1 // SPDX-License-Identifier: GPL-2.0 2 3 // Copyright (C) 2024 Google LLC. 4 5 use kernel::{ 6 alloc::AllocError, 7 list::ListArc, 8 prelude::*, 9 rbtree::{self, RBTreeNodeReservation}, 10 seq_file::SeqFile, 11 seq_print, 12 sync::{Arc, UniqueArc}, 13 uaccess::UserSliceReader, 14 }; 15 16 use crate::{ 17 defs::*, node::Node, process::Process, thread::Thread, BinderReturnWriter, DArc, DLArc, 18 DTRWrap, DeliverToRead, 19 }; 20 21 #[derive(Clone, Copy, Eq, PartialEq, Ord, PartialOrd)] 22 pub(crate) struct FreezeCookie(u64); 23 24 /// Represents a listener for changes to the frozen state of a process. 25 pub(crate) struct FreezeListener { 26 /// The node we are listening for. 27 pub(crate) node: DArc<Node>, 28 /// The cookie of this freeze listener. 29 cookie: FreezeCookie, 30 /// What value of `is_frozen` did we most recently tell userspace about? 31 last_is_frozen: Option<bool>, 32 /// We sent a `BR_FROZEN_BINDER` and we are waiting for `BC_FREEZE_NOTIFICATION_DONE` before 33 /// sending any other commands. 34 is_pending: bool, 35 /// Userspace sent `BC_CLEAR_FREEZE_NOTIFICATION` and we need to reply with 36 /// `BR_CLEAR_FREEZE_NOTIFICATION_DONE` as soon as possible. If `is_pending` is set, then we 37 /// must wait for it to be unset before we can reply. 38 is_clearing: bool, 39 /// Number of cleared duplicates that can't be deleted until userspace sends 40 /// `BC_FREEZE_NOTIFICATION_DONE`. 41 num_pending_duplicates: u64, 42 /// Number of cleared duplicates that can be deleted. 43 num_cleared_duplicates: u64, 44 } 45 46 impl FreezeListener { 47 /// Is it okay to create a new listener with the same cookie as this one for the provided node? 48 /// 49 /// Under some scenarios, userspace may delete a freeze listener and immediately recreate it 50 /// with the same cookie. This results in duplicate listeners. To avoid issues with ambiguity, 51 /// we allow this only if the new listener is for the same node, and we also require that the 52 /// old listener has already been cleared. allow_duplicate(&self, node: &DArc<Node>) -> bool53 fn allow_duplicate(&self, node: &DArc<Node>) -> bool { 54 Arc::ptr_eq(&self.node, node) && self.is_clearing 55 } 56 } 57 58 type UninitFM = UniqueArc<core::mem::MaybeUninit<DTRWrap<FreezeMessage>>>; 59 60 /// Represents a notification that the freeze state has changed. 61 pub(crate) struct FreezeMessage { 62 cookie: FreezeCookie, 63 } 64 65 kernel::list::impl_list_arc_safe! { 66 impl ListArcSafe<0> for FreezeMessage { 67 untracked; 68 } 69 } 70 71 impl FreezeMessage { new(flags: kernel::alloc::Flags) -> Result<UninitFM, AllocError>72 fn new(flags: kernel::alloc::Flags) -> Result<UninitFM, AllocError> { 73 UniqueArc::new_uninit(flags) 74 } 75 init(ua: UninitFM, cookie: FreezeCookie) -> DLArc<FreezeMessage>76 fn init(ua: UninitFM, cookie: FreezeCookie) -> DLArc<FreezeMessage> { 77 match ua.pin_init_with(DTRWrap::new(FreezeMessage { cookie })) { 78 Ok(msg) => ListArc::from(msg), 79 Err(err) => match err {}, 80 } 81 } 82 } 83 84 impl DeliverToRead for FreezeMessage { do_work( self: DArc<Self>, thread: &Thread, writer: &mut BinderReturnWriter<'_>, ) -> Result<bool>85 fn do_work( 86 self: DArc<Self>, 87 thread: &Thread, 88 writer: &mut BinderReturnWriter<'_>, 89 ) -> Result<bool> { 90 let _removed_listener; 91 let mut node_refs = thread.process.node_refs.lock(); 92 let Some(mut freeze_entry) = node_refs.freeze_listeners.find_mut(&self.cookie) else { 93 return Ok(true); 94 }; 95 let freeze = freeze_entry.get_mut(); 96 97 if freeze.num_cleared_duplicates > 0 { 98 freeze.num_cleared_duplicates -= 1; 99 drop(node_refs); 100 writer.write_code(BR_CLEAR_FREEZE_NOTIFICATION_DONE)?; 101 writer.write_payload(&self.cookie.0)?; 102 return Ok(true); 103 } 104 105 if freeze.is_pending { 106 return Ok(true); 107 } 108 if freeze.is_clearing { 109 _removed_listener = freeze_entry.remove_node(); 110 drop(node_refs); 111 writer.write_code(BR_CLEAR_FREEZE_NOTIFICATION_DONE)?; 112 writer.write_payload(&self.cookie.0)?; 113 Ok(true) 114 } else { 115 let is_frozen = freeze.node.owner.inner.lock().is_frozen; 116 if freeze.last_is_frozen == Some(is_frozen) { 117 return Ok(true); 118 } 119 120 let mut state_info = BinderFrozenStateInfo::default(); 121 state_info.is_frozen = is_frozen as u32; 122 state_info.cookie = freeze.cookie.0; 123 freeze.is_pending = true; 124 freeze.last_is_frozen = Some(is_frozen); 125 drop(node_refs); 126 127 writer.write_code(BR_FROZEN_BINDER)?; 128 writer.write_payload(&state_info)?; 129 // BR_FROZEN_BINDER notifications can cause transactions 130 Ok(false) 131 } 132 } 133 cancel(self: DArc<Self>)134 fn cancel(self: DArc<Self>) {} on_thread_selected(&self, _thread: &Thread)135 fn on_thread_selected(&self, _thread: &Thread) {} 136 should_sync_wakeup(&self) -> bool137 fn should_sync_wakeup(&self) -> bool { 138 false 139 } 140 141 #[inline(never)] debug_print(&self, m: &SeqFile, prefix: &str, _tprefix: &str) -> Result<()>142 fn debug_print(&self, m: &SeqFile, prefix: &str, _tprefix: &str) -> Result<()> { 143 seq_print!(m, "{}has frozen binder\n", prefix); 144 Ok(()) 145 } 146 } 147 148 impl FreezeListener { on_process_exit(&self, proc: &Arc<Process>)149 pub(crate) fn on_process_exit(&self, proc: &Arc<Process>) { 150 if !self.is_clearing { 151 self.node.remove_freeze_listener(proc); 152 } 153 } 154 } 155 156 impl Process { request_freeze_notif( self: &Arc<Self>, reader: &mut UserSliceReader, ) -> Result<()>157 pub(crate) fn request_freeze_notif( 158 self: &Arc<Self>, 159 reader: &mut UserSliceReader, 160 ) -> Result<()> { 161 let hc = reader.read::<BinderHandleCookie>()?; 162 let handle = hc.handle; 163 let cookie = FreezeCookie(hc.cookie); 164 165 let msg = FreezeMessage::new(GFP_KERNEL)?; 166 let alloc = RBTreeNodeReservation::new(GFP_KERNEL)?; 167 168 let mut node_refs_guard = self.node_refs.lock(); 169 let node_refs = &mut *node_refs_guard; 170 let Some(info) = node_refs.by_handle.get_mut(&handle) else { 171 pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION invalid ref {}\n", handle); 172 return Err(EINVAL); 173 }; 174 if info.freeze().is_some() { 175 pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION already set\n"); 176 return Err(EINVAL); 177 } 178 let node_ref = info.node_ref(); 179 let freeze_entry = node_refs.freeze_listeners.entry(cookie); 180 181 if let rbtree::Entry::Occupied(ref dupe) = freeze_entry { 182 if !dupe.get().allow_duplicate(&node_ref.node) { 183 pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION duplicate cookie\n"); 184 return Err(EINVAL); 185 } 186 } 187 188 // All failure paths must come before this call, and all modifications must come after this 189 // call. 190 node_ref.node.add_freeze_listener(self, GFP_KERNEL)?; 191 192 match freeze_entry { 193 rbtree::Entry::Vacant(entry) => { 194 entry.insert( 195 FreezeListener { 196 cookie, 