aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/android/binder.c
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/android/binder.c')
-rw-r--r--drivers/android/binder.c1001
1 files changed, 777 insertions, 224 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 3c71b982bf2a..9451b762fa1c 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -50,14 +50,13 @@ static DEFINE_MUTEX(binder_main_lock);
50static DEFINE_MUTEX(binder_deferred_lock); 50static DEFINE_MUTEX(binder_deferred_lock);
51static DEFINE_MUTEX(binder_mmap_lock); 51static DEFINE_MUTEX(binder_mmap_lock);
52 52
53static HLIST_HEAD(binder_devices);
53static HLIST_HEAD(binder_procs); 54static HLIST_HEAD(binder_procs);
54static HLIST_HEAD(binder_deferred_list); 55static HLIST_HEAD(binder_deferred_list);
55static HLIST_HEAD(binder_dead_nodes); 56static HLIST_HEAD(binder_dead_nodes);
56 57
57static struct dentry *binder_debugfs_dir_entry_root; 58static struct dentry *binder_debugfs_dir_entry_root;
58static struct dentry *binder_debugfs_dir_entry_proc; 59static struct dentry *binder_debugfs_dir_entry_proc;
59static struct binder_node *binder_context_mgr_node;
60static kuid_t binder_context_mgr_uid = INVALID_UID;
61static int binder_last_id; 60static int binder_last_id;
62 61
63#define BINDER_DEBUG_ENTRY(name) \ 62#define BINDER_DEBUG_ENTRY(name) \
@@ -115,6 +114,9 @@ module_param_named(debug_mask, binder_debug_mask, uint, S_IWUSR | S_IRUGO);
115static bool binder_debug_no_lock; 114static bool binder_debug_no_lock;
116module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO); 115module_param_named(proc_no_lock, binder_debug_no_lock, bool, S_IWUSR | S_IRUGO);
117 116
117static char *binder_devices_param = CONFIG_ANDROID_BINDER_DEVICES;
118module_param_named(devices, binder_devices_param, charp, 0444);
119
118static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait); 120static DECLARE_WAIT_QUEUE_HEAD(binder_user_error_wait);
119static int binder_stop_on_user_error; 121static int binder_stop_on_user_error;
120 122
@@ -145,6 +147,17 @@ module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
145 binder_stop_on_user_error = 2; \ 147 binder_stop_on_user_error = 2; \
146 } while (0) 148 } while (0)
147 149
150#define to_flat_binder_object(hdr) \
151 container_of(hdr, struct flat_binder_object, hdr)
152
153#define to_binder_fd_object(hdr) container_of(hdr, struct binder_fd_object, hdr)
154
155#define to_binder_buffer_object(hdr) \
156 container_of(hdr, struct binder_buffer_object, hdr)
157
158#define to_binder_fd_array_object(hdr) \
159 container_of(hdr, struct binder_fd_array_object, hdr)
160
148enum binder_stat_types { 161enum binder_stat_types {
149 BINDER_STAT_PROC, 162 BINDER_STAT_PROC,
150 BINDER_STAT_THREAD, 163 BINDER_STAT_THREAD,
@@ -158,7 +171,7 @@ enum binder_stat_types {
158 171
159struct binder_stats { 172struct binder_stats {
160 int br[_IOC_NR(BR_FAILED_REPLY) + 1]; 173 int br[_IOC_NR(BR_FAILED_REPLY) + 1];
161 int bc[_IOC_NR(BC_DEAD_BINDER_DONE) + 1]; 174 int bc[_IOC_NR(BC_REPLY_SG) + 1];
162 int obj_created[BINDER_STAT_COUNT]; 175 int obj_created[BINDER_STAT_COUNT];
163 int obj_deleted[BINDER_STAT_COUNT]; 176 int obj_deleted[BINDER_STAT_COUNT];
164}; 177};
@@ -186,6 +199,7 @@ struct binder_transaction_log_entry {
186 int to_node; 199 int to_node;
187 int data_size; 200 int data_size;
188 int offsets_size; 201 int offsets_size;
202 const char *context_name;
189}; 203};
190struct binder_transaction_log { 204struct binder_transaction_log {
191 int next; 205 int next;
@@ -210,6 +224,18 @@ static struct binder_transaction_log_entry *binder_transaction_log_add(
210 return e; 224 return e;
211} 225}
212 226
227struct binder_context {
228 struct binder_node *binder_context_mgr_node;
229 kuid_t binder_context_mgr_uid;
230 const char *name;
231};
232
233struct binder_device {
234 struct hlist_node hlist;
235 struct miscdevice miscdev;
236 struct binder_context context;
237};
238
213struct binder_work { 239struct binder_work {
214 struct list_head entry; 240 struct list_head entry;
215 enum { 241 enum {
@@ -282,6 +308,7 @@ struct binder_buffer {
282 struct binder_node *target_node; 308 struct binder_node *target_node;
283 size_t data_size; 309 size_t data_size;
284 size_t offsets_size; 310 size_t offsets_size;
311 size_t extra_buffers_size;
285 uint8_t data[0]; 312 uint8_t data[0];
286}; 313};
287 314
@@ -325,6 +352,7 @@ struct binder_proc {
325 int ready_threads; 352 int ready_threads;
326 long default_priority; 353 long default_priority;
327 struct dentry *debugfs_entry; 354 struct dentry *debugfs_entry;
355 struct binder_context *context;
328}; 356};
329 357
330enum { 358enum {
@@ -648,7 +676,9 @@ err_no_vma:
648 676
649static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc, 677static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc,
650 size_t data_size, 678 size_t data_size,
651 size_t offsets_size, int is_async) 679 size_t offsets_size,
680 size_t extra_buffers_size,
681 int is_async)
652{ 682{
653 struct rb_node *n = proc->free_buffers.rb_node; 683 struct rb_node *n = proc->free_buffers.rb_node;
654 struct binder_buffer *buffer; 684 struct binder_buffer *buffer;
@@ -656,7 +686,7 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc,
656 struct rb_node *best_fit = NULL; 686 struct rb_node *best_fit = NULL;
657 void *has_page_addr; 687 void *has_page_addr;
658 void *end_page_addr; 688 void *end_page_addr;
659 size_t size; 689 size_t size, data_offsets_size;
660 690
661 if (proc->vma == NULL) { 691 if (proc->vma == NULL) {
662 pr_err("%d: binder_alloc_buf, no vma\n", 692 pr_err("%d: binder_alloc_buf, no vma\n",
@@ -664,15 +694,20 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc,
664 return NULL; 694 return NULL;
665 } 695 }
666 696
667 size = ALIGN(data_size, sizeof(void *)) + 697 data_offsets_size = ALIGN(data_size, sizeof(void *)) +
668 ALIGN(offsets_size, sizeof(void *)); 698 ALIGN(offsets_size, sizeof(void *));
669 699
670 if (size < data_size || size < offsets_size) { 700 if (data_offsets_size < data_size || data_offsets_size < offsets_size) {
671 binder_user_error("%d: got transaction with invalid size %zd-%zd\n", 701 binder_user_error("%d: got transaction with invalid size %zd-%zd\n",
672 proc->pid, data_size, offsets_size); 702 proc->pid, data_size, offsets_size);
673 return NULL; 703 return NULL;
674 } 704 }
675 705 size = data_offsets_size + ALIGN(extra_buffers_size, sizeof(void *));
706 if (size < data_offsets_size || size < extra_buffers_size) {
707 binder_user_error("%d: got transaction with invalid extra_buffers_size %zd\n",
708 proc->pid, extra_buffers_size);
709 return NULL;
710 }
676 if (is_async && 711 if (is_async &&
677 proc->free_async_space < size + sizeof(struct binder_buffer)) { 712 proc->free_async_space < size + sizeof(struct binder_buffer)) {
678 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 713 binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
@@ -741,6 +776,7 @@ static struct binder_buffer *binder_alloc_buf(struct binder_proc *proc,
741 proc->pid, size, buffer); 776 proc->pid, size, buffer);
742 buffer->data_size = data_size; 777 buffer->data_size = data_size;
743 buffer->offsets_size = offsets_size; 778 buffer->offsets_size = offsets_size;
779 buffer->extra_buffers_size = extra_buffers_size;
744 buffer->async_transaction = is_async; 780 buffer->async_transaction = is_async;
745 if (is_async) { 781 if (is_async) {
746 proc->free_async_space -= size + sizeof(struct binder_buffer); 782 proc->free_async_space -= size + sizeof(struct binder_buffer);
@@ -815,7 +851,8 @@ static void binder_free_buf(struct binder_proc *proc,
815 buffer_size = binder_buffer_size(proc, buffer); 851 buffer_size = binder_buffer_size(proc, buffer);
816 852
817 size = ALIGN(buffer->data_size, sizeof(void *)) + 853 size = ALIGN(buffer->data_size, sizeof(void *)) +
818 ALIGN(buffer->offsets_size, sizeof(void *)); 854 ALIGN(buffer->offsets_size, sizeof(void *)) +
855 ALIGN(buffer->extra_buffers_size, sizeof(void *));
819 856
820 binder_debug(BINDER_DEBUG_BUFFER_ALLOC, 857 binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
821 "%d: binder_free_buf %p size %zd buffer_size %zd\n", 858 "%d: binder_free_buf %p size %zd buffer_size %zd\n",
@@ -929,8 +966,9 @@ static int binder_inc_node(struct binder_node *node, int strong, int internal,
929 if (internal) { 966 if (internal) {
930 if (target_list == NULL && 967 if (target_list == NULL &&
931 node->internal_strong_refs == 0 && 968 node->internal_strong_refs == 0 &&
932 !(node == binder_context_mgr_node && 969 !(node->proc &&
933 node->has_strong_ref)) { 970 node == node->proc->context->binder_context_mgr_node &&
971 node->has_strong_ref)) {
934 pr_err("invalid inc strong node for %d\n", 972 pr_err("invalid inc strong node for %d\n",
935 node->debug_id); 973 node->debug_id);
936 return -EINVAL; 974 return -EINVAL;
@@ -1031,6 +1069,7 @@ static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc,
1031 struct rb_node **p = &proc->refs_by_node.rb_node; 1069 struct rb_node **p = &proc->refs_by_node.rb_node;
1032 struct rb_node *parent = NULL; 1070 struct rb_node *parent = NULL;
1033 struct binder_ref *ref, *new_ref; 1071 struct binder_ref *ref, *new_ref;
1072 struct binder_context *context = proc->context;
1034 1073
1035 while (*p) { 1074 while (*p) {
1036 parent = *p; 1075 parent = *p;
@@ -1053,7 +1092,7 @@ static struct binder_ref *binder_get_ref_for_node(struct binder_proc *proc,
1053 rb_link_node(&new_ref->rb_node_node, parent, p); 1092 rb_link_node(&new_ref->rb_node_node, parent, p);
1054 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node); 1093 rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
1055 1094
1056 new_ref->desc = (node == binder_context_mgr_node) ? 0 : 1; 1095 new_ref->desc = (node == context->binder_context_mgr_node) ? 0 : 1;
1057 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) { 1096 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
1058 ref = rb_entry(n, struct binder_ref, rb_node_desc); 1097 ref = rb_entry(n, struct binder_ref, rb_node_desc);
1059 if (ref->desc > new_ref->desc) 1098 if (ref->desc > new_ref->desc)
@@ -1240,11 +1279,158 @@ static void binder_send_failed_reply(struct binder_transaction *t,
1240 } 1279 }
1241} 1280}
1242 1281
1282/**
1283 * binder_validate_object() - checks for a valid metadata object in a buffer.
