3 * Android IPC Subsystem
5 * Copyright (C) 2007-2017 Google, Inc.
7 * This software is licensed under the terms of the GNU General Public
8 * License version 2, as published by the Free Software Foundation, and
9 * may be copied, distributed, and modified under those terms.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
18 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
20 #include <linux/list.h>
21 #include <linux/sched/mm.h>
22 #include <linux/module.h>
23 #include <linux/rtmutex.h>
24 #include <linux/rbtree.h>
25 #include <linux/seq_file.h>
26 #include <linux/vmalloc.h>
27 #include <linux/slab.h>
28 #include <linux/sched.h>
29 #include <linux/list_lru.h>
30 #include <linux/ratelimit.h>
31 #include <asm/cacheflush.h>
32 #include "binder_alloc.h"
33 #include "binder_trace.h"
35 struct list_lru binder_alloc_lru
;
37 static DEFINE_MUTEX(binder_alloc_mmap_lock
);
40 BINDER_DEBUG_USER_ERROR
= 1U << 0,
41 BINDER_DEBUG_OPEN_CLOSE
= 1U << 1,
42 BINDER_DEBUG_BUFFER_ALLOC
= 1U << 2,
43 BINDER_DEBUG_BUFFER_ALLOC_ASYNC
= 1U << 3,
45 static uint32_t binder_alloc_debug_mask
= BINDER_DEBUG_USER_ERROR
;
47 module_param_named(debug_mask
, binder_alloc_debug_mask
,
50 #define binder_alloc_debug(mask, x...) \
52 if (binder_alloc_debug_mask & mask) \
53 pr_info_ratelimited(x); \
56 static struct binder_buffer
*binder_buffer_next(struct binder_buffer
*buffer
)
58 return list_entry(buffer
->entry
.next
, struct binder_buffer
, entry
);
61 static struct binder_buffer
*binder_buffer_prev(struct binder_buffer
*buffer
)
63 return list_entry(buffer
->entry
.prev
, struct binder_buffer
, entry
);
66 static size_t binder_alloc_buffer_size(struct binder_alloc
*alloc
,
67 struct binder_buffer
*buffer
)
69 if (list_is_last(&buffer
->entry
, &alloc
->buffers
))
70 return (u8
*)alloc
->buffer
+
71 alloc
->buffer_size
- (u8
*)buffer
->data
;
72 return (u8
*)binder_buffer_next(buffer
)->data
- (u8
*)buffer
->data
;
75 static void binder_insert_free_buffer(struct binder_alloc
*alloc
,
76 struct binder_buffer
*new_buffer
)
78 struct rb_node
**p
= &alloc
->free_buffers
.rb_node
;
79 struct rb_node
*parent
= NULL
;
80 struct binder_buffer
*buffer
;
82 size_t new_buffer_size
;
84 BUG_ON(!new_buffer
->free
);
86 new_buffer_size
= binder_alloc_buffer_size(alloc
, new_buffer
);
88 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
89 "%d: add free buffer, size %zd, at %pK\n",
90 alloc
->pid
, new_buffer_size
, new_buffer
);
94 buffer
= rb_entry(parent
, struct binder_buffer
, rb_node
);
95 BUG_ON(!buffer
->free
);
97 buffer_size
= binder_alloc_buffer_size(alloc
, buffer
);
99 if (new_buffer_size
< buffer_size
)
100 p
= &parent
->rb_left
;
102 p
= &parent
->rb_right
;
104 rb_link_node(&new_buffer
->rb_node
, parent
, p
);
105 rb_insert_color(&new_buffer
->rb_node
, &alloc
->free_buffers
);
108 static void binder_insert_allocated_buffer_locked(
109 struct binder_alloc
*alloc
, struct binder_buffer
*new_buffer
)
111 struct rb_node
**p
= &alloc
->allocated_buffers
.rb_node
;
112 struct rb_node
*parent
= NULL
;
113 struct binder_buffer
*buffer
;
115 BUG_ON(new_buffer
->free
);
119 buffer
= rb_entry(parent
, struct binder_buffer
, rb_node
);
120 BUG_ON(buffer
->free
);
122 if (new_buffer
->data
< buffer
->data
)
123 p
= &parent
->rb_left
;
124 else if (new_buffer
->data
> buffer
->data
)
125 p
= &parent
->rb_right
;
129 rb_link_node(&new_buffer
->rb_node
, parent
, p
);
130 rb_insert_color(&new_buffer
->rb_node
, &alloc
->allocated_buffers
);
133 static struct binder_buffer
*binder_alloc_prepare_to_free_locked(
134 struct binder_alloc
*alloc
,
137 struct rb_node
*n
= alloc
->allocated_buffers
.rb_node
;
138 struct binder_buffer
*buffer
;
141 kern_ptr
= (void *)(user_ptr
- alloc
->user_buffer_offset
);
144 buffer
= rb_entry(n
, struct binder_buffer
, rb_node
);
145 BUG_ON(buffer
->free
);
147 if (kern_ptr
< buffer
->data
)
149 else if (kern_ptr
> buffer
->data
)
153 * Guard against user threads attempting to
154 * free the buffer when in use by kernel or
155 * after it's already been freed.
