1 /* SPDX-License-Identifier: GPL-2.0 */
2
3 #ifndef _LINUX_BINDER_INTERNAL_H
4 #define _LINUX_BINDER_INTERNAL_H
5
6 #include <linux/export.h>
7 #include <linux/fs.h>
8 #include <linux/list.h>
9 #include <linux/miscdevice.h>
10 #include <linux/mutex.h>
11 #include <linux/refcount.h>
12 #include <linux/stddef.h>
13 #include <linux/types.h>
14 #include <linux/uidgid.h>
15 #include <linux/android_vendor.h>
16 #include <uapi/linux/android/binderfs.h>
17 #include "binder_alloc.h"
18 #include "dbitmap.h"
19
20 struct binder_context {
21 struct binder_node *binder_context_mgr_node;
22 struct mutex context_mgr_node_lock;
23 kuid_t binder_context_mgr_uid;
24 const char *name;
25 };
26
27 /**
28 * struct binder_device - information about a binder device node
29 * @hlist: list of binder devices (only used for devices requested via
30 * CONFIG_ANDROID_BINDER_DEVICES)
31 * @miscdev: information about a binder character device node
32 * @context: binder context information
33 * @binderfs_inode: This is the inode of the root dentry of the super block
34 * belonging to a binderfs mount.
35 */
36 struct binder_device {
37 struct hlist_node hlist;
38 struct miscdevice miscdev;
39 struct binder_context context;
40 struct inode *binderfs_inode;
41 refcount_t ref;
42 };
43
44 /**
45 * binderfs_mount_opts - mount options for binderfs
46 * @max: maximum number of allocatable binderfs binder devices
47 * @stats_mode: enable binder stats in binderfs.
48 */
49 struct binderfs_mount_opts {
50 int max;
51 int stats_mode;
52 };
53
54 /**
55 * binderfs_info - information about a binderfs mount
56 * @ipc_ns: The ipc namespace the binderfs mount belongs to.
57 * @control_dentry: This records the dentry of this binderfs mount
58 * binder-control device.
59 * @root_uid: uid that needs to be used when a new binder device is
60 * created.
61 * @root_gid: gid that needs to be used when a new binder device is
62 * created.
63 * @mount_opts: The mount options in use.
64 * @device_count: The current number of allocated binder devices.
65 * @proc_log_dir: Pointer to the directory dentry containing process-specific
66 * logs.
67 */
68 struct binderfs_info {
69 struct ipc_namespace *ipc_ns;
70 struct dentry *control_dentry;
71 kuid_t root_uid;
72 kgid_t root_gid;
73 struct binderfs_mount_opts mount_opts;
74 int device_count;
75 struct dentry *proc_log_dir;
76 };
77
78 extern const struct file_operations binder_fops;
79
80 extern char *binder_devices_param;
81
82 #ifdef CONFIG_ANDROID_BINDERFS
83 extern bool is_binderfs_device(const struct inode *inode);
84 extern struct dentry *binderfs_create_file(struct dentry *dir, const char *name,
85 const struct file_operations *fops,
86 void *data);
87 extern void binderfs_remove_file(struct dentry *dentry);
88 #else
is_binderfs_device(const struct inode * inode)89 static inline bool is_binderfs_device(const struct inode *inode)
90 {
91 return false;
92 }
binderfs_create_file(struct dentry * dir,const char * name,const struct file_operations * fops,void * data)93 static inline struct dentry *binderfs_create_file(struct dentry *dir,
94 const char *name,
95 const struct file_operations *fops,
96 void *data)
97 {
98 return NULL;
99 }
binderfs_remove_file(struct dentry * dentry)100 static inline void binderfs_remove_file(struct dentry *dentry) {}
101 #endif
102
103 #ifdef CONFIG_ANDROID_BINDERFS
104 extern int __init init_binderfs(void);
105 #else
init_binderfs(void)106 static inline int __init init_binderfs(void)
107 {
108 return 0;
109 }
110 #endif
111
112 struct binder_debugfs_entry {
113 const char *name;
114 umode_t mode;
115 const struct file_operations *fops;
116 void *data;
117 };
118
119 extern const struct binder_debugfs_entry binder_debugfs_entries[];
120
121 #define binder_for_each_debugfs_entry(entry) \
122 for ((entry) = binder_debugfs_entries; \
123 (entry)->name; \
124 (entry)++)
125
126 enum binder_stat_types {
127 BINDER_STAT_PROC,
128 BINDER_STAT_THREAD,
129 BINDER_STAT_NODE,
130 BINDER_STAT_REF,
131 BINDER_STAT_DEATH,
132 BINDER_STAT_TRANSACTION,
133 BINDER_STAT_TRANSACTION_COMPLETE,
134 BINDER_STAT_COUNT
135 };
136
137 struct binder_stats {
138 atomic_t br[_IOC_NR(BR_TRANSACTION_PENDING_FROZEN) + 1];
139 atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1];
140 atomic_t obj_created[BINDER_STAT_COUNT];
141 atomic_t obj_deleted[BINDER_STAT_COUNT];
142 };
143
144 /**
145 * struct binder_work - work enqueued on a worklist
146 * @entry: node enqueued on list
147 * @type: type of work to be performed
148 *
149 * There are separate work lists for proc, thread, and node (async).
