1 /* SPDX-License-Identifier: GPL-2.0 */
3 #ifndef _LINUX_BINDER_INTERNAL_H
4 #define _LINUX_BINDER_INTERNAL_H
6 #include <linux/export.h>
8 #include <linux/list.h>
9 #include <linux/miscdevice.h>
10 #include <linux/mutex.h>
11 #include <linux/refcount.h>
12 #include <linux/stddef.h>
13 #include <linux/types.h>
14 #include <linux/uidgid.h>
15 #include <uapi/linux/android/binderfs.h>
16 #include "binder_alloc.h"
18 struct binder_context {
19 struct binder_node *binder_context_mgr_node;
20 struct mutex context_mgr_node_lock;
21 kuid_t binder_context_mgr_uid;
26 * struct binder_device - information about a binder device node
27 * @hlist: list of binder devices (only used for devices requested via
28 * CONFIG_ANDROID_BINDER_DEVICES)
29 * @miscdev: information about a binder character device node
30 * @context: binder context information
31 * @binderfs_inode: This is the inode of the root dentry of the super block
32 * belonging to a binderfs mount.
34 struct binder_device {
35 struct hlist_node hlist;
36 struct miscdevice miscdev;
37 struct binder_context context;
38 struct inode *binderfs_inode;
43 * binderfs_mount_opts - mount options for binderfs
44 * @max: maximum number of allocatable binderfs binder devices
45 * @stats_mode: enable binder stats in binderfs.
47 struct binderfs_mount_opts {
53 * binderfs_info - information about a binderfs mount
54 * @ipc_ns: The ipc namespace the binderfs mount belongs to.
55 * @control_dentry: This records the dentry of this binderfs mount
56 * binder-control device.
57 * @root_uid: uid that needs to be used when a new binder device is
59 * @root_gid: gid that needs to be used when a new binder device is
61 * @mount_opts: The mount options in use.
62 * @device_count: The current number of allocated binder devices.
63 * @proc_log_dir: Pointer to the directory dentry containing process-specific
66 struct binderfs_info {
67 struct ipc_namespace *ipc_ns;
68 struct dentry *control_dentry;
71 struct binderfs_mount_opts mount_opts;
73 struct dentry *proc_log_dir;
76 extern const struct file_operations binder_fops;
78 extern char *binder_devices_param;
80 #ifdef CONFIG_ANDROID_BINDERFS
81 extern bool is_binderfs_device(const struct inode *inode);
82 extern struct dentry *binderfs_create_file(struct dentry *dir, const char *name,
83 const struct file_operations *fops,
85 extern void binderfs_remove_file(struct dentry *dentry);
87 static inline bool is_binderfs_device(const struct inode *inode)
91 static inline struct dentry *binderfs_create_file(struct dentry *dir,
93 const struct file_operations *fops,
98 static inline void binderfs_remove_file(struct dentry *dentry) {}
101 #ifdef CONFIG_ANDROID_BINDERFS
102 extern int __init init_binderfs(void);
104 static inline int __init init_binderfs(void)
110 int binder_stats_show(struct seq_file *m, void *unused);
111 DEFINE_SHOW_ATTRIBUTE(binder_stats);
113 int binder_state_show(struct seq_file *m, void *unused);
114 DEFINE_SHOW_ATTRIBUTE(binder_state);
116 int binder_transactions_show(struct seq_file *m, void *unused);
117 DEFINE_SHOW_ATTRIBUTE(binder_transactions);
119 int binder_transaction_log_show(struct seq_file *m, void *unused);
120 DEFINE_SHOW_ATTRIBUTE(binder_transaction_log);
122 struct binder_transaction_log_entry {
134 int return_error_line;
135 uint32_t return_error;
136 uint32_t return_error_param;
137 char context_name[BINDERFS_MAX_NAME + 1];
140 struct binder_transaction_log {
143 struct binder_transaction_log_entry entry[32];
146 enum binder_stat_types {
152 BINDER_STAT_TRANSACTION,
153 BINDER_STAT_TRANSACTION_COMPLETE,
157 struct binder_stats {
158 atomic_t br[_IOC_NR(BR_ONEWAY_SPAM_SUSPECT) + 1];
159 atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1];
160 atomic_t obj_created[BINDER_STAT_COUNT];
161 atomic_t obj_deleted[BINDER_STAT_COUNT];
165 * struct binder_work - work enqueued on a worklist
166 * @entry: node enqueued on list
167 * @type: type of work to be performed
169 * There are separate work lists for proc, thread, and node (async).
