master
1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2/*
3 * Copyright (C) 2008 Google, Inc.
4 *
5 * Based on, but no longer compatible with, the original
6 * OpenBinder.org binder driver interface, which is:
7 *
8 * Copyright (c) 2005 Palmsource, Inc.
9 *
10 * This software is licensed under the terms of the GNU General Public
11 * License version 2, as published by the Free Software Foundation, and
12 * may be copied, distributed, and modified under those terms.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 */
20
21#ifndef _LINUX_BINDER_H
22#define _LINUX_BINDER_H
23
24#include <linux/types.h>
25#include <linux/ioctl.h>
26
27#define B_PACK_CHARS(c1, c2, c3, c4) \
28 ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4))
29#define B_TYPE_LARGE 0x85
30
31enum {
32 BINDER_TYPE_BINDER = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE),
33 BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE),
34 BINDER_TYPE_HANDLE = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),
35 BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),
36 BINDER_TYPE_FD = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),
37 BINDER_TYPE_FDA = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE),
38 BINDER_TYPE_PTR = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE),
39};
40
41enum {
42 FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff,
43 FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100,
44
45 /**
46 * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
47 *
48 * Only when set, causes senders to include their security
49 * context
50 */
51 FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000,
52};
53
54#ifdef BINDER_IPC_32BIT
55typedef __u32 binder_size_t;
56typedef __u32 binder_uintptr_t;
57#else
58typedef __u64 binder_size_t;
59typedef __u64 binder_uintptr_t;
60#endif
61
62/**
63 * struct binder_object_header - header shared by all binder metadata objects.
64 * @type: type of the object
65 */
66struct binder_object_header {
67 __u32 type;
68};
69
70/*
71 * This is the flattened representation of a Binder object for transfer
72 * between processes. The 'offsets' supplied as part of a binder transaction
73 * contains offsets into the data where these structures occur. The Binder
74 * driver takes care of re-writing the structure type and data as it moves
75 * between processes.
76 */
77struct flat_binder_object {
78 struct binder_object_header hdr;
79 __u32 flags;
80
81 /* 8 bytes of data. */
82 union {
83 binder_uintptr_t binder; /* local object */
84 __u32 handle; /* remote object */
85 };
86
87 /* extra data associated with local object */
88 binder_uintptr_t cookie;
89};
90
91/**
92 * struct binder_fd_object - describes a filedescriptor to be fixed up.
93 * @hdr: common header structure
94 * @pad_flags: padding to remain compatible with old userspace code
95 * @pad_binder: padding to remain compatible with old userspace code
96 * @fd: file descriptor
97 * @cookie: opaque data, used by user-space
98 */
99struct binder_fd_object {
100 struct binder_object_header hdr;
101 __u32 pad_flags;
102 union {
103 binder_uintptr_t pad_binder;
104 __u32 fd;
105 };
106
107 binder_uintptr_t cookie;
108};
109
110/* struct binder_buffer_object - object describing a userspace buffer
111 * @hdr: common header structure
112 * @flags: one or more BINDER_BUFFER_* flags
113 * @buffer: address of the buffer
114 * @length: length of the buffer
115 * @parent: index in offset array pointing to parent buffer
116 * @parent_offset: offset in @parent pointing to this buffer
117 *
118 * A binder_buffer object represents an object that the
119 * binder kernel driver can copy verbatim to the target
120 * address space. A buffer itself may be pointed to from
121 * within another buffer, meaning that the pointer inside
122 * that other buffer needs to be fixed up as well. This
123 * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
124 * flag in @flags, by setting @parent buffer to the index
125 * in the offset array pointing to the parent binder_buffer_object,
126 * and by setting @parent_offset to the offset in the parent buffer
127 * at which the pointer to this buffer is located.
128 */
129struct binder_buffer_object {
130 struct binder_object_header hdr;
131 __u32 flags;
132 binder_uintptr_t buffer;
133 binder_size_t length;
134 binder_size_t parent;
135 binder_size_t parent_offset;
136};
137
138enum {
139 BINDER_BUFFER_FLAG_HAS_PARENT = 0x01,
140};
141
142/* struct binder_fd_array_object - object describing an array of fds in a buffer
143 * @hdr: common header structure
144 * @pad: padding to ensure correct alignment
145 * @num_fds: number of file descriptors in the buffer
146 * @parent: index in offset array to buffer holding the fd array
147 * @parent_offset: start offset of fd array in the buffer
148 *
149 * A binder_fd_array object represents an array of file
150 * descriptors embedded in a binder_buffer_object. It is
151 * different from a regular binder_buffer_object because it
152 * describes a list of file descriptors to fix up, not an opaque
153 * blob of memory, and hence the kernel needs to treat it differently.
