1 /*
2  * Copyright (C) 2005 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <binder/Binder.h>
18 
19 #include <atomic>
20 #include <set>
21 
22 #include <binder/BpBinder.h>
23 #include <binder/IInterface.h>
24 #include <binder/IPCThreadState.h>
25 #include <binder/IResultReceiver.h>
26 #include <binder/IShellCallback.h>
27 #include <binder/Parcel.h>
28 #include <binder/RecordedTransaction.h>
29 #include <binder/RpcServer.h>
30 #include <binder/unique_fd.h>
31 #include <pthread.h>
32 
33 #include <inttypes.h>
34 #include <stdio.h>
35 
36 #ifdef __linux__
37 #include <linux/sched.h>
38 #endif
39 
40 #include "BuildFlags.h"
41 #include "OS.h"
42 #include "RpcState.h"
43 
44 namespace android {
45 
46 using android::binder::unique_fd;
47 
48 constexpr uid_t kUidRoot = 0;
49 
50 // Service implementations inherit from BBinder and IBinder, and this is frozen
51 // in prebuilts.
52 #ifdef __LP64__
53 static_assert(sizeof(IBinder) == 24);
54 static_assert(sizeof(BBinder) == 40);
55 #else
56 static_assert(sizeof(IBinder) == 12);
57 static_assert(sizeof(BBinder) == 20);
58 #endif
59 
60 // global b/c b/230079120 - consistent symbol table
61 #ifdef BINDER_RPC_DEV_SERVERS
62 constexpr bool kEnableRpcDevServers = true;
63 #else
64 constexpr bool kEnableRpcDevServers = false;
65 #endif
66 
67 #ifdef BINDER_ENABLE_RECORDING
68 constexpr bool kEnableRecording = true;
69 #else
70 constexpr bool kEnableRecording = false;
71 #endif
72 
73 // Log any reply transactions for which the data exceeds this size
74 #define LOG_REPLIES_OVER_SIZE (300 * 1024)
75 // ---------------------------------------------------------------------------
76 
IBinder()77 IBinder::IBinder()
78     : RefBase()
79 {
80 }
81 
~IBinder()82 IBinder::~IBinder()
83 {
84 }
85 
86 // ---------------------------------------------------------------------------
87 
queryLocalInterface(const String16 &)88 sp<IInterface>  IBinder::queryLocalInterface(const String16& /*descriptor*/)
89 {
90     return nullptr;
91 }
92 
localBinder()93 BBinder* IBinder::localBinder()
94 {
95     return nullptr;
96 }
97 
remoteBinder()98 BpBinder* IBinder::remoteBinder()
99 {
100     return nullptr;
101 }
102 
checkSubclass(const void *) const103 bool IBinder::checkSubclass(const void* /*subclassID*/) const
104 {
105     return false;
106 }
107 
108 
shellCommand(const sp<IBinder> & target,int in,int out,int err,Vector<String16> & args,const sp<IShellCallback> & callback,const sp<IResultReceiver> & resultReceiver)109 status_t IBinder::shellCommand(const sp<IBinder>& target, int in, int out, int err,
110     Vector<String16>& args, const sp<IShellCallback>& callback,
111     const sp<IResultReceiver>& resultReceiver)
112 {
113     Parcel send;
114     Parcel reply;
115     send.writeFileDescriptor(in);
116     send.writeFileDescriptor(out);
117     send.writeFileDescriptor(err);
118     const size_t numArgs = args.size();
119     send.writeInt32(numArgs);
120     for (size_t i = 0; i < numArgs; i++) {
121         send.writeString16(args[i]);
122     }
123     send.writeStrongBinder(callback != nullptr ? IInterface::asBinder(callback) : nullptr);
124     send.writeStrongBinder(resultReceiver != nullptr ? IInterface::asBinder(resultReceiver) : nullptr);
125     return target->transact(SHELL_COMMAND_TRANSACTION, send, &reply);
126 }
127 
getExtension(sp<IBinder> * out)128 status_t IBinder::getExtension(sp<IBinder>* out) {
129     BBinder* local = this->localBinder();
130     if (local != nullptr) {
131         *out = local->getExtension();
132         return OK;
133     }
134 
135     BpBinder* proxy = this->remoteBinder();
136     LOG_ALWAYS_FATAL_IF(proxy == nullptr);
137 
138     Parcel data;
