1 /*
2 * Copyright (C) 2005 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "BpBinder"
18 //#define LOG_NDEBUG 0
19
20 #include <binder/BpBinder.h>
21
22 #include <binder/IPCThreadState.h>
23 #include <binder/IResultReceiver.h>
24 #include <binder/Stability.h>
25 #include <cutils/compiler.h>
26 #include <utils/Log.h>
27
28 #include <stdio.h>
29
30 //#undef ALOGV
31 //#define ALOGV(...) fprintf(stderr, __VA_ARGS__)
32
33 namespace android {
34
35 // ---------------------------------------------------------------------------
36
37 Mutex BpBinder::sTrackingLock;
38 std::unordered_map<int32_t,uint32_t> BpBinder::sTrackingMap;
39 int BpBinder::sNumTrackedUids = 0;
40 std::atomic_bool BpBinder::sCountByUidEnabled(false);
41 binder_proxy_limit_callback BpBinder::sLimitCallback;
42 bool BpBinder::sBinderProxyThrottleCreate = false;
43
44 // Arbitrarily high value that probably distinguishes a bad behaving app
45 uint32_t BpBinder::sBinderProxyCountHighWatermark = 2500;
46 // Another arbitrary value a binder count needs to drop below before another callback will be called
47 uint32_t BpBinder::sBinderProxyCountLowWatermark = 2000;
48
49 enum {
50 LIMIT_REACHED_MASK = 0x80000000, // A flag denoting that the limit has been reached
51 COUNTING_VALUE_MASK = 0x7FFFFFFF, // A mask of the remaining bits for the count value
52 };
53
ObjectManager()54 BpBinder::ObjectManager::ObjectManager()
55 {
56 }
57
~ObjectManager()58 BpBinder::ObjectManager::~ObjectManager()
59 {
60 kill();
61 }
62
attach(const void * objectID,void * object,void * cleanupCookie,IBinder::object_cleanup_func func)63 void BpBinder::ObjectManager::attach(
64 const void* objectID, void* object, void* cleanupCookie,
65 IBinder::object_cleanup_func func)
66 {
67 entry_t e;
68 e.object = object;
69 e.cleanupCookie = cleanupCookie;
70 e.func = func;
71
72 if (mObjects.indexOfKey(objectID) >= 0) {
73 ALOGE("Trying to attach object ID %p to binder ObjectManager %p with object %p, but object ID already in use",
74 objectID, this, object);
75 return;
76 }
77
78 mObjects.add(objectID, e);
79 }
80
find(const void * objectID) const81 void* BpBinder::ObjectManager::find(const void* objectID) const
82 {
83 const ssize_t i = mObjects.indexOfKey(objectID);
84 if (i < 0) return nullptr;
85 return mObjects.valueAt(i).object;
86 }
87
detach(const void * objectID)88 void BpBinder::ObjectManager::detach(const void* objectID)
89 {
90 mObjects.removeItem(objectID);
91 }
92
kill()93 void BpBinder::ObjectManager::kill()
94 {
95 const size_t N = mObjects.size();
96 ALOGV("Killing %zu objects in manager %p", N, this);
97 for (size_t i=0; i<N; i++) {
98 const entry_t& e = mObjects.valueAt(i);
99 if (e.func != nullptr) {
100 e.func(mObjects.keyAt(i), e.object, e.cleanupCookie);
101 }
102 }
103
104 mObjects.clear();
105 }
106
107 // ---------------------------------------------------------------------------
108
109
create(int32_t handle)110 BpBinder* BpBinder::create(int32_t handle) {
111 int32_t trackedUid = -1;
112 if (sCountByUidEnabled) {
113 trackedUid = IPCThreadState::self()->getCallingUid();
114 AutoMutex _l(sTrackingLock);
115 uint32_t trackedValue = sTrackingMap[trackedUid];
116 if (CC_UNLIKELY(trackedValue & LIMIT_REACHED_MASK)) {
