binder_alloc.c (35520B)
1// SPDX-License-Identifier: GPL-2.0-only 2/* binder_alloc.c 3 * 4 * Android IPC Subsystem 5 * 6 * Copyright (C) 2007-2017 Google, Inc. 7 */ 8 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 10 11#include <linux/list.h> 12#include <linux/sched/mm.h> 13#include <linux/module.h> 14#include <linux/rtmutex.h> 15#include <linux/rbtree.h> 16#include <linux/seq_file.h> 17#include <linux/vmalloc.h> 18#include <linux/slab.h> 19#include <linux/sched.h> 20#include <linux/list_lru.h> 21#include <linux/ratelimit.h> 22#include <asm/cacheflush.h> 23#include <linux/uaccess.h> 24#include <linux/highmem.h> 25#include <linux/sizes.h> 26#include "binder_alloc.h" 27#include "binder_trace.h" 28 29struct list_lru binder_alloc_lru; 30 31static DEFINE_MUTEX(binder_alloc_mmap_lock); 32 33enum { 34 BINDER_DEBUG_USER_ERROR = 1U << 0, 35 BINDER_DEBUG_OPEN_CLOSE = 1U << 1, 36 BINDER_DEBUG_BUFFER_ALLOC = 1U << 2, 37 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 3, 38}; 39static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR; 40 41module_param_named(debug_mask, binder_alloc_debug_mask, 42 uint, 0644); 43 44#define binder_alloc_debug(mask, x...) \ 45 do { \ 46 if (binder_alloc_debug_mask & mask) \ 47 pr_info_ratelimited(x); \ 48 } while (0) 49 50static struct binder_buffer *binder_buffer_next(struct binder_buffer *buffer) 51{ 52 return list_entry(buffer->entry.next, struct binder_buffer, entry); 53} 54 55static struct binder_buffer *binder_buffer_prev(struct binder_buffer *buffer) 56{ 57 return list_entry(buffer->entry.prev, struct binder_buffer, entry); 58} 59 60static size_t binder_alloc_buffer_size(struct binder_alloc *alloc, 61 struct binder_buffer *buffer) 62{ 63 if (list_is_last(&buffer->entry, &alloc->buffers)) 64 return alloc->buffer + alloc->buffer_size - buffer->user_data; 65 return binder_buffer_next(buffer)->user_data - buffer->user_data; 66} 67 68static void binder_insert_free_buffer(struct binder_alloc *alloc, 69 struct binder_buffer *new_buffer) 70{ 71 struct rb_node **p = &alloc->free_buffers.rb_node; 72 struct rb_node *parent = NULL; 73 struct binder_buffer *buffer; 74 size_t buffer_size; 75 size_t new_buffer_size; 76 77 BUG_ON(!new_buffer->free); 78 79 new_buffer_size = binder_alloc_buffer_size(alloc, new_buffer); 80 81 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 82 "%d: add free buffer, size %zd, at %pK\n", 83 alloc->pid, new_buffer_size, new_buffer); 84 85 while (*p) { 86 parent = *p; 87 buffer = rb_entry(parent, struct binder_buffer, rb_node); 88 BUG_ON(!buffer->free); 89 90 buffer_size = binder_alloc_buffer_size(alloc, buffer); 91 92 if (new_buffer_size < buffer_size) 93 p = &parent->rb_left; 94 else 95 p = &parent->rb_right; 96 } 97 rb_link_node(&new_buffer->rb_node, parent, p); 98 rb_insert_color(&new_buffer->rb_node, &alloc->free_buffers); 99} 100 101static void binder_insert_allocated_buffer_locked( 102 struct binder_alloc *alloc, struct binder_buffer *new_buffer) 103{ 104 struct rb_node **p = &alloc->allocated_buffers.rb_node; 105 struct rb_node *parent = NULL; 106 struct binder_buffer *buffer; 107 108 BUG_ON(new_buffer->free); 109 110 while (*p) { 111 parent = *p; 112 buffer = rb_entry(parent, struct binder_buffer, rb_node); 113 BUG_ON(buffer->free); 114 115 if (new_buffer->user_data < buffer->user_data) 116 p = &parent->rb_left; 117 else if (new_buffer->user_data > buffer->user_data) 118 p = &parent->rb_right; 119 else 120 BUG(); 121 } 122 rb_link_node(&new_buffer->rb_node, parent, p); 123 rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers); 124} 125 126static struct binder_buffer *binder_alloc_prepare_to_free_locked( 127 struct binder_alloc *alloc, 128 uintptr_t user_ptr) 129{ 130 struct rb_node *n = alloc->allocated_buffers.rb_node; 131 struct binder_buffer *buffer; 132 void __user *uptr; 133 134 uptr = (void __user *)user_ptr; 135 136 while (n) { 137 buffer = rb_entry(n, struct binder_buffer, rb_node); 138 BUG_ON(buffer->free); 139 140 if (uptr < buffer->user_data) 141 n = n->rb_left; 142 else if (uptr > buffer->user_data) 143 n = n->rb_right; 144 else { 145 /* 146 * Guard against user threads attempting to 147 * free the buffer when in use by kernel or 148 * after it's already been freed. 149 */ 150 if (!buffer->allow_user_free) 151 return ERR_PTR(-EPERM); 152 buffer->allow_user_free = 0; 153 return buffer; 154 } 155 } 156 return NULL; 157} 158 159/** 160 * binder_alloc_prepare_to_free() - get buffer given user ptr 161 * @alloc: binder_alloc for this proc 162 * @user_ptr: User pointer to buffer data 163 * 164 * Validate userspace pointer to buffer data and return buffer corresponding to 165 * that user pointer. Search the rb tree for buffer that matches user data 166 * pointer. 