+96

drivers/staging/android/Kconfig

reviewed

··· 1 1 + menu "Android" 2 2 + 3 3 + config ANDROID 4 4 + bool "Android Drivers" 5 5 + depends on BROKEN 6 6 + default N 7 7 + ---help--- 8 8 + Enable support for various drivers needed on the Android platform 9 9 + 10 10 + if ANDROID 11 11 + 12 12 + config ANDROID_BINDER_IPC 13 13 + bool "Android Binder IPC Driver" 14 14 + default n 15 15 + 16 16 + config ANDROID_LOGGER 17 17 + tristate "Android log driver" 18 18 + default n 19 19 + 20 20 + config ANDROID_RAM_CONSOLE 21 21 + bool "Android RAM buffer console" 22 22 + default n 23 23 + 24 24 + config ANDROID_RAM_CONSOLE_ENABLE_VERBOSE 25 25 + bool "Enable verbose console messages on Android RAM console" 26 26 + default y 27 27 + depends on ANDROID_RAM_CONSOLE 28 28 + 29 29 + menuconfig ANDROID_RAM_CONSOLE_ERROR_CORRECTION 30 30 + bool "Android RAM Console Enable error correction" 31 31 + default n 32 32 + depends on ANDROID_RAM_CONSOLE 33 33 + depends on !ANDROID_RAM_CONSOLE_EARLY_INIT 34 34 + select REED_SOLOMON 35 35 + select REED_SOLOMON_ENC8 36 36 + select REED_SOLOMON_DEC8 37 37 + 38 38 + if ANDROID_RAM_CONSOLE_ERROR_CORRECTION 39 39 + 40 40 + config ANDROID_RAM_CONSOLE_ERROR_CORRECTION_DATA_SIZE 41 41 + int "Android RAM Console Data data size" 42 42 + default 128 43 43 + help 44 44 + Must be a power of 2. 45 45 + 46 46 + config ANDROID_RAM_CONSOLE_ERROR_CORRECTION_ECC_SIZE 47 47 + int "Android RAM Console ECC size" 48 48 + default 16 49 49 + 50 50 + config ANDROID_RAM_CONSOLE_ERROR_CORRECTION_SYMBOL_SIZE 51 51 + int "Android RAM Console Symbol size" 52 52 + default 8 53 53 + 54 54 + config ANDROID_RAM_CONSOLE_ERROR_CORRECTION_POLYNOMIAL 55 55 + hex "Android RAM Console Polynomial" 56 56 + default 0x19 if (ANDROID_RAM_CONSOLE_ERROR_CORRECTION_SYMBOL_SIZE = 4) 57 57 + default 0x29 if (ANDROID_RAM_CONSOLE_ERROR_CORRECTION_SYMBOL_SIZE = 5) 58 58 + default 0x61 if (ANDROID_RAM_CONSOLE_ERROR_CORRECTION_SYMBOL_SIZE = 6) 59 59 + default 0x89 if (ANDROID_RAM_CONSOLE_ERROR_CORRECTION_SYMBOL_SIZE = 7) 60 60 + default 0x11d if (ANDROID_RAM_CONSOLE_ERROR_CORRECTION_SYMBOL_SIZE = 8) 61 61 + 62 62 + endif # ANDROID_RAM_CONSOLE_ERROR_CORRECTION 63 63 + 64 64 + config ANDROID_RAM_CONSOLE_EARLY_INIT 65 65 + bool "Start Android RAM console early" 66 66 + default n 67 67 + depends on ANDROID_RAM_CONSOLE 68 68 + 69 69 + config ANDROID_RAM_CONSOLE_EARLY_ADDR 70 70 + hex "Android RAM console virtual address" 71 71 + default 0 72 72 + depends on ANDROID_RAM_CONSOLE_EARLY_INIT 73 73 + 74 74 + config ANDROID_RAM_CONSOLE_EARLY_SIZE 75 75 + hex "Android RAM console buffer size" 76 76 + default 0 77 77 + depends on ANDROID_RAM_CONSOLE_EARLY_INIT 78 78 + 79 79 + config ANDROID_TIMED_OUTPUT 80 80 + bool "Timed output class driver" 81 81 + default y 82 82 + 83 83 + config ANDROID_TIMED_GPIO 84 84 + tristate "Android timed gpio driver" 85 85 + depends on GENERIC_GPIO && ANDROID_TIMED_OUTPUT 86 86 + default n 87 87 + 88 88 + config ANDROID_LOW_MEMORY_KILLER 89 89 + bool "Android Low Memory Killer" 90 90 + default N 91 91 + ---help--- 92 92 + Register processes to be killed when memory is low 93 93 + 94 94 + endif # if ANDROID 95 95 + 96 96 + endmenu

+6

drivers/staging/android/Makefile

reviewed

··· 1 1 + obj-$(CONFIG_ANDROID_BINDER_IPC) += binder.o 2 2 + obj-$(CONFIG_ANDROID_LOGGER) += logger.o 3 3 + obj-$(CONFIG_ANDROID_RAM_CONSOLE) += ram_console.o 4 4 + obj-$(CONFIG_ANDROID_TIMED_OUTPUT) += timed_output.o 5 5 + obj-$(CONFIG_ANDROID_TIMED_GPIO) += timed_gpio.o 6 6 + obj-$(CONFIG_ANDROID_LOW_MEMORY_KILLER) += lowmemorykiller.o

+10

drivers/staging/android/TODO

reviewed

··· 1 1 + TODO: 2 2 + - checkpatch.pl cleanups 3 3 + - sparse fixes 4 4 + - rename files to be not so "generic" 5 5 + - make sure things build as modules properly 6 6 + - add proper arch dependancies as needed 7 7 + - audit userspace interfaces to make sure they are sane 8 8 + 9 9 + Please send patches to Greg Kroah-Hartman <greg@kroah.com> and Cc: 10 10 + Brian Swetland <swetland@google.com>