154 *
155 * An example of how this would be used is with Android's
156 * native_handle_t object, which is a struct with a list of integers
157 * and a list of file descriptors. The native_handle_t struct itself
158 * will be represented by a struct binder_buffer_objct, whereas the
159 * embedded list of file descriptors is represented by a
160 * struct binder_fd_array_object with that binder_buffer_object as
161 * a parent.
162 */
163struct binder_fd_array_object {
164 struct binder_object_header hdr;
165 __u32 pad;
166 binder_size_t num_fds;
167 binder_size_t parent;
168 binder_size_t parent_offset;
169};
170
171/*
172 * On 64-bit platforms where user code may run in 32-bits the driver must
173 * translate the buffer (and local binder) addresses appropriately.
174 */
175
176struct binder_write_read {
177 binder_size_t write_size; /* bytes to write */
178 binder_size_t write_consumed; /* bytes consumed by driver */
179 binder_uintptr_t write_buffer;
180 binder_size_t read_size; /* bytes to read */
181 binder_size_t read_consumed; /* bytes consumed by driver */
182 binder_uintptr_t read_buffer;
183};
184
185/* Use with BINDER_VERSION, driver fills in fields. */
186struct binder_version {
187 /* driver protocol version -- increment with incompatible change */
188 __s32 protocol_version;
189};
190
191/* This is the current protocol version. */
192#ifdef BINDER_IPC_32BIT
193#define BINDER_CURRENT_PROTOCOL_VERSION 7
194#else
195#define BINDER_CURRENT_PROTOCOL_VERSION 8
196#endif
197
198/*
199 * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
200 * Set ptr to NULL for the first call to get the info for the first node, and
201 * then repeat the call passing the previously returned value to get the next
202 * nodes. ptr will be 0 when there are no more nodes.
203 */
204struct binder_node_debug_info {
205 binder_uintptr_t ptr;
206 binder_uintptr_t cookie;
207 __u32 has_strong_ref;
208 __u32 has_weak_ref;
209};
210
211struct binder_node_info_for_ref {
212 __u32 handle;
213 __u32 strong_count;
214 __u32 weak_count;
215 __u32 reserved1;
216 __u32 reserved2;
217 __u32 reserved3;
218};
219
220struct binder_freeze_info {
221 __u32 pid;
222 __u32 enable;
223 __u32 timeout_ms;
224};
225
226struct binder_frozen_status_info {
227 __u32 pid;
228
229 /* process received sync transactions since last frozen
230 * bit 0: received sync transaction after being frozen
231 * bit 1: new pending sync transaction during freezing
232 */
233 __u32 sync_recv;
234
235 /* process received async transactions since last frozen */
236 __u32 async_recv;
237};
238
239struct binder_frozen_state_info {
240 binder_uintptr_t cookie;
241 __u32 is_frozen;
242 __u32 reserved;
243};
244
245/* struct binder_extened_error - extended error information
246 * @id: identifier for the failed operation
247 * @command: command as defined by binder_driver_return_protocol
248 * @param: parameter holding a negative errno value
249 *
250 * Used with BINDER_GET_EXTENDED_ERROR. This extends the error information
251 * returned by the driver upon a failed operation. Userspace can pull this
252 * data to properly handle specific error scenarios.
253 */
254struct binder_extended_error {
255 __u32 id;
256 __u32 command;
257 __s32 param;
258};
259
260enum {
261 BINDER_WRITE_READ = _IOWR('b', 1, struct binder_write_read),
262 BINDER_SET_IDLE_TIMEOUT = _IOW('b', 3, __s64),
263 BINDER_SET_MAX_THREADS = _IOW('b', 5, __u32),
264 BINDER_SET_IDLE_PRIORITY = _IOW('b', 6, __s32),
265 BINDER_SET_CONTEXT_MGR = _IOW('b', 7, __s32),
266 BINDER_THREAD_EXIT = _IOW('b', 8, __s32),
267 BINDER_VERSION = _IOWR('b', 9, struct binder_version),
268 BINDER_GET_NODE_DEBUG_INFO = _IOWR('b', 11, struct binder_node_debug_info),
269 BINDER_GET_NODE_INFO_FOR_REF = _IOWR('b', 12, struct binder_node_info_for_ref),
270 BINDER_SET_CONTEXT_MGR_EXT = _IOW('b', 13, struct flat_binder_object),
271 BINDER_FREEZE = _IOW('b', 14, struct binder_freeze_info),
272 BINDER_GET_FROZEN_INFO = _IOWR('b', 15, struct binder_frozen_status_info),
273 BINDER_ENABLE_ONEWAY_SPAM_DETECTION = _IOW('b', 16, __u32),
274 BINDER_GET_EXTENDED_ERROR = _IOWR('b', 17, struct binder_extended_error),
275};
276
277/*
278 * NOTE: Two special error codes you should check for when calling
279 * in to the driver are:
280 *
281 * EINTR -- The operation has been interupted. This should be
282 * handled by retrying the ioctl() until a different error code
283 * is returned.