139     Parcel reply;
140     status_t status = transact(EXTENSION_TRANSACTION, data, &reply);
141     if (status != OK) return status;
142 
143     return reply.readNullableStrongBinder(out);
144 }
145 
getDebugPid(pid_t * out)146 status_t IBinder::getDebugPid(pid_t* out) {
147     BBinder* local = this->localBinder();
148     if (local != nullptr) {
149       *out = local->getDebugPid();
150       return OK;
151     }
152 
153     BpBinder* proxy = this->remoteBinder();
154     LOG_ALWAYS_FATAL_IF(proxy == nullptr);
155 
156     Parcel data;
157     Parcel reply;
158     status_t status = transact(DEBUG_PID_TRANSACTION, data, &reply);
159     if (status != OK) return status;
160 
161     int32_t pid;
162     status = reply.readInt32(&pid);
163     if (status != OK) return status;
164 
165     if (pid < 0 || pid > std::numeric_limits<pid_t>::max()) {
166         return BAD_VALUE;
167     }
168     *out = pid;
169     return OK;
170 }
171 
setRpcClientDebug(unique_fd socketFd,const sp<IBinder> & keepAliveBinder)172 status_t IBinder::setRpcClientDebug(unique_fd socketFd, const sp<IBinder>& keepAliveBinder) {
173     if (!kEnableRpcDevServers) {
174         ALOGW("setRpcClientDebug disallowed because RPC is not enabled");
175         return INVALID_OPERATION;
176     }
177     if (!kEnableKernelIpc) {
178         ALOGW("setRpcClientDebug disallowed because kernel binder is not enabled");
179         return INVALID_OPERATION;
180     }
181 
182     BBinder* local = this->localBinder();
183     if (local != nullptr) {
184         return local->BBinder::setRpcClientDebug(std::move(socketFd), keepAliveBinder);
185     }
186 
187     BpBinder* proxy = this->remoteBinder();
188     LOG_ALWAYS_FATAL_IF(proxy == nullptr, "binder object must be either local or remote");
189 
190     Parcel data;
191     Parcel reply;
192     status_t status;
193     if (status = data.writeBool(socketFd.ok()); status != OK) return status;
194     if (socketFd.ok()) {
195         // writeUniqueFileDescriptor currently makes an unnecessary dup().
196         status = data.writeFileDescriptor(socketFd.release(), true /* own */);
197         if (status != OK) return status;
198     }
199     if (status = data.writeStrongBinder(keepAliveBinder); status != OK) return status;
200     return transact(SET_RPC_CLIENT_TRANSACTION, data, &reply);
201 }
202 
withLock(const std::function<void ()> & doWithLock)203 void IBinder::withLock(const std::function<void()>& doWithLock) {
204     BBinder* local = localBinder();
205     if (local) {
206         local->withLock(doWithLock);
207         return;
208     }
209     BpBinder* proxy = this->remoteBinder();
210     LOG_ALWAYS_FATAL_IF(proxy == nullptr, "binder object must be either local or remote");
211     proxy->withLock(doWithLock);
212 }
213 
lookupOrCreateWeak(const void * objectID,object_make_func make,const void * makeArgs)214 sp<IBinder> IBinder::lookupOrCreateWeak(const void* objectID, object_make_func make,
215                                         const void* makeArgs) {
216     BBinder* local = localBinder();
217     if (local) {
218         return local->lookupOrCreateWeak(objectID, make, makeArgs);
219     }
220     BpBinder* proxy = this->remoteBinder();
221     LOG_ALWAYS_FATAL_IF(proxy == nullptr, "binder object must be either local or remote");
222     return proxy->lookupOrCreateWeak(objectID, make, makeArgs);
223 }
224 
225 // ---------------------------------------------------------------------------
226 
227 class BBinder::RpcServerLink : public IBinder::DeathRecipient {
228 public:
229     // On binder died, calls RpcServer::shutdown on @a rpcServer, and removes itself from @a binder.
