search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
perf bpf: Move perf_event_output() from stdio.h to bpf.h
[linux/fpc-iii.git] / drivers / android / binder_alloc.c
blob030c98f35cca73aaf5168f559e259e658b5d05ad
1 /* binder_alloc.c
2 *
3 * Android IPC Subsystem
4 *
5 * Copyright (C) 2007-2017 Google, Inc.
6 *
7 * This software is licensed under the terms of the GNU General Public
8 * License version 2, as published by the Free Software Foundation, and
9 * may be copied, distributed, and modified under those terms.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 */
17
18 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
19
20 #include <linux/list.h>
21 #include <linux/sched/mm.h>
22 #include <linux/module.h>
23 #include <linux/rtmutex.h>
24 #include <linux/rbtree.h>
25 #include <linux/seq_file.h>
26 #include <linux/vmalloc.h>
27 #include <linux/slab.h>
28 #include <linux/sched.h>
29 #include <linux/list_lru.h>
30 #include <linux/ratelimit.h>
31 #include <asm/cacheflush.h>
32 #include "binder_alloc.h"
33 #include "binder_trace.h"
34
35 struct list_lru binder_alloc_lru;
36
37 static DEFINE_MUTEX(binder_alloc_mmap_lock);
38
39 enum {
40 BINDER_DEBUG_USER_ERROR = 1U << 0,
41 BINDER_DEBUG_OPEN_CLOSE = 1U << 1,
42 BINDER_DEBUG_BUFFER_ALLOC = 1U << 2,
43 BINDER_DEBUG_BUFFER_ALLOC_ASYNC = 1U << 3,
44 };
45 static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
46
47 module_param_named(debug_mask, binder_alloc_debug_mask,
48 uint, 0644);
49
50 #define binder_alloc_debug(mask, x...) \
51 do { \
52 if (binder_alloc_debug_mask & mask) \
53 pr_info_ratelimited(x); \
54 } while (0)
55
56 static struct binder_buffer *binder_buffer_next(struct binder_buffer *buffer)
57 {
58 return list_entry(buffer->entry.next, struct binder_buffer, entry);
59 }
60
61 static struct binder_buffer *binder_buffer_prev(struct binder_buffer *buffer)
62 {
63 return list_entry(buffer->entry.prev, struct binder_buffer, entry);
64 }
65
66 static size_t binder_alloc_buffer_size(struct binder_alloc *alloc,
67 struct binder_buffer *buffer)
68 {
69 if (list_is_last(&buffer->entry, &alloc->buffers))
70 return (u8 *)alloc->buffer +
71 alloc->buffer_size - (u8 *)buffer->data;
72 return (u8 *)binder_buffer_next(buffer)->data - (u8 *)buffer->data;
73 }
74
75 static void binder_insert_free_buffer(struct binder_alloc *alloc,
76 struct binder_buffer *new_buffer)
77 {
78 struct rb_node **p = &alloc->free_buffers.rb_node;
79 struct rb_node *parent = NULL;
80 struct binder_buffer *buffer;
81 size_t buffer_size;
82 size_t new_buffer_size;
83
84 BUG_ON(!new_buffer->free);
85
86 new_buffer_size = binder_alloc_buffer_size(alloc, new_buffer);
87
88 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
89 "%d: add free buffer, size %zd, at %pK\n",
90 alloc->pid, new_buffer_size, new_buffer);
91
92 while (*p) {
93 parent = *p;
94 buffer = rb_entry(parent, struct binder_buffer, rb_node);
95 BUG_ON(!buffer->free);
96
97 buffer_size = binder_alloc_buffer_size(alloc, buffer);
98
99 if (new_buffer_size < buffer_size)
100 p = &parent->rb_left;
101 else
102 p = &parent->rb_right;
103 }
104 rb_link_node(&new_buffer->rb_node, parent, p);
105 rb_insert_color(&new_buffer->rb_node, &alloc->free_buffers);
106 }
107
108 static void binder_insert_allocated_buffer_locked(
109 struct binder_alloc *alloc, struct binder_buffer *new_buffer)
110 {
111 struct rb_node **p = &alloc->allocated_buffers.rb_node;
112 struct rb_node *parent = NULL;
113 struct binder_buffer *buffer;
114
115 BUG_ON(new_buffer->free);
116
117 while (*p) {
118 parent = *p;
119 buffer = rb_entry(parent, struct binder_buffer, rb_node);
120 BUG_ON(buffer->free);
121
122 if (new_buffer->data < buffer->data)
123 p = &parent->rb_left;
124 else if (new_buffer->data > buffer->data)
125 p = &parent->rb_right;
126 else
127 BUG();
128 }
129 rb_link_node(&new_buffer->rb_node, parent, p);
130 rb_insert_color(&new_buffer->rb_node, &alloc->allocated_buffers);
131 }
132
133 static struct binder_buffer *binder_alloc_prepare_to_free_locked(
134 struct binder_alloc *alloc,
135 uintptr_t user_ptr)
136 {
137 struct rb_node *n = alloc->allocated_buffers.rb_node;
138 struct binder_buffer *buffer;
139 void *kern_ptr;
140
141 kern_ptr = (void *)(user_ptr - alloc->user_buffer_offset);
142
143 while (n) {
144 buffer = rb_entry(n, struct binder_buffer, rb_node);
145 BUG_ON(buffer->free);
146
147 if (kern_ptr < buffer->data)
148 n = n->rb_left;
149 else if (kern_ptr > buffer->data)
150 n = n->rb_right;
151 else {
152 /*
153 * Guard against user threads attempting to
154 * free the buffer when in use by kernel or
155 * after it's already been freed.
