tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

staging: binder: Support concurrent 32 bit and 64 bit processes.

For 64bit systems we want to use the same binder interface for 32bit and
64bit processes. Thus the size and the layout of the structures passed
between the kernel and the userspace has to be the same for both 32 and
64bit processes.

This change replaces all the uses of void* and size_t with
binder_uintptr_t and binder_size_t. These are then typedefed to specific
sizes depending on the use of the interface, as follows:
* __u32 - on legacy 32bit only userspace
* __u64 - on mixed 32/64bit userspace where all processes use the same
interface.

This change also increments the BINDER_CURRENT_PROTOCOL_VERSION to 8 and
hooks the compat_ioctl entry for the mixed 32/64bit Android userspace.

This patch also provides a CONFIG_ANDROID_BINDER_IPC_32BIT option for
compatability, which if set which enables the old protocol, setting
BINDER_CURRENT_PROTOCOL_VERSION to 7, on 32 bit systems.

Please note that all 64bit kernels will use the 64bit Binder ABI.

Cc: Colin Cross <ccross@android.com>
Cc: Arve Hjønnevåg <arve@android.com>
Cc: Serban Constantinescu <serban.constantinescu@arm.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Arve Hjønnevåg <arve@android.com>
[jstultz: Merged with upstream type changes. Various whitespace fixes
and longer Kconfig description for checkpatch. Included improved commit
message from Serban (with a few tweaks).]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Arve Hjønnevåg and committed by
Greg Kroah-Hartman da49889d df24a2ea

+213 -149
+12
drivers/staging/android/Kconfig
··· 20 20 Android process, using Binder to identify, invoke and pass arguments 21 21 between said processes. 22 22 23 + config ANDROID_BINDER_IPC_32BIT 24 + bool "Use old 32-bit binder api" 25 + depends on !64BIT 26 + ---help--- 27 + The Binder API has been changed to support both 32 and 64bit 28 + applications in a mixed environment. 29 + 30 + Enable this to support an old 32-bit Android user-space (v4.4 and 31 + earlier). 32 + 33 + Note that enabling this will break newer Android user-space. 34 + 23 35 config ASHMEM 24 36 bool "Enable the Anonymous Shared Memory Subsystem" 25 37 default n
+150 -118
drivers/staging/android/binder.c
··· 228 228 int internal_strong_refs; 229 229 int local_weak_refs; 230 230 int local_strong_refs; 231 - void __user *ptr; 232 - void __user *cookie; 231 + binder_uintptr_t ptr; 232 + binder_uintptr_t cookie; 233 233 unsigned has_strong_ref:1; 234 234 unsigned pending_strong_ref:1; 235 235 unsigned has_weak_ref:1; ··· 242 242 243 243 struct binder_ref_death { 244 244 struct binder_work work; 245 - void __user *cookie; 245 + binder_uintptr_t cookie; 246 246 }; 247 247 248 248 struct binder_ref { ··· 515 515 } 516 516 517 517 static struct binder_buffer *binder_buffer_lookup(struct binder_proc *proc, 518 - void __user *user_ptr) 518 + uintptr_t user_ptr) 519 519 { 520 520 struct rb_node *n = proc->allocated_buffers.rb_node; 521 521 struct binder_buffer *buffer; 522 522 struct binder_buffer *kern_ptr; 523 523 524 - kern_ptr = user_ptr - proc->user_buffer_offset 525 - - offsetof(struct binder_buffer, data); 524 + kern_ptr = (struct binder_buffer *)(user_ptr - proc->user_buffer_offset 525 + - offsetof(struct binder_buffer, data)); 526 526 527 527 while (n) { 528 528 buffer = rb_entry(n, struct binder_buffer, rb_node); ··· 856 856 } 857 857 858 858 static struct binder_node *binder_get_node(struct binder_proc *proc, 859 - void __user *ptr) 859 + binder_uintptr_t ptr) 860 860 { 861 861 struct rb_node *n = proc->nodes.rb_node; 862 862 struct binder_node *node; ··· 875 875 } 876 876 877 877 static struct binder_node *binder_new_node(struct binder_proc *proc, 878 - void __user *ptr, 879 - void __user *cookie) 878 + binder_uintptr_t ptr, 879 + binder_uintptr_t cookie) 880 880 { 881 881 struct rb_node **p = &proc->nodes.rb_node; 882 882 struct rb_node *parent = NULL; ··· 908 908 INIT_LIST_HEAD(&node->work.entry); 909 909 INIT_LIST_HEAD(&node->async_todo); 910 910 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 911 - "%d:%d node %d u%p c%p created\n", 911 + "%d:%d node %d u%016llx c%016llx created\n", 912 912 proc->pid, current->pid, node->debug_id, 913 - node->ptr, node->cookie); 913 + (u64)node->ptr, (u64)node->cookie); 914 914 return node; 915 915 } 916 916 ··· 1226 1226 1227 1227 static void binder_transaction_buffer_release(struct binder_proc *proc, 1228 1228 struct binder_buffer *buffer, 1229 - size_t *failed_at) 1229 + binder_size_t *failed_at) 1230 1230 { 1231 - size_t *offp, *off_end; 1231 + binder_size_t *offp, *off_end; 1232 1232 int debug_id = buffer->debug_id; 1233 1233 1234 1234 binder_debug(BINDER_DEBUG_TRANSACTION, ··· 1239 1239 if (buffer->target_node) 1240 1240 binder_dec_node(buffer->target_node, 1, 0); 1241 1241 1242 - offp = (size_t *)(buffer->data + ALIGN(buffer->data_size, sizeof(void *))); 1242 + offp = (binder_size_t *)(buffer->data + 1243 + ALIGN(buffer->data_size, sizeof(void *))); 1243 1244 if (failed_at) 1244 1245 off_end = failed_at; 1245 1246 else ··· 1250 1249 if (*offp > buffer->data_size - sizeof(*fp) || 1251 1250 buffer->data_size < sizeof(*fp) || 1252 1251 !IS_ALIGNED(*offp, sizeof(u32))) { 1253 - pr_err("transaction release %d bad offset %zd, size %zd\n", 1254 - debug_id, *offp, buffer->data_size); 1252 + pr_err("transaction release %d bad offset %lld, size %zd\n", 1253 + debug_id, (u64)*offp, buffer->data_size); 1255 1254 continue; 1256 1255 } 1257 1256 fp = (struct flat_binder_object *)(buffer->data + *offp); ··· 1260 1259 case BINDER_TYPE_WEAK_BINDER: { 1261 1260 struct binder_node *node = binder_get_node(proc, fp->binder); 1262 1261 if (node == NULL) { 1263 - pr_err("transaction release %d bad node %p\n", 1264 - debug_id, fp->binder); 1262 + pr_err("transaction release %d bad node %016llx\n", 1263 + debug_id, (u64)fp->binder); 1265 1264 break; 1266 1265 } 1267 1266 binder_debug(BINDER_DEBUG_TRANSACTION, 1268 - " node %d u%p\n", 1269 - node->debug_id, node->ptr); 1267 + " node %d u%016llx\n", 1268 + node->debug_id, (u64)node->ptr); 1270 1269 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1271 1270 } break; 1272 1271 case BINDER_TYPE_HANDLE: ··· 1304 1303 { 1305 1304 struct binder_transaction *t; 1306 1305 struct binder_work *tcomplete; 1307 - size_t *offp, *off_end; 1306 + binder_size_t *offp, *off_end; 1308 1307 struct binder_proc *target_proc; 1309 1308 struct binder_thread *target_thread = NULL; 1310 1309 struct binder_node *target_node = NULL; ··· 1433 1432 1434 1433 if (reply) 1435 1434 binder_debug(BINDER_DEBUG_TRANSACTION, 1436 - "%d:%d BC_REPLY %d -> %d:%d, data %p-%p size %zd-%zd\n", 1435 + "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld\n", 1437 1436 proc->pid, thread->pid, t->debug_id, 1438 1437 target_proc->pid, target_thread->pid, 1439 - tr->data.ptr.buffer, tr->data.ptr.offsets, 1440 - tr->data_size, tr->offsets_size); 1438 + (u64)tr->data.ptr.buffer, 1439 + (u64)tr->data.ptr.offsets, 1440 + (u64)tr->data_size, (u64)tr->offsets_size); 1441 1441 else 1442 1442 binder_debug(BINDER_DEBUG_TRANSACTION, 1443 - "%d:%d BC_TRANSACTION %d -> %d - node %d, data %p-%p size %zd-%zd\n", 1443 + "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld\n", 1444 1444 proc->pid, thread->pid, t->debug_id, 1445 1445 target_proc->pid, target_node->debug_id, 1446 - tr->data.ptr.buffer, tr->data.ptr.offsets, 1447 - tr->data_size, tr->offsets_size); 1446 + (u64)tr->data.ptr.buffer, 1447 + (u64)tr->data.ptr.offsets, 1448 + (u64)tr->data_size, (u64)tr->offsets_size); 1448 1449 1449 1450 if (!reply && !(tr->flags & TF_ONE_WAY)) 1450 1451 t->from = thread; ··· 1475 1472 if (target_node) 1476 1473 binder_inc_node(target_node, 1, 0, NULL); 1477 1474 1478 - offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); 1475 + offp = (binder_size_t *)(t->buffer->data + 1476 + ALIGN(tr->data_size, sizeof(void *))); 1479 1477 1480 - if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) { 1478 + if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t) 1479 + tr->data.ptr.buffer, tr->data_size)) { 1481 1480 binder_user_error("%d:%d got transaction with invalid data ptr\n", 1482 1481 proc->pid, thread->pid); 1483 1482 return_error = BR_FAILED_REPLY; 1484 1483 goto err_copy_data_failed; 1485 1484 } 1486 - if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) { 1485 + if (copy_from_user(offp, (const void __user *)(uintptr_t) 1486 + tr->data.ptr.offsets, tr->offsets_size)) { 1487 1487 binder_user_error("%d:%d got transaction with invalid offsets ptr\n", 1488 1488 proc->pid, thread->pid); 1489 1489 return_error = BR_FAILED_REPLY; 1490 1490 goto err_copy_data_failed; 1491 1491 } 1492 - if (!IS_ALIGNED(tr->offsets_size, sizeof(size_t))) { 1493 - binder_user_error("%d:%d got transaction with invalid offsets size, %zd\n", 1494 - proc->pid, thread->pid, tr->offsets_size); 1492 + if (!IS_ALIGNED(tr->offsets_size, sizeof(binder_size_t))) { 1493 + binder_user_error("%d:%d got transaction with invalid offsets size, %lld\n", 1494 + proc->pid, thread->pid, (u64)tr->offsets_size); 1495 1495 return_error = BR_FAILED_REPLY; 1496 1496 goto err_bad_offset; 1497 1497 } ··· 1504 1498 if (*offp > t->buffer->data_size - sizeof(*fp) || 1505 1499 t->buffer->data_size < sizeof(*fp) || 1506 1500 !IS_ALIGNED(*offp, sizeof(u32))) { 1507 - binder_user_error("%d:%d got transaction with invalid offset, %zd\n", 1508 - proc->pid, thread->pid, *offp); 1501 + binder_user_error("%d:%d got transaction with invalid offset, %lld\n", 1502 + proc->pid, thread->pid, (u64)*offp); 1509 1503 return_error = BR_FAILED_REPLY; 1510 1504 goto err_bad_offset; 1511 1505 } ··· 1525 1519 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); 1526 1520 } 1527 1521 if (fp->cookie != node->cookie) { 1528 - binder_user_error("%d:%d sending u%p node %d, cookie mismatch %p != %p\n", 1522 + binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n", 1529 1523 proc->pid, thread->pid, 1530 - fp->binder, node->debug_id, 1531 - fp->cookie, node->cookie); 1524 + (u64)fp->binder, node->debug_id, 1525 + (u64)fp->cookie, (u64)node->cookie); 1532 1526 goto err_binder_get_ref_for_node_failed; 1533 1527 } 1534 1528 ref = binder_get_ref_for_node(target_proc, node); ··· 1546 1540 1547 1541 trace_binder_transaction_node_to_ref(t, node, ref); 1548 1542 binder_debug(BINDER_DEBUG_TRANSACTION, 1549 - " node %d u%p -> ref %d desc %d\n", 1550 - node->debug_id, node->ptr, ref->debug_id, 1551 - ref->desc); 1543 + " node %d u%016llx -> ref %d desc %d\n", 1544 + node->debug_id, (u64)node->ptr, 1545 + ref->debug_id, ref->desc); 1552 1546 } break; 1553 1547 case BINDER_TYPE_HANDLE: 1554 1548 case BINDER_TYPE_WEAK_HANDLE: { ··· 1570 1564 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 1571 1565 trace_binder_transaction_ref_to_node(t, ref); 1572 1566 binder_debug(BINDER_DEBUG_TRANSACTION, 1573 - " ref %d desc %d -> node %d u%p\n", 1567 + " ref %d desc %d -> node %d u%016llx\n", 1574 1568 ref->debug_id, ref->desc, ref->node->debug_id, 1575 - ref->node->ptr); 1569 + (u64)ref->node->ptr); 1576 1570 } else { 1577 1571 struct binder_ref *new_ref; 1578 1572 new_ref = binder_get_ref_for_node(target_proc, ref->node); ··· 1688 1682 err_invalid_target_handle: 1689 1683 err_no_context_mgr_node: 1690 1684 binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, 1691 - "%d:%d transaction failed %d, size %zd-%zd\n", 1685 + "%d:%d transaction failed %d, size %lld-%lld\n", 1692 1686 proc->pid, thread->pid, return_error, 1693 - tr->data_size, tr->offsets_size); 1687 + (u64)tr->data_size, (u64)tr->offsets_size); 1694 1688 1695 1689 { 1696 1690 struct binder_transaction_log_entry *fe; ··· 1708 1702 1709 1703 static int binder_thread_write(struct binder_proc *proc, 1710 1704 struct binder_thread *thread, 1711 - void __user *buffer, size_t size, size_t *consumed) 1705 + binder_uintptr_t binder_buffer, size_t size, 1706 + binder_size_t *consumed) 1712 1707 { 1713 1708 uint32_t cmd; 1709 + void __user *buffer = (void __user *)(uintptr_t)binder_buffer; 1714 1710 void __user *ptr = buffer + *consumed; 1715 1711 void __user *end = buffer + size; 1716 1712 ··· 1781 1773 } 1782 1774 case BC_INCREFS_DONE: 1783 1775 case BC_ACQUIRE_DONE: { 1784 - void __user *node_ptr; 1785 - void __user *cookie; 1776 + binder_uintptr_t node_ptr; 1777 + binder_uintptr_t cookie; 1786 1778 struct