDER_TYPE_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2255) 0, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2256) if (node->proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2257) binder_inner_proc_unlock(node->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2258) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2259) __release(&node->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2260) trace_binder_transaction_ref_to_node(t, node, &src_rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2261) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2262) " ref %d desc %d -> node %d u%016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2263) src_rdata.debug_id, src_rdata.desc, node->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2264) (u64)node->ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2265) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2266) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2267) struct binder_ref_data dest_rdata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2268)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2269) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2270) ret = binder_inc_ref_for_node(target_proc, node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2271) fp->hdr.type == BINDER_TYPE_HANDLE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2272) NULL, &dest_rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2273) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2274) goto done;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2275)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2276) fp->binder = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2277) fp->handle = dest_rdata.desc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2278) fp->cookie = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2279) trace_binder_transaction_ref_to_ref(t, node, &src_rdata,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2280) &dest_rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2281) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2282) " ref %d desc %d -> ref %d desc %d (node %d)\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2283) src_rdata.debug_id, src_rdata.desc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2284) dest_rdata.debug_id, dest_rdata.desc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2285) node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2286) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2287) done:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2288) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2289) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2290) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2291)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2292) static int binder_translate_fd(u32 fd, binder_size_t fd_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2293) struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2294) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2295) struct binder_transaction *in_reply_to)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2296) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2297) struct binder_proc *proc = thread->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2298) struct binder_proc *target_proc = t->to_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2299) struct binder_txn_fd_fixup *fixup;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2300) struct file *file;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2301) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2302) bool target_allows_fd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2303)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2304) if (in_reply_to)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2305) target_allows_fd = !!(in_reply_to->flags & TF_ACCEPT_FDS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2306) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2307) target_allows_fd = t->buffer->target_node->accept_fds;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2308) if (!target_allows_fd) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2309) binder_user_error("%d:%d got %s with fd, %d, but target does not allow fds\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2310) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2311) in_reply_to ? "reply" : "transaction",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2312) fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2313) ret = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2314) goto err_fd_not_accepted;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2315) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2316)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2317) file = fget(fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2318) if (!file) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2319) binder_user_error("%d:%d got transaction with invalid fd, %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2320) proc->pid, thread->pid, fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2321) ret = -EBADF;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2322) goto err_fget;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2323) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2324) ret = security_binder_transfer_file(binder_get_cred(proc),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2325) binder_get_cred(target_proc), file);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2326) if (ret < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2327) ret = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2328) goto err_security;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2329) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2330)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2331) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2332) * Add fixup record for this transaction. The allocation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2333) * of the fd in the target needs to be done from a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2334) * target thread.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2335) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2336) fixup = kzalloc(sizeof(*fixup), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2337) if (!fixup) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2338) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2339) goto err_alloc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2340) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2341) fixup->file = file;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2342) fixup->offset = fd_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2343) trace_binder_transaction_fd_send(t, fd, fixup->offset);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2344) list_add_tail(&fixup->fixup_entry, &t->fd_fixups);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2345)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2346) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2347)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2348) err_alloc:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2349) err_security:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2350) fput(file);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2351) err_fget:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2352) err_fd_not_accepted:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2353) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2354) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2355)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2356) static int binder_translate_fd_array(struct binder_fd_array_object *fda,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2357) struct binder_buffer_object *parent,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2358) struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2359) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2360) struct binder_transaction *in_reply_to)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2361) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2362) binder_size_t fdi, fd_buf_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2363) binder_size_t fda_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2364) struct binder_proc *proc = thread->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2365) struct binder_proc *target_proc = t->to_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2366)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2367) fd_buf_size = sizeof(u32) * fda->num_fds;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2368) if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2369) binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2370) proc->pid, thread->pid, (u64)fda->num_fds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2371) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2372) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2373) if (fd_buf_size > parent->length ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2374) fda->parent_offset > parent->length - fd_buf_size) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2375) /* No space for all file descriptors here. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2376) binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2377) proc->pid, thread->pid, (u64)fda->num_fds);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2378) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2379) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2380) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2381) * the source data for binder_buffer_object is visible
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2382) * to user-space and the @buffer element is the user
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2383) * pointer to the buffer_object containing the fd_array.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2384) * Convert the address to an offset relative to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2385) * the base of the transaction buffer.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2386) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2387) fda_offset = (parent->buffer - (uintptr_t)t->buffer->user_data) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2388) fda->parent_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2389) if (!IS_ALIGNED((unsigned long)fda_offset, sizeof(u32))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2390) binder_user_error("%d:%d parent offset not aligned correctly.\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2391) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2392) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2393) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2394) for (fdi = 0; fdi < fda->num_fds; fdi++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2395) u32 fd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2396) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2397) binder_size_t offset = fda_offset + fdi * sizeof(fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2398)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2399) ret = binder_alloc_copy_from_buffer(&target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2400) &fd, t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2401) offset, sizeof(fd));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2402) if (!ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2403) ret = binder_translate_fd(fd, offset, t, thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2404) in_reply_to);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2405) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2406) return ret > 0 ? -EINVAL : ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2407) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2408) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2409) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2410)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2411) static int binder_fixup_parent(struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2412) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2413) struct binder_buffer_object *bp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2414) binder_size_t off_start_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2415) binder_size_t num_valid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2416) binder_size_t last_fixup_obj_off,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2417) binder_size_t last_fixup_min_off)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2418) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2419) struct binder_buffer_object *parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2420) struct binder_buffer *b = t->buffer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2421) struct binder_proc *proc = thread->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2422) struct binder_proc *target_proc = t->to_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2423) struct binder_object object;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2424) binder_size_t buffer_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2425) binder_size_t parent_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2426)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2427) if (!(bp->flags & BINDER_BUFFER_FLAG_HAS_PARENT))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2428) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2429)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2430) parent = binder_validate_ptr(target_proc, b, &object, bp->parent,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2431) off_start_offset, &parent_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2432) num_valid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2433) if (!parent) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2434) binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2435) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2436) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2437) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2438)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2439) if (!binder_validate_fixup(target_proc, b, off_start_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2440) parent_offset, bp->parent_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2441) last_fixup_obj_off,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2442) last_fixup_min_off)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2443) binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2444) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2445) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2446) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2447)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2448) if (parent->length < sizeof(binder_uintptr_t) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2449) bp->parent_offset > parent->length - sizeof(binder_uintptr_t)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2450) /* No space for a pointer here! */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2451) binder_user_error("%d:%d got transaction with invalid parent offset\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2452) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2453) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2454) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2455) buffer_offset = bp->parent_offset +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2456) (uintptr_t)parent->buffer - (uintptr_t)b->user_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2457) if (binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2458) &bp->buffer, sizeof(bp->buffer))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2459) binder_user_error("%d:%d got transaction with invalid parent offset\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2460) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2461) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2462) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2463)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2464) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2465) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2466)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2467) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2468) * binder_proc_transaction() - sends a transaction to a process and wakes it up
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2469) * @t: transaction to send
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2470) * @proc: process to send the transaction to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2471) * @thread: thread in @proc to send the transaction to (may be NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2472) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2473) * This function queues a transaction to the specified process. It will try
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2474) * to find a thread in the target process to handle the transaction and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2475) * wake it up. If no thread is found, the work is queued to the proc
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2476) * waitqueue.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2477) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2478) * If the @thread parameter is not NULL, the transaction is always queued
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2479) * to the waitlist of that specific thread.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2480) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2481) * Return: 0 if the transaction was successfully queued
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2482) * BR_DEAD_REPLY if the target process or thread is dead
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2483) * BR_FROZEN_REPLY if the target process or thread is frozen
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2484) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2485) static int binder_proc_transaction(struct binder_transaction *t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2486) struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2487) struct binder_thread *thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2488) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2489) struct binder_node *node = t->buffer->target_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2490) struct binder_priority node_prio;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2491) bool oneway = !!(t->flags & TF_ONE_WAY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2492) bool pending_async = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2493) bool skip = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2494)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2495) BUG_ON(!node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2496) binder_node_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2497) node_prio.prio = node->min_priority;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2498) node_prio.sched_policy = node->sched_policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2499)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2500) if (oneway) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2501) BUG_ON(thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2502) if (node->has_async_transaction)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2503) pending_async = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2504) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2505) node->has_async_transaction = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2506) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2507)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2508) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2509) if (proc->is_frozen) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2510) proc->sync_recv |= !oneway;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2511) proc->async_recv |= oneway;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2512) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2513)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2514) if ((proc->is_frozen && !oneway) || proc->is_dead ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2515) (thread && thread->is_dead)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2516) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2517) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2518) return proc->is_frozen ? BR_FROZEN_REPLY : BR_DEAD_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2519) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2520)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2521) trace_android_vh_binder_proc_transaction_entry(proc, t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2522) &thread, node->debug_id, pending_async, !oneway, &skip);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2523)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2524) if (!thread && !pending_async && !skip)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2525) thread = binder_select_thread_ilocked(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2526)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2527) trace_android_vh_binder_proc_transaction(current, proc->tsk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2528) thread ? thread->task : 0, node->debug_id, t->code, pending_async);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2529)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2530) if (thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2531) binder_transaction_priority(thread->task, t, node_prio,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2532) node->inherit_rt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2533) binder_enqueue_thread_work_ilocked(thread, &t->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2534) } else if (!pending_async) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2535) binder_enqueue_work_ilocked(&t->work, &proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2536) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2537) binder_enqueue_work_ilocked(&t->work, &node->async_todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2538) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2539)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2540) trace_android_vh_binder_proc_transaction_end(current, proc->tsk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2541) thread ? thread->task : NULL, t->code, pending_async, !oneway);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2542)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2543) if (!pending_async)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2544) binder_wakeup_thread_ilocked(proc, thread, !oneway /* sync */);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2545)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2546) proc->outstanding_txns++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2547) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2548) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2549)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2550) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2551) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2552)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2553) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2554) * binder_get_node_refs_for_txn() - Get required refs on node for txn
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2555) * @node: struct binder_node for which to get refs
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2556) * @proc: returns @node->proc if valid
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2557) * @error: if no @proc then returns BR_DEAD_REPLY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2558) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2559) * User-space normally keeps the node alive when creating a transaction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2560) * since it has a reference to the target. The local strong ref keeps it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2561) * alive if the sending process dies before the target process processes
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2562) * the transaction. If the source process is malicious or has a reference
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2563) * counting bug, relying on the local strong ref can fail.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2564) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2565) * Since user-space can cause the local strong ref to go away, we also take
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2566) * a tmpref on the node to ensure it survives while we are constructing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2567) * the transaction. We also need a tmpref on the proc while we are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2568) * constructing the transaction, so we take that here as well.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2569) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2570) * Return: The target_node with refs taken or NULL if no @node->proc is NULL.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2571) * Also sets @proc if valid. If the @node->proc is NULL indicating that the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2572) * target proc has died, @error is set to BR_DEAD_REPLY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2573) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2574) static struct binder_node *binder_get_node_refs_for_txn(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2575) struct binder_node *node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2576) struct binder_proc **procp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2577) uint32_t *error)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2578) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2579) struct binder_node *target_node = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2580)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2581) binder_node_inner_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2582) if (node->proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2583) target_node = node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2584) binder_inc_node_nilocked(node, 1, 0, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2585) binder_inc_node_tmpref_ilocked(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2586) node->proc->tmp_ref++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2587) *procp = node->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2588) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2589) *error = BR_DEAD_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2590) binder_node_inner_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2591)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2592) return target_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2593) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2594)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2595) static void binder_transaction(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2596) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2597) struct binder_transaction_data *tr, int reply,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2598) binder_size_t extra_buffers_size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2599) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2600) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2601) struct binder_transaction *t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2602) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2603) struct binder_work *tcomplete;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2604) binder_size_t buffer_offset = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2605) binder_size_t off_start_offset, off_end_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2606) binder_size_t off_min;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2607) binder_size_t sg_buf_offset, sg_buf_end_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2608) struct binder_proc *target_proc = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2609) struct binder_thread *target_thread = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2610) struct binder_node *target_node = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2611) struct binder_transaction *in_reply_to = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2612) struct binder_transaction_log_entry *e;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2613) uint32_t return_error = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2614) uint32_t return_error_param = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2615) uint32_t return_error_line = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2616) binder_size_t last_fixup_obj_off = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2617) binder_size_t last_fixup_min_off = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2618) struct binder_context *context = proc->context;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2619) int t_debug_id = atomic_inc_return(&binder_last_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2620) char *secctx = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2621) u32 secctx_sz = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2622)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2623) e = binder_transaction_log_add(&binder_transaction_log);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2624) e->debug_id = t_debug_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2625) e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2626) e->from_proc = proc->pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2627) e->from_thread = thread->pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2628) e->target_handle = tr->target.handle;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2629) e->data_size = tr->data_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2630) e->offsets_size = tr->offsets_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2631) strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2632)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2633) if (reply) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2634) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2635) in_reply_to = thread->transaction_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2636) if (in_reply_to == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2637) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2638) binder_user_error("%d:%d got reply transaction with no transaction stack\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2639) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2640) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2641) return_error_param = -EPROTO;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2642) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2643) goto err_empty_call_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2644) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2645) if (in_reply_to->to_thread != thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2646) spin_lock(&in_reply_to->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2647) binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2648) proc->pid, thread->pid, in_reply_to->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2649) in_reply_to->to_proc ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2650) in_reply_to->to_proc->pid : 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2651) in_reply_to->to_thread ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2652) in_reply_to->to_thread->pid : 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2653) spin_unlock(&in_reply_to->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2654) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2655) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2656) return_error_param = -EPROTO;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2657) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2658) in_reply_to = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2659) goto err_bad_call_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2660) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2661) thread->transaction_stack = in_reply_to->to_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2662) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2663) target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2664) if (target_thread == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2665) /* annotation for sparse */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2666) __release(&target_thread->proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2667) return_error = BR_DEAD_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2668) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2669) goto err_dead_binder;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2670) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2671) if (target_thread->transaction_stack != in_reply_to) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2672) binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2673) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2674) target_thread->transaction_stack ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2675) target_thread->transaction_stack->debug_id : 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2676) in_reply_to->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2677) binder_inner_proc_unlock(target_thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2678) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2679) return_error_param = -EPROTO;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2680) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2681) in_reply_to = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2682) target_thread = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2683) goto err_dead_binder;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2684) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2685) target_proc = target_thread->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2686) target_proc->tmp_ref++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2687) binder_inner_proc_unlock(target_thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2688) trace_android_vh_binder_reply(target_proc, proc, thread, tr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2689) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2690) if (tr->target.handle) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2691) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2692)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2693) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2694) * There must already be a strong ref
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2695) * on this node. If so, do a strong
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2696) * increment on the node to ensure it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2697) * stays alive until the transaction is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2698) * done.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2699) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2700) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2701) ref = binder_get_ref_olocked(proc, tr->target.handle,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2702) true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2703) if (ref) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2704) target_node = binder_get_node_refs_for_txn(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2705) ref->node, &target_proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2706) &return_error);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2707) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2708) binder_user_error("%d:%d got transaction to invalid handle, %u\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2709) proc->pid, thread->pid, tr->target.handle);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2710) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2711) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2712) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2713) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2714) mutex_lock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2715) target_node = context->binder_context_mgr_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2716) if (target_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2717) target_node = binder_get_node_refs_for_txn(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2718) target_node, &target_proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2719) &return_error);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2720) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2721) return_error = BR_DEAD_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2722) mutex_unlock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2723) if (target_node && target_proc->pid == proc->pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2724) binder_user_error("%d:%d got transaction to context manager from process owning it\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2725) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2726) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2727) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2728) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2729) goto err_invalid_target_handle;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2730) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2731) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2732) if (!target_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2733) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2734) * return_error is set above