156 */
157 if (!buffer->allow_user_free)
158 return ERR_PTR(-EPERM);
159 buffer->allow_user_free = 0;
160 return buffer;
161 }
162 }
163 return NULL;
164 }
165
166 /**
167 * binder_alloc_buffer_lookup() - get buffer given user ptr
168 * @alloc: binder_alloc for this proc
169 * @user_ptr: User pointer to buffer data
170 *
171 * Validate userspace pointer to buffer data and return buffer corresponding to
172 * that user pointer. Search the rb tree for buffer that matches user data
173 * pointer.
174 *
175 * Return: Pointer to buffer or NULL
176 */
177 struct binder_buffer *binder_alloc_prepare_to_free(struct binder_alloc *alloc,
178 uintptr_t user_ptr)
179 {
180 struct binder_buffer *buffer;
181
182 mutex_lock(&alloc->mutex);
183 buffer = binder_alloc_prepare_to_free_locked(alloc, user_ptr);
184 mutex_unlock(&alloc->mutex);
185 return buffer;
186 }
187
188 static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
189 void *start, void *end)
190 {
191 void *page_addr;
192 unsigned long user_page_addr;
193 struct binder_lru_page *page;
194 struct vm_area_struct *vma = NULL;
195 struct mm_struct *mm = NULL;
196 bool need_mm = false;
197
198 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
199 "%d: %s pages %pK-%pK\n", alloc->pid,
200 allocate ? "allocate" : "free", start, end);
201
202 if (end <= start)
203 return 0;
204
205 trace_binder_update_page_range(alloc, allocate, start, end);
206
207 if (allocate == 0)
208 goto free_range;
209
210 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
211 page = &alloc->pages[(page_addr - alloc->buffer) / PAGE_SIZE];
212 if (!page->page_ptr) {
213 need_mm = true;
214 break;
215 }
216 }
217
218 if (need_mm && mmget_not_zero(alloc->vma_vm_mm))
219 mm = alloc->vma_vm_mm;
220
221 if (mm) {
222 down_read(&mm->mmap_sem);
223 vma = alloc->vma;
224 }
225
226 if (!vma && need_mm) {
227 binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
228 "%d: binder_alloc_buf failed to map pages in userspace, no vma\n",
229 alloc->pid);
230 goto err_no_vma;
231 }
232
233 for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {
234 int ret;
235 bool on_lru;
236 size_t index;
237
238 index = (page_addr - alloc->buffer) / PAGE_SIZE;
239 page = &alloc->pages[index];
240
241 if (page->page_ptr) {
242 trace_binder_alloc_lru_start(alloc, index);
243
244 on_lru = list_lru_del(&binder_alloc_lru, &page->lru);
245 WARN_ON(!on_lru);
246
247 trace_binder_alloc_lru_end(alloc, index);
248 continue;
249 }
250
251 if (WARN_ON(!vma))
252 goto err_page_ptr_cleared;
253
254 trace_binder_alloc_page_start(alloc, index);
255 page->page_ptr = alloc_page(GFP_KERNEL |
256 __GFP_HIGHMEM |
257 __GFP_ZERO);
258 if (!page->page_ptr) {
259 pr_err("%d: binder_alloc_buf failed for page at %pK\n",
260 alloc->pid, page_addr);
261 goto err_alloc_page_failed;
262 }
263 page->alloc = alloc;
264 INIT_LIST_HEAD(&page->lru);
265
266 ret = map_kernel_range_noflush((unsigned long)page_addr,
267 PAGE_SIZE, PAGE_KERNEL,
268 &page->page_ptr);
269 flush_cache_vmap((unsigned long)page_addr,
270 (unsigned long)page_addr + PAGE_SIZE);
271 if (ret != 1) {
272 pr_err("%d: binder_alloc_buf failed to map page at %pK in kernel\n",
273 alloc->pid, page_addr);
274 goto err_map_kernel_failed;
275 }
276 user_page_addr =
277 (uintptr_t)page_addr + alloc->user_buffer_offset;
278 ret = vm_insert_page(vma, user_page_addr, page[0].page_ptr);
279 if (ret) {
280 pr_err("%d: binder_alloc_buf failed to map page at %lx in userspace\n",
281 alloc->pid, user_page_addr);
282 goto err_vm_insert_page_failed;
283 }
284
285 if (index + 1 > alloc->pages_high)
286 alloc->pages_high = index + 1;
287
288 trace_binder_alloc_page_end(alloc, index);
289 /* vm_insert_page does not seem to increment the refcount */
290 }
291 if (mm) {
292 up_read(&mm->mmap_sem);
293 mmput(mm);
294 }
295 return 0;