1284 * @buffer: binder_buffer that we're parsing.
1285 * @offset: offset in the buffer at which to validate an object.
1286 *
1287 * Return: If there's a valid metadata object at @offset in @buffer, the
1288 * size of that object. Otherwise, it returns zero.
1289 */
1290static size_t binder_validate_object(struct binder_buffer *buffer, u64 offset)
1291{
1292 /* Check if we can read a header first */
1293 struct binder_object_header *hdr;
1294 size_t object_size = 0;
1295
1296 if (offset > buffer->data_size - sizeof(*hdr) ||
1297 buffer->data_size < sizeof(*hdr) ||
1298 !IS_ALIGNED(offset, sizeof(u32)))
1299 return 0;
1300
1301 /* Ok, now see if we can read a complete object. */
1302 hdr = (struct binder_object_header *)(buffer->data + offset);
1303 switch (hdr->type) {
1304 case BINDER_TYPE_BINDER:
1305 case BINDER_TYPE_WEAK_BINDER:
1306 case BINDER_TYPE_HANDLE:
1307 case BINDER_TYPE_WEAK_HANDLE:
1308 object_size = sizeof(struct flat_binder_object);
1309 break;
1310 case BINDER_TYPE_FD:
1311 object_size = sizeof(struct binder_fd_object);
1312 break;
1313 case BINDER_TYPE_PTR:
1314 object_size = sizeof(struct binder_buffer_object);
1315 break;
1316 case BINDER_TYPE_FDA:
1317 object_size = sizeof(struct binder_fd_array_object);
1318 break;
1319 default:
1320 return 0;
1321 }
1322 if (offset <= buffer->data_size - object_size &&
1323 buffer->data_size >= object_size)
1324 return object_size;
1325 else
1326 return 0;
1327}
1328
1329/**
1330 * binder_validate_ptr() - validates binder_buffer_object in a binder_buffer.
1331 * @b: binder_buffer containing the object
1332 * @index: index in offset array at which the binder_buffer_object is
1333 * located
1334 * @start: points to the start of the offset array
1335 * @num_valid: the number of valid offsets in the offset array
1336 *
1337 * Return: If @index is within the valid range of the offset array
1338 * described by @start and @num_valid, and if there's a valid
1339 * binder_buffer_object at the offset found in index @index
1340 * of the offset array, that object is returned. Otherwise,
1341 * %NULL is returned.
1342 * Note that the offset found in index @index itself is not
1343 * verified; this function assumes that @num_valid elements
1344 * from @start were previously verified to have valid offsets.
1345 */
1346static struct binder_buffer_object *binder_validate_ptr(struct binder_buffer *b,
1347 binder_size_t index,
1348 binder_size_t *start,
1349 binder_size_t num_valid)
1350{
1351 struct binder_buffer_object *buffer_obj;
1352 binder_size_t *offp;
1353
1354 if (index >= num_valid)
1355 return NULL;
1356
1357 offp = start + index;
1358 buffer_obj = (struct binder_buffer_object *)(b->data + *offp);
1359 if (buffer_obj->hdr.type != BINDER_TYPE_PTR)
1360 return NULL;
1361
1362 return buffer_obj;
1363}
1364
1365/**
1366 * binder_validate_fixup() - validates pointer/fd fixups happen in order.
1367 * @b: transaction buffer
1368 * @objects_start start of objects buffer
1369 * @buffer: binder_buffer_object in which to fix up
1370 * @offset: start offset in @buffer to fix up
1371 * @last_obj: last binder_buffer_object that we fixed up in
1372 * @last_min_offset: minimum fixup offset in @last_obj
1373 *
1374 * Return: %true if a fixup in buffer @buffer at offset @offset is
1375 * allowed.
1376 *
1377 * For safety reasons, we only allow fixups inside a buffer to happen
1378 * at increasing offsets; additionally, we only allow fixup on the last
1379 * buffer object that was verified, or one of its parents.
1380 *
1381 * Example of what is allowed:
1382 *
1383 * A
1384 * B (parent = A, offset = 0)
1385 * C (parent = A, offset = 16)
1386 * D (parent = C, offset = 0)
1387 * E (parent = A, offset = 32) // min_offset is 16 (C.parent_offset)
1388 *
1389 * Examples of what is not allowed:
1390 *
1391 * Decreasing offsets within the same parent:
1392 * A
1393 * C (parent = A, offset = 16)
1394 * B (parent = A, offset = 0) // decreasing offset within A
1395 *
1396 * Referring to a parent that wasn't the last object or any of its parents:
1397 * A
1398 * B (parent = A, offset = 0)
1399 * C (parent = A, offset = 0)
1400 * C (parent = A, offset = 16)
1401 * D (parent = B, offset = 0) // B is not A or any of A's parents
1402 */
1403static bool binder_validate_fixup(struct binder_buffer *b,
1404 binder_size_t *objects_start,
1405 struct binder_buffer_object *buffer,
1406 binder_size_t fixup_offset,
1407 struct binder_buffer_object *last_obj,
1408 binder_size_t last_min_offset)
1409{
1410 if (!last_obj) {
1411 /* Nothing to fix up in */
1412 return false;
1413 }
1414
1415 while (last_obj != buffer) {
1416 /*
1417 * Safe to retrieve the parent of last_obj, since it
1418 * was already previously verified by the driver.
1419 */
1420 if ((last_obj->flags & BINDER_BUFFER_FLAG_HAS_PARENT) == 0)
1421 return false;
1422 last_min_offset = last_obj->parent_offset + sizeof(uintptr_t);
1423 last_obj = (struct binder_buffer_object *)
1424 (b->data + *(objects_start + last_obj->parent));
1425 }
1426 return (fixup_offset >= last_min_offset);
1427}
1428
1243static void binder_transaction_buffer_release(struct binder_proc *proc, 1429static void binder_transaction_buffer_release(struct binder_proc *proc,
1244 struct binder_buffer *buffer, 1430 struct binder_buffer *buffer,
1245 binder_size_t *failed_at) 1431 binder_size_t *failed_at)
1246{ 1432{
1247 binder_size_t *offp, *off_end; 1433 binder_size_t *offp, *off_start, *off_end;
1248 int debug_id = buffer->debug_id; 1434 int debug_id = buffer->debug_id;
1249 1435
1250 binder_debug(BINDER_DEBUG_TRANSACTION, 1436 binder_debug(BINDER_DEBUG_TRANSACTION,
@@ -1255,28 +1441,30 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
1255 if (buffer->target_node) 1441 if (buffer->target_node)
1256 binder_dec_node(buffer->target_node, 1, 0); 1442 binder_dec_node(buffer->target_node, 1, 0);
1257 1443
1258 offp = (binder_size_t *)(buffer->data + 1444 off_start = (binder_size_t *)(buffer->data +
1259 ALIGN(buffer->data_size, sizeof(void *))); 1445 ALIGN(buffer->data_size, sizeof(void *)));
1260 if (failed_at) 1446 if (failed_at)
1261 off_end = failed_at; 1447 off_end = failed_at;
1262 else 1448 else
1263 off_end = (void *)offp + buffer->offsets_size; 1449 off_end = (void *)off_start + buffer->offsets_size;
1264 for (; offp < off_end; offp++) { 1450 for (offp = off_start; offp < off_end; offp++) {
1265 struct flat_binder_object *fp; 1451 struct binder_object_header *hdr;
1452 size_t object_size = binder_validate_object(buffer, *offp);
1266 1453
1267 if (*offp > buffer->data_size - sizeof(*fp) || 1454 if (object_size == 0) {
1268 buffer->data_size < sizeof(*fp) || 1455 pr_err("transaction release %d bad object at offset %lld, size %zd\n",
1269 !IS_ALIGNED(*offp, sizeof(u32))) {
1270 pr_err("transaction release %d bad offset %lld, size %zd\n",
1271 debug_id, (u64)*offp, buffer->data_size); 1456 debug_id, (u64)*offp, buffer->data_size);
1272 continue; 1457 continue;
1273 } 1458 }
1274 fp = (struct flat_binder_object *)(buffer->data + *offp); 1459 hdr = (struct binder_object_header *)(buffer->data + *offp);
1275 switch (fp->type) { 1460 switch (hdr->type) {
1276 case BINDER_TYPE_BINDER: 1461 case BINDER_TYPE_BINDER:
1277 case BINDER_TYPE_WEAK_BINDER: { 1462 case BINDER_TYPE_WEAK_BINDER: {
1278 struct binder_node *node = binder_get_node(proc, fp->binder); 1463 struct flat_binder_object *fp;
1464 struct binder_node *node;
1279 1465
1466 fp = to_flat_binder_object(hdr);
1467 node = binder_get_node(proc, fp->binder);
1280 if (node == NULL) { 1468 if (node == NULL) {
1281 pr_err("transaction release %d bad node %016llx\n", 1469 pr_err("transaction release %d bad node %016llx\n",
1282 debug_id, (u64)fp->binder); 1470 debug_id, (u64)fp->binder);
@@ -1285,15 +1473,17 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
1285 binder_debug(BINDER_DEBUG_TRANSACTION, 1473 binder_debug(BINDER_DEBUG_TRANSACTION,
1286 " node %d u%016llx\n", 1474 " node %d u%016llx\n",
1287 node->debug_id, (u64)node->ptr); 1475 node->debug_id, (u64)node->ptr);
1288 binder_dec_node(node, fp->type == BINDER_TYPE_BINDER, 0); 1476 binder_dec_node(node, hdr->type == BINDER_TYPE_BINDER,
1477 0);
1289 } break; 1478 } break;
1290 case BINDER_TYPE_HANDLE: 1479 case BINDER_TYPE_HANDLE:
1291 case BINDER_TYPE_WEAK_HANDLE: { 1480 case BINDER_TYPE_WEAK_HANDLE: {
1481 struct flat_binder_object *fp;
1292 struct binder_ref *ref; 1482 struct binder_ref *ref;
1293 1483
1484 fp = to_flat_binder_object(hdr);
1294 ref = binder_get_ref(proc, fp->handle, 1485 ref = binder_get_ref(proc, fp->handle,
1295 fp->type == BINDER_TYPE_HANDLE); 1486 hdr->type == BINDER_TYPE_HANDLE);
1296
1297 if (ref == NULL) { 1487 if (ref == NULL) {
1298 pr_err("transaction release %d bad handle %d\n", 1488 pr_err("transaction release %d bad handle %d\n",
1299 debug_id, fp->handle); 1489 debug_id, fp->handle);
@@ -1302,32 +1492,348 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
1302 binder_debug(BINDER_DEBUG_TRANSACTION, 1492 binder_debug(BINDER_DEBUG_TRANSACTION,
1303 " ref %d desc %d (node %d)\n", 1493 " ref %d desc %d (node %d)\n",
1304 ref->debug_id, ref->desc, ref->node->debug_id); 1494 ref->debug_id, ref->desc, ref->node->debug_id);
1305 binder_dec_ref(ref, fp->type == BINDER_TYPE_HANDLE); 1495 binder_dec_ref(ref, hdr->type == BINDER_TYPE_HANDLE);
1306 } break; 1496 } break;
1307 1497
1308 case BINDER_TYPE_FD: 1498 case BINDER_TYPE_FD: {
1499 struct binder_fd_object *fp = to_binder_fd_object(hdr);
1500
1309 binder_debug(BINDER_DEBUG_TRANSACTION, 1501 binder_debug(BINDER_DEBUG_TRANSACTION,
1310 " fd %d\n", fp->handle); 1502 " fd %d\n", fp->fd);
1311 if (failed_at) 1503 if (failed_at)
1312 task_close_fd(proc, fp->handle); 1504 task_close_fd(proc, fp->fd);
1505 } break;
1506 case BINDER_TYPE_PTR:
1507 /*
1508 * Nothing to do here, this will get cleaned up when the
1509 * transaction buffer gets freed
1510 */
1313 break; 1511 break;
1314 1512 case BINDER_TYPE_FDA: {
1513 struct binder_fd_array_object *fda;
1514 struct binder_buffer_object *parent;
1515 uintptr_t parent_buffer;
1516 u32 *fd_array;
1517 size_t fd_index;
1518 binder_size_t fd_buf_size;
1519
1520 fda = to_binder_fd_array_object(hdr);
1521 parent = binder_validate_ptr(buffer, fda->parent,
1522 off_start,
1523 offp - off_start);
1524 if (!parent) {
1525 pr_err("transaction release %d bad parent offset",
1526 debug_id);
1527 continue;
1528 }
1529 /*
1530 * Since the parent was already fixed up, convert it
1531 * back to kernel address space to access it
1532 */
1533 parent_buffer = parent->buffer -
1534 proc->user_buffer_offset;
1535
1536 fd_buf_size = sizeof(u32) * fda->num_fds;
1537 if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
1538 pr_err("transaction release %d invalid number of fds (%lld)\n",
1539 debug_id, (u64)fda->num_fds);
1540 continue;
1541 }
1542 if (fd_buf_size > parent->length ||
1543 fda->parent_offset > parent->length - fd_buf_size) {
1544 /* No space for all file descriptors here. */
1545 pr_err("transaction release %d not enough space for %lld fds in buffer\n",
1546 debug_id, (u64)fda->num_fds);
1547 continue;
1548 }
1549 fd_array = (u32 *)(parent_buffer + fda->parent_offset);
1550 for (fd_index = 0; fd_index < fda->num_fds; fd_index++)
1551 task_close_fd(proc, fd_array[fd_index]);
1552 } break;
1315 default: 1553 default:
1316 pr_err("transaction release %d bad object type %x\n", 1554 pr_err("transaction release %d bad object type %x\n",
1317 debug_id, fp->type); 1555 debug_id, hdr->type);
1318 break; 1556 break;
1319 } 1557 }
1320 } 1558 }
1321} 1559}
1322 1560
1561static int binder_translate_binder(struct flat_binder_object *fp,
1562 struct binder_transaction *t,
1563 struct binder_thread *thread)
1564{
1565 struct binder_node *node;
1566 struct binder_ref *ref;
1567 struct binder_proc *proc = thread->proc;
1568 struct binder_proc *target_proc = t->to_proc;
1569
1570 node = binder_get_node(proc, fp->binder);
1571 if (!node) {
1572 node = binder_new_node(proc, fp->binder, fp->cookie);
1573 if (!node)
1574 return -ENOMEM;
1575
1576 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
1577 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
1578 }
1579 if (fp->cookie != node->cookie) {
1580 binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
1581 proc->pid, thread->pid, (u64)fp->binder,
1582 node->debug_id, (u64)fp->cookie,
1583 (u64)node->cookie);
1584 return -EINVAL;
1585 }
1586 if (security_binder_transfer_binder(proc->tsk, target_proc->tsk))
1587 return -EPERM;
1588
1589 ref = binder_get_ref_for_node(target_proc, node);
1590 if (!ref)
1591 return -EINVAL;
1592
1593 if (fp->hdr.type == BINDER_TYPE_BINDER)
1594 fp->hdr.type = BINDER_TYPE_HANDLE;
1595 else
1596 fp->hdr.type = BINDER_TYPE_WEAK_HANDLE;
1597 fp->binder = 0;
1598 fp->handle = ref->desc;
1599 fp->cookie = 0;
1600 binder_inc_ref(ref, fp->hdr.type == BINDER_TYPE_HANDLE, &thread->todo);
1601
1602 trace_binder_transaction_node_to_ref(t, node, ref);
1603 binder_debug(BINDER_DEBUG_TRANSACTION,
1604 " node %d u%016llx -> ref %d desc %d\n",
1605 node->debug_id, (u64)node->ptr,
1606 ref->debug_id, ref->desc);
1607
1608 return 0;
1609}
1610
1611static int binder_translate_handle(struct flat_binder_object *fp,
1612 struct binder_transaction *t,
1613 struct binder_thread *thread)
1614{
1615 struct binder_ref *ref;
1616 struct binder_proc *proc = thread->proc;
1617 struct binder_proc *target_proc = t->to_proc;
1618
1619 ref = binder_get_ref(proc, fp->handle,
1620 fp->hdr.type == BINDER_TYPE_HANDLE);
1621 if (!ref) {
1622 binder_user_error("%d:%d got transaction with invalid handle, %d\n",
1623 proc->pid, thread->pid, fp->handle);
1624 return -EINVAL;
1625 }
1626 if (security_binder_transfer_binder(proc->tsk, target_proc->tsk))
1627 return -EPERM;
1628
1629 if (ref->node->proc == target_proc) {
1630 if (fp->hdr.type == BINDER_TYPE_HANDLE)
1631 fp->hdr.type = BINDER_TYPE_BINDER;
1632 else
1633 fp->hdr.type = BINDER_TYPE_WEAK_BINDER;
1634 fp->binder = ref->node->ptr;
1635 fp->cookie = ref->node->cookie;
1636 binder_inc_node(ref->node, fp->hdr.type == BINDER_TYPE_BINDER,
1637 0, NULL);
1638 trace_binder_transaction_ref_to_node(t, ref);
1639 binder_debug(BINDER_DEBUG_TRANSACTION,
1640 " ref %d desc %d -> node %d u%016llx\n",
1641 ref->debug_id, ref->desc, ref->node->debug_id,
1642 (u64)ref->node->ptr);
1643 } else {
1644 struct binder_ref *new_ref;
1645
1646 new_ref = binder_get_ref_for_node(target_proc, ref->node);
1647 if (!new_ref)
1648 return -EINVAL;
1649
1650 fp->binder = 0;
1651 fp->handle = new_ref->desc;
1652 fp->cookie = 0;
1653 binder_inc_ref(new_ref, fp->hdr.type == BINDER_TYPE_HANDLE,
1654 NULL);
1655 trace_binder_transaction_ref_to_ref(t, ref, new_ref);
1656 binder_debug(BINDER_DEBUG_TRANSACTION,
1657 " ref %d desc %d -> ref %d desc %d (node %d)\n",
1658 ref->debug_id, ref->desc, new_ref->debug_id,
1659 new_ref->desc, ref->node->debug_id);
1660 }
1661 return 0;
1662}
1663
1664static int binder_translate_fd(int fd,
1665 struct binder_transaction *t,
1666 struct binder_thread *thread,
1667 struct binder_transaction *in_reply_to)
1668{
1669 struct binder_proc *proc = thread->proc;
1670 struct binder_proc *target_proc = t->to_proc;
1671 int target_fd;
1672 struct file *file;
1673 int ret;
1674 bool target_allows_fd;
1675
1676 if (in_reply_to)
1677 target_allows_fd = !!(in_reply_to->flags & TF_ACCEPT_FDS);
1678 else
1679 target_allows_fd = t->buffer->target_node->accept_fds;
1680 if (!target_allows_fd) {
1681 binder_user_error("%d:%d got %s with fd, %d, but target does not allow fds\n",
1682 proc->pid, thread->pid,
1683 in_reply_to ? "reply" : "transaction",
1684 fd);
1685 ret = -EPERM;
1686 goto err_fd_not_accepted;
1687 }
1688
1689 file = fget(fd);
1690 if (!file) {
1691 binder_user_error("%d:%d got transaction with invalid fd, %d\n",
1692 proc->pid, thread->pid, fd);
1693 ret = -EBADF;
1694 goto err_fget;
1695 }
1696 ret = security_binder_transfer_file(proc->tsk, target_proc->tsk, file);
1697 if (ret < 0) {
1698 ret = -EPERM;
1699 goto err_security;
1700 }
1701
1702 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC);
1703 if (target_fd < 0) {
1704 ret = -ENOMEM;
1705 goto err_get_unused_fd;
1706 }
1707 task_fd_install(target_proc, target_fd, file);
1708 trace_binder_transaction_fd(t, fd, target_fd);
1709 binder_debug(BINDER_DEBUG_TRANSACTION, " fd %d -> %d\n",
1710 fd, target_fd);
1711
1712 return target_fd;
1713
1714err_get_unused_fd:
1715err_security:
1716 fput(file);
1717err_fget:
1718err_fd_not_accepted:
1719 return ret;
1720}
1721
1722static int binder_translate_fd_array(struct binder_fd_array_object *fda,
1723 struct binder_buffer_object *parent,
1724 struct binder_transaction *t,
1725 struct binder_thread *thread,
1726 struct binder_transaction *in_reply_to)
1727{
1728 binder_size_t fdi, fd_buf_size, num_installed_fds;
1729 int target_fd;
1730 uintptr_t parent_buffer;
1731 u32 *fd_array;
1732 struct binder_proc *proc = thread->proc;
1733 struct binder_proc *target_proc = t->to_proc;
1734
1735 fd_buf_size = sizeof(u32) * fda->num_fds;
1736 if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
1737 binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
1738 proc->pid, thread->pid, (u64)fda->num_fds);
1739 return -EINVAL;
1740 }
1741 if (fd_buf_size > parent->length ||
1742 fda->parent_offset > parent->length - fd_buf_size) {
1743 /* No space for all file descriptors here. */
1744 binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
1745 proc->pid, thread->pid, (u64)fda->num_fds);
1746 return -EINVAL;
1747 }
1748 /*
1749 * Since the parent was already fixed up, convert it
1750 * back to the kernel address space to access it
1751 */
1752 parent_buffer = parent->buffer - target_proc->user_buffer_offset;
1753 fd_array = (u32 *)(parent_buffer + fda->parent_offset);
1754 if (!IS_ALIGNED((unsigned long)fd_array, sizeof(u32))) {
1755 binder_user_error("%d:%d parent offset not aligned correctly.\n",
1756 proc->pid, thread->pid);
1757 return -EINVAL;
1758 }
1759 for (fdi = 0; fdi < fda->num_fds; fdi++) {
1760 target_fd = binder_translate_fd(fd_array[fdi], t, thread,
1761 in_reply_to);
1762 if (target_fd < 0)
1763 goto err_translate_fd_failed;
1764 fd_array[fdi] = target_fd;
1765 }
1766 return 0;
1767
1768err_translate_fd_failed:
1769 /*
1770 * Failed to allocate fd or security error, free fds
1771 * installed so far.
1772 */
1773 num_installed_fds = fdi;
1774 for (fdi = 0; fdi < num_installed_fds; fdi++)
1775 task_close_fd(target_proc, fd_array[fdi]);
1776 return target_fd;
1777}
1778
1779static int binder_fixup_parent(struct binder_transaction *t,
1780 struct binder_thread *thread,
1781 struct binder_buffer_object *bp,
1782 binder_size_t *off_start,
1783 binder_size_t num_valid,
1784 struct binder_buffer_object *last_fixup_obj,
1785 binder_size_t last_fixup_min_off)
1786{
1787 struct binder_buffer_object *parent;
1788 u8 *parent_buffer;
1789 struct binder_buffer *b = t->buffer;
1790 struct binder_proc *proc = thread->proc;
1791 struct binder_proc *target_proc = t->to_proc;
1792
1793 if (!(bp->flags & BINDER_BUFFER_FLAG_HAS_PARENT))
1794 return 0;
1795
1796 parent = binder_validate_ptr(b, bp->parent, off_start, num_valid);
1797 if (!parent) {
1798 binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
1799 proc->pid, thread->pid);
1800 return -EINVAL;
1801 }
1802
1803 if (!binder_validate_fixup(b, off_start,
1804 parent, bp->parent_offset,
1805 last_fixup_obj,
1806 last_fixup_min_off)) {
1807 binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
1808 proc->pid, thread->pid);
1809 return -EINVAL;
1810 }
1811
1812 if (parent->length < sizeof(binder_uintptr_t) ||
1813 bp->parent_offset > parent->length - sizeof(binder_uintptr_t)) {
1814 /* No space for a pointer here! */
1815 binder_user_error("%d:%d got transaction with invalid parent offset\n",
1816 proc->pid, thread->pid);
1817 return -EINVAL;
1818 }
1819 parent_buffer = (u8 *)(parent->buffer -
1820 target_proc->user_buffer_offset);
1821 *(binder_uintptr_t *)(parent_buffer + bp->parent_offset) = bp->buffer;
1822
1823 return 0;
1824}
1825
1323static void binder_transaction(struct binder_proc *proc, 1826static void binder_transaction(struct binder_proc *proc,
1324 struct binder_thread *thread, 1827 struct binder_thread *thread,
1325 struct binder_transaction_data *tr, int reply) 1828 struct binder_transaction_data *tr, int reply,
1829 binder_size_t extra_buffers_size)
1326{ 1830{
1831 int ret;
1327 struct binder_transaction *t; 1832 struct binder_transaction *t;
1328 struct binder_work *tcomplete; 1833 struct binder_work *tcomplete;
1329 binder_size_t *offp, *off_end; 1834 binder_size_t *offp, *off_end, *off_start;
1330 binder_size_t off_min; 1835 binder_size_t off_min;
1836 u8 *sg_bufp, *sg_buf_end;
1331 struct binder_proc *target_proc; 1837 struct binder_proc *target_proc;
1332 struct binder_thread *target_thread = NULL; 1838 struct binder_thread *target_thread = NULL;
1333 struct binder_node *target_node = NULL; 1839 struct binder_node *target_node = NULL;
@@ -1336,6 +1842,9 @@ static void binder_transaction(struct binder_proc *proc,
1336 struct binder_transaction *in_reply_to = NULL; 1842 struct binder_transaction *in_reply_to = NULL;
1337 struct binder_transaction_log_entry *e; 1843 struct binder_transaction_log_entry *e;
1338 uint32_t return_error; 1844 uint32_t return_error;
1845 struct binder_buffer_object *last_fixup_obj = NULL;
1846 binder_size_t last_fixup_min_off = 0;
1847 struct binder_context *context = proc->context;
1339 1848
1340 e = binder_transaction_log_add(&binder_transaction_log); 1849 e = binder_transaction_log_add(&binder_transaction_log);
1341 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY); 1850 e->call_type = reply ? 2 : !!(tr->flags & TF_ONE_WAY);
@@ -1344,6 +1853,7 @@ static void binder_transaction(struct binder_proc *proc,
1344 e->target_handle = tr->target.handle; 1853 e->target_handle = tr->target.handle;
1345 e->data_size = tr->data_size; 1854 e->data_size = tr->data_size;
1346 e->offsets_size = tr->offsets_size; 1855 e->offsets_size = tr->offsets_size;
1856 e->context_name = proc->context->name;
1347 1857
1348 if (reply) { 1858 if (reply) {
1349 in_reply_to = thread->transaction_stack; 1859 in_reply_to = thread->transaction_stack;
@@ -1396,7 +1906,7 @@ static void binder_transaction(struct binder_proc *proc,
1396 } 1906 }
1397 target_node = ref->node; 1907 target_node = ref->node;
1398 } else { 1908 } else {
1399 target_node = binder_context_mgr_node; 1909 target_node = context->binder_context_mgr_node;
1400 if (target_node == NULL) { 1910 if (target_node == NULL) {
1401 return_error = BR_DEAD_REPLY; 1911 return_error = BR_DEAD_REPLY;
1402 goto err_no_context_mgr_node; 1912 goto err_no_context_mgr_node;
@@ -1463,20 +1973,22 @@ static void binder_transaction(struct binder_proc *proc,
1463 1973
1464 if (reply) 1974 if (reply)
1465 binder_debug(BINDER_DEBUG_TRANSACTION, 1975 binder_debug(BINDER_DEBUG_TRANSACTION,
1466 "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld\n", 1976 "%d:%d BC_REPLY %d -> %d:%d, data %016llx-%016llx size %lld-%lld-%lld\n",
1467 proc->pid, thread->pid, t->debug_id, 1977 proc->pid, thread->pid, t->debug_id,
1468 target_proc->pid, target_thread->pid, 1978 target_proc->pid, target_thread->pid,
1469 (u64)tr->data.ptr.buffer, 1979 (u64)tr->data.ptr.buffer,
1470 (u64)tr->data.ptr.offsets, 1980 (u64)tr->data.ptr.offsets,
1471 (u64)tr->data_size, (u64)tr->offsets_size); 1981 (u64)tr->data_size, (u64)tr->offsets_size,
1982 (u64)extra_buffers_size);
1472 else 1983 else
1473 binder_debug(BINDER_DEBUG_TRANSACTION, 1984 binder_debug(BINDER_DEBUG_TRANSACTION,
1474 "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld\n", 1985 "%d:%d BC_TRANSACTION %d -> %d - node %d, data %016llx-%016llx size %lld-%lld-%lld\n",
1475 proc->pid, thread->pid, t->debug_id, 1986 proc->pid, thread->pid, t->debug_id,
1476 target_proc->pid, target_node->debug_id, 1987 target_proc->pid, target_node->debug_id,
1477 (u64)tr->data.ptr.buffer, 1988 (u64)tr->data.ptr.buffer,
1478 (u64)tr->data.ptr.offsets, 1989 (u64)tr->data.ptr.offsets,
1479 (u64)tr->data_size, (u64)tr->offsets_size); 1990 (u64)tr->data_size, (u64)tr->offsets_size,
1991 (u64)extra_buffers_size);
1480 1992
1481 if (!reply && !(tr->flags & TF_ONE_WAY)) 1993 if (!reply && !(tr->flags & TF_ONE_WAY))
1482 t->from = thread; 1994 t->from = thread;
@@ -1492,7 +2004,8 @@ static void binder_transaction(struct binder_proc *proc,
1492 trace_binder_transaction(reply, t, target_node); 2004 trace_binder_transaction(reply, t, target_node);
1493 2005
1494 t->buffer = binder_alloc_buf(target_proc, tr->data_size, 2006 t->buffer = binder_alloc_buf(target_proc, tr->data_size,
1495 tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); 2007 tr->offsets_size, extra_buffers_size,
2008 !reply && (t->flags & TF_ONE_WAY));
1496 if (t->buffer == NULL) { 2009 if (t->buffer == NULL) {
1497 return_error = BR_FAILED_REPLY; 2010 return_error = BR_FAILED_REPLY;
1498 goto err_binder_alloc_buf_failed; 2011 goto err_binder_alloc_buf_failed;
@@ -1505,8 +2018,9 @@ static void binder_transaction(struct binder_proc *proc,
1505 if (target_node) 2018 if (target_node)
1506 binder_inc_node(target_node, 1, 0, NULL); 2019 binder_inc_node(target_node, 1, 0, NULL);
1507 2020
1508 offp = (binder_size_t *)(t->buffer->data + 2021 off_start = (binder_size_t *)(t->buffer->data +
1509 ALIGN(tr->data_size, sizeof(void *))); 2022 ALIGN(tr->data_size, sizeof(void *)));
2023 offp = off_start;
1510 2024
1511 if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t) 2025 if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t)
1512 tr->data.ptr.buffer, tr->data_size)) { 2026 tr->data.ptr.buffer, tr->data_size)) {
@@ -1528,177 +2042,138 @@ static void binder_transaction(struct binder_proc *proc,
1528 return_error = BR_FAILED_REPLY; 2042 return_error = BR_FAILED_REPLY;
1529 goto err_bad_offset; 2043 goto err_bad_offset;
1530 } 2044 }
1531 off_end = (void *)offp + tr->offsets_size; 2045 if (!IS_ALIGNED(extra_buffers_size, sizeof(u64))) {
2046 binder_user_error("%d:%d got transaction with unaligned buffers size, %lld\n",
2047 proc->pid, thread->pid,
2048 (u64)extra_buffers_size);
2049 return_error = BR_FAILED_REPLY;
2050 goto err_bad_offset;
2051 }
2052 off_end = (void *)off_start + tr->offsets_size;
2053 sg_bufp = (u8 *)(PTR_ALIGN(off_end, sizeof(void *)));
2054 sg_buf_end = sg_bufp + extra_buffers_size;
1532 off_min = 0; 2055 off_min = 0;
1533 for (; offp < off_end; offp++) { 2056 for (; offp < off_end; offp++) {
1534 struct flat_binder_object *fp; 2057 struct binder_object_header *hdr;
2058 size_t object_size = binder_validate_object(t->buffer, *offp);
1535 2059
1536 if (*offp > t->buffer->data_size - sizeof(*fp) || 2060 if (object_size == 0 || *offp < off_min) {
1537 *offp < off_min || 2061 binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
1538 t->buffer->data_size < sizeof(*fp) ||
1539 !IS_ALIGNED(*offp, sizeof(u32))) {
1540 binder_user_error("%d:%d got transaction with invalid offset, %lld (min %lld, max %lld)\n",
1541 proc->pid, thread->pid, (u64)*offp, 2062 proc->pid, thread->pid, (u64)*offp,
1542 (u64)off_min, 2063 (u64)off_min,
1543 (u64)(t->buffer->data_size - 2064 (u64)t->buffer->data_size);
1544 sizeof(*fp)));
1545 return_error = BR_FAILED_REPLY; 2065 return_error = BR_FAILED_REPLY;
1546 goto err_bad_offset; 2066 goto err_bad_offset;
1547 } 2067 }
1548 fp = (struct flat_binder_object *)(t->buffer->data + *offp); 2068
1549 off_min = *offp + sizeof(struct flat_binder_object); 2069 hdr = (struct binder_object_header *)(t->buffer->data + *offp);
1550 switch (fp->type) { 2070 off_min = *offp + object_size;
2071 switch (hdr->type) {
1551 case BINDER_TYPE_BINDER: 2072 case BINDER_TYPE_BINDER:
1552 case BINDER_TYPE_WEAK_BINDER: { 2073 case BINDER_TYPE_WEAK_BINDER: {
1553 struct binder_ref *ref; 2074 struct flat_binder_object *fp;
1554 struct binder_node *node = binder_get_node(proc, fp->binder);
1555 2075
1556 if (node == NULL) { 2076 fp = to_flat_binder_object(hdr);
1557 node = binder_new_node(proc, fp->binder, fp->cookie); 2077 ret = binder_translate_binder(fp, t, thread);
1558 if (node == NULL) { 2078 if (ret < 0) {
1559 return_error = BR_FAILED_REPLY;
1560 goto err_binder_new_node_failed;
1561 }
1562 node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
1563 node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
1564 }
1565 if (fp->cookie != node->cookie) {
1566 binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
1567 proc->pid, thread->pid,
1568 (u64)fp->binder, node->debug_id,
1569 (u64)fp->cookie, (u64)node->cookie);
1570 return_error = BR_FAILED_REPLY;
1571 goto err_binder_get_ref_for_node_failed;
1572 }
1573 if (security_binder_transfer_binder(proc->tsk,
1574 target_proc->tsk)) {
1575 return_error = BR_FAILED_REPLY; 2079 return_error = BR_FAILED_REPLY;
1576 goto err_binder_get_ref_for_node_failed; 2080 goto err_translate_failed;
1577 } 2081 }
1578 ref = binder_get_ref_for_node(target_proc, node);
1579 if (ref == NULL) {
1580 return_error = BR_FAILED_REPLY;
1581 goto err_binder_get_ref_for_node_failed;
1582 }
1583 if (fp->type == BINDER_TYPE_BINDER)
1584 fp->type = BINDER_TYPE_HANDLE;
1585 else
1586 fp->type = BINDER_TYPE_WEAK_HANDLE;
1587 fp->binder = 0;
1588 fp->handle = ref->desc;
1589 fp->cookie = 0;
1590 binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
1591 &thread->todo);
1592
1593 trace_binder_transaction_node_to_ref(t, node, ref);
1594 binder_debug(BINDER_DEBUG_TRANSACTION,
1595 " node %d u%016llx -> ref %d desc %d\n",
1596 node->debug_id, (u64)node->ptr,
1597 ref->debug_id, ref->desc);
1598 } break; 2082 } break;
1599 case BINDER_TYPE_HANDLE: 2083 case BINDER_TYPE_HANDLE:
1600 case BINDER_TYPE_WEAK_HANDLE: { 2084 case BINDER_TYPE_WEAK_HANDLE: {
1601 struct binder_ref *ref; 2085 struct flat_binder_object *fp;
1602 2086
1603 ref = binder_get_ref(proc, fp->handle, 2087 fp = to_flat_binder_object(hdr);
1604 fp->type == BINDER_TYPE_HANDLE); 2088 ret = binder_translate_handle(fp, t, thread);
2089 if (ret < 0) {
2090 return_error = BR_FAILED_REPLY;
2091 goto err_translate_failed;
2092 }
2093 } break;
1605 2094
1606 if (ref == NULL) { 2095 case BINDER_TYPE_FD: {
1607 binder_user_error("%d:%d got transaction with invalid handle, %d\n", 2096 struct binder_fd_object *fp = to_binder_fd_object(hdr);
1608 proc->pid, 2097 int target_fd = binder_translate_fd(fp->fd, t, thread,
1609 thread->pid, fp->handle); 2098 in_reply_to);
2099
2100 if (target_fd < 0) {
1610 return_error = BR_FAILED_REPLY; 2101 return_error = BR_FAILED_REPLY;
1611 goto err_binder_get_ref_failed; 2102 goto err_translate_failed;
1612 } 2103 }
1613 if (security_binder_transfer_binder(proc->tsk, 2104 fp->pad_binder = 0;
1614 target_proc->tsk)) { 2105 fp->fd = target_fd;
2106 } break;
2107 case BINDER_TYPE_FDA: {
2108 struct binder_fd_array_object *fda =
2109 to_binder_fd_array_object(hdr);
2110 struct binder_buffer_object *parent =
2111 binder_validate_ptr(t->buffer, fda->parent,
2112 off_start,
2113 offp - off_start);
2114 if (!parent) {
2115 binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
2116 proc->pid, thread->pid);
1615 return_error = BR_FAILED_REPLY; 2117 return_error = BR_FAILED_REPLY;
1616 goto err_binder_get_ref_failed; 2118 goto err_bad_parent;
1617 } 2119 }
1618 if (ref->node->proc == target_proc) { 2120 if (!binder_validate_fixup(t->buffer, off_start,
1619 if (fp->type == BINDER_TYPE_HANDLE) 2121 parent, fda->parent_offset,
1620 fp->type = BINDER_TYPE_BINDER; 2122 last_fixup_obj,
1621 else 2123 last_fixup_min_off)) {
1622 fp->type = BINDER_TYPE_WEAK_BINDER; 2124 binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
1623 fp->binder = ref->node->ptr; 2125 proc->pid, thread->pid);
1624 fp->cookie = ref->node->cookie; 2126 return_error = BR_FAILED_REPLY;
1625 binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL); 2127 goto err_bad_parent;
1626 trace_binder_transaction_ref_to_node(t, ref);
1627 binder_debug(BINDER_DEBUG_TRANSACTION,
1628 " ref %d desc %d -> node %d u%016llx\n",
1629 ref->debug_id, ref->desc, ref->node->debug_id,
1630 (u64)ref->node->ptr);
1631 } else {
1632 struct binder_ref *new_ref;
1633
1634 new_ref = binder_get_ref_for_node(target_proc, ref->node);
1635 if (new_ref == NULL) {
1636 return_error = BR_FAILED_REPLY;
1637 goto err_binder_get_ref_for_node_failed;
1638 }
1639 fp->binder = 0;
1640 fp->handle = new_ref->desc;
1641 fp->cookie = 0;
1642 binder_inc_ref(new_ref, fp->type == BINDER_TYPE_HANDLE, NULL);
1643 trace_binder_transaction_ref_to_ref(t, ref,
1644 new_ref);
1645 binder_debug(BINDER_DEBUG_TRANSACTION,
1646 " ref %d desc %d -> ref %d desc %d (node %d)\n",
1647 ref->debug_id, ref->desc, new_ref->debug_id,
1648 new_ref->desc, ref->node->debug_id);
1649 } 2128 }
1650 } break; 2129 ret = binder_translate_fd_array(fda, parent, t, thread,
1651 2130 in_reply_to);
1652 case BINDER_TYPE_FD: { 2131 if (ret < 0) {
1653 int target_fd;
1654 struct file *file;
1655
1656 if (reply) {
1657 if (!(in_reply_to->flags & TF_ACCEPT_FDS)) {
1658 binder_user_error("%d:%d got reply with fd, %d, but target does not allow fds\n",
1659 proc->pid, thread->pid, fp->handle);
1660 return_error = BR_FAILED_REPLY;
1661 goto err_fd_not_allowed;
1662 }
1663 } else if (!target_node->accept_fds) {
1664 binder_user_error("%d:%d got transaction with fd, %d, but target does not allow fds\n",
1665 proc->pid, thread->pid, fp->handle);
1666 return_error = BR_FAILED_REPLY; 2132 return_error = BR_FAILED_REPLY;
1667 goto err_fd_not_allowed; 2133 goto err_translate_failed;
1668 } 2134 }
1669 2135 last_fixup_obj = parent;
1670 file = fget(fp->handle); 2136 last_fixup_min_off =
1671 if (file == NULL) { 2137 fda->parent_offset + sizeof(u32) * fda->num_fds;
1672 binder_user_error("%d:%d got transaction with invalid fd, %d\n", 2138 } break;
1673 proc->pid, thread->pid, fp->handle); 2139 case BINDER_TYPE_PTR: {
2140 struct binder_buffer_object *bp =
2141 to_binder_buffer_object(hdr);
2142 size_t buf_left = sg_buf_end - sg_bufp;
2143
2144 if (bp->length > buf_left) {
2145 binder_user_error("%d:%d got transaction with too large buffer\n",
2146 proc->pid, thread->pid);
1674 return_error = BR_FAILED_REPLY; 2147 return_error = BR_FAILED_REPLY;
1675 goto err_fget_failed; 2148 goto err_bad_offset;
1676 } 2149 }
1677 if (security_binder_transfer_file(proc->tsk, 2150 if (copy_from_user(sg_bufp,
1678 target_proc->tsk, 2151 (const void __user *)(uintptr_t)
1679 file) < 0) { 2152 bp->buffer, bp->length)) {
1680 fput(file); 2153 binder_user_error("%d:%d got transaction with invalid offsets ptr\n",
2154 proc->pid, thread->pid);
1681 return_error = BR_FAILED_REPLY; 2155 return_error = BR_FAILED_REPLY;
1682 goto err_get_unused_fd_failed; 2156 goto err_copy_data_failed;
1683 } 2157 }
1684 target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); 2158 /* Fixup buffer pointer to target proc address space */
1685 if (target_fd < 0) { 2159 bp->buffer = (uintptr_t)sg_bufp +
1686 fput(file); 2160 target_proc->user_buffer_offset;
2161 sg_bufp += ALIGN(bp->length, sizeof(u64));
2162
2163 ret = binder_fixup_parent(t, thread, bp, off_start,
2164 offp - off_start,
2165 last_fixup_obj,
2166 last_fixup_min_off);
2167 if (ret < 0) {
1687 return_error = BR_FAILED_REPLY; 2168 return_error = BR_FAILED_REPLY;
1688 goto err_get_unused_fd_failed; 2169 goto err_translate_failed;
1689 } 2170 }
1690 task_fd_install(target_proc, target_fd, file); 2171 last_fixup_obj = bp;
1691 trace_binder_transaction_fd(t, fp->handle, target_fd); 2172 last_fixup_min_off = 0;
1692 binder_debug(BINDER_DEBUG_TRANSACTION,
1693 " fd %d -> %d\n", fp->handle, target_fd);
1694 /* TODO: fput? */
1695 fp->binder = 0;
1696 fp->handle = target_fd;
1697 } break; 2173 } break;
1698
1699 default: 2174 default:
1700 binder_user_error("%d:%d got transaction with invalid object type, %x\n", 2175 binder_user_error("%d:%d got transaction with invalid object type, %x\n",
1701 proc->pid, thread->pid, fp->type); 2176 proc->pid, thread->pid, hdr->type);
1702 return_error = BR_FAILED_REPLY; 2177 return_error = BR_FAILED_REPLY;
1703 goto err_bad_object_type; 2178 goto err_bad_object_type;
1704 } 2179 }
@@ -1728,14 +2203,10 @@ static void binder_transaction(struct binder_proc *proc,
1728 wake_up_interruptible(target_wait); 2203 wake_up_interruptible(target_wait);
1729 return; 2204 return;
1730 2205
1731err_get_unused_fd_failed: 2206err_translate_failed:
1732err_fget_failed:
1733err_fd_not_allowed:
1734err_binder_get_ref_for_node_failed:
1735err_binder_get_ref_failed:
1736err_binder_new_node_failed:
1737err_bad_object_type: 2207err_bad_object_type:
1738err_bad_offset: 2208err_bad_offset:
2209err_bad_parent:
1739err_copy_data_failed: 2210err_copy_data_failed:
1740 trace_binder_transaction_failed_buffer_release(t->buffer); 2211 trace_binder_transaction_failed_buffer_release(t->buffer);
1741 binder_transaction_buffer_release(target_proc, t->buffer, offp); 2212 binder_transaction_buffer_release(target_proc, t->buffer, offp);
@@ -1779,6 +2250,7 @@ static int binder_thread_write(struct binder_proc *proc,
1779 binder_size_t *consumed) 2250 binder_size_t *consumed)
1780{ 2251{
1781 uint32_t cmd; 2252 uint32_t cmd;
2253 struct binder_context *context = proc->context;
1782 void __user *buffer = (void __user *)(uintptr_t)binder_buffer; 2254 void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
1783 void __user *ptr = buffer + *consumed; 2255 void __user *ptr = buffer + *consumed;
1784 void __user *end = buffer + size; 2256 void __user *end = buffer + size;
@@ -1805,10 +2277,10 @@ static int binder_thread_write(struct binder_proc *proc,
1805 if (get_user(target, (uint32_t __user *)ptr)) 2277 if (get_user(target, (uint32_t __user *)ptr))
1806 return -EFAULT; 2278 return -EFAULT;
1807 ptr += sizeof(uint32_t); 2279 ptr += sizeof(uint32_t);
1808 if (target == 0 && binder_context_mgr_node && 2280 if (target == 0 && context->binder_context_mgr_node &&
1809 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) { 2281 (cmd == BC_INCREFS || cmd == BC_ACQUIRE)) {
1810 ref = binder_get_ref_for_node(proc, 2282 ref = binder_get_ref_for_node(proc,
1811 binder_context_mgr_node); 2283 context->binder_context_mgr_node);
1812 if (ref->desc != target) { 2284 if (ref->desc != target) {
1813 binder_user_error("%d:%d tried to acquire reference to desc 0, got %d instead\n", 2285 binder_user_error("%d:%d tried to acquire reference to desc 0, got %d instead\n",
1814 proc->pid, thread->pid, 2286 proc->pid, thread->pid,
@@ -1953,6 +2425,17 @@ static int binder_thread_write(struct binder_proc *proc,
1953 break; 2425 break;
1954 } 2426 }
1955 2427
2428 case BC_TRANSACTION_SG:
2429 case BC_REPLY_SG: {
2430 struct binder_transaction_data_sg tr;
2431
2432 if (copy_from_user(&tr, ptr, sizeof(tr)))
2433 return -EFAULT;
2434 ptr += sizeof(tr);
2435 binder_transaction(proc, thread, &tr.transaction_data,
2436 cmd == BC_REPLY_SG, tr.buffers_size);
2437 break;
2438 }
1956 case BC_TRANSACTION: 2439 case BC_TRANSACTION:
1957 case BC_REPLY: { 2440 case BC_REPLY: {
1958 struct binder_transaction_data tr; 2441 struct binder_transaction_data tr;
@@ -1960,7 +2443,8 @@ static int binder_thread_write(struct binder_proc *proc,
1960 if (copy_from_user(&tr, ptr, sizeof(tr))) 2443 if (copy_from_user(&tr, ptr, sizeof(tr)))
1961 return -EFAULT; 2444 return -EFAULT;
1962 ptr += sizeof(tr); 2445 ptr += sizeof(tr);
1963 binder_transaction(proc, thread, &tr, cmd == BC_REPLY); 2446 binder_transaction(proc, thread, &tr,
2447 cmd == BC_REPLY, 0);
1964 break; 2448 break;
1965 } 2449 }
1966 2450
@@ -2714,9 +3198,11 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp)
2714{ 3198{
2715 int ret = 0; 3199 int ret = 0;
2716 struct binder_proc *proc = filp->private_data; 3200 struct binder_proc *proc = filp->private_data;
3201 struct binder_context *context = proc->context;
3202
2717 kuid_t curr_euid = current_euid(); 3203 kuid_t curr_euid = current_euid();
2718 3204
2719 if (binder_context_mgr_node != NULL) { 3205 if (context->binder_context_mgr_node) {
2720 pr_err("BINDER_SET_CONTEXT_MGR already set\n"); 3206 pr_err("BINDER_SET_CONTEXT_MGR already set\n");
2721 ret = -EBUSY; 3207 ret = -EBUSY;
2722 goto out; 3208 goto out;
@@ -2724,27 +3210,27 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp)
2724 ret = security_binder_set_context_mgr(proc->tsk); 3210 ret = security_binder_set_context_mgr(proc->tsk);
2725 if (ret < 0) 3211 if (ret < 0)
2726 goto out; 3212 goto out;
2727 if (uid_valid(binder_context_mgr_uid)) { 3213 if (uid_valid(context->binder_context_mgr_uid)) {
2728 if (!uid_eq(binder_context_mgr_uid, curr_euid)) { 3214 if (!uid_eq(context->binder_context_mgr_uid, curr_euid)) {
2729 pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n", 3215 pr_err("BINDER_SET_CONTEXT_MGR bad uid %d != %d\n",
2730 from_kuid(&init_user_ns, curr_euid), 3216 from_kuid(&init_user_ns, curr_euid),
2731 from_kuid(&init_user_ns, 3217 from_kuid(&init_user_ns,
2732 binder_context_mgr_uid)); 3218 context->binder_context_mgr_uid));
2733 ret = -EPERM; 3219 ret = -EPERM;
2734 goto out; 3220 goto out;
2735 } 3221 }
2736 } else { 3222 } else {
2737 binder_context_mgr_uid = curr_euid; 3223 context->binder_context_mgr_uid = curr_euid;
2738 } 3224 }
2739 binder_context_mgr_node = binder_new_node(proc, 0, 0); 3225 context->binder_context_mgr_node = binder_new_node(proc, 0, 0);
2740 if (binder_context_mgr_node == NULL) { 3226 if (!context->binder_context_mgr_node) {
2741 ret = -ENOMEM; 3227 ret = -ENOMEM;
2742 goto out; 3228 goto out;
2743 } 3229 }
2744 binder_context_mgr_node->local_weak_refs++; 3230 context->binder_context_mgr_node->local_weak_refs++;
2745 binder_context_mgr_node->local_strong_refs++; 3231 context->binder_context_mgr_node->local_strong_refs++;
2746 binder_context_mgr_node->has_strong_ref = 1; 3232 context->binder_context_mgr_node->has_strong_ref = 1;
2747 binder_context_mgr_node->has_weak_ref = 1; 3233 context->binder_context_mgr_node->has_weak_ref = 1;
2748out: 3234out:
2749 return ret; 3235 return ret;
2750} 3236}
@@ -2969,6 +3455,7 @@ err_bad_arg:
2969static int binder_open(struct inode *nodp, struct file *filp) 3455static int binder_open(struct inode *nodp, struct file *filp)
2970{ 3456{
2971 struct binder_proc *proc; 3457 struct binder_proc *proc;
3458 struct binder_device *binder_dev;
2972 3459
2973 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n", 3460 binder_debug(BINDER_DEBUG_OPEN_CLOSE, "binder_open: %d:%d\n",
2974 current->group_leader->pid, current->pid); 3461 current->group_leader->pid, current->pid);
@@ -2982,6 +3469,9 @@ static int binder_open(struct inode *nodp, struct file *filp)
2982 INIT_LIST_HEAD(&proc->todo); 3469 INIT_LIST_HEAD(&proc->todo);
2983 init_waitqueue_head(&proc->wait); 3470 init_waitqueue_head(&proc->wait);
2984 proc->default_priority = task_nice(current); 3471 proc->default_priority = task_nice(current);
3472 binder_dev = container_of(filp->private_data, struct binder_device,
3473 miscdev);
3474 proc->context = &binder_dev->context;
2985 3475
2986 binder_lock(__func__); 3476 binder_lock(__func__);
2987 3477
@@ -2997,8 +3487,17 @@ static int binder_open(struct inode *nodp, struct file *filp)
2997 char strbuf[11]; 3487 char strbuf[11];
2998 3488
2999 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); 3489 snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
3490 /*
3491 * proc debug entries are shared between contexts, so
3492 * this will fail if the process tries to open the driver
3493 * again with a different context. The priting code will
3494 * anyway print all contexts that a given PID has, so this
3495 * is not a problem.
3496 */
3000 proc->debugfs_entry = debugfs_create_file(strbuf, S_IRUGO, 3497 proc->debugfs_entry = debugfs_create_file(strbuf, S_IRUGO,
3001 binder_debugfs_dir_entry_proc, proc, &binder_proc_fops); 3498 binder_debugfs_dir_entry_proc,
3499 (void *)(unsigned long)proc->pid,
3500 &binder_proc_fops);
3002 } 3501 }
3003 3502
3004 return 0; 3503 return 0;
@@ -3091,6 +3590,7 @@ static int binder_node_release(struct binder_node *node, int refs)
3091static void binder_deferred_release(struct binder_proc *proc) 3590static void binder_deferred_release(struct binder_proc *proc)
3092{ 3591{
3093 struct binder_transaction *t; 3592 struct binder_transaction *t;
3593 struct binder_context *context = proc->context;
3094 struct rb_node *n; 3594 struct rb_node *n;
3095 int threads, nodes, incoming_refs, outgoing_refs, buffers, 3595 int threads, nodes, incoming_refs, outgoing_refs, buffers,
3096 active_transactions, page_count; 3596 active_transactions, page_count;
@@ -3100,11 +3600,12 @@ static void binder_deferred_release(struct binder_proc *proc)
3100 3600
3101 hlist_del(&proc->proc_node); 3601 hlist_del(&proc->proc_node);
3102 3602
3103 if (binder_context_mgr_node && binder_context_mgr_node->proc == proc) { 3603 if (context->binder_context_mgr_node &&
3604 context->binder_context_mgr_node->proc == proc) {
3104 binder_debug(BINDER_DEBUG_DEAD_BINDER, 3605 binder_debug(BINDER_DEBUG_DEAD_BINDER,
3105 "%s: %d context_mgr_node gone\n", 3606 "%s: %d context_mgr_node gone\n",
3106 __func__, proc->pid); 3607 __func__, proc->pid);
3107 binder_context_mgr_node = NULL; 3608 context->binder_context_mgr_node = NULL;
3108 } 3609 }
3109 3610
3110 threads = 0; 3611 threads = 0;
@@ -3391,6 +3892,7 @@ static void print_binder_proc(struct seq_file *m,
3391 size_t header_pos; 3892 size_t header_pos;
3392 3893
3393 seq_printf(m, "proc %d\n", proc->pid); 3894 seq_printf(m, "proc %d\n", proc->pid);
3895 seq_printf(m, "context %s\n", proc->context->name);
3394 header_pos = m->count; 3896 header_pos = m->count;
3395 3897
3396 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 3898 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
@@ -3460,7 +3962,9 @@ static const char * const binder_command_strings[] = {
3460 "BC_EXIT_LOOPER", 3962 "BC_EXIT_LOOPER",
3461 "BC_REQUEST_DEATH_NOTIFICATION", 3963 "BC_REQUEST_DEATH_NOTIFICATION",
3462 "BC_CLEAR_DEATH_NOTIFICATION", 3964 "BC_CLEAR_DEATH_NOTIFICATION",
3463 "BC_DEAD_BINDER_DONE" 3965 "BC_DEAD_BINDER_DONE",
3966 "BC_TRANSACTION_SG",
3967 "BC_REPLY_SG",
3464}; 3968};
3465 3969
3466static const char * const binder_objstat_strings[] = { 3970static const char * const binder_objstat_strings[] = {
@@ -3515,6 +4019,7 @@ static void print_binder_proc_stats(struct seq_file *m,
3515 int count, strong, weak; 4019 int count, strong, weak;
3516 4020
3517 seq_printf(m, "proc %d\n", proc->pid); 4021 seq_printf(m, "proc %d\n", proc->pid);
4022 seq_printf(m, "context %s\n", proc->context->name);
3518 count = 0; 4023 count = 0;
3519 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n)) 4024 for (n = rb_first(&proc->threads); n != NULL; n = rb_next(n))
3520 count++; 4025 count++;
@@ -3622,23 +4127,18 @@ static int binder_transactions_show(struct seq_file *m, void *unused)
3622static int binder_proc_show(struct seq_file *m, void *unused) 4127static int binder_proc_show(struct seq_file *m, void *unused)
3623{ 4128{
3624 struct binder_proc *itr; 4129 struct binder_proc *itr;
3625 struct binder_proc *proc = m->private; 4130 int pid = (unsigned long)m->private;
3626 int do_lock = !binder_debug_no_lock; 4131 int do_lock = !binder_debug_no_lock;
3627 bool valid_proc = false;
3628 4132
3629 if (do_lock) 4133 if (do_lock)
3630 binder_lock(__func__); 4134 binder_lock(__func__);
3631 4135
3632 hlist_for_each_entry(itr, &binder_procs, proc_node) { 4136 hlist_for_each_entry(itr, &binder_procs, proc_node) {
3633 if (itr == proc) { 4137 if (itr->pid == pid) {
3634 valid_proc = true; 4138 seq_puts(m, "binder proc state:\n");
3635 break; 4139 print_binder_proc(m, itr, 1);
3636 } 4140 }
3637 } 4141 }
3638 if (valid_proc) {
3639 seq_puts(m, "binder proc state:\n");
3640 print_binder_proc(m, proc, 1);
3641 }
3642 if (do_lock) 4142 if (do_lock)
3643 binder_unlock(__func__); 4143 binder_unlock(__func__);
3644 return 0; 4144 return 0;
@@ -3648,11 +4148,11 @@ static void print_binder_transaction_log_entry(struct seq_file *m,
3648 struct binder_transaction_log_entry *e) 4148 struct binder_transaction_log_entry *e)
3649{ 4149{
3650 seq_printf(m, 4150 seq_printf(m,
3651 "%d: %s from %d:%d to %d:%d node %d handle %d size %d:%d\n", 4151 "%d: %s from %d:%d to %d:%d context %s node %d handle %d size %d:%d\n",
3652 e->debug_id, (e->call_type == 2) ? "reply" : 4152 e->debug_id, (e->call_type == 2) ? "reply" :
3653 ((e->call_type == 1) ? "async" : "call "), e->from_proc, 4153 ((e->call_type == 1) ? "async" : "call "), e->from_proc,
3654 e->from_thread, e->to_proc, e->to_thread, e->to_node, 4154 e->from_thread, e->to_proc, e->to_thread, e->context_name,
3655 e->target_handle, e->data_size, e->offsets_size); 4155 e->to_node, e->target_handle, e->data_size, e->offsets_size);
3656} 4156}
3657 4157
3658static int binder_transaction_log_show(struct seq_file *m, void *unused) 4158static int binder_transaction_log_show(struct seq_file *m, void *unused)
@@ -3680,26 +4180,50 @@ static const struct file_operations binder_fops = {
3680 .release = binder_release, 4180 .release = binder_release,
3681}; 4181};
3682 4182
3683static struct miscdevice binder_miscdev = {
3684 .minor = MISC_DYNAMIC_MINOR,
3685 .name = "binder",
3686 .fops = &binder_fops
3687};
3688
3689BINDER_DEBUG_ENTRY(state); 4183BINDER_DEBUG_ENTRY(state);
3690BINDER_DEBUG_ENTRY(stats); 4184BINDER_DEBUG_ENTRY(stats);
3691BINDER_DEBUG_ENTRY(transactions); 4185BINDER_DEBUG_ENTRY(transactions);
3692BINDER_DEBUG_ENTRY(transaction_log); 4186BINDER_DEBUG_ENTRY(transaction_log);
3693 4187
4188static int __init init_binder_device(const char *name)
4189{
4190 int ret;
4191 struct binder_device *binder_device;
4192
4193 binder_device = kzalloc(sizeof(*binder_device), GFP_KERNEL);
4194 if (!binder_device)
4195 return -ENOMEM;
4196
4197 binder_device->miscdev.fops = &binder_fops;
4198 binder_device->miscdev.minor = MISC_DYNAMIC_MINOR;
4199 binder_device->miscdev.name = name;
4200
4201 binder_device->context.binder_context_mgr_uid = INVALID_UID;
4202 binder_device->context.name = name;
4203
4204 ret = misc_register(&binder_device->miscdev);
4205 if (ret < 0) {
4206 kfree(binder_device);
4207 return ret;
4208 }
4209
4210 hlist_add_head(&binder_device->hlist, &binder_devices);
4211
4212 return ret;
4213}
4214
3694static int __init binder_init(void) 4215static int __init binder_init(void)
3695{ 4216{
3696 int ret; 4217 int ret;
4218 char *device_name, *device_names;
4219 struct binder_device *device;
4220 struct hlist_node *tmp;
3697 4221
3698 binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL); 4222 binder_debugfs_dir_entry_root = debugfs_create_dir("binder", NULL);
3699 if (binder_debugfs_dir_entry_root) 4223 if (binder_debugfs_dir_entry_root)
3700 binder_debugfs_dir_entry_proc = debugfs_create_dir("proc", 4224 binder_debugfs_dir_entry_proc = debugfs_create_dir("proc",
3701 binder_debugfs_dir_entry_root); 4225 binder_debugfs_dir_entry_root);
3702 ret = misc_register(&binder_miscdev); 4226
3703 if (binder_debugfs_dir_entry_root) { 4227 if (binder_debugfs_dir_entry_root) {
3704 debugfs_create_file("state", 4228 debugfs_create_file("state",
3705 S_IRUGO, 4229 S_IRUGO,
@@ -3727,6 +4251,35 @@ static int __init binder_init(void)
3727 &binder_transaction_log_failed, 4251 &binder_transaction_log_failed,
3728 &binder_transaction_log_fops); 4252 &binder_transaction_log_fops);
3729 } 4253 }
4254
4255 /*
4256 * Copy the module_parameter string, because we don't want to
4257 * tokenize it in-place.
4258 */
4259 device_names = kzalloc(strlen(binder_devices_param) + 1, GFP_KERNEL);
4260 if (!device_names) {
4261 ret = -ENOMEM;
4262 goto err_alloc_device_names_failed;
4263 }
4264 strcpy(device_names, binder_devices_param);
4265
4266 while ((device_name = strsep(&device_names, ","))) {
4267 ret = init_binder_device(device_name);
4268 if (ret)
4269 goto err_init_binder_device_failed;
4270 }
4271
4272 return ret;
4273
4274err_init_binder_device_failed:
4275 hlist_for_each_entry_safe(device, tmp, &binder_devices, hlist) {
4276 misc_deregister(&device->miscdev);
4277 hlist_del(&device->hlist);
4278 kfree(device);
4279 }
4280err_alloc_device_names_failed:
4281 debugfs_remove_recursive(binder_debugfs_dir_entry_root);
4282
3730 return ret; 4283 return ret;
3731} 4284}
3732 4285
generated by cgit v1.2.2 (git 2.25.0) at 2025-05-30 19:54:36 -0400