Home | History | Annotate | Download | only in servicemanager
      1 /* Copyright 2008 The Android Open Source Project
      2  */
      3 
      4 #include <inttypes.h>
      5 #include <stdio.h>
      6 #include <stdlib.h>
      7 #include <string.h>
      8 #include <errno.h>
      9 #include <unistd.h>
     10 #include <fcntl.h>
     11 #include <sys/mman.h>
     12 
     13 #include "binder.h"
     14 
     15 #define MAX_BIO_SIZE (1 << 30)
     16 
     17 #define TRACE 0
     18 
     19 #define LOG_TAG "Binder"
     20 #include <cutils/log.h>
     21 
     22 void bio_init_from_txn(struct binder_io *io, struct binder_transaction_data *txn);
     23 
     24 #if TRACE
     25 void hexdump(void *_data, size_t len)
     26 {
     27     unsigned char *data = _data;
     28     size_t count;
     29 
     30     for (count = 0; count < len; count++) {
     31         if ((count & 15) == 0)
     32             fprintf(stderr,"%04zu:", count);
     33         fprintf(stderr," %02x %c", *data,
     34                 (*data < 32) || (*data > 126) ? '.' : *data);
     35         data++;
     36         if ((count & 15) == 15)
     37             fprintf(stderr,"\n");
     38     }
     39     if ((count & 15) != 0)
     40         fprintf(stderr,"\n");
     41 }
     42 
     43 void binder_dump_txn(struct binder_transaction_data *txn)
     44 {
     45     struct flat_binder_object *obj;
     46     binder_size_t *offs = (binder_size_t *)(uintptr_t)txn->data.ptr.offsets;
     47     size_t count = txn->offsets_size / sizeof(binder_size_t);
     48 
     49     fprintf(stderr,"  target %016"PRIx64"  cookie %016"PRIx64"  code %08x  flags %08x\n",
     50             (uint64_t)txn->target.ptr, (uint64_t)txn->cookie, txn->code, txn->flags);
     51     fprintf(stderr,"  pid %8d  uid %8d  data %"PRIu64"  offs %"PRIu64"\n",
     52             txn->sender_pid, txn->sender_euid, (uint64_t)txn->data_size, (uint64_t)txn->offsets_size);
     53     hexdump((void *)(uintptr_t)txn->data.ptr.buffer, txn->data_size);
     54     while (count--) {
     55         obj = (struct flat_binder_object *) (((char*)(uintptr_t)txn->data.ptr.buffer) + *offs++);
     56         fprintf(stderr,"  - type %08x  flags %08x  ptr %016"PRIx64"  cookie %016"PRIx64"\n",
     57                 obj->type, obj->flags, (uint64_t)obj->binder, (uint64_t)obj->cookie);
     58     }
     59 }
     60 
     61 #define NAME(n) case n: return #n
     62 const char *cmd_name(uint32_t cmd)
     63 {
     64     switch(cmd) {
     65         NAME(BR_NOOP);
     66         NAME(BR_TRANSACTION_COMPLETE);
     67         NAME(BR_INCREFS);
     68         NAME(BR_ACQUIRE);
     69         NAME(BR_RELEASE);
     70         NAME(BR_DECREFS);
     71         NAME(BR_TRANSACTION);
     72         NAME(BR_REPLY);
     73         NAME(BR_FAILED_REPLY);
     74         NAME(BR_DEAD_REPLY);
     75         NAME(BR_DEAD_BINDER);
     76     default: return "???";
     77     }
     78 }
     79 #else
     80 #define hexdump(a,b) do{} while (0)
     81 #define binder_dump_txn(txn)  do{} while (0)
     82 #endif
     83 
     84 #define BIO_F_SHARED    0x01  /* needs to be buffer freed */
     85 #define BIO_F_OVERFLOW  0x02  /* ran out of space */
     86 #define BIO_F_IOERROR   0x04
     87 #define BIO_F_MALLOCED  0x08  /* needs to be free()'d */
     88 
     89 struct binder_state
     90 {
     91     int fd;
     92     void *mapped;
     93     size_t mapsize;
     94 };
     95 
     96 struct binder_state *binder_open(size_t mapsize)
     97 {
     98     struct binder_state *bs;
     99     struct binder_version vers;
    100 
    101     bs = malloc(sizeof(*bs));
    102     if (!bs) {
    103         errno = ENOMEM;
    104         return NULL;