117 if (sBinderProxyThrottleCreate) {
118 return nullptr;
119 }
120 } else {
121 if ((trackedValue & COUNTING_VALUE_MASK) >= sBinderProxyCountHighWatermark) {
122 ALOGE("Too many binder proxy objects sent to uid %d from uid %d (%d proxies held)",
123 getuid(), trackedUid, trackedValue);
124 sTrackingMap[trackedUid] |= LIMIT_REACHED_MASK;
125 if (sLimitCallback) sLimitCallback(trackedUid);
126 if (sBinderProxyThrottleCreate) {
127 ALOGI("Throttling binder proxy creates from uid %d in uid %d until binder proxy"
128 " count drops below %d",
129 trackedUid, getuid(), sBinderProxyCountLowWatermark);
130 return nullptr;
131 }
132 }
133 }
134 sTrackingMap[trackedUid]++;
135 }
136 return new BpBinder(handle, trackedUid);
137 }
138
BpBinder(int32_t handle,int32_t trackedUid)139 BpBinder::BpBinder(int32_t handle, int32_t trackedUid)
140 : mHandle(handle)
141 , mStability(0)
142 , mAlive(1)
143 , mObitsSent(0)
144 , mObituaries(nullptr)
145 , mTrackedUid(trackedUid)
146 {
147 ALOGV("Creating BpBinder %p handle %d\n", this, mHandle);
148
149 extendObjectLifetime(OBJECT_LIFETIME_WEAK);
150 IPCThreadState::self()->incWeakHandle(handle, this);
151 }
152
handle() const153 int32_t BpBinder::handle() const {
154 return mHandle;
155 }
156
isDescriptorCached() const157 bool BpBinder::isDescriptorCached() const {
158 Mutex::Autolock _l(mLock);
159 return mDescriptorCache.size() ? true : false;
160 }
161
getInterfaceDescriptor() const162 const String16& BpBinder::getInterfaceDescriptor() const
163 {
164 if (isDescriptorCached() == false) {
165 Parcel send, reply;
166 // do the IPC without a lock held.
167 status_t err = const_cast<BpBinder*>(this)->transact(
168 INTERFACE_TRANSACTION, send, &reply);
169 if (err == NO_ERROR) {
170 String16 res(reply.readString16());
171 Mutex::Autolock _l(mLock);
172 // mDescriptorCache could have been assigned while the lock was
173 // released.
174 if (mDescriptorCache.size() == 0)
175 mDescriptorCache = res;
176 }
177 }
178
179 // we're returning a reference to a non-static object here. Usually this
180 // is not something smart to do, however, with binder objects it is
181 // (usually) safe because they are reference-counted.
182
183 return mDescriptorCache;
184 }
185
isBinderAlive() const186 bool BpBinder::isBinderAlive() const
187 {
188 return mAlive != 0;
189 }
190
pingBinder()191 status_t BpBinder::pingBinder()
192 {
193 Parcel send;
194 Parcel reply;
195 return transact(PING_TRANSACTION, send, &reply);
196 }
197
dump(int fd,const Vector<String16> & args)198 status_t BpBinder::dump(int fd, const Vector<String16>& args)
199 {
200 Parcel send;
201 Parcel reply;
202 send.writeFileDescriptor(fd);
203 const size_t numArgs = args.size();
204 send.writeInt32(numArgs);
205 for (size_t i = 0; i < numArgs; i++) {
206 send.writeString16(args[i]);
207 }
208 status_t err = transact(DUMP_TRANSACTION, send, &reply);
209 return err;
210 }
211
212 // NOLINTNEXTLINE(google-default-arguments)
transact(uint32_t code,const Parcel & data,Parcel * reply,uint32_t flags)213 status_t BpBinder::transact(
214 uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
215 {
216 // Once a binder has died, it will never come back to life.
