1
// SPDX-License-Identifier: GPL-2.0-only
2
/* binder.c
3
 *
4
 * Android IPC Subsystem
5
 *
6
 * Copyright (C) 2007-2008 Google, Inc.
7
 */
8

9
/*
10
 * Locking overview
11
 *
12
 * There are 3 main spinlocks which must be acquired in the
13
 * order shown:
14
 *
15
 * 1) proc->outer_lock : protects binder_ref
16
 *    binder_proc_lock() and binder_proc_unlock() are
17
 *    used to acq/rel.
18
 * 2) node->lock : protects most fields of binder_node.
19
 *    binder_node_lock() and binder_node_unlock() are
20
 *    used to acq/rel
21
 * 3) proc->inner_lock : protects the thread and node lists
22
 *    (proc->threads, proc->waiting_threads, proc->nodes)
23
 *    and all todo lists associated with the binder_proc
24
 *    (proc->todo, thread->todo, proc->delivered_death and
25
 *    node->async_todo), as well as thread->transaction_stack
26
 *    binder_inner_proc_lock() and binder_inner_proc_unlock()
27
 *    are used to acq/rel
28
 *
29
 * Any lock under procA must never be nested under any lock at the same
30
 * level or below on procB.
31
 *
32
 * Functions that require a lock held on entry indicate which lock
33
 * in the suffix of the function name:
34
 *
35
 * foo_olocked() : requires node->outer_lock
36
 * foo_nlocked() : requires node->lock
37
 * foo_ilocked() : requires proc->inner_lock
38
 * foo_oilocked(): requires proc->outer_lock and proc->inner_lock
39
 * foo_nilocked(): requires node->lock and proc->inner_lock
40
 * ...
41
 */
42

43
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
44

45
#include <linux/fdtable.h>
46
#include <linux/file.h>
47
#include <linux/freezer.h>
48
#include <linux/fs.h>
49
#include <linux/list.h>
50
#include <linux/miscdevice.h>
51
#include <linux/module.h>
52
#include <linux/mutex.h>
53
#include <linux/nsproxy.h>
54
#include <linux/poll.h>
55
#include <linux/debugfs.h>
56
#include <linux/rbtree.h>
57
#include <linux/sched/signal.h>
58
#include <linux/sched/mm.h>
59
#include <linux/seq_file.h>
60
#include <linux/string.h>
61
#include <linux/uaccess.h>
62
#include <linux/pid_namespace.h>
63
#include <linux/security.h>
64
#include <linux/spinlock.h>
65
#include <linux/ratelimit.h>
66
#include <linux/syscalls.h>
67
#include <linux/task_work.h>
68
#include <linux/sizes.h>
69
#include <linux/ktime.h>
70

71
#include <kunit/visibility.h>
72

73
#include <uapi/linux/android/binder.h>
74

75
#include <linux/cacheflush.h>
76

77
#include "binder_netlink.h"
78
#include "binder_internal.h"
79
#include "binder_trace.h"
80

81
static HLIST_HEAD(binder_deferred_list);
82
static DEFINE_MUTEX(binder_deferred_lock);
83

84
static HLIST_HEAD(binder_devices);
85
static DEFINE_SPINLOCK(binder_devices_lock);
86

87
static HLIST_HEAD(binder_procs);
88
static DEFINE_MUTEX(binder_procs_lock);
89

90
static HLIST_HEAD(binder_dead_nodes);
91
static DEFINE_SPINLOCK(binder_dead_nodes_lock);
92

93
static struct dentry *binder_debugfs_dir_entry_root;
94
static struct dentry *binder_debugfs_dir_entry_proc;
95
static atomic_t binder_last_id;
96

97
static int proc_show(struct seq_file *m, void *unused);
98
DEFINE_SHOW_ATTRIBUTE(proc);
99

100
#define FORBIDDEN_MMAP_FLAGS                (VM_WRITE)
101

102
enum {
103
	BINDER_DEBUG_USER_ERROR             = 1U << 0,
104
	BINDER_DEBUG_FAILED_TRANSACTION     = 1U << 1,
105
	BINDER_DEBUG_DEAD_TRANSACTION       = 1U << 2,
106
	BINDER_DEBUG_OPEN_CLOSE             = 1U << 3,
107
	BINDER_DEBUG_DEAD_BINDER            = 1U << 4,
108
	BINDER_DEBUG_DEATH_NOTIFICATION     = 1U << 5,
109
	BINDER_DEBUG_READ_WRITE             = 1U << 6,
110
	BINDER_DEBUG_USER_REFS              = 1U << 7,
111
	BINDER_DEBUG_THREADS                = 1U << 8,
112
	BINDER_DEBUG_TRANSACTION            = 1U << 9,
113
	BINDER_DEBUG_TRANSACTION_COMPLETE   = 1U << 10,
114
	BINDER_DEBUG_FREE_BUFFER            = 1U << 11,
115
	BINDER_DEBUG_INTERNAL_REFS          = 1U << 12,
116
	BINDER_DEBUG_PRIORITY_CAP           = 1U << 13,
117
	BINDER_DEBUG_SPINLOCKS              = 1U << 14,
118
};
119
static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR |
120
	BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION;
121
module_param_named(debug_mask, binder_debug_mask, uint, 0644);
122

123
char *binder_devices_param = CONFIG_ANDROID_BINDER_DEVICES;
124
module_param_named(devices, binder_devices_param, charp, 0444);
125

126
static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait);
127
static int binder_stop_on_user_error;
128

129
static int binder_set_stop_on_user_error(const char *val,
130
					 const struct kernel_param *kp)
131
{
132
	int ret;
133

134
	ret = param_set_int(val, kp);
135
	if (binder_stop_on_user_error < 2)
136
		wake_up(&binder_user_error_wait);
137
	return ret;
138
}
139
module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
140
	param_get_int, &binder_stop_on_user_error, 0644);
141

142
static __printf(2, 3) void binder_debug(int mask, const char *format, ...)
143
{
144
	struct va_format vaf;
145
	va_list args;
146

147
	if (binder_debug_mask & mask) {
148
		va_start(args, format);
149
		vaf.va = &args;
150
		vaf.fmt = format;
151
		pr_info_ratelimited("%pV", &vaf);
152
		va_end(args);
153
	}
154
}
155

156
#define binder_txn_error(x...) \
157
	binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, x)
158

159
static __printf(1, 2) void binder_user_error(const char *format, ...)
160
{
161
	struct va_format vaf;
162
	va_list args;
163

164
	if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) {
165
		va_start(args, format);
166
		vaf.va = &args;
167
		vaf.fmt = format;
168
		pr_info_ratelimited("%pV", &vaf);
169
		va_end(args);
170
	}
171

172
	if (binder_stop_on_user_error)
173
		binder_stop_on_user_error = 2;
174
}
175

176
#define binder_set_extended_error(ee, _id, _command, _param) \
177
	do { \
178
		(ee)->id = _id; \
179
		(ee)->command = _command; \
180
		(ee)->param = _param; \
181
	} while (0)
182

183
#define to_flat_binder_object(hdr) \
184
	container_of(hdr, struct flat_binder_object, hdr)
185

186
#define to_binder_fd_object(hdr) container_of(hdr, struct binder_fd_object, hdr)
187

188
#define to_binder_buffer_object(hdr) \
189
	container_of(hdr, struct binder_buffer_object, hdr)
190

191
#define to_binder_fd_array_object(hdr) \
192
	container_of(hdr, struct binder_fd_array_object, hdr)
193

194
static struct binder_stats binder_stats;
195

196
static inline void binder_stats_deleted(enum binder_stat_types type)
197
{
198
	atomic_inc(&binder_stats.obj_deleted[type]);
199
}
200

201
static inline void binder_stats_created(enum binder_stat_types type)
202
{
203
	atomic_inc(&binder_stats.obj_created[type]);
204
}
205

206
struct binder_transaction_log_entry {
207
	int debug_id;
208
	int debug_id_done;
209
	int call_type;
210
	int from_proc;
211
	int from_thread;
212
	int target_handle;
213
	int to_proc;
214
	int to_thread;
215
	int to_node;
216
	int data_size;
217
	int offsets_size;
218
	int return_error_line;
219
	uint32_t return_error;
220
	uint32_t return_error_param;
221
	char context_name[BINDERFS_MAX_NAME + 1];
222
};
223

224
struct binder_transaction_log {
225
	atomic_t cur;
226
	bool full;
227
	struct binder_transaction_log_entry entry[32];
228
};
229

230
static struct binder_transaction_log binder_transaction_log;
231
static struct binder_transaction_log binder_transaction_log_failed;
232

233
static struct binder_transaction_log_entry *binder_transaction_log_add(
234
	struct binder_transaction_log *log)
235
{
236
	struct binder_transaction_log_entry *e;
237
	unsigned int cur = atomic_inc_return(&log->cur);
238

239
	if (cur >= ARRAY_SIZE(log->entry))
240
		log->full = true;
241
	e = &log->entry[cur % ARRAY_SIZE(log->entry)];
242
	WRITE_ONCE(e->debug_id_done, 0);
243
	/*
244
	 * write-barrier to synchronize access to e->debug_id_done.
245
	 * We make sure the initialized 0 value is seen before
246
	 * memset() other fields are zeroed by memset.
247
	 */
248
	smp_wmb();
249
	memset(e, 0, sizeof(*e));
250
	return e;
251
}
252

253
enum binder_deferred_state {
254
	BINDER_DEFERRED_FLUSH        = 0x01,
255
	BINDER_DEFERRED_RELEASE      = 0x02,
256
};
257

258
enum {
259
	BINDER_LOOPER_STATE_REGISTERED  = 0x01,
260
	BINDER_LOOPER_STATE_ENTERED     = 0x02,
261
	BINDER_LOOPER_STATE_EXITED      = 0x04,
262
	BINDER_LOOPER_STATE_INVALID     = 0x08,
263
	BINDER_LOOPER_STATE_WAITING     = 0x10,
264
	BINDER_LOOPER_STATE_POLL        = 0x20,
265
};
266

267
/**
268
 * binder_proc_lock() - Acquire outer lock for given binder_proc
269
 * @proc:         struct binder_proc to acquire
270
 *
271
 * Acquires proc->outer_lock. Used to protect binder_ref
272
 * structures associated with the given proc.
273
 */
274
#define binder_proc_lock(proc) _binder_proc_lock(proc, __LINE__)
275
static void
276
_binder_proc_lock(struct binder_proc *proc, int line)
277
	__acquires(&proc->outer_lock)
278
{
279
	binder_debug(BINDER_DEBUG_SPINLOCKS,
280
		     "%s: line=%d\n", __func__, line);
281
	spin_lock(&proc->outer_lock);
282
}
283

284
/**
285
 * binder_proc_unlock() - Release outer lock for given binder_proc
286
 * @proc:                struct binder_proc to acquire
287
 *
288
 * Release lock acquired via binder_proc_lock()
289
 */
290
#define binder_proc_unlock(proc) _binder_proc_unlock(proc, __LINE__)
291
static void
292
_binder_proc_unlock(struct binder_proc *proc, int line)
293
	__releases(&proc->outer_lock)
294
{
295
	binder_debug(BINDER_DEBUG_SPINLOCKS,
296
		     "%s: line=%d\n", __func__, line);
297
	spin_unlock(&proc->outer_lock);
298
}
299

300
/**
301
 * binder_inner_proc_lock() - Acquire inner lock for given binder_proc
302
 * @proc:         struct binder_proc to acquire
303
 *
304
 * Acquires proc->inner_lock. Used to protect todo lists
305
 */
306
#define binder_inner_proc_lock(proc) _binder_inner_proc_lock(proc, __LINE__)
307
static void
308
_binder_inner_proc_lock(struct binder_proc *proc, int line)
309
	__acquires(&proc->inner_lock)
310
{
311
	binder_debug(BINDER_DEBUG_SPINLOCKS,
312
		     "%s: line=%d\n", __func__, line);
313
	spin_lock(&proc->inner_lock);
314
}
315

316
/**
317
 * binder_inner_proc_unlock() - Release inner lock for given binder_proc
318
 * @proc:         struct binder_proc to acquire
319
 *
320
 * Release lock acquired via binder_inner_proc_lock()
321
 */
322
#define binder_inner_proc_unlock(proc) _binder_inner_proc_unlock(proc, __LINE__)
323
static void
324
_binder_inner_proc_unlock(struct binder_proc *proc, int line)
325
	__releases(&proc->inner_lock)
326
{
327
	binder_debug(BINDER_DEBUG_SPINLOCKS,
328
		     "%s: line=%d\n", __func__, line);
329
	spin_unlock(&proc->inner_lock);
330
}
331

332
/**
333
 * binder_node_lock() - Acquire spinlock for given binder_node
334
 * @node:         struct binder_node to acquire
335
 *
336
 * Acquires node->lock. Used to protect binder_node fields
337
 */
338
#define binder_node_lock(node) _binder_node_lock(node, __LINE__)
339
static void
340
_binder_node_lock(struct binder_node *node, int line)
341
	__acquires(&node->lock)
342
{
343
	binder_debug(BINDER_DEBUG_SPINLOCKS,
344
		     "%s: line=%d\n", __func__, line);
345
	spin_lock(&node->lock);
346
}
347

348
/**
349
 * binder_node_unlock() - Release spinlock for given binder_proc
350
 * @node:         struct binder_node to acquire
351
 *
352
 * Release lock acquired via binder_node_lock()
353
 */
354
#define binder_node_unlock(node) _binder_node_unlock(node, __LINE__)
355
static void
356
_binder_node_unlock(struct binder_node *node, int line)
357
	__releases(&node->lock)
358
{
359
	binder_debug(BINDER_DEBUG_SPINLOCKS,
360
		     "%s: line=%d\n", __func__, line);
361
	spin_unlock(&node->lock);
362
}
363

364
/**
365
 * binder_node_inner_lock() - Acquire node and inner locks
366
 * @node:         struct binder_node to acquire
367
 *
368
 * Acquires node->lock. If node->proc also acquires
369
 * proc->inner_lock. Used to protect binder_node fields
370
 */
371
#define binder_node_inner_lock(node) _binder_node_inner_lock(node, __LINE__)
372
static void
373
_binder_node_inner_lock(struct binder_node *node, int line)
374
	__acquires(&node->lock) __acquires(&node->proc->inner_lock)
375
{
376
	binder_debug(BINDER_DEBUG_SPINLOCKS,
377
		     "%s: line=%d\n", __func__, line);
378
	spin_lock(&node->lock);
379
	if (node->proc)
380
		binder_inner_proc_lock(node->proc);
381
	else
382
		/* annotation for sparse */
383
		__acquire(&node->proc->inner_lock);
384
}
385

386
/**
387
 * binder_node_inner_unlock() - Release node and inner locks
388
 * @node:         struct binder_node to acquire
389
 *
390
 * Release lock acquired via binder_node_lock()
391
 */
392
#define binder_node_inner_unlock(node) _binder_node_inner_unlock(node, __LINE__)
393
static void
394
_binder_node_inner_unlock(struct binder_node *node, int line)
395
	__releases(&node->lock) __releases(&node->proc->inner_lock)
396
{
397
	struct binder_proc *proc = node->proc;
398

399
	binder_debug(BINDER_DEBUG_SPINLOCKS,
400
		     "%s: line=%d\n", __func__, line);
401
	if (proc)
402
		binder_inner_proc_unlock(proc);
403
	else
404
		/* annotation for sparse */
405
		__release(&node->proc->inner_lock);
406
	spin_unlock(&node->lock);
407
}
408

409
static bool binder_worklist_empty_ilocked(struct list_head *list)
410
{
411
	return list_empty(list);
412
}
413

414
/**
415
 * binder_worklist_empty() - Check if no items on the work list
416
 * @proc:       binder_proc associated with list
417
 * @list:	list to check
418
 *
419
 * Return: true if there are no items on list, else false
420
 */
421
static bool binder_worklist_empty(struct binder_proc *proc,
422
				  struct list_head *list)
423
{
424
	bool ret;
425

426
	binder_inner_proc_lock(proc);
427
	ret = binder_worklist_empty_ilocked(list);
428
	binder_inner_proc_unlock(proc);
429
	return ret;
430
}
431

432
/**
433
 * binder_enqueue_work_ilocked() - Add an item to the work list
434
 * @work:         struct binder_work to add to list
435
 * @target_list:  list to add work to
436
 *
437
 * Adds the work to the specified list. Asserts that work
438
 * is not already on a list.
439
 *
440
 * Requires the proc->inner_lock to be held.
441
 */
442
static void
443
binder_enqueue_work_ilocked(struct binder_work *work,
444
			   struct list_head *target_list)
445
{
446
	BUG_ON(target_list == NULL);
447
	BUG_ON(work->entry.next && !list_empty(&work->entry));
448
	list_add_tail(&work->entry, target_list);
449
}
450

451
/**
452
 * binder_enqueue_deferred_thread_work_ilocked() - Add deferred thread work
453
 * @thread:       thread to queue work to
454
 * @work:         struct binder_work to add to list
455
 *
456
 * Adds the work to the todo list of the thread. Doesn't set the process_todo
457
 * flag, which means that (if it wasn't already set) the thread will go to
458
 * sleep without handling this work when it calls read.
459
 *
460
 * Requires the proc->inner_lock to be held.
461
 */
462
static void
463
binder_enqueue_deferred_thread_work_ilocked(struct binder_thread *thread,
464
					    struct binder_work *work)
465
{
466
	WARN_ON(!list_empty(&thread->waiting_thread_node));
467
	binder_enqueue_work_ilocked(work, &thread->todo);
468
}
469

470
/**
471
 * binder_enqueue_thread_work_ilocked() - Add an item to the thread work list
472
 * @thread:       thread to queue work to
473
 * @work:         struct binder_work to add to list
474
 *
475
 * Adds the work to the todo list of the thread, and enables processing
476
 * of the todo queue.
477
 *
478
 * Requires the proc->inner_lock to be held.
479
 */
480
static void
481
binder_enqueue_thread_work_ilocked(struct binder_thread *thread,
482
				   struct binder_work *work)
483
{
484
	WARN_ON(!list_empty(&thread->waiting_thread_node));
485
	binder_enqueue_work_ilocked(work, &thread->todo);
486

487
	/* (e)poll-based threads require an explicit wakeup signal when
488
	 * queuing their own work; they rely on these events to consume
489
	 * messages without I/O block. Without it, threads risk waiting
490
	 * indefinitely without handling the work.
491
	 */
492
	if (thread->looper & BINDER_LOOPER_STATE_POLL &&
493
	    thread->pid == current->pid && !thread->process_todo)
494
		wake_up_interruptible_sync(&thread->wait);
495

496
	thread->process_todo = true;
497
}
498

499
/**
500
 * binder_enqueue_thread_work() - Add an item to the thread work list
501
 * @thread:       thread to queue work to
502
 * @work:         struct binder_work to add to list
503
 *
504
 * Adds the work to the todo list of the thread, and enables processing
505
 * of the todo queue.
506
 */
507
static void
508
binder_enqueue_thread_work(struct binder_thread *thread,
509
			   struct binder_work *work)
510
{
511
	binder_inner_proc_lock(thread->proc);
512
	binder_enqueue_thread_work_ilocked(thread, work);
513
	binder_inner_proc_unlock(thread->proc);
514
}
515

516
static void
517
binder_dequeue_work_ilocked(struct binder_work *work)
518
{
519
	list_del_init(&work->entry);
520
}
521

522
/**
523
 * binder_dequeue_work() - Removes an item from the work list
524
 * @proc:         binder_proc associated with list
525
 * @work:         struct binder_work to remove from list
526
 *
527
 * Removes the specified work item from whatever list it is on.
528
 * Can safely be called if work is not on any list.
529
 */
530
static void
531
binder_dequeue_work(struct binder_proc *proc, struct binder_work *work)
532
{
533
	binder_inner_proc_lock(proc);
534
	binder_dequeue_work_ilocked(work);
535
	binder_inner_proc_unlock(proc);
536
}
537

538
static struct binder_work *binder_dequeue_work_head_ilocked(
539
					struct list_head *list)
540
{
541
	struct binder_work *w;
542

543
	w = list_first_entry_or_null(list, struct binder_work, entry);
544
	if (w)
545
		list_del_init(&w->entry);
546
	return w;
547
}
548

549
static void
550
binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
551
static void binder_free_thread(struct binder_thread *thread);
552
static void binder_free_proc(struct binder_proc *proc);
553
static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
554

555
static bool binder_has_work_ilocked(struct binder_thread *thread,
556
				    bool do_proc_work)
557
{
558
	return thread->process_todo ||
559
		thread->looper_need_return ||
560
		(do_proc_work &&
561
		 !binder_worklist_empty_ilocked(&thread->proc->todo));
562
}
563

564
static bool binder_has_work(struct binder_thread *thread, bool do_proc_work)
565
{
566
	bool has_work;
567

568
	binder_inner_proc_lock(thread->proc);
569
	has_work = binder_has_work_ilocked(thread, do_proc_work);
570
	binder_inner_proc_unlock(thread->proc);
571

572
	return has_work;
573
}
574

575
static bool binder_available_for_proc_work_ilocked(struct binder_thread *thread)
576
{
577
	return !thread->transaction_stack &&
578
		binder_worklist_empty_ilocked(&thread->todo);
579
}
580

581
static void binder_wakeup_poll_threads_ilocked(struct binder_proc *proc,
582
					       bool sync)
583
{
584
	struct rb_node *n;
585
	struct binder_thread *thread;
586

587
	for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
588
		thread = rb_entry(n, struct binder_thread, rb_node);
589
		if (thread->looper & BINDER_LOOPER_STATE_POLL &&
590
		    binder_available_for_proc_work_ilocked(thread)) {
591
			if (sync)
592
				wake_up_interruptible_sync(&thread->wait);
593
			else
594
				wake_up_interruptible(&thread->wait);
595
		}
596
	}
597
}
598

599
/**
600
 * binder_select_thread_ilocked() - selects a thread for doing proc work.
601
 * @proc:	process to select a thread from
602
 *
603
 * Note that calling this function moves the thread off the waiting_threads
604
 * list, so it can only be woken up by the caller of this function, or a
605
 * signal. Therefore, callers *should* always wake up the thread this function
606
 * returns.
607
 *
608
 * Return:	If there's a thread currently waiting for process work,
609
 *		returns that thread. Otherwise returns NULL.
610
 */
611
static struct binder_thread *
612
binder_select_thread_ilocked(struct binder_proc *proc)
613
{
614
	struct binder_thread *thread;
615

616
	assert_spin_locked(&proc->inner_lock);
617
	thread = list_first_entry_or_null(&proc->waiting_threads,
618
					  struct binder_thread,
619
					  waiting_thread_node);
620

621
	if (thread)
622
		list_del_init(&thread->waiting_thread_node);
623

624
	return thread;
625
}
626

627
/**
628
 * binder_wakeup_thread_ilocked() - wakes up a thread for doing proc work.
629
 * @proc:	process to wake up a thread in
630
 * @thread:	specific thread to wake-up (may be NULL)
631
 * @sync:	whether to do a synchronous wake-up
632
 *
633
 * This function wakes up a thread in the @proc process.
634
 * The caller may provide a specific thread to wake-up in
635
 * the @thread parameter. If @thread is NULL, this function
636
 * will wake up threads that have called poll().
637
 *
638
 * Note that for this function to work as expected, callers
639
 * should first call binder_select_thread() to find a thread
640
 * to handle the work (if they don't have a thread already),
641
 * and pass the result into the @thread parameter.
642
 */
643
static void binder_wakeup_thread_ilocked(struct binder_proc *proc,
644
					 struct binder_thread *thread,
645
					 bool sync)
646
{
647
	assert_spin_locked(&proc->inner_lock);
648

649
	if (thread) {
650
		if (sync)
651
			wake_up_interruptible_sync(&thread->wait);
652
		else
653
			wake_up_interruptible(&thread->wait);
654
		return;
655
	}
656

657
	/* Didn't find a thread waiting for proc work; this can happen
658
	 * in two scenarios:
659
	 * 1. All threads are busy handling transactions
660
	 *    In that case, one of those threads should call back into
661
	 *    the kernel driver soon and pick up this work.
662
	 * 2. Threads are using the (e)poll interface, in which case
663
	 *    they may be blocked on the waitqueue without having been
664
	 *    added to waiting_threads. For this case, we just iterate
665
	 *    over all threads not handling transaction work, and
666
	 *    wake them all up. We wake all because we don't know whether
667
	 *    a thread that called into (e)poll is handling non-binder
668
	 *    work currently.
669
	 */
670
	binder_wakeup_poll_threads_ilocked(proc, sync);
671
}
672

673
static void binder_wakeup_proc_ilocked(struct binder_proc *proc)
674
{
675
	struct binder_thread *thread = binder_select_thread_ilocked(proc);
676

677
	binder_wakeup_thread_ilocked(proc, thread, /* sync = */false);
678
}
679

680
static void binder_set_nice(long nice)
681
{
682
	long min_nice;
683

684
	if (can_nice(current, nice)) {
685
		set_user_nice(current, nice);
686
		return;
687
	}
688
	min_nice = rlimit_to_nice(rlimit(RLIMIT_NICE));
689
	binder_debug(BINDER_DEBUG_PRIORITY_CAP,
690
		     "%d: nice value %ld not allowed use %ld instead\n",
691
		      current->pid, nice, min_nice);
692
	set_user_nice(current, min_nice);
693
	if (min_nice <= MAX_NICE)
694
		return;
695
	binder_user_error("%d RLIMIT_NICE not set\n", current->pid);
696
}
697

698
static struct binder_node *binder_get_node_ilocked(struct binder_proc *proc,
699
						   binder_uintptr_t ptr)
700
{
701
	struct rb_node *n = proc->nodes.rb_node;
702
	struct binder_node *node;
703

704
	assert_spin_locked(&proc->inner_lock);
705

706
	while (n) {
707
		node = rb_entry(n, struct binder_node, rb_node);
708

709
		if (ptr < node->ptr)
710
			n = n->rb_left;
711
		else if (ptr > node->ptr)
712
			n = n->rb_right;
713
		else {
714
			/*
715
			 * take an implicit weak reference
716
			 * to ensure node stays alive until
717
			 * call to binder_put_node()
718
			 */
719
			binder_inc_node_tmpref_ilocked(node);
720
			return node;
721
		}
722
	}
723
	return NULL;
724
}
725

726
static struct binder_node *binder_get_node(struct binder_proc *proc,
727
					   binder_uintptr_t ptr)
728
{
729
	struct binder_node *node;
730

731
	binder_inner_proc_lock(proc);
732
	node = binder_get_node_ilocked(proc, ptr);
733
	binder_inner_proc_unlock(proc);
734
	return node;
735
}
736

737
static struct binder_node *binder_init_node_ilocked(
738
						struct binder_proc *proc,
739
						struct binder_node *new_node,
740
						struct flat_binder_object *fp)
741
{
742
	struct rb_node **p = &proc->nodes.rb_node;
743
	struct rb_node *parent = NULL;
744
	struct binder_node *node;
745
	binder_uintptr_t ptr = fp ? fp->binder : 0;
746
	binder_uintptr_t cookie = fp ? fp->cookie : 0;
747
	__u32 flags = fp ? fp->flags : 0;
748

749
	assert_spin_locked(&proc->inner_lock);
750

751
	while (*p) {
752

753
		parent = *p;
754
		node = rb_entry(parent, struct binder_node, rb_node);
755

756
		if (ptr < node->ptr)
757
			p = &(*p)->rb_left;
758
		else if (ptr > node->ptr)
759
			p = &(*p)->rb_right;
760
		else {
761
			/*
762
			 * A matching node is already in
763
			 * the rb tree. Abandon the init
764
			 * and return it.
765
			 */
766
			binder_inc_node_tmpref_ilocked(node);
767
			return node;
768
		}
769
	}
770
	node = new_node;
771
	binder_stats_created(BINDER_STAT_NODE);
772
	node->tmp_refs++;
773
	rb_link_node(&node->rb_node, parent, p);
774
	rb_insert_color(&node->rb_node, &proc->nodes);
775
	node->debug_id = atomic_inc_return(&binder_last_id);
776
	node->proc = proc;
777
	node->ptr = ptr;
778
	node->cookie = cookie;
779
	node->work.type = BINDER_WORK_NODE;
780
	node->min_priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
781
	node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
782
	node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX);
783
	spin_lock_init(&node->lock);
784
	INIT_LIST_HEAD(&node->work.entry);
785
	INIT_LIST_HEAD(&node->async_todo);
786
	binder_debug(BINDER_DEBUG_INTERNAL_REFS,
787
		     "%d:%d node %d u%016llx c%016llx created\n",
788
		     proc->pid, current->pid, node->debug_id,
789
		     (u64)node->ptr, (u64)node->cookie);
790

791
	return node;
792
}
793

794
static struct binder_node *binder_new_node(struct binder_proc *proc,
795
					   struct flat_binder_object *fp)
796
{
797
	struct binder_node *node;
798
	struct binder_node *new_node = kzalloc(sizeof(*node), GFP_KERNEL);
799

800
	if (!new_node)
801
		return NULL;
802
	binder_inner_proc_lock(proc);
803
	node = binder_init_node_ilocked(proc, new_node, fp);
804
	binder_inner_proc_unlock(proc);
805
	if (node != new_node)
806
		/*
807
		 * The node was already added by another thread
808
		 */
809
		kfree(new_node);
810

811
	return node;
812
}
813

814
static void binder_free_node(struct binder_node *node)
815
{
816
	kfree(node);
817
	binder_stats_deleted(BINDER_STAT_NODE);
818
}
819

820
static int binder_inc_node_nilocked(struct binder_node *node, int strong,
821
				    int internal,
822
				    struct list_head *target_list)
823
{
824
	struct binder_proc *proc = node->proc;
825

826
	assert_spin_locked(&node->lock);
827
	if (proc)
828
		assert_spin_locked(&proc->inner_lock);
829
	if (strong) {
830
		if (internal) {
831
			if (target_list == NULL &&
832
			    node->internal_strong_refs == 0 &&
833
			    !(node->proc &&
834
			      node == node->proc->context->binder_context_mgr_node &&
835
			      node->has_strong_ref)) {
836
				pr_err("invalid inc strong node for %d\n",
837
					node->debug_id);
838
				return -EINVAL;
839
			}
840
			node->internal_strong_refs++;
841
		} else
842
			node->local_strong_refs++;
843
		if (!node->has_strong_ref && target_list) {
844
			struct binder_thread *thread = container_of(target_list,
845
						    struct binder_thread, todo);
846
			binder_dequeue_work_ilocked(&node->work);
847
			BUG_ON(&thread->todo != target_list);
848
			binder_enqueue_deferred_thread_work_ilocked(thread,
849
								   &node->work);
850
		}
851
	} else {
852
		if (!internal)
853
			node->local_weak_refs++;
854
		if (!node->has_weak_ref && list_empty(&node->work.entry)) {
855
			if (target_list == NULL) {
856
				pr_err("invalid inc weak node for %d\n",
857
					node->debug_id);
858
				return -EINVAL;
859
			}
860
			/*
861
			 * See comment above
862
			 */
863
			binder_enqueue_work_ilocked(&node->work, target_list);
864
		}
865
	}
866
	return 0;
867
}
868

869
static int binder_inc_node(struct binder_node *node, int strong, int internal,
870
			   struct list_head *target_list)
871
{
872
	int ret;
873

874
	binder_node_inner_lock(node);
875
	ret = binder_inc_node_nilocked(node, strong, internal, target_list);
876
	binder_node_inner_unlock(node);
877

878
	return ret;
879
}
880

881
static bool binder_dec_node_nilocked(struct binder_node *node,
882
				     int strong, int internal)
883
{
884
	struct binder_proc *proc = node->proc;
885

886
	assert_spin_locked(&node->lock);
887
	if (proc)
888
		assert_spin_locked(&proc->inner_lock);
889
	if (strong) {
890
		if (internal)
891
			node->internal_strong_refs--;
892
		else
893
			node->local_strong_refs--;
894
		if (node->local_strong_refs || node->internal_strong_refs)
895
			return false;
896
	} else {
897
		if (!internal)
898
			node->local_weak_refs--;
899
		if (node->local_weak_refs || node->tmp_refs ||
900
				!hlist_empty(&node->refs))
901
			return false;
902
	}
903

904
	if (proc && (node->has_strong_ref || node->has_weak_ref)) {
905
		if (list_empty(&node->work.entry)) {
906
			binder_enqueue_work_ilocked(&node->work, &proc->todo);
907
			binder_wakeup_proc_ilocked(proc);
908
		}
909
	} else {
910
		if (hlist_empty(&node->refs) && !node->local_strong_refs &&
911
		    !node->local_weak_refs && !node->tmp_refs) {
912
			if (proc) {
913
				binder_dequeue_work_ilocked(&node->work);
914
				rb_erase(&node->rb_node, &proc->nodes);
915
				binder_debug(BINDER_DEBUG_INTERNAL_REFS,
916
					     "refless node %d deleted\n",
917
					     node->debug_id);
918
			} else {
919
				BUG_ON(!list_empty(&node->work.entry));
920
				spin_lock(&binder_dead_nodes_lock);
921
				/*
922
				 * tmp_refs could have changed so
923
				 * check it again
924
				 */
925
				if (node->tmp_refs) {
926
					spin_unlock(&binder_dead_nodes_lock);
927
					return false;
928
				}
929
				hlist_del(&node->dead_node);
930
				spin_unlock(&binder_dead_nodes_lock);
931
				binder_debug(BINDER_DEBUG_INTERNAL_REFS,
932
					     "dead node %d deleted\n",
933
					     node->debug_id);
934
			}
935
			return true;
936
		}
937
	}
938
	return false;
939
}
940

941
static void binder_dec_node(struct binder_node *node, int strong, int internal)
942
{
943
	bool free_node;
944

945
	binder_node_inner_lock(node);
946
	free_node = binder_dec_node_nilocked(node, strong, internal);
947
	binder_node_inner_unlock(node);
948
	if (free_node)
949
		binder_free_node(node);
950
}
951

952
static void binder_inc_node_tmpref_ilocked(struct binder_node *node)
953
{
954
	/*
955
	 * No call to binder_inc_node() is needed since we
956
	 * don't need to inform userspace of any changes to
957
	 * tmp_refs
958
	 */
959
	node->tmp_refs++;
960
}
961

962
/**
963
 * binder_inc_node_tmpref() - take a temporary reference on node
964
 * @node:	node to reference
965
 *
966
 * Take reference on node to prevent the node from being freed
967
 * while referenced only by a local variable. The inner lock is
968
 * needed to serialize with the node work on the queue (which
969
 * isn't needed after the node is dead). If the node is dead
970
 * (node->proc is NULL), use binder_dead_nodes_lock to protect
971
 * node->tmp_refs against dead-node-only cases where the node
972
 * lock cannot be acquired (eg traversing the dead node list to
973
 * print nodes)
974
 */
975
static void binder_inc_node_tmpref(struct binder_node *node)
976
{
977
	binder_node_lock(node);
978
	if (node->proc)
979
		binder_inner_proc_lock(node->proc);
980
	else
981
		spin_lock(&binder_dead_nodes_lock);
982
	binder_inc_node_tmpref_ilocked(node);
983
	if (node->proc)
984
		binder_inner_proc_unlock(node->proc);
985
	else
986
		spin_unlock(&binder_dead_nodes_lock);
987
	binder_node_unlock(node);
988
}
989