296
297 free_range:
298 for (page_addr = end - PAGE_SIZE; page_addr >= start;
299 page_addr -= PAGE_SIZE) {
300 bool ret;
301 size_t index;
302
303 index = (page_addr - alloc->buffer) / PAGE_SIZE;
304 page = &alloc->pages[index];
305
306 trace_binder_free_lru_start(alloc, index);
307
308 ret = list_lru_add(&binder_alloc_lru, &page->lru);
309 WARN_ON(!ret);
310
311 trace_binder_free_lru_end(alloc, index);
312 continue;
313
314 err_vm_insert_page_failed:
315 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE);
316 err_map_kernel_failed:
317 __free_page(page->page_ptr);
318 page->page_ptr = NULL;
319 err_alloc_page_failed:
320 err_page_ptr_cleared:
321 ;
322 }
323 err_no_vma:
324 if (mm) {
325 up_read(&mm->mmap_sem);
326 mmput(mm);
327 }
328 return vma ? -ENOMEM : -ESRCH;
329 }
330
331
332 static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
333 struct vm_area_struct *vma)
334 {
335 if (vma)
336 alloc->vma_vm_mm = vma->vm_mm;
337 /*
338 * If we see alloc->vma is not NULL, buffer data structures set up
339 * completely. Look at smp_rmb side binder_alloc_get_vma.
340 * We also want to guarantee new alloc->vma_vm_mm is always visible
341 * if alloc->vma is set.
342 */
343 smp_wmb();
344 alloc->vma = vma;
345 }
346
347 static inline struct vm_area_struct *binder_alloc_get_vma(
348 struct binder_alloc *alloc)
349 {
350 struct vm_area_struct *vma = NULL;
351
352 if (alloc->vma) {
353 /* Look at description in binder_alloc_set_vma */
354 smp_rmb();
355 vma = alloc->vma;
356 }
357 return vma;
358 }
359
360 static struct binder_buffer *binder_alloc_new_buf_locked(
361 struct binder_alloc *alloc,
362 size_t data_size,
363 size_t offsets_size,
364 size_t extra_buffers_size,
365 int is_async)
366 {
367 struct rb_node *n = alloc->free_buffers.rb_node;
368 struct binder_buffer *buffer;
369 size_t buffer_size;
370 struct rb_node *best_fit = NULL;
371 void *has_page_addr;
372 void *end_page_addr;
373 size_t size, data_offsets_size;
374 int ret;
375
376 if (!binder_alloc_get_vma(alloc)) {
377 binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
378 "%d: binder_alloc_buf, no vma\n",
379 alloc->pid);
380 return ERR_PTR(-ESRCH);
381 }
382
383 data_offsets_size = ALIGN(data_size, sizeof(void *)) +
384 ALIGN(offsets_size, sizeof(void *));
385
386 if (data_offsets_size < data_size || data_offsets_size < offsets_size) {
387 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
388 "%d: got transaction with invalid size %zd-%zd\n",
389 alloc->pid, data_size, offsets_size);
390 return ERR_PTR(-EINVAL);
391 }
392 size = data_offsets_size + ALIGN(extra_buffers_size, sizeof(void *));
393 if (size < data_offsets_size || size < extra_buffers_size) {
394 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
395 "%d: got transaction with invalid extra_buffers_size %zd\n",
396 alloc->pid, extra_buffers_size);
397 return ERR_PTR(-EINVAL);
398 }
399 if (is_async &&
400 alloc->free_async_space < size + sizeof(struct binder_buffer)) {
401 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
402 "%d: binder_alloc_buf size %zd failed, no async space left\n",
403 alloc->pid, size);
404 return ERR_PTR(-ENOSPC);
405 }
406
407 /* Pad 0-size buffers so they get assigned unique addresses */
408 size = max(size, sizeof(void *));
409
410 while (n) {
411 buffer = rb_entry(n, struct binder_buffer, rb_node);
412 BUG_ON(!buffer->free);
413 buffer_size = binder_alloc_buffer_size(alloc, buffer);
414
415 if (size < buffer_size) {
416 best_fit = n;
417 n = n->rb_left;
418 } else if (size > buffer_size)
419 n = n->rb_right;
420 else {
421 best_fit = n;
422 break;
423 }
424 }
425 if (best_fit == NULL) {
426 size_t allocated_buffers = 0;
427 size_t largest_alloc_size = 0;
428 size_t total_alloc_size = 0;
429 size_t free_buffers = 0;
430 size_t largest_free_size = 0;
