mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-11-27 01:11:31 +00:00
eafedbc7c0
We're generally not proponents of rewrites (nasty uncomfortable things that make you late for dinner!). So why rewrite Binder? Binder has been evolving over the past 15+ years to meet the evolving needs of Android. Its responsibilities, expectations, and complexity have grown considerably during that time. While we expect Binder to continue to evolve along with Android, there are a number of factors that currently constrain our ability to develop/maintain it. Briefly those are: 1. Complexity: Binder is at the intersection of everything in Android and fulfills many responsibilities beyond IPC. It has become many things to many people, and due to its many features and their interactions with each other, its complexity is quite high. In just 6kLOC it must deliver transactions to the right threads. It must correctly parse and translate the contents of transactions, which can contain several objects of different types (e.g., pointers, fds) that can interact with each other. It controls the size of thread pools in userspace, and ensures that transactions are assigned to threads in ways that avoid deadlocks where the threadpool has run out of threads. It must track refcounts of objects that are shared by several processes by forwarding refcount changes between the processes correctly. It must handle numerous error scenarios and it combines/nests 13 different locks, 7 reference counters, and atomic variables. Finally, It must do all of this as fast and efficiently as possible. Minor performance regressions can cause a noticeably degraded user experience. 2. Things to improve: Thousand-line functions [1], error-prone error handling [2], and confusing structure can occur as a code base grows organically. After more than a decade of development, this codebase could use an overhaul. [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/android/binder.c?h=v6.5#n2896 [2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/android/binder.c?h=v6.5#n3658 3. Security critical: Binder is a critical part of Android's sandboxing strategy. Even Android's most de-privileged sandboxes (e.g. the Chrome renderer, or SW Codec) have direct access to Binder. More than just about any other component, it's important that Binder provide robust security, and itself be robust against security vulnerabilities. It's #1 (high complexity) that has made continuing to evolve Binder and resolving #2 (tech debt) exceptionally difficult without causing #3 (security issues). For Binder to continue to meet Android's needs, we need better ways to manage (and reduce!) complexity without increasing the risk. The biggest change is obviously the choice of programming language. We decided to use Rust because it directly addresses a number of the challenges within Binder that we have faced during the last years. It prevents mistakes with ref counting, locking, bounds checking, and also does a lot to reduce the complexity of error handling. Additionally, we've been able to use the more expressive type system to encode the ownership semantics of the various structs and pointers, which takes the complexity of managing object lifetimes out of the hands of the programmer, reducing the risk of use-after-frees and similar problems. Rust has many different pointer types that it uses to encode ownership semantics into the type system, and this is probably one of the most important aspects of how it helps in Binder. The Binder driver has a lot of different objects that have complex ownership semantics; some pointers own a refcount, some pointers have exclusive ownership, and some pointers just reference the object and it is kept alive in some other manner. With Rust, we can use a different pointer type for each kind of pointer, which enables the compiler to enforce that the ownership semantics are implemented correctly. Another useful feature is Rust's error handling. Rust allows for more simplified error handling with features such as destructors, and you get compilation failures if errors are not properly handled. This means that even though Rust requires you to spend more lines of code than C on things such as writing down invariants that are left implicit in C, the Rust driver is still slightly smaller than C binder: Rust is 5.5kLOC and C is 5.8kLOC. (These numbers are excluding blank lines, comments, binderfs, and any debugging facilities in C that are not yet implemented in the Rust driver. The numbers include abstractions in rust/kernel/ that are unlikely to be used by other drivers than Binder.) Although this rewrite completely rethinks how the code is structured and how assumptions are enforced, we do not fundamentally change *how* the driver does the things it does. A lot of careful thought has gone into the existing design. The rewrite is aimed rather at improving code health, structure, readability, robustness, security, maintainability and extensibility. We also include more inline documentation, and improve how assumptions in the code are enforced. Furthermore, all unsafe code is annotated with a SAFETY comment that explains why it is correct. We have left the binderfs filesystem component in C. Rewriting it in Rust would be a large amount of work and requires a lot of bindings to the file system interfaces. Binderfs has not historically had the same challenges with security and complexity, so rewriting binderfs seems to have lower value than the rest of Binder. Correctness and feature parity ------------------------------ Rust binder passes all tests that validate the correctness of Binder in the Android Open Source Project. We can boot a device, and run a variety of apps and functionality without issues. We have performed this both on the Cuttlefish Android emulator device, and on a Pixel 6 Pro. As for feature parity, Rust binder currently implements all features that C binder supports, with the exception of some debugging facilities. The missing debugging facilities will be added before we submit the Rust implementation upstream. Tracepoints ----------- I did not include all of the tracepoints as I felt that the mechansim for making C access fields of Rust structs should be discussed on list separately. I also did not include the support for building Rust Binder as a module since that requires exporting a bunch of additional symbols on the C side. Original RFC Link with old benchmark numbers: https://lore.kernel.org/r/20231101-rust-binder-v1-0-08ba9197f637@google.com Co-developed-by: Wedson Almeida Filho <wedsonaf@gmail.com> Signed-off-by: Wedson Almeida Filho <wedsonaf@gmail.com> Co-developed-by: Matt Gilbride <mattgilbride@google.com> Signed-off-by: Matt Gilbride <mattgilbride@google.com> Acked-by: Carlos Llamas <cmllamas@google.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20250919-rust-binder-v2-1-a384b09f28dd@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
266 lines
11 KiB
Rust
266 lines
11 KiB
Rust
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
//! Kernel page allocation and management.