+3767

drivers/staging/android/binder.c

reviewed

··· 1 1 + /* binder.c 2 2 + * 3 3 + * Android IPC Subsystem 4 4 + * 5 5 + * Copyright (C) 2007-2008 Google, Inc. 6 6 + * 7 7 + * This software is licensed under the terms of the GNU General Public 8 8 + * License version 2, as published by the Free Software Foundation, and 9 9 + * may be copied, distributed, and modified under those terms. 10 10 + * 11 11 + * This program is distributed in the hope that it will be useful, 12 12 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 13 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 14 + * GNU General Public License for more details. 15 15 + * 16 16 + */ 17 17 + 18 18 + #include <asm/cacheflush.h> 19 19 + #include <linux/fdtable.h> 20 20 + #include <linux/file.h> 21 21 + #include <linux/fs.h> 22 22 + #include <linux/list.h> 23 23 + #include <linux/miscdevice.h> 24 24 + #include <linux/mm.h> 25 25 + #include <linux/module.h> 26 26 + #include <linux/mutex.h> 27 27 + #include <linux/nsproxy.h> 28 28 + #include <linux/poll.h> 29 29 + #include <linux/proc_fs.h> 30 30 + #include <linux/rbtree.h> 31 31 + #include <linux/sched.h> 32 32 + #include <linux/uaccess.h> 33 33 + #include <linux/vmalloc.h> 34 34 + 35 35 + #include "binder.h" 36 36 + 37 37 + static DEFINE_MUTEX(binder_lock); 38 38 + static DEFINE_MUTEX(binder_deferred_lock); 39 39 + 40 40 + static HLIST_HEAD(binder_procs); 41 41 + static HLIST_HEAD(binder_deferred_list); 42 42 + static HLIST_HEAD(binder_dead_nodes); 43 43 + 44 44 + static struct proc_dir_entry *binder_proc_dir_entry_root; 45 45 + static struct proc_dir_entry *binder_proc_dir_entry_proc; 46 46 + static struct binder_node *binder_context_mgr_node; 47 47 + static uid_t binder_context_mgr_uid = -1; 48 48 + static int binder_last_id; 49 49 + 50 50 + static int binder_read_proc_proc(char *page, char **start, off_t off, 51 51 + int count, int *eof, void *data); 52 52 + 53 53 + /* This is only defined in include/asm-arm/sizes.h */ 54 54 + #ifndef SZ_1K 55 55 + #define SZ_1K 0x400 56 56 + #endif 57 57 + 58 58 + #ifndef SZ_4M 59 59 + #define SZ_4M 0x400000 60 60 + #endif 61 61 + 62 62 + #define FORBIDDEN_MMAP_FLAGS (VM_WRITE) 63 63 + 64 64 + #define BINDER_SMALL_BUF_SIZE (PAGE_SIZE * 64) 65 65 + 66 66 + enum { 67 67 + BINDER_DEBUG_USER_ERROR = 1U << 0, 68 68 + BINDER_DEBUG_FAILED_TRANSACTION = 1U << 1, 69 69 + BINDER_DEBUG_DEAD_TRANSACTION = 1U << 2, 70 70 + BINDER_DEBUG_OPEN_CLOSE = 1U << 3, 71 71 + BINDER_DEBUG_DEAD_BINDER = 1U << 4, 72 72 + BINDER_DEBUG_DEATH_NOTIFICATION = 1U << 5, 73 73 + BINDER_DEBUG_READ_WRITE = 1U << 6, 74 74 + BINDER_DEBUG_USER_REFS = 1U << 7, 75 75 + BINDER_DEBUG_THREADS = 1U << 8, 76 76 + BINDER_DEBUG_TRANSACTION = 1U << 9, 77 77 + BINDER_DEBUG_TRANSACTION_COMPLETE = 1U << 10, 78 78 + BINDER_DEBUG_FREE_BUFFER = 1U << 11, 79 79 + BINDER_DEBUG_INTERNAL_REFS = 1U << 12, 80 80 + BINDER_DEBUG_BUFFER_ALLOC = 1U << 13, 81 81 + BINDER_DEBUG_PRIORITY_CAP = 1U << 14, 82 82 + BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 15, 83 83 + }; 84 84 + static uint32_t binder_debug_mask = BINDER_DEBUG_USER_ERROR | 85 85 + BINDER_DEBUG_FAILED_TRANSACTION | BINDER_DEBUG_DEAD_TRANSACTION; 86 86 + module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO); 87 87 + 88 88 + static int binder_debug_no_lock; 89 89 + module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 90 90 + 91 91 + static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 92 92 + static int binder_stop_on_user_error; 93 93 + 94 94 + static int binder_set_stop_on_user_error(const char *val, 95 95 + struct kernel_param *kp) 96 96 + { 97 97 + int ret; 98 98 + ret = param_set_int(val, kp); 99 99 + if (binder_stop_on_user_error < 2) 100 100 + wake_up(&binder_user_error_wait); 101 101 + return ret; 102 102 + } 103 103 + module_param_call(stop_on_user_error, binder_set_stop_on_user_error, 104 104 + param_get_int, &binder_stop_on_user_error, S_IWUSR | S_IRUGO); 105 105 + 106 106 + #define binder_debug(mask, x...) \ 107 107 + do { \ 108 108 + if (binder_debug_mask & mask) \ 109 109 + printk(KERN_INFO x); \ 110 110 + } while (0) 111 111 + 112 112 + #define binder_user_error(x...) \ 113 113 + do { \ 114 114 + if (binder_debug_mask & BINDER_DEBUG_USER_ERROR) \ 115 115 + printk(KERN_INFO x); \ 116 116 + if (binder_stop_on_user_error) \ 117 117 + binder_stop_on_user_error = 2; \ 118 118 + } while (0) 119 119 + 120 120 + enum binder_stat_types { 121 121 + BINDER_STAT_PROC, 122 122 + BINDER_STAT_THREAD, 123 123 + BINDER_STAT_NODE, 124 124 + BINDER_STAT_REF, 125 125 + BINDER_STAT_DEATH, 126 126 + BINDER_STAT_TRANSACTION, 127 127 + BINDER_STAT_TRANSACTION_COMPLETE, 128 128 + BINDER_STAT_COUNT 129 129 + }; 130 130 + 131 131 + struct binder_stats { 132 132 + int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 133 133 + int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 134 134 + int obj_created[BINDER_STAT_COUNT]; 135 135 + int obj_deleted[BINDER_STAT_COUNT]; 136 136 + }; 137 137 + 138 138 + static struct binder_stats binder_stats; 139 139 + 140 140 + static inline void binder_stats_deleted(enum binder_stat_types type) 141 141 + { 142 142 + binder_stats.obj_deleted[type]++; 143 143 + } 144 144 + 145 145 + static inline void binder_stats_created(enum binder_stat_types type) 146 146 + { 147 147 + binder_stats.obj_created[type]++; 148 148 + } 149 149 + 150 150 + struct binder_transaction_log_entry { 151 151 + int debug_id; 152 152 + int call_type; 153 153 + int from_proc; 154 154 + int from_thread; 155 155 + int target_handle; 156 156 + int to_proc; 157 157 + int to_thread; 158 158 + int to_node; 159 159 + int data_size; 160 160 + int offsets_size; 161 161 + }; 162 162 + struct binder_transaction_log { 163 163 + int next; 164 164 + int full; 165 165 + struct binder_transaction_log_entry entry[32]; 166 166 + }; 167 167 + static struct binder_transaction_log binder_transaction_log; 168 168 + static struct binder_transaction_log binder_transaction_log_failed; 169 169 + 170 170 + static struct binder_transaction_log_entry *binder_transaction_log_add( 171 171 + struct binder_transaction_log *log) 172 172 + { 173 173 + struct binder_transaction_log_entry *e; 174 174 + e = &log->entry[log->next]; 175 175 + memset(e, 0, sizeof(*e)); 176 176 + log->next++; 177 177 + if (log->next == ARRAY_SIZE(log->entry)) { 178 178 + log->next = 0; 179 179 + log->full = 1; 180 180 + } 181 181 + return e; 182 182 + } 183 183 + 184 184 + struct binder_work { 185 185 + struct list_head entry; 186 186 + enum { 187 187 + BINDER_WORK_TRANSACTION = 1, 188 188 + BINDER_WORK_TRANSACTION_COMPLETE, 189 189 + BINDER_WORK_NODE, 190 190 + BINDER_WORK_DEAD_BINDER, 191 191 + BINDER_WORK_DEAD_BINDER_AND_CLEAR, 192 192 + BINDER_WORK_CLEAR_DEATH_NOTIFICATION, 193 193 + } type; 194 194 + }; 195 195 + 196 196 + struct binder_node { 197 197 + int debug_id; 198 198 + struct binder_work work; 199 199 + union { 200 200 + struct rb_node rb_node; 201 201 + struct hlist_node dead_node; 202 202 + }; 203 203 + struct binder_proc *proc; 204 204 + struct hlist_head refs; 205 205 + int internal_strong_refs; 206 206 + int local_weak_refs; 207 207 + int local_strong_refs; 208 208 + void __user *ptr; 209 209 + void __user *cookie; 210 210 + unsigned has_strong_ref:1; 211 211 + unsigned pending_strong_ref:1; 212 212 + unsigned has_weak_ref:1; 213 213 + unsigned pending_weak_ref:1; 214 214 + unsigned has_async_transaction:1; 215 215 + unsigned accept_fds:1; 216 216 + unsigned min_priority:8; 217 217 + struct list_head async_todo; 218 218 + }; 219 219 + 220 220 + struct binder_ref_death { 221 221 + struct binder_work work; 222 222 + void __user *cookie; 223 223 + }; 224 224 + 225 225 + struct binder_ref { 226 226 + /* Lookups needed: */ 227 227 + /* node + proc => ref (transaction) */ 228 228 + /* desc + proc => ref (transaction, inc/dec ref) */ 229 229 + /* node => refs + procs (proc exit) */ 230 230 + int debug_id; 231 231 + struct rb_node rb_node_desc; 232 232 + struct rb_node rb_node_node; 233 233 + struct hlist_node node_entry; 234 234 + struct binder_proc *proc; 235 235 + struct binder_node *node; 236 236 + uint32_t desc; 237 237 + int strong; 238 238 + int weak; 239 239 + struct binder_ref_death *death; 240 240 + }; 241 241 + 242 242 + struct binder_buffer { 243 243 + struct list_head entry; /* free and allocated entries by addesss */ 244 244 + struct rb_node rb_node; /* free entry by size or allocated entry */ 245 245 + /* by address */ 246 246 + unsigned free:1; 247 247 + unsigned allow_user_free:1; 248 248 + unsigned async_transaction:1; 249 249 + unsigned debug_id:29; 250 250 + 251 251 + struct binder_transaction *transaction; 252 252 + 253 253 + struct binder_node *target_node; 254 254 + size_t data_size; 255 255 + size_t offsets_size; 256 256 + uint8_t data[0]; 257 257 + }; 258 258 + 259 259 + enum binder_deferred_state { 260 260 + BINDER_DEFERRED_PUT_FILES = 0x01, 261 261 + BINDER_DEFERRED_FLUSH = 0x02, 262 262 + BINDER_DEFERRED_RELEASE = 0x04, 263 263 + }; 264 264 + 265 265 + struct binder_proc { 266 266 + struct hlist_node proc_node; 267 267 + struct rb_root threads; 268 268 + struct rb_root nodes; 269 269 + struct rb_root refs_by_desc; 270 270 + struct rb_root refs_by_node; 271 271 + int pid; 272 272 + struct vm_area_struct *vma; 273 273 + struct task_struct *tsk; 274 274 + struct files_struct *files; 275 275 + struct hlist_node deferred_work_node; 276 276 + int deferred_work; 277 277 + void *buffer; 278 278 + ptrdiff_t user_buffer_offset; 279 279 + 280 280 + struct list_head buffers; 281 281 + struct rb_root free_buffers; 282 282 + struct rb_root allocated_buffers; 283 283 + size_t free_async_space; 284 284 + 285 285 + struct page **pages; 286 286 + size_t buffer_size; 287 287 + uint32_t buffer_free; 288 288 + struct list_head todo; 289 289 + wait_queue_head_t wait; 290 290 + struct binder_stats stats; 291 291 + struct list_head delivered_death; 292 292 + int max_threads; 293 293 + int requested_threads; 294 294 + int requested_threads_started; 295 295 + int ready_threads; 296 296 + long default_priority; 297 297 + }; 298 298 + 299 299 + enum { 300 300 + BINDER_LOOPER_STATE_REGISTERED = 0x01, 301 301 + BINDER_LOOPER_STATE_ENTERED = 0x02, 302 302 + BINDER_LOOPER_STATE_EXITED = 0x04, 303 303 + BINDER_LOOPER_STATE_INVALID = 0x08, 304 304 + BINDER_LOOPER_STATE_WAITING = 0x10, 305 305 + BINDER_LOOPER_STATE_NEED_RETURN = 0x20 306 306 + }; 307 307 + 308 308 + struct binder_thread { 309 309 + struct binder_proc *proc; 310 310 + struct rb_node rb_node; 311 311 + int pid; 312 312 + int looper; 313 313 + struct binder_transaction *transaction_stack; 314 314 + struct list_head todo; 315 315 + uint32_t return_error; /* Write failed, return error code in read buf */ 316 316 + uint32_t return_error2; /* Write failed, return error code in read */ 317 317 + /* buffer. Used when sending a reply to a dead process that */ 318 318 + /* we are also waiting on */ 319 319 + wait_queue_head_t wait; 320 320 + struct binder_stats stats; 321 321 + }; 322 322 + 323 323 + struct binder_transaction { 324 324 + int debug_id; 325 325 + struct binder_work work; 326 326 + struct binder_thread *from; 327 327 + struct binder_transaction *from_parent; 328 328 + struct binder_proc *to_proc; 329 329 + struct binder_thread *to_thread; 330 330 + struct binder_transaction *to_parent; 331 331 + unsigned need_reply:1; 332 332 + /* unsigned is_dead:1; */ /* not used at the moment */ 333 333 + 334 334 + struct binder_buffer *buffer; 335 335 + unsigned int code; 336 336 + unsigned int flags; 337 337 + long priority; 338 338 + long saved_priority; 339 339 + uid_t sender_euid; 340 340 + }; 341 341 + 342 342 + static void 343 343 + binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer); 344 344 + 345 345 + /* 346 346 + * copied from get_unused_fd_flags 347 347 + */ 348 348 + int task_get_unused_fd_flags(struct binder_proc *proc, int flags) 349 349 + { 350 350 + struct files_struct *files = proc->files; 351 351 + int fd, error; 352 352 + struct fdtable *fdt; 353 353 + unsigned long rlim_cur; 354 354 + unsigned long irqs; 355 355 + 356 356 + if (files == NULL) 357 357 + return -ESRCH; 358 358 + 359 359 + error = -EMFILE; 360 360 + spin_lock(&files->file_lock); 361 361 + 362 362 + repeat: 363 363 + fdt = files_fdtable(files); 364 364 + fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds, 365 365 + files->next_fd); 366 366 + 367 367 + /* 368 368 + * N.B. For clone tasks sharing a files structure, this test 369 369 + * will limit the total number of files that can be opened. 370 370 + */ 371 371 + rlim_cur = 0; 372 372 + if (lock_task_sighand(proc->tsk, &irqs)) { 373 373 + rlim_cur = proc->tsk->signal->rlim[RLIMIT_NOFILE].rlim_cur; 374 374 + unlock_task_sighand(proc->tsk, &irqs); 375 375 + } 376 376 + if (fd >= rlim_cur) 377 377 + goto out; 378 378 + 379 379 + /* Do we need to expand the fd array or fd set? */ 380 380 + error = expand_files(files, fd); 381 381 + if (error < 0) 382 382 + goto out; 383 383 + 384 384 + if (error) { 385 385 + /* 386 386 + * If we needed to expand the fs array we 387 387 + * might have blocked - try again. 388 388 + */ 389 389 + error = -EMFILE; 390 390 + goto repeat; 391 391 + } 392 392 + 393 393 + FD_SET(fd, fdt->open_fds); 394 394 + if (flags & O_CLOEXEC) 395 395 + FD_SET(fd, fdt->close_on_exec); 396 396 + else 397 397 + FD_CLR(fd, fdt->close_on_exec); 398 398 + files->next_fd = fd + 1; 399 399 + #if 1 400 400 + /* Sanity check */ 401 401 + if (fdt->fd[fd] != NULL) { 402 402 + printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); 403 403 + fdt->fd[fd] = NULL; 404 404 + } 405 405 + #endif 406 406 + error = fd; 407 407 + 408 408 + out: 409 409 + spin_unlock(&files->file_lock); 410 410 + return error; 411 411 + } 412 412 + 413 413 + /* 414 414 + * copied from fd_install 415 415 + */ 416 416 + static void task_fd_install( 417 417 + struct binder_proc *proc, unsigned int fd, struct file *file) 418 418 + { 419 419 + struct files_struct *files = proc->files; 420 420 + struct fdtable *fdt; 421 421 + 422 422 + if (files == NULL) 423 423 + return; 424 424 + 425 425 + spin_lock(&files->file_lock); 426 426 + fdt = files_fdtable(files); 427 427 + BUG_ON(fdt->fd[fd] != NULL); 428 428 + rcu_assign_pointer(fdt->fd[fd], file); 429 429 + spin_unlock(&files->file_lock); 430 430 + } 431 431 + 432 432 + /* 433 433 + * copied from __put_unused_fd in open.c 434 434 + */ 435 435 + static void __put_unused_fd(struct files_struct *files, unsigned int fd) 436 436 + { 437 437 + struct fdtable *fdt = files_fdtable(files); 438 438 + __FD_CLR(fd, fdt->open_fds); 439 439 + if (fd < files->next_fd) 440 440 + files->next_fd = fd; 441 441 + } 442 442 + 443 443 + /* 444 444 + * copied from sys_close 445 445 + */ 446 446 + static long task_close_fd(struct binder_proc *proc, unsigned int fd) 447 447 + { 448 448 + struct file *filp; 449 449 + struct files_struct *files = proc->files; 450 450 + struct fdtable *fdt; 451 451 + int retval; 452 452 + 453 453 + if (files == NULL) 454 454 + return -ESRCH; 455 455 + 456 456 + spin_lock(&files->file_lock); 457 457 + fdt = files_fdtable(files); 458 458 + if (fd >= fdt->max_fds) 459 459 + goto out_unlock; 460 460 + filp = fdt->fd[fd]; 461 461 + if (!filp) 462 462 + goto out_unlock; 463 463 + rcu_assign_pointer(fdt->fd[fd], NULL); 464 464 + FD_CLR(fd, fdt->close_on_exec); 465 465 + __put_unused_fd(files, fd); 466 466 + spin_unlock(&files->file_lock); 467 467 + retval = filp_close(filp, files); 468 468 + 469 469 + /* can't restart close syscall because file table entry was cleared */ 470 470 + if (unlikely(retval == -ERESTARTSYS || 471 471 + retval == -ERESTARTNOINTR || 472 472 + retval == -ERESTARTNOHAND || 473 473 + retval == -ERESTART_RESTARTBLOCK)) 474 474 + retval = -EINTR; 475 475 + 476 476 + return retval; 477 477 + 478 478 + out_unlock: 479 479 + spin_unlock(&files->file_lock); 480 480 + return -EBADF; 481 481 + } 482 482 + 483 483 + static void binder_set_nice(long nice) 484 484 + { 485 485 + long min_nice; 486 486 + if (can_nice(current, nice)) { 487 487 + set_user_nice(current, nice); 488 488 + return; 489 489 + } 490 490 + min_nice = 20 - current->signal->rlim[RLIMIT_NICE].rlim_cur; 491 491 + binder_debug(BINDER_DEBUG_PRIORITY_CAP, 492 492 + "binder: %d: nice value %ld not allowed use " 493 493 + "%ld instead\n", current->pid, nice, min_nice); 494 494 + set_user_nice(current, min_nice); 495 495 + if (min_nice < 20) 496 496 + return; 497 497 + binder_user_error("binder: %d RLIMIT_NICE not set\n", current->pid); 498 498 + } 499 499 + 500 500 + static size_t binder_buffer_size(struct binder_proc *proc, 501 501 + struct binder_buffer *buffer) 502 502 + { 503 503 + if (list_is_last(&buffer->entry, &proc->buffers)) 504 504 + return proc->buffer + proc->buffer_size - (void *)buffer->data; 505 505 + else 506 506 + return (size_t)list_entry(buffer->entry.next, 507 507 + struct binder_buffer, entry) - (size_t)buffer->data; 508 508 + } 509 509 + 510 510 + static void binder_insert_free_buffer(struct binder_proc *proc, 511 511 + struct binder_buffer *new_buffer) 512 512 + { 513 513 + struct rb_node **p = &proc->free_buffers.rb_node; 514 514 + struct rb_node *parent = NULL; 515 515 + struct binder_buffer *buffer; 516 516 + size_t buffer_size; 517 517 + size_t new_buffer_size; 518 518 + 519 519 + BUG_ON(!new_buffer->free); 520 520 + 521 521 + new_buffer_size = binder_buffer_size(proc, new_buffer); 522 522 + 523 523 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 524 524 + "binder: %d: add free buffer, size %zd, " 525 525 + "at %p\n", proc->pid, new_buffer_size, new_buffer); 526 526 + 527 527 + while (*p) { 528 528 + parent = *p; 529 529 + buffer = rb_entry(parent, struct binder_buffer, rb_node); 530 530 + BUG_ON(!buffer->free); 531 531 + 532 532 + buffer_size = binder_buffer_size(proc, buffer); 533 533 + 534 534 + if (new_buffer_size < buffer_size) 535 535 + p = &parent->rb_left; 536 536 + else 537 537 + p = &parent->rb_right; 538 538 + } 539 539 + rb_link_node(&new_buffer->rb_node, parent, p); 540 540 + rb_insert_color(&new_buffer->rb_node, &proc->free_buffers); 541 541 + } 542 542 + 543 543 + static void binder_insert_allocated_buffer(struct binder_proc *proc, 544 544 + struct binder_buffer *new_buffer) 545 545 + { 546 546 + struct rb_node **p = &proc->allocated_buffers.rb_node; 547 547 + struct rb_node *parent = NULL; 548 548 + struct binder_buffer *buffer; 549 549 + 550 550 + BUG_ON(new_buffer->free); 551 551 + 552 552 + while (*p) { 553 553 + parent = *p; 554 554 + buffer = rb_entry(parent, struct binder_buffer, rb_node); 555 555 + BUG_ON(buffer->free); 556 556 + 557 557 + if (new_buffer < buffer) 558 558 + p = &parent->rb_left; 559 559 + else if (new_buffer > buffer) 560 560 + p = &parent->rb_right; 561 561 + else 562 562 + BUG(); 563 563 + } 564 564 + rb_link_node(&new_buffer->rb_node, parent, p); 565 565 + rb_insert_color(&new_buffer->rb_node, &proc->allocated_buffers); 566 566 + } 567 567 + 568 568 + static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc, 569 569 + void __user *user_ptr) 570 570 + { 571 571 + struct rb_node *n = proc->allocated_buffers.rb_node; 572 572 + struct binder_buffer *buffer; 573 573 + struct binder_buffer *kern_ptr; 574 574 + 575 575 + kern_ptr = user_ptr - proc->user_buffer_offset 576 576 + - offsetof(struct binder_buffer, data); 577 577 + 578 578 + while (n) { 579 579 + buffer = rb_entry(n, struct binder_buffer, rb_node); 580 580 + BUG_ON(buffer->free); 581 581 + 582 582 + if (kern_ptr < buffer) 583 583 + n = n->rb_left; 584 584 + else if (kern_ptr > buffer) 585 585 + n = n->rb_right; 586 586 + else 587 587 + return buffer; 588 588 + } 589 589 + return NULL; 590 590 + } 591 591 + 592 592 + static int binder_update_page_range(struct binder_proc *proc, int allocate, 593 593 + void *start, void *end, 594 594 + struct vm_area_struct *vma) 595 595 + { 596 596 + void *page_addr; 597 597 + unsigned long user_page_addr; 598 598 + struct vm_struct tmp_area; 599 599 + struct page **page; 600 600 + struct mm_struct *mm; 601 601 + 602 602 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 603 603 + "binder: %d: %s pages %p-%p\n", proc->pid, 604 604 + allocate ? "allocate" : "free", start, end); 605 605 + 606 606 + if (end <= start) 607 607 + return 0; 608 608 + 609 609 + if (vma) 610 610 + mm = NULL; 611 611 + else 612 612 + mm = get_task_mm(proc->tsk); 613 613 + 614 614 + if (mm) { 615 615 + down_write(&mm->mmap_sem); 616 616 + vma = proc->vma; 617 617 + } 618 618 + 619 619 + if (allocate == 0) 620 620 + goto free_range; 621 621 + 622 622 + if (vma == NULL) { 623 623 + printk(KERN_ERR "binder: %d: binder_alloc_buf failed to " 624 624 + "map pages in userspace, no vma\n", proc->pid); 625 625 + goto err_no_vma; 626 626 + } 627 627 + 628 628 + for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 629 629 + int ret; 630 630 + struct page **page_array_ptr; 631 631 + page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 632 632 + 633 633 + BUG_ON(*page); 634 634 + *page = alloc_page(GFP_KERNEL | __GFP_ZERO); 635 635 + if (*page == NULL) { 636 636 + printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 637 637 + "for page at %p\n", proc->pid, page_addr); 638 638 + goto err_alloc_page_failed; 639 639 + } 640 640 + tmp_area.addr = page_addr; 641 641 + tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */; 642 642 + page_array_ptr = page; 643 643 + ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); 644 644 + if (ret) { 645 645 + printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 646 646 + "to map page at %p in kernel\n", 647 647 + proc->pid, page_addr); 648 648 + goto err_map_kernel_failed; 649 649 + } 650 650 + user_page_addr = 651 651 + (uintptr_t)page_addr + proc->user_buffer_offset; 652 652 + ret = vm_insert_page(vma, user_page_addr, page[0]); 653 653 + if (ret) { 654 654 + printk(KERN_ERR "binder: %d: binder_alloc_buf failed " 655 655 + "to map page at %lx in userspace\n", 656 656 + proc->pid, user_page_addr); 657 657 + goto err_vm_insert_page_failed; 658 658 + } 659 659 + /* vm_insert_page does not seem to increment the refcount */ 660 660 + } 661 661 + if (mm) { 662 662 + up_write(&mm->mmap_sem); 663 663 + mmput(mm); 664 664 + } 665 665 + return 0; 666 666 + 667 667 + free_range: 668 668 + for (page_addr = end - PAGE_SIZE; page_addr >= start; 669 669 + page_addr -= PAGE_SIZE) { 670 670 + page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE]; 671 671 + if (vma) 672 672 + zap_page_range(vma, (uintptr_t)page_addr + 673 673 + proc->user_buffer_offset, PAGE_SIZE, NULL); 674 674 + err_vm_insert_page_failed: 675 675 + unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); 676 676 + err_map_kernel_failed: 677 677 + __free_page(*page); 678 678 + *page = NULL; 679 679 + err_alloc_page_failed: 680 680 + ; 681 681 + } 682 682 + err_no_vma: 683 683 + if (mm) { 684 684 + up_write(&mm->mmap_sem); 685 685 + mmput(mm); 686 686 + } 687 687 + return -ENOMEM; 688 688 + } 689 689 + 690 690 + static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 691 691 + size_t data_size, 692 692 + size_t offsets_size, int is_async) 693 693 + { 694 694 + struct rb_node *n = proc->free_buffers.rb_node; 695 695 + struct binder_buffer *buffer; 696 696 + size_t buffer_size; 697 697 + struct rb_node *best_fit = NULL; 698 698 + void *has_page_addr; 699 699 + void *end_page_addr; 700 700 + size_t size; 701 701 + 702 702 + if (proc->vma == NULL) { 703 703 + printk(KERN_ERR "binder: %d: binder_alloc_buf, no vma\n", 704 704 + proc->pid); 705 705 + return NULL; 706 706 + } 707 707 + 708 708 + size = ALIGN(data_size, sizeof(void *)) + 709 709 + ALIGN(offsets_size, sizeof(void *)); 710 710 + 711 711 + if (size < data_size || size < offsets_size) { 712 712 + binder_user_error("binder: %d: got transaction with invalid " 713 713 + "size %zd-%zd\n", proc->pid, data_size, offsets_size); 714 714 + return NULL; 715 715 + } 716 716 + 717 717 + if (is_async && 718 718 + proc->free_async_space < size + sizeof(struct binder_buffer)) { 719 719 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 720 720 + "binder: %d: binder_alloc_buf size %zd" 721 721 + "failed, no async space left\n", proc->pid, size); 722 722 + return NULL; 723 723 + } 724 724 + 725 725 + while (n) { 726 726 + buffer = rb_entry(n, struct binder_buffer, rb_node); 727 727 + BUG_ON(!buffer->free); 728 728 + buffer_size = binder_buffer_size(proc, buffer); 729 729 + 730 730 + if (size < buffer_size) { 731 731 + best_fit = n; 732 732 + n = n->rb_left; 733 733 + } else if (size > buffer_size) 734 734 + n = n->rb_right; 735 735 + else { 736 736 + best_fit = n; 737 737 + break; 738 738 + } 739 739 + } 740 740 + if (best_fit == NULL) { 741 741 + printk(KERN_ERR "binder: %d: binder_alloc_buf size %zd failed, " 742 742 + "no address space\n", proc->pid, size); 743 743 + return NULL; 744 744 + } 745 745 + if (n == NULL) { 746 746 + buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 747 747 + buffer_size = binder_buffer_size(proc, buffer); 748 748 + } 749 749 + 750 750 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 751 751 + "binder: %d: binder_alloc_buf size %zd got buff" 752 752 + "er %p size %zd\n", proc->pid, size, buffer, buffer_size); 753 753 + 754 754 + has_page_addr = 755 755 + (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK); 756 756 + if (n == NULL) { 757 757 + if (size + sizeof(struct binder_buffer) + 4 >= buffer_size) 758 758 + buffer_size = size; /* no room for other buffers */ 759 759 + else 760 760 + buffer_size = size + sizeof(struct binder_buffer); 761 761 + } 762 762 + end_page_addr = 763 763 + (void *)PAGE_ALIGN((uintptr_t)buffer->data + buffer_size); 764 764 + if (end_page_addr > has_page_addr) 765 765 + end_page_addr = has_page_addr; 766 766 + if (binder_update_page_range(proc, 1, 767 767 + (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr, NULL)) 768 768 + return NULL; 769 769 + 770 770 + rb_erase(best_fit, &proc->free_buffers); 771 771 + buffer->free = 0; 772 772 + binder_insert_allocated_buffer(proc, buffer); 773 773 + if (buffer_size != size) { 774 774 + struct binder_buffer *new_buffer = (void *)buffer->data + size; 775 775 + list_add(&new_buffer->entry, &buffer->entry); 776 776 + new_buffer->free = 1; 777 777 + binder_insert_free_buffer(proc, new_buffer); 778 778 + } 779 779 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 780 780 + "binder: %d: binder_alloc_buf size %zd got " 781 781 + "%p\n", proc->pid, size, buffer); 782 782 + buffer->data_size = data_size; 783 783 + buffer->offsets_size = offsets_size; 784 784 + buffer->async_transaction = is_async; 785 785 + if (is_async) { 786 786 + proc->free_async_space -= size + sizeof(struct binder_buffer); 787 787 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 788 788 + "binder: %d: binder_alloc_buf size %zd " 789 789 + "async free %zd\n", proc->pid, size, 790 790 + proc->free_async_space); 791 791 + } 792 792 + 793 793 + return buffer; 794 794 + } 795 795 + 796 796 + static void *buffer_start_page(struct binder_buffer *buffer) 797 797 + { 798 798 + return (void *)((uintptr_t)buffer & PAGE_MASK); 799 799 + } 800 800 + 801 801 + static void *buffer_end_page(struct binder_buffer *buffer) 802 802 + { 803 803 + return (void *)(((uintptr_t)(buffer + 1) - 1) & PAGE_MASK); 804 804 + } 805 805 + 806 806 + static void binder_delete_free_buffer(struct binder_proc *proc, 807 807 + struct binder_buffer *buffer) 808 808 + { 809 809 + struct binder_buffer *prev, *next = NULL; 810 810 + int free_page_end = 1; 811 811 + int free_page_start = 1; 812 812 + 813 813 + BUG_ON(proc->buffers.next == &buffer->entry); 814 814 + prev = list_entry(buffer->entry.prev, struct binder_buffer, entry); 815 815 + BUG_ON(!prev->free); 816 816 + if (buffer_end_page(prev) == buffer_start_page(buffer)) { 817 817 + free_page_start = 0; 818 818 + if (buffer_end_page(prev) == buffer_end_page(buffer)) 819 819 + free_page_end = 0; 820 820 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 821 821 + "binder: %d: merge free, buffer %p " 822 822 + "share page with %p\n", proc->pid, buffer, prev); 823 823 + } 824 824 + 825 825 + if (!list_is_last(&buffer->entry, &proc->buffers)) { 826 826 + next = list_entry(buffer->entry.next, 827 827 + struct binder_buffer, entry); 828 828 + if (buffer_start_page(next) == buffer_end_page(buffer)) { 829 829 + free_page_end = 0; 830 830 + if (buffer_start_page(next) == 831 831 + buffer_start_page(buffer)) 832 832 + free_page_start = 0; 833 833 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 834 834 + "binder: %d: merge free, buffer" 835 835 + " %p share page with %p\n", proc->pid, 836 836 + buffer, prev); 837 837 + } 838 838 + } 839 839 + list_del(&buffer->entry); 840 840 + if (free_page_start || free_page_end) { 841 841 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 842 842 + "binder: %d: merge free, buffer %p do " 843 843 + "not share page%s%s with with %p or %p\n", 844 844 + proc->pid, buffer, free_page_start ? "" : " end", 845 845 + free_page_end ? "" : " start", prev, next); 846 846 + binder_update_page_range(proc, 0, free_page_start ? 847 847 + buffer_start_page(buffer) : buffer_end_page(buffer), 848 848 + (free_page_end ? buffer_end_page(buffer) : 849 849 + buffer_start_page(buffer)) + PAGE_SIZE, NULL); 850 850 + } 851 851 + } 852 852 + 853 853 + static void binder_free_buf(struct binder_proc *proc, 854 854 + struct binder_buffer *buffer) 855 855 + { 856 856 + size_t size, buffer_size; 857 857 + 858 858 + buffer_size = binder_buffer_size(proc, buffer); 859 859 + 860 860 + size = ALIGN(buffer->data_size, sizeof(void *)) + 861 861 + ALIGN(buffer->offsets_size, sizeof(void *)); 862 862 + 863 863 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 864 864 + "binder: %d: binder_free_buf %p size %zd buffer" 865 865 + "_size %zd\n", proc->pid, buffer, size, buffer_size); 866 866 + 867 867 + BUG_ON(buffer->free); 868 868 + BUG_ON(size > buffer_size); 869 869 + BUG_ON(buffer->transaction != NULL); 870 870 + BUG_ON((void *)buffer < proc->buffer); 871 871 + BUG_ON((void *)buffer > proc->buffer + proc->buffer_size); 872 872 + 873 873 + if (buffer->async_transaction) { 874 874 + proc->free_async_space += size + sizeof(struct binder_buffer); 875 875 + 876 876 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 877 877 + "binder: %d: binder_free_buf size %zd " 878 878 + "async free %zd\n", proc->pid, size, 879 879 + proc->free_async_space); 880 880 + } 881 881 + 882 882 + binder_update_page_range(proc, 0, 883 883 + (void *)PAGE_ALIGN((uintptr_t)buffer->data), 884 884 + (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK), 885 885 + NULL); 886 886 + rb_erase(&buffer->rb_node, &proc->allocated_buffers); 887 887 + buffer->free = 1; 888 888 + if (!list_is_last(&buffer->entry, &proc->buffers)) { 889 889 + struct binder_buffer *next = list_entry(buffer->entry.next, 890 890 + struct binder_buffer, entry); 891 891 + if (next->free) { 892 892 + rb_erase(&next->rb_node, &proc->free_buffers); 893 893 + binder_delete_free_buffer(proc, next); 894 894 + } 895 895 + } 896 896 + if (proc->buffers.next != &buffer->entry) { 897 897 + struct binder_buffer *prev = list_entry(buffer->entry.prev, 898 898 + struct binder_buffer, entry); 899 899 + if (prev->free) { 900 900 + binder_delete_free_buffer(proc, buffer); 901 901 + rb_erase(&prev->rb_node, &proc->free_buffers); 902 902 + buffer = prev; 903 903 + } 904 904 + } 905 905 + binder_insert_free_buffer(proc, buffer); 906 906 + } 907 907 + 908 908 + static struct binder_node *binder_get_node(struct binder_proc *proc, 909 909 + void __user *ptr) 910 910 + { 911 911 + struct rb_node *n = proc->nodes.rb_node; 912 912 + struct binder_node *node; 913 913 + 914 914 + while (n) { 915 915 + node = rb_entry(n, struct binder_node, rb_node); 916 916 + 917 917 + if (ptr < node->ptr) 918 918 + n = n->rb_left; 919 919 + else if (ptr > node->ptr) 920 920 + n = n->rb_right; 921 921 + else 922 922 + return node; 923 923 + } 924 924 + return NULL; 925 925 + } 926 926 + 927 927 + static struct binder_node *binder_new_node(struct binder_proc *proc, 928 928 + void __user *ptr, 929 929 + void __user *cookie) 930 930 + { 931 931 + struct rb_node **p = &proc->nodes.rb_node; 932 932 + struct rb_node *parent = NULL; 933 933 + struct binder_node *node; 934 934 + 935 935 + while (*p) { 936 936 + parent = *p; 937 937 + node = rb_entry(parent, struct binder_node, rb_node); 938 938 + 939 939 + if (ptr < node->ptr) 940 940 + p = &(*p)->rb_left; 941 941 + else if (ptr > node->ptr) 942 942 + p = &(*p)->rb_right; 943 943 + else 944 944 + return NULL; 945 945 + } 946 946 + 947 947 + node = kzalloc(sizeof(*node), GFP_KERNEL); 948 948 + if (node == NULL) 949 949 + return NULL; 950 950 + binder_stats_created(BINDER_STAT_NODE); 951 951 + rb_link_node(&node->rb_node, parent, p); 952 952 + rb_insert_color(&node->rb_node, &proc->nodes); 953 953 + node->debug_id = ++binder_last_id; 954 954 + node->proc = proc; 955 955 + node->ptr = ptr; 956 956 + node->cookie = cookie; 957 957 + node->work.type = BINDER_WORK_NODE; 958 958 + INIT_LIST_HEAD(&node->work.entry); 959 959 + INIT_LIST_HEAD(&node->async_todo); 960 960 + binder_debug(BINDER_DEBUG_INTERNAL_REFS, 961 961 + "binder: %d:%d node %d u%p c%p created\n", 962 962 + proc->pid, current->pid, node->debug_id, 963 963 + node->ptr, node->cookie); 964 964 + return node; 965 965 + } 966 966 + 967 967 + static int binder_inc_node(struct binder_node *node, int strong, int internal, 968 968 + struct list_head *target_list) 969 969 + { 970 970 + if (strong) { 971 971 + if (internal) { 972 972 + if (target_list == NULL && 973 973 + node->internal_strong_refs == 0 && 974 974 + !