1 // SPDX-License-Identifier: GPL-2.0 2 3 // Copyright (C) 2025 Google LLC. 4 5 use kernel::{ 6 alloc::AllocError, 7 list::ListArc, 8 prelude::*, 9 rbtree::{self, RBTreeNodeReservation}, 10 seq_file::SeqFile, 11 seq_print, 12 sync::{Arc, UniqueArc}, 13 uaccess::UserSliceReader, 14 }; 15 16 use crate::{ 17 defs::*, node::Node, process::Process, thread::Thread, BinderReturnWriter, DArc, DLArc, 18 DTRWrap, DeliverToRead, 19 }; 20 21 #[derive(Clone, Copy, Eq, PartialEq, Ord, PartialOrd)] 22 pub(crate) struct FreezeCookie(u64); 23 24 /// Represents a listener for changes to the frozen state of a process. 25 pub(crate) struct FreezeListener { 26 /// The node we are listening for. 27 pub(crate) node: DArc<Node>, 28 /// The cookie of this freeze listener. 29 cookie: FreezeCookie, 30 /// What value of `is_frozen` did we most recently tell userspace about? 31 last_is_frozen: Option<bool>, 32 /// We sent a `BR_FROZEN_BINDER` and we are waiting for `BC_FREEZE_NOTIFICATION_DONE` before 33 /// sending any other commands. 34 is_pending: bool, 35 /// Userspace sent `BC_CLEAR_FREEZE_NOTIFICATION` and we need to reply with 36 /// `BR_CLEAR_FREEZE_NOTIFICATION_DONE` as soon as possible. If `is_pending` is set, then we 37 /// must wait for it to be unset before we can reply. 38 is_clearing: bool, 39 /// Number of cleared duplicates that can't be deleted until userspace sends 40 /// `BC_FREEZE_NOTIFICATION_DONE`. 41 num_pending_duplicates: u64, 42 /// Number of cleared duplicates that can be deleted. 43 num_cleared_duplicates: u64, 44 } 45 46 impl FreezeListener { 47 /// Is it okay to create a new listener with the same cookie as this one for the provided node? 48 /// 49 /// Under some scenarios, userspace may delete a freeze listener and immediately recreate it 50 /// with the same cookie. This results in duplicate listeners. To avoid issues with ambiguity, 51 /// we allow this only if the new listener is for the same node, and we also require that the 52 /// old listener has already been cleared. 53 fn allow_duplicate(&self, node: &DArc<Node>) -> bool { 54 Arc::ptr_eq(&self.node, node) && self.is_clearing 55 } 56 } 57 58 type UninitFM = UniqueArc<core::mem::MaybeUninit<DTRWrap<FreezeMessage>>>; 59 60 /// Represents a notification that the freeze state has changed. 61 pub(crate) struct FreezeMessage { 62 cookie: FreezeCookie, 63 } 64 65 kernel::list::impl_list_arc_safe! { 66 impl ListArcSafe<0> for FreezeMessage { 67 untracked; 68 } 69 } 70 71 impl FreezeMessage { 72 fn new(flags: kernel::alloc::Flags) -> Result<UninitFM, AllocError> { 73 UniqueArc::new_uninit(flags) 74 } 75 76 fn init(ua: UninitFM, cookie: FreezeCookie) -> DLArc<FreezeMessage> { 77 match ua.pin_init_with(DTRWrap::new(FreezeMessage { cookie })) { 78 Ok(msg) => ListArc::from(msg), 79 Err(err) => match err {}, 80 } 81 } 82 } 83 84 impl DeliverToRead for FreezeMessage { 85 fn do_work( 86 self: DArc<Self>, 87 thread: &Thread, 88 writer: &mut BinderReturnWriter<'_>, 89 ) -> Result<bool> { 90 let _removed_listener; 91 let mut node_refs = thread.process.node_refs.lock(); 92 let Some(mut freeze_entry) = node_refs.freeze_listeners.find_mut(&self.cookie) else { 93 