157 if (!buffer
->allow_user_free
)
158 return ERR_PTR(-EPERM
);
159 buffer
->allow_user_free
= 0;
167 * binder_alloc_buffer_lookup() - get buffer given user ptr
168 * @alloc: binder_alloc for this proc
169 * @user_ptr: User pointer to buffer data
171 * Validate userspace pointer to buffer data and return buffer corresponding to
172 * that user pointer. Search the rb tree for buffer that matches user data
175 * Return: Pointer to buffer or NULL
177 struct binder_buffer
*binder_alloc_prepare_to_free(struct binder_alloc
*alloc
,
180 struct binder_buffer
*buffer
;
182 mutex_lock(&alloc
->mutex
);
183 buffer
= binder_alloc_prepare_to_free_locked(alloc
, user_ptr
);
184 mutex_unlock(&alloc
->mutex
);
188 static int binder_update_page_range(struct binder_alloc
*alloc
, int allocate
,
189 void *start
, void *end
)
192 unsigned long user_page_addr
;
193 struct binder_lru_page
*page
;
194 struct vm_area_struct
*vma
= NULL
;
195 struct mm_struct
*mm
= NULL
;
196 bool need_mm
= false;
198 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
199 "%d: %s pages %pK-%pK\n", alloc
->pid
,
200 allocate
? "allocate" : "free", start
, end
);
205 trace_binder_update_page_range(alloc
, allocate
, start
, end
);
210 for (page_addr
= start
; page_addr
< end
; page_addr
+= PAGE_SIZE
) {
211 page
= &alloc
->pages
[(page_addr
- alloc
->buffer
) / PAGE_SIZE
];
212 if (!page
->page_ptr
) {
218 if (need_mm
&& mmget_not_zero(alloc
->vma_vm_mm
))
219 mm
= alloc
->vma_vm_mm
;
222 down_read(&mm
->mmap_sem
);
226 if (!vma
&& need_mm
) {
227 binder_alloc_debug(BINDER_DEBUG_USER_ERROR
,
228 "%d: binder_alloc_buf failed to map pages in userspace, no vma\n",
233 for (page_addr
= start
; page_addr
< end
; page_addr
+= PAGE_SIZE
) {
238 index
= (page_addr
- alloc
->buffer
) / PAGE_SIZE
;
239 page
= &alloc
->pages
[index
];
241 if (page
->page_ptr
) {
242 trace_binder_alloc_lru_start(alloc
, index
);
244 on_lru
= list_lru_del(&binder_alloc_lru
, &page
->lru
);
247 trace_binder_alloc_lru_end(alloc
, index
);
252 goto err_page_ptr_cleared
;
254 trace_binder_alloc_page_start(alloc
, index
);
255 page
->page_ptr
= alloc_page(GFP_KERNEL
|
258 if (!page
->page_ptr
) {
259 pr_err("%d: binder_alloc_buf failed for page at %pK\n",
260 alloc
->pid
, page_addr
);
261 goto err_alloc_page_failed
;
264 INIT_LIST_HEAD(&page
->lru
);
266 ret
= map_kernel_range_noflush((unsigned long)page_addr
,
267 PAGE_SIZE
, PAGE_KERNEL
,
269 flush_cache_vmap((unsigned long)page_addr
,
270 (unsigned long)page_addr
+ PAGE_SIZE
);
272 pr_err("%d: binder_alloc_buf failed to map page at %pK in kernel\n",
273 alloc
->pid
, page_addr
);
274 goto err_map_kernel_failed
;
277 (uintptr_t)page_addr
+ alloc
->user_buffer_offset
;
278 ret
= vm_insert_page(vma
, user_page_addr
, page
[0].page_ptr
);
280 pr_err("%d: binder_alloc_buf failed to map page at %lx in userspace\n",
281 alloc
->pid
, user_page_addr
);
282 goto err_vm_insert_page_failed
;
285 if (index
+ 1 > alloc
->pages_high
)
286 alloc
->pages_high
= index
+ 1;
288 trace_binder_alloc_page_end(alloc
, index
);
289 /* vm_insert_page does not seem to increment the refcount */
292 up_read(&mm
->mmap_sem
);
298 for (page_addr
= end
- PAGE_SIZE
; 1; page_addr
-= PAGE_SIZE
) {
302 index
= (page_addr
- alloc
->buffer
) / PAGE_SIZE
;
303 page
= &alloc
->pages
[index
];
305 trace_binder_free_lru_start(alloc
