1 /* 2 * Copyright (C) 2008 Google, Inc. 3 * 4 * Based on, but no longer compatible with, the original 5 * OpenBinder.org binder driver interface, which is: 6 * 7 * Copyright (c) 2005 Palmsource, Inc. 8 * 9 * This software is licensed under the terms of the GNU General Public 10 * License version 2, as published by the Free Software Foundation, and 11 * may be copied, distributed, and modified under those terms. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 */ 19 20 #ifndef _UAPI_LINUX_BINDER_H 21 #define _UAPI_LINUX_BINDER_H 22 23 #include <linux/types.h> 24 #include <linux/ioctl.h> 25 26 #define B_PACK_CHARS(c1, c2, c3, c4) \ 27 ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4)) 28 #define B_TYPE_LARGE 0x85 29 30 enum { 31 BINDER_TYPE_BINDER = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE), 32 BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE), 33 BINDER_TYPE_HANDLE = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE), 34 BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE), 35 BINDER_TYPE_FD = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE), 36 BINDER_TYPE_FDA = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE), 37 BINDER_TYPE_PTR = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE), 38 }; 39 40 enum { 41 FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff, 42 FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100, 43 }; 44 45 #ifdef BINDER_IPC_32BIT 46 typedef __u32 binder_size_t; 47 typedef __u32 binder_uintptr_t; 48 #else 49 typedef __u64 binder_size_t; 50 typedef __u64 binder_uintptr_t; 51 #endif 52 53 /** 54 * struct binder_object_header - header shared by all binder metadata objects. 55 * @type: type of the object 56 */ 57 struct binder_object_header { 58 __u32 type; 59 }; 60 61 /* 62 * This is the flattened representation of a Binder object for transfer 63 * between processes. The 'offsets' supplied as part of a binder transaction 64 * contains offsets into the data where these structures occur. The Binder 65 * driver takes care of re-writing the structure type and data as it moves 66 * between processes. 67 */ 68 struct flat_binder_object { 69 struct binder_object_header hdr; 70 __u32 flags; 71 72 /* 8 bytes of data. */ 73 union { 74 binder_uintptr_t binder; /* local object */ 75 __u32 handle; /* remote object */ 76 }; 77 78 /* extra data associated with local object */ 79 binder_uintptr_t cookie; 80 }; 81 82 /** 83 * struct binder_fd_object - describes a filedescriptor to be fixed up. 84 * @hdr: common header structure 85 * @pad_flags: padding to remain compatible with old userspace code 86 * @pad_binder: padding to remain compatible with old userspace code 87 * @fd: file descriptor 88 * @cookie: opaque data, used by user-space 89 */ 90 struct binder_fd_object { 91 struct binder_object_header hdr; 92 __u32 pad_flags; 93 union { 94 binder_uintptr_t pad_binder; 95 __u32 fd; 96 }; 97 98 binder_uintptr_t cookie; 99 }; 100 101 /* struct binder_buffer_object - object describing a userspace buffer 102 * @hdr: common header structure 103 * @flags: one or more BINDER_BUFFER_* flags 104 * @buffer: address of the buffer 105 * @length: length of the buffer 106 * @parent: index in offset array pointing to parent buffer 107 * @parent_offset: offset in @parent pointing to this buffer 108 * 109 * A binder_buffer object represents an object that the 110 * binder kernel driver can copy verbatim to the target 111 * address space. A buffer itself may be pointed to from 112 * within another buffer, meaning that the pointer inside 113 * that other buffer needs to be fixed up as well. This 114 * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT 115 * flag in @flags, by setting @parent buffer to the index 116 * in the offset array pointing to the parent binder_buffer_object, 117 * and by setting @parent_offset to the offset in the parent buffer 118 * at which the pointer to this buffer is located. 119 */ 120 struct binder_buffer_object { 121 struct binder_object_header hdr; 122 __u32 flags; 123 binder_uintptr_t buffer; 124 binder_size_t length; 125 binder_size_t parent; 126 binder_size_t parent_offset; 127 }; 128 129 enum { 130 BINDER_BUFFER_FLAG_HAS_PARENT = 0x01, 131 }; 132 133 /* struct binder_fd_array_object - object describing an array of fds in a buffer 134 * @hdr: common header structure 135 * @pad: padding to ensure correct alignment 136 * @num_fds: number of file descriptors in the buffer 137 * @parent: index in offset array to buffer holding the fd array 138 * @parent_offset: start offset of fd array in the buffer 139 * 140 * A binder_fd_array object represents an array of file 141 * descriptors embedded in a binder_buffer_object. It is 142 * different from a regular binder_buffer_object because it 143 * describes a list of file descriptors to fix up, not an opaque 144 * blob of memory, and hence the kernel needs to treat it differently. 