
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /* binder_alloc.c
  3. *
  4. * Android IPC Subsystem
  5. *
  6. * Copyright (C) 2007-2017 Google, Inc.
  7. */
  8. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  9. #include <linux/list.h>
  10. #include <linux/sched/mm.h>
  11. #include <linux/module.h>
  12. #include <linux/rtmutex.h>
  13. #include <linux/rbtree.h>
  14. #include <linux/seq_file.h>
  15. #include <linux/vmalloc.h>
  16. #include <linux/slab.h>
  17. #include <linux/sched.h>
  18. #include <linux/list_lru.h>
  19. #include <linux/ratelimit.h>
  20. #include <asm/cacheflush.h>
  21. #include <linux/uaccess.h>
  22. #include <linux/highmem.h>
  23. #include <linux/sizes.h>
  24. #include <kunit/visibility.h>
  25. #include "binder_alloc.h"
  26. #include "binder_trace.h"
/*
 * Global LRU of pages that back free buffer ranges. The per-process helpers
 * below (binder_lru_freelist_add()/binder_lru_freelist_del()) operate on
 * alloc->freelist, which presumably points at this list - the initialisation
 * is outside this view, confirm in binder_alloc_init().
 */
static struct list_lru binder_freelist;

/*
 * Serialises the "already mapped?" check-and-set of alloc->buffer_size in
 * binder_alloc_mmap_handler() against concurrent mmap() calls.
 */
static DEFINE_MUTEX(binder_alloc_mmap_lock);

/* Bit flags of binder_alloc_debug_mask; each one enables a class of messages. */
enum {
	BINDER_DEBUG_USER_ERROR             = 1U << 0,
	BINDER_DEBUG_OPEN_CLOSE             = 1U << 1,
	BINDER_DEBUG_BUFFER_ALLOC           = 1U << 2,
	BINDER_DEBUG_BUFFER_ALLOC_ASYNC     = 1U << 3,
};

/*
 * Only user-error reports are enabled by default. Exposed as the writable
 * (0644) module parameter "debug_mask", so the other classes can be switched
 * on at runtime without rebuilding.
 */
static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;

module_param_named(debug_mask, binder_alloc_debug_mask,
		   uint, 0644);

/*
 * Rate-limited pr_info() gated on @mask being set in binder_alloc_debug_mask.
 * Rate limiting matters because several call sites are reachable from
 * userspace-controlled requests (invalid sizes, exhausted space).
 */
#define binder_alloc_debug(mask, x...) \
	do { \
		if (binder_alloc_debug_mask & mask) \
			pr_info_ratelimited(x); \
	} while (0)
/*
 * binder_buffer_next() - successor of @buffer in alloc->buffers
 *
 * The list is kept in user_data order (binder_alloc_buffer_size() relies on
 * the successor starting where @buffer ends). The caller must know @buffer is
 * not the last entry; otherwise the list head is returned, not a buffer.
 */
static struct binder_buffer *binder_buffer_next(struct binder_buffer *buffer)
{
	struct list_head *succ = buffer->entry.next;

	return list_entry(succ, struct binder_buffer, entry);
}
/*
 * binder_buffer_prev() - predecessor of @buffer in alloc->buffers
 *
 * Mirror of binder_buffer_next(); the caller must have checked that @buffer
 * is not the first entry (alloc->buffers.next), see binder_free_buf_locked().
 */
static struct binder_buffer *binder_buffer_prev(struct binder_buffer *buffer)
{
	struct list_head *pred = buffer->entry.prev;

	return list_entry(pred, struct binder_buffer, entry);
}
/*
 * binder_alloc_buffer_size() - extent of @buffer in bytes
 * @alloc: binder_alloc owning @buffer
 * @buffer: entry of @alloc->buffers
 *
 * Buffers carry no explicit length: a buffer extends from its user_data up to
 * the user_data of the next buffer in the list, and the last buffer extends to
 * the end of the mapped region (vm_start + buffer_size).
 *
 * Return: number of bytes between @buffer->user_data and the next boundary.
 */
VISIBLE_IF_KUNIT size_t binder_alloc_buffer_size(struct binder_alloc *alloc,
						 struct binder_buffer *buffer)
{
	unsigned long end;

	if (list_is_last(&buffer->entry, &alloc->buffers))
		end = alloc->vm_start + alloc->buffer_size;
	else
		end = binder_buffer_next(buffer)->user_data;

	return end - buffer->user_data;
}
EXPORT_SYMBOL_IF_KUNIT(binder_alloc_buffer_size);
/*
 * binder_insert_free_buffer() - add @new_buffer to the size-ordered free tree
 * @alloc: binder_alloc owning the trees
 * @new_buffer: a buffer already linked in @alloc->buffers with ->free set
 *
 * alloc->free_buffers is keyed by buffer size so binder_alloc_new_buf_locked()
 * can do a best-fit search. Equal sizes go to the right. Must be called with
 * alloc->mutex held (the size is derived from the neighbouring list entry).
 */
static void binder_insert_free_buffer(struct binder_alloc *alloc,
				      struct binder_buffer *new_buffer)
{
	struct rb_node **link = &alloc->free_buffers.rb_node;
	struct rb_node *parent = NULL;
	size_t new_size;

	BUG_ON(!new_buffer->free);

	new_size = binder_alloc_buffer_size(alloc, new_buffer);

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: add free buffer, size %zd, at %p\n",
			   alloc->pid, new_size, new_buffer);

	while (*link) {
		struct binder_buffer *cur;
		size_t cur_size;

		parent = *link;
		cur = rb_entry(parent, struct binder_buffer, rb_node);
		BUG_ON(!cur->free);
		cur_size = binder_alloc_buffer_size(alloc, cur);

		link = (new_size < cur_size) ? &parent->rb_left
					     : &parent->rb_right;
	}

	rb_link_node(&new_buffer->rb_node, parent, link);
	rb_insert_color(&new_buffer->rb_node, &alloc->free_buffers);
}
/*
 * binder_insert_allocated_buffer_locked() - add @new_buffer to the in-use tree
 * @alloc: binder_alloc owning the trees
 * @new_buffer: buffer with ->free cleared
 *
 * alloc->allocated_buffers is keyed by user_data so that a pointer coming back
 * from userspace can be looked up (binder_alloc_prepare_to_free_locked()).
 * Two in-use buffers can never start at the same address, so a duplicate key
 * is a corrupted tree and trips BUG(). Caller holds alloc->mutex.
 */
static void binder_insert_allocated_buffer_locked(
		struct binder_alloc *alloc, struct binder_buffer *new_buffer)
{
	struct rb_node **link = &alloc->allocated_buffers.rb_node;
	struct rb_node *parent = NULL;

	BUG_ON(new_buffer->free);

	while (*link) {
		struct binder_buffer *cur;

		parent = *link;
		cur = rb_entry(parent, struct binder_buffer, rb_node);
		BUG_ON(cur->free);

		if (new_buffer->user_data == cur->user_data)
			BUG();

		link = (new_buffer->user_data < cur->user_data)
			? &parent->rb_left : &parent->rb_right;
	}

	rb_link_node(&new_buffer->rb_node, parent, link);
	rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers);
}
/*
 * binder_alloc_prepare_to_free_locked() - look up and claim an in-use buffer
 * @alloc: binder_alloc for this proc
 * @user_ptr: userspace address that must equal a buffer's user_data exactly
 *
 * Walks alloc->allocated_buffers (keyed by user_data). A match is only handed
 * out if userspace is currently allowed to free it; the permission is then
 * consumed so a second free of the same pointer fails instead of racing with
 * the kernel's own use of the buffer. Caller holds alloc->mutex.
 *
 * Return: the buffer, NULL if @user_ptr matches nothing, or ERR_PTR(-EPERM)
 *         if the buffer exists but must not be freed by the user right now.
 */
static struct binder_buffer *binder_alloc_prepare_to_free_locked(
		struct binder_alloc *alloc,
		unsigned long user_ptr)
{
	struct rb_node *n;

	for (n = alloc->allocated_buffers.rb_node; n;) {
		struct binder_buffer *buffer;

		buffer = rb_entry(n, struct binder_buffer, rb_node);
		BUG_ON(buffer->free);

		if (user_ptr == buffer->user_data) {
			if (!buffer->allow_user_free)
				return ERR_PTR(-EPERM);
			/* One-shot: the next attempt on this buffer is refused. */
			buffer->allow_user_free = 0;
			return buffer;
		}

		n = (user_ptr < buffer->user_data) ? n->rb_left : n->rb_right;
	}

	return NULL;
}
/**
 * binder_alloc_prepare_to_free() - get buffer given user ptr
 * @alloc: binder_alloc for this proc
 * @user_ptr: User pointer to buffer data
 *
 * Validate userspace pointer to buffer data and return buffer corresponding to
 * that user pointer. Search the rb tree for buffer that matches user data
 * pointer. Takes and releases @alloc->mutex around the lookup.
 *
 * Return: Pointer to buffer, NULL if no buffer starts at @user_ptr, or
 *         %ERR_PTR(-EPERM) if the buffer is not currently freeable by the user
 */
struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc,
						   unsigned long user_ptr)
{
	struct binder_buffer *buffer;

	guard(mutex)(&alloc->mutex);
	buffer = binder_alloc_prepare_to_free_locked(alloc, user_ptr);

	return buffer;
}
/*
 * binder_set_installed_page() - publish @page as the backing of slot @index
 *
 * The release store orders the page's initialisation and its pte insertion
 * before the slot becomes visible to readers using
 * binder_get_installed_page(), which does the matching acquire.
 */
static inline void
binder_set_installed_page(struct binder_alloc *alloc,
			  unsigned long index,
			  struct page *page)
{
	struct page **slot = &alloc->pages[index];

	smp_store_release(slot, page);
}
/*
 * binder_get_installed_page() - read the page published for slot @index
 *
 * Acquire load paired with the release in binder_set_installed_page(); a
 * non-NULL result means the page is fully installed. NULL means the slot is
 * not (yet) backed.
 */
static inline struct page *
binder_get_installed_page(struct binder_alloc *alloc, unsigned long index)
{
	struct page **slot = &alloc->pages[index];

	return smp_load_acquire(slot);
}
/*
 * binder_lru_freelist_add() - make the pages in [@start, @end) reclaimable
 * @alloc: binder_alloc owning the range
 * @start: first address, expected page aligned by callers
 * @end: end address (exclusive), expected page aligned by callers
 *
 * Every installed page in the range is put on alloc->freelist so the shrinker
 * may reclaim it. Slots that were never backed are skipped. Callers must pass
 * only pages not shared with an in-use buffer (see binder_free_buf_locked()).
 */
static void binder_lru_freelist_add(struct binder_alloc *alloc,
				    unsigned long start, unsigned long end)
{
	unsigned long addr;

	trace_binder_update_page_range(alloc, false, start, end);

	for (addr = start; addr < end; addr += PAGE_SIZE) {
		size_t index = (addr - alloc->vm_start) / PAGE_SIZE;
		struct page *page = binder_get_installed_page(alloc, index);
		bool added;

		if (!page)
			continue;

		trace_binder_free_lru_start(alloc, index);
		added = list_lru_add(alloc->freelist,
				     page_to_lru(page),
				     page_to_nid(page),
				     NULL);
		/* A page of a free range must not already be on the LRU. */
		WARN_ON(!added);
		trace_binder_free_lru_end(alloc, index);
	}
}
/*
 * binder_alloc_set_mapped() - publish whether the buffer vma is usable
 *
 * Release store so that everything set up before the flag flips (vm_start,
 * pages[], buffer_size) is visible to a reader that observes it through
 * binder_alloc_is_mapped().
 */
static inline
void binder_alloc_set_mapped(struct binder_alloc *alloc, bool state)
{
	bool *flag = &alloc->mapped;

	smp_store_release(flag, state);
}
/*
 * binder_alloc_is_mapped() - whether the buffer vma is currently usable
 *
 * Acquire load paired with binder_alloc_set_mapped(). Page lookups and
 * insertions check this under the mm/vma lock so they never touch a vma that
 * has been torn down.
 */
static inline bool binder_alloc_is_mapped(struct binder_alloc *alloc)
{
	bool *flag = &alloc->mapped;

	return smp_load_acquire(flag);
}
/*
 * binder_page_lookup() - find the page already mapped at @addr in alloc->mm
 * @alloc: binder_alloc owning the mapping
 * @addr: user address inside the binder vma
 *
 * Used after a racing vm_insert_page() returned -EBUSY: someone else installed
 * a pte first, so fetch that page. FOLL_NOFAULT guarantees no page is faulted
 * in here; an unmapped address simply yields NULL. The lookup is skipped
 * entirely once the vma is gone.
 *
 * Return: the page with a reference held by get_user_pages_remote(), or NULL.
 */
static struct page *binder_page_lookup(struct binder_alloc *alloc,
				       unsigned long addr)
{
	struct mm_struct *mm = alloc->mm;
	struct page *page = NULL;
	long npages = 0;

	mmap_read_lock(mm);
	if (binder_alloc_is_mapped(alloc))
		npages = get_user_pages_remote(mm, addr, 1, FOLL_NOFAULT,
					       &page, NULL);
	mmap_read_unlock(mm);

	if (npages <= 0)
		return NULL;

	return page;
}
/*
 * binder_page_insert() - map @page at @addr into alloc->mm
 * @alloc: binder_alloc owning the mapping
 * @addr: user address, page aligned
 * @page: freshly allocated page to install
 *
 * Prefers the per-VMA lock and only falls back to mmap_lock when the vma
 * cannot be locked that way. In both paths the insertion is refused once the
 * alloc is no longer mapped, so a pte is never created in a vma that is being
 * torn down.
 *
 * Return: 0 on success, -ESRCH if there is no usable vma, -EBUSY if a pte is
 *         already present, or another error from vm_insert_page().
 */
static int binder_page_insert(struct binder_alloc *alloc,
			      unsigned long addr,
			      struct page *page)
{
	struct mm_struct *mm = alloc->mm;
	struct vm_area_struct *vma;
	int ret = -ESRCH;

	vma = lock_vma_under_rcu(mm, addr);
	if (!vma) {
		/* Per-VMA lock unavailable: take the coarser mmap_lock. */
		mmap_read_lock(mm);
		vma = vma_lookup(mm, addr);
		if (vma && binder_alloc_is_mapped(alloc))
			ret = vm_insert_page(vma, addr, page);
		mmap_read_unlock(mm);
		return ret;
	}

	if (binder_alloc_is_mapped(alloc))
		ret = vm_insert_page(vma, addr, page);
	vma_end_read(vma);

	return ret;
}
/*
 * binder_page_alloc() - allocate a zeroed page plus its shrinker metadata
 * @alloc: binder_alloc the page will belong to
 * @index: slot in alloc->pages[] the page is destined for
 *
 * The page is zero-filled (__GFP_ZERO) so no stale kernel data can leak into
 * the user-visible buffer. Shrinker bookkeeping (owning alloc, slot index,
 * LRU link) is hung off page->private; binder_free_page() undoes both.
 *
 * Return: the page, or NULL if either allocation failed (nothing leaks).
 */
static struct page *binder_page_alloc(struct binder_alloc *alloc,
				      unsigned long index)
{
	struct binder_shrinker_mdata *mdata;
	struct page *page;

	page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO);
	if (!page)
		return NULL;

	mdata = kzalloc_obj(*mdata);
	if (!mdata)
		goto err_free_page;

	mdata->alloc = alloc;
	mdata->page_index = index;
	INIT_LIST_HEAD(&mdata->lru);
	set_page_private(page, (unsigned long)mdata);

	return page;

err_free_page:
	__free_page(page);
	return NULL;
}
/*
 * binder_free_page() - release a page obtained from binder_page_alloc()
 *
 * Frees the shrinker metadata stored in page->private first, then the page.
 */
static void binder_free_page(struct page *page)
{
	struct binder_shrinker_mdata *mdata;

	mdata = (struct binder_shrinker_mdata *)page_private(page);
	kfree(mdata);
	__free_page(page);
}
/*
 * binder_install_single_page() - back one slot of the mapping with a page
 * @alloc: binder_alloc owning the mapping
 * @index: slot in alloc->pages[]
 * @addr: user address of that slot (page aligned)
 *
 * Pins alloc->mm for the duration, allocates a zeroed page, maps it, and only
 * then publishes it in alloc->pages[] (release store). Two threads may race to
 * fill the same slot: the loser gets -EBUSY from the pte insertion, drops its
 * own page and adopts the winner's page instead. Called without alloc->mutex.
 *
 * Return: 0 on success, -ESRCH if the mm or the page is gone, -ENOMEM, or the
 *         error from binder_page_insert().
 */
static int binder_install_single_page(struct binder_alloc *alloc,
				      unsigned long index,
				      unsigned long addr)
{
	struct page *page;
	int ret;

	if (!mmget_not_zero(alloc->mm))
		return -ESRCH;

	page = binder_page_alloc(alloc, index);
	if (!page) {
		ret = -ENOMEM;
		goto out;
	}

	ret = binder_page_insert(alloc, addr, page);
	if (ret == -EBUSY) {
		/*
		 * Someone installed the pte first but has not published
		 * alloc->pages[index] yet. Discard our page and look up
		 * the one already mapped at this address.
		 */
		binder_free_page(page);
		page = binder_page_lookup(alloc, addr);
		if (!page) {
			pr_err("%d: failed to find page at offset %lx\n",
			       alloc->pid, addr - alloc->vm_start);
			ret = -ESRCH;
			goto out;
		}
		ret = 0;
	} else if (ret) {
		binder_free_page(page);
		pr_err("%d: %s failed to insert page at offset %lx with %d\n",
		       alloc->pid, __func__, addr - alloc->vm_start, ret);
		goto out;
	}

	/* Mark page installation complete and safe to use */
	binder_set_installed_page(alloc, index, page);
out:
	mmput_async(alloc->mm);
	return ret;
}
/*
 * binder_install_buffer_pages() - ensure every page under @buffer is present
 * @alloc: binder_alloc owning @buffer
 * @buffer: buffer whose user_data has just been reserved
 * @size: bytes the caller will use, starting at buffer->user_data
 *
 * Covers the page range spanned by [user_data, user_data + size). Slots that
 * already hold a page (e.g. shared with a neighbouring buffer) are skipped.
 * Stops at the first failure; the caller releases the buffer in that case.
 *
 * Return: 0, or the error from binder_install_single_page().
 */
static int binder_install_buffer_pages(struct binder_alloc *alloc,
				       struct binder_buffer *buffer,
				       size_t size)
{
	unsigned long first = buffer->user_data & PAGE_MASK;
	unsigned long limit = PAGE_ALIGN(buffer->user_data + size);
	unsigned long addr;

	for (addr = first; addr < limit; addr += PAGE_SIZE) {
		unsigned long index = (addr - alloc->vm_start) / PAGE_SIZE;
		int ret;

		if (binder_get_installed_page(alloc, index))
			continue;

		trace_binder_alloc_page_start(alloc, index);
		ret = binder_install_single_page(alloc, index, addr);
		if (ret)
			return ret;
		trace_binder_alloc_page_end(alloc, index);
	}

	return 0;
}
/*
 * binder_lru_freelist_del() - take the pages in [@start, @end) off the LRU
 * @alloc: binder_alloc owning the range
 * @start: first address (page aligned)
 * @end: end address, exclusive (page aligned)
 *
 * The range must exclude pages shared with other in-use buffers; those were
 * already removed when that neighbour was allocated (see the trimming in
 * binder_alloc_new_buf_locked()). Pages that are not installed at all just
 * raise alloc->pages_high, the largest page count ever reserved.
 */
static void binder_lru_freelist_del(struct binder_alloc *alloc,
				    unsigned long start, unsigned long end)
{
	unsigned long addr;

	trace_binder_update_page_range(alloc, true, start, end);

	for (addr = start; addr < end; addr += PAGE_SIZE) {
		unsigned long index = (addr - alloc->vm_start) / PAGE_SIZE;
		struct page *page = binder_get_installed_page(alloc, index);
		bool on_lru;

		if (!page) {
			if (alloc->pages_high < index + 1)
				alloc->pages_high = index + 1;
			continue;
		}

		trace_binder_alloc_lru_start(alloc, index);
		on_lru = list_lru_del(alloc->freelist,
				      page_to_lru(page),
				      page_to_nid(page),
				      NULL);
		/* An installed page of a free range is expected to be on the LRU. */
		WARN_ON(!on_lru);
		trace_binder_alloc_lru_end(alloc, index);
	}
}
/*
 * binder_debug_tree_totals() - accumulate count, total and largest size over a tree
 * @alloc: binder_alloc owning the buffers
 * @root: alloc->allocated_buffers or alloc->free_buffers
 * @count: incremented once per buffer
 * @total: sum of buffer sizes added in
 * @largest: raised to the biggest buffer seen
 */
static void binder_debug_tree_totals(struct binder_alloc *alloc,
				     struct rb_root *root,
				     size_t *count, size_t *total,
				     size_t *largest)
{
	struct rb_node *n;

	for (n = rb_first(root); n; n = rb_next(n)) {
		struct binder_buffer *buffer;
		size_t buffer_size;

		buffer = rb_entry(n, struct binder_buffer, rb_node);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		(*count)++;
		*total += buffer_size;
		if (buffer_size > *largest)
			*largest = buffer_size;
	}
}

/*
 * debug_no_space_locked() - report allocation state when a request cannot fit
 *
 * Emitted (rate limited, BINDER_DEBUG_USER_ERROR) when best-fit search fails,
 * to distinguish genuine exhaustion from fragmentation. Caller holds
 * alloc->mutex.
 */
static void debug_no_space_locked(struct binder_alloc *alloc)
{
	size_t allocated_buffers = 0, total_alloc_size = 0;
	size_t largest_alloc_size = 0;
	size_t free_buffers = 0, total_free_size = 0;
	size_t largest_free_size = 0;

	binder_debug_tree_totals(alloc, &alloc->allocated_buffers,
				 &allocated_buffers, &total_alloc_size,
				 &largest_alloc_size);
	binder_debug_tree_totals(alloc, &alloc->free_buffers,
				 &free_buffers, &total_free_size,
				 &largest_free_size);

	binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
			   "allocated: %zd (num: %zd largest: %zd), free: %zd (num: %zd largest: %zd)\n",
			   total_alloc_size, allocated_buffers,
			   largest_alloc_size, total_free_size,
			   free_buffers, largest_free_size);
}
/*
 * debug_low_async_space_locked() - detect one process hogging async space
 * @alloc: binder_alloc for the receiving proc
 *
 * Rather than keeping per-sender accounting, this is evaluated on every async
 * allocation once free async space is low: whoever is responsible will most
 * likely keep sending and eventually be the caller here. Only the current
 * caller's (current->tgid) outstanding async buffers are summed.
 *
 * Thresholds: detection starts under 10% of the whole mapping left for async
 * use (i.e. under 20% of the async share); the caller is reported when it
 * holds more than 50 async buffers or more than 25% of the mapping.
 *
 * Return: true exactly once per low-space episode when the caller crosses the
 *         threshold (alloc->oneway_spam_detected is set and later cleared when
 *         space recovers); false otherwise. Caller holds alloc->mutex.
 */
static bool debug_low_async_space_locked(struct binder_alloc *alloc)
{
	int pid = current->tgid;
	size_t total_alloc_size = 0;
	size_t num_buffers = 0;
	struct rb_node *n;

	if (alloc->free_async_space >= alloc->buffer_size / 10) {
		alloc->oneway_spam_detected = false;
		return false;
	}

	for (n = rb_first(&alloc->allocated_buffers); n; n = rb_next(n)) {
		struct binder_buffer *buffer;

		buffer = rb_entry(n, struct binder_buffer, rb_node);
		if (buffer->pid == pid && buffer->async_transaction) {
			total_alloc_size += binder_alloc_buffer_size(alloc,
								     buffer);
			num_buffers++;
		}
	}

	if (num_buffers <= 50 && total_alloc_size <= alloc->buffer_size / 4)
		return false;

	binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
			   "%d: pid %d spamming oneway? %zd buffers allocated for a total size of %zd\n",
			   alloc->pid, pid, num_buffers, total_alloc_size);

	/* Already reported during this episode. */
	if (alloc->oneway_spam_detected)
		return false;

	alloc->oneway_spam_detected = true;
	return true;
}
/* Callers preallocate @new_buffer, it is freed by this function if unused */
/*
 * binder_alloc_new_buf_locked() - carve @size bytes out of the free tree
 * @alloc: binder_alloc for this proc
 * @new_buffer: preallocated descriptor for the remainder if a free buffer
 *              has to be split; kfree()d here when not needed
 * @size: sanitized total size (see sanitized_size())
 * @is_async: non-zero if the buffer is charged against free_async_space
 *
 * Best-fit search over alloc->free_buffers (keyed by size). The chosen buffer
 * moves to alloc->allocated_buffers; any surplus is split off as a new free
 * buffer immediately after it. The whole pages covered by the new allocation
 * are removed from the shrinker LRU. Caller holds alloc->mutex.
 *
 * Return: the buffer, or ERR_PTR(-ENOSPC) if neither async space nor a large
 *         enough free buffer is available.
 */
static struct binder_buffer *binder_alloc_new_buf_locked(
		struct binder_alloc *alloc,
		struct binder_buffer *new_buffer,
		size_t size,
		int is_async)
{
	struct rb_node *n = alloc->free_buffers.rb_node;
	struct rb_node *best_fit = NULL;
	struct binder_buffer *buffer;
	unsigned long next_used_page;
	unsigned long curr_last_page;
	size_t buffer_size;

	/* Async senders get their own quota so they cannot starve sync replies. */
	if (is_async && alloc->free_async_space < size) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: binder_alloc_buf size %zd failed, no async space left\n",
				   alloc->pid, size);
		buffer = ERR_PTR(-ENOSPC);
		goto out;
	}

	/*
	 * Best fit: remember the smallest node that is still big enough and
	 * keep descending left; only an exact match stops the walk early.
	 */
	while (n) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		BUG_ON(!buffer->free);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		if (size < buffer_size) {
			best_fit = n;
			n = n->rb_left;
		} else if (size > buffer_size) {
			n = n->rb_right;
		} else {
			best_fit = n;
			break;
		}
	}

	if (unlikely(!best_fit)) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf size %zd failed, no address space\n",
				   alloc->pid, size);
		debug_no_space_locked(alloc);
		buffer = ERR_PTR(-ENOSPC);
		goto out;
	}

	/*
	 * Without an exact match @buffer/@buffer_size still describe the last
	 * node visited, not @best_fit; reload them. @n is NULL here because
	 * only the exact-match branch leaves the loop with it set.
	 */
	if (buffer_size != size) {
		/* Found an oversized buffer and needs to be split */
		buffer = rb_entry(best_fit, struct binder_buffer, rb_node);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		WARN_ON(n || buffer_size == size);
		/* The remainder starts right after our @size bytes and stays free. */
		new_buffer->user_data = buffer->user_data + size;
		list_add(&new_buffer->entry, &buffer->entry);
		new_buffer->free = 1;
		binder_insert_free_buffer(alloc, new_buffer);
		new_buffer = NULL;
	}

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: binder_alloc_buf size %zd got buffer %p size %zd\n",
			   alloc->pid, size, buffer, buffer_size);

	/*
	 * Now we remove the pages from the freelist. A clever calculation
	 * with buffer_size determines if the last page is shared with an
	 * adjacent in-use buffer. In such case, the page has been already
	 * removed from the freelist so we trim our range short.
	 *
	 * @buffer_size is still the pre-split extent, so @next_used_page is
	 * the page where the next in-use buffer begins. If the split left a
	 * free remainder, @curr_last_page is the smaller of the two and the
	 * shared page is still on the LRU and must be removed here. The
	 * range starts at PAGE_ALIGN(user_data) for the same reason: a
	 * partial first page belongs to the in-use predecessor.
	 */
	next_used_page = (buffer->user_data + buffer_size) & PAGE_MASK;
	curr_last_page = PAGE_ALIGN(buffer->user_data + size);
	binder_lru_freelist_del(alloc, PAGE_ALIGN(buffer->user_data),
				min(next_used_page, curr_last_page));

	rb_erase(&buffer->rb_node, &alloc->free_buffers);
	buffer->free = 0;
	/* User-initiated free is refused until the transaction is delivered. */
	buffer->allow_user_free = 0;
	binder_insert_allocated_buffer_locked(alloc, buffer);
	buffer->async_transaction = is_async;
	buffer->oneway_spam_suspect = false;
	if (is_async) {
		alloc->free_async_space -= size;
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
				   "%d: binder_alloc_buf size %zd async free %zd\n",
				   alloc->pid, size, alloc->free_async_space);
		if (debug_low_async_space_locked(alloc))
			buffer->oneway_spam_suspect = true;
	}

out:
	/* Discard possibly unused new_buffer */
	kfree(new_buffer);
	return buffer;
}
/*
 * sanitized_size() - total buffer size for a transaction request
 * @data_size: user data bytes
 * @offsets_size: object offset table bytes
 * @extra_buffers_size: meta-data bytes (e.g. security context)
 *
 * Each part is rounded up to a pointer boundary and the three are summed.
 * All three values come from userspace, so every step is checked for
 * size_t wrap-around: ALIGN() of a value near SIZE_MAX wraps to a small
 * number, which is why each sum is also compared against the unaligned
 * inputs. A zero total is padded to one pointer so every buffer gets a
 * distinct address.
 *
 * Return: the total, or 0 when the request overflows.
 */
static inline size_t sanitized_size(size_t data_size,
				    size_t offsets_size,
				    size_t extra_buffers_size)
{
	size_t aligned_data = ALIGN(data_size, sizeof(void *));
	size_t aligned_offsets = ALIGN(offsets_size, sizeof(void *));
	size_t aligned_extra = ALIGN(extra_buffers_size, sizeof(void *));
	size_t partial, total;

	partial = aligned_data + aligned_offsets;
	if (partial < data_size || partial < offsets_size)
		return 0;

	total = partial + aligned_extra;
	if (total < partial || total < extra_buffers_size)
		return 0;

	return max(total, sizeof(void *));
}
/**
 * binder_alloc_new_buf() - Allocate a new binder buffer
 * @alloc: binder_alloc for this proc
 * @data_size: size of user data buffer
 * @offsets_size: user specified buffer offset
 * @extra_buffers_size: size of extra space for meta-data (eg, security context)
 * @is_async: buffer for async transaction
 *
 * Reserves, under @alloc->mutex, a region large enough for the three sizes
 * (each rounded up to a pointer-sized boundary, overflow-checked by
 * sanitized_size()), then backs it with pages outside the lock. If page
 * installation fails the reservation is released again before returning.
 * The descriptor for a possible split remainder is allocated up front so the
 * locked section never needs to allocate.
 *
 * Return: The allocated buffer or %ERR_PTR(-errno) if error (-ESRCH when the
 *         process has no binder vma, -EINVAL for an overflowing size request,
 *         -ENOMEM, -ENOSPC, or a page installation error)
 */
struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
					   size_t data_size,
					   size_t offsets_size,
					   size_t extra_buffers_size,
					   int is_async)
{
	struct binder_buffer *buffer, *next;
	size_t size;
	int ret;

	if (!binder_alloc_is_mapped(alloc)) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf, no vma\n",
				   alloc->pid);
		return ERR_PTR(-ESRCH);
	}

	size = sanitized_size(data_size, offsets_size, extra_buffers_size);
	if (unlikely(!size)) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: got transaction with invalid size %zd-%zd-%zd\n",
				   alloc->pid, data_size, offsets_size,
				   extra_buffers_size);
		return ERR_PTR(-EINVAL);
	}

	next = kzalloc_obj(*next);
	if (!next)
		return ERR_PTR(-ENOMEM);

	scoped_guard(mutex, &alloc->mutex) {
		buffer = binder_alloc_new_buf_locked(alloc, next, size,
						     is_async);
		if (IS_ERR(buffer))
			return buffer;

		buffer->data_size = data_size;
		buffer->offsets_size = offsets_size;
		buffer->extra_buffers_size = extra_buffers_size;
		buffer->pid = current->tgid;
	}

	ret = binder_install_buffer_pages(alloc, buffer, size);
	if (!ret)
		return buffer;

	binder_alloc_free_buf(alloc, buffer);
	return ERR_PTR(ret);
}
EXPORT_SYMBOL_IF_KUNIT(binder_alloc_new_buf);
/* Address of the page that holds the first byte of @buffer. */
static unsigned long buffer_start_page(struct binder_buffer *buffer)
{
	unsigned long first_byte = buffer->user_data;

	return first_byte & PAGE_MASK;
}
/*
 * Address of the page that holds the last byte of the buffer *preceding*
 * @buffer, i.e. the byte just before @buffer->user_data.
 */
static unsigned long prev_buffer_end_page(struct binder_buffer *buffer)
{
	unsigned long last_byte_before = buffer->user_data - 1;

	return last_byte_before & PAGE_MASK;
}
/*
 * binder_delete_free_buffer() - drop a free buffer that merges into its free predecessor
 * @alloc: binder_alloc owning @buffer
 * @buffer: free buffer whose predecessor in alloc->buffers is also free
 *
 * Unlinks and frees the descriptor. The predecessor absorbs the range, since
 * a buffer's size is defined by where its successor starts.
 *
 * The only page handed back to the LRU here is the one containing
 * @buffer->user_data. That page was shared between @buffer and its
 * predecessor, so both binder_free_buf_locked() (PAGE_ALIGN()/PAGE_MASK
 * trimming) and binder_alloc_new_buf_locked() left it out of their ranges;
 * the merge is the first moment it may be free of in-use owners. It is still
 * skipped if any other buffer using that page is (presumably) in use.
 * Caller holds alloc->mutex.
 */
static void binder_delete_free_buffer(struct binder_alloc *alloc,
				      struct binder_buffer *buffer)
{
	struct binder_buffer *prev, *next;

	/* No partial first page: nothing was withheld, nothing to hand back. */
	if (PAGE_ALIGNED(buffer->user_data))
		goto skip_freelist;

	BUG_ON(alloc->buffers.next == &buffer->entry);
	prev = binder_buffer_prev(buffer);
	BUG_ON(!prev->free);
	/*
	 * The buffer before @prev ends on this same page, so @prev lies
	 * entirely within it and that earlier buffer still owns the page.
	 */
	if (prev_buffer_end_page(prev) == buffer_start_page(buffer))
		goto skip_freelist;

	/* The successor also starts on this page and keeps it busy. */
	if (!list_is_last(&buffer->entry, &alloc->buffers)) {
		next = binder_buffer_next(buffer);
		if (buffer_start_page(next) == buffer_start_page(buffer))
			goto skip_freelist;
	}
	binder_lru_freelist_add(alloc, buffer_start_page(buffer),
				buffer_start_page(buffer) + PAGE_SIZE);
skip_freelist:
	list_del(&buffer->entry);
	kfree(buffer);
}
/*
 * binder_free_buf_locked() - return @buffer to the free tree, coalescing neighbours
 * @alloc: binder_alloc owning @buffer
 * @buffer: an in-use buffer (in alloc->allocated_buffers)
 *
 * Refunds async space if applicable, puts the buffer's whole pages back on the
 * shrinker LRU, moves the buffer from the allocated tree to the free tree and
 * merges it with a free successor and/or predecessor so the free tree never
 * holds two adjacent free buffers. Caller holds alloc->mutex.
 */
static void binder_free_buf_locked(struct binder_alloc *alloc,
				   struct binder_buffer *buffer)
{
	size_t size, buffer_size;

	buffer_size = binder_alloc_buffer_size(alloc, buffer);

	/* Same rounding as sanitized_size(); must fit in the buffer's extent. */
	size = ALIGN(buffer->data_size, sizeof(void *)) +
		ALIGN(buffer->offsets_size, sizeof(void *)) +
		ALIGN(buffer->extra_buffers_size, sizeof(void *));

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: binder_free_buf %p size %zd buffer_size %zd\n",
			   alloc->pid, buffer, size, buffer_size);

	/* Sanity checks against double free, in-flight use and corrupted bounds. */
	BUG_ON(buffer->free);
	BUG_ON(size > buffer_size);
	BUG_ON(buffer->transaction != NULL);
	BUG_ON(buffer->user_data < alloc->vm_start);
	BUG_ON(buffer->user_data > alloc->vm_start + alloc->buffer_size);

	/* Refund the full extent; the async charge in new_buf_locked was @size. */
	if (buffer->async_transaction) {
		alloc->free_async_space += buffer_size;
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
				   "%d: binder_free_buf size %zd async free %zd\n",
				   alloc->pid, size, alloc->free_async_space);
	}

	/*
	 * Only whole pages: a partial first or last page is shared with a
	 * neighbour that may still be in use and is handled when the two
	 * buffers are eventually merged (binder_delete_free_buffer()).
	 */
	binder_lru_freelist_add(alloc, PAGE_ALIGN(buffer->user_data),
				(buffer->user_data + buffer_size) & PAGE_MASK);

	rb_erase(&buffer->rb_node, &alloc->allocated_buffers);
	buffer->free = 1;
	/* A free successor is absorbed: dropping it extends @buffer's extent. */
	if (!list_is_last(&buffer->entry, &alloc->buffers)) {
		struct binder_buffer *next = binder_buffer_next(buffer);

		if (next->free) {
			rb_erase(&next->rb_node, &alloc->free_buffers);
			binder_delete_free_buffer(alloc, next);
		}
	}
	/* A free predecessor absorbs @buffer instead; it is re-keyed by the new size. */
	if (alloc->buffers.next != &buffer->entry) {
		struct binder_buffer *prev = binder_buffer_prev(buffer);

		if (prev->free) {
			binder_delete_free_buffer(alloc, buffer);
			rb_erase(&prev->rb_node, &alloc->free_buffers);
			buffer = prev;
		}
	}
	binder_insert_free_buffer(alloc, buffer);
}
/**
 * binder_alloc_get_page() - get kernel pointer for given buffer offset
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @buffer_offset: offset into @buffer data
 * @pgoffp: address to copy final page offset to; must not be NULL, it is
 *          written unconditionally
 *
 * Lookup the struct page corresponding to the address
 * at @buffer_offset into @buffer->user_data and store the byte-offset into
 * that page through @pgoffp.
 *
 * The caller is responsible to ensure that the offset points
 * to a valid address within the @buffer and that @buffer is
 * not freeable by the user. Since it can't be freed, we are
 * guaranteed that the corresponding elements of @alloc->pages[]
 * cannot change, which is why a plain load (no acquire) suffices here.
 *
 * Return: struct page
 */
static struct page *binder_alloc_get_page(struct binder_alloc *alloc,
					  struct binder_buffer *buffer,
					  binder_size_t buffer_offset,
					  pgoff_t *pgoffp)
{
	binder_size_t mapping_offset;

	/* Byte offset of the target from the start of the whole mapping. */
	mapping_offset = (buffer->user_data - alloc->vm_start) + buffer_offset;

	*pgoffp = mapping_offset & ~PAGE_MASK;

	return alloc->pages[mapping_offset >> PAGE_SHIFT];
}
/**
 * binder_alloc_clear_buf() - zero out buffer
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be cleared
 *
 * Overwrite the whole extent of @buffer with zeros, one page at a time, so
 * that transaction contents flagged clear_on_free do not survive in the
 * shared mapping after release. Uses binder_alloc_get_page(), so the same
 * caller guarantees apply (buffer not freeable by the user meanwhile).
 */
static void binder_alloc_clear_buf(struct binder_alloc *alloc,
				   struct binder_buffer *buffer)
{
	size_t remaining = binder_alloc_buffer_size(alloc, buffer);
	binder_size_t offset;
	unsigned long chunk;

	for (offset = 0; remaining; offset += chunk, remaining -= chunk) {
		struct page *page;
		pgoff_t pgoff;

		page = binder_alloc_get_page(alloc, buffer, offset, &pgoff);
		/* Stop at the page boundary; the next iteration picks up the next page. */
		chunk = min_t(size_t, remaining, PAGE_SIZE - pgoff);
		memset_page(page, pgoff, 0, chunk);
	}
}
/**
 * binder_alloc_free_buf() - free a binder buffer
 * @alloc: binder_alloc for this proc
 * @buffer: kernel pointer to buffer
 *
 * Free the buffer allocated via binder_alloc_new_buf(). If the buffer was
 * marked clear_on_free its contents are zeroed first, before alloc->mutex is
 * taken: the lock is not needed for that step, and holding it across large
 * memsets would raise contention (this is also why the clearing is not done
 * in binder_free_buf_locked(), which binder_alloc_deferred_release() shares).
 */
void binder_alloc_free_buf(struct binder_alloc *alloc,
			   struct binder_buffer *buffer)
{
	if (buffer->clear_on_free) {
		binder_alloc_clear_buf(alloc, buffer);
		buffer->clear_on_free = false;
	}

	scoped_guard(mutex, &alloc->mutex)
		binder_free_buf_locked(alloc, buffer);
}
EXPORT_SYMBOL_IF_KUNIT(binder_alloc_free_buf);
/**
 * binder_alloc_mmap_handler() - map virtual address space for proc
 * @alloc: alloc structure for this proc
 * @vma: vma passed to mmap()
 *
 * Called by binder_mmap() to initialize the space specified in
 * vma for allocating binder buffers
 *
 * Return:
 * 0 = success
 * -EINVAL = vma does not belong to the mm recorded in @alloc
 * -EBUSY = address space already mapped
 * -ENOMEM = failed to map memory to given address space
 */
int binder_alloc_mmap_handler(struct binder_alloc *alloc,
			      struct vm_area_struct *vma)
{
	struct binder_buffer *buffer;
	const char *failure_string;
	int ret;

	/* Refuse a vma from a different address space than the opener's. */
	if (unlikely(vma->vm_mm != alloc->mm)) {
		ret = -EINVAL;
		failure_string = "invalid vma->vm_mm";
		goto err_invalid_mm;
	}

	/*
	 * buffer_size doubles as the "already mapped" flag; it is set
	 * here and cleared on the error path under binder_alloc_mmap_lock
	 * so two concurrent mmap() calls cannot both succeed.
	 */
	mutex_lock(&binder_alloc_mmap_lock);
	if (alloc->buffer_size) {
		ret = -EBUSY;
		failure_string = "already mapped";
		goto err_already_mapped;
	}
	/* The usable area is capped at 4 MiB regardless of the vma length. */
	alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start,
				   SZ_4M);
	mutex_unlock(&binder_alloc_mmap_lock);

	alloc->vm_start = vma->vm_start;

	/* One page-pointer slot per page of the capped area; freed in binder_alloc_deferred_release(). */
	alloc->pages = kvzalloc_objs(alloc->pages[0],
				     alloc->buffer_size / PAGE_SIZE);
	if (!alloc->pages) {
		ret = -ENOMEM;
		failure_string = "alloc page array";
		goto err_alloc_pages_failed;
	}

	/* The initial single free buffer spans the whole mapping. */
	buffer = kzalloc_obj(*buffer);
	if (!buffer) {
		ret = -ENOMEM;
		failure_string = "alloc buffer struct";
		goto err_alloc_buf_struct_failed;
	}

	buffer->user_data = alloc->vm_start;
	list_add(&buffer->entry, &alloc->buffers);
	buffer->free = 1;
	binder_insert_free_buffer(alloc, buffer);
	/* Async transactions may use at most half of the mapping. */
	alloc->free_async_space = alloc->buffer_size / 2;

	/* Signal binder_alloc is fully initialized */
	binder_alloc_set_mapped(alloc, true);

	return 0;

err_alloc_buf_struct_failed:
	kvfree(alloc->pages);
	alloc->pages = NULL;
err_alloc_pages_failed:
	alloc->vm_start = 0;
	/* Undo the "mapped" marker under the same lock that set it. */
	mutex_lock(&binder_alloc_mmap_lock);
	alloc->buffer_size = 0;
err_already_mapped:
	mutex_unlock(&binder_alloc_mmap_lock);
err_invalid_mm:
	binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
			   "%s: %d %lx-%lx %s failed %d\n", __func__,
			   alloc->pid, vma->vm_start, vma->vm_end,
			   failure_string, ret);
	return ret;
}
EXPORT_SYMBOL_IF_KUNIT(binder_alloc_mmap_handler);
/**
 * binder_alloc_deferred_release() - release everything owned by @alloc
 * @alloc: binder_alloc for this proc
 *
 * Frees every still-allocated buffer (zeroing those marked clear_on_free),
 * the remaining free buffer descriptor, every installed page and the page
 * array itself, then drops the mm reference taken in __binder_alloc_init().
 * The mapping must already be gone (BUG_ON(alloc->mapped)).
 */
void binder_alloc_deferred_release(struct binder_alloc *alloc)
{
	struct rb_node *n;
	int buffers, page_count;
	struct binder_buffer *buffer;

	buffers = 0;
	mutex_lock(&alloc->mutex);
	BUG_ON(alloc->mapped);

	/* Release whatever is still in the allocated tree, clearing on request. */
	while ((n = rb_first(&alloc->allocated_buffers))) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);

		/* Transaction should already have been freed */
		BUG_ON(buffer->transaction);

		if (buffer->clear_on_free) {
			binder_alloc_clear_buf(alloc, buffer);
			buffer->clear_on_free = false;
		}
		binder_free_buf_locked(alloc, buffer);
		buffers++;
	}

	/* Only free descriptors should be left; exactly one is expected. */
	while (!list_empty(&alloc->buffers)) {
		buffer = list_first_entry(&alloc->buffers,
					  struct binder_buffer, entry);
		WARN_ON(!buffer->free);

		list_del(&buffer->entry);
		WARN_ON_ONCE(!list_empty(&alloc->buffers));
		kfree(buffer);
	}

	page_count = 0;
	if (alloc->pages) {
		int i;

		for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
			struct page *page;
			bool on_lru;

			page = binder_get_installed_page(alloc, i);
			if (!page)
				continue;

			/* Pull the page off the shrinker list before freeing it. */
			on_lru = list_lru_del(alloc->freelist,
					      page_to_lru(page),
					      page_to_nid(page),
					      NULL);
			binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
					   "%s: %d: page %d %s\n",
					   __func__, alloc->pid, i,
					   on_lru ? "on lru" : "active");
			binder_free_page(page);
			page_count++;
		}
	}
	mutex_unlock(&alloc->mutex);
	kvfree(alloc->pages);
	/* Counterpart of the mmgrab() in __binder_alloc_init(). */
	if (alloc->mm)
		mmdrop(alloc->mm);

	binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE,
			   "%s: %d buffers %d, pages %d\n",
			   __func__, alloc->pid, buffers, page_count);
}
EXPORT_SYMBOL_IF_KUNIT(binder_alloc_deferred_release);
/**
 * binder_alloc_print_allocated() - print buffer info
 * @m: seq_file for output via seq_printf()
 * @alloc: binder_alloc for this proc
 *
 * Walks the allocated_buffers tree under alloc->mutex and emits one
 * line per buffer: debug id, offset within the mapping, the three
 * size components and whether a transaction still owns it.
 */
void binder_alloc_print_allocated(struct seq_file *m,
				  struct binder_alloc *alloc)
{
	struct rb_node *node;

	guard(mutex)(&alloc->mutex);
	node = rb_first(&alloc->allocated_buffers);
	while (node) {
		struct binder_buffer *buf = rb_entry(node, struct binder_buffer,
						     rb_node);

		seq_printf(m, " buffer %d: %lx size %zd:%zd:%zd %s\n",
			   buf->debug_id,
			   buf->user_data - alloc->vm_start,
			   buf->data_size, buf->offsets_size,
			   buf->extra_buffers_size,
			   buf->transaction ? "active" : "delivered");
		node = rb_next(node);
	}
}
/**
 * binder_alloc_print_pages() - print page usage
 * @m: seq_file for output via seq_printf()
 * @alloc: binder_alloc for this proc
 *
 * Counts, under alloc->mutex, how many page slots are not installed
 * (free), installed and off the lru (active), or installed and on the
 * lru, then prints the three counts and the high watermark.
 */
void binder_alloc_print_pages(struct seq_file *m,
			      struct binder_alloc *alloc)
{
	int active = 0, lru = 0, free = 0;
	int i;

	mutex_lock(&alloc->mutex);
	/*
	 * Only walk the page array once the mapping is fully set up;
	 * before that the fields could be half-initialized.
	 */
	if (binder_alloc_is_mapped(alloc)) {
		for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
			struct page *page = binder_get_installed_page(alloc, i);

			if (!page) {
				free++;
				continue;
			}
			if (list_empty(page_to_lru(page)))
				active++;
			else
				lru++;
		}
	}
	mutex_unlock(&alloc->mutex);

	seq_printf(m, " pages: %d:%d:%d\n", active, lru, free);
	seq_printf(m, " pages high watermark: %zu\n", alloc->pages_high);
}
/**
 * binder_alloc_get_allocated_count() - return count of buffers
 * @alloc: binder_alloc for this proc
 *
 * Walks the allocated_buffers tree under alloc->mutex.
 *
 * Return: count of allocated buffers
 */
int binder_alloc_get_allocated_count(struct binder_alloc *alloc)
{
	struct rb_node *node;
	int count = 0;

	guard(mutex)(&alloc->mutex);
	node = rb_first(&alloc->allocated_buffers);
	while (node != NULL) {
		count++;
		node = rb_next(node);
	}
	return count;
}
/**
 * binder_alloc_vma_close() - invalidate address space
 * @alloc: binder_alloc for this proc
 *
 * Called from binder_vma_close() when releasing address space.
 * Clears alloc->mapped to prevent new incoming transactions from
 * allocating more buffers. Pages and buffer descriptors are not
 * released here; that is left to binder_alloc_deferred_release().
 */
void binder_alloc_vma_close(struct binder_alloc *alloc)
{
	binder_alloc_set_mapped(alloc, false);
}
EXPORT_SYMBOL_IF_KUNIT(binder_alloc_vma_close);
/**
 * binder_alloc_free_page() - shrinker callback to free pages
 * @item: item to free
 * @lru: list_lru instance of the item
 * @cb_arg: callback argument
 *
 * Called from list_lru_walk() in binder_shrink_scan() to free
 * up pages when the system is under memory pressure.
 *
 * Every lock is acquired with a trylock (or the per-vma read lock) so the
 * shrinker never blocks; any contention makes the item be skipped
 * (LRU_SKIP) rather than waited for. On success the page is detached from
 * alloc->pages[] and from the lru, unmapped from the user vma if one still
 * exists, and released only after every lock has been dropped. lru->lock
 * is released inside this function before returning LRU_REMOVED_RETRY.
 */
enum lru_status binder_alloc_free_page(struct list_head *item,
				       struct list_lru_one *lru,
				       void *cb_arg)
	__must_hold(&lru->lock)
{
	struct binder_shrinker_mdata *mdata = container_of(item, typeof(*mdata), lru);
	struct binder_alloc *alloc = mdata->alloc;
	struct mm_struct *mm = alloc->mm;
	struct vm_area_struct *vma;
	struct page *page_to_free;
	unsigned long page_addr;
	/* Which mm-side lock is held: 1 = mmap_lock, 0 = per-vma lock (if any). */
	int mm_locked = 0;
	size_t index;

	/* The owning mm is being torn down; leave the item for later. */
	if (!mmget_not_zero(mm))
		goto err_mmget;

	index = mdata->page_index;
	page_addr = alloc->vm_start + index * PAGE_SIZE;

	/* attempt per-vma lock first */
	vma = lock_vma_under_rcu(mm, page_addr);
	if (!vma) {
		/* fall back to mmap_lock */
		if (!mmap_read_trylock(mm))
			goto err_mmap_read_lock_failed;
		mm_locked = 1;
		/* A NULL vma here is tolerated: see the zap below. */
		vma = vma_lookup(mm, page_addr);
	}

	if (!mutex_trylock(&alloc->mutex))
		goto err_get_alloc_mutex_failed;

	/*
	 * Since a binder_alloc can only be mapped once, we ensure
	 * the vma corresponds to this mapping by checking whether
	 * the binder_alloc is still mapped.
	 */
	if (vma && !binder_alloc_is_mapped(alloc))
		goto err_invalid_vma;

	/* Detach the page from the allocator while alloc->mutex is held. */
	trace_binder_unmap_kernel_start(alloc, index);

	page_to_free = alloc->pages[index];
	binder_set_installed_page(alloc, index, NULL);

	trace_binder_unmap_kernel_end(alloc, index);

	/* Item leaves the lru; its lock is dropped here and not retaken. */
	list_lru_isolate(lru, item);
	spin_unlock(&lru->lock);

	/* Without a vma there is nothing left to unmap from userspace. */
	if (vma) {
		trace_binder_unmap_user_start(alloc, index);

		zap_page_range_single(vma, page_addr, PAGE_SIZE, NULL);

		trace_binder_unmap_user_end(alloc, index);
	}

	mutex_unlock(&alloc->mutex);
	/* Release whichever mm-side lock was taken above. */
	if (mm_locked)
		mmap_read_unlock(mm);
	else
		vma_end_read(vma);
	mmput_async(mm);
	/* Free only after every lock is dropped. */
	binder_free_page(page_to_free);

	return LRU_REMOVED_RETRY;

err_invalid_vma:
	mutex_unlock(&alloc->mutex);
err_get_alloc_mutex_failed:
	/* vma_end_read() is reached only when lock_vma_under_rcu() returned a vma. */
	if (mm_locked)
		mmap_read_unlock(mm);
	else
		vma_end_read(vma);
err_mmap_read_lock_failed:
	mmput_async(mm);
err_mmget:
	return LRU_SKIP;
}
EXPORT_SYMBOL_IF_KUNIT(binder_alloc_free_page);
/*
 * Shrinker count callback: reports how many pages sit on the global
 * freelist. @shrink and @sc are unused.
 */
static unsigned long
binder_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
{
	return list_lru_count(&binder_freelist);
}
/*
 * Shrinker scan callback: walks up to sc->nr_to_scan freelist items,
 * handing each to binder_alloc_free_page(). @shrink is unused.
 */
static unsigned long
binder_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
{
	return list_lru_walk(&binder_freelist, binder_alloc_free_page,
			     NULL, sc->nr_to_scan);
}
/* Registered by binder_alloc_shrinker_init(), freed by binder_alloc_shrinker_exit(). */
static struct shrinker *binder_shrinker;
/*
 * __binder_alloc_init() - set up the per-proc allocator state
 * @alloc: binder_alloc to initialize
 * @freelist: list_lru the shrinker pulls this proc's pages from
 *
 * Records the calling task's tgid and mm (taking an mm reference that
 * binder_alloc_deferred_release() drops again), initializes the mutex
 * and buffer list, and attaches @freelist.
 */
VISIBLE_IF_KUNIT void __binder_alloc_init(struct binder_alloc *alloc,
					  struct list_lru *freelist)
{
	alloc->freelist = freelist;
	INIT_LIST_HEAD(&alloc->buffers);
	mutex_init(&alloc->mutex);

	alloc->pid = current->tgid;
	alloc->mm = current->mm;
	/* Keep the mm_struct alive until the deferred release. */
	mmgrab(alloc->mm);
}
EXPORT_SYMBOL_IF_KUNIT(__binder_alloc_init);
/**
 * binder_alloc_init() - called by binder_open() for per-proc initialization
 * @alloc: binder_alloc for this proc
 *
 * Called from binder_open() to initialize binder_alloc fields for
 * new binder proc. Thin wrapper that binds @alloc to the global
 * binder_freelist via __binder_alloc_init().
 */
void binder_alloc_init(struct binder_alloc *alloc)
{
	__binder_alloc_init(alloc, &binder_freelist);
}
/*
 * binder_alloc_shrinker_init() - create the freelist and register the shrinker
 *
 * On any failure the freelist is torn down again so the caller sees a
 * clean state.
 *
 * Return: 0 on success, the list_lru_init() error or -ENOMEM if the
 * shrinker could not be allocated.
 */
int binder_alloc_shrinker_init(void)
{
	int ret;

	ret = list_lru_init(&binder_freelist);
	if (ret)
		goto out;

	binder_shrinker = shrinker_alloc(0, "android-binder");
	if (!binder_shrinker) {
		ret = -ENOMEM;
		goto err_destroy_lru;
	}

	binder_shrinker->count_objects = binder_shrink_count;
	binder_shrinker->scan_objects = binder_shrink_scan;
	shrinker_register(binder_shrinker);
	return 0;

err_destroy_lru:
	list_lru_destroy(&binder_freelist);
out:
	return ret;
}
/*
 * binder_alloc_shrinker_exit() - undo binder_alloc_shrinker_init()
 *
 * Unregisters and frees the shrinker before destroying the freelist,
 * so no scan can run against a destroyed list.
 */
void binder_alloc_shrinker_exit(void)
{
	shrinker_free(binder_shrinker);
	list_lru_destroy(&binder_freelist);
}
/**
 * check_buffer() - verify that buffer/offset is safe to access
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @offset: offset into @buffer data
 * @bytes: bytes to access from offset
 *
 * Accept the access only if [@offset, @offset + @bytes) lies inside
 * the buffer (computed without overflow), @offset is a multiple of
 * sizeof(u32), and the buffer is currently active and not freeable.
 * The kernel is allowed to touch the buffer in two cases:
 *
 * 1) when the buffer is being created:
 * (buffer->free == 0 && buffer->allow_user_free == 0)
 * 2) when the buffer is being torn down:
 * (buffer->free == 0 && buffer->transaction == NULL).
 *
 * Return: true if the buffer is safe to access
 */
static inline bool check_buffer(struct binder_alloc *alloc,
				struct binder_buffer *buffer,
				binder_size_t offset, size_t bytes)
{
	size_t buffer_size = binder_alloc_buffer_size(alloc, buffer);

	/* Subtract before comparing so @offset + @bytes can never wrap. */
	if (bytes > buffer_size || offset > buffer_size - bytes)
		return false;
	if (!IS_ALIGNED(offset, sizeof(u32)))
		return false;
	if (buffer->free)
		return false;
	return !buffer->allow_user_free || !buffer->transaction;
}
/**
 * binder_alloc_copy_user_to_buffer() - copy src user to tgt user
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @buffer_offset: offset into @buffer data
 * @from: userspace pointer to source buffer
 * @bytes: bytes to copy
 *
 * Copy bytes from source userspace to target buffer, one page fragment
 * at a time. The destination range is validated with check_buffer()
 * before anything is touched.
 *
 * Return: bytes remaining to be copied: 0 on success, @bytes if the
 * range was rejected, or the uncopied tail if copy_from_user() faulted.
 */
unsigned long
binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,
				 struct binder_buffer *buffer,
				 binder_size_t buffer_offset,
				 const void __user *from,
				 size_t bytes)
{
	if (!check_buffer(alloc, buffer, buffer_offset, bytes))
		return bytes;

	while (bytes) {
		struct page *page;
		pgoff_t pgoff;
		unsigned long chunk, not_copied;
		void *kptr;

		page = binder_alloc_get_page(alloc, buffer,
					     buffer_offset, &pgoff);
		chunk = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		kptr = kmap_local_page(page) + pgoff;
		not_copied = copy_from_user(kptr, from, chunk);
		kunmap_local(kptr);
		/* Report what is still outstanding, including the failed chunk. */
		if (not_copied)
			return bytes - chunk + not_copied;
		bytes -= chunk;
		from += chunk;
		buffer_offset += chunk;
	}
	return 0;
}
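/**
 * binder_alloc_do_buffer_copy() - copy between a kernel pointer and @buffer
 * @alloc: binder_alloc for this proc
 * @to_buffer: true to copy @ptr into @buffer, false to copy @buffer into @ptr
 * @buffer: binder buffer to be accessed
 * @buffer_offset: offset into @buffer data
 * @ptr: kernel pointer on the other side of the copy
 * @bytes: bytes to copy
 *
 * The range is validated with check_buffer() first; the copy then
 * proceeds one page fragment at a time.
 *
 * Return: 0 on success, -EINVAL if check_buffer() rejects the range
 */
static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
				       bool to_buffer,
				       struct binder_buffer *buffer,
				       binder_size_t buffer_offset,
				       void *ptr,
				       size_t bytes)
{
	/*
	 * check_buffer() enforces the bounds and the u32 alignment of
	 * @buffer_offset; it places no alignment requirement on @bytes.
	 */
	if (!check_buffer(alloc, buffer, buffer_offset, bytes))
		return -EINVAL;

	while (bytes) {
		unsigned long size;
		struct page *page;
		pgoff_t pgoff;

		/* pgoff is recomputed for every fragment by the lookup. */
		page = binder_alloc_get_page(alloc, buffer,
					     buffer_offset, &pgoff);
		size = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		if (to_buffer)
			memcpy_to_page(page, pgoff, ptr, size);
		else
			memcpy_from_page(ptr, page, pgoff, size);
		bytes -= size;
		ptr = ptr + size;
		buffer_offset += size;
	}
	return 0;
}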
/**
 * binder_alloc_copy_to_buffer() - copy kernel memory into a binder buffer
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be written
 * @buffer_offset: offset into @buffer data
 * @src: kernel pointer to the source bytes
 * @bytes: bytes to copy
 *
 * Return: 0 on success, -EINVAL if check_buffer() rejects the range
 */
int binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
				struct binder_buffer *buffer,
				binder_size_t buffer_offset,
				void *src,
				size_t bytes)
{
	return binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset,
					   src, bytes);
}
/**
 * binder_alloc_copy_from_buffer() - copy a binder buffer into kernel memory
 * @alloc: binder_alloc for this proc
 * @dest: kernel pointer to the destination bytes
 * @buffer: binder buffer to be read
 * @buffer_offset: offset into @buffer data
 * @bytes: bytes to copy
 *
 * Note the parameter order differs from binder_alloc_copy_to_buffer():
 * @dest comes before @buffer here.
 *
 * Return: 0 on success, -EINVAL if check_buffer() rejects the range
 */
int binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
				  void *dest,
				  struct binder_buffer *buffer,
				  binder_size_t buffer_offset,
				  size_t bytes)
{
	return binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset,
					   dest, bytes);
}