RpcServerLink(const sp<RpcServer> & rpcServer,const sp<IBinder> & keepAliveBinder,const wp<BBinder> & binder)230     RpcServerLink(const sp<RpcServer>& rpcServer, const sp<IBinder>& keepAliveBinder,
231                   const wp<BBinder>& binder)
232           : mRpcServer(rpcServer), mKeepAliveBinder(keepAliveBinder), mBinder(binder) {}
233     virtual ~RpcServerLink();
binderDied(const wp<IBinder> &)234     void binderDied(const wp<IBinder>&) override {
235         auto promoted = mBinder.promote();
236         ALOGI("RpcBinder: binder died, shutting down RpcServer for %s",
237               promoted ? String8(promoted->getInterfaceDescriptor()).c_str() : "<NULL>");
238 
239         if (mRpcServer == nullptr) {
240             ALOGW("RpcServerLink: Unable to shut down RpcServer because it does not exist.");
241         } else {
242             ALOGW_IF(!mRpcServer->shutdown(),
243                      "RpcServerLink: RpcServer did not shut down properly. Not started?");
244         }
245         mRpcServer.clear();
246 
247         if (promoted) {
248             promoted->removeRpcServerLink(sp<RpcServerLink>::fromExisting(this));
249         }
250         mBinder.clear();
251     }
252 
253 private:
254     sp<RpcServer> mRpcServer;
255     sp<IBinder> mKeepAliveBinder; // hold to avoid automatically unlinking
256     wp<BBinder> mBinder;
257 };
~RpcServerLink()258 BBinder::RpcServerLink::~RpcServerLink() {}
259 
260 class BBinder::Extras
261 {
262 public:
263     // unlocked objects
264     sp<IBinder> mExtension;
265 #ifdef __linux__
266     int mPolicy = SCHED_NORMAL;
267     int mPriority = 0;
268 #endif
269     bool mRequestingSid = false;
270     bool mInheritRt = false;
271 
272     // for below objects
273     RpcMutex mLock;
274     std::set<sp<RpcServerLink>> mRpcServerLinks;
275     BpBinder::ObjectManager mObjects;
276 
277     unique_fd mRecordingFd;
278 };
279 
280 // ---------------------------------------------------------------------------
281 
BBinder()282 BBinder::BBinder() : mExtras(nullptr), mStability(0), mParceled(false), mRecordingOn(false) {}
283 
isBinderAlive() const284 bool BBinder::isBinderAlive() const
285 {
286     return true;
287 }
288 
pingBinder()289 status_t BBinder::pingBinder()
290 {
291     return NO_ERROR;
292 }
293 
startRecordingTransactions(const Parcel & data)294 status_t BBinder::startRecordingTransactions(const Parcel& data) {
295     if (!kEnableRecording) {
296         ALOGW("Binder recording disallowed because recording is not enabled");
297         return INVALID_OPERATION;
298     }
299     if (!kEnableKernelIpc) {
300         ALOGW("Binder recording disallowed because kernel binder is not enabled");
301         return INVALID_OPERATION;
302     }
303     uid_t uid = IPCThreadState::self()->getCallingUid();
304     if (uid != kUidRoot) {
305         ALOGE("Binder recording not allowed because client %" PRIu32 " is not root", uid);
306         return PERMISSION_DENIED;
307     }
308     Extras* e = getOrCreateExtras();
309     RpcMutexUniqueLock lock(e->mLock);
310     if (mRecordingOn) {
311         ALOGI("Could not start Binder recording. Another is already in progress.");
312         return INVALID_OPERATION;
313     } else {
314         status_t readStatus = data.readUniqueFileDescriptor(&(e->mRecordingFd));
315         if (readStatus != OK) {
316             return readStatus;
317         }
318         mRecordingOn = true;
319         ALOGI("Started Binder recording.");
320         return NO_ERROR;
321     }
322 }
323 
stopRecordingTransactions()324 status_t BBinder::stopRecordingTransactions() {
325     if (!kEnableRecording) {
326         ALOGW("Binder recording disallowed because recording is not enabled");
327         return INVALID_OPERATION;
328     }
329     if (!kEnableKernelIpc) {
330         ALOGW("Binder recording disallowed because kernel binder is not enabled");
331         return INVALID_OPERATION;
332     }
333     uid_t uid = IPCThreadState::self()->getCallingUid();
334     if (uid != kUidRoot) {
335         ALOGE("Binder recording not allowed because client %" PRIu32 " is not root", uid);
