search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'io_uring-6.11-20240802' of git://git.kernel.dk/linux
[linux.git] / drivers / android / binder_internal.h
blob7d4fc53f7a732cddd52b6db3655ca3f1a5b3c759
1 /* SPDX-License-Identifier: GPL-2.0 */
2
3 #ifndef _LINUX_BINDER_INTERNAL_H
4 #define _LINUX_BINDER_INTERNAL_H
5
6 #include <linux/export.h>
7 #include <linux/fs.h>
8 #include <linux/list.h>
9 #include <linux/miscdevice.h>
10 #include <linux/mutex.h>
11 #include <linux/refcount.h>
12 #include <linux/stddef.h>
13 #include <linux/types.h>
14 #include <linux/uidgid.h>
15 #include <uapi/linux/android/binderfs.h>
16 #include "binder_alloc.h"
17 #include "dbitmap.h"
18
19 struct binder_context {
20 struct binder_node *binder_context_mgr_node;
21 struct mutex context_mgr_node_lock;
22 kuid_t binder_context_mgr_uid;
23 const char *name;
24 };
25
26 /**
27 * struct binder_device - information about a binder device node
28 * @hlist: list of binder devices (only used for devices requested via
29 * CONFIG_ANDROID_BINDER_DEVICES)
30 * @miscdev: information about a binder character device node
31 * @context: binder context information
32 * @binderfs_inode: This is the inode of the root dentry of the super block
33 * belonging to a binderfs mount.
34 */
35 struct binder_device {
36 struct hlist_node hlist;
37 struct miscdevice miscdev;
38 struct binder_context context;
39 struct inode *binderfs_inode;
40 refcount_t ref;
41 };
42
43 /**
44 * binderfs_mount_opts - mount options for binderfs
45 * @max: maximum number of allocatable binderfs binder devices
46 * @stats_mode: enable binder stats in binderfs.
47 */
48 struct binderfs_mount_opts {
49 int max;
50 int stats_mode;
51 };
52
53 /**
54 * binderfs_info - information about a binderfs mount
55 * @ipc_ns: The ipc namespace the binderfs mount belongs to.
56 * @control_dentry: This records the dentry of this binderfs mount
57 * binder-control device.
58 * @root_uid: uid that needs to be used when a new binder device is
59 * created.
60 * @root_gid: gid that needs to be used when a new binder device is
61 * created.
62 * @mount_opts: The mount options in use.
63 * @device_count: The current number of allocated binder devices.
64 * @proc_log_dir: Pointer to the directory dentry containing process-specific
65 * logs.
66 */
67 struct binderfs_info {
68 struct ipc_namespace *ipc_ns;
69 struct dentry *control_dentry;
70 kuid_t root_uid;
71 kgid_t root_gid;
72 struct binderfs_mount_opts mount_opts;
73 int device_count;
74 struct dentry *proc_log_dir;
75 };
76
77 extern const struct file_operations binder_fops;
78
79 extern char *binder_devices_param;
80
81 #ifdef CONFIG_ANDROID_BINDERFS
82 extern bool is_binderfs_device(const struct inode *inode);
83 extern struct dentry *binderfs_create_file(struct dentry *dir, const char *name,
84 const struct file_operations *fops,
85 void *data);
86 extern void binderfs_remove_file(struct dentry *dentry);
87 #else
88 static inline bool is_binderfs_device(const struct inode *inode)
89 {
90 return false;
91 }
92 static inline struct dentry *binderfs_create_file(struct dentry *dir,
93 const char *name,
94 const struct file_operations *fops,
95 void *data)
96 {
97 return NULL;
98 }
99 static inline void binderfs_remove_file(struct dentry *dentry) {}
100 #endif
101
102 #ifdef CONFIG_ANDROID_BINDERFS
103 extern int __init init_binderfs(void);
104 #else
105 static inline int __init init_binderfs(void)
106 {
107 return 0;
108 }
109 #endif
110
111 struct binder_debugfs_entry {
112 const char *name;
113 umode_t mode;
114 const struct file_operations *fops;
115 void *data;
116 };
117
118 extern const struct binder_debugfs_entry binder_debugfs_entries[];
119
120 #define binder_for_each_debugfs_entry(entry) \
121 for ((entry) = binder_debugfs_entries; \
122 (entry)->name; \
123 (entry)++)
124
125 enum binder_stat_types {
126 BINDER_STAT_PROC,
127 BINDER_STAT_THREAD,
128 BINDER_STAT_NODE,
129 BINDER_STAT_REF,
130 BINDER_STAT_DEATH,
131 BINDER_STAT_TRANSACTION,
132 BINDER_STAT_TRANSACTION_COMPLETE,
133 BINDER_STAT_COUNT
134 };
135
136 struct binder_stats {
137 atomic_t br[_IOC_NR(BR_TRANSACTION_PENDING_FROZEN) + 1];
138 atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1];
139 atomic_t obj_created[BINDER_STAT_COUNT];
140 atomic_t obj_deleted[BINDER_STAT_COUNT];
141 };
142
143 /**
144 * struct binder_work - work enqueued on a worklist
145 * @entry: node enqueued on list
146 * @type: type of work to be performed
147 *
148 * There are separate work lists for proc, thread, and node (async).