    105     }
    106 
    107     bs->fd = open("/dev/binder", O_RDWR | O_CLOEXEC);
    108     if (bs->fd < 0) {
    109         fprintf(stderr,"binder: cannot open device (%s)\n",
    110                 strerror(errno));
    111         goto fail_open;
    112     }
    113 
    114     if ((ioctl(bs->fd, BINDER_VERSION, &vers) == -1) ||
    115         (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION)) {
    116         fprintf(stderr,
    117                 "binder: kernel driver version (%d) differs from user space version (%d)\n",
    118                 vers.protocol_version, BINDER_CURRENT_PROTOCOL_VERSION);
    119         goto fail_open;
    120     }
    121 
    122     bs->mapsize = mapsize;
    123     bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);
    124     if (bs->mapped == MAP_FAILED) {
    125         fprintf(stderr,"binder: cannot map device (%s)\n",
    126                 strerror(errno));
    127         goto fail_map;
    128     }
    129 
    130     return bs;
    131 
    132 fail_map:
    133     close(bs->fd);
    134 fail_open:
    135     free(bs);
    136     return NULL;
    137 }
    138 
    139 void binder_close(struct binder_state *bs)
    140 {
    141     munmap(bs->mapped, bs->mapsize);
    142     close(bs->fd);
    143     free(bs);
    144 }
    145 
    146 int binder_become_context_manager(struct binder_state *bs)
    147 {
    148     return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);
    149 }
    150 
    151 int binder_write(struct binder_state *bs, void *data, size_t len)
    152 {
    153     struct binder_write_read bwr;
    154     int res;
    155 
    156     bwr.write_size = len;
    157     bwr.write_consumed = 0;
    158     bwr.write_buffer = (uintptr_t) data;
    159     bwr.read_size = 0;
    160     bwr.read_consumed = 0;
    161     bwr.read_buffer = 0;
    162     res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
    163     if (res < 0) {
    164         fprintf(stderr,"binder_write: ioctl failed (%s)\n",
    165                 strerror(errno));
    166     }
    167     return res;
    168 }
    169 
    170 void binder_free_buffer(struct binder_state *bs,
    171                         binder_uintptr_t buffer_to_free)
    172 {
    173     struct {
    174         uint32_t cmd_free;
    175         binder_uintptr_t buffer;
    176     } __attribute__((packed)) data;
    177     data.cmd_free = BC_FREE_BUFFER;
    178     data.buffer = buffer_to_free;
    179     binder_write(bs, &data, sizeof(data));
    180 }
    181 
    182 void binder_send_reply(struct binder_state *bs,
    183                        struct binder_io *reply,
    184                        binder_uintptr_t buffer_to_free,
    185                        int status)
    186 {
    187     struct {
    188         uint32_t cmd_free;
    189         binder_uintptr_t buffer;
    190         uint32_t cmd_reply;
    191         struct binder_transaction_data txn;
    192     } __attribute__((packed)) data;
    193 
    194     data.cmd_free = BC_FREE_BUFFER;
    195     data.buffer = buffer_to_free;
    196     data.cmd_reply = BC_REPLY;
    197     data.txn.target.ptr = 0;
    198     data.txn.cookie = 0;
    199     data.txn.code = 0;
    200     if (status) {
    201         data.txn.flags = TF_STATUS_CODE;
    202         data.txn.data_size = sizeof(int);
    203         data.txn.offsets_size = 0;
    204         data.txn.data.ptr.buffer = (uintptr_t)&status;
    205         data.txn.data.ptr.offsets = 0;
    206     } else {
    207         data.txn.flags = 0;
    208         data.txn.data_size = reply->data - reply->data0;
    209         data.txn.offsets_size = ((char*) reply->offs) - ((char*) reply->offs0);