binder_node *node; 1787 1779 1788 - if (get_user(node_ptr, (void * __user *)ptr)) 1780 + if (get_user(node_ptr, (binder_uintptr_t __user *)ptr)) 1789 1781 return -EFAULT; 1790 - ptr += sizeof(void *); 1791 - if (get_user(cookie, (void * __user *)ptr)) 1782 + ptr += sizeof(binder_uintptr_t); 1783 + if (get_user(cookie, (binder_uintptr_t __user *)ptr)) 1792 1784 return -EFAULT; 1793 - ptr += sizeof(void *); 1785 + ptr += sizeof(binder_uintptr_t); 1794 1786 node = binder_get_node(proc, node_ptr); 1795 1787 if (node == NULL) { 1796 - binder_user_error("%d:%d %s u%p no match\n", 1788 + binder_user_error("%d:%d %s u%016llx no match\n", 1797 1789 proc->pid, thread->pid, 1798 1790 cmd == BC_INCREFS_DONE ? 1799 1791 "BC_INCREFS_DONE" : 1800 1792 "BC_ACQUIRE_DONE", 1801 - node_ptr); 1793 + (u64)node_ptr); 1802 1794 break; 1803 1795 } 1804 1796 if (cookie != node->cookie) { 1805 - binder_user_error("%d:%d %s u%p node %d cookie mismatch %p != %p\n", 1797 + binder_user_error("%d:%d %s u%016llx node %d cookie mismatch %016llx != %016llx\n", 1806 1798 proc->pid, thread->pid, 1807 1799 cmd == BC_INCREFS_DONE ? 1808 1800 "BC_INCREFS_DONE" : "BC_ACQUIRE_DONE", 1809 - node_ptr, node->debug_id, 1810 - cookie, node->cookie); 1801 + (u64)node_ptr, node->debug_id, 1802 + (u64)cookie, (u64)node->cookie); 1811 1803 break; 1812 1804 } 1813 1805 if (cmd == BC_ACQUIRE_DONE) { ··· 1843 1835 return -EINVAL; 1844 1836 1845 1837 case BC_FREE_BUFFER: { 1846 - void __user *data_ptr; 1838 + binder_uintptr_t data_ptr; 1847 1839 struct binder_buffer *buffer; 1848 1840 1849 - if (get_user(data_ptr, (void * __user *)ptr)) 1841 + if (get_user(data_ptr, (binder_uintptr_t __user *)ptr)) 1850 1842 return -EFAULT; 1851 - ptr += sizeof(void *); 1843 + ptr += sizeof(binder_uintptr_t); 1852 1844 1853 1845 buffer = binder_buffer_lookup(proc, data_ptr); 1854 1846 if (buffer == NULL) { 1855 - binder_user_error("%d:%d BC_FREE_BUFFER u%p no match\n", 1856 - proc->pid, thread->pid, data_ptr); 1847 + binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n", 1848 + proc->pid, thread->pid, (u64)data_ptr); 1857 1849 break; 1858 1850 } 1859 1851 if (!buffer->allow_user_free) { 1860 - binder_user_error("%d:%d BC_FREE_BUFFER u%p matched unreturned buffer\n", 1861 - proc->pid, thread->pid, data_ptr); 1852 + binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n", 1853 + proc->pid, thread->pid, (u64)data_ptr); 1862 1854 break; 1863 1855 } 1864 1856 binder_debug(BINDER_DEBUG_FREE_BUFFER, 1865 - "%d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n", 1866 - proc->pid, thread->pid, data_ptr, buffer->debug_id, 1857 + "%d:%d BC_FREE_BUFFER u%016llx found buffer %d for %s transaction\n", 1858 + proc->pid, thread->pid, (u64)data_ptr, 1859 + buffer->debug_id, 1867 1860 buffer->transaction ? "active" : "finished"); 1868 1861 1869 1862 if (buffer->transaction) { ··· 1934 1925 case BC_REQUEST_DEATH_NOTIFICATION: 1935 1926 case BC_CLEAR_DEATH_NOTIFICATION: { 1936 1927 uint32_t target; 1937 - void __user *cookie; 1928 + binder_uintptr_t cookie; 1938 1929 struct binder_ref *ref; 1939 1930 struct binder_ref_death *death; 1940 1931 1941 1932 if (get_user(target, (uint32_t __user *)ptr)) 1942 1933 return -EFAULT; 1943 1934 ptr += sizeof(uint32_t); 1944 - if (get_user(cookie, (void __user * __user *)ptr)) 1935 + if (get_user(cookie, (binder_uintptr_t __user *)ptr)) 1945 1936 return -EFAULT; 1946 - ptr += sizeof(void *); 1937 + ptr += sizeof(binder_uintptr_t); 1947 1938 ref = binder_get_ref(proc, target); 1948 1939 if (ref == NULL) { 1949 1940 binder_user_error("%d:%d %s invalid ref %d\n", ··· 1956 1947 } 1957 1948 1958 1949 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 1959 - "%d:%d %s %p ref %d desc %d s %d w %d for node %d\n", 1950 + "%d:%d %s %016llx ref %d desc %d s %d w %d for node %d\n", 1960 1951 proc->pid, thread->pid, 1961 1952 cmd == BC_REQUEST_DEATH_NOTIFICATION ? 