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2735) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2736) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2737) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2738) goto err_dead_binder;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2739) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2740) e->to_node = target_node->debug_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2741) trace_android_vh_binder_trans(target_proc, proc, thread, tr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2742) if (security_binder_transaction(binder_get_cred(proc),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2743) binder_get_cred(target_proc)) < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2744) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2745) return_error_param = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2746) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2747) goto err_invalid_target_handle;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2748) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2749) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2750)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2751) w = list_first_entry_or_null(&thread->todo,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2752) struct binder_work, entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2753) if (!(tr->flags & TF_ONE_WAY) && w &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2754) w->type == BINDER_WORK_TRANSACTION) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2755) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2756) * Do not allow new outgoing transaction from a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2757) * thread that has a transaction at the head of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2758) * its todo list. Only need to check the head
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2759) * because binder_select_thread_ilocked picks a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2760) * thread from proc->waiting_threads to enqueue
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2761) * the transaction, and nothing is queued to the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2762) * todo list while the thread is on waiting_threads.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2763) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2764) binder_user_error("%d:%d new transaction not allowed when there is a transaction on thread todo\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2765) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2766) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2767) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2768) return_error_param = -EPROTO;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2769) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2770) goto err_bad_todo_list;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2771) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2772)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2773) if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2774) struct binder_transaction *tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2775)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2776) tmp = thread->transaction_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2777) if (tmp->to_thread != thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2778) spin_lock(&tmp->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2779) binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2780) proc->pid, thread->pid, tmp->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2781) tmp->to_proc ? tmp->to_proc->pid : 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2782) tmp->to_thread ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2783) tmp->to_thread->pid : 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2784) spin_unlock(&tmp->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2785) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2786) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2787) return_error_param = -EPROTO;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2788) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2789) goto err_bad_call_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2790) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2791) while (tmp) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2792) struct binder_thread *from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2793)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2794) spin_lock(&tmp->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2795) from = tmp->from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2796) if (from && from->proc == target_proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2797) atomic_inc(&from->tmp_ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2798) target_thread = from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2799) spin_unlock(&tmp->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2800) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2801) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2802) spin_unlock(&tmp->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2803) tmp = tmp->from_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2804) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2805) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2806) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2807) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2808) if (target_thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2809) e->to_thread = target_thread->pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2810) e->to_proc = target_proc->pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2811) trace_android_rvh_binder_transaction(target_proc, proc, thread, tr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2812)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2813) /* TODO: reuse incoming transaction for reply */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2814) t = kzalloc(sizeof(*t), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2815) if (t == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2816) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2817) return_error_param = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2818) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2819) goto err_alloc_t_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2820) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2821) INIT_LIST_HEAD(&t->fd_fixups);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2822) binder_stats_created(BINDER_STAT_TRANSACTION);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2823) spin_lock_init(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2824) trace_android_vh_binder_transaction_init(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2825)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2826) tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2827) if (tcomplete == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2828) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2829) return_error_param = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2830) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2831) goto err_alloc_tcomplete_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2832) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2833) binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2834)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2835) t->debug_id = t_debug_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2836)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2837) if (reply)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2838) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2839) "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2840) proc->pid, thread->pid, t->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2841) target_proc->pid, target_thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2842) (u64)tr->data.ptr.buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2843) (u64)tr->data.ptr.offsets,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2844) (u64)tr->data_size, (u64)tr->offsets_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2845) (u64)extra_buffers_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2846) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2847) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2848) "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2849) proc->pid, thread->pid, t->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2850) target_proc->pid, target_node->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2851) (u64)tr->data.ptr.buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2852) (u64)tr->data.ptr.offsets,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2853) (u64)tr->data_size, (u64)tr->offsets_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2854) (u64)extra_buffers_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2855)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2856) if (!reply && !(tr->flags & TF_ONE_WAY))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2857) t->from = thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2858) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2859) t->from = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2860) t->sender_euid = task_euid(proc->tsk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2861) t->to_proc = target_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2862) t->to_thread = target_thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2863) t->code = tr->code;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2864) t->flags = tr->flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2865) if (!(t->flags & TF_ONE_WAY) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2866) binder_supported_policy(current->policy)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2867) /* Inherit supported policies for synchronous transactions */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2868) t->priority.sched_policy = current->policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2869) t->priority.prio = current->normal_prio;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2870) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2871) /* Otherwise, fall back to the default priority */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2872) t->priority = target_proc->default_priority;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2873) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2874)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2875) if (target_node && target_node->txn_security_ctx) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2876) u32 secid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2877) size_t added_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2878) int max_retries = 100;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2879)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2880) security_cred_getsecid(binder_get_cred(proc), &secid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2881) retry_alloc:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2882) ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2883) if (ret == -ENOMEM && max_retries-- > 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2884) struct page *dummy_page;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2885)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2886) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2887) * security_secid_to_secctx() can fail because of a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2888) * GFP_ATOMIC allocation in which case -ENOMEM is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2889) * returned. This needs to be retried, but there is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2890) * currently no way to tell userspace to retry so we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2891) * do it here. We make sure there is still available
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2892) * memory first and then retry.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2893) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2894) dummy_page = alloc_page(GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2895) if (dummy_page) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2896) __free_page(dummy_page);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2897) goto retry_alloc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2898) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2899) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2900) if (ret) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2901) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2902) return_error_param = ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2903) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2904) goto err_get_secctx_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2905) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2906) added_size = ALIGN(secctx_sz, sizeof(u64));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2907) extra_buffers_size += added_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2908) if (extra_buffers_size < added_size) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2909) /* integer overflow of extra_buffers_size */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2910) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2911) return_error_param = EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2912) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2913) goto err_bad_extra_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2914) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2915) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2916)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2917) trace_binder_transaction(reply, t, target_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2918)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2919) t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2920) tr->offsets_size, extra_buffers_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2921) !reply && (t->flags & TF_ONE_WAY), current->tgid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2922) if (IS_ERR(t->buffer)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2923) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2924) * -ESRCH indicates VMA cleared. The target is dying.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2925) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2926) return_error_param = PTR_ERR(t->buffer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2927) return_error = return_error_param == -ESRCH ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2928) BR_DEAD_REPLY : BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2929) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2930) t->buffer = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2931) goto err_binder_alloc_buf_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2932) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2933) if (secctx) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2934) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2935) size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2936) ALIGN(tr->offsets_size, sizeof(void *)) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2937) ALIGN(extra_buffers_size, sizeof(void *)) -
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2938) ALIGN(secctx_sz, sizeof(u64));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2939)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2940) t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2941) err = binder_alloc_copy_to_buffer(&target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2942) t->buffer, buf_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2943) secctx, secctx_sz);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2944) if (err) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2945) t->security_ctx = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2946) WARN_ON(1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2947) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2948) security_release_secctx(secctx, secctx_sz);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2949) secctx = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2950) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2951) t->buffer->debug_id = t->debug_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2952) t->buffer->transaction = t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2953) t->buffer->target_node = target_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2954) t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2955) trace_binder_transaction_alloc_buf(t->buffer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2956)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2957) if (binder_alloc_copy_user_to_buffer(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2958) &target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2959) t->buffer, 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2960) (const void __user *)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2961) (uintptr_t)tr->data.ptr.buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2962) tr->data_size)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2963) binder_user_error("%d:%d got transaction with invalid data ptr\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2964) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2965) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2966) return_error_param = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2967) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2968) goto err_copy_data_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2969) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2970) if (binder_alloc_copy_user_to_buffer(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2971) &target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2972) t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2973) ALIGN(tr->data_size, sizeof(void *)),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2974) (const void __user *)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2975) (uintptr_t)tr->data.ptr.offsets,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2976) tr->offsets_size)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2977) binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2978) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2979) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2980) return_error_param = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2981) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2982) goto err_copy_data_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2983) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2984) if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2985) binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2986) proc->pid, thread->pid, (u64)tr->offsets_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2987) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2988) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2989) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2990) goto err_bad_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2991) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2992) if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2993) binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2994) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2995) (u64)extra_buffers_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2996) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2997) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2998) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2999) goto err_bad_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3000) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3001) off_start_offset = ALIGN(tr->data_size, sizeof(void *));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3002) buffer_offset = off_start_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3003) off_end_offset = off_start_offset + tr->offsets_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3004) sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3005) sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3006) ALIGN(secctx_sz, sizeof(u64));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3007) off_min = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3008) for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3009) buffer_offset += sizeof(binder_size_t)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3010) struct binder_object_header *hdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3011) size_t object_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3012) struct binder_object object;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3013) binder_size_t object_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3014)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3015) if (binder_alloc_copy_from_buffer(&target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3016) &object_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3017) t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3018) buffer_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3019) sizeof(object_offset))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3020) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3021) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3022) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3023) goto err_bad_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3024) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3025) object_size = binder_get_object(target_proc, t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3026) object_offset, &object);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3027) if (object_size == 0 || object_offset < off_min) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3028) binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3029) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3030) (u64)object_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3031) (u64)off_min,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3032) (u64)t->buffer->data_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3033) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3034) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3035) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3036) goto err_bad_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3037) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3038)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3039) hdr = &object.hdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3040) off_min = object_offset + object_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3041) switch (hdr->type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3042) case BINDER_TYPE_BINDER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3043) case BINDER_TYPE_WEAK_BINDER: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3044) struct flat_binder_object *fp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3045)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3046) fp = to_flat_binder_object(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3047) ret = binder_translate_binder(fp, t, thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3048)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3049) if (ret < 0 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3050) binder_alloc_copy_to_buffer(&target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3051) t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3052) object_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3053) fp, sizeof(*fp))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3054) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3055) return_error_param = ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3056) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3057) goto err_translate_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3058) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3059) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3060) case BINDER_TYPE_HANDLE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3061) case BINDER_TYPE_WEAK_HANDLE: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3062) struct flat_binder_object *fp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3063)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3064) fp = to_flat_binder_object(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3065) ret = binder_translate_handle(fp, t, thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3066) if (ret < 0 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3067) binder_alloc_copy_to_buffer(&target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3068) t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3069) object_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3070) fp, sizeof(*fp))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3071) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3072) return_error_param = ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3073) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3074) goto err_translate_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3075) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3076) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3077)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3078) case BINDER_TYPE_FD: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3079) struct binder_fd_object *fp = to_binder_fd_object(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3080) binder_size_t fd_offset = object_offset +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3081) (uintptr_t)&fp->fd - (uintptr_t)fp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3082) int ret = binder_translate_fd(fp->fd, fd_offset, t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3083) thread, in_reply_to);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3084)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3085) fp->pad_binder = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3086) if (ret < 0 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3087) binder_alloc_copy_to_buffer(&target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3088) t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3089) object_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3090) fp, sizeof(*fp))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3091) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3092) return_error_param = ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3093) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3094) goto err_translate_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3095) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3096) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3097) case BINDER_TYPE_FDA: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3098) struct binder_object ptr_object;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3099) binder_size_t parent_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3100) struct binder_fd_array_object *fda =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3101) to_binder_fd_array_object(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3102) size_t num_valid = (buffer_offset - off_start_offset) /
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3103) sizeof(binder_size_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3104) struct binder_buffer_object *parent =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3105) binder_validate_ptr(target_proc, t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3106) &ptr_object, fda->parent,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3107) off_start_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3108) &parent_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3109) num_valid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3110) if (!parent) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3111) binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3112) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3113) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3114) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3115) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3116) goto err_bad_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3117) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3118) if (!binder_validate_fixup(target_proc, t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3119) off_start_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3120) parent_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3121) fda->parent_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3122) last_fixup_obj_off,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3123) last_fixup_min_off)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3124) binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3125) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3126) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3127) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3128) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3129) goto err_bad_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3130) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3131) ret = binder_translate_fd_array(fda, parent, t, thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3132) in_reply_to);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3133) if (ret < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3134) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3135) return_error_param = ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3136) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3137) goto err_translate_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3138) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3139) last_fixup_obj_off = parent_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3140) last_fixup_min_off =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3141) fda->parent_offset + sizeof(u32) * fda->num_fds;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3142) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3143) case BINDER_TYPE_PTR: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3144) struct binder_buffer_object *bp =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3145) to_binder_buffer_object(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3146) size_t buf_left = sg_buf_end_offset - sg_buf_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3147) size_t num_valid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3148)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3149) if (bp->length > buf_left) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3150) binder_user_error("%d:%d got transaction with too large buffer\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3151) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3152) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3153) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3154) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3155) goto err_bad_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3156) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3157) if (binder_alloc_copy_user_to_buffer(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3158) &target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3159) t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3160) sg_buf_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3161) (const void __user *)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3162) (uintptr_t)bp->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3163) bp->length)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3164) binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3165) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3166) return_error_param = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3167) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3168) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3169) goto err_copy_data_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3170) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3171) /* Fixup buffer pointer to target proc address space */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3172) bp->buffer = (uintptr_t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3173) t->buffer->user_data + sg_buf_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3174) sg_buf_offset += ALIGN(bp->length, sizeof(u64));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3175)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3176) num_valid = (buffer_offset - off_start_offset) /
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3177) sizeof(binder_size_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3178) ret = binder_fixup_parent(t, thread, bp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3179) off_start_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3180) num_valid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3181) last_fixup_obj_off,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3182) last_fixup_min_off);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3183) if (ret < 0 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3184) binder_alloc_copy_to_buffer(&target_proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3185) t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3186) object_offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3187) bp, sizeof(*bp))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3188) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3189) return_error_param = ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3190) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3191) goto err_translate_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3192) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3193) last_fixup_obj_off = object_offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3194) last_fixup_min_off = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3195) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3196) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3197) binder_user_error("%d:%d got transaction with invalid object type, %x\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3198) proc->pid, thread->pid, hdr->type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3199) return_error = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3200) return_error_param = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3201) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3202) goto err_bad_object_type;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3203) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3204) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3205) if (t->buffer->oneway_spam_suspect)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3206) tcomplete->type = BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3207) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3208) tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3209) t->work.type = BINDER_WORK_TRANSACTION;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3210)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3211) if (reply) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3212) binder_enqueue_thread_work(thread, tcomplete);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3213) binder_inner_proc_lock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3214) if (target_thread->is_dead) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3215) return_error = BR_DEAD_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3216) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3217) goto err_dead_proc_or_thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3218) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3219) BUG_ON(t->buffer->async_transaction != 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3220) binder_pop_transaction_ilocked(target_thread, in_reply_to);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3221) binder_enqueue_thread_work_ilocked(target_thread, &t->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3222) target_proc->outstanding_txns++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3223) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3224) wake_up_interruptible_sync(&target_thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3225) trace_android_vh_binder_restore_priority(in_reply_to, current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3226) binder_restore_priority(current, in_reply_to->saved_priority);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3227) binder_free_transaction(in_reply_to);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3228) } else if (!(t->flags & TF_ONE_WAY)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3229) BUG_ON(t->buffer->async_transaction != 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3230) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3231) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3232) * Defer the TRANSACTION_COMPLETE, so we don't return to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3233) * userspace immediately; this allows the target process to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3234) * immediately start processing this transaction, reducing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3235) * latency. We will then return the TRANSACTION_COMPLETE when