431 size_t total_free_size = 0;
432
433 for (n = rb_first(&alloc->allocated_buffers); n != NULL;
434 n = rb_next(n)) {
435 buffer = rb_entry(n, struct binder_buffer, rb_node);
436 buffer_size = binder_alloc_buffer_size(alloc, buffer);
437 allocated_buffers++;
438 total_alloc_size += buffer_size;
439 if (buffer_size > largest_alloc_size)
440 largest_alloc_size = buffer_size;
441 }
442 for (n = rb_first(&alloc->free_buffers); n != NULL;
443 n = rb_next(n)) {
444 buffer = rb_entry(n, struct binder_buffer, rb_node);
445 buffer_size = binder_alloc_buffer_size(alloc, buffer);
446 free_buffers++;
447 total_free_size += buffer_size;
448 if (buffer_size > largest_free_size)
449 largest_free_size = buffer_size;
450 }
451 binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
452 "%d: binder_alloc_buf size %zd failed, no address space\n",
453 alloc->pid, size);
454 binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
455 "allocated: %zd (num: %zd largest: %zd), free: %zd (num: %zd largest: %zd)\n",
456 total_alloc_size, allocated_buffers,
457 largest_alloc_size, total_free_size,
458 free_buffers, largest_free_size);
459 return ERR_PTR(-ENOSPC);
460 }
461 if (n == NULL) {
462 buffer = rb_entry(best_fit, struct binder_buffer, rb_node);
463 buffer_size = binder_alloc_buffer_size(alloc, buffer);
464 }
465
466 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
467 "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n",
468 alloc->pid, size, buffer, buffer_size);
469
470 has_page_addr =
471 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK);
472 WARN_ON(n && buffer_size != size);
473 end_page_addr =
474 (void *)PAGE_ALIGN((uintptr_t)buffer->data + size);
475 if (end_page_addr > has_page_addr)
476 end_page_addr = has_page_addr;
477 ret = binder_update_page_range(alloc, 1,
478 (void *)PAGE_ALIGN((uintptr_t)buffer->data), end_page_addr);
479 if (ret)
480 return ERR_PTR(ret);
481
482 if (buffer_size != size) {
483 struct binder_buffer *new_buffer;
484
485 new_buffer = kzalloc(sizeof(*buffer), GFP_KERNEL);
486 if (!new_buffer) {
487 pr_err("%s: %d failed to alloc new buffer struct\n",
488 __func__, alloc->pid);
489 goto err_alloc_buf_struct_failed;
490 }
491 new_buffer->data = (u8 *)buffer->data + size;
492 list_add(&new_buffer->entry, &buffer->entry);
493 new_buffer->free = 1;
494 binder_insert_free_buffer(alloc, new_buffer);
495 }
496
497 rb_erase(best_fit, &alloc->free_buffers);
498 buffer->free = 0;
499 buffer->allow_user_free = 0;
500 binder_insert_allocated_buffer_locked(alloc, buffer);
501 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
502 "%d: binder_alloc_buf size %zd got %pK\n",
503 alloc->pid, size, buffer);
504 buffer->data_size = data_size;
505 buffer->offsets_size = offsets_size;
506 buffer->async_transaction = is_async;
507 buffer->extra_buffers_size = extra_buffers_size;
508 if (is_async) {
509 alloc->free_async_space -= size + sizeof(struct binder_buffer);
510 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
511 "%d: binder_alloc_buf size %zd async free %zd\n",
512 alloc->pid, size, alloc->free_async_space);
513 }
514 return buffer;
515
516 err_alloc_buf_struct_failed:
517 binder_update_page_range(alloc, 0,
518 (void *)PAGE_ALIGN((uintptr_t)buffer->data),
519 end_page_addr);
520 return ERR_PTR(-ENOMEM);
521 }
522
523 /**
524 * binder_alloc_new_buf() - Allocate a new binder buffer
525 * @alloc: binder_alloc for this proc
526 * @data_size: size of user data buffer
527 * @offsets_size: user specified buffer offset
528 * @extra_buffers_size: size of extra space for meta-data (eg, security context)
529 * @is_async: buffer for async transaction
530 *
531 * Allocate a new buffer given the requested sizes. Returns
532 * the kernel version of the buffer pointer. The size allocated
533 * is the sum of the three given sizes (each rounded up to