336         return PERMISSION_DENIED;
337     }
338     Extras* e = getOrCreateExtras();
339     RpcMutexUniqueLock lock(e->mLock);
340     if (mRecordingOn) {
341         e->mRecordingFd.reset();
342         mRecordingOn = false;
343         ALOGI("Stopped Binder recording.");
344         return NO_ERROR;
345     } else {
346         ALOGI("Could not stop Binder recording. One is not in progress.");
347         return INVALID_OPERATION;
348     }
349 }
350 
getInterfaceDescriptor() const351 const String16& BBinder::getInterfaceDescriptor() const
352 {
353     static StaticString16 sBBinder(u"BBinder");
354     ALOGW("Reached BBinder::getInterfaceDescriptor (this=%p). Override?", this);
355     return sBBinder;
356 }
357 
358 // NOLINTNEXTLINE(google-default-arguments)
transact(uint32_t code,const Parcel & data,Parcel * reply,uint32_t flags)359 status_t BBinder::transact(
360     uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
361 {
362     data.setDataPosition(0);
363 
364     if (reply != nullptr && (flags & FLAG_CLEAR_BUF)) {
365         reply->markSensitive();
366     }
367 
368     status_t err = NO_ERROR;
369     switch (code) {
370         case PING_TRANSACTION:
371             err = pingBinder();
372             break;
373         case START_RECORDING_TRANSACTION:
374             err = startRecordingTransactions(data);
375             break;
376         case STOP_RECORDING_TRANSACTION:
377             err = stopRecordingTransactions();
378             break;
379         case EXTENSION_TRANSACTION:
380             LOG_ALWAYS_FATAL_IF(reply == nullptr, "reply == nullptr");
381             err = reply->writeStrongBinder(getExtension());
382             break;
383         case DEBUG_PID_TRANSACTION:
384             LOG_ALWAYS_FATAL_IF(reply == nullptr, "reply == nullptr");
385             err = reply->writeInt32(getDebugPid());
386             break;
387         case SET_RPC_CLIENT_TRANSACTION: {
388             err = setRpcClientDebug(data);
389             break;
390         }
391         default:
392             err = onTransact(code, data, reply, flags);
393             break;
394     }
395 
396     // In case this is being transacted on in the same process.
397     if (reply != nullptr) {
398         reply->setDataPosition(0);
399         if (reply->dataSize() > LOG_REPLIES_OVER_SIZE) {
400             ALOGW("Large reply transaction of %zu bytes, interface descriptor %s, code %d",
401                   reply->dataSize(), String8(getInterfaceDescriptor()).c_str(), code);
402         }
403     }
404 
405     if (kEnableKernelIpc && mRecordingOn && code != START_RECORDING_TRANSACTION) [[unlikely]] {
406         Extras* e = mExtras.load(std::memory_order_acquire);
407         RpcMutexUniqueLock lock(e->mLock);
408         if (mRecordingOn) {
409             Parcel emptyReply;
410             timespec ts;
411             timespec_get(&ts, TIME_UTC);
412             auto transaction = android::binder::debug::RecordedTransaction::
413                     fromDetails(getInterfaceDescriptor(), code, flags, ts, data,
414                                 reply ? *reply : emptyReply, err);
415             if (transaction) {
416                 if (status_t err = transaction->dumpToFile(e->mRecordingFd); err != NO_ERROR) {
417                     ALOGI("Failed to dump RecordedTransaction to file with error %d", err);
418                 }
419             } else {
420                 ALOGI("Failed to create RecordedTransaction object.");
421             }
422         }
423     }
424 
425     return err;
426 }
427 
428 // NOLINTNEXTLINE(google-default-arguments)
linkToDeath(const sp<DeathRecipient> &,void *,uint32_t)429 status_t BBinder::linkToDeath(
430     const sp<DeathRecipient>& /*recipient*/, void* /*cookie*/,
431     uint32_t /*flags*/)
432 {
433     return INVALID_OPERATION;
434 }
435 
436 // NOLINTNEXTLINE(google-default-arguments)
unlinkToDeath(const wp<DeathRecipient> &,void *,uint32_t,wp<DeathRecipient> *)437 status_t BBinder::unlinkToDeath(
438     const wp<DeathRecipient>& /*recipient*/, void* /*cookie*/,
439     uint32_t /*flags*/, wp<DeathRecipient>* /*outRecipient*/)
