// SPDX-License-Identifier: GPL-2.0-only
/* binder_alloc.c
 *
 * Android IPC Subsystem
 *
 * Copyright (C) 2007-2017 Google, Inc.
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/list.h>
#include <linux/sched/mm.h>
#include <linux/module.h>
#include <linux/rtmutex.h>
#include <linux/rbtree.h>
#include <linux/seq_file.h>
#include <linux/vmalloc.h>
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/list_lru.h>
#include <linux/ratelimit.h>
#include <asm/cacheflush.h>
#include <linux/uaccess.h>
#include <linux/highmem.h>
#include <linux/sizes.h>
#include "binder_alloc.h"
#include "binder_trace.h"

/*
 * LRU of pages that are still allocated and mapped but no longer back any
 * allocated buffer. binder_update_page_range() adds pages here when a range
 * is freed and pulls them back off when the range is reused (non-static;
 * presumably consumed by a shrinker elsewhere in the file - not visible here).
 */
struct list_lru binder_alloc_lru;

/* Not referenced in this part of the file. */
static DEFINE_MUTEX(binder_alloc_mmap_lock);

/* Bits of binder_alloc_debug_mask, settable via the debug_mask module param. */
enum {
	BINDER_DEBUG_USER_ERROR             = 1U << 0,
	BINDER_DEBUG_OPEN_CLOSE             = 1U << 1,
	BINDER_DEBUG_BUFFER_ALLOC           = 1U << 2,
	BINDER_DEBUG_BUFFER_ALLOC_ASYNC     = 1U << 3,
};
static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;

module_param_named(debug_mask, binder_alloc_debug_mask,
		   uint, 0644);

/*
 * Rate-limited pr_info() emitted only when @mask is enabled in
 * binder_alloc_debug_mask; @x... is a printf-style argument list.
 */
#define binder_alloc_debug(mask, x...) \
	do { \
		if (binder_alloc_debug_mask & mask) \
			pr_info_ratelimited(x); \
	} while (0)

/* Buffer that follows @buffer in alloc->buffers; callers check list_is_last() first. */
static struct binder_buffer *binder_buffer_next(struct binder_buffer *buffer)
{
	return list_entry(buffer->entry.next, struct binder_buffer, entry);
}

/* Buffer that precedes @buffer in alloc->buffers; callers check it is not the head first. */
static struct binder_buffer *binder_buffer_prev(struct binder_buffer *buffer)
{
	return list_entry(buffer->entry.prev, struct binder_buffer, entry);
}

/**
 * binder_alloc_buffer_size() - extent of @buffer within the mapped area
 * @alloc:	binder_alloc for this proc
 * @buffer:	buffer to measure
 *
 * Buffers carry no explicit length: a buffer runs from its user_data to the
 * user_data of the next buffer in alloc->buffers, or to the end of the mapped
 * area (alloc->buffer + alloc->buffer_size) for the last one.
 *
 * Return: size of @buffer in bytes
 */
static size_t binder_alloc_buffer_size(struct binder_alloc *alloc,
				       struct binder_buffer *buffer)
{
	if (list_is_last(&buffer->entry, &alloc->buffers))
		return alloc->buffer + alloc->buffer_size - buffer->user_data;
	return binder_buffer_next(buffer)->user_data - buffer->user_data;
}

/**
 * binder_insert_free_buffer() - link @new_buffer into the free-buffer tree
 * @alloc:	binder_alloc for this proc
 * @new_buffer:	buffer already marked free and already in alloc->buffers
 *
 * alloc->free_buffers is ordered by buffer size (as computed by
 * binder_alloc_buffer_size()); equal sizes descend to the right, so
 * duplicates are allowed. Only called from the *_locked paths in this file.
 */
static void binder_insert_free_buffer(struct binder_alloc *alloc,
				      struct binder_buffer *new_buffer)
{
	struct rb_node **p = &alloc->free_buffers.rb_node;
	struct rb_node *parent = NULL;
	struct binder_buffer *buffer;
	size_t buffer_size;
	size_t new_buffer_size;

	BUG_ON(!new_buffer->free);

	new_buffer_size = binder_alloc_buffer_size(alloc, new_buffer);

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
		     "%d: add free buffer, size %zd, at %pK\n",
		      alloc->pid, new_buffer_size, new_buffer);

	while (*p) {
		parent = *p;
		buffer = rb_entry(parent, struct binder_buffer, rb_node);
		BUG_ON(!buffer->free);

		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		if (new_buffer_size < buffer_size)
			p = &parent->rb_left;
		else
			p = &parent->rb_right;
	}
	rb_link_node(&new_buffer->rb_node, parent, p);
	rb_insert_color(&new_buffer->rb_node, &alloc->free_buffers);
}

/**
 * binder_insert_allocated_buffer_locked() - link @new_buffer into the allocated tree
 * @alloc:	binder_alloc for this proc
 * @new_buffer:	buffer with free cleared
 *
 * alloc->allocated_buffers is keyed on user_data, which must be unique: two
 * allocated buffers at the same user address is treated as a fatal invariant
 * violation (BUG()). This tree is what binder_alloc_prepare_to_free_locked()
 * searches when userspace hands back a pointer.
 */
static void binder_insert_allocated_buffer_locked(
		struct binder_alloc *alloc, struct binder_buffer *new_buffer)
{
	struct rb_node **p = &alloc->allocated_buffers.rb_node;
	struct rb_node *parent = NULL;
	struct binder_buffer *buffer;

	BUG_ON(new_buffer->free);

	while (*p) {
		parent = *p;
		buffer = rb_entry(parent, struct binder_buffer, rb_node);
		BUG_ON(buffer->free);

		if (new_buffer->user_data < buffer->user_data)
			p = &parent->rb_left;
		else if (new_buffer->user_data > buffer->user_data)
			p = &parent->rb_right;
		else
			BUG();
	}
	rb_link_node(&new_buffer->rb_node, parent, p);
	rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers);
}

/**
 * binder_alloc_prepare_to_free_locked() - look up an allocated buffer by user pointer
 * @alloc:	binder_alloc for this proc
 * @user_ptr:	user address supplied by the caller; must match a buffer's
 *		user_data exactly, interior pointers do not match
 *
 * Walks alloc->allocated_buffers by user_data. On a hit the buffer is only
 * handed back if allow_user_free is set, and the flag is cleared in the same
 * step so a second request for the same buffer is refused until it is
 * re-armed elsewhere.
 *
 * Return: the buffer, NULL if no allocated buffer starts at @user_ptr, or
 * %ERR_PTR(-EPERM) if the buffer exists but may not be freed from userspace
 * right now.
 */
static struct binder_buffer *binder_alloc_prepare_to_free_locked(
		struct binder_alloc *alloc,
		uintptr_t user_ptr)
{
	struct rb_node *n = alloc->allocated_buffers.rb_node;
	struct binder_buffer *buffer;
	void __user *uptr;

	uptr = (void __user *)user_ptr;

	while (n) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		BUG_ON(buffer->free);

		if (uptr < buffer->user_data)
			n = n->rb_left;
		else if (uptr > buffer->user_data)
			n = n->rb_right;
		else {
			/*
			 * Guard against user threads attempting to
			 * free the buffer when in use by kernel or
			 * after it's already been freed.
			 */
			if (!buffer->allow_user_free)
				return ERR_PTR(-EPERM);
			buffer->allow_user_free = 0;
			return buffer;
		}
	}
	return NULL;
}

/**
 * binder_alloc_prepare_to_free() - get buffer given user ptr
 * @alloc:	binder_alloc for this proc
 * @user_ptr:	User pointer to buffer data
 *
 * Validate userspace pointer to buffer data and return buffer corresponding to
 * that user pointer. Search the rb tree for buffer that matches user data
 * pointer. Takes alloc->mutex around the lookup.
 *
 * Return: Pointer to buffer, NULL if no buffer matches, or %ERR_PTR(-EPERM)
 * if the matching buffer is not currently freeable by userspace.
 */
struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc,
						   uintptr_t user_ptr)
{
	struct binder_buffer *buffer;

	mutex_lock(&alloc->mutex);
	buffer = binder_alloc_prepare_to_free_locked(alloc, user_ptr);
	mutex_unlock(&alloc->mutex);
	return buffer;
}

