Lines Matching defs:buffer
591 * @offset: offset in buffer data to this fixup
620 struct binder_buffer *buffer;
646 * @bbo: binder buffer pointer
1978 if (t->buffer)
1979 t->buffer->transaction = NULL;
1984 * t->buffer->transaction has already been cleared.
2059 if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) {
2071 * @proc: binder_proc owning the buffer
2072 * @u: sender's user pointer to base of buffer
2073 * @buffer: binder_buffer that we're parsing.
2074 * @offset: offset in the @buffer at which to validate an object.
2078 * provided then the copy is from the sender's buffer. If not, then
2079 * it is copied from the target's @buffer.
2087 struct binder_buffer *buffer,
2095 read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
2096 if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
2104 if (binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
2130 if (offset <= buffer->data_size - object_size &&
2131 buffer->data_size >= object_size)
2139 * @proc: binder_proc owning the buffer
2191 * @proc: binder_proc owning the buffer
2192 * @b: transaction buffer
2193 * @objects_start_offset: offset to start of objects buffer
2195 * @fixup_offset: start offset in @buffer to fix up
2199 * Return: %true if a fixup in buffer @buffer at offset @offset is
2202 * For safety reasons, we only allow fixups inside a buffer to happen
2204 * buffer object that was verified, or one of its parents.
2332 struct binder_buffer *buffer,
2336 int debug_id = buffer->debug_id;
2340 "%d buffer release %d, size %zd-%zd, failed at %llx\n",
2341 proc->pid, buffer->debug_id,
2342 buffer->data_size, buffer->offsets_size,
2345 if (buffer->target_node)
2346 binder_dec_node(buffer->target_node, 1, 0);
2348 off_start_offset = ALIGN(buffer->data_size, sizeof(void *));
2358 buffer, buffer_offset,
2360 object_size = binder_get_object(proc, NULL, buffer,
2364 debug_id, (u64)object_offset, buffer->data_size);
2422 * transaction buffer gets freed
2445 parent = binder_validate_ptr(proc, buffer, &ptr_object,
2464 pr_err("transaction release %d not enough space for %lld fds in buffer\n",
2470 * to user-space and the @buffer element is the user
2473 * the base of the transaction buffer.
2476 (parent->buffer - (uintptr_t)buffer->user_data) +
2486 &proc->alloc, &fd, buffer,
2509 /* Clean up all the objects in the buffer */
2512 struct binder_buffer *buffer,
2517 off_end_offset = ALIGN(buffer->data_size, sizeof(void *));
2518 off_end_offset += buffer->offsets_size;
2520 binder_transaction_buffer_release(proc, thread, buffer,
2665 target_allows_fd = t->buffer->target_node->accept_fds;
2714 * struct binder_ptr_fixup - data to be fixed-up in target buffer
2715 * @offset offset in target buffer to fixup
2735 * @offset offset in target buffer
2736 * @sender_uaddr user address in source buffer
2755 * @alloc: binder_alloc associated with @buffer
2756 * @buffer: binder buffer in target process
2762 * buffer to the target's buffer. It is expected that the list creation
2769 struct binder_buffer *buffer,
2795 alloc, buffer,
2815 alloc, buffer,
2865 * binder_defer_copy() - queue a scatter-gather buffer for copy
2867 * @offset: binder buffer offset in target process
2874 * from the source are never visible in the target buffer.
2907 * @offset: binder buffer offset in target process
2913 * data from the source buffer. For BINDER_TYPE_FDA fixups, the fixup
2983 binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
2989 * to user-space and the @buffer element is the user
2992 * the base of the transaction buffer.