284 *
285 * ECONNREFUSED -- The driver is no longer accepting operations
286 * from your process. That is, the process is being destroyed.
287 * You should handle this by exiting from your process. Note
288 * that once this error code is returned, all further calls to
289 * the driver from any thread will return this same code.
290 */
291
292enum transaction_flags {
293 TF_ONE_WAY = 0x01, /* this is a one-way call: async, no return */
294 TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */
295 TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */
296 TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */
297 TF_CLEAR_BUF = 0x20, /* clear buffer on txn complete */
298 TF_UPDATE_TXN = 0x40, /* update the outdated pending async txn */
299};
300
301struct binder_transaction_data {
302 /* The first two are only used for bcTRANSACTION and brTRANSACTION,
303 * identifying the target and contents of the transaction.
304 */
305 union {
306 /* target descriptor of command transaction */
307 __u32 handle;
308 /* target descriptor of return transaction */
309 binder_uintptr_t ptr;
310 } target;
311 binder_uintptr_t cookie; /* target object cookie */
312 __u32 code; /* transaction command */
313
314 /* General information about the transaction. */
315 __u32 flags;
316 __kernel_pid_t sender_pid;
317 __kernel_uid32_t sender_euid;
318 binder_size_t data_size; /* number of bytes of data */
319 binder_size_t offsets_size; /* number of bytes of offsets */
320
321 /* If this transaction is inline, the data immediately
322 * follows here; otherwise, it ends with a pointer to
323 * the data buffer.
324 */
325 union {
326 struct {
327 /* transaction data */
328 binder_uintptr_t buffer;
329 /* offsets from buffer to flat_binder_object structs */
330 binder_uintptr_t offsets;
331 } ptr;
332 __u8 buf[8];
333 } data;
334};
335
336struct binder_transaction_data_secctx {
337 struct binder_transaction_data transaction_data;
338 binder_uintptr_t secctx;
339};
340
341struct binder_transaction_data_sg {
342 struct binder_transaction_data transaction_data;
343 binder_size_t buffers_size;
344};
345
346struct binder_ptr_cookie {
347 binder_uintptr_t ptr;
348 binder_uintptr_t cookie;
349};
350
351struct binder_handle_cookie {
352 __u32 handle;
353 binder_uintptr_t cookie;
354} __attribute__((packed));
355
356struct binder_pri_desc {
357 __s32 priority;
358 __u32 desc;
359};
360
361struct binder_pri_ptr_cookie {
362 __s32 priority;
363 binder_uintptr_t ptr;
364 binder_uintptr_t cookie;
365};
366
367enum binder_driver_return_protocol {
368 BR_ERROR = _IOR('r', 0, __s32),
369 /*
370 * int: error code
371 */
372
373 BR_OK = _IO('r', 1),
374 /* No parameters! */
375
376 BR_TRANSACTION_SEC_CTX = _IOR('r', 2,
377 struct binder_transaction_data_secctx),
378 /*
379 * binder_transaction_data_secctx: the received command.
380 */
381 BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data),
382 BR_REPLY = _IOR('r', 3, struct binder_transaction_data),
383 /*
384 * binder_transaction_data: the received command.
385 */
386
387 BR_ACQUIRE_RESULT = _IOR('r', 4, __s32),
388 /*
389 * not currently supported
390 * int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
391 * Else the remote object has acquired a primary reference.
392 */
393
394 BR_DEAD_REPLY = _IO('r', 5),
395 /*
396 * The target of the last transaction (either a bcTRANSACTION or
397 * a bcATTEMPT_ACQUIRE) is no longer with us. No parameters.
398 */
399
400 BR_TRANSACTION_COMPLETE = _IO('r', 6),
401 /*
402 * No parameters... always refers to the last transaction requested
403 * (including replies). Note that this will be sent even for
404 * asynchronous transactions.
405 */
406
407 BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie),
408 BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie),
409 BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie),
410 BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie),
411 /*
412 * void *: ptr to binder
413 * void *: cookie for binder
414 */
415
416 BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie),
417 /*
418 * not currently supported
419 * int: priority
420 * void *: ptr to binder
421 * void *: cookie for binder
422 */
423
424 BR_NOOP = _IO('r', 12),
425 /*
426 * No parameters. Do nothing and examine the next command. It exists
427 * primarily so that we can replace it with a BR_SPAWN_LOOPER command.