(node == binder_context_mgr_node && 975 975 + node->has_strong_ref)) { 976 976 + printk(KERN_ERR "binder: invalid inc strong " 977 977 + "node for %d\n", node->debug_id); 978 978 + return -EINVAL; 979 979 + } 980 980 + node->internal_strong_refs++; 981 981 + } else 982 982 + node->local_strong_refs++; 983 983 + if (!node->has_strong_ref && target_list) { 984 984 + list_del_init(&node->work.entry); 985 985 + list_add_tail(&node->work.entry, target_list); 986 986 + } 987 987 + } else { 988 988 + if (!internal) 989 989 + node->local_weak_refs++; 990 990 + if (!node->has_weak_ref && list_empty(&node->work.entry)) { 991 991 + if (target_list == NULL) { 992 992 + printk(KERN_ERR "binder: invalid inc weak node " 993 993 + "for %d\n", node->debug_id); 994 994 + return -EINVAL; 995 995 + } 996 996 + list_add_tail(&node->work.entry, target_list); 997 997 + } 998 998 + } 999 999 + return 0; 1000 1000 + } 1001 1001 + 1002 1002 + static int binder_dec_node(struct binder_node *node, int strong, int internal) 1003 1003 + { 1004 1004 + if (strong) { 1005 1005 + if (internal) 1006 1006 + node->internal_strong_refs--; 1007 1007 + else 1008 1008 + node->local_strong_refs--; 1009 1009 + if (node->local_strong_refs || node->internal_strong_refs) 1010 1010 + return 0; 1011 1011 + } else { 1012 1012 + if (!internal) 1013 1013 + node->local_weak_refs--; 1014 1014 + if (node->local_weak_refs || !hlist_empty(&node->refs)) 1015 1015 + return 0; 1016 1016 + } 1017 1017 + if (node->proc && (node->has_strong_ref || node->has_weak_ref)) { 1018 1018 + if (list_empty(&node->work.entry)) { 1019 1019 + list_add_tail(&node->work.entry, &node->proc->todo); 1020 1020 + wake_up_interruptible(&node->proc->wait); 1021 1021 + } 1022 1022 + } else { 1023 1023 + if (hlist_empty(&node->refs) && !node->local_strong_refs && 1024 1024 + !node->local_weak_refs) { 1025 1025 + list_del_init(&node->work.entry); 1026 1026 + if (node->proc) { 1027 1027 + rb_erase(&node->rb_node, &node->proc->nodes); 1028 1028 + binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1029 1029 + "binder: refless node %d deleted\n", 1030 1030 + node->debug_id); 1031 1031 + } else { 1032 1032 + hlist_del(&node->dead_node); 1033 1033 + binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1034 1034 + "binder: dead node %d deleted\n", 1035 1035 + node->debug_id); 1036 1036 + } 1037 1037 + kfree(node); 1038 1038 + binder_stats_deleted(BINDER_STAT_NODE); 1039 1039 + } 1040 1040 + } 1041 1041 + 1042 1042 + return 0; 1043 1043 + } 1044 1044 + 1045 1045 + 1046 1046 + static struct binder_ref *binder_get_ref(struct binder_proc *proc, 1047 1047 + uint32_t desc) 1048 1048 + { 1049 1049 + struct rb_node *n = proc->refs_by_desc.rb_node; 1050 1050 + struct binder_ref *ref; 1051 1051 + 1052 1052 + while (n) { 1053 1053 + ref = rb_entry(n, struct binder_ref, rb_node_desc); 1054 1054 + 1055 1055 + if (desc < ref->desc) 1056 1056 + n = n->rb_left; 1057 1057 + else if (desc > ref->desc) 1058 1058 + n = n->rb_right; 1059 1059 + else 1060 1060 + return ref; 1061 1061 + } 1062 1062 + return NULL; 1063 1063 + } 1064 1064 + 1065 1065 + static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc, 1066 1066 + struct binder_node *node) 1067 1067 + { 1068 1068 + struct rb_node *n; 1069 1069 + struct rb_node **p = &proc->refs_by_node.rb_node; 1070 1070 + struct rb_node *parent = NULL; 1071 1071 + struct binder_ref *ref, *new_ref; 1072 1072 + 1073 1073 + while (*p) { 1074 1074 + parent = *p; 1075 1075 + ref = rb_entry(parent, struct binder_ref, rb_node_node); 1076 1076 + 1077 1077 + if (node < ref->node) 1078 1078 + p = &(*p)->rb_left; 1079 1079 + else if (node > ref->node) 1080 1080 + p = &(*p)->rb_right; 1081 1081 + else 1082 1082 + return ref; 1083 1083 + } 1084 1084 + new_ref = kzalloc(sizeof(*ref), GFP_KERNEL); 1085 1085 + if (new_ref == NULL) 1086 1086 + return NULL; 1087 1087 + binder_stats_created(BINDER_STAT_REF); 1088 1088 + new_ref->debug_id = ++binder_last_id; 1089 1089 + new_ref->proc = proc; 1090 1090 + new_ref->node = node; 1091 1091 + rb_link_node(&new_ref->rb_node_node, parent, p); 1092 1092 + rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1093 1093 + 1094 1094 + new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1095 1095 + for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1096 1096 + ref = rb_entry(n, struct binder_ref, rb_node_desc); 1097 1097 + if (ref->desc > new_ref->desc) 1098 1098 + break; 1099 1099 + new_ref->desc = ref->desc + 1; 1100 1100 + } 1101 1101 + 1102 1102 + p = &proc->refs_by_desc.rb_node; 1103 1103 + while (*p) { 1104 1104 + parent = *p; 1105 1105 + ref = rb_entry(parent, struct binder_ref, rb_node_desc); 1106 1106 + 1107 1107 + if (new_ref->desc < ref->desc) 1108 1108 + p = &(*p)->rb_left; 1109 1109 + else if (new_ref->desc > ref->desc) 1110 1110 + p = &(*p)->rb_right; 1111 1111 + else 1112 1112 + BUG(); 1113 1113 + } 1114 1114 + rb_link_node(&new_ref->rb_node_desc, parent, p); 1115 1115 + rb_insert_color(&new_ref->rb_node_desc, &proc->refs_by_desc); 1116 1116 + if (node) { 1117 1117 + hlist_add_head(&new_ref->node_entry, &node->refs); 1118 1118 + 1119 1119 + binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1120 1120 + "binder: %d new ref %d desc %d for " 1121 1121 + "node %d\n", proc->pid, new_ref->debug_id, 1122 1122 + new_ref->desc, node->debug_id); 1123 1123 + } else { 1124 1124 + binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1125 1125 + "binder: %d new ref %d desc %d for " 1126 1126 + "dead node\n", proc->pid, new_ref->debug_id, 1127 1127 + new_ref->desc); 1128 1128 + } 1129 1129 + return new_ref; 1130 1130 + } 1131 1131 + 1132 1132 + static void binder_delete_ref(struct binder_ref *ref) 1133 1133 + { 1134 1134 + binder_debug(BINDER_DEBUG_INTERNAL_REFS, 1135 1135 + "binder: %d delete ref %d desc %d for " 1136 1136 + "node %d\n", ref->proc->pid, ref->debug_id, 1137 1137 + ref->desc, ref->node->debug_id); 1138 1138 + 1139 1139 + rb_erase(&ref->rb_node_desc, &ref->proc->refs_by_desc); 1140 1140 + rb_erase(&ref->rb_node_node, &ref->proc->refs_by_node); 1141 1141 + if (ref->strong) 1142 1142 + binder_dec_node(ref->node, 1, 1); 1143 1143 + hlist_del(&ref->node_entry); 1144 1144 + binder_dec_node(ref->node, 0, 1); 1145 1145 + if (ref->death) { 1146 1146 + binder_debug(BINDER_DEBUG_DEAD_BINDER, 1147 1147 + "binder: %d delete ref %d desc %d " 1148 1148 + "has death notification\n", ref->proc->pid, 1149 1149 + ref->debug_id, ref->desc); 1150 1150 + list_del(&ref->death->work.entry); 1151 1151 + kfree(ref->death); 1152 1152 + binder_stats_deleted(BINDER_STAT_DEATH); 1153 1153 + } 1154 1154 + kfree(ref); 1155 1155 + binder_stats_deleted(BINDER_STAT_REF); 1156 1156 + } 1157 1157 + 1158 1158 + static int binder_inc_ref(struct binder_ref *ref, int strong, 1159 1159 + struct list_head *target_list) 1160 1160 + { 1161 1161 + int ret; 1162 1162 + if (strong) { 1163 1163 + if (ref->strong == 0) { 1164 1164 + ret = binder_inc_node(ref->node, 1, 1, target_list); 1165 1165 + if (ret) 1166 1166 + return ret; 1167 1167 + } 1168 1168 + ref->strong++; 1169 1169 + } else { 1170 1170 + if (ref->weak == 0) { 1171 1171 + ret = binder_inc_node(ref->node, 0, 1, target_list); 1172 1172 + if (ret) 1173 1173 + return ret; 1174 1174 + } 1175 1175 + ref->weak++; 1176 1176 + } 1177 1177 + return 0; 1178 1178 + } 1179 1179 + 1180 1180 + 1181 1181 + static int binder_dec_ref(struct binder_ref *ref, int strong) 1182 1182 + { 1183 1183 + if (strong) { 1184 1184 + if (ref->strong == 0) { 1185 1185 + binder_user_error("binder: %d invalid dec strong, " 1186 1186 + "ref %d desc %d s %d w %d\n", 1187 1187 + ref->proc->pid, ref->debug_id, 1188 1188 + ref->desc, ref->strong, ref->weak); 1189 1189 + return -EINVAL; 1190 1190 + } 1191 1191 + ref->strong--; 1192 1192 + if (ref->strong == 0) { 1193 1193 + int ret; 1194 1194 + ret = binder_dec_node(ref->node, strong, 1); 1195 1195 + if (ret) 1196 1196 + return ret; 1197 1197 + } 1198 1198 + } else { 1199 1199 + if (ref->weak == 0) { 1200 1200 + binder_user_error("binder: %d invalid dec weak, " 1201 1201 + "ref %d desc %d s %d w %d\n", 1202 1202 + ref->proc->pid, ref->debug_id, 1203 1203 + ref->desc, ref->strong, ref->weak); 1204 1204 + return -EINVAL; 1205 1205 + } 1206 1206 + ref->weak--; 1207 1207 + } 1208 1208 + if (ref->strong == 0 && ref->weak == 0) 1209 1209 + binder_delete_ref(ref); 1210 1210 + return 0; 1211 1211 + } 1212 1212 + 1213 1213 + static void binder_pop_transaction(struct binder_thread *target_thread, 1214 1214 + struct binder_transaction *t) 1215 1215 + { 1216 1216 + if (target_thread) { 1217 1217 + BUG_ON(target_thread->transaction_stack != t); 1218 1218 + BUG_ON(target_thread->transaction_stack->from != target_thread); 1219 1219 + target_thread->transaction_stack = 1220 1220 + target_thread->transaction_stack->from_parent; 1221 1221 + t->from = NULL; 1222 1222 + } 1223 1223 + t->need_reply = 0; 1224 1224 + if (t->buffer) 1225 1225 + t->buffer->transaction = NULL; 1226 1226 + kfree(t); 1227 1227 + binder_stats_deleted(BINDER_STAT_TRANSACTION); 1228 1228 + } 1229 1229 + 1230 1230 + static void binder_send_failed_reply(struct binder_transaction *t, 1231 1231 + uint32_t error_code) 1232 1232 + { 1233 1233 + struct binder_thread *target_thread; 1234 1234 + BUG_ON(t->flags & TF_ONE_WAY); 1235 1235 + while (1) { 1236 1236 + target_thread = t->from; 1237 1237 + if (target_thread) { 1238 1238 + if (target_thread->return_error != BR_OK && 1239 1239 + target_thread->return_error2 == BR_OK) { 1240 1240 + target_thread->return_error2 = 1241 1241 + target_thread->return_error; 1242 1242 + target_thread->return_error = BR_OK; 1243 1243 + } 1244 1244 + if (target_thread->return_error == BR_OK) { 1245 1245 + binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1246 1246 + "binder: send failed reply for " 1247 1247 + "transaction %d to %d:%d\n", 1248 1248 + t->debug_id, target_thread->proc->pid, 1249 1249 + target_thread->pid); 1250 1250 + 1251 1251 + binder_pop_transaction(target_thread, t); 1252 1252 + target_thread->return_error = error_code; 1253 1253 + wake_up_interruptible(&target_thread->wait); 1254 1254 + } else { 1255 1255 + printk(KERN_ERR "binder: reply failed, target " 1256 1256 + "thread, %d:%d, has error code %d " 1257 1257 + "already\n", target_thread->proc->pid, 1258 1258 + target_thread->pid, 1259 1259 + target_thread->return_error); 1260 1260 + } 1261 1261 + return; 1262 1262 + } else { 1263 1263 + struct binder_transaction *next = t->from_parent; 1264 1264 + 1265 1265 + binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1266 1266 + "binder: send failed reply " 1267 1267 + "for transaction %d, target dead\n", 1268 1268 + t->debug_id); 1269 1269 + 1270 1270 + binder_pop_transaction(target_thread, t); 1271 1271 + if (next == NULL) { 1272 1272 + binder_debug(BINDER_DEBUG_DEAD_BINDER, 1273 1273 + "binder: reply failed," 1274 1274 + " no target thread at root\n"); 1275 1275 + return; 1276 1276 + } 1277 1277 + t = next; 1278 1278 + binder_debug(BINDER_DEBUG_DEAD_BINDER, 1279 1279 + "binder: reply failed, no target " 1280 1280 + "thread -- retry %d\n", t->debug_id); 1281 1281 + } 1282 1282 + } 1283 1283 + } 1284 1284 + 1285 1285 + static void binder_transaction_buffer_release(struct binder_proc *proc, 1286 1286 + struct binder_buffer *buffer, 1287 1287 + size_t *failed_at) 1288 1288 + { 1289 1289 + size_t *offp, *off_end; 1290 1290 + int debug_id = buffer->debug_id; 1291 1291 + 1292 1292 + binder_debug(BINDER_DEBUG_TRANSACTION, 1293 1293 + "binder: %d buffer release %d, size %zd-%zd, failed at %p\n", 1294 1294 + proc->pid, buffer->debug_id, 1295 1295 + buffer->data_size, buffer->offsets_size, failed_at); 1296 1296 + 1297 1297 + if (buffer->target_node) 1298 1298 + binder_dec_node(buffer->target_node, 1, 0); 1299 1299 + 1300 1300 + offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1301 1301 + if (failed_at) 1302 1302 + off_end = failed_at; 1303 1303 + else 1304 1304 + off_end = (void *)offp + buffer->offsets_size; 1305 1305 + for (; offp < off_end; offp++) { 1306 1306 + struct flat_binder_object *fp; 1307 1307 + if (*offp > buffer->data_size - sizeof(*fp) || 1308 1308 + buffer->data_size < sizeof(*fp) || 1309 1309 + !IS_ALIGNED(*offp, sizeof(void *))) { 1310 1310 + printk(KERN_ERR "binder: transaction release %d bad" 1311 1311 + "offset %zd, size %zd\n", debug_id, 1312 1312 + *offp, buffer->data_size); 1313 1313 + continue; 1314 1314 + } 1315 1315 + fp = (struct flat_binder_object *)(buffer->data + *offp); 1316 1316 + switch (fp->type) { 1317 1317 + case BINDER_TYPE_BINDER: 1318 1318 + case BINDER_TYPE_WEAK_BINDER: { 1319 1319 + struct binder_node *node = binder_get_node(proc, fp->binder); 1320 1320 + if (node == NULL) { 1321 1321 + printk(KERN_ERR "binder: transaction release %d" 1322 1322 + " bad node %p\n", debug_id, fp->binder); 1323 1323 + break; 1324 1324 + } 1325 1325 + binder_debug(BINDER_DEBUG_TRANSACTION, 1326 1326 + " node %d u%p\n", 1327 1327 + node->debug_id, node->ptr); 1328 1328 + binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1329 1329 + } break; 1330 1330 + case BINDER_TYPE_HANDLE: 1331 1331 + case BINDER_TYPE_WEAK_HANDLE: { 1332 1332 + struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1333 1333 + if (ref == NULL) { 1334 1334 + printk(KERN_ERR "binder: transaction release %d" 1335 1335 + " bad handle %ld\n", debug_id, 1336 1336 + fp->handle); 1337 1337 + break; 1338 1338 + } 1339 1339 + binder_debug(BINDER_DEBUG_TRANSACTION, 1340 1340 + " ref %d desc %d (node %d)\n", 1341 1341 + ref->debug_id, ref->desc, ref->node->debug_id); 1342 1342 + binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1343 1343 + } break; 1344 1344 + 1345 1345 + case BINDER_TYPE_FD: 1346 1346 + binder_debug(BINDER_DEBUG_TRANSACTION, 1347 1347 + " fd %ld\n", fp->handle); 1348 1348 + if (failed_at) 1349 1349 + task_close_fd(proc, fp->handle); 1350 1350 + break; 1351 1351 + 1352 1352 + default: 1353 1353 + printk(KERN_ERR "binder: transaction release %d bad " 1354 1354 + "object type %lx\n", debug_id, fp->type); 1355 1355 + break; 1356 1356 + } 1357 1357 + } 1358 1358 + } 1359 1359 + 1360 1360 + static void binder_transaction(struct binder_proc *proc, 1361 1361 + struct binder_thread *thread, 1362 1362 + struct binder_transaction_data *tr, int reply) 1363 1363 + { 1364 1364 + struct binder_transaction *t; 1365 1365 + struct binder_work *tcomplete; 1366 1366 + size_t *offp, *off_end; 1367 1367 + struct binder_proc *target_proc; 1368 1368 + struct binder_thread *target_thread = NULL; 1369 1369 + struct binder_node *target_node = NULL; 1370 1370 + struct list_head *target_list; 1371 1371 + wait_queue_head_t *target_wait; 1372 1372 + struct binder_transaction *in_reply_to = NULL; 1373 1373 + struct binder_transaction_log_entry *e; 1374 1374 + uint32_t return_error; 1375 1375 + 1376 1376 + e = binder_transaction_log_add(&binder_transaction_log); 1377 1377 + e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1378 1378 + e->from_proc = proc->pid; 1379 1379 + e->from_thread = thread->pid; 1380 1380 + e->target_handle = tr->target.handle; 1381 1381 + e->data_size = tr->data_size; 1382 1382 + e->offsets_size = tr->offsets_size; 1383 1383 + 1384 1384 + if (reply) { 1385 1385 + in_reply_to = thread->transaction_stack; 1386 1386 + if (in_reply_to == NULL) { 1387 1387 + binder_user_error("binder: %d:%d got reply transaction " 1388 1388 + "with no transaction stack\n", 1389 1389 + proc->pid, thread->pid); 1390 1390 + return_error = BR_FAILED_REPLY; 1391 1391 + goto err_empty_call_stack; 1392 1392 + } 1393 1393 + binder_set_nice(in_reply_to->saved_priority); 1394 1394 + if (in_reply_to->to_thread != thread) { 1395 1395 + binder_user_error("binder: %d:%d got reply transaction " 1396 1396 + "with bad transaction stack," 1397 1397 + " transaction %d has target %d:%d\n", 1398 1398 + proc->pid, thread->pid, in_reply_to->debug_id, 1399 1399 + in_reply_to->to_proc ? 1400 1400 + in_reply_to->to_proc->pid : 0, 1401 1401 + in_reply_to->to_thread ? 1402 1402 + in_reply_to->to_thread->pid : 0); 1403 1403 + return_error = BR_FAILED_REPLY; 1404 1404 + in_reply_to = NULL; 1405 1405 + goto err_bad_call_stack; 1406 1406 + } 1407 1407 + thread->transaction_stack = in_reply_to->to_parent; 1408 1408 + target_thread = in_reply_to->from; 1409 1409 + if (target_thread == NULL) { 1410 1410 + return_error = BR_DEAD_REPLY; 1411 1411 + goto err_dead_binder; 1412 1412 + } 1413 1413 + if (target_thread->transaction_stack != in_reply_to) { 1414 1414 + binder_user_error("binder: %d:%d got reply transaction " 1415 1415 + "with bad target transaction stack %d, " 1416 1416 + "expected %d\n", 1417 1417 + proc->pid, thread->pid, 1418 1418 + target_thread->transaction_stack ? 1419 1419 + target_thread->transaction_stack->debug_id : 0, 1420 1420 + in_reply_to->debug_id); 1421 1421 + return_error = BR_FAILED_REPLY; 1422 1422 + in_reply_to = NULL; 1423 1423 + target_thread = NULL; 1424 1424 + goto err_dead_binder; 1425 1425 + } 1426 1426 + target_proc = target_thread->proc; 1427 1427 + } else { 1428 1428 + if (tr->target.handle) { 1429 1429 + struct binder_ref *ref; 1430 1430 + ref = binder_get_ref(proc, tr->target.handle); 1431 1431 + if (ref == NULL) { 1432 1432 + binder_user_error("binder: %d:%d got " 1433 1433 + "transaction to invalid handle\n", 1434 1434 + proc->pid, thread->pid); 1435 1435 + return_error = BR_FAILED_REPLY; 1436 1436 + goto err_invalid_target_handle; 1437 1437 + } 1438 1438 + target_node = ref->node; 1439 1439 + } else { 1440 1440 + target_node = binder_context_mgr_node; 1441 1441 + if (target_node == NULL) { 1442 1442 + return_error = BR_DEAD_REPLY; 1443 1443 + goto err_no_context_mgr_node; 1444 1444 + } 1445 1445 + } 1446 1446 + e->to_node = target_node->debug_id; 1447 1447 + target_proc = target_node->proc; 1448 1448 + if (target_proc == NULL) { 1449 1449 + return_error = BR_DEAD_REPLY; 1450 1450 + goto err_dead_binder; 1451 1451 + } 1452 1452 + if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { 1453 1453 + struct binder_transaction *tmp; 1454 1454 + tmp = thread->transaction_stack; 1455 1455 + if (tmp->to_thread != thread) { 1456 1456 + binder_user_error("binder: %d:%d got new " 1457 1457 + "transaction with bad transaction stack" 1458 1458 + ", transaction %d has target %d:%d\n", 1459 1459 + proc->pid, thread->pid, tmp->debug_id, 1460 1460 + tmp->to_proc ? tmp->to_proc->pid : 0, 1461 1461 + tmp->to_thread ? 1462 1462 + tmp->to_thread->pid : 0); 1463 1463 + return_error = BR_FAILED_REPLY; 1464 1464 + goto err_bad_call_stack; 1465 1465 + } 1466 1466 + while (tmp) { 1467 1467 + if (tmp->from && tmp->from->proc == target_proc) 1468 1468 + target_thread = tmp->from; 1469 1469 + tmp = tmp->from_parent; 1470 1470 + } 1471 1471 + } 1472 1472 + } 1473 1473 + if (target_thread) { 1474 1474 + e->to_thread = target_thread->pid; 1475 1475 + target_list = &target_thread->todo; 1476 1476 + target_wait = &target_thread->wait; 1477 1477 + } else { 1478 1478 + target_list = &target_proc->todo; 1479 1479 + target_wait = &target_proc->wait; 1480 1480 + } 1481 1481 + e->to_proc = target_proc->pid; 1482 1482 + 1483 1483 + /* TODO: reuse incoming transaction for reply */ 1484 1484 + t = kzalloc(sizeof(*t), GFP_KERNEL); 1485 1485 + if (t == NULL) { 1486 1486 + return_error = BR_FAILED_REPLY; 1487 1487 + goto err_alloc_t_failed; 1488 1488 + } 1489 1489 + binder_stats_created(BINDER_STAT_TRANSACTION); 1490 1490 + 1491 1491 + tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); 1492 1492 + if (tcomplete == NULL) { 1493 1493 + return_error = BR_FAILED_REPLY; 1494 1494 + goto err_alloc_tcomplete_failed; 1495 1495 + } 1496 1496 + binder_stats_created(BINDER_STAT_TRANSACTION_COMPLETE); 1497 1497 + 1498 1498 + t->debug_id = ++binder_last_id; 1499 1499 + e->debug_id = t->debug_id; 1500 1500 + 1501 1501 + if (reply) 1502 1502 + binder_debug(BINDER_DEBUG_TRANSACTION, 1503 1503 + "binder: %d:%d BC_REPLY %d -> %d:%d, " 1504 1504 + "data %p-%p size %zd-%zd\n", 1505 1505 + proc->pid, thread->pid, t->debug_id, 1506 1506 + target_proc->pid, target_thread->pid, 1507 1507 + tr->data.ptr.buffer, tr->data.ptr.offsets, 1508 1508 + tr->data_size, tr->offsets_size); 1509 1509 + else 1510 1510 + binder_debug(BINDER_DEBUG_TRANSACTION, 1511 1511 + "binder: %d:%d BC_TRANSACTION %d -> " 1512 1512 + "%d - node %d, data %p-%p size %zd-%zd\n", 1513 1513 + proc->pid, thread->pid, t->debug_id, 1514 1514 + target_proc->pid, target_node->debug_id, 1515 1515 + tr->data.ptr.buffer, tr->data.ptr.offsets, 1516 1516 + tr->data_size, tr->offsets_size); 1517 1517 + 1518 1518 + if (!reply && !(tr->flags & TF_ONE_WAY)) 1519 1519 + t->from = thread; 1520 1520 + else 1521 1521 + t->from = NULL; 1522 1522 + t->sender_euid = proc->tsk->cred->euid; 1523 1523 + t->to_proc = target_proc; 1524 1524 + t->to_thread = target_thread; 1525 1525 + t->code = tr->code; 1526 1526 + t->flags = tr->flags; 1527 1527 + t->priority = task_nice(current); 1528 1528 + t->buffer = binder_alloc_buf(target_proc, tr->data_size, 1529 1529 + tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 1530 1530 + if (t->buffer == NULL) { 1531 1531 + return_error = BR_FAILED_REPLY; 1532 1532 + goto err_binder_alloc_buf_failed; 1533 1533 + } 1534 1534 + t->buffer->allow_user_free = 0; 1535 1535 + t->buffer->debug_id = t->debug_id; 1536 1536 + t->buffer->transaction = t; 1537 1537 + t->buffer->target_node = target_node; 1538 1538 + if (target_node) 1539 1539 + binder_inc_node(target_node, 1, 0, NULL); 1540 1540 + 1541 1541 + offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1542 1542 + 1543 1543 + if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1544 1544 + binder_user_error("binder: %d:%d got transaction with invalid " 1545 1545 + "data ptr\n", proc->pid, thread->pid); 1546 1546 + return_error = BR_FAILED_REPLY; 1547 1547 + goto err_copy_data_failed; 1548 1548 + } 1549 1549 + if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1550 1550 + binder_user_error("binder: %d:%d got transaction with invalid " 1551 1551 + "offsets ptr\n", proc->pid, thread->pid); 1552 1552 + return_error = BR_FAILED_REPLY; 1553 1553 + goto err_copy_data_failed; 1554 1554 + } 1555 1555 + if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { 1556 1556 + binder_user_error("binder: %d:%d got transaction with " 1557 1557 + "invalid offsets size, %zd\n", 1558 1558 + proc->pid, thread->pid, tr->offsets_size); 1559 1559 + return_error = BR_FAILED_REPLY; 1560 1560 + goto err_bad_offset; 1561 1561 + } 1562 1562 + off_end = (void *)offp + tr->offsets_size; 1563 1563 + for (; offp < off_end; offp++) { 1564 1564 + struct flat_binder_object *fp; 1565 1565 + if (*offp > t->buffer->data_size - sizeof(*fp) || 1566 1566 + t->buffer->data_size < sizeof(*fp) || 1567 1567 + !IS_ALIGNED(*offp, sizeof(void *))) { 1568 1568 + binder_user_error("binder: %d:%d got transaction with " 1569 1569 + "invalid offset, %zd\n", 1570 1570 + proc->pid, thread->pid, *offp); 1571 1571 + return_error = BR_FAILED_REPLY; 1572 1572 + goto err_bad_offset; 1573 1573 + } 1574 1574 + fp = (struct flat_binder_object *)(t->buffer->data + *offp); 1575 1575 + switch (fp->type) { 1576 1576 + case BINDER_TYPE_BINDER: 1577 1577 + case BINDER_TYPE_WEAK_BINDER: { 1578 1578 + struct binder_ref *ref; 1579 1579 + struct binder_node *node = binder_get_node(proc, fp->binder); 1580 1580 + if (node == NULL) { 1581 1581 + node = binder_new_node(proc, fp->binder, fp->cookie); 1582 1582 + if (node == NULL) { 1583 1583 + return_error = BR_FAILED_REPLY; 1584 1584 + goto err_binder_new_node_failed; 1585 1585 + } 1586 1586 + node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK; 1587 1587 + node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1588 1588 + } 1589 1589 + if (fp->cookie != node->cookie) { 1590 1590 + binder_user_error("binder: %d:%d sending u%p " 1591 1591 + "node %d, cookie mismatch %p != %p\n", 1592 1592 + proc->pid, thread->pid, 1593 1593 + fp->binder, node->debug_id, 1594 1594 + fp->cookie, node->cookie); 1595 1595 + goto err_binder_get_ref_for_node_failed; 1596 1596 + } 1597 1597 + ref = binder_get_ref_for_node(target_proc, node); 1598 1598 + if (ref == NULL) { 1599 1599 + return_error = BR_FAILED_REPLY; 1600 1600 + goto err_binder_get_ref_for_node_failed; 1601 1601 + } 1602 1602 + if (fp->type == BINDER_TYPE_BINDER) 1603 1603 + fp->type = BINDER_TYPE_HANDLE; 1604 1604 + else 1605 1605 + fp->type = BINDER_TYPE_WEAK_HANDLE; 1606 1606 + fp->handle = ref->desc; 1607 1607 + binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, 1608 1608 + &thread->todo); 1609 1609 + 1610 1610 + binder_debug(BINDER_DEBUG_TRANSACTION, 1611 1611 + " node %d u%p -> ref %d desc %d\n", 1612 1612 + node->debug_id, node->ptr, ref->debug_id, 1613 1613 + ref->desc); 1614 1614 + } break; 1615 1615 + case BINDER_TYPE_HANDLE: 1616 1616 + case BINDER_TYPE_WEAK_HANDLE: { 1617 1617 + struct binder_ref *ref = binder_get_ref(proc, fp->handle); 1618 1618 + if (ref == NULL) { 1619 1619 + binder_user_error("binder: %d:%d got " 1620 1620 + "transaction with invalid " 1621 1621 + "handle, %ld\n", proc->pid, 1622 1622 + thread->pid, fp->handle); 1623 1623 + return_error = BR_FAILED_REPLY; 1624 1624 + goto err_binder_get_ref_failed; 1625 1625 + } 1626 1626 + if (ref->node->proc == target_proc) { 1627 1627 + if (fp->type == BINDER_TYPE_HANDLE) 1628 1628 + fp->type = BINDER_TYPE_BINDER; 1629 1629 + else 1630 1630 + fp->type = BINDER_TYPE_WEAK_BINDER; 1631 1631 + fp->binder = ref->node->ptr; 1632 1632 + fp->cookie = ref->node->cookie; 1633 1633 + binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1634 1634 + binder_debug(BINDER_DEBUG_TRANSACTION, 1635 1635 + " ref %d desc %d -> node %d u%p\n", 1636 1636 + ref->debug_id, ref->desc, ref->node->debug_id, 1637 1637 + ref->node->ptr); 1638 1638 + } else { 1639 1639 + struct binder_ref *new_ref; 1640 1640 + new_ref = binder_get_ref_for_node(target_proc, ref->node); 1641 1641 + if (new_ref == NULL) { 1642 1642 + return_error = BR_FAILED_REPLY; 1643 1643 + goto err_binder_get_ref_for_node_failed; 1644 1644 + } 1645 1645 + fp->handle = new_ref->desc; 1646 1646 + binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL); 1647 1647 + binder_debug(BINDER_DEBUG_TRANSACTION, 1648 1648 + " ref %d desc %d -> ref %d desc %d (node %d)\n", 1649 1649 + ref->debug_id, ref->desc, new_ref->debug_id, 1650 1650 + new_ref->desc, ref->node->debug_id); 1651 1651 + } 1652 1652 + } break; 1653 1653 + 1654 1654 + case BINDER_TYPE_FD: { 1655 1655 + int target_fd; 1656 1656 + struct file *file; 1657 1657 + 1658 1658 + if (reply) { 1659 1659 + if (!(in_reply_to->flags & TF_ACCEPT_FDS)) { 1660 1660 + binder_user_error("binder: %d:%d got reply with fd, %ld, but target does not allow fds\n", 1661 1661 + proc->pid, thread->pid, fp->handle); 1662 1662 + return_error = BR_FAILED_REPLY; 1663 1663 + goto err_fd_not_allowed; 1664 1664 + } 1665 1665 + } else if (!target_node->accept_fds) { 1666 1666 + binder_user_error("binder: %d:%d got transaction with fd, %ld, but target does not allow fds\n", 1667 1667 + proc->pid, thread->pid, fp->handle); 1668 1668 + return_error = BR_FAILED_REPLY; 1669 1669 + goto err_fd_not_allowed; 1670 1670 + } 1671 1671 + 1672 1672 + file = fget(fp->handle); 1673 1673 + if (file == NULL) { 1674 1674 + binder_user_error("binder: %d:%d got transaction with invalid fd, %ld\n", 1675 1675 + proc->pid, thread->pid, fp->handle); 1676 1676 + return_error = BR_FAILED_REPLY; 1677 1677 + goto err_fget_failed; 1678 1678 + } 1679 1679 + target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 1680 1680 + if (target_fd < 0) { 1681 1681 + fput(file); 1682 1682 + return_error = BR_FAILED_REPLY; 1683 1683 + goto err_get_unused_fd_failed; 1684 1684 + } 1685 1685 + task_fd_install(target_proc, target_fd, file); 1686 1686 + binder_debug(BINDER_DEBUG_TRANSACTION, 1687 1687 + " fd %ld -> %d\n", fp->handle, target_fd); 1688 1688 + /* TODO: fput? */ 1689 1689 + fp->handle = target_fd; 1690 1690 + } break; 1691 1691 + 1692 1692 + default: 1693 1693 + binder_user_error("binder: %d:%d got transactio" 1694 1694 + "n with invalid object type, %lx\n", 1695 1695 + proc->pid, thread->pid, fp->type); 1696 1696 + return_error = BR_FAILED_REPLY; 1697 1697 + goto err_bad_object_type; 1698 1698 + } 1699 1699 + } 1700 1700 + if (reply) { 1701 1701 + BUG_ON(t->buffer->async_transaction != 0); 1702 1702 + binder_pop_transaction(target_thread, in_reply_to); 1703 1703 + } else if (!(t->flags & TF_ONE_WAY)) { 1704 1704 + BUG_ON(t->buffer->async_transaction != 0); 1705 1705 + t->need_reply = 1; 1706 1706 + t->from_parent = thread->transaction_stack; 1707 1707 + thread->transaction_stack = t; 1708 1708 + } else { 1709 1709 + BUG_ON(target_node == NULL); 1710 1710 + BUG_ON(t->buffer->async_transaction != 1); 1711 1711 + if (target_node->has_async_transaction) { 1712 1712 + target_list = &target_node->async_todo; 1713 1713 + target_wait = NULL; 1714 1714 + } else 1715 1715 + target_node->has_async_transaction = 1; 1716 1716 + } 1717 1717 + t->work.type = BINDER_WORK_TRANSACTION; 1718 1718 + list_add_tail(&t->work.entry, target_list); 1719 1719 + tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; 1720 1720 + list_add_tail(&tcomplete->entry, &thread->todo); 1721 1721 + if (target_wait) 1722 1722 + wake_up_interruptible(target_wait); 1723 1723 + return; 1724 1724 + 1725 1725 + err_get_unused_fd_failed: 1726 1726 + err_fget_failed: 1727 1727 + err_fd_not_allowed: 1728 1728 + err_binder_get_ref_for_node_failed: 1729 1729 + err_binder_get_ref_failed: 1730 1730 + err_binder_new_node_failed: 1731 1731 + err_bad_object_type: 1732 1732 + err_bad_offset: 1733 1733 + err_copy_data_failed: 1734 1734 + binder_transaction_buffer_release(target_proc, t->buffer, offp); 1735 1735 + t->buffer->transaction = NULL; 1736 1736 + binder_free_buf(target_proc, t->buffer); 1737 1737 + err_binder_alloc_buf_failed: 1738 1738 + kfree(tcomplete); 1739 1739 + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 1740 1740 + err_alloc_tcomplete_failed: 1741 1741 + kfree(t); 1742 1742 + binder_stats_deleted(BINDER_STAT_TRANSACTION); 1743 1743 + err_alloc_t_failed: 1744 1744 + err_bad_call_stack: 1745 1745 + err_empty_call_stack: 1746 1746 + err_dead_binder: 1747 1747 + err_invalid_target_handle: 1748 1748 + err_no_context_mgr_node: 1749 1749 + binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1750 1750 + "binder: %d:%d transaction failed %d, size %zd-%zd\n", 1751 1751 + proc->pid, thread->pid, return_error, 1752 1752 + tr->data_size, tr->offsets_size); 1753 1753 + 1754 1754 + { 1755 1755 + struct binder_transaction_log_entry *fe; 1756 1756 + fe = binder_transaction_log_add(&binder_transaction_log_failed); 1757 1757 + *fe = *e; 1758 1758 + } 1759 1759 + 1760 1760 + BUG_ON(thread->return_error != BR_OK); 1761 1761 + if (in_reply_to) { 1762 1762 + thread->return_error = BR_TRANSACTION_COMPLETE; 1763 1763 + binder_send_failed_reply(in_reply_to, return_error); 1764 1764 + } else 1765 1765 + thread->return_error = return_error; 1766 1766 + } 1767 1767 + 1768 1768 + int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, 1769 1769 + void __user *buffer, int size, signed long *consumed) 1770 1770 + { 1771 1771 + uint32_t cmd; 1772 1772 + void __user *ptr = buffer + *consumed; 1773 1773 + void __user *end = buffer + size; 1774 1774 + 1775 1775 + while (ptr < end && thread->return_error == BR_OK) { 1776 1776 + if (get_user(cmd, (uint32_t __user *)ptr)) 1777 1777 + return -EFAULT; 1778 1778 + ptr += sizeof(uint32_t); 1779 1779 + if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) { 1780 1780 + binder_stats.bc[_IOC_NR(cmd)]++; 1781 1781 + proc->stats.bc[_IOC_NR(cmd)]++; 1782 1782 + thread->stats.bc[_IOC_NR(cmd)]++; 1783 1783 + } 1784 1784 + switch (cmd) { 1785 1785 + case BC_INCREFS: 1786 1786 + case BC_ACQUIRE: 1787 1787 + case BC_RELEASE: 1788 1788 + case BC_DECREFS: { 1789 1789 + uint32_t target; 1790 1790 + struct binder_ref *ref; 1791 1791 + const char *debug_string; 1792 1792 + 1793 1793 + if (get_user(target, (uint32_t __user *)ptr)) 1794 1794 + return -EFAULT; 1795 1795 + ptr += sizeof(uint32_t); 1796 1796 + if (target == 0 && binder_context_mgr_node && 1797 1797 + (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 1798 1798 + ref = binder_get_ref_for_node(proc, 1799 1799 + binder_context_mgr_node); 1800 1800 + if (ref->desc != target) { 1801 1801 + binder_user_error("binder: %d:" 1802 1802 + "%d tried to acquire " 1803 1803 + "reference to desc 0, " 1804 1804 + "got %d instead\n", 1805 1805 + proc->pid, thread->pid, 1806 1806 + ref->desc); 1807 1807 + } 1808 1808 + } else 1809 1809 + ref = binder_get_ref(proc, target); 1810 1810 + if (ref == NULL) { 1811 1811 + binder_user_error("binder: %d:%d refcou" 1812 1812 + "nt change on invalid ref %d\n", 1813 1813 + proc->pid, thread->pid, target); 1814 1814 + break; 1815 1815 + } 1816 1816 + switch (cmd) { 1817 1817 + case BC_INCREFS: 1818 1818 + debug_string = "IncRefs"; 1819 1819 + binder_inc_ref(ref, 0, NULL); 1820 1820 + break; 1821 1821 + case BC_ACQUIRE: 1822 1822 + debug_string = "Acquire"; 1823 1823 + binder_inc_ref(ref, 1, NULL); 1824 1824 + break; 1825 1825 + case BC_RELEASE: 1826 1826 + debug_string = "Release"; 1827 1827 + binder_dec_ref(ref, 1); 1828 1828 + break; 1829 1829 + case BC_DECREFS: 1830 1830 + default: 1831 1831 + debug_string = "DecRefs"; 1832 1832 + binder_dec_ref(ref, 0); 1833 1833 + break; 1834 1834 + } 1835 1835 + binder_debug(BINDER_DEBUG_USER_REFS, 1836 1836 + "binder: %d:%d %s ref %d desc %d s %d w %d for node %d\n", 1837 1837 + proc->pid, thread->pid, debug_string, ref->debug_id, 1838 1838 + ref->desc, ref->strong, ref->weak, ref->node->debug_id); 1839 1839 + break; 1840 1840 + } 1841 1841 + case BC_INCREFS_DONE: 1842 1842 + case BC_ACQUIRE_DONE: { 1843 1843 + void __user *node_ptr; 1844 1844 + void *cookie; 1845 1845 + struct binder_node *node; 1846 1846 + 1847 1847 + if (get_user(node_ptr, (void * __user *)ptr)) 1848 1848 + return -EFAULT; 1849 1849 + ptr += sizeof(void *); 1850 1850 + if (get_user(cookie, (void * __user *)ptr)) 1851 1851 + return -EFAULT; 1852 1852 + ptr += sizeof(void *); 1853 1853 + node = binder_get_node(proc, node_ptr); 1854 1854 + if (node == NULL) { 1855 1855 + binder_user_error("binder: %d:%d " 1856 1856 + "%s u%p no match\n", 1857 1857 + proc->pid, thread->pid, 1858 1858 + cmd == BC_INCREFS_DONE ? 1859 1859 + "BC_INCREFS_DONE" : 1860 1860 + "BC_ACQUIRE_DONE", 1861 1861 + node_ptr); 1862 1862 + break; 1863 1863 + } 1864 1864 + if (cookie != node->cookie) { 1865 1865 + binder_user_error("binder: %d:%d %s u%p node %d" 1866 1866 + " cookie mismatch %p != %p\n", 1867 1867 + proc->pid, thread->pid, 1868 1868 + cmd == BC_INCREFS_DONE ? 