[mirror_ubuntu-jammy-kernel.git] / drivers / android / binder_internal.h

/* SPDX-License-Identifier: GPL-2.0 */

#ifndef _LINUX_BINDER_INTERNAL_H
#define _LINUX_BINDER_INTERNAL_H

#include <linux/export.h>
#include <linux/fs.h>
#include <linux/kconfig.h>
#include <linux/list.h>
#include <linux/miscdevice.h>
#include <linux/mutex.h>
#include <linux/refcount.h>
#include <linux/stddef.h>
#include <linux/types.h>
#include <linux/uidgid.h>
#include <uapi/linux/android/binderfs.h>
#include "binder_alloc.h"

struct binder_context {
	struct binder_node *binder_context_mgr_node;
	struct mutex context_mgr_node_lock;
	kuid_t binder_context_mgr_uid;
	const char *name;
};

/**
 * struct binder_device - information about a binder device node
 * @hlist:          list of binder devices (only used for devices requested via
 *                  CONFIG_ANDROID_BINDER_DEVICES)
 * @miscdev:        information about a binder character device node
 * @context:        binder context information
 * @binderfs_inode: This is the inode of the root dentry of the super block
 *                  belonging to a binderfs mount.
 */
struct binder_device {
	struct hlist_node hlist;
	struct miscdevice miscdev;
	struct binder_context context;
	struct inode *binderfs_inode;
	refcount_t ref;
};

/**
 * binderfs_mount_opts - mount options for binderfs
 * @max: maximum number of allocatable binderfs binder devices
 * @stats_mode: enable binder stats in binderfs.
 */
struct binderfs_mount_opts {
	int max;
	int stats_mode;
};

/**
 * binderfs_info - information about a binderfs mount
 * @ipc_ns:         The ipc namespace the binderfs mount belongs to.
 * @control_dentry: This records the dentry of this binderfs mount
 *                  binder-control device.
 * @root_uid:       uid that needs to be used when a new binder device is
 *                  created.
 * @root_gid:       gid that needs to be used when a new binder device is
 *                  created.
 * @mount_opts:     The mount options in use.
 * @device_count:   The current number of allocated binder devices.
 * @proc_log_dir:   Pointer to the directory dentry containing process-specific
 *                  logs.
 */
struct binderfs_info {
	struct ipc_namespace *ipc_ns;
	struct dentry *control_dentry;
	kuid_t root_uid;
	kgid_t root_gid;
	struct binderfs_mount_opts mount_opts;
	int device_count;
	struct dentry *proc_log_dir;
};

extern const struct file_operations binder_fops;

extern char *binder_devices_param;

#if IS_ENABLED(CONFIG_ANDROID_BINDERFS)
extern bool is_binderfs_device(const struct inode *inode);
extern struct dentry *binderfs_create_file(struct dentry *dir, const char *name,
					   const struct file_operations *fops,
					   void *data);
extern void binderfs_remove_file(struct dentry *dentry);
#else
static inline bool is_binderfs_device(const struct inode *inode)
{
	return false;
}
static inline struct dentry *binderfs_create_file(struct dentry *dir,
					   const char *name,
					   const struct file_operations *fops,
					   void *data)
{
	return NULL;
}
static inline void binderfs_remove_file(struct dentry *dentry) {}
#endif

#if IS_ENABLED(CONFIG_ANDROID_BINDERFS)
extern int __init init_binderfs(void);
#else
static inline int __init init_binderfs(void)
{
	return 0;
}
#endif

int binder_stats_show(struct seq_file *m, void *unused);
DEFINE_SHOW_ATTRIBUTE(binder_stats);

int binder_state_show(struct seq_file *m, void *unused);
DEFINE_SHOW_ATTRIBUTE(binder_state);

int binder_transactions_show(struct seq_file *m, void *unused);
DEFINE_SHOW_ATTRIBUTE(binder_transactions);

int binder_transaction_log_show(struct seq_file *m, void *unused);
DEFINE_SHOW_ATTRIBUTE(binder_transaction_log);

struct binder_transaction_log_entry {
	int debug_id;
	int debug_id_done;
	int call_type;
	int from_proc;
	int from_thread;
	int target_handle;
	int to_proc;
	int to_thread;
	int to_node;
	int data_size;
	int offsets_size;
	int return_error_line;
	uint32_t return_error;
	uint32_t return_error_param;
	char context_name[BINDERFS_MAX_NAME + 1];
};

struct binder_transaction_log {
	atomic_t cur;
	bool full;
	struct binder_transaction_log_entry entry[32];
};

enum binder_stat_types {
	BINDER_STAT_PROC,
	BINDER_STAT_THREAD,
	BINDER_STAT_NODE,
	BINDER_STAT_REF,
	BINDER_STAT_DEATH,
	BINDER_STAT_TRANSACTION,
	BINDER_STAT_TRANSACTION_COMPLETE,
	BINDER_STAT_COUNT
};

struct binder_stats {
	atomic_t br[_IOC_NR(BR_ONEWAY_SPAM_SUSPECT) + 1];
	atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1];
	atomic_t obj_created[BINDER_STAT_COUNT];
	atomic_t obj_deleted[BINDER_STAT_COUNT];
};