, index
);
307 ret
= list_lru_add(&binder_alloc_lru
, &page
->lru
);
310 trace_binder_free_lru_end(alloc
, index
);
311 if (page_addr
== start
)
315 err_vm_insert_page_failed
:
316 unmap_kernel_range((unsigned long)page_addr
, PAGE_SIZE
);
317 err_map_kernel_failed
:
318 __free_page(page
->page_ptr
);
319 page
->page_ptr
= NULL
;
320 err_alloc_page_failed
:
321 err_page_ptr_cleared
:
322 if (page_addr
== start
)
327 up_read(&mm
->mmap_sem
);
330 return vma
? -ENOMEM
: -ESRCH
;
334 static inline void binder_alloc_set_vma(struct binder_alloc
*alloc
,
335 struct vm_area_struct
*vma
)
338 alloc
->vma_vm_mm
= vma
->vm_mm
;
340 * If we see alloc->vma is not NULL, buffer data structures set up
341 * completely. Look at smp_rmb side binder_alloc_get_vma.
342 * We also want to guarantee new alloc->vma_vm_mm is always visible
343 * if alloc->vma is set.
349 static inline struct vm_area_struct
*binder_alloc_get_vma(
350 struct binder_alloc
*alloc
)
352 struct vm_area_struct
*vma
= NULL
;
355 /* Look at description in binder_alloc_set_vma */
362 static struct binder_buffer
*binder_alloc_new_buf_locked(
363 struct binder_alloc
*alloc
,
366 size_t extra_buffers_size
,
369 struct rb_node
*n
= alloc
->free_buffers
.rb_node
;
370 struct binder_buffer
*buffer
;
372 struct rb_node
*best_fit
= NULL
;
375 size_t size
, data_offsets_size
;
378 if (!binder_alloc_get_vma(alloc
)) {
379 binder_alloc_debug(BINDER_DEBUG_USER_ERROR
,
380 "%d: binder_alloc_buf, no vma\n",
382 return ERR_PTR(-ESRCH
);
385 data_offsets_size
= ALIGN(data_size
, sizeof(void *)) +
386 ALIGN(offsets_size
, sizeof(void *));
388 if (data_offsets_size
< data_size
|| data_offsets_size
< offsets_size
) {
389 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
390 "%d: got transaction with invalid size %zd-%zd\n",
391 alloc
->pid
, data_size
, offsets_size
);
392 return ERR_PTR(-EINVAL
);
394 size
= data_offsets_size
+ ALIGN(extra_buffers_size
, sizeof(void *));
395 if (size
< data_offsets_size
|| size
< extra_buffers_size
) {
396 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
397 "%d: got transaction with invalid extra_buffers_size %zd\n",
398 alloc
->pid
, extra_buffers_size
);
399 return ERR_PTR(-EINVAL
);
402 alloc
->free_async_space
< size
+ sizeof(struct binder_buffer
)) {
403 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
404 "%d: binder_alloc_buf size %zd failed, no async space left\n",
406 return ERR_PTR(-ENOSPC
);
409 /* Pad 0-size buffers so they get assigned unique addresses */
410 size
= max(size
, sizeof(void *));
413 buffer
= rb_entry(n
, struct binder_buffer
, rb_node
);
414 BUG_ON(!buffer
->free
);
415 buffer_size
= binder_alloc_buffer_size(alloc
, buffer
);
417 if (size
< buffer_size
) {
420 } else if (size
> buffer_size
)
427 if (best_fit
== NULL
) {
428 size_t allocated_buffers
= 0;
429 size_t largest_alloc_size
= 0;
430 size_t total_alloc_size
= 0;
431 size_t free_buffers
= 0;
432 size_t largest_free_size
= 0;
433 size_t total_free_size
= 0;
435 for (n
= rb_first(&alloc
->allocated_buffers
); n
!= NULL
;
437 buffer
= rb_entry(n
, struct binder_buffer
, rb_node
);
438 buffer_size
= binder_alloc_buffer_size(alloc
, buffer
);
440 total_alloc_size
+= buffer_size
;
441 if (buffer_size
> largest_alloc_size
)
442 largest_alloc_size
= buffer_size
;
444 for (n
= rb_first(&alloc