534 * pointer-sized boundary)
535 *
536 * Return: The allocated buffer or %NULL if error
537 */
538 struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
539 size_t data_size,
540 size_t offsets_size,
541 size_t extra_buffers_size,
542 int is_async)
543 {
544 struct binder_buffer *buffer;
545
546 mutex_lock(&alloc->mutex);
547 buffer = binder_alloc_new_buf_locked(alloc, data_size, offsets_size,
548 extra_buffers_size, is_async);
549 mutex_unlock(&alloc->mutex);
550 return buffer;
551 }
552
553 static void *buffer_start_page(struct binder_buffer *buffer)
554 {
555 return (void *)((uintptr_t)buffer->data & PAGE_MASK);
556 }
557
558 static void *prev_buffer_end_page(struct binder_buffer *buffer)
559 {
560 return (void *)(((uintptr_t)(buffer->data) - 1) & PAGE_MASK);
561 }
562
563 static void binder_delete_free_buffer(struct binder_alloc *alloc,
564 struct binder_buffer *buffer)
565 {
566 struct binder_buffer *prev, *next = NULL;
567 bool to_free = true;
568 BUG_ON(alloc->buffers.next == &buffer->entry);
569 prev = binder_buffer_prev(buffer);
570 BUG_ON(!prev->free);
571 if (prev_buffer_end_page(prev) == buffer_start_page(buffer)) {
572 to_free = false;
573 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
574 "%d: merge free, buffer %pK share page with %pK\n",
575 alloc->pid, buffer->data, prev->data);
576 }
577
578 if (!list_is_last(&buffer->entry, &alloc->buffers)) {
579 next = binder_buffer_next(buffer);
580 if (buffer_start_page(next) == buffer_start_page(buffer)) {
581 to_free = false;
582 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
583 "%d: merge free, buffer %pK share page with %pK\n",
584 alloc->pid,
585 buffer->data,
586 next->data);
587 }
588 }
589
590 if (PAGE_ALIGNED(buffer->data)) {
591 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
592 "%d: merge free, buffer start %pK is page aligned\n",
593 alloc->pid, buffer->data);
594 to_free = false;
595 }
596
597 if (to_free) {
598 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
599 "%d: merge free, buffer %pK do not share page with %pK or %pK\n",
600 alloc->pid, buffer->data,
601 prev->data, next ? next->data : NULL);
602 binder_update_page_range(alloc, 0, buffer_start_page(buffer),
603 buffer_start_page(buffer) + PAGE_SIZE);
604 }
605 list_del(&buffer->entry);
606 kfree(buffer);
607 }
608
609 static void binder_free_buf_locked(struct binder_alloc *alloc,
610 struct binder_buffer *buffer)
611 {
612 size_t size, buffer_size;
613
614 buffer_size = binder_alloc_buffer_size(alloc, buffer);
615
616 size = ALIGN(buffer->data_size, sizeof(void *)) +
617 ALIGN(buffer->offsets_size, sizeof(void *)) +
618 ALIGN(buffer->extra_buffers_size, sizeof(void *));
619
620 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
621 "%d: binder_free_buf %pK size %zd buffer_size %zd\n",
622 alloc->pid, buffer, size, buffer_size);
623
624 BUG_ON(buffer->free);
625 BUG_ON(size > buffer_size);
626 BUG_ON(buffer->transaction != NULL);
627 BUG_ON(buffer->data < alloc->buffer);
628 BUG_ON(buffer->data > alloc->buffer + alloc->buffer_size);
629
630 if (buffer->async_transaction) {
631 alloc->free_async_space += size + sizeof(struct binder_buffer);
632
633 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
634 "%d: binder_free_buf size %zd async free %zd\n",
635 alloc->pid, size, alloc->free_async_space);
636 }
637
638 binder_update_page_range(alloc, 0,
639 (void *)PAGE_ALIGN((uintptr_t)buffer->data),
640 (void *)(((uintptr_t)buffer->data + buffer_size) & PAGE_MASK));
641
642 rb_erase(&buffer->rb_node, &alloc->allocated_buffers);
643 buffer->free = 1;
644 if (!list_is_last(&buffer->entry, &alloc->buffers)) {
645 struct binder_buffer *next = binder_buffer_next(buffer);
646
647 if (next->free) {
648 rb_erase(&next->rb_node, &alloc->free_buffers);
649 binder_delete_free_buffer(alloc, next);