990
/**
991
 * binder_dec_node_tmpref() - remove a temporary reference on node
992
 * @node:	node to reference
993
 *
994
 * Release temporary reference on node taken via binder_inc_node_tmpref()
995
 */
996
static void binder_dec_node_tmpref(struct binder_node *node)
997
{
998
	bool free_node;
999

1000
	binder_node_inner_lock(node);
1001
	if (!node->proc)
1002
		spin_lock(&binder_dead_nodes_lock);
1003
	else
1004
		__acquire(&binder_dead_nodes_lock);
1005
	node->tmp_refs--;
1006
	BUG_ON(node->tmp_refs < 0);
1007
	if (!node->proc)
1008
		spin_unlock(&binder_dead_nodes_lock);
1009
	else
1010
		__release(&binder_dead_nodes_lock);
1011
	/*
1012
	 * Call binder_dec_node() to check if all refcounts are 0
1013
	 * and cleanup is needed. Calling with strong=0 and internal=1
1014
	 * causes no actual reference to be released in binder_dec_node().
1015
	 * If that changes, a change is needed here too.
1016
	 */
1017
	free_node = binder_dec_node_nilocked(node, 0, 1);
1018
	binder_node_inner_unlock(node);
1019
	if (free_node)
1020
		binder_free_node(node);
1021
}
1022

1023
static void binder_put_node(struct binder_node *node)
1024
{
1025
	binder_dec_node_tmpref(node);
1026
}
1027

1028
static struct binder_ref *binder_get_ref_olocked(struct binder_proc *proc,
1029
						 u32 desc, bool need_strong_ref)
1030
{
1031
	struct rb_node *n = proc->refs_by_desc.rb_node;
1032
	struct binder_ref *ref;
1033

1034
	while (n) {
1035
		ref = rb_entry(n, struct binder_ref, rb_node_desc);
1036

1037
		if (desc < ref->data.desc) {
1038
			n = n->rb_left;
1039
		} else if (desc > ref->data.desc) {
1040
			n = n->rb_right;
1041
		} else if (need_strong_ref && !ref->data.strong) {
1042
			binder_user_error("tried to use weak ref as strong ref\n");
1043
			return NULL;
1044
		} else {
1045
			return ref;
1046
		}
1047
	}
1048
	return NULL;
1049
}
1050

1051
/* Find the smallest unused descriptor the "slow way" */
1052
static u32 slow_desc_lookup_olocked(struct binder_proc *proc, u32 offset)
1053
{
1054
	struct binder_ref *ref;
1055
	struct rb_node *n;
1056
	u32 desc;
1057

1058
	desc = offset;
1059
	for (n = rb_first(&proc->refs_by_desc); n; n = rb_next(n)) {
1060
		ref = rb_entry(n, struct binder_ref, rb_node_desc);
1061
		if (ref->data.desc > desc)
1062
			break;
1063
		desc = ref->data.desc + 1;
1064
	}
1065

1066
	return desc;
1067
}
1068

1069
/*
1070
 * Find an available reference descriptor ID. The proc->outer_lock might
1071
 * be released in the process, in which case -EAGAIN is returned and the
1072
 * @desc should be considered invalid.
1073
 */
1074
static int get_ref_desc_olocked(struct binder_proc *proc,
1075
				struct binder_node *node,
1076
				u32 *desc)
1077
{
1078
	struct dbitmap *dmap = &proc->dmap;
1079
	unsigned int nbits, offset;
1080
	unsigned long *new, bit;
1081

1082
	/* 0 is reserved for the context manager */
1083
	offset = (node == proc->context->binder_context_mgr_node) ? 0 : 1;
1084

1085
	if (!dbitmap_enabled(dmap)) {
1086
		*desc = slow_desc_lookup_olocked(proc, offset);
1087
		return 0;
1088
	}
1089

1090
	if (dbitmap_acquire_next_zero_bit(dmap, offset, &bit) == 0) {
1091
		*desc = bit;
1092
		return 0;
1093
	}
1094

1095
	/*
1096
	 * The dbitmap is full and needs to grow. The proc->outer_lock
1097
	 * is briefly released to allocate the new bitmap safely.
1098
	 */
1099
	nbits = dbitmap_grow_nbits(dmap);
1100
	binder_proc_unlock(proc);
1101
	new = bitmap_zalloc(nbits, GFP_KERNEL);
1102
	binder_proc_lock(proc);
1103
	dbitmap_grow(dmap, new, nbits);
1104

1105
	return -EAGAIN;
1106
}
1107

1108
/**
1109
 * binder_get_ref_for_node_olocked() - get the ref associated with given node
1110
 * @proc:	binder_proc that owns the ref
1111
 * @node:	binder_node of target
1112
 * @new_ref:	newly allocated binder_ref to be initialized or %NULL
1113
 *
1114
 * Look up the ref for the given node and return it if it exists
1115
 *
1116
 * If it doesn't exist and the caller provides a newly allocated
1117
 * ref, initialize the fields of the newly allocated ref and insert
1118
 * into the given proc rb_trees and node refs list.
1119
 *
1120
 * Return:	the ref for node. It is possible that another thread
1121
 *		allocated/initialized the ref first in which case the
1122
 *		returned ref would be different than the passed-in
1123
 *		new_ref. new_ref must be kfree'd by the caller in
1124
 *		this case.
1125
 */
1126
static struct binder_ref *binder_get_ref_for_node_olocked(
1127
					struct binder_proc *proc,
1128
					struct binder_node *node,
1129
					struct binder_ref *new_ref)
1130
{
1131
	struct binder_ref *ref;
1132
	struct rb_node *parent;
1133
	struct rb_node **p;
1134
	u32 desc;
1135

1136
retry:
1137
	p = &proc->refs_by_node.rb_node;
1138
	parent = NULL;
1139
	while (*p) {
1140
		parent = *p;
1141
		ref = rb_entry(parent, struct binder_ref, rb_node_node);
1142

1143
		if (node < ref->node)
1144
			p = &(*p)->rb_left;
1145
		else if (node > ref->node)
1146
			p = &(*p)->rb_right;
1147
		else
1148
			return ref;
1149
	}
1150
	if (!new_ref)
1151
		return NULL;
1152

1153
	/* might release the proc->outer_lock */
1154
	if (get_ref_desc_olocked(proc, node, &desc) == -EAGAIN)
1155
		goto retry;
1156

1157
	binder_stats_created(BINDER_STAT_REF);
1158
	new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
1159
	new_ref->proc = proc;
1160
	new_ref->node = node;
1161
	rb_link_node(&new_ref->rb_node_node, parent, p);
1162
	rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
1163

1164
	new_ref->data.desc = desc;
1165
	p = &proc->refs_by_desc.rb_node;
1166
	while (*p) {
1167
		parent = *p;
1168
		ref = rb_entry(parent, struct binder_ref, rb_node_desc);
1169

1170
		if (new_ref->data.desc < ref->data.desc)
1171
			p = &(*p)->rb_left;
1172
		else if (new_ref->data.desc > ref->data.desc)
1173
			p = &(*p)->rb_right;
1174
		else
1175
			BUG();
1176
	}
1177
	rb_link_node(&new_ref->rb_node_desc, parent, p);
1178
	rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc);
1179

1180
	binder_node_lock(node);
1181
	hlist_add_head(&new_ref->node_entry, &node->refs);
1182

1183
	binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1184
		     "%d new ref %d desc %d for node %d\n",
1185
		      proc->pid, new_ref->data.debug_id, new_ref->data.desc,
1186
		      node->debug_id);
1187
	binder_node_unlock(node);
1188
	return new_ref;
1189
}
1190

1191
static void binder_cleanup_ref_olocked(struct binder_ref *ref)
1192
{
1193
	struct dbitmap *dmap = &ref->proc->dmap;
1194
	bool delete_node = false;
1195

1196
	binder_debug(BINDER_DEBUG_INTERNAL_REFS,
1197
		     "%d delete ref %d desc %d for node %d\n",
1198
		      ref->proc->pid, ref->data.debug_id, ref->data.desc,
1199
		      ref->node->debug_id);
1200

1201
	if (dbitmap_enabled(dmap))
1202
		dbitmap_clear_bit(dmap, ref->data.desc);
1203
	rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc);
1204
	rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node);
1205

1206
	binder_node_inner_lock(ref->node);
1207
	if (ref->data.strong)
1208
		binder_dec_node_nilocked(ref->node, 1, 1);
1209

1210
	hlist_del(&ref->node_entry);
1211
	delete_node = binder_dec_node_nilocked(ref->node, 0, 1);
1212
	binder_node_inner_unlock(ref->node);
1213
	/*
1214
	 * Clear ref->node unless we want the caller to free the node
1215
	 */
1216
	if (!delete_node) {
1217
		/*
1218
		 * The caller uses ref->node to determine
1219
		 * whether the node needs to be freed. Clear
1220
		 * it since the node is still alive.
1221
		 */
1222
		ref->node = NULL;
1223
	}
1224

1225
	if (ref->death) {
1226
		binder_debug(BINDER_DEBUG_DEAD_BINDER,
1227
			     "%d delete ref %d desc %d has death notification\n",
1228
			      ref->proc->pid, ref->data.debug_id,
1229
			      ref->data.desc);
1230
		binder_dequeue_work(ref->proc, &ref->death->work);
1231
		binder_stats_deleted(BINDER_STAT_DEATH);
1232
	}
1233

1234
	if (ref->freeze) {
1235
		binder_dequeue_work(ref->proc, &ref->freeze->work);
1236
		binder_stats_deleted(BINDER_STAT_FREEZE);
1237
	}
1238

1239
	binder_stats_deleted(BINDER_STAT_REF);
1240
}
1241

1242
/**
1243
 * binder_inc_ref_olocked() - increment the ref for given handle
1244
 * @ref:         ref to be incremented
1245
 * @strong:      if true, strong increment, else weak
1246
 * @target_list: list to queue node work on
1247
 *
1248
 * Increment the ref. @ref->proc->outer_lock must be held on entry
1249
 *
1250
 * Return: 0, if successful, else errno
1251
 */
1252
static int binder_inc_ref_olocked(struct binder_ref *ref, int strong,
1253
				  struct list_head *target_list)
1254
{
1255
	int ret;
1256

1257
	if (strong) {
1258
		if (ref->data.strong == 0) {
1259
			ret = binder_inc_node(ref->node, 1, 1, target_list);
1260
			if (ret)
1261
				return ret;
1262
		}
1263
		ref->data.strong++;
1264
	} else {
1265
		if (ref->data.weak == 0) {
1266
			ret = binder_inc_node(ref->node, 0, 1, target_list);
1267
			if (ret)
1268
				return ret;
1269
		}
1270
		ref->data.weak++;
1271
	}
1272
	return 0;
1273
}
1274

1275
/**
1276
 * binder_dec_ref_olocked() - dec the ref for given handle
1277
 * @ref:	ref to be decremented
1278
 * @strong:	if true, strong decrement, else weak
1279
 *
1280
 * Decrement the ref.
1281
 *
1282
 * Return: %true if ref is cleaned up and ready to be freed.
1283
 */
1284
static bool binder_dec_ref_olocked(struct binder_ref *ref, int strong)
1285
{
1286
	if (strong) {
1287
		if (ref->data.strong == 0) {
1288
			binder_user_error("%d invalid dec strong, ref %d desc %d s %d w %d\n",
1289
					  ref->proc->pid, ref->data.debug_id,
1290
					  ref->data.desc, ref->data.strong,
1291
					  ref->data.weak);
1292
			return false;
1293
		}
1294
		ref->data.strong--;
1295
		if (ref->data.strong == 0)
1296
			binder_dec_node(ref->node, strong, 1);
1297
	} else {
1298
		if (ref->data.weak == 0) {
1299
			binder_user_error("%d invalid dec weak, ref %d desc %d s %d w %d\n",
1300
					  ref->proc->pid, ref->data.debug_id,
1301
					  ref->data.desc, ref->data.strong,
1302
					  ref->data.weak);
1303
			return false;
1304
		}
1305
		ref->data.weak--;
1306
	}
1307
	if (ref->data.strong == 0 && ref->data.weak == 0) {
1308
		binder_cleanup_ref_olocked(ref);
1309
		return true;
1310
	}
1311
	return false;
1312
}
1313

1314
/**
1315
 * binder_get_node_from_ref() - get the node from the given proc/desc
1316
 * @proc:	proc containing the ref
1317
 * @desc:	the handle associated with the ref
1318
 * @need_strong_ref: if true, only return node if ref is strong
1319
 * @rdata:	the id/refcount data for the ref
1320
 *
1321
 * Given a proc and ref handle, return the associated binder_node
1322
 *
1323
 * Return: a binder_node or NULL if not found or not strong when strong required
1324
 */
1325
static struct binder_node *binder_get_node_from_ref(
1326
		struct binder_proc *proc,
1327
		u32 desc, bool need_strong_ref,
1328
		struct binder_ref_data *rdata)
1329
{
1330
	struct binder_node *node;
1331
	struct binder_ref *ref;
1332

1333
	binder_proc_lock(proc);
1334
	ref = binder_get_ref_olocked(proc, desc, need_strong_ref);
1335
	if (!ref)
1336
		goto err_no_ref;
1337
	node = ref->node;
1338
	/*
1339
	 * Take an implicit reference on the node to ensure
1340
	 * it stays alive until the call to binder_put_node()
1341
	 */
1342
	binder_inc_node_tmpref(node);
1343
	if (rdata)
1344
		*rdata = ref->data;
1345
	binder_proc_unlock(proc);
1346

1347
	return node;
1348

1349
err_no_ref:
1350
	binder_proc_unlock(proc);
1351
	return NULL;
1352
}
1353

1354
/**
1355
 * binder_free_ref() - free the binder_ref
1356
 * @ref:	ref to free
1357
 *
1358
 * Free the binder_ref. Free the binder_node indicated by ref->node
1359
 * (if non-NULL) and the binder_ref_death indicated by ref->death.
1360
 */
1361
static void binder_free_ref(struct binder_ref *ref)
1362
{
1363
	if (ref->node)
1364
		binder_free_node(ref->node);
1365
	kfree(ref->death);
1366
	kfree(ref->freeze);
1367
	kfree(ref);
1368
}
1369

1370
/* shrink descriptor bitmap if needed */
1371
static void try_shrink_dmap(struct binder_proc *proc)
1372
{
1373
	unsigned long *new;
1374
	int nbits;
1375

1376
	binder_proc_lock(proc);
1377
	nbits = dbitmap_shrink_nbits(&proc->dmap);
1378
	binder_proc_unlock(proc);
1379

1380
	if (!nbits)
1381
		return;
1382

1383
	new = bitmap_zalloc(nbits, GFP_KERNEL);
1384
	binder_proc_lock(proc);
1385
	dbitmap_shrink(&proc->dmap, new, nbits);
1386
	binder_proc_unlock(proc);
1387
}
1388

1389
/**
1390
 * binder_update_ref_for_handle() - inc/dec the ref for given handle
1391
 * @proc:	proc containing the ref
1392
 * @desc:	the handle associated with the ref
1393
 * @increment:	true=inc reference, false=dec reference
1394
 * @strong:	true=strong reference, false=weak reference
1395
 * @rdata:	the id/refcount data for the ref
1396
 *
1397
 * Given a proc and ref handle, increment or decrement the ref
1398
 * according to "increment" arg.
1399
 *
1400
 * Return: 0 if successful, else errno
1401
 */
1402
static int binder_update_ref_for_handle(struct binder_proc *proc,
1403
		uint32_t desc, bool increment, bool strong,
1404
		struct binder_ref_data *rdata)
1405
{
1406
	int ret = 0;
1407
	struct binder_ref *ref;
1408
	bool delete_ref = false;
1409

1410
	binder_proc_lock(proc);
1411
	ref = binder_get_ref_olocked(proc, desc, strong);
1412
	if (!ref) {
1413
		ret = -EINVAL;
1414
		goto err_no_ref;
1415
	}
1416
	if (increment)
1417
		ret = binder_inc_ref_olocked(ref, strong, NULL);
1418
	else
1419
		delete_ref = binder_dec_ref_olocked(ref, strong);
1420

1421
	if (rdata)
1422
		*rdata = ref->data;
1423
	binder_proc_unlock(proc);
1424

1425
	if (delete_ref) {
1426
		binder_free_ref(ref);
1427
		try_shrink_dmap(proc);
1428
	}
1429
	return ret;
1430

1431
err_no_ref:
1432
	binder_proc_unlock(proc);
1433
	return ret;
1434
}
1435

1436
/**
1437
 * binder_dec_ref_for_handle() - dec the ref for given handle
1438
 * @proc:	proc containing the ref
1439
 * @desc:	the handle associated with the ref
1440
 * @strong:	true=strong reference, false=weak reference
1441
 * @rdata:	the id/refcount data for the ref
1442
 *
1443
 * Just calls binder_update_ref_for_handle() to decrement the ref.
1444
 *
1445
 * Return: 0 if successful, else errno
1446
 */
1447
static int binder_dec_ref_for_handle(struct binder_proc *proc,
1448
		uint32_t desc, bool strong, struct binder_ref_data *rdata)
1449
{
1450
	return binder_update_ref_for_handle(proc, desc, false, strong, rdata);
1451
}
1452

1453

1454
/**
1455
 * binder_inc_ref_for_node() - increment the ref for given proc/node
1456
 * @proc:	 proc containing the ref
1457
 * @node:	 target node
1458
 * @strong:	 true=strong reference, false=weak reference
1459
 * @target_list: worklist to use if node is incremented
1460
 * @rdata:	 the id/refcount data for the ref
1461
 *
1462
 * Given a proc and node, increment the ref. Create the ref if it
1463
 * doesn't already exist
1464
 *
1465
 * Return: 0 if successful, else errno
1466
 */
1467
static int binder_inc_ref_for_node(struct binder_proc *proc,
1468
			struct binder_node *node,
1469
			bool strong,
1470
			struct list_head *target_list,
1471
			struct binder_ref_data *rdata)
1472
{
1473
	struct binder_ref *ref;
1474
	struct binder_ref *new_ref = NULL;
1475
	int ret = 0;
1476

1477
	binder_proc_lock(proc);
1478
	ref = binder_get_ref_for_node_olocked(proc, node, NULL);
1479
	if (!ref) {
1480
		binder_proc_unlock(proc);
1481
		new_ref = kzalloc(sizeof(*ref), GFP_KERNEL);
1482
		if (!new_ref)
1483
			return -ENOMEM;
1484
		binder_proc_lock(proc);
1485
		ref = binder_get_ref_for_node_olocked(proc, node, new_ref);
1486
	}
1487
	ret = binder_inc_ref_olocked(ref, strong, target_list);
1488
	*rdata = ref->data;
1489
	if (ret && ref == new_ref) {
1490
		/*
1491
		 * Cleanup the failed reference here as the target
1492
		 * could now be dead and have already released its
1493
		 * references by now. Calling on the new reference
1494
		 * with strong=0 and a tmp_refs will not decrement
1495
		 * the node. The new_ref gets kfree'd below.
1496
		 */
1497
		binder_cleanup_ref_olocked(new_ref);
1498
		ref = NULL;
1499
	}
1500

1501
	binder_proc_unlock(proc);
1502
	if (new_ref && ref != new_ref)
1503
		/*
1504
		 * Another thread created the ref first so
1505
		 * free the one we allocated
1506
		 */
1507
		kfree(new_ref);
1508
	return ret;
1509
}
1510

1511
static void binder_pop_transaction_ilocked(struct binder_thread *target_thread,
1512
					   struct binder_transaction *t)
1513
{
1514
	BUG_ON(!target_thread);
1515
	assert_spin_locked(&target_thread->proc->inner_lock);
1516
	BUG_ON(target_thread->transaction_stack != t);
1517
	BUG_ON(target_thread->transaction_stack->from != target_thread);
1518
	target_thread->transaction_stack =
1519
		target_thread->transaction_stack->from_parent;
1520
	t->from = NULL;
1521
}
1522

1523
/**
1524
 * binder_thread_dec_tmpref() - decrement thread->tmp_ref
1525
 * @thread:	thread to decrement
1526
 *
1527
 * A thread needs to be kept alive while being used to create or
1528
 * handle a transaction. binder_get_txn_from() is used to safely
1529
 * extract t->from from a binder_transaction and keep the thread
1530
 * indicated by t->from from being freed. When done with that
1531
 * binder_thread, this function is called to decrement the
1532
 * tmp_ref and free if appropriate (thread has been released
1533
 * and no transaction being processed by the driver)
1534
 */
1535
static void binder_thread_dec_tmpref(struct binder_thread *thread)
1536
{
1537
	/*
1538
	 * atomic is used to protect the counter value while
1539
	 * it cannot reach zero or thread->is_dead is false
1540
	 */
1541
	binder_inner_proc_lock(thread->proc);
1542
	atomic_dec(&thread->tmp_ref);
1543
	if (thread->is_dead && !atomic_read(&thread->tmp_ref)) {
1544
		binder_inner_proc_unlock(thread->proc);
1545
		binder_free_thread(thread);
1546
		return;
1547
	}
1548
	binder_inner_proc_unlock(thread->proc);
1549
}
1550

1551
/**
1552
 * binder_proc_dec_tmpref() - decrement proc->tmp_ref
1553
 * @proc:	proc to decrement
1554
 *
1555
 * A binder_proc needs to be kept alive while being used to create or
1556
 * handle a transaction. proc->tmp_ref is incremented when
1557
 * creating a new transaction or the binder_proc is currently in-use
1558
 * by threads that are being released. When done with the binder_proc,
1559
 * this function is called to decrement the counter and free the
1560
 * proc if appropriate (proc has been released, all threads have
1561
 * been released and not currently in-use to process a transaction).
1562
 */
1563
static void binder_proc_dec_tmpref(struct binder_proc *proc)
1564
{
1565
	binder_inner_proc_lock(proc);
1566
	proc->tmp_ref--;
1567
	if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
1568
			!proc->tmp_ref) {
1569
		binder_inner_proc_unlock(proc);
1570
		binder_free_proc(proc);
1571
		return;
1572
	}
1573
	binder_inner_proc_unlock(proc);
1574
}
1575

1576
/**
1577
 * binder_get_txn_from() - safely extract the "from" thread in transaction
1578
 * @t:	binder transaction for t->from
1579
 *
1580
 * Atomically return the "from" thread and increment the tmp_ref
1581
 * count for the thread to ensure it stays alive until
1582
 * binder_thread_dec_tmpref() is called.
1583
 *
1584
 * Return: the value of t->from
1585
 */
1586
static struct binder_thread *binder_get_txn_from(
1587
		struct binder_transaction *t)
1588
{
1589
	struct binder_thread *from;
1590

1591
	guard(spinlock)(&t->lock);
1592
	from = t->from;
1593
	if (from)
1594
		atomic_inc(&from->tmp_ref);
1595
	return from;
1596
}
1597

1598
/**
1599
 * binder_get_txn_from_and_acq_inner() - get t->from and acquire inner lock
1600
 * @t:	binder transaction for t->from
1601
 *
1602
 * Same as binder_get_txn_from() except it also acquires the proc->inner_lock
1603
 * to guarantee that the thread cannot be released while operating on it.
1604
 * The caller must call binder_inner_proc_unlock() to release the inner lock
1605
 * as well as call binder_dec_thread_txn() to release the reference.
1606
 *
1607
 * Return: the value of t->from
1608
 */
1609
static struct binder_thread *binder_get_txn_from_and_acq_inner(
1610
		struct binder_transaction *t)
1611
	__acquires(&t->from->proc->inner_lock)
1612
{
1613
	struct binder_thread *from;
1614

1615
	from = binder_get_txn_from(t);
1616
	if (!from) {
1617
		__acquire(&from->proc->inner_lock);
1618
		return NULL;
1619
	}
1620
	binder_inner_proc_lock(from->proc);
1621
	if (t->from) {
1622
		BUG_ON(from != t->from);
1623
		return from;
1624
	}
1625
	binder_inner_proc_unlock(from->proc);
1626
	__acquire(&from->proc->inner_lock);
1627
	binder_thread_dec_tmpref(from);
1628
	return NULL;
1629
}
1630

1631
/**
1632
 * binder_free_txn_fixups() - free unprocessed fd fixups
1633
 * @t:	binder transaction for t->from
1634
 *
1635
 * If the transaction is being torn down prior to being
1636
 * processed by the target process, free all of the
1637
 * fd fixups and fput the file structs. It is safe to
1638
 * call this function after the fixups have been
1639
 * processed -- in that case, the list will be empty.
1640
 */
1641
static void binder_free_txn_fixups(struct binder_transaction *t)
1642
{
1643
	struct binder_txn_fd_fixup *fixup, *tmp;
1644

1645
	list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
1646
		fput(fixup->file);
1647
		if (fixup->target_fd >= 0)
1648
			put_unused_fd(fixup->target_fd);
1649
		list_del(&fixup->fixup_entry);
1650
		kfree(fixup);
1651
	}
1652
}
1653

1654
static void binder_txn_latency_free(struct binder_transaction *t)
1655
{
1656
	int from_proc, from_thread, to_proc, to_thread;
1657

1658
	spin_lock(&t->lock);
1659
	from_proc = t->from ? t->from->proc->pid : 0;
1660
	from_thread = t->from ? t->from->pid : 0;
1661
	to_proc = t->to_proc ? t->to_proc->pid : 0;
1662
	to_thread = t->to_thread ? t->to_thread->pid : 0;
1663
	spin_unlock(&t->lock);
1664

1665
	trace_binder_txn_latency_free(t, from_proc, from_thread, to_proc, to_thread);
1666
}
1667

1668
static void binder_free_transaction(struct binder_transaction *t)
1669
{
1670
	struct binder_proc *target_proc = t->to_proc;
1671

1672
	if (target_proc) {
1673
		binder_inner_proc_lock(target_proc);
1674
		target_proc->outstanding_txns--;
1675
		if (target_proc->outstanding_txns < 0)
1676
			pr_warn("%s: Unexpected outstanding_txns %d\n",
1677
				__func__, target_proc->outstanding_txns);
1678
		if (!target_proc->outstanding_txns && target_proc->is_frozen)
1679
			wake_up_interruptible_all(&target_proc->freeze_wait);
1680
		if (t->buffer)
1681
			t->buffer->transaction = NULL;
1682
		binder_inner_proc_unlock(target_proc);
1683
	}
1684
	if (trace_binder_txn_latency_free_enabled())
1685
		binder_txn_latency_free(t);
1686
	/*
1687
	 * If the transaction has no target_proc, then
1688
	 * t->buffer->transaction has already been cleared.
1689
	 */
1690
	binder_free_txn_fixups(t);
1691
	kfree(t);
1692
	binder_stats_deleted(BINDER_STAT_TRANSACTION);
1693
}
1694

1695
static void binder_send_failed_reply(struct binder_transaction *t,
1696
				     uint32_t error_code)
1697
{
1698
	struct binder_thread *target_thread;
1699
	struct binder_transaction *next;
1700

1701
	BUG_ON(t->flags & TF_ONE_WAY);
1702
	while (1) {
1703
		target_thread = binder_get_txn_from_and_acq_inner(t);
1704
		if (target_thread) {
1705
			binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
1706
				     "send failed reply for transaction %d to %d:%d\n",
1707
				      t->debug_id,
1708
				      target_thread->proc->pid,
1709
				      target_thread->pid);
1710

1711
			binder_pop_transaction_ilocked(target_thread, t);
1712
			if (target_thread->reply_error.cmd == BR_OK) {
1713
				target_thread->reply_error.cmd = error_code;
1714
				binder_enqueue_thread_work_ilocked(
1715
					target_thread,
1716
					&target_thread->reply_error.work);
1717
				wake_up_interruptible(&target_thread->wait);
1718
			} else {
1719
				/*
1720
				 * Cannot get here for normal operation, but
1721
				 * we can if multiple synchronous transactions
1722
				 * are sent without blocking for responses.
1723
				 * Just ignore the 2nd error in this case.
1724
				 */
1725
				pr_warn("Unexpected reply error: %u\n",
1726
					target_thread->reply_error.cmd);
1727
			}
1728
			binder_inner_proc_unlock(target_thread->proc);
1729
			binder_thread_dec_tmpref(target_thread);
1730
			binder_free_transaction(t);
1731
			return;
1732
		}
1733
		__release(&target_thread->proc->inner_lock);
1734
		next = t->from_parent;
1735

1736
		binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
1737
			     "send failed reply for transaction %d, target dead\n",
1738
			     t->debug_id);
1739

1740
		binder_free_transaction(t);
1741
		if (next == NULL) {
1742
			binder_debug(BINDER_DEBUG_DEAD_BINDER,
1743
				     "reply failed, no target thread at root\n");
1744
			return;
1745
		}
1746
		t = next;
1747
		binder_debug(BINDER_DEBUG_DEAD_BINDER,
1748
			     "reply failed, no target thread -- retry %d\n",
1749
			      t->debug_id);
1750
	}
1751
}
1752

1753
/**
1754
 * binder_cleanup_transaction() - cleans up undelivered transaction
1755
 * @t:		transaction that needs to be cleaned up
1756
 * @reason:	reason the transaction wasn't delivered
1757
 * @error_code:	error to return to caller (if synchronous call)
1758
 */
1759
static void binder_cleanup_transaction(struct binder_transaction *t,
1760
				       const char *reason,
1761
				       uint32_t error_code)
1762
{
1763
	if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) {
1764
		binder_send_failed_reply(t, error_code);
1765
	} else {
1766
		binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
1767
			"undelivered transaction %d, %s\n",
1768
			t->debug_id, reason);
1769
		binder_free_transaction(t);
1770
	}
1771
}
1772

1773
/**
1774
 * binder_get_object() - gets object and checks for valid metadata
1775
 * @proc:	binder_proc owning the buffer
1776
 * @u:		sender's user pointer to base of buffer
1777
 * @buffer:	binder_buffer that we're parsing.
1778
 * @offset:	offset in the @buffer at which to validate an object.
1779
 * @object:	struct binder_object to read into
1780
 *
1781
 * Copy the binder object at the given offset into @object. If @u is
1782
 * provided then the copy is from the sender's buffer. If not, then
1783
 * it is copied from the target's @buffer.
1784
 *
1785
 * Return:	If there's a valid metadata object at @offset, the
1786
 *		size of that object. Otherwise, it returns zero. The object
1787
 *		is read into the struct binder_object pointed to by @object.
1788
 */
1789
static size_t binder_get_object(struct binder_proc *proc,
1790
				const void __user *u,
1791
				struct binder_buffer *buffer,
1792
				unsigned long offset,
1793
				struct binder_object *object)
1794
{
1795
	size_t read_size;
1796
	struct binder_object_header *hdr;
1797
	size_t object_size = 0;
1798

1799
	read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
1800
	if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
1801
	    !IS_ALIGNED(offset, sizeof(u32)))
1802
		return 0;
1803

1804
	if (u) {
1805
		if (copy_from_user(object, u + offset, read_size))
1806
			return 0;
1807
	} else {
1808
		if (binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
1809
						  offset, read_size))
1810
			return 0;
1811
	}
1812

1813
	/* Ok, now see if we read a complete object. */
1814
	hdr = &object->hdr;
1815
	switch (hdr->type) {
1816
	case BINDER_TYPE_BINDER:
1817
	case BINDER_TYPE_WEAK_BINDER:
1818
	case BINDER_TYPE_HANDLE:
1819
	case BINDER_TYPE_WEAK_HANDLE:
1820
		object_size = sizeof(struct flat_binder_object);
1821
		break;
1822
	case BINDER_TYPE_FD:
1823
		object_size = sizeof(struct binder_fd_object);
1824
		break;
1825
	case BINDER_TYPE_PTR:
1826
		object_size = sizeof(struct binder_buffer_object);
1827
		break;
1828
	case BINDER_TYPE_FDA:
1829
		object_size = sizeof(struct binder_fd_array_object);
1830
		break;
1831
	default:
1832
		return 0;
1833
	}
1834
	if (offset <= buffer->data_size - object_size &&
1835
	    buffer->data_size >= object_size)
1836
		return object_size;
1837
	else
1838
		return 0;
1839
}
1840

1841
/**
1842
 * binder_validate_ptr() - validates binder_buffer_object in a binder_buffer.
1843
 * @proc:	binder_proc owning the buffer
1844
 * @b:		binder_buffer containing the object
1845
 * @object:	struct binder_object to read into
1846
 * @index:	index in offset array at which the binder_buffer_object is
1847
 *		located
1848
 * @start_offset: points to the start of the offset array
1849
 * @object_offsetp: offset of @object read from @b
1850
 * @num_valid:	the number of valid offsets in the offset array
1851
 *
1852
 * Return:	If @index is within the valid range of the offset array
1853
 *		described by @start and @num_valid, and if there's a valid
1854
 *		binder_buffer_object at the offset found in index @index
1855
 *		of the offset array, that object is returned. Otherwise,
1856
 *		%NULL is returned.
1857
 *		Note that the offset found in index @index itself is not
1858
 *		verified; this function assumes that @num_valid elements
1859
 *		from @start were previously verified to have valid offsets.
1860
 *		If @object_offsetp is non-NULL, then the offset within
1861
 *		@b is written to it.
1862
 */
1863
static struct binder_buffer_object *binder_validate_ptr(
1864
						struct binder_proc *proc,
1865
						struct binder_buffer *b,
1866
						struct binder_object *object,
1867
						binder_size_t index,
1868
						binder_size_t start_offset,
1869
						binder_size_t *object_offsetp,
1870
						binder_size_t num_valid)
1871
{
1872
	size_t object_size;
1873
	binder_size_t object_offset;
1874
	unsigned long buffer_offset;
1875

1876
	if (index >= num_valid)
1877
		return NULL;
1878

1879
	buffer_offset = start_offset + sizeof(binder_size_t) * index;
1880
	if (binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
1881
					  b, buffer_offset,
1882
					  sizeof(object_offset)))
1883
		return NULL;
1884
	object_size = binder_get_object(proc, NULL, b, object_offset, object);
1885
	if (!object_size || object->hdr.type != BINDER_TYPE_PTR)
1886
		return NULL;
1887
	if (object_offsetp)
1888
		*object_offsetp = object_offset;
1889

