mirror of
https://github.com/hardkernel/linux.git
synced 2026-04-03 03:33:01 +09:00
8549cdc1dd
PD#SWPL-8572 Problems: based on android platfrom, each process may allocate 1MB vmalloc memory space for IPC. But most process don't use full memory range of vmalloc space. It's a waste of memory space and may cause driver can't work normal based on 32bit kernel Soluton: On kernel 4.19, google have fixed it, so we need back porting following changes: Squashed commit of the following: commit b12a56e5342e15e99b0fb07c67dfce0891ba2f6b Author: Todd Kjos <tkjos@google.com> Date: Tue Mar 19 09:53:01 2019 -0700 FROMGIT: binder: fix BUG_ON found by selinux-testsuite The selinux-testsuite found an issue resulting in a BUG_ON() where a conditional relied on a size_t going negative when checking the validity of a buffer offset. (cherry picked from commit5997da8214git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-linus) Bug: 67668716 Change-Id: Ib3b408717141deadddcb6b95ad98c0b97d9d98ea Fixes:7a67a39320("binder: add function to copy binder object from buffer") Reported-by: Paul Moore <paul@paul-moore.com> Tested-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Todd Kjos <tkjos@google.com> commit 5b28e504d93a5f1efc074dd7cdcadc07293bb783 Author: Todd Kjos <tkjos@android.com> Date: Thu Feb 14 15:22:57 2019 -0800 UPSTREAM: binder: fix handling of misaligned binder object Fixes crash found by syzbot: kernel BUG at drivers/android/binder_alloc.c:LINE! (2) (cherry pick from commit26528be672) Bug: 67668716 Reported-and-tested-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ib8597dd05a158f78503d4affe6c5f46ded16a811 commit e110c3b44e437bad09f76c2b42f23dcad898f57d Author: Todd Kjos <tkjos@android.com> Date: Wed Feb 13 11:48:53 2019 -0800 UPSTREAM: binder: fix sparse issue in binder_alloc_selftest.c Fixes sparse issues reported by the kbuild test robot running on https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-testing:bde4a19fc0("binder: use userspace pointer as base of buffer space") Error output (drivers/android/binder_alloc_selftest.c): sparse: warning: incorrect type in assignment (different address spaces) sparse: expected void *page_addr sparse: got void [noderef] <asn:1> *user_data sparse: error: subtraction of different types can't work Fixed by adding necessary "__user" tags. (cherry pick from commit36f3093792) Bug: 67668716 Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ia0a16d163251381d4bc04f46a44dddbc18b10a85 commit 9f6fd7733286f1af04d153c9d3a050ca2615b3cc Author: Todd Kjos <tkjos@android.com> Date: Fri Feb 8 10:35:20 2019 -0800 BACKPORT: binder: use userspace pointer as base of buffer space Now that alloc->buffer points to the userspace vm_area rename buffer->data to buffer->user_data and rename local pointers that hold user addresses. Also use the "__user" tag to annotate all user pointers so sparse can flag cases where user pointer vaues are copied to kernel pointers. Refactor code to use offsets instead of user pointers. (cherry pick from commitbde4a19fc0) Bug: 67668716 Change-Id: I9d04b844c5994d1f6214da795799e6b373bc9816 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit 194d8606b011657ce30bf0c240a5adcad0691201 Author: Todd Kjos <tkjos@android.com> Date: Wed Dec 5 15:19:25 2018 -0800 UPSTREAM: binder: fix kerneldoc header for struct binder_buffer Fix the incomplete kerneldoc header for struct binder_buffer. (cherry pick from commit7a2670a5bc) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I6bb942e6a9466b02653349943524462f205af839 commit 55cb58623a60d48678d8eb74e1cabe7744ed62c2 Author: Todd Kjos <tkjos@android.com> Date: Fri Feb 8 10:35:19 2019 -0800 BACKPORT: binder: remove user_buffer_offset Remove user_buffer_offset since there is no kernel buffer pointer anymore. (cherry pick from commitc41358a5f5) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I399219867704dc5013453a7738193c742fc970ad commit 3301f77efa9d99e742e5642243b891e014becf17 Author: Todd Kjos <tkjos@android.com> Date: Fri Feb 8 10:35:18 2019 -0800 UPSTREAM: binder: remove kernel vm_area for buffer space Remove the kernel's vm_area and the code that maps buffer pages into it. (cherry pick from commit880211667b) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I2595bb8416c2bbfcf97ad3d7380ae94e29c209fb commit 628c27a60665f15984364f6c0a1bda03473b3a78 Author: Todd Kjos <tkjos@android.com> Date: Fri Feb 8 10:35:17 2019 -0800 UPSTREAM: binder: avoid kernel vm_area for buffer fixups Refactor the functions to validate and fixup struct binder_buffer pointer objects