2994 fda_offset = (parent->buffer - (uintptr_t)t->buffer->user_data) +
2996 sender_ufda_base = (void __user *)(uintptr_t)sender_uparent->buffer +
3034 struct binder_buffer *b = t->buffer;
3057 binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
3070 (uintptr_t)parent->buffer - (uintptr_t)b->user_data;
3071 return binder_add_fixup(pf_head, buffer_offset, bp->buffer, 0);
3095 struct binder_node *node = t->buffer->target_node;
3209 (uintptr_t)tr->data.ptr.buffer;
3435 (u64)tr->data.ptr.buffer,
3444 (u64)tr->data.ptr.buffer,
3498 t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
3501 if (IS_ERR(t->buffer)) {
3505 return_error_param = PTR_ERR(t->buffer);
3509 t->buffer = NULL;
3519 t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
3521 t->buffer, buf_offset,
3530 t->buffer->debug_id = t->debug_id;
3531 t->buffer->transaction = t;
3532 t->buffer->target_node = target_node;
3533 t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);
3534 trace_binder_transaction_alloc_buf(t->buffer);
3538 t->buffer,
3584 t->buffer,
3594 * Copy the source user buffer up to the next object
3602 t->buffer, user_offset,
3613 t->buffer, object_offset, &object);
3619 (u64)t->buffer->data_size);
3626 * Set offset to the next buffer fragment to be
3643 t->buffer,
3660 t->buffer,
3680 t->buffer,
3699 binder_validate_ptr(target_proc, t->buffer,
3712 if (!binder_validate_fixup(target_proc, t->buffer,
3718 binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
3730 binder_get_object(proc, user_buffer, t->buffer,
3748 t->buffer,
3768 binder_user_error("%d:%d got transaction with too large buffer\n",
3776 (const void __user *)(uintptr_t)bp->buffer,
3784 /* Fixup buffer pointer to target proc address space */
3785 bp->buffer = (uintptr_t)
3786 t->buffer->user_data + sg_buf_offset;
3799 t->buffer,
3819 /* Done processing objects, copy the rest of the buffer */
3822 t->buffer, user_offset,
3833 ret = binder_do_deferred_txn_copies(&target_proc->alloc, t->buffer,
3853 BUG_ON(t->buffer->async_transaction != 0);
3863 BUG_ON(t->buffer->async_transaction != 0);
3888 BUG_ON(t->buffer->async_transaction != 1);
3920 trace_binder_transaction_failed_buffer_release(t->buffer);
3921 binder_transaction_buffer_release(target_proc, NULL, t->buffer,
3926 t->buffer->transaction = NULL;
3927 binder_alloc_free_buf(&target_proc->alloc, t->buffer);
3988 * binder_free_buf() - free the specified buffer
3989 * @proc: binder proc that owns buffer
3990 * @buffer: buffer to be freed
3993 * If buffer for an async transaction, enqueue the next async
3996 * Cleanup buffer and free it.
4001 struct binder_buffer *buffer, bool is_failure)
4004 if (buffer->transaction) {
4005 buffer->transaction->buffer = NULL;
4006 buffer->transaction = NULL;
4009 if (buffer->async_transaction && buffer->target_node) {
4013 buf_node = buffer->target_node;
4028 trace_binder_transaction_buffer_release(buffer);
4029 binder_release_entire_buffer(proc, thread, buffer, is_failure);
4030 binder_alloc_free_buf(&proc->alloc, buffer);
4040 void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
4041 void __user *ptr = buffer + *consumed;
4042 void __user *end = buffer + size;
4203 struct binder_buffer *buffer;
4209 buffer = binder_alloc_prepare_to_free(&proc->alloc,
4211 if (IS_ERR_OR_NULL(buffer)) {
4212 if (PTR_ERR(buffer) == -EPERM) {
4214 "%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
4226 "%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n",
4228 buffer->debug_id,
4229 buffer->transaction ? "active" : "finished");
4230 binder_free_buf(proc, thread, buffer, false);
4474 *consumed = ptr - buffer;
4555 * @proc: binder_proc associated @t->buffer
4560 * list of fds to translate and fixup the buffer with the
4589 if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
4604 t->buffer,
4623 void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
4624 void __user *ptr = buffer + *consumed;
4625 void __user *end = buffer + size;
4689 if (ptr - buffer == 4 && !thread->looper_need_return)
4873 BUG_ON(t->buffer == NULL);
4874 if (t->buffer->target_node) {
4875 struct binder_node *target_node = t->buffer->target_node;
4919 struct binder_buffer *buffer = t->buffer;
4925 buffer->transaction = NULL;
4928 binder_free_buf(proc, thread, buffer, true);
4945 trd->data_size = t->buffer->data_size;
4946 trd->offsets_size = t->buffer->offsets_size;
4947 trd->data.ptr.buffer = (uintptr_t)t->buffer->user_data;
4948 trd->data.ptr.offsets = trd->data.ptr.buffer +
4949 ALIGN(t->buffer->data_size,
4988 t->buffer->data_size, t->buffer->offsets_size,
4989 (u64)trd->data.ptr.buffer,
4994 t->buffer->allow_user_free = 1;
5015 *consumed = ptr - buffer;
5028 if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer))
5224 if (t->buffer) {
5225 t->buffer->transaction = NULL;
5226 t->buffer = NULL;
6075 struct binder_buffer *buffer = t->buffer;
6091 * Can only safely deref buffer if we are holding the
6098 if (buffer == NULL) {
6099 seq_puts(m, " buffer free\n");
6102 if (buffer->target_node)
6103 seq_printf(m, " node %d", buffer->target_node->debug_id);
6105 buffer->data_size, buffer->offsets_size,
6106 buffer->user_data);