1869 1869 + "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1870 1870 + node_ptr, node->debug_id, 1871 1871 + cookie, node->cookie); 1872 1872 + break; 1873 1873 + } 1874 1874 + if (cmd == BC_ACQUIRE_DONE) { 1875 1875 + if (node->pending_strong_ref == 0) { 1876 1876 + binder_user_error("binder: %d:%d " 1877 1877 + "BC_ACQUIRE_DONE node %d has " 1878 1878 + "no pending acquire request\n", 1879 1879 + proc->pid, thread->pid, 1880 1880 + node->debug_id); 1881 1881 + break; 1882 1882 + } 1883 1883 + node->pending_strong_ref = 0; 1884 1884 + } else { 1885 1885 + if (node->pending_weak_ref == 0) { 1886 1886 + binder_user_error("binder: %d:%d " 1887 1887 + "BC_INCREFS_DONE node %d has " 1888 1888 + "no pending increfs request\n", 1889 1889 + proc->pid, thread->pid, 1890 1890 + node->debug_id); 1891 1891 + break; 1892 1892 + } 1893 1893 + node->pending_weak_ref = 0; 1894 1894 + } 1895 1895 + binder_dec_node(node, cmd == BC_ACQUIRE_DONE, 0); 1896 1896 + binder_debug(BINDER_DEBUG_USER_REFS, 1897 1897 + "binder: %d:%d %s node %d ls %d lw %d\n", 1898 1898 + proc->pid, thread->pid, 1899 1899 + cmd == BC_INCREFS_DONE ? "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1900 1900 + node->debug_id, node->local_strong_refs, node->local_weak_refs); 1901 1901 + break; 1902 1902 + } 1903 1903 + case BC_ATTEMPT_ACQUIRE: 1904 1904 + printk(KERN_ERR "binder: BC_ATTEMPT_ACQUIRE not supported\n"); 1905 1905 + return -EINVAL; 1906 1906 + case BC_ACQUIRE_RESULT: 1907 1907 + printk(KERN_ERR "binder: BC_ACQUIRE_RESULT not supported\n"); 1908 1908 + return -EINVAL; 1909 1909 + 1910 1910 + case BC_FREE_BUFFER: { 1911 1911 + void __user *data_ptr; 1912 1912 + struct binder_buffer *buffer; 1913 1913 + 1914 1914 + if (get_user(data_ptr, (void * __user *)ptr)) 1915 1915 + return -EFAULT; 1916 1916 + ptr += sizeof(void *); 1917 1917 + 1918 1918 + buffer = binder_buffer_lookup(proc, data_ptr); 1919 1919 + if (buffer == NULL) { 1920 1920 + binder_user_error("binder: %d:%d " 1921 1921 + "BC_FREE_BUFFER u%p no match\n", 1922 1922 + proc->pid, thread->pid, data_ptr); 1923 1923 + break; 1924 1924 + } 1925 1925 + if (!buffer->allow_user_free) { 1926 1926 + binder_user_error("binder: %d:%d " 1927 1927 + "BC_FREE_BUFFER u%p matched " 1928 1928 + "unreturned buffer\n", 1929 1929 + proc->pid, thread->pid, data_ptr); 1930 1930 + break; 1931 1931 + } 1932 1932 + binder_debug(BINDER_DEBUG_FREE_BUFFER, 1933 1933 + "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1934 1934 + proc->pid, thread->pid, data_ptr, buffer->debug_id, 1935 1935 + buffer->transaction ? "active" : "finished"); 1936 1936 + 1937 1937 + if (buffer->transaction) { 1938 1938 + buffer->transaction->buffer = NULL; 1939 1939 + buffer->transaction = NULL; 1940 1940 + } 1941 1941 + if (buffer->async_transaction && buffer->target_node) { 1942 1942 + BUG_ON(!buffer->target_node->has_async_transaction); 1943 1943 + if (list_empty(&buffer->target_node->async_todo)) 1944 1944 + buffer->target_node->has_async_transaction = 0; 1945 1945 + else 1946 1946 + list_move_tail(buffer->target_node->async_todo.next, &thread->todo); 1947 1947 + } 1948 1948 + binder_transaction_buffer_release(proc, buffer, NULL); 1949 1949 + binder_free_buf(proc, buffer); 1950 1950 + break; 1951 1951 + } 1952 1952 + 1953 1953 + case BC_TRANSACTION: 1954 1954 + case BC_REPLY: { 1955 1955 + struct binder_transaction_data tr; 1956 1956 + 1957 1957 + if (copy_from_user(&tr, ptr, sizeof(tr))) 1958 1958 + return -EFAULT; 1959 1959 + ptr += sizeof(tr); 1960 1960 + binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 1961 1961 + break; 1962 1962 + } 1963 1963 + 1964 1964 + case BC_REGISTER_LOOPER: 1965 1965 + binder_debug(BINDER_DEBUG_THREADS, 1966 1966 + "binder: %d:%d BC_REGISTER_LOOPER\n", 1967 1967 + proc->pid, thread->pid); 1968 1968 + if (thread->looper & BINDER_LOOPER_STATE_ENTERED) { 1969 1969 + thread->looper |= BINDER_LOOPER_STATE_INVALID; 1970 1970 + binder_user_error("binder: %d:%d ERROR:" 1971 1971 + " BC_REGISTER_LOOPER called " 1972 1972 + "after BC_ENTER_LOOPER\n", 1973 1973 + proc->pid, thread->pid); 1974 1974 + } else if (proc->requested_threads == 0) { 1975 1975 + thread->looper |= BINDER_LOOPER_STATE_INVALID; 1976 1976 + binder_user_error("binder: %d:%d ERROR:" 1977 1977 + " BC_REGISTER_LOOPER called " 1978 1978 + "without request\n", 1979 1979 + proc->pid, thread->pid); 1980 1980 + } else { 1981 1981 + proc->requested_threads--; 1982 1982 + proc->requested_threads_started++; 1983 1983 + } 1984 1984 + thread->looper |= BINDER_LOOPER_STATE_REGISTERED; 1985 1985 + break; 1986 1986 + case BC_ENTER_LOOPER: 1987 1987 + binder_debug(BINDER_DEBUG_THREADS, 1988 1988 + "binder: %d:%d BC_ENTER_LOOPER\n", 1989 1989 + proc->pid, thread->pid); 1990 1990 + if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) { 1991 1991 + thread->looper |= BINDER_LOOPER_STATE_INVALID; 1992 1992 + binder_user_error("binder: %d:%d ERROR:" 1993 1993 + " BC_ENTER_LOOPER called after " 1994 1994 + "BC_REGISTER_LOOPER\n", 1995 1995 + proc->pid, thread->pid); 1996 1996 + } 1997 1997 + thread->looper |= BINDER_LOOPER_STATE_ENTERED; 1998 1998 + break; 1999 1999 + case BC_EXIT_LOOPER: 2000 2000 + binder_debug(BINDER_DEBUG_THREADS, 2001 2001 + "binder: %d:%d BC_EXIT_LOOPER\n", 2002 2002 + proc->pid, thread->pid); 2003 2003 + thread->looper |= BINDER_LOOPER_STATE_EXITED; 2004 2004 + break; 2005 2005 + 2006 2006 + case BC_REQUEST_DEATH_NOTIFICATION: 2007 2007 + case BC_CLEAR_DEATH_NOTIFICATION: { 2008 2008 + uint32_t target; 2009 2009 + void __user *cookie; 2010 2010 + struct binder_ref *ref; 2011 2011 + struct binder_ref_death *death; 2012 2012 + 2013 2013 + if (get_user(target, (uint32_t __user *)ptr)) 2014 2014 + return -EFAULT; 2015 2015 + ptr += sizeof(uint32_t); 2016 2016 + if (get_user(cookie, (void __user * __user *)ptr)) 2017 2017 + return -EFAULT; 2018 2018 + ptr += sizeof(void *); 2019 2019 + ref = binder_get_ref(proc, target); 2020 2020 + if (ref == NULL) { 2021 2021 + binder_user_error("binder: %d:%d %s " 2022 2022 + "invalid ref %d\n", 2023 2023 + proc->pid, thread->pid, 2024 2024 + cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2025 2025 + "BC_REQUEST_DEATH_NOTIFICATION" : 2026 2026 + "BC_CLEAR_DEATH_NOTIFICATION", 2027 2027 + target); 2028 2028 + break; 2029 2029 + } 2030 2030 + 2031 2031 + binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2032 2032 + "binder: %d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 2033 2033 + proc->pid, thread->pid, 2034 2034 + cmd == BC_REQUEST_DEATH_NOTIFICATION ? 2035 2035 + "BC_REQUEST_DEATH_NOTIFICATION" : 2036 2036 + "BC_CLEAR_DEATH_NOTIFICATION", 2037 2037 + cookie, ref->debug_id, ref->desc, 2038 2038 + ref->strong, ref->weak, ref->node->debug_id); 2039 2039 + 2040 2040 + if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { 2041 2041 + if (ref->death) { 2042 2042 + binder_user_error("binder: %d:%" 2043 2043 + "d BC_REQUEST_DEATH_NOTI" 2044 2044 + "FICATION death notific" 2045 2045 + "ation already set\n", 2046 2046 + proc->pid, thread->pid); 2047 2047 + break; 2048 2048 + } 2049 2049 + death = kzalloc(sizeof(*death), GFP_KERNEL); 2050 2050 + if (death == NULL) { 2051 2051 + thread->return_error = BR_ERROR; 2052 2052 + binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 2053 2053 + "binder: %d:%d " 2054 2054 + "BC_REQUEST_DEATH_NOTIFICATION failed\n", 2055 2055 + proc->pid, thread->pid); 2056 2056 + break; 2057 2057 + } 2058 2058 + binder_stats_created(BINDER_STAT_DEATH); 2059 2059 + INIT_LIST_HEAD(&death->work.entry); 2060 2060 + death->cookie = cookie; 2061 2061 + ref->death = death; 2062 2062 + if (ref->node->proc == NULL) { 2063 2063 + ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2064 2064 + if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2065 2065 + list_add_tail(&ref->death->work.entry, &thread->todo); 2066 2066 + } else { 2067 2067 + list_add_tail(&ref->death->work.entry, &proc->todo); 2068 2068 + wake_up_interruptible(&proc->wait); 2069 2069 + } 2070 2070 + } 2071 2071 + } else { 2072 2072 + if (ref->death == NULL) { 2073 2073 + binder_user_error("binder: %d:%" 2074 2074 + "d BC_CLEAR_DEATH_NOTIFI" 2075 2075 + "CATION death notificat" 2076 2076 + "ion not active\n", 2077 2077 + proc->pid, thread->pid); 2078 2078 + break; 2079 2079 + } 2080 2080 + death = ref->death; 2081 2081 + if (death->cookie != cookie) { 2082 2082 + binder_user_error("binder: %d:%" 2083 2083 + "d BC_CLEAR_DEATH_NOTIFI" 2084 2084 + "CATION death notificat" 2085 2085 + "ion cookie mismatch " 2086 2086 + "%p != %p\n", 2087 2087 + proc->pid, thread->pid, 2088 2088 + death->cookie, cookie); 2089 2089 + break; 2090 2090 + } 2091 2091 + ref->death = NULL; 2092 2092 + if (list_empty(&death->work.entry)) { 2093 2093 + death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2094 2094 + if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2095 2095 + list_add_tail(&death->work.entry, &thread->todo); 2096 2096 + } else { 2097 2097 + list_add_tail(&death->work.entry, &proc->todo); 2098 2098 + wake_up_interruptible(&proc->wait); 2099 2099 + } 2100 2100 + } else { 2101 2101 + BUG_ON(death->work.type != BINDER_WORK_DEAD_BINDER); 2102 2102 + death->work.type = BINDER_WORK_DEAD_BINDER_AND_CLEAR; 2103 2103 + } 2104 2104 + } 2105 2105 + } break; 2106 2106 + case BC_DEAD_BINDER_DONE: { 2107 2107 + struct binder_work *w; 2108 2108 + void __user *cookie; 2109 2109 + struct binder_ref_death *death = NULL; 2110 2110 + if (get_user(cookie, (void __user * __user *)ptr)) 2111 2111 + return -EFAULT; 2112 2112 + 2113 2113 + ptr += sizeof(void *); 2114 2114 + list_for_each_entry(w, &proc->delivered_death, entry) { 2115 2115 + struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work); 2116 2116 + if (tmp_death->cookie == cookie) { 2117 2117 + death = tmp_death; 2118 2118 + break; 2119 2119 + } 2120 2120 + } 2121 2121 + binder_debug(BINDER_DEBUG_DEAD_BINDER, 2122 2122 + "binder: %d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2123 2123 + proc->pid, thread->pid, cookie, death); 2124 2124 + if (death == NULL) { 2125 2125 + binder_user_error("binder: %d:%d BC_DEAD" 2126 2126 + "_BINDER_DONE %p not found\n", 2127 2127 + proc->pid, thread->pid, cookie); 2128 2128 + break; 2129 2129 + } 2130 2130 + 2131 2131 + list_del_init(&death->work.entry); 2132 2132 + if (death->work.type == BINDER_WORK_DEAD_BINDER_AND_CLEAR) { 2133 2133 + death->work.type = BINDER_WORK_CLEAR_DEATH_NOTIFICATION; 2134 2134 + if (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | BINDER_LOOPER_STATE_ENTERED)) { 2135 2135 + list_add_tail(&death->work.entry, &thread->todo); 2136 2136 + } else { 2137 2137 + list_add_tail(&death->work.entry, &proc->todo); 2138 2138 + wake_up_interruptible(&proc->wait); 2139 2139 + } 2140 2140 + } 2141 2141 + } break; 2142 2142 + 2143 2143 + default: 2144 2144 + printk(KERN_ERR "binder: %d:%d unknown command %d\n", 2145 2145 + proc->pid, thread->pid, cmd); 2146 2146 + return -EINVAL; 2147 2147 + } 2148 2148 + *consumed = ptr - buffer; 2149 2149 + } 2150 2150 + return 0; 2151 2151 + } 2152 2152 + 2153 2153 + void binder_stat_br(struct binder_proc *proc, struct binder_thread *thread, 2154 2154 + uint32_t cmd) 2155 2155 + { 2156 2156 + if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.br)) { 2157 2157 + binder_stats.br[_IOC_NR(cmd)]++; 2158 2158 + proc->stats.br[_IOC_NR(cmd)]++; 2159 2159 + thread->stats.br[_IOC_NR(cmd)]++; 2160 2160 + } 2161 2161 + } 2162 2162 + 2163 2163 + static int binder_has_proc_work(struct binder_proc *proc, 2164 2164 + struct binder_thread *thread) 2165 2165 + { 2166 2166 + return !list_empty(&proc->todo) || 2167 2167 + (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2168 2168 + } 2169 2169 + 2170 2170 + static int binder_has_thread_work(struct binder_thread *thread) 2171 2171 + { 2172 2172 + return !list_empty(&thread->todo) || thread->return_error != BR_OK || 2173 2173 + (thread->looper & BINDER_LOOPER_STATE_NEED_RETURN); 2174 2174 + } 2175 2175 + 2176 2176 + static int binder_thread_read(struct binder_proc *proc, 2177 2177 + struct binder_thread *thread, 2178 2178 + void __user *buffer, int size, 2179 2179 + signed long *consumed, int non_block) 2180 2180 + { 2181 2181 + void __user *ptr = buffer + *consumed; 2182 2182 + void __user *end = buffer + size; 2183 2183 + 2184 2184 + int ret = 0; 2185 2185 + int wait_for_proc_work; 2186 2186 + 2187 2187 + if (*consumed == 0) { 2188 2188 + if (put_user(BR_NOOP, (uint32_t __user *)ptr)) 2189 2189 + return -EFAULT; 2190 2190 + ptr += sizeof(uint32_t); 2191 2191 + } 2192 2192 + 2193 2193 + retry: 2194 2194 + wait_for_proc_work = thread->transaction_stack == NULL && 2195 2195 + list_empty(&thread->todo); 2196 2196 + 2197 2197 + if (thread->return_error != BR_OK && ptr < end) { 2198 2198 + if (thread->return_error2 != BR_OK) { 2199 2199 + if (put_user(thread->return_error2, (uint32_t __user *)ptr)) 2200 2200 + return -EFAULT; 2201 2201 + ptr += sizeof(uint32_t); 2202 2202 + if (ptr == end) 2203 2203 + goto done; 2204 2204 + thread->return_error2 = BR_OK; 2205 2205 + } 2206 2206 + if (put_user(thread->return_error, (uint32_t __user *)ptr)) 2207 2207 + return -EFAULT; 2208 2208 + ptr += sizeof(uint32_t); 2209 2209 + thread->return_error = BR_OK; 2210 2210 + goto done; 2211 2211 + } 2212 2212 + 2213 2213 + 2214 2214 + thread->looper |= BINDER_LOOPER_STATE_WAITING; 2215 2215 + if (wait_for_proc_work) 2216 2216 + proc->ready_threads++; 2217 2217 + mutex_unlock(&binder_lock); 2218 2218 + if (wait_for_proc_work) { 2219 2219 + if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2220 2220 + BINDER_LOOPER_STATE_ENTERED))) { 2221 2221 + binder_user_error("binder: %d:%d ERROR: Thread waiting " 2222 2222 + "for process work before calling BC_REGISTER_" 2223 2223 + "LOOPER or BC_ENTER_LOOPER (state %x)\n", 2224 2224 + proc->pid, thread->pid, thread->looper); 2225 2225 + wait_event_interruptible(binder_user_error_wait, 2226 2226 + binder_stop_on_user_error < 2); 2227 2227 + } 2228 2228 + binder_set_nice(proc->default_priority); 2229 2229 + if (non_block) { 2230 2230 + if (!binder_has_proc_work(proc, thread)) 2231 2231 + ret = -EAGAIN; 2232 2232 + } else 2233 2233 + ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); 2234 2234 + } else { 2235 2235 + if (non_block) { 2236 2236 + if (!binder_has_thread_work(thread)) 2237 2237 + ret = -EAGAIN; 2238 2238 + } else 2239 2239 + ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); 2240 2240 + } 2241 2241 + mutex_lock(&binder_lock); 2242 2242 + if (wait_for_proc_work) 2243 2243 + proc->ready_threads--; 2244 2244 + thread->looper &= ~BINDER_LOOPER_STATE_WAITING; 2245 2245 + 2246 2246 + if (ret) 2247 2247 + return ret; 2248 2248 + 2249 2249 + while (1) { 2250 2250 + uint32_t cmd; 2251 2251 + struct binder_transaction_data tr; 2252 2252 + struct binder_work *w; 2253 2253 + struct binder_transaction *t = NULL; 2254 2254 + 2255 2255 + if (!list_empty(&thread->todo)) 2256 2256 + w = list_first_entry(&thread->todo, struct binder_work, entry); 2257 2257 + else if (!list_empty(&proc->todo) && wait_for_proc_work) 2258 2258 + w = list_first_entry(&proc->todo, struct binder_work, entry); 2259 2259 + else { 2260 2260 + if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ 2261 2261 + goto retry; 2262 2262 + break; 2263 2263 + } 2264 2264 + 2265 2265 + if (end - ptr < sizeof(tr) + 4) 2266 2266 + break; 2267 2267 + 2268 2268 + switch (w->type) { 2269 2269 + case BINDER_WORK_TRANSACTION: { 2270 2270 + t = container_of(w, struct binder_transaction, work); 2271 2271 + } break; 2272 2272 + case BINDER_WORK_TRANSACTION_COMPLETE: { 2273 2273 + cmd = BR_TRANSACTION_COMPLETE; 2274 2274 + if (put_user(cmd, (uint32_t __user *)ptr)) 2275 2275 + return -EFAULT; 2276 2276 + ptr += sizeof(uint32_t); 2277 2277 + 2278 2278 + binder_stat_br(proc, thread, cmd); 2279 2279 + binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, 2280 2280 + "binder: %d:%d BR_TRANSACTION_COMPLETE\n", 2281 2281 + proc->pid, thread->pid); 2282 2282 + 2283 2283 + list_del(&w->entry); 2284 2284 + kfree(w); 2285 2285 + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2286 2286 + } break; 2287 2287 + case BINDER_WORK_NODE: { 2288 2288 + struct binder_node *node = container_of(w, struct binder_node, work); 2289 2289 + uint32_t cmd = BR_NOOP; 2290 2290 + const char *cmd_name; 2291 2291 + int strong = node->internal_strong_refs || node->local_strong_refs; 2292 2292 + int weak = !hlist_empty(&node->refs) || node->local_weak_refs || strong; 2293 2293 + if (weak && !node->has_weak_ref) { 2294 2294 + cmd = BR_INCREFS; 2295 2295 + cmd_name = "BR_INCREFS"; 2296 2296 + node->has_weak_ref = 1; 2297 2297 + node->pending_weak_ref = 1; 2298 2298 + node->local_weak_refs++; 2299 2299 + } else if (strong && !node->has_strong_ref) { 2300 2300 + cmd = BR_ACQUIRE; 2301 2301 + cmd_name = "BR_ACQUIRE"; 2302 2302 + node->has_strong_ref = 1; 2303 2303 + node->pending_strong_ref = 1; 2304 2304 + node->local_strong_refs++; 2305 2305 + } else if (!strong && node->has_strong_ref) { 2306 2306 + cmd = BR_RELEASE; 2307 2307 + cmd_name = "BR_RELEASE"; 2308 2308 + node->has_strong_ref = 0; 2309 2309 + } else if (!weak && node->has_weak_ref) { 2310 2310 + cmd = BR_DECREFS; 2311 2311 + cmd_name = "BR_DECREFS"; 2312 2312 + node->has_weak_ref = 0; 2313 2313 + } 2314 2314 + if (cmd != BR_NOOP) { 2315 2315 + if (put_user(cmd, (uint32_t __user *)ptr)) 2316 2316 + return -EFAULT; 2317 2317 + ptr += sizeof(uint32_t); 2318 2318 + if (put_user(node->ptr, (void * __user *)ptr)) 2319 2319 + return -EFAULT; 2320 2320 + ptr += sizeof(void *); 2321 2321 + if (put_user(node->cookie, (void * __user *)ptr)) 2322 2322 + return -EFAULT; 2323 2323 + ptr += sizeof(void *); 2324 2324 + 2325 2325 + binder_stat_br(proc, thread, cmd); 2326 2326 + binder_debug(BINDER_DEBUG_USER_REFS, 2327 2327 + "binder: %d:%d %s %d u%p c%p\n", 2328 2328 + proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2329 2329 + } else { 2330 2330 + list_del_init(&w->entry); 2331 2331 + if (!weak && !strong) { 2332 2332 + binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2333 2333 + "binder: %d:%d node %d u%p c%p deleted\n", 2334 2334 + proc->pid, thread->pid, node->debug_id, 2335 2335 + node->ptr, node->cookie); 2336 2336 + rb_erase(&node->rb_node, &proc->nodes); 2337 2337 + kfree(node); 2338 2338 + binder_stats_deleted(BINDER_STAT_NODE); 2339 2339 + } else { 2340 2340 + binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2341 2341 + "binder: %d:%d node %d u%p c%p state unchanged\n", 2342 2342 + proc->pid, thread->pid, node->debug_id, node->ptr, 2343 2343 + node->cookie); 2344 2344 + } 2345 2345 + } 2346 2346 + } break; 2347 2347 + case BINDER_WORK_DEAD_BINDER: 2348 2348 + case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 2349 2349 + case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: { 2350 2350 + struct binder_ref_death *death; 2351 2351 + uint32_t cmd; 2352 2352 + 2353 2353 + death = container_of(w, struct binder_ref_death, work); 2354 2354 + if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) 2355 2355 + cmd = BR_CLEAR_DEATH_NOTIFICATION_DONE; 2356 2356 + else 2357 2357 + cmd = BR_DEAD_BINDER; 2358 2358 + if (put_user(cmd, (uint32_t __user *)ptr)) 2359 2359 + return -EFAULT; 2360 2360 + ptr += sizeof(uint32_t); 2361 2361 + if (put_user(death->cookie, (void * __user *)ptr)) 2362 2362 + return -EFAULT; 2363 2363 + ptr += sizeof(void *); 2364 2364 + binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2365 2365 + "binder: %d:%d %s %p\n", 2366 2366 + proc->pid, thread->pid, 2367 2367 + cmd == BR_DEAD_BINDER ? 2368 2368 + "BR_DEAD_BINDER" : 2369 2369 + "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2370 2370 + death->cookie); 2371 2371 + 2372 2372 + if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2373 2373 + list_del(&w->entry); 2374 2374 + kfree(death); 2375 2375 + binder_stats_deleted(BINDER_STAT_DEATH); 2376 2376 + } else 2377 2377 + list_move(&w->entry, &proc->delivered_death); 2378 2378 + if (cmd == BR_DEAD_BINDER) 2379 2379 + goto done; /* DEAD_BINDER notifications can cause transactions */ 2380 2380 + } break; 2381 2381 + } 2382 2382 + 2383 2383 + if (!t) 2384 2384 + continue; 2385 2385 + 2386 2386 + BUG_ON(t->buffer == NULL); 2387 2387 + if (t->buffer->target_node) { 2388 2388 + struct binder_node *target_node = t->buffer->target_node; 2389 2389 + tr.target.ptr = target_node->ptr; 2390 2390 + tr.cookie = target_node->cookie; 2391 2391 + t->saved_priority = task_nice(current); 2392 2392 + if (t->priority < target_node->min_priority && 2393 2393 + !(t->flags & TF_ONE_WAY)) 2394 2394 + binder_set_nice(t->priority); 2395 2395 + else if (!(t->flags & TF_ONE_WAY) || 2396 2396 + t->saved_priority > target_node->min_priority) 2397 2397 + binder_set_nice(target_node->min_priority); 2398 2398 + cmd = BR_TRANSACTION; 2399 2399 + } else { 2400 2400 + tr.target.ptr = NULL; 2401 2401 + tr.cookie = NULL; 2402 2402 + cmd = BR_REPLY; 2403 2403 + } 2404 2404 + tr.code = t->code; 2405 2405 + tr.flags = t->flags; 2406 2406 + tr.sender_euid = t->sender_euid; 2407 2407 + 2408 2408 + if (t->from) { 2409 2409 + struct task_struct *sender = t->from->proc->tsk; 2410 2410 + tr.sender_pid = task_tgid_nr_ns(sender, 2411 2411 + current->nsproxy->pid_ns); 2412 2412 + } else { 2413 2413 + tr.sender_pid = 0; 2414 2414 + } 2415 2415 + 2416 2416 + tr.data_size = t->buffer->data_size; 2417 2417 + tr.offsets_size = t->buffer->offsets_size; 2418 2418 + tr.data.ptr.buffer = (void *)t->buffer->data + 2419 2419 + proc->user_buffer_offset; 2420 2420 + tr.data.ptr.offsets = tr.data.ptr.buffer + 2421 2421 + ALIGN(t->buffer->data_size, 2422 2422 + sizeof(void *)); 2423 2423 + 2424 2424 + if (put_user(cmd, (uint32_t __user *)ptr)) 2425 2425 + return -EFAULT; 2426 2426 + ptr += sizeof(uint32_t); 2427 2427 + if (copy_to_user(ptr, &tr, sizeof(tr))) 2428 2428 + return -EFAULT; 2429 2429 + ptr += sizeof(tr); 2430 2430 + 2431 2431 + binder_stat_br(proc, thread, cmd); 2432 2432 + binder_debug(BINDER_DEBUG_TRANSACTION, 2433 2433 + "binder: %d:%d %s %d %d:%d, cmd %d" 2434 2434 + "size %zd-%zd ptr %p-%p\n", 2435 2435 + proc->pid, thread->pid, 2436 2436 + (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : 2437 2437 + "BR_REPLY", 2438 2438 + t->debug_id, t->from ? t->from->proc->pid : 0, 2439 2439 + t->from ? t->from->pid : 0, cmd, 2440 2440 + t->buffer->data_size, t->buffer->offsets_size, 2441 2441 + tr.data.ptr.buffer, tr.data.ptr.offsets); 2442 2442 + 2443 2443 + list_del(&t->work.entry); 2444 2444 + t->buffer->allow_user_free = 1; 2445 2445 + if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { 2446 2446 + t->to_parent = thread->transaction_stack; 2447 2447 + t->to_thread = thread; 2448 2448 + thread->transaction_stack = t; 2449 2449 + } else { 2450 2450 + t->buffer->transaction = NULL; 2451 2451 + kfree(t); 2452 2452 + binder_stats_deleted(BINDER_STAT_TRANSACTION); 2453 2453 + } 2454 2454 + break; 2455 2455 + } 2456 2456 + 2457 2457 + done: 2458 2458 + 2459 2459 + *consumed = ptr - buffer; 2460 2460 + if (proc->requested_threads + proc->ready_threads == 0 && 2461 2461 + proc->requested_threads_started < proc->max_threads && 2462 2462 + (thread->looper & (BINDER_LOOPER_STATE_REGISTERED | 2463 2463 + BINDER_LOOPER_STATE_ENTERED)) /* the user-space code fails to */ 2464 2464 + /*spawn a new thread if we leave this out */) { 2465 2465 + proc->requested_threads++; 2466 2466 + binder_debug(BINDER_DEBUG_THREADS, 2467 2467 + "binder: %d:%d BR_SPAWN_LOOPER\n", 2468 2468 + proc->pid, thread->pid); 2469 2469 + if (put_user(BR_SPAWN_LOOPER, (uint32_t __user *)buffer)) 2470 2470 + return -EFAULT; 2471 2471 + } 2472 2472 + return 0; 2473 2473 + } 2474 2474 + 2475 2475 + static void binder_release_work(struct list_head *list) 2476 2476 + { 2477 2477 + struct binder_work *w; 2478 2478 + while (!list_empty(list)) { 2479 2479 + w = list_first_entry(list, struct binder_work, entry); 2480 2480 + list_del_init(&w->entry); 2481 2481 + switch (w->type) { 2482 2482 + case BINDER_WORK_TRANSACTION: { 2483 2483 + struct binder_transaction *t; 2484 2484 + 2485 2485 + t = container_of(w, struct binder_transaction, work); 2486 2486 + if (t->buffer->target_node && !(t->flags & TF_ONE_WAY)) 2487 2487 + binder_send_failed_reply(t, BR_DEAD_REPLY); 2488 2488 + } break; 2489 2489 + case BINDER_WORK_TRANSACTION_COMPLETE: { 2490 2490 + kfree(w); 2491 2491 + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); 2492 2492 + } break; 2493 2493 + default: 2494 2494 + break; 2495 2495 + } 2496 2496 + } 2497 2497 + 2498 2498 + } 2499 2499 + 2500 2500 + static struct binder_thread *binder_get_thread(struct binder_proc *proc) 2501 2501 + { 2502 2502 + struct binder_thread *thread = NULL; 2503 2503 + struct rb_node *parent = NULL; 2504 2504 + struct rb_node **p = &proc->threads.rb_node; 2505 2505 + 2506 2506 + while (*p) { 2507 2507 + parent = *p; 2508 2508 + thread = rb_entry(parent, struct binder_thread, rb_node); 2509 2509 + 2510 2510 + if (current->pid < thread->pid) 2511 2511 + p = &(*p)->rb_left; 2512 2512 + else if (current->pid > thread->pid) 2513 2513 + p = &(*p)->rb_right; 2514 2514 + else 2515 2515 + break; 2516 2516 + } 2517 2517 + if (*p == NULL) { 2518 2518 + thread = kzalloc(sizeof(*thread), GFP_KERNEL); 2519 2519 + if (thread == NULL) 2520 2520 + return NULL; 2521 2521 + binder_stats_created(BINDER_STAT_THREAD); 2522 2522 + thread->proc = proc; 2523 2523 + thread->pid = current->pid; 2524 2524 + init_waitqueue_head(&thread->wait); 2525 2525 + INIT_LIST_HEAD(&thread->todo); 2526 2526 + rb_link_node(&thread->rb_node, parent, p); 2527 2527 + rb_insert_color(&thread->rb_node, &proc->threads); 2528 2528 + thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2529 2529 + thread->return_error = BR_OK; 2530 2530 + thread->return_error2 = BR_OK; 2531 2531 + } 2532 2532 + return thread; 2533 2533 + } 2534 2534 + 2535 2535 + static int binder_free_thread(struct binder_proc *proc, 2536 2536 + struct binder_thread *thread) 2537 2537 + { 2538 2538 + struct binder_transaction *t; 2539 2539 + struct binder_transaction *send_reply = NULL; 2540 2540 + int active_transactions = 0; 2541 2541 + 2542 2542 + rb_erase(&thread->rb_node, &proc->threads); 2543 2543 + t = thread->transaction_stack; 2544 2544 + if (t && t->to_thread == thread) 2545 2545 + send_reply = t; 2546 2546 + while (t) { 2547 2547 + active_transactions++; 2548 2548 + binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2549 2549 + "binder: release %d:%d transaction %d " 2550 2550 + "%s, still active\n", proc->pid, thread->pid, 2551 2551 + t->debug_id, 2552 2552 + (t->to_thread == thread) ? "in" : "out"); 2553 2553 + 2554 2554 + if (t->to_thread == thread) { 2555 2555 + t->to_proc = NULL; 2556 2556 + t->to_thread = NULL; 2557 2557 + if (t->buffer) { 2558 2558 + t->buffer->transaction = NULL; 2559 2559 + t->buffer = NULL; 2560 2560 + } 2561 2561 + t = t->to_parent; 2562 2562 + } else if (t->from == thread) { 2563 2563 + t->from = NULL; 2564 2564 + t = t->from_parent; 2565 2565 + } else 2566 2566 + BUG(); 2567 2567 + } 2568 2568 + if (send_reply) 2569 2569 + binder_send_failed_reply(send_reply, BR_DEAD_REPLY); 2570 2570 + binder_release_work(&thread->todo); 2571 2571 + kfree(thread); 2572 2572 + binder_stats_deleted(BINDER_STAT_THREAD); 2573 2573 + return active_transactions; 2574 2574 + } 2575 2575 + 2576 2576 + static unsigned int binder_poll(struct file *filp, 2577 2577 + struct poll_table_struct *wait) 2578 2578 + { 2579 2579 + struct binder_proc *proc = filp->private_data; 2580 2580 + struct binder_thread *thread = NULL; 2581 2581 + int wait_for_proc_work; 2582 2582 + 2583 2583 + mutex_lock(&binder_lock); 2584 2584 + thread = binder_get_thread(proc); 2585 2585 + 2586 2586 + wait_for_proc_work = thread->transaction_stack == NULL && 2587 2587 + list_empty(&thread->todo) && thread->return_error == BR_OK; 2588 2588 + mutex_unlock(&binder_lock); 2589 2589 + 2590 2590 + if (wait_for_proc_work) { 2591 2591 + if (binder_has_proc_work(proc, thread)) 2592 2592 + return POLLIN; 2593 2593 + poll_wait(filp, &proc->wait, wait); 2594 2594 + if (binder_has_proc_work(proc, thread)) 2595 2595 + return POLLIN; 2596 2596 + } else { 2597 2597 + if (binder_has_thread_work(thread)) 2598 2598 + return POLLIN; 2599 2599 + poll_wait(filp, &thread->wait, wait); 2600 2600 + if (binder_has_thread_work(thread)) 2601 2601 + return POLLIN; 2602 2602 + } 2603 2603 + return 0; 2604 2604 + } 2605 2605 + 2606 2606 + static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 2607 2607 + { 2608 2608 + int ret; 2609 2609 + struct binder_proc *proc = filp->private_data; 2610 2610 + struct binder_thread *thread; 2611 2611 + unsigned int size = _IOC_SIZE(cmd); 2612 2612 + void __user *ubuf = (void __user *)arg; 2613 2613 + 2614 2614 + /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ 2615 2615 + 2616 2616 + ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2617 2617 + if (ret) 2618 2618 + return ret; 2619 2619 + 2620 2620 + mutex_lock(&binder_lock); 2621 2621 + thread = binder_get_thread(proc); 2622 2622 + if (thread == NULL) { 2623 2623 + ret = -ENOMEM; 2624 2624 + goto err; 2625 2625 + } 2626 2626 + 2627 2627 + switch (cmd) { 2628 2628 + case BINDER_WRITE_READ: { 2629 2629 + struct binder_write_read bwr; 2630 2630 + if (size != sizeof(struct binder_write_read)) { 2631 2631 + ret = -EINVAL; 2632 2632 + goto err; 2633 2633 + } 2634 2634 + if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { 2635 2635 + ret = -EFAULT; 2636 2636 + goto err; 2637 2637 + } 2638 2638 + binder_debug(BINDER_DEBUG_READ_WRITE, 2639 2639 + "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n", 2640 2640 + proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, 2641 2641 + bwr.read_size, bwr.read_buffer); 2642 2642 + 2643 2643 + if (bwr.write_size > 0) { 2644 2644 + ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2645 2645 + if (ret < 0) { 2646 2646 + bwr.read_consumed = 0; 2647 2647 + if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2648 2648 + ret = -EFAULT; 2649 2649 + goto err; 2650 2650 + } 2651 2651 + } 2652 2652 + if (bwr.read_size > 0) { 2653 2653 + ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2654 2654 + if (!list_empty(&proc->todo)) 2655 2655 + wake_up_interruptible(&proc->wait); 2656 2656 + if (ret < 0) { 2657 2657 + if (copy_to_user(ubuf, &bwr, sizeof(bwr))) 2658 2658 + ret = -EFAULT; 2659 2659 + goto err; 2660 2660 + } 2661 2661 + } 2662 2662 + binder_debug(BINDER_DEBUG_READ_WRITE, 2663 2663 + "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n", 2664 2664 + proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, 2665 2665 + bwr.read_consumed, bwr.read_size); 2666 2666 + if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2667 2667 + ret = -EFAULT; 2668 2668 + goto err; 2669 2669 + } 2670 2670 + break; 2671 2671 + } 2672 2672 + case BINDER_SET_MAX_THREADS: 2673 2673 + if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) { 2674 2674 + ret = -EINVAL; 2675 2675 + goto err; 2676 2676 + } 2677 2677 + break; 2678 2678 + case BINDER_SET_CONTEXT_MGR: 2679 2679 + if (binder_context_mgr_node != NULL) { 2680 2680 + printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n"); 2681 2681 + ret = -EBUSY; 2682 2682 + goto err; 2683 2683 + } 2684 2684 + if (binder_context_mgr_uid != -1) { 2685 2685 + if (binder_context_mgr_uid != current->cred->euid) { 2686 2686 + printk(KERN_ERR "binder: BINDER_SET_" 2687 2687 + "CONTEXT_MGR bad uid %d != %d\n", 2688 2688 + current->cred->euid, 2689 2689 + binder_context_mgr_uid); 2690 2690 + ret = -EPERM; 2691 2691 + goto err; 2692 2692 + } 2693 2693 + } else 2694 2694 + binder_context_mgr_uid = current->cred->euid; 2695 2695 + binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2696 2696 + if (binder_context_mgr_node == NULL) { 2697 2697 + ret = -ENOMEM; 2698 2698 + goto err; 2699 2699 + } 2700 2700 + binder_context_mgr_node->local_weak_refs++; 2701 2701 + binder_context_mgr_node->local_strong_refs++; 2702 2702 + binder_context_mgr_node->has_strong_ref = 1; 2703 2703 + binder_context_mgr_node->has_weak_ref = 1; 2704 2704 + break; 2705 2705 + case BINDER_THREAD_EXIT: 2706 2706 + binder_debug(BINDER_DEBUG_THREADS, "binder: %d:%d exit\n", 2707 2707 + proc->pid, thread->pid); 2708 2708 + binder_free_thread(proc, thread); 2709 2709 + thread = NULL; 2710 2710 + break; 2711 2711 + case BINDER_VERSION: 2712 2712 + if (size != sizeof(struct binder_version)) { 2713 2713 + ret = -EINVAL; 2714 2714 + goto err; 2715 2715 + } 2716 2716 + if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) { 2717 2717 + ret = -EINVAL; 2718 2718 + goto err; 2719 2719 + } 2720 2720 + break; 2721 2721 + default: 2722 2722 + ret = -EINVAL; 2723 2723 + goto err; 2724 2724 + } 2725 2725 + ret = 0; 2726 2726 + err: 2727 2727 + if (thread) 2728 2728 + thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; 2729 2729 + mutex_unlock(&binder_lock); 2730 2730 + wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); 2731 2731 + if (ret && ret != -ERESTARTSYS) 2732 2732 + printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret); 2733 2733 + return ret; 2734 2734 + } 2735 2735 + 2736 2736 + static void binder_vma_open(struct vm_area_struct *vma) 2737 2737 + { 2738 2738 + struct binder_proc *proc = vma->vm_private_data; 2739 2739 + binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2740 2740 + "binder: %d open vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2741 2741 + proc->pid, vma->vm_start, vma->vm_end, 2742 2742 + (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2743 2743 + (unsigned long)pgprot_val(vma->vm_page_prot)); 2744 2744 + dump_stack(); 2745 2745 + } 2746 2746 + 2747 2747 + static void binder_vma_close(struct vm_area_struct *vma) 2748 2748 + { 2749 2749 + struct binder_proc *proc = vma->vm_private_data; 2750 2750 + binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2751 2751 + "binder: %d close vm area %lx-%lx (%ld K) vma %lx pagep %lx\n", 2752 2752 + proc->pid, vma->vm_start, vma->vm_end, 2753 2753 + (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2754 2754 + (unsigned long)pgprot_val(vma->vm_page_prot)); 2755 2755 + proc->vma = NULL; 2756 2756 + binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); 2757 2757 + } 2758 2758 + 2759 2759 + static struct vm_operations_struct binder_vm_ops = { 2760 2760 + .open = binder_vma_open, 2761 2761 + .close = binder_vma_close, 2762 2762 + }; 2763 2763 + 2764 2764 + static int binder_mmap(struct file *filp, struct vm_area_struct *vma) 2765 2765 + { 2766 2766 + int ret; 2767 2767 + struct vm_struct *area; 2768 2768 + struct binder_proc *proc = filp->private_data; 2769 2769 + const char *failure_string; 2770 2770 + struct binder_buffer *buffer; 2771 2771 + 2772 2772 + if ((vma->vm_end - vma->vm_start) > SZ_4M) 2773 2773 + vma->vm_end = vma->vm_start + SZ_4M; 2774 2774 + 2775 2775 + binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2776 2776 + "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n", 2777 2777 + proc->pid, vma->vm_start, vma->vm_end, 2778 2778 + (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, 2779 2779 + (unsigned long)pgprot_val(vma->vm_page_prot)); 2780 2780 + 2781 2781 + if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) { 2782 2782 + ret = -EPERM; 2783 2783 + failure_string = "bad vm_flags"; 2784 2784 + goto