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3236) * the target replies (or there is an error).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3237) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3238) binder_enqueue_deferred_thread_work_ilocked(thread, tcomplete);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3239) t->need_reply = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3240) t->from_parent = thread->transaction_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3241) thread->transaction_stack = t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3242) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3243) return_error = binder_proc_transaction(t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3244) target_proc, target_thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3245) if (return_error) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3246) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3247) binder_pop_transaction_ilocked(thread, t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3248) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3249) goto err_dead_proc_or_thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3250) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3251) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3252) BUG_ON(target_node == NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3253) BUG_ON(t->buffer->async_transaction != 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3254) binder_enqueue_thread_work(thread, tcomplete);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3255) return_error = binder_proc_transaction(t, target_proc, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3256) if (return_error)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3257) goto err_dead_proc_or_thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3258) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3259) if (target_thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3260) binder_thread_dec_tmpref(target_thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3261) binder_proc_dec_tmpref(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3262) if (target_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3263) binder_dec_node_tmpref(target_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3264) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3265) * write barrier to synchronize with initialization
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3266) * of log entry
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3267) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3268) smp_wmb();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3269) WRITE_ONCE(e->debug_id_done, t_debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3270) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3271)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3272) err_dead_proc_or_thread:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3273) return_error_line = __LINE__;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3274) binder_dequeue_work(proc, tcomplete);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3275) err_translate_failed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3276) err_bad_object_type:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3277) err_bad_offset:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3278) err_bad_parent:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3279) err_copy_data_failed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3280) binder_free_txn_fixups(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3281) trace_binder_transaction_failed_buffer_release(t->buffer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3282) binder_transaction_buffer_release(target_proc, NULL, t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3283) buffer_offset, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3284) if (target_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3285) binder_dec_node_tmpref(target_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3286) target_node = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3287) t->buffer->transaction = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3288) binder_alloc_free_buf(&target_proc->alloc, t->buffer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3289) err_binder_alloc_buf_failed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3290) err_bad_extra_size:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3291) if (secctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3292) security_release_secctx(secctx, secctx_sz);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3293) err_get_secctx_failed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3294) kfree(tcomplete);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3295) binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3296) err_alloc_tcomplete_failed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3297) kfree(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3298) binder_stats_deleted(BINDER_STAT_TRANSACTION);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3299) err_alloc_t_failed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3300) err_bad_todo_list:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3301) err_bad_call_stack:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3302) err_empty_call_stack:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3303) err_dead_binder:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3304) err_invalid_target_handle:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3305) if (target_thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3306) binder_thread_dec_tmpref(target_thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3307) if (target_proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3308) binder_proc_dec_tmpref(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3309) if (target_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3310) binder_dec_node(target_node, 1, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3311) binder_dec_node_tmpref(target_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3312) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3313)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3314) binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3315) "%d:%d transaction failed %d/%d, size %lld-%lld line %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3316) proc->pid, thread->pid, return_error, return_error_param,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3317) (u64)tr->data_size, (u64)tr->offsets_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3318) return_error_line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3319)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3320) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3321) struct binder_transaction_log_entry *fe;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3322)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3323) e->return_error = return_error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3324) e->return_error_param = return_error_param;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3325) e->return_error_line = return_error_line;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3326) fe = binder_transaction_log_add(&binder_transaction_log_failed);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3327) *fe = *e;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3328) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3329) * write barrier to synchronize with initialization
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3330) * of log entry
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3331) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3332) smp_wmb();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3333) WRITE_ONCE(e->debug_id_done, t_debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3334) WRITE_ONCE(fe->debug_id_done, t_debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3335) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3336)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3337) BUG_ON(thread->return_error.cmd != BR_OK);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3338) if (in_reply_to) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3339) trace_android_vh_binder_restore_priority(in_reply_to, current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3340) binder_restore_priority(current, in_reply_to->saved_priority);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3341) thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3342) binder_enqueue_thread_work(thread, &thread->return_error.work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3343) binder_send_failed_reply(in_reply_to, return_error);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3344) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3345) thread->return_error.cmd = return_error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3346) binder_enqueue_thread_work(thread, &thread->return_error.work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3347) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3348) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3349)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3350) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3351) * binder_free_buf() - free the specified buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3352) * @proc: binder proc that owns buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3353) * @buffer: buffer to be freed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3354) * @is_failure: failed to send transaction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3355) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3356) * If buffer for an async transaction, enqueue the next async
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3357) * transaction from the node.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3358) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3359) * Cleanup buffer and free it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3360) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3361) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3362) binder_free_buf(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3363) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3364) struct binder_buffer *buffer, bool is_failure)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3365) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3366) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3367) if (buffer->transaction) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3368) buffer->transaction->buffer = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3369) buffer->transaction = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3370) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3371) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3372) if (buffer->async_transaction && buffer->target_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3373) struct binder_node *buf_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3374) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3375)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3376) buf_node = buffer->target_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3377) binder_node_inner_lock(buf_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3378) BUG_ON(!buf_node->has_async_transaction);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3379) BUG_ON(buf_node->proc != proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3380) w = binder_dequeue_work_head_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3381) &buf_node->async_todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3382) if (!w) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3383) buf_node->has_async_transaction = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3384) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3385) binder_enqueue_work_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3386) w, &proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3387) binder_wakeup_proc_ilocked(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3388) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3389) binder_node_inner_unlock(buf_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3390) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3391) trace_binder_transaction_buffer_release(buffer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3392) binder_transaction_buffer_release(proc, thread, buffer, 0, is_failure);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3393) binder_alloc_free_buf(&proc->alloc, buffer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3394) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3395)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3396) static int binder_thread_write(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3397) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3398) binder_uintptr_t binder_buffer, size_t size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3399) binder_size_t *consumed)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3400) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3401) uint32_t cmd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3402) struct binder_context *context = proc->context;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3403) void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3404) void __user *ptr = buffer + *consumed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3405) void __user *end = buffer + size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3406)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3407) while (ptr < end && thread->return_error.cmd == BR_OK) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3408) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3409)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3410) if (get_user(cmd, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3411) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3412) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3413) trace_binder_command(cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3414) if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3415) atomic_inc(&binder_stats.bc[_IOC_NR(cmd)]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3416) atomic_inc(&proc->stats.bc[_IOC_NR(cmd)]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3417) atomic_inc(&thread->stats.bc[_IOC_NR(cmd)]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3418) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3419) switch (cmd) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3420) case BC_INCREFS:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3421) case BC_ACQUIRE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3422) case BC_RELEASE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3423) case BC_DECREFS: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3424) uint32_t target;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3425) const char *debug_string;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3426) bool strong = cmd == BC_ACQUIRE || cmd == BC_RELEASE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3427) bool increment = cmd == BC_INCREFS || cmd == BC_ACQUIRE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3428) struct binder_ref_data rdata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3429)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3430) if (get_user(target, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3431) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3432)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3433) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3434) ret = -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3435) if (increment && !target) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3436) struct binder_node *ctx_mgr_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3437) mutex_lock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3438) ctx_mgr_node = context->binder_context_mgr_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3439) if (ctx_mgr_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3440) ret = binder_inc_ref_for_node(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3441) proc, ctx_mgr_node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3442) strong, NULL, &rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3443) mutex_unlock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3444) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3445) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3446) ret = binder_update_ref_for_handle(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3447) proc, target, increment, strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3448) &rdata);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3449) if (!ret && rdata.desc != target) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3450) binder_user_error("%d:%d tried to acquire reference to desc %d, got %d instead\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3451) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3452) target, rdata.desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3453) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3454) switch (cmd) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3455) case BC_INCREFS:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3456) debug_string = "IncRefs";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3457) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3458) case BC_ACQUIRE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3459) debug_string = "Acquire";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3460) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3461) case BC_RELEASE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3462) debug_string = "Release";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3463) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3464) case BC_DECREFS:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3465) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3466) debug_string = "DecRefs";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3467) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3468) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3469) if (ret) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3470) binder_user_error("%d:%d %s %d refcount change on invalid ref %d ret %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3471) proc->pid, thread->pid, debug_string,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3472) strong, target, ret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3473) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3474) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3475) binder_debug(BINDER_DEBUG_USER_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3476) "%d:%d %s ref %d desc %d s %d w %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3477) proc->pid, thread->pid, debug_string,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3478) rdata.debug_id, rdata.desc, rdata.strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3479) rdata.weak);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3480) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3481) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3482) case BC_INCREFS_DONE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3483) case BC_ACQUIRE_DONE: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3484) binder_uintptr_t node_ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3485) binder_uintptr_t cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3486) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3487) bool free_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3488)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3489) if (get_user(node_ptr, (binder_uintptr_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3490) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3491) ptr += sizeof(binder_uintptr_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3492) if (get_user(cookie, (binder_uintptr_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3493) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3494) ptr += sizeof(binder_uintptr_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3495) node = binder_get_node(proc, node_ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3496) if (node == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3497) binder_user_error("%d:%d %s u%016llx no match\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3498) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3499) cmd == BC_INCREFS_DONE ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3500) "BC_INCREFS_DONE" :
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3501) "BC_ACQUIRE_DONE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3502) (u64)node_ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3503) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3504) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3505) if (cookie != node->cookie) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3506) binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3507) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3508) cmd == BC_INCREFS_DONE ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3509) "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3510) (u64)node_ptr, node->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3511) (u64)cookie, (u64)node->cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3512) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3513) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3514) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3515) binder_node_inner_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3516) if (cmd == BC_ACQUIRE_DONE) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3517) if (node->pending_strong_ref == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3518) binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire request\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3519) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3520) node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3521) binder_node_inner_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3522) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3523) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3524) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3525) node->pending_strong_ref = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3526) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3527) if (node->pending_weak_ref == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3528) binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs request\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3529) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3530) node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3531) binder_node_inner_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3532) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3533) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3534) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3535) node->pending_weak_ref = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3536) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3537) free_node = binder_dec_node_nilocked(node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3538) cmd == BC_ACQUIRE_DONE, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3539) WARN_ON(free_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3540) binder_debug(BINDER_DEBUG_USER_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3541) "%d:%d %s node %d ls %d lw %d tr %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3542) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3543) cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3544) node->debug_id, node->local_strong_refs,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3545) node->local_weak_refs, node->tmp_refs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3546) binder_node_inner_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3547) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3548) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3549) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3550) case BC_ATTEMPT_ACQUIRE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3551) pr_err("BC_ATTEMPT_ACQUIRE not supported\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3552) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3553) case BC_ACQUIRE_RESULT:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3554) pr_err("BC_ACQUIRE_RESULT not supported\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3555) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3556)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3557) case BC_FREE_BUFFER: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3558) binder_uintptr_t data_ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3559) struct binder_buffer *buffer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3560)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3561) if (get_user(data_ptr, (binder_uintptr_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3562) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3563) ptr += sizeof(binder_uintptr_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3564)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3565) buffer = binder_alloc_prepare_to_free(&proc->alloc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3566) data_ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3567) if (IS_ERR_OR_NULL(buffer)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3568) if (PTR_ERR(buffer) == -EPERM) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3569) binder_user_error(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3570) "%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3571) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3572) (u64)data_ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3573) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3574) binder_user_error(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3575) "%d:%d BC_FREE_BUFFER u%016llx no match\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3576) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3577) (u64)data_ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3578) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3579) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3580) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3581) binder_debug(BINDER_DEBUG_FREE_BUFFER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3582) "%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3583) proc->pid, thread->pid, (u64)data_ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3584) buffer->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3585) buffer->transaction ? "active" : "finished");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3586) binder_free_buf(proc, thread, buffer, false);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3587) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3588) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3589)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3590) case BC_TRANSACTION_SG:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3591) case BC_REPLY_SG: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3592) struct binder_transaction_data_sg tr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3593)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3594) if (copy_from_user(&tr, ptr, sizeof(tr)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3595) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3596) ptr += sizeof(tr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3597) binder_transaction(proc, thread, &tr.transaction_data,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3598) cmd == BC_REPLY_SG, tr.buffers_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3599) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3600) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3601) case BC_TRANSACTION:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3602) case BC_REPLY: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3603) struct binder_transaction_data tr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3604)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3605) if (copy_from_user(&tr, ptr, sizeof(tr)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3606) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3607) ptr += sizeof(tr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3608) binder_transaction(proc, thread, &tr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3609) cmd == BC_REPLY, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3610) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3611) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3612)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3613) case BC_REGISTER_LOOPER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3614) binder_debug(BINDER_DEBUG_THREADS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3615) "%d:%d BC_REGISTER_LOOPER\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3616) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3617) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3618) if (thread->looper & BINDER_LOOPER_STATE_ENTERED) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3619) thread->looper |= BINDER_LOOPER_STATE_INVALID;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3620) binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3621) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3622) } else if (proc->requested_threads == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3623) thread->looper |= BINDER_LOOPER_STATE_INVALID;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3624) binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called without request\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3625) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3626) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3627) proc->requested_threads--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3628) proc->requested_threads_started++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3629) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3630) thread->looper |= BINDER_LOOPER_STATE_REGISTERED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3631) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3632) trace_android_vh_binder_looper_state_registered(thread, proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3633) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3634) case BC_ENTER_LOOPER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3635) binder_debug(BINDER_DEBUG_THREADS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3636) "%d:%d BC_ENTER_LOOPER\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3637) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3638) if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3639) thread->looper |= BINDER_LOOPER_STATE_INVALID;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3640) binder_user_error("%d:%d ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3641) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3642) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3643) thread->looper |= BINDER_LOOPER_STATE_ENTERED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3644) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3645) case BC_EXIT_LOOPER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3646) binder_debug(BINDER_DEBUG_THREADS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3647) "%d:%d BC_EXIT_LOOPER\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3648) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3649) thread->looper |= BINDER_LOOPER_STATE_EXITED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3650) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3651)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3652) case BC_REQUEST_DEATH_NOTIFICATION:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3653) case BC_CLEAR_DEATH_NOTIFICATION: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3654) uint32_t target;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3655) binder_uintptr_t cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3656) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3657) struct binder_ref_death *death = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3658)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3659) if (get_user(target, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3660) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3661) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3662) if (get_user(cookie, (binder_uintptr_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3663) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3664) ptr += sizeof(binder_uintptr_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3665) if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3666) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3667) * Allocate memory for death notification
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3668) * before taking lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3669) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3670) death = kzalloc(sizeof(*death), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3671) if (death == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3672) WARN_ON(thread->return_error.cmd !=
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3673) BR_OK);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3674) thread->return_error.cmd = BR_ERROR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3675) binder_enqueue_thread_work(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3676) thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3677) &thread->return_error.work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3678) binder_debug(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3679) BINDER_DEBUG_FAILED_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3680) "%d:%d BC_REQUEST_DEATH_NOTIFICATION failed\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3681) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3682) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3683) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3684) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3685) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3686) ref = binder_get_ref_olocked(proc, target, false);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3687) if (ref == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3688) binder_user_error("%d:%d %s invalid ref %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3689) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3690) cmd == BC_REQUEST_DEATH_NOTIFICATION ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3691) "BC_REQUEST_DEATH_NOTIFICATION" :
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3692) "BC_CLEAR_DEATH_NOTIFICATION",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3693) target);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3694) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3695) kfree(death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3696) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3697) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3698)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3699) binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3700) "%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3701) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3702) cmd == BC_REQUEST_DEATH_NOTIFICATION ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3703) "BC_REQUEST_DEATH_NOTIFICATION" :