145 * 146 * An example of how this would be used is with Android's 147 * native_handle_t object, which is a struct with a list of integers 148 * and a list of file descriptors. The native_handle_t struct itself 149 * will be represented by a struct binder_buffer_objct, whereas the 150 * embedded list of file descriptors is represented by a 151 * struct binder_fd_array_object with that binder_buffer_object as 152 * a parent. 153 */ 154 struct binder_fd_array_object { 155 struct binder_object_header hdr; 156 __u32 pad; 157 binder_size_t num_fds; 158 binder_size_t parent; 159 binder_size_t parent_offset; 160 }; 161 162 /* 163 * On 64-bit platforms where user code may run in 32-bits the driver must 164 * translate the buffer (and local binder) addresses appropriately. 165 */ 166 167 struct binder_write_read { 168 binder_size_t write_size; /* bytes to write */ 169 binder_size_t write_consumed; /* bytes consumed by driver */ 170 binder_uintptr_t write_buffer; 171 binder_size_t read_size; /* bytes to read */ 172 binder_size_t read_consumed; /* bytes consumed by driver */ 173 binder_uintptr_t read_buffer; 174 }; 175 176 /* Use with BINDER_VERSION, driver fills in fields. */ 177 struct binder_version { 178 /* driver protocol version -- increment with incompatible change */ 179 __s32 protocol_version; 180 }; 181 182 /* This is the current protocol version. */ 183 #ifdef BINDER_IPC_32BIT 184 #define BINDER_CURRENT_PROTOCOL_VERSION 7 185 #else 186 #define BINDER_CURRENT_PROTOCOL_VERSION 8 187 #endif 188 189 #define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read) 190 #define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, __s64) 191 #define BINDER_SET_MAX_THREADS _IOW('b', 5, __u32) 192 #define BINDER_SET_IDLE_PRIORITY _IOW('b', 6, __s32) 193 #define BINDER_SET_CONTEXT_MGR _IOW('b', 7, __s32) 194 #define BINDER_THREAD_EXIT _IOW('b', 8, __s32) 195 #define BINDER_VERSION _IOWR('b', 9, struct binder_version) 196 197 /* 198 * NOTE: Two special error codes you should check for when calling 199 * in to the driver are: 200 * 201 * EINTR -- The operation has been interupted. This should be 202 * handled by retrying the ioctl() until a different error code 203 * is returned. 204 * 205 * ECONNREFUSED -- The driver is no longer accepting operations 206 * from your process. That is, the process is being destroyed. 207 * You should handle this by exiting from your process. Note 208 * that once this error code is returned, all further calls to 209 * the driver from any thread will return this same code. 210 */ 211 212 enum transaction_flags { 213 TF_ONE_WAY = 0x01, /* this is a one-way call: async, no return */ 214 TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */ 215 TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */ 216 TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */ 217 }; 218 219 struct binder_transaction_data { 220 /* The first two are only used for bcTRANSACTION and brTRANSACTION, 221 * identifying the target and contents of the transaction. 222 */ 223 union { 224 /* target descriptor of command transaction */ 225 __u32 handle; 226 /* target descriptor of return transaction */ 227 binder_uintptr_t ptr; 228 } target; 229 binder_uintptr_t cookie; /* target object cookie */ 230 __u32 code; /* transaction command */ 231 232 /* General information about the transaction. */ 233 __u32 flags; 234 pid_t sender_pid; 235 uid_t sender_euid; 236 binder_size_t data_size; /* number of bytes of data */ 237 binder_size_t offsets_size; /* number of bytes of offsets */ 238 239 /* If this transaction is inline, the data immediately 240 * follows here; otherwise, it ends with a pointer to 241 * the data buffer. 242 */ 243 union { 244 struct { 245 /* transaction data */ 246 binder_uintptr_t buffer; 247 /* offsets from buffer to flat_binder_object structs */ 248 binder_uintptr_t offsets; 249 } ptr; 250 __u8 buf[8]; 251 } data; 252 }; 253 254 struct binder_transaction_data_sg { 255 struct binder_transaction_data transaction_data; 256 binder_size_t buffers_size; 257 }; 258 259 struct binder_ptr_cookie { 260 binder_uintptr_t ptr; 261 binder_uintptr_t cookie; 262 }; 263 264 struct binder_handle_cookie { 265 __u32 handle; 266 binder_uintptr_t cookie; 267 } __packed; 268 269 struct binder_pri_desc { 270 __s32 priority; 271 __u32 desc; 272 }; 273 274 struct binder_pri_ptr_cookie { 275 __s32 priority; 276 binder_uintptr_t ptr; 277 binder_uintptr_t cookie; 278 }; 279 280 enum binder_driver_return_protocol { 281 BR_ERROR = _IOR('r', 0, __s32), 282 /* 283 * int: error code 284 */ 285 286 BR_OK = _IO('r', 1), 287 /* No parameters! */ 288 289 BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data), 290 BR_REPLY = _IOR('r', 3, struct binder_transaction_data), 291 /* 292 * binder_transaction_data: the received command. 