err_bad_arg; 2785 2785 + } 2786 2786 + vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 2787 2787 + 2788 2788 + if (proc->buffer) { 2789 2789 + ret = -EBUSY; 2790 2790 + failure_string = "already mapped"; 2791 2791 + goto err_already_mapped; 2792 2792 + } 2793 2793 + 2794 2794 + area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); 2795 2795 + if (area == NULL) { 2796 2796 + ret = -ENOMEM; 2797 2797 + failure_string = "get_vm_area"; 2798 2798 + goto err_get_vm_area_failed; 2799 2799 + } 2800 2800 + proc->buffer = area->addr; 2801 2801 + proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; 2802 2802 + 2803 2803 + #ifdef CONFIG_CPU_CACHE_VIPT 2804 2804 + if (cache_is_vipt_aliasing()) { 2805 2805 + while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { 2806 2806 + printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); 2807 2807 + vma->vm_start += PAGE_SIZE; 2808 2808 + } 2809 2809 + } 2810 2810 + #endif 2811 2811 + proc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL); 2812 2812 + if (proc->pages == NULL) { 2813 2813 + ret = -ENOMEM; 2814 2814 + failure_string = "alloc page array"; 2815 2815 + goto err_alloc_pages_failed; 2816 2816 + } 2817 2817 + proc->buffer_size = vma->vm_end - vma->vm_start; 2818 2818 + 2819 2819 + vma->vm_ops = &binder_vm_ops; 2820 2820 + vma->vm_private_data = proc; 2821 2821 + 2822 2822 + if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) { 2823 2823 + ret = -ENOMEM; 2824 2824 + failure_string = "alloc small buf"; 2825 2825 + goto err_alloc_small_buf_failed; 2826 2826 + } 2827 2827 + buffer = proc->buffer; 2828 2828 + INIT_LIST_HEAD(&proc->buffers); 2829 2829 + list_add(&buffer->entry, &proc->buffers); 2830 2830 + buffer->free = 1; 2831 2831 + binder_insert_free_buffer(proc, buffer); 2832 2832 + proc->free_async_space = proc->buffer_size / 2; 2833 2833 + barrier(); 2834 2834 + proc->files = get_files_struct(current); 2835 2835 + proc->vma = vma; 2836 2836 + 2837 2837 + /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", 2838 2838 + proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/ 2839 2839 + return 0; 2840 2840 + 2841 2841 + err_alloc_small_buf_failed: 2842 2842 + kfree(proc->pages); 2843 2843 + proc->pages = NULL; 2844 2844 + err_alloc_pages_failed: 2845 2845 + vfree(proc->buffer); 2846 2846 + proc->buffer = NULL; 2847 2847 + err_get_vm_area_failed: 2848 2848 + err_already_mapped: 2849 2849 + err_bad_arg: 2850 2850 + printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", 2851 2851 + proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); 2852 2852 + return ret; 2853 2853 + } 2854 2854 + 2855 2855 + static int binder_open(struct inode *nodp, struct file *filp) 2856 2856 + { 2857 2857 + struct binder_proc *proc; 2858 2858 + 2859 2859 + binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n", 2860 2860 + current->group_leader->pid, current->pid); 2861 2861 + 2862 2862 + proc = kzalloc(sizeof(*proc), GFP_KERNEL); 2863 2863 + if (proc == NULL) 2864 2864 + return -ENOMEM; 2865 2865 + get_task_struct(current); 2866 2866 + proc->tsk = current; 2867 2867 + INIT_LIST_HEAD(&proc->todo); 2868 2868 + init_waitqueue_head(&proc->wait); 2869 2869 + proc->default_priority = task_nice(current); 2870 2870 + mutex_lock(&binder_lock); 2871 2871 + binder_stats_created(BINDER_STAT_PROC); 2872 2872 + hlist_add_head(&proc->proc_node, &binder_procs); 2873 2873 + proc->pid = current->group_leader->pid; 2874 2874 + INIT_LIST_HEAD(&proc->delivered_death); 2875 2875 + filp->private_data = proc; 2876 2876 + mutex_unlock(&binder_lock); 2877 2877 + 2878 2878 + if (binder_proc_dir_entry_proc) { 2879 2879 + char strbuf[11]; 2880 2880 + snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2881 2881 + remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2882 2882 + create_proc_read_entry(strbuf, S_IRUGO, 2883 2883 + binder_proc_dir_entry_proc, 2884 2884 + binder_read_proc_proc, proc); 2885 2885 + } 2886 2886 + 2887 2887 + return 0; 2888 2888 + } 2889 2889 + 2890 2890 + static int binder_flush(struct file *filp, fl_owner_t id) 2891 2891 + { 2892 2892 + struct binder_proc *proc = filp->private_data; 2893 2893 + 2894 2894 + binder_defer_work(proc, BINDER_DEFERRED_FLUSH); 2895 2895 + 2896 2896 + return 0; 2897 2897 + } 2898 2898 + 2899 2899 + static void binder_deferred_flush(struct binder_proc *proc) 2900 2900 + { 2901 2901 + struct rb_node *n; 2902 2902 + int wake_count = 0; 2903 2903 + for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) { 2904 2904 + struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2905 2905 + thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN; 2906 2906 + if (thread->looper & BINDER_LOOPER_STATE_WAITING) { 2907 2907 + wake_up_interruptible(&thread->wait); 2908 2908 + wake_count++; 2909 2909 + } 2910 2910 + } 2911 2911 + wake_up_interruptible_all(&proc->wait); 2912 2912 + 2913 2913 + binder_debug(BINDER_DEBUG_OPEN_CLOSE, 2914 2914 + "binder_flush: %d woke %d threads\n", proc->pid, 2915 2915 + wake_count); 2916 2916 + } 2917 2917 + 2918 2918 + static int binder_release(struct inode *nodp, struct file *filp) 2919 2919 + { 2920 2920 + struct binder_proc *proc = filp->private_data; 2921 2921 + if (binder_proc_dir_entry_proc) { 2922 2922 + char strbuf[11]; 2923 2923 + snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 2924 2924 + remove_proc_entry(strbuf, binder_proc_dir_entry_proc); 2925 2925 + } 2926 2926 + 2927 2927 + binder_defer_work(proc, BINDER_DEFERRED_RELEASE); 2928 2928 + 2929 2929 + return 0; 2930 2930 + } 2931 2931 + 2932 2932 + static void binder_deferred_release(struct binder_proc *proc) 2933 2933 + { 2934 2934 + struct hlist_node *pos; 2935 2935 + struct binder_transaction *t; 2936 2936 + struct rb_node *n; 2937 2937 + int threads, nodes, incoming_refs, outgoing_refs, buffers, active_transactions, page_count; 2938 2938 + 2939 2939 + BUG_ON(proc->vma); 2940 2940 + BUG_ON(proc->files); 2941 2941 + 2942 2942 + hlist_del(&proc->proc_node); 2943 2943 + if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 2944 2944 + binder_debug(BINDER_DEBUG_DEAD_BINDER, 2945 2945 + "binder_release: %d context_mgr_node gone\n", 2946 2946 + proc->pid); 2947 2947 + binder_context_mgr_node = NULL; 2948 2948 + } 2949 2949 + 2950 2950 + threads = 0; 2951 2951 + active_transactions = 0; 2952 2952 + while ((n = rb_first(&proc->threads))) { 2953 2953 + struct binder_thread *thread = rb_entry(n, struct binder_thread, rb_node); 2954 2954 + threads++; 2955 2955 + active_transactions += binder_free_thread(proc, thread); 2956 2956 + } 2957 2957 + nodes = 0; 2958 2958 + incoming_refs = 0; 2959 2959 + while ((n = rb_first(&proc->nodes))) { 2960 2960 + struct binder_node *node = rb_entry(n, struct binder_node, rb_node); 2961 2961 + 2962 2962 + nodes++; 2963 2963 + rb_erase(&node->rb_node, &proc->nodes); 2964 2964 + list_del_init(&node->work.entry); 2965 2965 + if (hlist_empty(&node->refs)) { 2966 2966 + kfree(node); 2967 2967 + binder_stats_deleted(BINDER_STAT_NODE); 2968 2968 + } else { 2969 2969 + struct binder_ref *ref; 2970 2970 + int death = 0; 2971 2971 + 2972 2972 + node->proc = NULL; 2973 2973 + node->local_strong_refs = 0; 2974 2974 + node->local_weak_refs = 0; 2975 2975 + hlist_add_head(&node->dead_node, &binder_dead_nodes); 2976 2976 + 2977 2977 + hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 2978 2978 + incoming_refs++; 2979 2979 + if (ref->death) { 2980 2980 + death++; 2981 2981 + if (list_empty(&ref->death->work.entry)) { 2982 2982 + ref->death->work.type = BINDER_WORK_DEAD_BINDER; 2983 2983 + list_add_tail(&ref->death->work.entry, &ref->proc->todo); 2984 2984 + wake_up_interruptible(&ref->proc->wait); 2985 2985 + } else 2986 2986 + BUG(); 2987 2987 + } 2988 2988 + } 2989 2989 + binder_debug(BINDER_DEBUG_DEAD_BINDER, 2990 2990 + "binder: node %d now dead, " 2991 2991 + "refs %d, death %d\n", node->debug_id, 2992 2992 + incoming_refs, death); 2993 2993 + } 2994 2994 + } 2995 2995 + outgoing_refs = 0; 2996 2996 + while ((n = rb_first(&proc->refs_by_desc))) { 2997 2997 + struct binder_ref *ref = rb_entry(n, struct binder_ref, 2998 2998 + rb_node_desc); 2999 2999 + outgoing_refs++; 3000 3000 + binder_delete_ref(ref); 3001 3001 + } 3002 3002 + binder_release_work(&proc->todo); 3003 3003 + buffers = 0; 3004 3004 + 3005 3005 + while ((n = rb_first(&proc->allocated_buffers))) { 3006 3006 + struct binder_buffer *buffer = rb_entry(n, struct binder_buffer, 3007 3007 + rb_node); 3008 3008 + t = buffer->transaction; 3009 3009 + if (t) { 3010 3010 + t->buffer = NULL; 3011 3011 + buffer->transaction = NULL; 3012 3012 + printk(KERN_ERR "binder: release proc %d, " 3013 3013 + "transaction %d, not freed\n", 3014 3014 + proc->pid, t->debug_id); 3015 3015 + /*BUG();*/ 3016 3016 + } 3017 3017 + binder_free_buf(proc, buffer); 3018 3018 + buffers++; 3019 3019 + } 3020 3020 + 3021 3021 + binder_stats_deleted(BINDER_STAT_PROC); 3022 3022 + 3023 3023 + page_count = 0; 3024 3024 + if (proc->pages) { 3025 3025 + int i; 3026 3026 + for (i = 0; i < proc->buffer_size / PAGE_SIZE; i++) { 3027 3027 + if (proc->pages[i]) { 3028 3028 + binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 3029 3029 + "binder_release: %d: " 3030 3030 + "page %d at %p not freed\n", 3031 3031 + proc->pid, i, 3032 3032 + proc->buffer + i * PAGE_SIZE); 3033 3033 + __free_page(proc->pages[i]); 3034 3034 + page_count++; 3035 3035 + } 3036 3036 + } 3037 3037 + kfree(proc->pages); 3038 3038 + vfree(proc->buffer); 3039 3039 + } 3040 3040 + 3041 3041 + put_task_struct(proc->tsk); 3042 3042 + 3043 3043 + binder_debug(BINDER_DEBUG_OPEN_CLOSE, 3044 3044 + "binder_release: %d threads %d, nodes %d (ref %d), " 3045 3045 + "refs %d, active transactions %d, buffers %d, " 3046 3046 + "pages %d\n", 3047 3047 + proc->pid, threads, nodes, incoming_refs, outgoing_refs, 3048 3048 + active_transactions, buffers, page_count); 3049 3049 + 3050 3050 + kfree(proc); 3051 3051 + } 3052 3052 + 3053 3053 + static void binder_deferred_func(struct work_struct *work) 3054 3054 + { 3055 3055 + struct binder_proc *proc; 3056 3056 + struct files_struct *files; 3057 3057 + 3058 3058 + int defer; 3059 3059 + do { 3060 3060 + mutex_lock(&binder_lock); 3061 3061 + mutex_lock(&binder_deferred_lock); 3062 3062 + if (!hlist_empty(&binder_deferred_list)) { 3063 3063 + proc = hlist_entry(binder_deferred_list.first, 3064 3064 + struct binder_proc, deferred_work_node); 3065 3065 + hlist_del_init(&proc->deferred_work_node); 3066 3066 + defer = proc->deferred_work; 3067 3067 + proc->deferred_work = 0; 3068 3068 + } else { 3069 3069 + proc = NULL; 3070 3070 + defer = 0; 3071 3071 + } 3072 3072 + mutex_unlock(&binder_deferred_lock); 3073 3073 + 3074 3074 + files = NULL; 3075 3075 + if (defer & BINDER_DEFERRED_PUT_FILES) { 3076 3076 + files = proc->files; 3077 3077 + if (files) 3078 3078 + proc->files = NULL; 3079 3079 + } 3080 3080 + 3081 3081 + if (defer & BINDER_DEFERRED_FLUSH) 3082 3082 + binder_deferred_flush(proc); 3083 3083 + 3084 3084 + if (defer & BINDER_DEFERRED_RELEASE) 3085 3085 + binder_deferred_release(proc); /* frees proc */ 3086 3086 + 3087 3087 + mutex_unlock(&binder_lock); 3088 3088 + if (files) 3089 3089 + put_files_struct(files); 3090 3090 + } while (proc); 3091 3091 + } 3092 3092 + static DECLARE_WORK(binder_deferred_work, binder_deferred_func); 3093 3093 + 3094 3094 + static void 3095 3095 + binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer) 3096 3096 + { 3097 3097 + mutex_lock(&binder_deferred_lock); 3098 3098 + proc->deferred_work |= defer; 3099 3099 + if (hlist_unhashed(&proc->deferred_work_node)) { 3100 3100 + hlist_add_head(&proc->deferred_work_node, 3101 3101 + &binder_deferred_list); 3102 3102 + schedule_work(&binder_deferred_work); 3103 3103 + } 3104 3104 + mutex_unlock(&binder_deferred_lock); 3105 3105 + } 3106 3106 + 3107 3107 + static char *print_binder_transaction(char *buf, char *end, const char *prefix, 3108 3108 + struct binder_transaction *t) 3109 3109 + { 3110 3110 + buf += snprintf(buf, end - buf, 3111 3111 + "%s %d: %p from %d:%d to %d:%d code %x " 3112 3112 + "flags %x pri %ld r%d", 3113 3113 + prefix, t->debug_id, t, 3114 3114 + t->from ? t->from->proc->pid : 0, 3115 3115 + t->from ? t->from->pid : 0, 3116 3116 + t->to_proc ? t->to_proc->pid : 0, 3117 3117 + t->to_thread ? t->to_thread->pid : 0, 3118 3118 + t->code, t->flags, t->priority, t->need_reply); 3119 3119 + if (buf >= end) 3120 3120 + return buf; 3121 3121 + if (t->buffer == NULL) { 3122 3122 + buf += snprintf(buf, end - buf, " buffer free\n"); 3123 3123 + return buf; 3124 3124 + } 3125 3125 + if (t->buffer->target_node) { 3126 3126 + buf += snprintf(buf, end - buf, " node %d", 3127 3127 + t->buffer->target_node->debug_id); 3128 3128 + if (buf >= end) 3129 3129 + return buf; 3130 3130 + } 3131 3131 + buf += snprintf(buf, end - buf, " size %zd:%zd data %p\n", 3132 3132 + t->buffer->data_size, t->buffer->offsets_size, 3133 3133 + t->buffer->data); 3134 3134 + return buf; 3135 3135 + } 3136 3136 + 3137 3137 + static char *print_binder_buffer(char *buf, char *end, const char *prefix, 3138 3138 + struct binder_buffer *buffer) 3139 3139 + { 3140 3140 + buf += snprintf(buf, end - buf, "%s %d: %p size %zd:%zd %s\n", 3141 3141 + prefix, buffer->debug_id, buffer->data, 3142 3142 + buffer->data_size, buffer->offsets_size, 3143 3143 + buffer->transaction ? "active" : "delivered"); 3144 3144 + return buf; 3145 3145 + } 3146 3146 + 3147 3147 + static char *print_binder_work(char *buf, char *end, const char *prefix, 3148 3148 + const char *transaction_prefix, 3149 3149 + struct binder_work *w) 3150 3150 + { 3151 3151 + struct binder_node *node; 3152 3152 + struct binder_transaction *t; 3153 3153 + 3154 3154 + switch (w->type) { 3155 3155 + case BINDER_WORK_TRANSACTION: 3156 3156 + t = container_of(w, struct binder_transaction, work); 3157 3157 + buf = print_binder_transaction(buf, end, transaction_prefix, t); 3158 3158 + break; 3159 3159 + case BINDER_WORK_TRANSACTION_COMPLETE: 3160 3160 + buf += snprintf(buf, end - buf, 3161 3161 + "%stransaction complete\n", prefix); 3162 3162 + break; 3163 3163 + case BINDER_WORK_NODE: 3164 3164 + node = container_of(w, struct binder_node, work); 3165 3165 + buf += snprintf(buf, end - buf, "%snode work %d: u%p c%p\n", 3166 3166 + prefix, node->debug_id, node->ptr, 3167 3167 + node->cookie); 3168 3168 + break; 3169 3169 + case BINDER_WORK_DEAD_BINDER: 3170 3170 + buf += snprintf(buf, end - buf, "%shas dead binder\n", prefix); 3171 3171 + break; 3172 3172 + case BINDER_WORK_DEAD_BINDER_AND_CLEAR: 3173 3173 + buf += snprintf(buf, end - buf, 3174 3174 + "%shas cleared dead binder\n", prefix); 3175 3175 + break; 3176 3176 + case BINDER_WORK_CLEAR_DEATH_NOTIFICATION: 3177 3177 + buf += snprintf(buf, end - buf, 3178 3178 + "%shas cleared death notification\n", prefix); 3179 3179 + break; 3180 3180 + default: 3181 3181 + buf += snprintf(buf, end - buf, "%sunknown work: type %d\n", 3182 3182 + prefix, w->type); 3183 3183 + break; 3184 3184 + } 3185 3185 + return buf; 3186 3186 + } 3187 3187 + 3188 3188 + static char *print_binder_thread(char *buf, char *end, 3189 3189 + struct binder_thread *thread, 3190 3190 + int print_always) 3191 3191 + { 3192 3192 + struct binder_transaction *t; 3193 3193 + struct binder_work *w; 3194 3194 + char *start_buf = buf; 3195 3195 + char *header_buf; 3196 3196 + 3197 3197 + buf += snprintf(buf, end - buf, " thread %d: l %02x\n", 3198 3198 + thread->pid, thread->looper); 3199 3199 + header_buf = buf; 3200 3200 + t = thread->transaction_stack; 3201 3201 + while (t) { 3202 3202 + if (buf >= end) 3203 3203 + break; 3204 3204 + if (t->from == thread) { 3205 3205 + buf = print_binder_transaction(buf, end, 3206 3206 + " outgoing transaction", t); 3207 3207 + t = t->from_parent; 3208 3208 + } else if (t->to_thread == thread) { 3209 3209 + buf = print_binder_transaction(buf, end, 3210 3210 + " incoming transaction", t); 3211 3211 + t = t->to_parent; 3212 3212 + } else { 3213 3213 + buf = print_binder_transaction(buf, end, 3214 3214 + " bad transaction", t); 3215 3215 + t = NULL; 3216 3216 + } 3217 3217 + } 3218 3218 + list_for_each_entry(w, &thread->todo, entry) { 3219 3219 + if (buf >= end) 3220 3220 + break; 3221 3221 + buf = print_binder_work(buf, end, " ", 3222 3222 + " pending transaction", w); 3223 3223 + } 3224 3224 + if (!print_always && buf == header_buf) 3225 3225 + buf = start_buf; 3226 3226 + return buf; 3227 3227 + } 3228 3228 + 3229 3229 + static char *print_binder_node(char *buf, char *end, struct binder_node *node) 3230 3230 + { 3231 3231 + struct binder_ref *ref; 3232 3232 + struct hlist_node *pos; 3233 3233 + struct binder_work *w; 3234 3234 + int count; 3235 3235 + 3236 3236 + count = 0; 3237 3237 + hlist_for_each_entry(ref, pos, &node->refs, node_entry) 3238 3238 + count++; 3239 3239 + 3240 3240 + buf += snprintf(buf, end - buf, 3241 3241 + " node %d: u%p c%p hs %d hw %d ls %d lw %d " 3242 3242 + "is %d iw %d", 3243 3243 + node->debug_id, node->ptr, node->cookie, 3244 3244 + node->has_strong_ref, node->has_weak_ref, 3245 3245 + node->local_strong_refs, node->local_weak_refs, 3246 3246 + node->internal_strong_refs, count); 3247 3247 + if (buf >= end) 3248 3248 + return buf; 3249 3249 + if (count) { 3250 3250 + buf += snprintf(buf, end - buf, " proc"); 3251 3251 + if (buf >= end) 3252 3252 + return buf; 3253 3253 + hlist_for_each_entry(ref, pos, &node->refs, node_entry) { 3254 3254 + buf += snprintf(buf, end - buf, " %d", ref->proc->pid); 3255 3255 + if (buf >= end) 3256 3256 + return buf; 3257 3257 + } 3258 3258 + } 3259 3259 + buf += snprintf(buf, end - buf, "\n"); 3260 3260 + list_for_each_entry(w, &node->async_todo, entry) { 3261 3261 + if (buf >= end) 3262 3262 + break; 3263 3263 + buf = print_binder_work(buf, end, " ", 3264 3264 + " pending async transaction", w); 3265 3265 + } 3266 3266 + return buf; 3267 3267 + } 3268 3268 + 3269 3269 + static char *print_binder_ref(char *buf, char *end, struct binder_ref *ref) 3270 3270 + { 3271 3271 + buf += snprintf(buf, end - buf, 3272 3272 + " ref %d: desc %d %snode %d s %d w %d d %p\n", 3273 3273 + ref->debug_id, ref->desc, 3274 3274 + ref->node->proc ? "" : "dead ", ref->node->debug_id, 3275 3275 + ref->strong, ref->weak, ref->death); 3276 3276 + return buf; 3277 3277 + } 3278 3278 + 3279 3279 + static char *print_binder_proc(char *buf, char *end, 3280 3280 + struct binder_proc *proc, int print_all) 3281 3281 + { 3282 3282 + struct binder_work *w; 3283 3283 + struct rb_node *n; 3284 3284 + char *start_buf = buf; 3285 3285 + char *header_buf; 3286 3286 + 3287 3287 + buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3288 3288 + header_buf = buf; 3289 3289 + 3290 3290 + for (n = rb_first(&proc->threads); 3291 3291 + n != NULL && buf < end; 3292 3292 + n = rb_next(n)) 3293 3293 + buf = print_binder_thread(buf, end, 3294 3294 + rb_entry(n, struct binder_thread, 3295 3295 + rb_node), print_all); 3296 3296 + for (n = rb_first(&proc->nodes); 3297 3297 + n != NULL && buf < end; 3298 3298 + n = rb_next(n)) { 3299 3299 + struct binder_node *node = rb_entry(n, struct binder_node, 3300 3300 + rb_node); 3301 3301 + if (print_all || node->has_async_transaction) 3302 3302 + buf = print_binder_node(buf, end, node); 3303 3303 + } 3304 3304 + if (print_all) { 3305 3305 + for (n = rb_first(&proc->refs_by_desc); 3306 3306 + n != NULL && buf < end; 3307 3307 + n = rb_next(n)) 3308 3308 + buf = print_binder_ref(buf, end, 3309 3309 + rb_entry(n, struct binder_ref, 3310 3310 + rb_node_desc)); 3311 3311 + } 3312 3312 + for (n = rb_first(&proc->allocated_buffers); 3313 3313 + n != NULL && buf < end; 3314 3314 + n = rb_next(n)) 3315 3315 + buf = print_binder_buffer(buf, end, " buffer", 3316 3316 + rb_entry(n, struct binder_buffer, 3317 3317 + rb_node)); 3318 3318 + list_for_each_entry(w, &proc->todo, entry) { 3319 3319 + if (buf >= end) 3320 3320 + break; 3321 3321 + buf = print_binder_work(buf, end, " ", 3322 3322 + " pending transaction", w); 3323 3323 + } 3324 3324 + list_for_each_entry(w, &proc->delivered_death, entry) { 3325 3325 + if (buf >= end) 3326 3326 + break; 3327 3327 + buf += snprintf(buf, end - buf, 3328 3328 + " has delivered dead binder\n"); 3329 3329 + break; 3330 3330 + } 3331 3331 + if (!print_all && buf == header_buf) 3332 3332 + buf = start_buf; 3333 3333 + return buf; 3334 3334 + } 3335 3335 + 3336 3336 + static const char *binder_return_strings[] = { 3337 3337 + "BR_ERROR", 3338 3338 + "BR_OK", 3339 3339 + "BR_TRANSACTION", 3340 3340 + "BR_REPLY", 3341 3341 + "BR_ACQUIRE_RESULT", 3342 3342 + "BR_DEAD_REPLY", 3343 3343 + "BR_TRANSACTION_COMPLETE", 3344 3344 + "BR_INCREFS", 3345 3345 + "BR_ACQUIRE", 3346 3346 + "BR_RELEASE", 3347 3347 + "BR_DECREFS", 3348 3348 + "BR_ATTEMPT_ACQUIRE", 3349 3349 + "BR_NOOP", 3350 3350 + "BR_SPAWN_LOOPER", 3351 3351 + "BR_FINISHED", 3352 3352 + "BR_DEAD_BINDER", 3353 3353 + "BR_CLEAR_DEATH_NOTIFICATION_DONE", 3354 3354 + "BR_FAILED_REPLY" 3355 3355 + }; 3356 3356 + 3357 3357 + static const char *binder_command_strings[] = { 3358 3358 + "BC_TRANSACTION", 3359 3359 + "BC_REPLY", 3360 3360 + "BC_ACQUIRE_RESULT", 3361 3361 + "BC_FREE_BUFFER", 3362 3362 + "BC_INCREFS", 3363 3363 + "BC_ACQUIRE", 3364 3364 + "BC_RELEASE", 3365 3365 + "BC_DECREFS", 3366 3366 + "BC_INCREFS_DONE", 3367 3367 + "BC_ACQUIRE_DONE", 3368 3368 + "BC_ATTEMPT_ACQUIRE", 3369 3369 + "BC_REGISTER_LOOPER", 3370 3370 + "BC_ENTER_LOOPER", 3371 3371 + "BC_EXIT_LOOPER", 3372 3372 + "BC_REQUEST_DEATH_NOTIFICATION", 3373 3373 + "BC_CLEAR_DEATH_NOTIFICATION", 3374 3374 + "BC_DEAD_BINDER_DONE" 3375 3375 + }; 3376 3376 + 3377 3377 + static const char *binder_objstat_strings[] = { 3378 3378 + "proc", 3379 3379 + "thread", 3380 3380 + "node", 3381 3381 + "ref", 3382 3382 + "death", 3383 3383 + "transaction", 3384 3384 + "transaction_complete" 3385 3385 + }; 3386 3386 + 3387 3387 + static char *print_binder_stats(char *buf, char *end, const char *prefix, 3388 3388 + struct binder_stats *stats) 3389 3389 + { 3390 3390 + int i; 3391 3391 + 3392 3392 + BUILD_BUG_ON(ARRAY_SIZE(stats->bc) != 3393 3393 + ARRAY_SIZE(binder_command_strings)); 3394 3394 + for (i = 0; i < ARRAY_SIZE(stats->bc); i++) { 3395 3395 + if (stats->bc[i]) 3396 3396 + buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3397 3397 + binder_command_strings[i], 3398 3398 + stats->bc[i]); 3399 3399 + if (buf >= end) 3400 3400 + return buf; 3401 3401 + } 3402 3402 + 3403 3403 + BUILD_BUG_ON(ARRAY_SIZE(stats->br) != 3404 3404 + ARRAY_SIZE(binder_return_strings)); 3405 3405 + for (i = 0; i < ARRAY_SIZE(stats->br); i++) { 3406 3406 + if (stats->br[i]) 3407 3407 + buf += snprintf(buf, end - buf, "%s%s: %d\n", prefix, 3408 3408 + binder_return_strings[i], stats->br[i]); 3409 3409 + if (buf >= end) 3410 3410 + return buf; 3411 3411 + } 3412 3412 + 3413 3413 + BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3414 3414 + ARRAY_SIZE(binder_objstat_strings)); 3415 3415 + BUILD_BUG_ON(ARRAY_SIZE(stats->obj_created) != 3416 3416 + ARRAY_SIZE(stats->obj_deleted)); 3417 3417 + for (i = 0; i < ARRAY_SIZE(stats->obj_created); i++) { 3418 3418 + if (stats->obj_created[i] || stats->obj_deleted[i]) 3419 3419 + buf += snprintf(buf, end - buf, 3420 3420 + "%s%s: active %d total %d\n", prefix, 3421 3421 + binder_objstat_strings[i], 3422 3422 + stats->obj_created[i] - 3423 3423 + stats->obj_deleted[i], 3424 3424 + stats->obj_created[i]); 3425 3425 + if (buf >= end) 3426 3426 + return buf; 3427 3427 + } 3428 3428 + return buf; 3429 3429 + } 3430 3430 + 3431 3431 + static char *print_binder_proc_stats(char *buf, char *end, 3432 3432 + struct binder_proc *proc) 3433 3433 + { 3434 3434 + struct binder_work *w; 3435 3435 + struct rb_node *n; 3436 3436 + int count, strong, weak; 3437 3437 + 3438 3438 + buf += snprintf(buf, end - buf, "proc %d\n", proc->pid); 3439 3439 + if (buf >= end) 3440 3440 + return buf; 3441 3441 + count = 0; 3442 3442 + for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3443 3443 + count++; 3444 3444 + buf += snprintf(buf, end - buf, " threads: %d\n", count); 3445 3445 + if (buf >= end) 3446 3446 + return buf; 3447 3447 + buf += snprintf(buf, end - buf, " requested threads: %d+%d/%d\n" 3448 3448 + " ready threads %d\n" 3449 3449 + " free async space %zd\n", proc->requested_threads, 3450 3450 + proc->requested_threads_started, proc->max_threads, 3451 3451 + proc->ready_threads, proc->free_async_space); 3452 3452 + if (buf >= end) 3453 3453 + return buf; 3454 3454 + count = 0; 3455 3455 + for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) 3456 3456 + count++; 3457 3457 + buf += snprintf(buf, end - buf, " nodes: %d\n", count); 3458 3458 + if (buf >= end) 3459 3459 + return buf; 3460 3460 + count = 0; 3461 3461 + strong = 0; 3462 3462 + weak = 0; 3463 3463 + for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 3464 3464 + struct binder_ref *ref = rb_entry(n, struct binder_ref, 3465 3465 + rb_node_desc); 3466 3466 + count++; 3467 3467 + strong += ref->strong; 3468 3468 + weak += ref->weak; 3469 3469 + } 3470 3470 + buf += snprintf(buf, end - buf, " refs: %d s %d w %d\n", 3471 3471 + count, strong, weak); 3472 3472 + if (buf >= end) 3473 3473 + return buf; 3474 3474 + 3475 3475 + count = 0; 3476 3476 + for (n = rb_first(&proc->allocated_buffers); n != NULL; n = rb_next(n)) 3477 3477 + count++; 3478 3478 + buf += snprintf(buf, end - buf, " buffers: %d\n", count); 3479 3479 + if (buf >= end) 3480 3480 + return buf; 3481 3481 + 3482 3482 + count = 0; 3483 3483 + list_for_each_entry(w, &proc->todo, entry) { 3484 3484 + switch (w->type) { 3485 3485 + case BINDER_WORK_TRANSACTION: 3486 3486 + count++; 3487 3487 + break; 3488 3488 + default: 3489 3489 + break; 3490 3490 + } 3491 3491 + } 3492 3492 + buf += snprintf(buf, end - buf, " pending transactions: %d\n", count); 3493 3493 + if (buf >= end) 3494 3494 + return buf; 3495 3495 + 3496 3496 + buf = print_binder_stats(buf, end, " ", &proc->stats); 3497 3497 + 3498 3498 + return buf; 3499 3499 + } 3500 3500 + 3501 3501 + 3502 3502 + static int binder_read_proc_state(char *page, char **start, off_t off, 3503 3503 + int count, int *eof, void *data) 3504 3504 + { 3505 3505 + struct binder_proc *proc; 3506 3506 + struct hlist_node *pos; 3507 3507 + struct binder_node *node; 3508 3508 + int len = 0; 3509 3509 + char *buf = page; 3510 3510 + char *end = page + PAGE_SIZE; 3511 3511 + int do_lock = !binder_debug_no_lock; 3512 3512 + 3513 3513 + if (off) 3514 3514 + return 0; 3515 3515 + 3516 3516 + if (do_lock) 3517 3517 + mutex_lock(&binder_lock); 3518 3518 + 3519 3519 + buf += snprintf(buf, end - buf, "binder state:\n"); 3520 3520 + 3521 3521 + if (!hlist_empty(&binder_dead_nodes)) 3522 3522 + buf += snprintf(buf, end - buf, "dead nodes:\n"); 3523 3523 + hlist_for_each_entry(node, pos, &binder_dead_nodes, dead_node) { 3524 3524 + if (buf >= end) 3525 3525 + break; 3526 3526 + buf = print_binder_node(buf, end, node); 3527 3527 + } 3528 3528 + 3529 3529 + hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3530 3530 + if (buf >= end) 3531 3531 + break; 3532 3532 + buf = print_binder_proc(buf, end, proc, 1); 3533 3533 + } 3534 3534 + if (do_lock) 3535 3535 + mutex_unlock(&binder_lock); 3536 3536 + if (buf > page + PAGE_SIZE) 3537 3537 + buf = page + PAGE_SIZE; 3538 3538 + 3539 3539 + *start = page + off; 3540 3540 + 3541 3541 + len = buf - page; 3542 3542 + if (len > off) 3543 3543 + len -= off; 3544 3544 + else 3545 3545 + len = 0; 3546 3546 + 3547 3547 + return len < count ? len : count; 3548 3548 + } 3549 3549 + 3550 3550 + static int binder_read_proc_stats(char *page, char **start, off_t off, 3551 3551 + int count, int *eof, void *data) 3552 3552 + { 3553 3553 + struct binder_proc *proc; 3554 3554 + struct hlist_node *pos; 3555 3555 + int len = 0; 3556 3556 + char *p = page; 3557 3557 + int do_lock = !binder_debug_no_lock; 3558 3558 + 3559 3559 + if (off) 3560 3560 + return 0; 3561 3561 + 3562 3562 + if (do_lock) 3563 3563 + mutex_lock(&binder_lock); 3564 3564 + 3565 3565 + p += snprintf(p, PAGE_SIZE, "binder stats:\n"); 3566 3566 + 3567 3567 + p = print_binder_stats(p, page + PAGE_SIZE, "", &binder_stats); 3568 3568 + 3569 3569 + hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3570 3570 + if (p >= page + PAGE_SIZE) 3571 3571 + break; 3572 3572 + p = print_binder_proc_stats(p, page + PAGE_SIZE, proc); 3573 3573 + } 3574 3574 + if (do_lock) 3575 3575 + mutex_unlock(&binder_lock); 3576 3576 + if (p > page + PAGE_SIZE) 3577 3577 + p = page + PAGE_SIZE; 3578 3578 + 3579 3579 + *start = page + off; 3580 3580 + 3581 3581 + len = p - page; 3582 3582 + if (len > off) 3583 3583 + len -= off; 3584 3584 + else 3585 3585 + len = 0; 3586 3586 + 3587 3587 + return len < count ? len : count; 3588 3588 + } 3589 3589 + 3590 3590 + static int binder_read_proc_transactions(char *page, char **start, off_t off, 3591 3591 + int count, int *eof, void *data) 3592 3592 + { 3593 3593 + struct binder_proc *proc; 3594 3594 + struct hlist_node *pos; 3595 3595 + int len = 0; 3596 3596 + char *buf = page; 3597 3597 + char *end = page + PAGE_SIZE; 3598 3598 + int do_lock = !binder_debug_no_lock; 3599 3599 + 3600 3600 + if (off) 3601 3601 + return 0; 3602 3602 + 3603 3603 + if (do_lock) 3604 3604 + mutex_lock(&binder_lock); 3605 3605 + 3606 3606 + buf += snprintf(buf, end - buf, "binder transactions:\n"); 3607 3607 + hlist_for_each_entry(proc, pos, &binder_procs, proc_node) { 3608 3608 + if (buf >= end) 3609 3609 + break; 3610 3610 + buf = print_binder_proc(buf, end, proc, 0); 3611 3611 + } 3612 3612 + if (do_lock) 3613 3613 + mutex_unlock(&binder_lock); 3614 3614 + if (buf > page + PAGE_SIZE) 3615 3615 + buf = page + PAGE_SIZE; 3616 3616 + 3617 3617 + *start = page + off; 3618 3618 + 3619 3619 + len = buf - page; 3620 3620 + if (len > off) 3621 3621 + len -= off; 3622 3622 + else 3623 3623 + len = 0; 3624 3624 + 3625 3625 + return len < count ? len : count; 3626 3626 + } 3627 3627 + 3628 3628 + static int binder_read_proc_proc(char *page, char **start, off_t off, 3629 3629 + int count, int *eof, void *data) 3630 3630 + { 3631 3631 + struct binder_proc *proc = data; 3632 3632 + int len = 0; 3633 3633 + char *p = page; 3634 3634 + int do_lock = !binder_debug_no_lock; 3635 3635 + 3636 3636 + if (off) 3637 3637 + return 0; 3638 3638 + 3639 3639 + if (do_lock) 3640 3640 + mutex_lock(&binder_lock); 3641 3641 + p += snprintf(p, PAGE_SIZE, "binder proc state:\n"); 3642 3642 + p = print_binder_proc(p, page + PAGE_SIZE, proc, 1); 3643 3643 + if (do_lock) 3644 3644 + mutex_unlock(&binder_lock); 3645 3645 + 3646 3646 + if (p > page + PAGE_SIZE) 3647 3647 + p = page + PAGE_SIZE; 3648 3648 + *start = page + off; 3649 3649 + 3650 3650 + len = p - page; 3651 3651 + if (len > off) 3652 3652 + len -= off; 3653 3653 + else 3654 3654 + len = 0; 3655 3655 + 3656 3656 + return len < count ? len : count; 3657 3657 + } 3658 3658 + 3659 3659 + static char *print_binder_transaction_log_entry(char *buf, char *end, 3660 3660 + struct binder_transaction_log_entry *e) 3661 3661 + { 3662 3662 + buf += snprintf(buf, end - buf, 3663 3663 + "%d: %s from %d:%d to %d:%d node %d handle %d " 3664 3664 + "size %d:%d\n", 3665 3665 + e->debug_id, (e->call_type == 2) ? "reply" : 3666 3666 + ((e->call_type == 1) ? "async" : "call "), e->from_proc, 3667 3667 + e->from_thread, e->to_proc, e->to_thread, e->to_node, 3668 3668 + e->target_handle, e->data_size, e->offsets_size); 3669 3669 + return buf; 3670 3670 + } 3671 3671 + 3672 3672 + static int binder_read_proc_transaction_log( 3673 3673 + char *page, char **start, off_t off, int count, int *eof, void *data) 3674 3674 + { 3675 3675 + struct binder_transaction_log *log = data; 3676 3676 + int len = 0; 3677 3677 + int i; 3678 3678 + char *buf = page; 3679 3679 + char *end = page + PAGE_SIZE; 3680 3680 + 3681 3681 + if (off) 3682 3682 + return 0; 3683 3683 + 3684 3684 + if (log->full) { 3685 3685 + for (i = log->next; i < ARRAY_SIZE(log->entry); i++) { 3686 3686 + if (buf >= end) 3687 3687 + break; 3688 3688 + buf = print_binder_transaction_log_entry(buf, end, 3689 3689 + &log->entry[i]); 3690 3690 + } 3691 3691 + } 3692 3692 + for (i = 0; i < log->next; i++) { 3693 3693 + if (buf >= end) 3694 3694 + break; 3695 3695 + buf = print_binder_transaction_log_entry(buf, end, 3696 3696 + &log->entry[i]); 3697 3697 + } 3698 3698 + 3699 3699 + *start = page + off; 3700 3700 + 3701 3701 + len = buf - page; 3702 3702 + if (len > off) 3703 3703 + len -= off; 3704 3704 + else 3705 3705 + len = 0; 3706 3706 + 3707 3707 + return len < count ? len : count; 3708 3708 + } 3709 3709 + 3710 3710 + static const struct file_operations binder_fops = { 3711 3711 + .owner = THIS_MODULE, 3712 3712 + .poll = binder_poll, 3713 3713 + .unlocked_ioctl = binder_ioctl, 3714 3714 + .mmap = binder_mmap, 3715 3715 + .open = binder_open, 3716 3716 + .flush = binder_flush, 3717 3717 + .release = binder_release, 3718 3718 + }; 3719 3719 + 3720 3720 + static struct miscdevice binder_miscdev = { 3721 3721 + .minor = MISC_DYNAMIC_MINOR, 3722 3722 + .name = "binder", 3723 3723 + .fops = &binder_fops 3724 3724 + }; 3725 3725 + 3726 3726 + static int __init binder_init(void) 3727 3727 + { 3728 3728 + int ret; 3729 3729 + 3730 3730 + binder_proc_dir_entry_root = proc_mkdir("binder", NULL); 3731 3731 + if (binder_proc_dir_entry_root) 3732 3732 + binder_proc_dir_entry_proc = proc_mkdir("proc", 3733 3733 + binder_proc_dir_entry_root); 3734 3734 + ret = misc_register(&binder_miscdev); 3735 3735 + if (binder_proc_dir_entry_root) { 3736 3736 + create_proc_read_entry("state", 3737 3737 + S_IRUGO, 3738 3738 + binder_proc_dir_entry_root, 3739 3739 + binder_read_proc_state, 3740 3740 + NULL); 3741 3741 + create_proc_read_entry("stats", 3742 3742 + S_IRUGO, 3743 3743 + binder_proc_dir_entry_root, 3744 3744 + binder_read_proc_stats, 3745 3745 + NULL); 3746 3746 + create_proc_read_entry("transactions", 3747 3747 + S_IRUGO, 3748 3748 + binder_proc_dir_entry_root, 3749 3749 + binder_read_proc_transactions, 3750 3750 + NULL); 3751 3751 + create_proc_read_entry("transaction_log", 3752 3752 + S_IRUGO, 3753 3753 + binder_proc_dir_entry_root, 3754 3754 + binder_read_proc_transaction_log, 3755 3755 + &binder_transaction_log); 3756 3756 + create_proc_read_entry("failed_transaction_log", 3757 3757 + S_IRUGO, 3758 3758 + binder_proc_dir_entry_root, 3759 3759 + binder_read_proc_transaction_log, 3760 3760 + &binder_transaction_log_failed); 3761 3761 + } 3762 3762 + return ret; 3763 3763 + } 3764 3764 + 3765 3765 + device_initcall(binder_init); 3766 3766 + 3767 3767 + MODULE_LICENSE("GPL v2");

