1 /* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <android/binder_ibinder.h> 18 #include "ibinder_internal.h" 19 20 #include <android/binder_status.h> 21 #include "parcel_internal.h" 22 #include "status_internal.h" 23 24 #include <android-base/logging.h> 25 #include <binder/IPCThreadState.h> 26 27 using DeathRecipient = ::android::IBinder::DeathRecipient; 28 29 using ::android::IBinder; 30 using ::android::Parcel; 31 using ::android::sp; 32 using ::android::status_t; 33 using ::android::String16; 34 using ::android::String8; 35 using ::android::wp; 36 37 namespace ABBinderTag { 38 39 static const void* kId = "ABBinder"; 40 static void* kValue = static_cast<void*>(new bool{true}); 41 void clean(const void* /*id*/, void* /*obj*/, void* /*cookie*/){/* do nothing */}; 42 43 static void attach(const sp<IBinder>& binder) { 44 binder->attachObject(kId, kValue, nullptr /*cookie*/, clean); 45 } 46 static bool has(const sp<IBinder>& binder) { 47 return binder != nullptr && binder->findObject(kId) == kValue; 48 } 49 50 } // namespace ABBinderTag 51 52 namespace ABpBinderTag { 53 54 static std::mutex gLock; 55 static const void* kId = "ABpBinder"; 56 struct Value { 57 wp<ABpBinder> binder; 58 }; 59 void clean(const void* id, void* obj, void* cookie) { 60 CHECK(id == kId) << id << " " << obj << " " << cookie; 61 62 delete static_cast<Value*>(obj); 63 }; 64 65 } // namespace ABpBinderTag 66 67 AIBinder::AIBinder(const AIBinder_Class* clazz) : mClazz(clazz) {} 68 AIBinder::~AIBinder() {} 69 70 bool AIBinder::associateClass(const AIBinder_Class* clazz) { 71 if (clazz == nullptr) return false; 72 if (mClazz == clazz) return true; 73 74 String8 newDescriptor(clazz->getInterfaceDescriptor()); 75 76 if (mClazz != nullptr) { 77 String8 currentDescriptor(mClazz->getInterfaceDescriptor()); 78 if (newDescriptor == currentDescriptor) { 79 LOG(ERROR) << __func__ << ": Class descriptors '" << currentDescriptor 80 << "' match during associateClass, but they are different class objects. " 81 "Class descriptor collision?"; 82 } else { 83 LOG(ERROR) << __func__ 84 << ": Class cannot be associated on object which already has a class. " 85 "Trying to associate to '" 86 << newDescriptor.c_str() << "' but already set to '" 87 << currentDescriptor.c_str() << "'."; 88 } 89 90 // always a failure because we know mClazz != clazz 91 return false; 92 } 93 94 CHECK(asABpBinder() != nullptr); // ABBinder always has a descriptor 95 96 String8 descriptor(getBinder()->getInterfaceDescriptor()); 97 if (descriptor != newDescriptor) { 98 LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor.c_str() 99 << "' but descriptor is actually '" << descriptor.c_str() << "'."; 100 return false; 101 } 102 103 // if this is a local object, it's not one known to libbinder_ndk 104 mClazz = clazz; 105 106 return true; 107 } 108 109 ABBinder::ABBinder(const AIBinder_Class* clazz, void* userData) 110 : AIBinder(clazz), BBinder(), mUserData(userData) { 111 CHECK(clazz != nullptr); 112 } 113 ABBinder::~ABBinder() { 114 getClass()->onDestroy(mUserData); 115 } 116 117 const String16& ABBinder::getInterfaceDescriptor() const { 118 return getClass()->getInterfaceDescriptor(); 119 } 120 121 status_t ABBinder::dump(int fd, const ::android::Vector<String16>& args) { 122 AIBinder_onDump onDump = getClass()->onDump; 123 124 if (onDump == nullptr) { 125 return STATUS_OK; 126 } 127 128 // technically UINT32_MAX would be okay here, but INT32_MAX is expected since this may be 129 // null in Java 130 if (args.size() > INT32_MAX) { 