650 }
651 }
652 if (alloc->buffers.next != &buffer->entry) {
653 struct binder_buffer *prev = binder_buffer_prev(buffer);
654
655 if (prev->free) {
656 binder_delete_free_buffer(alloc, buffer);
657 rb_erase(&prev->rb_node, &alloc->free_buffers);
658 buffer = prev;
659 }
660 }
661 binder_insert_free_buffer(alloc, buffer);
662 }
663
664 /**
665 * binder_alloc_free_buf() - free a binder buffer
666 * @alloc: binder_alloc for this proc
667 * @buffer: kernel pointer to buffer
668 *
669 * Free the buffer allocated via binder_alloc_new_buffer()
670 */
671 void binder_alloc_free_buf(struct binder_alloc *alloc,
672 struct binder_buffer *buffer)
673 {
674 mutex_lock(&alloc->mutex);
675 binder_free_buf_locked(alloc, buffer);
676 mutex_unlock(&alloc->mutex);
677 }
678
679 /**
680 * binder_alloc_mmap_handler() - map virtual address space for proc
681 * @alloc: alloc structure for this proc
682 * @vma: vma passed to mmap()
683 *
684 * Called by binder_mmap() to initialize the space specified in
685 * vma for allocating binder buffers
686 *
687 * Return:
688 * 0 = success
689 * -EBUSY = address space already mapped
690 * -ENOMEM = failed to map memory to given address space
691 */
692 int binder_alloc_mmap_handler(struct binder_alloc *alloc,
693 struct vm_area_struct *vma)
694 {
695 int ret;
696 struct vm_struct *area;
697 const char *failure_string;
698 struct binder_buffer *buffer;
699
700 mutex_lock(&binder_alloc_mmap_lock);
701 if (alloc->buffer) {
702 ret = -EBUSY;
703 failure_string = "already mapped";
704 goto err_already_mapped;
705 }
706
707 area = get_vm_area(vma->vm_end - vma->vm_start, VM_ALLOC);
708 if (area == NULL) {
709 ret = -ENOMEM;
710 failure_string = "get_vm_area";
711 goto err_get_vm_area_failed;
712 }
713 alloc->buffer = area->addr;
714 alloc->user_buffer_offset =
715 vma->vm_start - (uintptr_t)alloc->buffer;
716 mutex_unlock(&binder_alloc_mmap_lock);
717
718 #ifdef CONFIG_CPU_CACHE_VIPT
719 if (cache_is_vipt_aliasing()) {
720 while (CACHE_COLOUR(
721 (vma->vm_start ^ (uint32_t)alloc->buffer))) {
722 pr_info("%s: %d %lx-%lx maps %pK bad alignment\n",
723 __func__, alloc->pid, vma->vm_start,
724 vma->vm_end, alloc->buffer);
725 vma->vm_start += PAGE_SIZE;
726 }
727 }
728 #endif
729 alloc->pages = kcalloc((vma->vm_end - vma->vm_start) / PAGE_SIZE,
730 sizeof(alloc->pages[0]),
731 GFP_KERNEL);
732 if (alloc->pages == NULL) {
733 ret = -ENOMEM;
734 failure_string = "alloc page array";
735 goto err_alloc_pages_failed;
736 }
737 alloc->buffer_size = vma->vm_end - vma->vm_start;
738
739 buffer = kzalloc(sizeof(*buffer), GFP_KERNEL);
740 if (!buffer) {
741 ret = -ENOMEM;
742 failure_string = "alloc buffer struct";
743 goto err_alloc_buf_struct_failed;
744 }
745
746 buffer->data = alloc->buffer;
747 list_add(&buffer->entry, &alloc->buffers);
748 buffer->free = 1;
749 binder_insert_free_buffer(alloc, buffer);
750 alloc->free_async_space = alloc->buffer_size / 2;
751 binder_alloc_set_vma(alloc, vma);
752 mmgrab(alloc->vma_vm_mm);
753
754 return 0;
755
756 err_alloc_buf_struct_failed:
757 kfree(alloc->pages);
758 alloc->pages = NULL;
759 err_alloc_pages_failed:
760 mutex_lock(&binder_alloc_mmap_lock);
761 vfree(alloc->buffer);
762 alloc->buffer = NULL;
763 err_get_vm_area_failed:
764 err_already_mapped:
765 mutex_unlock(&binder_alloc_mmap_lock);
766 binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
767 "%s: %d %lx-%lx %s failed %d\n", __func__,
768 alloc->pid, vma->vm_start, vma->vm_end,
769 failure_string, ret);
770 return ret;
771 }
772
773
774 void binder_alloc_deferred_release(struct binder_alloc *alloc)
775 {
776 struct rb_node *n;
777 int buffers, page_count;
778 struct binder_buffer *buffer;
779
780 buffers = 0;
781 mutex_lock(&alloc->mutex);
782 BUG_ON(alloc->vma);
783
784 while ((n = rb_first(&alloc->allocated_buffers))) {