1890
	return &object->bbo;
1891
}
1892

1893
/**
1894
 * binder_validate_fixup() - validates pointer/fd fixups happen in order.
1895
 * @proc:		binder_proc owning the buffer
1896
 * @b:			transaction buffer
1897
 * @objects_start_offset: offset to start of objects buffer
1898
 * @buffer_obj_offset:	offset to binder_buffer_object in which to fix up
1899
 * @fixup_offset:	start offset in @buffer to fix up
1900
 * @last_obj_offset:	offset to last binder_buffer_object that we fixed
1901
 * @last_min_offset:	minimum fixup offset in object at @last_obj_offset
1902
 *
1903
 * Return:		%true if a fixup in buffer @buffer at offset @offset is
1904
 *			allowed.
1905
 *
1906
 * For safety reasons, we only allow fixups inside a buffer to happen
1907
 * at increasing offsets; additionally, we only allow fixup on the last
1908
 * buffer object that was verified, or one of its parents.
1909
 *
1910
 * Example of what is allowed:
1911
 *
1912
 * A
1913
 *   B (parent = A, offset = 0)
1914
 *   C (parent = A, offset = 16)
1915
 *     D (parent = C, offset = 0)
1916
 *   E (parent = A, offset = 32) // min_offset is 16 (C.parent_offset)
1917
 *
1918
 * Examples of what is not allowed:
1919
 *
1920
 * Decreasing offsets within the same parent:
1921
 * A
1922
 *   C (parent = A, offset = 16)
1923
 *   B (parent = A, offset = 0) // decreasing offset within A
1924
 *
1925
 * Referring to a parent that wasn't the last object or any of its parents:
1926
 * A
1927
 *   B (parent = A, offset = 0)
1928
 *   C (parent = A, offset = 0)
1929
 *   C (parent = A, offset = 16)
1930
 *     D (parent = B, offset = 0) // B is not A or any of A's parents
1931
 */
1932
static bool binder_validate_fixup(struct binder_proc *proc,
1933
				  struct binder_buffer *b,
1934
				  binder_size_t objects_start_offset,
1935
				  binder_size_t buffer_obj_offset,
1936
				  binder_size_t fixup_offset,
1937
				  binder_size_t last_obj_offset,
1938
				  binder_size_t last_min_offset)
1939
{
1940
	if (!last_obj_offset) {
1941
		/* Nothing to fix up in */
1942
		return false;
1943
	}
1944

1945
	while (last_obj_offset != buffer_obj_offset) {
1946
		unsigned long buffer_offset;
1947
		struct binder_object last_object;
1948
		struct binder_buffer_object *last_bbo;
1949
		size_t object_size = binder_get_object(proc, NULL, b,
1950
						       last_obj_offset,
1951
						       &last_object);
1952
		if (object_size != sizeof(*last_bbo))
1953
			return false;
1954

1955
		last_bbo = &last_object.bbo;
1956
		/*
1957
		 * Safe to retrieve the parent of last_obj, since it
1958
		 * was already previously verified by the driver.
1959
		 */
1960
		if ((last_bbo->flags & BINDER_BUFFER_FLAG_HAS_PARENT) == 0)
1961
			return false;
1962
		last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t);
1963
		buffer_offset = objects_start_offset +
1964
			sizeof(binder_size_t) * last_bbo->parent;
1965
		if (binder_alloc_copy_from_buffer(&proc->alloc,
1966
						  &last_obj_offset,
1967
						  b, buffer_offset,
1968
						  sizeof(last_obj_offset)))
1969
			return false;
1970
	}
1971
	return (fixup_offset >= last_min_offset);
1972
}
1973

1974
/**
1975
 * struct binder_task_work_cb - for deferred close
1976
 *
1977
 * @twork:                callback_head for task work
1978
 * @file:                 file to close
1979
 *
1980
 * Structure to pass task work to be handled after
1981
 * returning from binder_ioctl() via task_work_add().
1982
 */
1983
struct binder_task_work_cb {
1984
	struct callback_head twork;
1985
	struct file *file;
1986
};
1987

1988
/**
1989
 * binder_do_fd_close() - close list of file descriptors
1990
 * @twork:	callback head for task work
1991
 *
1992
 * It is not safe to call ksys_close() during the binder_ioctl()
1993
 * function if there is a chance that binder's own file descriptor
1994
 * might be closed. This is to meet the requirements for using
1995
 * fdget() (see comments for __fget_light()). Therefore use
1996
 * task_work_add() to schedule the close operation once we have
1997
 * returned from binder_ioctl(). This function is a callback
1998
 * for that mechanism and does the actual ksys_close() on the
1999
 * given file descriptor.
2000
 */
2001
static void binder_do_fd_close(struct callback_head *twork)
2002
{
2003
	struct binder_task_work_cb *twcb = container_of(twork,
2004
			struct binder_task_work_cb, twork);
2005

2006
	fput(twcb->file);
2007
	kfree(twcb);
2008
}
2009

2010
/**
2011
 * binder_deferred_fd_close() - schedule a close for the given file-descriptor
2012
 * @fd:		file-descriptor to close
2013
 *
2014
 * See comments in binder_do_fd_close(). This function is used to schedule
2015
 * a file-descriptor to be closed after returning from binder_ioctl().
2016
 */
2017
static void binder_deferred_fd_close(int fd)
2018
{
2019
	struct binder_task_work_cb *twcb;
2020

2021
	twcb = kzalloc(sizeof(*twcb), GFP_KERNEL);
2022
	if (!twcb)
2023
		return;
2024
	init_task_work(&twcb->twork, binder_do_fd_close);
2025
	twcb->file = file_close_fd(fd);
2026
	if (twcb->file) {
2027
		// pin it until binder_do_fd_close(); see comments there
2028
		get_file(twcb->file);
2029
		filp_close(twcb->file, current->files);
2030
		task_work_add(current, &twcb->twork, TWA_RESUME);
2031
	} else {
2032
		kfree(twcb);
2033
	}
2034
}
2035

2036
static void binder_transaction_buffer_release(struct binder_proc *proc,
2037
					      struct binder_thread *thread,
2038
					      struct binder_buffer *buffer,
2039
					      binder_size_t off_end_offset,
2040
					      bool is_failure)
2041
{
2042
	int debug_id = buffer->debug_id;
2043
	binder_size_t off_start_offset, buffer_offset;
2044

2045
	binder_debug(BINDER_DEBUG_TRANSACTION,
2046
		     "%d buffer release %d, size %zd-%zd, failed at %llx\n",
2047
		     proc->pid, buffer->debug_id,
2048
		     buffer->data_size, buffer->offsets_size,
2049
		     (unsigned long long)off_end_offset);
2050

2051
	if (buffer->target_node)
2052
		binder_dec_node(buffer->target_node, 1, 0);
2053

2054
	off_start_offset = ALIGN(buffer->data_size, sizeof(void *));
2055

2056
	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
2057
	     buffer_offset += sizeof(binder_size_t)) {
2058
		struct binder_object_header *hdr;
2059
		size_t object_size = 0;
2060
		struct binder_object object;
2061
		binder_size_t object_offset;
2062

2063
		if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
2064
						   buffer, buffer_offset,
2065
						   sizeof(object_offset)))
2066
			object_size = binder_get_object(proc, NULL, buffer,
2067
							object_offset, &object);
2068
		if (object_size == 0) {
2069
			pr_err("transaction release %d bad object at offset %lld, size %zd\n",
2070
			       debug_id, (u64)object_offset, buffer->data_size);
2071
			continue;
2072
		}
2073
		hdr = &object.hdr;
2074
		switch (hdr->type) {
2075
		case BINDER_TYPE_BINDER:
2076
		case BINDER_TYPE_WEAK_BINDER: {
2077
			struct flat_binder_object *fp;
2078
			struct binder_node *node;
2079

2080
			fp = to_flat_binder_object(hdr);
2081
			node = binder_get_node(proc, fp->binder);
2082
			if (node == NULL) {
2083
				pr_err("transaction release %d bad node %016llx\n",
2084
				       debug_id, (u64)fp->binder);
2085
				break;
2086
			}
2087
			binder_debug(BINDER_DEBUG_TRANSACTION,
2088
				     "        node %d u%016llx\n",
2089
				     node->debug_id, (u64)node->ptr);
2090
			binder_dec_node(node, hdr->type == BINDER_TYPE_BINDER,
2091
					0);
2092
			binder_put_node(node);
2093
		} break;
2094
		case BINDER_TYPE_HANDLE:
2095
		case BINDER_TYPE_WEAK_HANDLE: {
2096
			struct flat_binder_object *fp;
2097
			struct binder_ref_data rdata;
2098
			int ret;
2099

2100
			fp = to_flat_binder_object(hdr);
2101
			ret = binder_dec_ref_for_handle(proc, fp->handle,
2102
				hdr->type == BINDER_TYPE_HANDLE, &rdata);
2103

2104
			if (ret) {
2105
				pr_err("transaction release %d bad handle %d, ret = %d\n",
2106
				 debug_id, fp->handle, ret);
2107
				break;
2108
			}
2109
			binder_debug(BINDER_DEBUG_TRANSACTION,
2110
				     "        ref %d desc %d\n",
2111
				     rdata.debug_id, rdata.desc);
2112
		} break;
2113

2114
		case BINDER_TYPE_FD: {
2115
			/*
2116
			 * No need to close the file here since user-space
2117
			 * closes it for successfully delivered
2118
			 * transactions. For transactions that weren't
2119
			 * delivered, the new fd was never allocated so
2120
			 * there is no need to close and the fput on the
2121
			 * file is done when the transaction is torn
2122
			 * down.
2123
			 */
2124
		} break;
2125
		case BINDER_TYPE_PTR:
2126
			/*
2127
			 * Nothing to do here, this will get cleaned up when the
2128
			 * transaction buffer gets freed
2129
			 */
2130
			break;
2131
		case BINDER_TYPE_FDA: {
2132
			struct binder_fd_array_object *fda;
2133
			struct binder_buffer_object *parent;
2134
			struct binder_object ptr_object;
2135
			binder_size_t fda_offset;
2136
			size_t fd_index;
2137
			binder_size_t fd_buf_size;
2138
			binder_size_t num_valid;
2139

2140
			if (is_failure) {
2141
				/*
2142
				 * The fd fixups have not been applied so no
2143
				 * fds need to be closed.
2144
				 */
2145
				continue;
2146
			}
2147

2148
			num_valid = (buffer_offset - off_start_offset) /
2149
						sizeof(binder_size_t);
2150
			fda = to_binder_fd_array_object(hdr);
2151
			parent = binder_validate_ptr(proc, buffer, &ptr_object,
2152
						     fda->parent,
2153
						     off_start_offset,
2154
						     NULL,
2155
						     num_valid);
2156
			if (!parent) {
2157
				pr_err("transaction release %d bad parent offset\n",
2158
				       debug_id);
2159
				continue;
2160
			}
2161
			fd_buf_size = sizeof(u32) * fda->num_fds;
2162
			if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
2163
				pr_err("transaction release %d invalid number of fds (%lld)\n",
2164
				       debug_id, (u64)fda->num_fds);
2165
				continue;
2166
			}
2167
			if (fd_buf_size > parent->length ||
2168
			    fda->parent_offset > parent->length - fd_buf_size) {
2169
				/* No space for all file descriptors here. */
2170
				pr_err("transaction release %d not enough space for %lld fds in buffer\n",
2171
				       debug_id, (u64)fda->num_fds);
2172
				continue;
2173
			}
2174
			/*
2175
			 * the source data for binder_buffer_object is visible
2176
			 * to user-space and the @buffer element is the user
2177
			 * pointer to the buffer_object containing the fd_array.
2178
			 * Convert the address to an offset relative to
2179
			 * the base of the transaction buffer.
2180
			 */
2181
			fda_offset = parent->buffer - buffer->user_data +
2182
				fda->parent_offset;
2183
			for (fd_index = 0; fd_index < fda->num_fds;
2184
			     fd_index++) {
2185
				u32 fd;
2186
				int err;
2187
				binder_size_t offset = fda_offset +
2188
					fd_index * sizeof(fd);
2189

2190
				err = binder_alloc_copy_from_buffer(
2191
						&proc->alloc, &fd, buffer,
2192
						offset, sizeof(fd));
2193
				WARN_ON(err);
2194
				if (!err) {
2195
					binder_deferred_fd_close(fd);
2196
					/*
2197
					 * Need to make sure the thread goes
2198
					 * back to userspace to complete the
2199
					 * deferred close
2200
					 */
2201
					if (thread)
2202
						thread->looper_need_return = true;
2203
				}
2204
			}
2205
		} break;
2206
		default:
2207
			pr_err("transaction release %d bad object type %x\n",
2208
				debug_id, hdr->type);
2209
			break;
2210
		}
2211
	}
2212
}
2213

2214
/* Clean up all the objects in the buffer */
2215
static inline void binder_release_entire_buffer(struct binder_proc *proc,
2216
						struct binder_thread *thread,
2217
						struct binder_buffer *buffer,
2218
						bool is_failure)
2219
{
2220
	binder_size_t off_end_offset;
2221

2222
	off_end_offset = ALIGN(buffer->data_size, sizeof(void *));
2223
	off_end_offset += buffer->offsets_size;
2224

2225
	binder_transaction_buffer_release(proc, thread, buffer,
2226
					  off_end_offset, is_failure);
2227
}
2228

2229
static int binder_translate_binder(struct flat_binder_object *fp,
2230
				   struct binder_transaction *t,
2231
				   struct binder_thread *thread)
2232
{
2233
	struct binder_node *node;
2234
	struct binder_proc *proc = thread->proc;
2235
	struct binder_proc *target_proc = t->to_proc;
2236
	struct binder_ref_data rdata;
2237
	int ret = 0;
2238

2239
	node = binder_get_node(proc, fp->binder);
2240
	if (!node) {
2241
		node = binder_new_node(proc, fp);
2242
		if (!node)
2243
			return -ENOMEM;
2244
	}
2245
	if (fp->cookie != node->cookie) {
2246
		binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
2247
				  proc->pid, thread->pid, (u64)fp->binder,
2248
				  node->debug_id, (u64)fp->cookie,
2249
				  (u64)node->cookie);
2250
		ret = -EINVAL;
2251
		goto done;
2252
	}
2253
	if (security_binder_transfer_binder(proc->cred, target_proc->cred)) {
2254
		ret = -EPERM;
2255
		goto done;
2256
	}
2257

2258
	ret = binder_inc_ref_for_node(target_proc, node,
2259
			fp->hdr.type == BINDER_TYPE_BINDER,
2260
			&thread->todo, &rdata);
2261
	if (ret)
2262
		goto done;
2263

2264
	if (fp->hdr.type == BINDER_TYPE_BINDER)
2265
		fp->hdr.type = BINDER_TYPE_HANDLE;
2266
	else
2267
		fp->hdr.type = BINDER_TYPE_WEAK_HANDLE;
2268
	fp->binder = 0;
2269
	fp->handle = rdata.desc;
2270
	fp->cookie = 0;
2271

2272
	trace_binder_transaction_node_to_ref(t, node, &rdata);
2273
	binder_debug(BINDER_DEBUG_TRANSACTION,
2274
		     "        node %d u%016llx -> ref %d desc %d\n",
2275
		     node->debug_id, (u64)node->ptr,
2276
		     rdata.debug_id, rdata.desc);
2277
done:
2278
	binder_put_node(node);
2279
	return ret;
2280
}
2281

2282
static int binder_translate_handle(struct flat_binder_object *fp,
2283
				   struct binder_transaction *t,
2284
				   struct binder_thread *thread)
2285
{
2286
	struct binder_proc *proc = thread->proc;
2287
	struct binder_proc *target_proc = t->to_proc;
2288
	struct binder_node *node;
2289
	struct binder_ref_data src_rdata;
2290
	int ret = 0;
2291

2292
	node = binder_get_node_from_ref(proc, fp->handle,
2293
			fp->hdr.type == BINDER_TYPE_HANDLE, &src_rdata);
2294
	if (!node) {
2295
		binder_user_error("%d:%d got transaction with invalid handle, %d\n",
2296
				  proc->pid, thread->pid, fp->handle);
2297
		return -EINVAL;
2298
	}
2299
	if (security_binder_transfer_binder(proc->cred, target_proc->cred)) {
2300
		ret = -EPERM;
2301
		goto done;
2302
	}
2303

2304
	binder_node_lock(node);
2305
	if (node->proc == target_proc) {
2306
		if (fp->hdr.type == BINDER_TYPE_HANDLE)
2307
			fp->hdr.type = BINDER_TYPE_BINDER;
2308
		else
2309
			fp->hdr.type = BINDER_TYPE_WEAK_BINDER;
2310
		fp->binder = node->ptr;
2311
		fp->cookie = node->cookie;
2312
		if (node->proc)
2313
			binder_inner_proc_lock(node->proc);
2314
		else
2315
			__acquire(&node->proc->inner_lock);
2316
		binder_inc_node_nilocked(node,
2317
					 fp->hdr.type == BINDER_TYPE_BINDER,
2318
					 0, NULL);
2319
		if (node->proc)
2320
			binder_inner_proc_unlock(node->proc);
2321
		else
2322
			__release(&node->proc->inner_lock);
2323
		trace_binder_transaction_ref_to_node(t, node, &src_rdata);
2324
		binder_debug(BINDER_DEBUG_TRANSACTION,
2325
			     "        ref %d desc %d -> node %d u%016llx\n",
2326
			     src_rdata.debug_id, src_rdata.desc, node->debug_id,
2327
			     (u64)node->ptr);
2328
		binder_node_unlock(node);
2329
	} else {
2330
		struct binder_ref_data dest_rdata;
2331

2332
		binder_node_unlock(node);
2333
		ret = binder_inc_ref_for_node(target_proc, node,
2334
				fp->hdr.type == BINDER_TYPE_HANDLE,
2335
				NULL, &dest_rdata);
2336
		if (ret)
2337
			goto done;
2338

2339
		fp->binder = 0;
2340
		fp->handle = dest_rdata.desc;
2341
		fp->cookie = 0;
2342
		trace_binder_transaction_ref_to_ref(t, node, &src_rdata,
2343
						    &dest_rdata);
2344
		binder_debug(BINDER_DEBUG_TRANSACTION,
2345
			     "        ref %d desc %d -> ref %d desc %d (node %d)\n",
2346
			     src_rdata.debug_id, src_rdata.desc,
2347
			     dest_rdata.debug_id, dest_rdata.desc,
2348
			     node->debug_id);
2349
	}
2350
done:
2351
	binder_put_node(node);
2352
	return ret;
2353
}
2354

2355
static int binder_translate_fd(u32 fd, binder_size_t fd_offset,
2356
			       struct binder_transaction *t,
2357
			       struct binder_thread *thread,
2358
			       struct binder_transaction *in_reply_to)
2359
{
2360
	struct binder_proc *proc = thread->proc;
2361
	struct binder_proc *target_proc = t->to_proc;
2362
	struct binder_txn_fd_fixup *fixup;
2363
	struct file *file;
2364
	int ret = 0;
2365
	bool target_allows_fd;
2366

2367
	if (in_reply_to)
2368
		target_allows_fd = !!(in_reply_to->flags & TF_ACCEPT_FDS);
2369
	else
2370
		target_allows_fd = t->buffer->target_node->accept_fds;
2371
	if (!target_allows_fd) {
2372
		binder_user_error("%d:%d got %s with fd, %d, but target does not allow fds\n",
2373
				  proc->pid, thread->pid,
2374
				  in_reply_to ? "reply" : "transaction",
2375
				  fd);
2376
		ret = -EPERM;
2377
		goto err_fd_not_accepted;
2378
	}
2379

2380
	file = fget(fd);
2381
	if (!file) {
2382
		binder_user_error("%d:%d got transaction with invalid fd, %d\n",
2383
				  proc->pid, thread->pid, fd);
2384
		ret = -EBADF;
2385
		goto err_fget;
2386
	}
2387
	ret = security_binder_transfer_file(proc->cred, target_proc->cred, file);
2388
	if (ret < 0) {
2389
		ret = -EPERM;
2390
		goto err_security;
2391
	}
2392

2393
	/*
2394
	 * Add fixup record for this transaction. The allocation
2395
	 * of the fd in the target needs to be done from a
2396
	 * target thread.
2397
	 */
2398
	fixup = kzalloc(sizeof(*fixup), GFP_KERNEL);
2399
	if (!fixup) {
2400
		ret = -ENOMEM;
2401
		goto err_alloc;
2402
	}
2403
	fixup->file = file;
2404
	fixup->offset = fd_offset;
2405
	fixup->target_fd = -1;
2406
	trace_binder_transaction_fd_send(t, fd, fixup->offset);
2407
	list_add_tail(&fixup->fixup_entry, &t->fd_fixups);
2408

2409
	return ret;
2410

2411
err_alloc:
2412
err_security:
2413
	fput(file);
2414
err_fget:
2415
err_fd_not_accepted:
2416
	return ret;
2417
}
2418

2419
/**
2420
 * struct binder_ptr_fixup - data to be fixed-up in target buffer
2421
 * @offset	offset in target buffer to fixup
2422
 * @skip_size	bytes to skip in copy (fixup will be written later)
2423
 * @fixup_data	data to write at fixup offset
2424
 * @node	list node
2425
 *
2426
 * This is used for the pointer fixup list (pf) which is created and consumed
2427
 * during binder_transaction() and is only accessed locally. No
2428
 * locking is necessary.
2429
 *
2430
 * The list is ordered by @offset.
2431
 */
2432
struct binder_ptr_fixup {
2433
	binder_size_t offset;
2434
	size_t skip_size;
2435
	binder_uintptr_t fixup_data;
2436
	struct list_head node;
2437
};
2438

2439
/**
2440
 * struct binder_sg_copy - scatter-gather data to be copied
2441
 * @offset		offset in target buffer
2442
 * @sender_uaddr	user address in source buffer
2443
 * @length		bytes to copy
2444
 * @node		list node
2445
 *
2446
 * This is used for the sg copy list (sgc) which is created and consumed
2447
 * during binder_transaction() and is only accessed locally. No
2448
 * locking is necessary.
2449
 *
2450
 * The list is ordered by @offset.
2451
 */
2452
struct binder_sg_copy {
2453
	binder_size_t offset;
2454
	const void __user *sender_uaddr;
2455
	size_t length;
2456
	struct list_head node;
2457
};
2458

2459
/**
2460
 * binder_do_deferred_txn_copies() - copy and fixup scatter-gather data
2461
 * @alloc:	binder_alloc associated with @buffer
2462
 * @buffer:	binder buffer in target process
2463
 * @sgc_head:	list_head of scatter-gather copy list
2464
 * @pf_head:	list_head of pointer fixup list
2465
 *
2466
 * Processes all elements of @sgc_head, applying fixups from @pf_head
2467
 * and copying the scatter-gather data from the source process' user
2468
 * buffer to the target's buffer. It is expected that the list creation
2469
 * and processing all occurs during binder_transaction() so these lists
2470
 * are only accessed in local context.
2471
 *
2472
 * Return: 0=success, else -errno
2473
 */
2474
static int binder_do_deferred_txn_copies(struct binder_alloc *alloc,
2475
					 struct binder_buffer *buffer,
2476
					 struct list_head *sgc_head,
2477
					 struct list_head *pf_head)
2478
{
2479
	int ret = 0;
2480
	struct binder_sg_copy *sgc, *tmpsgc;
2481
	struct binder_ptr_fixup *tmppf;
2482
	struct binder_ptr_fixup *pf =
2483
		list_first_entry_or_null(pf_head, struct binder_ptr_fixup,
2484
					 node);
2485

2486
	list_for_each_entry_safe(sgc, tmpsgc, sgc_head, node) {
2487
		size_t bytes_copied = 0;
2488

2489
		while (bytes_copied < sgc->length) {
2490
			size_t copy_size;
2491
			size_t bytes_left = sgc->length - bytes_copied;
2492
			size_t offset = sgc->offset + bytes_copied;
2493

2494
			/*
2495
			 * We copy up to the fixup (pointed to by pf)
2496
			 */
2497
			copy_size = pf ? min(bytes_left, (size_t)pf->offset - offset)
2498
				       : bytes_left;
2499
			if (!ret && copy_size)
2500
				ret = binder_alloc_copy_user_to_buffer(
2501
						alloc, buffer,
2502
						offset,
2503
						sgc->sender_uaddr + bytes_copied,
2504
						copy_size);
2505
			bytes_copied += copy_size;
2506
			if (copy_size != bytes_left) {
2507
				BUG_ON(!pf);
2508
				/* we stopped at a fixup offset */
2509
				if (pf->skip_size) {
2510
					/*
2511
					 * we are just skipping. This is for
2512
					 * BINDER_TYPE_FDA where the translated
2513
					 * fds will be fixed up when we get
2514
					 * to target context.
2515
					 */
2516
					bytes_copied += pf->skip_size;
2517
				} else {
2518
					/* apply the fixup indicated by pf */
2519
					if (!ret)
2520
						ret = binder_alloc_copy_to_buffer(
2521
							alloc, buffer,
2522
							pf->offset,
2523
							&pf->fixup_data,
2524
							sizeof(pf->fixup_data));
2525
					bytes_copied += sizeof(pf->fixup_data);
2526
				}
2527
				list_del(&pf->node);
2528
				kfree(pf);
2529
				pf = list_first_entry_or_null(pf_head,
2530
						struct binder_ptr_fixup, node);
2531
			}
2532
		}
2533
		list_del(&sgc->node);
2534
		kfree(sgc);
2535
	}
2536
	list_for_each_entry_safe(pf, tmppf, pf_head, node) {
2537
		BUG_ON(pf->skip_size == 0);
2538
		list_del(&pf->node);
2539
		kfree(pf);
2540
	}
2541
	BUG_ON(!list_empty(sgc_head));
2542

2543
	return ret > 0 ? -EINVAL : ret;
2544
}
2545

2546
/**
2547
 * binder_cleanup_deferred_txn_lists() - free specified lists
2548
 * @sgc_head:	list_head of scatter-gather copy list
2549
 * @pf_head:	list_head of pointer fixup list
2550
 *
2551
 * Called to clean up @sgc_head and @pf_head if there is an
2552
 * error.
2553
 */
2554
static void binder_cleanup_deferred_txn_lists(struct list_head *sgc_head,
2555
					      struct list_head *pf_head)
2556
{
2557
	struct binder_sg_copy *sgc, *tmpsgc;
2558
	struct binder_ptr_fixup *pf, *tmppf;
2559

2560
	list_for_each_entry_safe(sgc, tmpsgc, sgc_head, node) {
2561
		list_del(&sgc->node);
2562
		kfree(sgc);
2563
	}
2564
	list_for_each_entry_safe(pf, tmppf, pf_head, node) {
2565
		list_del(&pf->node);
2566
		kfree(pf);
2567
	}
2568
}
2569

2570
/**
2571
 * binder_defer_copy() - queue a scatter-gather buffer for copy
2572
 * @sgc_head:		list_head of scatter-gather copy list
2573
 * @offset:		binder buffer offset in target process
2574
 * @sender_uaddr:	user address in source process
2575
 * @length:		bytes to copy
2576
 *
2577
 * Specify a scatter-gather block to be copied. The actual copy must
2578
 * be deferred until all the needed fixups are identified and queued.
2579
 * Then the copy and fixups are done together so un-translated values
2580
 * from the source are never visible in the target buffer.
2581
 *
2582
 * We are guaranteed that repeated calls to this function will have
2583
 * monotonically increasing @offset values so the list will naturally
2584
 * be ordered.
2585
 *
2586
 * Return: 0=success, else -errno
2587
 */
2588
static int binder_defer_copy(struct list_head *sgc_head, binder_size_t offset,
2589
			     const void __user *sender_uaddr, size_t length)
2590
{
2591
	struct binder_sg_copy *bc = kzalloc(sizeof(*bc), GFP_KERNEL);
2592

2593
	if (!bc)
2594
		return -ENOMEM;
2595

2596
	bc->offset = offset;
2597
	bc->sender_uaddr = sender_uaddr;
2598
	bc->length = length;
2599
	INIT_LIST_HEAD(&bc->node);
2600

2601
	/*
2602
	 * We are guaranteed that the deferred copies are in-order
2603
	 * so just add to the tail.
2604
	 */
2605
	list_add_tail(&bc->node, sgc_head);
2606

2607
	return 0;
2608
}
2609

2610
/**
2611
 * binder_add_fixup() - queue a fixup to be applied to sg copy
2612
 * @pf_head:	list_head of binder ptr fixup list
2613
 * @offset:	binder buffer offset in target process
2614
 * @fixup:	bytes to be copied for fixup
2615
 * @skip_size:	bytes to skip when copying (fixup will be applied later)
2616
 *
2617
 * Add the specified fixup to a list ordered by @offset. When copying
2618
 * the scatter-gather buffers, the fixup will be copied instead of
2619
 * data from the source buffer. For BINDER_TYPE_FDA fixups, the fixup
2620
 * will be applied later (in target process context), so we just skip
2621
 * the bytes specified by @skip_size. If @skip_size is 0, we copy the
2622
 * value in @fixup.
2623
 *
2624
 * This function is called *mostly* in @offset order, but there are
2625
 * exceptions. Since out-of-order inserts are relatively uncommon,
2626
 * we insert the new element by searching backward from the tail of
2627
 * the list.
2628
 *
2629
 * Return: 0=success, else -errno
2630
 */
2631
static int binder_add_fixup(struct list_head *pf_head, binder_size_t offset,
2632
			    binder_uintptr_t fixup, size_t skip_size)
2633
{
2634
	struct binder_ptr_fixup *pf = kzalloc(sizeof(*pf), GFP_KERNEL);
2635
	struct binder_ptr_fixup *tmppf;
2636

2637
	if (!pf)
2638
		return -ENOMEM;
2639

2640
	pf->offset = offset;
2641
	pf->fixup_data = fixup;
2642
	pf->skip_size = skip_size;
2643
	INIT_LIST_HEAD(&pf->node);
2644

2645
	/* Fixups are *mostly* added in-order, but there are some
2646
	 * exceptions. Look backwards through list for insertion point.
2647
	 */
2648
	list_for_each_entry_reverse(tmppf, pf_head, node) {
2649
		if (tmppf->offset < pf->offset) {
2650
			list_add(&pf->node, &tmppf->node);
2651
			return 0;
2652
		}
2653
	}
2654
	/*
2655
	 * if we get here, then the new offset is the lowest so
2656
	 * insert at the head
2657
	 */
2658
	list_add(&pf->node, pf_head);
2659
	return 0;
2660
}
2661

2662
static int binder_translate_fd_array(struct list_head *pf_head,
2663
				     struct binder_fd_array_object *fda,
2664
				     const void __user *sender_ubuffer,
2665
				     struct binder_buffer_object *parent,
2666
				     struct binder_buffer_object *sender_uparent,
2667
				     struct binder_transaction *t,
2668
				     struct binder_thread *thread,
2669
				     struct binder_transaction *in_reply_to)
2670
{
2671
	binder_size_t fdi, fd_buf_size;
2672
	binder_size_t fda_offset;
2673
	const void __user *sender_ufda_base;
2674
	struct binder_proc *proc = thread->proc;
2675
	int ret;
2676

2677
	if (fda->num_fds == 0)
2678
		return 0;
2679

2680
	fd_buf_size = sizeof(u32) * fda->num_fds;
2681
	if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
2682
		binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
2683
				  proc->pid, thread->pid, (u64)fda->num_fds);
2684
		return -EINVAL;
2685
	}
2686
	if (fd_buf_size > parent->length ||
2687
	    fda->parent_offset > parent->length - fd_buf_size) {
2688
		/* No space for all file descriptors here. */
2689
		binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
2690
				  proc->pid, thread->pid, (u64)fda->num_fds);
2691
		return -EINVAL;
2692
	}
2693
	/*
2694
	 * the source data for binder_buffer_object is visible
2695
	 * to user-space and the @buffer element is the user
2696
	 * pointer to the buffer_object containing the fd_array.
2697
	 * Convert the address to an offset relative to
2698
	 * the base of the transaction buffer.
2699
	 */
2700
	fda_offset = parent->buffer - t->buffer->user_data +
2701
		fda->parent_offset;
2702
	sender_ufda_base = (void __user *)(uintptr_t)sender_uparent->buffer +
2703
				fda->parent_offset;
2704

2705
	if (!IS_ALIGNED((unsigned long)fda_offset, sizeof(u32)) ||
2706
	    !IS_ALIGNED((unsigned long)sender_ufda_base, sizeof(u32))) {
2707
		binder_user_error("%d:%d parent offset not aligned correctly.\n",
2708
				  proc->pid, thread->pid);
2709
		return -EINVAL;
2710
	}
2711
	ret = binder_add_fixup(pf_head, fda_offset, 0, fda->num_fds * sizeof(u32));
2712
	if (ret)
2713
		return ret;
2714

2715
	for (fdi = 0; fdi < fda->num_fds; fdi++) {
2716
		u32 fd;
2717
		binder_size_t offset = fda_offset + fdi * sizeof(fd);
2718
		binder_size_t sender_uoffset = fdi * sizeof(fd);
2719

2720
		ret = copy_from_user(&fd, sender_ufda_base + sender_uoffset, sizeof(fd));
2721
		if (!ret)
2722
			ret = binder_translate_fd(fd, offset, t, thread,
2723
						  in_reply_to);
2724
		if (ret)
2725
			return ret > 0 ? -EINVAL : ret;
2726
	}
2727
	return 0;
2728
}
2729

2730
static int binder_fixup_parent(struct list_head *pf_head,
2731
			       struct binder_transaction *t,
2732
			       struct binder_thread *thread,
2733
			       struct binder_buffer_object *bp,
2734
			       binder_size_t off_start_offset,
2735
			       binder_size_t num_valid,
2736
			       binder_size_t last_fixup_obj_off,
2737
			       binder_size_t last_fixup_min_off)
2738
{
2739
	struct binder_buffer_object *parent;
2740
	struct binder_buffer *b = t->buffer;
2741
	struct binder_proc *proc = thread->proc;
2742
	struct binder_proc *target_proc = t->to_proc;
2743
	struct binder_object object;
2744
	binder_size_t buffer_offset;
2745
	binder_size_t parent_offset;
2746

2747
	if (!(bp->flags & BINDER_BUFFER_FLAG_HAS_PARENT))
2748
		return 0;
2749

2750
	parent = binder_validate_ptr(target_proc, b, &object, bp->parent,
2751
				     off_start_offset, &parent_offset,
2752
				     num_valid);
2753
	if (!parent) {
2754
		binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
2755
				  proc->pid, thread->pid);
2756
		return -EINVAL;
2757
	}
2758

2759
	if (!binder_validate_fixup(target_proc, b, off_start_offset,
2760
				   parent_offset, bp->parent_offset,
2761
				   last_fixup_obj_off,
2762
				   last_fixup_min_off)) {
2763
		binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
2764
				  proc->pid, thread->pid);
2765
		return -EINVAL;
2766
	}
2767

2768
	if (parent->length < sizeof(binder_uintptr_t) ||
2769
	    bp->parent_offset > parent->length - sizeof(binder_uintptr_t)) {
2770
		/* No space for a pointer here! */
2771
		binder_user_error("%d:%d got transaction with invalid parent offset\n",
2772
				  proc->pid, thread->pid);
2773
		return -EINVAL;
2774
	}
2775

2776
	buffer_offset = bp->parent_offset + parent->buffer - b->user_data;
2777

2778
	return binder_add_fixup(pf_head, buffer_offset, bp->buffer, 0);
2779
}
2780

2781
/**
2782
 * binder_can_update_transaction() - Can a txn be superseded by an updated one?
2783
 * @t1: the pending async txn in the frozen process
2784
 * @t2: the new async txn to supersede the outdated pending one
2785
 *
2786
 * Return:  true if t2 can supersede t1
2787
 *          false if t2 can not supersede t1
2788
 */
2789
static bool binder_can_update_transaction(struct binder_transaction *t1,
2790
					  struct binder_transaction *t2)
2791
{
2792
	if ((t1->flags & t2->flags & (TF_ONE_WAY | TF_UPDATE_TXN)) !=
2793
	    (TF_ONE_WAY | TF_UPDATE_TXN) || !t1->to_proc || !t2->to_proc)
2794
		return false;
2795
	if (t1->to_proc->tsk == t2->to_proc->tsk && t1->code == t2->code &&
2796
	    t1->flags == t2->flags && t1->buffer->pid == t2->buffer->pid &&
2797
	    t1->buffer->target_node->ptr == t2->buffer->target_node->ptr &&
2798
	    t1->buffer->target_node->cookie == t2->buffer->target_node->cookie)
2799
		return true;
2800
	return false;
2801
}
2802

