Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/drivers/android/binder/freeze.rs
29519 views
1
// SPDX-License-Identifier: GPL-2.0

2


3
// Copyright (C) 2025 Google LLC.

4


5
use kernel::{

6
    alloc::AllocError,

7
    list::ListArc,

8
    prelude::*,

9
    rbtree::{self, RBTreeNodeReservation},

10
    seq_file::SeqFile,

11
    seq_print,

12
    sync::{Arc, UniqueArc},

13
    uaccess::UserSliceReader,

14
};

15


16
use crate::{

17
    defs::*, node::Node, process::Process, thread::Thread, BinderReturnWriter, DArc, DLArc,

18
    DTRWrap, DeliverToRead,

19
};

20


21
#[derive(Clone, Copy, Eq, PartialEq, Ord, PartialOrd)]

22
pub(crate) struct FreezeCookie(u64);

23


24
/// Represents a listener for changes to the frozen state of a process.

25
pub(crate) struct FreezeListener {

26
    /// The node we are listening for.

27
    pub(crate) node: DArc<Node>,

28
    /// The cookie of this freeze listener.

29
    cookie: FreezeCookie,

30
    /// What value of `is_frozen` did we most recently tell userspace about?

31
    last_is_frozen: Option<bool>,

32
    /// We sent a `BR_FROZEN_BINDER` and we are waiting for `BC_FREEZE_NOTIFICATION_DONE` before

33
    /// sending any other commands.

34
    is_pending: bool,

35
    /// Userspace sent `BC_CLEAR_FREEZE_NOTIFICATION` and we need to reply with

36
    /// `BR_CLEAR_FREEZE_NOTIFICATION_DONE` as soon as possible. If `is_pending` is set, then we

37
    /// must wait for it to be unset before we can reply.

38
    is_clearing: bool,

39
    /// Number of cleared duplicates that can't be deleted until userspace sends

40
    /// `BC_FREEZE_NOTIFICATION_DONE`.

41
    num_pending_duplicates: u64,

42
    /// Number of cleared duplicates that can be deleted.

43
    num_cleared_duplicates: u64,

44
}

45


46
impl FreezeListener {

47
    /// Is it okay to create a new listener with the same cookie as this one for the provided node?

48
    ///

49
    /// Under some scenarios, userspace may delete a freeze listener and immediately recreate it

50
    /// with the same cookie. This results in duplicate listeners. To avoid issues with ambiguity,

51
    /// we allow this only if the new listener is for the same node, and we also require that the

52
    /// old listener has already been cleared.

53
    fn allow_duplicate(&self, node: &DArc<Node>) -> bool {

54
        Arc::ptr_eq(&self.node, node) && self.is_clearing

55
    }

56
}

57


58
type UninitFM = UniqueArc<core::mem::MaybeUninit<DTRWrap<FreezeMessage>>>;

59


60
/// Represents a notification that the freeze state has changed.

61
pub(crate) struct FreezeMessage {

62
    cookie: FreezeCookie,

63
}

64


65
kernel::list::impl_list_arc_safe! {

66
    impl ListArcSafe<0> for FreezeMessage {

67
        untracked;

68
    }

69
}

70


71
impl FreezeMessage {

72
    fn new(flags: kernel::alloc::Flags) -> Result<UninitFM, AllocError> {

73
        UniqueArc::new_uninit(flags)

74
    }

75


76
    fn init(ua: UninitFM, cookie: FreezeCookie) -> DLArc<FreezeMessage> {

77
        match ua.pin_init_with(DTRWrap::new(FreezeMessage { cookie })) {

78
            Ok(msg) => ListArc::from(msg),

79
            Err(err) => match err {},

80
        }

81
    }

82
}

83


84
impl DeliverToRead for FreezeMessage {

85
    fn do_work(

86
        self: DArc<Self>,

87
        thread: &Thread,

88
        writer: &mut BinderReturnWriter<'_>,

89
    ) -> Result<bool> {

90
        let _removed_listener;

91
        let mut node_refs = thread.process.node_refs.lock();