/**
 * binder_update_page_range() - make a user range resident, or give it up
 * @alloc:	binder_alloc for this proc
 * @allocate:	non-zero to back [@start, @end) with pages, zero to release it
 * @start:	first user address of the range (inclusive)
 * @end:	end of the range (exclusive)
 *
 * The range is walked in PAGE_SIZE steps relative to alloc->buffer; callers
 * in this file pass PAGE_ALIGN()/PAGE_MASK values, so both ends are expected
 * to be page aligned. An empty or inverted range is a no-op.
 *
 * Allocating: a page that already has page_ptr is just taken off
 * binder_alloc_lru. Otherwise a zeroed page is allocated and inserted into
 * the vma. The mm reference and mmap write lock are only taken when at
 * least one page in the range has no backing page yet; alloc->vma is read
 * directly under that lock here (not through binder_alloc_get_vma()).
 *
 * Freeing: every page in the range is put on binder_alloc_lru, walking from
 * the last page down to @start. The page stays allocated and mapped.
 *
 * Return: 0 on success. On failure the error labels sit inside the
 * free_range loop, so the pages this call had already handled (those below
 * the failing one) are pushed back onto the LRU before returning -ENOMEM;
 * -ESRCH is returned when no vma was available (no mm or alloc->vma NULL).
 */
static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
				    void __user *start, void __user *end)
{
	void __user *page_addr;
	unsigned long user_page_addr;
	struct binder_lru_page *page;
	struct vm_area_struct *vma = NULL;
	struct mm_struct *mm = NULL;
	bool need_mm = false;

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
		     "%d: %s pages %pK-%pK\n", alloc->pid,
		     allocate ? "allocate" : "free", start, end);

	if (end <= start)
		return 0;

	trace_binder_update_page_range(alloc, allocate, start, end);

	if (allocate == 0)
		goto free_range;

	/* Only pay for mmget/mmap_write_lock if some page is not backed yet. */
	for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
		page = &alloc->pages[(page_addr - alloc->buffer) / PAGE_SIZE];
		if (!page->page_ptr) {
			need_mm = true;
			break;
		}
	}

	if (need_mm && mmget_not_zero(alloc->mm))
		mm = alloc->mm;

	if (mm) {
		mmap_write_lock(mm);
		vma = alloc->vma;
	}

	if (!vma && need_mm) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf failed to map pages in userspace, no vma\n",
				   alloc->pid);
		goto err_no_vma;
	}

	for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
		int ret;
		bool on_lru;
		size_t index;

		index = (page_addr - alloc->buffer) / PAGE_SIZE;
		page = &alloc->pages[index];

		/* Already mapped: reclaim it from the LRU and keep going. */
		if (page->page_ptr) {
			trace_binder_alloc_lru_start(alloc, index);

			on_lru = list_lru_del(&binder_alloc_lru, &page->lru);
			WARN_ON(!on_lru);

			trace_binder_alloc_lru_end(alloc, index);
			continue;
		}

		/* need_mm was set for this page, so vma must have been found above. */
		if (WARN_ON(!vma))
			goto err_page_ptr_cleared;

		trace_binder_alloc_page_start(alloc, index);
		page->page_ptr = alloc_page(GFP_KERNEL |
					    __GFP_HIGHMEM |
					    __GFP_ZERO);
		if (!page->page_ptr) {
			pr_err("%d: binder_alloc_buf failed for page at %pK\n",
				alloc->pid, page_addr);
			goto err_alloc_page_failed;
		}
		page->alloc = alloc;
		INIT_LIST_HEAD(&page->lru);

		user_page_addr = (uintptr_t)page_addr;
		/* page[0].page_ptr is the same object as page->page_ptr. */
		ret = vm_insert_page(vma, user_page_addr, page[0].page_ptr);
		if (ret) {
			pr_err("%d: binder_alloc_buf failed to map page at %lx in userspace\n",
			       alloc->pid, user_page_addr);
			goto err_vm_insert_page_failed;
		}

		/* High-water mark of page indices ever backed for this alloc. */
		if (index + 1 > alloc->pages_high)
			alloc->pages_high = index + 1;

		trace_binder_alloc_page_end(alloc, index);
	}
	if (mm) {
		mmap_write_unlock(mm);
		mmput_async(mm);
	}
	return 0;

free_range:
	/*
	 * Walks downward from the last page. The error labels below are
	 * inside this loop on purpose: after a failure at page_addr, the
	 * loop continues with the preceding pages and returns them to the LRU.
	 */
	for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) {
		bool ret;
		size_t index;

		index = (page_addr - alloc->buffer) / PAGE_SIZE;
		page = &alloc->pages[index];

		trace_binder_free_lru_start(alloc, index);

		ret = list_lru_add(&binder_alloc_lru, &page->lru);
		WARN_ON(!ret);

		trace_binder_free_lru_end(alloc, index);
		if (page_addr == start)
			break;
		continue;

err_vm_insert_page_failed:
		__free_page(page->page_ptr);
		page->page_ptr = NULL;
err_alloc_page_failed:
err_page_ptr_cleared:
		if (page_addr == start)
			break;
	}
err_no_vma:
	if (mm) {
		mmap_write_unlock(mm);
		mmput_async(mm);
	}
	return vma ? -ENOMEM : -ESRCH;
}

/* Publish @vma for lock-free readers of alloc->vma (see binder_alloc_get_vma()). */
static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
		struct vm_area_struct *vma)
{
	/* pairs with smp_load_acquire in binder_alloc_get_vma() */
	smp_store_release(&alloc->vma, vma);
}

/*
 * Lock-free read of alloc->vma. Used by binder_alloc_new_buf_locked() as
 * the "is this alloc initialized" check; binder_update_page_range() instead
 * reads alloc->vma directly under the mmap write lock.
 */
static inline struct vm_area_struct *binder_alloc_get_vma(
		struct binder_alloc *alloc)
{
	/* pairs with smp_store_release in binder_alloc_set_vma() */
	return smp_load_acquire(&alloc->vma);
}

/**
 * debug_low_async_space_locked() - flag a pid that is hogging async space
 * @alloc:	binder_alloc for this proc
 * @pid:	pid whose outstanding async buffers are summed
 *
 * Sums the sizes of allocated async buffers attributed to @pid. Logs once
 * the count or total crosses the threshold below. alloc->oneway_spam_detected
 * acts as a latch: the function returns true only on the first crossing and
 * false thereafter until the latch is cleared by the caller.
 *
 * Return: true the first time @pid is found over the threshold, else false
 */
static bool debug_low_async_space_locked(struct binder_alloc *alloc, int pid)
{
	/*
	 * Find the amount and size of buffers allocated by the current caller;
	 * The idea is that once we cross the threshold, whoever is responsible
	 * for the low async space is likely to try to send another async txn,
	 * and at some point we'll catch them in the act. This is more efficient
	 * than keeping a map per pid.
	 */
	struct rb_node *n;
	struct binder_buffer *buffer;
	size_t total_alloc_size = 0;
	size_t num_buffers = 0;

	for (n = rb_first(&alloc->allocated_buffers); n != NULL;
		 n = rb_next(n)) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		if (buffer->pid != pid)
			continue;
		if (!buffer->async_transaction)
			continue;
		total_alloc_size += binder_alloc_buffer_size(alloc, buffer);
		num_buffers++;
	}

	/*
	 * Warn if this pid has more than 50 transactions, or more than 50% of
	 * async space (which is 25% of total buffer size). Oneway spam is only
	 * detected when the threshold is exceeded.
	 *
	 * NOTE(review): this comment and the one in binder_alloc_new_buf_locked()
	 * disagree on the fraction of buffer_size that is async space (25% here,
	 * implied 50% there). The actual split is set where free_async_space is
	 * initialised, outside this part of the file - confirm before relying
	 * on either figure.
	 */
	if (num_buffers > 50 || total_alloc_size > alloc->buffer_size / 4) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
			     "%d: pid %d spamming oneway? %zd buffers allocated for a total size of %zd\n",
			      alloc->pid, pid, num_buffers, total_alloc_size);
		if (!alloc->oneway_spam_detected) {
			alloc->oneway_spam_detected = true;
			return true;
		}
	}
	return false;
}