1962 1953 "BC_REQUEST_DEATH_NOTIFICATION" : 1963 1954 "BC_CLEAR_DEATH_NOTIFICATION", 1964 - cookie, ref->debug_id, ref->desc, 1955 + (u64)cookie, ref->debug_id, ref->desc, 1965 1956 ref->strong, ref->weak, ref->node->debug_id); 1966 1957 1967 1958 if (cmd == BC_REQUEST_DEATH_NOTIFICATION) { ··· 1999 1990 } 2000 1991 death = ref->death; 2001 1992 if (death->cookie != cookie) { 2002 - binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %p != %p\n", 1993 + binder_user_error("%d:%d BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch %016llx != %016llx\n", 2003 1994 proc->pid, thread->pid, 2004 - death->cookie, cookie); 1995 + (u64)death->cookie, 1996 + (u64)cookie); 2005 1997 break; 2006 1998 } 2007 1999 ref->death = NULL; ··· 2022 2012 } break; 2023 2013 case BC_DEAD_BINDER_DONE: { 2024 2014 struct binder_work *w; 2025 - void __user *cookie; 2015 + binder_uintptr_t cookie; 2026 2016 struct binder_ref_death *death = NULL; 2027 - if (get_user(cookie, (void __user * __user *)ptr)) 2017 + if (get_user(cookie, (binder_uintptr_t __user *)ptr)) 2028 2018 return -EFAULT; 2029 2019 2030 2020 ptr += sizeof(void *); ··· 2036 2026 } 2037 2027 } 2038 2028 binder_debug(BINDER_DEBUG_DEAD_BINDER, 2039 - "%d:%d BC_DEAD_BINDER_DONE %p found %p\n", 2040 - proc->pid, thread->pid, cookie, death); 2029 + "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n", 2030 + proc->pid, thread->pid, (u64)cookie, 2031 + death); 2041 2032 if (death == NULL) { 2042 - binder_user_error("%d:%d BC_DEAD_BINDER_DONE %p not found\n", 2043 - proc->pid, thread->pid, cookie); 2033 + binder_user_error("%d:%d BC_DEAD_BINDER_DONE %016llx not found\n", 2034 + proc->pid, thread->pid, (u64)cookie); 2044 2035 break; 2045 2036 } 2046 2037 ··· 2093 2082 2094 2083 static int binder_thread_read(struct binder_proc *proc, 2095 2084 struct binder_thread *thread, 2096 - void __user *buffer, size_t size, 2097 - size_t *consumed, int non_block) 2085 + binder_uintptr_t binder_buffer, size_t size, 2086 + binder_size_t *consumed, int non_block) 2098 2087 { 2088 + void __user *buffer = (void __user *)(uintptr_t)binder_buffer; 2099 2089 void __user *ptr = buffer + *consumed; 2100 2090 void __user *end = buffer + size; 2101 2091 ··· 2241 2229 if (put_user(cmd, (uint32_t __user *)ptr)) 2242 2230 return -EFAULT; 2243 2231 ptr += sizeof(uint32_t); 2244 - if (put_user(node->ptr, (void * __user *)ptr)) 2232 + if (put_user(node->ptr, 2233 + (binder_uintptr_t __user *)ptr)) 2245 2234 return -EFAULT; 2246 - ptr += sizeof(void *); 2247 - if (put_user(node->cookie, (void * __user *)ptr)) 2235 + ptr += sizeof(binder_uintptr_t); 2236 + if (put_user(node->cookie, 2237 + (binder_uintptr_t __user *)ptr)) 2248 2238 return -EFAULT; 2249 - ptr += sizeof(void *); 2239 + ptr += sizeof(binder_uintptr_t); 2250 2240 2251 2241 binder_stat_br(proc, thread, cmd); 2252 2242 binder_debug(BINDER_DEBUG_USER_REFS, 2253 - "%d:%d %s %d u%p c%p\n", 2254 - proc->pid, thread->pid, cmd_name, node->debug_id, node->ptr, node->cookie); 2243 + "%d:%d %s %d u%016llx c%016llx\n", 2244 + proc->pid, thread->pid, cmd_name, 2245 + node->debug_id, 2246 + (u64)node->ptr, (u64)node->cookie); 2255 2247 } else { 2256 2248 list_del_init(&w->entry); 2257 2249 if (!weak && !strong) { 2258 2250 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2259 - "%d:%d node %d u%p c%p deleted\n", 2260 - proc->pid, thread->pid, node->debug_id, 2261 - node->ptr, node->cookie); 2251 + "%d:%d node %d u%016llx c%016llx deleted\n", 2252 + proc->pid, thread->pid, 2253 + node->debug_id, 2254 + (u64)node->ptr, 2255 + (u64)node->cookie); 2262 2256 rb_erase(&node->rb_node, &proc->nodes); 2263 2257 kfree(node); 2264 2258 binder_stats_deleted(BINDER_STAT_NODE); 2265 2259 } else { 2266 2260 binder_debug(BINDER_DEBUG_INTERNAL_REFS, 2267 - "%d:%d node %d u%p c%p state unchanged\n", 2268 - proc->pid, thread->pid, node->debug_id, node->ptr, 2269 - node->cookie); 2261 + "%d:%d node %d u%016llx c%016llx state unchanged\n", 2262 + proc->pid, thread->pid, 2263 + node->debug_id, 2264 + (u64)node->ptr, 2265 + (u64)node->cookie); 2270 2266 } 2271 2267 } 2272 2268 } break; ··· 2292 2272 if (put_user(cmd, (uint32_t __user *)ptr)) 2293 2273 return -EFAULT; 2294 2274 ptr += sizeof(uint32_t); 2295 - if (put_user(death->cookie, (void * __user *)ptr)) 2275 + if (put_user(death->cookie, 2276 + (binder_uintptr_t __user *)ptr)) 2296 2277 return -EFAULT; 2297 - ptr += sizeof(void *); 2278 + ptr += sizeof(binder_uintptr_t); 2298 2279 binder_stat_br(proc, thread, cmd); 2299 2280 binder_debug(BINDER_DEBUG_DEATH_NOTIFICATION, 2300 - "%d:%d %s %p\n", 2281 + "%d:%d %s %016llx\n", 2301 2282 proc->pid, thread->pid, 2302 2283 cmd == BR_DEAD_BINDER ? 