1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <array>
18 #include <iomanip>
19 #include <random>
20 #include <sstream>
21 
22 #include <android/hardware_buffer.h>
23 #include <bufferhub/BufferHubService.h>
24 #include <cutils/native_handle.h>
25 #include <log/log.h>
26 #include <openssl/hmac.h>
27 #include <system/graphics-base.h>
28 #include <ui/BufferHubDefs.h>
29 
30 using ::android::BufferHubDefs::MetadataHeader;
31 using ::android::hardware::Void;
32 
33 namespace android {
34 namespace frameworks {
35 namespace bufferhub {
36 namespace V1_0 {
37 namespace implementation {
38 
BufferHubService()39 BufferHubService::BufferHubService() {
40     std::mt19937_64 randomEngine;
41     randomEngine.seed(time(nullptr));
42 
43     mKey = randomEngine();
44 }
45 
allocateBuffer(const HardwareBufferDescription & description,const uint32_t userMetadataSize,allocateBuffer_cb _hidl_cb)46 Return<void> BufferHubService::allocateBuffer(const HardwareBufferDescription& description,
47                                               const uint32_t userMetadataSize,
48                                               allocateBuffer_cb _hidl_cb) {
49     AHardwareBuffer_Desc desc;
50     memcpy(&desc, &description, sizeof(AHardwareBuffer_Desc));
51 
52     std::shared_ptr<BufferNode> node =
53             std::make_shared<BufferNode>(desc.width, desc.height, desc.layers, desc.format,
54                                          desc.usage, userMetadataSize,
55                                          BufferHubIdGenerator::getInstance().getId());
56     if (node == nullptr || !node->isValid()) {
57         ALOGE("%s: creating BufferNode failed.", __FUNCTION__);
58         _hidl_cb(/*status=*/BufferHubStatus::ALLOCATION_FAILED, /*bufferClient=*/nullptr,
59                  /*bufferTraits=*/{});
60         return Void();
61     }
62 
63     sp<BufferClient> client = BufferClient::create(this, node);
64     // Add it to list for bookkeeping and dumpsys.
65     std::lock_guard<std::mutex> lock(mClientSetMutex);
66     mClientSet.emplace(client);
67 
68     // Allocate memory for bufferInfo of type hidl_handle on the stack. See
69     // http://aosp/286282 for the usage of NATIVE_HANDLE_DECLARE_STORAGE.
70     NATIVE_HANDLE_DECLARE_STORAGE(bufferInfoStorage, BufferHubDefs::kBufferInfoNumFds,
71                                   BufferHubDefs::kBufferInfoNumInts);
72     hidl_handle bufferInfo =
73             buildBufferInfo(bufferInfoStorage, node->id(), node->addNewActiveClientsBitToMask(),
74                             node->userMetadataSize(), node->metadata().ashmemFd(),
75                             node->eventFd().get());
76     // During the gralloc allocation carried out by BufferNode, gralloc allocator will populate the
77     // fields of its HardwareBufferDescription (i.e. strides) according to the actual
78     // gralloc implementation. We need to read those fields back and send them to the client via
79     // BufferTraits.
80     HardwareBufferDescription allocatedBufferDesc;
81     memcpy(&allocatedBufferDesc, &node->bufferDesc(), sizeof(AHardwareBuffer_Desc));
82     BufferTraits bufferTraits = {/*bufferDesc=*/allocatedBufferDesc,
83                                  /*bufferHandle=*/hidl_handle(node->bufferHandle()),
84                                  /*bufferInfo=*/std::move(bufferInfo)};
85 
86     _hidl_cb(/*status=*/BufferHubStatus::NO_ERROR, /*bufferClient=*/client,
87              /*bufferTraits=*/std::move(bufferTraits));
88     return Void();
89 }
90 
importBuffer(const hidl_handle & tokenHandle,importBuffer_cb _hidl_cb)91 Return<void> BufferHubService::importBuffer(const hidl_handle& tokenHandle,
92                                             importBuffer_cb _hidl_cb) {
93     if (!tokenHandle.getNativeHandle() || tokenHandle->numFds != 0 || tokenHandle->numInts <= 1) {
94         // nullptr handle or wrong format
95         _hidl_cb(/*status=*/BufferHubStatus::INVALID_TOKEN, /*bufferClient=*/nullptr,
96                  /*bufferTraits=*/{});
97         return Void();
98     }
99 
100     int tokenId = tokenHandle->data[0];
101 
102     wp<BufferClient> originClientWp;
103     {
104         std::lock_guard<std::mutex> lock(mTokenMutex);
105         auto iter = mTokenMap.find(tokenId);
106         if (iter == mTokenMap.end()) {
107             // Token Id not exist
108             ALOGD("%s: token #%d not found.", __FUNCTION__, tokenId);