149 */
150 struct binder_work {
151 struct list_head entry;
152
153 enum binder_work_type {
154 BINDER_WORK_TRANSACTION = 1,
155 BINDER_WORK_TRANSACTION_COMPLETE,
156 BINDER_WORK_TRANSACTION_PENDING,
157 BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT,
158 BINDER_WORK_RETURN_ERROR,
159 BINDER_WORK_NODE,
160 BINDER_WORK_DEAD_BINDER,
161 BINDER_WORK_DEAD_BINDER_AND_CLEAR,
162 BINDER_WORK_CLEAR_DEATH_NOTIFICATION,
163 } type;
164 };
165
166 struct binder_error {
167 struct binder_work work;
168 uint32_t cmd;
169 };
170
171 /**
172 * struct binder_node - binder node bookkeeping
173 * @debug_id: unique ID for debugging
174 * (invariant after initialized)
175 * @lock: lock for node fields
176 * @work: worklist element for node work
177 * (protected by @proc->inner_lock)
178 * @rb_node: element for proc->nodes tree
179 * (protected by @proc->inner_lock)
180 * @dead_node: element for binder_dead_nodes list
181 * (protected by binder_dead_nodes_lock)
182 * @proc: binder_proc that owns this node
183 * (invariant after initialized)
184 * @refs: list of references on this node
185 * (protected by @lock)
186 * @internal_strong_refs: used to take strong references when
187 * initiating a transaction
188 * (protected by @proc->inner_lock if @proc
189 * and by @lock)
190 * @local_weak_refs: weak user refs from local process
191 * (protected by @proc->inner_lock if @proc
192 * and by @lock)
193 * @local_strong_refs: strong user refs from local process
194 * (protected by @proc->inner_lock if @proc
195 * and by @lock)
196 * @tmp_refs: temporary kernel refs
197 * (protected by @proc->inner_lock while @proc
198 * is valid, and by binder_dead_nodes_lock
199 * if @proc is NULL. During inc/dec and node release
200 * it is also protected by @lock to provide safety
201 * as the node dies and @proc becomes NULL)
202 * @ptr: userspace pointer for node
203 * (invariant, no lock needed)
204 * @cookie: userspace cookie for node
205 * (invariant, no lock needed)
206 * @has_strong_ref: userspace notified of strong ref
207 * (protected by @proc->inner_lock if @proc
208 * and by @lock)
209 * @pending_strong_ref: userspace has acked notification of strong ref
210 * (protected by @proc->inner_lock if @proc
211 * and by @lock)
212 * @has_weak_ref: userspace notified of weak ref
213 * (protected by @proc->inner_lock if @proc
214 * and by @lock)
215 * @pending_weak_ref: userspace has acked notification of weak ref
216 * (protected by @proc->inner_lock if @proc
217 * and by @lock)
218 * @has_async_transaction: async transaction to node in progress
219 * (protected by @lock)
220 * @accept_fds: file descriptor operations supported for node
221 * (invariant after initialized)
222 * @min_priority: minimum scheduling priority
223 * (invariant after initialized)
224 * @txn_security_ctx: require sender's security context
225 * (invariant after initialized)
226 * @async_todo: list of async work items
227 * (protected by @proc->inner_lock)
228 *
229 * Bookkeeping structure for binder nodes.