/**
 * binder_alloc_new_buf_locked() - carve a buffer out of the free space
 * @alloc:		binder_alloc for this proc
 * @data_size:		size of user data buffer
 * @offsets_size:	user specified buffer offset
 * @extra_buffers_size:	size of extra space for meta-data
 * @is_async:		buffer for async transaction
 * @pid:		pid to attribute allocation to (used for debugging)
 *
 * Caller holds alloc->mutex (see binder_alloc_new_buf()). Steps:
 *  1. refuse if the alloc has no vma yet;
 *  2. sum the three caller-supplied sizes, each ALIGNed to a pointer, and
 *     reject any wraparound of the sum (the sizes are not trusted);
 *  3. pad to at least one pointer so 0-byte buffers get distinct addresses;
 *  4. for async requests, refuse when free_async_space is short;
 *  5. best-fit search of alloc->free_buffers for the smallest free buffer
 *     that is at least @size bytes;
 *  6. map the pages fully covered by the request;
 *  7. if the chosen buffer is larger than needed, split the tail off into a
 *     new free buffer;
 *  8. move the buffer to alloc->allocated_buffers, fill in its metadata and
 *     update the async accounting / spam detection.
 *
 * Return: the buffer, or %ERR_PTR(-ESRCH) if no vma, %ERR_PTR(-EINVAL) on
 * size overflow, %ERR_PTR(-ENOSPC) if no free/async space, %ERR_PTR(-ENOMEM)
 * (or the error from binder_update_page_range()) on page/struct allocation
 * failure.
 */
static struct binder_buffer *binder_alloc_new_buf_locked(
				struct binder_alloc *alloc,
				size_t data_size,
				size_t offsets_size,
				size_t extra_buffers_size,
				int is_async,
				int pid)
{
	struct rb_node *n = alloc->free_buffers.rb_node;
	struct binder_buffer *buffer;
	size_t buffer_size;
	struct rb_node *best_fit = NULL;
	void __user *has_page_addr;
	void __user *end_page_addr;
	size_t size, data_offsets_size;
	int ret;

	/* Check binder_alloc is fully initialized */
	if (!binder_alloc_get_vma(alloc)) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf, no vma\n",
				   alloc->pid);
		return ERR_PTR(-ESRCH);
	}

	data_offsets_size = ALIGN(data_size, sizeof(void *)) +
		ALIGN(offsets_size, sizeof(void *));

	/* A wrapped sum is smaller than one of its addends. */
	if (data_offsets_size < data_size || data_offsets_size < offsets_size) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				"%d: got transaction with invalid size %zd-%zd\n",
				alloc->pid, data_size, offsets_size);
		return ERR_PTR(-EINVAL);
	}
	size = data_offsets_size + ALIGN(extra_buffers_size, sizeof(void *));
	if (size < data_offsets_size || size < extra_buffers_size) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: got transaction with invalid extra_buffers_size %zd\n",
				   alloc->pid, extra_buffers_size);
		return ERR_PTR(-EINVAL);
	}

	/* Pad 0-size buffers so they get assigned unique addresses */
	size = max(size, sizeof(void *));

	if (is_async && alloc->free_async_space < size) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			     "%d: binder_alloc_buf size %zd failed, no async space left\n",
			      alloc->pid, size);
		return ERR_PTR(-ENOSPC);
	}

	/*
	 * Best fit: remember each node that is big enough while descending
	 * left; an exact match ends the search with n still non-NULL.
	 */
	while (n) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		BUG_ON(!buffer->free);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		if (size < buffer_size) {
			best_fit = n;
			n = n->rb_left;
		} else if (size > buffer_size)
			n = n->rb_right;
		else {
			best_fit = n;
			break;
		}
	}
	if (best_fit == NULL) {
		/* Nothing fits: gather usage totals for the diagnostic only. */
		size_t allocated_buffers = 0;
		size_t largest_alloc_size = 0;
		size_t total_alloc_size = 0;
		size_t free_buffers = 0;
		size_t largest_free_size = 0;
		size_t total_free_size = 0;

		for (n = rb_first(&alloc->allocated_buffers); n != NULL;
		     n = rb_next(n)) {
			buffer = rb_entry(n, struct binder_buffer, rb_node);
			buffer_size = binder_alloc_buffer_size(alloc, buffer);
			allocated_buffers++;
			total_alloc_size += buffer_size;
			if (buffer_size > largest_alloc_size)
				largest_alloc_size = buffer_size;
		}
		for (n = rb_first(&alloc->free_buffers); n != NULL;
		     n = rb_next(n)) {
			buffer = rb_entry(n, struct binder_buffer, rb_node);
			buffer_size = binder_alloc_buffer_size(alloc, buffer);
			free_buffers++;
			total_free_size += buffer_size;
			if (buffer_size > largest_free_size)
				largest_free_size = buffer_size;
		}
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf size %zd failed, no address space\n",
				   alloc->pid, size);
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "allocated: %zd (num: %zd largest: %zd), free: %zd (num: %zd largest: %zd)\n",
				   total_alloc_size, allocated_buffers,
				   largest_alloc_size, total_free_size,
				   free_buffers, largest_free_size);
		return ERR_PTR(-ENOSPC);
	}
	/* On an exact match buffer/buffer_size already describe best_fit. */
	if (n == NULL) {
		buffer = rb_entry(best_fit, struct binder_buffer, rb_node);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);
	}

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
		     "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n",
		      alloc->pid, size, buffer, buffer_size);

	/*
	 * Map only the pages wholly inside the request: from the first page
	 * boundary at or after user_data up to the page boundary after the
	 * requested end, clamped so it never passes the page boundary at the
	 * end of the chosen free buffer.
	 */
	has_page_addr = (void __user *)
		(((uintptr_t)buffer->user_data + buffer_size) & PAGE_MASK);
	WARN_ON(n && buffer_size != size);
	end_page_addr =
		(void __user *)PAGE_ALIGN((uintptr_t)buffer->user_data + size);
	if (end_page_addr > has_page_addr)
		end_page_addr = has_page_addr;
	ret = binder_update_page_range(alloc, 1, (void __user *)
		PAGE_ALIGN((uintptr_t)buffer->user_data), end_page_addr);
	if (ret)
		return ERR_PTR(ret);

	/* Split: the remainder becomes a new free buffer right after this one. */
	if (buffer_size != size) {
		struct binder_buffer *new_buffer;

		new_buffer = kzalloc(sizeof(*buffer), GFP_KERNEL);
		if (!new_buffer) {
			pr_err("%s: %d failed to alloc new buffer struct\n",
			       __func__, alloc->pid);
			goto err_alloc_buf_struct_failed;
		}
		new_buffer->user_data = (u8 __user *)buffer->user_data + size;
		list_add(&new_buffer->entry, &buffer->entry);
		new_buffer->free = 1;
		binder_insert_free_buffer(alloc, new_buffer);
	}

	rb_erase(best_fit, &alloc->free_buffers);
	buffer->free = 0;
	/* Not freeable from userspace until explicitly re-armed elsewhere. */
	buffer->allow_user_free = 0;
	binder_insert_allocated_buffer_locked(alloc, buffer);
	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
		     "%d: binder_alloc_buf size %zd got %pK\n",
		      alloc->pid, size, buffer);
	buffer->data_size = data_size;
	buffer->offsets_size = offsets_size;
	buffer->async_transaction = is_async;
	buffer->extra_buffers_size = extra_buffers_size;
	buffer->pid = pid;
	buffer->oneway_spam_suspect = false;
	if (is_async) {
		alloc->free_async_space -= size;
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
			     "%d: binder_alloc_buf size %zd async free %zd\n",
			      alloc->pid, size, alloc->free_async_space);
		if (alloc->free_async_space < alloc->buffer_size / 10) {
			/*
			 * Start detecting spammers once we have less than 20%
			 * of async space left (which is less than 10% of total
			 * buffer size).
			 */
			buffer->oneway_spam_suspect = debug_low_async_space_locked(alloc, pid);
		} else {
			/* Back above the threshold: re-arm the one-shot latch. */
			alloc->oneway_spam_detected = false;
		}
	}
	return buffer;

err_alloc_buf_struct_failed:
	/* Undo the page mapping done above; the buffer stays in the free tree. */
	binder_update_page_range(alloc, 0, (void __user *)
				 PAGE_ALIGN((uintptr_t)buffer->user_data),
				 end_page_addr);
	return ERR_PTR(-ENOMEM);
}

/**
 * binder_alloc_new_buf() - Allocate a new binder buffer
 * @alloc:              binder_alloc for this proc
 * @data_size:          size of user data buffer
 * @offsets_size:       user specified buffer offset
 * @extra_buffers_size: size of extra space for meta-data (eg, security context)
 * @is_async:           buffer for async transaction
 * @pid:				pid to attribute allocation to (used for debugging)
 *
 * Allocate a new buffer given the requested sizes. Returns
 * the kernel version of the buffer pointer. The size allocated
 * is the sum of the three given sizes (each rounded up to
 * pointer-sized boundary). Takes alloc->mutex around
 * binder_alloc_new_buf_locked().
 *
 * Return: The allocated buffer or %ERR_PTR(-errno) if error
 */
struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
					   size_t data_size,
					   size_t offsets_size,
					   size_t extra_buffers_size,
					   int is_async,
					   int pid)
{
	struct binder_buffer *buffer;

	mutex_lock(&alloc->mutex);
	buffer = binder_alloc_new_buf_locked(alloc, data_size, offsets_size,
					     extra_buffers_size, is_async, pid);
	mutex_unlock(&alloc->mutex);
	return buffer;
}