167 * 168 * Return: Pointer to buffer or NULL 169 */ 170struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc, 171 uintptr_t user_ptr) 172{ 173 struct binder_buffer *buffer; 174 175 mutex_lock(&alloc->mutex); 176 buffer = binder_alloc_prepare_to_free_locked(alloc, user_ptr); 177 mutex_unlock(&alloc->mutex); 178 return buffer; 179} 180 181static int binder_update_page_range(struct binder_alloc *alloc, int allocate, 182 void __user *start, void __user *end) 183{ 184 void __user *page_addr; 185 unsigned long user_page_addr; 186 struct binder_lru_page *page; 187 struct vm_area_struct *vma = NULL; 188 struct mm_struct *mm = NULL; 189 bool need_mm = false; 190 191 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 192 "%d: %s pages %pK-%pK\n", alloc->pid, 193 allocate ? "allocate" : "free", start, end); 194 195 if (end <= start) 196 return 0; 197 198 trace_binder_update_page_range(alloc, allocate, start, end); 199 200 if (allocate == 0) 201 goto free_range; 202 203 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 204 page = &alloc->pages[(page_addr - alloc->buffer) / PAGE_SIZE]; 205 if (!page->page_ptr) { 206 need_mm = true; 207 break; 208 } 209 } 210 211 if (need_mm && mmget_not_zero(alloc->vma_vm_mm)) 212 mm = alloc->vma_vm_mm; 213 214 if (mm) { 215 mmap_read_lock(mm); 216 vma = alloc->vma; 217 } 218 219 if (!vma && need_mm) { 220 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 221 "%d: binder_alloc_buf failed to map pages in userspace, no vma\n", 222 alloc->pid); 223 goto err_no_vma; 224 } 225 226 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) { 227 int ret; 228 bool on_lru; 229 size_t index; 230 231 index = (page_addr - alloc->buffer) / PAGE_SIZE; 232 page = &alloc->pages[index]; 233 234 if (page->page_ptr) { 235 trace_binder_alloc_lru_start(alloc, index); 236 237 on_lru = list_lru_del(&binder_alloc_lru, &page->lru); 238 WARN_ON(!on_lru); 239 240 trace_binder_alloc_lru_end(alloc, index); 241 continue; 242 } 243 244 if (WARN_ON(!vma)) 245 goto err_page_ptr_cleared; 246 247 trace_binder_alloc_page_start(alloc, index); 248 page->page_ptr = alloc_page(GFP_KERNEL | 249 __GFP_HIGHMEM | 250 __GFP_ZERO); 251 if (!page->page_ptr) { 252 pr_err("%d: binder_alloc_buf failed for page at %pK\n", 253 alloc->pid, page_addr); 254 goto err_alloc_page_failed; 255 } 256 page->alloc = alloc; 257 INIT_LIST_HEAD(&page->lru); 258 259 user_page_addr = (uintptr_t)page_addr; 260 ret = vm_insert_page(vma, user_page_addr, page[0].page_ptr); 261 if (ret) { 262 pr_err("%d: binder_alloc_buf failed to map page at %lx in userspace\n", 263 alloc->pid, user_page_addr); 264 goto err_vm_insert_page_failed; 265 } 266 267 if (index + 1 > alloc->pages_high) 268 alloc->pages_high = index + 1; 269 270 trace_binder_alloc_page_end(alloc, index); 271 } 272 if (mm) { 273 mmap_read_unlock(mm); 274 mmput(mm); 275 } 276 return 0; 277 278free_range: 279 for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) { 280 bool ret; 281 size_t index; 282 283 index = (page_addr - alloc->buffer) / PAGE_SIZE; 284 page = &alloc->pages[index]; 285 286 trace_binder_free_lru_start(alloc, index); 287 288 ret = list_lru_add(&binder_alloc_lru, &page->lru); 289 WARN_ON(!ret); 290 291 trace_binder_free_lru_end(alloc, index); 292 if (page_addr == start) 293 break; 294 continue; 295 296err_vm_insert_page_failed: 297 __free_page(page->page_ptr); 298 page->page_ptr = NULL; 299err_alloc_page_failed: 300err_page_ptr_cleared: 301 if (page_addr == start) 302 break; 303 } 304err_no_vma: 305 if (mm) { 306 mmap_read_unlock(mm); 307 mmput(mm); 308 } 309 return vma ? -ENOMEM : -ESRCH; 310} 311 312 313static inline void binder_alloc_set_vma(struct binder_alloc *alloc, 314 struct vm_area_struct *vma) 315{ 316 if (vma) 317 alloc->vma_vm_mm = vma->vm_mm; 318 /* 319 * If we see alloc->vma is not NULL, buffer data structures set up 320 * completely. Look at smp_rmb side binder_alloc_get_vma. 321 * We also want to guarantee new alloc->vma_vm_mm is always visible 322 * if alloc->vma is set. 323 */ 324 smp_wmb(); 325 alloc->vma = vma; 326} 327 328static inline struct vm_area_struct *binder_alloc_get_vma( 329 struct binder_alloc *alloc) 330{ 331 struct vm_area_struct *vma = NULL; 332 333 if (alloc->vma) { 334 /* Look at description in binder_alloc_set_vma */ 335 smp_rmb(); 336 vma = alloc->vma; 337 } 338 return vma; 339} 340 341static bool debug_low_async_space_locked(struct binder_alloc *alloc, int pid) 342{ 343 /* 344 * Find the amount and size of buffers allocated by the current caller; 345 * The idea is that once we cross the threshold, whoever is responsible 346 * for the low async space is likely to try to send another async txn, 347 * and at some point we'll catch them in the act. This is more efficient 348 * than keeping a map per pid. 349 */ 350 struct rb_node *n; 351 struct binder_buffer *buffer; 352 size_t total_alloc_size = 0; 353 size_t num_buffers = 0; 354 355 for (n = rb_first(&alloc->allocated_buffers); n != NULL; 356 n = rb_next(n)) { 357 buffer = rb_entry(n, struct binder_buffer, rb_node); 358 if (buffer->pid != pid) 359 continue; 360 if (!buffer->async_transaction) 361 continue; 362 total_alloc_size += binder_alloc_buffer_size(alloc, buffer) 363 + sizeof(struct binder_buffer); 364 num_buffers++; 365 } 366 367 /* 368 * Warn if this pid has more than 50 transactions, or more than 50% of 369 * async space (which is 25% of total buffer size). Oneway spam is only 370 * detected when the threshold is exceeded. 