1 /* 2 * Copyright (C) 2005 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "BpBinder" 18 //#define LOG_NDEBUG 0 19 20 #include <binder/BpBinder.h> 21 22 #include <binder/IPCThreadState.h> 23 #include <binder/IResultReceiver.h> 24 #include <cutils/compiler.h> 25 #include <utils/Log.h> 26 27 #include <stdio.h> 28 29 //#undef ALOGV 30 //#define ALOGV(...) fprintf(stderr, __VA_ARGS__) 31 32 namespace android { 33 34 // --------------------------------------------------------------------------- 35 36 Mutex BpBinder::sTrackingLock; 37 std::unordered_map<int32_t,uint32_t> BpBinder::sTrackingMap; 38 int BpBinder::sNumTrackedUids = 0; 39 std::atomic_bool BpBinder::sCountByUidEnabled(false); 40 binder_proxy_limit_callback BpBinder::sLimitCallback; 41 bool BpBinder::sBinderProxyThrottleCreate = false; 42 43 // Arbitrarily high value that probably distinguishes a bad behaving app 44 uint32_t BpBinder::sBinderProxyCountHighWatermark = 2500; 45 // Another arbitrary value a binder count needs to drop below before another callback will be called 46 uint32_t BpBinder::sBinderProxyCountLowWatermark = 2000; 47 48 enum { 49 LIMIT_REACHED_MASK = 0x80000000, // A flag denoting that the limit has been reached 50 COUNTING_VALUE_MASK = 0x7FFFFFFF, // A mask of the remaining bits for the count value 51 }; 52 53 BpBinder::ObjectManager::ObjectManager() 54 { 55 } 56 57 BpBinder::ObjectManager::~ObjectManager() 58 { 59 kill(); 60 } 61 62 void BpBinder::ObjectManager::attach( 63 const void* objectID, void* object, void* cleanupCookie, 64 IBinder::object_cleanup_func func) 65 { 66 entry_t e; 67 e.object = object; 68 e.cleanupCookie = cleanupCookie; 69 e.func = func; 70 71 if (mObjects.indexOfKey(objectID) >= 0) { 72 ALOGE("Trying to attach object ID %p to binder ObjectManager %p with object %p, but object ID already in use", 73 objectID, this, object); 74 return; 75 } 76 77 mObjects.add(objectID, e); 78 } 79 80 void* BpBinder::ObjectManager::find(const void* objectID) const 81 { 82 const ssize_t i = mObjects.indexOfKey(objectID); 83 if (i < 0) return nullptr; 84 return mObjects.valueAt(i).object; 85 } 86 87 void BpBinder::ObjectManager::detach(const void* objectID) 88 { 89 mObjects.removeItem(objectID); 90 } 91 92 void BpBinder::ObjectManager::kill() 93 { 94 const size_t N = mObjects.size(); 95 ALOGV("Killing %zu objects in manager %p", N, this); 96 for (size_t i=0; i<N; i++) { 97 const entry_t& e = mObjects.valueAt(i); 98 if (e.func != nullptr) { 99 e.func(mObjects.keyAt(i), e.object, e.cleanupCookie); 100 } 101 } 102 103 mObjects.clear(); 104 } 105 106 // --------------------------------------------------------------------------- 107 108 109 BpBinder* BpBinder::create(int32_t handle) { 110 int32_t trackedUid = -1; 111 if (sCountByUidEnabled) { 112 trackedUid = IPCThreadState::self()->getCallingUid(); 113 AutoMutex _l(sTrackingLock); 114 uint32_t trackedValue = sTrackingMap[trackedUid]; 115 if (CC_UNLIKELY(trackedValue & LIMIT_REACHED_MASK)) { 116 if (sBinderProxyThrottleCreate) { 117 return nullptr; 118 } 119 } else { 120 if ((trackedValue & COUNTING_VALUE_MASK) >= sBinderProxyCountHighWatermark) { 121 ALOGE("Too many binder proxy objects sent to uid %d from uid %d (%d proxies held)", 122 getuid(), trackedUid, trackedValue); 123 sTrackingMap[trackedUid] |= LIMIT_REACHED_MASK; 124 if (sLimitCallback) sLimitCallback(trackedUid); 