440 {
441     return INVALID_OPERATION;
442 }
443 
dump(int,const Vector<String16> &)444 status_t BBinder::dump(int /*fd*/, const Vector<String16>& /*args*/)
445 {
446     return NO_ERROR;
447 }
448 
attachObject(const void * objectID,void * object,void * cleanupCookie,object_cleanup_func func)449 void* BBinder::attachObject(const void* objectID, void* object, void* cleanupCookie,
450                             object_cleanup_func func) {
451     Extras* e = getOrCreateExtras();
452     LOG_ALWAYS_FATAL_IF(!e, "no memory");
453 
454     RpcMutexUniqueLock _l(e->mLock);
455     return e->mObjects.attach(objectID, object, cleanupCookie, func);
456 }
457 
findObject(const void * objectID) const458 void* BBinder::findObject(const void* objectID) const
459 {
460     Extras* e = mExtras.load(std::memory_order_acquire);
461     if (!e) return nullptr;
462 
463     RpcMutexUniqueLock _l(e->mLock);
464     return e->mObjects.find(objectID);
465 }
466 
detachObject(const void * objectID)467 void* BBinder::detachObject(const void* objectID) {
468     Extras* e = mExtras.load(std::memory_order_acquire);
469     if (!e) return nullptr;
470 
471     RpcMutexUniqueLock _l(e->mLock);
472     return e->mObjects.detach(objectID);
473 }
474 
withLock(const std::function<void ()> & doWithLock)475 void BBinder::withLock(const std::function<void()>& doWithLock) {
476     Extras* e = getOrCreateExtras();
477     LOG_ALWAYS_FATAL_IF(!e, "no memory");
478 
479     RpcMutexUniqueLock _l(e->mLock);
480     doWithLock();
481 }
482 
lookupOrCreateWeak(const void * objectID,object_make_func make,const void * makeArgs)483 sp<IBinder> BBinder::lookupOrCreateWeak(const void* objectID, object_make_func make,
484                                         const void* makeArgs) {
485     Extras* e = getOrCreateExtras();
486     LOG_ALWAYS_FATAL_IF(!e, "no memory");
487     RpcMutexUniqueLock _l(e->mLock);
488     return e->mObjects.lookupOrCreateWeak(objectID, make, makeArgs);
489 }
490 
localBinder()491 BBinder* BBinder::localBinder()
492 {
493     return this;
494 }
495 
isRequestingSid()496 bool BBinder::isRequestingSid()
497 {
498     Extras* e = mExtras.load(std::memory_order_acquire);
499 
500     return e && e->mRequestingSid;
501 }
502 
setRequestingSid(bool requestingSid)503 void BBinder::setRequestingSid(bool requestingSid)
504 {
505     LOG_ALWAYS_FATAL_IF(mParceled,
506                         "setRequestingSid() should not be called after a binder object "
507                         "is parceled/sent to another process");
508 
509     Extras* e = mExtras.load(std::memory_order_acquire);
510 
511     if (!e) {
512         // default is false. Most things don't need sids, so avoiding allocations when possible.
513         if (!requestingSid) {
514             return;
515         }
516 
517         e = getOrCreateExtras();
518         if (!e) return; // out of memory
519     }
520 
521     e->mRequestingSid = requestingSid;
522 }
523 
getExtension()524 sp<IBinder> BBinder::getExtension() {
525     Extras* e = mExtras.load(std::memory_order_acquire);
526     if (e == nullptr) return nullptr;
527     return e->mExtension;
528 }
529 
530 #ifdef __linux__
setMinSchedulerPolicy(int policy,int priority)531 void BBinder::setMinSchedulerPolicy(int policy, int priority) {
532     LOG_ALWAYS_FATAL_IF(mParceled,
533                         "setMinSchedulerPolicy() should not be called after a binder object "
534                         "is parceled/sent to another process");
535 
536     switch (policy) {
537     case SCHED_NORMAL:
538       LOG_ALWAYS_FATAL_IF(priority < -20 || priority > 19, "Invalid priority for SCHED_NORMAL: %d", priority);
539       break;
540     case SCHED_RR:
541     case SCHED_FIFO:
542       LOG_ALWAYS_FATAL_IF(priority < 1 || priority > 99, "Invalid priority for sched %d: %d", policy, priority);
543       break;
544     default:
545       LOG_ALWAYS_FATAL("Unrecognized scheduling policy: %d", policy);
546     }
547 
548     Extras* e = mExtras.load(std::memory_order_acquire);
549 
550     if (e == nullptr) {
551         // Avoid allocations if called with default.