172 struct list_head entry;
174 enum binder_work_type {
175 BINDER_WORK_TRANSACTION = 1,
176 BINDER_WORK_TRANSACTION_COMPLETE,
177 BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT,
178 BINDER_WORK_RETURN_ERROR,
180 BINDER_WORK_DEAD_BINDER,
181 BINDER_WORK_DEAD_BINDER_AND_CLEAR,
182 BINDER_WORK_CLEAR_DEATH_NOTIFICATION,
186 struct binder_error {
187 struct binder_work work;
192 * struct binder_node - binder node bookkeeping
193 * @debug_id: unique ID for debugging
194 * (invariant after initialized)
195 * @lock: lock for node fields
196 * @work: worklist element for node work
197 * (protected by @proc->inner_lock)
198 * @rb_node: element for proc->nodes tree
199 * (protected by @proc->inner_lock)
200 * @dead_node: element for binder_dead_nodes list
201 * (protected by binder_dead_nodes_lock)
202 * @proc: binder_proc that owns this node
203 * (invariant after initialized)
204 * @refs: list of references on this node
205 * (protected by @lock)
206 * @internal_strong_refs: used to take strong references when
207 * initiating a transaction
208 * (protected by @proc->inner_lock if @proc
210 * @local_weak_refs: weak user refs from local process
211 * (protected by @proc->inner_lock if @proc
213 * @local_strong_refs: strong user refs from local process
214 * (protected by @proc->inner_lock if @proc
216 * @tmp_refs: temporary kernel refs
217 * (protected by @proc->inner_lock while @proc
218 * is valid, and by binder_dead_nodes_lock
219 * if @proc is NULL. During inc/dec and node release
220 * it is also protected by @lock to provide safety
221 * as the node dies and @proc becomes NULL)
222 * @ptr: userspace pointer for node
223 * (invariant, no lock needed)
224 * @cookie: userspace cookie for node
225 * (invariant, no lock needed)
226 * @has_strong_ref: userspace notified of strong ref
227 * (protected by @proc->inner_lock if @proc
229 * @pending_strong_ref: userspace has acked notification of strong ref
230 * (protected by @proc->inner_lock if @proc
232 * @has_weak_ref: userspace notified of weak ref
233 * (protected by @proc->inner_lock if @proc
235 * @pending_weak_ref: userspace has acked notification of weak ref
236 * (protected by @proc->inner_lock if @proc
238 * @has_async_transaction: async transaction to node in progress
239 * (protected by @lock)
240 * @accept_fds: file descriptor operations supported for node
241 * (invariant after initialized)
242 * @min_priority: minimum scheduling priority
243 * (invariant after initialized)
244 * @txn_security_ctx: require sender's security context
245 * (invariant after initialized)
246 * @async_todo: list of async work items
247 * (protected by @proc->inner_lock)
249 * Bookkeeping structure for binder nodes.
254 struct binder_work work;
256 struct rb_node rb_node;
257 struct hlist_node dead_node;
259 struct binder_proc *proc;
260 struct hlist_head refs;
261 int internal_strong_refs;
263 int local_strong_refs;
265 binder_uintptr_t ptr;
266 binder_uintptr_t cookie;
269 * bitfield elements protected by
273 u8 pending_strong_ref:1;
275 u8 pending_weak_ref:1;
279 * invariant after initialization
282 u8 txn_security_ctx:1;
285 bool has_async_transaction;
286 struct list_head async_todo;
289 struct binder_ref_death {
291 * @work: worklist element for death notifications
292 * (protected by inner_lock of the proc that
293 * this ref belongs to)
295 struct binder_work work;
296 binder_uintptr_t cookie;
300 * struct binder_ref_data - binder_ref counts and id
301 * @debug_id: unique ID for the ref
302 * @desc: unique userspace handle for ref
303 * @strong: strong ref count (debugging only if not locked)
304 * @weak: weak ref count (debugging only if not locked)
306 * Structure to hold ref count and ref id information. Since
307 * the actual ref can only be accessed with a lock, this structure
308 * is used to return information about the ref to callers of
309 * ref inc/dec functions.