92
        let Some(mut freeze_entry) = node_refs.freeze_listeners.find_mut(&self.cookie) else {

93
            return Ok(true);

94
        };

95
        let freeze = freeze_entry.get_mut();

96


97
        if freeze.num_cleared_duplicates > 0 {

98
            freeze.num_cleared_duplicates -= 1;

99
            drop(node_refs);

100
            writer.write_code(BR_CLEAR_FREEZE_NOTIFICATION_DONE)?;

101
            writer.write_payload(&self.cookie.0)?;

102
            return Ok(true);

103
        }

104


105
        if freeze.is_pending {

106
            return Ok(true);

107
        }

108
        if freeze.is_clearing {

109
            _removed_listener = freeze_entry.remove_node();

110
            drop(node_refs);

111
            writer.write_code(BR_CLEAR_FREEZE_NOTIFICATION_DONE)?;

112
            writer.write_payload(&self.cookie.0)?;

113
            Ok(true)

114
        } else {

115
            let is_frozen = freeze.node.owner.inner.lock().is_frozen;

116
            if freeze.last_is_frozen == Some(is_frozen) {

117
                return Ok(true);

118
            }

119


120
            let mut state_info = BinderFrozenStateInfo::default();

121
            state_info.is_frozen = is_frozen as u32;

122
            state_info.cookie = freeze.cookie.0;

123
            freeze.is_pending = true;

124
            freeze.last_is_frozen = Some(is_frozen);

125
            drop(node_refs);

126


127
            writer.write_code(BR_FROZEN_BINDER)?;

128
            writer.write_payload(&state_info)?;

129
            // BR_FROZEN_BINDER notifications can cause transactions

130
            Ok(false)

131
        }

132
    }

133


134
    fn cancel(self: DArc<Self>) {}

135


136
    fn should_sync_wakeup(&self) -> bool {

137
        false

138
    }

139


140
    #[inline(never)]

141
    fn debug_print(&self, m: &SeqFile, prefix: &str, _tprefix: &str) -> Result<()> {

142
        seq_print!(m, "{}has frozen binder\n", prefix);

143
        Ok(())

144
    }

145
}

146


147
impl FreezeListener {

148
    pub(crate) fn on_process_exit(&self, proc: &Arc<Process>) {

149
        if !self.is_clearing {

150
            self.node.remove_freeze_listener(proc);

151
        }

152
    }

153
}

154


155
impl Process {

156
    pub(crate) fn request_freeze_notif(

157
        self: &Arc<Self>,

158
        reader: &mut UserSliceReader,

159
    ) -> Result<()> {

160
        let hc = reader.read::<BinderHandleCookie>()?;

161
        let handle = hc.handle;

162
        let cookie = FreezeCookie(hc.cookie);

163


164
        let msg = FreezeMessage::new(GFP_KERNEL)?;

165
        let alloc = RBTreeNodeReservation::new(GFP_KERNEL)?;

166


167
        let mut node_refs_guard = self.node_refs.lock();

168
        let node_refs = &mut *node_refs_guard;

169
        let Some(info) = node_refs.by_handle.get_mut(&handle) else {

170
            pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION invalid ref {}\n", handle);

171
            return Err(EINVAL);

172
        };

173
        if info.freeze().is_some() {

174
            pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION already set\n");

175
            return Err(EINVAL);

176
        }

177
        let node_ref = info.node_ref();

178
        let freeze_entry = node_refs.freeze_listeners.entry(cookie);

179


180
        if let rbtree::Entry::Occupied(ref dupe) = freeze_entry {

181
            if !dupe.get().allow_duplicate(&node_ref.node) {

182
                pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION duplicate cookie\n");

183
                return Err(EINVAL);

184
            }

185
        }

186


187
        // All failure paths must come before this call, and all modifications must come after this

188
        // call.