131 LOG(ERROR) << "ABBinder::dump received too many arguments: " << args.size(); 132 return STATUS_BAD_VALUE; 133 } 134 135 std::vector<String8> utf8Args; // owns memory of utf8s 136 utf8Args.reserve(args.size()); 137 std::vector<const char*> utf8Pointers; // what can be passed over NDK API 138 utf8Pointers.reserve(args.size()); 139 140 for (size_t i = 0; i < args.size(); i++) { 141 utf8Args.push_back(String8(args[i])); 142 utf8Pointers.push_back(utf8Args[i].c_str()); 143 } 144 145 return onDump(this, fd, utf8Pointers.data(), utf8Pointers.size()); 146 } 147 148 status_t ABBinder::onTransact(transaction_code_t code, const Parcel& data, Parcel* reply, 149 binder_flags_t flags) { 150 if (isUserCommand(code)) { 151 if (!data.checkInterface(this)) { 152 return STATUS_BAD_TYPE; 153 } 154 155 const AParcel in = AParcel::readOnly(this, &data); 156 AParcel out = AParcel(this, reply, false /*owns*/); 157 158 binder_status_t status = getClass()->onTransact(this, code, &in, &out); 159 return PruneStatusT(status); 160 } else { 161 return BBinder::onTransact(code, data, reply, flags); 162 } 163 } 164 165 ABpBinder::ABpBinder(const ::android::sp<::android::IBinder>& binder) 166 : AIBinder(nullptr /*clazz*/), BpRefBase(binder) { 167 CHECK(binder != nullptr); 168 } 169 ABpBinder::~ABpBinder() {} 170 171 void ABpBinder::onLastStrongRef(const void* id) { 172 { 173 std::lock_guard<std::mutex> lock(ABpBinderTag::gLock); 174 // Since ABpBinder is OBJECT_LIFETIME_WEAK, we must remove this weak reference in order for 175 // the ABpBinder to be deleted. Since a strong reference to this ABpBinder object should no 176 // longer be able to exist at the time of this method call, there is no longer a need to 177 // recover it. 178 179 ABpBinderTag::Value* value = 180 static_cast<ABpBinderTag::Value*>(remote()->findObject(ABpBinderTag::kId)); 181 if (value != nullptr) { 182 value->binder = nullptr; 183 } 184 } 185 186 BpRefBase::onLastStrongRef(id); 187 } 188 189 sp<AIBinder> ABpBinder::lookupOrCreateFromBinder(const ::android::sp<::android::IBinder>& binder) { 190 if (binder == nullptr) { 191 return nullptr; 192 } 193 if (ABBinderTag::has(binder)) { 194 return static_cast<ABBinder*>(binder.get()); 195 } 196 197 // The following code ensures that for a given binder object (remote or local), if it is not an 198 // ABBinder then at most one ABpBinder object exists in a given process representing it. 199 std::lock_guard<std::mutex> lock(ABpBinderTag::gLock); 200 201 ABpBinderTag::Value* value = 202 static_cast<ABpBinderTag::Value*>(binder->findObject(ABpBinderTag::kId)); 203 if (value == nullptr) { 204 value = new ABpBinderTag::Value; 205 binder->attachObject(ABpBinderTag::kId, static_cast<void*>(value), nullptr /*cookie*/, 206 ABpBinderTag::clean); 207 } 208 209 sp<ABpBinder> ret = value->binder.promote(); 210 if (ret == nullptr) { 211 ret = new ABpBinder(binder); 212 value->binder = ret; 213 } 214 215 return ret; 216 } 217 218 struct AIBinder_Weak { 219 wp<AIBinder> binder; 220 }; 221 AIBinder_Weak* AIBinder_Weak_new(AIBinder* binder) { 222 if (binder == nullptr) { 223 return nullptr; 224 } 225 226 return new AIBinder_Weak{wp<AIBinder>(binder)}; 227 } 228 void AIBinder_Weak_delete(AIBinder_Weak* weakBinder) { 229 delete weakBinder; 230 } 231 AIBinder* AIBinder_Weak_promote(AIBinder_Weak* weakBinder) { 232 if (weakBinder == nullptr) { 233 return nullptr; 234 } 235 236 sp<AIBinder> binder = weakBinder->binder.promote(); 237 AIBinder_incStrong(binder.get()); 238 return binder.get(); 239 } 240 241 