/**
 * struct binder_work - work enqueued on a worklist
 * @entry:             node enqueued on list
 * @type:              type of work to be performed
 *
 * There are separate work lists for proc, thread, and node (async).
 */
struct binder_work {
	struct list_head entry;

	enum binder_work_type {
		BINDER_WORK_TRANSACTION = 1,
		BINDER_WORK_TRANSACTION_COMPLETE,
		BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT,
		BINDER_WORK_RETURN_ERROR,
		BINDER_WORK_NODE,
		BINDER_WORK_DEAD_BINDER,
		BINDER_WORK_DEAD_BINDER_AND_CLEAR,
		BINDER_WORK_CLEAR_DEATH_NOTIFICATION,
	} type;
};

struct binder_error {
	struct binder_work work;
	uint32_t cmd;
};

/**
 * struct binder_node - binder node bookkeeping
 * @debug_id:             unique ID for debugging
 *                        (invariant after initialized)
 * @lock:                 lock for node fields
 * @work:                 worklist element for node work
 *                        (protected by @proc->inner_lock)
 * @rb_node:              element for proc->nodes tree
 *                        (protected by @proc->inner_lock)
 * @dead_node:            element for binder_dead_nodes list
 *                        (protected by binder_dead_nodes_lock)
 * @proc:                 binder_proc that owns this node
 *                        (invariant after initialized)
 * @refs:                 list of references on this node
 *                        (protected by @lock)
 * @internal_strong_refs: used to take strong references when
 *                        initiating a transaction
 *                        (protected by @proc->inner_lock if @proc
 *                        and by @lock)
 * @local_weak_refs:      weak user refs from local process
 *                        (protected by @proc->inner_lock if @proc
 *                        and by @lock)
 * @local_strong_refs:    strong user refs from local process
 *                        (protected by @proc->inner_lock if @proc
 *                        and by @lock)
 * @tmp_refs:             temporary kernel refs
 *                        (protected by @proc->inner_lock while @proc
 *                        is valid, and by binder_dead_nodes_lock
 *                        if @proc is NULL. During inc/dec and node release
 *                        it is also protected by @lock to provide safety
 *                        as the node dies and @proc becomes NULL)
 * @ptr:                  userspace pointer for node
 *                        (invariant, no lock needed)
 * @cookie:               userspace cookie for node
 *                        (invariant, no lock needed)
 * @has_strong_ref:       userspace notified of strong ref
 *                        (protected by @proc->inner_lock if @proc
 *                        and by @lock)
 * @pending_strong_ref:   userspace has acked notification of strong ref
 *                        (protected by @proc->inner_lock if @proc
 *                        and by @lock)
 * @has_weak_ref:         userspace notified of weak ref
 *                        (protected by @proc->inner_lock if @proc
 *                        and by @lock)
 * @pending_weak_ref:     userspace has acked notification of weak ref
 *                        (protected by @proc->inner_lock if @proc
 *                        and by @lock)
 * @has_async_transaction: async transaction to node in progress
 *                        (protected by @lock)
 * @accept_fds:           file descriptor operations supported for node
 *                        (invariant after initialized)
 * @min_priority:         minimum scheduling priority
 *                        (invariant after initialized)
 * @txn_security_ctx:     require sender's security context
 *                        (invariant after initialized)
 * @async_todo:           list of async work items
 *                        (protected by @proc->inner_lock)
 *
 * Bookkeeping structure for binder nodes.
 */
struct binder_node {
	int debug_id;
	spinlock_t lock;
	struct binder_work work;
	union {
		struct rb_node rb_node;
		struct hlist_node dead_node;
	};
	struct binder_proc *proc;
	struct hlist_head refs;
	int internal_strong_refs;
	int local_weak_refs;
	int local_strong_refs;
	int tmp_refs;
	binder_uintptr_t ptr;
	binder_uintptr_t cookie;
	struct {
		/*
		 * bitfield elements protected by
		 * proc inner_lock
		 */
		u8 has_strong_ref:1;
		u8 pending_strong_ref:1;
		u8 has_weak_ref:1;
		u8 pending_weak_ref:1;
	};
	struct {
		/*
		 * invariant after initialization
		 */
		u8 accept_fds:1;
		u8 txn_security_ctx:1;
		u8 min_priority;
	};
	bool has_async_transaction;
	struct list_head async_todo;
};

struct binder_ref_death {
	/**
	 * @work: worklist element for death notifications
	 *        (protected by inner_lock of the proc that
	 *        this ref belongs to)
	 */
	struct binder_work work;
	binder_uintptr_t cookie;
};

/**
 * struct binder_ref_data - binder_ref counts and id
 * @debug_id:        unique ID for the ref
 * @desc:            unique userspace handle for ref
 * @strong:          strong ref count (debugging only if not locked)
 * @weak:            weak ref count (debugging only if not locked)
 *
 * Structure to hold ref count and ref id information. Since
 * the actual ref can only be accessed with a lock, this structure
 * is used to return information about the ref to callers of
 * ref inc/dec functions.
 */
struct binder_ref_data {
	int debug_id;
	uint32_t desc;
	int strong;
	int weak;
};