109             _hidl_cb(/*status=*/BufferHubStatus::INVALID_TOKEN, /*bufferClient=*/nullptr,
110                      /*bufferTraits=*/{});
111             return Void();
112         }
113 
114         const std::vector<uint8_t>& tokenHMAC = iter->second.first;
115 
116         int numIntsForHMAC = (int)ceil(tokenHMAC.size() * sizeof(uint8_t) / (double)sizeof(int));
117         if (tokenHandle->numInts - 1 != numIntsForHMAC) {
118             // HMAC size not match
119             ALOGD("%s: token #%d HMAC size not match. Expected: %d Actual: %d", __FUNCTION__,
120                   tokenId, numIntsForHMAC, tokenHandle->numInts - 1);
121             _hidl_cb(/*status=*/BufferHubStatus::INVALID_TOKEN, /*bufferClient=*/nullptr,
122                      /*bufferTraits=*/{});
123             return Void();
124         }
125 
126         size_t hmacSize = tokenHMAC.size() * sizeof(uint8_t);
127         if (memcmp(tokenHMAC.data(), &tokenHandle->data[1], hmacSize) != 0) {
128             // HMAC not match
129             ALOGD("%s: token #%d HMAC not match.", __FUNCTION__, tokenId);
130             _hidl_cb(/*status=*/BufferHubStatus::INVALID_TOKEN, /*bufferClient=*/nullptr,
131                      /*bufferTraits=*/{});
132             return Void();
133         }
134 
135         originClientWp = iter->second.second;
136         mTokenMap.erase(iter);
137     }
138 
139     // Check if original client is dead
140     sp<BufferClient> originClient = originClientWp.promote();
141     if (!originClient) {
142         // Should not happen since token should be removed if already gone
143         ALOGE("%s: original client %p gone!", __FUNCTION__, originClientWp.unsafe_get());
144         _hidl_cb(/*status=*/BufferHubStatus::BUFFER_FREED, /*bufferClient=*/nullptr,
145                  /*bufferTraits=*/{});
146         return Void();
147     }
148 
149     sp<BufferClient> client = new BufferClient(*originClient);
150     uint32_t clientStateMask = client->getBufferNode()->addNewActiveClientsBitToMask();
151     if (clientStateMask == 0U) {
152         // Reach max client count
153         ALOGE("%s: import failed, BufferNode#%u reached maximum clients.", __FUNCTION__,
154               client->getBufferNode()->id());
155         _hidl_cb(/*status=*/BufferHubStatus::MAX_CLIENT, /*bufferClient=*/nullptr,
156                  /*bufferTraits=*/{});
157         return Void();
158     }
159 
160     std::lock_guard<std::mutex> lock(mClientSetMutex);
161     mClientSet.emplace(client);
162 
163     std::shared_ptr<BufferNode> node = client->getBufferNode();
164 
165     HardwareBufferDescription bufferDesc;
166     memcpy(&bufferDesc, &node->bufferDesc(), sizeof(HardwareBufferDescription));
167 
168     // Allocate memory for bufferInfo of type hidl_handle on the stack. See
169     // http://aosp/286282 for the usage of NATIVE_HANDLE_DECLARE_STORAGE.
170     NATIVE_HANDLE_DECLARE_STORAGE(bufferInfoStorage, BufferHubDefs::kBufferInfoNumFds,
171                                   BufferHubDefs::kBufferInfoNumInts);
172     hidl_handle bufferInfo = buildBufferInfo(bufferInfoStorage, node->id(), clientStateMask,
173                                              node->userMetadataSize(), node->metadata().ashmemFd(),
174                                              node->eventFd().get());
175     BufferTraits bufferTraits = {/*bufferDesc=*/bufferDesc,
176                                  /*bufferHandle=*/hidl_handle(node->bufferHandle()),
177                                  /*bufferInfo=*/std::move(bufferInfo)};
178 
179     _hidl_cb(/*status=*/BufferHubStatus::NO_ERROR, /*bufferClient=*/client,
180              /*bufferTraits=*/std::move(bufferTraits));
181     return Void();
182 }
183 
debug(const hidl_handle & fd,const hidl_vec<hidl_string> & args)184 Return<void> BufferHubService::debug(const hidl_handle& fd, const hidl_vec<hidl_string>& args) {
185     if (fd.getNativeHandle() == nullptr || fd->numFds < 1) {
186         ALOGE("%s: missing fd for writing.", __FUNCTION__);
187         return Void();
188     }
189 
190     FILE* out = fdopen(dup(fd->data[0]), "w");
191 
192     if (args.size() != 0) {
193         fprintf(out,
194                 "Note: lshal bufferhub currently does not support args. Input arguments are "
195                 "ignored.\n");
196     }
197 
198     std::ostringstream stream;
199 
200     // Get the number of clients of each buffer.