293 */ 294 295 BR_ACQUIRE_RESULT = _IOR('r', 4, __s32), 296 /* 297 * not currently supported 298 * int: 0 if the last bcATTEMPT_ACQUIRE was not successful. 299 * Else the remote object has acquired a primary reference. 300 */ 301 302 BR_DEAD_REPLY = _IO('r', 5), 303 /* 304 * The target of the last transaction (either a bcTRANSACTION or 305 * a bcATTEMPT_ACQUIRE) is no longer with us. No parameters. 306 */ 307 308 BR_TRANSACTION_COMPLETE = _IO('r', 6), 309 /* 310 * No parameters... always refers to the last transaction requested 311 * (including replies). Note that this will be sent even for 312 * asynchronous transactions. 313 */ 314 315 BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie), 316 BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie), 317 BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie), 318 BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie), 319 /* 320 * void *: ptr to binder 321 * void *: cookie for binder 322 */ 323 324 BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie), 325 /* 326 * not currently supported 327 * int: priority 328 * void *: ptr to binder 329 * void *: cookie for binder 330 */ 331 332 BR_NOOP = _IO('r', 12), 333 /* 334 * No parameters. Do nothing and examine the next command. It exists 335 * primarily so that we can replace it with a BR_SPAWN_LOOPER command. 336 */ 337 338 BR_SPAWN_LOOPER = _IO('r', 13), 339 /* 340 * No parameters. The driver has determined that a process has no 341 * threads waiting to service incoming transactions. When a process 342 * receives this command, it must spawn a new service thread and 343 * register it via bcENTER_LOOPER. 344 */ 345 346 BR_FINISHED = _IO('r', 14), 347 /* 348 * not currently supported 349 * stop threadpool thread 350 */ 351 352 BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t), 353 /* 354 * void *: cookie 355 */ 356 BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t), 357 /* 358 * void *: cookie 359 */ 360 361 BR_FAILED_REPLY = _IO('r', 17), 362 /* 363 * The the last transaction (either a bcTRANSACTION or 364 * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters. 365 */ 366 }; 367 368 enum binder_driver_command_protocol { 369 BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data), 370 BC_REPLY = _IOW('c', 1, struct binder_transaction_data), 371 /* 372 * binder_transaction_data: the sent command. 373 */ 374 375 BC_ACQUIRE_RESULT = _IOW('c', 2, __s32), 376 /* 377 * not currently supported 378 * int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful. 379 * Else you have acquired a primary reference on the object. 380 */ 381 382 BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t), 383 /* 384 * void *: ptr to transaction data received on a read 385 */ 386 387 BC_INCREFS = _IOW('c', 4, __u32), 388 BC_ACQUIRE = _IOW('c', 5, __u32), 389 BC_RELEASE = _IOW('c', 6, __u32), 390 BC_DECREFS = _IOW('c', 7, __u32), 391 /* 392 * int: descriptor 393 */ 394 395 BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie), 396 BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie), 397 /* 398 * void *: ptr to binder 399 * void *: cookie for binder 400 */ 401 402 BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc), 403 /* 404 * not currently supported 405 * int: priority 406 * int: descriptor 407 */ 408 409 BC_REGISTER_LOOPER = _IO('c', 11), 410 /* 411 * No parameters. 412 * Register a spawned looper thread with the device. 413 */ 414 415 BC_ENTER_LOOPER = _IO('c', 12), 416 BC_EXIT_LOOPER = _IO('c', 13), 417 /* 418 * No parameters. 419 * These two commands are sent as an application-level thread 420 * enters and exits the binder loop, respectively. They are 421 * used so the binder can have an accurate count of the number 422 * of looping threads it has available. 423 */ 424 425 BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14, 426 struct binder_handle_cookie), 427 /* 428 * int: handle 429 * void *: cookie 430 */ 431 432 BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15, 433 struct binder_handle_cookie), 434 /* 435 * int: handle 436 * void *: cookie 437 */ 438 439 BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t), 440 /* 441 * void *: cookie 442 */ 443 444 BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg), 445 BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg), 446 /* 447 * binder_transaction_data_sg: the sent command. 448 */ 449 }; 450 451 #endif /* _UAPI_LINUX_BINDER_H */ 452 453