to avoid using vm_area pointers. Instead copy to/from kernel space using binder_alloc_copy_to_buffer() and binder_alloc_copy_from_buffer(). The following functions were refactored: refactor binder_validate_ptr() binder_validate_fixup() binder_fixup_parent() (cherry pick from commitdb6b0b810b) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ic222af9b6c56bf48fd0b65debe981d19a7809e77 commit ed39057090cc4a95c318bafcd97f418da56e3867 Author: Todd Kjos <tkjos@android.com> Date: Fri Feb 8 10:35:16 2019 -0800 BACKPORT: binder: add function to copy binder object from buffer When creating or tearing down a transaction, the binder driver examines objects in the buffer and takes appropriate action. To do this without needing to dereference pointers into the buffer, the local copies of the objects are needed. This patch introduces a function to validate and copy binder objects from the buffer to a local structure. (cherry pick from commit7a67a39320) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I42dfe238a2d20bdeff479068ca87a80e4577e64a commit 01f8f48c56b53faf1c795112f451a032a0d00b75 Author: Todd Kjos <tkjos@android.com> Date: Fri Feb 8 10:35:15 2019 -0800 BACKPORT: binder: add functions to copy to/from binder buffers Avoid vm_area when copying to or from binder buffers. Instead, new copy functions are added that copy from kernel space to binder buffer space. These use kmap_atomic() and kunmap_atomic() to create temporary mappings and then memcpy() is used to copy within that page. Also, kmap_atomic() / kunmap_atomic() use the appropriate cache flushing to support VIVT cache architectures. Allow binder to build if CPU_CACHE_VIVT is defined. Several uses of the new functions are added here. More to follow in subsequent patches. (cherry picked from commit8ced0c6231) Bug: 67668716 Change-Id: I6a93d2396d0a80c352a1d563fc7fb523a753e38c Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit bfc28d4c046d2a1aea5db66508e7fbb65a31a4a9 Author: Todd Kjos <tkjos@android.com> Date: Fri Feb 8 10:35:14 2019 -0800 UPSTREAM: binder: create userspace-to-binder-buffer copy function The binder driver uses a vm_area to map the per-process binder buffer space. For 32-bit android devices, this is now taking too much vmalloc space. This patch removes the use of vm_area when copying the transaction data from the sender to the buffer space. Instead of using copy_from_user() for multi-page copies, it now uses binder_alloc_copy_user_to_buffer() which uses kmap() and kunmap() to map each page, and uses copy_from_user() for copying to that page. (cherry picked from1a7c3d9bb7) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I59ff83455984fce4626476e30601ed8b99858a92 commit 89a1a65d35200d8ca94c865f061f11af41a8ced7 Author: Todd Kjos <tkjos@android.com> Date: Mon Jan 14 09:10:21 2019 -0800 FROMGIT: binder: create node flag to request sender's security context To allow servers to verify client identity, allow a node flag to be set that causes the sender's security context to be delivered with the transaction. The BR_TRANSACTION command is extended in BR_TRANSACTION_SEC_CTX to contain a pointer to the security context string. Signed-off-by: Todd Kjos <tkjos@google.com> Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commitec74136dedhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master) Change-Id: I44496546e2d0dc0022f818a45cd52feb1c1a92cb Signed-off-by: Todd Kjos <tkjos@google.com> commit 4afd6d2498ecd54e4211c6e47d8956a686a52ee3 Author: Todd Kjos <tkjos@android.com> Date: Wed Dec 5 15:19:26 2018 -0800 UPSTREAM: binder: filter out nodes when showing binder procs When dumping out binder transactions via a debug node, the output is too verbose if a process has many nodes. Change the output for transaction dumps to only display nodes with pending async transactions. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commitecd589d8f5) Bug: 112037142 Change-Id: Iaa76ebdc844037ce1ee3bf2e590676790a959cef commit 72e3c1d60a499bfa547d962a150082f47bfb16af Author: Todd Kjos <tkjos@android.com> Date: Tue Nov 6 15:55:32 2018 -0800 binder: fix race that allows malicious free of live buffer commit7bada55ab5upstream. Malicious code can attempt to free buffers using the BC_FREE_BUFFER ioctl to binder. There are protections against a user freeing a buffer while in use by the kernel, however there was a window where BC_FREE_BUFFER could be used to free a recently allocated buffer that was not completely initialized. This resulted in a use-after-free detected by KASAN with a malicious test program. This