371 */ 372 if (num_buffers > 50 || total_alloc_size > alloc->buffer_size / 4) { 373 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 374 "%d: pid %d spamming oneway? %zd buffers allocated for a total size of %zd\n", 375 alloc->pid, pid, num_buffers, total_alloc_size); 376 if (!alloc->oneway_spam_detected) { 377 alloc->oneway_spam_detected = true; 378 return true; 379 } 380 } 381 return false; 382} 383 384static struct binder_buffer *binder_alloc_new_buf_locked( 385 struct binder_alloc *alloc, 386 size_t data_size, 387 size_t offsets_size, 388 size_t extra_buffers_size, 389 int is_async, 390 int pid) 391{ 392 struct rb_node *n = alloc->free_buffers.rb_node; 393 struct binder_buffer *buffer; 394 size_t buffer_size; 395 struct rb_node *best_fit = NULL; 396 void __user *has_page_addr; 397 void __user *end_page_addr; 398 size_t size, data_offsets_size; 399 int ret; 400 401 if (!binder_alloc_get_vma(alloc)) { 402 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 403 "%d: binder_alloc_buf, no vma\n", 404 alloc->pid); 405 return ERR_PTR(-ESRCH); 406 } 407 408 data_offsets_size = ALIGN(data_size, sizeof(void *)) + 409 ALIGN(offsets_size, sizeof(void *)); 410 411 if (data_offsets_size < data_size || data_offsets_size < offsets_size) { 412 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 413 "%d: got transaction with invalid size %zd-%zd\n", 414 alloc->pid, data_size, offsets_size); 415 return ERR_PTR(-EINVAL); 416 } 417 size = data_offsets_size + ALIGN(extra_buffers_size, sizeof(void *)); 418 if (size < data_offsets_size || size < extra_buffers_size) { 419 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 420 "%d: got transaction with invalid extra_buffers_size %zd\n", 421 alloc->pid, extra_buffers_size); 422 return ERR_PTR(-EINVAL); 423 } 424 if (is_async && 425 alloc->free_async_space < size + sizeof(struct binder_buffer)) { 426 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 427 "%d: binder_alloc_buf size %zd failed, no async space left\n", 428 alloc->pid, size); 429 return ERR_PTR(-ENOSPC); 430 } 431 432 /* Pad 0-size buffers so they get assigned unique addresses */ 433 size = max(size, sizeof(void *)); 434 435 while (n) { 436 buffer = rb_entry(n, struct binder_buffer, rb_node); 437 BUG_ON(!buffer->free); 438 buffer_size = binder_alloc_buffer_size(alloc, buffer); 439 440 if (size < buffer_size) { 441 best_fit = n; 442 n = n->rb_left; 443 } else if (size > buffer_size) 444 n = n->rb_right; 445 else { 446 best_fit = n; 447 break; 448 } 449 } 450 if (best_fit == NULL) { 451 size_t allocated_buffers = 0; 452 size_t largest_alloc_size = 0; 453 size_t total_alloc_size = 0; 454 size_t free_buffers = 0; 455 size_t largest_free_size = 0; 456 size_t total_free_size = 0; 457 458 for (n = rb_first(&alloc->allocated_buffers); n != NULL; 459 n = rb_next(n)) { 460 buffer = rb_entry(n, struct binder_buffer, rb_node); 461 buffer_size = binder_alloc_buffer_size(alloc, buffer); 462 allocated_buffers++; 463 total_alloc_size += buffer_size; 464 if (buffer_size > largest_alloc_size) 465 largest_alloc_size = buffer_size; 466 } 467 for (n = rb_first(&alloc->free_buffers); n != NULL; 468 n = rb_next(n)) { 469 buffer = rb_entry(n, struct binder_buffer, rb_node); 470 buffer_size = binder_alloc_buffer_size(alloc, buffer); 471 free_buffers++; 472 total_free_size += buffer_size; 473 if (buffer_size > largest_free_size) 474 largest_free_size = buffer_size; 475 } 476 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 477 "%d: binder_alloc_buf size %zd failed, no address space\n", 478 alloc->pid, size); 479 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 480 "allocated: %zd (num: %zd largest: %zd), free: %zd (num: %zd largest: %zd)\n", 481 total_alloc_size, allocated_buffers, 482 largest_alloc_size, total_free_size, 483 free_buffers, largest_free_size); 484 return ERR_PTR(-ENOSPC); 485 } 486 if (n == NULL) { 487 buffer = rb_entry(best_fit, struct binder_buffer, rb_node); 488 buffer_size = binder_alloc_buffer_size(alloc, buffer); 489 } 490 491 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 492 "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n", 493 