189
        node_ref.node.add_freeze_listener(self, GFP_KERNEL)?;

190


191
        match freeze_entry {

192
            rbtree::Entry::Vacant(entry) => {

193
                entry.insert(

194
                    FreezeListener {

195
                        cookie,

196
                        node: node_ref.node.clone(),

197
                        last_is_frozen: None,

198
                        is_pending: false,

199
                        is_clearing: false,

200
                        num_pending_duplicates: 0,

201
                        num_cleared_duplicates: 0,

202
                    },

203
                    alloc,

204
                );

205
            }

206
            rbtree::Entry::Occupied(mut dupe) => {

207
                let dupe = dupe.get_mut();

208
                if dupe.is_pending {

209
                    dupe.num_pending_duplicates += 1;

210
                } else {

211
                    dupe.num_cleared_duplicates += 1;

212
                }

213
                dupe.last_is_frozen = None;

214
                dupe.is_pending = false;

215
                dupe.is_clearing = false;

216
            }

217
        }

218


219
        *info.freeze() = Some(cookie);

220
        let msg = FreezeMessage::init(msg, cookie);

221
        drop(node_refs_guard);

222
        let _ = self.push_work(msg);

223
        Ok(())

224
    }

225


226
    pub(crate) fn freeze_notif_done(self: &Arc<Self>, reader: &mut UserSliceReader) -> Result<()> {

227
        let cookie = FreezeCookie(reader.read()?);

228
        let alloc = FreezeMessage::new(GFP_KERNEL)?;

229
        let mut node_refs_guard = self.node_refs.lock();

230
        let node_refs = &mut *node_refs_guard;

231
        let Some(freeze) = node_refs.freeze_listeners.get_mut(&cookie) else {

232
            pr_warn!("BC_FREEZE_NOTIFICATION_DONE {:016x} not found\n", cookie.0);

233
            return Err(EINVAL);

234
        };

235
        let mut clear_msg = None;

236
        if freeze.num_pending_duplicates > 0 {

237
            clear_msg = Some(FreezeMessage::init(alloc, cookie));

238
            freeze.num_pending_duplicates -= 1;

239
            freeze.num_cleared_duplicates += 1;

240
        } else {

241
            if !freeze.is_pending {

242
                pr_warn!(

243
                    "BC_FREEZE_NOTIFICATION_DONE {:016x} not pending\n",

244
                    cookie.0

245
                );

246
                return Err(EINVAL);

247
            }

248
            if freeze.is_clearing {

249
                // Immediately send another FreezeMessage for BR_CLEAR_FREEZE_NOTIFICATION_DONE.

250
                clear_msg = Some(FreezeMessage::init(alloc, cookie));

251
            }

252
            freeze.is_pending = false;

253
        }

254
        drop(node_refs_guard);

255
        if let Some(clear_msg) = clear_msg {

256
            let _ = self.push_work(clear_msg);

257
        }

258
        Ok(())

259
    }

260


261
    pub(crate) fn clear_freeze_notif(self: &Arc<Self>, reader: &mut UserSliceReader) -> Result<()> {

262
        let hc = reader.read::<BinderHandleCookie>()?;

263
        let handle = hc.handle;

264
        let cookie = FreezeCookie(hc.cookie);

265


266
        let alloc = FreezeMessage::new(GFP_KERNEL)?;

267
        let mut node_refs_guard = self.node_refs.lock();

268
        let node_refs = &mut *node_refs_guard;

269
        let Some(info) = node_refs.by_handle.get_mut(&handle) else {

270
            pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION invalid ref {}\n", handle);

271
            return Err(EINVAL);

272
        };

273
        let Some(info_cookie) = info.freeze() else {

274
            pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION freeze notification not active\n");

275
            return Err(EINVAL);

276
        };

277
        if *info_cookie != cookie {

278
            pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION freeze notification cookie mismatch\n");

279
            return Err(EINVAL);

280
        }

281
        let Some(listener) = node_refs.freeze_listeners.get_mut(&cookie) else {

282
            pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION invalid cookie {}\n", handle);

283
            return Err(EINVAL);

284
        };

285
        listener.is_clearing = true;

286
        listener.node.remove_freeze_listener(self);

287
        *info.freeze() = None;

288
        let mut msg = None;

