1 /* Copyright 2008 The Android Open Source Project 2 */ 3 4 #include <inttypes.h> 5 #include <stdio.h> 6 #include <stdlib.h> 7 #include <string.h> 8 #include <errno.h> 9 #include <unistd.h> 10 #include <fcntl.h> 11 #include <sys/mman.h> 12 13 #include "binder.h" 14 15 #define MAX_BIO_SIZE (1 << 30) 16 17 #define TRACE 0 18 19 #define LOG_TAG "Binder" 20 #include <cutils/log.h> 21 22 void bio_init_from_txn(struct binder_io *io, struct binder_transaction_data *txn); 23 24 #if TRACE 25 void hexdump(void *_data, size_t len) 26 { 27 unsigned char *data = _data; 28 size_t count; 29 30 for (count = 0; count < len; count++) { 31 if ((count & 15) == 0) 32 fprintf(stderr,"%04zu:", count); 33 fprintf(stderr," %02x %c", *data, 34 (*data < 32) || (*data > 126) ? '.' : *data); 35 data++; 36 if ((count & 15) == 15) 37 fprintf(stderr,"\n"); 38 } 39 if ((count & 15) != 0) 40 fprintf(stderr,"\n"); 41 } 42 43 void binder_dump_txn(struct binder_transaction_data *txn) 44 { 45 struct flat_binder_object *obj; 46 binder_size_t *offs = (binder_size_t *)(uintptr_t)txn->data.ptr.offsets; 47 size_t count = txn->offsets_size / sizeof(binder_size_t); 48 49 fprintf(stderr," target %016"PRIx64" cookie %016"PRIx64" code %08x flags %08x\n", 50 (uint64_t)txn->target.ptr, (uint64_t)txn->cookie, txn->code, txn->flags); 51 fprintf(stderr," pid %8d uid %8d data %"PRIu64" offs %"PRIu64"\n", 52 txn->sender_pid, txn->sender_euid, (uint64_t)txn->data_size, (uint64_t)txn->offsets_size); 53 hexdump((void *)(uintptr_t)txn->data.ptr.buffer, txn->data_size); 54 while (count--) { 55 obj = (struct flat_binder_object *) (((char*)(uintptr_t)txn->data.ptr.buffer) + *offs++); 56 fprintf(stderr," - type %08x flags %08x ptr %016"PRIx64" cookie %016"PRIx64"\n", 57 obj->type, obj->flags, (uint64_t)obj->binder, (uint64_t)obj->cookie); 58 } 59 } 60 61 #define NAME(n) case n: return #n 62 const char *cmd_name(uint32_t cmd) 63 { 64 switch(cmd) { 65 NAME(BR_NOOP); 66 NAME(BR_TRANSACTION_COMPLETE); 67 NAME(BR_INCREFS); 68 NAME(BR_ACQUIRE); 69 NAME(BR_RELEASE); 70 NAME(BR_DECREFS); 71 NAME(BR_TRANSACTION); 72 NAME(BR_REPLY); 73 NAME(BR_FAILED_REPLY); 74 NAME(BR_DEAD_REPLY); 75 NAME(BR_DEAD_BINDER); 76 default: return "???"; 77 } 78 } 79 #else 80 #define hexdump(a,b) do{} while (0) 81 #define binder_dump_txn(txn) do{} while (0) 82 #endif 83 84 #define BIO_F_SHARED 0x01 /* needs to be buffer freed */ 85 #define BIO_F_OVERFLOW 0x02 /* ran out of space */ 86 #define BIO_F_IOERROR 0x04 87 #define BIO_F_MALLOCED 0x08 /* needs to be free()'d */ 88 89 struct binder_state 90 { 91 int fd; 92 void *mapped; 93 size_t mapsize; 94 }; 95 96 struct binder_state *binder_open(size_t mapsize) 97 { 98 struct binder_state *bs; 99 struct binder_version vers; 100 101 bs = malloc(sizeof(*bs)); 102 if (!bs) { 103 errno = ENOMEM; 104 return NULL; 105 } 106 107 bs->fd = open("/dev/binder", O_RDWR | O_CLOEXEC); 108 if (bs->fd < 0) { 109 fprintf(stderr,"binder: cannot open device (%s)\n", 110 strerror(errno)); 111 goto fail_open; 112 } 113 114 if ((ioctl(bs->fd, BINDER_VERSION, &vers) == -1) || 115 (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION)) { 116 fprintf(stderr, 117 "binder: kernel driver version (%d) differs from user space version (%d)\n", 118 vers.protocol_version, BINDER_CURRENT_PROTOCOL_VERSION); 119 goto