    210         data.txn.data.ptr.buffer = (uintptr_t)reply->data0;
    211         data.txn.data.ptr.offsets = (uintptr_t)reply->offs0;
    212     }
    213     binder_write(bs, &data, sizeof(data));
    214 }
    215 
    216 int binder_parse(struct binder_state *bs, struct binder_io *bio,
    217                  uintptr_t ptr, size_t size, binder_handler func)
    218 {
    219     int r = 1;
    220     uintptr_t end = ptr + (uintptr_t) size;
    221 
    222     while (ptr < end) {
    223         uint32_t cmd = *(uint32_t *) ptr;
    224         ptr += sizeof(uint32_t);
    225 #if TRACE
    226         fprintf(stderr,"%s:\n", cmd_name(cmd));
    227 #endif
    228         switch(cmd) {
    229         case BR_NOOP:
    230             break;
    231         case BR_TRANSACTION_COMPLETE:
    232             break;
    233         case BR_INCREFS:
    234         case BR_ACQUIRE:
    235         case BR_RELEASE:
    236         case BR_DECREFS:
    237 #if TRACE
    238             fprintf(stderr,"  %p, %p\n", (void *)ptr, (void *)(ptr + sizeof(void *)));
    239 #endif
    240             ptr += sizeof(struct binder_ptr_cookie);
    241             break;
    242         case BR_TRANSACTION: {
    243             struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
    244             if ((end - ptr) < sizeof(*txn)) {
    245                 ALOGE("parse: txn too small!\n");
    246                 return -1;
    247             }
    248             binder_dump_txn(txn);
    249             if (func) {
    250                 unsigned rdata[256/4];
    251                 struct binder_io msg;
    252                 struct binder_io reply;
    253                 int res;
    254 
    255                 bio_init(&reply, rdata, sizeof(rdata), 4);
    256                 bio_init_from_txn(&msg, txn);
    257                 res = func(bs, txn, &msg, &reply);
    258                 if (txn->flags & TF_ONE_WAY) {
    259                     binder_free_buffer(bs, txn->data.ptr.buffer);
    260                 } else {
    261                     binder_send_reply(bs, &reply, txn->data.ptr.buffer, res);
    262                 }
    263             }
    264             ptr += sizeof(*txn);
    265             break;
    266         }
    267         case BR_REPLY: {
    268             struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
    269             if ((end - ptr) < sizeof(*txn)) {
    270                 ALOGE("parse: reply too small!\n");
    271                 return -1;
    272             }
    273             binder_dump_txn(txn);
    274             if (bio) {
    275                 bio_init_from_txn(bio, txn);
    276                 bio = 0;
    277             } else {
    278                 /* todo FREE BUFFER */
    279             }
    280             ptr += sizeof(*txn);
    281             r = 0;
    282             break;
    283         }
    284         case BR_DEAD_BINDER: {
    285             struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr;
    286             ptr += sizeof(binder_uintptr_t);
    287             death->func(bs, death->ptr);
    288             break;
    289         }
    290         case BR_FAILED_REPLY:
    291             r = -1;
    292             break;
    293         case BR_DEAD_REPLY:
    294             r = -1;
    295             break;
    296         default:
    297             ALOGE("parse: OOPS %d\n", cmd);
    298             return -1;
    299         }
    300     }
    301 
    302     return r;
    303 }
    304 
    305 void binder_acquire(struct binder_state *bs, uint32_t target)
    306 {
    307     uint32_t cmd[2];
    308     cmd[0] = BC_ACQUIRE;