/**
 * struct binder_ref - struct to track references on nodes
 * @data:        binder_ref_data containing id, handle, and current refcounts
 * @rb_node_desc: node for lookup by @data.desc in proc's rb_tree
 * @rb_node_node: node for lookup by @node in proc's rb_tree
 * @node_entry:  list entry for node->refs list in target node
 *               (protected by @node->lock)
 * @proc:        binder_proc containing ref
 * @node:        binder_node of target node. When cleaning up a
 *               ref for deletion in binder_cleanup_ref, a non-NULL
 *               @node indicates the node must be freed
 * @death:       pointer to death notification (ref_death) if requested
 *               (protected by @node->lock)
 *
 * Structure to track references from procA to target node (on procB). This
 * structure is unsafe to access without holding @proc->outer_lock.
 */
struct binder_ref {
	/* Lookups needed: */
	/*   node + proc => ref (transaction) */
	/*   desc + proc => ref (transaction, inc/dec ref) */
	/*   node => refs + procs (proc exit) */
	struct binder_ref_data data;
	struct rb_node rb_node_desc;
	struct rb_node rb_node_node;
	struct hlist_node node_entry;
	struct binder_proc *proc;
	struct binder_node *node;
	struct binder_ref_death *death;
};

/**
 * struct binder_proc - binder process bookkeeping
 * @proc_node:            element for binder_procs list
 * @threads:              rbtree of binder_threads in this proc
 *                        (protected by @inner_lock)
 * @nodes:                rbtree of binder nodes associated with
 *                        this proc ordered by node->ptr
 *                        (protected by @inner_lock)
 * @refs_by_desc:         rbtree of refs ordered by ref->desc
 *                        (protected by @outer_lock)
 * @refs_by_node:         rbtree of refs ordered by ref->node
 *                        (protected by @outer_lock)
 * @waiting_threads:      threads currently waiting for proc work
 *                        (protected by @inner_lock)
 * @pid                   PID of group_leader of process
 *                        (invariant after initialized)
 * @tsk                   task_struct for group_leader of process
 *                        (invariant after initialized)
 * @cred                  struct cred associated with the `struct file`
 *                        in binder_open()
 *                        (invariant after initialized)
 * @deferred_work_node:   element for binder_deferred_list
 *                        (protected by binder_deferred_lock)
 * @deferred_work:        bitmap of deferred work to perform
 *                        (protected by binder_deferred_lock)
 * @outstanding_txns:     number of transactions to be transmitted before
 *                        processes in freeze_wait are woken up
 *                        (protected by @inner_lock)
 * @is_dead:              process is dead and awaiting free
 *                        when outstanding transactions are cleaned up
 *                        (protected by @inner_lock)
 * @is_frozen:            process is frozen and unable to service
 *                        binder transactions
 *                        (protected by @inner_lock)
 * @sync_recv:            process received sync transactions since last frozen
 *                        bit 0: received sync transaction after being frozen
 *                        bit 1: new pending sync transaction during freezing
 *                        (protected by @inner_lock)
 * @async_recv:           process received async transactions since last frozen
 *                        (protected by @inner_lock)
 * @freeze_wait:          waitqueue of processes waiting for all outstanding
 *                        transactions to be processed
 *                        (protected by @inner_lock)
 * @todo:                 list of work for this process
 *                        (protected by @inner_lock)
 * @stats:                per-process binder statistics
 *                        (atomics, no lock needed)
 * @delivered_death:      list of delivered death notification
 *                        (protected by @inner_lock)
 * @max_threads:          cap on number of binder threads
 *                        (protected by @inner_lock)
 * @requested_threads:    number of binder threads requested but not
 *                        yet started. In current implementation, can
 *                        only be 0 or 1.
 *                        (protected by @inner_lock)
 * @requested_threads_started: number binder threads started
 *                        (protected by @inner_lock)
 * @tmp_ref:              temporary reference to indicate proc is in use
 *                        (protected by @inner_lock)
 * @default_priority:     default scheduler priority
 *                        (invariant after initialized)
 * @debugfs_entry:        debugfs node
 * @alloc:                binder allocator bookkeeping
 * @context:              binder_context for this proc
 *                        (invariant after initialized)
 * @inner_lock:           can nest under outer_lock and/or node lock
 * @outer_lock:           no nesting under innor or node lock
 *                        Lock order: 1) outer, 2) node, 3) inner
 * @binderfs_entry:       process-specific binderfs log file
 * @oneway_spam_detection_enabled: process enabled oneway spam detection
 *                        or not
 *
 * Bookkeeping structure for binder processes
 */
struct binder_proc {
	struct hlist_node proc_node;
	struct rb_root threads;
	struct rb_root nodes;
	struct rb_root refs_by_desc;
	struct rb_root refs_by_node;
	struct list_head waiting_threads;
	int pid;
	struct task_struct *tsk;
	const struct cred *cred;
	struct hlist_node deferred_work_node;
	int deferred_work;
	int outstanding_txns;
	bool is_dead;
	bool is_frozen;
	bool sync_recv;
	bool async_recv;
	wait_queue_head_t freeze_wait;

	struct list_head todo;
	struct binder_stats stats;
	struct list_head delivered_death;
	int max_threads;
	int requested_threads;
	int requested_threads_started;
	int tmp_ref;
	long default_priority;
	struct dentry *debugfs_entry;
	struct binder_alloc alloc;
	struct binder_context *context;
	spinlock_t inner_lock;
	spinlock_t outer_lock;
	struct dentry *binderfs_entry;
	bool oneway_spam_detection_enabled;
};