2803
/**
2804
 * binder_find_outdated_transaction_ilocked() - Find the outdated transaction
2805
 * @t:		 new async transaction
2806
 * @target_list: list to find outdated transaction
2807
 *
2808
 * Return: the outdated transaction if found
2809
 *         NULL if no outdated transacton can be found
2810
 *
2811
 * Requires the proc->inner_lock to be held.
2812
 */
2813
static struct binder_transaction *
2814
binder_find_outdated_transaction_ilocked(struct binder_transaction *t,
2815
					 struct list_head *target_list)
2816
{
2817
	struct binder_work *w;
2818

2819
	list_for_each_entry(w, target_list, entry) {
2820
		struct binder_transaction *t_queued;
2821

2822
		if (w->type != BINDER_WORK_TRANSACTION)
2823
			continue;
2824
		t_queued = container_of(w, struct binder_transaction, work);
2825
		if (binder_can_update_transaction(t_queued, t))
2826
			return t_queued;
2827
	}
2828
	return NULL;
2829
}
2830

2831
/**
2832
 * binder_proc_transaction() - sends a transaction to a process and wakes it up
2833
 * @t:		transaction to send
2834
 * @proc:	process to send the transaction to
2835
 * @thread:	thread in @proc to send the transaction to (may be NULL)
2836
 *
2837
 * This function queues a transaction to the specified process. It will try
2838
 * to find a thread in the target process to handle the transaction and
2839
 * wake it up. If no thread is found, the work is queued to the proc
2840
 * waitqueue.
2841
 *
2842
 * If the @thread parameter is not NULL, the transaction is always queued
2843
 * to the waitlist of that specific thread.
2844
 *
2845
 * Return:	0 if the transaction was successfully queued
2846
 *		BR_DEAD_REPLY if the target process or thread is dead
2847
 *		BR_FROZEN_REPLY if the target process or thread is frozen and
2848
 *			the sync transaction was rejected
2849
 *		BR_TRANSACTION_PENDING_FROZEN if the target process is frozen
2850
 *		and the async transaction was successfully queued
2851
 */
2852
static int binder_proc_transaction(struct binder_transaction *t,
2853
				    struct binder_proc *proc,
2854
				    struct binder_thread *thread)
2855
{
2856
	struct binder_node *node = t->buffer->target_node;
2857
	bool oneway = !!(t->flags & TF_ONE_WAY);
2858
	bool pending_async = false;
2859
	struct binder_transaction *t_outdated = NULL;
2860
	bool frozen = false;
2861

2862
	BUG_ON(!node);
2863
	binder_node_lock(node);
2864
	if (oneway) {
2865
		BUG_ON(thread);
2866
		if (node->has_async_transaction)
2867
			pending_async = true;
2868
		else
2869
			node->has_async_transaction = true;
2870
	}
2871

2872
	binder_inner_proc_lock(proc);
2873
	if (proc->is_frozen) {
2874
		frozen = true;
2875
		proc->sync_recv |= !oneway;
2876
		proc->async_recv |= oneway;
2877
	}
2878

2879
	if ((frozen && !oneway) || proc->is_dead ||
2880
			(thread && thread->is_dead)) {
2881
		binder_inner_proc_unlock(proc);
2882
		binder_node_unlock(node);
2883
		return frozen ? BR_FROZEN_REPLY : BR_DEAD_REPLY;
2884
	}
2885

2886
	if (!thread && !pending_async)
2887
		thread = binder_select_thread_ilocked(proc);
2888

2889
	if (thread) {
2890
		binder_enqueue_thread_work_ilocked(thread, &t->work);
2891
	} else if (!pending_async) {
2892
		binder_enqueue_work_ilocked(&t->work, &proc->todo);
2893
	} else {
2894
		if ((t->flags & TF_UPDATE_TXN) && frozen) {
2895
			t_outdated = binder_find_outdated_transaction_ilocked(t,
2896
									      &node->async_todo);
2897
			if (t_outdated) {
2898
				binder_debug(BINDER_DEBUG_TRANSACTION,
2899
					     "txn %d supersedes %d\n",
2900
					     t->debug_id, t_outdated->debug_id);
2901
				list_del_init(&t_outdated->work.entry);
2902
				proc->outstanding_txns--;
2903
			}
2904
		}
2905
		binder_enqueue_work_ilocked(&t->work, &node->async_todo);
2906
	}
2907

2908
	if (!pending_async)
2909
		binder_wakeup_thread_ilocked(proc, thread, !oneway /* sync */);
2910

2911
	proc->outstanding_txns++;
2912
	binder_inner_proc_unlock(proc);
2913
	binder_node_unlock(node);
2914

2915
	/*
2916
	 * To reduce potential contention, free the outdated transaction and
2917
	 * buffer after releasing the locks.
2918
	 */
2919
	if (t_outdated) {
2920
		struct binder_buffer *buffer = t_outdated->buffer;
2921

2922
		t_outdated->buffer = NULL;
2923
		buffer->transaction = NULL;
2924
		trace_binder_transaction_update_buffer_release(buffer);
2925
		binder_release_entire_buffer(proc, NULL, buffer, false);
2926
		binder_alloc_free_buf(&proc->alloc, buffer);
2927
		kfree(t_outdated);
2928
		binder_stats_deleted(BINDER_STAT_TRANSACTION);
2929
	}
2930

2931
	if (oneway && frozen)
2932
		return BR_TRANSACTION_PENDING_FROZEN;
2933

2934
	return 0;
2935
}
2936

2937
/**
2938
 * binder_get_node_refs_for_txn() - Get required refs on node for txn
2939
 * @node:         struct binder_node for which to get refs
2940
 * @procp:        returns @node->proc if valid
2941
 * @error:        if no @procp then returns BR_DEAD_REPLY
2942
 *
2943
 * User-space normally keeps the node alive when creating a transaction
2944
 * since it has a reference to the target. The local strong ref keeps it
2945
 * alive if the sending process dies before the target process processes
2946
 * the transaction. If the source process is malicious or has a reference
2947
 * counting bug, relying on the local strong ref can fail.
2948
 *
2949
 * Since user-space can cause the local strong ref to go away, we also take
2950
 * a tmpref on the node to ensure it survives while we are constructing
2951
 * the transaction. We also need a tmpref on the proc while we are
2952
 * constructing the transaction, so we take that here as well.
2953
 *
2954
 * Return: The target_node with refs taken or NULL if no @node->proc is NULL.
2955
 * Also sets @procp if valid. If the @node->proc is NULL indicating that the
2956
 * target proc has died, @error is set to BR_DEAD_REPLY.
2957
 */
2958
static struct binder_node *binder_get_node_refs_for_txn(
2959
		struct binder_node *node,
2960
		struct binder_proc **procp,
2961
		uint32_t *error)
2962
{
2963
	struct binder_node *target_node = NULL;
2964

2965
	binder_node_inner_lock(node);
2966
	if (node->proc) {
2967
		target_node = node;
2968
		binder_inc_node_nilocked(node, 1, 0, NULL);
2969
		binder_inc_node_tmpref_ilocked(node);
2970
		node->proc->tmp_ref++;
2971
		*procp = node->proc;
2972
	} else
2973
		*error = BR_DEAD_REPLY;
2974
	binder_node_inner_unlock(node);
2975

2976
	return target_node;
2977
}
2978

2979
static void binder_set_txn_from_error(struct binder_transaction *t, int id,
2980
				      uint32_t command, int32_t param)
2981
{
2982
	struct binder_thread *from = binder_get_txn_from_and_acq_inner(t);
2983

2984
	if (!from) {
2985
		/* annotation for sparse */
2986
		__release(&from->proc->inner_lock);
2987
		return;
2988
	}
2989

2990
	/* don't override existing errors */
2991
	if (from->ee.command == BR_OK)
2992
		binder_set_extended_error(&from->ee, id, command, param);
2993
	binder_inner_proc_unlock(from->proc);
2994
	binder_thread_dec_tmpref(from);
2995
}
2996

2997
/**
2998
 * binder_netlink_report() - report a transaction failure via netlink
2999
 * @proc:	the binder proc sending the transaction
3000
 * @t:		the binder transaction that failed
3001
 * @data_size:	the user provided data size for the transaction
3002
 * @error:	enum binder_driver_return_protocol returned to sender
3003
 */
3004
static void binder_netlink_report(struct binder_proc *proc,
3005
				  struct binder_transaction *t,
3006
				  u32 data_size,
3007
				  u32 error)
3008
{
3009
	const char *context = proc->context->name;
3010
	struct sk_buff *skb;
3011
	void *hdr;
3012

3013
	if (!genl_has_listeners(&binder_nl_family, &init_net,
3014
				BINDER_NLGRP_REPORT))
3015
		return;
3016

3017
	trace_binder_netlink_report(context, t, data_size, error);
3018

3019
	skb = genlmsg_new(GENLMSG_DEFAULT_SIZE, GFP_KERNEL);
3020
	if (!skb)
3021
		return;
3022

3023
	hdr = genlmsg_put(skb, 0, 0, &binder_nl_family, 0, BINDER_CMD_REPORT);
3024
	if (!hdr)
3025
		goto free_skb;
3026

3027
	if (nla_put_u32(skb, BINDER_A_REPORT_ERROR, error) ||
3028
	    nla_put_string(skb, BINDER_A_REPORT_CONTEXT, context) ||
3029
	    nla_put_u32(skb, BINDER_A_REPORT_FROM_PID, t->from_pid) ||
3030
	    nla_put_u32(skb, BINDER_A_REPORT_FROM_TID, t->from_tid))
3031
		goto cancel_skb;
3032

3033
	if (t->to_proc &&
3034
	    nla_put_u32(skb, BINDER_A_REPORT_TO_PID, t->to_proc->pid))
3035
		goto cancel_skb;
3036

3037
	if (t->to_thread &&
3038
	    nla_put_u32(skb, BINDER_A_REPORT_TO_TID, t->to_thread->pid))
3039
		goto cancel_skb;
3040

3041
	if (t->is_reply && nla_put_flag(skb, BINDER_A_REPORT_IS_REPLY))
3042
		goto cancel_skb;
3043

3044
	if (nla_put_u32(skb, BINDER_A_REPORT_FLAGS, t->flags) ||
3045
	    nla_put_u32(skb, BINDER_A_REPORT_CODE, t->code) ||
3046
	    nla_put_u32(skb, BINDER_A_REPORT_DATA_SIZE, data_size))
3047
		goto cancel_skb;
3048

3049
	genlmsg_end(skb, hdr);
3050
	genlmsg_multicast(&binder_nl_family, skb, 0, BINDER_NLGRP_REPORT,
3051
			  GFP_KERNEL);
3052
	return;
3053

3054
cancel_skb:
3055
	genlmsg_cancel(skb, hdr);
3056
free_skb:
3057
	nlmsg_free(skb);
3058
}
3059

3060
static void binder_transaction(struct binder_proc *proc,
3061
			       struct binder_thread *thread,
3062
			       struct binder_transaction_data *tr, int reply,
3063
			       binder_size_t extra_buffers_size)
3064
{
3065
	int ret;
3066
	struct binder_transaction *t;
3067
	struct binder_work *w;
3068
	struct binder_work *tcomplete;
3069
	binder_size_t buffer_offset = 0;
3070
	binder_size_t off_start_offset, off_end_offset;
3071
	binder_size_t off_min;
3072
	binder_size_t sg_buf_offset, sg_buf_end_offset;
3073
	binder_size_t user_offset = 0;
3074
	struct binder_proc *target_proc = NULL;
3075
	struct binder_thread *target_thread = NULL;
3076
	struct binder_node *target_node = NULL;
3077
	struct binder_transaction *in_reply_to = NULL;
3078
	struct binder_transaction_log_entry *e;
3079
	uint32_t return_error = 0;
3080
	uint32_t return_error_param = 0;
3081
	uint32_t return_error_line = 0;
3082
	binder_size_t last_fixup_obj_off = 0;
3083
	binder_size_t last_fixup_min_off = 0;
3084
	struct binder_context *context = proc->context;
3085
	int t_debug_id = atomic_inc_return(&binder_last_id);
3086
	ktime_t t_start_time = ktime_get();
3087
	struct lsm_context lsmctx = { };
3088
	struct list_head sgc_head;
3089
	struct list_head pf_head;
3090
	const void __user *user_buffer = (const void __user *)
3091
				(uintptr_t)tr->data.ptr.buffer;
3092
	INIT_LIST_HEAD(&sgc_head);
3093
	INIT_LIST_HEAD(&pf_head);
3094

3095
	e = binder_transaction_log_add(&binder_transaction_log);
3096
	e->debug_id = t_debug_id;
3097
	e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
3098
	e->from_proc = proc->pid;
3099
	e->from_thread = thread->pid;
3100
	e->target_handle = tr->target.handle;
3101
	e->data_size = tr->data_size;
3102
	e->offsets_size = tr->offsets_size;
3103
	strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME);
3104

3105
	binder_inner_proc_lock(proc);
3106
	binder_set_extended_error(&thread->ee, t_debug_id, BR_OK, 0);
3107
	binder_inner_proc_unlock(proc);
3108

3109
	t = kzalloc(sizeof(*t), GFP_KERNEL);
3110
	if (!t) {
3111
		binder_txn_error("%d:%d cannot allocate transaction\n",
3112
				 thread->pid, proc->pid);
3113
		return_error = BR_FAILED_REPLY;
3114
		return_error_param = -ENOMEM;
3115
		return_error_line = __LINE__;
3116
		goto err_alloc_t_failed;
3117
	}
3118
	INIT_LIST_HEAD(&t->fd_fixups);
3119
	binder_stats_created(BINDER_STAT_TRANSACTION);
3120
	spin_lock_init(&t->lock);
3121
	t->debug_id = t_debug_id;
3122
	t->start_time = t_start_time;
3123
	t->from_pid = proc->pid;
3124
	t->from_tid = thread->pid;
3125
	t->sender_euid = task_euid(proc->tsk);
3126
	t->code = tr->code;
3127
	t->flags = tr->flags;
3128
	t->priority = task_nice(current);
3129
	t->work.type = BINDER_WORK_TRANSACTION;
3130
	t->is_async = !reply && (tr->flags & TF_ONE_WAY);
3131
	t->is_reply = reply;
3132
	if (!reply && !(tr->flags & TF_ONE_WAY))
3133
		t->from = thread;
3134

3135
	if (reply) {
3136
		binder_inner_proc_lock(proc);
3137
		in_reply_to = thread->transaction_stack;
3138
		if (in_reply_to == NULL) {
3139
			binder_inner_proc_unlock(proc);
3140
			binder_user_error("%d:%d got reply transaction with no transaction stack\n",
3141
					  proc->pid, thread->pid);
3142
			return_error = BR_FAILED_REPLY;
3143
			return_error_param = -EPROTO;
3144
			return_error_line = __LINE__;
3145
			goto err_empty_call_stack;
3146
		}
3147
		if (in_reply_to->to_thread != thread) {
3148
			spin_lock(&in_reply_to->lock);
3149
			binder_user_error("%d:%d got reply transaction with bad transaction stack, transaction %d has target %d:%d\n",
3150
				proc->pid, thread->pid, in_reply_to->debug_id,
3151
				in_reply_to->to_proc ?
3152
				in_reply_to->to_proc->pid : 0,
3153
				in_reply_to->to_thread ?
3154
				in_reply_to->to_thread->pid : 0);
3155
			spin_unlock(&in_reply_to->lock);
3156
			binder_inner_proc_unlock(proc);
3157
			return_error = BR_FAILED_REPLY;
3158
			return_error_param = -EPROTO;
3159
			return_error_line = __LINE__;
3160
			in_reply_to = NULL;
3161
			goto err_bad_call_stack;
3162
		}
3163
		thread->transaction_stack = in_reply_to->to_parent;
3164
		binder_inner_proc_unlock(proc);
3165
		binder_set_nice(in_reply_to->saved_priority);
3166
		target_thread = binder_get_txn_from_and_acq_inner(in_reply_to);
3167
		if (target_thread == NULL) {
3168
			/* annotation for sparse */
3169
			__release(&target_thread->proc->inner_lock);
3170
			binder_txn_error("%d:%d reply target not found\n",
3171
				thread->pid, proc->pid);
3172
			return_error = BR_DEAD_REPLY;
3173
			return_error_line = __LINE__;
3174
			goto err_dead_binder;
3175
		}
3176
		if (target_thread->transaction_stack != in_reply_to) {
3177
			binder_user_error("%d:%d got reply transaction with bad target transaction stack %d, expected %d\n",
3178
				proc->pid, thread->pid,
3179
				target_thread->transaction_stack ?
3180
				target_thread->transaction_stack->debug_id : 0,
3181
				in_reply_to->debug_id);
3182
			binder_inner_proc_unlock(target_thread->proc);
3183
			return_error = BR_FAILED_REPLY;
3184
			return_error_param = -EPROTO;
3185
			return_error_line = __LINE__;
3186
			in_reply_to = NULL;
3187
			target_thread = NULL;
3188
			goto err_dead_binder;
3189
		}
3190
		target_proc = target_thread->proc;
3191
		target_proc->tmp_ref++;
3192
		binder_inner_proc_unlock(target_thread->proc);
3193
	} else {
3194
		if (tr->target.handle) {
3195
			struct binder_ref *ref;
3196

3197
			/*
3198
			 * There must already be a strong ref
3199
			 * on this node. If so, do a strong
3200
			 * increment on the node to ensure it
3201
			 * stays alive until the transaction is
3202
			 * done.
3203
			 */
3204
			binder_proc_lock(proc);
3205
			ref = binder_get_ref_olocked(proc, tr->target.handle,
3206
						     true);
3207
			if (ref) {
3208
				target_node = binder_get_node_refs_for_txn(
3209
						ref->node, &target_proc,
3210
						&return_error);
3211
			} else {
3212
				binder_user_error("%d:%d got transaction to invalid handle, %u\n",
3213
						  proc->pid, thread->pid, tr->target.handle);
3214
				return_error = BR_FAILED_REPLY;
3215
			}
3216
			binder_proc_unlock(proc);
3217
		} else {
3218
			mutex_lock(&context->context_mgr_node_lock);
3219
			target_node = context->binder_context_mgr_node;
3220
			if (target_node)
3221
				target_node = binder_get_node_refs_for_txn(
3222
						target_node, &target_proc,
3223
						&return_error);
3224
			else
3225
				return_error = BR_DEAD_REPLY;
3226
			mutex_unlock(&context->context_mgr_node_lock);
3227
			if (target_node && target_proc->pid == proc->pid) {
3228
				binder_user_error("%d:%d got transaction to context manager from process owning it\n",
3229
						  proc->pid, thread->pid);
3230
				return_error = BR_FAILED_REPLY;
3231
				return_error_param = -EINVAL;
3232
				return_error_line = __LINE__;
3233
				goto err_invalid_target_handle;
3234
			}
3235
		}
3236
		if (!target_node) {
3237
			binder_txn_error("%d:%d cannot find target node\n",
3238
					 proc->pid, thread->pid);
3239
			/* return_error is set above */
3240
			return_error_param = -EINVAL;
3241
			return_error_line = __LINE__;
3242
			goto err_dead_binder;
3243
		}
3244
		e->to_node = target_node->debug_id;
3245
		if (WARN_ON(proc == target_proc)) {
3246
			binder_txn_error("%d:%d self transactions not allowed\n",
3247
				thread->pid, proc->pid);
3248
			return_error = BR_FAILED_REPLY;
3249
			return_error_param = -EINVAL;
3250
			return_error_line = __LINE__;
3251
			goto err_invalid_target_handle;
3252
		}
3253
		if (security_binder_transaction(proc->cred,
3254
						target_proc->cred) < 0) {
3255
			binder_txn_error("%d:%d transaction credentials failed\n",
3256
				thread->pid, proc->pid);
3257
			return_error = BR_FAILED_REPLY;
3258
			return_error_param = -EPERM;
3259
			return_error_line = __LINE__;
3260
			goto err_invalid_target_handle;
3261
		}
3262
		binder_inner_proc_lock(proc);
3263

3264
		w = list_first_entry_or_null(&thread->todo,
3265
					     struct binder_work, entry);
3266
		if (!(tr->flags & TF_ONE_WAY) && w &&
3267
		    w->type == BINDER_WORK_TRANSACTION) {
3268
			/*
3269
			 * Do not allow new outgoing transaction from a
3270
			 * thread that has a transaction at the head of
3271
			 * its todo list. Only need to check the head
3272
			 * because binder_select_thread_ilocked picks a
3273
			 * thread from proc->waiting_threads to enqueue
3274
			 * the transaction, and nothing is queued to the
3275
			 * todo list while the thread is on waiting_threads.
3276
			 */
3277
			binder_user_error("%d:%d new transaction not allowed when there is a transaction on thread todo\n",
3278
					  proc->pid, thread->pid);
3279
			binder_inner_proc_unlock(proc);
3280
			return_error = BR_FAILED_REPLY;
3281
			return_error_param = -EPROTO;
3282
			return_error_line = __LINE__;
3283
			goto err_bad_todo_list;
3284
		}
3285

3286
		if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {
3287
			struct binder_transaction *tmp;
3288

3289
			tmp = thread->transaction_stack;
3290
			if (tmp->to_thread != thread) {
3291
				spin_lock(&tmp->lock);
3292
				binder_user_error("%d:%d got new transaction with bad transaction stack, transaction %d has target %d:%d\n",
3293
					proc->pid, thread->pid, tmp->debug_id,
3294
					tmp->to_proc ? tmp->to_proc->pid : 0,
3295
					tmp->to_thread ?
3296
					tmp->to_thread->pid : 0);
3297
				spin_unlock(&tmp->lock);
3298
				binder_inner_proc_unlock(proc);
3299
				return_error = BR_FAILED_REPLY;
3300
				return_error_param = -EPROTO;
3301
				return_error_line = __LINE__;
3302
				goto err_bad_call_stack;
3303
			}
3304
			while (tmp) {
3305
				struct binder_thread *from;
3306

3307
				spin_lock(&tmp->lock);
3308
				from = tmp->from;
3309
				if (from && from->proc == target_proc) {
3310
					atomic_inc(&from->tmp_ref);
3311
					target_thread = from;
3312
					spin_unlock(&tmp->lock);
3313
					break;
3314
				}
3315
				spin_unlock(&tmp->lock);
3316
				tmp = tmp->from_parent;
3317
			}
3318
		}
3319
		binder_inner_proc_unlock(proc);
3320
	}
3321

3322
	t->to_proc = target_proc;
3323
	t->to_thread = target_thread;
3324
	if (target_thread)
3325
		e->to_thread = target_thread->pid;
3326
	e->to_proc = target_proc->pid;
3327

3328
	tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
3329
	if (tcomplete == NULL) {
3330
		binder_txn_error("%d:%d cannot allocate work for transaction\n",
3331
			thread->pid, proc->pid);
3332
		return_error = BR_FAILED_REPLY;
3333
		return_error_param = -ENOMEM;
3334
		return_error_line = __LINE__;
3335
		goto err_alloc_tcomplete_failed;
3336
	}
3337
	binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE);
3338

3339
	if (reply)
3340
		binder_debug(BINDER_DEBUG_TRANSACTION,
3341
			     "%d:%d BC_REPLY %d -> %d:%d, data size %lld-%lld-%lld\n",
3342
			     proc->pid, thread->pid, t->debug_id,
3343
			     target_proc->pid, target_thread->pid,
3344
			     (u64)tr->data_size, (u64)tr->offsets_size,
3345
			     (u64)extra_buffers_size);
3346
	else
3347
		binder_debug(BINDER_DEBUG_TRANSACTION,
3348
			     "%d:%d BC_TRANSACTION %d -> %d - node %d, data size %lld-%lld-%lld\n",
3349
			     proc->pid, thread->pid, t->debug_id,
3350
			     target_proc->pid, target_node->debug_id,
3351
			     (u64)tr->data_size, (u64)tr->offsets_size,
3352
			     (u64)extra_buffers_size);
3353

3354
	if (target_node && target_node->txn_security_ctx) {
3355
		u32 secid;
3356
		size_t added_size;
3357

3358
		security_cred_getsecid(proc->cred, &secid);
3359
		ret = security_secid_to_secctx(secid, &lsmctx);
3360
		if (ret < 0) {
3361
			binder_txn_error("%d:%d failed to get security context\n",
3362
				thread->pid, proc->pid);
3363
			return_error = BR_FAILED_REPLY;
3364
			return_error_param = ret;
3365
			return_error_line = __LINE__;
3366
			goto err_get_secctx_failed;
3367
		}
3368
		added_size = ALIGN(lsmctx.len, sizeof(u64));
3369
		extra_buffers_size += added_size;
3370
		if (extra_buffers_size < added_size) {
3371
			binder_txn_error("%d:%d integer overflow of extra_buffers_size\n",
3372
				thread->pid, proc->pid);
3373
			return_error = BR_FAILED_REPLY;
3374
			return_error_param = -EINVAL;
3375
			return_error_line = __LINE__;
3376
			goto err_bad_extra_size;
3377
		}
3378
	}
3379

3380
	trace_binder_transaction(reply, t, target_node);
3381

3382
	t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
3383
		tr->offsets_size, extra_buffers_size,
3384
		!reply && (t->flags & TF_ONE_WAY));
3385
	if (IS_ERR(t->buffer)) {
3386
		char *s;
3387

3388
		ret = PTR_ERR(t->buffer);
3389
		s = (ret == -ESRCH) ? ": vma cleared, target dead or dying"
3390
			: (ret == -ENOSPC) ? ": no space left"
3391
			: (ret == -ENOMEM) ? ": memory allocation failed"
3392
			: "";
3393
		binder_txn_error("cannot allocate buffer%s", s);
3394

3395
		return_error_param = PTR_ERR(t->buffer);
3396
		return_error = return_error_param == -ESRCH ?
3397
			BR_DEAD_REPLY : BR_FAILED_REPLY;
3398
		return_error_line = __LINE__;
3399
		t->buffer = NULL;
3400
		goto err_binder_alloc_buf_failed;
3401
	}
3402
	if (lsmctx.context) {
3403
		int err;
3404
		size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
3405
				    ALIGN(tr->offsets_size, sizeof(void *)) +
3406
				    ALIGN(extra_buffers_size, sizeof(void *)) -
3407
				    ALIGN(lsmctx.len, sizeof(u64));
3408

3409
		t->security_ctx = t->buffer->user_data + buf_offset;
3410
		err = binder_alloc_copy_to_buffer(&target_proc->alloc,
3411
						  t->buffer, buf_offset,
3412
						  lsmctx.context, lsmctx.len);
3413
		if (err) {
3414
			t->security_ctx = 0;
3415
			WARN_ON(1);
3416
		}
3417
		security_release_secctx(&lsmctx);
3418
		lsmctx.context = NULL;
3419
	}
3420
	t->buffer->debug_id = t->debug_id;
3421
	t->buffer->transaction = t;
3422
	t->buffer->target_node = target_node;
3423
	t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);
3424
	trace_binder_transaction_alloc_buf(t->buffer);
3425

3426
	if (binder_alloc_copy_user_to_buffer(
3427
				&target_proc->alloc,
3428
				t->buffer,
3429
				ALIGN(tr->data_size, sizeof(void *)),
3430
				(const void __user *)
3431
					(uintptr_t)tr->data.ptr.offsets,
3432
				tr->offsets_size)) {
3433
		binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
3434
				proc->pid, thread->pid);
3435
		return_error = BR_FAILED_REPLY;
3436
		return_error_param = -EFAULT;
3437
		return_error_line = __LINE__;
3438
		goto err_copy_data_failed;
3439
	}
3440
	if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) {
3441
		binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n",
3442
				proc->pid, thread->pid, (u64)tr->offsets_size);
3443
		return_error = BR_FAILED_REPLY;
3444
		return_error_param = -EINVAL;
3445
		return_error_line = __LINE__;
3446
		goto err_bad_offset;
3447
	}
3448
	if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
3449
		binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
3450
				  proc->pid, thread->pid,
3451
				  (u64)extra_buffers_size);
3452
		return_error = BR_FAILED_REPLY;
3453
		return_error_param = -EINVAL;
3454
		return_error_line = __LINE__;
3455
		goto err_bad_offset;
3456
	}
3457
	off_start_offset = ALIGN(tr->data_size, sizeof(void *));
3458
	buffer_offset = off_start_offset;
3459
	off_end_offset = off_start_offset + tr->offsets_size;
3460
	sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
3461
	sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
3462
		ALIGN(lsmctx.len, sizeof(u64));
3463
	off_min = 0;
3464
	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
3465
	     buffer_offset += sizeof(binder_size_t)) {
3466
		struct binder_object_header *hdr;
3467
		size_t object_size;
3468
		struct binder_object object;
3469
		binder_size_t object_offset;
3470
		binder_size_t copy_size;
3471

3472
		if (binder_alloc_copy_from_buffer(&target_proc->alloc,
3473
						  &object_offset,
3474
						  t->buffer,
3475
						  buffer_offset,
3476
						  sizeof(object_offset))) {
3477
			binder_txn_error("%d:%d copy offset from buffer failed\n",
3478
				thread->pid, proc->pid);
3479
			return_error = BR_FAILED_REPLY;
3480
			return_error_param = -EINVAL;
3481
			return_error_line = __LINE__;
3482
			goto err_bad_offset;
3483
		}
3484

3485
		/*
3486
		 * Copy the source user buffer up to the next object
3487
		 * that will be processed.
3488
		 */
3489
		copy_size = object_offset - user_offset;
3490
		if (copy_size && (user_offset > object_offset ||
3491
				object_offset > tr->data_size ||
3492
				binder_alloc_copy_user_to_buffer(
3493
					&target_proc->alloc,
3494
					t->buffer, user_offset,
3495
					user_buffer + user_offset,
3496
					copy_size))) {
3497
			binder_user_error("%d:%d got transaction with invalid data ptr\n",
3498
					proc->pid, thread->pid);
3499
			return_error = BR_FAILED_REPLY;
3500
			return_error_param = -EFAULT;
3501
			return_error_line = __LINE__;
3502
			goto err_copy_data_failed;
3503
		}
3504
		object_size = binder_get_object(target_proc, user_buffer,
3505
				t->buffer, object_offset, &object);
3506
		if (object_size == 0 || object_offset < off_min) {
3507
			binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
3508
					  proc->pid, thread->pid,
3509
					  (u64)object_offset,
3510
					  (u64)off_min,
3511
					  (u64)t->buffer->data_size);
3512
			return_error = BR_FAILED_REPLY;
3513
			return_error_param = -EINVAL;
3514
			return_error_line = __LINE__;
3515
			goto err_bad_offset;
3516
		}
3517
		/*
3518
		 * Set offset to the next buffer fragment to be
3519
		 * copied
3520
		 */
3521
		user_offset = object_offset + object_size;
3522

3523
		hdr = &object.hdr;
3524
		off_min = object_offset + object_size;
3525
		switch (hdr->type) {
3526
		case BINDER_TYPE_BINDER:
3527
		case BINDER_TYPE_WEAK_BINDER: {
3528
			struct flat_binder_object *fp;
3529

3530
			fp = to_flat_binder_object(hdr);
3531
			ret = binder_translate_binder(fp, t, thread);
3532

3533
			if (ret < 0 ||
3534
			    binder_alloc_copy_to_buffer(&target_proc->alloc,
3535
							t->buffer,
3536
							object_offset,
3537
							fp, sizeof(*fp))) {
3538
				binder_txn_error("%d:%d translate binder failed\n",
3539
					thread->pid, proc->pid);
3540
				return_error = BR_FAILED_REPLY;
3541
				return_error_param = ret;
3542
				return_error_line = __LINE__;
3543
				goto err_translate_failed;
3544
			}
3545
		} break;
3546
		case BINDER_TYPE_HANDLE:
3547
		case BINDER_TYPE_WEAK_HANDLE: {
3548
			struct flat_binder_object *fp;
3549

3550
			fp = to_flat_binder_object(hdr);
3551
			ret = binder_translate_handle(fp, t, thread);
3552
			if (ret < 0 ||
3553
			    binder_alloc_copy_to_buffer(&target_proc->alloc,
3554
							t->buffer,
3555
							object_offset,
3556
							fp, sizeof(*fp))) {
3557
				binder_txn_error("%d:%d translate handle failed\n",
3558
					thread->pid, proc->pid);
3559
				return_error = BR_FAILED_REPLY;
3560
				return_error_param = ret;
3561
				return_error_line = __LINE__;
3562
				goto err_translate_failed;
3563
			}
3564
		} break;
3565

3566
		case BINDER_TYPE_FD: {
3567
			struct binder_fd_object *fp = to_binder_fd_object(hdr);
3568
			binder_size_t fd_offset = object_offset +
3569
				(uintptr_t)&fp->fd - (uintptr_t)fp;
3570
			int ret = binder_translate_fd(fp->fd, fd_offset, t,
3571
						      thread, in_reply_to);
3572