/* Start of the page containing @buffer's first byte. */
static void __user *buffer_start_page(struct binder_buffer *buffer)
{
	return (void __user *)((uintptr_t)buffer->user_data & PAGE_MASK);
}

/* Start of the page containing the byte just before @buffer's user_data. */
static void __user *prev_buffer_end_page(struct binder_buffer *buffer)
{
	return (void __user *)
		(((uintptr_t)(buffer->user_data) - 1) & PAGE_MASK);
}

/**
 * binder_delete_free_buffer() - unlink and kfree a free buffer being merged away
 * @alloc:	binder_alloc for this proc
 * @buffer:	free buffer that is not the first in alloc->buffers and whose
 *		predecessor is also free (both asserted)
 *
 * Decides whether @buffer's first page can be released along with the
 * buffer struct. The page is kept if it is shared with the previous or the
 * next buffer, or if user_data is page aligned; only when none of those hold
 * is that single page handed to binder_update_page_range() for release.
 * The struct is then removed from alloc->buffers and freed. Caller is
 * responsible for having removed @buffer from the free tree beforehand
 * (see binder_free_buf_locked()).
 */
static void binder_delete_free_buffer(struct binder_alloc *alloc,
				      struct binder_buffer *buffer)
{
	struct binder_buffer *prev, *next = NULL;
	bool to_free = true;

	BUG_ON(alloc->buffers.next == &buffer->entry);
	prev = binder_buffer_prev(buffer);
	BUG_ON(!prev->free);
	if (prev_buffer_end_page(prev) == buffer_start_page(buffer)) {
		to_free = false;
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: merge free, buffer %pK share page with %pK\n",
				   alloc->pid, buffer->user_data,
				   prev->user_data);
	}

	if (!list_is_last(&buffer->entry, &alloc->buffers)) {
		next = binder_buffer_next(buffer);
		if (buffer_start_page(next) == buffer_start_page(buffer)) {
			to_free = false;
			binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
					   "%d: merge free, buffer %pK share page with %pK\n",
					   alloc->pid,
					   buffer->user_data,
					   next->user_data);
		}
	}

	if (PAGE_ALIGNED(buffer->user_data)) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: merge free, buffer start %pK is page aligned\n",
				   alloc->pid, buffer->user_data);
		to_free = false;
	}

	if (to_free) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: merge free, buffer %pK do not share page with %pK or %pK\n",
				   alloc->pid, buffer->user_data,
				   prev->user_data,
				   next ? next->user_data : NULL);
		binder_update_page_range(alloc, 0, buffer_start_page(buffer),
					 buffer_start_page(buffer) + PAGE_SIZE);
	}
	list_del(&buffer->entry);
	kfree(buffer);
}

/**
 * binder_free_buf_locked() - return an allocated buffer to the free pool
 * @alloc:	binder_alloc for this proc
 * @buffer:	allocated buffer, not attached to a transaction
 *
 * Sanity-checks the buffer (not already free, recorded sizes fit, no
 * transaction attached, user_data inside the mapped area), credits async
 * space back, releases the pages wholly covered by the buffer, then marks it
 * free and coalesces it with a free successor and/or predecessor in
 * alloc->buffers before re-inserting the surviving struct into the free
 * tree. When merging with a free predecessor it is @buffer's own struct
 * that is deleted and the predecessor that survives.
 */
static void binder_free_buf_locked(struct binder_alloc *alloc,
				   struct binder_buffer *buffer)
{
	size_t size, buffer_size;

	buffer_size = binder_alloc_buffer_size(alloc, buffer);

	size = ALIGN(buffer->data_size, sizeof(void *)) +
		ALIGN(buffer->offsets_size, sizeof(void *)) +
		ALIGN(buffer->extra_buffers_size, sizeof(void *));

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
		     "%d: binder_free_buf %pK size %zd buffer_size %zd\n",
		      alloc->pid, buffer, size, buffer_size);

	BUG_ON(buffer->free);
	BUG_ON(size > buffer_size);
	BUG_ON(buffer->transaction != NULL);
	BUG_ON(buffer->user_data < alloc->buffer);
	BUG_ON(buffer->user_data > alloc->buffer + alloc->buffer_size);

	if (buffer->async_transaction) {
		alloc->free_async_space += buffer_size;
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
			     "%d: binder_free_buf size %zd async free %zd\n",
			      alloc->pid, size, alloc->free_async_space);
	}

	/* Release whole pages only; partial edge pages may be shared with neighbours. */
	binder_update_page_range(alloc, 0,
		(void __user *)PAGE_ALIGN((uintptr_t)buffer->user_data),
		(void __user *)(((uintptr_t)
			  buffer->user_data + buffer_size) & PAGE_MASK));

	rb_erase(&buffer->rb_node, &alloc->allocated_buffers);
	buffer->free = 1;
	if (!list_is_last(&buffer->entry, &alloc->buffers)) {
		struct binder_buffer *next = binder_buffer_next(buffer);

		if (next->free) {
			rb_erase(&next->rb_node, &alloc->free_buffers);
			binder_delete_free_buffer(alloc, next);
		}
	}
	if (alloc->buffers.next != &buffer->entry) {
		struct binder_buffer *prev = binder_buffer_prev(buffer);

		if (prev->free) {
			binder_delete_free_buffer(alloc, buffer);
			rb_erase(&prev->rb_node, &alloc->free_buffers);
			buffer = prev;
		}
	}
	binder_insert_free_buffer(alloc, buffer);
}