window is closed by setting the buffer's allow_user_free attribute to 0 when the buffer is allocated or when the user has previously freed it instead of waiting for the caller to set it. The problem was that when the struct buffer was recycled, allow_user_free was stale and set to 1 allowing a free to go through. Signed-off-by: Todd Kjos <tkjos@google.com> Acked-by: Arve Hjønnevåg <arve@android.com> Cc: stable <stable@vger.kernel.org> # 4.14 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit c7940ee7e55f4caec80ab646b7f9d495ee2677c6 Author: Martijn Coenen <maco@android.com> Date: Sat Aug 25 13:50:56 2018 -0700 UPSTREAM: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl. This allows the context manager to retrieve information about nodes that it holds a reference to, such as the current number of references to those nodes. Such information can for example be used to determine whether the servicemanager is the only process holding a reference to a node. This information can then be passed on to the process holding the node, which can in turn decide whether it wants to shut down to reduce resource usage. Bug: 79983843 Change-Id: I21e52ed1ca2137f7bfdc0300365fb1285b7e3d70 Signed-off-by: Martijn Coenen <maco@android.com> commit afd02b5ead68a94eb6bf1bf5234271687d7eb461 Author: Minchan Kim <minchan@kernel.org> Date: Thu Aug 23 14:29:56 2018 +0900 android: binder: fix the race mmap and alloc_new_buf_locked There is RaceFuzzer report like below because we have no lock to close below the race between binder_mmap and binder_alloc_new_buf_locked. To close the race, let's use memory barrier so that if someone see alloc->vma is not NULL, alloc->vma_vm_mm should be never NULL. (I didn't add stable mark intentionallybecause standard android userspace libraries that interact with binder (libbinder & libhwbinder) prevent the mmap/ioctl race. - from Todd) " Thread interleaving: CPU0 (binder_alloc_mmap_handler) CPU1 (binder_alloc_new_buf_locked) ===== ===== // drivers/android/binder_alloc.c // #L718 (v4.18-rc3) alloc->vma = vma; // drivers/android/binder_alloc.c // #L346 (v4.18-rc3) if (alloc->vma == NULL) { ... // alloc->vma is not NULL at this point return ERR_PTR(-ESRCH); } ... // #L438 binder_update_page_range(alloc, 0, (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr); // In binder_update_page_range() #L218 // But still alloc->vma_vm_mm is NULL here if (need_mm && mmget_not_zero(alloc->vma_vm_mm)) alloc->vma_vm_mm = vma->vm_mm; Crash Log: ================================================================== BUG: KASAN: null-ptr-deref in __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline] BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:533 [inline] BUG: KASAN: null-ptr-deref in mmget_not_zero include/linux/sched/mm.h:75 [inline] BUG: KASAN: null-ptr-deref in binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218 Write of size 4 at addr 0000000000000058 by task syz-executor0/11184 CPU: 1 PID: 11184 Comm: syz-executor0 Not tainted 4.18.0-rc3 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16e/0x22c lib/dump_stack.c:113 kasan_report_error mm/kasan/report.c:352 [inline] kasan_report+0x163/0x380 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x140/0x1a0 mm/kasan/kasan.c:267 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278 __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline] atomic_add_unless include/linux/atomic.h:533 [inline] mmget_not_zero include/linux/sched/mm.h:75 [inline] binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218 binder_alloc_new_buf_locked drivers/android/binder_alloc.c:443 [inline] binder_alloc_new_buf+0x467/0xc30 drivers/android/binder_alloc.c:513 binder_transaction+0x125b/0x4fb0 drivers/android/binder.c:2957 binder_thread_write+0xc08/0x2770 drivers/android/binder.c:3528 binder_ioctl_write_read.isra.39+0x24f/0x8e0 drivers/android/binder.c:4456 binder_ioctl+0xa86/0xf34 drivers/android/binder.c:4596 vfs_ioctl fs/ioctl.c:46 [inline] do_vfs_ioctl+0x154/0xd40 fs/ioctl.c:686 ksys_ioctl+0x94/0xb0 fs/ioctl.c:701 __do_sys_ioctl fs/ioctl.c:708 [inline] __se_sys_ioctl fs/ioctl.c:706 [inline] __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:706 do_syscall_64+0x167/0x4b0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe " Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Minchan Kim <minchan@kernel.org> Reviewed-by: Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit 3ed5fd0f095e9d6fe5f33f909165a8cd596e8b46 Author: Sherry Yang <sherryy@android.com> Date: Tue Aug 7 12:57:13 2018 -0700 