230 */
231 struct binder_node {
232 int debug_id;
233 spinlock_t lock;
234 struct binder_work work;
235 union {
236 struct rb_node rb_node;
237 struct hlist_node dead_node;
238 };
239 struct binder_proc *proc;
240 struct hlist_head refs;
241 int internal_strong_refs;
242 int local_weak_refs;
243 int local_strong_refs;
244 int tmp_refs;
245 binder_uintptr_t ptr;
246 binder_uintptr_t cookie;
247 struct {
248 /*
249 * bitfield elements protected by
250 * proc inner_lock
251 */
252 u8 has_strong_ref:1;
253 u8 pending_strong_ref:1;
254 u8 has_weak_ref:1;
255 u8 pending_weak_ref:1;
256 };
257 struct {
258 /*
259 * invariant after initialization
260 */
261 u8 accept_fds:1;
262 u8 txn_security_ctx:1;
263 u8 min_priority;
264 };
265 bool has_async_transaction;
266 struct list_head async_todo;
267 };
268
269 struct binder_ref_death {
270 /**
271 * @work: worklist element for death notifications
272 * (protected by inner_lock of the proc that
273 * this ref belongs to)
274 */
275 struct binder_work work;
276 binder_uintptr_t cookie;
277 };
278
279 /**
280 * struct binder_ref_data - binder_ref counts and id
281 * @debug_id: unique ID for the ref
282 * @desc: unique userspace handle for ref
283 * @strong: strong ref count (debugging only if not locked)
284 * @weak: weak ref count (debugging only if not locked)
285 *
286 * Structure to hold ref count and ref id information. Since
287 * the actual ref can only be accessed with a lock, this structure
288 * is used to return information about the ref to callers of
289 * ref inc/dec functions.
290 */
291 struct binder_ref_data {
292 int debug_id;
293 uint32_t desc;
294 int strong;
295 int weak;
296 };
297
298 /**
299 * struct binder_ref - struct to track references on nodes
300 * @data: binder_ref_data containing id, handle, and current refcounts
301 * @rb_node_desc: node for lookup by @data.desc in proc's rb_tree
302 * @rb_node_node: node for lookup by @node in proc's rb_tree
303 * @node_entry: list entry for node->refs list in target node
304 * (protected by @node->lock)
305 * @proc: binder_proc containing ref
306 * @node: binder_node of target node. When cleaning up a
307 * ref for deletion in binder_cleanup_ref, a non-NULL
308 * @node indicates the node must be freed
309 * @death: pointer to death notification (ref_death) if requested
310 * (protected by @node->lock)
311 *
312 * Structure to track references from procA to target node (on procB). This
313 * structure is unsafe to access without holding @proc->outer_lock.