552         if (policy == SCHED_NORMAL && priority == 0) {
553             return;
554         }
555 
556         e = getOrCreateExtras();
557         if (!e) return; // out of memory
558     }
559 
560     e->mPolicy = policy;
561     e->mPriority = priority;
562 }
563 
getMinSchedulerPolicy()564 int BBinder::getMinSchedulerPolicy() {
565     Extras* e = mExtras.load(std::memory_order_acquire);
566     if (e == nullptr) return SCHED_NORMAL;
567     return e->mPolicy;
568 }
569 
getMinSchedulerPriority()570 int BBinder::getMinSchedulerPriority() {
571     Extras* e = mExtras.load(std::memory_order_acquire);
572     if (e == nullptr) return 0;
573     return e->mPriority;
574 }
575 #endif // __linux__
576 
isInheritRt()577 bool BBinder::isInheritRt() {
578     Extras* e = mExtras.load(std::memory_order_acquire);
579 
580     return e && e->mInheritRt;
581 }
582 
setInheritRt(bool inheritRt)583 void BBinder::setInheritRt(bool inheritRt) {
584     LOG_ALWAYS_FATAL_IF(mParceled,
585                         "setInheritRt() should not be called after a binder object "
586                         "is parceled/sent to another process");
587 
588     Extras* e = mExtras.load(std::memory_order_acquire);
589 
590     if (!e) {
591         if (!inheritRt) {
592             return;
593         }
594 
595         e = getOrCreateExtras();
596         if (!e) return; // out of memory
597     }
598 
599     e->mInheritRt = inheritRt;
600 }
601 
getDebugPid()602 pid_t BBinder::getDebugPid() {
603 #ifdef __linux__
604     return getpid();
605 #else
606     // TODO: handle other OSes
607     return 0;
608 #endif // __linux__
609 }
610 
setExtension(const sp<IBinder> & extension)611 void BBinder::setExtension(const sp<IBinder>& extension) {
612     LOG_ALWAYS_FATAL_IF(mParceled,
613                         "setExtension() should not be called after a binder object "
614                         "is parceled/sent to another process");
615 
616     Extras* e = getOrCreateExtras();
617     e->mExtension = extension;
618 }
619 
wasParceled()620 bool BBinder::wasParceled() {
621     return mParceled;
622 }
623 
setParceled()624 void BBinder::setParceled() {
625     mParceled = true;
626 }
627 
setRpcClientDebug(const Parcel & data)628 status_t BBinder::setRpcClientDebug(const Parcel& data) {
629     if (!kEnableRpcDevServers) {
630         ALOGW("%s: disallowed because RPC is not enabled", __PRETTY_FUNCTION__);
631         return INVALID_OPERATION;
632     }
633     if (!kEnableKernelIpc) {
634         ALOGW("setRpcClientDebug disallowed because kernel binder is not enabled");
635         return INVALID_OPERATION;
636     }
637     uid_t uid = IPCThreadState::self()->getCallingUid();
638     if (uid != kUidRoot) {
639         ALOGE("%s: not allowed because client %" PRIu32 " is not root", __PRETTY_FUNCTION__, uid);
640         return PERMISSION_DENIED;
641     }
642     status_t status;
643     bool hasSocketFd;
644     unique_fd clientFd;
645 
646     if (status = data.readBool(&hasSocketFd); status != OK) return status;
647     if (hasSocketFd) {
648         if (status = data.readUniqueFileDescriptor(&clientFd); status != OK) return status;
649     }
650     sp<IBinder> keepAliveBinder;
651     if (status = data.readNullableStrongBinder(&keepAliveBinder); status != OK) return status;
652 
653     return setRpcClientDebug(std::move(clientFd), keepAliveBinder);
654 }
655 
setRpcClientDebug(unique_fd socketFd,const sp<IBinder> & keepAliveBinder)656 status_t BBinder::setRpcClientDebug(unique_fd socketFd, const sp<IBinder>& keepAliveBinder) {
657     if (!kEnableRpcDevServers) {
658         ALOGW("%s: disallowed because RPC is not enabled", __PRETTY_FUNCTION__);
659         return INVALID_OPERATION;
660     }
661     if (!kEnableKernelIpc) {
662         ALOGW("setRpcClientDebug disallowed because kernel binder is not enabled");
663         return INVALID_OPERATION;
664     }
665 
666     const int socketFdForPrint = socketFd.get();
667     LOG_RPC_DETAIL("%s(fd=%d)", __PRETTY_FUNCTION__, socketFdForPrint);
668 
669     if (!socketFd.ok()) {
670         ALOGE("%s: No socket FD provided.", __PRETTY_FUNCTION__);
671         return BAD_VALUE;
672     }
673 
674     if (keepAliveBinder == nullptr) {
675         ALOGE("%s: No keepAliveBinder provided.", __PRETTY_FUNCTION__);
676         return UNEXPECTED_NULL;
677     }
678 
679     size_t binderThreadPoolMaxCount = ProcessState::self()->getThreadPoolMaxTotalThreadCount();
680     if (binderThreadPoolMaxCount <= 1) {
