github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/sys/linux/dev_binder.txt (about) 1 # Copyright 2017 syzkaller project authors. All rights reserved. 2 # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. 3 4 # These descriptions rely on binderfs being enabled and creating at least binder0 5 # and binder1 devices right after a mount. 6 # "binder,hwbinder,vndbinder" devices are also supported; this is the kconfig default 7 # and it's what's used on real Android devices (the main user of binder). 8 # Description assumes CONFIG_ANDROID_BINDER_IPC_32BIT is not set. 9 10 include <linux/android/binder.h> 11 include <linux/fcntl.h> 12 13 resource fd_binder[fd] 14 resource binder_ptr[int64]: 0 15 16 # What's the difference between these node and handle? Do they mean the same? 17 type binder_node int64[0:3] 18 type binder_handle int32[0:3] 19 # It seems that cookies are only checked for inequality and non-matching cookies only cover error paths. 20 type binder_cookie const[0, int64] 21 22 openat$binder(fd const[AT_FDCWD], file ptr[in, string["/dev/binder"]], flags flags[binder_open_flags], mode const[0]) fd_binder 23 openat$binderfs(fd const[AT_FDCWD], file ptr[in, string[binderfs_devpath]], flags flags[binder_open_flags], mode const[0]) fd_binder 24 openat$hwbinder(fd const[AT_FDCWD], file ptr[in, string["/dev/hwbinder"]], flags flags[binder_open_flags], mode const[0]) fd_binder 25 openat$vndbinder(fd const[AT_FDCWD], file ptr[in, string["/dev/vndbinder"]], flags flags[binder_open_flags], mode const[0]) fd_binder 26 27 mmap$binder(addr vma, len len[addr], prot const[PROT_READ], flags const[MAP_SHARED], fd fd_binder, offset fileoff) binder_ptr 28 29 ioctl$BINDER_SET_MAX_THREADS(fd fd_binder, cmd const[BINDER_SET_MAX_THREADS], arg ptr[in, int32]) 30 ioctl$BINDER_SET_CONTEXT_MGR(fd fd_binder, cmd const[BINDER_SET_CONTEXT_MGR], arg const[0]) 31 ioctl$BINDER_SET_CONTEXT_MGR_EXT(fd fd_binder, cmd const[BINDER_SET_CONTEXT_MGR_EXT], arg ptr[in, flat_binder_object_t[BINDER_TYPE_BINDER, binder_node]]) 32 ioctl$BINDER_THREAD_EXIT(fd fd_binder, cmd const[BINDER_THREAD_EXIT], arg const[0]) 33 ioctl$BINDER_GET_NODE_DEBUG_INFO(fd fd_binder, cmd const[BINDER_GET_NODE_DEBUG_INFO], arg ptr[inout, binder_node_debug_info]) 34 ioctl$BINDER_WRITE_READ(fd fd_binder, cmd const[BINDER_WRITE_READ], arg ptr[in, binder_write_read]) 35 ioctl$BINDER_GET_NODE_INFO_FOR_REF(fd fd_binder, cmd const[BINDER_GET_NODE_INFO_FOR_REF], arg ptr[in, binder_node_info_for_ref]) 36 ioctl$BINDER_FREEZE(fd fd_binder, cmd const[BINDER_FREEZE], arg ptr[in, binder_freeze_info]) 37 ioctl$BINDER_GET_FROZEN_INFO(fd fd_binder, cmd const[BINDER_GET_FROZEN_INFO], arg ptr[in, binder_frozen_status_info]) 38 ioctl$BINDER_ENABLE_ONEWAY_SPAM_DETECTION(fd fd_binder, cmd const[BINDER_ENABLE_ONEWAY_SPAM_DETECTION], arg ptr[in, bool32]) 39 ioctl$BINDER_GET_EXTENDED_ERROR(fd fd_binder, cmd const[BINDER_GET_EXTENDED_ERROR], arg ptr[out, binder_extended_error]) 40 41 openat$binder_debug(fd const[AT_FDCWD], file ptr[in, string[binder_debug_file]], flags const[O_RDONLY], mode const[0]) fd 42 43 binder_debug_file = "/sys/kernel/debug/binder/failed_transaction_log", "/sys/kernel/debug/binder/state", "/sys/kernel/debug/binder/stats", "/sys/kernel/debug/binder/transaction_log", "/sys/kernel/debug/binder/transactions" 44 45 binder_open_flags = O_RDWR, O_NONBLOCK 46 _ = __NR_mmap2 47 48 binder_freeze_info { 49 pid pid 50 enable bool32 51 timeout_ms int32 52 } 53 54 binder_frozen_status_info { 55 pid pid 56 sync_recv int32 (out) 57 async_recv int32 (out) 58 } 59 60 binder_node_debug_info { 61 ptr binder_node 62 cookie const[0, int64] 63 has_strong_ref const[0, int32] 64 has_weak_ref const[0, int32] 65 } 66 67 binder_node_info_for_ref { 68 handle binder_handle 69 strong_count const[0, int32] 70 weak_count const[0, int32] 71 reserved1 const[0, int32] 72 reserved2 const[0, int32] 73 reserved3 const[0, int32] 74 } 75 76 binder_write_read { 77 write_size bytesize[write_buffer, int64] 78 write_consumed const[0, int64] 79 write_buffer ptr64[in, array[binder_write_cmd]] 80 read_size bytesize[read_buffer, int64] 81 read_consumed const[0, int64] 82 read_buffer ptr64[in, array[int8]] 83 } 84 85 binder_write_cmd [ 86 transaction binder_cmd_transaction 87 reply binder_cmd_reply 88 transaction_sg binder_cmd_transaction_sg 89 reply_sg binder_cmd_reply_sg 90 free_buffer binder_cmd_free_buffer 91 increfs binder_cmd_increfs 92 acquire binder_cmd_acquire 93 release binder_cmd_release 94 decrefs binder_cmd_decrefs 95 increfs_done binder_cmd_increfs_done 96 acquire_done binder_cmd_acquire_done 97 register_looper binder_cmd_register_looper 98 enter_looper binder_cmd_enter_looper 99 exit_looper binder_cmd_exit_looper 100 request_death binder_cmd_request_death 101 clear_death binder_cmd_clear_death 102 dead_binder_done binder_cmd_dead_binder_done 103 ] [varlen] 104 105 binder_cmd_transaction { 106 cmd const[BC_TRANSACTION, int32] 107 data binder_transaction_data 108 } [packed] 109 110 binder_cmd_reply { 111 cmd const[BC_REPLY, int32] 112 data binder_transaction_data 113 } [packed] 114 115 binder_cmd_transaction_sg { 116 cmd const[BC_TRANSACTION_SG, int32] 117 data binder_transaction_data 118 buffers_size flags[binder_sg_size, int64] 119 } [packed] 120 121 binder_cmd_reply_sg { 122 cmd const[BC_REPLY_SG, int32] 123 data binder_transaction_data 124 buffers_size flags[binder_sg_size, int64] 125 } [packed] 126 127 # NEED: buffers_size should be multiple of 8 and must be no less than size of all BINDER_TYPE_PTR buffers. 128 binder_sg_size = 0, 64, 1024, 4096 129 130 binder_transaction_data { 131 handle binder_handle 132 # there is a union of handle with binder_uintptr_t 133 pad const[0, int32] 134 cookie binder_cookie 135 code const[0, int32] 136 flags flags[binder_transaction_flags, int32] 137 sender_pid const[0, int32] 138 sender_euid const[0, int32] 139 data_size bytesize[buffer, int64] 140 offsets_size bytesize[offsets, int64] 141 buffer ptr64[in, binder_objects] 142 offsets ptr64[in, binder_offsets] 143 } 144 145 binder_objects { 146 obj0 binder_object 147 obj1 binder_object 148 obj2 binder_object 149 } [packed, align[8]] 150 151 binder_offsets { 152 off0 offsetof[binder_transaction_data:buffer:obj0, int64] 153 off1 offsetof[binder_transaction_data:buffer:obj1, int64] 