3573
			fp->pad_binder = 0;
3574
			if (ret < 0 ||
3575
			    binder_alloc_copy_to_buffer(&target_proc->alloc,
3576
							t->buffer,
3577
							object_offset,
3578
							fp, sizeof(*fp))) {
3579
				binder_txn_error("%d:%d translate fd failed\n",
3580
					thread->pid, proc->pid);
3581
				return_error = BR_FAILED_REPLY;
3582
				return_error_param = ret;
3583
				return_error_line = __LINE__;
3584
				goto err_translate_failed;
3585
			}
3586
		} break;
3587
		case BINDER_TYPE_FDA: {
3588
			struct binder_object ptr_object;
3589
			binder_size_t parent_offset;
3590
			struct binder_object user_object;
3591
			size_t user_parent_size;
3592
			struct binder_fd_array_object *fda =
3593
				to_binder_fd_array_object(hdr);
3594
			size_t num_valid = (buffer_offset - off_start_offset) /
3595
						sizeof(binder_size_t);
3596
			struct binder_buffer_object *parent =
3597
				binder_validate_ptr(target_proc, t->buffer,
3598
						    &ptr_object, fda->parent,
3599
						    off_start_offset,
3600
						    &parent_offset,
3601
						    num_valid);
3602
			if (!parent) {
3603
				binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
3604
						  proc->pid, thread->pid);
3605
				return_error = BR_FAILED_REPLY;
3606
				return_error_param = -EINVAL;
3607
				return_error_line = __LINE__;
3608
				goto err_bad_parent;
3609
			}
3610
			if (!binder_validate_fixup(target_proc, t->buffer,
3611
						   off_start_offset,
3612
						   parent_offset,
3613
						   fda->parent_offset,
3614
						   last_fixup_obj_off,
3615
						   last_fixup_min_off)) {
3616
				binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
3617
						  proc->pid, thread->pid);
3618
				return_error = BR_FAILED_REPLY;
3619
				return_error_param = -EINVAL;
3620
				return_error_line = __LINE__;
3621
				goto err_bad_parent;
3622
			}
3623
			/*
3624
			 * We need to read the user version of the parent
3625
			 * object to get the original user offset
3626
			 */
3627
			user_parent_size =
3628
				binder_get_object(proc, user_buffer, t->buffer,
3629
						  parent_offset, &user_object);
3630
			if (user_parent_size != sizeof(user_object.bbo)) {
3631
				binder_user_error("%d:%d invalid ptr object size: %zd vs %zd\n",
3632
						  proc->pid, thread->pid,
3633
						  user_parent_size,
3634
						  sizeof(user_object.bbo));
3635
				return_error = BR_FAILED_REPLY;
3636
				return_error_param = -EINVAL;
3637
				return_error_line = __LINE__;
3638
				goto err_bad_parent;
3639
			}
3640
			ret = binder_translate_fd_array(&pf_head, fda,
3641
							user_buffer, parent,
3642
							&user_object.bbo, t,
3643
							thread, in_reply_to);
3644
			if (!ret)
3645
				ret = binder_alloc_copy_to_buffer(&target_proc->alloc,
3646
								  t->buffer,
3647
								  object_offset,
3648
								  fda, sizeof(*fda));
3649
			if (ret) {
3650
				binder_txn_error("%d:%d translate fd array failed\n",
3651
					thread->pid, proc->pid);
3652
				return_error = BR_FAILED_REPLY;
3653
				return_error_param = ret > 0 ? -EINVAL : ret;
3654
				return_error_line = __LINE__;
3655
				goto err_translate_failed;
3656
			}
3657
			last_fixup_obj_off = parent_offset;
3658
			last_fixup_min_off =
3659
				fda->parent_offset + sizeof(u32) * fda->num_fds;
3660
		} break;
3661
		case BINDER_TYPE_PTR: {
3662
			struct binder_buffer_object *bp =
3663
				to_binder_buffer_object(hdr);
3664
			size_t buf_left = sg_buf_end_offset - sg_buf_offset;
3665
			size_t num_valid;
3666

3667
			if (bp->length > buf_left) {
3668
				binder_user_error("%d:%d got transaction with too large buffer\n",
3669
						  proc->pid, thread->pid);
3670
				return_error = BR_FAILED_REPLY;
3671
				return_error_param = -EINVAL;
3672
				return_error_line = __LINE__;
3673
				goto err_bad_offset;
3674
			}
3675
			ret = binder_defer_copy(&sgc_head, sg_buf_offset,
3676
				(const void __user *)(uintptr_t)bp->buffer,
3677
				bp->length);
3678
			if (ret) {
3679
				binder_txn_error("%d:%d deferred copy failed\n",
3680
					thread->pid, proc->pid);
3681
				return_error = BR_FAILED_REPLY;
3682
				return_error_param = ret;
3683
				return_error_line = __LINE__;
3684
				goto err_translate_failed;
3685
			}
3686
			/* Fixup buffer pointer to target proc address space */
3687
			bp->buffer = t->buffer->user_data + sg_buf_offset;
3688
			sg_buf_offset += ALIGN(bp->length, sizeof(u64));
3689

3690
			num_valid = (buffer_offset - off_start_offset) /
3691
					sizeof(binder_size_t);
3692
			ret = binder_fixup_parent(&pf_head, t,
3693
						  thread, bp,
3694
						  off_start_offset,
3695
						  num_valid,
3696
						  last_fixup_obj_off,
3697
						  last_fixup_min_off);
3698
			if (ret < 0 ||
3699
			    binder_alloc_copy_to_buffer(&target_proc->alloc,
3700
							t->buffer,
3701
							object_offset,
3702
							bp, sizeof(*bp))) {
3703
				binder_txn_error("%d:%d failed to fixup parent\n",
3704
					thread->pid, proc->pid);
3705
				return_error = BR_FAILED_REPLY;
3706
				return_error_param = ret;
3707
				return_error_line = __LINE__;
3708
				goto err_translate_failed;
3709
			}
3710
			last_fixup_obj_off = object_offset;
3711
			last_fixup_min_off = 0;
3712
		} break;
3713
		default:
3714
			binder_user_error("%d:%d got transaction with invalid object type, %x\n",
3715
				proc->pid, thread->pid, hdr->type);
3716
			return_error = BR_FAILED_REPLY;
3717
			return_error_param = -EINVAL;
3718
			return_error_line = __LINE__;
3719
			goto err_bad_object_type;
3720
		}
3721
	}
3722
	/* Done processing objects, copy the rest of the buffer */
3723
	if (binder_alloc_copy_user_to_buffer(
3724
				&target_proc->alloc,
3725
				t->buffer, user_offset,
3726
				user_buffer + user_offset,
3727
				tr->data_size - user_offset)) {
3728
		binder_user_error("%d:%d got transaction with invalid data ptr\n",
3729
				proc->pid, thread->pid);
3730
		return_error = BR_FAILED_REPLY;
3731
		return_error_param = -EFAULT;
3732
		return_error_line = __LINE__;
3733
		goto err_copy_data_failed;
3734
	}
3735

3736
	ret = binder_do_deferred_txn_copies(&target_proc->alloc, t->buffer,
3737
					    &sgc_head, &pf_head);
3738
	if (ret) {
3739
		binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
3740
				  proc->pid, thread->pid);
3741
		return_error = BR_FAILED_REPLY;
3742
		return_error_param = ret;
3743
		return_error_line = __LINE__;
3744
		goto err_copy_data_failed;
3745
	}
3746
	if (t->buffer->oneway_spam_suspect) {
3747
		tcomplete->type = BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT;
3748
		binder_netlink_report(proc, t, tr->data_size,
3749
				      BR_ONEWAY_SPAM_SUSPECT);
3750
	} else {
3751
		tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
3752
	}
3753

3754
	if (reply) {
3755
		binder_enqueue_thread_work(thread, tcomplete);
3756
		binder_inner_proc_lock(target_proc);
3757
		if (target_thread->is_dead) {
3758
			return_error = BR_DEAD_REPLY;
3759
			binder_inner_proc_unlock(target_proc);
3760
			goto err_dead_proc_or_thread;
3761
		}
3762
		BUG_ON(t->buffer->async_transaction != 0);
3763
		binder_pop_transaction_ilocked(target_thread, in_reply_to);
3764
		binder_enqueue_thread_work_ilocked(target_thread, &t->work);
3765
		target_proc->outstanding_txns++;
3766
		binder_inner_proc_unlock(target_proc);
3767
		wake_up_interruptible_sync(&target_thread->wait);
3768
		binder_free_transaction(in_reply_to);
3769
	} else if (!(t->flags & TF_ONE_WAY)) {
3770
		BUG_ON(t->buffer->async_transaction != 0);
3771
		binder_inner_proc_lock(proc);
3772
		/*
3773
		 * Defer the TRANSACTION_COMPLETE, so we don't return to
3774
		 * userspace immediately; this allows the target process to
3775
		 * immediately start processing this transaction, reducing
3776
		 * latency. We will then return the TRANSACTION_COMPLETE when
3777
		 * the target replies (or there is an error).
3778
		 */
3779
		binder_enqueue_deferred_thread_work_ilocked(thread, tcomplete);
3780
		t->from_parent = thread->transaction_stack;
3781
		thread->transaction_stack = t;
3782
		binder_inner_proc_unlock(proc);
3783
		return_error = binder_proc_transaction(t,
3784
				target_proc, target_thread);
3785
		if (return_error) {
3786
			binder_inner_proc_lock(proc);
3787
			binder_pop_transaction_ilocked(thread, t);
3788
			binder_inner_proc_unlock(proc);
3789
			goto err_dead_proc_or_thread;
3790
		}
3791
	} else {
3792
		BUG_ON(target_node == NULL);
3793
		BUG_ON(t->buffer->async_transaction != 1);
3794
		return_error = binder_proc_transaction(t, target_proc, NULL);
3795
		/*
3796
		 * Let the caller know when async transaction reaches a frozen
3797
		 * process and is put in a pending queue, waiting for the target
3798
		 * process to be unfrozen.
3799
		 */
3800
		if (return_error == BR_TRANSACTION_PENDING_FROZEN) {
3801
			tcomplete->type = BINDER_WORK_TRANSACTION_PENDING;
3802
			binder_netlink_report(proc, t, tr->data_size,
3803
					      return_error);
3804
		}
3805
		binder_enqueue_thread_work(thread, tcomplete);
3806
		if (return_error &&
3807
		    return_error != BR_TRANSACTION_PENDING_FROZEN)
3808
			goto err_dead_proc_or_thread;
3809
	}
3810
	if (target_thread)
3811
		binder_thread_dec_tmpref(target_thread);
3812
	binder_proc_dec_tmpref(target_proc);
3813
	if (target_node)
3814
		binder_dec_node_tmpref(target_node);
3815
	/*
3816
	 * write barrier to synchronize with initialization
3817
	 * of log entry
3818
	 */
3819
	smp_wmb();
3820
	WRITE_ONCE(e->debug_id_done, t_debug_id);
3821
	return;
3822

3823
err_dead_proc_or_thread:
3824
	binder_txn_error("%d:%d dead process or thread\n",
3825
		thread->pid, proc->pid);
3826
	return_error_line = __LINE__;
3827
	binder_dequeue_work(proc, tcomplete);
3828
err_translate_failed:
3829
err_bad_object_type:
3830
err_bad_offset:
3831
err_bad_parent:
3832
err_copy_data_failed:
3833
	binder_cleanup_deferred_txn_lists(&sgc_head, &pf_head);
3834
	binder_free_txn_fixups(t);
3835
	trace_binder_transaction_failed_buffer_release(t->buffer);
3836
	binder_transaction_buffer_release(target_proc, NULL, t->buffer,
3837
					  buffer_offset, true);
3838
	if (target_node)
3839
		binder_dec_node_tmpref(target_node);
3840
	target_node = NULL;
3841
	t->buffer->transaction = NULL;
3842
	binder_alloc_free_buf(&target_proc->alloc, t->buffer);
3843
err_binder_alloc_buf_failed:
3844
err_bad_extra_size:
3845
	if (lsmctx.context)
3846
		security_release_secctx(&lsmctx);
3847
err_get_secctx_failed:
3848
	kfree(tcomplete);
3849
	binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
3850
err_alloc_tcomplete_failed:
3851
	if (trace_binder_txn_latency_free_enabled())
3852
		binder_txn_latency_free(t);
3853
err_bad_todo_list:
3854
err_bad_call_stack:
3855
err_empty_call_stack:
3856
err_dead_binder:
3857
err_invalid_target_handle:
3858
	if (target_node) {
3859
		binder_dec_node(target_node, 1, 0);
3860
		binder_dec_node_tmpref(target_node);
3861
	}
3862

3863
	binder_netlink_report(proc, t, tr->data_size, return_error);
3864
	kfree(t);
3865
	binder_stats_deleted(BINDER_STAT_TRANSACTION);
3866
err_alloc_t_failed:
3867

3868
	binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
3869
		     "%d:%d transaction %s to %d:%d failed %d/%d/%d, code %u size %lld-%lld line %d\n",
3870
		     proc->pid, thread->pid, reply ? "reply" :
3871
		     (tr->flags & TF_ONE_WAY ? "async" : "call"),
3872
		     target_proc ? target_proc->pid : 0,
3873
		     target_thread ? target_thread->pid : 0,
3874
		     t_debug_id, return_error, return_error_param,
3875
		     tr->code, (u64)tr->data_size, (u64)tr->offsets_size,
3876
		     return_error_line);
3877

3878
	if (target_thread)
3879
		binder_thread_dec_tmpref(target_thread);
3880
	if (target_proc)
3881
		binder_proc_dec_tmpref(target_proc);
3882

3883
	{
3884
		struct binder_transaction_log_entry *fe;
3885

3886
		e->return_error = return_error;
3887
		e->return_error_param = return_error_param;
3888
		e->return_error_line = return_error_line;
3889
		fe = binder_transaction_log_add(&binder_transaction_log_failed);
3890
		*fe = *e;
3891
		/*
3892
		 * write barrier to synchronize with initialization
3893
		 * of log entry
3894
		 */
3895
		smp_wmb();
3896
		WRITE_ONCE(e->debug_id_done, t_debug_id);
3897
		WRITE_ONCE(fe->debug_id_done, t_debug_id);
3898
	}
3899

3900
	BUG_ON(thread->return_error.cmd != BR_OK);
3901
	if (in_reply_to) {
3902
		binder_set_txn_from_error(in_reply_to, t_debug_id,
3903
				return_error, return_error_param);
3904
		thread->return_error.cmd = BR_TRANSACTION_COMPLETE;
3905
		binder_enqueue_thread_work(thread, &thread->return_error.work);
3906
		binder_send_failed_reply(in_reply_to, return_error);
3907
	} else {
3908
		binder_inner_proc_lock(proc);
3909
		binder_set_extended_error(&thread->ee, t_debug_id,
3910
				return_error, return_error_param);
3911
		binder_inner_proc_unlock(proc);
3912
		thread->return_error.cmd = return_error;
3913
		binder_enqueue_thread_work(thread, &thread->return_error.work);
3914
	}
3915
}
3916

3917
static int
3918
binder_request_freeze_notification(struct binder_proc *proc,
3919
				   struct binder_thread *thread,
3920
				   struct binder_handle_cookie *handle_cookie)
3921
{
3922
	struct binder_ref_freeze *freeze;
3923
	struct binder_ref *ref;
3924

3925
	freeze = kzalloc(sizeof(*freeze), GFP_KERNEL);
3926
	if (!freeze)
3927
		return -ENOMEM;
3928
	binder_proc_lock(proc);
3929
	ref = binder_get_ref_olocked(proc, handle_cookie->handle, false);
3930
	if (!ref) {
3931
		binder_user_error("%d:%d BC_REQUEST_FREEZE_NOTIFICATION invalid ref %d\n",
3932
				  proc->pid, thread->pid, handle_cookie->handle);
3933
		binder_proc_unlock(proc);
3934
		kfree(freeze);
3935
		return -EINVAL;
3936
	}
3937

3938
	binder_node_lock(ref->node);
3939
	if (ref->freeze) {
3940
		binder_user_error("%d:%d BC_REQUEST_FREEZE_NOTIFICATION already set\n",
3941
				  proc->pid, thread->pid);
3942
		binder_node_unlock(ref->node);
3943
		binder_proc_unlock(proc);
3944
		kfree(freeze);
3945
		return -EINVAL;
3946
	}
3947

3948
	binder_stats_created(BINDER_STAT_FREEZE);
3949
	INIT_LIST_HEAD(&freeze->work.entry);
3950
	freeze->cookie = handle_cookie->cookie;
3951
	freeze->work.type = BINDER_WORK_FROZEN_BINDER;
3952
	ref->freeze = freeze;
3953

3954
	if (ref->node->proc) {
3955
		binder_inner_proc_lock(ref->node->proc);
3956
		freeze->is_frozen = ref->node->proc->is_frozen;
3957
		binder_inner_proc_unlock(ref->node->proc);
3958

3959
		binder_inner_proc_lock(proc);
3960
		binder_enqueue_work_ilocked(&freeze->work, &proc->todo);
3961
		binder_wakeup_proc_ilocked(proc);
3962
		binder_inner_proc_unlock(proc);
3963
	}
3964

3965
	binder_node_unlock(ref->node);
3966
	binder_proc_unlock(proc);
3967
	return 0;
3968
}
3969

3970
static int
3971
binder_clear_freeze_notification(struct binder_proc *proc,
3972
				 struct binder_thread *thread,
3973
				 struct binder_handle_cookie *handle_cookie)
3974
{
3975
	struct binder_ref_freeze *freeze;
3976
	struct binder_ref *ref;
3977

3978
	binder_proc_lock(proc);
3979
	ref = binder_get_ref_olocked(proc, handle_cookie->handle, false);
3980
	if (!ref) {
3981
		binder_user_error("%d:%d BC_CLEAR_FREEZE_NOTIFICATION invalid ref %d\n",
3982
				  proc->pid, thread->pid, handle_cookie->handle);
3983
		binder_proc_unlock(proc);
3984
		return -EINVAL;
3985
	}
3986

3987
	binder_node_lock(ref->node);
3988

3989
	if (!ref->freeze) {
3990
		binder_user_error("%d:%d BC_CLEAR_FREEZE_NOTIFICATION freeze notification not active\n",
3991
				  proc->pid, thread->pid);
3992
		binder_node_unlock(ref->node);
3993
		binder_proc_unlock(proc);
3994
		return -EINVAL;
3995
	}
3996
	freeze = ref->freeze;
3997
	binder_inner_proc_lock(proc);
3998
	if (freeze->cookie != handle_cookie->cookie) {
3999
		binder_user_error("%d:%d BC_CLEAR_FREEZE_NOTIFICATION freeze notification cookie mismatch %016llx != %016llx\n",
4000
				  proc->pid, thread->pid, (u64)freeze->cookie,
4001
				  (u64)handle_cookie->cookie);
4002
		binder_inner_proc_unlock(proc);
4003
		binder_node_unlock(ref->node);
4004
		binder_proc_unlock(proc);
4005
		return -EINVAL;
4006
	}
4007
	ref->freeze = NULL;
4008
	/*
4009
	 * Take the existing freeze object and overwrite its work type. There are three cases here:
4010
	 * 1. No pending notification. In this case just add the work to the queue.
4011
	 * 2. A notification was sent and is pending an ack from userspace. Once an ack arrives, we
4012
	 *    should resend with the new work type.
4013
	 * 3. A notification is pending to be sent. Since the work is already in the queue, nothing
4014
	 *    needs to be done here.
4015
	 */
4016
	freeze->work.type = BINDER_WORK_CLEAR_FREEZE_NOTIFICATION;
4017
	if (list_empty(&freeze->work.entry)) {
4018
		binder_enqueue_work_ilocked(&freeze->work, &proc->todo);
4019
		binder_wakeup_proc_ilocked(proc);
4020
	} else if (freeze->sent) {
4021
		freeze->resend = true;
4022
	}
4023
	binder_inner_proc_unlock(proc);
4024
	binder_node_unlock(ref->node);
4025
	binder_proc_unlock(proc);
4026
	return 0;
4027
}
4028

4029
static int
4030
binder_freeze_notification_done(struct binder_proc *proc,
4031
				struct binder_thread *thread,
4032
				binder_uintptr_t cookie)
4033
{
4034
	struct binder_ref_freeze *freeze = NULL;
4035
	struct binder_work *w;
4036

4037
	binder_inner_proc_lock(proc);
4038
	list_for_each_entry(w, &proc->delivered_freeze, entry) {
4039
		struct binder_ref_freeze *tmp_freeze =
4040
			container_of(w, struct binder_ref_freeze, work);
4041

4042
		if (tmp_freeze->cookie == cookie) {
4043
			freeze = tmp_freeze;
4044
			break;
4045
		}
4046
	}
4047
	if (!freeze) {
4048
		binder_user_error("%d:%d BC_FREEZE_NOTIFICATION_DONE %016llx not found\n",
4049
				  proc->pid, thread->pid, (u64)cookie);
4050
		binder_inner_proc_unlock(proc);
4051
		return -EINVAL;
4052
	}
4053
	binder_dequeue_work_ilocked(&freeze->work);
4054
	freeze->sent = false;
4055
	if (freeze->resend) {
4056
		freeze->resend = false;
4057
		binder_enqueue_work_ilocked(&freeze->work, &proc->todo);
4058
		binder_wakeup_proc_ilocked(proc);
4059
	}
4060
	binder_inner_proc_unlock(proc);
4061
	return 0;
4062
}
4063

4064
/**
4065
 * binder_free_buf() - free the specified buffer
4066
 * @proc:	binder proc that owns buffer
4067
 * @buffer:	buffer to be freed
4068
 * @is_failure:	failed to send transaction
4069
 *
4070
 * If buffer for an async transaction, enqueue the next async
4071
 * transaction from the node.
4072
 *
4073
 * Cleanup buffer and free it.
4074
 */
4075
static void
4076
binder_free_buf(struct binder_proc *proc,
4077
		struct binder_thread *thread,
4078
		struct binder_buffer *buffer, bool is_failure)
4079
{
4080
	binder_inner_proc_lock(proc);
4081
	if (buffer->transaction) {
4082
		buffer->transaction->buffer = NULL;
4083
		buffer->transaction = NULL;
4084
	}
4085
	binder_inner_proc_unlock(proc);
4086
	if (buffer->async_transaction && buffer->target_node) {
4087
		struct binder_node *buf_node;
4088
		struct binder_work *w;
4089

4090
		buf_node = buffer->target_node;
4091
		binder_node_inner_lock(buf_node);
4092
		BUG_ON(!buf_node->has_async_transaction);
4093
		BUG_ON(buf_node->proc != proc);
4094
		w = binder_dequeue_work_head_ilocked(
4095
				&buf_node->async_todo);
4096
		if (!w) {
4097
			buf_node->has_async_transaction = false;
4098
		} else {
4099
			binder_enqueue_work_ilocked(
4100
					w, &proc->todo);
4101
			binder_wakeup_proc_ilocked(proc);
4102
		}
4103
		binder_node_inner_unlock(buf_node);
4104
	}
4105
	trace_binder_transaction_buffer_release(buffer);
4106
	binder_release_entire_buffer(proc, thread, buffer, is_failure);
4107
	binder_alloc_free_buf(&proc->alloc, buffer);
4108
}
4109

4110
static int binder_thread_write(struct binder_proc *proc,
4111
			struct binder_thread *thread,
4112
			binder_uintptr_t binder_buffer, size_t size,
4113
			binder_size_t *consumed)
4114
{
4115
	uint32_t cmd;
4116
	struct binder_context *context = proc->context;
4117
	void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
4118
	void __user *ptr = buffer + *consumed;
4119
	void __user *end = buffer + size;
4120

4121
	while (ptr < end && thread->return_error.cmd == BR_OK) {
4122
		int ret;
4123

4124
		if (get_user(cmd, (uint32_t __user *)ptr))
4125
			return -EFAULT;
4126
		ptr += sizeof(uint32_t);
4127
		trace_binder_command(cmd);
4128
		if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {
4129
			atomic_inc(&binder_stats.bc[_IOC_NR(cmd)]);
4130
			atomic_inc(&proc->stats.bc[_IOC_NR(cmd)]);
4131
			atomic_inc(&thread->stats.bc[_IOC_NR(cmd)]);
4132
		}
4133
		switch (cmd) {
4134
		case BC_INCREFS:
4135
		case BC_ACQUIRE:
4136
		case BC_RELEASE:
4137
		case BC_DECREFS: {
4138
			uint32_t target;
4139
			const char *debug_string;
4140
			bool strong = cmd == BC_ACQUIRE || cmd == BC_RELEASE;
4141
			bool increment = cmd == BC_INCREFS || cmd == BC_ACQUIRE;
4142
			struct binder_ref_data rdata;
4143

4144
			if (get_user(target, (uint32_t __user *)ptr))
4145
				return -EFAULT;
4146

4147
			ptr += sizeof(uint32_t);
4148
			ret = -1;
4149
			if (increment && !target) {
4150
				struct binder_node *ctx_mgr_node;
4151

4152
				mutex_lock(&context->context_mgr_node_lock);
4153
				ctx_mgr_node = context->binder_context_mgr_node;
4154
				if (ctx_mgr_node) {
4155
					if (ctx_mgr_node->proc == proc) {
4156
						binder_user_error("%d:%d context manager tried to acquire desc 0\n",
4157
								  proc->pid, thread->pid);
4158
						mutex_unlock(&context->context_mgr_node_lock);
4159
						return -EINVAL;
4160
					}
4161
					ret = binder_inc_ref_for_node(
4162
							proc, ctx_mgr_node,
4163
							strong, NULL, &rdata);
4164
				}
4165
				mutex_unlock(&context->context_mgr_node_lock);
4166
			}
4167
			if (ret)
4168
				ret = binder_update_ref_for_handle(
4169
						proc, target, increment, strong,
4170
						&rdata);
4171
			if (!ret && rdata.desc != target) {
4172
				binder_user_error("%d:%d tried to acquire reference to desc %d, got %d instead\n",
4173
					proc->pid, thread->pid,
4174
					target, rdata.desc);
4175
			}
4176
			switch (cmd) {
4177
			case BC_INCREFS:
4178
				debug_string = "IncRefs";
4179
				break;
4180
			case BC_ACQUIRE:
4181
				debug_string = "Acquire";
4182
				break;
4183
			case BC_RELEASE:
4184
				debug_string = "Release";
4185
				break;
4186
			case BC_DECREFS:
4187
			default:
4188
				debug_string = "DecRefs";
4189
				break;
4190
			}
4191
			if (ret) {
4192
				binder_user_error("%d:%d %s %d refcount change on invalid ref %d ret %d\n",
4193
					proc->pid, thread->pid, debug_string,
4194
					strong, target, ret);
4195
				break;
4196
			}
4197
			binder_debug(BINDER_DEBUG_USER_REFS,
4198
				     "%d:%d %s ref %d desc %d s %d w %d\n",
4199
				     proc->pid, thread->pid, debug_string,
4200
				     rdata.debug_id, rdata.desc, rdata.strong,
4201
				     rdata.weak);
4202
			break;
4203
		}
4204
		case BC_INCREFS_DONE:
4205
		case BC_ACQUIRE_DONE: {
4206
			binder_uintptr_t node_ptr;
4207
			binder_uintptr_t cookie;
4208
			struct binder_node *node;
4209
			bool free_node;
4210

4211
			if (get_user(node_ptr, (binder_uintptr_t __user *)ptr))
4212
				return -EFAULT;
4213
			ptr += sizeof(binder_uintptr_t);
4214
			if (get_user(cookie, (binder_uintptr_t __user *)ptr))
4215
				return -EFAULT;
4216
			ptr += sizeof(binder_uintptr_t);
4217
			node = binder_get_node(proc, node_ptr);
4218
			if (node == NULL) {
4219
				binder_user_error("%d:%d %s u%016llx no match\n",
4220
					proc->pid, thread->pid,
4221
					cmd == BC_INCREFS_DONE ?
4222
					"BC_INCREFS_DONE" :
4223
					"BC_ACQUIRE_DONE",
4224
					(u64)node_ptr);
4225
				break;
4226
			}
4227
			if (cookie != node->cookie) {
4228
				binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n",
4229
					proc->pid, thread->pid,
4230
					cmd == BC_INCREFS_DONE ?
4231
					"BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
4232
					(u64)node_ptr, node->debug_id,
4233
					(u64)cookie, (u64)node->cookie);
4234
				binder_put_node(node);
4235
				break;
4236
			}
4237
			binder_node_inner_lock(node);
4238
			if (cmd == BC_ACQUIRE_DONE) {
4239
				if (node->pending_strong_ref == 0) {
4240
					binder_user_error("%d:%d BC_ACQUIRE_DONE node %d has no pending acquire request\n",
4241
						proc->pid, thread->pid,
4242
						node->debug_id);
4243
					binder_node_inner_unlock(node);
4244
					binder_put_node(node);
4245
					break;
4246
				}
4247
				node->pending_strong_ref = 0;
4248
			} else {
4249
				if (node->pending_weak_ref == 0) {
4250
					binder_user_error("%d:%d BC_INCREFS_DONE node %d has no pending increfs request\n",
4251
						proc->pid, thread->pid,
4252
						node->debug_id);
4253
					binder_node_inner_unlock(node);
4254
					binder_put_node(node);
4255
					break;
4256
				}
4257
				node->pending_weak_ref = 0;
4258
			}
4259
			free_node = binder_dec_node_nilocked(node,
4260
					cmd == BC_ACQUIRE_DONE, 0);
4261
			WARN_ON(free_node);
4262
			binder_debug(BINDER_DEBUG_USER_REFS,
4263
				     "%d:%d %s node %d ls %d lw %d tr %d\n",
4264
				     proc->pid, thread->pid,
4265
				     cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE",
4266
				     node->debug_id, node->local_strong_refs,
4267
				     node->local_weak_refs, node->tmp_refs);
4268
			binder_node_inner_unlock(node);
4269
			binder_put_node(node);
4270
			break;
4271
		}
4272
		case BC_ATTEMPT_ACQUIRE:
4273
			pr_err("BC_ATTEMPT_ACQUIRE not supported\n");
4274
			return -EINVAL;
4275
		case BC_ACQUIRE_RESULT:
4276
			pr_err("BC_ACQUIRE_RESULT not supported\n");
4277
			return -EINVAL;
4278

4279
		case BC_FREE_BUFFER: {
4280
			binder_uintptr_t data_ptr;
4281
			struct binder_buffer *buffer;
4282

4283
			if (get_user(data_ptr, (binder_uintptr_t __user *)ptr))
4284
				return -EFAULT;
4285
			ptr += sizeof(binder_uintptr_t);
4286

4287
			buffer = binder_alloc_prepare_to_free(&proc->alloc,
4288
							      data_ptr);
4289
			if (IS_ERR_OR_NULL(buffer)) {
4290
				if (PTR_ERR(buffer) == -EPERM) {
4291
					binder_user_error(
4292
						"%d:%d BC_FREE_BUFFER matched unreturned or currently freeing buffer at offset %lx\n",
4293
						proc->pid, thread->pid,
4294
						(unsigned long)data_ptr - proc->alloc.vm_start);
4295
				} else {
4296
					binder_user_error(
4297
						"%d:%d BC_FREE_BUFFER no match for buffer at offset %lx\n",
4298
						proc->pid, thread->pid,
4299
						(unsigned long)data_ptr - proc->alloc.vm_start);
4300
				}
4301
				break;
4302
			}
4303
			binder_debug(BINDER_DEBUG_FREE_BUFFER,
4304
				     "%d:%d BC_FREE_BUFFER at offset %lx found buffer %d for %s transaction\n",
4305
				     proc->pid, thread->pid,
4306
				     (unsigned long)data_ptr - proc->alloc.vm_start,
4307
				     buffer->debug_id,
4308
				     buffer->transaction ? "active" : "finished");
4309
			binder_free_buf(proc, thread, buffer, false);
4310
			break;
4311
		}
4312

4313
		case BC_TRANSACTION_SG:
4314
		case BC_REPLY_SG: {
4315
			struct binder_transaction_data_sg tr;
4316

4317
			if (copy_from_user(&tr, ptr, sizeof(tr)))
4318
				return -EFAULT;
4319
			ptr += sizeof(tr);
4320
			binder_transaction(proc, thread, &tr.transaction_data,
4321
					   cmd == BC_REPLY_SG, tr.buffers_size);
4322
			break;
4323
		}
4324
		case BC_TRANSACTION:
4325
		case BC_REPLY: {
4326
			struct binder_transaction_data tr;
4327

4328
			if (copy_from_user(&tr, ptr, sizeof(tr)))
4329
				return -EFAULT;
4330
			ptr += sizeof(tr);
4331
			binder_transaction(proc, thread, &tr,
4332
					   cmd == BC_REPLY, 0);
4333
			break;
4334
		}
4335

4336
		case BC_REGISTER_LOOPER:
4337
			binder_debug(BINDER_DEBUG_THREADS,
4338
				     "%d:%d BC_REGISTER_LOOPER\n",
4339
				     proc->pid, thread->pid);
4340
			binder_inner_proc_lock(proc);
4341
			if (thread->looper & BINDER_LOOPER_STATE_ENTERED) {
4342
				thread->looper |= BINDER_LOOPER_STATE_INVALID;
4343
				binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER\n",
4344
					proc->pid, thread->pid);
4345
			} else if (proc->requested_threads == 0) {
4346
				thread->looper |= BINDER_LOOPER_STATE_INVALID;
4347
				binder_user_error("%d:%d ERROR: BC_REGISTER_LOOPER called without request\n",
4348
					proc->pid, thread->pid);
4349
			} else {
4350
				proc->requested_threads--;
4351
				proc->requested_threads_started++;
4352
			}
4353
			thread->looper |= BINDER_LOOPER_STATE_REGISTERED;
4354
			binder_inner_proc_unlock(proc);
4355
			break;
4356
		case BC_ENTER_LOOPER:
4357
			binder_debug(BINDER_DEBUG_THREADS,
4358
				     "%d:%d BC_ENTER_LOOPER\n",
4359
				     proc->pid, thread->pid);
4360
			if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {
4361
				thread->looper |= BINDER_LOOPER_STATE_INVALID;
4362
				binder_user_error("%d:%d ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER\n",
4363
					proc->pid, thread->pid);
4364
			}
4365
			thread->looper |= BINDER_LOOPER_STATE_ENTERED;
4366
			break;
4367
		case BC_EXIT_LOOPER:
4368
			binder_debug(BINDER_DEBUG_THREADS,
4369
				     "%d:%d BC_EXIT_LOOPER\n",
4370
				     proc->pid, thread->pid);
4371
			thread->looper |= BINDER_LOOPER_STATE_EXITED;
4372
			break;
4373

4374
		case BC_REQUEST_DEATH_NOTIFICATION:
4375
		case BC_CLEAR_DEATH_NOTIFICATION: {
4376
			uint32_t target;
4377
			binder_uintptr_t cookie;
4378
			struct binder_ref *ref;
4379
			struct binder_ref_death *death = NULL;
4380

4381
			if (get_user(target, (uint32_t __user *)ptr))
4382
				return -EFAULT;
4383
			ptr += sizeof(uint32_t);
4384
			if (get_user(cookie, (binder_uintptr_t __user *)ptr))
4385
				return -EFAULT;
4386
			ptr += sizeof(binder_uintptr_t);
4387
			if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
4388
				/*
4389
				 * Allocate memory for death notification
4390
				 * before taking lock
4391
				 */
4392
				death = kzalloc(sizeof(*death), GFP_KERNEL);
4393
				if (death == NULL) {
4394
					WARN_ON(thread->return_error.cmd !=
4395
						BR_OK);
4396
					thread->return_error.cmd = BR_ERROR;
4397
					binder_enqueue_thread_work(
4398
						thread,
4399
						&thread->return_error.work);
4400
					binder_debug(
4401
						BINDER_DEBUG_FAILED_TRANSACTION,
4402
						"%d:%d BC_REQUEST_DEATH_NOTIFICATION failed\n",
4403
						proc->pid, thread->pid);
4404
					break;
4405
				}
4406
			}
4407
			binder_proc_lock(proc);
4408
			ref = binder_get_ref_olocked(proc, target, false);
4409
			if (ref == NULL) {
4410
				binder_user_error("%d:%d %s invalid ref %d\n",
4411
					proc->pid, thread->pid,
4412
					cmd == BC_REQUEST_DEATH_NOTIFICATION ?
4413
					"BC_REQUEST_DEATH_NOTIFICATION" :
4414
					"BC_CLEAR_DEATH_NOTIFICATION",
4415
					target);
4416
				binder_proc_unlock(proc);
4417
				kfree(death);
4418
				break;
4419
			}
4420

4421
			binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
4422
				     "%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n",
4423
				     proc->pid, thread->pid,
4424
				     cmd == BC_REQUEST_DEATH_NOTIFICATION ?
4425
				     "BC_REQUEST_DEATH_NOTIFICATION" :
4426
				     "BC_CLEAR_DEATH_NOTIFICATION",
4427
				     (u64)cookie, ref->data.debug_id,
4428
				     ref->data.desc, ref->data.strong,
4429
				     ref->data.weak, ref->node->debug_id);
4430