150 */
151 struct binder_work {
152 struct list_head entry;
153
154 enum binder_work_type {
155 BINDER_WORK_TRANSACTION = 1,
156 BINDER_WORK_TRANSACTION_COMPLETE,
157 BINDER_WORK_TRANSACTION_PENDING,
158 BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT,
159 BINDER_WORK_RETURN_ERROR,
160 BINDER_WORK_NODE,
161 BINDER_WORK_DEAD_BINDER,
162 BINDER_WORK_DEAD_BINDER_AND_CLEAR,
163 BINDER_WORK_CLEAR_DEATH_NOTIFICATION,
164 } type;
165
166 ANDROID_OEM_DATA(1);
167 };
168
169 struct binder_error {
170 struct binder_work work;
171 uint32_t cmd;
172 };
173
174 /**
175 * struct binder_node - binder node bookkeeping
176 * @debug_id: unique ID for debugging
177 * (invariant after initialized)
178 * @lock: lock for node fields
179 * @work: worklist element for node work
180 * (protected by @proc->inner_lock)
181 * @rb_node: element for proc->nodes tree
182 * (protected by @proc->inner_lock)
183 * @dead_node: element for binder_dead_nodes list
184 * (protected by binder_dead_nodes_lock)
185 * @proc: binder_proc that owns this node
186 * (invariant after initialized)
187 * @refs: list of references on this node
188 * (protected by @lock)
189 * @internal_strong_refs: used to take strong references when
190 * initiating a transaction
191 * (protected by @proc->inner_lock if @proc
192 * and by @lock)
193 * @local_weak_refs: weak user refs from local process
194 * (protected by @proc->inner_lock if @proc
195 * and by @lock)
196 * @local_strong_refs: strong user refs from local process
197 * (protected by @proc->inner_lock if @proc
198 * and by @lock)
199 * @tmp_refs: temporary kernel refs
200 * (protected by @proc->inner_lock while @proc
201 * is valid, and by binder_dead_nodes_lock
202 * if @proc is NULL. During inc/dec and node release
203 * it is also protected by @lock to provide safety
204 * as the node dies and @proc becomes NULL)
205 * @ptr: userspace pointer for node
206 * (invariant, no lock needed)
207 * @cookie: userspace cookie for node
208 * (invariant, no lock needed)
209 * @has_strong_ref: userspace notified of strong ref
210 * (protected by @proc->inner_lock if @proc
211 * and by @lock)
212 * @pending_strong_ref: userspace has acked notification of strong ref
213 * (protected by @proc->inner_lock if @proc
214 * and by @lock)
215 * @has_weak_ref: userspace notified of weak ref
216 * (protected by @proc->inner_lock if @proc
217 * and by @lock)
218 * @pending_weak_ref: userspace has acked notification of weak ref
219 * (protected by @proc->inner_lock if @proc
220 * and by @lock)
221 * @has_async_transaction: async transaction to node in progress
222 * (protected by @lock)
223 * @sched_policy: minimum scheduling policy for node
224 * (invariant after initialized)
225 * @accept_fds: file descriptor operations supported for node
226 * (invariant after initialized)
227 * @min_priority: minimum scheduling priority
228 * (invariant after initialized)
229 * @inherit_rt: inherit RT scheduling policy from caller
230 * @txn_security_ctx: require sender's security context
231 * (invariant after initialized)
232 * @async_todo: list of async work items
233 * (protected by @proc->inner_lock)
234 *
235 * Bookkeeping structure for binder nodes.