/**
 * struct binder_thread - binder thread bookkeeping
 * @proc:                 binder process for this thread
 *                        (invariant after initialization)
 * @rb_node:              element for proc->threads rbtree
 *                        (protected by @proc->inner_lock)
 * @waiting_thread_node:  element for @proc->waiting_threads list
 *                        (protected by @proc->inner_lock)
 * @pid:                  PID for this thread
 *                        (invariant after initialization)
 * @looper:               bitmap of looping state
 *                        (only accessed by this thread)
 * @looper_needs_return:  looping thread needs to exit driver
 *                        (no lock needed)
 * @transaction_stack:    stack of in-progress transactions for this thread
 *                        (protected by @proc->inner_lock)
 * @todo:                 list of work to do for this thread
 *                        (protected by @proc->inner_lock)
 * @process_todo:         whether work in @todo should be processed
 *                        (protected by @proc->inner_lock)
 * @return_error:         transaction errors reported by this thread
 *                        (only accessed by this thread)
 * @reply_error:          transaction errors reported by target thread
 *                        (protected by @proc->inner_lock)
 * @wait:                 wait queue for thread work
 * @stats:                per-thread statistics
 *                        (atomics, no lock needed)
 * @tmp_ref:              temporary reference to indicate thread is in use
 *                        (atomic since @proc->inner_lock cannot
 *                        always be acquired)
 * @is_dead:              thread is dead and awaiting free
 *                        when outstanding transactions are cleaned up
 *                        (protected by @proc->inner_lock)
 *
 * Bookkeeping structure for binder threads.
 */
struct binder_thread {
	struct binder_proc *proc;
	struct rb_node rb_node;
	struct list_head waiting_thread_node;
	int pid;
	int looper;              /* only modified by this thread */
	bool looper_need_return; /* can be written by other thread */
	struct binder_transaction *transaction_stack;
	struct list_head todo;
	bool process_todo;
	struct binder_error return_error;
	struct binder_error reply_error;
	wait_queue_head_t wait;
	struct binder_stats stats;
	atomic_t tmp_ref;
	bool is_dead;
};

/**
 * struct binder_txn_fd_fixup - transaction fd fixup list element
 * @fixup_entry:          list entry
 * @file:                 struct file to be associated with new fd
 * @offset:               offset in buffer data to this fixup
 *
 * List element for fd fixups in a transaction. Since file
 * descriptors need to be allocated in the context of the
 * target process, we pass each fd to be processed in this
 * struct.
 */
struct binder_txn_fd_fixup {
	struct list_head fixup_entry;
	struct file *file;
	size_t offset;
};

struct binder_transaction {
	int debug_id;
	struct binder_work work;
	struct binder_thread *from;
	struct binder_transaction *from_parent;
	struct binder_proc *to_proc;
	struct binder_thread *to_thread;
	struct binder_transaction *to_parent;
	unsigned need_reply:1;
	/* unsigned is_dead:1; */       /* not used at the moment */

	struct binder_buffer *buffer;
	unsigned int    code;
	unsigned int    flags;
	long    priority;
	long    saved_priority;
	kuid_t  sender_euid;
	struct list_head fd_fixups;
	binder_uintptr_t security_ctx;
	/**
	 * @lock:  protects @from, @to_proc, and @to_thread
	 *
	 * @from, @to_proc, and @to_thread can be set to NULL
	 * during thread teardown
	 */
	spinlock_t lock;
};

/**
 * struct binder_object - union of flat binder object types
 * @hdr:   generic object header
 * @fbo:   binder object (nodes and refs)
 * @fdo:   file descriptor object
 * @bbo:   binder buffer pointer
 * @fdao:  file descriptor array
 *
 * Used for type-independent object copies
 */
struct binder_object {
	union {
		struct binder_object_header hdr;
		struct flat_binder_object fbo;
		struct binder_fd_object fdo;
		struct binder_buffer_object bbo;
		struct binder_fd_array_object fdao;
	};
};