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3704) "BC_CLEAR_DEATH_NOTIFICATION",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3705) (u64)cookie, ref->data.debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3706) ref->data.desc, ref->data.strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3707) ref->data.weak, ref->node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3708)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3709) binder_node_lock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3710) if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3711) if (ref->death) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3712) binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification already set\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3713) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3714) binder_node_unlock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3715) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3716) kfree(death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3717) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3718) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3719) binder_stats_created(BINDER_STAT_DEATH);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3720) INIT_LIST_HEAD(&death->work.entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3721) death->cookie = cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3722) ref->death = death;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3723) if (ref->node->proc == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3724) ref->death->work.type = BINDER_WORK_DEAD_BINDER;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3725)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3726) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3727) binder_enqueue_work_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3728) &ref->death->work, &proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3729) binder_wakeup_proc_ilocked(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3730) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3731) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3732) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3733) if (ref->death == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3734) binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not active\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3735) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3736) binder_node_unlock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3737) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3738) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3739) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3740) death = ref->death;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3741) if (death->cookie != cookie) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3742) binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3743) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3744) (u64)death->cookie,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3745) (u64)cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3746) binder_node_unlock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3747) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3748) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3749) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3750) ref->death = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3751) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3752) if (list_empty(&death->work.entry)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3753) death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3754) if (thread->looper &
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3755) (BINDER_LOOPER_STATE_REGISTERED |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3756) BINDER_LOOPER_STATE_ENTERED))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3757) binder_enqueue_thread_work_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3758) thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3759) &death->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3760) else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3761) binder_enqueue_work_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3762) &death->work,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3763) &proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3764) binder_wakeup_proc_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3765) proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3766) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3767) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3768) BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3769) death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3770) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3771) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3772) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3773) binder_node_unlock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3774) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3775) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3776) case BC_DEAD_BINDER_DONE: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3777) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3778) binder_uintptr_t cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3779) struct binder_ref_death *death = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3780)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3781) if (get_user(cookie, (binder_uintptr_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3782) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3783)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3784) ptr += sizeof(cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3785) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3786) list_for_each_entry(w, &proc->delivered_death,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3787) entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3788) struct binder_ref_death *tmp_death =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3789) container_of(w,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3790) struct binder_ref_death,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3791) work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3792)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3793) if (tmp_death->cookie == cookie) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3794) death = tmp_death;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3795) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3796) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3797) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3798) binder_debug(BINDER_DEBUG_DEAD_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3799) "%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3800) proc->pid, thread->pid, (u64)cookie,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3801) death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3802) if (death == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3803) binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3804) proc->pid, thread->pid, (u64)cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3805) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3806) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3807) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3808) binder_dequeue_work_ilocked(&death->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3809) if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3810) death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3811) if (thread->looper &
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3812) (BINDER_LOOPER_STATE_REGISTERED |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3813) BINDER_LOOPER_STATE_ENTERED))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3814) binder_enqueue_thread_work_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3815) thread, &death->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3816) else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3817) binder_enqueue_work_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3818) &death->work,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3819) &proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3820) binder_wakeup_proc_ilocked(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3821) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3822) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3823) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3824) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3825)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3826) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3827) pr_err("%d:%d unknown command %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3828) proc->pid, thread->pid, cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3829) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3830) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3831) *consumed = ptr - buffer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3832) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3833) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3834) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3835)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3836) static void binder_stat_br(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3837) struct binder_thread *thread, uint32_t cmd)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3838) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3839) trace_binder_return(cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3840) if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3841) atomic_inc(&binder_stats.br[_IOC_NR(cmd)]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3842) atomic_inc(&proc->stats.br[_IOC_NR(cmd)]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3843) atomic_inc(&thread->stats.br[_IOC_NR(cmd)]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3844) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3845) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3846)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3847) static int binder_put_node_cmd(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3848) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3849) void __user **ptrp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3850) binder_uintptr_t node_ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3851) binder_uintptr_t node_cookie,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3852) int node_debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3853) uint32_t cmd, const char *cmd_name)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3854) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3855) void __user *ptr = *ptrp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3856)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3857) if (put_user(cmd, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3858) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3859) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3860)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3861) if (put_user(node_ptr, (binder_uintptr_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3862) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3863) ptr += sizeof(binder_uintptr_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3864)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3865) if (put_user(node_cookie, (binder_uintptr_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3866) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3867) ptr += sizeof(binder_uintptr_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3868)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3869) binder_stat_br(proc, thread, cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3870) binder_debug(BINDER_DEBUG_USER_REFS, "%d:%d %s %d u%016llx c%016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3871) proc->pid, thread->pid, cmd_name, node_debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3872) (u64)node_ptr, (u64)node_cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3873)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3874) *ptrp = ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3875) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3876) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3877)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3878) static int binder_wait_for_work(struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3879) bool do_proc_work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3880) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3881) DEFINE_WAIT(wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3882) struct binder_proc *proc = thread->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3883) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3884)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3885) freezer_do_not_count();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3886) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3887) for (;;) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3888) prepare_to_wait(&thread->wait, &wait, TASK_INTERRUPTIBLE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3889) if (binder_has_work_ilocked(thread, do_proc_work))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3890) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3891) if (do_proc_work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3892) list_add(&thread->waiting_thread_node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3893) &proc->waiting_threads);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3894) trace_android_vh_binder_wait_for_work(do_proc_work, thread, proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3895) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3896) schedule();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3897) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3898) list_del_init(&thread->waiting_thread_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3899) if (signal_pending(current)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3900) ret = -EINTR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3901) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3902) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3903) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3904) finish_wait(&thread->wait, &wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3905) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3906) freezer_count();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3907)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3908) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3909) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3910)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3911) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3912) * binder_apply_fd_fixups() - finish fd translation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3913) * @proc: binder_proc associated @t->buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3914) * @t: binder transaction with list of fd fixups
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3915) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3916) * Now that we are in the context of the transaction target
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3917) * process, we can allocate and install fds. Process the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3918) * list of fds to translate and fixup the buffer with the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3919) * new fds.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3920) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3921) * If we fail to allocate an fd, then free the resources by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3922) * fput'ing files that have not been processed and ksys_close'ing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3923) * any fds that have already been allocated.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3924) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3925) static int binder_apply_fd_fixups(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3926) struct binder_transaction *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3927) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3928) struct binder_txn_fd_fixup *fixup, *tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3929) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3930)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3931) list_for_each_entry(fixup, &t->fd_fixups, fixup_entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3932) int fd = get_unused_fd_flags(O_CLOEXEC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3933)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3934) if (fd < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3935) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3936) "failed fd fixup txn %d fd %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3937) t->debug_id, fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3938) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3939) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3940) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3941) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3942) "fd fixup txn %d fd %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3943) t->debug_id, fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3944) trace_binder_transaction_fd_recv(t, fd, fixup->offset);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3945) fd_install(fd, fixup->file);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3946) fixup->file = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3947) if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3948) fixup->offset, &fd,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3949) sizeof(u32))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3950) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3951) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3952) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3953) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3954) list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3955) if (fixup->file) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3956) fput(fixup->file);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3957) } else if (ret) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3958) u32 fd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3959) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3960)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3961) err = binder_alloc_copy_from_buffer(&proc->alloc, &fd,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3962) t->buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3963) fixup->offset,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3964) sizeof(fd));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3965) WARN_ON(err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3966) if (!err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3967) binder_deferred_fd_close(fd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3968) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3969) list_del(&fixup->fixup_entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3970) kfree(fixup);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3971) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3972)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3973) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3974) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3975)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3976) static int binder_thread_read(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3977) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3978) binder_uintptr_t binder_buffer, size_t size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3979) binder_size_t *consumed, int non_block)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3980) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3981) void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3982) void __user *ptr = buffer + *consumed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3983) void __user *end = buffer + size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3984)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3985) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3986) int wait_for_proc_work;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3987)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3988) if (*consumed == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3989) if (put_user(BR_NOOP, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3990) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3991) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3992) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3993)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3994) retry:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3995) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3996) wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3997) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3998)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3999) thread->looper |= BINDER_LOOPER_STATE_WAITING;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4000)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4001) trace_binder_wait_for_work(wait_for_proc_work,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4002) !!thread->transaction_stack,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4003) !binder_worklist_empty(proc, &thread->todo));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4004) if (wait_for_proc_work) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4005) if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4006) BINDER_LOOPER_STATE_ENTERED))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4007) binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4008) proc->pid, thread->pid, thread->looper);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4009) wait_event_interruptible(binder_user_error_wait,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4010) binder_stop_on_user_error < 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4011) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4012) trace_android_vh_binder_restore_priority(NULL, current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4013) binder_restore_priority(current, proc->default_priority);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4014) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4015)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4016) if (non_block) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4017) if (!binder_has_work(thread, wait_for_proc_work))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4018) ret = -EAGAIN;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4019) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4020) ret = binder_wait_for_work(thread, wait_for_proc_work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4021) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4022)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4023) thread->looper &= ~BINDER_LOOPER_STATE_WAITING;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4024)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4025) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4026) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4027)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4028) while (1) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4029) uint32_t cmd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4030) struct binder_transaction_data_secctx tr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4031) struct binder_transaction_data *trd = &tr.transaction_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4032) struct binder_work *w = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4033) struct list_head *list = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4034) struct binder_transaction *t = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4035) struct binder_thread *t_from;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4036) size_t trsize = sizeof(*trd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4037)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4038) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4039) trace_android_vh_binder_select_worklist_ilocked(&list, thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4040) proc, wait_for_proc_work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4041) if (list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4042) goto skip;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4043) if (!binder_worklist_empty_ilocked(&thread->todo))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4044) list = &thread->todo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4045) else if (!binder_worklist_empty_ilocked(&proc->todo) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4046) wait_for_proc_work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4047) list = &proc->todo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4048) else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4049) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4050)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4051) /* no data added */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4052) if (ptr - buffer == 4 && !thread->looper_need_return)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4053) goto retry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4054) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4055) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4056) skip:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4057) if (end - ptr < sizeof(tr) + 4) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4058) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4059) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4060) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4061) trace_android_vh_binder_thread_read(&list, proc, thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4062) w = binder_dequeue_work_head_ilocked(list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4063) if (binder_worklist_empty_ilocked(&thread->todo))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4064) thread->process_todo = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4065)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4066) switch (w->type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4067) case BINDER_WORK_TRANSACTION: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4068) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4069) t = container_of(w, struct binder_transaction, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4070) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4071) case BINDER_WORK_RETURN_ERROR: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4072) struct binder_error *e = container_of(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4073) w, struct binder_error, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4074)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4075) WARN_ON(e->cmd == BR_OK);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4076) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4077) if (put_user(e->cmd, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4078) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4079) cmd = e->cmd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4080) e->cmd = BR_OK;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4081) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4082)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4083) binder_stat_br(proc, thread, cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4084) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4085) case BINDER_WORK_TRANSACTION_COMPLETE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4086) case BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4087) if (proc->oneway_spam_detection_enabled &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4088) w->type == BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4089) cmd = BR_ONEWAY_SPAM_SUSPECT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4090) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4091) cmd = BR_TRANSACTION_COMPLETE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4092) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4093) kfree(w);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4094) binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4095) if (put_user(cmd, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4096) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4097) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4098)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4099) binder_stat_br(proc, thread, cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4100) binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4101) "%d:%d BR_TRANSACTION_COMPLETE\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4102) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4103) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4104) case BINDER_WORK_NODE: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4105) struct binder_node *node = container_of(w, struct binder_node, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4106) int strong, weak;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4107) binder_uintptr_t node_ptr = node->ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4108) binder_uintptr_t node_cookie = node->cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4109) int node_debug_id = node->debug_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4110) int has_weak_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4111) int has_strong_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4112) void __user *orig_ptr = ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4113)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4114) BUG_ON(proc != node->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4115) strong = node->internal_strong_refs ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4116) node->local_strong_refs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4117) weak = !hlist_empty(&node->refs) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4118) node->local_weak_refs ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4119) node->tmp_refs || strong;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4120) has_strong_ref = node->has_strong_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4121) has_weak_ref = node->has_weak_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4122)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4123) if (weak && !has_weak_ref) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4124) node->has_weak_ref = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4125) node->pending_weak_ref = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4126) node->local_weak_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4127) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4128) if (strong && !has_strong_ref) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4129) node->has_strong_ref = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4130) node->pending_strong_ref = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4131) node->local_strong_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4132) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4133) if (!strong && has_strong_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4134) node->has_strong_ref = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4135) if (!weak && has_weak_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4136) node->has_weak_ref = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4137) if (!weak && !strong) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4138) binder_debug(BINDER_DEBUG_INTERNAL_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4139) "%d:%d node %d u%016llx c%016llx deleted\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4140) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4141) node_debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4142) (u64)node_ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4143) (u64)node_cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4144) rb_erase(&node->rb_node, &proc->nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4145) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4146) binder_node_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4147) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4148) * Acquire the node lock before freeing the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4149) * node to serialize with other threads that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4150) * may have been holding the node lock while
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4151) * decrementing this node (avoids race where
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4152) * this thread frees while the other thread
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4153) * is unlocking the node after the final
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4154) * decrement)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4155) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4156) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4157) binder_free_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4158) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4159) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4160)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4161) if (weak && !has_weak_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4162) ret = binder_put_node_cmd(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4163) proc, thread, &ptr, node_ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4164) node_cookie, node_debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4165) BR_INCREFS, "BR_INCREFS");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4166) if (!ret && strong && !has_strong_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4167) ret = binder_put_node_cmd(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4168) proc, thread, &ptr, node_ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4169) node_cookie, node_debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4170) BR_ACQUIRE, "BR_ACQUIRE");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4171) if (!ret && !strong && has_strong_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4172) ret = binder_put_node_cmd(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4173) proc, thread, &ptr, node_ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4174) node_cookie, node_debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4175) BR_RELEASE, "BR_RELEASE");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4176) if (!ret && !weak && has_weak_ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4177) ret = binder_put_node_cmd(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4178) proc, thread, &ptr, node_ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4179) node_cookie, node_debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4180) BR_DECREFS, "BR_DECREFS");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4181) if (orig_ptr == ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4182) binder_debug(BINDER_DEBUG_INTERNAL_REFS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4183) "%d:%d node %d u%016llx c%016llx state unchanged\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4184) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4185) node_debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4186) (u64)node_ptr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4187) (u64)node_cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4188) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4189) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4190) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4191) case BINDER_WORK_DEAD_BINDER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4192) case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4193) case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4194) struct binder_ref_death *death;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4195) uint32_t cmd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4196) binder_uintptr_t cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4197)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4198) death = container_of(w, struct binder_ref_death, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4199) if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4200) cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4201) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4202) cmd = BR_DEAD_BINDER;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4203) cookie = death->cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4204)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4205) binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4206) "%d:%d %s %016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4207) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4208) cmd == BR_DEAD_BINDER ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4209) "BR_DEAD_BINDER" :