314 */
315 struct binder_ref {
316 /* Lookups needed: */
317 /* node + proc => ref (transaction) */
318 /* desc + proc => ref (transaction, inc/dec ref) */
319 /* node => refs + procs (proc exit) */
320 struct binder_ref_data data;
321 struct rb_node rb_node_desc;
322 struct rb_node rb_node_node;
323 struct hlist_node node_entry;
324 struct binder_proc *proc;
325 struct binder_node *node;
326 struct binder_ref_death *death;
327 };
328
329 /**
330 * struct binder_proc - binder process bookkeeping
331 * @proc_node: element for binder_procs list
332 * @threads: rbtree of binder_threads in this proc
333 * (protected by @inner_lock)
334 * @nodes: rbtree of binder nodes associated with
335 * this proc ordered by node->ptr
336 * (protected by @inner_lock)
337 * @refs_by_desc: rbtree of refs ordered by ref->desc
338 * (protected by @outer_lock)
339 * @refs_by_node: rbtree of refs ordered by ref->node
340 * (protected by @outer_lock)
341 * @waiting_threads: threads currently waiting for proc work
342 * (protected by @inner_lock)
343 * @pid PID of group_leader of process
344 * (invariant after initialized)
345 * @tsk task_struct for group_leader of process
346 * (invariant after initialized)
347 * @cred struct cred associated with the `struct file`
348 * in binder_open()
349 * (invariant after initialized)
350 * @deferred_work_node: element for binder_deferred_list
351 * (protected by binder_deferred_lock)
352 * @deferred_work: bitmap of deferred work to perform
353 * (protected by binder_deferred_lock)
354 * @outstanding_txns: number of transactions to be transmitted before
355 * processes in freeze_wait are woken up
356 * (protected by @inner_lock)
357 * @is_dead: process is dead and awaiting free
358 * when outstanding transactions are cleaned up
359 * (protected by @inner_lock)
360 * @is_frozen: process is frozen and unable to service
361 * binder transactions
362 * (protected by @inner_lock)
363 * @sync_recv: process received sync transactions since last frozen
364 * bit 0: received sync transaction after being frozen
365 * bit 1: new pending sync transaction during freezing
366 * (protected by @inner_lock)
367 * @async_recv: process received async transactions since last frozen
368 * (protected by @inner_lock)
369 * @freeze_wait: waitqueue of processes waiting for all outstanding
370 * transactions to be processed
371 * (protected by @inner_lock)
372 * @dmap dbitmap to manage available reference descriptors
373 * (protected by @outer_lock)
374 * @todo: list of work for this process
375 * (protected by @inner_lock)
376 * @stats: per-process binder statistics
377 * (atomics, no lock needed)
378 * @delivered_death: list of delivered death notification
379 * (protected by @inner_lock)
380 * @max_threads: cap on number of binder threads
381 * (protected by @inner_lock)
382 * @requested_threads: number of binder threads requested but not
383 * yet started. In current implementation, can
384 * only be 0 or 1.
385 * (protected by @inner_lock)
386 * @requested_threads_started: number binder threads started
387 * (protected by @inner_lock)
388 * @tmp_ref: temporary reference to indicate proc is in use
389 * (protected by @inner_lock)
390 * @default_priority: default scheduler priority
391 * (invariant after initialized)
392 * @debugfs_entry: debugfs node
393 * @alloc: binder allocator bookkeeping
394 * @context: binder_context for this proc
395 * (invariant after initialized)
396 * @inner_lock: can nest under outer_lock and/or node lock
397 * @outer_lock: no nesting under innor or node lock
398 * Lock order: 1) outer, 2) node, 3) inner
399 * @binderfs_entry: process-specific binderfs log file
400 * @oneway_spam_detection_enabled: process enabled oneway spam detection
401 * or not
402 *
403 * Bookkeeping structure for binder processes
404 */
405 struct binder_proc {
406 struct hlist_node proc_node;
407 struct rb_root threads;
408 struct rb_root nodes;
409 struct rb_root refs_by_desc;
410 struct rb_root refs_by_node;
411 struct list_head waiting_threads;
412 int pid;
413 struct task_struct *tsk;
414 const struct cred *cred;
415 struct hlist_node deferred_work_node;
416 int deferred_work;
417 int outstanding_txns;
418 bool is_dead;
419 bool is_frozen;
420 bool sync_recv;
421 bool async_recv;
422 wait_queue_head_t freeze_wait;
423 struct dbitmap dmap;
424 struct list_head todo;
425 struct binder_stats stats;
426 struct list_head delivered_death;
427 u32 max_threads;
428 int requested_threads;
429 int requested_threads_started;
430 int tmp_ref;