428 */
429
430 BR_SPAWN_LOOPER = _IO('r', 13),
431 /*
432 * No parameters. The driver has determined that a process has no
433 * threads waiting to service incoming transactions. When a process
434 * receives this command, it must spawn a new service thread and
435 * register it via bcENTER_LOOPER.
436 */
437
438 BR_FINISHED = _IO('r', 14),
439 /*
440 * not currently supported
441 * stop threadpool thread
442 */
443
444 BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t),
445 /*
446 * void *: cookie
447 */
448 BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t),
449 /*
450 * void *: cookie
451 */
452
453 BR_FAILED_REPLY = _IO('r', 17),
454 /*
455 * The last transaction (either a bcTRANSACTION or
456 * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters.
457 */
458
459 BR_FROZEN_REPLY = _IO('r', 18),
460 /*
461 * The target of the last sync transaction (either a bcTRANSACTION or
462 * a bcATTEMPT_ACQUIRE) is frozen. No parameters.
463 */
464
465 BR_ONEWAY_SPAM_SUSPECT = _IO('r', 19),
466 /*
467 * Current process sent too many oneway calls to target, and the last
468 * asynchronous transaction makes the allocated async buffer size exceed
469 * detection threshold. No parameters.
470 */
471
472 BR_TRANSACTION_PENDING_FROZEN = _IO('r', 20),
473 /*
474 * The target of the last async transaction is frozen. No parameters.
475 */
476
477 BR_FROZEN_BINDER = _IOR('r', 21, struct binder_frozen_state_info),
478 /*
479 * The cookie and a boolean (is_frozen) that indicates whether the process
480 * transitioned into a frozen or an unfrozen state.
481 */
482
483 BR_CLEAR_FREEZE_NOTIFICATION_DONE = _IOR('r', 22, binder_uintptr_t),
484 /*
485 * void *: cookie
486 */
487};
488
489enum binder_driver_command_protocol {
490 BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data),
491 BC_REPLY = _IOW('c', 1, struct binder_transaction_data),
492 /*
493 * binder_transaction_data: the sent command.
494 */
495
496 BC_ACQUIRE_RESULT = _IOW('c', 2, __s32),
497 /*
498 * not currently supported
499 * int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful.
500 * Else you have acquired a primary reference on the object.
501 */
502
503 BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t),
504 /*
505 * void *: ptr to transaction data received on a read
506 */
507
508 BC_INCREFS = _IOW('c', 4, __u32),
509 BC_ACQUIRE = _IOW('c', 5, __u32),
510 BC_RELEASE = _IOW('c', 6, __u32),
511 BC_DECREFS = _IOW('c', 7, __u32),
512 /*
513 * int: descriptor
514 */
515
516 BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie),
517 BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie),
518 /*
519 * void *: ptr to binder
520 * void *: cookie for binder
521 */
522
523 BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc),
524 /*
525 * not currently supported
526 * int: priority
527 * int: descriptor
528 */
529
530 BC_REGISTER_LOOPER = _IO('c', 11),
531 /*
532 * No parameters.
533 * Register a spawned looper thread with the device.
534 */
535
536 BC_ENTER_LOOPER = _IO('c', 12),
537 BC_EXIT_LOOPER = _IO('c', 13),
538 /*
539 * No parameters.
540 * These two commands are sent as an application-level thread
541 * enters and exits the binder loop, respectively. They are
542 * used so the binder can have an accurate count of the number
543 * of looping threads it has available.
544 */
545
546 BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14,
547 struct binder_handle_cookie),
548 /*
549 * int: handle
550 * void *: cookie
551 */
552
553 BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15,
554 struct binder_handle_cookie),
555 /*
556 * int: handle
557 * void *: cookie
558 */
559
560 BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t),
561 /*
562 * void *: cookie
563 */
564
565 BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg),
566 BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg),
567 /*
568 * binder_transaction_data_sg: the sent command.
569 */
570
571 BC_REQUEST_FREEZE_NOTIFICATION =
572 _IOW('c', 19, struct binder_handle_cookie),
573 /*
574 * int: handle
575 * void *: cookie
576 */
577
578 BC_CLEAR_FREEZE_NOTIFICATION = _IOW('c', 20,
579 struct binder_handle_cookie),
580 /*
581 * int: handle
582 * void *: cookie
583 */
584
585 BC_FREEZE_NOTIFICATION_DONE = _IOW('c', 21, binder_uintptr_t),
586 /*
587 * void *: cookie
588 */
589};
590
591#endif /* _LINUX_BINDER_H */