alloc->pid, size, buffer, buffer_size); 494 495 has_page_addr = (void __user *) 496 (((uintptr_t)buffer->user_data + buffer_size) & PAGE_MASK); 497 WARN_ON(n && buffer_size != size); 498 end_page_addr = 499 (void __user *)PAGE_ALIGN((uintptr_t)buffer->user_data + size); 500 if (end_page_addr > has_page_addr) 501 end_page_addr = has_page_addr; 502 ret = binder_update_page_range(alloc, 1, (void __user *) 503 PAGE_ALIGN((uintptr_t)buffer->user_data), end_page_addr); 504 if (ret) 505 return ERR_PTR(ret); 506 507 if (buffer_size != size) { 508 struct binder_buffer *new_buffer; 509 510 new_buffer = kzalloc(sizeof(*buffer), GFP_KERNEL); 511 if (!new_buffer) { 512 pr_err("%s: %d failed to alloc new buffer struct\n", 513 __func__, alloc->pid); 514 goto err_alloc_buf_struct_failed; 515 } 516 new_buffer->user_data = (u8 __user *)buffer->user_data + size; 517 list_add(&new_buffer->entry, &buffer->entry); 518 new_buffer->free = 1; 519 binder_insert_free_buffer(alloc, new_buffer); 520 } 521 522 rb_erase(best_fit, &alloc->free_buffers); 523 buffer->free = 0; 524 buffer->allow_user_free = 0; 525 binder_insert_allocated_buffer_locked(alloc, buffer); 526 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 527 "%d: binder_alloc_buf size %zd got %pK\n", 528 alloc->pid, size, buffer); 529 buffer->data_size = data_size; 530 buffer->offsets_size = offsets_size; 531 buffer->async_transaction = is_async; 532 buffer->extra_buffers_size = extra_buffers_size; 533 buffer->pid = pid; 534 buffer->oneway_spam_suspect = false; 535 if (is_async) { 536 alloc->free_async_space -= size + sizeof(struct binder_buffer); 537 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 538 "%d: binder_alloc_buf size %zd async free %zd\n", 539 alloc->pid, size, alloc->free_async_space); 540 if (alloc->free_async_space < alloc->buffer_size / 10) { 541 /* 542 * Start detecting spammers once we have less than 20% 543 * of async space left (which is less than 10% of total 544 * buffer size). 545 */ 546 buffer->oneway_spam_suspect = debug_low_async_space_locked(alloc, pid); 547 } else { 548 alloc->oneway_spam_detected = false; 549 } 550 } 551 return buffer; 552 553err_alloc_buf_struct_failed: 554 binder_update_page_range(alloc, 0, (void __user *) 555 PAGE_ALIGN((uintptr_t)buffer->user_data), 556 end_page_addr); 557 return ERR_PTR(-ENOMEM); 558} 559 560/** 561 * binder_alloc_new_buf() - Allocate a new binder buffer 562 * @alloc: binder_alloc for this proc 563 * @data_size: size of user data buffer 564 * @offsets_size: user specified buffer offset 565 * @extra_buffers_size: size of extra space for meta-data (eg, security context) 566 * @is_async: buffer for async transaction 567 * @pid: pid to attribute allocation to (used for debugging) 568 * 569 * Allocate a new buffer given the requested sizes. Returns 570 * the kernel version of the buffer pointer. The size allocated 571 * is the sum of the three given sizes (each rounded up to 572 * pointer-sized boundary) 573 * 574 * Return: The allocated buffer or %NULL if error 575 */ 576struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc, 577 size_t data_size, 578 size_t offsets_size, 579 size_t extra_buffers_size, 580 int is_async, 581 int pid) 582{ 583 struct binder_buffer *buffer; 584 585 mutex_lock(&alloc->mutex); 586 buffer = binder_alloc_new_buf_locked(alloc, data_size, offsets_size, 587 extra_buffers_size, is_async, pid); 588 mutex_unlock(&alloc->mutex); 589 return buffer; 590} 591 592static void __user *buffer_start_page(struct binder_buffer *buffer) 593{ 594 return (void __user *)((uintptr_t)buffer->user_data & PAGE_MASK); 595} 596 597static void __user *prev_buffer_end_page(struct binder_buffer *buffer) 598{ 599 return (void __user *) 600 (((uintptr_t)(buffer->user_data) - 1) & PAGE_MASK); 601} 602 603static void binder_delete_free_buffer(struct binder_alloc *alloc, 604 struct binder_buffer *buffer) 605{ 606 struct binder_buffer *prev, *next = NULL; 607 bool to_free = true; 608 609 BUG_ON(alloc->buffers.next == &buffer->entry); 610 prev = binder_buffer_prev(buffer); 611 BUG_ON(!prev->free); 612 if (prev_buffer_end_page(prev) == buffer_start_page(buffer)) { 613 to_free = false; 614 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 615 "%d: merge free, buffer %pK share page with %pK\n", 616 alloc->pid, buffer->user_data, 617 prev->user_data); 618 } 619 620 if (!list_is_last(&buffer->entry, &alloc->buffers)) { 621 next = binder_buffer_next(buffer); 622 if (buffer_start_page(next) == buffer_start_page(buffer)) { 623 to_free = false; 624 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 625 "%d: merge free, buffer %pK share page with %pK\n", 626 alloc->pid, 627 buffer->user_data, 628 next->user_data); 629 } 630 } 631 632 if (PAGE_ALIGNED(buffer->user_data)) { 633 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 