+330

drivers/staging/android/binder.h

reviewed

··· 1 1 + /* 2 2 + * Copyright (C) 2008 Google, Inc. 3 3 + * 4 4 + * Based on, but no longer compatible with, the original 5 5 + * OpenBinder.org binder driver interface, which is: 6 6 + * 7 7 + * Copyright (c) 2005 Palmsource, Inc. 8 8 + * 9 9 + * This software is licensed under the terms of the GNU General Public 10 10 + * License version 2, as published by the Free Software Foundation, and 11 11 + * may be copied, distributed, and modified under those terms. 12 12 + * 13 13 + * This program is distributed in the hope that it will be useful, 14 14 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 15 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 16 + * GNU General Public License for more details. 17 17 + * 18 18 + */ 19 19 + 20 20 + #ifndef _LINUX_BINDER_H 21 21 + #define _LINUX_BINDER_H 22 22 + 23 23 + #include <linux/ioctl.h> 24 24 + 25 25 + #define B_PACK_CHARS(c1, c2, c3, c4) \ 26 26 + ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4)) 27 27 + #define B_TYPE_LARGE 0x85 28 28 + 29 29 + enum { 30 30 + BINDER_TYPE_BINDER = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE), 31 31 + BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE), 32 32 + BINDER_TYPE_HANDLE = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE), 33 33 + BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE), 34 34 + BINDER_TYPE_FD = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE), 35 35 + }; 36 36 + 37 37 + enum { 38 38 + FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff, 39 39 + FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100, 40 40 + }; 41 41 + 42 42 + /* 43 43 + * This is the flattened representation of a Binder object for transfer 44 44 + * between processes. The 'offsets' supplied as part of a binder transaction 45 45 + * contains offsets into the data where these structures occur. The Binder 46 46 + * driver takes care of re-writing the structure type and data as it moves 47 47 + * between processes. 48 48 + */ 49 49 + struct flat_binder_object { 50 50 + /* 8 bytes for large_flat_header. */ 51 51 + unsigned long type; 52 52 + unsigned long flags; 53 53 + 54 54 + /* 8 bytes of data. */ 55 55 + union { 56 56 + void *binder; /* local object */ 57 57 + signed long handle; /* remote object */ 58 58 + }; 59 59 + 60 60 + /* extra data associated with local object */ 61 61 + void *cookie; 62 62 + }; 63 63 + 64 64 + /* 65 65 + * On 64-bit platforms where user code may run in 32-bits the driver must 66 66 + * translate the buffer (and local binder) addresses apropriately. 67 67 + */ 68 68 + 69 69 + struct binder_write_read { 70 70 + signed long write_size; /* bytes to write */ 71 71 + signed long write_consumed; /* bytes consumed by driver */ 72 72 + unsigned long write_buffer; 73 73 + signed long read_size; /* bytes to read */ 74 74 + signed long read_consumed; /* bytes consumed by driver */ 75 75 + unsigned long read_buffer; 76 76 + }; 77 77 + 78 78 + /* Use with BINDER_VERSION, driver fills in fields. */ 79 79 + struct binder_version { 80 80 + /* driver protocol version -- increment with incompatible change */ 81 81 + signed long protocol_version; 82 82 + }; 83 83 + 84 84 + /* This is the current protocol version. */ 85 85 + #define BINDER_CURRENT_PROTOCOL_VERSION 7 86 86 + 87 87 + #define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read) 88 88 + #define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, int64_t) 89 89 + #define BINDER_SET_MAX_THREADS _IOW('b', 5, size_t) 90 90 + #define BINDER_SET_IDLE_PRIORITY _IOW('b', 6, int) 91 91 + #define BINDER_SET_CONTEXT_MGR _IOW('b', 7, int) 92 92 + #define BINDER_THREAD_EXIT _IOW('b', 8, int) 93 93 + #define BINDER_VERSION _IOWR('b', 9, struct binder_version) 94 94 + 95 95 + /* 96 96 + * NOTE: Two special error codes you should check for when calling 97 97 + * in to the driver are: 98 98 + * 99 99 + * EINTR -- The operation has been interupted. This should be 100 100 + * handled by retrying the ioctl() until a different error code 101 101 + * is returned. 102 102 + * 103 103 + * ECONNREFUSED -- The driver is no longer accepting operations 104 104 + * from your process. That is, the process is being destroyed. 105 105 + * You should handle this by exiting from your process. Note 106 106 + * that once this error code is returned, all further calls to 107 107 + * the driver from any thread will return this same code. 108 108 + */ 109 109 + 110 110 + enum transaction_flags { 111 111 + TF_ONE_WAY = 0x01, /* this is a one-way call: async, no return */ 112 112 + TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */ 113 113 + TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */ 114 114 + TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */ 115 115 + }; 116 116 + 117 117 + struct binder_transaction_data { 118 118 + /* The first two are only used for bcTRANSACTION and brTRANSACTION, 119 119 + * identifying the target and contents of the transaction. 120 120 + */ 121 121 + union { 122 122 + size_t handle; /* target descriptor of command transaction */ 123 123 + void *ptr; /* target descriptor of return transaction */ 124 124 + } target; 125 125 + void *cookie; /* target object cookie */ 126 126 + unsigned int code; /* transaction command */ 127 127 + 128 128 + /* General information about the transaction. */ 129 129 + unsigned int flags; 130 130 + pid_t sender_pid; 131 131 + uid_t sender_euid; 132 132 + size_t data_size; /* number of bytes of data */ 133 133 + size_t offsets_size; /* number of bytes of offsets */ 134 134 + 135 135 + /* If this transaction is inline, the data immediately 136 136 + * follows here; otherwise, it ends with a pointer to 137 137 + * the data buffer. 138 138 + */ 139 139 + union { 140 140 + struct { 141 141 + /* transaction data */ 142 142 + const void *buffer; 143 143 + /* offsets from buffer to flat_binder_object structs */ 144 144 + const void *offsets; 145 145 + } ptr; 146 146 + uint8_t buf[8]; 147 147 + } data; 148 148 + }; 149 149 + 150 150 + struct binder_ptr_cookie { 151 151 + void *ptr; 152 152 + void *cookie; 153 153 + }; 154 154 + 155 155 + struct binder_pri_desc { 156 156 + int priority; 157 157 + int desc; 158 158 + }; 159 159 + 160 160 + struct binder_pri_ptr_cookie { 161 161 + int priority; 162 162 + void *ptr; 163 163 + void *cookie; 164 164 + }; 165 165 + 166 166 + enum BinderDriverReturnProtocol { 167 167 + BR_ERROR = _IOR('r', 0, int), 168 168 + /* 169 169 + * int: error code 170 170 + */ 171 171 + 172 172 + BR_OK = _IO('r', 1), 173 173 + /* No parameters! */ 174 174 + 175 175 + BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data), 176 176 + BR_REPLY = _IOR('r', 3, struct binder_transaction_data), 177 177 + /* 178 178 + * binder_transaction_data: the received command. 179 179 + */ 180 180 + 181 181 + BR_ACQUIRE_RESULT = _IOR('r', 4, int), 182 182 + /* 183 183 + * not currently supported 184 184 + * int: 0 if the last bcATTEMPT_ACQUIRE was not successful. 185 185 + * Else the remote object has acquired a primary reference. 186 186 + */ 187 187 + 188 188 + BR_DEAD_REPLY = _IO('r', 5), 189 189 + /* 190 190 + * The target of the last transaction (either a bcTRANSACTION or 191 191 + * a bcATTEMPT_ACQUIRE) is no longer with us. No parameters. 192 192 + */ 193 193 + 194 194 + BR_TRANSACTION_COMPLETE = _IO('r', 6), 195 195 + /* 196 196 + * No parameters... always refers to the last transaction requested 197 197 + * (including replies). Note that this will be sent even for 198 198 + * asynchronous transactions. 199 199 + */ 200 200 + 201 201 + BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie), 202 202 + BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie), 203 203 + BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie), 204 204 + BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie), 205 205 + /* 206 206 + * void *: ptr to binder 207 207 + * void *: cookie for binder 208 208 + */ 209 209 + 210 210 + BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie), 211 211 + /* 212 212 + * not currently supported 213 213 + * int: priority 214 214 + * void *: ptr to binder 215 215 + * void *: cookie for binder 216 216 + */ 217 217 + 218 218 + BR_NOOP = _IO('r', 12), 219 219 + /* 220 220 + * No parameters. Do nothing and examine the next command. It exists 221 221 + * primarily so that we can replace it with a BR_SPAWN_LOOPER command. 222 222 + */ 223 223 + 224 224 + BR_SPAWN_LOOPER = _IO('r', 13), 225 225 + /* 226 226 + * No parameters. The driver has determined that a process has no 227 227 + * threads waiting to service incomming transactions. When a process 228 228 + * receives this command, it must spawn a new service thread and 229 229 + * register it via bcENTER_LOOPER. 230 230 + */ 231 231 + 232 232 + BR_FINISHED = _IO('r', 14), 233 233 + /* 234 234 + * not currently supported 235 235 + * stop threadpool thread 236 236 + */ 237 237 + 238 238 + BR_DEAD_BINDER = _IOR('r', 15, void *), 239 239 + /* 240 240 + * void *: cookie 241 241 + */ 242 242 + BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, void *), 243 243 + /* 244 244 + * void *: cookie 245 245 + */ 246 246 + 247 247 + BR_FAILED_REPLY = _IO('r', 17), 248 248 + /* 249 249 + * The the last transaction (either a bcTRANSACTION or 250 250 + * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters. 251 251 + */ 252 252 + }; 253 253 + 254 254 + enum BinderDriverCommandProtocol { 255 255 + BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data), 256 256 + BC_REPLY = _IOW('c', 1, struct binder_transaction_data), 257 257 + /* 258 258 + * binder_transaction_data: the sent command. 259 259 + */ 260 260 + 261 261 + BC_ACQUIRE_RESULT = _IOW('c', 2, int), 262 262 + /* 263 263 + * not currently supported 264 264 + * int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful. 265 265 + * Else you have acquired a primary reference on the object. 266 266 + */ 267 267 + 268 268 + BC_FREE_BUFFER = _IOW('c', 3, int), 269 269 + /* 270 270 + * void *: ptr to transaction data received on a read 271 271 + */ 272 272 + 273 273 + BC_INCREFS = _IOW('c', 4, int), 274 274 + BC_ACQUIRE = _IOW('c', 5, int), 275 275 + BC_RELEASE = _IOW('c', 6, int), 276 276 + BC_DECREFS = _IOW('c', 7, int), 277 277 + /* 278 278 + * int: descriptor 279 279 + */ 280 280 + 281 281 + BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie), 282 282 + BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie), 283 283 + /* 284 284 + * void *: ptr to binder 285 285 + * void *: cookie for binder 286 286 + */ 287 287 + 288 288 + BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc), 289 289 + /* 290 290 + * not currently supported 291 291 + * int: priority 292 292 + * int: descriptor 293 293 + */ 294 294 + 295 295 + BC_REGISTER_LOOPER = _IO('c', 11), 296 296 + /* 297 297 + * No parameters. 298 298 + * Register a spawned looper thread with the device. 299 299 + */ 300 300 + 301 301 + BC_ENTER_LOOPER = _IO('c', 12), 302 302 + BC_EXIT_LOOPER = _IO('c', 13), 303 303 + /* 304 304 + * No parameters. 305 305 + * These two commands are sent as an application-level thread 306 306 + * enters and exits the binder loop, respectively. They are 307 307 + * used so the binder can have an accurate count of the number 308 308 + * of looping threads it has available. 309 309 + */ 310 310 + 311 311 + BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14, struct binder_ptr_cookie), 312 312 + /* 313 313 + * void *: ptr to binder 314 314 + * void *: cookie 315 315 + */ 316 316 + 317 317 + BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15, struct binder_ptr_cookie), 318 318 + /* 319 319 + * void *: ptr to binder 320 320 + * void *: cookie 321 321 + */ 322 322 + 323 323 + BC_DEAD_BINDER_DONE = _IOW('c', 16, void *), 324 324 + /* 325 325 + * void *: cookie 326 326 + */ 327 327 + }; 328 328 + 329 329 + #endif /* _LINUX_BINDER_H */ 330 330 +