return Ok(true); 94 }; 95 let freeze = freeze_entry.get_mut(); 96 97 if freeze.num_cleared_duplicates > 0 { 98 freeze.num_cleared_duplicates -= 1; 99 drop(node_refs); 100 writer.write_code(BR_CLEAR_FREEZE_NOTIFICATION_DONE)?; 101 writer.write_payload(&self.cookie.0)?; 102 return Ok(true); 103 } 104 105 if freeze.is_pending { 106 return Ok(true); 107 } 108 if freeze.is_clearing { 109 _removed_listener = freeze_entry.remove_node(); 110 drop(node_refs); 111 writer.write_code(BR_CLEAR_FREEZE_NOTIFICATION_DONE)?; 112 writer.write_payload(&self.cookie.0)?; 113 Ok(true) 114 } else { 115 let is_frozen = freeze.node.owner.inner.lock().is_frozen; 116 if freeze.last_is_frozen == Some(is_frozen) { 117 return Ok(true); 118 } 119 120 let mut state_info = BinderFrozenStateInfo::default(); 121 state_info.is_frozen = is_frozen as u32; 122 state_info.cookie = freeze.cookie.0; 123 freeze.is_pending = true; 124 freeze.last_is_frozen = Some(is_frozen); 125 drop(node_refs); 126 127 writer.write_code(BR_FROZEN_BINDER)?; 128 writer.write_payload(&state_info)?; 129 // BR_FROZEN_BINDER notifications can cause transactions 130 Ok(false) 131 } 132 } 133 134 fn cancel(self: DArc<Self>) {} 135 136 fn should_sync_wakeup(&self) -> bool { 137 false 138 } 139 140 #[inline(never)] 141 fn debug_print(&self, m: &SeqFile, prefix: &str, _tprefix: &str) -> Result<()> { 142 seq_print!(m, "{}has frozen binder\n", prefix); 143 Ok(()) 144 } 145 } 146 147 impl FreezeListener { 148 pub(crate) fn on_process_exit(&self, proc: &Arc<Process>) { 149 if !self.is_clearing { 150 self.node.remove_freeze_listener(proc); 151 } 152 } 153 } 154 155 impl Process { 156 pub(crate) fn request_freeze_notif( 157 self: &Arc<Self>, 158 reader: &mut UserSliceReader, 159 ) -> Result<()> { 160 let hc = reader.read::<BinderHandleCookie>()?; 161 let handle = hc.handle; 162 let cookie = FreezeCookie(hc.cookie); 163 164 let msg = FreezeMessage::new(GFP_KERNEL)?; 165 let alloc = RBTreeNodeReservation::new(GFP_KERNEL)?; 166 167 let mut node_refs_guard = self.node_refs.lock(); 168 let node_refs = &mut *node_refs_guard; 169 let Some(info) = node_refs.by_handle.get_mut(&handle) else { 170 pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION invalid ref {}\n", handle); 171 return Err(EINVAL); 172 }; 173 if info.freeze().is_some() { 174 pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION already set\n"); 175 return Err(EINVAL); 176 } 177 let node_ref = info.node_ref(); 178 let freeze_entry = node_refs.freeze_listeners.entry(cookie); 179 180 if let rbtree::Entry::Occupied(ref dupe) = freeze_entry { 181 if !dupe.get().allow_duplicate(&node_ref.node) { 182 pr_warn!("BC_REQUEST_FREEZE_NOTIFICATION duplicate cookie\n"); 183 return Err(EINVAL); 184 } 185 } 186 187 // All failure paths must come before this call, and all modifications must come after this 188 // call. 189 node_ref.node.add_freeze_listener(self, GFP_KERNEL)?; 190 191 match freeze_entry { 192 rbtree::Entry::Vacant(entry) => { 193 entry.insert( 194 FreezeListener { 195 cookie, 196 node: node_ref.node.clone(), 197 last_is_frozen: None, 198 is_pending: false, 199 is_clearing: false, 200 num_pending_duplicates: 0, 