125 if (sBinderProxyThrottleCreate) { 126 ALOGI("Throttling binder proxy creates from uid %d in uid %d until binder proxy" 127 " count drops below %d", 128 trackedUid, getuid(), sBinderProxyCountLowWatermark); 129 return nullptr; 130 } 131 } 132 } 133 sTrackingMap[trackedUid]++; 134 } 135 return new BpBinder(handle, trackedUid); 136 } 137 138 BpBinder::BpBinder(int32_t handle, int32_t trackedUid) 139 : mHandle(handle) 140 , mAlive(1) 141 , mObitsSent(0) 142 , mObituaries(nullptr) 143 , mTrackedUid(trackedUid) 144 { 145 ALOGV("Creating BpBinder %p handle %d\n", this, mHandle); 146 147 extendObjectLifetime(OBJECT_LIFETIME_WEAK); 148 IPCThreadState::self()->incWeakHandle(handle, this); 149 } 150 151 bool BpBinder::isDescriptorCached() const { 152 Mutex::Autolock _l(mLock); 153 return mDescriptorCache.size() ? true : false; 154 } 155 156 const String16& BpBinder::getInterfaceDescriptor() const 157 { 158 if (isDescriptorCached() == false) { 159 Parcel send, reply; 160 // do the IPC without a lock held. 161 status_t err = const_cast<BpBinder*>(this)->transact( 162 INTERFACE_TRANSACTION, send, &reply); 163 if (err == NO_ERROR) { 164 String16 res(reply.readString16()); 165 Mutex::Autolock _l(mLock); 166 // mDescriptorCache could have been assigned while the lock was 167 // released. 168 if (mDescriptorCache.size() == 0) 169 mDescriptorCache = res; 170 } 171 } 172 173 // we're returning a reference to a non-static object here. Usually this 174 // is not something smart to do, however, with binder objects it is 175 // (usually) safe because they are reference-counted. 176 177 return mDescriptorCache; 178 } 179 180 bool BpBinder::isBinderAlive() const 181 { 182 return mAlive != 0; 183 } 184 185 status_t BpBinder::pingBinder() 186 { 187 Parcel send; 188 Parcel reply; 189 status_t err = transact(PING_TRANSACTION, send, &reply); 190 if (err != NO_ERROR) return err; 191 if (reply.dataSize() < sizeof(status_t)) return NOT_ENOUGH_DATA; 192 return (status_t)reply.readInt32(); 193 } 194 195 status_t BpBinder::dump(int fd, const Vector<String16>& args) 196 { 197 Parcel send; 198 Parcel reply; 199 send.writeFileDescriptor(fd); 200 const size_t numArgs = args.size(); 201 send.writeInt32(numArgs); 202 for (size_t i = 0; i < numArgs; i++) { 203 send.writeString16(args[i]); 204 } 205 status_t err = transact(DUMP_TRANSACTION, send, &reply); 206 return err; 207 } 208 209 // NOLINTNEXTLINE(google-default-arguments) 210 status_t BpBinder::transact( 211 uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) 212 { 213 // Once a binder has died, it will never come back to life. 214 if (mAlive) { 215 status_t status = IPCThreadState::self()->transact( 216 mHandle, code, data, reply, flags); 217 if (status == DEAD_OBJECT) mAlive = 0; 218 return status; 219 } 220 221 return DEAD_OBJECT; 222 } 223 224 // NOLINTNEXTLINE(google-default-arguments) 225 status_t BpBinder::linkToDeath( 226 const sp<DeathRecipient>& recipient, void* cookie, uint32_t flags) 227 { 228 Obituary ob; 229 ob.recipient = recipient; 230 ob.cookie = cookie; 231 ob.flags = flags; 232 233 LOG_ALWAYS_FATAL_IF(recipient == nullptr, 234 "linkToDeath(): recipient must be non-NULL"); 235 236 { 237 AutoMutex _l(mLock); 238 239 if (!mObitsSent) { 240 if (!mObituaries) { 241 mObituaries = new Vector<Obituary>; 242 if (!mObituaries) { 243 return NO_MEMORY; 244 } 245 