785 buffer = rb_entry(n, struct binder_buffer, rb_node);
786
787 /* Transaction should already have been freed */
788 BUG_ON(buffer->transaction);
789
790 binder_free_buf_locked(alloc, buffer);
791 buffers++;
792 }
793
794 while (!list_empty(&alloc->buffers)) {
795 buffer = list_first_entry(&alloc->buffers,
796 struct binder_buffer, entry);
797 WARN_ON(!buffer->free);
798
799 list_del(&buffer->entry);
800 WARN_ON_ONCE(!list_empty(&alloc->buffers));
801 kfree(buffer);
802 }
803
804 page_count = 0;
805 if (alloc->pages) {
806 int i;
807
808 for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
809 void *page_addr;
810 bool on_lru;
811
812 if (!alloc->pages[i].page_ptr)
813 continue;
814
815 on_lru = list_lru_del(&binder_alloc_lru,
816 &alloc->pages[i].lru);
817 page_addr = alloc->buffer + i * PAGE_SIZE;
818 binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
819 "%s: %d: page %d at %pK %s\n",
820 __func__, alloc->pid, i, page_addr,
821 on_lru ? "on lru" : "active");
822 unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE);
823 __free_page(alloc->pages[i].page_ptr);
824 page_count++;
825 }
826 kfree(alloc->pages);
827 vfree(alloc->buffer);
828 }
829 mutex_unlock(&alloc->mutex);
830 if (alloc->vma_vm_mm)
831 mmdrop(alloc->vma_vm_mm);
832
833 binder_alloc_debug(BINDER_DEBUG_OPEN_CLOSE,
834 "%s: %d buffers %d, pages %d\n",
835 __func__, alloc->pid, buffers, page_count);
836 }
837
838 static void print_binder_buffer(struct seq_file *m, const char *prefix,
839 struct binder_buffer *buffer)
840 {
841 seq_printf(m, "%s %d: %pK size %zd:%zd:%zd %s\n",
842 prefix, buffer->debug_id, buffer->data,
843 buffer->data_size, buffer->offsets_size,
844 buffer->extra_buffers_size,
845 buffer->transaction ? "active" : "delivered");
846 }
847
848 /**
849 * binder_alloc_print_allocated() - print buffer info
850 * @m: seq_file for output via seq_printf()
851 * @alloc: binder_alloc for this proc
852 *
853 * Prints information about every buffer associated with
854 * the binder_alloc state to the given seq_file
855 */
856 void binder_alloc_print_allocated(struct seq_file *m,
857 struct binder_alloc *alloc)
858 {
859 struct rb_node *n;
860
861 mutex_lock(&alloc->mutex);
862 for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n))
863 print_binder_buffer(m, " buffer",
864 rb_entry(n, struct binder_buffer, rb_node));
865 mutex_unlock(&alloc->mutex);
866 }
867
868 /**
869 * binder_alloc_print_pages() - print page usage
870 * @m: seq_file for output via seq_printf()
871 * @alloc: binder_alloc for this proc
872 */
873 void binder_alloc_print_pages(struct seq_file *m,
874 struct binder_alloc *alloc)
875 {
876 struct binder_lru_page *page;
877 int i;
878 int active = 0;
879 int lru = 0;
880 int free = 0;
881
882 mutex_lock(&alloc->mutex);
883 for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
884 page = &alloc->pages[i];
885 if (!page->page_ptr)
886 free++;
887 else if (list_empty(&page->lru))
888 active++;
889 else
890 lru++;
891 }
892 mutex_unlock(&alloc->mutex);
893 seq_printf(m, " pages: %d:%d:%d\n", active, lru, free);
894 seq_printf(m, " pages high watermark: %zu\n", alloc->pages_high);
895 }
896
897 /**
898 * binder_alloc_get_allocated_count() - return count of buffers
899 * @alloc: binder_alloc for this proc
900 *
901 * Return: count of allocated buffers
902 */
903 int binder_alloc_get_allocated_count(struct binder_alloc *alloc)
904 {
905 struct rb_node *n;
906 int count = 0;
907
908 mutex_lock(&alloc->mutex);
909 for (n = rb_first(&alloc->allocated_buffers); n != NULL; n = rb_next(n))
910 count++;
911 mutex_unlock(&alloc->mutex);
912 return count;
913 }
914
915
916 /**
917 * binder_alloc_vma_close() - invalidate address space
918 * @alloc: binder_alloc for this proc
919 *
920 * Called from binder_vma_close() when releasing address space.