236 */
237 struct binder_node {
238 int debug_id;
239 spinlock_t lock;
240 struct binder_work work;
241 union {
242 struct rb_node rb_node;
243 struct hlist_node dead_node;
244 };
245 struct binder_proc *proc;
246 struct hlist_head refs;
247 int internal_strong_refs;
248 int local_weak_refs;
249 int local_strong_refs;
250 int tmp_refs;
251 binder_uintptr_t ptr;
252 binder_uintptr_t cookie;
253 struct {
254 /*
255 * bitfield elements protected by
256 * proc inner_lock
257 */
258 u8 has_strong_ref:1;
259 u8 pending_strong_ref:1;
260 u8 has_weak_ref:1;
261 u8 pending_weak_ref:1;
262 };
263 struct {
264 /*
265 * invariant after initialization
266 */
267 u8 sched_policy:2;
268 u8 inherit_rt:1;
269 u8 accept_fds:1;
270 u8 txn_security_ctx:1;
271 u8 min_priority;
272 };
273 bool has_async_transaction;
274 struct list_head async_todo;
275 };
276
277 struct binder_ref_death {
278 /**
279 * @work: worklist element for death notifications
280 * (protected by inner_lock of the proc that
281 * this ref belongs to)
282 */
283 struct binder_work work;
284 binder_uintptr_t cookie;
285 };
286
287 /**
288 * struct binder_ref_data - binder_ref counts and id
289 * @debug_id: unique ID for the ref
290 * @desc: unique userspace handle for ref
291 * @strong: strong ref count (debugging only if not locked)
292 * @weak: weak ref count (debugging only if not locked)
293 *
294 * Structure to hold ref count and ref id information. Since
295 * the actual ref can only be accessed with a lock, this structure
296 * is used to return information about the ref to callers of
297 * ref inc/dec functions.
298 */
299 struct binder_ref_data {
300 int debug_id;
301 uint32_t desc;
302 int strong;
303 int weak;
304 };
305
306 /**
307 * struct binder_ref - struct to track references on nodes
308 * @data: binder_ref_data containing id, handle, and current refcounts
309 * @rb_node_desc: node for lookup by @data.desc in proc's rb_tree
310 * @rb_node_node: node for lookup by @node in proc's rb_tree
311 * @node_entry: list entry for node->refs list in target node
312 * (protected by @node->lock)
313 * @proc: binder_proc containing ref
314 * @node: binder_node of target node. When cleaning up a
315 * ref for deletion in binder_cleanup_ref, a non-NULL
316 * @node indicates the node must be freed
317 * @death: pointer to death notification (ref_death) if requested
318 * (protected by @node->lock)
319 *
320 * Structure to track references from procA to target node (on procB). This
321 * structure is unsafe to access without holding @proc->outer_lock.
322 */
323 struct binder_ref {
324 /* Lookups needed: */
325 /* node + proc => ref (transaction) */
326 /* desc + proc => ref (transaction, inc/dec ref) */
327 /* node => refs + procs (proc exit) */
328 struct binder_ref_data data;
329 struct rb_node rb_node_desc;
330 struct rb_node rb_node_node;
331 struct hlist_node node_entry;
332 struct binder_proc *proc;
333 struct binder_node *node;
334 struct binder_ref_death *death;
335 };
336
337 /**
338 * struct binder_priority - scheduler policy and priority
339 * @sched_policy scheduler policy
340 * @prio [100..139] for SCHED_NORMAL, [0..99] for FIFO/RT
341 *
342 * The binder driver supports inheriting the following scheduler policies:
343 * SCHED_NORMAL
344 * SCHED_BATCH
345 * SCHED_FIFO
346 * SCHED_RR
347 */
348 struct binder_priority {
349 unsigned int sched_policy;
350 int prio;
351 };
352
353 enum binder_prio_state {
354 BINDER_PRIO_SET, /* desired priority set */
355 BINDER_PRIO_PENDING, /* initiated a saved priority restore */
356 BINDER_PRIO_ABORT, /* abort the pending priority restore */
357 };
358
359 /**
360 * struct binder_proc - binder process bookkeeping
361 * @proc_node: element for binder_procs list
362 * @threads: rbtree of binder_threads in this proc
363 * (protected by @inner_lock)
364 * @nodes: rbtree of binder nodes associated with
365 * this proc ordered by node->ptr
366 * (protected by @inner_lock)
367 * @refs_by_desc: rbtree of refs ordered by ref->desc
368 * (protected by @outer_lock)
369 * @refs_by_node: rbtree of refs ordered by ref->node
370 * (protected by @outer_lock)
371 * @waiting_threads: threads currently waiting for proc work
372 * (protected by @inner_lock)
373 * @pid PID of group_leader of process
374 * (invariant after initialized)
375 * @tsk task_struct for group_leader of process
376 * (invariant after initialized)
377 * @cred struct cred associated with the `struct file`