    309     cmd[1] = target;
    310     binder_write(bs, cmd, sizeof(cmd));
    311 }
    312 
    313 void binder_release(struct binder_state *bs, uint32_t target)
    314 {
    315     uint32_t cmd[2];
    316     cmd[0] = BC_RELEASE;
    317     cmd[1] = target;
    318     binder_write(bs, cmd, sizeof(cmd));
    319 }
    320 
    321 void binder_link_to_death(struct binder_state *bs, uint32_t target, struct binder_death *death)
    322 {
    323     struct {
    324         uint32_t cmd;
    325         struct binder_handle_cookie payload;
    326     } __attribute__((packed)) data;
    327 
    328     data.cmd = BC_REQUEST_DEATH_NOTIFICATION;
    329     data.payload.handle = target;
    330     data.payload.cookie = (uintptr_t) death;
    331     binder_write(bs, &data, sizeof(data));
    332 }
    333 
    334 int binder_call(struct binder_state *bs,
    335                 struct binder_io *msg, struct binder_io *reply,
    336                 uint32_t target, uint32_t code)
    337 {
    338     int res;
    339     struct binder_write_read bwr;
    340     struct {
    341         uint32_t cmd;
    342         struct binder_transaction_data txn;
    343     } __attribute__((packed)) writebuf;
    344     unsigned readbuf[32];
    345 
    346     if (msg->flags & BIO_F_OVERFLOW) {
    347         fprintf(stderr,"binder: txn buffer overflow\n");
    348         goto fail;
    349     }
    350 
    351     writebuf.cmd = BC_TRANSACTION;
    352     writebuf.txn.target.handle = target;
    353     writebuf.txn.code = code;
    354     writebuf.txn.flags = 0;
    355     writebuf.txn.data_size = msg->data - msg->data0;
    356     writebuf.txn.offsets_size = ((char*) msg->offs) - ((char*) msg->offs0);
    357     writebuf.txn.data.ptr.buffer = (uintptr_t)msg->data0;
    358     writebuf.txn.data.ptr.offsets = (uintptr_t)msg->offs0;
    359 
    360     bwr.write_size = sizeof(writebuf);
    361     bwr.write_consumed = 0;
    362     bwr.write_buffer = (uintptr_t) &writebuf;
    363 
    364     hexdump(msg->data0, msg->data - msg->data0);
    365     for (;;) {
    366         bwr.read_size = sizeof(readbuf);
    367         bwr.read_consumed = 0;
    368         bwr.read_buffer = (uintptr_t) readbuf;
    369 
    370         res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
    371 
    372         if (res < 0) {
    373             fprintf(stderr,"binder: ioctl failed (%s)\n", strerror(errno));
    374             goto fail;
    375         }
    376 
    377         res = binder_parse(bs, reply, (uintptr_t) readbuf, bwr.read_consumed, 0);
    378         if (res == 0) return 0;
    379         if (res < 0) goto fail;
    380     }
    381 
    382 fail:
    383     memset(reply, 0, sizeof(*reply));
    384     reply->flags |= BIO_F_IOERROR;
    385     return -1;
    386 }
    387 
    388 void binder_loop(struct binder_state *bs, binder_handler func)
    389 {
    390     int res;
    391     struct binder_write_read bwr;
    392     uint32_t readbuf[32];
    393 
    394     bwr.write_size = 0;
    395     bwr.write_consumed = 0;
    396     bwr.write_buffer = 0;
    397 
    398     readbuf[0] = BC_ENTER_LOOPER;
    399     binder_write(bs, readbuf, sizeof(uint32_t));
    400 
    401     for (;;) {
    402         bwr.read_size = sizeof(readbuf);
    403         bwr.read_consumed = 0;
    404         bwr.read_buffer = (uintptr_t) readbuf;
    405 
    406         res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
    407 
    408         if (res < 0) {
    409             ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));
    410             break;
    411         }
    412 
    413         res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