2303 2284 "BR_DEAD_BINDER" : 2304 2285 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 2305 - death->cookie); 2286 + (u64)death->cookie); 2306 2287 2307 2288 if (w->type == BINDER_WORK_CLEAR_DEATH_NOTIFICATION) { 2308 2289 list_del(&w->entry); ··· 2333 2312 binder_set_nice(target_node->min_priority); 2334 2313 cmd = BR_TRANSACTION; 2335 2314 } else { 2336 - tr.target.ptr = NULL; 2337 - tr.cookie = NULL; 2315 + tr.target.ptr = 0; 2316 + tr.cookie = 0; 2338 2317 cmd = BR_REPLY; 2339 2318 } 2340 2319 tr.code = t->code; ··· 2351 2330 2352 2331 tr.data_size = t->buffer->data_size; 2353 2332 tr.offsets_size = t->buffer->offsets_size; 2354 - tr.data.ptr.buffer = (void *)t->buffer->data + 2355 - proc->user_buffer_offset; 2333 + tr.data.ptr.buffer = (binder_uintptr_t)( 2334 + (uintptr_t)t->buffer->data + 2335 + proc->user_buffer_offset); 2356 2336 tr.data.ptr.offsets = tr.data.ptr.buffer + 2357 2337 ALIGN(t->buffer->data_size, 2358 2338 sizeof(void *)); ··· 2368 2346 trace_binder_transaction_received(t); 2369 2347 binder_stat_br(proc, thread, cmd); 2370 2348 binder_debug(BINDER_DEBUG_TRANSACTION, 2371 - "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %p-%p\n", 2349 + "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n", 2372 2350 proc->pid, thread->pid, 2373 2351 (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : 2374 2352 "BR_REPLY", 2375 2353 t->debug_id, t->from ? t->from->proc->pid : 0, 2376 2354 t->from ? t->from->pid : 0, cmd, 2377 2355 t->buffer->data_size, t->buffer->offsets_size, 2378 - tr.data.ptr.buffer, tr.data.ptr.offsets); 2356 + (u64)tr.data.ptr.buffer, (u64)tr.data.ptr.offsets); 2379 2357 2380 2358 list_del(&t->work.entry); 2381 2359 t->buffer->allow_user_free = 1; ··· 2445 2423 2446 2424 death = container_of(w, struct binder_ref_death, work); 2447 2425 binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, 2448 - "undelivered death notification, %p\n", 2449 - death->cookie); 2426 + "undelivered death notification, %016llx\n", 2427 + (u64)death->cookie); 2450 2428 kfree(death); 2451 2429 binder_stats_deleted(BINDER_STAT_DEATH); 2452 2430 } break; ··· 2602 2580 goto err; 2603 2581 } 2604 2582 binder_debug(BINDER_DEBUG_READ_WRITE, 2605 - "%d:%d write %zd at %016lx, read %zd at %016lx\n", 2606 - proc->pid, thread->pid, bwr.write_size, 2607 - bwr.write_buffer, bwr.read_size, bwr.read_buffer); 2583 + "%d:%d write %lld at %016llx, read %lld at %016llx\n", 2584 + proc->pid, thread->pid, 2585 + (u64)bwr.write_size, (u64)bwr.write_buffer, 2586 + (u64)bwr.read_size, (u64)bwr.read_buffer); 2608 2587 2609 2588 if (bwr.write_size > 0) { 2610 - ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); 2589 + ret = binder_thread_write(proc, thread, 2590 + bwr.write_buffer, 2591 + bwr.write_size, 2592 + &bwr.write_consumed); 2611 2593 trace_binder_write_done(ret); 2612 2594 if (ret < 0) { 2613 2595 bwr.read_consumed = 0; ··· 2621 2595 } 2622 2596 } 2623 2597 if (bwr.read_size > 0) { 2624 - ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); 2598 + ret = binder_thread_read(proc, thread, bwr.read_buffer, 2599 + bwr.read_size, 2600 + &bwr.read_consumed, 2601 + filp->f_flags & O_NONBLOCK); 2625 2602 trace_binder_read_done(ret); 2626 2603 if (!list_empty(&proc->todo)) 2627 2604 wake_up_interruptible(&proc->wait); ··· 2635 2606 } 2636 2607 } 2637 2608 binder_debug(BINDER_DEBUG_READ_WRITE, 2638 - "%d:%d wrote %zd of %zd, read return %zd of %zd\n", 2639 - proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, 2640 - bwr.read_consumed, bwr.read_size); 2609 + "%d:%d wrote %lld of %lld, read return %lld of %lld\n", 2610 + proc->pid, thread->pid, 2611 + (u64)bwr.write_consumed, (u64)bwr.write_size, 2612 + (u64)bwr.read_consumed, (u64)bwr.read_size); 2641 2613 if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { 2642 2614 ret = -EFAULT; 