static void binder_alloc_clear_buf(struct binder_alloc *alloc,
				   struct binder_buffer *buffer);
/**
 * binder_alloc_free_buf() - free a binder buffer
 * @alloc:	binder_alloc for this proc
 * @buffer:	kernel pointer to buffer
 *
 * Free the buffer allocated via binder_alloc_new_buf()
70062306a36Sopenharmony_ci */ 70162306a36Sopenharmony_civoid binder_alloc_free_buf(struct binder_alloc *alloc, 70262306a36Sopenharmony_ci struct binder_buffer *buffer) 70362306a36Sopenharmony_ci{ 70462306a36Sopenharmony_ci /* 70562306a36Sopenharmony_ci * We could eliminate the call to binder_alloc_clear_buf() 70662306a36Sopenharmony_ci * from binder_alloc_deferred_release() by moving this to 70762306a36Sopenharmony_ci * binder_free_buf_locked(). However, that could 70862306a36Sopenharmony_ci * increase contention for the alloc mutex if clear_on_free 70962306a36Sopenharmony_ci * is used frequently for large buffers. The mutex is not 71062306a36Sopenharmony_ci * needed for correctness here. 71162306a36Sopenharmony_ci */ 71262306a36Sopenharmony_ci if (buffer->clear_on_free) { 71362306a36Sopenharmony_ci binder_alloc_clear_buf(alloc, buffer); 71462306a36Sopenharmony_ci buffer->clear_on_free = false; 71562306a36Sopenharmony_ci } 71662306a36Sopenharmony_ci mutex_lock(&alloc->mutex); 71762306a36Sopenharmony_ci binder_free_buf_locked(alloc, buffer); 71862306a36Sopenharmony_ci mutex_unlock(&alloc->mutex); 71962306a36Sopenharmony_ci} 72062306a36Sopenharmony_ci 72162306a36Sopenharmony_ci/** 72262306a36Sopenharmony_ci * binder_alloc_mmap_handler() - map virtual address space for proc 72362306a36Sopenharmony_ci * @alloc: alloc structure for this proc 72462306a36Sopenharmony_ci * @vma: vma passed to mmap() 72562306a36Sopenharmony_ci * 72662306a36Sopenharmony_ci * Called by binder_mmap() to initialize the space specified in 72762306a36Sopenharmony_ci * vma for allocating binder buffers 72862306a36Sopenharmony_ci * 72962306a36Sopenharmony_ci * Return: 73062306a36Sopenharmony_ci * 0 = success 73162306a36Sopenharmony_ci * -EBUSY = address space already mapped 73262306a36Sopenharmony_ci * -ENOMEM = failed to map memory to given address space 73362306a36Sopenharmony_ci */ 73462306a36Sopenharmony_ciint binder_alloc_mmap_handler(struct binder_alloc *alloc, 73562306a36Sopenharmony_ci 
struct vm_area_struct *vma) 73662306a36Sopenharmony_ci{ 73762306a36Sopenharmony_ci int ret; 73862306a36Sopenharmony_ci const char *failure_string; 73962306a36Sopenharmony_ci struct binder_buffer *buffer; 74062306a36Sopenharmony_ci 74162306a36Sopenharmony_ci if (unlikely(vma->vm_mm != alloc->mm)) { 74262306a36Sopenharmony_ci ret = -EINVAL; 74362306a36Sopenharmony_ci failure_string = "invalid vma->vm_mm"; 74462306a36Sopenharmony_ci goto err_invalid_mm; 74562306a36Sopenharmony_ci } 74662306a36Sopenharmony_ci 74762306a36Sopenharmony_ci mutex_lock(&binder_alloc_mmap_lock); 74862306a36Sopenharmony_ci if (alloc->buffer_size) { 74962306a36Sopenharmony_ci ret = -EBUSY; 75062306a36Sopenharmony_ci failure_string = "already mapped"; 75162306a36Sopenharmony_ci goto err_already_mapped; 75262306a36Sopenharmony_ci } 75362306a36Sopenharmony_ci alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start, 75462306a36Sopenharmony_ci SZ_4M); 75562306a36Sopenharmony_ci mutex_unlock(&binder_alloc_mmap_lock); 75662306a36Sopenharmony_ci 75762306a36Sopenharmony_ci alloc->buffer = (void __user *)vma->vm_start; 75862306a36Sopenharmony_ci 75962306a36Sopenharmony_ci alloc->pages = kcalloc(alloc->buffer_size / PAGE_SIZE, 76062306a36Sopenharmony_ci sizeof(alloc->pages[0]), 76162306a36Sopenharmony_ci GFP_KERNEL); 76262306a36Sopenharmony_ci if (alloc->pages == NULL) { 76362306a36Sopenharmony_ci ret = -ENOMEM; 76462306a36Sopenharmony_ci failure_string = "alloc page array"; 76562306a36Sopenharmony_ci goto err_alloc_pages_failed; 76662306a36Sopenharmony_ci } 76762306a36Sopenharmony_ci 76862306a36Sopenharmony_ci buffer = kzalloc(sizeof(*buffer), GFP_KERNEL); 76962306a36Sopenharmony_ci if (!buffer) { 77062306a36Sopenharmony_ci ret = -ENOMEM; 77162306a36Sopenharmony_ci failure_string = "alloc buffer struct"; 77262306a36Sopenharmony_ci goto err_alloc_buf_struct_failed; 77362306a36Sopenharmony_ci } 77462306a36Sopenharmony_ci 77562306a36Sopenharmony_ci buffer->user_data = alloc->buffer; 
77662306a36Sopenharmony_ci list_add(&buffer->entry, &alloc->buffers); 77762306a36Sopenharmony_ci buffer->free = 1; 77862306a36Sopenharmony_ci binder_insert_free_buffer(alloc, buffer); 77962306a36Sopenharmony_ci alloc->free_async_space = alloc->buffer_size / 2; 78062306a36Sopenharmony_ci 78162306a36Sopenharmony_ci /* Signal binder_alloc is fully initialized */ 78262306a36Sopenharmony_ci binder_alloc_set_vma(alloc, vma); 78362306a36Sopenharmony_ci 78462306a36Sopenharmony_ci return 0; 78562306a36Sopenharmony_ci 78662306a36Sopenharmony_cierr_alloc_buf_struct_failed: 78762306a36Sopenharmony_ci kfree(alloc->pages); 78862306a36Sopenharmony_ci alloc->pages = NULL; 78962306a36Sopenharmony_cierr_alloc_pages_failed: 79062306a36Sopenharmony_ci alloc->buffer = NULL; 79162306a36Sopenharmony_ci mutex_lock(&binder_alloc_mmap_lock); 79262306a36Sopenharmony_ci alloc->buffer_size = 0; 79362306a36Sopenharmony_cierr_already_mapped: 79462306a36Sopenharmony_ci mutex_unlock(&binder_alloc_mmap_lock); 79562306a36Sopenharmony_cierr_invalid_mm: 79662306a36Sopenharmony_ci binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 79762306a36Sopenharmony_ci "%s: %d %lx-%lx %s failed %d\n", __func__, 79862306a36Sopenharmony_ci alloc->pid, vma->vm_start, vma->vm_end, 79962306a36Sopenharmony_ci failure_string, ret); 80062306a36Sopenharmony_ci return ret; 80162306a36Sopenharmony_ci} 80262306a36Sopenharmony_ci 80362306a36Sopenharmony_ci 80462306a36Sopenharmony_civoid binder_alloc_deferred_release(struct binder_alloc *alloc) 80562306a36Sopenharmony_ci{ 80662306a36Sopenharmony_ci struct rb_node *n; 80762306a36Sopenharmony_ci int buffers, page_count; 80862306a36Sopenharmony_ci struct binder_buffer *buffer; 80962306a36Sopenharmony_ci 81062306a36Sopenharmony_ci buffers = 0; 81162306a36Sopenharmony_ci mutex_lock(&alloc->mutex); 81262306a36Sopenharmony_ci BUG_ON(alloc->vma); 81362306a36Sopenharmony_ci 81462306a36Sopenharmony_ci while ((n = rb_first(&alloc->allocated_buffers))) { 81562306a36Sopenharmony_ci buffer = 
rb_entry(n, struct binder_buffer, rb_node); 81662306a36Sopenharmony_ci 81762306a36Sopenharmony_ci /* Transaction should already have been freed */ 81862306a36Sopenharmony_ci BUG_ON(buffer->transaction); 81962306a36Sopenharmony_ci 82062306a36Sopenharmony_ci if (buffer->clear_on_free) { 82162306a36Sopenharmony_ci binder_alloc_clear_buf(alloc, buffer); 82262306a36Sopenharmony_ci buffer->clear_on_free = false; 82362306a36Sopenharmony_ci } 82462306a36Sopenharmony_ci binder_free_buf_locked(alloc, buffer); 82562306a36Sopenharmony_ci buffers++; 82662306a36Sopenharmony_ci } 82762306a36Sopenharmony_ci 82862306a36Sopenharmony_ci while (!list_empty(&alloc->buffers)) { 82962306a36Sopenharmony_ci buffer = list_first_entry(&alloc->buffers, 83062306a36Sopenharmony_ci struct binder_buffer, entry); 83162306a36Sopenharmony_ci WARN_ON(!buffer->free); 83262306a36Sopenharmony_ci 83362306a36Sopenharmony_ci list_del(&buffer->entry); 83462306a36Sopenharmony_ci WARN_ON_ONCE(!list_empty(&alloc->buffers)); 83562306a36Sopenharmony_ci kfree(buffer); 83662306a36Sopenharmony_ci } 83762306a36Sopenharmony_ci 83862306a36Sopenharmony_ci page_count = 0; 83962306a36Sopenharmony_ci if (alloc->pages) { 84062306a36Sopenharmony_ci int i; 84162306a36Sopenharmony_ci 84262306a36Sopenharmony_ci for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) { 84362306a36Sopenharmony_ci void __user *page_addr; 84462306a36Sopenharmony_ci bool on_lru; 84562306a36Sopenharmony_ci 84662306a36Sopenharmony_ci if (!alloc->pages[i].page_ptr) 84762306a36Sopenharmony_ci continue; 84862306a36Sopenharmony_ci 84962306a36Sopenharmony_ci on_lru = list_lru_del(&binder_alloc_lru, 85062306a36Sopenharmony_ci &alloc->pages[i].lru); 85162306a36Sopenharmony_ci page_addr = alloc->buffer + i * PAGE_SIZE; 85262306a36Sopenharmony_ci binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 85362306a36Sopenharmony_ci "%s: %d: page %d at %pK %s\n", 85462306a36Sopenharmony_ci __func__, alloc->pid, i, page_addr, 85562306a36Sopenharmony_ci on_lru ? 
"on lru" : "active"); 85662306a36Sopenharmony_ci __free_page(alloc->pages[i].page_ptr); 85762306a36Sopenharmony_ci page_count++; 85862306a36Sopenharmony_ci } 85962306a36Sopenharmony_ci kfree(alloc->pages); 86062306a36Sopenharmony_ci } 86162306a36Sopenharmony_ci mutex_unlock(&alloc->mutex); 86262306a36Sopenharmony_ci if (alloc->mm) 86362306a36Sopenharmony_ci mmdrop(alloc->mm); 86462306a36Sopenharmony_ci 86562306a36Sopenharmony_ci binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE, 86662306a36Sopenharmony_ci "%s: %d buffers %d, pages %d\n", 86762306a36Sopenharmony_ci __func__, alloc->pid, buffers, page_count); 86862306a36Sopenharmony_ci} 86962306a36Sopenharmony_ci 87062306a36Sopenharmony_cistatic void print_binder_buffer(struct seq_file *m, const char *prefix, 87162306a36Sopenharmony_ci struct binder_buffer *buffer) 87262306a36Sopenharmony_ci{ 87362306a36Sopenharmony_ci seq_printf(m, "%s %d: %pK size %zd:%zd:%zd %s\n", 87462306a36Sopenharmony_ci prefix, buffer->debug_id, buffer->user_data, 87562306a36Sopenharmony_ci buffer->data_size, buffer->offsets_size, 87662306a36Sopenharmony_ci buffer->extra_buffers_size, 87762306a36Sopenharmony_ci buffer->transaction ? 