fail_open; 120 } 121 122 bs->mapsize = mapsize; 123 bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0); 124 if (bs->mapped == MAP_FAILED) { 125 fprintf(stderr,"binder: cannot map device (%s)\n", 126 strerror(errno)); 127 goto fail_map; 128 } 129 130 return bs; 131 132 fail_map: 133 close(bs->fd); 134 fail_open: 135 free(bs); 136 return NULL; 137 } 138 139 void binder_close(struct binder_state *bs) 140 { 141 munmap(bs->mapped, bs->mapsize); 142 close(bs->fd); 143 free(bs); 144 } 145 146 int binder_become_context_manager(struct binder_state *bs) 147 { 148 return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0); 149 } 150 151 int binder_write(struct binder_state *bs, void *data, size_t len) 152 { 153 struct binder_write_read bwr; 154 int res; 155 156 bwr.write_size = len; 157 bwr.write_consumed = 0; 158 bwr.write_buffer = (uintptr_t) data; 159 bwr.read_size = 0; 160 bwr.read_consumed = 0; 161 bwr.read_buffer = 0; 162 res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); 163 if (res < 0) { 164 fprintf(stderr,"binder_write: ioctl failed (%s)\n", 165 strerror(errno)); 166 } 167 return res; 168 } 169 170 void binder_free_buffer(struct binder_state *bs, 171 binder_uintptr_t buffer_to_free) 172 { 173 struct { 174 uint32_t cmd_free; 175 binder_uintptr_t buffer; 176 } __attribute__((packed)) data; 177 data.cmd_free = BC_FREE_BUFFER; 178 data.buffer = buffer_to_free; 179 binder_write(bs, &data, sizeof(data)); 180 } 181 182 void binder_send_reply(struct binder_state *bs, 183 struct binder_io *reply, 184 binder_uintptr_t buffer_to_free, 185 int status) 186 { 187 struct { 188 uint32_t cmd_free; 189 binder_uintptr_t buffer; 190 uint32_t cmd_reply; 191 struct binder_transaction_data txn; 192 } __attribute__((packed)) data; 193 194 data.cmd_free = BC_FREE_BUFFER; 195 data.buffer = buffer_to_free; 196 data.cmd_reply = BC_REPLY; 197 data.txn.target.ptr = 0; 198 data.txn.cookie = 0; 199 data.txn.code = 0; 200 if (status) { 201 data.txn.flags = TF_STATUS_CODE; 202 data.txn.data_size = sizeof(int); 203 data.txn.offsets_size = 0; 204 data.txn.data.ptr.buffer = (uintptr_t)&status; 205 data.txn.data.ptr.offsets = 0; 206 } else { 207 data.txn.flags = 0; 208 data.txn.data_size = reply->data - reply->data0; 209 data.txn.offsets_size = ((char*) reply->offs) - ((char*) reply->offs0); 210 data.txn.data.ptr.buffer = (uintptr_t)reply->data0; 211 data.txn.data.ptr.offsets = (uintptr_t)reply->offs0; 212 } 213 binder_write(bs, &data, sizeof(data)); 214 } 215 216 int binder_parse(struct binder_state *bs, struct binder_io *bio, 217 uintptr_t ptr, size_t size, binder_handler func) 218 { 219 int r = 1; 220 uintptr_t end = ptr + (uintptr_t) size; 221 222 while (ptr < end) { 223 uint32_t cmd = *(uint32_t *) ptr; 224 ptr += sizeof(uint32_t); 225 #if TRACE 226 fprintf(stderr,"%s:\n", cmd_name(cmd)); 227 #endif 228 switch(cmd) { 229 case BR_NOOP: 230 break; 231 case BR_TRANSACTION_COMPLETE: 232 break; 233 case BR_INCREFS: 234 case BR_ACQUIRE: 235 case BR_RELEASE: 236 case BR_DECREFS: 237 #if TRACE 238 fprintf(stderr," %p, %p\n", (void *)ptr, (void *)(ptr + sizeof(void *))); 239 #endif 240 ptr += sizeof(struct binder_ptr_cookie); 241 break; 242 case BR_TRANSACTION: { 243 struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; 244 if ((end - ptr) < sizeof(*txn)) { 245 ALOGE("parse: txn too small!