|
|
|
|
use crate::{
|
|
alloc::{AllocError, Flags},
|
|
bindings,
|
|
error::code::*,
|
|
error::Result,
|
|
uaccess::UserSliceReader,
|
|
};
|
|
use core::ptr::{self, NonNull};
|
|
|
|
/// A bitwise shift for the page size.
|
|
pub const PAGE_SHIFT: usize = bindings::PAGE_SHIFT as usize;
|
|
|
|
/// The number of bytes in a page.
|
|
pub const PAGE_SIZE: usize = bindings::PAGE_SIZE;
|
|
|
|
/// A bitmask that gives the page containing a given address.
|
|
pub const PAGE_MASK: usize = !(PAGE_SIZE - 1);
|
|
|
|
/// Round up the given number to the next multiple of [`PAGE_SIZE`].
|
|
///
|
|
/// It is incorrect to pass an address where the next multiple of [`PAGE_SIZE`] doesn't fit in a
|
|
/// [`usize`].
|
|
pub const fn page_align(addr: usize) -> usize {
|
|
// Parentheses around `PAGE_SIZE - 1` to avoid triggering overflow sanitizers in the wrong
|
|
// cases.
|
|
(addr + (PAGE_SIZE - 1)) & PAGE_MASK
|
|
}
|
|
|
|
/// A pointer to a page that owns the page allocation.
|
|
///
|
|
/// # Invariants
|
|
///
|
|
/// The pointer is valid, and has ownership over the page.
|
|
pub struct Page {
|
|
page: NonNull<bindings::page>,
|
|
}
|
|
|
|
// SAFETY: Pages have no logic that relies on them staying on a given thread, so moving them across
|
|
// threads is safe.
|
|
unsafe impl Send for Page {}
|
|
|
|
// SAFETY: Pages have no logic that relies on them not being accessed concurrently, so accessing
|
|
// them concurrently is safe.
|
|
unsafe impl Sync for Page {}
|
|
|
|
impl Page {
|
|
/// Allocates a new page.
|
|
///
|
|
/// # Examples
|
|
///
|
|
/// Allocate memory for a page.
|
|
///
|
|
/// ```
|
|
/// use kernel::page::Page;
|
|
///
|
|
/// let page = Page::alloc_page(GFP_KERNEL)?;
|
|
/// # Ok::<(), kernel::alloc::AllocError>(())
|
|
/// ```
|
|
///
|
|
/// Allocate memory for a page and zero its contents.
|
|
///
|
|
/// ```
|
|
/// use kernel::page::Page;
|
|
///
|
|
/// let page = Page::alloc_page(GFP_KERNEL | __GFP_ZERO)?;
|
|
/// # Ok::<(), kernel::alloc::AllocError>(())
|
|
/// ```
|
|
#[inline]
|
|
pub fn alloc_page(flags: Flags) -> Result<Self, AllocError> {
|
|
// SAFETY: Depending on the value of `gfp_flags`, this call may sleep. Other than that, it
|
|
// is always safe to call this method.
|
|
let page = unsafe { bindings::alloc_pages(flags.as_raw(), 0) };
|
|
let page = NonNull::new(page).ok_or(AllocError)?;
|
|
// INVARIANT: We just successfully allocated a page, so we now have ownership of the newly
|
|
// allocated page. We transfer that ownership to the new `Page` object.