android: binder: Rate-limit debug and userspace triggered err msgs Use rate-limited debug messages where userspace can trigger excessive log spams. Acked-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Sherry Yang <sherryy@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit 8129fb3ee7af23a888383aa23647c9d576ecdfef Author: Sherry Yang <sherryy@android.com> Date: Thu Jul 26 17:17:17 2018 -0700 android: binder: Show extra_buffers_size in trace Add extra_buffers_size to the binder_transaction_alloc_buf tracepoint. Acked-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Sherry Yang <sherryy@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit 3b0bbcb65457ddec6fbee72bb26002e2bba16089 Author: Guenter Roeck <linux@roeck-us.net> Date: Mon Jul 23 14:41:38 2018 -0700 android: binder: Include asm/cacheflush.h after linux/ include files If asm/cacheflush.h is included first, the following build warnings are seen with sparc32 builds. In file included from arch/sparc/include/asm/cacheflush.h:11:0, from drivers/android/binder.c:54: arch/sparc/include/asm/cacheflush_32.h:40:37: warning: 'struct page' declared inside parameter list will not be visible outside of this definition or declaration Moving the asm/ include after linux/ includes solves the problem. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit e8a4948f49629c6ab122339f46908884d55ca7e9 Author: Guenter Roeck <linux@roeck-us.net> Date: Mon Jul 23 14:47:23 2018 -0700 android: binder_alloc: Include asm/cacheflush.h after linux/ include files If asm/cacheflush.h is included first, the following build warnings are seen with sparc32 builds. In file included from ./arch/sparc/include/asm/cacheflush.h:11:0, from drivers/android/binder_alloc.c:20: ./arch/sparc/include/asm/cacheflush_32.h:40:37: warning: 'struct page' declared inside parameter list Moving the asm/ include after linux/ includes fixes the problem. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit 8cae6730ef318700ab3a0db3ef43ee6a5e5856c8 Author: Geert Uytterhoeven <geert@linux-m68k.org> Date: Wed Jun 6 14:40:56 2018 +0200 android: binder: Drop dependency on !M68K As of commit7124330dab("m68k/uaccess: Revive 64-bit get_user()"), the 64-bit Android binder interface builds fine on m68k. Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> verify: p212 Change-Id: I1bac2c5345bcac64a3890f1688c1ecc4a3654a79 Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
543 lines
16 KiB
C
543 lines
16 KiB
C
/*
|
|
* Copyright (C) 2008 Google, Inc.
|
|
*
|
|
* Based on, but no longer compatible with, the original
|
|
* OpenBinder.org binder driver interface, which is:
|
|
*
|
|
* Copyright (c) 2005 Palmsource, Inc.
|
|
*
|
|
* This software is licensed under the terms of the GNU General Public
|
|
* License version 2, as published by the Free Software Foundation, and
|
|
* may be copied, distributed, and modified under those terms.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
*/
|
|
|
|
#ifndef _UAPI_LINUX_BINDER_H
|
|
#define _UAPI_LINUX_BINDER_H
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/ioctl.h>
|
|
|
|
#define B_PACK_CHARS(c1, c2, c3, c4) \
|
|
((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4))
|
|
#define B_TYPE_LARGE 0x85
|
|
|
|
enum {
|
|
BINDER_TYPE_BINDER = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE),
|
|
BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE),
|
|
BINDER_TYPE_HANDLE = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),
|
|
BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),
|
|
BINDER_TYPE_FD = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),
|
|
BINDER_TYPE_FDA = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE),
|
|
BINDER_TYPE_PTR = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE),
|
|
};
|
|
|
|
/**
|
|
* enum flat_binder_object_shifts: shift values for flat_binder_object_flags
|
|
* @FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT: shift for getting scheduler policy.
|
|
*
|
|
*/
|
|
enum flat_binder_object_shifts {
|
|
FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT = 9,
|
|
};
|
|
|
|
/**
|
|
* enum flat_binder_object_flags - flags for use in flat_binder_object.flags
|
|
*/
|
|
enum flat_binder_object_flags {
|
|
/**
|
|
* @FLAT_BINDER_FLAG_PRIORITY_MASK: bit-mask for min scheduler priority
|
|
*
|
|
* These bits can be used to set the minimum scheduler priority
|
|
* at which transactions into this node should run. Valid values
|
|
* in these bits depend on the scheduler policy encoded in
|
|
* @FLAT_BINDER_FLAG_SCHED_POLICY_MASK.