->free_buffers
); n
!= NULL
;
446 buffer
= rb_entry(n
, struct binder_buffer
, rb_node
);
447 buffer_size
= binder_alloc_buffer_size(alloc
, buffer
);
449 total_free_size
+= buffer_size
;
450 if (buffer_size
> largest_free_size
)
451 largest_free_size
= buffer_size
;
453 binder_alloc_debug(BINDER_DEBUG_USER_ERROR
,
454 "%d: binder_alloc_buf size %zd failed, no address space\n",
456 binder_alloc_debug(BINDER_DEBUG_USER_ERROR
,
457 "allocated: %zd (num: %zd largest: %zd), free: %zd (num: %zd largest: %zd)\n",
458 total_alloc_size
, allocated_buffers
,
459 largest_alloc_size
, total_free_size
,
460 free_buffers
, largest_free_size
);
461 return ERR_PTR(-ENOSPC
);
464 buffer
= rb_entry(best_fit
, struct binder_buffer
, rb_node
);
465 buffer_size
= binder_alloc_buffer_size(alloc
, buffer
);
468 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
469 "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n",
470 alloc
->pid
, size
, buffer
, buffer_size
);
473 (void *)(((uintptr_t)buffer
->data
+ buffer_size
) & PAGE_MASK
);
474 WARN_ON(n
&& buffer_size
!= size
);
476 (void *)PAGE_ALIGN((uintptr_t)buffer
->data
+ size
);
477 if (end_page_addr
> has_page_addr
)
478 end_page_addr
= has_page_addr
;
479 ret
= binder_update_page_range(alloc
, 1,
480 (void *)PAGE_ALIGN((uintptr_t)buffer
->data
), end_page_addr
);
484 if (buffer_size
!= size
) {
485 struct binder_buffer
*new_buffer
;
487 new_buffer
= kzalloc(sizeof(*buffer
), GFP_KERNEL
);
489 pr_err("%s: %d failed to alloc new buffer struct\n",
490 __func__
, alloc
->pid
);
491 goto err_alloc_buf_struct_failed
;
493 new_buffer
->data
= (u8
*)buffer
->data
+ size
;
494 list_add(&new_buffer
->entry
, &buffer
->entry
);
495 new_buffer
->free
= 1;
496 binder_insert_free_buffer(alloc
, new_buffer
);
499 rb_erase(best_fit
, &alloc
->free_buffers
);
501 buffer
->allow_user_free
= 0;
502 binder_insert_allocated_buffer_locked(alloc
, buffer
);
503 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
504 "%d: binder_alloc_buf size %zd got %pK\n",
505 alloc
->pid
, size
, buffer
);
506 buffer
->data_size
= data_size
;
507 buffer
->offsets_size
= offsets_size
;
508 buffer
->async_transaction
= is_async
;
509 buffer
->extra_buffers_size
= extra_buffers_size
;
511 alloc
->free_async_space
-= size
+ sizeof(struct binder_buffer
);
512 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC
,
513 "%d: binder_alloc_buf size %zd async free %zd\n",
514 alloc
->pid
, size
, alloc
->free_async_space
);
518 err_alloc_buf_struct_failed
:
519 binder_update_page_range(alloc
, 0,
520 (void *)PAGE_ALIGN((uintptr_t)buffer
->data
),
522 return ERR_PTR(-ENOMEM
);
526 * binder_alloc_new_buf() - Allocate a new binder buffer
527 * @alloc: binder_alloc for this proc
528 * @data_size: size of user data buffer
529 * @offsets_size: user specified buffer offset
530 * @extra_buffers_size: size of extra space for meta-data (eg, security context)
531 * @is_async: buffer for async transaction
533 * Allocate a new buffer given the requested sizes. Returns
534 * the kernel version of the buffer pointer. The size allocated
535 * is the sum of the three given sizes (each rounded up to
536 * pointer-sized boundary)
538 * Return: The allocated buffer or %NULL if error
540 struct binder_buffer
*binder_alloc_new_buf(struct binder_alloc
*alloc
,
543 size_t extra_buffers_size