289
        if !listener.is_pending {

290
            msg = Some(FreezeMessage::init(alloc, cookie));

291
        }

292
        drop(node_refs_guard);

293


294
        if let Some(msg) = msg {

295
            let _ = self.push_work(msg);

296
        }

297
        Ok(())

298
    }

299


300
    fn get_freeze_cookie(&self, node: &DArc<Node>) -> Option<FreezeCookie> {

301
        let node_refs = &mut *self.node_refs.lock();

302
        let handle = node_refs.by_node.get(&node.global_id())?;

303
        let node_ref = node_refs.by_handle.get_mut(handle)?;

304
        *node_ref.freeze()

305
    }

306


307
    /// Creates a vector of every freeze listener on this process.

308
    ///

309
    /// Returns pairs of the remote process listening for notifications and the local node it is

310
    /// listening on.

311
    #[expect(clippy::type_complexity)]

312
    fn find_freeze_recipients(&self) -> Result<KVVec<(DArc<Node>, Arc<Process>)>, AllocError> {

313
        // Defined before `inner` to drop after releasing spinlock if `push_within_capacity` fails.

314
        let mut node_proc_pair;

315


316
        // We pre-allocate space for up to 8 recipients before we take the spinlock. However, if

317
        // the allocation fails, use a vector with a capacity of zero instead of failing. After

318
        // all, there might not be any freeze listeners, in which case this operation could still

319
        // succeed.

320
        let mut recipients =

321
            KVVec::with_capacity(8, GFP_KERNEL).unwrap_or_else(|_err| KVVec::new());

322


323
        let mut inner = self.lock_with_nodes();

324
        let mut curr = inner.nodes.cursor_front();

325
        while let Some(cursor) = curr {

326
            let (key, node) = cursor.current();

327
            let key = *key;

328
            let list = node.freeze_list(&inner.inner);

329
            let len = list.len();

330


331
            if recipients.spare_capacity_mut().len() < len {

332
                drop(inner);

333
                recipients.reserve(len, GFP_KERNEL)?;

334
                inner = self.lock_with_nodes();

335
                // Find the node we were looking at and try again. If the set of nodes was changed,

336
                // then just proceed to the next node. This is ok because we don't guarantee the

337
                // inclusion of nodes that are added or removed in parallel with this operation.

338
                curr = inner.nodes.cursor_lower_bound(&key);

339
                continue;

340
            }

341


342
            for proc in list {

343
                node_proc_pair = (node.clone(), proc.clone());

344
                recipients

345
                    .push_within_capacity(node_proc_pair)

346
                    .map_err(|_| {

347
                        pr_err!(

348
                            "push_within_capacity failed even though we checked the capacity\n"

349
                        );

350
                        AllocError

351
                    })?;

352
            }

353


354
            curr = cursor.move_next();

355
        }

356
        Ok(recipients)

357
    }

358


359
    /// Prepare allocations for sending freeze messages.

360
    pub(crate) fn prepare_freeze_messages(&self) -> Result<FreezeMessages, AllocError> {

361
        let recipients = self.find_freeze_recipients()?;

362
        let mut batch = KVVec::with_capacity(recipients.len(), GFP_KERNEL)?;

363
        for (node, proc) in recipients {

364
            let Some(cookie) = proc.get_freeze_cookie(&node) else {

365
                // If the freeze listener was removed in the meantime, just discard the

366
                // notification.

367
                continue;

368
            };

369
            let msg_alloc = FreezeMessage::new(GFP_KERNEL)?;

370
            let msg = FreezeMessage::init(msg_alloc, cookie);

371
            batch.push((proc, msg), GFP_KERNEL)?;

372
        }

373


374
        Ok(FreezeMessages { batch })

375
    }

376
}

377


378
pub(crate) struct FreezeMessages {

379
    batch: KVVec<(Arc<Process>, DLArc<FreezeMessage>)>,

380
}

381


382
impl FreezeMessages {

383
    pub(crate) fn send_messages(self) {

384
        for (proc, msg) in self.batch {

385
            let _ = proc.push_work(msg);

386
        }

387
    }

388
}

389


390