"active" : "delivered"); 87862306a36Sopenharmony_ci} 87962306a36Sopenharmony_ci 88062306a36Sopenharmony_ci/** 88162306a36Sopenharmony_ci * binder_alloc_print_allocated() - print buffer info 88262306a36Sopenharmony_ci * @m: seq_file for output via seq_printf() 88362306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 88462306a36Sopenharmony_ci * 88562306a36Sopenharmony_ci * Prints information about every buffer associated with 88662306a36Sopenharmony_ci * the binder_alloc state to the given seq_file 88762306a36Sopenharmony_ci */ 88862306a36Sopenharmony_civoid binder_alloc_print_allocated(struct seq_file *m, 88962306a36Sopenharmony_ci struct binder_alloc *alloc) 89062306a36Sopenharmony_ci{ 89162306a36Sopenharmony_ci struct rb_node *n; 89262306a36Sopenharmony_ci 89362306a36Sopenharmony_ci mutex_lock(&alloc->mutex); 89462306a36Sopenharmony_ci for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n)) 89562306a36Sopenharmony_ci print_binder_buffer(m, " buffer", 89662306a36Sopenharmony_ci rb_entry(n, struct binder_buffer, rb_node)); 89762306a36Sopenharmony_ci mutex_unlock(&alloc->mutex); 89862306a36Sopenharmony_ci} 89962306a36Sopenharmony_ci 90062306a36Sopenharmony_ci/** 90162306a36Sopenharmony_ci * binder_alloc_print_pages() - print page usage 90262306a36Sopenharmony_ci * @m: seq_file for output via seq_printf() 90362306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 90462306a36Sopenharmony_ci */ 90562306a36Sopenharmony_civoid binder_alloc_print_pages(struct seq_file *m, 90662306a36Sopenharmony_ci struct binder_alloc *alloc) 90762306a36Sopenharmony_ci{ 90862306a36Sopenharmony_ci struct binder_lru_page *page; 90962306a36Sopenharmony_ci int i; 91062306a36Sopenharmony_ci int active = 0; 91162306a36Sopenharmony_ci int lru = 0; 91262306a36Sopenharmony_ci int free = 0; 91362306a36Sopenharmony_ci 91462306a36Sopenharmony_ci mutex_lock(&alloc->mutex); 91562306a36Sopenharmony_ci /* 91662306a36Sopenharmony_ci * Make sure the binder_alloc is fully 
initialized, otherwise we might 91762306a36Sopenharmony_ci * read inconsistent state. 91862306a36Sopenharmony_ci */ 91962306a36Sopenharmony_ci if (binder_alloc_get_vma(alloc) != NULL) { 92062306a36Sopenharmony_ci for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) { 92162306a36Sopenharmony_ci page = &alloc->pages[i]; 92262306a36Sopenharmony_ci if (!page->page_ptr) 92362306a36Sopenharmony_ci free++; 92462306a36Sopenharmony_ci else if (list_empty(&page->lru)) 92562306a36Sopenharmony_ci active++; 92662306a36Sopenharmony_ci else 92762306a36Sopenharmony_ci lru++; 92862306a36Sopenharmony_ci } 92962306a36Sopenharmony_ci } 93062306a36Sopenharmony_ci mutex_unlock(&alloc->mutex); 93162306a36Sopenharmony_ci seq_printf(m, " pages: %d:%d:%d\n", active, lru, free); 93262306a36Sopenharmony_ci seq_printf(m, " pages high watermark: %zu\n", alloc->pages_high); 93362306a36Sopenharmony_ci} 93462306a36Sopenharmony_ci 93562306a36Sopenharmony_ci/** 93662306a36Sopenharmony_ci * binder_alloc_get_allocated_count() - return count of buffers 93762306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 93862306a36Sopenharmony_ci * 93962306a36Sopenharmony_ci * Return: count of allocated buffers 94062306a36Sopenharmony_ci */ 94162306a36Sopenharmony_ciint binder_alloc_get_allocated_count(struct binder_alloc *alloc) 94262306a36Sopenharmony_ci{ 94362306a36Sopenharmony_ci struct rb_node *n; 94462306a36Sopenharmony_ci int count = 0; 94562306a36Sopenharmony_ci 94662306a36Sopenharmony_ci mutex_lock(&alloc->mutex); 94762306a36Sopenharmony_ci for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n)) 94862306a36Sopenharmony_ci count++; 94962306a36Sopenharmony_ci mutex_unlock(&alloc->mutex); 95062306a36Sopenharmony_ci return count; 95162306a36Sopenharmony_ci} 95262306a36Sopenharmony_ci 95362306a36Sopenharmony_ci 95462306a36Sopenharmony_ci/** 95562306a36Sopenharmony_ci * binder_alloc_vma_close() - invalidate address space 95662306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 
95762306a36Sopenharmony_ci * 95862306a36Sopenharmony_ci * Called from binder_vma_close() when releasing address space. 95962306a36Sopenharmony_ci * Clears alloc->vma to prevent new incoming transactions from 96062306a36Sopenharmony_ci * allocating more buffers. 96162306a36Sopenharmony_ci */ 96262306a36Sopenharmony_civoid binder_alloc_vma_close(struct binder_alloc *alloc) 96362306a36Sopenharmony_ci{ 96462306a36Sopenharmony_ci binder_alloc_set_vma(alloc, NULL); 96562306a36Sopenharmony_ci} 96662306a36Sopenharmony_ci 96762306a36Sopenharmony_ci/** 96862306a36Sopenharmony_ci * binder_alloc_free_page() - shrinker callback to free pages 96962306a36Sopenharmony_ci * @item: item to free 97062306a36Sopenharmony_ci * @lock: lock protecting the item 97162306a36Sopenharmony_ci * @cb_arg: callback argument 97262306a36Sopenharmony_ci * 97362306a36Sopenharmony_ci * Called from list_lru_walk() in binder_shrink_scan() to free 97462306a36Sopenharmony_ci * up pages when the system is under memory pressure. 97562306a36Sopenharmony_ci */ 97662306a36Sopenharmony_cienum lru_status binder_alloc_free_page(struct list_head *item, 97762306a36Sopenharmony_ci struct list_lru_one *lru, 97862306a36Sopenharmony_ci spinlock_t *lock, 97962306a36Sopenharmony_ci void *cb_arg) 98062306a36Sopenharmony_ci __must_hold(lock) 98162306a36Sopenharmony_ci{ 98262306a36Sopenharmony_ci struct mm_struct *mm = NULL; 98362306a36Sopenharmony_ci struct binder_lru_page *page = container_of(item, 98462306a36Sopenharmony_ci struct binder_lru_page, 98562306a36Sopenharmony_ci lru); 98662306a36Sopenharmony_ci struct binder_alloc *alloc; 98762306a36Sopenharmony_ci uintptr_t page_addr; 98862306a36Sopenharmony_ci size_t index; 98962306a36Sopenharmony_ci struct vm_area_struct *vma; 99062306a36Sopenharmony_ci 99162306a36Sopenharmony_ci alloc = page->alloc; 99262306a36Sopenharmony_ci if (!mutex_trylock(&alloc->mutex)) 99362306a36Sopenharmony_ci goto err_get_alloc_mutex_failed; 99462306a36Sopenharmony_ci 99562306a36Sopenharmony_ci 
if (!page->page_ptr) 99662306a36Sopenharmony_ci goto err_page_already_freed; 99762306a36Sopenharmony_ci 99862306a36Sopenharmony_ci index = page - alloc->pages; 99962306a36Sopenharmony_ci page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; 100062306a36Sopenharmony_ci 100162306a36Sopenharmony_ci mm = alloc->mm; 100262306a36Sopenharmony_ci if (!mmget_not_zero(mm)) 100362306a36Sopenharmony_ci goto err_mmget; 100462306a36Sopenharmony_ci if (!mmap_read_trylock(mm)) 100562306a36Sopenharmony_ci goto err_mmap_read_lock_failed; 100662306a36Sopenharmony_ci vma = vma_lookup(mm, page_addr); 100762306a36Sopenharmony_ci if (vma && vma != binder_alloc_get_vma(alloc)) 100862306a36Sopenharmony_ci goto err_invalid_vma; 100962306a36Sopenharmony_ci 101062306a36Sopenharmony_ci list_lru_isolate(lru, item); 101162306a36Sopenharmony_ci spin_unlock(lock); 101262306a36Sopenharmony_ci 101362306a36Sopenharmony_ci if (vma) { 101462306a36Sopenharmony_ci trace_binder_unmap_user_start(alloc, index); 101562306a36Sopenharmony_ci 101662306a36Sopenharmony_ci zap_page_range_single(vma, page_addr, PAGE_SIZE, NULL); 101762306a36Sopenharmony_ci 101862306a36Sopenharmony_ci trace_binder_unmap_user_end(alloc, index); 101962306a36Sopenharmony_ci } 102062306a36Sopenharmony_ci mmap_read_unlock(mm); 102162306a36Sopenharmony_ci mmput_async(mm); 102262306a36Sopenharmony_ci 102362306a36Sopenharmony_ci trace_binder_unmap_kernel_start(alloc, index); 102462306a36Sopenharmony_ci 102562306a36Sopenharmony_ci __free_page(page->page_ptr); 102662306a36Sopenharmony_ci page->page_ptr = NULL; 102762306a36Sopenharmony_ci 102862306a36Sopenharmony_ci trace_binder_unmap_kernel_end(alloc, index); 102962306a36Sopenharmony_ci 103062306a36Sopenharmony_ci spin_lock(lock); 103162306a36Sopenharmony_ci mutex_unlock(&alloc->mutex); 103262306a36Sopenharmony_ci return LRU_REMOVED_RETRY; 103362306a36Sopenharmony_ci 103462306a36Sopenharmony_cierr_invalid_vma: 103562306a36Sopenharmony_ci mmap_read_unlock(mm); 