311 struct binder_ref_data {
319 * struct binder_ref - struct to track references on nodes
320 * @data: binder_ref_data containing id, handle, and current refcounts
321 * @rb_node_desc: node for lookup by @data.desc in proc's rb_tree
322 * @rb_node_node: node for lookup by @node in proc's rb_tree
323 * @node_entry: list entry for node->refs list in target node
324 * (protected by @node->lock)
325 * @proc: binder_proc containing ref
326 * @node: binder_node of target node. When cleaning up a
327 * ref for deletion in binder_cleanup_ref, a non-NULL
328 * @node indicates the node must be freed
329 * @death: pointer to death notification (ref_death) if requested
330 * (protected by @node->lock)
332 * Structure to track references from procA to target node (on procB). This
333 * structure is unsafe to access without holding @proc->outer_lock.
336 /* Lookups needed: */
337 /* node + proc => ref (transaction) */
338 /* desc + proc => ref (transaction, inc/dec ref) */
339 /* node => refs + procs (proc exit) */
340 struct binder_ref_data data;
341 struct rb_node rb_node_desc;
342 struct rb_node rb_node_node;
343 struct hlist_node node_entry;
344 struct binder_proc *proc;
345 struct binder_node *node;
346 struct binder_ref_death *death;
350 * struct binder_proc - binder process bookkeeping
351 * @proc_node: element for binder_procs list
352 * @threads: rbtree of binder_threads in this proc
353 * (protected by @inner_lock)
354 * @nodes: rbtree of binder nodes associated with
355 * this proc ordered by node->ptr
356 * (protected by @inner_lock)
357 * @refs_by_desc: rbtree of refs ordered by ref->desc
358 * (protected by @outer_lock)
359 * @refs_by_node: rbtree of refs ordered by ref->node
360 * (protected by @outer_lock)
361 * @waiting_threads: threads currently waiting for proc work
362 * (protected by @inner_lock)
363 * @pid PID of group_leader of process
364 * (invariant after initialized)
365 * @tsk task_struct for group_leader of process
366 * (invariant after initialized)
367 * @cred struct cred associated with the `struct file`
369 * (invariant after initialized)
370 * @deferred_work_node: element for binder_deferred_list
371 * (protected by binder_deferred_lock)
372 * @deferred_work: bitmap of deferred work to perform
373 * (protected by binder_deferred_lock)
374 * @outstanding_txns: number of transactions to be transmitted before
375 * processes in freeze_wait are woken up
376 * (protected by @inner_lock)
377 * @is_dead: process is dead and awaiting free
378 * when outstanding transactions are cleaned up
379 * (protected by @inner_lock)
380 * @is_frozen: process is frozen and unable to service
381 * binder transactions
382 * (protected by @inner_lock)
383 * @sync_recv: process received sync transactions since last frozen
384 * bit 0: received sync transaction after being frozen
385 * bit 1: new pending sync transaction during freezing
386 * (protected by @inner_lock)
387 * @async_recv: process received async transactions since last frozen
388 * (protected by @inner_lock)
389 * @freeze_wait: waitqueue of processes waiting for all outstanding
390 * transactions to be processed
391 * (protected by @inner_lock)
392 * @todo: list of work for this process
393 * (protected by @inner_lock)
394 * @stats: per-process binder statistics
395 * (atomics, no lock needed)
396 * @delivered_death: list of delivered death notification
397 * (protected by @inner_lock)
398 * @max_threads: cap on number of binder threads
399 * (protected by @inner_lock)
400 * @requested_threads: number of binder threads requested but not
401 * yet started. In current implementation, can
403 * (protected by @inner_lock)
404 * @requested_threads_started: number binder threads started
405 * (protected by @inner_lock)
406 * @tmp_ref: temporary reference to indicate proc is in use
407 * (protected by @inner_lock)
408 * @default_priority: default scheduler priority
409 * (invariant after initialized)
410 * @debugfs_entry: debugfs node
411 * @alloc: binder allocator bookkeeping
412 * @context: binder_context for this proc
413 * (invariant after initialized)
414 * @inner_lock: can nest under outer_lock and/or node lock
415 * @outer_lock: no nesting under innor or node lock
416 * Lock order: 1) outer, 2) node, 3) inner
417 * @binderfs_entry: process-specific binderfs log file
418 * @oneway_spam_detection_enabled: process enabled oneway spam detection
421 * Bookkeeping structure for binder processes
424 struct hlist_node proc_node;
425 struct rb_root threads;
426 struct rb_root nodes;