634 "%d: merge free, buffer start %pK is page aligned\n", 635 alloc->pid, buffer->user_data); 636 to_free = false; 637 } 638 639 if (to_free) { 640 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 641 "%d: merge free, buffer %pK do not share page with %pK or %pK\n", 642 alloc->pid, buffer->user_data, 643 prev->user_data, 644 next ? next->user_data : NULL); 645 binder_update_page_range(alloc, 0, buffer_start_page(buffer), 646 buffer_start_page(buffer) + PAGE_SIZE); 647 } 648 list_del(&buffer->entry); 649 kfree(buffer); 650} 651 652static void binder_free_buf_locked(struct binder_alloc *alloc, 653 struct binder_buffer *buffer) 654{ 655 size_t size, buffer_size; 656 657 buffer_size = binder_alloc_buffer_size(alloc, buffer); 658 659 size = ALIGN(buffer->data_size, sizeof(void *)) + 660 ALIGN(buffer->offsets_size, sizeof(void *)) + 661 ALIGN(buffer->extra_buffers_size, sizeof(void *)); 662 663 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 664 "%d: binder_free_buf %pK size %zd buffer_size %zd\n", 665 alloc->pid, buffer, size, buffer_size); 666 667 BUG_ON(buffer->free); 668 BUG_ON(size > buffer_size); 669 BUG_ON(buffer->transaction != NULL); 670 BUG_ON(buffer->user_data < alloc->buffer); 671 BUG_ON(buffer->user_data > alloc->buffer + alloc->buffer_size); 672 673 if (buffer->async_transaction) { 674 alloc->free_async_space += buffer_size + sizeof(struct binder_buffer); 675 676 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, 677 "%d: binder_free_buf size %zd async free %zd\n", 678 alloc->pid, size, alloc->free_async_space); 679 } 680 681 binder_update_page_range(alloc, 0, 682 (void __user *)PAGE_ALIGN((uintptr_t)buffer->user_data), 683 (void __user *)(((uintptr_t) 684 buffer->user_data + buffer_size) & PAGE_MASK)); 685 686 rb_erase(&buffer->rb_node, &alloc->allocated_buffers); 687 buffer->free = 1; 688 if (!list_is_last(&buffer->entry, &alloc->buffers)) { 689 struct binder_buffer *next = binder_buffer_next(buffer); 690 691 if (next->free) { 692 rb_erase(&next->rb_node, &alloc->free_buffers); 693 binder_delete_free_buffer(alloc, next); 694 } 695 } 696 if (alloc->buffers.next != &buffer->entry) { 697 struct binder_buffer *prev = binder_buffer_prev(buffer); 698 699 if (prev->free) { 700 binder_delete_free_buffer(alloc, buffer); 701 rb_erase(&prev->rb_node, &alloc->free_buffers); 702 buffer = prev; 703 } 704 } 705 binder_insert_free_buffer(alloc, buffer); 706} 707 708static void binder_alloc_clear_buf(struct binder_alloc *alloc, 709 struct binder_buffer *buffer); 710/** 711 * binder_alloc_free_buf() - free a binder buffer 712 * @alloc: binder_alloc for this proc 713 * @buffer: kernel pointer to buffer 714 * 715 * Free the buffer allocated via binder_alloc_new_buf() 716 */ 717void binder_alloc_free_buf(struct binder_alloc *alloc, 718 struct binder_buffer *buffer) 719{ 720 /* 721 * We could eliminate the call to binder_alloc_clear_buf() 722 * from binder_alloc_deferred_release() by moving this to 723 * binder_alloc_free_buf_locked(). However, that could 724 * increase contention for the alloc mutex if clear_on_free 725 * is used frequently for large buffers. The mutex is not 726 * needed for correctness here. 727 */ 728 if (buffer->clear_on_free) { 729 binder_alloc_clear_buf(alloc, buffer); 730 buffer->clear_on_free = false; 731 } 732 mutex_lock(&alloc->mutex); 733 binder_free_buf_locked(alloc, buffer); 734 mutex_unlock(&alloc->mutex); 735} 736 737/** 738 * binder_alloc_mmap_handler() - map virtual address space for proc 739 * @alloc: alloc structure for this proc 740 * @vma: vma passed to mmap() 741 * 742 * Called by binder_mmap() to initialize the space specified in 743 * vma for allocating binder buffers 744 * 745 * Return: 746 * 0 = success 747 * -EBUSY = address space already mapped 748 * -ENOMEM = failed to map memory to given address space 749 */ 750int binder_alloc_mmap_handler(struct binder_alloc *alloc, 751 struct vm_area_struct *vma) 752{ 753 int ret; 754 const char *failure_string; 755 struct binder_buffer *buffer; 756 757 mutex_lock(&binder_alloc_mmap_lock); 758 if (alloc->buffer_size) { 759 ret = -EBUSY; 760 failure_string = "already mapped"; 761 goto err_already_mapped; 762 } 763 alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start, 764 SZ_4M); 765 mutex_unlock(&binder_alloc_mmap_lock); 766 767 alloc->buffer = (void __user *)vma->vm_start; 768 769 alloc->pages = kcalloc(alloc->buffer_size / PAGE_SIZE, 770 sizeof(alloc->pages[0]), 771 GFP_KERNEL); 772 if (alloc->pages == NULL) { 773 ret = -ENOMEM; 774 failure_string = "alloc page array"; 775 goto err_alloc_pages_failed; 776 } 777 778 buffer = kzalloc(sizeof(*buffer), GFP_KERNEL); 779 if (!buffer) { 780 ret = -ENOMEM; 781 failure_string = "alloc buffer struct"; 782 goto err_alloc_buf_struct_failed; 