+607

drivers/staging/android/logger.c

reviewed

··· 1 1 + /* 2 2 + * drivers/misc/logger.c 3 3 + * 4 4 + * A Logging Subsystem 5 5 + * 6 6 + * Copyright (C) 2007-2008 Google, Inc. 7 7 + * 8 8 + * Robert Love <rlove@google.com> 9 9 + * 10 10 + * This software is licensed under the terms of the GNU General Public 11 11 + * License version 2, as published by the Free Software Foundation, and 12 12 + * may be copied, distributed, and modified under those terms. 13 13 + * 14 14 + * This program is distributed in the hope that it will be useful, 15 15 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 16 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 17 + * GNU General Public License for more details. 18 18 + */ 19 19 + 20 20 + #include <linux/module.h> 21 21 + #include <linux/fs.h> 22 22 + #include <linux/miscdevice.h> 23 23 + #include <linux/uaccess.h> 24 24 + #include <linux/poll.h> 25 25 + #include <linux/time.h> 26 26 + #include "logger.h" 27 27 + 28 28 + #include <asm/ioctls.h> 29 29 + 30 30 + /* 31 31 + * struct logger_log - represents a specific log, such as 'main' or 'radio' 32 32 + * 33 33 + * This structure lives from module insertion until module removal, so it does 34 34 + * not need additional reference counting. The structure is protected by the 35 35 + * mutex 'mutex'. 36 36 + */ 37 37 + struct logger_log { 38 38 + unsigned char *buffer;/* the ring buffer itself */ 39 39 + struct miscdevice misc; /* misc device representing the log */ 40 40 + wait_queue_head_t wq; /* wait queue for readers */ 41 41 + struct list_head readers; /* this log's readers */ 42 42 + struct mutex mutex; /* mutex protecting buffer */ 43 43 + size_t w_off; /* current write head offset */ 44 44 + size_t head; /* new readers start here */ 45 45 + size_t size; /* size of the log */ 46 46 + }; 47 47 + 48 48 + /* 49 49 + * struct logger_reader - a logging device open for reading 50 50 + * 51 51 + * This object lives from open to release, so we don't need additional 52 52 + * reference counting. The structure is protected by log->mutex. 53 53 + */ 54 54 + struct logger_reader { 55 55 + struct logger_log *log; /* associated log */ 56 56 + struct list_head list; /* entry in logger_log's list */ 57 57 + size_t r_off; /* current read head offset */ 58 58 + }; 59 59 + 60 60 + /* logger_offset - returns index 'n' into the log via (optimized) modulus */ 61 61 + #define logger_offset(n) ((n) & (log->size - 1)) 62 62 + 63 63 + /* 64 64 + * file_get_log - Given a file structure, return the associated log 65 65 + * 66 66 + * This isn't aesthetic. We have several goals: 67 67 + * 68 68 + * 1) Need to quickly obtain the associated log during an I/O operation 69 69 + * 2) Readers need to maintain state (logger_reader) 70 70 + * 3) Writers need to be very fast (open() should be a near no-op) 71 71 + * 72 72 + * In the reader case, we can trivially go file->logger_reader->logger_log. 73 73 + * For a writer, we don't want to maintain a logger_reader, so we just go 74 74 + * file->logger_log. Thus what file->private_data points at depends on whether 75 75 + * or not the file was opened for reading. This function hides that dirtiness. 76 76 + */ 77 77 + static inline struct logger_log *file_get_log(struct file *file) 78 78 + { 79 79 + if (file->f_mode & FMODE_READ) { 80 80 + struct logger_reader *reader = file->private_data; 81 81 + return reader->log; 82 82 + } else 83 83 + return file->private_data; 84 84 + } 85 85 + 86 86 + /* 87 87 + * get_entry_len - Grabs the length of the payload of the next entry starting 88 88 + * from 'off'. 89 89 + * 90 90 + * Caller needs to hold log->mutex. 91 91 + */ 92 92 + static __u32 get_entry_len(struct logger_log *log, size_t off) 93 93 + { 94 94 + __u16 val; 95 95 + 96 96 + switch (log->size - off) { 97 97 + case 1: 98 98 + memcpy(&val, log->buffer + off, 1); 99 99 + memcpy(((char *) &val) + 1, log->buffer, 1); 100 100 + break; 101 101 + default: 102 102 + memcpy(&val, log->buffer + off, 2); 103 103 + } 104 104 + 105 105 + return sizeof(struct logger_entry) + val; 106 106 + } 107 107 + 108 108 + /* 109 109 + * do_read_log_to_user - reads exactly 'count' bytes from 'log' into the 110 110 + * user-space buffer 'buf'. Returns 'count' on success. 111 111 + * 112 112 + * Caller must hold log->mutex. 113 113 + */ 114 114 + static ssize_t do_read_log_to_user(struct logger_log *log, 115 115 + struct logger_reader *reader, 116 116 + char __user *buf, 117 117 + size_t count) 118 118 + { 119 119 + size_t len; 120 120 + 121 121 + /* 122 122 + * We read from the log in two disjoint operations. First, we read from 123 123 + * the current read head offset up to 'count' bytes or to the end of 124 124 + * the log, whichever comes first. 125 125 + */ 126 126 + len = min(count, log->size - reader->r_off); 127 127 + if (copy_to_user(buf, log->buffer + reader->r_off, len)) 128 128 + return -EFAULT; 129 129 + 130 130 + /* 131 131 + * Second, we read any remaining bytes, starting back at the head of 132 132 + * the log. 133 133 + */ 134 134 + if (count != len) 135 135 + if (copy_to_user(buf + len, log->buffer, count - len)) 136 136 + return -EFAULT; 137 137 + 138 138 + reader->r_off = logger_offset(reader->r_off + count); 139 139 + 140 140 + return count; 141 141 + } 142 142 + 143 143 + /* 144 144 + * logger_read - our log's read() method 145 145 + * 146 146 + * Behavior: 147 147 + * 148 148 + * - O_NONBLOCK works 149 149 + * - If there are no log entries to read, blocks until log is written to 150 150 + * - Atomically reads exactly one log entry 151 151 + * 152 152 + * Optimal read size is LOGGER_ENTRY_MAX_LEN. Will set errno to EINVAL if read 153 153 + * buffer is insufficient to hold next entry. 154 154 + */ 155 155 + static ssize_t logger_read(struct file *file, char __user *buf, 156 156 + size_t count, loff_t *pos) 157 157 + { 158 158 + struct logger_reader *reader = file->private_data; 159 159 + struct logger_log *log = reader->log; 160 160 + ssize_t ret; 161 161 + DEFINE_WAIT(wait); 162 162 + 163 163 + start: 164 164 + while (1) { 165 165 + prepare_to_wait(&log->wq, &wait, TASK_INTERRUPTIBLE); 166 166 + 167 167 + mutex_lock(&log->mutex); 168 168 + ret = (log->w_off == reader->r_off); 169 169 + mutex_unlock(&log->mutex); 170 170 + if (!ret) 171 171 + break; 172 172 + 173 173 + if (file->f_flags & O_NONBLOCK) { 174 174 + ret = -EAGAIN; 175 175 + break; 176 176 + } 177 177 + 178 178 + if (signal_pending(current)) { 179 179 + ret = -EINTR; 180 180 + break; 181 181 + } 182 182 + 183 183 + schedule(); 184 184 + } 185 185 + 186 186 + finish_wait(&log->wq, &wait); 187 187 + if (ret) 188 188 + return ret; 189 189 + 190 190 + mutex_lock(&log->mutex); 191 191 + 192 192 + /* is there still something to read or did we race? */ 193 193 + if (unlikely(log->w_off == reader->r_off)) { 194 194 + mutex_unlock(&log->mutex); 195 195 + goto start; 196 196 + } 197 197 + 198 198 + /* get the size of the next entry */ 199 199 + ret = get_entry_len(log, reader->r_off); 200 200 + if (count < ret) { 201 201 + ret = -EINVAL; 202 202 + goto out; 203 203 + } 204 204 + 205 205 + /* get exactly one entry from the log */ 206 206 + ret = do_read_log_to_user(log, reader, buf, ret); 207 207 + 208 208 + out: 209 209 + mutex_unlock(&log->mutex); 210 210 + 211 211 + return ret; 212 212 + } 213 213 + 214 214 + /* 215 215 + * get_next_entry - return the offset of the first valid entry at least 'len' 216 216 + * bytes after 'off'. 217 217 + * 218 218 + * Caller must hold log->mutex. 219 219 + */ 220 220 + static size_t get_next_entry(struct logger_log *log, size_t off, size_t len) 221 221 + { 222 222 + size_t count = 0; 223 223 + 224 224 + do { 225 225 + size_t nr = get_entry_len(log, off); 226 226 + off = logger_offset(off + nr); 227 227 + count += nr; 228 228 + } while (count < len); 229 229 + 230 230 + return off; 231 231 + } 232 232 + 233 233 + /* 234 234 + * clock_interval - is a < c < b in mod-space? Put another way, does the line 235 235 + * from a to b cross c? 236 236 + */ 237 237 + static inline int clock_interval(size_t a, size_t b, size_t c) 238 238 + { 239 239 + if (b < a) { 240 240 + if (a < c || b >= c) 241 241 + return 1; 242 242 + } else { 243 243 + if (a < c && b >= c) 244 244 + return 1; 245 245 + } 246 246 + 247 247 + return 0; 248 248 + } 249 249 + 250 250 + /* 251 251 + * fix_up_readers - walk the list of all readers and "fix up" any who were 252 252 + * lapped by the writer; also do the same for the default "start head". 253 253 + * We do this by "pulling forward" the readers and start head to the first 254 254 + * entry after the new write head. 255 255 + * 256 256 + * The caller needs to hold log->mutex. 257 257 + */ 258 258 + static void fix_up_readers(struct logger_log *log, size_t len) 259 259 + { 260 260 + size_t old = log->w_off; 261 261 + size_t new = logger_offset(old + len); 262 262 + struct logger_reader *reader; 263 263 + 264 264 + if (clock_interval(old, new, log->head)) 265 265 + log->head = get_next_entry(log, log->head, len); 266 266 + 267 267 + list_for_each_entry(reader, &log->readers, list) 268 268 + if (clock_interval(old, new, reader->r_off)) 269 269 + reader->r_off = get_next_entry(log, reader->r_off, len); 270 270 + } 271 271 + 272 272 + /* 273 273 + * do_write_log - writes 'len' bytes from 'buf' to 'log' 274 274 + * 275 275 + * The caller needs to hold log->mutex. 276 276 + */ 277 277 + static void do_write_log(struct logger_log *log, const void *buf, size_t count) 278 278 + { 279 279 + size_t len; 280 280 + 281 281 + len = min(count, log->size - log->w_off); 282 282 + memcpy(log->buffer + log->w_off, buf, len); 283 283 + 284 284 + if (count != len) 285 285 + memcpy(log->buffer, buf + len, count - len); 286 286 + 287 287 + log->w_off = logger_offset(log->w_off + count); 288 288 + 289 289 + } 290 290 + 291 291 + /* 292 292 + * do_write_log_user - writes 'len' bytes from the user-space buffer 'buf' to 293 293 + * the log 'log' 294 294 + * 295 295 + * The caller needs to hold log->mutex. 296 296 + * 297 297 + * Returns 'count' on success, negative error code on failure. 298 298 + */ 299 299 + static ssize_t do_write_log_from_user(struct logger_log *log, 300 300 + const void __user *buf, size_t count) 301 301 + { 302 302 + size_t len; 303 303 + 304 304 + len = min(count, log->size - log->w_off); 305 305 + if (len && copy_from_user(log->buffer + log->w_off, buf, len)) 306 306 + return -EFAULT; 307 307 + 308 308 + if (count != len) 309 309 + if (copy_from_user(log->buffer, buf + len, count - len)) 310 310 + return -EFAULT; 311 311 + 312 312 + log->w_off = logger_offset(log->w_off + count); 313 313 + 314 314 + return count; 315 315 + } 316 316 + 317 317 + /* 318 318 + * logger_aio_write - our write method, implementing support for write(), 319 319 + * writev(), and aio_write(). Writes are our fast path, and we try to optimize 320 320 + * them above all else. 321 321 + */ 322 322 + ssize_t logger_aio_write(struct kiocb *iocb, const struct iovec *iov, 323 323 + unsigned long nr_segs, loff_t ppos) 324 324 + { 325 325 + struct logger_log *log = file_get_log(iocb->ki_filp); 326 326 + size_t orig = log->w_off; 327 327 + struct logger_entry header; 328 328 + struct timespec now; 329 329 + ssize_t ret = 0; 330 330 + 331 331 + now = current_kernel_time(); 332 332 + 333 333 + header.pid = current->tgid; 334 334 + header.tid = current->pid; 335 335 + header.sec = now.tv_sec; 336 336 + header.nsec = now.tv_nsec; 337 337 + header.len = min_t(size_t, iocb->ki_left, LOGGER_ENTRY_MAX_PAYLOAD); 338 338 + 339 339 + /* null writes succeed, return zero */ 340 340 + if (unlikely(!header.len)) 341 341 + return 0; 342 342 + 343 343 + mutex_lock(&log->mutex); 344 344 + 345 345 + /* 346 346 + * Fix up any readers, pulling them forward to the first readable 347 347 + * entry after (what will be) the new write offset. We do this now 348 348 + * because if we partially fail, we can end up with clobbered log 349 349 + * entries that encroach on readable buffer. 350 350 + */ 351 351 + fix_up_readers(log, sizeof(struct logger_entry) + header.len); 352 352 + 353 353 + do_write_log(log, &header, sizeof(struct logger_entry)); 354 354 + 355 355 + while (nr_segs-- > 0) { 356 356 + size_t len; 357 357 + ssize_t nr; 358 358 + 359 359 + /* figure out how much of this vector we can keep */ 360 360 + len = min_t(size_t, iov->iov_len, header.len - ret); 361 361 + 362 362 + /* write out this segment's payload */ 363 363 + nr = do_write_log_from_user(log, iov->iov_base, len); 364 364 + if (unlikely(nr < 0)) { 365 365 + log->w_off = orig; 366 366 + mutex_unlock(&log->mutex); 367 367 + return nr; 368 368 + } 369 369 + 370 370 + iov++; 371 371 + ret += nr; 372 372 + } 373 373 + 374 374 + mutex_unlock(&log->mutex); 375 375 + 376 376 + /* wake up any blocked readers */ 377 377 + wake_up_interruptible(&log->wq); 378 378 + 379 379 + return ret; 380 380 + } 381 381 + 382 382 + static struct logger_log *get_log_from_minor(int); 383 383 + 384 384 + /* 385 385 + * logger_open - the log's open() file operation 386 386 + * 387 387 + * Note how near a no-op this is in the write-only case. Keep it that way! 388 388 + */ 389 389 + static int logger_open(struct inode *inode, struct file *file) 390 390 + { 391 391 + struct logger_log *log; 392 392 + int ret; 393 393 + 394 394 + ret = nonseekable_open(inode, file); 395 395 + if (ret) 396 396 + return ret; 397 397 + 398 398 + log = get_log_from_minor(MINOR(inode->i_rdev)); 399 399 + if (!log) 400 400 + return -ENODEV; 401 401 + 402 402 + if (file->f_mode & FMODE_READ) { 403 403 + struct logger_reader *reader; 404 404 + 405 405 + reader = kmalloc(sizeof(struct logger_reader), GFP_KERNEL); 406 406 + if (!reader) 407 407 + return -ENOMEM; 408 408 + 409 409 + reader->log = log; 410 410 + INIT_LIST_HEAD(&reader->list); 411 411 + 412 412 + mutex_lock(&log->mutex); 413 413 + reader->r_off = log->head; 414 414 + list_add_tail(&reader->list, &log->readers); 415 415 + mutex_unlock(&log->mutex); 416 416 + 417 417 + file->private_data = reader; 418 418 + } else 419 419 + file->private_data = log; 420 420 + 421 421 + return 0; 422 422 + } 423 423 + 424 424 + /* 425 425 + * logger_release - the log's release file operation 426 426 + * 427 427 + * Note this is a total no-op in the write-only case. Keep it that way! 428 428 + */ 429 429 + static int logger_release(struct inode *ignored, struct file *file) 430 430 + { 431 431 + if (file->f_mode & FMODE_READ) { 432 432 + struct logger_reader *reader = file->private_data; 433 433 + list_del(&reader->list); 434 434 + kfree(reader); 435 435 + } 436 436 + 437 437 + return 0; 438 438 + } 439 439 + 440 440 + /* 441 441 + * logger_poll - the log's poll file operation, for poll/select/epoll 442 442 + * 443 443 + * Note we always return POLLOUT, because you can always write() to the log. 444 444 + * Note also that, strictly speaking, a return value of POLLIN does not 445 445 + * guarantee that the log is readable without blocking, as there is a small 446 446 + * chance that the writer can lap the reader in the interim between poll() 447 447 + * returning and the read() request. 448 448 + */ 449 449 + static unsigned int logger_poll(struct file *file, poll_table *wait) 450 450 + { 451 451 + struct logger_reader *reader; 452 452 + struct logger_log *log; 453 453 + unsigned int ret = POLLOUT | POLLWRNORM; 454 454 + 455 455 + if (!(file->f_mode & FMODE_READ)) 456 456 + return ret; 457 457 + 458 458 + reader = file->private_data; 459 459 + log = reader->log; 460 460 + 461 461 + poll_wait(file, &log->wq, wait); 462 462 + 463 463 + mutex_lock(&log->mutex); 464 464 + if (log->w_off != reader->r_off) 465 465 + ret |= POLLIN | POLLRDNORM; 466 466 + mutex_unlock(&log->mutex); 467 467 + 468 468 + return ret; 469 469 + } 470 470 + 471 471 + static long logger_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 472 472 + { 473 473 + struct logger_log *log = file_get_log(file); 474 474 + struct logger_reader *reader; 475 475 + long ret = -ENOTTY; 476 476 + 477 477 + mutex_lock(&log->mutex); 478 478 + 479 479 + switch (cmd) { 480 480 + case LOGGER_GET_LOG_BUF_SIZE: 481 481 + ret = log->size; 482 482 + break; 483 483 + case LOGGER_GET_LOG_LEN: 484 484 + if (!(file->f_mode & FMODE_READ)) { 485 485 + ret = -EBADF; 486 486 + break; 487 487 + } 488 488 + reader = file->private_data; 489 489 + if (log->w_off >= reader->r_off) 490 490 + ret = log->w_off - reader->r_off; 491 491 + else 492 492 + ret = (log->size - reader->r_off) + log->w_off; 493 493 + break; 494 494 + case LOGGER_GET_NEXT_ENTRY_LEN: 495 495 + if (!(file->f_mode & FMODE_READ)) { 496 496 + ret = -EBADF; 497 497 + break; 498 498 + } 499 499 + reader = file->private_data; 500 500 + if (log->w_off != reader->r_off) 501 501 + ret = get_entry_len(log, reader->r_off); 502 502 + else 503 503 + ret = 0; 504 504 + break; 505 505 + case LOGGER_FLUSH_LOG: 506 506 + if (!(file->f_mode & FMODE_WRITE)) { 507 507 + ret = -EBADF; 508 508 + break; 509 509 + } 510 510 + list_for_each_entry(reader, &log->readers, list) 511 511 + reader->r_off = log->w_off; 512 512 + log->head = log->w_off; 513 513 + ret = 0; 514 514 + break; 515 515 + } 516 516 + 517 517 + mutex_unlock(&log->mutex); 518 518 + 519 519 + return ret; 520 520 + } 521 521 + 522 522 + static const struct file_operations logger_fops = { 523 523 + .owner = THIS_MODULE, 524 524 + .read = logger_read, 525 525 + .aio_write = logger_aio_write, 526 526 + .poll = logger_poll, 527 527 + .unlocked_ioctl = logger_ioctl, 528 528 + .compat_ioctl = logger_ioctl, 529 529 + .open = logger_open, 530 530 + .release = logger_release, 531 531 + }; 532 532 + 533 533 + /* 534 534 + * Defines a log structure with name 'NAME' and a size of 'SIZE' bytes, which 535 535 + * must be a power of two, greater than LOGGER_ENTRY_MAX_LEN, and less than 536 536 + * LONG_MAX minus LOGGER_ENTRY_MAX_LEN. 537 537 + */ 538 538 + #define DEFINE_LOGGER_DEVICE(VAR, NAME, SIZE) \ 539 539 + static unsigned char _buf_ ## VAR[SIZE]; \ 540 540 + static struct logger_log VAR = { \ 541 541 + .buffer = _buf_ ## VAR, \ 542 542 + .misc = { \ 543 543 + .minor = MISC_DYNAMIC_MINOR, \ 544 544 + .name = NAME, \ 545 545 + .fops = &logger_fops, \ 546 546 + .parent = NULL, \ 547 547 + }, \ 548 548 + .wq = __WAIT_QUEUE_HEAD_INITIALIZER(VAR .wq), \ 549 549 + .readers = LIST_HEAD_INIT(VAR .readers), \ 550 550 + .mutex = __MUTEX_INITIALIZER(VAR .mutex), \ 551 551 + .w_off = 0, \ 552 552 + .head = 0, \ 553 553 + .size = SIZE, \ 554 554 + }; 555 555 + 556 556 + DEFINE_LOGGER_DEVICE(log_main, LOGGER_LOG_MAIN, 64*1024) 557 557 + DEFINE_LOGGER_DEVICE(log_events, LOGGER_LOG_EVENTS, 256*1024) 558 558 + DEFINE_LOGGER_DEVICE(log_radio, LOGGER_LOG_RADIO, 64*1024) 559 559 + 560 560 + static struct logger_log *get_log_from_minor(int minor) 561 561 + { 562 562 + if (log_main.misc.minor == minor) 563 563 + return &log_main; 564 564 + if (log_events.misc.minor == minor) 565 565 + return &log_events; 566 566 + if (log_radio.misc.minor == minor) 567 567 + return &log_radio; 568 568 + return NULL; 569 569 + } 570 570 + 571 571 + static int __init init_log(struct logger_log *log) 572 572 + { 573 573 + int ret; 574 574 + 575 575 + ret = misc_register(&log->misc); 576 576 + if (unlikely(ret)) { 577 577 + printk(KERN_ERR "logger: failed to register misc " 578 578 + "device for log '%s'!\n", log->misc.name); 579 579 + return ret; 580 580 + } 581 581 + 582 582 + printk(KERN_INFO "logger: created %luK log '%s'\n", 583 583 + (unsigned long) log->size >> 10, log->misc.name); 584 584 + 585 585 + return 0; 586 586 + } 587 587 + 588 588 + static int __init logger_init(void) 589 589 + { 590 590 + int ret; 591 591 + 592 592 + ret = init_log(&log_main); 593 593 + if (unlikely(ret)) 594 594 + goto out; 595 595 + 596 596 + ret = init_log(&log_events); 597 597 + if (unlikely(ret)) 598 598 + goto out; 599 599 + 600 600 + ret = init_log(&log_radio); 601 601 + if (unlikely(ret)) 602 602 + goto out; 603 603 + 604 604 + out: 605 605 + return ret; 606 606 + } 607 607 + device_initcall(logger_init);

+48

drivers/staging/android/logger.h

reviewed

··· 1 1 + /* include/linux/logger.h 2 2 + * 3 3 + * Copyright (C) 2007-2008 Google, Inc. 4 4 + * Author: Robert Love <rlove@android.com> 5 5 + * 6 6 + * This software is licensed under the terms of the GNU General Public 7 7 + * License version 2, as published by the Free Software Foundation, and 8 8 + * may be copied, distributed, and modified under those terms. 9 9 + * 10 10 + * This program is distributed in the hope that it will be useful, 11 11 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 12 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 13 + * GNU General Public License for more details. 14 14 + * 15 15 + */ 16 16 + 17 17 + #ifndef _LINUX_LOGGER_H 18 18 + #define _LINUX_LOGGER_H 19 19 + 20 20 + #include <linux/types.h> 21 21 + #include <linux/ioctl.h> 22 22 + 23 23 + struct logger_entry { 24 24 + __u16 len; /* length of the payload */ 25 25 + __u16 __pad; /* no matter what, we get 2 bytes of padding */ 26 26 + __s32 pid; /* generating process's pid */ 27 27 + __s32 tid; /* generating process's tid */ 28 28 + __s32 sec; /* seconds since Epoch */ 29 29 + __s32 nsec; /* nanoseconds */ 30 30 + char msg[0]; /* the entry's payload */ 31 31 + }; 32 32 + 33 33 + #define LOGGER_LOG_RADIO "log_radio" /* radio-related messages */ 34 34 + #define LOGGER_LOG_EVENTS "log_events" /* system/hardware events */ 35 35 + #define LOGGER_LOG_MAIN "log_main" /* everything else */ 36 36 + 37 37 + #define LOGGER_ENTRY_MAX_LEN (4*1024) 38 38 + #define LOGGER_ENTRY_MAX_PAYLOAD \ 39 39 + (LOGGER_ENTRY_MAX_LEN - sizeof(struct logger_entry)) 40 40 + 41 41 + #define __LOGGERIO 0xAE 42 42 + 43 43 + #define LOGGER_GET_LOG_BUF_SIZE _IO(__LOGGERIO, 1) /* size of log */ 44 44 + #define LOGGER_GET_LOG_LEN _IO(__LOGGERIO, 2) /* used log len */ 45 45 + #define LOGGER_GET_NEXT_ENTRY_LEN _IO(__LOGGERIO, 3) /* next entry len */ 46 46 + #define LOGGER_FLUSH_LOG _IO(__LOGGERIO, 4) /* flush log */ 47 47 + 48 48 + #endif /* _LINUX_LOGGER_H */

+173

drivers/staging/android/lowmemorykiller.c

reviewed

··· 1 1 + /* drivers/misc/lowmemorykiller.c 2 2 + * 3 3 + * The lowmemorykiller driver lets user-space specify a set of memory thresholds 4 4 + * where processes with a range of oom_adj values will get killed. Specify the 5 5 + * minimum oom_adj values in /sys/module/lowmemorykiller/parameters/adj and the 6 6 + * number of free pages in /sys/module/lowmemorykiller/parameters/minfree. Both 7 7 + * files take a comma separated list of numbers in ascending order. 8 8 + * 9 9 + * For example, write "0,8" to /sys/module/lowmemorykiller/parameters/adj and 10 10 + * "1024,4096" to /sys/module/lowmemorykiller/parameters/minfree to kill processes 11 11 + * with a oom_adj value of 8 or higher when the free memory drops below 4096 pages 12 12 + * and kill processes with a oom_adj value of 0 or higher when the free memory 13 13 + * drops below 1024 pages. 14 14 + * 15 15 + * The driver considers memory used for caches to be free, but if a large 16 16 + * percentage of the cached memory is locked this can be very inaccurate 17 17 + * and processes may not get killed until the normal oom killer is triggered. 18 18 + * 19 19 + * Copyright (C) 2007-2008 Google, Inc. 20 20 + * 21 21 + * This software is licensed under the terms of the GNU General Public 22 22 + * License version 2, as published by the Free Software Foundation, and 23 23 + * may be copied, distributed, and modified under those terms. 24 24 + * 25 25 + * This program is distributed in the hope that it will be useful, 26 26 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 27 27 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 28 28 + * GNU General Public License for more details. 29 29 + * 30 30 + */ 31 31 + 32 32 + #include <linux/module.h> 33 33 + #include <linux/kernel.h> 34 34 + #include <linux/mm.h> 35 35 + #include <linux/oom.h> 36 36 + #include <linux/sched.h> 37 37 + 38 38 + static uint32_t lowmem_debug_level = 2; 39 39 + static int lowmem_adj[6] = { 40 40 + 0, 41 41 + 1, 42 42 + 6, 43 43 + 12, 44 44 + }; 45 45 + static int lowmem_adj_size = 4; 46 46 + static size_t lowmem_minfree[6] = { 47 47 + 3 * 512, /* 6MB */ 48 48 + 2 * 1024, /* 8MB */ 49 49 + 4 * 1024, /* 16MB */ 50 50 + 16 * 1024, /* 64MB */ 51 51 + }; 52 52 + static int lowmem_minfree_size = 4; 53 53 + 54 54 + #define lowmem_print(level, x...) \ 55 55 + do { \ 56 56 + if (lowmem_debug_level >= (level)) \ 57 57 + printk(x); \ 58 58 + } while (0) 59 59 + 60 60 + static int lowmem_shrink(int nr_to_scan, gfp_t gfp_mask) 61 61 + { 62 62 + struct task_struct *p; 63 63 + struct task_struct *selected = NULL; 64 64 + int rem = 0; 65 65 + int tasksize; 66 66 + int i; 67 67 + int min_adj = OOM_ADJUST_MAX + 1; 68 68 + int selected_tasksize = 0; 69 69 + int selected_oom_adj; 70 70 + int array_size = ARRAY_SIZE(lowmem_adj); 71 71 + int other_free = global_page_state(NR_FREE_PAGES); 72 72 + int other_file = global_page_state(NR_FILE_PAGES); 73 73 + 74 74 + if (lowmem_adj_size < array_size) 75 75 + array_size = lowmem_adj_size; 76 76 + if (lowmem_minfree_size < array_size) 77 77 + array_size = lowmem_minfree_size; 78 78 + for (i = 0; i < array_size; i++) { 79 79 + if (other_free < lowmem_minfree[i] && 80 80 + other_file < lowmem_minfree[i]) { 81 81 + min_adj = lowmem_adj[i]; 82 82 + break; 83 83 + } 84 84 + } 85 85 + if (nr_to_scan > 0) 86 86 + lowmem_print(3, "lowmem_shrink %d, %x, ofree %d %d, ma %d\n", 87 87 + nr_to_scan, gfp_mask, other_free, other_file, 88 88 + min_adj); 89 89 + rem = global_page_state(NR_ACTIVE_ANON) + 90 90 + global_page_state(NR_ACTIVE_FILE) + 91 91 + global_page_state(NR_INACTIVE_ANON) + 92 92 + global_page_state(NR_INACTIVE_FILE); 93 93 + if (nr_to_scan <= 0 || min_adj == OOM_ADJUST_MAX + 1) { 94 94 + lowmem_print(5, "lowmem_shrink %d, %x, return %d\n", 95 95 + nr_to_scan, gfp_mask, rem); 96 96 + return rem; 97 97 + } 98 98 + selected_oom_adj = min_adj; 99 99 + 100 100 + read_lock(&tasklist_lock); 101 101 + for_each_process(p) { 102 102 + struct mm_struct *mm; 103 103 + int oom_adj; 104 104 + 105 105 + task_lock(p); 106 106 + mm = p->mm; 107 107 + if (!mm) { 108 108 + task_unlock(p); 109 109 + continue; 110 110 + } 111 111 + oom_adj = mm->oom_adj; 112 112 + if (oom_adj < min_adj) { 113 113 + task_unlock(p); 114 114 + continue; 115 115 + } 116 116 + tasksize = get_mm_rss(mm); 117 117 + task_unlock(p); 118 118 + if (tasksize <= 0) 119 119 + continue; 120 120 + if (selected) { 121 121 + if (oom_adj < selected_oom_adj) 122 122 + continue; 123 123 + if (oom_adj == selected_oom_adj && 124 124 + tasksize <= selected_tasksize) 125 125 + continue; 126 126 + } 127 127 + selected = p; 128 128 + selected_tasksize = tasksize; 129 129 + selected_oom_adj = oom_adj; 130 130 + lowmem_print(2, "select %d (%s), adj %d, size %d, to kill\n", 131 131 + p->pid, p->comm, oom_adj, tasksize); 132 132 + } 133 133 + if (selected) { 134 134 + lowmem_print(1, "send sigkill to %d (%s), adj %d, size %d\n", 135 135 + selected->pid, selected->comm, 136 136 + selected_oom_adj, selected_tasksize); 137 137 + force_sig(SIGKILL, selected); 138 138 + rem -= selected_tasksize; 139 139 + } 140 140 + lowmem_print(4, "lowmem_shrink %d, %x, return %d\n", 141 141 + nr_to_scan, gfp_mask, rem); 142 142 + read_unlock(&tasklist_lock); 143 143 + return rem; 144 144 + } 145 145 + 146 146 + static struct shrinker lowmem_shrinker = { 147 147 + .shrink = lowmem_shrink, 148 148 + .seeks = DEFAULT_SEEKS * 16 149 149 + }; 150 150 + 151 151 + static int __init lowmem_init(void) 152 152 + { 153 153 + register_shrinker(&lowmem_shrinker); 154 154 + return 0; 155 155 + } 156 156 + 157 157 + static void __exit lowmem_exit(void) 158 158 + { 159 159 + unregister_shrinker(&lowmem_shrinker); 160 160 + } 161 161 + 162 162 + module_param_named(cost, lowmem_shrinker.seeks, int, S_IRUGO | S_IWUSR); 163 163 + module_param_array_named(adj, lowmem_adj, int, &lowmem_adj_size, 164 164 + S_IRUGO | S_IWUSR); 165 165 + module_param_array_named(minfree, lowmem_minfree, uint, &lowmem_minfree_size, 166 166 + S_IRUGO | S_IWUSR); 167 167 + module_param_named(debug_level, lowmem_debug_level, uint, S_IRUGO | S_IWUSR); 168 168 + 169 169 + module_init(lowmem_init); 170 170 + module_exit(lowmem_exit); 171 171 + 172 172 + MODULE_LICENSE("GPL"); 173 173 +