|
|
*
|
|
* For SCHED_NORMAL/SCHED_BATCH, the valid range is between [-20..19]
|
|
* For SCHED_FIFO/SCHED_RR, the value can run between [1..99]
|
|
*/
|
|
FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff,
|
|
/**
|
|
* @FLAT_BINDER_FLAG_ACCEPTS_FDS: whether the node accepts fds.
|
|
*/
|
|
FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100,
|
|
/**
|
|
* @FLAT_BINDER_FLAG_SCHED_POLICY_MASK: bit-mask for scheduling policy
|
|
*
|
|
* These two bits can be used to set the min scheduling policy at which
|
|
* transactions on this node should run. These match the UAPI
|
|
* scheduler policy values, eg:
|
|
* 00b: SCHED_NORMAL
|
|
* 01b: SCHED_FIFO
|
|
* 10b: SCHED_RR
|
|
* 11b: SCHED_BATCH
|
|
*/
|
|
FLAT_BINDER_FLAG_SCHED_POLICY_MASK =
|
|
3U << FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT,
|
|
|
|
/**
|
|
* @FLAT_BINDER_FLAG_INHERIT_RT: whether the node inherits RT policy
|
|
*
|
|
* Only when set, calls into this node will inherit a real-time
|
|
* scheduling policy from the caller (for synchronous transactions).
|
|
*/
|
|
FLAT_BINDER_FLAG_INHERIT_RT = 0x800,
|
|
|
|
/**
|
|
* @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
|
|
*
|
|
* Only when set, causes senders to include their security
|
|
* context
|
|
*/
|
|
FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000,
|
|
};
|
|
|
|
#ifdef BINDER_IPC_32BIT
|
|
typedef __u32 binder_size_t;
|
|
typedef __u32 binder_uintptr_t;
|
|
#else
|
|
typedef __u64 binder_size_t;
|
|
typedef __u64 binder_uintptr_t;
|
|
#endif
|
|
|
|
/**
|
|
* struct binder_object_header - header shared by all binder metadata objects.
|
|
* @type: type of the object
|
|
*/
|
|
struct binder_object_header {
|
|
__u32 type;
|
|
};
|
|
|
|
/*
|
|
* This is the flattened representation of a Binder object for transfer
|
|
* between processes. The 'offsets' supplied as part of a binder transaction
|
|
* contains offsets into the data where these structures occur. The Binder
|
|
* driver takes care of re-writing the structure type and data as it moves
|
|
* between processes.
|
|
*/
|
|
struct flat_binder_object {
|
|
struct binder_object_header hdr;
|
|
__u32 flags;
|
|
|
|
/* 8 bytes of data. */
|
|
union {
|
|
binder_uintptr_t binder; /* local object */
|
|
__u32 handle; /* remote object */
|
|
};
|
|
|
|
/* extra data associated with local object */
|
|
binder_uintptr_t cookie;
|
|
};
|
|
|
|
/**
|
|
* struct binder_fd_object - describes a filedescriptor to be fixed up.
|
|
* @hdr: common header structure
|
|
* @pad_flags: padding to remain compatible with old userspace code
|
|
* @pad_binder: padding to remain compatible with old userspace code
|
|
* @fd: file descriptor
|
|
* @cookie: opaque data, used by user-space
|
|
*/
|
|
struct binder_fd_object {
|
|
struct binder_object_header hdr;
|
|
__u32 pad_flags;
|
|
union {
|
|
binder_uintptr_t pad_binder;
|
|
__u32 fd;
|
|
};
|
|
|
|
binder_uintptr_t cookie;
|
|
};
|
|
|
|
/* struct binder_buffer_object - object describing a userspace buffer
|
|
* @hdr: common header structure
|
|
* @flags: one or more BINDER_BUFFER_* flags
|
|
* @buffer: address of the buffer
|
|
* @length: length of the buffer
|
|
* @parent: index in offset array pointing to parent buffer
|
|
* @parent_offset: offset in @parent pointing to this buffer
|
|
*
|
|
* A binder_buffer object represents an object that the
|
|
* binder kernel driver can copy verbatim to the target
|
|
* address space. A buffer itself may be pointed to from
|
|
* within another buffer, meaning that the pointer inside
|
|
* that other buffer needs to be fixed up as well. This
|
|
* can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
|
|
* flag in @flags, by setting @parent buffer to the index
|
|
* in the offset array pointing to the parent binder_buffer_object,
|
|
* and by setting @parent_offset to the offset in the parent buffer
|
|
* at which the pointer to this buffer is located.