AIBinder_Class::AIBinder_Class(const char* interfaceDescriptor, AIBinder_Class_onCreate onCreate, 242 AIBinder_Class_onDestroy onDestroy, 243 AIBinder_Class_onTransact onTransact) 244 : onCreate(onCreate), 245 onDestroy(onDestroy), 246 onTransact(onTransact), 247 mInterfaceDescriptor(interfaceDescriptor) {} 248 249 AIBinder_Class* AIBinder_Class_define(const char* interfaceDescriptor, 250 AIBinder_Class_onCreate onCreate, 251 AIBinder_Class_onDestroy onDestroy, 252 AIBinder_Class_onTransact onTransact) { 253 if (interfaceDescriptor == nullptr || onCreate == nullptr || onDestroy == nullptr || 254 onTransact == nullptr) { 255 return nullptr; 256 } 257 258 return new AIBinder_Class(interfaceDescriptor, onCreate, onDestroy, onTransact); 259 } 260 261 void AIBinder_Class_setOnDump(AIBinder_Class* clazz, AIBinder_onDump onDump) { 262 CHECK(clazz != nullptr) << "setOnDump requires non-null clazz"; 263 264 // this is required to be called before instances are instantiated 265 clazz->onDump = onDump; 266 } 267 268 void AIBinder_DeathRecipient::TransferDeathRecipient::binderDied(const wp<IBinder>& who) { 269 CHECK(who == mWho); 270 271 mOnDied(mCookie); 272 273 sp<AIBinder_DeathRecipient> recipient = mParentRecipient.promote(); 274 sp<IBinder> strongWho = who.promote(); 275 276 // otherwise this will be cleaned up later with pruneDeadTransferEntriesLocked 277 if (recipient != nullptr && strongWho != nullptr) { 278 status_t result = recipient->unlinkToDeath(strongWho, mCookie); 279 if (result != ::android::DEAD_OBJECT) { 280 LOG(WARNING) << "Unlinking to dead binder resulted in: " << result; 281 } 282 } 283 284 mWho = nullptr; 285 } 286 287 AIBinder_DeathRecipient::AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied) 288 : mOnDied(onDied) { 289 CHECK(onDied != nullptr); 290 } 291 292 void AIBinder_DeathRecipient::pruneDeadTransferEntriesLocked() { 293 mDeathRecipients.erase(std::remove_if(mDeathRecipients.begin(), mDeathRecipients.end(), 294 [](const sp<TransferDeathRecipient>& tdr) { 295 return tdr->getWho() == nullptr; 296 }), 297 mDeathRecipients.end()); 298 } 299 300 binder_status_t AIBinder_DeathRecipient::linkToDeath(sp<IBinder> binder, void* cookie) { 301 CHECK(binder != nullptr); 302 303 std::lock_guard<std::mutex> l(mDeathRecipientsMutex); 304 305 sp<TransferDeathRecipient> recipient = 306 new TransferDeathRecipient(binder, cookie, this, mOnDied); 307 308 status_t status = binder->linkToDeath(recipient, cookie, 0 /*flags*/); 309 if (status != STATUS_OK) { 310 return PruneStatusT(status); 311 } 312 313 mDeathRecipients.push_back(recipient); 314 315 pruneDeadTransferEntriesLocked(); 316 return STATUS_OK; 317 } 318 319 binder_status_t AIBinder_DeathRecipient::unlinkToDeath(sp<IBinder> binder, void* cookie) { 320 CHECK(binder != nullptr); 321 322 std::lock_guard<std::mutex> l(mDeathRecipientsMutex); 323 324 for (auto it = mDeathRecipients.rbegin(); it != mDeathRecipients.rend(); ++it) { 325 sp<TransferDeathRecipient> recipient = *it; 326 327 if (recipient->getCookie() == cookie && recipient->getWho() == binder) { 328 mDeathRecipients.erase(it.base() - 1); 329 330 status_t status = binder->unlinkToDeath(recipient, cookie, 0 /*flags*/); 331 if (status != ::android::OK) { 332 LOG(ERROR) << __func__ 333 << ": removed reference to death recipient but unlink failed."; 334 } 335 return PruneStatusT(status); 336 } 337 } 338 339 return STATUS_NAME_NOT_FOUND; 340 } 341 342 // start of C-API methods 343 344 AIBinder* AIBinder_new(const AIBinder_Class* clazz, void* args) { 345 