extern struct binder_transaction_log binder_transaction_log;
extern struct binder_transaction_log binder_transaction_log_failed;
#endif /* _LINUX_BINDER_INTERNAL_H */
Commit	Line	Data
3ad20fe3 CB	1	/* SPDX-License-Identifier: GPL-2.0 */
	2
	3	#ifndef _LINUX_BINDER_INTERNAL_H
	4	#define _LINUX_BINDER_INTERNAL_H
	5
	6	#include <linux/export.h>
	7	#include <linux/fs.h>
ebafbcf7	8	#include <linux/kconfig.h>
3ad20fe3 CB	9	#include <linux/list.h>
	10	#include <linux/miscdevice.h>
	11	#include <linux/mutex.h>
f0fe2c0f	12	#include <linux/refcount.h>
3ad20fe3 CB	13	#include <linux/stddef.h>
	14	#include <linux/types.h>
	15	#include <linux/uidgid.h>
421518a2 FC	16	#include <uapi/linux/android/binderfs.h>
421518a2 FC	17	#include "binder_alloc.h"
3ad20fe3 CB	18
	19	struct binder_context {
	20	struct binder_node *binder_context_mgr_node;
	21	struct mutex context_mgr_node_lock;
	22	kuid_t binder_context_mgr_uid;
	23	const char *name;
	24	};
	25
	26	/**
	27	* struct binder_device - information about a binder device node
	28	* @hlist: list of binder devices (only used for devices requested via
	29	* CONFIG_ANDROID_BINDER_DEVICES)
	30	* @miscdev: information about a binder character device node
	31	* @context: binder context information
	32	* @binderfs_inode: This is the inode of the root dentry of the super block
	33	* belonging to a binderfs mount.
	34	*/
	35	struct binder_device {
	36	struct hlist_node hlist;
	37	struct miscdevice miscdev;
	38	struct binder_context context;
	39	struct inode *binderfs_inode;
f0fe2c0f	40	refcount_t ref;
3ad20fe3 CB	41	};
3ad20fe3 CB	42
4feb80fa HV	43	/**
	44	* binderfs_mount_opts - mount options for binderfs
	45	* @max: maximum number of allocatable binderfs binder devices
	46	* @stats_mode: enable binder stats in binderfs.
	47	*/
	48	struct binderfs_mount_opts {
	49	int max;
	50	int stats_mode;
	51	};
	52
	53	/**
	54	* binderfs_info - information about a binderfs mount
	55	* @ipc_ns: The ipc namespace the binderfs mount belongs to.
	56	* @control_dentry: This records the dentry of this binderfs mount
	57	* binder-control device.
	58	* @root_uid: uid that needs to be used when a new binder device is
	59	* created.
	60	* @root_gid: gid that needs to be used when a new binder device is
	61	* created.
	62	* @mount_opts: The mount options in use.
	63	* @device_count: The current number of allocated binder devices.
	64	* @proc_log_dir: Pointer to the directory dentry containing process-specific
	65	* logs.
	66	*/
	67	struct binderfs_info {
	68	struct ipc_namespace *ipc_ns;
	69	struct dentry *control_dentry;
	70	kuid_t root_uid;
	71	kgid_t root_gid;
	72	struct binderfs_mount_opts mount_opts;
	73	int device_count;
	74	struct dentry *proc_log_dir;
	75	};
	76
3ad20fe3 CB	77	extern const struct file_operations binder_fops;
3ad20fe3 CB	78
ca2864c6 HV	79	extern char *binder_devices_param;
ca2864c6 HV	80
ebafbcf7	81	#if IS_ENABLED(CONFIG_ANDROID_BINDERFS)
3ad20fe3	82	extern bool is_binderfs_device(const struct inode *inode);
4feb80fa HV	83	extern struct dentry binderfs_create_file(struct dentry dir, const char *name,
	84	const struct file_operations *fops,
	85	void *data);
	86	extern void binderfs_remove_file(struct dentry *dentry);
3ad20fe3 CB	87	#else
	88	static inline bool is_binderfs_device(const struct inode *inode)
	89	{
	90	return false;
	91	}
4feb80fa HV	92	static inline struct dentry binderfs_create_file(struct dentry dir,
	93	const char *name,
	94	const struct file_operations *fops,
	95	void *data)
	96	{
	97	return NULL;
	98	}
	99	static inline void binderfs_remove_file(struct dentry *dentry) {}
3ad20fe3 CB	100	#endif
3ad20fe3 CB	101
ebafbcf7	102	#if IS_ENABLED(CONFIG_ANDROID_BINDERFS)
5b9633af CB	103	extern int __init init_binderfs(void);
	104	#else
	105	static inline int __init init_binderfs(void)
	106	{
	107	return 0;
	108	}
	109	#endif
	110
0e13e452 HV	111	int binder_stats_show(struct seq_file m, void unused);
	112	DEFINE_SHOW_ATTRIBUTE(binder_stats);
	113
	114	int binder_state_show(struct seq_file m, void unused);
	115	DEFINE_SHOW_ATTRIBUTE(binder_state);
	116
	117	int binder_transactions_show(struct seq_file m, void unused);
	118	DEFINE_SHOW_ATTRIBUTE(binder_transactions);
03e2e07e HV	119
	120	int binder_transaction_log_show(struct seq_file m, void unused);
	121	DEFINE_SHOW_ATTRIBUTE(binder_transaction_log);
	122
	123	struct binder_transaction_log_entry {
	124	int debug_id;
	125	int debug_id_done;
	126	int call_type;
	127	int from_proc;
	128	int from_thread;
	129	int target_handle;
	130	int to_proc;
	131	int to_thread;
	132	int to_node;
	133	int data_size;
	134	int offsets_size;
	135	int return_error_line;
	136	uint32_t return_error;
	137	uint32_t return_error_param;
51d8a7ec	138	char context_name[BINDERFS_MAX_NAME + 1];
03e2e07e HV	139	};
	140
	141	struct binder_transaction_log {
	142	atomic_t cur;
	143	bool full;
	144	struct binder_transaction_log_entry entry[32];
	145	};
	146
421518a2 FC	147	enum binder_stat_types {
	148	BINDER_STAT_PROC,
	149	BINDER_STAT_THREAD,
	150	BINDER_STAT_NODE,
	151	BINDER_STAT_REF,
	152	BINDER_STAT_DEATH,
	153	BINDER_STAT_TRANSACTION,
	154	BINDER_STAT_TRANSACTION_COMPLETE,