|
|
*/
|
|
struct binder_buffer_object {
|
|
struct binder_object_header hdr;
|
|
__u32 flags;
|
|
binder_uintptr_t buffer;
|
|
binder_size_t length;
|
|
binder_size_t parent;
|
|
binder_size_t parent_offset;
|
|
};
|
|
|
|
enum {
|
|
BINDER_BUFFER_FLAG_HAS_PARENT = 0x01,
|
|
};
|
|
|
|
/* struct binder_fd_array_object - object describing an array of fds in a buffer
|
|
* @hdr: common header structure
|
|
* @pad: padding to ensure correct alignment
|
|
* @num_fds: number of file descriptors in the buffer
|
|
* @parent: index in offset array to buffer holding the fd array
|
|
* @parent_offset: start offset of fd array in the buffer
|
|
*
|
|
* A binder_fd_array object represents an array of file
|
|
* descriptors embedded in a binder_buffer_object. It is
|
|
* different from a regular binder_buffer_object because it
|
|
* describes a list of file descriptors to fix up, not an opaque
|
|
* blob of memory, and hence the kernel needs to treat it differently.
|
|
*
|
|
* An example of how this would be used is with Android's
|
|
* native_handle_t object, which is a struct with a list of integers
|
|
* and a list of file descriptors. The native_handle_t struct itself
|
|
* will be represented by a struct binder_buffer_objct, whereas the
|
|
* embedded list of file descriptors is represented by a
|
|
* struct binder_fd_array_object with that binder_buffer_object as
|
|
* a parent.
|
|
*/
|
|
struct binder_fd_array_object {
|
|
struct binder_object_header hdr;
|
|
__u32 pad;
|
|
binder_size_t num_fds;
|
|
binder_size_t parent;
|
|
binder_size_t parent_offset;
|
|
};
|
|
|
|
/*
|
|
* On 64-bit platforms where user code may run in 32-bits the driver must
|
|
* translate the buffer (and local binder) addresses appropriately.
|
|
*/
|
|
|
|
struct binder_write_read {
|
|
binder_size_t write_size; /* bytes to write */
|
|
binder_size_t write_consumed; /* bytes consumed by driver */
|
|
binder_uintptr_t write_buffer;
|
|
binder_size_t read_size; /* bytes to read */
|
|
binder_size_t read_consumed; /* bytes consumed by driver */
|
|
binder_uintptr_t read_buffer;
|
|
};
|
|
|
|
/* Use with BINDER_VERSION, driver fills in fields. */
|
|
struct binder_version {
|
|
/* driver protocol version -- increment with incompatible change */
|
|
__s32 protocol_version;
|
|
};
|
|
|
|
/* This is the current protocol version. */
|
|
#ifdef BINDER_IPC_32BIT
|
|
#define BINDER_CURRENT_PROTOCOL_VERSION 7
|
|
#else
|
|
#define BINDER_CURRENT_PROTOCOL_VERSION 8
|
|
#endif
|
|
|
|
/*
|
|
* Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
|
|
* Set ptr to NULL for the first call to get the info for the first node, and
|
|
* then repeat the call passing the previously returned value to get the next
|
|
* nodes. ptr will be 0 when there are no more nodes.
|
|
*/
|
|
struct binder_node_debug_info {
|
|
binder_uintptr_t ptr;
|
|
binder_uintptr_t cookie;
|
|
__u32 has_strong_ref;
|
|
__u32 has_weak_ref;
|
|
};
|
|
|
|
struct binder_node_info_for_ref {
|
|
__u32 handle;
|
|
__u32 strong_count;
|
|
__u32 weak_count;
|
|
__u32 reserved1;
|
|
__u32 reserved2;
|
|
__u32 reserved3;
|
|
};
|
|
|
|
#define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read)
|
|
#define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, __s64)
|
|
#define BINDER_SET_MAX_THREADS _IOW('b', 5, __u32)
|
|
#define BINDER_SET_IDLE_PRIORITY _IOW('b', 6, __s32)
|
|
#define BINDER_SET_CONTEXT_MGR _IOW('b', 7, __s32)
|
|
#define BINDER_THREAD_EXIT _IOW('b', 8, __s32)
|
|
#define BINDER_VERSION _IOWR('b', 9, struct binder_version)
|
|
#define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info)
|
|
#define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref)
|
|
#define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object)
|
|
|
|
/*
|
|
* NOTE: Two special error codes you should check for when calling
|
|
* in to the driver are:
|
|
*
|
|
* EINTR -- The operation has been interupted. This should be
|
|
* handled by retrying the ioctl() until a different error code
|
|
* is returned.