+410

drivers/staging/android/ram_console.c

reviewed

··· 1 1 + /* drivers/android/ram_console.c 2 2 + * 3 3 + * Copyright (C) 2007-2008 Google, Inc. 4 4 + * 5 5 + * This software is licensed under the terms of the GNU General Public 6 6 + * License version 2, as published by the Free Software Foundation, and 7 7 + * may be copied, distributed, and modified under those terms. 8 8 + * 9 9 + * This program is distributed in the hope that it will be useful, 10 10 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 11 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 12 + * GNU General Public License for more details. 13 13 + * 14 14 + */ 15 15 + 16 16 + #include <linux/console.h> 17 17 + #include <linux/init.h> 18 18 + #include <linux/module.h> 19 19 + #include <linux/platform_device.h> 20 20 + #include <linux/proc_fs.h> 21 21 + #include <linux/string.h> 22 22 + #include <linux/uaccess.h> 23 23 + #include <linux/io.h> 24 24 + 25 25 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 26 26 + #include <linux/rslib.h> 27 27 + #endif 28 28 + 29 29 + struct ram_console_buffer { 30 30 + uint32_t sig; 31 31 + uint32_t start; 32 32 + uint32_t size; 33 33 + uint8_t data[0]; 34 34 + }; 35 35 + 36 36 + #define RAM_CONSOLE_SIG (0x43474244) /* DBGC */ 37 37 + 38 38 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_EARLY_INIT 39 39 + static char __initdata 40 40 + ram_console_old_log_init_buffer[CONFIG_ANDROID_RAM_CONSOLE_EARLY_SIZE]; 41 41 + #endif 42 42 + static char *ram_console_old_log; 43 43 + static size_t ram_console_old_log_size; 44 44 + 45 45 + static struct ram_console_buffer *ram_console_buffer; 46 46 + static size_t ram_console_buffer_size; 47 47 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 48 48 + static char *ram_console_par_buffer; 49 49 + static struct rs_control *ram_console_rs_decoder; 50 50 + static int ram_console_corrected_bytes; 51 51 + static int ram_console_bad_blocks; 52 52 + #define ECC_BLOCK_SIZE CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION_DATA_SIZE 53 53 + #define ECC_SIZE CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION_ECC_SIZE 54 54 + #define ECC_SYMSIZE CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION_SYMBOL_SIZE 55 55 + #define ECC_POLY CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION_POLYNOMIAL 56 56 + #endif 57 57 + 58 58 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 59 59 + static void ram_console_encode_rs8(uint8_t *data, size_t len, uint8_t *ecc) 60 60 + { 61 61 + int i; 62 62 + uint16_t par[ECC_SIZE]; 63 63 + /* Initialize the parity buffer */ 64 64 + memset(par, 0, sizeof(par)); 65 65 + encode_rs8(ram_console_rs_decoder, data, len, par, 0); 66 66 + for (i = 0; i < ECC_SIZE; i++) 67 67 + ecc[i] = par[i]; 68 68 + } 69 69 + 70 70 + static int ram_console_decode_rs8(void *data, size_t len, uint8_t *ecc) 71 71 + { 72 72 + int i; 73 73 + uint16_t par[ECC_SIZE]; 74 74 + for (i = 0; i < ECC_SIZE; i++) 75 75 + par[i] = ecc[i]; 76 76 + return decode_rs8(ram_console_rs_decoder, data, par, len, 77 77 + NULL, 0, NULL, 0, NULL); 78 78 + } 79 79 + #endif 80 80 + 81 81 + static void ram_console_update(const char *s, unsigned int count) 82 82 + { 83 83 + struct ram_console_buffer *buffer = ram_console_buffer; 84 84 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 85 85 + uint8_t *buffer_end = buffer->data + ram_console_buffer_size; 86 86 + uint8_t *block; 87 87 + uint8_t *par; 88 88 + int size = ECC_BLOCK_SIZE; 89 89 + #endif 90 90 + memcpy(buffer->data + buffer->start, s, count); 91 91 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 92 92 + block = buffer->data + (buffer->start & ~(ECC_BLOCK_SIZE - 1)); 93 93 + par = ram_console_par_buffer + 94 94 + (buffer->start / ECC_BLOCK_SIZE) * ECC_SIZE; 95 95 + do { 96 96 + if (block + ECC_BLOCK_SIZE > buffer_end) 97 97 + size = buffer_end - block; 98 98 + ram_console_encode_rs8(block, size, par); 99 99 + block += ECC_BLOCK_SIZE; 100 100 + par += ECC_SIZE; 101 101 + } while (block < buffer->data + buffer->start + count); 102 102 + #endif 103 103 + } 104 104 + 105 105 + static void ram_console_update_header(void) 106 106 + { 107 107 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 108 108 + struct ram_console_buffer *buffer = ram_console_buffer; 109 109 + uint8_t *par; 110 110 + par = ram_console_par_buffer + 111 111 + DIV_ROUND_UP(ram_console_buffer_size, ECC_BLOCK_SIZE) * ECC_SIZE; 112 112 + ram_console_encode_rs8((uint8_t *)buffer, sizeof(*buffer), par); 113 113 + #endif 114 114 + } 115 115 + 116 116 + static void 117 117 + ram_console_write(struct console *console, const char *s, unsigned int count) 118 118 + { 119 119 + int rem; 120 120 + struct ram_console_buffer *buffer = ram_console_buffer; 121 121 + 122 122 + if (count > ram_console_buffer_size) { 123 123 + s += count - ram_console_buffer_size; 124 124 + count = ram_console_buffer_size; 125 125 + } 126 126 + rem = ram_console_buffer_size - buffer->start; 127 127 + if (rem < count) { 128 128 + ram_console_update(s, rem); 129 129 + s += rem; 130 130 + count -= rem; 131 131 + buffer->start = 0; 132 132 + buffer->size = ram_console_buffer_size; 133 133 + } 134 134 + ram_console_update(s, count); 135 135 + 136 136 + buffer->start += count; 137 137 + if (buffer->size < ram_console_buffer_size) 138 138 + buffer->size += count; 139 139 + ram_console_update_header(); 140 140 + } 141 141 + 142 142 + static struct console ram_console = { 143 143 + .name = "ram", 144 144 + .write = ram_console_write, 145 145 + .flags = CON_PRINTBUFFER | CON_ENABLED, 146 146 + .index = -1, 147 147 + }; 148 148 + 149 149 + static void __init 150 150 + ram_console_save_old(struct ram_console_buffer *buffer, char *dest) 151 151 + { 152 152 + size_t old_log_size = buffer->size; 153 153 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 154 154 + uint8_t *block; 155 155 + uint8_t *par; 156 156 + char strbuf[80]; 157 157 + int strbuf_len; 158 158 + 159 159 + block = buffer->data; 160 160 + par = ram_console_par_buffer; 161 161 + while (block < buffer->data + buffer->size) { 162 162 + int numerr; 163 163 + int size = ECC_BLOCK_SIZE; 164 164 + if (block + size > buffer->data + ram_console_buffer_size) 165 165 + size = buffer->data + ram_console_buffer_size - block; 166 166 + numerr = ram_console_decode_rs8(block, size, par); 167 167 + if (numerr > 0) { 168 168 + #if 0 169 169 + printk(KERN_INFO "ram_console: error in block %p, %d\n", 170 170 + block, numerr); 171 171 + #endif 172 172 + ram_console_corrected_bytes += numerr; 173 173 + } else if (numerr < 0) { 174 174 + #if 0 175 175 + printk(KERN_INFO "ram_console: uncorrectable error in " 176 176 + "block %p\n", block); 177 177 + #endif 178 178 + ram_console_bad_blocks++; 179 179 + } 180 180 + block += ECC_BLOCK_SIZE; 181 181 + par += ECC_SIZE; 182 182 + } 183 183 + if (ram_console_corrected_bytes || ram_console_bad_blocks) 184 184 + strbuf_len = snprintf(strbuf, sizeof(strbuf), 185 185 + "\n%d Corrected bytes, %d unrecoverable blocks\n", 186 186 + ram_console_corrected_bytes, ram_console_bad_blocks); 187 187 + else 188 188 + strbuf_len = snprintf(strbuf, sizeof(strbuf), 189 189 + "\nNo errors detected\n"); 190 190 + if (strbuf_len >= sizeof(strbuf)) 191 191 + strbuf_len = sizeof(strbuf) - 1; 192 192 + old_log_size += strbuf_len; 193 193 + #endif 194 194 + 195 195 + if (dest == NULL) { 196 196 + dest = kmalloc(old_log_size, GFP_KERNEL); 197 197 + if (dest == NULL) { 198 198 + printk(KERN_ERR 199 199 + "ram_console: failed to allocate buffer\n"); 200 200 + return; 201 201 + } 202 202 + } 203 203 + 204 204 + ram_console_old_log = dest; 205 205 + ram_console_old_log_size = old_log_size; 206 206 + memcpy(ram_console_old_log, 207 207 + &buffer->data[buffer->start], buffer->size - buffer->start); 208 208 + memcpy(ram_console_old_log + buffer->size - buffer->start, 209 209 + &buffer->data[0], buffer->start); 210 210 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 211 211 + memcpy(ram_console_old_log + old_log_size - strbuf_len, 212 212 + strbuf, strbuf_len); 213 213 + #endif 214 214 + } 215 215 + 216 216 + static int __init ram_console_init(struct ram_console_buffer *buffer, 217 217 + size_t buffer_size, char *old_buf) 218 218 + { 219 219 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 220 220 + int numerr; 221 221 + uint8_t *par; 222 222 + #endif 223 223 + ram_console_buffer = buffer; 224 224 + ram_console_buffer_size = 225 225 + buffer_size - sizeof(struct ram_console_buffer); 226 226 + 227 227 + if (ram_console_buffer_size > buffer_size) { 228 228 + pr_err("ram_console: buffer %p, invalid size %zu, " 229 229 + "datasize %zu\n", buffer, buffer_size, 230 230 + ram_console_buffer_size); 231 231 + return 0; 232 232 + } 233 233 + 234 234 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ERROR_CORRECTION 235 235 + ram_console_buffer_size -= (DIV_ROUND_UP(ram_console_buffer_size, 236 236 + ECC_BLOCK_SIZE) + 1) * ECC_SIZE; 237 237 + 238 238 + if (ram_console_buffer_size > buffer_size) { 239 239 + pr_err("ram_console: buffer %p, invalid size %zu, " 240 240 + "non-ecc datasize %zu\n", 241 241 + buffer, buffer_size, ram_console_buffer_size); 242 242 + return 0; 243 243 + } 244 244 + 245 245 + ram_console_par_buffer = buffer->data + ram_console_buffer_size; 246 246 + 247 247 + 248 248 + /* first consecutive root is 0 249 249 + * primitive element to generate roots = 1 250 250 + */ 251 251 + ram_console_rs_decoder = init_rs(ECC_SYMSIZE, ECC_POLY, 0, 1, ECC_SIZE); 252 252 + if (ram_console_rs_decoder == NULL) { 253 253 + printk(KERN_INFO "ram_console: init_rs failed\n"); 254 254 + return 0; 255 255 + } 256 256 + 257 257 + ram_console_corrected_bytes = 0; 258 258 + ram_console_bad_blocks = 0; 259 259 + 260 260 + par = ram_console_par_buffer + 261 261 + DIV_ROUND_UP(ram_console_buffer_size, ECC_BLOCK_SIZE) * ECC_SIZE; 262 262 + 263 263 + numerr = ram_console_decode_rs8(buffer, sizeof(*buffer), par); 264 264 + if (numerr > 0) { 265 265 + printk(KERN_INFO "ram_console: error in header, %d\n", numerr); 266 266 + ram_console_corrected_bytes += numerr; 267 267 + } else if (numerr < 0) { 268 268 + printk(KERN_INFO 269 269 + "ram_console: uncorrectable error in header\n"); 270 270 + ram_console_bad_blocks++; 271 271 + } 272 272 + #endif 273 273 + 274 274 + if (buffer->sig == RAM_CONSOLE_SIG) { 275 275 + if (buffer->size > ram_console_buffer_size 276 276 + || buffer->start > buffer->size) 277 277 + printk(KERN_INFO "ram_console: found existing invalid " 278 278 + "buffer, size %d, start %d\n", 279 279 + buffer->size, buffer->start); 280 280 + else { 281 281 + printk(KERN_INFO "ram_console: found existing buffer, " 282 282 + "size %d, start %d\n", 283 283 + buffer->size, buffer->start); 284 284 + ram_console_save_old(buffer, old_buf); 285 285 + } 286 286 + } else { 287 287 + printk(KERN_INFO "ram_console: no valid data in buffer " 288 288 + "(sig = 0x%08x)\n", buffer->sig); 289 289 + } 290 290 + 291 291 + buffer->sig = RAM_CONSOLE_SIG; 292 292 + buffer->start = 0; 293 293 + buffer->size = 0; 294 294 + 295 295 + register_console(&ram_console); 296 296 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_ENABLE_VERBOSE 297 297 + console_verbose(); 298 298 + #endif 299 299 + return 0; 300 300 + } 301 301 + 302 302 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_EARLY_INIT 303 303 + static int __init ram_console_early_init(void) 304 304 + { 305 305 + return ram_console_init((struct ram_console_buffer *) 306 306 + CONFIG_ANDROID_RAM_CONSOLE_EARLY_ADDR, 307 307 + CONFIG_ANDROID_RAM_CONSOLE_EARLY_SIZE, 308 308 + ram_console_old_log_init_buffer); 309 309 + } 310 310 + #else 311 311 + static int ram_console_driver_probe(struct platform_device *pdev) 312 312 + { 313 313 + struct resource *res = pdev->resource; 314 314 + size_t start; 315 315 + size_t buffer_size; 316 316 + void *buffer; 317 317 + 318 318 + if (res == NULL || pdev->num_resources != 1 || 319 319 + !(res->flags & IORESOURCE_MEM)) { 320 320 + printk(KERN_ERR "ram_console: invalid resource, %p %d flags " 321 321 + "%lx\n", res, pdev->num_resources, res ? res->flags : 0); 322 322 + return -ENXIO; 323 323 + } 324 324 + buffer_size = res->end - res->start + 1; 325 325 + start = res->start; 326 326 + printk(KERN_INFO "ram_console: got buffer at %zx, size %zx\n", 327 327 + start, buffer_size); 328 328 + buffer = ioremap(res->start, buffer_size); 329 329 + if (buffer == NULL) { 330 330 + printk(KERN_ERR "ram_console: failed to map memory\n"); 331 331 + return -ENOMEM; 332 332 + } 333 333 + 334 334 + return ram_console_init(buffer, buffer_size, NULL/* allocate */); 335 335 + } 336 336 + 337 337 + static struct platform_driver ram_console_driver = { 338 338 + .probe = ram_console_driver_probe, 339 339 + .driver = { 340 340 + .name = "ram_console", 341 341 + }, 342 342 + }; 343 343 + 344 344 + static int __init ram_console_module_init(void) 345 345 + { 346 346 + int err; 347 347 + err = platform_driver_register(&ram_console_driver); 348 348 + return err; 349 349 + } 350 350 + #endif 351 351 + 352 352 + static ssize_t ram_console_read_old(struct file *file, char __user *buf, 353 353 + size_t len, loff_t *offset) 354 354 + { 355 355 + loff_t pos = *offset; 356 356 + ssize_t count; 357 357 + 358 358 + if (pos >= ram_console_old_log_size) 359 359 + return 0; 360 360 + 361 361 + count = min(len, (size_t)(ram_console_old_log_size - pos)); 362 362 + if (copy_to_user(buf, ram_console_old_log + pos, count)) 363 363 + return -EFAULT; 364 364 + 365 365 + *offset += count; 366 366 + return count; 367 367 + } 368 368 + 369 369 + static const struct file_operations ram_console_file_ops = { 370 370 + .owner = THIS_MODULE, 371 371 + .read = ram_console_read_old, 372 372 + }; 373 373 + 374 374 + static int __init ram_console_late_init(void) 375 375 + { 376 376 + struct proc_dir_entry *entry; 377 377 + 378 378 + if (ram_console_old_log == NULL) 379 379 + return 0; 380 380 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_EARLY_INIT 381 381 + ram_console_old_log = kmalloc(ram_console_old_log_size, GFP_KERNEL); 382 382 + if (ram_console_old_log == NULL) { 383 383 + printk(KERN_ERR 384 384 + "ram_console: failed to allocate buffer for old log\n"); 385 385 + ram_console_old_log_size = 0; 386 386 + return 0; 387 387 + } 388 388 + memcpy(ram_console_old_log, 389 389 + ram_console_old_log_init_buffer, ram_console_old_log_size); 390 390 + #endif 391 391 + entry = create_proc_entry("last_kmsg", S_IFREG | S_IRUGO, NULL); 392 392 + if (!entry) { 393 393 + printk(KERN_ERR "ram_console: failed to create proc entry\n"); 394 394 + kfree(ram_console_old_log); 395 395 + ram_console_old_log = NULL; 396 396 + return 0; 397 397 + } 398 398 + 399 399 + entry->proc_fops = &ram_console_file_ops; 400 400 + entry->size = ram_console_old_log_size; 401 401 + return 0; 402 402 + } 403 403 + 404 404 + #ifdef CONFIG_ANDROID_RAM_CONSOLE_EARLY_INIT 405 405 + console_initcall(ram_console_early_init); 406 406 + #else 407 407 + module_init(ram_console_module_init); 408 408 + #endif 409 409 + late_initcall(ram_console_late_init); 410 410 +

+166

drivers/staging/android/timed_gpio.c

reviewed

··· 1 1 + /* drivers/misc/timed_gpio.c 2 2 + * 3 3 + * Copyright (C) 2008 Google, Inc. 4 4 + * Author: Mike Lockwood <lockwood@android.com> 5 5 + * 6 6 + * This software is licensed under the terms of the GNU General Public 7 7 + * License version 2, as published by the Free Software Foundation, and 8 8 + * may be copied, distributed, and modified under those terms. 9 9 + * 10 10 + * This program is distributed in the hope that it will be useful, 11 11 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 12 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 13 + * GNU General Public License for more details. 14 14 + * 15 15 + */ 16 16 + 17 17 + #include <linux/module.h> 18 18 + #include <linux/platform_device.h> 19 19 + #include <linux/hrtimer.h> 20 20 + #include <linux/err.h> 21 21 + #include <linux/gpio.h> 22 22 + 23 23 + #include "timed_output.h" 24 24 + #include "timed_gpio.h" 25 25 + 26 26 + 27 27 + struct timed_gpio_data { 28 28 + struct timed_output_dev dev; 29 29 + struct hrtimer timer; 30 30 + spinlock_t lock; 31 31 + unsigned gpio; 32 32 + int max_timeout; 33 33 + u8 active_low; 34 34 + }; 35 35 + 36 36 + static enum hrtimer_restart gpio_timer_func(struct hrtimer *timer) 37 37 + { 38 38 + struct timed_gpio_data *data = 39 39 + container_of(timer, struct timed_gpio_data, timer); 40 40 + 41 41 + gpio_direction_output(data->gpio, data->active_low ? 1 : 0); 42 42 + return HRTIMER_NORESTART; 43 43 + } 44 44 + 45 45 + static int gpio_get_time(struct timed_output_dev *dev) 46 46 + { 47 47 + struct timed_gpio_data *data = 48 48 + container_of(dev, struct timed_gpio_data, dev); 49 49 + 50 50 + if (hrtimer_active(&data->timer)) { 51 51 + ktime_t r = hrtimer_get_remaining(&data->timer); 52 52 + struct timeval t = ktime_to_timeval(r); 53 53 + return t.tv_sec * 1000 + t.tv_usec / 1000; 54 54 + } else 55 55 + return 0; 56 56 + } 57 57 + 58 58 + static void gpio_enable(struct timed_output_dev *dev, int value) 59 59 + { 60 60 + struct timed_gpio_data *data = 61 61 + container_of(dev, struct timed_gpio_data, dev); 62 62 + unsigned long flags; 63 63 + 64 64 + spin_lock_irqsave(&data->lock, flags); 65 65 + 66 66 + /* cancel previous timer and set GPIO according to value */ 67 67 + hrtimer_cancel(&data->timer); 68 68 + gpio_direction_output(data->gpio, data->active_low ? !value : !!value); 69 69 + 70 70 + if (value > 0) { 71 71 + if (value > data->max_timeout) 72 72 + value = data->max_timeout; 73 73 + 74 74 + hrtimer_start(&data->timer, 75 75 + ktime_set(value / 1000, (value % 1000) * 1000000), 76 76 + HRTIMER_MODE_REL); 77 77 + } 78 78 + 79 79 + spin_unlock_irqrestore(&data->lock, flags); 80 80 + } 81 81 + 82 82 + static int timed_gpio_probe(struct platform_device *pdev) 83 83 + { 84 84 + struct timed_gpio_platform_data *pdata = pdev->dev.platform_data; 85 85 + struct timed_gpio *cur_gpio; 86 86 + struct timed_gpio_data *gpio_data, *gpio_dat; 87 87 + int i, j, ret = 0; 88 88 + 89 89 + if (!pdata) 90 90 + return -EBUSY; 91 91 + 92 92 + gpio_data = kzalloc(sizeof(struct timed_gpio_data) * pdata->num_gpios, 93 93 + GFP_KERNEL); 94 94 + if (!gpio_data) 95 95 + return -ENOMEM; 96 96 + 97 97 + for (i = 0; i < pdata->num_gpios; i++) { 98 98 + cur_gpio = &pdata->gpios[i]; 99 99 + gpio_dat = &gpio_data[i]; 100 100 + 101 101 + hrtimer_init(&gpio_dat->timer, CLOCK_MONOTONIC, 102 102 + HRTIMER_MODE_REL); 103 103 + gpio_dat->timer.function = gpio_timer_func; 104 104 + spin_lock_init(&gpio_dat->lock); 105 105 + 106 106 + gpio_dat->dev.name = cur_gpio->name; 107 107 + gpio_dat->dev.get_time = gpio_get_time; 108 108 + gpio_dat->dev.enable = gpio_enable; 109 109 + ret = timed_output_dev_register(&gpio_dat->dev); 110 110 + if (ret < 0) { 111 111 + for (j = 0; j < i; j++) 112 112 + timed_output_dev_unregister(&gpio_data[i].dev); 113 113 + kfree(gpio_data); 114 114 + return ret; 115 115 + } 116 116 + 117 117 + gpio_dat->gpio = cur_gpio->gpio; 118 118 + gpio_dat->max_timeout = cur_gpio->max_timeout; 119 119 + gpio_dat->active_low = cur_gpio->active_low; 120 120 + gpio_direction_output(gpio_dat->gpio, gpio_dat->active_low); 121 121 + } 122 122 + 123 123 + platform_set_drvdata(pdev, gpio_data); 124 124 + 125 125 + return 0; 126 126 + } 127 127 + 128 128 + static int timed_gpio_remove(struct platform_device *pdev) 129 129 + { 130 130 + struct timed_gpio_platform_data *pdata = pdev->dev.platform_data; 131 131 + struct timed_gpio_data *gpio_data = platform_get_drvdata(pdev); 132 132 + int i; 133 133 + 134 134 + for (i = 0; i < pdata->num_gpios; i++) 135 135 + timed_output_dev_unregister(&gpio_data[i].dev); 136 136 + 137 137 + kfree(gpio_data); 138 138 + 139 139 + return 0; 140 140 + } 141 141 + 142 142 + static struct platform_driver timed_gpio_driver = { 143 143 + .probe = timed_gpio_probe, 144 144 + .remove = timed_gpio_remove, 145 145 + .driver = { 146 146 + .name = TIMED_GPIO_NAME, 147 147 + .owner = THIS_MODULE, 148 148 + }, 149 149 + }; 150 150 + 151 151 + static int __init timed_gpio_init(void) 152 152 + { 153 153 + return platform_driver_register(&timed_gpio_driver); 154 154 + } 155 155 + 156 156 + static void __exit timed_gpio_exit(void) 157 157 + { 158 158 + platform_driver_unregister(&timed_gpio_driver); 159 159 + } 160 160 + 161 161 + module_init(timed_gpio_init); 162 162 + module_exit(timed_gpio_exit); 163 163 + 164 164 + MODULE_AUTHOR("Mike Lockwood <lockwood@android.com>"); 165 165 + MODULE_DESCRIPTION("timed gpio driver"); 166 166 + MODULE_LICENSE("GPL");

+33

drivers/staging/android/timed_gpio.h

reviewed

··· 1 1 + /* include/linux/timed_gpio.h 2 2 + * 3 3 + * Copyright (C) 2008 Google, Inc. 4 4 + * 5 5 + * This software is licensed under the terms of the GNU General Public 6 6 + * License version 2, as published by the Free Software Foundation, and 7 7 + * may be copied, distributed, and modified under those terms. 8 8 + * 9 9 + * This program is distributed in the hope that it will be useful, 10 10 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 11 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 12 + * GNU General Public License for more details. 13 13 + * 14 14 + */ 15 15 + 16 16 + #ifndef _LINUX_TIMED_GPIO_H 17 17 + #define _LINUX_TIMED_GPIO_H 18 18 + 19 19 + #define TIMED_GPIO_NAME "timed-gpio" 20 20 + 21 21 + struct timed_gpio { 22 22 + const char *name; 23 23 + unsigned gpio; 24 24 + int max_timeout; 25 25 + u8 active_low; 26 26 + }; 27 27 + 28 28 + struct timed_gpio_platform_data { 29 29 + int num_gpios; 30 30 + struct timed_gpio *gpios; 31 31 + }; 32 32 + 33 33 + #endif

+121

drivers/staging/android/timed_output.c

reviewed

··· 1 1 + /* drivers/misc/timed_output.c 2 2 + * 3 3 + * Copyright (C) 2009 Google, Inc. 4 4 + * Author: Mike Lockwood <lockwood@android.com> 5 5 + * 6 6 + * This software is licensed under the terms of the GNU General Public 7 7 + * License version 2, as published by the Free Software Foundation, and 8 8 + * may be copied, distributed, and modified under those terms. 9 9 + * 10 10 + * This program is distributed in the hope that it will be useful, 11 11 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 12 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 13 + * GNU General Public License for more details. 14 14 + * 15 15 + */ 16 16 + 17 17 + #include <linux/module.h> 18 18 + #include <linux/types.h> 19 19 + #include <linux/device.h> 20 20 + #include <linux/fs.h> 21 21 + #include <linux/err.h> 22 22 + 23 23 + #include "timed_output.h" 24 24 + 25 25 + static struct class *timed_output_class; 26 26 + static atomic_t device_count; 27 27 + 28 28 + static ssize_t enable_show(struct device *dev, struct device_attribute *attr, 29 29 + char *buf) 30 30 + { 31 31 + struct timed_output_dev *tdev = dev_get_drvdata(dev); 32 32 + int remaining = tdev->get_time(tdev); 33 33 + 34 34 + return sprintf(buf, "%d\n", remaining); 35 35 + } 36 36 + 37 37 + static ssize_t enable_store( 38 38 + struct device *dev, struct device_attribute *attr, 39 39 + const char *buf, size_t size) 40 40 + { 41 41 + struct timed_output_dev *tdev = dev_get_drvdata(dev); 42 42 + int value; 43 43 + 44 44 + sscanf(buf, "%d", &value); 45 45 + tdev->enable(tdev, value); 46 46 + 47 47 + return size; 48 48 + } 49 49 + 50 50 + static DEVICE_ATTR(enable, S_IRUGO | S_IWUSR, enable_show, enable_store); 51 51 + 52 52 + static int create_timed_output_class(void) 53 53 + { 54 54 + if (!timed_output_class) { 55 55 + timed_output_class = class_create(THIS_MODULE, "timed_output"); 56 56 + if (IS_ERR(timed_output_class)) 57 57 + return PTR_ERR(timed_output_class); 58 58 + atomic_set(&device_count, 0); 59 59 + } 60 60 + 61 61 + return 0; 62 62 + } 63 63 + 64 64 + int timed_output_dev_register(struct timed_output_dev *tdev) 65 65 + { 66 66 + int ret; 67 67 + 68 68 + if (!tdev || !tdev->name || !tdev->enable || !tdev->get_time) 69 69 + return -EINVAL; 70 70 + 71 71 + ret = create_timed_output_class(); 72 72 + if (ret < 0) 73 73 + return ret; 74 74 + 75 75 + tdev->index = atomic_inc_return(&device_count); 76 76 + tdev->dev = device_create(timed_output_class, NULL, 77 77 + MKDEV(0, tdev->index), NULL, tdev->name); 78 78 + if (IS_ERR(tdev->dev)) 79 79 + return PTR_ERR(tdev->dev); 80 80 + 81 81 + ret = device_create_file(tdev->dev, &dev_attr_enable); 82 82 + if (ret < 0) 83 83 + goto err_create_file; 84 84 + 85 85 + dev_set_drvdata(tdev->dev, tdev); 86 86 + tdev->state = 0; 87 87 + return 0; 88 88 + 89 89 + err_create_file: 90 90 + device_destroy(timed_output_class, MKDEV(0, tdev->index)); 91 91 + printk(KERN_ERR "timed_output: Failed to register driver %s\n", 92 92 + tdev->name); 93 93 + 94 94 + return ret; 95 95 + } 96 96 + EXPORT_SYMBOL_GPL(timed_output_dev_register); 97 97 + 98 98 + void timed_output_dev_unregister(struct timed_output_dev *tdev) 99 99 + { 100 100 + device_remove_file(tdev->dev, &dev_attr_enable); 101 101 + device_destroy(timed_output_class, MKDEV(0, tdev->index)); 102 102 + dev_set_drvdata(tdev->dev, NULL); 103 103 + } 104 104 + EXPORT_SYMBOL_GPL(timed_output_dev_unregister); 105 105 + 106 106 + static int __init timed_output_init(void) 107 107 + { 108 108 + return create_timed_output_class(); 109 109 + } 110 110 + 111 111 + static void __exit timed_output_exit(void) 112 112 + { 113 113 + class_destroy(timed_output_class); 114 114 + } 115 115 + 116 116 + module_init(timed_output_init); 117 117 + module_exit(timed_output_exit); 118 118 + 119 119 + MODULE_AUTHOR("Mike Lockwood <lockwood@android.com>"); 120 120 + MODULE_DESCRIPTION("timed output class driver"); 121 121 + MODULE_LICENSE("GPL");

+37

drivers/staging/android/timed_output.h

reviewed

··· 1 1 + /* include/linux/timed_output.h 2 2 + * 3 3 + * Copyright (C) 2008 Google, Inc. 4 4 + * 5 5 + * This software is licensed under the terms of the GNU General Public 6 6 + * License version 2, as published by the Free Software Foundation, and 7 7 + * may be copied, distributed, and modified under those terms. 8 8 + * 9 9 + * This program is distributed in the hope that it will be useful, 10 10 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 11 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 12 + * GNU General Public License for more details. 13 13 + * 14 14 + */ 15 15 + 16 16 + #ifndef _LINUX_TIMED_OUTPUT_H 17 17 + #define _LINUX_TIMED_OUTPUT_H 18 18 + 19 19 + struct timed_output_dev { 20 20 + const char *name; 21 21 + 22 22 + /* enable the output and set the timer */ 23 23 + void (*enable)(struct timed_output_dev *sdev, int timeout); 24 24 + 25 25 + /* returns the current number of milliseconds remaining on the timer */ 26 26 + int (*get_time)(struct timed_output_dev *sdev); 27 27 + 28 28 + /* private data */ 29 29 + struct device *dev; 30 30 + int index; 31 31 + int state; 32 32 + }; 33 33 + 34 34 + extern int timed_output_dev_register(struct timed_output_dev *dev); 35 35 + extern void timed_output_dev_unregister(struct timed_output_dev *dev); 36 36 + 37 37 + #endif