	155	BINDER_STAT_COUNT
	156	};
	157
	158	struct binder_stats {
a7dc1e6f	159	atomic_t br[_IOC_NR(BR_ONEWAY_SPAM_SUSPECT) + 1];
421518a2 FC	160	atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1];
	161	atomic_t obj_created[BINDER_STAT_COUNT];
	162	atomic_t obj_deleted[BINDER_STAT_COUNT];
	163	};
	164
	165	/**
	166	* struct binder_work - work enqueued on a worklist
	167	* @entry: node enqueued on list
	168	* @type: type of work to be performed
	169	*
	170	* There are separate work lists for proc, thread, and node (async).
	171	*/
	172	struct binder_work {
	173	struct list_head entry;
	174
	175	enum binder_work_type {
	176	BINDER_WORK_TRANSACTION = 1,
	177	BINDER_WORK_TRANSACTION_COMPLETE,
a7dc1e6f	178	BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT,
421518a2 FC	179	BINDER_WORK_RETURN_ERROR,
	180	BINDER_WORK_NODE,
	181	BINDER_WORK_DEAD_BINDER,
	182	BINDER_WORK_DEAD_BINDER_AND_CLEAR,
	183	BINDER_WORK_CLEAR_DEATH_NOTIFICATION,
	184	} type;
	185	};
	186
	187	struct binder_error {
	188	struct binder_work work;
	189	uint32_t cmd;
	190	};
	191
	192	/**
	193	* struct binder_node - binder node bookkeeping
	194	* @debug_id: unique ID for debugging
	195	* (invariant after initialized)
	196	* @lock: lock for node fields
	197	* @work: worklist element for node work
	198	* (protected by @proc->inner_lock)
	199	* @rb_node: element for proc->nodes tree
	200	* (protected by @proc->inner_lock)
	201	* @dead_node: element for binder_dead_nodes list
	202	* (protected by binder_dead_nodes_lock)
	203	* @proc: binder_proc that owns this node
	204	* (invariant after initialized)
	205	* @refs: list of references on this node
	206	* (protected by @lock)
	207	* @internal_strong_refs: used to take strong references when
	208	* initiating a transaction
	209	* (protected by @proc->inner_lock if @proc
	210	* and by @lock)
	211	* @local_weak_refs: weak user refs from local process
	212	* (protected by @proc->inner_lock if @proc
	213	* and by @lock)
	214	* @local_strong_refs: strong user refs from local process
	215	* (protected by @proc->inner_lock if @proc
	216	* and by @lock)
	217	* @tmp_refs: temporary kernel refs
	218	* (protected by @proc->inner_lock while @proc
	219	* is valid, and by binder_dead_nodes_lock
	220	* if @proc is NULL. During inc/dec and node release
	221	* it is also protected by @lock to provide safety
	222	* as the node dies and @proc becomes NULL)
	223	* @ptr: userspace pointer for node
	224	* (invariant, no lock needed)
	225	* @cookie: userspace cookie for node
	226	* (invariant, no lock needed)
	227	* @has_strong_ref: userspace notified of strong ref
	228	* (protected by @proc->inner_lock if @proc
	229	* and by @lock)
	230	* @pending_strong_ref: userspace has acked notification of strong ref
	231	* (protected by @proc->inner_lock if @proc
	232	* and by @lock)
	233	* @has_weak_ref: userspace notified of weak ref
	234	* (protected by @proc->inner_lock if @proc
	235	* and by @lock)
	236	* @pending_weak_ref: userspace has acked notification of weak ref
	237	* (protected by @proc->inner_lock if @proc
	238	* and by @lock)
	239	* @has_async_transaction: async transaction to node in progress
	240	* (protected by @lock)
	241	* @accept_fds: file descriptor operations supported for node
	242	* (invariant after initialized)
243	* @min_priority: minimum scheduling priority
244	* (invariant after initialized)
245	* @txn_security_ctx: require sender's security context
246	* (invariant after initialized)
247	* @async_todo: list of async work items
248	* (protected by @proc->inner_lock)
249	*
250	* Bookkeeping structure for binder nodes.
251	*/
252	struct binder_node {
253	int debug_id;
254	spinlock_t lock;
255	struct binder_work work;
256	union {
257	struct rb_node rb_node;
258	struct hlist_node dead_node;
259	};
260	struct binder_proc *proc;
261	struct hlist_head refs;
262	int internal_strong_refs;
263	int local_weak_refs;
264	int local_strong_refs;
265	int tmp_refs;
266	binder_uintptr_t ptr;
267	binder_uintptr_t cookie;
268	struct {
269	/*
270	* bitfield elements protected by
271	* proc inner_lock
272	*/
273	u8 has_strong_ref:1;
274	u8 pending_strong_ref:1;
275	u8 has_weak_ref:1;
276	u8 pending_weak_ref:1;
277	};
278	struct {
279	/*
280	* invariant after initialization
281	*/
282	u8 accept_fds:1;
283	u8 txn_security_ctx:1;
284	u8 min_priority;
285	};
286	bool has_async_transaction;
287	struct list_head async_todo;
288	};
289
290	struct binder_ref_death {
291	/**
292	* @work: worklist element for death notifications
293	* (protected by inner_lock of the proc that
294	* this ref belongs to)
295	*/
296	struct binder_work work;
297	binder_uintptr_t cookie;
298	};
299
300	/**
301	* struct binder_ref_data - binder_ref counts and id
302	* @debug_id: unique ID for the ref
303	* @desc: unique userspace handle for ref
304	* @strong: strong ref count (debugging only if not locked)
305	* @weak: weak ref count (debugging only if not locked)
306	*
307	* Structure to hold ref count and ref id information. Since
308	* the actual ref can only be accessed with a lock, this structure
309	* is used to return information about the ref to callers of