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4210) "BR_CLEAR_DEATH_NOTIFICATION_DONE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4211) (u64)cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4212) if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4213) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4214) kfree(death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4215) binder_stats_deleted(BINDER_STAT_DEATH);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4216) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4217) binder_enqueue_work_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4218) w, &proc->delivered_death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4219) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4220) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4221) if (put_user(cmd, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4222) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4223) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4224) if (put_user(cookie,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4225) (binder_uintptr_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4226) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4227) ptr += sizeof(binder_uintptr_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4228) binder_stat_br(proc, thread, cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4229) if (cmd == BR_DEAD_BINDER)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4230) goto done; /* DEAD_BINDER notifications can cause transactions */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4231) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4232) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4233) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4234) pr_err("%d:%d: bad work type %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4235) proc->pid, thread->pid, w->type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4236) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4237) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4238)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4239) if (!t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4240) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4241)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4242) BUG_ON(t->buffer == NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4243) if (t->buffer->target_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4244) struct binder_node *target_node = t->buffer->target_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4245) struct binder_priority node_prio;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4246)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4247) trd->target.ptr = target_node->ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4248) trd->cookie = target_node->cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4249) node_prio.sched_policy = target_node->sched_policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4250) node_prio.prio = target_node->min_priority;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4251) binder_transaction_priority(current, t, node_prio,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4252) target_node->inherit_rt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4253) cmd = BR_TRANSACTION;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4254) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4255) trd->target.ptr = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4256) trd->cookie = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4257) cmd = BR_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4258) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4259) trd->code = t->code;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4260) trd->flags = t->flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4261) trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4262)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4263) t_from = binder_get_txn_from(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4264) if (t_from) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4265) struct task_struct *sender = t_from->proc->tsk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4266)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4267) trd->sender_pid =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4268) task_tgid_nr_ns(sender,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4269) task_active_pid_ns(current));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4270) trace_android_vh_sync_txn_recvd(thread->task, t_from->task);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4271) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4272) trd->sender_pid = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4273) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4274)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4275) ret = binder_apply_fd_fixups(proc, t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4276) if (ret) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4277) struct binder_buffer *buffer = t->buffer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4278) bool oneway = !!(t->flags & TF_ONE_WAY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4279) int tid = t->debug_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4280)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4281) if (t_from)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4282) binder_thread_dec_tmpref(t_from);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4283) buffer->transaction = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4284) binder_cleanup_transaction(t, "fd fixups failed",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4285) BR_FAILED_REPLY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4286) binder_free_buf(proc, thread, buffer, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4287) binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4288) "%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4289) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4290) oneway ? "async " :
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4291) (cmd == BR_REPLY ? "reply " : ""),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4292) tid, BR_FAILED_REPLY, ret, __LINE__);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4293) if (cmd == BR_REPLY) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4294) cmd = BR_FAILED_REPLY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4295) if (put_user(cmd, (uint32_t __user *)ptr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4296) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4297) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4298) binder_stat_br(proc, thread, cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4299) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4300) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4301) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4302) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4303) trd->data_size = t->buffer->data_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4304) trd->offsets_size = t->buffer->offsets_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4305) trd->data.ptr.buffer = (uintptr_t)t->buffer->user_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4306) trd->data.ptr.offsets = trd->data.ptr.buffer +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4307) ALIGN(t->buffer->data_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4308) sizeof(void *));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4309)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4310) tr.secctx = t->security_ctx;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4311) if (t->security_ctx) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4312) cmd = BR_TRANSACTION_SEC_CTX;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4313) trsize = sizeof(tr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4314) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4315) if (put_user(cmd, (uint32_t __user *)ptr)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4316) if (t_from)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4317) binder_thread_dec_tmpref(t_from);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4318)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4319) binder_cleanup_transaction(t, "put_user failed",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4320) BR_FAILED_REPLY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4321)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4322) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4323) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4324) ptr += sizeof(uint32_t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4325) if (copy_to_user(ptr, &tr, trsize)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4326) if (t_from)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4327) binder_thread_dec_tmpref(t_from);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4328)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4329) binder_cleanup_transaction(t, "copy_to_user failed",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4330) BR_FAILED_REPLY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4331)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4332) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4333) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4334) ptr += trsize;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4335)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4336) trace_binder_transaction_received(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4337) binder_stat_br(proc, thread, cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4338) binder_debug(BINDER_DEBUG_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4339) "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4340) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4341) (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4342) (cmd == BR_TRANSACTION_SEC_CTX) ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4343) "BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4344) t->debug_id, t_from ? t_from->proc->pid : 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4345) t_from ? t_from->pid : 0, cmd,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4346) t->buffer->data_size, t->buffer->offsets_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4347) (u64)trd->data.ptr.buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4348) (u64)trd->data.ptr.offsets);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4349)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4350) if (t_from)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4351) binder_thread_dec_tmpref(t_from);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4352) t->buffer->allow_user_free = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4353) if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4354) binder_inner_proc_lock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4355) t->to_parent = thread->transaction_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4356) t->to_thread = thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4357) thread->transaction_stack = t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4358) binder_inner_proc_unlock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4359) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4360) binder_free_transaction(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4361) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4362) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4363) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4364)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4365) done:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4366)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4367) *consumed = ptr - buffer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4368) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4369) if (proc->requested_threads == 0 &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4370) list_empty(&thread->proc->waiting_threads) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4371) proc->requested_threads_started < proc->max_threads &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4372) (thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4373) BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4374) /*spawn a new thread if we leave this out */) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4375) proc->requested_threads++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4376) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4377) binder_debug(BINDER_DEBUG_THREADS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4378) "%d:%d BR_SPAWN_LOOPER\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4379) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4380) if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4381) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4382) binder_stat_br(proc, thread, BR_SPAWN_LOOPER);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4383) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4384) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4385) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4386) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4387)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4388) static void binder_release_work(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4389) struct list_head *list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4390) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4391) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4392) enum binder_work_type wtype;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4393)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4394) while (1) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4395) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4396) w = binder_dequeue_work_head_ilocked(list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4397) wtype = w ? w->type : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4398) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4399) if (!w)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4400) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4401)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4402) switch (wtype) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4403) case BINDER_WORK_TRANSACTION: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4404) struct binder_transaction *t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4405)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4406) t = container_of(w, struct binder_transaction, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4407)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4408) binder_cleanup_transaction(t, "process died.",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4409) BR_DEAD_REPLY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4410) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4411) case BINDER_WORK_RETURN_ERROR: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4412) struct binder_error *e = container_of(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4413) w, struct binder_error, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4414)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4415) binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4416) "undelivered TRANSACTION_ERROR: %u\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4417) e->cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4418) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4419) case BINDER_WORK_TRANSACTION_COMPLETE: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4420) binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4421) "undelivered TRANSACTION_COMPLETE\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4422) kfree(w);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4423) binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4424) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4425) case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4426) case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4427) struct binder_ref_death *death;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4428)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4429) death = container_of(w, struct binder_ref_death, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4430) binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4431) "undelivered death notification, %016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4432) (u64)death->cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4433) kfree(death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4434) binder_stats_deleted(BINDER_STAT_DEATH);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4435) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4436) case BINDER_WORK_NODE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4437) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4438) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4439) pr_err("unexpected work type, %d, not freed\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4440) wtype);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4441) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4442) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4443) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4444)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4445) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4446)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4447) static struct binder_thread *binder_get_thread_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4448) struct binder_proc *proc, struct binder_thread *new_thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4449) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4450) struct binder_thread *thread = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4451) struct rb_node *parent = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4452) struct rb_node **p = &proc->threads.rb_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4453)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4454) while (*p) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4455) parent = *p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4456) thread = rb_entry(parent, struct binder_thread, rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4457)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4458) if (current->pid < thread->pid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4459) p = &(*p)->rb_left;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4460) else if (current->pid > thread->pid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4461) p = &(*p)->rb_right;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4462) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4463) return thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4464) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4465) if (!new_thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4466) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4467) thread = new_thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4468) binder_stats_created(BINDER_STAT_THREAD);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4469) thread->proc = proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4470) thread->pid = current->pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4471) get_task_struct(current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4472) thread->task = current;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4473) atomic_set(&thread->tmp_ref, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4474) init_waitqueue_head(&thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4475) INIT_LIST_HEAD(&thread->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4476) rb_link_node(&thread->rb_node, parent, p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4477) rb_insert_color(&thread->rb_node, &proc->threads);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4478) thread->looper_need_return = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4479) thread->return_error.work.type = BINDER_WORK_RETURN_ERROR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4480) thread->return_error.cmd = BR_OK;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4481) thread->reply_error.work.type = BINDER_WORK_RETURN_ERROR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4482) thread->reply_error.cmd = BR_OK;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4483) INIT_LIST_HEAD(&new_thread->waiting_thread_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4484) return thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4485) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4486)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4487) static struct binder_thread *binder_get_thread(struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4488) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4489) struct binder_thread *thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4490) struct binder_thread *new_thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4491)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4492) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4493) thread = binder_get_thread_ilocked(proc, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4494) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4495) if (!thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4496) new_thread = kzalloc(sizeof(*thread), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4497) if (new_thread == NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4498) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4499) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4500) thread = binder_get_thread_ilocked(proc, new_thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4501) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4502) if (thread != new_thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4503) kfree(new_thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4504) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4505) return thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4506) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4507)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4508) static void binder_free_proc(struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4509) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4510) struct binder_device *device;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4511) struct binder_proc_ext *eproc =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4512) container_of(proc, struct binder_proc_ext, proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4513)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4514) BUG_ON(!list_empty(&proc->todo));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4515) BUG_ON(!list_empty(&proc->delivered_death));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4516) if (proc->outstanding_txns)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4517) pr_warn("%s: Unexpected outstanding_txns %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4518) __func__, proc->outstanding_txns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4519) device = container_of(proc->context, struct binder_device, context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4520) if (refcount_dec_and_test(&device->ref)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4521) kfree(proc->context->name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4522) kfree(device);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4523) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4524) binder_alloc_deferred_release(&proc->alloc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4525) put_task_struct(proc->tsk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4526) put_cred(eproc->cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4527) binder_stats_deleted(BINDER_STAT_PROC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4528) trace_android_vh_binder_free_proc(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4529) kfree(eproc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4530) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4531)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4532) static void binder_free_thread(struct binder_thread *thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4533) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4534) BUG_ON(!list_empty(&thread->todo));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4535) binder_stats_deleted(BINDER_STAT_THREAD);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4536) binder_proc_dec_tmpref(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4537) put_task_struct(thread->task);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4538) kfree(thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4539) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4540)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4541) static int binder_thread_release(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4542) struct binder_thread *thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4543) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4544) struct binder_transaction *t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4545) struct binder_transaction *send_reply = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4546) int active_transactions = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4547) struct binder_transaction *last_t = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4548)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4549) binder_inner_proc_lock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4550) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4551) * take a ref on the proc so it survives
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4552) * after we remove this thread from proc->threads.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4553) * The corresponding dec is when we actually
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4554) * free the thread in binder_free_thread()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4555) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4556) proc->tmp_ref++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4557) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4558) * take a ref on this thread to ensure it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4559) * survives while we are releasing it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4560) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4561) atomic_inc(&thread->tmp_ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4562) rb_erase(&thread->rb_node, &proc->threads);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4563) t = thread->transaction_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4564) if (t) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4565) spin_lock(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4566) if (t->to_thread == thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4567) send_reply = t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4568) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4569) __acquire(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4570) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4571) thread->is_dead = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4572)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4573) while (t) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4574) last_t = t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4575) active_transactions++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4576) binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4577) "release %d:%d transaction %d %s, still active\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4578) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4579) t->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4580) (t->to_thread == thread) ? "in" : "out");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4581)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4582) if (t->to_thread == thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4583) thread->proc->outstanding_txns--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4584) t->to_proc = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4585) t->to_thread = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4586) if (t->buffer) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4587) t->buffer->transaction = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4588) t->buffer = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4589) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4590) t = t->to_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4591) } else if (t->from == thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4592) t->from = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4593) t = t->from_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4594) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4595) BUG();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4596) spin_unlock(&last_t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4597) if (t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4598) spin_lock(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4599) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4600) __acquire(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4601) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4602) /* annotation for sparse, lock not acquired in last iteration above */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4603) __release(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4604)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4605) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4606) * If this thread used poll, make sure we remove the waitqueue from any
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4607) * poll data structures holding it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4608) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4609) if (thread->looper & BINDER_LOOPER_STATE_POLL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4610) wake_up_pollfree(&thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4611)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4612) binder_inner_proc_unlock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4613)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4614) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4615) * This is needed to avoid races between wake_up_pollfree() above and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4616) * someone else removing the last entry from the queue for other reasons
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4617) * (e.g. ep_remove_wait_queue() being called due to an epoll file
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4618) * descriptor being closed). Such other users hold an RCU read lock, so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4619) * we can be sure they're done after we call synchronize_rcu().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4620) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4621) if (thread->looper & BINDER_LOOPER_STATE_POLL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4622) synchronize_rcu();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4623)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4624) if (send_reply)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4625) binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4626) binder_release_work(proc, &thread->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4627) trace_android_vh_binder_thread_release(proc, thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4628) binder_thread_dec_tmpref(thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4629) return active_transactions;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4630) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4631)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4632) static __poll_t binder_poll(struct file *filp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4633) struct poll_table_struct *wait)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4634) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4635) struct binder_proc *proc = filp->private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4636) struct binder_thread *thread = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4637) bool wait_for_proc_work;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4638)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4639) thread = binder_get_thread(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4640) if (!thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4641) return POLLERR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4642)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4643) binder_inner_proc_lock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4644) thread->looper |= BINDER_LOOPER_STATE_POLL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4645) wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4646)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4647) binder_inner_proc_unlock(thread->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4648)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4649) poll_wait(filp, &thread->wait, wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4650)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4651) if (binder_has_work(thread, wait_for_proc_work))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4652) return EPOLLIN;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4653)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4654) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4655) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4656)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4657) static int binder_ioctl_write_read(struct file *filp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4658) unsigned int cmd, unsigned long arg,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4659) struct binder_thread *thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4660) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4661) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4662) struct binder_proc *proc = filp->private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4663) unsigned int size = _IOC_SIZE(cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4664) void __user *ubuf = (void __user *)arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4665) struct binder_write_read bwr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4666)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4667) if (size != sizeof(struct binder_write_read)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4668) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4669) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4670) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4671) if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4672) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4673) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4674) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4675) binder_debug(BINDER_DEBUG_READ_WRITE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4676) "%d:%d write %lld at %016llx, read %lld at %016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4677) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4678) (u64)bwr.write_size, (u64)bwr.write_buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4679) (u64)bwr.read_size, (u64)bwr.read_buffer);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4680)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4681) if (bwr.write_size > 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4682) ret = binder_thread_write(proc, thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4683) bwr.write_buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4684) bwr.write_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4685) &bwr.write_consumed);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4686) trace_binder_write_done(ret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4687) if (ret < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4688) bwr.read_consumed = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4689) if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4690) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4691) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4692) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4693) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4694) if (bwr.read_size > 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4695) ret = binder_thread_read(proc, thread, bwr.read_buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4696) bwr.read_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4697) &bwr.read_consumed,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4698) filp->f_flags & O_NONBLOCK);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4699) trace_binder_read_done(ret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4700) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4701) if (!binder_worklist_empty_ilocked(&proc->todo))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4702) binder_wakeup_proc_ilocked(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4703) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4704) trace_android_vh_binder_read_done(proc, thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4705) if (ret < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4706) if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4707) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4708) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4709) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4710) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4711) binder_debug(BINDER_DEBUG_READ_WRITE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4712) "%d:%d wrote %lld of %lld, read return %lld of %lld\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4713) proc->pid, thread->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4714) (u64)bwr.write_consumed, (u64)bwr.write_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4715) (u64)bwr.read_consumed, (u64)bwr.read_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4716) if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4717) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4718) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4719) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4720) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4721) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4722) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4723)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4724) static int binder_ioctl_set_ctx_mgr(struct file *filp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4725) struct flat_binder_object *fbo)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4726) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4727) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4728) struct binder_proc *proc = filp->private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4729) struct