783 } 784 785 buffer->user_data = alloc->buffer; 786 list_add(&buffer->entry, &alloc->buffers); 787 buffer->free = 1; 788 binder_insert_free_buffer(alloc, buffer); 789 alloc->free_async_space = alloc->buffer_size / 2; 790 binder_alloc_set_vma(alloc, vma); 791 mmgrab(alloc->vma_vm_mm); 792 793 return 0; 794 795err_alloc_buf_struct_failed: 796 kfree(alloc->pages); 797 alloc->pages = NULL; 798err_alloc_pages_failed: 799 alloc->buffer = NULL; 800 mutex_lock(&binder_alloc_mmap_lock); 801 alloc->buffer_size = 0; 802err_already_mapped: 803 mutex_unlock(&binder_alloc_mmap_lock); 804 binder_alloc_debug(BINDER_DEBUG_USER_ERROR, 805 "%s: %d %lx-%lx %s failed %d\n", __func__, 806 alloc->pid, vma->vm_start, vma->vm_end, 807 failure_string, ret); 808 return ret; 809} 810 811 812void binder_alloc_deferred_release(struct binder_alloc *alloc) 813{ 814 struct rb_node *n; 815 int buffers, page_count; 816 struct binder_buffer *buffer; 817 818 buffers = 0; 819 mutex_lock(&alloc->mutex); 820 BUG_ON(alloc->vma); 821 822 while ((n = rb_first(&alloc->allocated_buffers))) { 823 buffer = rb_entry(n, struct binder_buffer, rb_node); 824 825 /* Transaction should already have been freed */ 826 BUG_ON(buffer->transaction); 827 828 if (buffer->clear_on_free) { 829 binder_alloc_clear_buf(alloc, buffer); 830 buffer->clear_on_free = false; 831 } 832 binder_free_buf_locked(alloc, buffer); 833 buffers++; 834 } 835 836 while (!list_empty(&alloc->buffers)) { 837 buffer = list_first_entry(&alloc->buffers, 838 struct binder_buffer, entry); 839 WARN_ON(!buffer->free); 840 841 list_del(&buffer->entry); 842 WARN_ON_ONCE(!list_empty(&alloc->buffers)); 843 kfree(buffer); 844 } 845 846 page_count = 0; 847 if (alloc->pages) { 848 int i; 849 850 for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) { 851 void __user *page_addr; 852 bool on_lru; 853 854 if (!alloc->pages[i].page_ptr) 855 continue; 856 857 on_lru = list_lru_del(&binder_alloc_lru, 858 &alloc->pages[i].lru); 859 page_addr = alloc->buffer + i * PAGE_SIZE; 860 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, 861 "%s: %d: page %d at %pK %s\n", 862 __func__, alloc->pid, i, page_addr, 863 on_lru ? "on lru" : "active"); 864 __free_page(alloc->pages[i].page_ptr); 865 page_count++; 866 } 867 kfree(alloc->pages); 868 } 869 mutex_unlock(&alloc->mutex); 870 if (alloc->vma_vm_mm) 871 mmdrop(alloc->vma_vm_mm); 872 873 binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE, 874 "%s: %d buffers %d, pages %d\n", 875 __func__, alloc->pid, buffers, page_count); 876} 877 878static void print_binder_buffer(struct seq_file *m, const char *prefix, 879 struct binder_buffer *buffer) 880{ 881 seq_printf(m, "%s %d: %pK size %zd:%zd:%zd %s\n", 882 prefix, buffer->debug_id, buffer->user_data, 883 buffer->data_size, buffer->offsets_size, 884 buffer->extra_buffers_size, 885 buffer->transaction ? "active" : "delivered"); 886} 887 888/** 889 * binder_alloc_print_allocated() - print buffer info 890 * @m: seq_file for output via seq_printf() 891 * @alloc: binder_alloc for this proc 892 * 893 * Prints information about every buffer associated with 894 * the binder_alloc state to the given seq_file 895 */ 896void binder_alloc_print_allocated(struct seq_file *m, 897 struct binder_alloc *alloc) 898{ 899 struct rb_node *n; 900 901 mutex_lock(&alloc->mutex); 902 for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n)) 903 print_binder_buffer(m, " buffer", 904 rb_entry(n, struct binder_buffer, rb_node)); 905 mutex_unlock(&alloc->mutex); 906} 907 908/** 909 * binder_alloc_print_pages() - print page usage 910 * @m: seq_file for output via seq_printf() 911 * @alloc: binder_alloc for this proc 912 */ 913void binder_alloc_print_pages(struct seq_file *m, 914 struct binder_alloc *alloc) 915{ 916 struct binder_lru_page *page; 917 int i; 918 int active = 0; 919 int lru = 0; 920 int free = 0; 921 922 mutex_lock(&alloc->mutex); 923 /* 924 * Make sure the binder_alloc is fully initialized, otherwise we might 925 * read inconsistent state. 926 */ 927 if (binder_alloc_get_vma(alloc) != NULL) { 928 for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) { 929 page = &alloc->pages[i]; 930 if (!page->page_ptr) 931 free++; 932 else if (list_empty(&page->lru)) 933 active++; 934 else 935 lru++; 936 } 937 } 938 mutex_unlock(&alloc->mutex); 939 seq_printf(m, " pages: %d:%d:%d\n", active, lru, free); 940 seq_printf(m, " pages high watermark: %zu\n", alloc->pages_high); 941} 942 943/** 944 * binder_alloc_get_allocated_count() - return count of buffers 945 * @alloc: binder_alloc for this proc 946 * 947 * Return: count of allocated buffers 948 */ 949int binder_alloc_get_allocated_count(struct binder_alloc *alloc) 950{ 951 struct rb_node *n; 952 int count = 0; 953 954 mutex_lock(&alloc->mutex); 955 for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n)) 956 count++; 957 mutex_unlock(&alloc->mutex); 958 return count; 959} 960 961 962/** 963 * binder_alloc_vma_close() - invalidate address space 964 * @alloc: binder_alloc for this proc 965 * 966 * Called from binder_vma_close() when releasing address space. 