,
546 struct binder_buffer
*buffer
;
548 mutex_lock(&alloc
->mutex
);
549 buffer
= binder_alloc_new_buf_locked(alloc
, data_size
, offsets_size
,
550 extra_buffers_size
, is_async
);
551 mutex_unlock(&alloc
->mutex
);
555 static void *buffer_start_page(struct binder_buffer
*buffer
)
557 return (void *)((uintptr_t)buffer
->data
& PAGE_MASK
);
560 static void *prev_buffer_end_page(struct binder_buffer
*buffer
)
562 return (void *)(((uintptr_t)(buffer
->data
) - 1) & PAGE_MASK
);
565 static void binder_delete_free_buffer(struct binder_alloc
*alloc
,
566 struct binder_buffer
*buffer
)
568 struct binder_buffer
*prev
, *next
= NULL
;
570 BUG_ON(alloc
->buffers
.next
== &buffer
->entry
);
571 prev
= binder_buffer_prev(buffer
);
573 if (prev_buffer_end_page(prev
) == buffer_start_page(buffer
)) {
575 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
576 "%d: merge free, buffer %pK share page with %pK\n",
577 alloc
->pid
, buffer
->data
, prev
->data
);
580 if (!list_is_last(&buffer
->entry
, &alloc
->buffers
)) {
581 next
= binder_buffer_next(buffer
);
582 if (buffer_start_page(next
) == buffer_start_page(buffer
)) {
584 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
585 "%d: merge free, buffer %pK share page with %pK\n",
592 if (PAGE_ALIGNED(buffer
->data
)) {
593 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
594 "%d: merge free, buffer start %pK is page aligned\n",
595 alloc
->pid
, buffer
->data
);
600 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
601 "%d: merge free, buffer %pK do not share page with %pK or %pK\n",
602 alloc
->pid
, buffer
->data
,
603 prev
->data
, next
? next
->data
: NULL
);
604 binder_update_page_range(alloc
, 0, buffer_start_page(buffer
),
605 buffer_start_page(buffer
) + PAGE_SIZE
);
607 list_del(&buffer
->entry
);
611 static void binder_free_buf_locked(struct binder_alloc
*alloc
,
612 struct binder_buffer
*buffer
)
614 size_t size
, buffer_size
;
616 buffer_size
= binder_alloc_buffer_size(alloc
, buffer
);
618 size
= ALIGN(buffer
->data_size
, sizeof(void *)) +
619 ALIGN(buffer
->offsets_size
, sizeof(void *)) +
620 ALIGN(buffer
->extra_buffers_size
, sizeof(void *));
622 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
623 "%d: binder_free_buf %pK size %zd buffer_size %zd\n",
624 alloc
->pid
, buffer
, size
, buffer_size
);
626 BUG_ON(buffer
->free
);
627 BUG_ON(size
> buffer_size
);
628 BUG_ON(buffer
->transaction
!= NULL
);
629 BUG_ON(buffer
->data
< alloc
->buffer
);
630 BUG_ON(buffer
->data
> alloc
->buffer
+ alloc
->buffer_size
);
632 if (buffer
->async_transaction
) {
633 alloc
->free_async_space
+= size
+ sizeof(struct binder_buffer
);
635 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC
,
636 "%d: binder_free_buf size %zd async free %zd\n",
637 alloc
->pid
, size
, alloc
->free_async_space
);
640 binder_update_page_range(alloc
, 0,
641 (void *)PAGE_ALIGN((uintptr_t)buffer
->data
),
642 (void *)(((uintptr_t)buffer
->data
+ buffer_size
) & PAGE_MASK
));
644 rb_erase(&buffer
->rb_node
, &alloc
->allocated_buffers
);
646 if (!list_is_last(&buffer
->entry
, &alloc
->buffers
)) {
647 struct binder_buffer
*next
= binder_buffer_next(buffer
);
650 rb_erase(&next
->rb_node
, &alloc
->free_buffers
);
651 binder_delete_free_buffer(alloc
, next
);
654 if (alloc
->buffers
.next
!= &buffer
->entry