310	* ref inc/dec functions.
311	*/
312	struct binder_ref_data {
313	int debug_id;
314	uint32_t desc;
315	int strong;
316	int weak;
317	};
318
319	/**
320	* struct binder_ref - struct to track references on nodes
321	* @data: binder_ref_data containing id, handle, and current refcounts
322	* @rb_node_desc: node for lookup by @data.desc in proc's rb_tree
323	* @rb_node_node: node for lookup by @node in proc's rb_tree
324	* @node_entry: list entry for node->refs list in target node
325	* (protected by @node->lock)
326	* @proc: binder_proc containing ref
327	* @node: binder_node of target node. When cleaning up a
328	* ref for deletion in binder_cleanup_ref, a non-NULL
329	* @node indicates the node must be freed
330	* @death: pointer to death notification (ref_death) if requested
331	* (protected by @node->lock)
332	*
333	* Structure to track references from procA to target node (on procB). This
334	* structure is unsafe to access without holding @proc->outer_lock.
335	*/
336	struct binder_ref {
337	/* Lookups needed: */
338	/* node + proc => ref (transaction) */
339	/* desc + proc => ref (transaction, inc/dec ref) */
340	/* node => refs + procs (proc exit) */
341	struct binder_ref_data data;
342	struct rb_node rb_node_desc;
343	struct rb_node rb_node_node;
344	struct hlist_node node_entry;
345	struct binder_proc *proc;
346	struct binder_node *node;
347	struct binder_ref_death *death;
348	};
349
350	/**
351	* struct binder_proc - binder process bookkeeping
352	* @proc_node: element for binder_procs list
353	* @threads: rbtree of binder_threads in this proc
354	* (protected by @inner_lock)
355	* @nodes: rbtree of binder nodes associated with
356	* this proc ordered by node->ptr
357	* (protected by @inner_lock)
358	* @refs_by_desc: rbtree of refs ordered by ref->desc
359	* (protected by @outer_lock)
360	* @refs_by_node: rbtree of refs ordered by ref->node
361	* (protected by @outer_lock)
362	* @waiting_threads: threads currently waiting for proc work
363	* (protected by @inner_lock)
364	* @pid PID of group_leader of process
365	* (invariant after initialized)
366	* @tsk task_struct for group_leader of process
367	* (invariant after initialized)
4110173c TK	368	* @cred struct cred associated with the `struct file`
	369	* in binder_open()
	370	* (invariant after initialized)
421518a2 FC	371	* @deferred_work_node: element for binder_deferred_list
	372	* (protected by binder_deferred_lock)
	373	* @deferred_work: bitmap of deferred work to perform
	374	* (protected by binder_deferred_lock)
432ff1e9 MB	375	* @outstanding_txns: number of transactions to be transmitted before
	376	* processes in freeze_wait are woken up
	377	* (protected by @inner_lock)
421518a2 FC	378	* @is_dead: process is dead and awaiting free
	379	* when outstanding transactions are cleaned up
	380	* (protected by @inner_lock)
432ff1e9 MB	381	* @is_frozen: process is frozen and unable to service
	382	* binder transactions
	383	* (protected by @inner_lock)
ae28c1be	384	* @sync_recv: process received sync transactions since last frozen
b564171a LL	385	* bit 0: received sync transaction after being frozen
b564171a LL	386	* bit 1: new pending sync transaction during freezing
ae28c1be MB	387	* (protected by @inner_lock)
	388	* @async_recv: process received async transactions since last frozen
	389	* (protected by @inner_lock)
432ff1e9 MB	390	* @freeze_wait: waitqueue of processes waiting for all outstanding
	391	* transactions to be processed
	392	* (protected by @inner_lock)
421518a2 FC	393	* @todo: list of work for this process
	394	* (protected by @inner_lock)
	395	* @stats: per-process binder statistics
	396	* (atomics, no lock needed)
	397	* @delivered_death: list of delivered death notification
	398	* (protected by @inner_lock)
	399	* @max_threads: cap on number of binder threads
	400	* (protected by @inner_lock)
	401	* @requested_threads: number of binder threads requested but not
	402	* yet started. In current implementation, can
	403	* only be 0 or 1.
	404	* (protected by @inner_lock)
	405	* @requested_threads_started: number binder threads started
	406	* (protected by @inner_lock)
	407	* @tmp_ref: temporary reference to indicate proc is in use
	408	* (protected by @inner_lock)
	409	* @default_priority: default scheduler priority
	410	* (invariant after initialized)
	411	* @debugfs_entry: debugfs node
	412	* @alloc: binder allocator bookkeeping
	413	* @context: binder_context for this proc
	414	* (invariant after initialized)
	415	* @inner_lock: can nest under outer_lock and/or node lock
	416	* @outer_lock: no nesting under innor or node lock
	417	* Lock order: 1) outer, 2) node, 3) inner
	418	* @binderfs_entry: process-specific binderfs log file
a7dc1e6f HL	419	* @oneway_spam_detection_enabled: process enabled oneway spam detection
a7dc1e6f HL	420	* or not
421518a2 FC	421	*
	422	* Bookkeeping structure for binder processes
	423	*/
	424	struct binder_proc {
	425	struct hlist_node proc_node;
	426	struct rb_root threads;
	427	struct rb_root nodes;
	428	struct rb_root refs_by_desc;
	429	struct rb_root refs_by_node;
	430	struct list_head waiting_threads;