201 num_cleared_duplicates: 0, 202 }, 203 alloc, 204 ); 205 } 206 rbtree::Entry::Occupied(mut dupe) => { 207 let dupe = dupe.get_mut(); 208 if dupe.is_pending { 209 dupe.num_pending_duplicates += 1; 210 } else { 211 dupe.num_cleared_duplicates += 1; 212 } 213 dupe.last_is_frozen = None; 214 dupe.is_pending = false; 215 dupe.is_clearing = false; 216 } 217 } 218 219 *info.freeze() = Some(cookie); 220 let msg = FreezeMessage::init(msg, cookie); 221 drop(node_refs_guard); 222 let _ = self.push_work(msg); 223 Ok(()) 224 } 225 226 pub(crate) fn freeze_notif_done(self: &Arc<Self>, reader: &mut UserSliceReader) -> Result<()> { 227 let cookie = FreezeCookie(reader.read()?); 228 let alloc = FreezeMessage::new(GFP_KERNEL)?; 229 let mut node_refs_guard = self.node_refs.lock(); 230 let node_refs = &mut *node_refs_guard; 231 let Some(freeze) = node_refs.freeze_listeners.get_mut(&cookie) else { 232 pr_warn!("BC_FREEZE_NOTIFICATION_DONE {:016x} not found\n", cookie.0); 233 return Err(EINVAL); 234 }; 235 let mut clear_msg = None; 236 if freeze.num_pending_duplicates > 0 { 237 clear_msg = Some(FreezeMessage::init(alloc, cookie)); 238 freeze.num_pending_duplicates -= 1; 239 freeze.num_cleared_duplicates += 1; 240 } else { 241 if !freeze.is_pending { 242 pr_warn!( 243 "BC_FREEZE_NOTIFICATION_DONE {:016x} not pending\n", 244 cookie.0 245 ); 246 return Err(EINVAL); 247 } 248 if freeze.is_clearing { 249 // Immediately send another FreezeMessage for BR_CLEAR_FREEZE_NOTIFICATION_DONE. 250 clear_msg = Some(FreezeMessage::init(alloc, cookie)); 251 } 252 freeze.is_pending = false; 253 } 254 drop(node_refs_guard); 255 if let Some(clear_msg) = clear_msg { 256 let _ = self.push_work(clear_msg); 257 } 258 Ok(()) 259 } 260 261 pub(crate) fn clear_freeze_notif(self: &Arc<Self>, reader: &mut UserSliceReader) -> Result<()> { 262 let hc = reader.read::<BinderHandleCookie>()?; 263 let handle = hc.handle; 264 let cookie = FreezeCookie(hc.cookie); 265 266 let alloc = FreezeMessage::new(GFP_KERNEL)?; 267 let mut node_refs_guard = self.node_refs.lock(); 268 let node_refs = &mut *node_refs_guard; 269 let Some(info) = node_refs.by_handle.get_mut(&handle) else { 270 pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION invalid ref {}\n", handle); 271 return Err(EINVAL); 272 }; 273 let Some(info_cookie) = info.freeze() else { 274 pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION freeze notification not active\n"); 275 return Err(EINVAL); 276 }; 277 if *info_cookie != cookie { 278 pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION freeze notification cookie mismatch\n"); 279 return Err(EINVAL); 280 } 281 let Some(listener) = node_refs.freeze_listeners.get_mut(&cookie) else { 282 pr_warn!("BC_CLEAR_FREEZE_NOTIFICATION invalid cookie {}\n", handle); 283 return Err(EINVAL); 284 }; 285 listener.is_clearing = true; 286 listener.node.remove_freeze_listener(self); 287 *info.freeze() = None; 288 let mut msg = None; 289 if !listener.is_pending { 290 msg = Some(FreezeMessage::init(alloc, cookie)); 291 } 292 drop(node_refs_guard); 293 294 if let Some(msg) = msg { 295 let _ = self.push_work(msg); 296 } 297 Ok(()) 298 } 299 300 fn get_freeze_cookie(&self, node: &DArc<Node>) -> Option<FreezeCookie> { 301 let node_refs = &mut *self.node_refs.lock(); 302 let handle = node_refs.by_node.get(&node.global_id())?; 303 let node_ref = node_refs.by_handle.get_mut(handle)?; 304 *node_ref.freeze() 305 } 306 307 /// Creates a vector of every freeze listener on this process. 