217 if (mAlive) {
218 bool privateVendor = flags & FLAG_PRIVATE_VENDOR;
219 // don't send userspace flags to the kernel
220 flags = flags & ~FLAG_PRIVATE_VENDOR;
221
222 // user transactions require a given stability level
223 if (code >= FIRST_CALL_TRANSACTION && code <= LAST_CALL_TRANSACTION) {
224 using android::internal::Stability;
225
226 auto stability = Stability::get(this);
227 auto required = privateVendor ? Stability::VENDOR : Stability::kLocalStability;
228
229 if (CC_UNLIKELY(!Stability::check(stability, required))) {
230 ALOGE("Cannot do a user transaction on a %s binder in a %s context.",
231 Stability::stabilityString(stability).c_str(),
232 Stability::stabilityString(required).c_str());
233 return BAD_TYPE;
234 }
235 }
236
237 status_t status = IPCThreadState::self()->transact(
238 mHandle, code, data, reply, flags);
239 if (status == DEAD_OBJECT) mAlive = 0;
240
241 return status;
242 }
243
244 return DEAD_OBJECT;
245 }
246
247 // NOLINTNEXTLINE(google-default-arguments)
linkToDeath(const sp<DeathRecipient> & recipient,void * cookie,uint32_t flags)248 status_t BpBinder::linkToDeath(
249 const sp<DeathRecipient>& recipient, void* cookie, uint32_t flags)
250 {
251 Obituary ob;
252 ob.recipient = recipient;
253 ob.cookie = cookie;
254 ob.flags = flags;
255
256 LOG_ALWAYS_FATAL_IF(recipient == nullptr,
257 "linkToDeath(): recipient must be non-NULL");
258
259 {
260 AutoMutex _l(mLock);
261
262 if (!mObitsSent) {
263 if (!mObituaries) {
264 mObituaries = new Vector<Obituary>;
265 if (!mObituaries) {
266 return NO_MEMORY;
267 }
268 ALOGV("Requesting death notification: %p handle %d\n", this, mHandle);
269 getWeakRefs()->incWeak(this);
270 IPCThreadState* self = IPCThreadState::self();
271 self->requestDeathNotification(mHandle, this);
272 self->flushCommands();
273 }
274 ssize_t res = mObituaries->add(ob);
275 return res >= (ssize_t)NO_ERROR ? (status_t)NO_ERROR : res;
276 }
277 }
278
279 return DEAD_OBJECT;
280 }
281
282 // NOLINTNEXTLINE(google-default-arguments)
unlinkToDeath(const wp<DeathRecipient> & recipient,void * cookie,uint32_t flags,wp<DeathRecipient> * outRecipient)283 status_t BpBinder::unlinkToDeath(
284 const wp<DeathRecipient>& recipient, void* cookie, uint32_t flags,
285 wp<DeathRecipient>* outRecipient)
286 {
287 AutoMutex _l(mLock);
288
289 if (mObitsSent) {
290 return DEAD_OBJECT;
291 }
292
293 const size_t N = mObituaries ? mObituaries->size() : 0;
294 for (size_t i=0; i<N; i++) {
295 const Obituary& obit = mObituaries->itemAt(i);
296 if ((obit.recipient == recipient
297 || (recipient == nullptr && obit.cookie == cookie))
298 && obit.flags == flags) {
299 if (outRecipient != nullptr) {
300 *outRecipient = mObituaries->itemAt(i).recipient;
301 }
302 mObituaries->removeAt(i);
303 if (mObituaries->size() == 0) {
304 ALOGV("Clearing death notification: %p handle %d\n", this, mHandle);
305 IPCThreadState* self = IPCThreadState::self();
306 self->clearDeathNotification(mHandle, this);
307 self->flushCommands();
308 delete mObituaries;
309 mObituaries = nullptr;
310 }
311 return NO_ERROR;