921 * Clears alloc->vma to prevent new incoming transactions from
922 * allocating more buffers.
923 */
924 void binder_alloc_vma_close(struct binder_alloc *alloc)
925 {
926 binder_alloc_set_vma(alloc, NULL);
927 }
928
929 /**
930 * binder_alloc_free_page() - shrinker callback to free pages
931 * @item: item to free
932 * @lock: lock protecting the item
933 * @cb_arg: callback argument
934 *
935 * Called from list_lru_walk() in binder_shrink_scan() to free
936 * up pages when the system is under memory pressure.
937 */
938 enum lru_status binder_alloc_free_page(struct list_head *item,
939 struct list_lru_one *lru,
940 spinlock_t *lock,
941 void *cb_arg)
942 {
943 struct mm_struct *mm = NULL;
944 struct binder_lru_page *page = container_of(item,
945 struct binder_lru_page,
946 lru);
947 struct binder_alloc *alloc;
948 uintptr_t page_addr;
949 size_t index;
950 struct vm_area_struct *vma;
951
952 alloc = page->alloc;
953 if (!mutex_trylock(&alloc->mutex))
954 goto err_get_alloc_mutex_failed;
955
956 if (!page->page_ptr)
957 goto err_page_already_freed;
958
959 index = page - alloc->pages;
960 page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
961 vma = binder_alloc_get_vma(alloc);
962 if (vma) {
963 if (!mmget_not_zero(alloc->vma_vm_mm))
964 goto err_mmget;
965 mm = alloc->vma_vm_mm;
966 if (!down_write_trylock(&mm->mmap_sem))
967 goto err_down_write_mmap_sem_failed;
968 }
969
970 list_lru_isolate(lru, item);
971 spin_unlock(lock);
972
973 if (vma) {
974 trace_binder_unmap_user_start(alloc, index);
975
976 zap_page_range(vma,
977 page_addr + alloc->user_buffer_offset,
978 PAGE_SIZE);
979
980 trace_binder_unmap_user_end(alloc, index);
981
982 up_write(&mm->mmap_sem);
983 mmput(mm);
984 }
985
986 trace_binder_unmap_kernel_start(alloc, index);
987
988 unmap_kernel_range(page_addr, PAGE_SIZE);
989 __free_page(page->page_ptr);
990 page->page_ptr = NULL;
991
992 trace_binder_unmap_kernel_end(alloc, index);
993
994 spin_lock(lock);
995 mutex_unlock(&alloc->mutex);
996 return LRU_REMOVED_RETRY;
997
998 err_down_write_mmap_sem_failed:
999 mmput_async(mm);
1000 err_mmget:
1001 err_page_already_freed:
1002 mutex_unlock(&alloc->mutex);
1003 err_get_alloc_mutex_failed:
1004 return LRU_SKIP;
1005 }
1006
1007 static unsigned long
1008 binder_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
1009 {
1010 unsigned long ret = list_lru_count(&binder_alloc_lru);
1011 return ret;
1012 }
1013
1014 static unsigned long
1015 binder_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1016 {
1017 unsigned long ret;
1018
1019 ret = list_lru_walk(&binder_alloc_lru, binder_alloc_free_page,
1020 NULL, sc->nr_to_scan);
1021 return ret;
1022 }
1023
1024 static struct shrinker binder_shrinker = {
1025 .count_objects = binder_shrink_count,
1026 .scan_objects = binder_shrink_scan,
1027 .seeks = DEFAULT_SEEKS,
1028 };
1029
1030 /**
1031 * binder_alloc_init() - called by binder_open() for per-proc initialization
1032 * @alloc: binder_alloc for this proc
1033 *
1034 * Called from binder_open() to initialize binder_alloc fields for
1035 * new binder proc
1036 */
1037 void binder_alloc_init(struct binder_alloc *alloc)
1038 {
1039 alloc->pid = current->group_leader->pid;
1040 mutex_init(&alloc->mutex);
1041 INIT_LIST_HEAD(&alloc->buffers);
1042 }
1043
1044 int binder_alloc_shrinker_init(void)
1045 {
1046 int ret = list_lru_init(&binder_alloc_lru);
1047
1048 if (ret == 0) {
1049 ret = register_shrinker(&binder_shrinker);
1050 if (ret)
1051 list_lru_destroy(&binder_alloc_lru);
1052 }
1053 return ret;
1054 }
Linux with added FPC-III support