201     // Map from bufferId to bufferNode_clientCount pair.
202     std::map<int, std::pair<const std::shared_ptr<BufferNode>, uint32_t>> clientCount;
203     {
204         std::lock_guard<std::mutex> lock(mClientSetMutex);
205         for (auto iter = mClientSet.begin(); iter != mClientSet.end(); ++iter) {
206             sp<BufferClient> client = iter->promote();
207             if (client != nullptr) {
208                 const std::shared_ptr<BufferNode> node = client->getBufferNode();
209                 auto mapIter = clientCount.find(node->id());
210                 if (mapIter != clientCount.end()) {
211                     ++mapIter->second.second;
212                 } else {
213                     clientCount.emplace(node->id(),
214                                         std::pair<std::shared_ptr<BufferNode>, uint32_t>(node, 1U));
215                 }
216             }
217         }
218     }
219 
220     stream << "Active Buffers:\n";
221     stream << std::right;
222     stream << std::setw(6) << "Id";
223     stream << " ";
224     stream << std::setw(9) << "#Clients";
225     stream << " ";
226     stream << std::setw(14) << "Geometry";
227     stream << " ";
228     stream << std::setw(6) << "Format";
229     stream << " ";
230     stream << std::setw(10) << "Usage";
231     stream << " ";
232     stream << std::setw(10) << "State";
233     stream << " ";
234     stream << std::setw(8) << "Index";
235     stream << std::endl;
236 
237     for (auto iter = clientCount.begin(); iter != clientCount.end(); ++iter) {
238         const std::shared_ptr<BufferNode> node = std::move(iter->second.first);
239         const uint32_t clientCount = iter->second.second;
240         AHardwareBuffer_Desc desc = node->bufferDesc();
241 
242         MetadataHeader* metadataHeader =
243                 const_cast<BufferHubMetadata*>(&node->metadata())->metadataHeader();
244         const uint32_t state = metadataHeader->bufferState.load(std::memory_order_acquire);
245         const uint64_t index = metadataHeader->queueIndex;
246 
247         stream << std::right;
248         stream << std::setw(6) << /*Id=*/node->id();
249         stream << " ";
250         stream << std::setw(9) << /*#Clients=*/clientCount;
251         stream << " ";
252         if (desc.format == HAL_PIXEL_FORMAT_BLOB) {
253             std::string size = std::to_string(desc.width) + " B";
254             stream << std::setw(14) << /*Geometry=*/size;
255         } else {
256             std::string dimensions = std::to_string(desc.width) + "x" +
257                     std::to_string(desc.height) + "x" + std::to_string(desc.layers);
258             stream << std::setw(14) << /*Geometry=*/dimensions;
259         }
260         stream << " ";
261         stream << std::setw(6) << /*Format=*/desc.format;
262         stream << " ";
263         stream << "0x" << std::hex << std::setfill('0');
264         stream << std::setw(8) << /*Usage=*/desc.usage;
265         stream << std::dec << std::setfill(' ');
266         stream << " ";
267         stream << "0x" << std::hex << std::setfill('0');
268         stream << std::setw(8) << /*State=*/state;
269         stream << std::dec << std::setfill(' ');
270         stream << " ";
271         stream << std::setw(8) << /*Index=*/index;
272         stream << std::endl;
273     }
274 
275     stream << std::endl;
276 
277     // Get the number of tokens of each buffer.
