/* SPDX-License-Identifier: GPL-2.0 */12#ifndef _LINUX_BINDER_INTERNAL_H3#define _LINUX_BINDER_INTERNAL_H45#include <linux/fs.h>6#include <linux/list.h>7#include <linux/miscdevice.h>8#include <linux/mutex.h>9#include <linux/refcount.h>10#include <linux/stddef.h>11#include <linux/types.h>12#include <linux/uidgid.h>13#include <uapi/linux/android/binderfs.h>14#include "binder_alloc.h"15#include "dbitmap.h"1617struct binder_context {18struct binder_node *binder_context_mgr_node;19struct mutex context_mgr_node_lock;20kuid_t binder_context_mgr_uid;21const char *name;22};2324/**25* struct binder_device - information about a binder device node26* @hlist: list of binder devices27* @miscdev: information about a binder character device node28* @context: binder context information29* @binderfs_inode: This is the inode of the root dentry of the super block30* belonging to a binderfs mount.31*/32struct binder_device {33struct hlist_node hlist;34struct miscdevice miscdev;35struct binder_context context;36struct inode *binderfs_inode;37refcount_t ref;38};3940/**41* binderfs_mount_opts - mount options for binderfs42* @max: maximum number of allocatable binderfs binder devices43* @stats_mode: enable binder stats in binderfs.44*/45struct binderfs_mount_opts {46int max;47int stats_mode;48};4950/**51* binderfs_info - information about a binderfs mount52* @ipc_ns: The ipc namespace the binderfs mount belongs to.53* @control_dentry: This records the dentry of this binderfs mount54* binder-control device.55* @root_uid: uid that needs to be used when a new binder device is56* created.57* @root_gid: gid that needs to be used when a new binder device is58* created.59* @mount_opts: The mount options in use.60* @device_count: The current number of allocated binder devices.61* @proc_log_dir: Pointer to the directory dentry containing process-specific62* logs.63*/64struct binderfs_info {65struct ipc_namespace *ipc_ns;66struct dentry *control_dentry;67kuid_t root_uid;68kgid_t root_gid;69struct binderfs_mount_opts mount_opts;70int device_count;71struct dentry *proc_log_dir;72};7374extern const struct file_operations binder_fops;7576extern char *binder_devices_param;7778#ifdef CONFIG_ANDROID_BINDERFS79extern bool is_binderfs_device(const struct inode *inode);80extern struct dentry *binderfs_create_file(struct dentry *dir, const char *name,81const struct file_operations *fops,82void *data);83#else84static inline bool is_binderfs_device(const struct inode *inode)85{86return false;87}88static inline struct dentry *binderfs_create_file(struct dentry *dir,89const char *name,90const struct file_operations *fops,91void *data)92{93return NULL;94}95#endif9697#ifdef CONFIG_ANDROID_BINDERFS98extern int __init init_binderfs(void);99#else100static inline int __init init_binderfs(void)101{102return 0;103}104#endif105106struct binder_debugfs_entry {107const char *name;108umode_t mode;109const struct file_operations *fops;110void *data;111};112113extern const struct binder_debugfs_entry binder_debugfs_entries[];114115#define binder_for_each_debugfs_entry(entry) \116for ((entry) = binder_debugfs_entries; \117(entry)->name; \118(entry)++)119120enum binder_stat_types {121BINDER_STAT_PROC,122BINDER_STAT_THREAD,123BINDER_STAT_NODE,124BINDER_STAT_REF,125BINDER_STAT_DEATH,126BINDER_STAT_TRANSACTION,127BINDER_STAT_TRANSACTION_COMPLETE,128BINDER_STAT_FREEZE,129BINDER_STAT_COUNT130};131132struct binder_stats {133atomic_t br[_IOC_NR(BR_CLEAR_FREEZE_NOTIFICATION_DONE) + 1];134atomic_t bc[_IOC_NR(BC_FREEZE_NOTIFICATION_DONE) + 1];135atomic_t obj_created[BINDER_STAT_COUNT];136atomic_t obj_deleted[BINDER_STAT_COUNT];137};138139/**140* struct binder_work - work enqueued on a worklist141* @entry: node enqueued on list142* @type: type of work to be performed143*144* There are separate work lists for proc, thread, and node (async).145*/146struct binder_work {147struct list_head entry;148149enum binder_work_type {150BINDER_WORK_TRANSACTION = 1,151BINDER_WORK_TRANSACTION_COMPLETE,152BINDER_WORK_TRANSACTION_PENDING,153BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT,154BINDER_WORK_RETURN_ERROR,155BINDER_WORK_NODE,156BINDER_WORK_DEAD_BINDER,157BINDER_WORK_DEAD_BINDER_AND_CLEAR,158BINDER_WORK_CLEAR_DEATH_NOTIFICATION,159BINDER_WORK_FROZEN_BINDER,160BINDER_WORK_CLEAR_FREEZE_NOTIFICATION,161} type;162};163164struct binder_error {165struct binder_work work;166uint32_t cmd;167};168169/**170* struct binder_node - binder node bookkeeping171* @debug_id: unique ID for debugging172* (invariant after initialized)173* @lock: lock for node fields174* @work: worklist element for node work175* (protected by @proc->inner_lock)176* @rb_node: element for proc->nodes tree177* (protected by @proc->inner_lock)178* @dead_node: element for binder_dead_nodes list179* (protected by binder_dead_nodes_lock)180* @proc: binder_proc that owns this node181* (invariant after initialized)182* @refs: list of references on this node183* (protected by @lock)184* @internal_strong_refs: used to take strong references when185* initiating a transaction186* (protected by @proc->inner_lock if @proc187* and by @lock)188* @local_weak_refs: weak user refs from local process189* (protected by @proc->inner_lock if @proc190* and by @lock)191* @local_strong_refs: strong user refs from local process192* (protected by @proc->inner_lock if @proc193* and by @lock)194* @tmp_refs: temporary kernel refs195* (protected by @proc->inner_lock while @proc196* is valid, and by binder_dead_nodes_lock197* if @proc is NULL. During inc/dec and node release198* it is also protected by @lock to provide safety199* as the node dies and @proc becomes NULL)200* @ptr: userspace pointer for node201* (invariant, no lock needed)202* @cookie: userspace cookie for node203* (invariant, no lock needed)204* @has_strong_ref: userspace notified of strong ref205* (protected by @proc->inner_lock if @proc206* and by @lock)207* @pending_strong_ref: userspace has acked notification of strong ref208* (protected by @proc->inner_lock if @proc209* and by @lock)210* @has_weak_ref: userspace notified of weak ref211* (protected by @proc->inner_lock if @proc212* and by @lock)213* @pending_weak_ref: userspace has acked notification of weak ref214* (protected by @proc->inner_lock if @proc215* and by @lock)216* @has_async_transaction: async transaction to node in progress217* (protected by @lock)218* @accept_fds: file descriptor operations supported for node219* (invariant after initialized)220* @min_priority: minimum scheduling priority221* (invariant after initialized)222* @txn_security_ctx: require sender's security context223* (invariant after initialized)224* @async_todo: list of async work items225* (protected by @proc->inner_lock)226*227* Bookkeeping structure for binder nodes.228*/229struct binder_node {230int debug_id;231spinlock_t lock;232struct binder_work work;233union {234struct rb_node rb_node;235struct hlist_node dead_node;236};237struct binder_proc *proc;238struct hlist_head refs;239int internal_strong_refs;240int local_weak_refs;241int local_strong_refs;242int tmp_refs;243binder_uintptr_t ptr;244binder_uintptr_t cookie;245struct {246/*247* bitfield elements protected by248* proc inner_lock249*/250u8 has_strong_ref:1;251u8 pending_strong_ref:1;252u8 has_weak_ref:1;253u8 pending_weak_ref:1;254};255struct {256/*257* invariant after initialization258*/259u8 accept_fds:1;260u8 txn_security_ctx:1;261u8 min_priority;262};263bool has_async_transaction;264struct list_head async_todo;265};266267struct binder_ref_death {268/**269* @work: worklist element for death notifications270* (protected by inner_lock of the proc that271* this ref belongs to)272*/273struct binder_work work;274binder_uintptr_t cookie;275};276277struct binder_ref_freeze {278struct binder_work work;279binder_uintptr_t cookie;280bool is_frozen:1;281bool sent:1;282bool resend:1;283};284285/**286* struct binder_ref_data - binder_ref counts and id287* @debug_id: unique ID for the ref288* @desc: unique userspace handle for ref289* @strong: strong ref count (debugging only if not locked)290* @weak: weak ref count (debugging only if not locked)291*292* Structure to hold ref count and ref id information. Since293* the actual ref can only be accessed with a lock, this structure294* is used to return information about the ref to callers of295* ref inc/dec functions.296*/297struct binder_ref_data {298int debug_id;299uint32_t desc;300int strong;301int weak;302};303304/**305* struct binder_ref - struct to track references on nodes306* @data: binder_ref_data containing id, handle, and current refcounts307* @rb_node_desc: node for lookup by @data.desc in proc's rb_tree308* @rb_node_node: node for lookup by @node in proc's rb_tree309* @node_entry: list entry for node->refs list in target node310* (protected by @node->lock)311* @proc: binder_proc containing ref312* @node: binder_node of target node. When cleaning up a313* ref for deletion in binder_cleanup_ref, a non-NULL314* @node indicates the node must be freed315* @death: pointer to death notification (ref_death) if requested316* (protected by @node->lock)317* @freeze: pointer to freeze notification (ref_freeze) if requested318* (protected by @node->lock)319*320* Structure to track references from procA to