431 long default_priority;
432 struct dentry *debugfs_entry;
433 struct binder_alloc alloc;
434 struct binder_context *context;
435 spinlock_t inner_lock;
436 spinlock_t outer_lock;
437 struct dentry *binderfs_entry;
438 bool oneway_spam_detection_enabled;
439 };
440
441 /**
442 * struct binder_thread - binder thread bookkeeping
443 * @proc: binder process for this thread
444 * (invariant after initialization)
445 * @rb_node: element for proc->threads rbtree
446 * (protected by @proc->inner_lock)
447 * @waiting_thread_node: element for @proc->waiting_threads list
448 * (protected by @proc->inner_lock)
449 * @pid: PID for this thread
450 * (invariant after initialization)
451 * @looper: bitmap of looping state
452 * (only accessed by this thread)
453 * @looper_needs_return: looping thread needs to exit driver
454 * (no lock needed)
455 * @transaction_stack: stack of in-progress transactions for this thread
456 * (protected by @proc->inner_lock)
457 * @todo: list of work to do for this thread
458 * (protected by @proc->inner_lock)
459 * @process_todo: whether work in @todo should be processed
460 * (protected by @proc->inner_lock)
461 * @return_error: transaction errors reported by this thread
462 * (only accessed by this thread)
463 * @reply_error: transaction errors reported by target thread
464 * (protected by @proc->inner_lock)
465 * @ee: extended error information from this thread
466 * (protected by @proc->inner_lock)
467 * @wait: wait queue for thread work
468 * @stats: per-thread statistics
469 * (atomics, no lock needed)
470 * @tmp_ref: temporary reference to indicate thread is in use
471 * (atomic since @proc->inner_lock cannot
472 * always be acquired)
473 * @is_dead: thread is dead and awaiting free
474 * when outstanding transactions are cleaned up
475 * (protected by @proc->inner_lock)
476 *
477 * Bookkeeping structure for binder threads.
478 */
479 struct binder_thread {
480 struct binder_proc *proc;
481 struct rb_node rb_node;
482 struct list_head waiting_thread_node;
483 int pid;
484 int looper; /* only modified by this thread */
485 bool looper_need_return; /* can be written by other thread */
486 struct binder_transaction *transaction_stack;
487 struct list_head todo;
488 bool process_todo;
489 struct binder_error return_error;
490 struct binder_error reply_error;
491 struct binder_extended_error ee;
492 wait_queue_head_t wait;
493 struct binder_stats stats;
494 atomic_t tmp_ref;
495 bool is_dead;
496 };
497
498 /**
499 * struct binder_txn_fd_fixup - transaction fd fixup list element
500 * @fixup_entry: list entry
501 * @file: struct file to be associated with new fd
502 * @offset: offset in buffer data to this fixup
503 * @target_fd: fd to use by the target to install @file
504 *
505 * List element for fd fixups in a transaction. Since file
506 * descriptors need to be allocated in the context of the
507 * target process, we pass each fd to be processed in this
508 * struct.
509 */
510 struct binder_txn_fd_fixup {
511 struct list_head fixup_entry;
512 struct file *file;
513 size_t offset;
514 int target_fd;
515 };
516
517 struct binder_transaction {
518 int debug_id;
519 struct binder_work work;
520 struct binder_thread *from;
521 pid_t from_pid;
522 pid_t from_tid;
523 struct binder_transaction *from_parent;
524 struct binder_proc *to_proc;
525 struct binder_thread *to_thread;
526 struct binder_transaction *to_parent;
527 unsigned need_reply:1;
528 /* unsigned is_dead:1; */ /* not used at the moment */
529
530 struct binder_buffer *buffer;
531 unsigned int code;
532 unsigned int flags;
533 long priority;
534 long saved_priority;
535 kuid_t sender_euid;
536 ktime_t start_time;
537 struct list_head fd_fixups;
538 binder_uintptr_t security_ctx;
539 /**
540 * @lock: protects @from, @to_proc, and @to_thread
541 *
542 * @from, @to_proc, and @to_thread can be set to NULL
543 * during thread teardown
544 */
545 spinlock_t lock;
546 };
547
548 /**
549 * struct binder_object - union of flat binder object types
550 * @hdr: generic object header
551 * @fbo: binder object (nodes and refs)
552 * @fdo: file descriptor object
553 * @bbo: binder buffer pointer
554 * @fdao: file descriptor array
555 *
556 * Used for type-independent object copies
557 */
558 struct binder_object {
559 union {
560 struct binder_object_header hdr;
561 struct flat_binder_object fbo;
562 struct binder_fd_object fdo;
563 struct binder_buffer_object bbo;
564 struct binder_fd_array_object fdao;
565 };
566 };
567
568 #endif /* _LINUX_BINDER_INTERNAL_H */
Linux Kernel