if (clazz == nullptr) { 346 LOG(ERROR) << __func__ << ": Must provide class to construct local binder."; 347 return nullptr; 348 } 349 350 void* userData = clazz->onCreate(args); 351 352 sp<AIBinder> ret = new ABBinder(clazz, userData); 353 ABBinderTag::attach(ret->getBinder()); 354 355 AIBinder_incStrong(ret.get()); 356 return ret.get(); 357 } 358 359 bool AIBinder_isRemote(const AIBinder* binder) { 360 if (binder == nullptr) { 361 return false; 362 } 363 364 return binder->isRemote(); 365 } 366 367 bool AIBinder_isAlive(const AIBinder* binder) { 368 if (binder == nullptr) { 369 return false; 370 } 371 372 return const_cast<AIBinder*>(binder)->getBinder()->isBinderAlive(); 373 } 374 375 binder_status_t AIBinder_ping(AIBinder* binder) { 376 if (binder == nullptr) { 377 return STATUS_UNEXPECTED_NULL; 378 } 379 380 return PruneStatusT(binder->getBinder()->pingBinder()); 381 } 382 383 binder_status_t AIBinder_dump(AIBinder* binder, int fd, const char** args, uint32_t numArgs) { 384 if (binder == nullptr) { 385 return STATUS_UNEXPECTED_NULL; 386 } 387 388 ABBinder* bBinder = binder->asABBinder(); 389 if (bBinder != nullptr) { 390 AIBinder_onDump onDump = binder->getClass()->onDump; 391 if (onDump == nullptr) { 392 return STATUS_OK; 393 } 394 return PruneStatusT(onDump(bBinder, fd, args, numArgs)); 395 } 396 397 ::android::Vector<String16> utf16Args; 398 utf16Args.setCapacity(numArgs); 399 for (uint32_t i = 0; i < numArgs; i++) { 400 utf16Args.push(String16(String8(args[i]))); 401 } 402 403 status_t status = binder->getBinder()->dump(fd, utf16Args); 404 return PruneStatusT(status); 405 } 406 407 binder_status_t AIBinder_linkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient, 408 void* cookie) { 409 if (binder == nullptr || recipient == nullptr) { 410 LOG(ERROR) << __func__ << ": Must provide binder and recipient."; 411 return STATUS_UNEXPECTED_NULL; 412 } 413 414 // returns binder_status_t 415 return recipient->linkToDeath(binder->getBinder(), cookie); 416 } 417 418 binder_status_t AIBinder_unlinkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient, 419 void* cookie) { 420 if (binder == nullptr || recipient == nullptr) { 421 LOG(ERROR) << __func__ << ": Must provide binder and recipient."; 422 return STATUS_UNEXPECTED_NULL; 423 } 424 425 // returns binder_status_t 426 return recipient->unlinkToDeath(binder->getBinder(), cookie); 427 } 428 429 uid_t AIBinder_getCallingUid() { 430 return ::android::IPCThreadState::self()->getCallingUid(); 431 } 432 433 pid_t AIBinder_getCallingPid() { 434 return ::android::IPCThreadState::self()->getCallingPid(); 435 } 436 437 void AIBinder_incStrong(AIBinder* binder) { 438 if (binder == nullptr) { 439 LOG(ERROR) << __func__ << ": on null binder"; 440 return; 441 } 442 443 binder->incStrong(nullptr); 444 } 445 void AIBinder_decStrong(AIBinder* binder) { 446 if (binder == nullptr) { 447 LOG(ERROR) << __func__ << ": on null binder"; 448 return; 449 } 450 451 binder->decStrong(nullptr); 452 } 453 int32_t AIBinder_debugGetRefCount(AIBinder* binder) { 454 if (binder == nullptr) { 455 LOG(ERROR) << __func__ << ": on null binder"; 456 return -1; 457 } 458 459 return binder->getStrongCount(); 460 } 461 462 bool AIBinder_associateClass(AIBinder* binder, const AIBinder_Class* clazz) { 463 if (binder == nullptr) { 464 return false; 465 } 466 467 return binder->associateClass(clazz); 468 } 469 470 const AIBinder_Class* AIBinder_getClass(AIBinder* binder) { 471 if (binder == nullptr) { 472 return nullptr; 473 } 474 475 return