|
|
Ok(Self { page })
|
|
}
|
|
|
|
/// Returns a raw pointer to the page.
|
|
pub fn as_ptr(&self) -> *mut bindings::page {
|
|
self.page.as_ptr()
|
|
}
|
|
|
|
/// Get the node id containing this page.
|
|
pub fn nid(&self) -> i32 {
|
|
// SAFETY: Always safe to call with a valid page.
|
|
unsafe { bindings::page_to_nid(self.as_ptr()) }
|
|
}
|
|
|
|
/// Runs a piece of code with this page mapped to an address.
|
|
///
|
|
/// The page is unmapped when this call returns.
|
|
///
|
|
/// # Using the raw pointer
|
|
///
|
|
/// It is up to the caller to use the provided raw pointer correctly. The pointer is valid for
|
|
/// `PAGE_SIZE` bytes and for the duration in which the closure is called. The pointer might
|
|
/// only be mapped on the current thread, and when that is the case, dereferencing it on other
|
|
/// threads is UB. Other than that, the usual rules for dereferencing a raw pointer apply: don't
|
|
/// cause data races, the memory may be uninitialized, and so on.
|
|
///
|
|
/// If multiple threads map the same page at the same time, then they may reference with
|
|
/// different addresses. However, even if the addresses are different, the underlying memory is
|
|
/// still the same for these purposes (e.g., it's still a data race if they both write to the
|
|
/// same underlying byte at the same time).
|
|
fn with_page_mapped<T>(&self, f: impl FnOnce(*mut u8) -> T) -> T {
|
|
// SAFETY: `page` is valid due to the type invariants on `Page`.
|
|
let mapped_addr = unsafe { bindings::kmap_local_page(self.as_ptr()) };
|
|
|
|
let res = f(mapped_addr.cast());
|
|
|
|
// This unmaps the page mapped above.
|
|
//
|
|
// SAFETY: Since this API takes the user code as a closure, it can only be used in a manner
|
|
// where the pages are unmapped in reverse order. This is as required by `kunmap_local`.
|
|
//
|
|
// In other words, if this call to `kunmap_local` happens when a different page should be
|
|
// unmapped first, then there must necessarily be a call to `kmap_local_page` other than the
|
|
// call just above in `with_page_mapped` that made that possible. In this case, it is the
|
|
// unsafe block that wraps that other call that is incorrect.
|
|
unsafe { bindings::kunmap_local(mapped_addr) };
|
|
|
|
res
|
|
}
|
|
|
|
/// Runs a piece of code with a raw pointer to a slice of this page, with bounds checking.
|
|
///
|
|
/// If `f` is called, then it will be called with a pointer that points at `off` bytes into the
|
|
/// page, and the pointer will be valid for at least `len` bytes. The pointer is only valid on
|
|
/// this task, as this method uses a local mapping.
|
|
///
|
|
/// If `off` and `len` refers to a region outside of this page, then this method returns
|
|
/// [`EINVAL`] and does not call `f`.
|
|
///
|
|
/// # Using the raw pointer
|
|
///
|
|
/// It is up to the caller to use the provided raw pointer correctly. The pointer is valid for
|
|
/// `len` bytes and for the duration in which the closure is called. The pointer might only be
|
|
/// mapped on the current thread, and when that is the case, dereferencing it on other threads
|
|
/// is UB. Other than that, the usual rules for dereferencing a raw pointer apply: don't cause
|
|
/// data races, the memory may be uninitialized, and so on.
|
|
///
|
|
/// If multiple threads map the same page at the same time, then they may reference with
|
|
/// different addresses. However, even if the addresses are different, the underlying memory is
|
|
/// still the same for these purposes (e.g., it's still a data race if they both write to the
|
|
/// same underlying byte at the same time).
|
|
fn with_pointer_into_page<T>(
|
|
&self,
|
|
off: usize,
|
|
len: usize,
|
|
f: impl FnOnce(*mut u8) -> Result<T>,
|
|
) -> Result<T> {
|
|
let bounds_ok = off <= PAGE_SIZE && len <= PAGE_SIZE && (off + len) <= PAGE_SIZE;
|
|
|
|
if bounds_ok {
|
|
self.with_page_mapped(move |page_addr| {
|
|
// SAFETY: The `off` integer is at most `PAGE_SIZE`, so this pointer offset will
|
|
// result in a pointer that is in bounds or one off the end of the page.
|
|
f(unsafe { page_addr.add(off) })
|
|
})
|
|
} else {
|
|
Err(EINVAL)
|
|
}
|
|
}
|
|
|
|
/// Maps the page and reads from it into the given buffer.
|
|
///
|
|
/// This method will perform bounds checks on the page offset. If `offset .. offset+len` goes
|
|
/// outside of the page, then this call returns [`EINVAL`].