2643 2615 goto err; ··· 2667 2637 } 2668 2638 } else 2669 2639 binder_context_mgr_uid = current->cred->euid; 2670 - binder_context_mgr_node = binder_new_node(proc, NULL, NULL); 2640 + binder_context_mgr_node = binder_new_node(proc, 0, 0); 2671 2641 if (binder_context_mgr_node == NULL) { 2672 2642 ret = -ENOMEM; 2673 2643 goto err; ··· 3162 3132 break; 3163 3133 case BINDER_WORK_NODE: 3164 3134 node = container_of(w, struct binder_node, work); 3165 - seq_printf(m, "%snode work %d: u%p c%p\n", 3166 - prefix, node->debug_id, node->ptr, node->cookie); 3135 + seq_printf(m, "%snode work %d: u%016llx c%016llx\n", 3136 + prefix, node->debug_id, 3137 + (u64)node->ptr, (u64)node->cookie); 3167 3138 break; 3168 3139 case BINDER_WORK_DEAD_BINDER: 3169 3140 seq_printf(m, "%shas dead binder\n", prefix); ··· 3224 3193 hlist_for_each_entry(ref, &node->refs, node_entry) 3225 3194 count++; 3226 3195 3227 - seq_printf(m, " node %d: u%p c%p hs %d hw %d ls %d lw %d is %d iw %d", 3228 - node->debug_id, node->ptr, node->cookie, 3196 + seq_printf(m, " node %d: u%016llx c%016llx hs %d hw %d ls %d lw %d is %d iw %d", 3197 + node->debug_id, (u64)node->ptr, (u64)node->cookie, 3229 3198 node->has_strong_ref, node->has_weak_ref, 3230 3199 node->local_strong_refs, node->local_weak_refs, 3231 3200 node->internal_strong_refs, count); ··· 3527 3496 .owner = THIS_MODULE, 3528 3497 .poll = binder_poll, 3529 3498 .unlocked_ioctl = binder_ioctl, 3499 + .compat_ioctl = binder_ioctl, 3530 3500 .mmap = binder_mmap, 3531 3501 .open = binder_open, 3532 3502 .flush = binder_flush,
+4
drivers/staging/android/binder.h
··· 20 20 #ifndef _LINUX_BINDER_H 21 21 #define _LINUX_BINDER_H 22 22 23 + #ifdef CONFIG_ANDROID_BINDER_IPC_32BIT 24 + #define BINDER_IPC_32BIT 1 25 + #endif 26 + 23 27 #include "uapi/binder.h" 24 28 25 29 #endif /* _LINUX_BINDER_H */
+8 -6
drivers/staging/android/binder_trace.h
··· 152 152 TP_STRUCT__entry( 153 153 __field(int, debug_id) 154 154 __field(int, node_debug_id) 155 - __field(void __user *, node_ptr) 155 + __field(binder_uintptr_t, node_ptr) 156 156 __field(int, ref_debug_id) 157 157 __field(uint32_t, ref_desc) 158 158 ), ··· 163 163 __entry->ref_debug_id = ref->debug_id; 164 164 __entry->ref_desc = ref->desc; 165 165 ), 166 - TP_printk("transaction=%d node=%d src_ptr=0x%p ==> dest_ref=%d dest_desc=%d", 167 - __entry->debug_id, __entry->node_debug_id, __entry->node_ptr, 166 + TP_printk("transaction=%d node=%d src_ptr=0x%016llx ==> dest_ref=%d dest_desc=%d", 167 + __entry->debug_id, __entry->node_debug_id, 168 + (u64)__entry->node_ptr, 168 169 __entry->ref_debug_id, __entry->ref_desc) 169 170 ); 170 171 ··· 178 177 __field(int, ref_debug_id) 179 178 __field(uint32_t, ref_desc) 180 179 __field(int, node_debug_id) 181 - __field(void __user *, node_ptr) 180 + __field(binder_uintptr_t, node_ptr) 182 181 ), 183 182 TP_fast_assign( 184 183 __entry->debug_id = t->debug_id; ··· 187 186 __entry->node_debug_id = ref->node->debug_id; 188 187 __entry->node_ptr = ref->node->ptr; 189 188 ), 190 - TP_printk("transaction=%d node=%d src_ref=%d src_desc=%d ==> dest_ptr=0x%p", 189 + TP_printk("transaction=%d node=%d src_ref=%d src_desc=%d ==> dest_ptr=0x%016llx", 191 190 __entry->debug_id, __entry->node_debug_id, 192 - __entry->ref_debug_id, __entry->ref_desc, __entry->node_ptr) 191 + __entry->ref_debug_id, __entry->ref_desc, 192 + (u64)__entry->node_ptr) 193 193 ); 194 194 195 195 TRACE_EVENT(binder_transaction_ref_to_ref,
+39 -25
drivers/staging/android/uapi/binder.h
··· 39 39 FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100, 40 40 }; 41 41 42 + #ifdef BINDER_IPC_32BIT 43 + typedef __u32 binder_size_t; 44 + typedef __u32 binder_uintptr_t; 45 + #else 46 + typedef __u64 binder_size_t; 47 + typedef __u64 binder_uintptr_t; 48 + #endif 49 + 42 50 /* 43 51 * This is the flattened representation of a Binder object for transfer 44 52 * between processes. The 'offsets' supplied as part of a binder transaction ··· 61 53 62 54 /* 8 bytes of data. */ 63 55 union { 64 - void __user *binder; /* local object */ 65 - __u32 handle; /* remote object */ 56 + binder_uintptr_t binder; /* local