|
|
*
|
|
* ECONNREFUSED -- The driver is no longer accepting operations
|
|
* from your process. That is, the process is being destroyed.
|
|
* You should handle this by exiting from your process. Note
|
|
* that once this error code is returned, all further calls to
|
|
* the driver from any thread will return this same code.
|
|
*/
|
|
|
|
enum transaction_flags {
|
|
TF_ONE_WAY = 0x01, /* this is a one-way call: async, no return */
|
|
TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */
|
|
TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */
|
|
TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */
|
|
};
|
|
|
|
struct binder_transaction_data {
|
|
/* The first two are only used for bcTRANSACTION and brTRANSACTION,
|
|
* identifying the target and contents of the transaction.
|
|
*/
|
|
union {
|
|
/* target descriptor of command transaction */
|
|
__u32 handle;
|
|
/* target descriptor of return transaction */
|
|
binder_uintptr_t ptr;
|
|
} target;
|
|
binder_uintptr_t cookie; /* target object cookie */
|
|
__u32 code; /* transaction command */
|
|
|
|
/* General information about the transaction. */
|
|
__u32 flags;
|
|
pid_t sender_pid;
|
|
uid_t sender_euid;
|
|
binder_size_t data_size; /* number of bytes of data */
|
|
binder_size_t offsets_size; /* number of bytes of offsets */
|
|
|
|
/* If this transaction is inline, the data immediately
|
|
* follows here; otherwise, it ends with a pointer to
|
|
* the data buffer.
|
|
*/
|
|
union {
|
|
struct {
|
|
/* transaction data */
|
|
binder_uintptr_t buffer;
|
|
/* offsets from buffer to flat_binder_object structs */
|
|
binder_uintptr_t offsets;
|
|
} ptr;
|
|
__u8 buf[8];
|
|
} data;
|
|
};
|
|
|
|
struct binder_transaction_data_secctx {
|
|
struct binder_transaction_data transaction_data;
|
|
binder_uintptr_t secctx;
|
|
};
|
|
|
|
struct binder_transaction_data_sg {
|
|
struct binder_transaction_data transaction_data;
|
|
binder_size_t buffers_size;
|
|
};
|
|
|
|
struct binder_ptr_cookie {
|
|
binder_uintptr_t ptr;
|
|
binder_uintptr_t cookie;
|
|
};
|
|
|
|
struct binder_handle_cookie {
|
|
__u32 handle;
|
|
binder_uintptr_t cookie;
|
|
} __packed;
|
|
|
|
struct binder_pri_desc {
|
|
__s32 priority;
|
|
__u32 desc;
|
|
};
|
|
|
|
struct binder_pri_ptr_cookie {
|
|
__s32 priority;
|
|
binder_uintptr_t ptr;
|
|
binder_uintptr_t cookie;
|
|
};
|
|
|
|
enum binder_driver_return_protocol {
|
|
BR_ERROR = _IOR('r', 0, __s32),
|
|
/*
|
|
* int: error code
|
|
*/
|
|
|
|
BR_OK = _IO('r', 1),
|
|
/* No parameters! */
|
|
|
|
BR_TRANSACTION_SEC_CTX = _IOR('r', 2,
|
|
struct binder_transaction_data_secctx),
|
|
/*
|
|
* binder_transaction_data_secctx: the received command.
|
|
*/
|
|
BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data),
|
|
BR_REPLY = _IOR('r', 3, struct binder_transaction_data),
|
|
/*
|
|
* binder_transaction_data: the received command.
|
|
*/
|
|
|
|
BR_ACQUIRE_RESULT = _IOR('r', 4, __s32),
|
|
/*
|
|
* not currently supported
|
|
* int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
|
|
* Else the remote object has acquired a primary reference.
|
|
*/
|
|
|
|
BR_DEAD_REPLY = _IO('r', 5),
|
|
/*
|
|
* The target of the last transaction (either a bcTRANSACTION or
|
|
* a bcATTEMPT_ACQUIRE) is no longer with us. No parameters.