\n"); 246 return -1; 247 } 248 binder_dump_txn(txn); 249 if (func) { 250 unsigned rdata[256/4]; 251 struct binder_io msg; 252 struct binder_io reply; 253 int res; 254 255 bio_init(&reply, rdata, sizeof(rdata), 4); 256 bio_init_from_txn(&msg, txn); 257 res = func(bs, txn, &msg, &reply); 258 if (txn->flags & TF_ONE_WAY) { 259 binder_free_buffer(bs, txn->data.ptr.buffer); 260 } else { 261 binder_send_reply(bs, &reply, txn->data.ptr.buffer, res); 262 } 263 } 264 ptr += sizeof(*txn); 265 break; 266 } 267 case BR_REPLY: { 268 struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; 269 if ((end - ptr) < sizeof(*txn)) { 270 ALOGE("parse: reply too small!\n"); 271 return -1; 272 } 273 binder_dump_txn(txn); 274 if (bio) { 275 bio_init_from_txn(bio, txn); 276 bio = 0; 277 } else { 278 /* todo FREE BUFFER */ 279 } 280 ptr += sizeof(*txn); 281 r = 0; 282 break; 283 } 284 case BR_DEAD_BINDER: { 285 struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr; 286 ptr += sizeof(binder_uintptr_t); 287 death->func(bs, death->ptr); 288 break; 289 } 290 case BR_FAILED_REPLY: 291 r = -1; 292 break; 293 case BR_DEAD_REPLY: 294 r = -1; 295 break; 296 default: 297 ALOGE("parse: OOPS %d\n", cmd); 298 return -1; 299 } 300 } 301 302 return r; 303 } 304 305 void binder_acquire(struct binder_state *bs, uint32_t target) 306 { 307 uint32_t cmd[2]; 308 cmd[0] = BC_ACQUIRE; 309 cmd[1] = target; 310 binder_write(bs, cmd, sizeof(cmd)); 311 } 312 313 void binder_release(struct binder_state *bs, uint32_t target) 314 { 315 uint32_t cmd[2]; 316 cmd[0] = BC_RELEASE; 317 cmd[1] = target; 318 binder_write(bs, cmd, sizeof(cmd)); 319 } 320 321 void binder_link_to_death(struct binder_state *bs, uint32_t target, struct binder_death *death) 322 { 323 struct { 324 uint32_t cmd; 325 struct binder_handle_cookie payload; 326 } __attribute__((packed)) data; 327 328 data.cmd = BC_REQUEST_DEATH_NOTIFICATION; 329 data.payload.handle = target; 330 data.payload.cookie = (uintptr_t) death; 331 binder_write(bs, &data, sizeof(data)); 332 } 333 334 int binder_call(struct binder_state *bs, 335 struct binder_io *msg, struct binder_io *reply, 336 uint32_t target, uint32_t code) 337 { 338 int res; 339 struct binder_write_read bwr; 340 struct { 341 uint32_t cmd; 342 struct binder_transaction_data txn; 343 } __attribute__((packed)) writebuf; 344 unsigned readbuf[32]; 345 346 if (msg->flags & BIO_F_OVERFLOW) { 347 fprintf(stderr,"binder: txn buffer overflow\n"); 348 goto fail; 349 } 350 351 writebuf.cmd = BC_TRANSACTION; 352 writebuf.txn.target.handle = target; 353 writebuf.txn.code = code; 354 writebuf.txn.flags = 0; 355 writebuf.txn.data_size = msg->data - msg->data0; 356 writebuf.txn.offsets_size = ((char*) msg->offs) - ((char*) msg->offs0); 357 writebuf.txn.data.ptr.buffer = (uintptr_t)msg->data0; 358 writebuf.txn.data.ptr.offsets = (uintptr_t)msg->offs0; 359 360 bwr.write_size = sizeof(writebuf); 361 bwr.write_consumed = 0; 362 bwr.write_buffer = (uintptr_t) &writebuf; 363 364 hexdump(msg->data0, msg->data - msg->data0); 365 for (;;) { 366 bwr.read_size = sizeof(readbuf); 367 bwr.read_consumed = 0; 368 bwr.read_buffer = (uintptr_t) readbuf; 369 370 res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); 371 372 if (res < 0) { 373 fprintf(stderr,"binder: ioctl failed (%s)\n", strerror(errno)); 374 goto fail; 375 } 376 377 res = binder_parse(bs, reply, (uintptr_t) readbuf, bwr.read_consumed, 0); 378 if (res == 0) return 0; 379 if (res < 0) goto fail; 380 } 381 382 fail: 383 memset(reply, 0, sizeof(*reply)); 384 reply->flags |= BIO_F_IOERROR; 385 return -1; 386 } 387 388 void binder_loop(struct binder_state *bs, binder_handler func) 389 { 390 int res; 391 struct binder_write_read bwr; 392 uint32_t readbuf[32]; 393 394 bwr.write_size = 0; 395 bwr.write_consumed = 0; 396 bwr.write_buffer = 0; 397 398 readbuf[0] = BC_ENTER_LOOPER; 399 binder_write(bs, readbuf, sizeof(uint32_t)); 400 401 for (;;) { 402 bwr.read_size = sizeof(readbuf); 403 bwr.read_consumed = 0; 404 bwr.read_buffer = (uintptr_t) readbuf; 405 406 res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); 407 408 if (res < 0) { 409 ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno)); 410 break; 411 } 412 413 res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func); 414 if (res == 0) { 415 ALOGE("binder_loop: unexpected reply?!\n"); 416 break; 417 } 418 if (res < 0) { 419 ALOGE("binder_loop: io error %d %s\n", res, strerror(errno)); 420 break; 421 } 422 } 423 } 424 425 void bio_init_from_txn(struct binder_io *bio, struct binder_transaction_data *txn) 426 { 427 bio->data = bio->data0 = (char *)(intptr_t)txn->data.ptr.buffer; 428 bio->offs = bio->offs0 = (binder_size_t *)(intptr_t)txn->data.ptr.offsets; 429 bio->data_avail = txn->data_size; 430 bio->offs_avail = txn->offsets_size / sizeof(size_t); 431 bio->flags = BIO_F_SHARED; 432 } 433 434 void bio_init(struct binder_io *bio, void *data, 435 size_t maxdata, size_t maxoffs) 436 { 437 size_t n = maxoffs * sizeof(size_t); 438 439 if (n > maxdata) { 440 bio->flags = BIO_F_OVERFLOW; 441 bio->data_avail = 0; 442 bio->offs_avail = 0; 443 return; 444 } 445 446 bio->data = bio->data0 = (char *) data + n; 447 bio->offs = bio->offs0 = data; 448 bio->data_avail = maxdata - n; 449 bio->offs_avail = maxoffs; 450 bio->flags = 0; 451 } 452 453 static void *bio_alloc(struct binder_io *bio, size_t size) 454 { 455 size = (size + 3) & (~3); 456 if (size > bio->data_avail) { 457 bio->flags |= BIO_F_OVERFLOW; 458 return NULL; 459 } else { 460 void *ptr = bio->data; 461 bio->data += size; 462 bio->data_avail -= size; 463 return ptr; 464 } 465 } 466 467 void binder_done(struct binder_state *bs, 468 __unused struct binder_io *msg, 469 struct binder_io *reply) 470 { 471 struct { 472 uint32_t cmd; 473 uintptr_t buffer; 474 } __attribute__((packed)) data; 475 476 if (reply->flags & BIO_F_SHARED) { 477 data.cmd = BC_FREE_BUFFER; 478 data.buffer = (uintptr_t) reply->data0; 479 binder_write(bs, &data, sizeof(data)); 480 reply->flags = 0; 481 } 482 } 483 484 static struct flat_binder_object *bio_alloc_obj(struct binder_io *bio) 485 { 486 struct flat_binder_object *obj; 487 488 obj = bio_alloc(bio, sizeof(*obj)); 489 490 if (obj && bio->offs_avail) { 491 bio->offs_avail--; 492 *bio->offs++ = ((char*) obj) - ((char*) bio->data0); 493 return obj; 494 } 495 496 bio->flags |= BIO_F_OVERFLOW; 497 return NULL; 498 } 499 500 void bio_put_uint32(struct binder_io *bio, uint32_t n) 501 { 502 uint32_t *ptr = bio_alloc(bio, sizeof(n)); 503 if (ptr) 504 *ptr = n; 505 } 506 507 void bio_put_obj(struct binder_io *bio, void *ptr) 