154 off2 offsetof[binder_transaction_data:buffer:obj2, int64] 155 } 156 157 binder_transaction_flags = TF_ONE_WAY, TF_ACCEPT_FDS, TF_CLEAR_BUF 158 159 binder_object [ 160 flat flat_binder_object 161 fd binder_fd_object 162 fda binder_fd_array_object 163 ptr binder_buffer_object 164 ] [varlen] 165 166 flat_binder_object [ 167 binder flat_binder_object_t[BINDER_TYPE_BINDER, binder_node] 168 weak_binder flat_binder_object_t[BINDER_TYPE_WEAK_BINDER, binder_node] 169 handle flat_binder_object_t[BINDER_TYPE_HANDLE, binder_handle] 170 weak_handle flat_binder_object_t[BINDER_TYPE_WEAK_HANDLE, binder_handle] 171 ] 172 173 type flat_binder_object_t[TYP, DATA] { 174 type const[TYP, int32] 175 flags flags[binder_flat_flags, int32] 176 binder DATA 177 cookie binder_cookie 178 } 179 180 binder_flat_flags = 1, 10, FLAT_BINDER_FLAG_ACCEPTS_FDS, FLAT_BINDER_FLAG_TXN_SECURITY_CTX 181 182 binder_fd_object { 183 type const[BINDER_TYPE_FD, int32] 184 pad const[0, int32] 185 fd fd 186 pad2 const[0, int32] 187 cookie binder_cookie 188 } 189 190 binder_fd_array_object { 191 type const[BINDER_TYPE_FDA, int32] 192 num_fds int64[0:10] 193 parnt int64[0:2] 194 parent_offset int64[0:64] 195 } 196 197 binder_buffer_object { 198 type const[BINDER_TYPE_PTR, int32] 199 # This is BINDER_BUFFER_FLAG_HAS_PARENT. 200 flags bool32 201 # The buffer is actually input, but the data is opaque. 202 buffer ptr64[out, array[int8]] 203 length bytesize[buffer, int64] 204 # If flags == BINDER_BUFFER_FLAG_HAS_PARENT, this must point to another BINDER_TYPE_PTR object. 205 parnt int64[0:2] 206 parent_offset int64[0:64] 207 } 208 209 binder_cmd_free_buffer { 210 cmd const[BC_FREE_BUFFER, int32] 211 ptr binder_ptr 212 } [packed] 213 214 binder_cmd_increfs { 215 cmd const[BC_INCREFS, int32] 216 ref binder_handle 217 } [packed] 218 219 binder_cmd_acquire { 220 cmd const[BC_ACQUIRE, int32] 221 ref binder_handle 222 } [packed] 223 224 binder_cmd_release { 225 cmd const[BC_RELEASE, int32] 226 ref binder_handle 227 } [packed] 228 229 binder_cmd_decrefs { 230 cmd const[BC_DECREFS, int32] 231 ref binder_handle 232 } [packed] 233 234 binder_cmd_increfs_done { 235 cmd const[BC_INCREFS_DONE, int32] 236 ptr binder_node 237 cookie binder_cookie 238 } [packed] 239 240 binder_cmd_acquire_done { 241 cmd const[BC_ACQUIRE_DONE, int32] 242 ptr binder_node 243 cookie binder_cookie 244 } [packed] 245 246 binder_cmd_register_looper { 247 cmd const[BC_REGISTER_LOOPER, int32] 248 } [packed] 249 250 binder_cmd_enter_looper { 251 cmd const[BC_ENTER_LOOPER, int32] 252 } [packed] 253 254 binder_cmd_exit_looper { 255 cmd const[BC_EXIT_LOOPER, int32] 256 } [packed] 257 258 binder_cmd_request_death { 259 cmd const[BC_REQUEST_DEATH_NOTIFICATION, int32] 260 handle binder_handle 261 cookie binder_cookie 262 } [packed] 263 264 binder_cmd_clear_death { 265 cmd const[BC_CLEAR_DEATH_NOTIFICATION, int32] 266 handle binder_handle 267 cookie binder_cookie 268 } [packed] 269 270 binder_cmd_dead_binder_done { 271 cmd const[BC_DEAD_BINDER_DONE, int32] 272 cookie binder_cookie 273 } [packed] 274 275 binder_extended_error { 276 id int32 277 command int32 278 param int32 279 }