427 struct rb_root refs_by_desc;
428 struct rb_root refs_by_node;
429 struct list_head waiting_threads;
431 struct task_struct *tsk;
432 const struct cred *cred;
433 struct hlist_node deferred_work_node;
435 int outstanding_txns;
440 wait_queue_head_t freeze_wait;
442 struct list_head todo;
443 struct binder_stats stats;
444 struct list_head delivered_death;
446 int requested_threads;
447 int requested_threads_started;
449 long default_priority;
450 struct dentry *debugfs_entry;
451 struct binder_alloc alloc;
452 struct binder_context *context;
453 spinlock_t inner_lock;
454 spinlock_t outer_lock;
455 struct dentry *binderfs_entry;
456 bool oneway_spam_detection_enabled;
460 * struct binder_thread - binder thread bookkeeping
461 * @proc: binder process for this thread
462 * (invariant after initialization)
463 * @rb_node: element for proc->threads rbtree
464 * (protected by @proc->inner_lock)
465 * @waiting_thread_node: element for @proc->waiting_threads list
466 * (protected by @proc->inner_lock)
467 * @pid: PID for this thread
468 * (invariant after initialization)
469 * @looper: bitmap of looping state
470 * (only accessed by this thread)
471 * @looper_needs_return: looping thread needs to exit driver
473 * @transaction_stack: stack of in-progress transactions for this thread
474 * (protected by @proc->inner_lock)
475 * @todo: list of work to do for this thread
476 * (protected by @proc->inner_lock)
477 * @process_todo: whether work in @todo should be processed
478 * (protected by @proc->inner_lock)
479 * @return_error: transaction errors reported by this thread
480 * (only accessed by this thread)
481 * @reply_error: transaction errors reported by target thread
482 * (protected by @proc->inner_lock)
483 * @ee: extended error information from this thread
484 * (protected by @proc->inner_lock)
485 * @wait: wait queue for thread work
486 * @stats: per-thread statistics
487 * (atomics, no lock needed)
488 * @tmp_ref: temporary reference to indicate thread is in use
489 * (atomic since @proc->inner_lock cannot
490 * always be acquired)
491 * @is_dead: thread is dead and awaiting free
492 * when outstanding transactions are cleaned up
493 * (protected by @proc->inner_lock)
495 * Bookkeeping structure for binder threads.
497 struct binder_thread {
498 struct binder_proc *proc;
499 struct rb_node rb_node;
500 struct list_head waiting_thread_node;
502 int looper; /* only modified by this thread */
503 bool looper_need_return; /* can be written by other thread */
504 struct binder_transaction *transaction_stack;
505 struct list_head todo;
507 struct binder_error return_error;
508 struct binder_error reply_error;
509 struct binder_extended_error ee;
510 wait_queue_head_t wait;
511 struct binder_stats stats;
517 * struct binder_txn_fd_fixup - transaction fd fixup list element
518 * @fixup_entry: list entry
519 * @file: struct file to be associated with new fd
520 * @offset: offset in buffer data to this fixup
521 * @target_fd: fd to use by the target to install @file
523 * List element for fd fixups in a transaction. Since file
524 * descriptors need to be allocated in the context of the
525 * target process, we pass each fd to be processed in this
528 struct binder_txn_fd_fixup {
529 struct list_head fixup_entry;
535 struct binder_transaction {
537 struct binder_work work;
538 struct binder_thread *from;
539 struct binder_transaction *from_parent;
540 struct binder_proc *to_proc;
541 struct binder_thread *to_thread;
542 struct binder_transaction *to_parent;
543 unsigned need_reply:1;
544 /* unsigned is_dead:1; */ /* not used at the moment */
546 struct binder_buffer *buffer;
552 struct list_head fd_fixups;
553 binder_uintptr_t security_ctx;
555 * @lock: protects @from, @to_proc, and @to_thread
557 * @from, @to_proc, and @to_thread can be set to NULL
558 * during thread teardown
564 * struct binder_object - union of flat binder object types
565 * @hdr: generic object header
566 * @fbo: binder object (nodes and refs)
567 * @fdo: file descriptor object
568 * @bbo: binder buffer pointer
569 * @fdao: file descriptor array
571 * Used for type-independent object copies
573 struct binder_object {
575 struct binder_object_header hdr;
576 struct flat_binder_object fbo;
577 struct binder_fd_object fdo;
578 struct binder_buffer_object bbo;
579 struct binder_fd_array_object fdao;
583 extern struct binder_transaction_log binder_transaction_log;
584 extern struct binder_transaction_log binder_transaction_log_failed;
585 #endif /* _LINUX_BINDER_INTERNAL_H */