197 node: node_ref.node.clone(), 198 last_is_frozen: None, 199 is_pending: false, 200 is_clearing: false, 201 num_pending_duplicates: 0, 202 num_cleared_duplicates: 0, 203 }, 204 alloc, 205 ); 206 } 207 rbtree::Entry::Occupied(mut dupe) => { 208 let dupe = dupe.get_mut(); 209 if dupe.is_pending { 210 dupe.num_pending_duplicates += 1; 211 } else { 212 dupe.num_cleared_duplicates += 1; 213 } 214 dupe.last_is_frozen = None; 215 dupe.is_pending = false; 216 dupe.is_clearing = false; 217 } 218 } 219 220 *info.freeze() = Some(cookie); 221 let msg = FreezeMessage::init(msg, cookie); 222 drop(node_refs_guard); 223 let _ = self.push_work(msg); 224 Ok(()) 225 } 226 freeze_notif_done(self: &Arc<Self>, reader: &mut UserSliceReader) -> Result<()>227 pub(crate) fn freeze_notif_done(self: &Arc<Self>, reader: &mut UserSliceReader) -> Result<()> { 228 let cookie = FreezeCookie(reader.read()?); 229 let alloc = FreezeMessage::new(GFP_KERNEL)?; 230 let mut node_refs_guard = self.node_refs.lock(); 231 let node_refs = &mut *node_refs_guard; 232 let Some(freeze) = node_refs.freeze_listeners.get_mut(&cookie) else { 233 pr_warn!("BC_FREEZE_NOTIFICATION_DONE {:016x} not found\n", cookie.0); 234 return Err(EINVAL); 235 }; 236 let mut clear_msg = None; 237 if freeze.num_pending_duplicates > 0 { 238 clear_msg = Some(FreezeMessage::init(alloc, cookie)); 239 freeze.num_pending_duplicates -= 1; 240 freeze.num_cleared_duplicates += 1; 241 } else { 242 if !freeze.is_pending { 243 pr_warn!( 244 "BC_FREEZE_NOTIFICATION_DONE {:016x} not pending\n", 245 cookie.0 246 ); 247 return Err(EINVAL); 248 } 249 if freeze.is_clearing { 250 // Immediately send another FreezeMessage for BR_CLEAR_FREEZE_NOTIFICATION_DONE. 251 clear_msg = Some(FreezeMessage::init(alloc, cookie)); 252 } 253 freeze.is_pending = false; 254 } 255 drop(node_refs_guard); 256 if let Some(clear_msg) = clear_msg { 257 let _ = self.push_work(clear_msg); 258 } 259 Ok(()) 260 } 261 clear_freeze_notif(self: &Arc<Self>, reader: &mut UserSliceReader) -> Result<()>262 pub(crate) fn clear_freeze_notif(self: &Arc<Self>, reader: &mut UserSliceReader) -> Result<()> { 263 let hc = reader.read::<BinderHandleCookie>()?; 264 let handle = hc.handle; 265 let cookie = FreezeCookie(hc.cookie); 266 267 let alloc = FreezeMessage::new(GFP_KERNEL)?; 268 let mut node_refs_guard = self.node_refs.lock(); 269 let node_refs = &mut *node_refs_guard; 270 let Some(info) = node_refs.by_handle.get_mut(&handle) else { 271 pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION invalid ref {}\n", handle); 272 return Err(EINVAL); 273 }; 274 let Some(info_cookie) = info.freeze() else { 275 pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION freeze notification not active\n"); 276 return Err(EINVAL); 277 }; 278 if *info_cookie != cookie { 279 pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION freeze notification cookie mismatch\n"); 280 return Err(EINVAL); 281 } 282 let Some(listener) = node_refs.freeze_listeners.get_mut(&cookie) else { 283 pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION invalid cookie {}\n", handle); 284 return Err(EINVAL); 285 }; 286 listener.is_clearing = true; 287 listener.node.remove_freeze_listener(self); 288 *info.freeze() = None; 289 let mut msg = None; 290 if !listener.is_pending { 291 msg = Some(FreezeMessage::init(alloc, cookie)); 292 } 293 drop(node_refs_guard); 294 295 if let Some(msg) = msg { 296 let _ = self.push_work(msg); 297 } 298 Ok(()) 299 } 300 get_freeze_cookie(&self, node: &DArc<Node>) -> Option<FreezeCookie>301 fn get_freeze_cookie(&self, node: &DArc<Node>) -> Option<FreezeCookie> { 302 let node_refs = &mut *self.node_refs.lock(); 303 let handle = node_refs.by_node.get(&node.global_id())?; 304 let node_ref = node_refs.by_handle.get_mut(handle)?; 305 *node_ref.freeze() 306 } 307 308 /// Creates a vector of every freeze listener on this process. 