103662306a36Sopenharmony_cierr_mmap_read_lock_failed: 103762306a36Sopenharmony_ci mmput_async(mm); 103862306a36Sopenharmony_cierr_mmget: 103962306a36Sopenharmony_cierr_page_already_freed: 104062306a36Sopenharmony_ci mutex_unlock(&alloc->mutex); 104162306a36Sopenharmony_cierr_get_alloc_mutex_failed: 104262306a36Sopenharmony_ci return LRU_SKIP; 104362306a36Sopenharmony_ci} 104462306a36Sopenharmony_ci 104562306a36Sopenharmony_cistatic unsigned long 104662306a36Sopenharmony_cibinder_shrink_count(struct shrinker *shrink, struct shrink_control *sc) 104762306a36Sopenharmony_ci{ 104862306a36Sopenharmony_ci return list_lru_count(&binder_alloc_lru); 104962306a36Sopenharmony_ci} 105062306a36Sopenharmony_ci 105162306a36Sopenharmony_cistatic unsigned long 105262306a36Sopenharmony_cibinder_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) 105362306a36Sopenharmony_ci{ 105462306a36Sopenharmony_ci return list_lru_walk(&binder_alloc_lru, binder_alloc_free_page, 105562306a36Sopenharmony_ci NULL, sc->nr_to_scan); 105662306a36Sopenharmony_ci} 105762306a36Sopenharmony_ci 105862306a36Sopenharmony_cistatic struct shrinker binder_shrinker = { 105962306a36Sopenharmony_ci .count_objects = binder_shrink_count, 106062306a36Sopenharmony_ci .scan_objects = binder_shrink_scan, 106162306a36Sopenharmony_ci .seeks = DEFAULT_SEEKS, 106262306a36Sopenharmony_ci}; 106362306a36Sopenharmony_ci 106462306a36Sopenharmony_ci/** 106562306a36Sopenharmony_ci * binder_alloc_init() - called by binder_open() for per-proc initialization 106662306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 106762306a36Sopenharmony_ci * 106862306a36Sopenharmony_ci * Called from binder_open() to initialize binder_alloc fields for 106962306a36Sopenharmony_ci * new binder proc 107062306a36Sopenharmony_ci */ 107162306a36Sopenharmony_civoid binder_alloc_init(struct binder_alloc *alloc) 107262306a36Sopenharmony_ci{ 107362306a36Sopenharmony_ci alloc->pid = current->group_leader->pid; 107462306a36Sopenharmony_ci 
alloc->mm = current->mm; 107562306a36Sopenharmony_ci mmgrab(alloc->mm); 107662306a36Sopenharmony_ci mutex_init(&alloc->mutex); 107762306a36Sopenharmony_ci INIT_LIST_HEAD(&alloc->buffers); 107862306a36Sopenharmony_ci} 107962306a36Sopenharmony_ci 108062306a36Sopenharmony_ciint binder_alloc_shrinker_init(void) 108162306a36Sopenharmony_ci{ 108262306a36Sopenharmony_ci int ret = list_lru_init(&binder_alloc_lru); 108362306a36Sopenharmony_ci 108462306a36Sopenharmony_ci if (ret == 0) { 108562306a36Sopenharmony_ci ret = register_shrinker(&binder_shrinker, "android-binder"); 108662306a36Sopenharmony_ci if (ret) 108762306a36Sopenharmony_ci list_lru_destroy(&binder_alloc_lru); 108862306a36Sopenharmony_ci } 108962306a36Sopenharmony_ci return ret; 109062306a36Sopenharmony_ci} 109162306a36Sopenharmony_ci 109262306a36Sopenharmony_civoid binder_alloc_shrinker_exit(void) 109362306a36Sopenharmony_ci{ 109462306a36Sopenharmony_ci unregister_shrinker(&binder_shrinker); 109562306a36Sopenharmony_ci list_lru_destroy(&binder_alloc_lru); 109662306a36Sopenharmony_ci} 109762306a36Sopenharmony_ci 109862306a36Sopenharmony_ci/** 109962306a36Sopenharmony_ci * check_buffer() - verify that buffer/offset is safe to access 110062306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 110162306a36Sopenharmony_ci * @buffer: binder buffer to be accessed 110262306a36Sopenharmony_ci * @offset: offset into @buffer data 110362306a36Sopenharmony_ci * @bytes: bytes to access from offset 110462306a36Sopenharmony_ci * 110562306a36Sopenharmony_ci * Check that the @offset/@bytes are within the size of the given 110662306a36Sopenharmony_ci * @buffer and that the buffer is currently active and not freeable. 110762306a36Sopenharmony_ci * Offsets must also be multiples of sizeof(u32). 
The kernel is 110862306a36Sopenharmony_ci * allowed to touch the buffer in two cases: 110962306a36Sopenharmony_ci * 111062306a36Sopenharmony_ci * 1) when the buffer is being created: 111162306a36Sopenharmony_ci * (buffer->free == 0 && buffer->allow_user_free == 0) 111262306a36Sopenharmony_ci * 2) when the buffer is being torn down: 111362306a36Sopenharmony_ci * (buffer->free == 0 && buffer->transaction == NULL). 111462306a36Sopenharmony_ci * 111562306a36Sopenharmony_ci * Return: true if the buffer is safe to access 111662306a36Sopenharmony_ci */ 111762306a36Sopenharmony_cistatic inline bool check_buffer(struct binder_alloc *alloc, 111862306a36Sopenharmony_ci struct binder_buffer *buffer, 111962306a36Sopenharmony_ci binder_size_t offset, size_t bytes) 112062306a36Sopenharmony_ci{ 112162306a36Sopenharmony_ci size_t buffer_size = binder_alloc_buffer_size(alloc, buffer); 112262306a36Sopenharmony_ci 112362306a36Sopenharmony_ci return buffer_size >= bytes && 112462306a36Sopenharmony_ci offset <= buffer_size - bytes && 112562306a36Sopenharmony_ci IS_ALIGNED(offset, sizeof(u32)) && 112662306a36Sopenharmony_ci !buffer->free && 112762306a36Sopenharmony_ci (!buffer->allow_user_free || !buffer->transaction); 112862306a36Sopenharmony_ci} 112962306a36Sopenharmony_ci 113062306a36Sopenharmony_ci/** 113162306a36Sopenharmony_ci * binder_alloc_get_page() - get kernel pointer for given buffer offset 113262306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 113362306a36Sopenharmony_ci * @buffer: binder buffer to be accessed 113462306a36Sopenharmony_ci * @buffer_offset: offset into @buffer data 113562306a36Sopenharmony_ci * @pgoffp: address to copy final page offset to 113662306a36Sopenharmony_ci * 113762306a36Sopenharmony_ci * Lookup the struct page corresponding to the address 113862306a36Sopenharmony_ci * at @buffer_offset into @buffer->user_data. If @pgoffp is not 113962306a36Sopenharmony_ci * NULL, the byte-offset into the page is written there. 
114062306a36Sopenharmony_ci * 114162306a36Sopenharmony_ci * The caller is responsible to ensure that the offset points 114262306a36Sopenharmony_ci * to a valid address within the @buffer and that @buffer is 114362306a36Sopenharmony_ci * not freeable by the user. Since it can't be freed, we are 114462306a36Sopenharmony_ci * guaranteed that the corresponding elements of @alloc->pages[] 114562306a36Sopenharmony_ci * cannot change. 114662306a36Sopenharmony_ci * 114762306a36Sopenharmony_ci * Return: struct page 114862306a36Sopenharmony_ci */ 114962306a36Sopenharmony_cistatic struct page *binder_alloc_get_page(struct binder_alloc *alloc, 115062306a36Sopenharmony_ci struct binder_buffer *buffer, 115162306a36Sopenharmony_ci binder_size_t buffer_offset, 115262306a36Sopenharmony_ci pgoff_t *pgoffp) 115362306a36Sopenharmony_ci{ 115462306a36Sopenharmony_ci binder_size_t buffer_space_offset = buffer_offset + 115562306a36Sopenharmony_ci (buffer->user_data - alloc->buffer); 115662306a36Sopenharmony_ci pgoff_t pgoff = buffer_space_offset & ~PAGE_MASK; 115762306a36Sopenharmony_ci size_t index = buffer_space_offset >> PAGE_SHIFT; 115862306a36Sopenharmony_ci struct binder_lru_page *lru_page; 115962306a36Sopenharmony_ci 116062306a36Sopenharmony_ci lru_page = &alloc->pages[index]; 116162306a36Sopenharmony_ci *pgoffp = pgoff; 116262306a36Sopenharmony_ci return lru_page->page_ptr; 116362306a36Sopenharmony_ci} 116462306a36Sopenharmony_ci 116562306a36Sopenharmony_ci/** 116662306a36Sopenharmony_ci * binder_alloc_clear_buf() - zero out buffer 116762306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 116862306a36Sopenharmony_ci * @buffer: binder buffer to be cleared 116962306a36Sopenharmony_ci * 117062306a36Sopenharmony_ci * memset the given buffer to 0 117162306a36Sopenharmony_ci */ 117262306a36Sopenharmony_cistatic void binder_alloc_clear_buf(struct binder_alloc *alloc, 117362306a36Sopenharmony_ci struct binder_buffer *buffer) 117462306a36Sopenharmony_ci{ 117562306a36Sopenharmony_ci 
size_t bytes = binder_alloc_buffer_size(alloc, buffer); 117662306a36Sopenharmony_ci binder_size_t buffer_offset = 0; 117762306a36Sopenharmony_ci 117862306a36Sopenharmony_ci while (bytes) { 117962306a36Sopenharmony_ci unsigned long size; 118062306a36Sopenharmony_ci struct page *page; 118162306a36Sopenharmony_ci pgoff_t pgoff; 118262306a36Sopenharmony_ci 118362306a36Sopenharmony_ci page = binder_alloc_get_page(alloc, buffer, 118462306a36Sopenharmony_ci buffer_offset, &pgoff); 118562306a36Sopenharmony_ci size = min_t(size_t, bytes, PAGE_SIZE - pgoff); 118662306a36Sopenharmony_ci memset_page(page, pgoff, 0, size); 118762306a36Sopenharmony_ci bytes -= size; 118862306a36Sopenharmony_ci buffer_offset += size; 118962306a36Sopenharmony_ci } 119062306a36Sopenharmony_ci} 119162306a36Sopenharmony_ci 119262306a36Sopenharmony_ci/** 119362306a36Sopenharmony_ci * binder_alloc_copy_user_to_buffer() - copy src user to tgt user 119462306a36Sopenharmony_ci * @alloc: binder_alloc for this proc 119562306a36Sopenharmony_ci * @buffer: binder buffer to be accessed 119662306a36Sopenharmony_ci * @buffer_offset: offset into @buffer data 119762306a36Sopenharmony_ci * @from: userspace pointer to source buffer 119862306a36Sopenharmony_ci * @bytes: bytes to copy 119962306a36Sopenharmony_ci * 120062306a36Sopenharmony_ci * Copy bytes from source userspace to target buffer. 
 *
 * The range is validated by check_buffer() before any page is touched; on
 * rejection the whole @bytes count is reported back as "not copied".  The
 * copy then proceeds one page at a time, each chunk bounded both by @bytes
 * and by the end of the current page (PAGE_SIZE - pgoff).
 *
 * Return: bytes remaining to be copied; 0 on success.  A non-zero value
 * means either the range was rejected or a fault occurred while reading
 * @from, in which case the target range may be only partly written, so
 * callers must treat it as a failure.
 */
unsigned long
binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,
				 struct binder_buffer *buffer,
				 binder_size_t buffer_offset,
				 const void __user *from,
				 size_t bytes)
{
	/* Reject the request up front if it does not fit inside @buffer. */
	if (!check_buffer(alloc, buffer, buffer_offset, bytes))
		return bytes;