binder_context *context = proc->context;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4730) struct binder_node *new_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4731) kuid_t curr_euid = current_euid();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4732)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4733) mutex_lock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4734) if (context->binder_context_mgr_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4735) pr_err("BINDER_SET_CONTEXT_MGR already set\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4736) ret = -EBUSY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4737) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4738) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4739) ret = security_binder_set_context_mgr(binder_get_cred(proc));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4740) if (ret < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4741) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4742) if (uid_valid(context->binder_context_mgr_uid)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4743) if (!uid_eq(context->binder_context_mgr_uid, curr_euid)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4744) pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4745) from_kuid(&init_user_ns, curr_euid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4746) from_kuid(&init_user_ns,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4747) context->binder_context_mgr_uid));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4748) ret = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4749) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4750) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4751) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4752) context->binder_context_mgr_uid = curr_euid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4753) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4754) new_node = binder_new_node(proc, fbo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4755) if (!new_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4756) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4757) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4758) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4759) binder_node_lock(new_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4760) new_node->local_weak_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4761) new_node->local_strong_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4762) new_node->has_strong_ref = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4763) new_node->has_weak_ref = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4764) context->binder_context_mgr_node = new_node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4765) binder_node_unlock(new_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4766) binder_put_node(new_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4767) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4768) mutex_unlock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4769) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4770) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4771)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4772) static int binder_ioctl_get_node_info_for_ref(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4773) struct binder_node_info_for_ref *info)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4774) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4775) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4776) struct binder_context *context = proc->context;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4777) __u32 handle = info->handle;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4778)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4779) if (info->strong_count || info->weak_count || info->reserved1 ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4780) info->reserved2 || info->reserved3) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4781) binder_user_error("%d BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4782) proc->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4783) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4784) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4785)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4786) /* This ioctl may only be used by the context manager */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4787) mutex_lock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4788) if (!context->binder_context_mgr_node ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4789) context->binder_context_mgr_node->proc != proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4790) mutex_unlock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4791) return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4792) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4793) mutex_unlock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4794)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4795) node = binder_get_node_from_ref(proc, handle, true, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4796) if (!node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4797) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4798)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4799) info->strong_count = node->local_strong_refs +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4800) node->internal_strong_refs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4801) info->weak_count = node->local_weak_refs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4802)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4803) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4804)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4805) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4806) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4807)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4808) static int binder_ioctl_get_node_debug_info(struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4809) struct binder_node_debug_info *info)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4810) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4811) struct rb_node *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4812) binder_uintptr_t ptr = info->ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4813)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4814) memset(info, 0, sizeof(*info));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4815)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4816) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4817) for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4818) struct binder_node *node = rb_entry(n, struct binder_node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4819) rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4820) if (node->ptr > ptr) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4821) info->ptr = node->ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4822) info->cookie = node->cookie;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4823) info->has_strong_ref = node->has_strong_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4824) info->has_weak_ref = node->has_weak_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4825) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4826) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4827) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4828) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4829)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4830) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4831) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4832)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4833) static bool binder_txns_pending_ilocked(struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4834) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4835) struct rb_node *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4836) struct binder_thread *thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4837)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4838) if (proc->outstanding_txns > 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4839) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4840)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4841) for (n = rb_first(&proc->threads); n; n = rb_next(n)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4842) thread = rb_entry(n, struct binder_thread, rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4843) if (thread->transaction_stack)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4844) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4845) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4846) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4847) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4848)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4849) static int binder_ioctl_freeze(struct binder_freeze_info *info,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4850) struct binder_proc *target_proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4851) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4852) int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4853)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4854) if (!info->enable) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4855) binder_inner_proc_lock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4856) target_proc->sync_recv = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4857) target_proc->async_recv = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4858) target_proc->is_frozen = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4859) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4860) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4861) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4862)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4863) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4864) * Freezing the target. Prevent new transactions by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4865) * setting frozen state. If timeout specified, wait
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4866) * for transactions to drain.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4867) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4868) binder_inner_proc_lock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4869) target_proc->sync_recv = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4870) target_proc->async_recv = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4871) target_proc->is_frozen = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4872) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4873)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4874) if (info->timeout_ms > 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4875) ret = wait_event_interruptible_timeout(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4876) target_proc->freeze_wait,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4877) (!target_proc->outstanding_txns),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4878) msecs_to_jiffies(info->timeout_ms));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4879)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4880) /* Check pending transactions that wait for reply */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4881) if (ret >= 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4882) binder_inner_proc_lock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4883) if (binder_txns_pending_ilocked(target_proc))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4884) ret = -EAGAIN;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4885) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4886) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4887)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4888) if (ret < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4889) binder_inner_proc_lock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4890) target_proc->is_frozen = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4891) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4892) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4893)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4894) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4895) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4896)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4897) static int binder_ioctl_get_freezer_info(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4898) struct binder_frozen_status_info *info)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4899) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4900) struct binder_proc *target_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4901) bool found = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4902) __u32 txns_pending;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4903)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4904) info->sync_recv = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4905) info->async_recv = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4906)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4907) mutex_lock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4908) hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4909) if (target_proc->pid == info->pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4910) found = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4911) binder_inner_proc_lock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4912) txns_pending = binder_txns_pending_ilocked(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4913) info->sync_recv |= target_proc->sync_recv |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4914) (txns_pending << 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4915) info->async_recv |= target_proc->async_recv;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4916) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4917) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4918) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4919) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4920)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4921) if (!found)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4922) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4923)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4924) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4925) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4926)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4927) static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4928) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4929) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4930) struct binder_proc *proc = filp->private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4931) struct binder_thread *thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4932) unsigned int size = _IOC_SIZE(cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4933) void __user *ubuf = (void __user *)arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4934)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4935) /*pr_info("binder_ioctl: %d:%d %x %lx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4936) proc->pid, current->pid, cmd, arg);*/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4937)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4938) binder_selftest_alloc(&proc->alloc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4939)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4940) trace_binder_ioctl(cmd, arg);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4941)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4942) ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4943) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4944) goto err_unlocked;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4945)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4946) thread = binder_get_thread(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4947) if (thread == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4948) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4949) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4950) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4951)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4952) switch (cmd) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4953) case BINDER_WRITE_READ:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4954) ret = binder_ioctl_write_read(filp, cmd, arg, thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4955) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4956) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4957) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4958) case BINDER_SET_MAX_THREADS: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4959) int max_threads;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4960)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4961) if (copy_from_user(&max_threads, ubuf,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4962) sizeof(max_threads))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4963) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4964) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4965) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4966) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4967) proc->max_threads = max_threads;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4968) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4969) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4970) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4971) case BINDER_SET_CONTEXT_MGR_EXT: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4972) struct flat_binder_object fbo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4973)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4974) if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4975) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4976) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4977) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4978) ret = binder_ioctl_set_ctx_mgr(filp, &fbo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4979) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4980) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4981) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4982) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4983) case BINDER_SET_CONTEXT_MGR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4984) ret = binder_ioctl_set_ctx_mgr(filp, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4985) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4986) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4987) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4988) case BINDER_THREAD_EXIT:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4989) binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4990) proc->pid, thread->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4991) binder_thread_release(proc, thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4992) thread = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4993) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4994) case BINDER_VERSION: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4995) struct binder_version __user *ver = ubuf;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4996)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4997) if (size != sizeof(struct binder_version)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4998) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4999) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5000) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5001) if (put_user(BINDER_CURRENT_PROTOCOL_VERSION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5002) &ver->protocol_version)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5003) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5004) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5005) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5006) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5007) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5008) case BINDER_GET_NODE_INFO_FOR_REF: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5009) struct binder_node_info_for_ref info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5010)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5011) if (copy_from_user(&info, ubuf, sizeof(info))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5012) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5013) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5014) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5015)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5016) ret = binder_ioctl_get_node_info_for_ref(proc, &info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5017) if (ret < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5018) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5019)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5020) if (copy_to_user(ubuf, &info, sizeof(info))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5021) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5022) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5023) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5024)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5025) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5026) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5027) case BINDER_GET_NODE_DEBUG_INFO: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5028) struct binder_node_debug_info info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5029)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5030) if (copy_from_user(&info, ubuf, sizeof(info))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5031) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5032) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5033) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5034)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5035) ret = binder_ioctl_get_node_debug_info(proc, &info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5036) if (ret < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5037) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5038)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5039) if (copy_to_user(ubuf, &info, sizeof(info))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5040) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5041) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5042) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5043) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5044) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5045) case BINDER_FREEZE: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5046) struct binder_freeze_info info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5047) struct binder_proc **target_procs = NULL, *target_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5048) int target_procs_count = 0, i = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5049)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5050) ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5051)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5052) if (copy_from_user(&info, ubuf, sizeof(info))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5053) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5054) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5055) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5056)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5057) mutex_lock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5058) hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5059) if (target_proc->pid == info.pid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5060) target_procs_count++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5061) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5062)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5063) if (target_procs_count == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5064) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5065) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5066) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5067) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5068)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5069) target_procs = kcalloc(target_procs_count,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5070) sizeof(struct binder_proc *),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5071) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5072)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5073) if (!target_procs) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5074) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5075) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5076) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5077) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5078)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5079) hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5080) if (target_proc->pid != info.pid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5081) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5082)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5083) binder_inner_proc_lock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5084) target_proc->tmp_ref++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5085) binder_inner_proc_unlock(target_proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5086)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5087) target_procs[i++] = target_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5088) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5089) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5090)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5091) for (i = 0; i < target_procs_count; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5092) if (ret >= 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5093) ret = binder_ioctl_freeze(&info,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5094) target_procs[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5095)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5096) binder_proc_dec_tmpref(target_procs[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5097) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5098)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5099) kfree(target_procs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5100)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5101) if (ret < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5102) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5103) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5104) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5105) case BINDER_GET_FROZEN_INFO: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5106) struct binder_frozen_status_info info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5107)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5108) if (copy_from_user(&info, ubuf, sizeof(info))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5109) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5110) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5111) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5112)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5113) ret = binder_ioctl_get_freezer_info(&info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5114) if (ret < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5115) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5116)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5117) if (copy_to_user(ubuf, &info, sizeof(info))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5118) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5119) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5120) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5121) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5122) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5123) case BINDER_ENABLE_ONEWAY_SPAM_DETECTION: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5124) uint32_t enable;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5125)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5126) if (copy_from_user(&enable, ubuf, sizeof(enable))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5127) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5128) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5129) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5130) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5131) proc->oneway_spam_detection_enabled = (bool)enable;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5132) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5133) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5134) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5135) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5136) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5137) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5138) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5139) ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5140) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5141) if (thread)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5142) thread->looper_need_return = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5143) wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5144) if (ret && ret != -EINTR)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5145) pr_info("%d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5146) err_unlocked:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5147) trace_binder_ioctl_done(ret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5148) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5149) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5150)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5151) static void binder_vma_open(struct vm_area_struct *vma)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5152) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5153) struct binder_proc *proc = vma->vm_private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5154)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5155) binder_debug(BINDER_DEBUG_OPEN_CLOSE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5156) "%d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5157) proc->pid, vma->vm_start, vma->vm_end,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5158) (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5159) (unsigned long)pgprot_val(vma->vm_page_prot));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5160) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5161)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5162) static void binder_vma_close(struct vm_area_struct *vma)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5163) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5164) struct binder_proc *proc = vma->vm_private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5165)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5166) binder_debug(BINDER_DEBUG_OPEN_CLOSE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5167) "%d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5168) proc->pid, vma->vm_start, vma->vm_end,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5169) (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5170) (unsigned long)pgprot_val(vma->vm_page_prot));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5171) binder_alloc_vma_close(&proc->alloc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5172) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5173)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5174) static vm_fault_t binder_vm_fault(struct vm_fault *vmf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5175) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5176) return VM_FAULT_SIGBUS;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5177) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5178)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5179) static const struct vm_operations_struct binder_vm_ops = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5180) .open = binder_vma_open,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5181) .close = binder_vma_close,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5182) .fault = binder_vm_fault,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5183) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5184)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5185) static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5186) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5187) struct binder_proc *proc = filp->private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5188)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5189) if (proc->tsk != current->group_leader)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5190) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5191)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5192) binder_debug(BINDER_DEBUG_OPEN_CLOSE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5193) "%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5194) __func__, proc->pid, vma->vm_start, vma->vm_end,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5195) (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5196) (unsigned long)pgprot_val(vma->vm_page_prot));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5197)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5198) if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5199) pr_err("%s: %d %lx-%lx %s failed %d\n", __func__,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5200) proc->pid, vma->vm_start, vma->vm_end, "bad vm_flags", -EPERM);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5201) return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5202) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5203) vma->vm_flags |= VM_DONTCOPY | VM_MIXEDMAP;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5204) vma->vm_flags &= ~VM_MAYWRITE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5205)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5206) vma->vm_ops = &binder_vm_ops;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5207) vma->vm_private_data = proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5208)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5209) return binder_alloc_mmap_handler(&proc->alloc, vma);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5210) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5211)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5212) static int binder_open(struct inode *nodp, struct file *filp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5213) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5214) struct binder_proc *proc, *itr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5215) struct binder_proc_ext *eproc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5216) struct binder_device *binder_dev;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5217) struct binderfs_info *info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5218) struct dentry *binder_binderfs_dir_entry_proc = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5219) bool existing_pid = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5220)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5221) binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d:%d\n", __func__,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5222) current->group_leader->pid, current->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5223)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5224) eproc = kzalloc(sizeof(*eproc), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5225) proc = &eproc->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5226) if (proc == NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5227) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5228) spin_lock_init(&proc->inner_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5229) spin_lock_init(&proc->outer_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5230) get_task_struct(current->group_leader);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5231) proc->tsk = current->group_leader;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5232) eproc->cred = get_cred(filp->f_cred);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5233) INIT_LIST_HEAD(&proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5234) init_waitqueue_head(&proc->freeze_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5235) if (binder_supported_policy(current->policy)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5236) proc->default_priority.sched_policy = current->policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5237) proc->default_priority.prio = current->normal_prio;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5238) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5239) proc->default_priority.sched_policy = SCHED_NORMAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5240) proc->default_priority.prio = NICE_TO_PRIO(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5241) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5242)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5243) /* binderfs stashes devices in i_private */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5244) if (is_binderfs_device(nodp)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5245) binder_dev = nodp->i_private;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5246) info = nodp->i_sb->s_fs_info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5247) binder_binderfs_dir_entry_proc = info->proc_log_dir;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5248) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5249) binder_dev = container_of(filp->private_data,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5250) struct binder_device, miscdev);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5251) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5252) refcount_inc(&binder_dev->ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5253) proc->context = &binder_dev->context;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5254) binder_alloc_init(&proc->alloc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5255)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5256) binder_stats_created(BINDER_STAT_PROC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5257) proc->pid = current->group_leader->pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5258) INIT_LIST_HEAD(&proc->delivered_death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5259) INIT_LIST_HEAD(&proc->waiting_threads);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5260) filp->private_data = proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5261)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5262) mutex_lock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5263) hlist_for_each_entry(itr, &binder_procs, proc_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5264) if (itr->pid == proc->pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5265) existing_pid = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5266) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5267) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5268) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5269) hlist_add_head(&proc->proc_node, &binder_procs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5270) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5271) trace_android_vh_binder_preset(&binder_procs, &binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5272) if (binder_debugfs_dir_entry_proc && !existing_pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5273) char strbuf[11];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5274)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5275) snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5276) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5277) * proc debug entries are shared between contexts.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5278) * Only create for the first PID to avoid debugfs log spamming