967 * Clears alloc->vma to prevent new incoming transactions from 968 * allocating more buffers. 969 */ 970void binder_alloc_vma_close(struct binder_alloc *alloc) 971{ 972 binder_alloc_set_vma(alloc, NULL); 973} 974 975/** 976 * binder_alloc_free_page() - shrinker callback to free pages 977 * @item: item to free 978 * @lock: lock protecting the item 979 * @cb_arg: callback argument 980 * 981 * Called from list_lru_walk() in binder_shrink_scan() to free 982 * up pages when the system is under memory pressure. 983 */ 984enum lru_status binder_alloc_free_page(struct list_head *item, 985 struct list_lru_one *lru, 986 spinlock_t *lock, 987 void *cb_arg) 988 __must_hold(lock) 989{ 990 struct mm_struct *mm = NULL; 991 struct binder_lru_page *page = container_of(item, 992 struct binder_lru_page, 993 lru); 994 struct binder_alloc *alloc; 995 uintptr_t page_addr; 996 size_t index; 997 struct vm_area_struct *vma; 998 999 alloc = page->alloc; 1000 if (!mutex_trylock(&alloc->mutex)) 1001 goto err_get_alloc_mutex_failed; 1002 1003 if (!page->page_ptr) 1004 goto err_page_already_freed; 1005 1006 index = page - alloc->pages; 1007 page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; 1008 1009 mm = alloc->vma_vm_mm; 1010 if (!mmget_not_zero(mm)) 1011 goto err_mmget; 1012 if (!mmap_read_trylock(mm)) 1013 goto err_mmap_read_lock_failed; 1014 vma = binder_alloc_get_vma(alloc); 1015 1016 list_lru_isolate(lru, item); 1017 spin_unlock(lock); 1018 1019 if (vma) { 1020 trace_binder_unmap_user_start(alloc, index); 1021 1022 zap_page_range(vma, page_addr, PAGE_SIZE); 1023 1024 trace_binder_unmap_user_end(alloc, index); 1025 } 1026 mmap_read_unlock(mm); 1027 mmput_async(mm); 1028 1029 trace_binder_unmap_kernel_start(alloc, index); 1030 1031 __free_page(page->page_ptr); 1032 page->page_ptr = NULL; 1033 1034 trace_binder_unmap_kernel_end(alloc, index); 1035 1036 spin_lock(lock); 1037 mutex_unlock(&alloc->mutex); 1038 return LRU_REMOVED_RETRY; 1039 1040err_mmap_read_lock_failed: 1041 mmput_async(mm); 1042err_mmget: 1043err_page_already_freed: 1044 mutex_unlock(&alloc->mutex); 1045err_get_alloc_mutex_failed: 1046 return LRU_SKIP; 1047} 1048 1049static unsigned long 1050binder_shrink_count(struct shrinker *shrink, struct shrink_control *sc) 1051{ 1052 return list_lru_count(&binder_alloc_lru); 1053} 1054 1055static unsigned long 1056binder_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) 1057{ 1058 return list_lru_walk(&binder_alloc_lru, binder_alloc_free_page, 1059 NULL, sc->nr_to_scan); 1060} 1061 1062static struct shrinker binder_shrinker = { 1063 .count_objects = binder_shrink_count, 1064 .scan_objects = binder_shrink_scan, 1065 .seeks = DEFAULT_SEEKS, 1066}; 1067 1068/** 1069 * binder_alloc_init() - called by binder_open() for per-proc initialization 1070 * @alloc: binder_alloc for this proc 1071 * 1072 * Called from binder_open() to initialize binder_alloc fields for 1073 * new binder proc 1074 */ 1075void binder_alloc_init(struct binder_alloc *alloc) 1076{ 1077 alloc->pid = current->group_leader->pid; 1078 mutex_init(&alloc->mutex); 1079 INIT_LIST_HEAD(&alloc->buffers); 1080} 1081 1082int binder_alloc_shrinker_init(void) 1083{ 1084 int ret = list_lru_init(&binder_alloc_lru); 1085 1086 if (ret == 0) { 1087 ret = register_shrinker(&binder_shrinker); 1088 if (ret) 1089 list_lru_destroy(&binder_alloc_lru); 1090 } 1091 return ret; 1092} 1093 1094/** 1095 * check_buffer() - verify that buffer/offset is safe to access 1096 * @alloc: binder_alloc for this proc 1097 * @buffer: binder buffer to be accessed 1098 * @offset: offset into @buffer data 1099 * @bytes: bytes to access from offset 1100 * 1101 * Check that the @offset/@bytes are within the size of the given 1102 * @buffer and that the buffer is currently active and not freeable. 1103 * Offsets must also be multiples of sizeof(u32). The kernel is 1104 * allowed to touch the buffer in two cases: 1105 * 1106 * 1) when the buffer is being created: 1107 * (buffer->free == 0 && buffer->allow_user_free == 0) 1108 * 2) when the buffer is being torn down: 1109 * (buffer->free == 0 && buffer->transaction == NULL). 