    414         if (res == 0) {
    415             ALOGE("binder_loop: unexpected reply?!\n");
    416             break;
    417         }
    418         if (res < 0) {
    419             ALOGE("binder_loop: io error %d %s\n", res, strerror(errno));
    420             break;
    421         }
    422     }
    423 }
    424 
    425 void bio_init_from_txn(struct binder_io *bio, struct binder_transaction_data *txn)
    426 {
    427     bio->data = bio->data0 = (char *)(intptr_t)txn->data.ptr.buffer;
    428     bio->offs = bio->offs0 = (binder_size_t *)(intptr_t)txn->data.ptr.offsets;
    429     bio->data_avail = txn->data_size;
    430     bio->offs_avail = txn->offsets_size / sizeof(size_t);
    431     bio->flags = BIO_F_SHARED;
    432 }
    433 
    434 void bio_init(struct binder_io *bio, void *data,
    435               size_t maxdata, size_t maxoffs)
    436 {
    437     size_t n = maxoffs * sizeof(size_t);
    438 
    439     if (n > maxdata) {
    440         bio->flags = BIO_F_OVERFLOW;
    441         bio->data_avail = 0;
    442         bio->offs_avail = 0;
    443         return;
    444     }
    445 
    446     bio->data = bio->data0 = (char *) data + n;
    447     bio->offs = bio->offs0 = data;
    448     bio->data_avail = maxdata - n;
    449     bio->offs_avail = maxoffs;
    450     bio->flags = 0;
    451 }
    452 
    453 static void *bio_alloc(struct binder_io *bio, size_t size)
    454 {
    455     size = (size + 3) & (~3);
    456     if (size > bio->data_avail) {
    457         bio->flags |= BIO_F_OVERFLOW;
    458         return NULL;
    459     } else {
    460         void *ptr = bio->data;
    461         bio->data += size;
    462         bio->data_avail -= size;
    463         return ptr;
    464     }
    465 }
    466 
    467 void binder_done(struct binder_state *bs,
    468                  __unused struct binder_io *msg,
    469                  struct binder_io *reply)
    470 {
    471     struct {
    472         uint32_t cmd;
    473         uintptr_t buffer;
    474     } __attribute__((packed)) data;
    475 
    476     if (reply->flags & BIO_F_SHARED) {
    477         data.cmd = BC_FREE_BUFFER;
    478         data.buffer = (uintptr_t) reply->data0;
    479         binder_write(bs, &data, sizeof(data));
    480         reply->flags = 0;
    481     }
    482 }
    483 
    484 static struct flat_binder_object *bio_alloc_obj(struct binder_io *bio)
    485 {
    486     struct flat_binder_object *obj;
    487 
    488     obj = bio_alloc(bio, sizeof(*obj));
    489 
    490     if (obj && bio->offs_avail) {
    491         bio->offs_avail--;
    492         *bio->offs++ = ((char*) obj) - ((char*) bio->data0);
    493         return obj;
    494     }
    495 
    496     bio->flags |= BIO_F_OVERFLOW;
    497     return NULL;
    498 }
    499 
    500 void bio_put_uint32(struct binder_io *bio, uint32_t n)
    501 {
    502     uint32_t *ptr = bio_alloc(bio, sizeof(n));
    503     if (ptr)
    504         *ptr = n;
    505 }
    506 
    507 void bio_put_obj(struct binder_io *bio, void *ptr)
    508 {
    509     struct flat_binder_object *obj;
    510 
    511     obj = bio_alloc_obj(bio);
    512     if (!obj)
    513         return;
    514 
    515     obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
    516     obj->type = BINDER_TYPE_BINDER;
    517     obj->binder = (uintptr_t)ptr;
    518     obj->cookie = 0;
    519 }
    520 
    521 void bio_put_ref(struct binder_io *bio, uint32_t handle)
    522 {
    523     struct flat_binder_object *obj;
    524 
    525     if (handle)
    526         obj = bio_alloc_obj(bio);
    527     else
    528         obj = bio_alloc(bio, sizeof(*obj));
    529 
    530     if (!obj)