312 }
313 }
314
315 return NAME_NOT_FOUND;
316 }
317
sendObituary()318 void BpBinder::sendObituary()
319 {
320 ALOGV("Sending obituary for proxy %p handle %d, mObitsSent=%s\n",
321 this, mHandle, mObitsSent ? "true" : "false");
322
323 mAlive = 0;
324 if (mObitsSent) return;
325
326 mLock.lock();
327 Vector<Obituary>* obits = mObituaries;
328 if(obits != nullptr) {
329 ALOGV("Clearing sent death notification: %p handle %d\n", this, mHandle);
330 IPCThreadState* self = IPCThreadState::self();
331 self->clearDeathNotification(mHandle, this);
332 self->flushCommands();
333 mObituaries = nullptr;
334 }
335 mObitsSent = 1;
336 mLock.unlock();
337
338 ALOGV("Reporting death of proxy %p for %zu recipients\n",
339 this, obits ? obits->size() : 0U);
340
341 if (obits != nullptr) {
342 const size_t N = obits->size();
343 for (size_t i=0; i<N; i++) {
344 reportOneDeath(obits->itemAt(i));
345 }
346
347 delete obits;
348 }
349 }
350
reportOneDeath(const Obituary & obit)351 void BpBinder::reportOneDeath(const Obituary& obit)
352 {
353 sp<DeathRecipient> recipient = obit.recipient.promote();
354 ALOGV("Reporting death to recipient: %p\n", recipient.get());
355 if (recipient == nullptr) return;
356
357 recipient->binderDied(this);
358 }
359
360
attachObject(const void * objectID,void * object,void * cleanupCookie,object_cleanup_func func)361 void BpBinder::attachObject(
362 const void* objectID, void* object, void* cleanupCookie,
363 object_cleanup_func func)
364 {
365 AutoMutex _l(mLock);
366 ALOGV("Attaching object %p to binder %p (manager=%p)", object, this, &mObjects);
367 mObjects.attach(objectID, object, cleanupCookie, func);
368 }
369
findObject(const void * objectID) const370 void* BpBinder::findObject(const void* objectID) const
371 {
372 AutoMutex _l(mLock);
373 return mObjects.find(objectID);
374 }
375
detachObject(const void * objectID)376 void BpBinder::detachObject(const void* objectID)
377 {
378 AutoMutex _l(mLock);
379 mObjects.detach(objectID);
380 }
381
remoteBinder()382 BpBinder* BpBinder::remoteBinder()
383 {
384 return this;
385 }
386
~BpBinder()387 BpBinder::~BpBinder()
388 {
389 ALOGV("Destroying BpBinder %p handle %d\n", this, mHandle);
390
391 IPCThreadState* ipc = IPCThreadState::self();
392
393 if (mTrackedUid >= 0) {
394 AutoMutex _l(sTrackingLock);
395 uint32_t trackedValue = sTrackingMap[mTrackedUid];
396 if (CC_UNLIKELY((trackedValue & COUNTING_VALUE_MASK) == 0)) {
397 ALOGE("Unexpected Binder Proxy tracking decrement in %p handle %d\n", this, mHandle);
398 } else {
399 if (CC_UNLIKELY(
400 (trackedValue & LIMIT_REACHED_MASK) &&
401 ((trackedValue & COUNTING_VALUE_MASK) <= sBinderProxyCountLowWatermark)
402 )) {
403 ALOGI("Limit reached bit reset for uid %d (fewer than %d proxies from uid %d held)",
404 getuid(), mTrackedUid, sBinderProxyCountLowWatermark);
405 sTrackingMap[mTrackedUid] &= ~LIMIT_REACHED_MASK;
406 }
407 if (--sTrackingMap[mTrackedUid] == 0) {
408 sTrackingMap.erase(mTrackedUid);
409 }
410 }
411 }
412
413 if (ipc) {
414 ipc->expungeHandle(mHandle, this);
415 ipc->decWeakHandle(mHandle);