508 { 509 struct flat_binder_object *obj; 510 511 obj = bio_alloc_obj(bio); 512 if (!obj) 513 return; 514 515 obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; 516 obj->type = BINDER_TYPE_BINDER; 517 obj->binder = (uintptr_t)ptr; 518 obj->cookie = 0; 519 } 520 521 void bio_put_ref(struct binder_io *bio, uint32_t handle) 522 { 523 struct flat_binder_object *obj; 524 525 if (handle) 526 obj = bio_alloc_obj(bio); 527 else 528 obj = bio_alloc(bio, sizeof(*obj)); 529 530 if (!obj) 531 return; 532 533 obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; 534 obj->type = BINDER_TYPE_HANDLE; 535 obj->handle = handle; 536 obj->cookie = 0; 537 } 538 539 void bio_put_string16(struct binder_io *bio, const uint16_t *str) 540 { 541 size_t len; 542 uint16_t *ptr; 543 544 if (!str) { 545 bio_put_uint32(bio, 0xffffffff); 546 return; 547 } 548 549 len = 0; 550 while (str[len]) len++; 551 552 if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { 553 bio_put_uint32(bio, 0xffffffff); 554 return; 555 } 556 557 /* Note: The payload will carry 32bit size instead of size_t */ 558 bio_put_uint32(bio, (uint32_t) len); 559 len = (len + 1) * sizeof(uint16_t); 560 ptr = bio_alloc(bio, len); 561 if (ptr) 562 memcpy(ptr, str, len); 563 } 564 565 void bio_put_string16_x(struct binder_io *bio, const char *_str) 566 { 567 unsigned char *str = (unsigned char*) _str; 568 size_t len; 569 uint16_t *ptr; 570 571 if (!str) { 572 bio_put_uint32(bio, 0xffffffff); 573 return; 574 } 575 576 len = strlen(_str); 577 578 if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { 579 bio_put_uint32(bio, 0xffffffff); 580 return; 581 } 582 583 /* Note: The payload will carry 32bit size instead of size_t */ 584 bio_put_uint32(bio, len); 585 ptr = bio_alloc(bio, (len + 1) * sizeof(uint16_t)); 586 if (!ptr) 587 return; 588 589 while (*str) 590 *ptr++ = *str++; 591 *ptr++ = 0; 592 } 593 594 static void *bio_get(struct binder_io *bio, size_t size) 595 { 596 size = (size + 3) & (~3); 597 598 if (bio->data_avail < size){ 599 bio->data_avail = 0; 600 bio->flags |= BIO_F_OVERFLOW; 601 return NULL; 602 } else { 603 void *ptr = bio->data; 604 bio->data += size; 605 bio->data_avail -= size; 606 return ptr; 607 } 608 } 609 610 uint32_t bio_get_uint32(struct binder_io *bio) 611 { 612 uint32_t *ptr = bio_get(bio, sizeof(*ptr)); 613 return ptr ? *ptr : 0; 614 } 615 616 uint16_t *bio_get_string16(struct binder_io *bio, size_t *sz) 617 { 618 size_t len; 619 620 /* Note: The payload will carry 32bit size instead of size_t */ 621 len = (size_t) bio_get_uint32(bio); 622 if (sz) 623 *sz = len; 624 return bio_get(bio, (len + 1) * sizeof(uint16_t)); 625 } 626 627 static struct flat_binder_object *_bio_get_obj(struct binder_io *bio) 628 { 629 size_t n; 630 size_t off = bio->data - bio->data0; 631 632 /* TODO: be smarter about this? */ 633 for (n = 0; n < bio->offs_avail; n++) { 634 if (bio->offs[n] == off) 635 return bio_get(bio, sizeof(struct flat_binder_object)); 636 } 637 638 bio->data_avail = 0; 639 bio->flags |= BIO_F_OVERFLOW; 640 return NULL; 641 } 642 643 uint32_t bio_get_ref(struct binder_io *bio) 644 { 645 struct flat_binder_object *obj; 646 647 obj = _bio_get_obj(bio); 648 if (!obj) 649 return 0; 650 651 if (obj->type == BINDER_TYPE_HANDLE) 652 return obj->handle; 653 654 return 0; 655 } 656