681         ALOGE("%s: ProcessState thread pool max count is %zu. RPC is disabled for this service "
682               "because RPC requires the service to support multithreading.",
683               __PRETTY_FUNCTION__, binderThreadPoolMaxCount);
684         return INVALID_OPERATION;
685     }
686 
687     // Weak ref to avoid circular dependency:
688     // BBinder -> RpcServerLink ----> RpcServer -X-> BBinder
689     //                          `-X-> BBinder
690     auto weakThis = wp<BBinder>::fromExisting(this);
691 
692     Extras* e = getOrCreateExtras();
693     RpcMutexUniqueLock _l(e->mLock);
694     auto rpcServer = RpcServer::make();
695     LOG_ALWAYS_FATAL_IF(rpcServer == nullptr, "RpcServer::make returns null");
696     auto link = sp<RpcServerLink>::make(rpcServer, keepAliveBinder, weakThis);
697     if (auto status = keepAliveBinder->linkToDeath(link, nullptr, 0); status != OK) {
698         ALOGE("%s: keepAliveBinder->linkToDeath returns %s", __PRETTY_FUNCTION__,
699               statusToString(status).c_str());
700         return status;
701     }
702     rpcServer->setRootObjectWeak(weakThis);
703     if (auto status = rpcServer->setupExternalServer(std::move(socketFd)); status != OK) {
704         return status;
705     }
706     rpcServer->setMaxThreads(binderThreadPoolMaxCount);
707     ALOGI("RpcBinder: Started Binder debug on %s", String8(getInterfaceDescriptor()).c_str());
708     rpcServer->start();
709     e->mRpcServerLinks.emplace(link);
710     LOG_RPC_DETAIL("%s(fd=%d) successful", __PRETTY_FUNCTION__, socketFdForPrint);
711     return OK;
712 }
713 
removeRpcServerLink(const sp<RpcServerLink> & link)714 void BBinder::removeRpcServerLink(const sp<RpcServerLink>& link) {
715     Extras* e = mExtras.load(std::memory_order_acquire);
716     if (!e) return;
717     RpcMutexUniqueLock _l(e->mLock);
718     (void)e->mRpcServerLinks.erase(link);
719 }
720 
~BBinder()721 BBinder::~BBinder()
722 {
723     if (!wasParceled()) {
724         if (getExtension()) {
725             ALOGW("Binder %p destroyed with extension attached before being parceled.", this);
726         }
727         if (isRequestingSid()) {
728             ALOGW("Binder %p destroyed when requesting SID before being parceled.", this);
729         }
730         if (isInheritRt()) {
731             ALOGW("Binder %p destroyed after setInheritRt before being parceled.", this);
732         }
733 #ifdef __linux__
734         if (getMinSchedulerPolicy() != SCHED_NORMAL) {
735             ALOGW("Binder %p destroyed after setMinSchedulerPolicy before being parceled.", this);
736         }
737         if (getMinSchedulerPriority() != 0) {
738             ALOGW("Binder %p destroyed after setMinSchedulerPolicy before being parceled.", this);
739         }
740 #endif // __linux__
741     }
742 
743     Extras* e = mExtras.load(std::memory_order_relaxed);
744     if (e) delete e;
745 }
746 
747 
748 // NOLINTNEXTLINE(google-default-arguments)
onTransact(uint32_t code,const Parcel & data,Parcel * reply,uint32_t)749 status_t BBinder::onTransact(
750     uint32_t code, const Parcel& data, Parcel* reply, uint32_t /*flags*/)
751 {
752     switch (code) {
753         case INTERFACE_TRANSACTION:
754             LOG_ALWAYS_FATAL_IF(reply == nullptr, "reply == nullptr");
755             reply->writeString16(getInterfaceDescriptor());
756             return NO_ERROR;
757 
758         case DUMP_TRANSACTION: {
759             int fd = data.readFileDescriptor();
760             int argc = data.readInt32();
761             Vector<String16> args;
762             for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
763                args.add(data.readString16());
764             }
765             return dump(fd, args);
766         }
767 
768         case SHELL_COMMAND_TRANSACTION: {
769             int in = data.readFileDescriptor();
770             int out = data.readFileDescriptor();
771             int err = data.readFileDescriptor();
772             int argc = data.readInt32();
773             Vector<String16> args;
774             for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
775                args.add(data.readString16());
776             }
777             sp<IBinder> shellCallbackBinder = data.readStrongBinder();
778             sp<IResultReceiver> resultReceiver = IResultReceiver::asInterface(
779                     data.readStrongBinder());
780 
781             // XXX can't add virtuals until binaries are updated.