4431
			binder_node_lock(ref->node);
4432
			if (cmd == BC_REQUEST_DEATH_NOTIFICATION) {
4433
				if (ref->death) {
4434
					binder_user_error("%d:%d BC_REQUEST_DEATH_NOTIFICATION death notification already set\n",
4435
						proc->pid, thread->pid);
4436
					binder_node_unlock(ref->node);
4437
					binder_proc_unlock(proc);
4438
					kfree(death);
4439
					break;
4440
				}
4441
				binder_stats_created(BINDER_STAT_DEATH);
4442
				INIT_LIST_HEAD(&death->work.entry);
4443
				death->cookie = cookie;
4444
				ref->death = death;
4445
				if (ref->node->proc == NULL) {
4446
					ref->death->work.type = BINDER_WORK_DEAD_BINDER;
4447

4448
					binder_inner_proc_lock(proc);
4449
					binder_enqueue_work_ilocked(
4450
						&ref->death->work, &proc->todo);
4451
					binder_wakeup_proc_ilocked(proc);
4452
					binder_inner_proc_unlock(proc);
4453
				}
4454
			} else {
4455
				if (ref->death == NULL) {
4456
					binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification not active\n",
4457
						proc->pid, thread->pid);
4458
					binder_node_unlock(ref->node);
4459
					binder_proc_unlock(proc);
4460
					break;
4461
				}
4462
				death = ref->death;
4463
				if (death->cookie != cookie) {
4464
					binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n",
4465
						proc->pid, thread->pid,
4466
						(u64)death->cookie,
4467
						(u64)cookie);
4468
					binder_node_unlock(ref->node);
4469
					binder_proc_unlock(proc);
4470
					break;
4471
				}
4472
				ref->death = NULL;
4473
				binder_inner_proc_lock(proc);
4474
				if (list_empty(&death->work.entry)) {
4475
					death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
4476
					if (thread->looper &
4477
					    (BINDER_LOOPER_STATE_REGISTERED |
4478
					     BINDER_LOOPER_STATE_ENTERED))
4479
						binder_enqueue_thread_work_ilocked(
4480
								thread,
4481
								&death->work);
4482
					else {
4483
						binder_enqueue_work_ilocked(
4484
								&death->work,
4485
								&proc->todo);
4486
						binder_wakeup_proc_ilocked(
4487
								proc);
4488
					}
4489
				} else {
4490
					BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER);
4491
					death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR;
4492
				}
4493
				binder_inner_proc_unlock(proc);
4494
			}
4495
			binder_node_unlock(ref->node);
4496
			binder_proc_unlock(proc);
4497
		} break;
4498
		case BC_DEAD_BINDER_DONE: {
4499
			struct binder_work *w;
4500
			binder_uintptr_t cookie;
4501
			struct binder_ref_death *death = NULL;
4502

4503
			if (get_user(cookie, (binder_uintptr_t __user *)ptr))
4504
				return -EFAULT;
4505

4506
			ptr += sizeof(cookie);
4507
			binder_inner_proc_lock(proc);
4508
			list_for_each_entry(w, &proc->delivered_death,
4509
					    entry) {
4510
				struct binder_ref_death *tmp_death =
4511
					container_of(w,
4512
						     struct binder_ref_death,
4513
						     work);
4514

4515
				if (tmp_death->cookie == cookie) {
4516
					death = tmp_death;
4517
					break;
4518
				}
4519
			}
4520
			binder_debug(BINDER_DEBUG_DEAD_BINDER,
4521
				     "%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
4522
				     proc->pid, thread->pid, (u64)cookie,
4523
				     death);
4524
			if (death == NULL) {
4525
				binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n",
4526
					proc->pid, thread->pid, (u64)cookie);
4527
				binder_inner_proc_unlock(proc);
4528
				break;
4529
			}
4530
			binder_dequeue_work_ilocked(&death->work);
4531
			if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) {
4532
				death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION;
4533
				if (thread->looper &
4534
					(BINDER_LOOPER_STATE_REGISTERED |
4535
					 BINDER_LOOPER_STATE_ENTERED))
4536
					binder_enqueue_thread_work_ilocked(
4537
						thread, &death->work);
4538
				else {
4539
					binder_enqueue_work_ilocked(
4540
							&death->work,
4541
							&proc->todo);
4542
					binder_wakeup_proc_ilocked(proc);
4543
				}
4544
			}
4545
			binder_inner_proc_unlock(proc);
4546
		} break;
4547

4548
		case BC_REQUEST_FREEZE_NOTIFICATION: {
4549
			struct binder_handle_cookie handle_cookie;
4550
			int error;
4551

4552
			if (copy_from_user(&handle_cookie, ptr, sizeof(handle_cookie)))
4553
				return -EFAULT;
4554
			ptr += sizeof(handle_cookie);
4555
			error = binder_request_freeze_notification(proc, thread,
4556
								   &handle_cookie);
4557
			if (error)
4558
				return error;
4559
		} break;
4560

4561
		case BC_CLEAR_FREEZE_NOTIFICATION: {
4562
			struct binder_handle_cookie handle_cookie;
4563
			int error;
4564

4565
			if (copy_from_user(&handle_cookie, ptr, sizeof(handle_cookie)))
4566
				return -EFAULT;
4567
			ptr += sizeof(handle_cookie);
4568
			error = binder_clear_freeze_notification(proc, thread, &handle_cookie);
4569
			if (error)
4570
				return error;
4571
		} break;
4572

4573
		case BC_FREEZE_NOTIFICATION_DONE: {
4574
			binder_uintptr_t cookie;
4575
			int error;
4576

4577
			if (get_user(cookie, (binder_uintptr_t __user *)ptr))
4578
				return -EFAULT;
4579

4580
			ptr += sizeof(cookie);
4581
			error = binder_freeze_notification_done(proc, thread, cookie);
4582
			if (error)
4583
				return error;
4584
		} break;
4585

4586
		default:
4587
			pr_err("%d:%d unknown command %u\n",
4588
			       proc->pid, thread->pid, cmd);
4589
			return -EINVAL;
4590
		}
4591
		*consumed = ptr - buffer;
4592
	}
4593
	return 0;
4594
}
4595

4596
static void binder_stat_br(struct binder_proc *proc,
4597
			   struct binder_thread *thread, uint32_t cmd)
4598
{
4599
	trace_binder_return(cmd);
4600
	if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) {
4601
		atomic_inc(&binder_stats.br[_IOC_NR(cmd)]);
4602
		atomic_inc(&proc->stats.br[_IOC_NR(cmd)]);
4603
		atomic_inc(&thread->stats.br[_IOC_NR(cmd)]);
4604
	}
4605
}
4606

4607
static int binder_put_node_cmd(struct binder_proc *proc,
4608
			       struct binder_thread *thread,
4609
			       void __user **ptrp,
4610
			       binder_uintptr_t node_ptr,
4611
			       binder_uintptr_t node_cookie,
4612
			       int node_debug_id,
4613
			       uint32_t cmd, const char *cmd_name)
4614
{
4615
	void __user *ptr = *ptrp;
4616

4617
	if (put_user(cmd, (uint32_t __user *)ptr))
4618
		return -EFAULT;
4619
	ptr += sizeof(uint32_t);
4620

4621
	if (put_user(node_ptr, (binder_uintptr_t __user *)ptr))
4622
		return -EFAULT;
4623
	ptr += sizeof(binder_uintptr_t);
4624

4625
	if (put_user(node_cookie, (binder_uintptr_t __user *)ptr))
4626
		return -EFAULT;
4627
	ptr += sizeof(binder_uintptr_t);
4628

4629
	binder_stat_br(proc, thread, cmd);
4630
	binder_debug(BINDER_DEBUG_USER_REFS, "%d:%d %s %d u%016llx c%016llx\n",
4631
		     proc->pid, thread->pid, cmd_name, node_debug_id,
4632
		     (u64)node_ptr, (u64)node_cookie);
4633

4634
	*ptrp = ptr;
4635
	return 0;
4636
}
4637

4638
static int binder_wait_for_work(struct binder_thread *thread,
4639
				bool do_proc_work)
4640
{
4641
	DEFINE_WAIT(wait);
4642
	struct binder_proc *proc = thread->proc;
4643
	int ret = 0;
4644

4645
	binder_inner_proc_lock(proc);
4646
	for (;;) {
4647
		prepare_to_wait(&thread->wait, &wait, TASK_INTERRUPTIBLE|TASK_FREEZABLE);
4648
		if (binder_has_work_ilocked(thread, do_proc_work))
4649
			break;
4650
		if (do_proc_work)
4651
			list_add(&thread->waiting_thread_node,
4652
				 &proc->waiting_threads);
4653
		binder_inner_proc_unlock(proc);
4654
		schedule();
4655
		binder_inner_proc_lock(proc);
4656
		list_del_init(&thread->waiting_thread_node);
4657
		if (signal_pending(current)) {
4658
			ret = -EINTR;
4659
			break;
4660
		}
4661
	}
4662
	finish_wait(&thread->wait, &wait);
4663
	binder_inner_proc_unlock(proc);
4664

4665
	return ret;
4666
}
4667

4668
/**
4669
 * binder_apply_fd_fixups() - finish fd translation
4670
 * @proc:         binder_proc associated @t->buffer
4671
 * @t:	binder transaction with list of fd fixups
4672
 *
4673
 * Now that we are in the context of the transaction target
4674
 * process, we can allocate and install fds. Process the
4675
 * list of fds to translate and fixup the buffer with the
4676
 * new fds first and only then install the files.
4677
 *
4678
 * If we fail to allocate an fd, skip the install and release
4679
 * any fds that have already been allocated.
4680
 */
4681
static int binder_apply_fd_fixups(struct binder_proc *proc,
4682
				  struct binder_transaction *t)
4683
{
4684
	struct binder_txn_fd_fixup *fixup, *tmp;
4685
	int ret = 0;
4686

4687
	list_for_each_entry(fixup, &t->fd_fixups, fixup_entry) {
4688
		int fd = get_unused_fd_flags(O_CLOEXEC);
4689

4690
		if (fd < 0) {
4691
			binder_debug(BINDER_DEBUG_TRANSACTION,
4692
				     "failed fd fixup txn %d fd %d\n",
4693
				     t->debug_id, fd);
4694
			ret = -ENOMEM;
4695
			goto err;
4696
		}
4697
		binder_debug(BINDER_DEBUG_TRANSACTION,
4698
			     "fd fixup txn %d fd %d\n",
4699
			     t->debug_id, fd);
4700
		trace_binder_transaction_fd_recv(t, fd, fixup->offset);
4701
		fixup->target_fd = fd;
4702
		if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
4703
						fixup->offset, &fd,
4704
						sizeof(u32))) {
4705
			ret = -EINVAL;
4706
			goto err;
4707
		}
4708
	}
4709
	list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
4710
		fd_install(fixup->target_fd, fixup->file);
4711
		list_del(&fixup->fixup_entry);
4712
		kfree(fixup);
4713
	}
4714

4715
	return ret;
4716

4717
err:
4718
	binder_free_txn_fixups(t);
4719
	return ret;
4720
}
4721

4722
static int binder_thread_read(struct binder_proc *proc,
4723
			      struct binder_thread *thread,
4724
			      binder_uintptr_t binder_buffer, size_t size,
4725
			      binder_size_t *consumed, int non_block)
4726
{
4727
	void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
4728
	void __user *ptr = buffer + *consumed;
4729
	void __user *end = buffer + size;
4730

4731
	int ret = 0;
4732
	int wait_for_proc_work;
4733

4734
	if (*consumed == 0) {
4735
		if (put_user(BR_NOOP, (uint32_t __user *)ptr))
4736
			return -EFAULT;
4737
		ptr += sizeof(uint32_t);
4738
	}
4739

4740
retry:
4741
	binder_inner_proc_lock(proc);
4742
	wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
4743
	binder_inner_proc_unlock(proc);
4744

4745
	thread->looper |= BINDER_LOOPER_STATE_WAITING;
4746

4747
	trace_binder_wait_for_work(wait_for_proc_work,
4748
				   !!thread->transaction_stack,
4749
				   !binder_worklist_empty(proc, &thread->todo));
4750
	if (wait_for_proc_work) {
4751
		if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
4752
					BINDER_LOOPER_STATE_ENTERED))) {
4753
			binder_user_error("%d:%d ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state %x)\n",
4754
				proc->pid, thread->pid, thread->looper);
4755
			wait_event_interruptible(binder_user_error_wait,
4756
						 binder_stop_on_user_error < 2);
4757
		}
4758
		binder_set_nice(proc->default_priority);
4759
	}
4760

4761
	if (non_block) {
4762
		if (!binder_has_work(thread, wait_for_proc_work))
4763
			ret = -EAGAIN;
4764
	} else {
4765
		ret = binder_wait_for_work(thread, wait_for_proc_work);
4766
	}
4767

4768
	thread->looper &= ~BINDER_LOOPER_STATE_WAITING;
4769

4770
	if (ret)
4771
		return ret;
4772

4773
	while (1) {
4774
		uint32_t cmd;
4775
		struct binder_transaction_data_secctx tr;
4776
		struct binder_transaction_data *trd = &tr.transaction_data;
4777
		struct binder_work *w = NULL;
4778
		struct list_head *list = NULL;
4779
		struct binder_transaction *t = NULL;
4780
		struct binder_thread *t_from;
4781
		size_t trsize = sizeof(*trd);
4782

4783
		binder_inner_proc_lock(proc);
4784
		if (!binder_worklist_empty_ilocked(&thread->todo))
4785
			list = &thread->todo;
4786
		else if (!binder_worklist_empty_ilocked(&proc->todo) &&
4787
			   wait_for_proc_work)
4788
			list = &proc->todo;
4789
		else {
4790
			binder_inner_proc_unlock(proc);
4791

4792
			/* no data added */
4793
			if (ptr - buffer == 4 && !thread->looper_need_return)
4794
				goto retry;
4795
			break;
4796
		}
4797

4798
		if (end - ptr < sizeof(tr) + 4) {
4799
			binder_inner_proc_unlock(proc);
4800
			break;
4801
		}
4802
		w = binder_dequeue_work_head_ilocked(list);
4803
		if (binder_worklist_empty_ilocked(&thread->todo))
4804
			thread->process_todo = false;
4805

4806
		switch (w->type) {
4807
		case BINDER_WORK_TRANSACTION: {
4808
			binder_inner_proc_unlock(proc);
4809
			t = container_of(w, struct binder_transaction, work);
4810
		} break;
4811
		case BINDER_WORK_RETURN_ERROR: {
4812
			struct binder_error *e = container_of(
4813
					w, struct binder_error, work);
4814

4815
			WARN_ON(e->cmd == BR_OK);
4816
			binder_inner_proc_unlock(proc);
4817
			if (put_user(e->cmd, (uint32_t __user *)ptr))
4818
				return -EFAULT;
4819
			cmd = e->cmd;
4820
			e->cmd = BR_OK;
4821
			ptr += sizeof(uint32_t);
4822

4823
			binder_stat_br(proc, thread, cmd);
4824
		} break;
4825
		case BINDER_WORK_TRANSACTION_COMPLETE:
4826
		case BINDER_WORK_TRANSACTION_PENDING:
4827
		case BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT: {
4828
			if (proc->oneway_spam_detection_enabled &&
4829
				   w->type == BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT)
4830
				cmd = BR_ONEWAY_SPAM_SUSPECT;
4831
			else if (w->type == BINDER_WORK_TRANSACTION_PENDING)
4832
				cmd = BR_TRANSACTION_PENDING_FROZEN;
4833
			else
4834
				cmd = BR_TRANSACTION_COMPLETE;
4835
			binder_inner_proc_unlock(proc);
4836
			kfree(w);
4837
			binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
4838
			if (put_user(cmd, (uint32_t __user *)ptr))
4839
				return -EFAULT;
4840
			ptr += sizeof(uint32_t);
4841

4842
			binder_stat_br(proc, thread, cmd);
4843
			binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
4844
				     "%d:%d BR_TRANSACTION_COMPLETE\n",
4845
				     proc->pid, thread->pid);
4846
		} break;
4847
		case BINDER_WORK_NODE: {
4848
			struct binder_node *node = container_of(w, struct binder_node, work);
4849
			int strong, weak;
4850
			binder_uintptr_t node_ptr = node->ptr;
4851
			binder_uintptr_t node_cookie = node->cookie;
4852
			int node_debug_id = node->debug_id;
4853
			int has_weak_ref;
4854
			int has_strong_ref;
4855
			void __user *orig_ptr = ptr;
4856

4857
			BUG_ON(proc != node->proc);
4858
			strong = node->internal_strong_refs ||
4859
					node->local_strong_refs;
4860
			weak = !hlist_empty(&node->refs) ||
4861
					node->local_weak_refs ||
4862
					node->tmp_refs || strong;
4863
			has_strong_ref = node->has_strong_ref;
4864
			has_weak_ref = node->has_weak_ref;
4865

4866
			if (weak && !has_weak_ref) {
4867
				node->has_weak_ref = 1;
4868
				node->pending_weak_ref = 1;
4869
				node->local_weak_refs++;
4870
			}
4871
			if (strong && !has_strong_ref) {
4872
				node->has_strong_ref = 1;
4873
				node->pending_strong_ref = 1;
4874
				node->local_strong_refs++;
4875
			}
4876
			if (!strong && has_strong_ref)
4877
				node->has_strong_ref = 0;
4878
			if (!weak && has_weak_ref)
4879
				node->has_weak_ref = 0;
4880
			if (!weak && !strong) {
4881
				binder_debug(BINDER_DEBUG_INTERNAL_REFS,
4882
					     "%d:%d node %d u%016llx c%016llx deleted\n",
4883
					     proc->pid, thread->pid,
4884
					     node_debug_id,
4885
					     (u64)node_ptr,
4886
					     (u64)node_cookie);
4887
				rb_erase(&node->rb_node, &proc->nodes);
4888
				binder_inner_proc_unlock(proc);
4889
				binder_node_lock(node);
4890
				/*
4891
				 * Acquire the node lock before freeing the
4892
				 * node to serialize with other threads that
4893
				 * may have been holding the node lock while
4894
				 * decrementing this node (avoids race where
4895
				 * this thread frees while the other thread
4896
				 * is unlocking the node after the final
4897
				 * decrement)
4898
				 */
4899
				binder_node_unlock(node);
4900
				binder_free_node(node);
4901
			} else
4902
				binder_inner_proc_unlock(proc);
4903

4904
			if (weak && !has_weak_ref)
4905
				ret = binder_put_node_cmd(
4906
						proc, thread, &ptr, node_ptr,
4907
						node_cookie, node_debug_id,
4908
						BR_INCREFS, "BR_INCREFS");
4909
			if (!ret && strong && !has_strong_ref)
4910
				ret = binder_put_node_cmd(
4911
						proc, thread, &ptr, node_ptr,
4912
						node_cookie, node_debug_id,
4913
						BR_ACQUIRE, "BR_ACQUIRE");
4914
			if (!ret && !strong && has_strong_ref)
4915
				ret = binder_put_node_cmd(
4916
						proc, thread, &ptr, node_ptr,
4917
						node_cookie, node_debug_id,
4918
						BR_RELEASE, "BR_RELEASE");
4919
			if (!ret && !weak && has_weak_ref)
4920
				ret = binder_put_node_cmd(
4921
						proc, thread, &ptr, node_ptr,
4922
						node_cookie, node_debug_id,
4923
						BR_DECREFS, "BR_DECREFS");
4924
			if (orig_ptr == ptr)
4925
				binder_debug(BINDER_DEBUG_INTERNAL_REFS,
4926
					     "%d:%d node %d u%016llx c%016llx state unchanged\n",
4927
					     proc->pid, thread->pid,
4928
					     node_debug_id,
4929
					     (u64)node_ptr,
4930
					     (u64)node_cookie);
4931
			if (ret)
4932
				return ret;
4933
		} break;
4934
		case BINDER_WORK_DEAD_BINDER:
4935
		case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
4936
		case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
4937
			struct binder_ref_death *death;
4938
			uint32_t cmd;
4939
			binder_uintptr_t cookie;
4940

4941
			death = container_of(w, struct binder_ref_death, work);
4942
			if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION)
4943
				cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE;
4944
			else
4945
				cmd = BR_DEAD_BINDER;
4946
			cookie = death->cookie;
4947

4948
			binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION,
4949
				     "%d:%d %s %016llx\n",
4950
				      proc->pid, thread->pid,
4951
				      cmd == BR_DEAD_BINDER ?
4952
				      "BR_DEAD_BINDER" :
4953
				      "BR_CLEAR_DEATH_NOTIFICATION_DONE",
4954
				      (u64)cookie);
4955
			if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) {
4956
				binder_inner_proc_unlock(proc);
4957
				kfree(death);
4958
				binder_stats_deleted(BINDER_STAT_DEATH);
4959
			} else {
4960
				binder_enqueue_work_ilocked(
4961
						w, &proc->delivered_death);
4962
				binder_inner_proc_unlock(proc);
4963
			}
4964
			if (put_user(cmd, (uint32_t __user *)ptr))
4965
				return -EFAULT;
4966
			ptr += sizeof(uint32_t);
4967
			if (put_user(cookie,
4968
				     (binder_uintptr_t __user *)ptr))
4969
				return -EFAULT;
4970
			ptr += sizeof(binder_uintptr_t);
4971
			binder_stat_br(proc, thread, cmd);
4972
			if (cmd == BR_DEAD_BINDER)
4973
				goto done; /* DEAD_BINDER notifications can cause transactions */
4974
		} break;
4975

4976
		case BINDER_WORK_FROZEN_BINDER: {
4977
			struct binder_ref_freeze *freeze;
4978
			struct binder_frozen_state_info info;
4979

4980
			memset(&info, 0, sizeof(info));
4981
			freeze = container_of(w, struct binder_ref_freeze, work);
4982
			info.is_frozen = freeze->is_frozen;
4983
			info.cookie = freeze->cookie;
4984
			freeze->sent = true;
4985
			binder_enqueue_work_ilocked(w, &proc->delivered_freeze);
4986
			binder_inner_proc_unlock(proc);
4987

4988
			if (put_user(BR_FROZEN_BINDER, (uint32_t __user *)ptr))
4989
				return -EFAULT;
4990
			ptr += sizeof(uint32_t);
4991
			if (copy_to_user(ptr, &info, sizeof(info)))
4992
				return -EFAULT;
4993
			ptr += sizeof(info);
4994
			binder_stat_br(proc, thread, BR_FROZEN_BINDER);
4995
			goto done; /* BR_FROZEN_BINDER notifications can cause transactions */
4996
		} break;
4997

4998
		case BINDER_WORK_CLEAR_FREEZE_NOTIFICATION: {
4999
			struct binder_ref_freeze *freeze =
5000
			    container_of(w, struct binder_ref_freeze, work);
5001
			binder_uintptr_t cookie = freeze->cookie;
5002

5003
			binder_inner_proc_unlock(proc);
5004
			kfree(freeze);
5005
			binder_stats_deleted(BINDER_STAT_FREEZE);
5006
			if (put_user(BR_CLEAR_FREEZE_NOTIFICATION_DONE, (uint32_t __user *)ptr))
5007
				return -EFAULT;
5008
			ptr += sizeof(uint32_t);
5009
			if (put_user(cookie, (binder_uintptr_t __user *)ptr))
5010
				return -EFAULT;
5011
			ptr += sizeof(binder_uintptr_t);
5012
			binder_stat_br(proc, thread, BR_CLEAR_FREEZE_NOTIFICATION_DONE);
5013
		} break;
5014

5015
		default:
5016
			binder_inner_proc_unlock(proc);
5017
			pr_err("%d:%d: bad work type %d\n",
5018
			       proc->pid, thread->pid, w->type);
5019
			break;
5020
		}
5021

5022
		if (!t)
5023
			continue;
5024

5025
		BUG_ON(t->buffer == NULL);
5026
		if (t->buffer->target_node) {
5027
			struct binder_node *target_node = t->buffer->target_node;
5028

5029
			trd->target.ptr = target_node->ptr;
5030
			trd->cookie =  target_node->cookie;
5031
			t->saved_priority = task_nice(current);
5032
			if (t->priority < target_node->min_priority &&
5033
			    !(t->flags & TF_ONE_WAY))
5034
				binder_set_nice(t->priority);
5035
			else if (!(t->flags & TF_ONE_WAY) ||
5036
				 t->saved_priority > target_node->min_priority)
5037
				binder_set_nice(target_node->min_priority);
5038
			cmd = BR_TRANSACTION;
5039
		} else {
5040
			trd->target.ptr = 0;
5041
			trd->cookie = 0;
5042
			cmd = BR_REPLY;
5043
		}
5044
		trd->code = t->code;
5045
		trd->flags = t->flags;
5046
		trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);
5047

5048
		t_from = binder_get_txn_from(t);
5049
		if (t_from) {
5050
			struct task_struct *sender = t_from->proc->tsk;
5051

5052
			trd->sender_pid =
5053
				task_tgid_nr_ns(sender,
5054
						task_active_pid_ns(current));
5055
		} else {
5056
			trd->sender_pid = 0;
5057
		}
5058

5059
		ret = binder_apply_fd_fixups(proc, t);
5060
		if (ret) {
5061
			struct binder_buffer *buffer = t->buffer;
5062
			bool oneway = !!(t->flags & TF_ONE_WAY);
5063
			int tid = t->debug_id;
5064

5065
			if (t_from)
5066
				binder_thread_dec_tmpref(t_from);
5067
			buffer->transaction = NULL;
5068
			binder_cleanup_transaction(t, "fd fixups failed",
5069
						   BR_FAILED_REPLY);
5070
			binder_free_buf(proc, thread, buffer, true);
5071
			binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
5072
				     "%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n",
5073
				     proc->pid, thread->pid,
5074
				     oneway ? "async " :
5075
					(cmd == BR_REPLY ? "reply " : ""),
5076
				     tid, BR_FAILED_REPLY, ret, __LINE__);
5077
			if (cmd == BR_REPLY) {
5078
				cmd = BR_FAILED_REPLY;
5079
				if (put_user(cmd, (uint32_t __user *)ptr))
5080
					return -EFAULT;
5081
				ptr += sizeof(uint32_t);
5082
				binder_stat_br(proc, thread, cmd);
5083
				break;
5084
			}
5085
			continue;
5086
		}
5087
		trd->data_size = t->buffer->data_size;
5088
		trd->offsets_size = t->buffer->offsets_size;
5089
		trd->data.ptr.buffer = t->buffer->user_data;
5090
		trd->data.ptr.offsets = trd->data.ptr.buffer +
5091
					ALIGN(t->buffer->data_size,
5092
					    sizeof(void *));
5093

5094
		tr.secctx = t->security_ctx;
5095
		if (t->security_ctx) {
5096
			cmd = BR_TRANSACTION_SEC_CTX;
5097
			trsize = sizeof(tr);
5098
		}
5099
		if (put_user(cmd, (uint32_t __user *)ptr)) {
5100
			if (t_from)
5101
				binder_thread_dec_tmpref(t_from);
5102

5103
			binder_cleanup_transaction(t, "put_user failed",
5104
						   BR_FAILED_REPLY);
5105

5106
			return -EFAULT;
5107
		}
5108
		ptr += sizeof(uint32_t);
5109
		if (copy_to_user(ptr, &tr, trsize)) {
5110
			if (t_from)
5111
				binder_thread_dec_tmpref(t_from);
5112

5113
			binder_cleanup_transaction(t, "copy_to_user failed",
5114
						   BR_FAILED_REPLY);
5115

5116
			return -EFAULT;
5117
		}
5118
		ptr += trsize;
5119

5120
		trace_binder_transaction_received(t);
5121
		binder_stat_br(proc, thread, cmd);
5122
		binder_debug(BINDER_DEBUG_TRANSACTION,
5123
			     "%d:%d %s %d %d:%d, cmd %u size %zd-%zd\n",
5124
			     proc->pid, thread->pid,
5125
			     (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
5126
				(cmd == BR_TRANSACTION_SEC_CTX) ?
5127
				     "BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
5128
			     t->debug_id, t_from ? t_from->proc->pid : 0,
5129
			     t_from ? t_from->pid : 0, cmd,
5130
			     t->buffer->data_size, t->buffer->offsets_size);
5131

5132
		if (t_from)
5133
			binder_thread_dec_tmpref(t_from);
5134
		t->buffer->allow_user_free = 1;
5135
		if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
5136
			binder_inner_proc_lock(thread->proc);
5137
			t->to_parent = thread->transaction_stack;
5138
			t->to_thread = thread;
5139
			thread->transaction_stack = t;
5140
			binder_inner_proc_unlock(thread->proc);
5141
		} else {
5142
			binder_free_transaction(t);
5143
		}
5144
		break;
5145
	}
5146

5147
done:
5148

5149
	*consumed = ptr - buffer;
5150
	binder_inner_proc_lock(proc);
5151
	if (proc->requested_threads == 0 &&
5152
	    list_empty(&thread->proc->waiting_threads) &&
5153
	    proc->requested_threads_started < proc->max_threads &&
5154
	    (thread->looper & (BINDER_LOOPER_STATE_REGISTERED |
5155
	     BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */
5156
	     /*spawn a new thread if we leave this out */) {
5157
		proc->requested_threads++;
5158
		binder_inner_proc_unlock(proc);
5159
		binder_debug(BINDER_DEBUG_THREADS,
5160
			     "%d:%d BR_SPAWN_LOOPER\n",
5161
			     proc->pid, thread->pid);
5162
		if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
5163
			return -EFAULT;
5164
		binder_stat_br(proc, thread, BR_SPAWN_LOOPER);
5165
	} else
5166
		binder_inner_proc_unlock(proc);
5167
	return 0;
5168
}
5169

5170
static void binder_release_work(struct binder_proc *proc,
5171
				struct list_head *list)
5172
{
5173
	struct binder_work *w;
5174
	enum binder_work_type wtype;
5175

5176
	while (1) {
5177
		binder_inner_proc_lock(proc);
5178
		w = binder_dequeue_work_head_ilocked(list);
5179
		wtype = w ? w->type : 0;
5180
		binder_inner_proc_unlock(proc);
5181
		if (!w)
5182
			return;
5183

5184
		switch (wtype) {
5185
		case BINDER_WORK_TRANSACTION: {
5186
			struct binder_transaction *t;
5187

5188
			t = container_of(w, struct binder_transaction, work);
5189

5190
			binder_cleanup_transaction(t, "process died.",
5191
						   BR_DEAD_REPLY);
5192
		} break;
5193
		case BINDER_WORK_RETURN_ERROR: {
5194
			struct binder_error *e = container_of(
5195
					w, struct binder_error, work);
5196

5197
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
5198
				"undelivered TRANSACTION_ERROR: %u\n",
5199
				e->cmd);
5200
		} break;
5201
		case BINDER_WORK_TRANSACTION_PENDING:
5202
		case BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT:
5203
		case BINDER_WORK_TRANSACTION_COMPLETE: {
5204
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
5205
				"undelivered TRANSACTION_COMPLETE\n");
5206
			kfree(w);
5207
			binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
5208
		} break;
5209
		case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
5210
		case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: {
5211
			struct binder_ref_death *death;
5212

5213
			death = container_of(w, struct binder_ref_death, work);
5214
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
5215
				"undelivered death notification, %016llx\n",
5216
				(u64)death->cookie);
5217
			kfree(death);
5218
			binder_stats_deleted(BINDER_STAT_DEATH);
5219
		} break;
5220
		case BINDER_WORK_NODE:
5221
			break;
5222
		case BINDER_WORK_CLEAR_FREEZE_NOTIFICATION: {
5223
			struct binder_ref_freeze *freeze;
5224

5225
			freeze = container_of(w, struct binder_ref_freeze, work);
5226
			binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
5227
				     "undelivered freeze notification, %016llx\n",
5228
				     (u64)freeze->cookie);
5229
			kfree(freeze);
5230
			binder_stats_deleted(BINDER_STAT_FREEZE);
5231
		} break;
5232
		default:
5233
			pr_err("unexpected work type, %d, not freed\n",
5234
			       wtype);
5235
			break;
5236
		}
5237
	}
5238

5239
}
5240

5241
static struct binder_thread *binder_get_thread_ilocked(
5242
		struct binder_proc *proc, struct binder_thread *new_thread)
5243
{
5244
	struct binder_thread *thread = NULL;
5245
	struct rb_node *parent = NULL;
5246
	struct rb_node **p = &proc->threads.rb_node;
5247

5248
	while (*p) {
5249
		parent = *p;
5250
		thread = rb_entry(parent, struct binder_thread, rb_node);
5251

5252
		if (current->pid < thread->pid)
5253
			p = &(*p)->rb_left;
5254
		else if (current->pid > thread->pid)
5255
			p = &(*p)->rb_right;
5256
		else
5257
			return thread;
5258
	}
5259
	if (!new_thread)
5260
		return NULL;
5261
	thread = new_thread;
5262
	binder_stats_created(BINDER_STAT_THREAD);
5263
	thread->proc = proc;
5264
	thread->pid = current->pid;
5265
	atomic_set(&thread->tmp_ref, 0);
5266
	init_waitqueue_head(&thread->wait);
5267
	INIT_LIST_HEAD(&thread->todo);
5268
	rb_link_node(&thread->rb_node, parent, p);
5269
	rb_insert_color(&thread->rb_node, &proc->threads);
5270
	thread->looper_need_return = true;
5271
	thread->return_error.work.type = BINDER_WORK_RETURN_ERROR;
5272
	thread->return_error.cmd = BR_OK;
5273
	thread->reply_error.work.type = BINDER_WORK_RETURN_ERROR;
5274
	thread->reply_error.cmd = BR_OK;
5275
	thread->ee.command = BR_OK;
5276
	INIT_LIST_HEAD(&new_thread->waiting_thread_node);
5277
	return thread;
5278
}
5279

5280
static struct binder_thread *binder_get_thread(struct binder_proc *proc)
5281
{
5282
	struct binder_thread *thread;
5283
	struct binder_thread *new_thread;
5284

5285
	binder_inner_proc_lock(proc);
5286
	thread = binder_get_thread_ilocked(proc, NULL);
5287
	binder_inner_proc_unlock(proc);
5288
	if (!thread) {
5289
		new_thread = kzalloc(sizeof(*thread), GFP_KERNEL);
5290
		if (new_thread == NULL)
5291
			return NULL;
5292
		binder_inner_proc_lock(proc);
5293
		thread = binder_get_thread_ilocked(proc, new_thread);
5294
		binder_inner_proc_unlock(proc);
5295
		if (thread != new_thread)
5296
			kfree(new_thread);
5297
	}
5298
	return thread;
5299
}
5300

5301
static void binder_free_proc(struct binder_proc *proc)
5302
{
5303
	struct binder_device *device;
5304