target node (on procB). This321* structure is unsafe to access without holding @proc->outer_lock.322*/323struct binder_ref {324/* Lookups needed: */325/* node + proc => ref (transaction) */326/* desc + proc => ref (transaction, inc/dec ref) */327/* node => refs + procs (proc exit) */328struct binder_ref_data data;329struct rb_node rb_node_desc;330struct rb_node rb_node_node;331struct hlist_node node_entry;332struct binder_proc *proc;333struct binder_node *node;334struct binder_ref_death *death;335struct binder_ref_freeze *freeze;336};337338/**339* struct binder_proc - binder process bookkeeping340* @proc_node: element for binder_procs list341* @threads: rbtree of binder_threads in this proc342* (protected by @inner_lock)343* @nodes: rbtree of binder nodes associated with344* this proc ordered by node->ptr345* (protected by @inner_lock)346* @refs_by_desc: rbtree of refs ordered by ref->desc347* (protected by @outer_lock)348* @refs_by_node: rbtree of refs ordered by ref->node349* (protected by @outer_lock)350* @waiting_threads: threads currently waiting for proc work351* (protected by @inner_lock)352* @pid PID of group_leader of process353* (invariant after initialized)354* @tsk task_struct for group_leader of process355* (invariant after initialized)356* @cred struct cred associated with the `struct file`357* in binder_open()358* (invariant after initialized)359* @deferred_work_node: element for binder_deferred_list360* (protected by binder_deferred_lock)361* @deferred_work: bitmap of deferred work to perform362* (protected by binder_deferred_lock)363* @outstanding_txns: number of transactions to be transmitted before364* processes in freeze_wait are woken up365* (protected by @inner_lock)366* @is_dead: process is dead and awaiting free367* when outstanding transactions are cleaned up368* (protected by @inner_lock)369* @is_frozen: process is frozen and unable to service370* binder transactions371* (protected by @inner_lock)372* @sync_recv: process received sync transactions since last frozen373* bit 0: received sync transaction after being frozen374* bit 1: new pending sync transaction during freezing375* (protected by @inner_lock)376* @async_recv: process received async transactions since last frozen377* (protected by @inner_lock)378* @freeze_wait: waitqueue of processes waiting for all outstanding379* transactions to be processed380* (protected by @inner_lock)381* @dmap dbitmap to manage available reference descriptors382* (protected by @outer_lock)383* @todo: list of work for this process384* (protected by @inner_lock)385* @stats: per-process binder statistics386* (atomics, no lock needed)387* @delivered_death: list of delivered death notification388* (protected by @inner_lock)389* @delivered_freeze: list of delivered freeze notification390* (protected by @inner_lock)391* @max_threads: cap on number of binder threads392* (protected by @inner_lock)393* @requested_threads: number of binder threads requested but not394* yet started. In current implementation, can395* only be 0 or 1.396* (protected by @inner_lock)397* @requested_threads_started: number binder threads started398* (protected by @inner_lock)399* @tmp_ref: temporary reference to indicate proc is in use400* (protected by @inner_lock)401* @default_priority: default scheduler priority402* (invariant after initialized)403* @debugfs_entry: debugfs node404* @alloc: binder allocator bookkeeping405* @context: binder_context for this proc406* (invariant after initialized)407* @inner_lock: can nest under outer_lock and/or node lock408* @outer_lock: no nesting under innor or node lock409* Lock order: 1) outer, 2) node, 3) inner410* @binderfs_entry: process-specific binderfs log file411* @oneway_spam_detection_enabled: process enabled oneway spam detection412* or not413*414* Bookkeeping structure for binder processes415*/416struct binder_proc {417struct hlist_node proc_node;418struct rb_root threads;419struct rb_root nodes;420struct rb_root refs_by_desc;421struct rb_root refs_by_node;422struct list_head waiting_threads;423int pid;424struct task_struct *tsk;425const struct cred *cred;426struct hlist_node deferred_work_node;427int deferred_work;428int outstanding_txns;429bool is_dead;430bool is_frozen;431bool sync_recv;432bool async_recv;433wait_queue_head_t freeze_wait;434struct dbitmap dmap;435struct list_head todo;436struct binder_stats stats;437struct list_head delivered_death;438struct list_head delivered_freeze;439u32 max_threads;440int requested_threads;441int requested_threads_started;442int tmp_ref;443long default_priority;444struct dentry *debugfs_entry;445struct binder_alloc