378 * in binder_open()
379 * (invariant after initialized)
380 * @deferred_work_node: element for binder_deferred_list
381 * (protected by binder_deferred_lock)
382 * @deferred_work: bitmap of deferred work to perform
383 * (protected by binder_deferred_lock)
384 * @outstanding_txns: number of transactions to be transmitted before
385 * processes in freeze_wait are woken up
386 * (protected by @inner_lock)
387 * @is_dead: process is dead and awaiting free
388 * when outstanding transactions are cleaned up
389 * (protected by @inner_lock)
390 * @is_frozen: process is frozen and unable to service
391 * binder transactions
392 * (protected by @inner_lock)
393 * @sync_recv: process received sync transactions since last frozen
394 * bit 0: received sync transaction after being frozen
395 * bit 1: new pending sync transaction during freezing
396 * (protected by @inner_lock)
397 * @async_recv: process received async transactions since last frozen
398 * (protected by @inner_lock)
399 * @freeze_wait: waitqueue of processes waiting for all outstanding
400 * transactions to be processed
401 * (protected by @inner_lock)
402 * @todo: list of work for this process
403 * (protected by @inner_lock)
404 * @stats: per-process binder statistics
405 * (atomics, no lock needed)
406 * @delivered_death: list of delivered death notification
407 * (protected by @inner_lock)
408 * @max_threads: cap on number of binder threads
409 * (protected by @inner_lock)
410 * @requested_threads: number of binder threads requested but not
411 * yet started. In current implementation, can
412 * only be 0 or 1.
413 * (protected by @inner_lock)
414 * @requested_threads_started: number binder threads started
415 * (protected by @inner_lock)
416 * @tmp_ref: temporary reference to indicate proc is in use
417 * (protected by @inner_lock)
418 * @default_priority: default scheduler priority
419 * (invariant after initialized)
420 * @debugfs_entry: debugfs node
421 * @alloc: binder allocator bookkeeping
422 * @context: binder_context for this proc
423 * (invariant after initialized)
424 * @inner_lock: can nest under outer_lock and/or node lock
425 * @outer_lock: no nesting under innor or node lock
426 * Lock order: 1) outer, 2) node, 3) inner
427 * @binderfs_entry: process-specific binderfs log file
428 * @oneway_spam_detection_enabled: process enabled oneway spam detection
429 * or not
430 *
431 * Bookkeeping structure for binder processes
432 */
433 struct binder_proc {
434 struct hlist_node proc_node;
435 struct rb_root threads;
436 struct rb_root nodes;
437 struct rb_root refs_by_desc;
438 struct rb_root refs_by_node;
439 struct list_head waiting_threads;
440 int pid;
441 struct task_struct *tsk;
442 const struct cred *cred;
443 struct hlist_node deferred_work_node;
444 int deferred_work;
445 int outstanding_txns;
446 bool is_dead;
447 bool is_frozen;
448 bool sync_recv;
449 bool async_recv;
450 wait_queue_head_t freeze_wait;
451 struct list_head todo;
452 struct binder_stats stats;
453 struct list_head delivered_death;
454 u32 max_threads;
455 int requested_threads;
456 int requested_threads_started;
457 int tmp_ref;
458 struct binder_priority default_priority;
459 struct dentry *debugfs_entry;
460 struct binder_alloc alloc;
461 struct binder_context *context;
462 spinlock_t inner_lock;
463 spinlock_t outer_lock;
464 struct dentry *binderfs_entry;
465 bool oneway_spam_detection_enabled;
466 ANDROID_OEM_DATA(1);
467 };
468
469 /**
470 * struct binder_proc_wrap - wrapper to preserve KMI in binder_proc
471 * @proc: binder_proc being wrapped
472 * @dmap dbitmap to manage available reference descriptors
473 * (protected by @proc.outer_lock)
474 */
475 struct binder_proc_wrap {
476 struct binder_proc proc;
477 struct dbitmap dmap;
478 };
479
480 static inline
proc_wrapper(struct binder_proc * proc)481 struct binder_proc_wrap *proc_wrapper(struct binder_proc *proc)
482 {
483 return container_of(proc, struct binder_proc_wrap, proc);
484 }
485
486 /**
487 * struct binder_thread - binder thread bookkeeping
488 * @proc: binder process for this thread
489 * (invariant after initialization)
490 * @rb_node: element for proc->threads rbtree
491 * (protected by @proc->inner_lock)
492 * @waiting_thread_node: element for @proc->waiting_threads list
493 * (protected by @proc->inner_lock)
494 * @pid: PID for this thread
495 * (invariant after initialization)