binder->getClass(); 476 } 477 478 void* AIBinder_getUserData(AIBinder* binder) { 479 if (binder == nullptr) { 480 return nullptr; 481 } 482 483 ABBinder* bBinder = binder->asABBinder(); 484 if (bBinder == nullptr) { 485 return nullptr; 486 } 487 488 return bBinder->getUserData(); 489 } 490 491 binder_status_t AIBinder_prepareTransaction(AIBinder* binder, AParcel** in) { 492 if (binder == nullptr || in == nullptr) { 493 LOG(ERROR) << __func__ << ": requires non-null parameters."; 494 return STATUS_UNEXPECTED_NULL; 495 } 496 const AIBinder_Class* clazz = binder->getClass(); 497 if (clazz == nullptr) { 498 LOG(ERROR) << __func__ 499 << ": Class must be defined for a remote binder transaction. See " 500 "AIBinder_associateClass."; 501 return STATUS_INVALID_OPERATION; 502 } 503 504 if (!binder->isRemote()) { 505 LOG(WARNING) << "A binder object at " << binder 506 << " is being transacted on, however, this object is in the same process as " 507 "its proxy. Transacting with this binder is expensive compared to just " 508 "calling the corresponding functionality in the same process."; 509 } 510 511 *in = new AParcel(binder); 512 status_t status = (*in)->get()->writeInterfaceToken(clazz->getInterfaceDescriptor()); 513 binder_status_t ret = PruneStatusT(status); 514 515 if (ret != STATUS_OK) { 516 delete *in; 517 *in = nullptr; 518 } 519 520 return ret; 521 } 522 523 static void DestroyParcel(AParcel** parcel) { 524 delete *parcel; 525 *parcel = nullptr; 526 } 527 528 binder_status_t AIBinder_transact(AIBinder* binder, transaction_code_t code, AParcel** in, 529 AParcel** out, binder_flags_t flags) { 530 if (in == nullptr) { 531 LOG(ERROR) << __func__ << ": requires non-null in parameter"; 532 return STATUS_UNEXPECTED_NULL; 533 } 534 535 using AutoParcelDestroyer = std::unique_ptr<AParcel*, void (*)(AParcel**)>; 536 // This object is the input to the transaction. This function takes ownership of it and deletes 537 // it. 538 AutoParcelDestroyer forIn(in, DestroyParcel); 539 540 if (!isUserCommand(code)) { 541 LOG(ERROR) << __func__ << ": Only user-defined transactions can be made from the NDK."; 542 return STATUS_UNKNOWN_TRANSACTION; 543 } 544 545 if ((flags & ~FLAG_ONEWAY) != 0) { 546 LOG(ERROR) << __func__ << ": Unrecognized flags sent: " << flags; 547 return STATUS_BAD_VALUE; 548 } 549 550 if (binder == nullptr || *in == nullptr || out == nullptr) { 551 LOG(ERROR) << __func__ << ": requires non-null parameters."; 552 return STATUS_UNEXPECTED_NULL; 553 } 554 555 if ((*in)->getBinder() != binder) { 556 LOG(ERROR) << __func__ << ": parcel is associated with binder object " << binder 557 << " but called with " << (*in)->getBinder(); 558 return STATUS_BAD_VALUE; 559 } 560 561 *out = new AParcel(binder); 562 563 status_t status = binder->getBinder()->transact(code, *(*in)->get(), (*out)->get(), flags); 564 binder_status_t ret = PruneStatusT(status); 565 566 if (ret != STATUS_OK) { 567 delete *out; 568 *out = nullptr; 569 } 570 571 return ret; 572 } 573 574 AIBinder_DeathRecipient* AIBinder_DeathRecipient_new( 575 AIBinder_DeathRecipient_onBinderDied onBinderDied) { 576 if (onBinderDied == nullptr) { 577 LOG(ERROR) << __func__ << ": requires non-null onBinderDied parameter."; 578 return nullptr; 579 } 580 auto ret = new AIBinder_DeathRecipient(onBinderDied); 581 ret->incStrong(nullptr); 582 return ret; 583 } 584 585 void AIBinder_DeathRecipient_delete(AIBinder_DeathRecipient* recipient) { 586 if (recipient == nullptr) { 587 return; 588 } 589 590 recipient->decStrong(nullptr); 591 } 592