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5279) * The printing code will anyway print all contexts for a given
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5280) * PID so this is not a problem.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5281) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5282) proc->debugfs_entry = debugfs_create_file(strbuf, 0444,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5283) binder_debugfs_dir_entry_proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5284) (void *)(unsigned long)proc->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5285) &proc_fops);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5286) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5287)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5288) if (binder_binderfs_dir_entry_proc && !existing_pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5289) char strbuf[11];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5290) struct dentry *binderfs_entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5291)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5292) snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5293) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5294) * Similar to debugfs, the process specific log file is shared
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5295) * between contexts. Only create for the first PID.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5296) * This is ok since same as debugfs, the log file will contain
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5297) * information on all contexts of a given PID.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5298) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5299) binderfs_entry = binderfs_create_file(binder_binderfs_dir_entry_proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5300) strbuf, &proc_fops, (void *)(unsigned long)proc->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5301) if (!IS_ERR(binderfs_entry)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5302) proc->binderfs_entry = binderfs_entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5303) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5304) int error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5305)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5306) error = PTR_ERR(binderfs_entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5307) pr_warn("Unable to create file %s in binderfs (error %d)\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5308) strbuf, error);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5309) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5310) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5311)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5312) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5313) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5314)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5315) static int binder_flush(struct file *filp, fl_owner_t id)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5316) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5317) struct binder_proc *proc = filp->private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5318)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5319) binder_defer_work(proc, BINDER_DEFERRED_FLUSH);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5320)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5321) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5322) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5323)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5324) static void binder_deferred_flush(struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5325) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5326) struct rb_node *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5327) int wake_count = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5328)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5329) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5330) for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5331) struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5332)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5333) thread->looper_need_return = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5334) if (thread->looper & BINDER_LOOPER_STATE_WAITING) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5335) wake_up_interruptible(&thread->wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5336) wake_count++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5337) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5338) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5339) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5340)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5341) binder_debug(BINDER_DEBUG_OPEN_CLOSE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5342) "binder_flush: %d woke %d threads\n", proc->pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5343) wake_count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5344) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5345)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5346) static int binder_release(struct inode *nodp, struct file *filp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5347) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5348) struct binder_proc *proc = filp->private_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5349)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5350) debugfs_remove(proc->debugfs_entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5351)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5352) if (proc->binderfs_entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5353) binderfs_remove_file(proc->binderfs_entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5354) proc->binderfs_entry = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5355) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5356)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5357) binder_defer_work(proc, BINDER_DEFERRED_RELEASE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5358)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5359) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5360) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5361)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5362) static int binder_node_release(struct binder_node *node, int refs)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5363) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5364) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5365) int death = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5366) struct binder_proc *proc = node->proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5367)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5368) binder_release_work(proc, &node->async_todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5369)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5370) binder_node_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5371) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5372) binder_dequeue_work_ilocked(&node->work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5373) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5374) * The caller must have taken a temporary ref on the node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5375) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5376) BUG_ON(!node->tmp_refs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5377) if (hlist_empty(&node->refs) && node->tmp_refs == 1) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5378) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5379) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5380) binder_free_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5381)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5382) return refs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5383) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5384)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5385) node->proc = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5386) node->local_strong_refs = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5387) node->local_weak_refs = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5388) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5389)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5390) spin_lock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5391) hlist_add_head(&node->dead_node, &binder_dead_nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5392) spin_unlock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5393)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5394) hlist_for_each_entry(ref, &node->refs, node_entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5395) refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5396) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5397) * Need the node lock to synchronize
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5398) * with new notification requests and the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5399) * inner lock to synchronize with queued
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5400) * death notifications.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5401) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5402) binder_inner_proc_lock(ref->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5403) if (!ref->death) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5404) binder_inner_proc_unlock(ref->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5405) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5406) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5407)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5408) death++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5409)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5410) BUG_ON(!list_empty(&ref->death->work.entry));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5411) ref->death->work.type = BINDER_WORK_DEAD_BINDER;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5412) binder_enqueue_work_ilocked(&ref->death->work,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5413) &ref->proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5414) binder_wakeup_proc_ilocked(ref->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5415) binder_inner_proc_unlock(ref->proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5416) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5417)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5418) binder_debug(BINDER_DEBUG_DEAD_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5419) "node %d now dead, refs %d, death %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5420) node->debug_id, refs, death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5421) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5422) binder_put_node(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5423)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5424) return refs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5425) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5426)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5427) static void binder_deferred_release(struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5428) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5429) struct binder_context *context = proc->context;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5430) struct rb_node *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5431) int threads, nodes, incoming_refs, outgoing_refs, active_transactions;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5432)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5433) mutex_lock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5434) hlist_del(&proc->proc_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5435) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5436)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5437) mutex_lock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5438) if (context->binder_context_mgr_node &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5439) context->binder_context_mgr_node->proc == proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5440) binder_debug(BINDER_DEBUG_DEAD_BINDER,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5441) "%s: %d context_mgr_node gone\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5442) __func__, proc->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5443) context->binder_context_mgr_node = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5444) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5445) mutex_unlock(&context->context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5446) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5447) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5448) * Make sure proc stays alive after we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5449) * remove all the threads
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5450) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5451) proc->tmp_ref++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5452)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5453) proc->is_dead = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5454) proc->is_frozen = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5455) proc->sync_recv = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5456) proc->async_recv = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5457) threads = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5458) active_transactions = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5459) while ((n = rb_first(&proc->threads))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5460) struct binder_thread *thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5461)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5462) thread = rb_entry(n, struct binder_thread, rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5463) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5464) threads++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5465) active_transactions += binder_thread_release(proc, thread);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5466) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5467) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5468)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5469) nodes = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5470) incoming_refs = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5471) while ((n = rb_first(&proc->nodes))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5472) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5473)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5474) node = rb_entry(n, struct binder_node, rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5475) nodes++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5476) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5477) * take a temporary ref on the node before
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5478) * calling binder_node_release() which will either
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5479) * kfree() the node or call binder_put_node()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5480) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5481) binder_inc_node_tmpref_ilocked(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5482) rb_erase(&node->rb_node, &proc->nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5483) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5484) incoming_refs = binder_node_release(node, incoming_refs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5485) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5486) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5487) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5488)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5489) outgoing_refs = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5490) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5491) while ((n = rb_first(&proc->refs_by_desc))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5492) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5493)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5494) ref = rb_entry(n, struct binder_ref, rb_node_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5495) outgoing_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5496) binder_cleanup_ref_olocked(ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5497) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5498) binder_free_ref(ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5499) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5500) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5501) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5502)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5503) binder_release_work(proc, &proc->todo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5504) binder_release_work(proc, &proc->delivered_death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5505)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5506) binder_debug(BINDER_DEBUG_OPEN_CLOSE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5507) "%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5508) __func__, proc->pid, threads, nodes, incoming_refs,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5509) outgoing_refs, active_transactions);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5510)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5511) binder_proc_dec_tmpref(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5512) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5513)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5514) static void binder_deferred_func(struct work_struct *work)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5515) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5516) struct binder_proc *proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5517)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5518) int defer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5519)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5520) do {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5521) mutex_lock(&binder_deferred_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5522) if (!hlist_empty(&binder_deferred_list)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5523) proc = hlist_entry(binder_deferred_list.first,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5524) struct binder_proc, deferred_work_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5525) hlist_del_init(&proc->deferred_work_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5526) defer = proc->deferred_work;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5527) proc->deferred_work = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5528) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5529) proc = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5530) defer = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5531) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5532) mutex_unlock(&binder_deferred_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5533)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5534) if (defer & BINDER_DEFERRED_FLUSH)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5535) binder_deferred_flush(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5536)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5537) if (defer & BINDER_DEFERRED_RELEASE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5538) binder_deferred_release(proc); /* frees proc */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5539) } while (proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5540) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5541) static DECLARE_WORK(binder_deferred_work, binder_deferred_func);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5542)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5543) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5544) binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5545) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5546) mutex_lock(&binder_deferred_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5547) proc->deferred_work |= defer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5548) if (hlist_unhashed(&proc->deferred_work_node)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5549) hlist_add_head(&proc->deferred_work_node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5550) &binder_deferred_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5551) schedule_work(&binder_deferred_work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5552) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5553) mutex_unlock(&binder_deferred_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5554) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5555)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5556) static void print_binder_transaction_ilocked(struct seq_file *m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5557) struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5558) const char *prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5559) struct binder_transaction *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5560) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5561) struct binder_proc *to_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5562) struct binder_buffer *buffer = t->buffer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5563)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5564) spin_lock(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5565) trace_android_vh_binder_print_transaction_info(m, proc, prefix, t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5566) to_proc = t->to_proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5567) seq_printf(m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5568) "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %d:%d r%d",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5569) prefix, t->debug_id, t,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5570) t->from ? t->from->proc->pid : 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5571) t->from ? t->from->pid : 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5572) to_proc ? to_proc->pid : 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5573) t->to_thread ? t->to_thread->pid : 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5574) t->code, t->flags, t->priority.sched_policy,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5575) t->priority.prio, t->need_reply);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5576) spin_unlock(&t->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5577)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5578) if (proc != to_proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5579) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5580) * Can only safely deref buffer if we are holding the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5581) * correct proc inner lock for this node
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5582) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5583) seq_puts(m, "\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5584) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5585) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5586)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5587) if (buffer == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5588) seq_puts(m, " buffer free\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5589) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5590) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5591) if (buffer->target_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5592) seq_printf(m, " node %d", buffer->target_node->debug_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5593) seq_printf(m, " size %zd:%zd data %pK\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5594) buffer->data_size, buffer->offsets_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5595) buffer->user_data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5596) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5597)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5598) static void print_binder_work_ilocked(struct seq_file *m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5599) struct binder_proc *proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5600) const char *prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5601) const char *transaction_prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5602) struct binder_work *w)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5603) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5604) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5605) struct binder_transaction *t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5606)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5607) switch (w->type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5608) case BINDER_WORK_TRANSACTION:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5609) t = container_of(w, struct binder_transaction, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5610) print_binder_transaction_ilocked(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5611) m, proc, transaction_prefix, t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5612) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5613) case BINDER_WORK_RETURN_ERROR: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5614) struct binder_error *e = container_of(
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5615) w, struct binder_error, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5616)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5617) seq_printf(m, "%stransaction error: %u\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5618) prefix, e->cmd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5619) } break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5620) case BINDER_WORK_TRANSACTION_COMPLETE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5621) seq_printf(m, "%stransaction complete\n", prefix);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5622) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5623) case BINDER_WORK_NODE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5624) node = container_of(w, struct binder_node, work);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5625) seq_printf(m, "%snode work %d: u%016llx c%016llx\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5626) prefix, node->debug_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5627) (u64)node->ptr, (u64)node->cookie);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5628) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5629) case BINDER_WORK_DEAD_BINDER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5630) seq_printf(m, "%shas dead binder\n", prefix);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5631) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5632) case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5633) seq_printf(m, "%shas cleared dead binder\n", prefix);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5634) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5635) case BINDER_WORK_CLEAR_DEATH_NOTIFICATION:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5636) seq_printf(m, "%shas cleared death notification\n", prefix);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5637) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5638) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5639) seq_printf(m, "%sunknown work: type %d\n", prefix, w->type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5640) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5641) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5642) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5643)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5644) static void print_binder_thread_ilocked(struct seq_file *m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5645) struct binder_thread *thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5646) int print_always)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5647) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5648) struct binder_transaction *t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5649) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5650) size_t start_pos = m->count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5651) size_t header_pos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5652)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5653) seq_printf(m, " thread %d: l %02x need_return %d tr %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5654) thread->pid, thread->looper,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5655) thread->looper_need_return,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5656) atomic_read(&thread->tmp_ref));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5657) header_pos = m->count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5658) t = thread->transaction_stack;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5659) while (t) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5660) if (t->from == thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5661) print_binder_transaction_ilocked(m, thread->proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5662) " outgoing transaction", t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5663) t = t->from_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5664) } else if (t->to_thread == thread) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5665) print_binder_transaction_ilocked(m, thread->proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5666) " incoming transaction", t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5667) t = t->to_parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5668) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5669) print_binder_transaction_ilocked(m, thread->proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5670) " bad transaction", t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5671) t = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5672) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5673) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5674) list_for_each_entry(w, &thread->todo, entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5675) print_binder_work_ilocked(m, thread->proc, " ",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5676) " pending transaction", w);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5677) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5678) if (!print_always && m->count == header_pos)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5679) m->count = start_pos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5680) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5681)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5682) static void print_binder_node_nilocked(struct seq_file *m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5683) struct binder_node *node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5684) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5685) struct binder_ref *ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5686) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5687) int count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5688)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5689) count = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5690) hlist_for_each_entry(ref, &node->refs, node_entry)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5691) count++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5692)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5693) seq_printf(m, " node %d: u%016llx c%016llx pri %d:%d hs %d hw %d ls %d lw %d is %d iw %d tr %d",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5694) node->debug_id, (u64)node->ptr, (u64)node->cookie,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5695) node->sched_policy, node->min_priority,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5696) node->has_strong_ref, node->has_weak_ref,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5697) node->local_strong_refs, node->local_weak_refs,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5698) node->internal_strong_refs, count, node->tmp_refs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5699) if (count) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5700) seq_puts(m, " proc");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5701) hlist_for_each_entry(ref, &node->refs, node_entry)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5702) seq_printf(m, " %d", ref->proc->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5703) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5704) seq_puts(m, "\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5705) if (node->proc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5706) list_for_each_entry(w, &node->async_todo, entry)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5707) print_binder_work_ilocked(m, node->proc, " ",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5708) " pending async transaction", w);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5709) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5710) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5711)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5712) static void print_binder_ref_olocked(struct seq_file *m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5713) struct binder_ref *ref)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5714) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5715) binder_node_lock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5716) seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %pK\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5717) ref->data.debug_id, ref->data.desc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5718) ref->node->proc ? "" : "dead ",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5719) ref->node->debug_id, ref->data.strong,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5720) ref->data.weak, ref->death);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5721) binder_node_unlock(ref->node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5722) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5723)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5724) static void print_binder_proc(struct seq_file *m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5725) struct binder_proc *proc, int print_all)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5726) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5727) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5728) struct rb_node *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5729) size_t start_pos = m->count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5730) size_t header_pos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5731) struct binder_node *last_node = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5732)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5733) seq_printf(m, "proc %d\n", proc->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5734) seq_printf(m, "context %s\n", proc->context->name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5735) header_pos = m->count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5736)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5737) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5738) for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5739) print_binder_thread_ilocked(m, rb_entry(n, struct binder_thread,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5740) rb_node), print_all);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5741)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5742) for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5743) struct binder_node *node = rb_entry(n, struct binder_node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5744) rb_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5745) if (!print_all && !node->has_async_transaction)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5746) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5747)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5748) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5749) * take a temporary reference on the node so it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5750) * survives and isn't removed from the tree