278     // Map from bufferId to tokenCount
279     std::map<int, uint32_t> tokenCount;
280     {
281         std::lock_guard<std::mutex> lock(mTokenMutex);
282         for (auto iter = mTokenMap.begin(); iter != mTokenMap.end(); ++iter) {
283             sp<BufferClient> client = iter->second.second.promote();
284             if (client != nullptr) {
285                 const std::shared_ptr<BufferNode> node = client->getBufferNode();
286                 auto mapIter = tokenCount.find(node->id());
287                 if (mapIter != tokenCount.end()) {
288                     ++mapIter->second;
289                 } else {
290                     tokenCount.emplace(node->id(), 1U);
291                 }
292             }
293         }
294     }
295 
296     stream << "Unused Tokens:\n";
297     stream << std::right;
298     stream << std::setw(8) << "Buffer Id";
299     stream << " ";
300     stream << std::setw(7) << "#Tokens";
301     stream << std::endl;
302 
303     for (auto iter = tokenCount.begin(); iter != tokenCount.end(); ++iter) {
304         stream << std::right;
305         stream << std::setw(8) << /*Buffer Id=*/iter->first;
306         stream << " ";
307         stream << std::setw(7) << /*#Tokens=*/iter->second;
308         stream << std::endl;
309     }
310 
311     fprintf(out, "%s", stream.str().c_str());
312 
313     fclose(out);
314     return Void();
315 }
316 
registerToken(const wp<BufferClient> & client)317 hidl_handle BufferHubService::registerToken(const wp<BufferClient>& client) {
318     // Find next available token id
319     std::lock_guard<std::mutex> lock(mTokenMutex);
320     do {
321         ++mLastTokenId;
322     } while (mTokenMap.find(mLastTokenId) != mTokenMap.end());
323 
324     std::array<uint8_t, EVP_MAX_MD_SIZE> hmac;
325     uint32_t hmacSize = 0U;
326 
327     HMAC(/*evp_md=*/EVP_sha256(), /*key=*/&mKey, /*key_len=*/kKeyLen,
328          /*data=*/(uint8_t*)&mLastTokenId, /*data_len=*/mTokenIdSize,
329          /*out=*/hmac.data(), /*out_len=*/&hmacSize);
330 
331     int numIntsForHMAC = (int)ceil(hmacSize / (double)sizeof(int));
332     native_handle_t* handle = native_handle_create(/*numFds=*/0, /*numInts=*/1 + numIntsForHMAC);
333     handle->data[0] = mLastTokenId;
334     // Set all the the bits of last int to 0 since it might not be fully overwritten
335     handle->data[numIntsForHMAC] = 0;
336     memcpy(&handle->data[1], hmac.data(), hmacSize);
337 
338     // returnToken owns the native_handle_t* thus doing lifecycle management
339     hidl_handle returnToken;
340     returnToken.setTo(handle, /*shoudOwn=*/true);
341 
342     std::vector<uint8_t> hmacVec;
343     hmacVec.resize(hmacSize);
344     memcpy(hmacVec.data(), hmac.data(), hmacSize);
345     mTokenMap.emplace(mLastTokenId, std::pair(hmacVec, client));
346 
347     return returnToken;
348 }
349 
onClientClosed(const BufferClient * client)350 void BufferHubService::onClientClosed(const BufferClient* client) {
351     removeTokenByClient(client);
352 
353     std::lock_guard<std::mutex> lock(mClientSetMutex);
354     auto iter = std::find(mClientSet.begin(), mClientSet.end(), client);
355     if (iter != mClientSet.end()) {
356         mClientSet.erase(iter);
357     }
358 }
359 
360 // Implementation of this function should be consistent with the definition of bufferInfo handle in
361 // ui/BufferHubDefs.h.
buildBufferInfo(char * bufferInfoStorage,int bufferId,uint32_t clientBitMask,uint32_t userMetadataSize,int metadataFd,int eventFd)362 hidl_handle BufferHubService::buildBufferInfo(char* bufferInfoStorage, int bufferId,
363                                               uint32_t clientBitMask, uint32_t userMetadataSize,
364                                               int metadataFd, int eventFd) {
365     native_handle_t* infoHandle =
366             native_handle_init(bufferInfoStorage, BufferHubDefs::kBufferInfoNumFds,
367                                BufferHubDefs::kBufferInfoNumInts);
368 
369     infoHandle->data[0] = metadataFd;
370     infoHandle->data[1] = eventFd;
371     infoHandle->data[2] = bufferId;
372     // Use memcpy to convert to int without missing digit.
373     // TOOD(b/121345852): use bit_cast to unpack bufferInfo when C++20 becomes available.
374     memcpy(&infoHandle->data[3], &clientBitMask, sizeof(clientBitMask));
375     memcpy(&infoHandle->data[4], &userMetadataSize, sizeof(userMetadataSize));
376 
377     hidl_handle bufferInfo;
378     bufferInfo.setTo(infoHandle, /*shouldOwn=*/false);
379 
380     return bufferInfo;
381 }
382 
removeTokenByClient(const BufferClient * client)383 void BufferHubService::removeTokenByClient(const BufferClient* client) {
384     std::lock_guard<std::mutex> lock(mTokenMutex);
385     auto iter = mTokenMap.begin();
386     while (iter != mTokenMap.end()) {
387         if (iter->second.second == client) {
388             auto oldIter = iter;
389             ++iter;
390             mTokenMap.erase(oldIter);
391         } else {
392             ++iter;
393         }
394     }
395 }
396 
397 } // namespace implementation
398 } // namespace V1_0
399 } // namespace bufferhub
400 } // namespace frameworks
401 } // namespace android
402