ALOGV("Requesting death notification: %p handle %d\n", this, mHandle); 246 getWeakRefs()->incWeak(this); 247 IPCThreadState* self = IPCThreadState::self(); 248 self->requestDeathNotification(mHandle, this); 249 self->flushCommands(); 250 } 251 ssize_t res = mObituaries->add(ob); 252 return res >= (ssize_t)NO_ERROR ? (status_t)NO_ERROR : res; 253 } 254 } 255 256 return DEAD_OBJECT; 257 } 258 259 // NOLINTNEXTLINE(google-default-arguments) 260 status_t BpBinder::unlinkToDeath( 261 const wp<DeathRecipient>& recipient, void* cookie, uint32_t flags, 262 wp<DeathRecipient>* outRecipient) 263 { 264 AutoMutex _l(mLock); 265 266 if (mObitsSent) { 267 return DEAD_OBJECT; 268 } 269 270 const size_t N = mObituaries ? mObituaries->size() : 0; 271 for (size_t i=0; i<N; i++) { 272 const Obituary& obit = mObituaries->itemAt(i); 273 if ((obit.recipient == recipient 274 || (recipient == nullptr && obit.cookie == cookie)) 275 && obit.flags == flags) { 276 if (outRecipient != nullptr) { 277 *outRecipient = mObituaries->itemAt(i).recipient; 278 } 279 mObituaries->removeAt(i); 280 if (mObituaries->size() == 0) { 281 ALOGV("Clearing death notification: %p handle %d\n", this, mHandle); 282 IPCThreadState* self = IPCThreadState::self(); 283 self->clearDeathNotification(mHandle, this); 284 self->flushCommands(); 285 delete mObituaries; 286 mObituaries = nullptr; 287 } 288 return NO_ERROR; 289 } 290 } 291 292 return NAME_NOT_FOUND; 293 } 294 295 void BpBinder::sendObituary() 296 { 297 ALOGV("Sending obituary for proxy %p handle %d, mObitsSent=%s\n", 298 this, mHandle, mObitsSent ? "true" : "false"); 299 300 mAlive = 0; 301 if (mObitsSent) return; 302 303 mLock.lock(); 304 Vector<Obituary>* obits = mObituaries; 305 if(obits != nullptr) { 306 ALOGV("Clearing sent death notification: %p handle %d\n", this, mHandle); 307 IPCThreadState* self = IPCThreadState::self(); 308 self->clearDeathNotification(mHandle, this); 309 self->flushCommands(); 310 mObituaries = nullptr; 311 } 312 mObitsSent = 1; 313 mLock.unlock(); 314 315 ALOGV("Reporting death of proxy %p for %zu recipients\n", 316 this, obits ? obits->size() : 0U); 317 318 if (obits != nullptr) { 319 const size_t N = obits->size(); 320 for (size_t i=0; i<N; i++) { 321 reportOneDeath(obits->itemAt(i)); 322 } 323 324 delete obits; 325 } 326 } 327 328 void BpBinder::reportOneDeath(const Obituary& obit) 329 { 330 sp<DeathRecipient> recipient = obit.recipient.promote(); 331 ALOGV("Reporting death to recipient: %p\n", recipient.get()); 332 if (recipient == nullptr) return; 333 334 recipient->binderDied(this); 335 } 336 337 338 void BpBinder::attachObject( 339 const void* objectID, void* object, void* cleanupCookie, 340 object_cleanup_func func) 341 { 342 AutoMutex _l(mLock); 343 ALOGV("Attaching object %p to binder %p (manager=%p)", object, this, &mObjects); 344 mObjects.attach(objectID, object, cleanupCookie, func); 345 } 346 347 void* BpBinder::findObject(const void* objectID) const 348 { 349 AutoMutex _l(mLock); 350 return mObjects.find(objectID); 351 } 352 353 void BpBinder::detachObject(const void* objectID) 354 { 355 AutoMutex _l(mLock); 356 mObjects.detach(objectID); 357 } 358 359 BpBinder* BpBinder::remoteBinder() 360 { 361 return this; 362 } 363 364 BpBinder::~BpBinder() 365 { 366 ALOGV("Destroying BpBinder %p handle %d\n", this, mHandle); 367 368 IPCThreadState* ipc = IPCThreadState::self(); 369 370 if (mTrackedUid >= 0) { 371 AutoMutex _l(sTrackingLock); 372 uint32_t trackedValue = sTrackingMap[mTrackedUid]; 373 if (CC_UNLIKELY((trackedValue & COUNTING_VALUE_MASK) == 0)) { 374 ALOGE("Unexpected Binder Proxy tracking decrement in %p handle %d\n", this, mHandle); 375 } else { 376 if (CC_UNLIKELY( 377 (trackedValue & LIMIT_REACHED_MASK) && 378 ((trackedValue & COUNTING_VALUE_MASK) <= sBinderProxyCountLowWatermark) 379 )) { 380 ALOGI("Limit reached bit reset for uid %d (fewer than %d proxies from uid %d held)", 381 getuid(), mTrackedUid, sBinderProxyCountLowWatermark); 382 sTrackingMap[mTrackedUid] &= ~LIMIT_REACHED_MASK; 383 } 384 if (--sTrackingMap[mTrackedUid] == 0) { 385 sTrackingMap.erase(mTrackedUid); 386 } 387 } 388 } 389 390 mLock.lock(); 391 Vector<Obituary>* obits = mObituaries; 392 if(obits != nullptr) { 393 if (ipc) ipc->clearDeathNotification(mHandle, this); 394 mObituaries = nullptr; 395 } 396 mLock.unlock(); 397 398 if (obits != nullptr) { 399 // XXX Should we tell any remaining DeathRecipient 400 // objects that the last strong ref has gone away, so they 401 // are no longer linked? 402 delete obits; 403 } 404 405 if (ipc) { 406 ipc->expungeHandle(mHandle, this); 407 ipc->decWeakHandle(mHandle); 408 } 409 } 410 411 void BpBinder::onFirstRef() 412 { 413 ALOGV("onFirstRef BpBinder %p handle %d\n", this, mHandle); 414 IPCThreadState* ipc = IPCThreadState::self(); 415 if (ipc) ipc->incStrongHandle(mHandle, this); 416 } 417 418 void BpBinder::onLastStrongRef(const void* /*id*/) 419 { 420 ALOGV("onLastStrongRef BpBinder %p handle %d\n", this, mHandle); 421 IF_ALOGV() { 422 printRefs(); 423 } 424 IPCThreadState* ipc = IPCThreadState::self(); 425 if (ipc) ipc->decStrongHandle(mHandle); 426 } 427 428 bool BpBinder::onIncStrongAttempted(uint32_t /*flags*/, const void* /*id*/) 429 { 430 ALOGV("onIncStrongAttempted BpBinder %p handle %d\n", this, mHandle); 431 IPCThreadState* ipc = IPCThreadState::self(); 432 return ipc ? ipc->attemptIncStrongHandle(mHandle) == NO_ERROR : false; 433 } 434 435 uint32_t BpBinder::getBinderProxyCount(uint32_t uid) 436 { 437 AutoMutex _l(sTrackingLock); 438 auto it = sTrackingMap.find(uid); 439 if (it != sTrackingMap.end()) { 440 return it->second & COUNTING_VALUE_MASK; 441 } 442 return 0; 443 } 444 445 void BpBinder::getCountByUid(Vector<uint32_t>& uids, Vector<uint32_t>& counts) 446 { 447 AutoMutex _l(sTrackingLock); 448 uids.setCapacity(sTrackingMap.size()); 449 counts.setCapacity(sTrackingMap.size()); 450 for (const auto& it : sTrackingMap) { 451 uids.push_back(it.first); 452 counts.push_back(it.second & COUNTING_VALUE_MASK); 453 } 454 } 455 456 void BpBinder::enableCountByUid() { sCountByUidEnabled.store(true); } 457 void BpBinder::disableCountByUid() { sCountByUidEnabled.store(false); } 458 void BpBinder::setCountByUidEnabled(bool enable) { sCountByUidEnabled.store(enable); } 459 460 void BpBinder::setLimitCallback(binder_proxy_limit_callback cb) { 461 AutoMutex _l(sTrackingLock); 462 sLimitCallback = cb; 463 } 464 465 void BpBinder::setBinderProxyCountWatermarks(int high, int low) { 466 AutoMutex _l(sTrackingLock); 467 sBinderProxyCountHighWatermark = high; 468 sBinderProxyCountLowWatermark = low; 469 } 470 471 // --------------------------------------------------------------------------- 472 473 }; // namespace android 474