5305
	BUG_ON(!list_empty(&proc->todo));
5306
	BUG_ON(!list_empty(&proc->delivered_death));
5307
	if (proc->outstanding_txns)
5308
		pr_warn("%s: Unexpected outstanding_txns %d\n",
5309
			__func__, proc->outstanding_txns);
5310
	device = container_of(proc->context, struct binder_device, context);
5311
	if (refcount_dec_and_test(&device->ref)) {
5312
		binder_remove_device(device);
5313
		kfree(proc->context->name);
5314
		kfree(device);
5315
	}
5316
	binder_alloc_deferred_release(&proc->alloc);
5317
	put_task_struct(proc->tsk);
5318
	put_cred(proc->cred);
5319
	binder_stats_deleted(BINDER_STAT_PROC);
5320
	dbitmap_free(&proc->dmap);
5321
	kfree(proc);
5322
}
5323

5324
static void binder_free_thread(struct binder_thread *thread)
5325
{
5326
	BUG_ON(!list_empty(&thread->todo));
5327
	binder_stats_deleted(BINDER_STAT_THREAD);
5328
	binder_proc_dec_tmpref(thread->proc);
5329
	kfree(thread);
5330
}
5331

5332
static int binder_thread_release(struct binder_proc *proc,
5333
				 struct binder_thread *thread)
5334
{
5335
	struct binder_transaction *t;
5336
	struct binder_transaction *send_reply = NULL;
5337
	int active_transactions = 0;
5338
	struct binder_transaction *last_t = NULL;
5339

5340
	binder_inner_proc_lock(thread->proc);
5341
	/*
5342
	 * take a ref on the proc so it survives
5343
	 * after we remove this thread from proc->threads.
5344
	 * The corresponding dec is when we actually
5345
	 * free the thread in binder_free_thread()
5346
	 */
5347
	proc->tmp_ref++;
5348
	/*
5349
	 * take a ref on this thread to ensure it
5350
	 * survives while we are releasing it
5351
	 */
5352
	atomic_inc(&thread->tmp_ref);
5353
	rb_erase(&thread->rb_node, &proc->threads);
5354
	t = thread->transaction_stack;
5355
	if (t) {
5356
		spin_lock(&t->lock);
5357
		if (t->to_thread == thread)
5358
			send_reply = t;
5359
	} else {
5360
		__acquire(&t->lock);
5361
	}
5362
	thread->is_dead = true;
5363

5364
	while (t) {
5365
		last_t = t;
5366
		active_transactions++;
5367
		binder_debug(BINDER_DEBUG_DEAD_TRANSACTION,
5368
			     "release %d:%d transaction %d %s, still active\n",
5369
			      proc->pid, thread->pid,
5370
			     t->debug_id,
5371
			     (t->to_thread == thread) ? "in" : "out");
5372

5373
		if (t->to_thread == thread) {
5374
			thread->proc->outstanding_txns--;
5375
			t->to_proc = NULL;
5376
			t->to_thread = NULL;
5377
			if (t->buffer) {
5378
				t->buffer->transaction = NULL;
5379
				t->buffer = NULL;
5380
			}
5381
			t = t->to_parent;
5382
		} else if (t->from == thread) {
5383
			t->from = NULL;
5384
			t = t->from_parent;
5385
		} else
5386
			BUG();
5387
		spin_unlock(&last_t->lock);
5388
		if (t)
5389
			spin_lock(&t->lock);
5390
		else
5391
			__acquire(&t->lock);
5392
	}
5393
	/* annotation for sparse, lock not acquired in last iteration above */
5394
	__release(&t->lock);
5395

5396
	/*
5397
	 * If this thread used poll, make sure we remove the waitqueue from any
5398
	 * poll data structures holding it.
5399
	 */
5400
	if (thread->looper & BINDER_LOOPER_STATE_POLL)
5401
		wake_up_pollfree(&thread->wait);
5402

5403
	binder_inner_proc_unlock(thread->proc);
5404

5405
	/*
5406
	 * This is needed to avoid races between wake_up_pollfree() above and
5407
	 * someone else removing the last entry from the queue for other reasons
5408
	 * (e.g. ep_remove_wait_queue() being called due to an epoll file
5409
	 * descriptor being closed).  Such other users hold an RCU read lock, so
5410
	 * we can be sure they're done after we call synchronize_rcu().
5411
	 */
5412
	if (thread->looper & BINDER_LOOPER_STATE_POLL)
5413
		synchronize_rcu();
5414

5415
	if (send_reply)
5416
		binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
5417
	binder_release_work(proc, &thread->todo);
5418
	binder_thread_dec_tmpref(thread);
5419
	return active_transactions;
5420
}
5421

5422
static __poll_t binder_poll(struct file *filp,
5423
				struct poll_table_struct *wait)
5424
{
5425
	struct binder_proc *proc = filp->private_data;
5426
	struct binder_thread *thread = NULL;
5427
	bool wait_for_proc_work;
5428

5429
	thread = binder_get_thread(proc);
5430
	if (!thread)
5431
		return EPOLLERR;
5432

5433
	binder_inner_proc_lock(thread->proc);
5434
	thread->looper |= BINDER_LOOPER_STATE_POLL;
5435
	wait_for_proc_work = binder_available_for_proc_work_ilocked(thread);
5436

5437
	binder_inner_proc_unlock(thread->proc);
5438

5439
	poll_wait(filp, &thread->wait, wait);
5440

5441
	if (binder_has_work(thread, wait_for_proc_work))
5442
		return EPOLLIN;
5443

5444
	return 0;
5445
}
5446

5447
static int binder_ioctl_write_read(struct file *filp, unsigned long arg,
5448
				struct binder_thread *thread)
5449
{
5450
	int ret = 0;
5451
	struct binder_proc *proc = filp->private_data;
5452
	void __user *ubuf = (void __user *)arg;
5453
	struct binder_write_read bwr;
5454

5455
	if (copy_from_user(&bwr, ubuf, sizeof(bwr)))
5456
		return -EFAULT;
5457

5458
	binder_debug(BINDER_DEBUG_READ_WRITE,
5459
		     "%d:%d write %lld at %016llx, read %lld at %016llx\n",
5460
		     proc->pid, thread->pid,
5461
		     (u64)bwr.write_size, (u64)bwr.write_buffer,
5462
		     (u64)bwr.read_size, (u64)bwr.read_buffer);
5463

5464
	if (bwr.write_size > 0) {
5465
		ret = binder_thread_write(proc, thread,
5466
					  bwr.write_buffer,
5467
					  bwr.write_size,
5468
					  &bwr.write_consumed);
5469
		trace_binder_write_done(ret);
5470
		if (ret < 0) {
5471
			bwr.read_consumed = 0;
5472
			goto out;
5473
		}
5474
	}
5475
	if (bwr.read_size > 0) {
5476
		ret = binder_thread_read(proc, thread, bwr.read_buffer,
5477
					 bwr.read_size,
5478
					 &bwr.read_consumed,
5479
					 filp->f_flags & O_NONBLOCK);
5480
		trace_binder_read_done(ret);
5481
		binder_inner_proc_lock(proc);
5482
		if (!binder_worklist_empty_ilocked(&proc->todo))
5483
			binder_wakeup_proc_ilocked(proc);
5484
		binder_inner_proc_unlock(proc);
5485
		if (ret < 0)
5486
			goto out;
5487
	}
5488
	binder_debug(BINDER_DEBUG_READ_WRITE,
5489
		     "%d:%d wrote %lld of %lld, read return %lld of %lld\n",
5490
		     proc->pid, thread->pid,
5491
		     (u64)bwr.write_consumed, (u64)bwr.write_size,
5492
		     (u64)bwr.read_consumed, (u64)bwr.read_size);
5493
out:
5494
	if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
5495
		ret = -EFAULT;
5496
	return ret;
5497
}
5498

5499
static int binder_ioctl_set_ctx_mgr(struct file *filp,
5500
				    struct flat_binder_object *fbo)
5501
{
5502
	int ret = 0;
5503
	struct binder_proc *proc = filp->private_data;
5504
	struct binder_context *context = proc->context;
5505
	struct binder_node *new_node;
5506
	kuid_t curr_euid = current_euid();
5507

5508
	guard(mutex)(&context->context_mgr_node_lock);
5509
	if (context->binder_context_mgr_node) {
5510
		pr_err("BINDER_SET_CONTEXT_MGR already set\n");
5511
		return -EBUSY;
5512
	}
5513
	ret = security_binder_set_context_mgr(proc->cred);
5514
	if (ret < 0)
5515
		return ret;
5516
	if (uid_valid(context->binder_context_mgr_uid)) {
5517
		if (!uid_eq(context->binder_context_mgr_uid, curr_euid)) {
5518
			pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n",
5519
			       from_kuid(&init_user_ns, curr_euid),
5520
			       from_kuid(&init_user_ns,
5521
					 context->binder_context_mgr_uid));
5522
			return -EPERM;
5523
		}
5524
	} else {
5525
		context->binder_context_mgr_uid = curr_euid;
5526
	}
5527
	new_node = binder_new_node(proc, fbo);
5528
	if (!new_node)
5529
		return -ENOMEM;
5530
	binder_node_lock(new_node);
5531
	new_node->local_weak_refs++;
5532
	new_node->local_strong_refs++;
5533
	new_node->has_strong_ref = 1;
5534
	new_node->has_weak_ref = 1;
5535
	context->binder_context_mgr_node = new_node;
5536
	binder_node_unlock(new_node);
5537
	binder_put_node(new_node);
5538
	return ret;
5539
}
5540

5541
static int binder_ioctl_get_node_info_for_ref(struct binder_proc *proc,
5542
		struct binder_node_info_for_ref *info)
5543
{
5544
	struct binder_node *node;
5545
	struct binder_context *context = proc->context;
5546
	__u32 handle = info->handle;
5547

5548
	if (info->strong_count || info->weak_count || info->reserved1 ||
5549
	    info->reserved2 || info->reserved3) {
5550
		binder_user_error("%d BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.",
5551
				  proc->pid);
5552
		return -EINVAL;
5553
	}
5554

5555
	/* This ioctl may only be used by the context manager */
5556
	mutex_lock(&context->context_mgr_node_lock);
5557
	if (!context->binder_context_mgr_node ||
5558
		context->binder_context_mgr_node->proc != proc) {
5559
		mutex_unlock(&context->context_mgr_node_lock);
5560
		return -EPERM;
5561
	}
5562
	mutex_unlock(&context->context_mgr_node_lock);
5563

5564
	node = binder_get_node_from_ref(proc, handle, true, NULL);
5565
	if (!node)
5566
		return -EINVAL;
5567

5568
	info->strong_count = node->local_strong_refs +
5569
		node->internal_strong_refs;
5570
	info->weak_count = node->local_weak_refs;
5571

5572
	binder_put_node(node);
5573

5574
	return 0;
5575
}
5576

5577
static int binder_ioctl_get_node_debug_info(struct binder_proc *proc,
5578
				struct binder_node_debug_info *info)
5579
{
5580
	struct rb_node *n;
5581
	binder_uintptr_t ptr = info->ptr;
5582

5583
	memset(info, 0, sizeof(*info));
5584

5585
	binder_inner_proc_lock(proc);
5586
	for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
5587
		struct binder_node *node = rb_entry(n, struct binder_node,
5588
						    rb_node);
5589
		if (node->ptr > ptr) {
5590
			info->ptr = node->ptr;
5591
			info->cookie = node->cookie;
5592
			info->has_strong_ref = node->has_strong_ref;
5593
			info->has_weak_ref = node->has_weak_ref;
5594
			break;
5595
		}
5596
	}
5597
	binder_inner_proc_unlock(proc);
5598

5599
	return 0;
5600
}
5601

5602
static bool binder_txns_pending_ilocked(struct binder_proc *proc)
5603
{
5604
	struct rb_node *n;
5605
	struct binder_thread *thread;
5606

5607
	if (proc->outstanding_txns > 0)
5608
		return true;
5609

5610
	for (n = rb_first(&proc->threads); n; n = rb_next(n)) {
5611
		thread = rb_entry(n, struct binder_thread, rb_node);
5612
		if (thread->transaction_stack)
5613
			return true;
5614
	}
5615
	return false;
5616
}
5617

5618
static void binder_add_freeze_work(struct binder_proc *proc, bool is_frozen)
5619
{
5620
	struct binder_node *prev = NULL;
5621
	struct rb_node *n;
5622
	struct binder_ref *ref;
5623

5624
	binder_inner_proc_lock(proc);
5625
	for (n = rb_first(&proc->nodes); n; n = rb_next(n)) {
5626
		struct binder_node *node;
5627

5628
		node = rb_entry(n, struct binder_node, rb_node);
5629
		binder_inc_node_tmpref_ilocked(node);
5630
		binder_inner_proc_unlock(proc);
5631
		if (prev)
5632
			binder_put_node(prev);
5633
		binder_node_lock(node);
5634
		hlist_for_each_entry(ref, &node->refs, node_entry) {
5635
			/*
5636
			 * Need the node lock to synchronize
5637
			 * with new notification requests and the
5638
			 * inner lock to synchronize with queued
5639
			 * freeze notifications.
5640
			 */
5641
			binder_inner_proc_lock(ref->proc);
5642
			if (!ref->freeze) {
5643
				binder_inner_proc_unlock(ref->proc);
5644
				continue;
5645
			}
5646
			ref->freeze->work.type = BINDER_WORK_FROZEN_BINDER;
5647
			if (list_empty(&ref->freeze->work.entry)) {
5648
				ref->freeze->is_frozen = is_frozen;
5649
				binder_enqueue_work_ilocked(&ref->freeze->work, &ref->proc->todo);
5650
				binder_wakeup_proc_ilocked(ref->proc);
5651
			} else {
5652
				if (ref->freeze->sent && ref->freeze->is_frozen != is_frozen)
5653
					ref->freeze->resend = true;
5654
				ref->freeze->is_frozen = is_frozen;
5655
			}
5656
			binder_inner_proc_unlock(ref->proc);
5657
		}
5658
		prev = node;
5659
		binder_node_unlock(node);
5660
		binder_inner_proc_lock(proc);
5661
		if (proc->is_dead)
5662
			break;
5663
	}
5664
	binder_inner_proc_unlock(proc);
5665
	if (prev)
5666
		binder_put_node(prev);
5667
}
5668

5669
static int binder_ioctl_freeze(struct binder_freeze_info *info,
5670
			       struct binder_proc *target_proc)
5671
{
5672
	int ret = 0;
5673

5674
	if (!info->enable) {
5675
		binder_inner_proc_lock(target_proc);
5676
		target_proc->sync_recv = false;
5677
		target_proc->async_recv = false;
5678
		target_proc->is_frozen = false;
5679
		binder_inner_proc_unlock(target_proc);
5680
		binder_add_freeze_work(target_proc, false);
5681
		return 0;
5682
	}
5683

5684
	/*
5685
	 * Freezing the target. Prevent new transactions by
5686
	 * setting frozen state. If timeout specified, wait
5687
	 * for transactions to drain.
5688
	 */
5689
	binder_inner_proc_lock(target_proc);
5690
	target_proc->sync_recv = false;
5691
	target_proc->async_recv = false;
5692
	target_proc->is_frozen = true;
5693
	binder_inner_proc_unlock(target_proc);
5694

5695
	if (info->timeout_ms > 0)
5696
		ret = wait_event_interruptible_timeout(
5697
			target_proc->freeze_wait,
5698
			(!target_proc->outstanding_txns),
5699
			msecs_to_jiffies(info->timeout_ms));
5700

5701
	/* Check pending transactions that wait for reply */
5702
	if (ret >= 0) {
5703
		binder_inner_proc_lock(target_proc);
5704
		if (binder_txns_pending_ilocked(target_proc))
5705
			ret = -EAGAIN;
5706
		binder_inner_proc_unlock(target_proc);
5707
	}
5708

5709
	if (ret < 0) {
5710
		binder_inner_proc_lock(target_proc);
5711
		target_proc->is_frozen = false;
5712
		binder_inner_proc_unlock(target_proc);
5713
	} else {
5714
		binder_add_freeze_work(target_proc, true);
5715
	}
5716

5717
	return ret;
5718
}
5719

5720
static int binder_ioctl_get_freezer_info(
5721
				struct binder_frozen_status_info *info)
5722
{
5723
	struct binder_proc *target_proc;
5724
	bool found = false;
5725
	__u32 txns_pending;
5726

5727
	info->sync_recv = 0;
5728
	info->async_recv = 0;
5729

5730
	mutex_lock(&binder_procs_lock);
5731
	hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
5732
		if (target_proc->pid == info->pid) {
5733
			found = true;
5734
			binder_inner_proc_lock(target_proc);
5735
			txns_pending = binder_txns_pending_ilocked(target_proc);
5736
			info->sync_recv |= target_proc->sync_recv |
5737
					(txns_pending << 1);
5738
			info->async_recv |= target_proc->async_recv;
5739
			binder_inner_proc_unlock(target_proc);
5740
		}
5741
	}
5742
	mutex_unlock(&binder_procs_lock);
5743

5744
	if (!found)
5745
		return -EINVAL;
5746

5747
	return 0;
5748
}
5749

5750
static int binder_ioctl_get_extended_error(struct binder_thread *thread,
5751
					   void __user *ubuf)
5752
{
5753
	struct binder_extended_error ee;
5754

5755
	binder_inner_proc_lock(thread->proc);
5756
	ee = thread->ee;
5757
	binder_set_extended_error(&thread->ee, 0, BR_OK, 0);
5758
	binder_inner_proc_unlock(thread->proc);
5759

5760
	if (copy_to_user(ubuf, &ee, sizeof(ee)))
5761
		return -EFAULT;
5762

5763
	return 0;
5764
}
5765

5766
static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
5767
{
5768
	int ret;
5769
	struct binder_proc *proc = filp->private_data;
5770
	struct binder_thread *thread;
5771
	void __user *ubuf = (void __user *)arg;
5772

5773
	trace_binder_ioctl(cmd, arg);
5774

5775
	ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
5776
	if (ret)
5777
		goto err_unlocked;
5778

5779
	thread = binder_get_thread(proc);
5780
	if (thread == NULL) {
5781
		ret = -ENOMEM;
5782
		goto err;
5783
	}
5784

5785
	switch (cmd) {
5786
	case BINDER_WRITE_READ:
5787
		ret = binder_ioctl_write_read(filp, arg, thread);
5788
		if (ret)
5789
			goto err;
5790
		break;
5791
	case BINDER_SET_MAX_THREADS: {
5792
		u32 max_threads;
5793

5794
		if (copy_from_user(&max_threads, ubuf,
5795
				   sizeof(max_threads))) {
5796
			ret = -EINVAL;
5797
			goto err;
5798
		}
5799
		binder_inner_proc_lock(proc);
5800
		proc->max_threads = max_threads;
5801
		binder_inner_proc_unlock(proc);
5802
		break;
5803
	}
5804
	case BINDER_SET_CONTEXT_MGR_EXT: {
5805
		struct flat_binder_object fbo;
5806

5807
		if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
5808
			ret = -EINVAL;
5809
			goto err;
5810
		}
5811
		ret = binder_ioctl_set_ctx_mgr(filp, &fbo);
5812
		if (ret)
5813
			goto err;
5814
		break;
5815
	}
5816
	case BINDER_SET_CONTEXT_MGR:
5817
		ret = binder_ioctl_set_ctx_mgr(filp, NULL);
5818
		if (ret)
5819
			goto err;
5820
		break;
5821
	case BINDER_THREAD_EXIT:
5822
		binder_debug(BINDER_DEBUG_THREADS, "%d:%d exit\n",
5823
			     proc->pid, thread->pid);
5824
		binder_thread_release(proc, thread);
5825
		thread = NULL;
5826
		break;
5827
	case BINDER_VERSION: {
5828
		struct binder_version __user *ver = ubuf;
5829

5830
		if (put_user(BINDER_CURRENT_PROTOCOL_VERSION,
5831
			     &ver->protocol_version)) {
5832
			ret = -EINVAL;
5833
			goto err;
5834
		}
5835
		break;
5836
	}
5837
	case BINDER_GET_NODE_INFO_FOR_REF: {
5838
		struct binder_node_info_for_ref info;
5839

5840
		if (copy_from_user(&info, ubuf, sizeof(info))) {
5841
			ret = -EFAULT;
5842
			goto err;
5843
		}
5844

5845
		ret = binder_ioctl_get_node_info_for_ref(proc, &info);
5846
		if (ret < 0)
5847
			goto err;
5848

5849
		if (copy_to_user(ubuf, &info, sizeof(info))) {
5850
			ret = -EFAULT;
5851
			goto err;
5852
		}
5853

5854
		break;
5855
	}
5856
	case BINDER_GET_NODE_DEBUG_INFO: {
5857
		struct binder_node_debug_info info;
5858

5859
		if (copy_from_user(&info, ubuf, sizeof(info))) {
5860
			ret = -EFAULT;
5861
			goto err;
5862
		}
5863

5864
		ret = binder_ioctl_get_node_debug_info(proc, &info);
5865
		if (ret < 0)
5866
			goto err;
5867

5868
		if (copy_to_user(ubuf, &info, sizeof(info))) {
5869
			ret = -EFAULT;
5870
			goto err;
5871
		}
5872
		break;
5873
	}
5874
	case BINDER_FREEZE: {
5875
		struct binder_freeze_info info;
5876
		struct binder_proc **target_procs = NULL, *target_proc;
5877
		int target_procs_count = 0, i = 0;
5878

5879
		ret = 0;
5880

5881
		if (copy_from_user(&info, ubuf, sizeof(info))) {
5882
			ret = -EFAULT;
5883
			goto err;
5884
		}
5885

5886
		mutex_lock(&binder_procs_lock);
5887
		hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
5888
			if (target_proc->pid == info.pid)
5889
				target_procs_count++;
5890
		}
5891

5892
		if (target_procs_count == 0) {
5893
			mutex_unlock(&binder_procs_lock);
5894
			ret = -EINVAL;
5895
			goto err;
5896
		}
5897

5898
		target_procs = kcalloc(target_procs_count,
5899
				       sizeof(struct binder_proc *),
5900
				       GFP_KERNEL);
5901

5902
		if (!target_procs) {
5903
			mutex_unlock(&binder_procs_lock);
5904
			ret = -ENOMEM;
5905
			goto err;
5906
		}
5907

5908
		hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
5909
			if (target_proc->pid != info.pid)
5910
				continue;
5911

5912
			binder_inner_proc_lock(target_proc);
5913
			target_proc->tmp_ref++;
5914
			binder_inner_proc_unlock(target_proc);
5915

5916
			target_procs[i++] = target_proc;
5917
		}
5918
		mutex_unlock(&binder_procs_lock);
5919

5920
		for (i = 0; i < target_procs_count; i++) {
5921
			if (ret >= 0)
5922
				ret = binder_ioctl_freeze(&info,
5923
							  target_procs[i]);
5924

5925
			binder_proc_dec_tmpref(target_procs[i]);
5926
		}
5927

5928
		kfree(target_procs);
5929

5930
		if (ret < 0)
5931
			goto err;
5932
		break;
5933
	}
5934
	case BINDER_GET_FROZEN_INFO: {
5935
		struct binder_frozen_status_info info;
5936

5937
		if (copy_from_user(&info, ubuf, sizeof(info))) {
5938
			ret = -EFAULT;
5939
			goto err;
5940
		}
5941

5942
		ret = binder_ioctl_get_freezer_info(&info);
5943
		if (ret < 0)
5944
			goto err;
5945

5946
		if (copy_to_user(ubuf, &info, sizeof(info))) {
5947
			ret = -EFAULT;
5948
			goto err;
5949
		}
5950
		break;
5951
	}
5952
	case BINDER_ENABLE_ONEWAY_SPAM_DETECTION: {
5953
		uint32_t enable;
5954

5955
		if (copy_from_user(&enable, ubuf, sizeof(enable))) {
5956
			ret = -EFAULT;
5957
			goto err;
5958
		}
5959
		binder_inner_proc_lock(proc);
5960
		proc->oneway_spam_detection_enabled = (bool)enable;
5961
		binder_inner_proc_unlock(proc);
5962
		break;
5963
	}
5964
	case BINDER_GET_EXTENDED_ERROR:
5965
		ret = binder_ioctl_get_extended_error(thread, ubuf);
5966
		if (ret < 0)
5967
			goto err;
5968
		break;
5969
	default:
5970
		ret = -EINVAL;
5971
		goto err;
5972
	}
5973
	ret = 0;
5974
err:
5975
	if (thread)
5976
		thread->looper_need_return = false;
5977
	wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
5978
	if (ret && ret != -EINTR)
5979
		pr_info("%d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);
5980
err_unlocked:
5981
	trace_binder_ioctl_done(ret);
5982
	return ret;
5983
}
5984

5985
static void binder_vma_open(struct vm_area_struct *vma)
5986
{
5987
	struct binder_proc *proc = vma->vm_private_data;
5988

5989
	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
5990
		     "%d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
5991
		     proc->pid, vma->vm_start, vma->vm_end,
5992
		     (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
5993
		     (unsigned long)pgprot_val(vma->vm_page_prot));
5994
}
5995

5996
static void binder_vma_close(struct vm_area_struct *vma)
5997
{
5998
	struct binder_proc *proc = vma->vm_private_data;
5999

6000
	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
6001
		     "%d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n",
6002
		     proc->pid, vma->vm_start, vma->vm_end,
6003
		     (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
6004
		     (unsigned long)pgprot_val(vma->vm_page_prot));
6005
	binder_alloc_vma_close(&proc->alloc);
6006
}
6007

6008
VISIBLE_IF_KUNIT vm_fault_t binder_vm_fault(struct vm_fault *vmf)
6009
{
6010
	return VM_FAULT_SIGBUS;
6011
}
6012
EXPORT_SYMBOL_IF_KUNIT(binder_vm_fault);
6013

6014
static const struct vm_operations_struct binder_vm_ops = {
6015
	.open = binder_vma_open,
6016
	.close = binder_vma_close,
6017
	.fault = binder_vm_fault,
6018
};
6019

6020
static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
6021
{
6022
	struct binder_proc *proc = filp->private_data;
6023

6024
	if (proc->tsk != current->group_leader)
6025
		return -EINVAL;
6026

6027
	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
6028
		     "%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
6029
		     __func__, proc->pid, vma->vm_start, vma->vm_end,
6030
		     (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
6031
		     (unsigned long)pgprot_val(vma->vm_page_prot));
6032

6033
	if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) {
6034
		pr_err("%s: %d %lx-%lx %s failed %d\n", __func__,
6035
		       proc->pid, vma->vm_start, vma->vm_end, "bad vm_flags", -EPERM);
6036
		return -EPERM;
6037
	}
6038
	vm_flags_mod(vma, VM_DONTCOPY | VM_MIXEDMAP, VM_MAYWRITE);
6039

6040
	vma->vm_ops = &binder_vm_ops;
6041
	vma->vm_private_data = proc;
6042

6043
	return binder_alloc_mmap_handler(&proc->alloc, vma);
6044
}
6045

6046
static int binder_open(struct inode *nodp, struct file *filp)
6047
{
6048
	struct binder_proc *proc, *itr;
6049
	struct binder_device *binder_dev;
6050
	struct binderfs_info *info;
6051
	struct dentry *binder_binderfs_dir_entry_proc = NULL;
6052
	bool existing_pid = false;
6053

6054
	binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d:%d\n", __func__,
6055
		     current->group_leader->pid, current->pid);
6056

6057
	proc = kzalloc(sizeof(*proc), GFP_KERNEL);
6058
	if (proc == NULL)
6059
		return -ENOMEM;
6060

6061
	dbitmap_init(&proc->dmap);
6062
	spin_lock_init(&proc->inner_lock);
6063
	spin_lock_init(&proc->outer_lock);
6064
	get_task_struct(current->group_leader);
6065
	proc->tsk = current->group_leader;
6066
	proc->cred = get_cred(filp->f_cred);
6067
	INIT_LIST_HEAD(&proc->todo);
6068
	init_waitqueue_head(&proc->freeze_wait);
6069
	proc->default_priority = task_nice(current);
6070
	/* binderfs stashes devices in i_private */
6071
	if (is_binderfs_device(nodp)) {
6072
		binder_dev = nodp->i_private;
6073
		info = nodp->i_sb->s_fs_info;
6074
		binder_binderfs_dir_entry_proc = info->proc_log_dir;
6075
	} else {
6076
		binder_dev = container_of(filp->private_data,
6077
					  struct binder_device, miscdev);
6078
	}
6079
	refcount_inc(&binder_dev->ref);
6080
	proc->context = &binder_dev->context;
6081
	binder_alloc_init(&proc->alloc);
6082

6083
	binder_stats_created(BINDER_STAT_PROC);
6084
	proc->pid = current->group_leader->pid;
6085
	INIT_LIST_HEAD(&proc->delivered_death);
6086
	INIT_LIST_HEAD(&proc->delivered_freeze);
6087
	INIT_LIST_HEAD(&proc->waiting_threads);
6088
	filp->private_data = proc;
6089

6090
	mutex_lock(&binder_procs_lock);
6091
	hlist_for_each_entry(itr, &binder_procs, proc_node) {
6092
		if (itr->pid == proc->pid) {
6093
			existing_pid = true;
6094
			break;
6095
		}
6096
	}
6097
	hlist_add_head(&proc->proc_node, &binder_procs);
6098
	mutex_unlock(&binder_procs_lock);
6099

6100
	if (binder_debugfs_dir_entry_proc && !existing_pid) {
6101
		char strbuf[11];
6102

6103
		snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
6104
		/*
6105
		 * proc debug entries are shared between contexts.
6106
		 * Only create for the first PID to avoid debugfs log spamming
6107
		 * The printing code will anyway print all contexts for a given
6108
		 * PID so this is not a problem.
6109
		 */
6110
		proc->debugfs_entry = debugfs_create_file(strbuf, 0444,
6111
			binder_debugfs_dir_entry_proc,
6112
			(void *)(unsigned long)proc->pid,
6113
			&proc_fops);
6114
	}
6115

6116
	if (binder_binderfs_dir_entry_proc && !existing_pid) {
6117
		char strbuf[11];
6118
		struct dentry *binderfs_entry;
6119

6120
		snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
6121
		/*
6122
		 * Similar to debugfs, the process specific log file is shared
6123
		 * between contexts. Only create for the first PID.
6124
		 * This is ok since same as debugfs, the log file will contain
6125
		 * information on all contexts of a given PID.
6126
		 */
6127
		binderfs_entry = binderfs_create_file(binder_binderfs_dir_entry_proc,
6128
			strbuf, &proc_fops, (void *)(unsigned long)proc->pid);
6129
		if (!IS_ERR(binderfs_entry)) {
6130
			proc->binderfs_entry = binderfs_entry;
6131
		} else {
6132
			int error;
6133

6134
			error = PTR_ERR(binderfs_entry);
6135
			pr_warn("Unable to create file %s in binderfs (error %d)\n",
6136
				strbuf, error);
6137
		}
6138
	}
6139

6140
	return 0;
6141
}
6142

6143
static int binder_flush(struct file *filp, fl_owner_t id)
6144
{
6145
	struct binder_proc *proc = filp->private_data;
6146

6147
	binder_defer_work(proc, BINDER_DEFERRED_FLUSH);
6148

6149
	return 0;
6150
}
6151

6152
static void binder_deferred_flush(struct binder_proc *proc)
6153
{
6154
	struct rb_node *n;
6155
	int wake_count = 0;
6156

6157
	binder_inner_proc_lock(proc);
6158
	for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) {
6159
		struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node);
6160

6161
		thread->looper_need_return = true;
6162
		if (thread->looper & BINDER_LOOPER_STATE_WAITING) {
6163
			wake_up_interruptible(&thread->wait);
6164
			wake_count++;
6165
		}
6166
	}
6167
	binder_inner_proc_unlock(proc);
6168

6169
	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
6170
		     "binder_flush: %d woke %d threads\n", proc->pid,
6171
		     wake_count);
6172
}
6173

6174
static int binder_release(struct inode *nodp, struct file *filp)
6175
{
6176
	struct binder_proc *proc = filp->private_data;
6177

6178
	debugfs_remove(proc->debugfs_entry);
6179

6180
	if (proc->binderfs_entry) {
6181
		simple_recursive_removal(proc->binderfs_entry, NULL);
6182
		proc->binderfs_entry = NULL;
6183
	}
6184

6185
	binder_defer_work(proc, BINDER_DEFERRED_RELEASE);
6186

6187
	return 0;
6188
}
6189

6190
static int binder_node_release(struct binder_node *node, int refs)
6191
{
6192
	struct binder_ref *ref;
6193
	int death = 0;
6194
	struct binder_proc *proc = node->proc;
6195

6196
	binder_release_work(proc, &node->async_todo);
6197

6198
	binder_node_lock(node);
6199
	binder_inner_proc_lock(proc);
6200
	binder_dequeue_work_ilocked(&node->work);
6201
	/*
6202
	 * The caller must have taken a temporary ref on the node,
6203
	 */
6204
	BUG_ON(!node->tmp_refs);
6205
	if (hlist_empty(&node->refs) && node->tmp_refs == 1) {
6206
		binder_inner_proc_unlock(proc);
6207
		binder_node_unlock(node);
6208
		binder_free_node(node);
6209

6210
		return refs;
6211
	}
6212

6213
	node->proc = NULL;
6214
	node->local_strong_refs = 0;
6215
	node->local_weak_refs = 0;
6216
	binder_inner_proc_unlock(proc);
6217

6218
	spin_lock(&binder_dead_nodes_lock);
6219
	hlist_add_head(&node->dead_node, &binder_dead_nodes);
6220
	spin_unlock(&binder_dead_nodes_lock);
6221

6222
	hlist_for_each_entry(ref, &node->refs, node_entry) {
6223
		refs++;
6224
		/*
6225
		 * Need the node lock to synchronize
6226
		 * with new notification requests and the
6227
		 * inner lock to synchronize with queued
6228
		 * death notifications.
6229
		 */
6230
		binder_inner_proc_lock(ref->proc);
6231
		if (!ref->death) {
6232
			binder_inner_proc_unlock(ref->proc);
6233
			continue;
6234
		}
6235

6236
		death++;
6237

6238
		BUG_ON(!list_empty(&ref->death->work.entry));
6239
		ref->death->work.type = BINDER_WORK_DEAD_BINDER;
6240
		binder_enqueue_work_ilocked(&ref->death->work,
6241
					    &ref->proc->todo);
6242
		binder_wakeup_proc_ilocked(ref->proc);
6243
		binder_inner_proc_unlock(ref->proc);
6244
	}
6245

6246
	binder_debug(BINDER_DEBUG_DEAD_BINDER,
6247
		     "node %d now dead, refs %d, death %d\n",
6248
		     node->debug_id, refs, death);
6249
	binder_node_unlock(node);
6250
	binder_put_node(node);
6251

6252
	return refs;
6253
}
6254

6255
static void binder_deferred_release(struct binder_proc *proc)
6256
{
6257
	struct binder_context *context = proc->context;
6258
	struct rb_node *n;
6259
	int threads, nodes, incoming_refs, outgoing_refs, active_transactions;
6260

6261
	mutex_lock(&binder_procs_lock);
6262
	hlist_del(&proc->proc_node);
6263
	mutex_unlock(&binder_procs_lock);
6264

6265
	mutex_lock(&context->context_mgr_node_lock);
6266
	if (context->binder_context_mgr_node &&
6267
	    context->binder_context_mgr_node->proc == proc) {
6268
		binder_debug(BINDER_DEBUG_DEAD_BINDER,
6269
			     "%s: %d context_mgr_node gone\n",
6270
			     __func__, proc->pid);
6271
		context->binder_context_mgr_node = NULL;
6272
	}
6273
	mutex_unlock(&context->context_mgr_node_lock);
6274
	binder_inner_proc_lock(proc);
6275
	/*
6276
	 * Make sure proc stays alive after we
6277
	 * remove all the threads
6278
	 */
6279
	proc->tmp_ref++;
6280