object */ 57 + __u32 handle; /* remote object */ 66 58 }; 67 59 68 60 /* extra data associated with local object */ 69 - void __user *cookie; 61 + binder_uintptr_t cookie; 70 62 }; 71 63 72 64 /* ··· 75 67 */ 76 68 77 69 struct binder_write_read { 78 - size_t write_size; /* bytes to write */ 79 - size_t write_consumed; /* bytes consumed by driver */ 80 - unsigned long write_buffer; 81 - size_t read_size; /* bytes to read */ 82 - size_t read_consumed; /* bytes consumed by driver */ 83 - unsigned long read_buffer; 70 + binder_size_t write_size; /* bytes to write */ 71 + binder_size_t write_consumed; /* bytes consumed by driver */ 72 + binder_uintptr_t write_buffer; 73 + binder_size_t read_size; /* bytes to read */ 74 + binder_size_t read_consumed; /* bytes consumed by driver */ 75 + binder_uintptr_t read_buffer; 84 76 }; 85 77 86 78 /* Use with BINDER_VERSION, driver fills in fields. */ ··· 90 82 }; 91 83 92 84 /* This is the current protocol version. */ 85 + #ifdef BINDER_IPC_32BIT 93 86 #define BINDER_CURRENT_PROTOCOL_VERSION 7 87 + #else 88 + #define BINDER_CURRENT_PROTOCOL_VERSION 8 89 + #endif 94 90 95 91 #define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read) 96 92 #define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, __s64) ··· 131 119 * identifying the target and contents of the transaction. 132 120 */ 133 121 union { 134 - __u32 handle; /* target descriptor of command transaction */ 135 - void *ptr; /* target descriptor of return transaction */ 122 + /* target descriptor of command transaction */ 123 + __u32 handle; 124 + /* target descriptor of return transaction */ 125 + binder_uintptr_t ptr; 136 126 } target; 137 - void *cookie; /* target object cookie */ 127 + binder_uintptr_t cookie; /* target object cookie */ 138 128 __u32 code; /* transaction command */ 139 129 140 130 /* General information about the transaction. */ 141 131 __u32 flags; 142 132 pid_t sender_pid; 143 133 uid_t sender_euid; 144 - size_t data_size; /* number of bytes of data */ 145 - size_t offsets_size; /* number of bytes of offsets */ 134 + binder_size_t data_size; /* number of bytes of data */ 135 + binder_size_t offsets_size; /* number of bytes of offsets */ 146 136 147 137 /* If this transaction is inline, the data immediately 148 138 * follows here; otherwise, it ends with a pointer to ··· 153 139 union { 154 140 struct { 155 141 /* transaction data */ 156 - const void __user *buffer; 142 + binder_uintptr_t buffer; 157 143 /* offsets from buffer to flat_binder_object structs */ 158 - const void __user *offsets; 144 + binder_uintptr_t offsets; 159 145 } ptr; 160 146 __u8 buf[8]; 161 147 } data; 162 148 }; 163 149 164 150 struct binder_ptr_cookie { 165 - void *ptr; 166 - void *cookie; 151 + binder_uintptr_t ptr; 152 + binder_uintptr_t cookie; 167 153 }; 168 154 169 155 struct binder_handle_cookie { 170 156 __u32 handle; 171 - void *cookie; 157 + binder_uintptr_t cookie; 172 158 } __attribute__((packed)); 173 159 174 160 struct binder_pri_desc { ··· 178 164 179 165 struct binder_pri_ptr_cookie { 180 166 __s32 priority; 181 - void *ptr; 182 - void *cookie; 167 + binder_uintptr_t ptr; 168 + binder_uintptr_t cookie; 183 169 }; 184 170 185 171 enum binder_driver_return_protocol { ··· 254 240 * stop threadpool thread 255 241 */ 256 242 257 - BR_DEAD_BINDER = _IOR('r', 15, void *), 243 + BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t), 258 244 /* 259 245 * void *: cookie 260 246 */ 261 - BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, void *), 247 + BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t), 262 248 /* 263 249 * void *: cookie 264 250 */ ··· 284 270 * Else you have acquired a primary reference on the object. 285 271 */ 286 272 287 - BC_FREE_BUFFER = _IOW('c', 3, void *), 273 + BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t), 288 274 /* 289 275 * void *: ptr to transaction data received on a read 290 276 */ ··· 341 327 * void *: cookie 342 328 */ 343 329 344 - BC_DEAD_BINDER_DONE = _IOW('c', 16, void *), 330 + BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t), 345 331 /* 346 332 * void *: cookie 347 333 */