) {
655 struct binder_buffer
*prev
= binder_buffer_prev(buffer
);
658 binder_delete_free_buffer(alloc
, buffer
);
659 rb_erase(&prev
->rb_node
, &alloc
->free_buffers
);
663 binder_insert_free_buffer(alloc
, buffer
);
667 * binder_alloc_free_buf() - free a binder buffer
668 * @alloc: binder_alloc for this proc
669 * @buffer: kernel pointer to buffer
671 * Free the buffer allocated via binder_alloc_new_buffer()
673 void binder_alloc_free_buf(struct binder_alloc
*alloc
,
674 struct binder_buffer
*buffer
)
676 mutex_lock(&alloc
->mutex
);
677 binder_free_buf_locked(alloc
, buffer
);
678 mutex_unlock(&alloc
->mutex
);
682 * binder_alloc_mmap_handler() - map virtual address space for proc
683 * @alloc: alloc structure for this proc
684 * @vma: vma passed to mmap()
686 * Called by binder_mmap() to initialize the space specified in
687 * vma for allocating binder buffers
691 * -EBUSY = address space already mapped
692 * -ENOMEM = failed to map memory to given address space
694 int binder_alloc_mmap_handler(struct binder_alloc
*alloc
,
695 struct vm_area_struct
*vma
)
698 struct vm_struct
*area
;
699 const char *failure_string
;
700 struct binder_buffer
*buffer
;
702 mutex_lock(&binder_alloc_mmap_lock
);
705 failure_string
= "already mapped";
706 goto err_already_mapped
;
709 area
= get_vm_area(vma
->vm_end
- vma
->vm_start
, VM_ALLOC
);
712 failure_string
= "get_vm_area";
713 goto err_get_vm_area_failed
;
715 alloc
->buffer
= area
->addr
;
716 alloc
->user_buffer_offset
=
717 vma
->vm_start
- (uintptr_t)alloc
->buffer
;
718 mutex_unlock(&binder_alloc_mmap_lock
);
720 #ifdef CONFIG_CPU_CACHE_VIPT
721 if (cache_is_vipt_aliasing()) {
723 (vma
->vm_start
^ (uint32_t)alloc
->buffer
))) {
724 pr_info("%s: %d %lx-%lx maps %pK bad alignment\n",
725 __func__
, alloc
->pid
, vma
->vm_start
,
726 vma
->vm_end
, alloc
->buffer
);
727 vma
->vm_start
+= PAGE_SIZE
;
731 alloc
->pages
= kcalloc((vma
->vm_end
- vma
->vm_start
) / PAGE_SIZE
,
732 sizeof(alloc
->pages
[0]),
734 if (alloc
->pages
== NULL
) {
736 failure_string
= "alloc page array";
737 goto err_alloc_pages_failed
;
739 alloc
->buffer_size
= vma
->vm_end
- vma
->vm_start
;
741 buffer
= kzalloc(sizeof(*buffer
), GFP_KERNEL
);
744 failure_string
= "alloc buffer struct";
745 goto err_alloc_buf_struct_failed
;
748 buffer
->data
= alloc
->buffer
;
749 list_add(&buffer
->entry
, &alloc
->buffers
);
751 binder_insert_free_buffer(alloc
, buffer
);
752 alloc
->free_async_space
= alloc
->buffer_size
/ 2;
753 binder_alloc_set_vma(alloc
, vma
);
754 mmgrab(alloc
->vma_vm_mm
);
758 err_alloc_buf_struct_failed
:
761 err_alloc_pages_failed
:
762 mutex_lock(&binder_alloc_mmap_lock
);
763 vfree(alloc
->buffer
);
764 alloc
->buffer
= NULL
;
765 err_get_vm_area_failed
:
767 mutex_unlock(&binder_alloc_mmap_lock
);
768 binder_alloc_debug(BINDER_DEBUG_USER_ERROR
,
769 "%s: %d %lx-%lx %s failed %d\n", __func__
,
770 alloc
->pid
, vma
->vm_start
, vma
->vm_end
,
771 failure_string
, ret
);
776 void binder_alloc_deferred_release(struct binder_alloc
*alloc
)
779 int buffers
, page_count
;
780 struct binder_buffer
*buffer
;
783 mutex_lock(&alloc
->mutex
);
786 while ((n
= rb_first(&alloc
->allocated_buffers
))) {
787 buffer
= rb_entry(n
, struct binder_buffer
, rb_node
);
789 /* Transaction should already have been freed */
790 BUG_ON(buffer