416 }
417 }
418
onFirstRef()419 void BpBinder::onFirstRef()
420 {
421 ALOGV("onFirstRef BpBinder %p handle %d\n", this, mHandle);
422 IPCThreadState* ipc = IPCThreadState::self();
423 if (ipc) ipc->incStrongHandle(mHandle, this);
424 }
425
onLastStrongRef(const void *)426 void BpBinder::onLastStrongRef(const void* /*id*/)
427 {
428 ALOGV("onLastStrongRef BpBinder %p handle %d\n", this, mHandle);
429 IF_ALOGV() {
430 printRefs();
431 }
432 IPCThreadState* ipc = IPCThreadState::self();
433 if (ipc) ipc->decStrongHandle(mHandle);
434
435 mLock.lock();
436 Vector<Obituary>* obits = mObituaries;
437 if(obits != nullptr) {
438 if (!obits->isEmpty()) {
439 ALOGI("onLastStrongRef automatically unlinking death recipients: %s",
440 mDescriptorCache.size() ? String8(mDescriptorCache).c_str() : "<uncached descriptor>");
441 }
442
443 if (ipc) ipc->clearDeathNotification(mHandle, this);
444 mObituaries = nullptr;
445 }
446 mLock.unlock();
447
448 if (obits != nullptr) {
449 // XXX Should we tell any remaining DeathRecipient
450 // objects that the last strong ref has gone away, so they
451 // are no longer linked?
452 delete obits;
453 }
454 }
455
onIncStrongAttempted(uint32_t,const void *)456 bool BpBinder::onIncStrongAttempted(uint32_t /*flags*/, const void* /*id*/)
457 {
458 ALOGV("onIncStrongAttempted BpBinder %p handle %d\n", this, mHandle);
459 IPCThreadState* ipc = IPCThreadState::self();
460 return ipc ? ipc->attemptIncStrongHandle(mHandle) == NO_ERROR : false;
461 }
462
getBinderProxyCount(uint32_t uid)463 uint32_t BpBinder::getBinderProxyCount(uint32_t uid)
464 {
465 AutoMutex _l(sTrackingLock);
466 auto it = sTrackingMap.find(uid);
467 if (it != sTrackingMap.end()) {
468 return it->second & COUNTING_VALUE_MASK;
469 }
470 return 0;
471 }
472
getCountByUid(Vector<uint32_t> & uids,Vector<uint32_t> & counts)473 void BpBinder::getCountByUid(Vector<uint32_t>& uids, Vector<uint32_t>& counts)
474 {
475 AutoMutex _l(sTrackingLock);
476 uids.setCapacity(sTrackingMap.size());
477 counts.setCapacity(sTrackingMap.size());
478 for (const auto& it : sTrackingMap) {
479 uids.push_back(it.first);
480 counts.push_back(it.second & COUNTING_VALUE_MASK);
481 }
482 }
483
enableCountByUid()484 void BpBinder::enableCountByUid() { sCountByUidEnabled.store(true); }
disableCountByUid()485 void BpBinder::disableCountByUid() { sCountByUidEnabled.store(false); }
setCountByUidEnabled(bool enable)486 void BpBinder::setCountByUidEnabled(bool enable) { sCountByUidEnabled.store(enable); }
487
setLimitCallback(binder_proxy_limit_callback cb)488 void BpBinder::setLimitCallback(binder_proxy_limit_callback cb) {
489 AutoMutex _l(sTrackingLock);
490 sLimitCallback = cb;
491 }
492
setBinderProxyCountWatermarks(int high,int low)493 void BpBinder::setBinderProxyCountWatermarks(int high, int low) {
494 AutoMutex _l(sTrackingLock);
495 sBinderProxyCountHighWatermark = high;
496 sBinderProxyCountLowWatermark = low;
497 }
498
499 // ---------------------------------------------------------------------------
500
501 } // namespace android
502