// SPDX-License-Identifier: GPL-2.0-only
/* binder_alloc.c
 *
 * Android IPC Subsystem
 *
 * Copyright (C) 2007-2017 Google, Inc.
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/list.h>
#include <linux/sched/mm.h>
#include <linux/module.h>
#include <linux/rtmutex.h>
#include <linux/rbtree.h>
#include <linux/seq_file.h>
#include <linux/vmalloc.h>
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/list_lru.h>
#include <linux/ratelimit.h>
#include <asm/cacheflush.h>
#include <linux/uaccess.h>
#include <linux/highmem.h>
#include <linux/sizes.h>
#include "binder_alloc.h"
#include "binder_trace.h"

struct list_lru binder_freelist;

static DEFINE_MUTEX(binder_alloc_mmap_lock);

enum {
	BINDER_DEBUG_USER_ERROR = 1U << 0,
	BINDER_DEBUG_OPEN_CLOSE = 1U << 1,
	BINDER_DEBUG_BUFFER_ALLOC = 1U << 2,
	BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 3,
};
static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;

module_param_named(debug_mask, binder_alloc_debug_mask,
		   uint, 0644);

#define binder_alloc_debug(mask, x...) \
	do { \
		if (binder_alloc_debug_mask & mask) \
			pr_info_ratelimited(x); \
	} while (0)

static struct binder_buffer *binder_buffer_next(struct binder_buffer *buffer)
{
	return list_entry(buffer->entry.next, struct binder_buffer, entry);
}

static struct binder_buffer *binder_buffer_prev(struct binder_buffer *buffer)
{
	return list_entry(buffer->entry.prev, struct binder_buffer, entry);
}

static size_t binder_alloc_buffer_size(struct binder_alloc *alloc,
				       struct binder_buffer *buffer)
{
	if (list_is_last(&buffer->entry, &alloc->buffers))
		return alloc->buffer + alloc->buffer_size - buffer->user_data;
	return binder_buffer_next(buffer)->user_data - buffer->user_data;
}

static void binder_insert_free_buffer(struct binder_alloc *alloc,
				      struct binder_buffer *new_buffer)
{
	struct rb_node **p = &alloc->free_buffers.rb_node;
	struct rb_node *parent = NULL;
	struct binder_buffer *buffer;
	size_t buffer_size;
	size_t new_buffer_size;

	BUG_ON(!new_buffer->free);

	new_buffer_size = binder_alloc_buffer_size(alloc, new_buffer);

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: add free buffer, size %zd, at %pK\n",
			   alloc->pid, new_buffer_size, new_buffer);

	while (*p) {
		parent = *p;
		buffer = rb_entry(parent, struct binder_buffer, rb_node);
		BUG_ON(!buffer->free);

		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		if (new_buffer_size < buffer_size)
			p = &parent->rb_left;
		else
			p = &parent->rb_right;
	}
	rb_link_node(&new_buffer->rb_node, parent, p);
	rb_insert_color(&new_buffer->rb_node, &alloc->free_buffers);
}

static void binder_insert_allocated_buffer_locked(
		struct binder_alloc *alloc, struct binder_buffer *new_buffer)
{
	struct rb_node **p = &alloc->allocated_buffers.rb_node;
	struct rb_node *parent = NULL;
	struct binder_buffer *buffer;

	BUG_ON(new_buffer->free);

	while (*p) {
		parent = *p;
		buffer = rb_entry(parent, struct binder_buffer, rb_node);
		BUG_ON(buffer->free);

		if (new_buffer->user_data < buffer->user_data)
			p = &parent->rb_left;
		else if (new_buffer->user_data > buffer->user_data)
			p = &parent->rb_right;
		else
			BUG();
	}
	rb_link_node(&new_buffer->rb_node, parent, p);
	rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers);
}
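
/*
 * Find the in-use buffer matching @user_ptr and clear allow_user_free so
 * userspace cannot trigger a second free. Returns ERR_PTR(-EPERM) if the
 * buffer is still in use by the kernel or has already been freed. Must be
 * called with alloc->mutex held.
 */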
static struct binder_buffer *binder_alloc_prepare_to_free_locked(
		struct binder_alloc *alloc,
		unsigned long user_ptr)
{
	struct rb_node *n = alloc->allocated_buffers.rb_node;
	struct binder_buffer *buffer;

	while (n) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		BUG_ON(buffer->free);

		if (user_ptr < buffer->user_data) {
			n = n->rb_left;
		} else if (user_ptr > buffer->user_data) {
			n = n->rb_right;
		} else {
			/*
			 * Guard against user threads attempting to
			 * free the buffer when in use by kernel or
			 * after it's already been freed.
			 */
			if (!buffer->allow_user_free)
				return ERR_PTR(-EPERM);
			buffer->allow_user_free = 0;
			return buffer;
		}
	}
	return NULL;
}

/**
 * binder_alloc_prepare_to_free() - get buffer given user ptr
 * @alloc: binder_alloc for this proc
 * @user_ptr: User pointer to buffer data
 *
 * Validate userspace pointer to buffer data and return buffer corresponding to
 * that user pointer. Search the rb tree for buffer that matches user data
 * pointer.
 *
 * Return: Pointer to buffer or NULL
 */
struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc,
						   unsigned long user_ptr)
{
	struct binder_buffer *buffer;

	mutex_lock(&alloc->mutex);
	buffer = binder_alloc_prepare_to_free_locked(alloc, user_ptr);
	mutex_unlock(&alloc->mutex);
	return buffer;
}

static inline void
binder_set_installed_page(struct binder_alloc *alloc,
			  unsigned long index,
			  struct page *page)
{
	/* Pairs with acquire in binder_get_installed_page() */
	smp_store_release(&alloc->pages[index], page);
}

static inline struct page *
binder_get_installed_page(struct binder_alloc *alloc, unsigned long index)
{
	/* Pairs with release in binder_set_installed_page() */
	return smp_load_acquire(&alloc->pages[index]);
}

static void binder_lru_freelist_add(struct binder_alloc *alloc,
				    unsigned long start, unsigned long end)
{
	unsigned long page_addr;
	struct page *page;

	trace_binder_update_page_range(alloc, false, start, end);

	for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
		size_t index;
		int ret;

		index = (page_addr - alloc->buffer) / PAGE_SIZE;
		page = binder_get_installed_page(alloc, index);
		if (!page)
			continue;

		trace_binder_free_lru_start(alloc, index);

		ret = list_lru_add(&binder_freelist,
				   page_to_lru(page),
				   page_to_nid(page),
				   NULL);
		WARN_ON(!ret);

		trace_binder_free_lru_end(alloc, index);
	}
}

static struct page *binder_page_alloc(struct binder_alloc *alloc,
				      unsigned long index)
{
	struct binder_shrinker_mdata *mdata;
	struct page *page;

	page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO);
	if (!page)
		return NULL;

	/* allocate and install shrinker metadata under page->private */
	mdata = kzalloc(sizeof(*mdata), GFP_KERNEL);
	if (!mdata) {
		__free_page(page);
		return NULL;
	}

	mdata->alloc = alloc;
	mdata->page_index = index;
	INIT_LIST_HEAD(&mdata->lru);
	set_page_private(page, (unsigned long)mdata);

	return page;
}

static void binder_free_page(struct page *page)
{
	kfree((struct binder_shrinker_mdata *)page_private(page));
	__free_page(page);
}
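
/*
 * Allocate a zeroed page and insert it into the binder vma at @addr.
 * A racing -EBUSY from vm_insert_page() means another thread installed
 * the pte first; in that case the freshly allocated page is discarded
 * and the already-installed page is looked up and recorded instead.
 */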
static int binder_install_single_page(struct binder_alloc *alloc,
				      unsigned long index,
				      unsigned long addr)
{
	struct vm_area_struct *vma;
	struct page *page;
	long npages;
	int ret;

	if (!mmget_not_zero(alloc->mm))
		return -ESRCH;

	page = binder_page_alloc(alloc, index);
	if (!page) {
		ret = -ENOMEM;
		goto out;
	}

	mmap_read_lock(alloc->mm);
	vma = vma_lookup(alloc->mm, addr);
	if (!vma || vma != alloc->vma) {
		binder_free_page(page);
		pr_err("%d: %s failed, no vma\n", alloc->pid, __func__);
		ret = -ESRCH;
		goto unlock;
	}

	ret = vm_insert_page(vma, addr, page);
	switch (ret) {
	case -EBUSY:
		/*
		 * EBUSY is ok. Someone installed the pte first but the
		 * alloc->pages[index] has not been updated yet. Discard
		 * our page and look up the one already installed.
		 */
		ret = 0;
		binder_free_page(page);
		npages = get_user_pages_remote(alloc->mm, addr, 1,
					       FOLL_NOFAULT, &page, NULL);
		if (npages <= 0) {
			pr_err("%d: failed to find page at offset %lx\n",
			       alloc->pid, addr - alloc->buffer);
			ret = -ESRCH;
			break;
		}
		fallthrough;
	case 0:
		/* Mark page installation complete and safe to use */
		binder_set_installed_page(alloc, index, page);
		break;
	default:
		binder_free_page(page);
		pr_err("%d: %s failed to insert page at offset %lx with %d\n",
		       alloc->pid, __func__, addr - alloc->buffer, ret);
		ret = -ENOMEM;
		break;
	}
unlock:
	mmap_read_unlock(alloc->mm);
out:
	mmput_async(alloc->mm);
	return ret;
}

static int binder_install_buffer_pages(struct binder_alloc *alloc,
				       struct binder_buffer *buffer,
				       size_t size)
{
	unsigned long start, final;
	unsigned long page_addr;

	start = buffer->user_data & PAGE_MASK;
	final = PAGE_ALIGN(buffer->user_data + size);

	for (page_addr = start; page_addr < final; page_addr += PAGE_SIZE) {
		unsigned long index;
		int ret;

		index = (page_addr - alloc->buffer) / PAGE_SIZE;
		if (binder_get_installed_page(alloc, index))
			continue;

		trace_binder_alloc_page_start(alloc, index);

		ret = binder_install_single_page(alloc, index, page_addr);
		if (ret)
			return ret;

		trace_binder_alloc_page_end(alloc, index);
	}

	return 0;
}

/* The range of pages should exclude those shared with other buffers */
static void binder_lru_freelist_del(struct binder_alloc *alloc,
				    unsigned long start, unsigned long end)
{
	unsigned long page_addr;
	struct page *page;

	trace_binder_update_page_range(alloc, true, start, end);

	for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
		unsigned long index;
		bool on_lru;

		index = (page_addr - alloc->buffer) / PAGE_SIZE;
		page = binder_get_installed_page(alloc, index);

		if (page) {
			trace_binder_alloc_lru_start(alloc, index);

			on_lru = list_lru_del(&binder_freelist,
					      page_to_lru(page),
					      page_to_nid(page),
					      NULL);
			WARN_ON(!on_lru);

			trace_binder_alloc_lru_end(alloc, index);
			continue;
		}

		if (index + 1 > alloc->pages_high)
			alloc->pages_high = index + 1;
	}
}
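
/*
 * alloc->vma doubles as the "fully initialized" flag: it is published last
 * by binder_alloc_mmap_handler() and cleared by binder_alloc_vma_close(),
 * hence the release/acquire pairing below.
 */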
static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
					struct vm_area_struct *vma)
{
	/* pairs with smp_load_acquire in binder_alloc_get_vma() */
	smp_store_release(&alloc->vma, vma);
}

static inline struct vm_area_struct *binder_alloc_get_vma(
		struct binder_alloc *alloc)
{
	/* pairs with smp_store_release in binder_alloc_set_vma() */
	return smp_load_acquire(&alloc->vma);
}

static void debug_no_space_locked(struct binder_alloc *alloc)
{
	size_t largest_alloc_size = 0;
	struct binder_buffer *buffer;
	size_t allocated_buffers = 0;
	size_t largest_free_size = 0;
	size_t total_alloc_size = 0;
	size_t total_free_size = 0;
	size_t free_buffers = 0;
	size_t buffer_size;
	struct rb_node *n;

	for (n = rb_first(&alloc->allocated_buffers); n; n = rb_next(n)) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);
		allocated_buffers++;
		total_alloc_size += buffer_size;
		if (buffer_size > largest_alloc_size)
			largest_alloc_size = buffer_size;
	}

	for (n = rb_first(&alloc->free_buffers); n; n = rb_next(n)) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);
		free_buffers++;
		total_free_size += buffer_size;
		if (buffer_size > largest_free_size)
			largest_free_size = buffer_size;
	}

	binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
			   "allocated: %zd (num: %zd largest: %zd), free: %zd (num: %zd largest: %zd)\n",
			   total_alloc_size, allocated_buffers,
			   largest_alloc_size, total_free_size,
			   free_buffers, largest_free_size);
}
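
/*
 * Returns true the first time the calling tgid looks like a oneway-spam
 * suspect: it holds more than 50 async buffers or over a quarter of the
 * total buffer space while less than 20% of the async space remains.
 */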
static bool debug_low_async_space_locked(struct binder_alloc *alloc)
{
	/*
	 * Find the amount and size of buffers allocated by the current caller.
	 * The idea is that once we cross the threshold, whoever is responsible
	 * for the low async space is likely to try to send another async txn,
	 * and at some point we'll catch them in the act. This is more efficient
	 * than keeping a map per pid.
	 */
	struct binder_buffer *buffer;
	size_t total_alloc_size = 0;
	int pid = current->tgid;
	size_t num_buffers = 0;
	struct rb_node *n;

	/*
	 * Only start detecting spammers once we have less than 20% of async
	 * space left (which is less than 10% of total buffer size).
	 */
	if (alloc->free_async_space >= alloc->buffer_size / 10) {
		alloc->oneway_spam_detected = false;
		return false;
	}

	for (n = rb_first(&alloc->allocated_buffers); n != NULL;
	     n = rb_next(n)) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		if (buffer->pid != pid)
			continue;
		if (!buffer->async_transaction)
			continue;
		total_alloc_size += binder_alloc_buffer_size(alloc, buffer);
		num_buffers++;
	}

	/*
	 * Warn if this pid has more than 50 transactions, or more than 50% of
	 * async space (which is 25% of total buffer size). Oneway spam is only
	 * detected when the threshold is exceeded.
	 */
	if (num_buffers > 50 || total_alloc_size > alloc->buffer_size / 4) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: pid %d spamming oneway? %zd buffers allocated for a total size of %zd\n",
				   alloc->pid, pid, num_buffers, total_alloc_size);
		if (!alloc->oneway_spam_detected) {
			alloc->oneway_spam_detected = true;
			return true;
		}
	}
	return false;
}

/* Callers preallocate @new_buffer, it is freed by this function if unused */
static struct binder_buffer *binder_alloc_new_buf_locked(
		struct binder_alloc *alloc,
		struct binder_buffer *new_buffer,
		size_t size,
		int is_async)
{
	struct rb_node *n = alloc->free_buffers.rb_node;
	struct rb_node *best_fit = NULL;
	struct binder_buffer *buffer;
	unsigned long next_used_page;
	unsigned long curr_last_page;
	size_t buffer_size;

	if (is_async && alloc->free_async_space < size) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: binder_alloc_buf size %zd failed, no async space left\n",
				   alloc->pid, size);
		buffer = ERR_PTR(-ENOSPC);
		goto out;
	}

	while (n) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		BUG_ON(!buffer->free);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		if (size < buffer_size) {
			best_fit = n;
			n = n->rb_left;
		} else if (size > buffer_size) {
			n = n->rb_right;
		} else {
			best_fit = n;
			break;
		}
	}

	if (unlikely(!best_fit)) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf size %zd failed, no address space\n",
				   alloc->pid, size);
		debug_no_space_locked(alloc);
		buffer = ERR_PTR(-ENOSPC);
		goto out;
	}

	if (buffer_size != size) {
		/* Found an oversized buffer that needs to be split */
		buffer = rb_entry(best_fit, struct binder_buffer, rb_node);
		buffer_size = binder_alloc_buffer_size(alloc, buffer);

		WARN_ON(n || buffer_size == size);
		new_buffer->user_data = buffer->user_data + size;
		list_add(&new_buffer->entry, &buffer->entry);
		new_buffer->free = 1;
		binder_insert_free_buffer(alloc, new_buffer);
		new_buffer = NULL;
	}

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n",
			   alloc->pid, size, buffer, buffer_size);

	/*
	 * Now we remove the pages from the freelist. A clever calculation
	 * with buffer_size determines if the last page is shared with an
	 * adjacent in-use buffer. In such case, the page has been already
	 * removed from the freelist so we trim our range short.
	 */
	next_used_page = (buffer->user_data + buffer_size) & PAGE_MASK;
	curr_last_page = PAGE_ALIGN(buffer->user_data + size);
	binder_lru_freelist_del(alloc, PAGE_ALIGN(buffer->user_data),
				min(next_used_page, curr_last_page));

	rb_erase(&buffer->rb_node, &alloc->free_buffers);
	buffer->free = 0;
	buffer->allow_user_free = 0;
	binder_insert_allocated_buffer_locked(alloc, buffer);
	buffer->async_transaction = is_async;
	buffer->oneway_spam_suspect = false;
	if (is_async) {
		alloc->free_async_space -= size;
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
				   "%d: binder_alloc_buf size %zd async free %zd\n",
				   alloc->pid, size, alloc->free_async_space);
		if (debug_low_async_space_locked(alloc))
			buffer->oneway_spam_suspect = true;
	}

out:
	/* Discard possibly unused new_buffer */
	kfree(new_buffer);
	return buffer;
}

/* Calculate the sanitized total size, returns 0 for invalid request */
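/*
 * e.g. on a 64-bit kernel, data_size=100, offsets_size=8 and
 * extra_buffers_size=0 sanitize to ALIGN(100, 8) + 8 + 0 = 112 bytes.
 */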
static inline size_t sanitized_size(size_t data_size,
				    size_t offsets_size,
				    size_t extra_buffers_size)
{
	size_t total, tmp;

	/* Align to pointer size and check for overflows */
	tmp = ALIGN(data_size, sizeof(void *)) +
		ALIGN(offsets_size, sizeof(void *));
	if (tmp < data_size || tmp < offsets_size)
		return 0;
	total = tmp + ALIGN(extra_buffers_size, sizeof(void *));
	if (total < tmp || total < extra_buffers_size)
		return 0;

	/* Pad 0-sized buffers so they get a unique address */
	total = max(total, sizeof(void *));

	return total;
}

/**
 * binder_alloc_new_buf() - Allocate a new binder buffer
 * @alloc: binder_alloc for this proc
 * @data_size: size of user data buffer
 * @offsets_size: user specified buffer offset
 * @extra_buffers_size: size of extra space for meta-data (e.g. security context)
 * @is_async: buffer for async transaction
 *
 * Allocate a new buffer given the requested sizes. Returns
 * the kernel version of the buffer pointer. The size allocated
 * is the sum of the three given sizes (each rounded up to a
 * pointer-sized boundary).
 *
 * Return: The allocated buffer or %ERR_PTR(-errno) if error
 */
struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
					   size_t data_size,
					   size_t offsets_size,
					   size_t extra_buffers_size,
					   int is_async)
{
	struct binder_buffer *buffer, *next;
	size_t size;
	int ret;

	/* Check binder_alloc is fully initialized */
	if (!binder_alloc_get_vma(alloc)) {
		binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
				   "%d: binder_alloc_buf, no vma\n",
				   alloc->pid);
		return ERR_PTR(-ESRCH);
	}

	size = sanitized_size(data_size, offsets_size, extra_buffers_size);
	if (unlikely(!size)) {
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
				   "%d: got transaction with invalid size %zd-%zd-%zd\n",
				   alloc->pid, data_size, offsets_size,
				   extra_buffers_size);
		return ERR_PTR(-EINVAL);
	}

	/* Preallocate the next buffer */
	next = kzalloc(sizeof(*next), GFP_KERNEL);
	if (!next)
		return ERR_PTR(-ENOMEM);

	mutex_lock(&alloc->mutex);
	buffer = binder_alloc_new_buf_locked(alloc, next, size, is_async);
	if (IS_ERR(buffer)) {
		mutex_unlock(&alloc->mutex);
		goto out;
	}

	buffer->data_size = data_size;
	buffer->offsets_size = offsets_size;
	buffer->extra_buffers_size = extra_buffers_size;
	buffer->pid = current->tgid;
	mutex_unlock(&alloc->mutex);

	ret = binder_install_buffer_pages(alloc, buffer, size);
	if (ret) {
		binder_alloc_free_buf(alloc, buffer);
		buffer = ERR_PTR(ret);
	}
out:
	return buffer;
}
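
/*
 * Page-boundary helpers for binder_delete_free_buffer(): a buffer's first
 * page may be shared with the previous or next buffer in the
 * address-ordered alloc->buffers list.
 */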
static unsigned long buffer_start_page(struct binder_buffer *buffer)
{
	return buffer->user_data & PAGE_MASK;
}

static unsigned long prev_buffer_end_page(struct binder_buffer *buffer)
{
	return (buffer->user_data - 1) & PAGE_MASK;
}

static void binder_delete_free_buffer(struct binder_alloc *alloc,
				      struct binder_buffer *buffer)
{
	struct binder_buffer *prev, *next;

	if (PAGE_ALIGNED(buffer->user_data))
		goto skip_freelist;

	BUG_ON(alloc->buffers.next == &buffer->entry);
	prev = binder_buffer_prev(buffer);
	BUG_ON(!prev->free);
	if (prev_buffer_end_page(prev) == buffer_start_page(buffer))
		goto skip_freelist;

	if (!list_is_last(&buffer->entry, &alloc->buffers)) {
		next = binder_buffer_next(buffer);
		if (buffer_start_page(next) == buffer_start_page(buffer))
			goto skip_freelist;
	}

	binder_lru_freelist_add(alloc, buffer_start_page(buffer),
				buffer_start_page(buffer) + PAGE_SIZE);
skip_freelist:
	list_del(&buffer->entry);
	kfree(buffer);
}
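
/*
 * Return @buffer to the free list: give its fully-contained pages back to
 * the LRU freelist and coalesce it with adjacent free buffers before
 * re-inserting it into the free_buffers rbtree.
 */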
static void binder_free_buf_locked(struct binder_alloc *alloc,
				   struct binder_buffer *buffer)
{
	size_t size, buffer_size;

	buffer_size = binder_alloc_buffer_size(alloc, buffer);

	size = ALIGN(buffer->data_size, sizeof(void *)) +
		ALIGN(buffer->offsets_size, sizeof(void *)) +
		ALIGN(buffer->extra_buffers_size, sizeof(void *));

	binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
			   "%d: binder_free_buf %pK size %zd buffer_size %zd\n",
			   alloc->pid, buffer, size, buffer_size);

	BUG_ON(buffer->free);
	BUG_ON(size > buffer_size);
	BUG_ON(buffer->transaction != NULL);
	BUG_ON(buffer->user_data < alloc->buffer);
	BUG_ON(buffer->user_data > alloc->buffer + alloc->buffer_size);

	if (buffer->async_transaction) {
		alloc->free_async_space += buffer_size;
		binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
				   "%d: binder_free_buf size %zd async free %zd\n",
				   alloc->pid, size, alloc->free_async_space);
	}

	binder_lru_freelist_add(alloc, PAGE_ALIGN(buffer->user_data),
				(buffer->user_data + buffer_size) & PAGE_MASK);

	rb_erase(&buffer->rb_node, &alloc->allocated_buffers);
	buffer->free = 1;
	if (!list_is_last(&buffer->entry, &alloc->buffers)) {
		struct binder_buffer *next = binder_buffer_next(buffer);

		if (next->free) {
			rb_erase(&next->rb_node, &alloc->free_buffers);
			binder_delete_free_buffer(alloc, next);
		}
	}
	if (alloc->buffers.next != &buffer->entry) {
		struct binder_buffer *prev = binder_buffer_prev(buffer);

		if (prev->free) {
			binder_delete_free_buffer(alloc, buffer);
			rb_erase(&prev->rb_node, &alloc->free_buffers);
			buffer = prev;
		}
	}
	binder_insert_free_buffer(alloc, buffer);
}

/**
 * binder_alloc_get_page() - get kernel pointer for given buffer offset
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @buffer_offset: offset into @buffer data
 * @pgoffp: address to copy final page offset to
 *
 * Lookup the struct page corresponding to the address
 * at @buffer_offset into @buffer->user_data. If @pgoffp is not
 * NULL, the byte-offset into the page is written there.
 *
 * The caller is responsible for ensuring that the offset points
 * to a valid address within the @buffer and that @buffer is
 * not freeable by the user. Since it can't be freed, we are
 * guaranteed that the corresponding elements of @alloc->pages[]
 * cannot change.
 *
 * Return: struct page
 */
static struct page *binder_alloc_get_page(struct binder_alloc *alloc,
					  struct binder_buffer *buffer,
					  binder_size_t buffer_offset,
					  pgoff_t *pgoffp)
{
	binder_size_t buffer_space_offset = buffer_offset +
		(buffer->user_data - alloc->buffer);
	pgoff_t pgoff = buffer_space_offset & ~PAGE_MASK;
	size_t index = buffer_space_offset >> PAGE_SHIFT;

	*pgoffp = pgoff;

	return alloc->pages[index];
}

/**
 * binder_alloc_clear_buf() - zero out buffer
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be cleared
 *
 * memset the given buffer to 0
 */
static void binder_alloc_clear_buf(struct binder_alloc *alloc,
				   struct binder_buffer *buffer)
{
	size_t bytes = binder_alloc_buffer_size(alloc, buffer);
	binder_size_t buffer_offset = 0;

	while (bytes) {
		unsigned long size;
		struct page *page;
		pgoff_t pgoff;

		page = binder_alloc_get_page(alloc, buffer,
					     buffer_offset, &pgoff);
		size = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		memset_page(page, pgoff, 0, size);
		bytes -= size;
		buffer_offset += size;
	}
}

/**
 * binder_alloc_free_buf() - free a binder buffer
 * @alloc: binder_alloc for this proc
 * @buffer: kernel pointer to buffer
 *
 * Free the buffer allocated via binder_alloc_new_buf()
 */
void binder_alloc_free_buf(struct binder_alloc *alloc,
			   struct binder_buffer *buffer)
{
	/*
	 * We could eliminate the call to binder_alloc_clear_buf()
	 * from binder_alloc_deferred_release() by moving this to
	 * binder_free_buf_locked(). However, that could
	 * increase contention for the alloc mutex if clear_on_free
	 * is used frequently for large buffers. The mutex is not
	 * needed for correctness here.
	 */
	if (buffer->clear_on_free) {
		binder_alloc_clear_buf(alloc, buffer);
		buffer->clear_on_free = false;
	}
	mutex_lock(&alloc->mutex);
	binder_free_buf_locked(alloc, buffer);
	mutex_unlock(&alloc->mutex);
}

/**
 * binder_alloc_mmap_handler() - map virtual address space for proc
 * @alloc: alloc structure for this proc
 * @vma: vma passed to mmap()
 *
 * Called by binder_mmap() to initialize the space specified in
 * vma for allocating binder buffers
 *
 * Return:
 *      0 = success
 *      -EBUSY = address space already mapped
 *      -ENOMEM = failed to map memory to given address space
 */
int binder_alloc_mmap_handler(struct binder_alloc *alloc,
			      struct vm_area_struct *vma)
{
	struct binder_buffer *buffer;
	const char *failure_string;
	int ret;

	if (unlikely(vma->vm_mm != alloc->mm)) {
		ret = -EINVAL;
		failure_string = "invalid vma->vm_mm";
		goto err_invalid_mm;
	}

	mutex_lock(&binder_alloc_mmap_lock);
	if (alloc->buffer_size) {
		ret = -EBUSY;
		failure_string = "already mapped";
		goto err_already_mapped;
	}
	alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start,
				   SZ_4M);
	mutex_unlock(&binder_alloc_mmap_lock);

	alloc->buffer = vma->vm_start;

	alloc->pages = kvcalloc(alloc->buffer_size / PAGE_SIZE,
				sizeof(alloc->pages[0]),
				GFP_KERNEL);
	if (!alloc->pages) {
		ret = -ENOMEM;
		failure_string = "alloc page array";
		goto err_alloc_pages_failed;
	}

	buffer = kzalloc(sizeof(*buffer), GFP_KERNEL);
	if (!buffer) {
		ret = -ENOMEM;
		failure_string = "alloc buffer struct";
		goto err_alloc_buf_struct_failed;
	}

	buffer->user_data = alloc->buffer;
	list_add(&buffer->entry, &alloc->buffers);
	buffer->free = 1;
	binder_insert_free_buffer(alloc, buffer);
	alloc->free_async_space = alloc->buffer_size / 2;

	/* Signal binder_alloc is fully initialized */
	binder_alloc_set_vma(alloc, vma);

	return 0;

err_alloc_buf_struct_failed:
	kvfree(alloc->pages);
	alloc->pages = NULL;
err_alloc_pages_failed:
	alloc->buffer = 0;
	mutex_lock(&binder_alloc_mmap_lock);
	alloc->buffer_size = 0;
err_already_mapped:
	mutex_unlock(&binder_alloc_mmap_lock);
err_invalid_mm:
	binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
			   "%s: %d %lx-%lx %s failed %d\n", __func__,
			   alloc->pid, vma->vm_start, vma->vm_end,
			   failure_string, ret);
	return ret;
}
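
/*
 * Tear down the allocator once the process is gone: free any remaining
 * buffers (zeroing those marked clear_on_free), release every installed
 * page and drop the reference on the owning mm.
 */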
void binder_alloc_deferred_release(struct binder_alloc *alloc)
{
	struct rb_node *n;
	int buffers, page_count;
	struct binder_buffer *buffer;

	buffers = 0;
	mutex_lock(&alloc->mutex);
	BUG_ON(alloc->vma);

	while ((n = rb_first(&alloc->allocated_buffers))) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);

		/* Transaction should already have been freed */
		BUG_ON(buffer->transaction);

		if (buffer->clear_on_free) {
			binder_alloc_clear_buf(alloc, buffer);
			buffer->clear_on_free = false;
		}
		binder_free_buf_locked(alloc, buffer);
		buffers++;
	}

	while (!list_empty(&alloc->buffers)) {
		buffer = list_first_entry(&alloc->buffers,
					  struct binder_buffer, entry);
		WARN_ON(!buffer->free);

		list_del(&buffer->entry);
		WARN_ON_ONCE(!list_empty(&alloc->buffers));
		kfree(buffer);
	}

	page_count = 0;
	if (alloc->pages) {
		int i;
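
		/*
		 * Every buffer has been freed above, so any page still
		 * installed is unused; remove it from the shrinker freelist
		 * if queued there and return it to the page allocator.
		 */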
		for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
			struct page *page;
			bool on_lru;

			page = binder_get_installed_page(alloc, i);
			if (!page)
				continue;

			on_lru = list_lru_del(&binder_freelist,
					      page_to_lru(page),
					      page_to_nid(page),
					      NULL);
			binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
					   "%s: %d: page %d %s\n",
					   __func__, alloc->pid, i,
					   on_lru ? "on lru" : "active");
			binder_free_page(page);
			page_count++;
		}
	}
	mutex_unlock(&alloc->mutex);
	kvfree(alloc->pages);
	if (alloc->mm)
		mmdrop(alloc->mm);

	binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE,
			   "%s: %d buffers %d, pages %d\n",
			   __func__, alloc->pid, buffers, page_count);
}

/**
 * binder_alloc_print_allocated() - print buffer info
 * @m: seq_file for output via seq_printf()
 * @alloc: binder_alloc for this proc
 *
 * Prints information about every buffer associated with
 * the binder_alloc state to the given seq_file
 */
void binder_alloc_print_allocated(struct seq_file *m,
				  struct binder_alloc *alloc)
{
	struct binder_buffer *buffer;
	struct rb_node *n;

	mutex_lock(&alloc->mutex);
	for (n = rb_first(&alloc->allocated_buffers); n; n = rb_next(n)) {
		buffer = rb_entry(n, struct binder_buffer, rb_node);
		seq_printf(m, " buffer %d: %lx size %zd:%zd:%zd %s\n",
			   buffer->debug_id,
			   buffer->user_data - alloc->buffer,
			   buffer->data_size, buffer->offsets_size,
			   buffer->extra_buffers_size,
			   buffer->transaction ? "active" : "delivered");
	}
	mutex_unlock(&alloc->mutex);
}

/**
 * binder_alloc_print_pages() - print page usage
 * @m: seq_file for output via seq_printf()
 * @alloc: binder_alloc for this proc
 */
void binder_alloc_print_pages(struct seq_file *m,
			      struct binder_alloc *alloc)
{
	struct page *page;
	int i;
	int active = 0;
	int lru = 0;
	int free = 0;

	mutex_lock(&alloc->mutex);
	/*
	 * Make sure the binder_alloc is fully initialized, otherwise we might
	 * read inconsistent state.
	 */
	if (binder_alloc_get_vma(alloc) != NULL) {
		for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
			page = binder_get_installed_page(alloc, i);
			if (!page)
				free++;
			else if (list_empty(page_to_lru(page)))
				active++;
			else
				lru++;
		}
	}
	mutex_unlock(&alloc->mutex);
	seq_printf(m, " pages: %d:%d:%d\n", active, lru, free);
	seq_printf(m, " pages high watermark: %zu\n", alloc->pages_high);
}

/**
 * binder_alloc_get_allocated_count() - return count of buffers
 * @alloc: binder_alloc for this proc
 *
 * Return: count of allocated buffers
 */
int binder_alloc_get_allocated_count(struct binder_alloc *alloc)
{
	struct rb_node *n;
	int count = 0;

	mutex_lock(&alloc->mutex);
	for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n))
		count++;
	mutex_unlock(&alloc->mutex);
	return count;
}

/**
 * binder_alloc_vma_close() - invalidate address space
 * @alloc: binder_alloc for this proc
 *
 * Called from binder_vma_close() when releasing address space.
 * Clears alloc->vma to prevent new incoming transactions from
 * allocating more buffers.
 */
void binder_alloc_vma_close(struct binder_alloc *alloc)
{
	binder_alloc_set_vma(alloc, NULL);
}

/**
 * binder_alloc_free_page() - shrinker callback to free pages
 * @item: item to free
 * @lru: list_lru instance of the item
 * @cb_arg: callback argument
 *
 * Called from list_lru_walk() in binder_shrink_scan() to free
 * up pages when the system is under memory pressure.
 */
enum lru_status binder_alloc_free_page(struct list_head *item,
				       struct list_lru_one *lru,
				       void *cb_arg)
	__must_hold(&lru->lock)
{
	struct binder_shrinker_mdata *mdata = container_of(item, typeof(*mdata), lru);
	struct binder_alloc *alloc = mdata->alloc;
	struct mm_struct *mm = alloc->mm;
	struct vm_area_struct *vma;
	struct page *page_to_free;
	unsigned long page_addr;
	size_t index;
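
	/*
	 * This runs in memory-reclaim context, so only trylock variants are
	 * used below; if the mmap lock or alloc->mutex is contended the page
	 * is skipped (LRU_SKIP) rather than blocking the shrinker.
	 */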
	if (!mmget_not_zero(mm))
		goto err_mmget;
	if (!mmap_read_trylock(mm))
		goto err_mmap_read_lock_failed;
	if (!mutex_trylock(&alloc->mutex))
		goto err_get_alloc_mutex_failed;

	index = mdata->page_index;
	page_addr = alloc->buffer + index * PAGE_SIZE;

	vma = vma_lookup(mm, page_addr);
	if (vma && vma != binder_alloc_get_vma(alloc))
		goto err_invalid_vma;

	trace_binder_unmap_kernel_start(alloc, index);

	page_to_free = alloc->pages[index];
	binder_set_installed_page(alloc, index, NULL);

	trace_binder_unmap_kernel_end(alloc, index);

	list_lru_isolate(lru, item);
	spin_unlock(&lru->lock);

	if (vma) {
		trace_binder_unmap_user_start(alloc, index);

		zap_page_range_single(vma, page_addr, PAGE_SIZE, NULL);

		trace_binder_unmap_user_end(alloc, index);
	}

	mutex_unlock(&alloc->mutex);
	mmap_read_unlock(mm);
	mmput_async(mm);
	binder_free_page(page_to_free);

	return LRU_REMOVED_RETRY;

err_invalid_vma:
	mutex_unlock(&alloc->mutex);
err_get_alloc_mutex_failed:
	mmap_read_unlock(mm);
err_mmap_read_lock_failed:
	mmput_async(mm);
err_mmget:
	return LRU_SKIP;
}

static unsigned long
binder_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
{
	return list_lru_count(&binder_freelist);
}

static unsigned long
binder_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
{
	return list_lru_walk(&binder_freelist, binder_alloc_free_page,
			     NULL, sc->nr_to_scan);
}

static struct shrinker *binder_shrinker;

/**
 * binder_alloc_init() - called by binder_open() for per-proc initialization
 * @alloc: binder_alloc for this proc
 *
 * Called from binder_open() to initialize binder_alloc fields for
 * new binder proc
 */
void binder_alloc_init(struct binder_alloc *alloc)
{
	alloc->pid = current->group_leader->pid;
	alloc->mm = current->mm;
	mmgrab(alloc->mm);
	mutex_init(&alloc->mutex);
	INIT_LIST_HEAD(&alloc->buffers);
}

int binder_alloc_shrinker_init(void)
{
	int ret;

	ret = list_lru_init(&binder_freelist);
	if (ret)
		return ret;

	binder_shrinker = shrinker_alloc(0, "android-binder");
	if (!binder_shrinker) {
		list_lru_destroy(&binder_freelist);
		return -ENOMEM;
	}

	binder_shrinker->count_objects = binder_shrink_count;
	binder_shrinker->scan_objects = binder_shrink_scan;
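
	/* Publish the shrinker only after both callbacks are set */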
	shrinker_register(binder_shrinker);

	return 0;
}

void binder_alloc_shrinker_exit(void)
{
	shrinker_free(binder_shrinker);
	list_lru_destroy(&binder_freelist);
}

/**
 * check_buffer() - verify that buffer/offset is safe to access
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @offset: offset into @buffer data
 * @bytes: bytes to access from offset
 *
 * Check that the @offset/@bytes are within the size of the given
 * @buffer and that the buffer is currently active and not freeable.
 * Offsets must also be multiples of sizeof(u32). The kernel is
 * allowed to touch the buffer in two cases:
 *
 * 1) when the buffer is being created:
 *     (buffer->free == 0 && buffer->allow_user_free == 0)
 * 2) when the buffer is being torn down:
 *     (buffer->free == 0 && buffer->transaction == NULL).
 *
 * Return: true if the buffer is safe to access
 */
static inline bool check_buffer(struct binder_alloc *alloc,
				struct binder_buffer *buffer,
				binder_size_t offset, size_t bytes)
{
	size_t buffer_size = binder_alloc_buffer_size(alloc, buffer);

	return buffer_size >= bytes &&
		offset <= buffer_size - bytes &&
		IS_ALIGNED(offset, sizeof(u32)) &&
		!buffer->free &&
		(!buffer->allow_user_free || !buffer->transaction);
}

/**
 * binder_alloc_copy_user_to_buffer() - copy src user to tgt user
 * @alloc: binder_alloc for this proc
 * @buffer: binder buffer to be accessed
 * @buffer_offset: offset into @buffer data
 * @from: userspace pointer to source buffer
 * @bytes: bytes to copy
 *
 * Copy bytes from source userspace to target buffer.
 *
 * Return: bytes remaining to be copied
 */
unsigned long
binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,
				 struct binder_buffer *buffer,
				 binder_size_t buffer_offset,
				 const void __user *from,
				 size_t bytes)
{
	if (!check_buffer(alloc, buffer, buffer_offset, bytes))
		return bytes;

	while (bytes) {
		unsigned long size;
		unsigned long ret;
		struct page *page;
		pgoff_t pgoff;
		void *kptr;

		page = binder_alloc_get_page(alloc, buffer,
					     buffer_offset, &pgoff);
		size = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		kptr = kmap_local_page(page) + pgoff;
		ret = copy_from_user(kptr, from, size);
		kunmap_local(kptr);
		if (ret)
			return bytes - size + ret;
		bytes -= size;
		from += size;
		buffer_offset += size;
	}
	return 0;
}
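
/*
 * Common helper for copies between a kernel buffer and a binder buffer,
 * walking the backing pages with memcpy_to_page()/memcpy_from_page().
 */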
static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
				       bool to_buffer,
				       struct binder_buffer *buffer,
				       binder_size_t buffer_offset,
				       void *ptr,
				       size_t bytes)
{
	/* All copies must be 32-bit aligned and 32-bit size */
	if (!check_buffer(alloc, buffer, buffer_offset, bytes))
		return -EINVAL;

	while (bytes) {
		unsigned long size;
		struct page *page;
		pgoff_t pgoff;

		page = binder_alloc_get_page(alloc, buffer,
					     buffer_offset, &pgoff);
		size = min_t(size_t, bytes, PAGE_SIZE - pgoff);
		if (to_buffer)
			memcpy_to_page(page, pgoff, ptr, size);
		else
			memcpy_from_page(ptr, page, pgoff, size);
		bytes -= size;
		pgoff = 0;
		ptr = ptr + size;
		buffer_offset += size;
	}
	return 0;
}

int binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
				struct binder_buffer *buffer,
				binder_size_t buffer_offset,
				void *src,
				size_t bytes)
{
	return binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset,
					   src, bytes);
}

int binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
				  void *dest,
				  struct binder_buffer *buffer,
				  binder_size_t buffer_offset,
				  size_t bytes)
{
	return binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset,
					   dest, bytes);
}