	431	int pid;
	432	struct task_struct *tsk;
4110173c	433	const struct cred *cred;
421518a2 FC	434	struct hlist_node deferred_work_node;
421518a2 FC	435	int deferred_work;
432ff1e9	436	int outstanding_txns;
421518a2	437	bool is_dead;
432ff1e9	438	bool is_frozen;
ae28c1be MB	439	bool sync_recv;
ae28c1be MB	440	bool async_recv;
432ff1e9	441	wait_queue_head_t freeze_wait;
421518a2 FC	442
	443	struct list_head todo;
	444	struct binder_stats stats;
	445	struct list_head delivered_death;
	446	int max_threads;
	447	int requested_threads;
	448	int requested_threads_started;
	449	int tmp_ref;
	450	long default_priority;
	451	struct dentry *debugfs_entry;
	452	struct binder_alloc alloc;
	453	struct binder_context *context;
	454	spinlock_t inner_lock;
	455	spinlock_t outer_lock;
	456	struct dentry *binderfs_entry;
a7dc1e6f	457	bool oneway_spam_detection_enabled;
421518a2 FC	458	};
	459
	460	/**
	461	* struct binder_thread - binder thread bookkeeping
	462	* @proc: binder process for this thread
	463	* (invariant after initialization)
	464	* @rb_node: element for proc->threads rbtree
	465	* (protected by @proc->inner_lock)
	466	* @waiting_thread_node: element for @proc->waiting_threads list
	467	* (protected by @proc->inner_lock)
	468	* @pid: PID for this thread
	469	* (invariant after initialization)
	470	* @looper: bitmap of looping state
	471	* (only accessed by this thread)
	472	* @looper_needs_return: looping thread needs to exit driver
	473	* (no lock needed)
	474	* @transaction_stack: stack of in-progress transactions for this thread
	475	* (protected by @proc->inner_lock)
	476	* @todo: list of work to do for this thread
	477	* (protected by @proc->inner_lock)
	478	* @process_todo: whether work in @todo should be processed
	479	* (protected by @proc->inner_lock)
	480	* @return_error: transaction errors reported by this thread
	481	* (only accessed by this thread)
	482	* @reply_error: transaction errors reported by target thread
	483	* (protected by @proc->inner_lock)
	484	* @wait: wait queue for thread work
	485	* @stats: per-thread statistics
	486	* (atomics, no lock needed)
	487	* @tmp_ref: temporary reference to indicate thread is in use
	488	* (atomic since @proc->inner_lock cannot
	489	* always be acquired)
	490	* @is_dead: thread is dead and awaiting free
	491	* when outstanding transactions are cleaned up
	492	* (protected by @proc->inner_lock)
	493	*
	494	* Bookkeeping structure for binder threads.
	495	*/
	496	struct binder_thread {
	497	struct binder_proc *proc;
	498	struct rb_node rb_node;
	499	struct list_head waiting_thread_node;
	500	int pid;
	501	int looper; /* only modified by this thread */
	502	bool looper_need_return; /* can be written by other thread */
	503	struct binder_transaction *transaction_stack;
	504	struct list_head todo;
	505	bool process_todo;
	506	struct binder_error return_error;
	507	struct binder_error reply_error;
	508	wait_queue_head_t wait;
	509	struct binder_stats stats;
	510	atomic_t tmp_ref;
	511	bool is_dead;
	512	};
	513
	514	/**
	515	* struct binder_txn_fd_fixup - transaction fd fixup list element
	516	* @fixup_entry: list entry
	517	* @file: struct file to be associated with new fd
	518	* @offset: offset in buffer data to this fixup
	519	*
	520	* List element for fd fixups in a transaction. Since file
	521	* descriptors need to be allocated in the context of the
522	* target process, we pass each fd to be processed in this
523	* struct.
524	*/
525	struct binder_txn_fd_fixup {
526	struct list_head fixup_entry;
527	struct file *file;
528	size_t offset;
529	};
530
531	struct binder_transaction {
532	int debug_id;
533	struct binder_work work;
534	struct binder_thread *from;
535	struct binder_transaction *from_parent;
536	struct binder_proc *to_proc;
537	struct binder_thread *to_thread;
538	struct binder_transaction *to_parent;
539	unsigned need_reply:1;
540	/* unsigned is_dead:1; / / not used at the moment */
541
542	struct binder_buffer *buffer;
543	unsigned int code;
544	unsigned int flags;
545	long priority;
546	long saved_priority;
547	kuid_t sender_euid;
548	struct list_head fd_fixups;
549	binder_uintptr_t security_ctx;
550	/**
551	* @lock: protects @from, @to_proc, and @to_thread
552	*
553	* @from, @to_proc, and @to_thread can be set to NULL
554	* during thread teardown
555	*/
556	spinlock_t lock;
557	};
558
559	/**
560	* struct binder_object - union of flat binder object types
561	* @hdr: generic object header
562	* @fbo: binder object (nodes and refs)
563	* @fdo: file descriptor object
564	* @bbo: binder buffer pointer
565	* @fdao: file descriptor array
566	*
567	* Used for type-independent object copies
568	*/
569	struct binder_object {
570	union {
571	struct binder_object_header hdr;
572	struct flat_binder_object fbo;
573	struct binder_fd_object fdo;
574	struct binder_buffer_object bbo;
575	struct binder_fd_array_object fdao;
576	};
577	};
578
03e2e07e HV	579	extern struct binder_transaction_log binder_transaction_log;
03e2e07e HV	580	extern struct binder_transaction_log binder_transaction_log_failed;
3ad20fe3	581	#endif /* _LINUX_BINDER_INTERNAL_H */