309 /// 310 /// Returns pairs of the remote process listening for notifications and the local node it is 311 /// listening on. find_freeze_recipients(&self) -> Result<KVVec<(DArc<Node>, Arc<Process>)>, AllocError>312 fn find_freeze_recipients(&self) -> Result<KVVec<(DArc<Node>, Arc<Process>)>, AllocError> { 313 // Defined before `inner` to drop after releasing spinlock if `push_within_capacity` fails. 314 let mut node_proc_pair; 315 316 // We pre-allocate space for up to 8 recipients before we take the spinlock. However, if 317 // the allocation fails, use a vector with a capacity of zero instead of failing. After 318 // all, there might not be any freeze listeners, in which case this operation could still 319 // succeed. 320 let mut recipients = 321 KVVec::with_capacity(8, GFP_KERNEL).unwrap_or_else(|_err| KVVec::new()); 322 323 let mut inner = self.lock_with_nodes(); 324 let mut curr = inner.nodes.cursor_front(); 325 while let Some(cursor) = curr { 326 let (key, node) = cursor.current(); 327 let key = *key; 328 let list = node.freeze_list(&inner.inner); 329 let len = list.len(); 330 331 if recipients.spare_capacity_mut().len() < len { 332 drop(inner); 333 recipients.reserve(len, GFP_KERNEL)?; 334 inner = self.lock_with_nodes(); 335 // Find the node we were looking at and try again. If the set of nodes was changed, 336 // then just proceed to the next node. This is ok because we don't guarantee the 337 // inclusion of nodes that are added or removed in parallel with this operation. 338 curr = inner.nodes.cursor_lower_bound(&key); 339 continue; 340 } 341 342 for proc in list { 343 node_proc_pair = (node.clone(), proc.clone()); 344 recipients 345 .push_within_capacity(node_proc_pair) 346 .map_err(|_| { 347 pr_err!( 348 "push_within_capacity failed even though we checked the capacity\n" 349 ); 350 AllocError 351 })?; 352 } 353 354 curr = cursor.move_next(); 355 } 356 Ok(recipients) 357 } 358 359 /// Prepare allocations for sending freeze messages. prepare_freeze_messages(&self) -> Result<FreezeMessages, AllocError>360 pub(crate) fn prepare_freeze_messages(&self) -> Result<FreezeMessages, AllocError> { 361 let recipients = self.find_freeze_recipients()?; 362 let mut batch = KVVec::with_capacity(recipients.len(), GFP_KERNEL)?; 363 for (node, proc) in recipients { 364 let Some(cookie) = proc.get_freeze_cookie(&node) else { 365 // If the freeze listener was removed in the meantime, just discard the 366 // notification. 367 continue; 368 }; 369 let msg_alloc = FreezeMessage::new(GFP_KERNEL)?; 370 let msg = FreezeMessage::init(msg_alloc, cookie); 371 batch.push((proc, msg), GFP_KERNEL)?; 372 } 373 374 Ok(FreezeMessages { batch }) 375 } 376 } 377 378 pub(crate) struct FreezeMessages { 379 batch: KVVec<(Arc<Process>, DLArc<FreezeMessage>)>, 380 } 381 382 impl FreezeMessages { send_messages(self)383 pub(crate) fn send_messages(self) { 384 for (proc, msg) in self.batch { 385 let _ = proc.push_work(msg); 386 } 387 } 388 } 389