    531         return;
    532 
    533     obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
    534     obj->type = BINDER_TYPE_HANDLE;
    535     obj->handle = handle;
    536     obj->cookie = 0;
    537 }
    538 
    539 void bio_put_string16(struct binder_io *bio, const uint16_t *str)
    540 {
    541     size_t len;
    542     uint16_t *ptr;
    543 
    544     if (!str) {
    545         bio_put_uint32(bio, 0xffffffff);
    546         return;
    547     }
    548 
    549     len = 0;
    550     while (str[len]) len++;
    551 
    552     if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) {
    553         bio_put_uint32(bio, 0xffffffff);
    554         return;
    555     }
    556 
    557     /* Note: The payload will carry 32bit size instead of size_t */
    558     bio_put_uint32(bio, (uint32_t) len);
    559     len = (len + 1) * sizeof(uint16_t);
    560     ptr = bio_alloc(bio, len);
    561     if (ptr)
    562         memcpy(ptr, str, len);
    563 }
    564 
    565 void bio_put_string16_x(struct binder_io *bio, const char *_str)
    566 {
    567     unsigned char *str = (unsigned char*) _str;
    568     size_t len;
    569     uint16_t *ptr;
    570 
    571     if (!str) {
    572         bio_put_uint32(bio, 0xffffffff);
    573         return;
    574     }
    575 
    576     len = strlen(_str);
    577 
    578     if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) {
    579         bio_put_uint32(bio, 0xffffffff);
    580         return;
    581     }
    582 
    583     /* Note: The payload will carry 32bit size instead of size_t */
    584     bio_put_uint32(bio, len);
    585     ptr = bio_alloc(bio, (len + 1) * sizeof(uint16_t));
    586     if (!ptr)
    587         return;
    588 
    589     while (*str)
    590         *ptr++ = *str++;
    591     *ptr++ = 0;
    592 }
    593 
    594 static void *bio_get(struct binder_io *bio, size_t size)
    595 {
    596     size = (size + 3) & (~3);
    597 
    598     if (bio->data_avail < size){
    599         bio->data_avail = 0;
    600         bio->flags |= BIO_F_OVERFLOW;
    601         return NULL;
    602     }  else {
    603         void *ptr = bio->data;
    604         bio->data += size;
    605         bio->data_avail -= size;
    606         return ptr;
    607     }
    608 }
    609 
    610 uint32_t bio_get_uint32(struct binder_io *bio)
    611 {
    612     uint32_t *ptr = bio_get(bio, sizeof(*ptr));
    613     return ptr ? *ptr : 0;
    614 }
    615 
    616 uint16_t *bio_get_string16(struct binder_io *bio, size_t *sz)
    617 {
    618     size_t len;
    619 
    620     /* Note: The payload will carry 32bit size instead of size_t */
    621     len = (size_t) bio_get_uint32(bio);
    622     if (sz)
    623         *sz = len;
    624     return bio_get(bio, (len + 1) * sizeof(uint16_t));
    625 }
    626 
    627 static struct flat_binder_object *_bio_get_obj(struct binder_io *bio)
    628 {
    629     size_t n;
    630     size_t off = bio->data - bio->data0;
    631 
    632     /* TODO: be smarter about this? */
    633     for (n = 0; n < bio->offs_avail; n++) {
    634         if (bio->offs[n] == off)
    635             return bio_get(bio, sizeof(struct flat_binder_object));
    636     }
    637 
    638     bio->data_avail = 0;
    639     bio->flags |= BIO_F_OVERFLOW;
    640     return NULL;
    641 }
    642 
    643 uint32_t bio_get_ref(struct binder_io *bio)
    644 {
    645     struct flat_binder_object *obj;
    646 
    647     obj = _bio_get_obj(bio);
    648     if (!obj)
    649         return 0;
    650 
    651     if (obj->type == BINDER_TYPE_HANDLE)
    652         return obj->handle;
    653 
    654     return 0;
    655 }
    656