	while (bytes) {
		unsigned long size;
		unsigned long ret;
		struct page *page;
		pgoff_t pgoff;
		void *kptr;

		/* Locate the page holding the current offset; pgoff is set
		 * by the call to the offset within that page.
		 */
		page = binder_alloc_get_page(alloc, buffer,
					     buffer_offset, &pgoff);
		/* Never cross a page boundary within a single copy. */
		size = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		kptr = kmap_local_page(page) + pgoff;
		ret = copy_from_user(kptr, from, size);
		/* kunmap_local() accepts any address inside the mapping. */
		kunmap_local(kptr);
		if (ret)
			/* Partial copy: report everything from the fault on. */
			return bytes - size + ret;
		bytes -= size;
		from += size;
		buffer_offset += size;
	}
	return 0;
}

/**
 * binder_alloc_do_buffer_copy() - copy between a binder buffer and kernel memory
 * @alloc: binder_alloc for this proc
 * @to_buffer: true copies @ptr into @buffer, false copies @buffer out to @ptr
 * @buffer: binder buffer to be accessed
 * @buffer_offset: offset into @buffer data
 * @ptr: kernel pointer (not __user); userspace sources must go through
 *       binder_alloc_copy_user_to_buffer() instead
 * @bytes: bytes to copy
 *
 * Shared implementation behind binder_alloc_copy_to_buffer() and
 * binder_alloc_copy_from_buffer().  Walks the range page by page and uses
 * memcpy_to_page()/memcpy_from_page(), which map and unmap each page
 * internally.
 *
 * Return: 0 on success, -EINVAL if the range fails check_buffer().
 */
static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
				       bool to_buffer,
				       struct binder_buffer *buffer,
				       binder_size_t buffer_offset,
				       void *ptr,
				       size_t bytes)
{
	/* All copies must be 32-bit aligned and 32-bit size; the range is
	 * rejected here before any page is touched.
	 */
	if (!check_buffer(alloc, buffer, buffer_offset, bytes))
		return -EINVAL;

	while (bytes) {
		unsigned long size;
		struct page *page;
		pgoff_t pgoff;

		/* pgoff receives the offset within the located page. */
		page = binder_alloc_get_page(alloc, buffer,
					     buffer_offset, &pgoff);
		/* Never cross a page boundary within a single copy. */
		size = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		if (to_buffer)
			memcpy_to_page(page, pgoff, ptr, size);
		else
			memcpy_from_page(ptr, page, pgoff, size);
		bytes -= size;
		/* Redundant: pgoff is rewritten by binder_alloc_get_page()
		 * at the top of the next iteration.
		 */
		pgoff = 0;
		ptr = ptr + size;
		buffer_offset += size;
	}
	return 0;
}

/**
 * binder_alloc_copy_to_buffer() - copy kernel memory into a binder buffer
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be written
 * @buffer_offset: offset into @buffer data
 * @src: kernel pointer to the source bytes (not a userspace pointer)
 * @bytes: bytes to copy
 *
 * Return: 0 on success, -EINVAL if the range fails check_buffer().
 */
int binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
				struct binder_buffer *buffer,
				binder_size_t buffer_offset,
				void *src,
				size_t bytes)
{
	return binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset,
					   src, bytes);
}

/**
 * binder_alloc_copy_from_buffer() - copy a binder buffer into kernel memory
 * @alloc: binder_alloc for this proc
 * @dest: kernel pointer to the destination (note: comes before @buffer,
 *        unlike the argument order of binder_alloc_copy_to_buffer())
 * @buffer: binder buffer to be read
 * @buffer_offset: offset into @buffer data
 * @bytes: bytes to copy
 *
 * Return: 0 on success, -EINVAL if the range fails check_buffer().
 */
int binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
				  void *dest,
				  struct binder_buffer *buffer,
				  binder_size_t buffer_offset,
				  size_t bytes)
{
	return binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset,
					   dest, bytes);
}