496 * @looper: bitmap of looping state
497 * (only accessed by this thread)
498 * @looper_needs_return: looping thread needs to exit driver
499 * (no lock needed)
500 * @transaction_stack: stack of in-progress transactions for this thread
501 * (protected by @proc->inner_lock)
502 * @todo: list of work to do for this thread
503 * (protected by @proc->inner_lock)
504 * @process_todo: whether work in @todo should be processed
505 * (protected by @proc->inner_lock)
506 * @return_error: transaction errors reported by this thread
507 * (only accessed by this thread)
508 * @reply_error: transaction errors reported by target thread
509 * (protected by @proc->inner_lock)
510 * @ee: extended error information from this thread
511 * (protected by @proc->inner_lock)
512 * @wait: wait queue for thread work
513 * @stats: per-thread statistics
514 * (atomics, no lock needed)
515 * @tmp_ref: temporary reference to indicate thread is in use
516 * (atomic since @proc->inner_lock cannot
517 * always be acquired)
518 * @is_dead: thread is dead and awaiting free
519 * when outstanding transactions are cleaned up
520 * (protected by @proc->inner_lock)
521 * @task: struct task_struct for this thread
522 * @prio_lock: protects thread priority fields
523 * @prio_next: saved priority to be restored next
524 * (protected by @prio_lock)
525 * @prio_state: state of the priority restore process as
526 * defined by enum binder_prio_state
527 * (protected by @prio_lock)
528 *
529 * Bookkeeping structure for binder threads.
530 */
531 struct binder_thread {
532 struct binder_proc *proc;
533 struct rb_node rb_node;
534 struct list_head waiting_thread_node;
535 int pid;
536 int looper; /* only modified by this thread */
537 bool looper_need_return; /* can be written by other thread */
538 struct binder_transaction *transaction_stack;
539 struct list_head todo;
540 bool process_todo;
541 struct binder_error return_error;
542 struct binder_error reply_error;
543 struct binder_extended_error ee;
544 wait_queue_head_t wait;
545 struct binder_stats stats;
546 atomic_t tmp_ref;
547 bool is_dead;
548 struct task_struct *task;
549 spinlock_t prio_lock;
550 struct binder_priority prio_next;
551 enum binder_prio_state prio_state;
552 };
553
554 /**
555 * struct binder_txn_fd_fixup - transaction fd fixup list element
556 * @fixup_entry: list entry
557 * @file: struct file to be associated with new fd
558 * @offset: offset in buffer data to this fixup
559 * @target_fd: fd to use by the target to install @file
560 *
561 * List element for fd fixups in a transaction. Since file
562 * descriptors need to be allocated in the context of the
563 * target process, we pass each fd to be processed in this
564 * struct.
565 */
566 struct binder_txn_fd_fixup {
567 struct list_head fixup_entry;
568 struct file *file;
569 size_t offset;
570 int target_fd;
571 };
572
573 struct binder_transaction {
574 int debug_id;
575 struct binder_work work;
576 struct binder_thread *from;
577 pid_t from_pid;
578 pid_t from_tid;
579 struct binder_transaction *from_parent;
580 struct binder_proc *to_proc;
581 struct binder_thread *to_thread;
582 struct binder_transaction *to_parent;
583 unsigned need_reply:1;
584 /* unsigned is_dead:1; */ /* not used at the moment */
585
586 struct binder_buffer *buffer;
587 unsigned int code;
588 unsigned int flags;
589 struct binder_priority priority;
590 struct binder_priority saved_priority;
591 bool set_priority_called;
592 bool is_nested;
593 kuid_t sender_euid;
594 ktime_t start_time;
595 struct list_head fd_fixups;
596 binder_uintptr_t security_ctx;
597 /**
598 * @lock: protects @from, @to_proc, and @to_thread
599 *
600 * @from, @to_proc, and @to_thread can be set to NULL
601 * during thread teardown
602 */
603 spinlock_t lock;
604 ANDROID_VENDOR_DATA(1);
605 ANDROID_OEM_DATA(1);
606 };
607
608 /**
609 * struct binder_object - union of flat binder object types
610 * @hdr: generic object header
611 * @fbo: binder object (nodes and refs)
612 * @fdo: file descriptor object
613 * @bbo: binder buffer pointer
614 * @fdao: file descriptor array
615 *
616 * Used for type-independent object copies
617 */
618 struct binder_object {
619 union {
620 struct binder_object_header hdr;
621 struct flat_binder_object fbo;
622 struct binder_fd_object fdo;
623 struct binder_buffer_object bbo;
624 struct binder_fd_array_object fdao;
625 };
626 };
627
628 #endif /* _LINUX_BINDER_INTERNAL_H */
629