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// * Callers must ensure that `dst` is valid for writing `len` bytes.
|
|
/// * Callers must ensure that this call does not race with a write to the same page that
|
|
/// overlaps with this read.
|
|
pub unsafe fn read_raw(&self, dst: *mut u8, offset: usize, len: usize) -> Result {
|
|
self.with_pointer_into_page(offset, len, move |src| {
|
|
// SAFETY: If `with_pointer_into_page` calls into this closure, then
|
|
// it has performed a bounds check and guarantees that `src` is
|
|
// valid for `len` bytes.
|
|
//
|
|
// There caller guarantees that there is no data race.
|
|
unsafe { ptr::copy_nonoverlapping(src, dst, len) };
|
|
Ok(())
|
|
})
|
|
}
|
|
|
|
/// Maps the page and writes into it from the given buffer.
|
|
///
|
|
/// This method will perform bounds checks on the page offset. If `offset .. offset+len` goes
|
|
/// outside of the page, then this call returns [`EINVAL`].
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// * Callers must ensure that `src` is valid for reading `len` bytes.
|
|
/// * Callers must ensure that this call does not race with a read or write to the same page
|
|
/// that overlaps with this write.
|
|
pub unsafe fn write_raw(&self, src: *const u8, offset: usize, len: usize) -> Result {
|
|
self.with_pointer_into_page(offset, len, move |dst| {
|
|
// SAFETY: If `with_pointer_into_page` calls into this closure, then it has performed a
|
|
// bounds check and guarantees that `dst` is valid for `len` bytes.
|
|
//
|
|
// There caller guarantees that there is no data race.
|
|
unsafe { ptr::copy_nonoverlapping(src, dst, len) };
|
|
Ok(())
|
|
})
|
|
}
|
|
|
|
/// Maps the page and zeroes the given slice.
|
|
///
|
|
/// This method will perform bounds checks on the page offset. If `offset .. offset+len` goes
|
|
/// outside of the page, then this call returns [`EINVAL`].
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// Callers must ensure that this call does not race with a read or write to the same page that
|
|
/// overlaps with this write.
|
|
pub unsafe fn fill_zero_raw(&self, offset: usize, len: usize) -> Result {
|
|
self.with_pointer_into_page(offset, len, move |dst| {
|
|
// SAFETY: If `with_pointer_into_page` calls into this closure, then it has performed a
|
|
// bounds check and guarantees that `dst` is valid for `len` bytes.
|
|
//
|
|
// There caller guarantees that there is no data race.
|
|
unsafe { ptr::write_bytes(dst, 0u8, len) };
|
|
Ok(())
|
|
})
|
|
}
|
|
|
|
/// Copies data from userspace into this page.
|
|
///
|
|
/// This method will perform bounds checks on the page offset. If `offset .. offset+len` goes
|
|
/// outside of the page, then this call returns [`EINVAL`].
|
|
///
|
|
/// Like the other `UserSliceReader` methods, data races are allowed on the userspace address.
|
|
/// However, they are not allowed on the page you are copying into.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// Callers must ensure that this call does not race with a read or write to the same page that
|
|
/// overlaps with this write.
|
|
pub unsafe fn copy_from_user_slice_raw(
|
|
&self,
|
|
reader: &mut UserSliceReader,
|
|
offset: usize,
|
|
len: usize,
|
|
) -> Result {
|
|
self.with_pointer_into_page(offset, len, move |dst| {
|
|
// SAFETY: If `with_pointer_into_page` calls into this closure, then it has performed a
|
|
// bounds check and guarantees that `dst` is valid for `len` bytes. Furthermore, we have
|
|
// exclusive access to the slice since the caller guarantees that there are no races.
|
|
reader.read_raw(unsafe { core::slice::from_raw_parts_mut(dst.cast(), len) })
|
|
})
|
|
}
|
|
}
|
|
|
|
impl Drop for Page {
|
|
#[inline]
|
|
fn drop(&mut self) {
|
|
// SAFETY: By the type invariants, we have ownership of the page and can free it.
|
|
unsafe { bindings::__free_pages(self.page.as_ptr(), 0) };
|
|
}
|
|
}
|