->transaction
);
792 binder_free_buf_locked(alloc
, buffer
);
796 while (!list_empty(&alloc
->buffers
)) {
797 buffer
= list_first_entry(&alloc
->buffers
,
798 struct binder_buffer
, entry
);
799 WARN_ON(!buffer
->free
);
801 list_del(&buffer
->entry
);
802 WARN_ON_ONCE(!list_empty(&alloc
->buffers
));
810 for (i
= 0; i
< alloc
->buffer_size
/ PAGE_SIZE
; i
++) {
814 if (!alloc
->pages
[i
].page_ptr
)
817 on_lru
= list_lru_del(&binder_alloc_lru
,
818 &alloc
->pages
[i
].lru
);
819 page_addr
= alloc
->buffer
+ i
* PAGE_SIZE
;
820 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC
,
821 "%s: %d: page %d at %pK %s\n",
822 __func__
, alloc
->pid
, i
, page_addr
,
823 on_lru
? "on lru" : "active");
824 unmap_kernel_range((unsigned long)page_addr
, PAGE_SIZE
);
825 __free_page(alloc
->pages
[i
].page_ptr
);
829 vfree(alloc
->buffer
);
831 mutex_unlock(&alloc
->mutex
);
832 if (alloc
->vma_vm_mm
)
833 mmdrop(alloc
->vma_vm_mm
);
835 binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE
,
836 "%s: %d buffers %d, pages %d\n",
837 __func__
, alloc
->pid
, buffers
, page_count
);
840 static void print_binder_buffer(struct seq_file
*m
, const char *prefix
,
841 struct binder_buffer
*buffer
)
843 seq_printf(m
, "%s %d: %pK size %zd:%zd:%zd %s\n",
844 prefix
, buffer
->debug_id
, buffer
->data
,
845 buffer
->data_size
, buffer
->offsets_size
,
846 buffer
->extra_buffers_size
,
847 buffer
->transaction
? "active" : "delivered");
851 * binder_alloc_print_allocated() - print buffer info
852 * @m: seq_file for output via seq_printf()
853 * @alloc: binder_alloc for this proc
855 * Prints information about every buffer associated with
856 * the binder_alloc state to the given seq_file
858 void binder_alloc_print_allocated(struct seq_file
*m
,
859 struct binder_alloc
*alloc
)
863 mutex_lock(&alloc
->mutex
);
864 for (n
= rb_first(&alloc
->allocated_buffers
); n
!= NULL
; n
= rb_next(n
))
865 print_binder_buffer(m
, " buffer",
866 rb_entry(n
, struct binder_buffer
, rb_node
));
867 mutex_unlock(&alloc
->mutex
);
871 * binder_alloc_print_pages() - print page usage
872 * @m: seq_file for output via seq_printf()
873 * @alloc: binder_alloc for this proc
875 void binder_alloc_print_pages(struct seq_file
*m
,
876 struct binder_alloc
*alloc
)
878 struct binder_lru_page
*page
;
884 mutex_lock(&alloc
->mutex
);
886 * Make sure the binder_alloc is fully initialized, otherwise we might
887 * read inconsistent state.
889 if (binder_alloc_get_vma(alloc
) != NULL
) {
890 for (i
= 0; i
< alloc
->buffer_size
/ PAGE_SIZE
; i
++) {
891 page
= &alloc
->pages
[i
];
894 else if (list_empty(&page
->lru
))
900 mutex_unlock(&alloc
->mutex
);
901 seq_printf(m
, " pages: %d:%d:%d\n", active
, lru
, free
);
902 seq_printf(m
, " pages high watermark: %zu\n", alloc
->pages_high
);
906 * binder_alloc_get_allocated_count() - return count of buffers
907 * @alloc: binder_alloc for this proc
909 * Return: count of allocated buffers
911 int binder_alloc_get_allocated_count(struct binder_alloc
*alloc
)
916 mutex_lock(&alloc
->mutex
);
917 for (n
= rb_first(&alloc
->allocated_buffers
); n
!= NULL
; n
= rb_next(n
))
919 mutex_unlock(&alloc
->mutex
);
925 * binder_alloc_vma_close() - invalidate address space
926 * @alloc: binder_alloc for this proc
928 * Called from binder_vma_close() when releasing address space.