308 /// 309 /// Returns pairs of the remote process listening for notifications and the local node it is 310 /// listening on. 311 #[expect(clippy::type_complexity)] 312 fn find_freeze_recipients(&self) -> Result<KVVec<(DArc<Node>, Arc<Process>)>, AllocError> { 313 // Defined before `inner` to drop after releasing spinlock if `push_within_capacity` fails. 314 let mut node_proc_pair; 315 316 // We pre-allocate space for up to 8 recipients before we take the spinlock. However, if 317 // the allocation fails, use a vector with a capacity of zero instead of failing. After 318 // all, there might not be any freeze listeners, in which case this operation could still 319 // succeed. 320 let mut recipients = 321 KVVec::with_capacity(8, GFP_KERNEL).unwrap_or_else(|_err| KVVec::new()); 322 323 let mut inner = self.lock_with_nodes(); 324 let mut curr = inner.nodes.cursor_front(); 325 while let Some(cursor) = curr { 326 let (key, node) = cursor.current(); 327 let key = *key; 328 let list = node.freeze_list(&inner.inner); 329 let len = list.len(); 330 331 if recipients.spare_capacity_mut().len() < len { 332 drop(inner); 333 recipients.reserve(len, GFP_KERNEL)?; 334 inner = self.lock_with_nodes(); 335 // Find the node we were looking at and try again. If the set of nodes was changed, 336 // then just proceed to the next node. This is ok because we don't guarantee the 337 // inclusion of nodes that are added or removed in parallel with this operation. 338 curr = inner.nodes.cursor_lower_bound(&key); 339 continue; 340 } 341 342 for proc in list { 343 node_proc_pair = (node.clone(), proc.clone()); 344 recipients 345 .push_within_capacity(node_proc_pair) 346 .map_err(|_| { 347 pr_err!( 348 "push_within_capacity failed even though we checked the capacity\n" 349 ); 350 AllocError 351 })?; 352 } 353 354 curr = cursor.move_next(); 355 } 356 Ok(recipients) 357 } 358 359 /// Prepare allocations for sending freeze messages. 360 pub(crate) fn prepare_freeze_messages(&self) -> Result<FreezeMessages, AllocError> { 361 let recipients = self.find_freeze_recipients()?; 362 let mut batch = KVVec::with_capacity(recipients.len(), GFP_KERNEL)?; 363 for (node, proc) in recipients { 364 let Some(cookie) = proc.get_freeze_cookie(&node) else { 365 // If the freeze listener was removed in the meantime, just discard the 366 // notification. 367 continue; 368 }; 369 let msg_alloc = FreezeMessage::new(GFP_KERNEL)?; 370 let msg = FreezeMessage::init(msg_alloc, cookie); 371 batch.push((proc, msg), GFP_KERNEL)?; 372 } 373 374 Ok(FreezeMessages { batch }) 375 } 376 } 377 378 pub(crate) struct FreezeMessages { 379 batch: KVVec<(Arc<Process>, DLArc<FreezeMessage>)>, 380 } 381 382 impl FreezeMessages { 383 pub(crate) fn send_messages(self) { 384 for (proc, msg) in self.batch { 385 let _ = proc.push_work(msg); 386 } 387 } 388 } 389