782             // sp<IShellCallback> shellCallback = IShellCallback::asInterface(
783             //        shellCallbackBinder);
784             // return shellCommand(in, out, err, args, resultReceiver);
785             (void)in;
786             (void)out;
787             (void)err;
788 
789             if (resultReceiver != nullptr) {
790                 resultReceiver->send(INVALID_OPERATION);
791             }
792 
793             return NO_ERROR;
794         }
795 
796         case SYSPROPS_TRANSACTION: {
797             if (!binder::os::report_sysprop_change()) return INVALID_OPERATION;
798             return NO_ERROR;
799         }
800 
801         default:
802             return UNKNOWN_TRANSACTION;
803     }
804 }
805 
getOrCreateExtras()806 BBinder::Extras* BBinder::getOrCreateExtras()
807 {
808     Extras* e = mExtras.load(std::memory_order_acquire);
809 
810     if (!e) {
811         e = new Extras;
812         Extras* expected = nullptr;
813         if (!mExtras.compare_exchange_strong(expected, e,
814                                              std::memory_order_release,
815                                              std::memory_order_acquire)) {
816             delete e;
817             e = expected;  // Filled in by CAS
818         }
819         if (e == nullptr) return nullptr; // out of memory
820     }
821 
822     return e;
823 }
824 
825 // ---------------------------------------------------------------------------
826 
827 enum {
828     // This is used to transfer ownership of the remote binder from
829     // the BpRefBase object holding it (when it is constructed), to the
830     // owner of the BpRefBase object when it first acquires that BpRefBase.
831     kRemoteAcquired = 0x00000001
832 };
833 
BpRefBase(const sp<IBinder> & o)834 BpRefBase::BpRefBase(const sp<IBinder>& o)
835     : mRemote(o.get()), mRefs(nullptr), mState(0)
836 {
837     extendObjectLifetime(OBJECT_LIFETIME_WEAK);
838 
839     if (mRemote) {
840         mRemote->incStrong(this);           // Removed on first IncStrong().
841         mRefs = mRemote->createWeak(this);  // Held for our entire lifetime.
842     }
843 }
844 
~BpRefBase()845 BpRefBase::~BpRefBase()
846 {
847     if (mRemote) {
848         if (!(mState.load(std::memory_order_relaxed)&kRemoteAcquired)) {
849             mRemote->decStrong(this);
850         }
851         mRefs->decWeak(this);
852     }
853 }
854 
onFirstRef()855 void BpRefBase::onFirstRef()
856 {
857     mState.fetch_or(kRemoteAcquired, std::memory_order_relaxed);
858 }
859 
onLastStrongRef(const void *)860 void BpRefBase::onLastStrongRef(const void* /*id*/)
861 {
862     if (mRemote) {
863         mRemote->decStrong(this);
864     }
865 }
866 
onIncStrongAttempted(uint32_t,const void *)867 bool BpRefBase::onIncStrongAttempted(uint32_t /*flags*/, const void* /*id*/)
868 {
869     return mRemote ? mRefs->attemptIncStrong(this) : false;
870 }
871 
872 // ---------------------------------------------------------------------------
873 
874 } // namespace android
875