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5751) * while we print it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5752) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5753) binder_inc_node_tmpref_ilocked(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5754) /* Need to drop inner lock to take node lock */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5755) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5756) if (last_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5757) binder_put_node(last_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5758) binder_node_inner_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5759) print_binder_node_nilocked(m, node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5760) binder_node_inner_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5761) last_node = node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5762) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5763) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5764) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5765) if (last_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5766) binder_put_node(last_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5767)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5768) if (print_all) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5769) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5770) for (n = rb_first(&proc->refs_by_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5771) n != NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5772) n = rb_next(n))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5773) print_binder_ref_olocked(m, rb_entry(n,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5774) struct binder_ref,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5775) rb_node_desc));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5776) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5777) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5778) binder_alloc_print_allocated(m, &proc->alloc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5779) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5780) list_for_each_entry(w, &proc->todo, entry)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5781) print_binder_work_ilocked(m, proc, " ",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5782) " pending transaction", w);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5783) list_for_each_entry(w, &proc->delivered_death, entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5784) seq_puts(m, " has delivered dead binder\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5785) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5786) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5787) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5788) if (!print_all && m->count == header_pos)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5789) m->count = start_pos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5790) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5791)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5792) static const char * const binder_return_strings[] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5793) "BR_ERROR",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5794) "BR_OK",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5795) "BR_TRANSACTION",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5796) "BR_REPLY",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5797) "BR_ACQUIRE_RESULT",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5798) "BR_DEAD_REPLY",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5799) "BR_TRANSACTION_COMPLETE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5800) "BR_INCREFS",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5801) "BR_ACQUIRE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5802) "BR_RELEASE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5803) "BR_DECREFS",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5804) "BR_ATTEMPT_ACQUIRE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5805) "BR_NOOP",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5806) "BR_SPAWN_LOOPER",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5807) "BR_FINISHED",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5808) "BR_DEAD_BINDER",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5809) "BR_CLEAR_DEATH_NOTIFICATION_DONE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5810) "BR_FAILED_REPLY",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5811) "BR_FROZEN_REPLY",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5812) "BR_ONEWAY_SPAM_SUSPECT",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5813) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5814)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5815) static const char * const binder_command_strings[] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5816) "BC_TRANSACTION",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5817) "BC_REPLY",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5818) "BC_ACQUIRE_RESULT",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5819) "BC_FREE_BUFFER",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5820) "BC_INCREFS",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5821) "BC_ACQUIRE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5822) "BC_RELEASE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5823) "BC_DECREFS",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5824) "BC_INCREFS_DONE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5825) "BC_ACQUIRE_DONE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5826) "BC_ATTEMPT_ACQUIRE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5827) "BC_REGISTER_LOOPER",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5828) "BC_ENTER_LOOPER",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5829) "BC_EXIT_LOOPER",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5830) "BC_REQUEST_DEATH_NOTIFICATION",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5831) "BC_CLEAR_DEATH_NOTIFICATION",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5832) "BC_DEAD_BINDER_DONE",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5833) "BC_TRANSACTION_SG",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5834) "BC_REPLY_SG",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5835) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5836)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5837) static const char * const binder_objstat_strings[] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5838) "proc",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5839) "thread",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5840) "node",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5841) "ref",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5842) "death",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5843) "transaction",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5844) "transaction_complete"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5845) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5846)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5847) static void print_binder_stats(struct seq_file *m, const char *prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5848) struct binder_stats *stats)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5849) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5850) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5851)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5852) BUILD_BUG_ON(ARRAY_SIZE(stats->bc) !=
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5853) ARRAY_SIZE(binder_command_strings));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5854) for (i = 0; i < ARRAY_SIZE(stats->bc); i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5855) int temp = atomic_read(&stats->bc[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5856)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5857) if (temp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5858) seq_printf(m, "%s%s: %d\n", prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5859) binder_command_strings[i], temp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5860) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5861)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5862) BUILD_BUG_ON(ARRAY_SIZE(stats->br) !=
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5863) ARRAY_SIZE(binder_return_strings));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5864) for (i = 0; i < ARRAY_SIZE(stats->br); i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5865) int temp = atomic_read(&stats->br[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5866)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5867) if (temp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5868) seq_printf(m, "%s%s: %d\n", prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5869) binder_return_strings[i], temp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5870) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5871)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5872) BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5873) ARRAY_SIZE(binder_objstat_strings));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5874) BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5875) ARRAY_SIZE(stats->obj_deleted));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5876) for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5877) int created = atomic_read(&stats->obj_created[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5878) int deleted = atomic_read(&stats->obj_deleted[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5879)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5880) if (created || deleted)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5881) seq_printf(m, "%s%s: active %d total %d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5882) prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5883) binder_objstat_strings[i],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5884) created - deleted,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5885) created);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5886) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5887) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5888)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5889) static void print_binder_proc_stats(struct seq_file *m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5890) struct binder_proc *proc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5891) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5892) struct binder_work *w;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5893) struct binder_thread *thread;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5894) struct rb_node *n;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5895) int count, strong, weak, ready_threads;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5896) size_t free_async_space =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5897) binder_alloc_get_free_async_space(&proc->alloc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5898)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5899) seq_printf(m, "proc %d\n", proc->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5900) seq_printf(m, "context %s\n", proc->context->name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5901) count = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5902) ready_threads = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5903) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5904) for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5905) count++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5906)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5907) list_for_each_entry(thread, &proc->waiting_threads, waiting_thread_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5908) ready_threads++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5909)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5910) seq_printf(m, " threads: %d\n", count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5911) seq_printf(m, " requested threads: %d+%d/%d\n"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5912) " ready threads %d\n"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5913) " free async space %zd\n", proc->requested_threads,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5914) proc->requested_threads_started, proc->max_threads,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5915) ready_threads,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5916) free_async_space);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5917) count = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5918) for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5919) count++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5920) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5921) seq_printf(m, " nodes: %d\n", count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5922) count = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5923) strong = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5924) weak = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5925) binder_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5926) for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5927) struct binder_ref *ref = rb_entry(n, struct binder_ref,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5928) rb_node_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5929) count++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5930) strong += ref->data.strong;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5931) weak += ref->data.weak;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5932) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5933) binder_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5934) seq_printf(m, " refs: %d s %d w %d\n", count, strong, weak);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5935)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5936) count = binder_alloc_get_allocated_count(&proc->alloc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5937) seq_printf(m, " buffers: %d\n", count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5938)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5939) binder_alloc_print_pages(m, &proc->alloc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5940)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5941) count = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5942) binder_inner_proc_lock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5943) list_for_each_entry(w, &proc->todo, entry) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5944) if (w->type == BINDER_WORK_TRANSACTION)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5945) count++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5946) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5947) binder_inner_proc_unlock(proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5948) seq_printf(m, " pending transactions: %d\n", count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5949)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5950) print_binder_stats(m, " ", &proc->stats);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5951) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5952)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5953)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5954) int binder_state_show(struct seq_file *m, void *unused)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5955) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5956) struct binder_proc *proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5957) struct binder_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5958) struct binder_node *last_node = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5959)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5960) seq_puts(m, "binder state:\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5961)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5962) spin_lock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5963) if (!hlist_empty(&binder_dead_nodes))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5964) seq_puts(m, "dead nodes:\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5965) hlist_for_each_entry(node, &binder_dead_nodes, dead_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5966) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5967) * take a temporary reference on the node so it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5968) * survives and isn't removed from the list
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5969) * while we print it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5970) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5971) node->tmp_refs++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5972) spin_unlock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5973) if (last_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5974) binder_put_node(last_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5975) binder_node_lock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5976) print_binder_node_nilocked(m, node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5977) binder_node_unlock(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5978) last_node = node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5979) spin_lock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5980) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5981) spin_unlock(&binder_dead_nodes_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5982) if (last_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5983) binder_put_node(last_node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5984)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5985) mutex_lock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5986) hlist_for_each_entry(proc, &binder_procs, proc_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5987) print_binder_proc(m, proc, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5988) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5989)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5990) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5991) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5992)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5993) int binder_stats_show(struct seq_file *m, void *unused)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5994) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5995) struct binder_proc *proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5996)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5997) seq_puts(m, "binder stats:\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5998)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5999) print_binder_stats(m, "", &binder_stats);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6000)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6001) mutex_lock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6002) hlist_for_each_entry(proc, &binder_procs, proc_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6003) print_binder_proc_stats(m, proc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6004) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6005)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6006) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6007) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6008)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6009) int binder_transactions_show(struct seq_file *m, void *unused)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6010) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6011) struct binder_proc *proc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6012)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6013) seq_puts(m, "binder transactions:\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6014) mutex_lock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6015) hlist_for_each_entry(proc, &binder_procs, proc_node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6016) print_binder_proc(m, proc, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6017) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6018)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6019) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6020) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6021)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6022) static int proc_show(struct seq_file *m, void *unused)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6023) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6024) struct binder_proc *itr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6025) int pid = (unsigned long)m->private;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6026)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6027) mutex_lock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6028) hlist_for_each_entry(itr, &binder_procs, proc_node) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6029) if (itr->pid == pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6030) seq_puts(m, "binder proc state:\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6031) print_binder_proc(m, itr, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6032) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6033) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6034) mutex_unlock(&binder_procs_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6035)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6036) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6037) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6038)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6039) static void print_binder_transaction_log_entry(struct seq_file *m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6040) struct binder_transaction_log_entry *e)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6041) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6042) int debug_id = READ_ONCE(e->debug_id_done);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6043) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6044) * read barrier to guarantee debug_id_done read before
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6045) * we print the log values
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6046) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6047) smp_rmb();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6048) seq_printf(m,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6049) "%d: %s from %d:%d to %d:%d context %s node %d handle %d size %d:%d ret %d/%d l=%d",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6050) e->debug_id, (e->call_type == 2) ? "reply" :
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6051) ((e->call_type == 1) ? "async" : "call "), e->from_proc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6052) e->from_thread, e->to_proc, e->to_thread, e->context_name,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6053) e->to_node, e->target_handle, e->data_size, e->offsets_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6054) e->return_error, e->return_error_param,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6055) e->return_error_line);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6056) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6057) * read-barrier to guarantee read of debug_id_done after
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6058) * done printing the fields of the entry
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6059) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6060) smp_rmb();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6061) seq_printf(m, debug_id && debug_id == READ_ONCE(e->debug_id_done) ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6062) "\n" : " (incomplete)\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6063) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6064)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6065) int binder_transaction_log_show(struct seq_file *m, void *unused)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6066) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6067) struct binder_transaction_log *log = m->private;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6068) unsigned int log_cur = atomic_read(&log->cur);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6069) unsigned int count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6070) unsigned int cur;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6071) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6072)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6073) count = log_cur + 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6074) cur = count < ARRAY_SIZE(log->entry) && !log->full ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6075) 0 : count % ARRAY_SIZE(log->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6076) if (count > ARRAY_SIZE(log->entry) || log->full)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6077) count = ARRAY_SIZE(log->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6078) for (i = 0; i < count; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6079) unsigned int index = cur++ % ARRAY_SIZE(log->entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6080)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6081) print_binder_transaction_log_entry(m, &log->entry[index]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6082) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6083) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6084) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6085)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6086) const struct file_operations binder_fops = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6087) .owner = THIS_MODULE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6088) .poll = binder_poll,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6089) .unlocked_ioctl = binder_ioctl,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6090) .compat_ioctl = compat_ptr_ioctl,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6091) .mmap = binder_mmap,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6092) .open = binder_open,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6093) .flush = binder_flush,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6094) .release = binder_release,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6095) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6096)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6097) static int __init init_binder_device(const char *name)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6098) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6099) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6100) struct binder_device *binder_device;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6101)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6102) binder_device = kzalloc(sizeof(*binder_device), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6103) if (!binder_device)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6104) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6105)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6106) binder_device->miscdev.fops = &binder_fops;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6107) binder_device->miscdev.minor = MISC_DYNAMIC_MINOR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6108) binder_device->miscdev.name = name;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6109)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6110) refcount_set(&binder_device->ref, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6111) binder_device->context.binder_context_mgr_uid = INVALID_UID;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6112) binder_device->context.name = name;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6113) mutex_init(&binder_device->context.context_mgr_node_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6114)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6115) ret = misc_register(&binder_device->miscdev);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6116) if (ret < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6117) kfree(binder_device);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6118) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6119) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6120)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6121) hlist_add_head(&binder_device->hlist, &binder_devices);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6122)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6123) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6124) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6125)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6126) static int __init binder_init(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6127) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6128) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6129) char *device_name, *device_tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6130) struct binder_device *device;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6131) struct hlist_node *tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6132) char *device_names = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6133)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6134) ret = binder_alloc_shrinker_init();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6135) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6136) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6137)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6138) atomic_set(&binder_transaction_log.cur, ~0U);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6139) atomic_set(&binder_transaction_log_failed.cur, ~0U);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6140)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6141) binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6142) if (binder_debugfs_dir_entry_root)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6143) binder_debugfs_dir_entry_proc = debugfs_create_dir("proc",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6144) binder_debugfs_dir_entry_root);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6145)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6146) if (binder_debugfs_dir_entry_root) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6147) debugfs_create_file("state",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6148) 0444,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6149) binder_debugfs_dir_entry_root,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6150) NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6151) &binder_state_fops);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6152) debugfs_create_file("stats",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6153) 0444,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6154) binder_debugfs_dir_entry_root,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6155) NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6156) &binder_stats_fops);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6157) debugfs_create_file("transactions",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6158) 0444,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6159) binder_debugfs_dir_entry_root,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6160) NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6161) &binder_transactions_fops);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6162) debugfs_create_file("transaction_log",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6163) 0444,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6164) binder_debugfs_dir_entry_root,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6165) &binder_transaction_log,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6166) &binder_transaction_log_fops);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6167) debugfs_create_file("failed_transaction_log",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6168) 0444,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6169) binder_debugfs_dir_entry_root,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6170) &binder_transaction_log_failed,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6171) &binder_transaction_log_fops);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6172) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6173)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6174) if (!IS_ENABLED(CONFIG_ANDROID_BINDERFS) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6175) strcmp(binder_devices_param, "") != 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6176) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6177) * Copy the module_parameter string, because we don't want to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6178) * tokenize it in-place.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6179) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6180) device_names = kstrdup(binder_devices_param, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6181) if (!device_names) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6182) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6183) goto err_alloc_device_names_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6184) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6185)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6186) device_tmp = device_names;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6187) while ((device_name = strsep(&device_tmp, ","))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6188) ret = init_binder_device(device_name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6189) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6190) goto err_init_binder_device_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6191) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6192) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6193)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6194) ret = init_binderfs();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6195) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6196) goto err_init_binder_device_failed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6197)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6198) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6199)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6200) err_init_binder_device_failed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6201) hlist_for_each_entry_safe(device, tmp, &binder_devices, hlist) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6202) misc_deregister(&device->miscdev);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6203) hlist_del(&device->hlist);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6204) kfree(device);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6205) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6206)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6207) kfree(device_names);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6208)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6209) err_alloc_device_names_failed:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6210) debugfs_remove_recursive(binder_debugfs_dir_entry_root);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6211)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6212) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6213) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6214)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6215) device_initcall(binder_init);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6216)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6217) #define CREATE_TRACE_POINTS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6218) #include "binder_trace.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6219) EXPORT_TRACEPOINT_SYMBOL_GPL(binder_transaction_received);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6220)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6221) MODULE_LICENSE("GPL v2");
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags