/* binder_alloc.c
 *
 * Android IPC Subsystem
 *
 * Copyright (C) 2007-2017 Google, Inc.
 *
 * This software is licensed under the terms of the GNU General Public
 * License version 2, as published by the Free Software Foundation, and
 * may be copied, distributed, and modified under those terms.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 */
18#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
19
20#include <linux/list.h>
21#include <linux/sched/mm.h>
22#include <linux/module.h>
23#include <linux/rtmutex.h>
24#include <linux/rbtree.h>
25#include <linux/seq_file.h>
26#include <linux/vmalloc.h>
27#include <linux/slab.h>
28#include <linux/sched.h>
29#include <linux/list_lru.h>
30#include <linux/ratelimit.h>
31#include <asm/cacheflush.h>
32#include <linux/uaccess.h>
33#include <linux/highmem.h>
34#include "binder_alloc.h"
35#include "binder_trace.h"
36
/*
 * Global LRU of binder pages that are mapped but not currently backing a
 * live buffer. Pages are added by binder_update_page_range() when a range
 * is freed, taken back when a buffer reuses them, and reclaimed from here
 * by binder_shrinker under memory pressure.
 */
struct list_lru binder_alloc_lru;

/*
 * Serializes the "already mapped" check and the set/clear of alloc->buffer
 * in binder_alloc_mmap_handler() across all procs.
 */
static DEFINE_MUTEX(binder_alloc_mmap_lock);

/*
 * Bits of binder_alloc_debug_mask; each enables one class of rate-limited
 * pr_info() output through binder_alloc_debug().
 */
enum {
	BINDER_DEBUG_USER_ERROR             = 1U << 0,
	BINDER_DEBUG_OPEN_CLOSE             = 1U << 1,
	BINDER_DEBUG_BUFFER_ALLOC           = 1U << 2,
	BINDER_DEBUG_BUFFER_ALLOC_ASYNC     = 1U << 3,
};
/* Default: only report user errors. Adjustable at runtime via "debug_mask". */
static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;

module_param_named(debug_mask, binder_alloc_debug_mask,
		   uint, 0644);

/*
 * Emit @x with pr_info_ratelimited() when any bit of @mask is set in
 * binder_alloc_debug_mask. Rate limiting keeps repeated failures (which
 * user-space can trigger at will) from flooding the kernel log.
 */
#define binder_alloc_debug(mask, x...) \
	do { \
		if (binder_alloc_debug_mask & mask) \
			pr_info_ratelimited(x); \
	} while (0)

/* Return the list neighbour that follows @buffer in alloc->buffers. */
static struct binder_buffer *binder_buffer_next(struct binder_buffer *buffer)
{
	struct list_head *link = buffer->entry.next;

	return list_entry(link, struct binder_buffer, entry);
}

/* Return the list neighbour that precedes @buffer in alloc->buffers. */
static struct binder_buffer *binder_buffer_prev(struct binder_buffer *buffer)
{
	struct list_head *link = buffer->entry.prev;

	return list_entry(link, struct binder_buffer, entry);
}

/*
 * Size of @buffer: the distance from its user_data to the user_data of the
 * next buffer in alloc->buffers, or to the end of the mapping when @buffer
 * is the last one. Buffer structs carry no explicit size field of their own.
 */
static size_t binder_alloc_buffer_size(struct binder_alloc *alloc,
				       struct binder_buffer *buffer)
{
	if (!list_is_last(&buffer->entry, &alloc->buffers))
		return binder_buffer_next(buffer)->user_data - buffer->user_data;

	return alloc->buffer + alloc->buffer_size - buffer->user_data;
}

/*
 * Insert @new_buffer into alloc->free_buffers, which is ordered by buffer
 * size (equal sizes go to the right). @new_buffer must already be marked
 * free and linked into alloc->buffers, since its size is derived from its
 * list neighbour. Caller holds alloc->mutex.
 */
static void binder_insert_free_buffer(struct binder_alloc *alloc,
				      struct binder_buffer *new_buffer)
{
	struct rb_node **link = &alloc->free_buffers.rb_node;
	struct rb_node *parent = NULL;
	size_t new_size;

	BUG_ON(!new_buffer->free);

	new_size = binder_alloc_buffer_size(alloc, new_buffer);

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: add free buffer, size %zd, at %pK\n",
			   alloc->pid, new_size, new_buffer);

	while (*link) {
		struct binder_buffer *cur;
		size_t cur_size;

		parent = *link;
		cur = rb_entry(parent, struct binder_buffer, rb_node);
		BUG_ON(!cur->free);

		cur_size = binder_alloc_buffer_size(alloc, cur);

		/* strictly smaller goes left; equal sizes keep going right */
		link = new_size < cur_size ? &parent->rb_left : &parent->rb_right;
	}
	rb_link_node(&new_buffer->rb_node, parent, link);
	rb_insert_color(&new_buffer->rb_node, &alloc->free_buffers);
}

/*
 * Insert @new_buffer into alloc->allocated_buffers, which is keyed by the
 * user-space address of the buffer data. Two allocated buffers can never
 * share an address, so a duplicate key is a BUG. Caller holds alloc->mutex.
 */
static void binder_insert_allocated_buffer_locked(
		struct binder_alloc *alloc, struct binder_buffer *new_buffer)
{
	struct rb_node **link = &alloc->allocated_buffers.rb_node;
	struct rb_node *parent = NULL;

	BUG_ON(new_buffer->free);

	while (*link) {
		struct binder_buffer *cur;

		parent = *link;
		cur = rb_entry(parent, struct binder_buffer, rb_node);
		BUG_ON(cur->free);

		if (new_buffer->user_data < cur->user_data)
			link = &parent->rb_left;
		else if (new_buffer->user_data > cur->user_data)
			link = &parent->rb_right;
		else
			BUG();	/* duplicate user address */
	}
	rb_link_node(&new_buffer->rb_node, parent, link);
	rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers);
}

/*
 * Look up the allocated buffer whose user_data equals @user_ptr and, if it
 * is currently user-freeable, clear allow_user_free so that a second free
 * of the same buffer (or a free while the kernel still uses it) is refused.
 * Caller holds alloc->mutex.
 *
 * Return: the buffer, NULL if no allocated buffer starts at @user_ptr, or
 * ERR_PTR(-EPERM) if the buffer exists but is not user-freeable.
 */
static struct binder_buffer *binder_alloc_prepare_to_free_locked(
		struct binder_alloc *alloc,
		uintptr_t user_ptr)
{
	void __user *uptr = (void __user *)user_ptr;
	struct rb_node *node = alloc->allocated_buffers.rb_node;

	while (node) {
		struct binder_buffer *buffer =
			rb_entry(node, struct binder_buffer, rb_node);

		BUG_ON(buffer->free);

		if (uptr < buffer->user_data) {
			node = node->rb_left;
			continue;
		}
		if (uptr > buffer->user_data) {
			node = node->rb_right;
			continue;
		}

		/*
		 * Guard against user threads attempting to free the buffer
		 * when it is in use by the kernel or after it has already
		 * been freed: only one caller ever observes allow_user_free
		 * set, and it clears the flag before returning.
		 */
		if (!buffer->allow_user_free)
			return ERR_PTR(-EPERM);
		buffer->allow_user_free = 0;
		return buffer;
	}
	return NULL;
}

/**
 * binder_alloc_prepare_to_free() - get buffer given user ptr
 * @alloc:	binder_alloc for this proc
 * @user_ptr:	User pointer to buffer data
 *
 * Validate a user-space pointer to buffer data and return the buffer it
 * corresponds to. Searches the allocated-buffer rb tree under alloc->mutex
 * and, on a match, marks the buffer as no longer user-freeable (see
 * binder_alloc_prepare_to_free_locked()).
 *
 * Return: Pointer to buffer, NULL if no buffer starts at @user_ptr, or
 * ERR_PTR(-EPERM) if the buffer may not be freed by user-space right now.
 */
struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc,
						   uintptr_t user_ptr)
{
	struct binder_buffer *found;

	mutex_lock(&alloc->mutex);
	found = binder_alloc_prepare_to_free_locked(alloc, user_ptr);
	mutex_unlock(&alloc->mutex);

	return found;
}

/**
 * binder_update_page_range() - populate or release the pages of a range
 * @alloc:	binder_alloc for this proc
 * @allocate:	non-zero to populate the range, 0 to release it to the LRU
 * @start:	first user address of the range (page aligned by callers)
 * @end:	end of the range, exclusive
 *
 * When populating: pages that already have a page_ptr are only taken off
 * binder_alloc_lru; the rest are freshly allocated with __GFP_ZERO (so no
 * stale kernel data is ever exposed to user-space) and inserted into the
 * process's vma with vm_insert_page(). The owning mm is pinned and its
 * mmap_sem read-locked only when at least one new page is needed.
 *
 * When releasing: every page in the range is put on binder_alloc_lru,
 * walking backwards from end - PAGE_SIZE to @start. The page itself stays
 * allocated until the shrinker (binder_alloc_free_page()) reclaims it.
 *
 * On a failure while populating, the error labels sit inside the release
 * loop so that the pages populated so far in this call are handed back to
 * the LRU before returning.
 *
 * Return: 0 on success (also for an empty range), -ENOMEM when a page
 * could not be allocated or inserted, -ESRCH when no vma is available.
 */
static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
				    void __user *start, void __user *end)
{
	void __user *page_addr;
	unsigned long user_page_addr;
	struct binder_lru_page *page;
	struct vm_area_struct *vma = NULL;
	struct mm_struct *mm = NULL;
	bool need_mm = false;

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: %s pages %pK-%pK\n", alloc->pid,
			   allocate ? "allocate" : "free", start, end);

	if (end <= start)
		return 0;

	trace_binder_update_page_range(alloc, allocate, start, end);

	if (allocate == 0)
		goto free_range;

	/* Only pin the mm if some page in the range is not yet allocated. */
	for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
		page = &alloc->pages[(page_addr - alloc->buffer) / PAGE_SIZE];
		if (!page->page_ptr) {
			need_mm = true;
			break;
		}
	}

	if (need_mm && mmget_not_zero(alloc->vma_vm_mm))
		mm = alloc->vma_vm_mm;

	if (mm) {
		down_read(&mm->mmap_sem);
		if (!mmget_still_valid(mm)) {
			/*
			 * allocate == 0 already branched to free_range
			 * above, so this test is never true here.
			 */
			if (allocate == 0)
				goto free_range;
			goto err_no_vma;
		}
		/* read under mmap_sem rather than via binder_alloc_get_vma() */
		vma = alloc->vma;
	}

	if (!vma && need_mm) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf failed to map pages in userspace, no vma\n",
				   alloc->pid);
		goto err_no_vma;
	}

	for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
		int ret;
		bool on_lru;
		size_t index;

		index = (page_addr - alloc->buffer) / PAGE_SIZE;
		page = &alloc->pages[index];

		if (page->page_ptr) {
			/* Already mapped: just reclaim it from the LRU. */
			trace_binder_alloc_lru_start(alloc, index);

			on_lru = list_lru_del(&binder_alloc_lru, &page->lru);
			WARN_ON(!on_lru);

			trace_binder_alloc_lru_end(alloc, index);
			continue;
		}

		/* Unreachable when !need_mm; otherwise vma was checked above. */
		if (WARN_ON(!vma))
			goto err_page_ptr_cleared;

		trace_binder_alloc_page_start(alloc, index);
		page->page_ptr = alloc_page(GFP_KERNEL |
					    __GFP_HIGHMEM |
					    __GFP_ZERO);
		if (!page->page_ptr) {
			pr_err("%d: binder_alloc_buf failed for page at %pK\n",
				alloc->pid, page_addr);
			goto err_alloc_page_failed;
		}
		page->alloc = alloc;
		INIT_LIST_HEAD(&page->lru);

		user_page_addr = (uintptr_t)page_addr;
		ret = vm_insert_page(vma, user_page_addr, page[0].page_ptr);
		if (ret) {
			pr_err("%d: binder_alloc_buf failed to map page at %lx in userspace\n",
			       alloc->pid, user_page_addr);
			goto err_vm_insert_page_failed;
		}

		/* high-water mark reported by binder_alloc_print_pages() */
		if (index + 1 > alloc->pages_high)
			alloc->pages_high = index + 1;

		trace_binder_alloc_page_end(alloc, index);
		/* vm_insert_page does not seem to increment the refcount */
	}
	if (mm) {
		up_read(&mm->mmap_sem);
		mmput(mm);
	}
	return 0;

free_range:
	/*
	 * Walk backwards so that, when entered through the error labels
	 * below, the loop continues from the failing page down to @start.
	 */
	for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) {
		bool ret;
		size_t index;

		index = (page_addr - alloc->buffer) / PAGE_SIZE;
		page = &alloc->pages[index];

		trace_binder_free_lru_start(alloc, index);

		ret = list_lru_add(&binder_alloc_lru, &page->lru);
		WARN_ON(!ret);

		trace_binder_free_lru_end(alloc, index);
		if (page_addr == start)
			break;
		continue;

err_vm_insert_page_failed:
		__free_page(page->page_ptr);
		page->page_ptr = NULL;
err_alloc_page_failed:
err_page_ptr_cleared:
		/* nothing to put on the LRU for the failing page itself */
		if (page_addr == start)
			break;
	}
err_no_vma:
	if (mm) {
		up_read(&mm->mmap_sem);
		mmput(mm);
	}
	return vma ? -ENOMEM : -ESRCH;
}


/*
 * Publish (or clear, when @vma is NULL) the vma backing this alloc.
 * alloc->vma_vm_mm is only written for a non-NULL @vma, so it survives
 * binder_alloc_vma_close() and is still available to
 * binder_alloc_deferred_release() for the final mmdrop().
 */
static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
		struct vm_area_struct *vma)
{
	if (vma)
		alloc->vma_vm_mm = vma->vm_mm;
	/*
	 * If we see alloc->vma is not NULL, buffer data structures set up
	 * completely. Look at smp_rmb side binder_alloc_get_vma.
	 * We also want to guarantee new alloc->vma_vm_mm is always visible
	 * if alloc->vma is set.
	 */
	smp_wmb();
	alloc->vma = vma;
}

/*
 * Read alloc->vma with the read barrier that pairs with the smp_wmb() in
 * binder_alloc_set_vma(): a non-NULL result guarantees the allocator state
 * published before the vma was set is visible too.
 *
 * Return: the vma, or NULL if none is set.
 */
static inline struct vm_area_struct *binder_alloc_get_vma(
				struct binder_alloc *alloc)
{
	if (!alloc->vma)
		return NULL;

	/* Look at description in binder_alloc_set_vma */
	smp_rmb();
	return alloc->vma;
}

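/**
 * binder_alloc_new_buf_locked() - carve a buffer out of the free tree
 * @alloc:	binder_alloc for this proc
 * @data_size:	size of user data buffer
 * @offsets_size:	user specified buffer offset
 * @extra_buffers_size:	size of extra space for meta-data
 * @is_async:	buffer for async transaction
 *
 * Caller must hold alloc->mutex.
 *
 * The request size is the sum of the three sizes, each rounded up to a
 * pointer-sized boundary; every addition is checked for size_t wrap-around.
 * 0-sized requests are padded to sizeof(void *) so that each buffer gets a
 * unique address. The padded size is what is charged to
 * alloc->free_async_space for async transactions, so the "no async space"
 * check is made on the padded size as well: testing the unpadded size
 * would let a 0-sized async request through when exactly
 * sizeof(struct binder_buffer) remains, and the subtraction below would
 * then wrap free_async_space (an unsigned quantity, printed with %zd).
 *
 * Best-fit search: walk the size-ordered free tree, remembering the
 * smallest free buffer that is at least @size and stopping early on an
 * exact match. A larger buffer is split and the remainder re-inserted as
 * a new free buffer. Only the pages lying fully inside the new buffer are
 * populated via binder_update_page_range(); a page shared with the
 * neighbouring buffer is left to whoever already owns it.
 *
 * Return: the allocated buffer, or an ERR_PTR():
 *   -ESRCH  no vma is set (see binder_alloc_vma_close()),
 *   -EINVAL a size computation wrapped around,
 *   -ENOSPC no async space left, or no free buffer large enough,
 *   -ENOMEM the buffer struct for the split remainder could not be
 *           allocated (the populated pages are released again),
 *   or the error returned by binder_update_page_range().
 */
static struct binder_buffer *binder_alloc_new_buf_locked(
				struct binder_alloc *alloc,
				size_t data_size,
				size_t offsets_size,
				size_t extra_buffers_size,
				int is_async)
{
	struct rb_node *n = alloc->free_buffers.rb_node;
	struct binder_buffer *buffer;
	size_t buffer_size;
	struct rb_node *best_fit = NULL;
	void __user *has_page_addr;
	void __user *end_page_addr;
	size_t size, data_offsets_size;
	int ret;

	if (!binder_alloc_get_vma(alloc)) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf, no vma\n",
				   alloc->pid);
		return ERR_PTR(-ESRCH);
	}

	data_offsets_size = ALIGN(data_size, sizeof(void *)) +
		ALIGN(offsets_size, sizeof(void *));

	/* user-controlled sizes: reject anything that wrapped around */
	if (data_offsets_size < data_size || data_offsets_size < offsets_size) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				"%d: got transaction with invalid size %zd-%zd\n",
				alloc->pid, data_size, offsets_size);
		return ERR_PTR(-EINVAL);
	}
	size = data_offsets_size + ALIGN(extra_buffers_size, sizeof(void *));
	if (size < data_offsets_size || size < extra_buffers_size) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: got transaction with invalid extra_buffers_size %zd\n",
				   alloc->pid, extra_buffers_size);
		return ERR_PTR(-EINVAL);
	}

	/*
	 * Pad 0-size buffers so they get assigned unique addresses. This
	 * must happen before the async-space check so that the amount
	 * checked equals the amount charged to free_async_space below.
	 */
	size = max(size, sizeof(void *));

	if (is_async &&
	    alloc->free_async_space < size + sizeof(struct binder_buffer)) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			     "%d: binder_alloc_buf size %zd failed, no async space left\n",
			      alloc->pid, size);
		return ERR_PTR(-ENOSPC);
	}

	/* best-fit: smallest free buffer with buffer_size >= size */
	while (n) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		BUG_ON(!buffer->free);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		if (size < buffer_size) {
			best_fit = n;
			n = n->rb_left;
		} else if (size > buffer_size)
			n = n->rb_right;
		else {
			best_fit = n;
			break;
		}
	}
	if (best_fit == NULL) {
		size_t allocated_buffers = 0;
		size_t largest_alloc_size = 0;
		size_t total_alloc_size = 0;
		size_t free_buffers = 0;
		size_t largest_free_size = 0;
		size_t total_free_size = 0;

		/* Diagnostics only: summarize both trees for the log. */
		for (n = rb_first(&alloc->allocated_buffers); n != NULL;
		     n = rb_next(n)) {
			buffer = rb_entry(n, struct binder_buffer, rb_node);
			buffer_size = binder_alloc_buffer_size(alloc, buffer);
			allocated_buffers++;
			total_alloc_size += buffer_size;
			if (buffer_size > largest_alloc_size)
				largest_alloc_size = buffer_size;
		}
		for (n = rb_first(&alloc->free_buffers); n != NULL;
		     n = rb_next(n)) {
			buffer = rb_entry(n, struct binder_buffer, rb_node);
			buffer_size = binder_alloc_buffer_size(alloc, buffer);
			free_buffers++;
			total_free_size += buffer_size;
			if (buffer_size > largest_free_size)
				largest_free_size = buffer_size;
		}
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf size %zd failed, no address space\n",
				   alloc->pid, size);
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "allocated: %zd (num: %zd largest: %zd), free: %zd (num: %zd largest: %zd)\n",
				   total_alloc_size, allocated_buffers,
				   largest_alloc_size, total_free_size,
				   free_buffers, largest_free_size);
		return ERR_PTR(-ENOSPC);
	}
	/* n != NULL only when the loop broke on an exact size match */
	if (n == NULL) {
		buffer = rb_entry(best_fit, struct binder_buffer, rb_node);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);
	}

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
		     "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n",
		      alloc->pid, size, buffer, buffer_size);

	/*
	 * Populate [PAGE_ALIGN(user_data), end_page_addr): the pages that
	 * lie entirely within the new buffer. has_page_addr caps the range
	 * so a page shared with the following buffer is not touched.
	 */
	has_page_addr = (void __user *)
		(((uintptr_t)buffer->user_data + buffer_size) & PAGE_MASK);
	WARN_ON(n && buffer_size != size);
	end_page_addr =
		(void __user *)PAGE_ALIGN((uintptr_t)buffer->user_data + size);
	if (end_page_addr > has_page_addr)
		end_page_addr = has_page_addr;
	ret = binder_update_page_range(alloc, 1, (void __user *)
		PAGE_ALIGN((uintptr_t)buffer->user_data), end_page_addr);
	if (ret)
		return ERR_PTR(ret);

	if (buffer_size != size) {
		struct binder_buffer *new_buffer;

		/* split: the tail becomes a new free buffer after this one */
		new_buffer = kzalloc(sizeof(*buffer), GFP_KERNEL);
		if (!new_buffer) {
			pr_err("%s: %d failed to alloc new buffer struct\n",
			       __func__, alloc->pid);
			goto err_alloc_buf_struct_failed;
		}
		new_buffer->user_data = (u8 __user *)buffer->user_data + size;
		list_add(&new_buffer->entry, &buffer->entry);
		new_buffer->free = 1;
		binder_insert_free_buffer(alloc, new_buffer);
	}

	rb_erase(best_fit, &alloc->free_buffers);
	buffer->free = 0;
	/* user-space may not free this buffer until the kernel says so */
	buffer->allow_user_free = 0;
	binder_insert_allocated_buffer_locked(alloc, buffer);
	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
		     "%d: binder_alloc_buf size %zd got %pK\n",
		      alloc->pid, size, buffer);
	buffer->data_size = data_size;
	buffer->offsets_size = offsets_size;
	buffer->async_transaction = is_async;
	buffer->extra_buffers_size = extra_buffers_size;
	if (is_async) {
		alloc->free_async_space -= size + sizeof(struct binder_buffer);
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
			     "%d: binder_alloc_buf size %zd async free %zd\n",
			      alloc->pid, size, alloc->free_async_space);
	}
	return buffer;

err_alloc_buf_struct_failed:
	/* give back the pages populated above; the buffer stays free */
	binder_update_page_range(alloc, 0, (void __user *)
				 PAGE_ALIGN((uintptr_t)buffer->user_data),
				 end_page_addr);
	return ERR_PTR(-ENOMEM);
}
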
/**
 * binder_alloc_new_buf() - Allocate a new binder buffer
 * @alloc:	binder_alloc for this proc
 * @data_size:	size of user data buffer
 * @offsets_size:	user specified buffer offset
 * @extra_buffers_size:	size of extra space for meta-data (eg, security context)
 * @is_async:	buffer for async transaction
 *
 * Allocate a new buffer given the requested sizes. Returns the kernel
 * version of the buffer pointer. The size allocated is the sum of the
 * three given sizes (each rounded up to a pointer-sized boundary). Takes
 * alloc->mutex and delegates to binder_alloc_new_buf_locked().
 *
 * Return: The allocated buffer, or an ERR_PTR() on error (see
 * binder_alloc_new_buf_locked() for the error codes).
 */
struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
					   size_t data_size,
					   size_t offsets_size,
					   size_t extra_buffers_size,
					   int is_async)
{
	struct binder_buffer *result;

	mutex_lock(&alloc->mutex);
	result = binder_alloc_new_buf_locked(alloc, data_size, offsets_size,
					     extra_buffers_size, is_async);
	mutex_unlock(&alloc->mutex);

	return result;
}

/* Start of the user page that contains @buffer->user_data. */
static void __user *buffer_start_page(struct binder_buffer *buffer)
{
	uintptr_t addr = (uintptr_t)buffer->user_data;

	return (void __user *)(addr & PAGE_MASK);
}

/* Start of the user page that contains the byte just before @buffer->user_data. */
static void __user *prev_buffer_end_page(struct binder_buffer *buffer)
{
	uintptr_t last_byte = (uintptr_t)buffer->user_data - 1;

	return (void __user *)(last_byte & PAGE_MASK);
}

/*
 * Unlink and kfree() a free @buffer that is being merged into its (free)
 * predecessor, releasing the page holding @buffer->user_data to the LRU
 * unless that page is still shared with a neighbour. @buffer must not be
 * the first buffer in alloc->buffers and its predecessor must be free.
 * Caller holds alloc->mutex and has already removed @buffer from the
 * free tree.
 */
static void binder_delete_free_buffer(struct binder_alloc *alloc,
				      struct binder_buffer *buffer)
{
	struct binder_buffer *prev, *next = NULL;
	bool to_free = true;
	BUG_ON(alloc->buffers.next == &buffer->entry);
	prev = binder_buffer_prev(buffer);
	BUG_ON(!prev->free);
	/*
	 * NOTE(review): prev_buffer_end_page(prev) is the page of the byte
	 * before prev->user_data, i.e. before prev's *start*, not its end.
	 * With buffers ordered by address this can only equal @buffer's
	 * start page if the two overlap — confirm this is the intended test.
	 */
	if (prev_buffer_end_page(prev) == buffer_start_page(buffer)) {
		to_free = false;
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: merge free, buffer %pK share page with %pK\n",
				   alloc->pid, buffer->user_data,
				   prev->user_data);
	}

	/* Keep the page if the following buffer starts on it. */
	if (!list_is_last(&buffer->entry, &alloc->buffers)) {
		next = binder_buffer_next(buffer);
		if (buffer_start_page(next) == buffer_start_page(buffer)) {
			to_free = false;
			binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
					   "%d: merge free, buffer %pK share page with %pK\n",
					   alloc->pid,
					   buffer->user_data,
					   next->user_data);
		}
	}

	/*
	 * A page-aligned start means the page was part of @buffer's own
	 * populated range and is handled by binder_free_buf_locked()'s
	 * binder_update_page_range() call — presumably; not shown here.
	 */
	if (PAGE_ALIGNED(buffer->user_data)) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: merge free, buffer start %pK is page aligned\n",
				   alloc->pid, buffer->user_data);
		to_free = false;
	}

	if (to_free) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: merge free, buffer %pK do not share page with %pK or %pK\n",
				   alloc->pid, buffer->user_data,
				   prev->user_data,
				   next ? next->user_data : NULL);
		binder_update_page_range(alloc, 0, buffer_start_page(buffer),
					 buffer_start_page(buffer) + PAGE_SIZE);
	}
	list_del(&buffer->entry);
	kfree(buffer);
}

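/**
 * binder_free_buf_locked() - return an allocated buffer to the free tree
 * @alloc:	binder_alloc for this proc
 * @buffer:	allocated buffer; must not be free, must lie inside the
 *		mapping and must have no transaction attached (all BUG_ON'd)
 *
 * Caller must hold alloc->mutex. Releases the pages lying wholly inside
 * @buffer to the LRU, moves @buffer from the allocated tree to the free
 * tree and coalesces it with a free neighbour on either side.
 *
 * For async transactions the space charged in binder_alloc_new_buf_locked()
 * is credited back. That charge was made on the request size padded to
 * sizeof(void *), so the same padding is applied here; crediting the
 * unpadded size would leak sizeof(void *) of async space on every 0-sized
 * async buffer until the process ran out of async space.
 */
static void binder_free_buf_locked(struct binder_alloc *alloc,
				   struct binder_buffer *buffer)
{
	size_t size, buffer_size;

	buffer_size = binder_alloc_buffer_size(alloc, buffer);

	size = ALIGN(buffer->data_size, sizeof(void *)) +
		ALIGN(buffer->offsets_size, sizeof(void *)) +
		ALIGN(buffer->extra_buffers_size, sizeof(void *));
	/* mirror the 0-size padding applied at allocation time */
	if (size < sizeof(void *))
		size = sizeof(void *);

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: binder_free_buf %pK size %zd buffer_size %zd\n",
			   alloc->pid, buffer, size, buffer_size);

	BUG_ON(buffer->free);
	BUG_ON(size > buffer_size);
	BUG_ON(buffer->transaction != NULL);
	BUG_ON(buffer->user_data < alloc->buffer);
	BUG_ON(buffer->user_data > alloc->buffer + alloc->buffer_size);

	if (buffer->async_transaction) {
		alloc->free_async_space += size + sizeof(struct binder_buffer);

		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
				   "%d: binder_free_buf size %zd async free %zd\n",
				   alloc->pid, size, alloc->free_async_space);
	}

	/* release only the pages that lie entirely inside this buffer */
	binder_update_page_range(alloc, 0,
		(void __user *)PAGE_ALIGN((uintptr_t)buffer->user_data),
		(void __user *)(((uintptr_t)
			  buffer->user_data + buffer_size) & PAGE_MASK));

	rb_erase(&buffer->rb_node, &alloc->allocated_buffers);
	buffer->free = 1;
	/* coalesce with a free successor: it is absorbed into @buffer */
	if (!list_is_last(&buffer->entry, &alloc->buffers)) {
		struct binder_buffer *next = binder_buffer_next(buffer);

		if (next->free) {
			rb_erase(&next->rb_node, &alloc->free_buffers);
			binder_delete_free_buffer(alloc, next);
		}
	}
	/* coalesce with a free predecessor: @buffer is absorbed into it */
	if (alloc->buffers.next != &buffer->entry) {
		struct binder_buffer *prev = binder_buffer_prev(buffer);

		if (prev->free) {
			binder_delete_free_buffer(alloc, buffer);
			rb_erase(&prev->rb_node, &alloc->free_buffers);
			buffer = prev;
		}
	}
	binder_insert_free_buffer(alloc, buffer);
}
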
/**
 * binder_alloc_free_buf() - free a binder buffer
 * @alloc:	binder_alloc for this proc
 * @buffer:	kernel pointer to buffer
 *
 * Free a buffer obtained from binder_alloc_new_buf(). Takes alloc->mutex
 * and delegates to binder_free_buf_locked().
 */
void binder_alloc_free_buf(struct binder_alloc *alloc,
			    struct binder_buffer *buffer)
{
	struct mutex *lock = &alloc->mutex;

	mutex_lock(lock);
	binder_free_buf_locked(alloc, buffer);
	mutex_unlock(lock);
}

/**
 * binder_alloc_mmap_handler() - map virtual address space for proc
 * @alloc:	alloc structure for this proc
 * @vma:	vma passed to mmap()
 *
 * Called by binder_mmap() to initialize the space specified in
 * vma for allocating binder buffers. The whole vma becomes one free
 * buffer; half of it is reserved as async space. alloc->buffer doubles
 * as the "already mapped" marker and is set/cleared under the global
 * binder_alloc_mmap_lock so two concurrent mmap() calls cannot both
 * succeed.
 *
 * NOTE(review): the page array is sized directly from vm_end - vm_start;
 * this relies on the caller having bounded the mapping size — confirm
 * in binder_mmap().
 *
 * Return:
 *      0 = success
 * -EBUSY = address space already mapped
 * -ENOMEM = failed to map memory to given address space
 */
int binder_alloc_mmap_handler(struct binder_alloc *alloc,
			      struct vm_area_struct *vma)
{
	int ret;
	const char *failure_string;
	struct binder_buffer *buffer;

	mutex_lock(&binder_alloc_mmap_lock);
	if (alloc->buffer) {
		ret = -EBUSY;
		failure_string = "already mapped";
		goto err_already_mapped;
	}

	/* Claim the slot before dropping the lock; cleared again on failure. */
	alloc->buffer = (void __user *)vma->vm_start;
	mutex_unlock(&binder_alloc_mmap_lock);

	alloc->pages = kcalloc((vma->vm_end - vma->vm_start) / PAGE_SIZE,
			       sizeof(alloc->pages[0]),
			       GFP_KERNEL);
	if (alloc->pages == NULL) {
		ret = -ENOMEM;
		failure_string = "alloc page array";
		goto err_alloc_pages_failed;
	}
	alloc->buffer_size = vma->vm_end - vma->vm_start;

	buffer = kzalloc(sizeof(*buffer), GFP_KERNEL);
	if (!buffer) {
		ret = -ENOMEM;
		failure_string = "alloc buffer struct";
		goto err_alloc_buf_struct_failed;
	}

	/* The initial free buffer spans the entire mapping. */
	buffer->user_data = alloc->buffer;
	list_add(&buffer->entry, &alloc->buffers);
	buffer->free = 1;
	binder_insert_free_buffer(alloc, buffer);
	alloc->free_async_space = alloc->buffer_size / 2;
	/* Publishing the vma makes the allocator usable (see set_vma/get_vma). */
	binder_alloc_set_vma(alloc, vma);
	/* Balanced by mmdrop() in binder_alloc_deferred_release(). */
	mmgrab(alloc->vma_vm_mm);

	return 0;

err_alloc_buf_struct_failed:
	kfree(alloc->pages);
	alloc->pages = NULL;
err_alloc_pages_failed:
	mutex_lock(&binder_alloc_mmap_lock);
	alloc->buffer = NULL;
err_already_mapped:
	mutex_unlock(&binder_alloc_mmap_lock);
	binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
			   "%s: %d %lx-%lx %s failed %d\n", __func__,
			   alloc->pid, vma->vm_start, vma->vm_end,
			   failure_string, ret);
	return ret;
}


/**
 * binder_alloc_deferred_release() - tear down a proc's allocator state
 * @alloc:	binder_alloc for this proc
 *
 * Must be called after the vma has been closed (alloc->vma is NULL;
 * BUG_ON otherwise). Frees every still-allocated buffer, then the
 * remaining free buffer struct(s), then every page still held in
 * alloc->pages (removing each from the LRU first), and finally drops the
 * mm reference taken in binder_alloc_mmap_handler().
 *
 * NOTE(review): alloc->pages is kfree()d but not reset to NULL here —
 * confirm that nothing reads it afterwards.
 */
void binder_alloc_deferred_release(struct binder_alloc *alloc)
{
	struct rb_node *n;
	int buffers, page_count;
	struct binder_buffer *buffer;

	buffers = 0;
	mutex_lock(&alloc->mutex);
	BUG_ON(alloc->vma);

	while ((n = rb_first(&alloc->allocated_buffers))) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);

		/* Transaction should already have been freed */
		BUG_ON(buffer->transaction);

		binder_free_buf_locked(alloc, buffer);
		buffers++;
	}

	/*
	 * After coalescing, a single free buffer covering the mapping is
	 * expected to remain; more than one is warned about once.
	 */
	while (!list_empty(&alloc->buffers)) {
		buffer = list_first_entry(&alloc->buffers,
					  struct binder_buffer, entry);
		WARN_ON(!buffer->free);

		list_del(&buffer->entry);
		WARN_ON_ONCE(!list_empty(&alloc->buffers));
		kfree(buffer);
	}

	page_count = 0;
	if (alloc->pages) {
		int i;

		for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
			void __user *page_addr;
			bool on_lru;

			if (!alloc->pages[i].page_ptr)
				continue;

			/* a page not on the LRU was still backing a buffer */
			on_lru = list_lru_del(&binder_alloc_lru,
					      &alloc->pages[i].lru);
			page_addr = alloc->buffer + i * PAGE_SIZE;
			binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
					   "%s: %d: page %d at %pK %s\n",
					   __func__, alloc->pid, i, page_addr,
					   on_lru ? "on lru" : "active");
			__free_page(alloc->pages[i].page_ptr);
			page_count++;
		}
		kfree(alloc->pages);
	}
	mutex_unlock(&alloc->mutex);
	/* vma_vm_mm survives binder_alloc_vma_close(); see binder_alloc_set_vma */
	if (alloc->vma_vm_mm)
		mmdrop(alloc->vma_vm_mm);

	binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE,
			   "%s: %d buffers %d, pages %d\n",
			   __func__, alloc->pid, buffers, page_count);
}

/* Emit one line describing @buffer to @m, prefixed with @prefix. */
static void print_binder_buffer(struct seq_file *m, const char *prefix,
				struct binder_buffer *buffer)
{
	const char *state = buffer->transaction ? "active" : "delivered";

	seq_printf(m, "%s %d: %pK size %zd:%zd:%zd %s\n",
		   prefix, buffer->debug_id, buffer->user_data,
		   buffer->data_size, buffer->offsets_size,
		   buffer->extra_buffers_size, state);
}

/**
 * binder_alloc_print_allocated() - print buffer info
 * @m:     seq_file for output via seq_printf()
 * @alloc: binder_alloc for this proc
 *
 * Prints one line per buffer in the allocated-buffer tree of the given
 * binder_alloc to @m, in address order, under alloc->mutex.
 */
void binder_alloc_print_allocated(struct seq_file *m,
				  struct binder_alloc *alloc)
{
	struct rb_node *node;

	mutex_lock(&alloc->mutex);
	node = rb_first(&alloc->allocated_buffers);
	while (node) {
		struct binder_buffer *buffer =
			rb_entry(node, struct binder_buffer, rb_node);

		print_binder_buffer(m, " buffer", buffer);
		node = rb_next(node);
	}
	mutex_unlock(&alloc->mutex);
}

/**
 * binder_alloc_print_pages() - print page usage
 * @m:     seq_file for output via seq_printf()
 * @alloc: binder_alloc for this proc
 *
 * Classifies every page slot of the mapping as active (allocated and in
 * use), lru (allocated but parked on binder_alloc_lru) or free (no page),
 * and prints the three counts plus the pages high-water mark. The slots
 * are only walked when a vma is published, i.e. when the allocator is
 * fully initialized. pages_high is read after the mutex is dropped, as
 * before.
 */
void binder_alloc_print_pages(struct seq_file *m,
			      struct binder_alloc *alloc)
{
	int active = 0;
	int lru = 0;
	int free = 0;

	mutex_lock(&alloc->mutex);
	/*
	 * Make sure the binder_alloc is fully initialized, otherwise we might
	 * read inconsistent state.
	 */
	if (binder_alloc_get_vma(alloc) != NULL) {
		int i;

		for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
			struct binder_lru_page *page = &alloc->pages[i];

			if (!page->page_ptr) {
				free++;
				continue;
			}
			if (list_empty(&page->lru))
				active++;
			else
				lru++;
		}
	}
	mutex_unlock(&alloc->mutex);
	seq_printf(m, " pages: %d:%d:%d\n", active, lru, free);
	seq_printf(m, " pages high watermark: %zu\n", alloc->pages_high);
}

/**
 * binder_alloc_get_allocated_count() - return count of buffers
 * @alloc: binder_alloc for this proc
 *
 * Walks the allocated-buffer tree under alloc->mutex.
 *
 * Return: count of allocated buffers
 */
int binder_alloc_get_allocated_count(struct binder_alloc *alloc)
{
	struct rb_node *node;
	int count = 0;

	mutex_lock(&alloc->mutex);
	node = rb_first(&alloc->allocated_buffers);
	while (node) {
		count++;
		node = rb_next(node);
	}
	mutex_unlock(&alloc->mutex);

	return count;
}


/**
 * binder_alloc_vma_close() - invalidate address space
 * @alloc: binder_alloc for this proc
 *
 * Called from binder_vma_close() when releasing address space.
 * Clears alloc->vma so that binder_alloc_new_buf_locked() refuses new
 * allocations with -ESRCH; alloc->vma_vm_mm is deliberately kept for
 * binder_alloc_deferred_release().
 */
void binder_alloc_vma_close(struct binder_alloc *alloc)
{
	/* NULL vma: publishes the "closed" state with the usual write barrier */
	binder_alloc_set_vma(alloc, NULL);
}

/**
 * binder_alloc_free_page() - shrinker callback to free pages
 * @item:	item to free
 * @lru:	the list_lru_one that @item is on (used for list_lru_isolate())
 * @lock:	lock protecting the item; held by the caller on entry
 * @cb_arg:	callback argument
 *
 * Called from list_lru_walk() in binder_shrink_scan() to free
 * up pages when the system is under memory pressure. Because @lock is
 * held on entry, alloc->mutex and the mm's mmap_sem are only trylock'ed:
 * if either cannot be taken immediately the page is skipped instead of
 * blocking. Once both are held the page is isolated from the LRU, @lock
 * is dropped for the zap and free, and re-taken before returning.
 *
 * Return: LRU_REMOVED_RETRY when the page was unmapped and freed,
 * LRU_SKIP when it could not be handled right now.
 */
enum lru_status binder_alloc_free_page(struct list_head *item,
				       struct list_lru_one *lru,
				       spinlock_t *lock,
				       void *cb_arg)
{
	struct mm_struct *mm = NULL;
	struct binder_lru_page *page = container_of(item,
						    struct binder_lru_page,
						    lru);
	struct binder_alloc *alloc;
	uintptr_t page_addr;
	size_t index;
	struct vm_area_struct *vma;

	alloc = page->alloc;
	if (!mutex_trylock(&alloc->mutex))
		goto err_get_alloc_mutex_failed;

	if (!page->page_ptr)
		goto err_page_already_freed;

	index = page - alloc->pages;
	page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;

	mm = alloc->vma_vm_mm;
	if (!mmget_not_zero(mm))
		goto err_mmget;
	if (!down_write_trylock(&mm->mmap_sem))
		goto err_down_write_mmap_sem_failed;
	vma = binder_alloc_get_vma(alloc);

	list_lru_isolate(lru, item);
	spin_unlock(lock);

	/* No vma means the mapping is already gone; only the page is freed. */
	if (vma) {
		trace_binder_unmap_user_start(alloc, index);

		zap_page_range(vma, page_addr, PAGE_SIZE);

		trace_binder_unmap_user_end(alloc, index);
	}
	up_write(&mm->mmap_sem);
	mmput(mm);

	trace_binder_unmap_kernel_start(alloc, index);

	__free_page(page->page_ptr);
	page->page_ptr = NULL;

	trace_binder_unmap_kernel_end(alloc, index);

	spin_lock(lock);
	mutex_unlock(&alloc->mutex);
	return LRU_REMOVED_RETRY;

err_down_write_mmap_sem_failed:
	/*
	 * @lock is still held on this path; presumably the async variant is
	 * used because dropping the last mm reference synchronously could
	 * sleep here — confirm.
	 */
	mmput_async(mm);
err_mmget:
err_page_already_freed:
	mutex_unlock(&alloc->mutex);
err_get_alloc_mutex_failed:
	return LRU_SKIP;
}

/* Shrinker count callback: number of pages parked on binder_alloc_lru. */
static unsigned long
binder_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
{
	return list_lru_count(&binder_alloc_lru);
}

/*
 * Shrinker scan callback: offer up to sc->nr_to_scan LRU pages to
 * binder_alloc_free_page(); returns what list_lru_walk() reports.
 */
static unsigned long
binder_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
{
	return list_lru_walk(&binder_alloc_lru, binder_alloc_free_page,
			     NULL, sc->nr_to_scan);
}

/* Registered by binder_alloc_shrinker_init(); reclaims from binder_alloc_lru. */
static struct shrinker binder_shrinker = {
	.seeks		= DEFAULT_SEEKS,
	.count_objects	= binder_shrink_count,
	.scan_objects	= binder_shrink_scan,
};

/**
 * binder_alloc_init() - called by binder_open() for per-proc initialization
 * @alloc: binder_alloc for this proc
 *
 * Called from binder_open() to initialize binder_alloc fields for
 * new binder proc: records the thread-group leader's pid (used in all
 * diagnostics), initializes alloc->mutex and the buffer list.
 */
void binder_alloc_init(struct binder_alloc *alloc)
{
	struct task_struct *leader = current->group_leader;

	alloc->pid = leader->pid;
	mutex_init(&alloc->mutex);
	INIT_LIST_HEAD(&alloc->buffers);
}

/*
 * Module-level setup: initialize binder_alloc_lru and register the
 * shrinker. If registration fails the LRU is destroyed again.
 *
 * Return: 0 on success, or the error from list_lru_init()/register_shrinker().
 */
int binder_alloc_shrinker_init(void)
{
	int ret;

	ret = list_lru_init(&binder_alloc_lru);
	if (ret)
		return ret;

	ret = register_shrinker(&binder_shrinker);
	if (ret)
		list_lru_destroy(&binder_alloc_lru);

	return ret;
}

/**
 * check_buffer() - verify that buffer/offset is safe to access
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @offset: offset into @buffer data
 * @bytes: bytes to access from offset
 *
 * Check that the @offset/@bytes are within the size of the given
 * @buffer and that the buffer is currently active and not freeable.
 * Offsets must also be multiples of sizeof(u32). The kernel is
 * allowed to touch the buffer in two cases:
 *
 * 1) when the buffer is being created:
 *     (buffer->free == 0 && buffer->allow_user_free == 0)
 * 2) when the buffer is being torn down:
 *     (buffer->free == 0 && buffer->transaction == NULL).
 *
 * Return: true if the buffer is safe to access
 */
static inline bool check_buffer(struct binder_alloc *alloc,
				struct binder_buffer *buffer,
				binder_size_t offset, size_t bytes)
{
	size_t buffer_size = binder_alloc_buffer_size(alloc, buffer);

	/* size check first so that buffer_size - bytes cannot wrap */
	if (bytes > buffer_size)
		return false;
	if (offset > buffer_size - bytes)
		return false;
	if (!IS_ALIGNED(offset, sizeof(u32)))
		return false;
	if (buffer->free)
		return false;

	/* creation (not yet user-freeable) or teardown (no transaction) */
	return !buffer->allow_user_free || !buffer->transaction;
}

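/**
 * binder_alloc_get_page() - get kernel pointer for given buffer offset
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @buffer_offset: offset into @buffer data
 * @pgoffp: address to copy final page offset to, or NULL
 *
 * Lookup the struct page corresponding to the address
 * at @buffer_offset into @buffer->user_data. If @pgoffp is not
 * NULL, the byte-offset into the page is written there.
 *
 * The caller is responsible to ensure that the offset points
 * to a valid address within the @buffer and that @buffer is
 * not freeable by the user (both callers in this file run
 * check_buffer() first; no bounds check is done here). Since it
 * can't be freed, we are guaranteed that the corresponding elements
 * of @alloc->pages[] cannot change.
 *
 * Return: struct page
 */
static struct page *binder_alloc_get_page(struct binder_alloc *alloc,
					  struct binder_buffer *buffer,
					  binder_size_t buffer_offset,
					  pgoff_t *pgoffp)
{
	/* offset of the byte from the start of the whole mapping */
	binder_size_t buffer_space_offset = buffer_offset +
		(buffer->user_data - alloc->buffer);
	pgoff_t pgoff = buffer_space_offset & ~PAGE_MASK;
	size_t index = buffer_space_offset >> PAGE_SHIFT;
	struct binder_lru_page *lru_page;

	lru_page = &alloc->pages[index];
	/* honour the documented contract that @pgoffp may be NULL */
	if (pgoffp)
		*pgoffp = pgoff;
	return lru_page->page_ptr;
}
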
/**
 * binder_alloc_copy_user_to_buffer() - copy src user to tgt user
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @buffer_offset: offset into @buffer data
 * @from: userspace pointer to source buffer
 * @bytes: bytes to copy
 *
 * Copy bytes from source userspace to target buffer, one page at a
 * time. The whole request is refused (nothing copied) if check_buffer()
 * rejects the range.
 *
 * Return: bytes remaining to be copied: @bytes if the range was rejected,
 * the uncopied remainder if copy_from_user() faulted part-way, 0 on success.
 */
unsigned long
binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,
				 struct binder_buffer *buffer,
				 binder_size_t buffer_offset,
				 const void __user *from,
				 size_t bytes)
{
	if (!check_buffer(alloc, buffer, buffer_offset, bytes))
		return bytes;

	while (bytes) {
		pgoff_t pgoff;
		struct page *page = binder_alloc_get_page(alloc, buffer,
							  buffer_offset, &pgoff);
		/* never cross a page boundary in one copy */
		unsigned long chunk = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		void *kptr = kmap(page) + pgoff;
		unsigned long not_copied = copy_from_user(kptr, from, chunk);

		kunmap(page);
		if (not_copied)
			return bytes - chunk + not_copied;

		bytes -= chunk;
		from += chunk;
		buffer_offset += chunk;
	}
	return 0;
}

/*
 * Copy @bytes between the kernel memory at @ptr and @buffer at
 * @buffer_offset, page by page; @to_buffer selects the direction.
 * The range is validated with check_buffer() and a failure is a BUG,
 * since these copies are driven by the kernel, not by user-space.
 */
static void binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
					bool to_buffer,
					struct binder_buffer *buffer,
					binder_size_t buffer_offset,
					void *ptr,
					size_t bytes)
{
	/* All copies must be 32-bit aligned and 32-bit size */
	BUG_ON(!check_buffer(alloc, buffer, buffer_offset, bytes));

	while (bytes) {
		pgoff_t pgoff;
		struct page *page = binder_alloc_get_page(alloc, buffer,
							  buffer_offset, &pgoff);
		unsigned long chunk = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		void *base = kmap_atomic(page);
		void *dst = to_buffer ? base + pgoff : ptr;
		void *src = to_buffer ? ptr : base + pgoff;

		memcpy(dst, src, chunk);
		/*
		 * kunmap_atomic() takes care of flushing the cache
		 * if this device has VIVT cache arch
		 */
		kunmap_atomic(base);

		bytes -= chunk;
		ptr += chunk;
		buffer_offset += chunk;
	}
}

/*
 * Copy @bytes of kernel memory from @src into @buffer at @buffer_offset.
 * See binder_alloc_do_buffer_copy() for the validation performed.
 */
void binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
				 struct binder_buffer *buffer,
				 binder_size_t buffer_offset,
				 void *src,
				 size_t bytes)
{
	const bool to_buffer = true;

	binder_alloc_do_buffer_copy(alloc, to_buffer, buffer, buffer_offset,
				    src, bytes);
}

/*
 * Copy @bytes from @buffer at @buffer_offset into the kernel memory at
 * @dest. See binder_alloc_do_buffer_copy() for the validation performed.
 */
void binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
				   void *dest,
				   struct binder_buffer *buffer,
				   binder_size_t buffer_offset,
				   size_t bytes)
{
	const bool to_buffer = false;

	binder_alloc_do_buffer_copy(alloc, to_buffer, buffer, buffer_offset,
				    dest, bytes);
}

1200