1110 * 1111 * Return: true if the buffer is safe to access 1112 */ 1113static inline bool check_buffer(struct binder_alloc *alloc, 1114 struct binder_buffer *buffer, 1115 binder_size_t offset, size_t bytes) 1116{ 1117 size_t buffer_size = binder_alloc_buffer_size(alloc, buffer); 1118 1119 return buffer_size >= bytes && 1120 offset <= buffer_size - bytes && 1121 IS_ALIGNED(offset, sizeof(u32)) && 1122 !buffer->free && 1123 (!buffer->allow_user_free || !buffer->transaction); 1124} 1125 1126/** 1127 * binder_alloc_get_page() - get kernel pointer for given buffer offset 1128 * @alloc: binder_alloc for this proc 1129 * @buffer: binder buffer to be accessed 1130 * @buffer_offset: offset into @buffer data 1131 * @pgoffp: address to copy final page offset to 1132 * 1133 * Lookup the struct page corresponding to the address 1134 * at @buffer_offset into @buffer->user_data. If @pgoffp is not 1135 * NULL, the byte-offset into the page is written there. 1136 * 1137 * The caller is responsible to ensure that the offset points 1138 * to a valid address within the @buffer and that @buffer is 1139 * not freeable by the user. Since it can't be freed, we are 1140 * guaranteed that the corresponding elements of @alloc->pages[] 1141 * cannot change. 1142 * 1143 * Return: struct page 1144 */ 1145static struct page *binder_alloc_get_page(struct binder_alloc *alloc, 1146 struct binder_buffer *buffer, 1147 binder_size_t buffer_offset, 1148 pgoff_t *pgoffp) 1149{ 1150 binder_size_t buffer_space_offset = buffer_offset + 1151 (buffer->user_data - alloc->buffer); 1152 pgoff_t pgoff = buffer_space_offset & ~PAGE_MASK; 1153 size_t index = buffer_space_offset >> PAGE_SHIFT; 1154 struct binder_lru_page *lru_page; 1155 1156 lru_page = &alloc->pages[index]; 1157 *pgoffp = pgoff; 1158 return lru_page->page_ptr; 1159} 1160 1161/** 1162 * binder_alloc_clear_buf() - zero out buffer 1163 * @alloc: binder_alloc for this proc 1164 * @buffer: binder buffer to be cleared 1165 * 1166 * memset the given buffer to 0 1167 */ 1168static void binder_alloc_clear_buf(struct binder_alloc *alloc, 1169 struct binder_buffer *buffer) 1170{ 1171 size_t bytes = binder_alloc_buffer_size(alloc, buffer); 1172 binder_size_t buffer_offset = 0; 1173 1174 while (bytes) { 1175 unsigned long size; 1176 struct page *page; 1177 pgoff_t pgoff; 1178 1179 page = binder_alloc_get_page(alloc, buffer, 1180 buffer_offset, &pgoff); 1181 size = min_t(size_t, bytes, PAGE_SIZE - pgoff); 1182 memset_page(page, pgoff, 0, size); 1183 bytes -= size; 1184 buffer_offset += size; 1185 } 1186} 1187 1188/** 1189 * binder_alloc_copy_user_to_buffer() - copy src user to tgt user 1190 * @alloc: binder_alloc for this proc 1191 * @buffer: binder buffer to be accessed 1192 * @buffer_offset: offset into @buffer data 1193 * @from: userspace pointer to source buffer 1194 * @bytes: bytes to copy 1195 * 1196 * Copy bytes from source userspace to target buffer. 1197 * 1198 * Return: bytes remaining to be copied 1199 */ 1200unsigned long 1201binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc, 1202 struct binder_buffer *buffer, 1203 binder_size_t buffer_offset, 1204 const void __user *from, 1205 size_t bytes) 1206{ 1207 if (!check_buffer(alloc, buffer, buffer_offset, bytes)) 1208 return bytes; 1209 1210 while (bytes) { 1211 unsigned long size; 1212 unsigned long ret; 1213 struct page *page; 1214 pgoff_t pgoff; 1215 void *kptr; 1216 1217 page = binder_alloc_get_page(alloc, buffer, 1218 buffer_offset, &pgoff); 1219 size = min_t(size_t, bytes, PAGE_SIZE - pgoff); 1220 kptr = kmap_local_page(page) + pgoff; 1221 ret = copy_from_user(kptr, from, size); 1222 kunmap_local(kptr); 1223 if (ret) 1224 return bytes - size + ret; 1225 bytes -= size; 1226 from += size; 1227 buffer_offset += size; 1228 } 1229 return 0; 1230} 1231 1232static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc, 1233 bool to_buffer, 1234 struct binder_buffer *buffer, 1235 binder_size_t buffer_offset, 1236 void *ptr, 1237 size_t bytes) 1238{ 1239 /* All copies must be 32-bit aligned and 32-bit size */ 1240 if (!check_buffer(alloc, buffer, buffer_offset, bytes)) 1241 return -EINVAL; 1242 1243 while (bytes) { 1244 unsigned long size; 1245 struct page *page; 1246 pgoff_t pgoff; 1247 1248 page = binder_alloc_get_page(alloc, buffer, 1249 buffer_offset, &pgoff); 1250 size = min_t(size_t, bytes, PAGE_SIZE - pgoff); 1251 if (to_buffer) 1252 memcpy_to_page(page, pgoff, ptr, size); 1253 else 1254 memcpy_from_page(ptr, page, pgoff, size); 1255 bytes -= size; 1256 pgoff = 0; 1257 ptr = ptr + size; 1258 buffer_offset += size; 1259 } 1260 return 0; 1261} 1262 1263int binder_alloc_copy_to_buffer(struct binder_alloc *alloc, 1264 struct binder_buffer *buffer, 1265 binder_size_t buffer_offset, 1266 void *src, 1267 size_t bytes) 1268{ 1269 return binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset, 1270 src, bytes); 1271} 1272 1273int binder_alloc_copy_from_buffer(struct binder_alloc *alloc, 1274 void *dest, 1275 struct binder_buffer *buffer, 1276 binder_size_t buffer_offset, 1277 size_t bytes) 1278{ 1279 return binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset, 1280 dest, bytes); 1281} 1282