|
|
*/
|
|
|
|
BR_TRANSACTION_COMPLETE = _IO('r', 6),
|
|
/*
|
|
* No parameters... always refers to the last transaction requested
|
|
* (including replies). Note that this will be sent even for
|
|
* asynchronous transactions.
|
|
*/
|
|
|
|
BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie),
|
|
BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie),
|
|
BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie),
|
|
BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie),
|
|
/*
|
|
* void *: ptr to binder
|
|
* void *: cookie for binder
|
|
*/
|
|
|
|
BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie),
|
|
/*
|
|
* not currently supported
|
|
* int: priority
|
|
* void *: ptr to binder
|
|
* void *: cookie for binder
|
|
*/
|
|
|
|
BR_NOOP = _IO('r', 12),
|
|
/*
|
|
* No parameters. Do nothing and examine the next command. It exists
|
|
* primarily so that we can replace it with a BR_SPAWN_LOOPER command.
|
|
*/
|
|
|
|
BR_SPAWN_LOOPER = _IO('r', 13),
|
|
/*
|
|
* No parameters. The driver has determined that a process has no
|
|
* threads waiting to service incoming transactions. When a process
|
|
* receives this command, it must spawn a new service thread and
|
|
* register it via bcENTER_LOOPER.
|
|
*/
|
|
|
|
BR_FINISHED = _IO('r', 14),
|
|
/*
|
|
* not currently supported
|
|
* stop threadpool thread
|
|
*/
|
|
|
|
BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t),
|
|
/*
|
|
* void *: cookie
|
|
*/
|
|
BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t),
|
|
/*
|
|
* void *: cookie
|
|
*/
|
|
|
|
BR_FAILED_REPLY = _IO('r', 17),
|
|
/*
|
|
* The the last transaction (either a bcTRANSACTION or
|
|
* a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters.
|
|
*/
|
|
};
|
|
|
|
enum binder_driver_command_protocol {
|
|
BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data),
|
|
BC_REPLY = _IOW('c', 1, struct binder_transaction_data),
|
|
/*
|
|
* binder_transaction_data: the sent command.
|
|
*/
|
|
|
|
BC_ACQUIRE_RESULT = _IOW('c', 2, __s32),
|
|
/*
|
|
* not currently supported
|
|
* int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful.
|
|
* Else you have acquired a primary reference on the object.
|
|
*/
|
|
|
|
BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t),
|
|
/*
|
|
* void *: ptr to transaction data received on a read
|
|
*/
|
|
|
|
BC_INCREFS = _IOW('c', 4, __u32),
|
|
BC_ACQUIRE = _IOW('c', 5, __u32),
|
|
BC_RELEASE = _IOW('c', 6, __u32),
|
|
BC_DECREFS = _IOW('c', 7, __u32),
|
|
/*
|
|
* int: descriptor
|
|
*/
|
|
|
|
BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie),
|
|
BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie),
|
|
/*
|
|
* void *: ptr to binder
|
|
* void *: cookie for binder
|
|
*/
|
|
|
|
BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc),
|
|
/*
|
|
* not currently supported
|
|
* int: priority
|
|
* int: descriptor
|
|
*/
|
|
|
|
BC_REGISTER_LOOPER = _IO('c', 11),
|
|
/*
|
|
* No parameters.
|
|
* Register a spawned looper thread with the device.
|
|
*/
|
|
|
|
BC_ENTER_LOOPER = _IO('c', 12),
|
|
BC_EXIT_LOOPER = _IO('c', 13),
|
|
/*
|
|
* No parameters.
|
|
* These two commands are sent as an application-level thread
|
|
* enters and exits the binder loop, respectively. They are
|
|
* used so the binder can have an accurate count of the number
|
|
* of looping threads it has available.
|
|
*/
|
|
|
|
BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14,
|
|
struct binder_handle_cookie),
|
|
/*
|
|
* int: handle
|
|
* void *: cookie
|
|
*/
|
|
|
|
BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15,
|
|
struct binder_handle_cookie),
|
|
/*
|
|
* int: handle
|
|
* void *: cookie
|
|
*/
|
|
|
|
BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t),
|
|
/*
|
|
* void *: cookie
|
|
*/
|
|
|
|
BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg),
|
|
BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg),
|
|
/*
|
|
* binder_transaction_data_sg: the sent command.
|
|
*/
|
|
};
|
|
|
|
#endif /* _UAPI_LINUX_BINDER_H */
|
|
|