6281
	proc->is_dead = true;
6282
	proc->is_frozen = false;
6283
	proc->sync_recv = false;
6284
	proc->async_recv = false;
6285
	threads = 0;
6286
	active_transactions = 0;
6287
	while ((n = rb_first(&proc->threads))) {
6288
		struct binder_thread *thread;
6289

6290
		thread = rb_entry(n, struct binder_thread, rb_node);
6291
		binder_inner_proc_unlock(proc);
6292
		threads++;
6293
		active_transactions += binder_thread_release(proc, thread);
6294
		binder_inner_proc_lock(proc);
6295
	}
6296

6297
	nodes = 0;
6298
	incoming_refs = 0;
6299
	while ((n = rb_first(&proc->nodes))) {
6300
		struct binder_node *node;
6301

6302
		node = rb_entry(n, struct binder_node, rb_node);
6303
		nodes++;
6304
		/*
6305
		 * take a temporary ref on the node before
6306
		 * calling binder_node_release() which will either
6307
		 * kfree() the node or call binder_put_node()
6308
		 */
6309
		binder_inc_node_tmpref_ilocked(node);
6310
		rb_erase(&node->rb_node, &proc->nodes);
6311
		binder_inner_proc_unlock(proc);
6312
		incoming_refs = binder_node_release(node, incoming_refs);
6313
		binder_inner_proc_lock(proc);
6314
	}
6315
	binder_inner_proc_unlock(proc);
6316

6317
	outgoing_refs = 0;
6318
	binder_proc_lock(proc);
6319
	while ((n = rb_first(&proc->refs_by_desc))) {
6320
		struct binder_ref *ref;
6321

6322
		ref = rb_entry(n, struct binder_ref, rb_node_desc);
6323
		outgoing_refs++;
6324
		binder_cleanup_ref_olocked(ref);
6325
		binder_proc_unlock(proc);
6326
		binder_free_ref(ref);
6327
		binder_proc_lock(proc);
6328
	}
6329
	binder_proc_unlock(proc);
6330

6331
	binder_release_work(proc, &proc->todo);
6332
	binder_release_work(proc, &proc->delivered_death);
6333
	binder_release_work(proc, &proc->delivered_freeze);
6334

6335
	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
6336
		     "%s: %d threads %d, nodes %d (ref %d), refs %d, active transactions %d\n",
6337
		     __func__, proc->pid, threads, nodes, incoming_refs,
6338
		     outgoing_refs, active_transactions);
6339

6340
	binder_proc_dec_tmpref(proc);
6341
}
6342

6343
static void binder_deferred_func(struct work_struct *work)
6344
{
6345
	struct binder_proc *proc;
6346

6347
	int defer;
6348

6349
	do {
6350
		mutex_lock(&binder_deferred_lock);
6351
		if (!hlist_empty(&binder_deferred_list)) {
6352
			proc = hlist_entry(binder_deferred_list.first,
6353
					struct binder_proc, deferred_work_node);
6354
			hlist_del_init(&proc->deferred_work_node);
6355
			defer = proc->deferred_work;
6356
			proc->deferred_work = 0;
6357
		} else {
6358
			proc = NULL;
6359
			defer = 0;
6360
		}
6361
		mutex_unlock(&binder_deferred_lock);
6362

6363
		if (defer & BINDER_DEFERRED_FLUSH)
6364
			binder_deferred_flush(proc);
6365

6366
		if (defer & BINDER_DEFERRED_RELEASE)
6367
			binder_deferred_release(proc); /* frees proc */
6368
	} while (proc);
6369
}
6370
static DECLARE_WORK(binder_deferred_work, binder_deferred_func);
6371

6372
static void
6373
binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer)
6374
{
6375
	guard(mutex)(&binder_deferred_lock);
6376
	proc->deferred_work |= defer;
6377
	if (hlist_unhashed(&proc->deferred_work_node)) {
6378
		hlist_add_head(&proc->deferred_work_node,
6379
				&binder_deferred_list);
6380
		schedule_work(&binder_deferred_work);
6381
	}
6382
}
6383

6384
static void print_binder_transaction_ilocked(struct seq_file *m,
6385
					     struct binder_proc *proc,
6386
					     const char *prefix,
6387
					     struct binder_transaction *t)
6388
{
6389
	struct binder_proc *to_proc;
6390
	struct binder_buffer *buffer = t->buffer;
6391
	ktime_t current_time = ktime_get();
6392

6393
	spin_lock(&t->lock);
6394
	to_proc = t->to_proc;
6395
	seq_printf(m,
6396
		   "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld a%d r%d elapsed %lldms",
6397
		   prefix, t->debug_id, t,
6398
		   t->from_pid,
6399
		   t->from_tid,
6400
		   to_proc ? to_proc->pid : 0,
6401
		   t->to_thread ? t->to_thread->pid : 0,
6402
		   t->code, t->flags, t->priority, t->is_async, t->is_reply,
6403
		   ktime_ms_delta(current_time, t->start_time));
6404
	spin_unlock(&t->lock);
6405

6406
	if (proc != to_proc) {
6407
		/*
6408
		 * Can only safely deref buffer if we are holding the
6409
		 * correct proc inner lock for this node
6410
		 */
6411
		seq_puts(m, "\n");
6412
		return;
6413
	}
6414

6415
	if (buffer == NULL) {
6416
		seq_puts(m, " buffer free\n");
6417
		return;
6418
	}
6419
	if (buffer->target_node)
6420
		seq_printf(m, " node %d", buffer->target_node->debug_id);
6421
	seq_printf(m, " size %zd:%zd offset %lx\n",
6422
		   buffer->data_size, buffer->offsets_size,
6423
		   buffer->user_data - proc->alloc.vm_start);
6424
}
6425

6426
static void print_binder_work_ilocked(struct seq_file *m,
6427
				      struct binder_proc *proc,
6428
				      const char *prefix,
6429
				      const char *transaction_prefix,
6430
				      struct binder_work *w, bool hash_ptrs)
6431
{
6432
	struct binder_node *node;
6433
	struct binder_transaction *t;
6434

6435
	switch (w->type) {
6436
	case BINDER_WORK_TRANSACTION:
6437
		t = container_of(w, struct binder_transaction, work);
6438
		print_binder_transaction_ilocked(
6439
				m, proc, transaction_prefix, t);
6440
		break;
6441
	case BINDER_WORK_RETURN_ERROR: {
6442
		struct binder_error *e = container_of(
6443
				w, struct binder_error, work);
6444

6445
		seq_printf(m, "%stransaction error: %u\n",
6446
			   prefix, e->cmd);
6447
	} break;
6448
	case BINDER_WORK_TRANSACTION_COMPLETE:
6449
		seq_printf(m, "%stransaction complete\n", prefix);
6450
		break;
6451
	case BINDER_WORK_NODE:
6452
		node = container_of(w, struct binder_node, work);
6453
		if (hash_ptrs)
6454
			seq_printf(m, "%snode work %d: u%p c%p\n",
6455
				   prefix, node->debug_id,
6456
				   (void *)(long)node->ptr,
6457
				   (void *)(long)node->cookie);
6458
		else
6459
			seq_printf(m, "%snode work %d: u%016llx c%016llx\n",
6460
				   prefix, node->debug_id,
6461
				   (u64)node->ptr, (u64)node->cookie);
6462
		break;
6463
	case BINDER_WORK_DEAD_BINDER:
6464
		seq_printf(m, "%shas dead binder\n", prefix);
6465
		break;
6466
	case BINDER_WORK_DEAD_BINDER_AND_CLEAR:
6467
		seq_printf(m, "%shas cleared dead binder\n", prefix);
6468
		break;
6469
	case BINDER_WORK_CLEAR_DEATH_NOTIFICATION:
6470
		seq_printf(m, "%shas cleared death notification\n", prefix);
6471
		break;
6472
	case BINDER_WORK_FROZEN_BINDER:
6473
		seq_printf(m, "%shas frozen binder\n", prefix);
6474
		break;
6475
	case BINDER_WORK_CLEAR_FREEZE_NOTIFICATION:
6476
		seq_printf(m, "%shas cleared freeze notification\n", prefix);
6477
		break;
6478
	default:
6479
		seq_printf(m, "%sunknown work: type %d\n", prefix, w->type);
6480
		break;
6481
	}
6482
}
6483

6484
static void print_binder_thread_ilocked(struct seq_file *m,
6485
					struct binder_thread *thread,
6486
					bool print_always, bool hash_ptrs)
6487
{
6488
	struct binder_transaction *t;
6489
	struct binder_work *w;
6490
	size_t start_pos = m->count;
6491
	size_t header_pos;
6492

6493
	seq_printf(m, "  thread %d: l %02x need_return %d tr %d\n",
6494
			thread->pid, thread->looper,
6495
			thread->looper_need_return,
6496
			atomic_read(&thread->tmp_ref));
6497
	header_pos = m->count;
6498
	t = thread->transaction_stack;
6499
	while (t) {
6500
		if (t->from == thread) {
6501
			print_binder_transaction_ilocked(m, thread->proc,
6502
					"    outgoing transaction", t);
6503
			t = t->from_parent;
6504
		} else if (t->to_thread == thread) {
6505
			print_binder_transaction_ilocked(m, thread->proc,
6506
						 "    incoming transaction", t);
6507
			t = t->to_parent;
6508
		} else {
6509
			print_binder_transaction_ilocked(m, thread->proc,
6510
					"    bad transaction", t);
6511
			t = NULL;
6512
		}
6513
	}
6514
	list_for_each_entry(w, &thread->todo, entry) {
6515
		print_binder_work_ilocked(m, thread->proc, "    ",
6516
					  "    pending transaction",
6517
					  w, hash_ptrs);
6518
	}
6519
	if (!print_always && m->count == header_pos)
6520
		m->count = start_pos;
6521
}
6522

6523
static void print_binder_node_nilocked(struct seq_file *m,
6524
				       struct binder_node *node,
6525
				       bool hash_ptrs)
6526
{
6527
	struct binder_ref *ref;
6528
	struct binder_work *w;
6529
	int count;
6530

6531
	count = hlist_count_nodes(&node->refs);
6532

6533
	if (hash_ptrs)
6534
		seq_printf(m, "  node %d: u%p c%p", node->debug_id,
6535
			   (void *)(long)node->ptr, (void *)(long)node->cookie);
6536
	else
6537
		seq_printf(m, "  node %d: u%016llx c%016llx", node->debug_id,
6538
			   (u64)node->ptr, (u64)node->cookie);
6539
	seq_printf(m, " hs %d hw %d ls %d lw %d is %d iw %d tr %d",
6540
		   node->has_strong_ref, node->has_weak_ref,
6541
		   node->local_strong_refs, node->local_weak_refs,
6542
		   node->internal_strong_refs, count, node->tmp_refs);
6543
	if (count) {
6544
		seq_puts(m, " proc");
6545
		hlist_for_each_entry(ref, &node->refs, node_entry)
6546
			seq_printf(m, " %d", ref->proc->pid);
6547
	}
6548
	seq_puts(m, "\n");
6549
	if (node->proc) {
6550
		list_for_each_entry(w, &node->async_todo, entry)
6551
			print_binder_work_ilocked(m, node->proc, "    ",
6552
					  "    pending async transaction",
6553
					  w, hash_ptrs);
6554
	}
6555
}
6556

6557
static void print_binder_ref_olocked(struct seq_file *m,
6558
				     struct binder_ref *ref)
6559
{
6560
	binder_node_lock(ref->node);
6561
	seq_printf(m, "  ref %d: desc %d %snode %d s %d w %d d %pK\n",
6562
		   ref->data.debug_id, ref->data.desc,
6563
		   ref->node->proc ? "" : "dead ",
6564
		   ref->node->debug_id, ref->data.strong,
6565
		   ref->data.weak, ref->death);
6566
	binder_node_unlock(ref->node);
6567
}
6568

6569
/**
6570
 * print_next_binder_node_ilocked() - Print binder_node from a locked list
6571
 * @m:          struct seq_file for output via seq_printf()
6572
 * @proc:       struct binder_proc we hold the inner_proc_lock to (if any)
6573
 * @node:       struct binder_node to print fields of
6574
 * @prev_node:	struct binder_node we hold a temporary reference to (if any)
6575
 * @hash_ptrs:  whether to hash @node's binder_uintptr_t fields
6576
 *
6577
 * Helper function to handle synchronization around printing a struct
6578
 * binder_node while iterating through @proc->nodes or the dead nodes list.
6579
 * Caller must hold either @proc->inner_lock (for live nodes) or
6580
 * binder_dead_nodes_lock. This lock will be released during the body of this
6581
 * function, but it will be reacquired before returning to the caller.
6582
 *
6583
 * Return:	pointer to the struct binder_node we hold a tmpref on
6584
 */
6585
static struct binder_node *
6586
print_next_binder_node_ilocked(struct seq_file *m, struct binder_proc *proc,
6587
			       struct binder_node *node,
6588
			       struct binder_node *prev_node, bool hash_ptrs)
6589
{
6590
	/*
6591
	 * Take a temporary reference on the node so that isn't freed while
6592
	 * we print it.
6593
	 */
6594
	binder_inc_node_tmpref_ilocked(node);
6595
	/*
6596
	 * Live nodes need to drop the inner proc lock and dead nodes need to
6597
	 * drop the binder_dead_nodes_lock before trying to take the node lock.
6598
	 */
6599
	if (proc)
6600
		binder_inner_proc_unlock(proc);
6601
	else
6602
		spin_unlock(&binder_dead_nodes_lock);
6603
	if (prev_node)
6604
		binder_put_node(prev_node);
6605
	binder_node_inner_lock(node);
6606
	print_binder_node_nilocked(m, node, hash_ptrs);
6607
	binder_node_inner_unlock(node);
6608
	if (proc)
6609
		binder_inner_proc_lock(proc);
6610
	else
6611
		spin_lock(&binder_dead_nodes_lock);
6612
	return node;
6613
}
6614

6615
static void print_binder_proc(struct seq_file *m, struct binder_proc *proc,
6616
			      bool print_all, bool hash_ptrs)
6617
{
6618
	struct binder_work *w;
6619
	struct rb_node *n;
6620
	size_t start_pos = m->count;
6621
	size_t header_pos;
6622
	struct binder_node *last_node = NULL;
6623

6624
	seq_printf(m, "proc %d\n", proc->pid);
6625
	seq_printf(m, "context %s\n", proc->context->name);
6626
	header_pos = m->count;
6627

6628
	binder_inner_proc_lock(proc);
6629
	for (n = rb_first(&proc->threads); n; n = rb_next(n))
6630
		print_binder_thread_ilocked(m, rb_entry(n, struct binder_thread,
6631
						rb_node), print_all, hash_ptrs);
6632

6633
	for (n = rb_first(&proc->nodes); n; n = rb_next(n)) {
6634
		struct binder_node *node = rb_entry(n, struct binder_node,
6635
						    rb_node);
6636
		if (!print_all && !node->has_async_transaction)
6637
			continue;
6638

6639
		last_node = print_next_binder_node_ilocked(m, proc, node,
6640
							   last_node,
6641
							   hash_ptrs);
6642
	}
6643
	binder_inner_proc_unlock(proc);
6644
	if (last_node)
6645
		binder_put_node(last_node);
6646

6647
	if (print_all) {
6648
		binder_proc_lock(proc);
6649
		for (n = rb_first(&proc->refs_by_desc); n; n = rb_next(n))
6650
			print_binder_ref_olocked(m, rb_entry(n,
6651
							     struct binder_ref,
6652
							     rb_node_desc));
6653
		binder_proc_unlock(proc);
6654
	}
6655
	binder_alloc_print_allocated(m, &proc->alloc);
6656
	binder_inner_proc_lock(proc);
6657
	list_for_each_entry(w, &proc->todo, entry)
6658
		print_binder_work_ilocked(m, proc, "  ",
6659
					  "  pending transaction", w,
6660
					  hash_ptrs);
6661
	list_for_each_entry(w, &proc->delivered_death, entry) {
6662
		seq_puts(m, "  has delivered dead binder\n");
6663
		break;
6664
	}
6665
	list_for_each_entry(w, &proc->delivered_freeze, entry) {
6666
		seq_puts(m, "  has delivered freeze binder\n");
6667
		break;
6668
	}
6669
	binder_inner_proc_unlock(proc);
6670
	if (!print_all && m->count == header_pos)
6671
		m->count = start_pos;
6672
}
6673

6674
static const char * const binder_return_strings[] = {
6675
	"BR_ERROR",
6676
	"BR_OK",
6677
	"BR_TRANSACTION",
6678
	"BR_REPLY",
6679
	"BR_ACQUIRE_RESULT",
6680
	"BR_DEAD_REPLY",
6681
	"BR_TRANSACTION_COMPLETE",
6682
	"BR_INCREFS",
6683
	"BR_ACQUIRE",
6684
	"BR_RELEASE",
6685
	"BR_DECREFS",
6686
	"BR_ATTEMPT_ACQUIRE",
6687
	"BR_NOOP",
6688
	"BR_SPAWN_LOOPER",
6689
	"BR_FINISHED",
6690
	"BR_DEAD_BINDER",
6691
	"BR_CLEAR_DEATH_NOTIFICATION_DONE",
6692
	"BR_FAILED_REPLY",
6693
	"BR_FROZEN_REPLY",
6694
	"BR_ONEWAY_SPAM_SUSPECT",
6695
	"BR_TRANSACTION_PENDING_FROZEN",
6696
	"BR_FROZEN_BINDER",
6697
	"BR_CLEAR_FREEZE_NOTIFICATION_DONE",
6698
};
6699

6700
static const char * const binder_command_strings[] = {
6701
	"BC_TRANSACTION",
6702
	"BC_REPLY",
6703
	"BC_ACQUIRE_RESULT",
6704
	"BC_FREE_BUFFER",
6705
	"BC_INCREFS",
6706
	"BC_ACQUIRE",
6707
	"BC_RELEASE",
6708
	"BC_DECREFS",
6709
	"BC_INCREFS_DONE",
6710
	"BC_ACQUIRE_DONE",
6711
	"BC_ATTEMPT_ACQUIRE",
6712
	"BC_REGISTER_LOOPER",
6713
	"BC_ENTER_LOOPER",
6714
	"BC_EXIT_LOOPER",
6715
	"BC_REQUEST_DEATH_NOTIFICATION",
6716
	"BC_CLEAR_DEATH_NOTIFICATION",
6717
	"BC_DEAD_BINDER_DONE",
6718
	"BC_TRANSACTION_SG",
6719
	"BC_REPLY_SG",
6720
	"BC_REQUEST_FREEZE_NOTIFICATION",
6721
	"BC_CLEAR_FREEZE_NOTIFICATION",
6722
	"BC_FREEZE_NOTIFICATION_DONE",
6723
};
6724

6725
static const char * const binder_objstat_strings[] = {
6726
	"proc",
6727
	"thread",
6728
	"node",
6729
	"ref",
6730
	"death",
6731
	"transaction",
6732
	"transaction_complete",
6733
	"freeze",
6734
};
6735

6736
static void print_binder_stats(struct seq_file *m, const char *prefix,
6737
			       struct binder_stats *stats)
6738
{
6739
	int i;
6740

6741
	BUILD_BUG_ON(ARRAY_SIZE(stats->bc) !=
6742
		     ARRAY_SIZE(binder_command_strings));
6743
	for (i = 0; i < ARRAY_SIZE(stats->bc); i++) {
6744
		int temp = atomic_read(&stats->bc[i]);
6745

6746
		if (temp)
6747
			seq_printf(m, "%s%s: %d\n", prefix,
6748
				   binder_command_strings[i], temp);
6749
	}
6750

6751
	BUILD_BUG_ON(ARRAY_SIZE(stats->br) !=
6752
		     ARRAY_SIZE(binder_return_strings));
6753
	for (i = 0; i < ARRAY_SIZE(stats->br); i++) {
6754
		int temp = atomic_read(&stats->br[i]);
6755

6756
		if (temp)
6757
			seq_printf(m, "%s%s: %d\n", prefix,
6758
				   binder_return_strings[i], temp);
6759
	}
6760

6761
	BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
6762
		     ARRAY_SIZE(binder_objstat_strings));
6763
	BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) !=
6764
		     ARRAY_SIZE(stats->obj_deleted));
6765
	for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) {
6766
		int created = atomic_read(&stats->obj_created[i]);
6767
		int deleted = atomic_read(&stats->obj_deleted[i]);
6768

6769
		if (created || deleted)
6770
			seq_printf(m, "%s%s: active %d total %d\n",
6771
				prefix,
6772
				binder_objstat_strings[i],
6773
				created - deleted,
6774
				created);
6775
	}
6776
}
6777

6778
static void print_binder_proc_stats(struct seq_file *m,
6779
				    struct binder_proc *proc)
6780
{
6781
	struct binder_work *w;
6782
	struct binder_thread *thread;
6783
	struct rb_node *n;
6784
	int count, strong, weak, ready_threads;
6785
	size_t free_async_space =
6786
		binder_alloc_get_free_async_space(&proc->alloc);
6787

6788
	seq_printf(m, "proc %d\n", proc->pid);
6789
	seq_printf(m, "context %s\n", proc->context->name);
6790
	count = 0;
6791
	ready_threads = 0;
6792
	binder_inner_proc_lock(proc);
6793
	for (n = rb_first(&proc->threads); n; n = rb_next(n))
6794
		count++;
6795

6796
	list_for_each_entry(thread, &proc->waiting_threads, waiting_thread_node)
6797
		ready_threads++;
6798

6799
	seq_printf(m, "  threads: %d\n", count);
6800
	seq_printf(m, "  requested threads: %d+%d/%d\n"
6801
			"  ready threads %d\n"
6802
			"  free async space %zd\n", proc->requested_threads,
6803
			proc->requested_threads_started, proc->max_threads,
6804
			ready_threads,
6805
			free_async_space);
6806
	count = 0;
6807
	for (n = rb_first(&proc->nodes); n; n = rb_next(n))
6808
		count++;
6809
	binder_inner_proc_unlock(proc);
6810
	seq_printf(m, "  nodes: %d\n", count);
6811
	count = 0;
6812
	strong = 0;
6813
	weak = 0;
6814
	binder_proc_lock(proc);
6815
	for (n = rb_first(&proc->refs_by_desc); n; n = rb_next(n)) {
6816
		struct binder_ref *ref = rb_entry(n, struct binder_ref,
6817
						  rb_node_desc);
6818
		count++;
6819
		strong += ref->data.strong;
6820
		weak += ref->data.weak;
6821
	}
6822
	binder_proc_unlock(proc);
6823
	seq_printf(m, "  refs: %d s %d w %d\n", count, strong, weak);
6824

6825
	count = binder_alloc_get_allocated_count(&proc->alloc);
6826
	seq_printf(m, "  buffers: %d\n", count);
6827

6828
	binder_alloc_print_pages(m, &proc->alloc);
6829

6830
	count = 0;
6831
	binder_inner_proc_lock(proc);
6832
	list_for_each_entry(w, &proc->todo, entry) {
6833
		if (w->type == BINDER_WORK_TRANSACTION)
6834
			count++;
6835
	}
6836
	binder_inner_proc_unlock(proc);
6837
	seq_printf(m, "  pending transactions: %d\n", count);
6838

6839
	print_binder_stats(m, "  ", &proc->stats);
6840
}
6841

6842
static void print_binder_state(struct seq_file *m, bool hash_ptrs)
6843
{
6844
	struct binder_proc *proc;
6845
	struct binder_node *node;
6846
	struct binder_node *last_node = NULL;
6847

6848
	seq_puts(m, "binder state:\n");
6849

6850
	spin_lock(&binder_dead_nodes_lock);
6851
	if (!hlist_empty(&binder_dead_nodes))
6852
		seq_puts(m, "dead nodes:\n");
6853
	hlist_for_each_entry(node, &binder_dead_nodes, dead_node)
6854
		last_node = print_next_binder_node_ilocked(m, NULL, node,
6855
							   last_node,
6856
							   hash_ptrs);
6857
	spin_unlock(&binder_dead_nodes_lock);
6858
	if (last_node)
6859
		binder_put_node(last_node);
6860

6861
	mutex_lock(&binder_procs_lock);
6862
	hlist_for_each_entry(proc, &binder_procs, proc_node)
6863
		print_binder_proc(m, proc, true, hash_ptrs);
6864
	mutex_unlock(&binder_procs_lock);
6865
}
6866

6867
static void print_binder_transactions(struct seq_file *m, bool hash_ptrs)
6868
{
6869
	struct binder_proc *proc;
6870

6871
	seq_puts(m, "binder transactions:\n");
6872
	mutex_lock(&binder_procs_lock);
6873
	hlist_for_each_entry(proc, &binder_procs, proc_node)
6874
		print_binder_proc(m, proc, false, hash_ptrs);
6875
	mutex_unlock(&binder_procs_lock);
6876
}
6877

6878
static int state_show(struct seq_file *m, void *unused)
6879
{
6880
	print_binder_state(m, false);
6881
	return 0;
6882
}
6883

6884
static int state_hashed_show(struct seq_file *m, void *unused)
6885
{
6886
	print_binder_state(m, true);
6887
	return 0;
6888
}
6889

6890
static int stats_show(struct seq_file *m, void *unused)
6891
{
6892
	struct binder_proc *proc;
6893

6894
	seq_puts(m, "binder stats:\n");
6895

6896
	print_binder_stats(m, "", &binder_stats);
6897

6898
	mutex_lock(&binder_procs_lock);
6899
	hlist_for_each_entry(proc, &binder_procs, proc_node)
6900
		print_binder_proc_stats(m, proc);
6901
	mutex_unlock(&binder_procs_lock);
6902

6903
	return 0;
6904
}
6905

6906
static int transactions_show(struct seq_file *m, void *unused)
6907
{
6908
	print_binder_transactions(m, false);
6909
	return 0;
6910
}
6911

6912
static int transactions_hashed_show(struct seq_file *m, void *unused)
6913
{
6914
	print_binder_transactions(m, true);
6915
	return 0;
6916
}
6917

6918
static int proc_show(struct seq_file *m, void *unused)
6919
{
6920
	struct binder_proc *itr;
6921
	int pid = (unsigned long)m->private;
6922

6923
	guard(mutex)(&binder_procs_lock);
6924
	hlist_for_each_entry(itr, &binder_procs, proc_node) {
6925
		if (itr->pid == pid) {
6926
			seq_puts(m, "binder proc state:\n");
6927
			print_binder_proc(m, itr, true, false);
6928
		}
6929
	}
6930

6931
	return 0;
6932
}
6933

6934
static void print_binder_transaction_log_entry(struct seq_file *m,
6935
					struct binder_transaction_log_entry *e)
6936
{
6937
	int debug_id = READ_ONCE(e->debug_id_done);
6938
	/*
6939
	 * read barrier to guarantee debug_id_done read before
6940
	 * we print the log values
6941
	 */
6942
	smp_rmb();
6943
	seq_printf(m,
6944
		   "%d: %s from %d:%d to %d:%d context %s node %d handle %d size %d:%d ret %d/%d l=%d",
6945
		   e->debug_id, (e->call_type == 2) ? "reply" :
6946
		   ((e->call_type == 1) ? "async" : "call "), e->from_proc,
6947
		   e->from_thread, e->to_proc, e->to_thread, e->context_name,
6948
		   e->to_node, e->target_handle, e->data_size, e->offsets_size,
6949
		   e->return_error, e->return_error_param,
6950
		   e->return_error_line);
6951
	/*
6952
	 * read-barrier to guarantee read of debug_id_done after
6953
	 * done printing the fields of the entry
6954
	 */
6955
	smp_rmb();
6956
	seq_printf(m, debug_id && debug_id == READ_ONCE(e->debug_id_done) ?
6957
			"\n" : " (incomplete)\n");
6958
}
6959

6960
static int transaction_log_show(struct seq_file *m, void *unused)
6961
{
6962
	struct binder_transaction_log *log = m->private;
6963
	unsigned int log_cur = atomic_read(&log->cur);
6964
	unsigned int count;
6965
	unsigned int cur;
6966
	int i;
6967

6968
	count = log_cur + 1;
6969
	cur = count < ARRAY_SIZE(log->entry) && !log->full ?
6970
		0 : count % ARRAY_SIZE(log->entry);
6971
	if (count > ARRAY_SIZE(log->entry) || log->full)
6972
		count = ARRAY_SIZE(log->entry);
6973
	for (i = 0; i < count; i++) {
6974
		unsigned int index = cur++ % ARRAY_SIZE(log->entry);
6975

6976
		print_binder_transaction_log_entry(m, &log->entry[index]);
6977
	}
6978
	return 0;
6979
}
6980

6981
const struct file_operations binder_fops = {
6982
	.owner = THIS_MODULE,
6983
	.poll = binder_poll,
6984
	.unlocked_ioctl = binder_ioctl,
6985
	.compat_ioctl = compat_ptr_ioctl,
6986
	.mmap = binder_mmap,
6987
	.open = binder_open,
6988
	.flush = binder_flush,
6989
	.release = binder_release,
6990
};
6991

6992
DEFINE_SHOW_ATTRIBUTE(state);
6993
DEFINE_SHOW_ATTRIBUTE(state_hashed);
6994
DEFINE_SHOW_ATTRIBUTE(stats);
6995
DEFINE_SHOW_ATTRIBUTE(transactions);
6996
DEFINE_SHOW_ATTRIBUTE(transactions_hashed);
6997
DEFINE_SHOW_ATTRIBUTE(transaction_log);
6998

6999
const struct binder_debugfs_entry binder_debugfs_entries[] = {
7000
	{
7001
		.name = "state",
7002
		.mode = 0444,
7003
		.fops = &state_fops,
7004
		.data = NULL,
7005
	},
7006
	{
7007
		.name = "state_hashed",
7008
		.mode = 0444,
7009
		.fops = &state_hashed_fops,
7010
		.data = NULL,
7011
	},
7012
	{
7013
		.name = "stats",
7014
		.mode = 0444,
7015
		.fops = &stats_fops,
7016
		.data = NULL,
7017
	},
7018
	{
7019
		.name = "transactions",
7020
		.mode = 0444,
7021
		.fops = &transactions_fops,
7022
		.data = NULL,
7023
	},
7024
	{
7025
		.name = "transactions_hashed",
7026
		.mode = 0444,
7027
		.fops = &transactions_hashed_fops,
7028
		.data = NULL,
7029
	},
7030
	{
7031
		.name = "transaction_log",
7032
		.mode = 0444,
7033
		.fops = &transaction_log_fops,
7034
		.data = &binder_transaction_log,
7035
	},
7036
	{
7037
		.name = "failed_transaction_log",
7038
		.mode = 0444,
7039
		.fops = &transaction_log_fops,
7040
		.data = &binder_transaction_log_failed,
7041
	},
7042
	{} /* terminator */
7043
};
7044

7045
void binder_add_device(struct binder_device *device)
7046
{
7047
	guard(spinlock)(&binder_devices_lock);
7048
	hlist_add_head(&device->hlist, &binder_devices);
7049
}
7050

7051
void binder_remove_device(struct binder_device *device)
7052
{
7053
	guard(spinlock)(&binder_devices_lock);
7054
	hlist_del_init(&device->hlist);
7055
}
7056

7057
static int __init init_binder_device(const char *name)
7058
{
7059
	int ret;
7060
	struct binder_device *binder_device;
7061

7062
	binder_device = kzalloc(sizeof(*binder_device), GFP_KERNEL);
7063
	if (!binder_device)
7064
		return -ENOMEM;
7065

7066
	binder_device->miscdev.fops = &binder_fops;
7067
	binder_device->miscdev.minor = MISC_DYNAMIC_MINOR;
7068
	binder_device->miscdev.name = name;
7069

7070
	refcount_set(&binder_device->ref, 1);
7071
	binder_device->context.binder_context_mgr_uid = INVALID_UID;
7072
	binder_device->context.name = name;
7073
	mutex_init(&binder_device->context.context_mgr_node_lock);
7074

7075
	ret = misc_register(&binder_device->miscdev);
7076
	if (ret < 0) {
7077
		kfree(binder_device);
7078
		return ret;
7079
	}
7080

7081
	binder_add_device(binder_device);
7082

7083
	return ret;
7084
}
7085

7086
static int __init binder_init(void)
7087
{
7088
	int ret;
7089
	char *device_name, *device_tmp;
7090
	struct binder_device *device;
7091
	struct hlist_node *tmp;
7092
	char *device_names = NULL;
7093
	const struct binder_debugfs_entry *db_entry;
7094

7095
	ret = binder_alloc_shrinker_init();
7096
	if (ret)
7097
		return ret;
7098

7099
	atomic_set(&binder_transaction_log.cur, ~0U);
7100
	atomic_set(&binder_transaction_log_failed.cur, ~0U);
7101

7102
	binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL);
7103

7104
	binder_for_each_debugfs_entry(db_entry)
7105
		debugfs_create_file(db_entry->name,
7106
					db_entry->mode,
7107
					binder_debugfs_dir_entry_root,
7108
					db_entry->data,
7109
					db_entry->fops);
7110

7111
	binder_debugfs_dir_entry_proc = debugfs_create_dir("proc",
7112
						binder_debugfs_dir_entry_root);
7113

7114
	if (!IS_ENABLED(CONFIG_ANDROID_BINDERFS) &&
7115
	    strcmp(binder_devices_param, "") != 0) {
7116
		/*
7117
		* Copy the module_parameter string, because we don't want to
7118
		* tokenize it in-place.
7119
		 */
7120
		device_names = kstrdup(binder_devices_param, GFP_KERNEL);
7121
		if (!device_names) {
7122
			ret = -ENOMEM;
7123
			goto err_alloc_device_names_failed;
7124
		}
7125

7126
		device_tmp = device_names;
7127
		while ((device_name = strsep(&device_tmp, ","))) {
7128
			ret = init_binder_device(device_name);
7129
			if (ret)
7130
				goto err_init_binder_device_failed;
7131
		}
7132
	}
7133

7134
	ret = genl_register_family(&binder_nl_family);
7135
	if (ret)
7136
		goto err_init_binder_device_failed;
7137

7138
	ret = init_binderfs();
7139
	if (ret)
7140
		goto err_init_binderfs_failed;
7141

7142
	return ret;
7143

7144
err_init_binderfs_failed:
7145
	genl_unregister_family(&binder_nl_family);
7146

7147
err_init_binder_device_failed:
7148
	hlist_for_each_entry_safe(device, tmp, &binder_devices, hlist) {
7149
		misc_deregister(&device->miscdev);
7150
		binder_remove_device(device);
7151
		kfree(device);
7152
	}
7153

7154
	kfree(device_names);
7155

7156
err_alloc_device_names_failed:
7157
	debugfs_remove_recursive(binder_debugfs_dir_entry_root);
7158
	binder_alloc_shrinker_exit();
7159

7160
	return ret;
7161
}
7162

7163
device_initcall(binder_init);
7164

7165
#define CREATE_TRACE_POINTS
7166
#include "binder_trace.h"
7167

7168