alloc;446struct binder_context *context;447spinlock_t inner_lock;448spinlock_t outer_lock;449struct dentry *binderfs_entry;450bool oneway_spam_detection_enabled;451};452453/**454* struct binder_thread - binder thread bookkeeping455* @proc: binder process for this thread456* (invariant after initialization)457* @rb_node: element for proc->threads rbtree458* (protected by @proc->inner_lock)459* @waiting_thread_node: element for @proc->waiting_threads list460* (protected by @proc->inner_lock)461* @pid: PID for this thread462* (invariant after initialization)463* @looper: bitmap of looping state464* (only accessed by this thread)465* @looper_needs_return: looping thread needs to exit driver466* (no lock needed)467* @transaction_stack: stack of in-progress transactions for this thread468* (protected by @proc->inner_lock)469* @todo: list of work to do for this thread470* (protected by @proc->inner_lock)471* @process_todo: whether work in @todo should be processed472* (protected by @proc->inner_lock)473* @return_error: transaction errors reported by this thread474* (only accessed by this thread)475* @reply_error: transaction errors reported by target thread476* (protected by @proc->inner_lock)477* @ee: extended error information from this thread478* (protected by @proc->inner_lock)479* @wait: wait queue for thread work480* @stats: per-thread statistics481* (atomics, no lock needed)482* @tmp_ref: temporary reference to indicate thread is in use483* (atomic since @proc->inner_lock cannot484* always be acquired)485* @is_dead: thread is dead and awaiting free486* when outstanding transactions are cleaned up487* (protected by @proc->inner_lock)488*489* Bookkeeping structure for binder threads.490*/491struct binder_thread {492struct binder_proc *proc;493struct rb_node rb_node;494struct list_head waiting_thread_node;495int pid;496int looper; /* only modified by this thread */497bool looper_need_return; /* can be written by other thread */498struct binder_transaction *transaction_stack;499struct list_head todo;500bool process_todo;501struct binder_error return_error;502struct binder_error reply_error;503struct binder_extended_error ee;504wait_queue_head_t wait;505struct binder_stats stats;506atomic_t tmp_ref;507bool is_dead;508};509510/**511* struct binder_txn_fd_fixup - transaction fd fixup list element512* @fixup_entry: list entry513* @file: struct file to be associated with new fd514* @offset: offset in buffer data to this fixup515* @target_fd: fd to use by the target to install @file516*517* List element for fd fixups in a transaction. Since file518* descriptors need to be allocated in the context of the519* target process, we pass each fd to be processed in this520* struct.521*/522struct binder_txn_fd_fixup {523struct list_head fixup_entry;524struct file *file;525size_t offset;526int target_fd;527};528529struct binder_transaction {530int debug_id;531struct binder_work work;532struct binder_thread *from;533pid_t from_pid;534pid_t from_tid;535struct binder_transaction *from_parent;536struct binder_proc *to_proc;537struct binder_thread *to_thread;538struct binder_transaction *to_parent;539unsigned need_reply:1;540/* unsigned is_dead:1; */ /* not used at the moment */541542struct binder_buffer *buffer;543unsigned int code;544unsigned int flags;545long priority;546long saved_priority;547kuid_t sender_euid;548ktime_t start_time;549struct list_head fd_fixups;550binder_uintptr_t security_ctx;551/**552* @lock: protects @from, @to_proc, and @to_thread553*554* @from, @to_proc, and @to_thread can be set to NULL555* during thread teardown556*/557spinlock_t lock;558};559560/**561* struct binder_object - union of flat binder object types562* @hdr: generic object header563* @fbo: binder object (nodes and refs)564* @fdo: file descriptor object565* @bbo: binder buffer pointer566* @fdao: file descriptor array567*568* Used for type-independent object copies569*/570struct binder_object {571union {572struct binder_object_header hdr;573struct flat_binder_object fbo;574struct binder_fd_object fdo;575struct binder_buffer_object bbo;576struct binder_fd_array_object fdao;577};578};579580/**581* Add a binder device to binder_devices582* @device: the new binder device to add to the global list583*/584void binder_add_device(struct binder_device *device);585586/**587* Remove a binder device to binder_devices588* @device: the binder device to remove from the global list589*/590void binder_remove_device(struct binder_device *device);591592#if IS_ENABLED(CONFIG_KUNIT)593vm_fault_t binder_vm_fault(struct vm_fault *vmf);594#endif595596#endif /* _LINUX_BINDER_INTERNAL_H */597598599