929 * Clears alloc->vma to prevent new incoming transactions from
930 * allocating more buffers.
932 void binder_alloc_vma_close(struct binder_alloc
*alloc
)
934 binder_alloc_set_vma(alloc
, NULL
);
938 * binder_alloc_free_page() - shrinker callback to free pages
939 * @item: item to free
940 * @lock: lock protecting the item
941 * @cb_arg: callback argument
943 * Called from list_lru_walk() in binder_shrink_scan() to free
944 * up pages when the system is under memory pressure.
946 enum lru_status
binder_alloc_free_page(struct list_head
*item
,
947 struct list_lru_one
*lru
,
951 struct mm_struct
*mm
= NULL
;
952 struct binder_lru_page
*page
= container_of(item
,
953 struct binder_lru_page
,
955 struct binder_alloc
*alloc
;
958 struct vm_area_struct
*vma
;
961 if (!mutex_trylock(&alloc
->mutex
))
962 goto err_get_alloc_mutex_failed
;
965 goto err_page_already_freed
;
967 index
= page
- alloc
->pages
;
968 page_addr
= (uintptr_t)alloc
->buffer
+ index
* PAGE_SIZE
;
970 mm
= alloc
->vma_vm_mm
;
971 if (!mmget_not_zero(mm
))
973 if (!down_read_trylock(&mm
->mmap_sem
))
974 goto err_down_read_mmap_sem_failed
;
975 vma
= binder_alloc_get_vma(alloc
);
977 list_lru_isolate(lru
, item
);
981 trace_binder_unmap_user_start(alloc
, index
);
984 page_addr
+ alloc
->user_buffer_offset
,
987 trace_binder_unmap_user_end(alloc
, index
);
989 up_read(&mm
->mmap_sem
);
992 trace_binder_unmap_kernel_start(alloc
, index
);
994 unmap_kernel_range(page_addr
, PAGE_SIZE
);
995 __free_page(page
->page_ptr
);
996 page
->page_ptr
= NULL
;
998 trace_binder_unmap_kernel_end(alloc
, index
);
1001 mutex_unlock(&alloc
->mutex
);
1002 return LRU_REMOVED_RETRY
;
1004 err_down_read_mmap_sem_failed
:
1007 err_page_already_freed
:
1008 mutex_unlock(&alloc
->mutex
);
1009 err_get_alloc_mutex_failed
:
1013 static unsigned long
1014 binder_shrink_count(struct shrinker
*shrink
, struct shrink_control
*sc
)
1016 unsigned long ret
= list_lru_count(&binder_alloc_lru
);
1020 static unsigned long
1021 binder_shrink_scan(struct shrinker
*shrink
, struct shrink_control
*sc
)
1025 ret
= list_lru_walk(&binder_alloc_lru
, binder_alloc_free_page
,
1026 NULL
, sc
->nr_to_scan
);
1030 static struct shrinker binder_shrinker
= {
1031 .count_objects
= binder_shrink_count
,
1032 .scan_objects
= binder_shrink_scan
,
1033 .seeks
= DEFAULT_SEEKS
,
1037 * binder_alloc_init() - called by binder_open() for per-proc initialization
1038 * @alloc: binder_alloc for this proc
1040 * Called from binder_open() to initialize binder_alloc fields for
1043 void binder_alloc_init(struct binder_alloc
*alloc
)
1045 alloc
->pid
= current
->group_leader
->pid
;
1046 mutex_init(&alloc
->mutex
);
1047 INIT_LIST_HEAD(&alloc
->buffers
);
1050 int binder_alloc_shrinker_init(void)
1052 int ret
= list_lru_init(&binder_alloc_lru
);
1055 ret
= register_shrinker(&binder_shrinker
);
1057 list_lru_destroy(&binder_alloc_lru
);