1 /* Copyright 2008 The Android Open Source Project
2 */
3
4 #define LOG_TAG "Binder"
5
6 #include <errno.h>
7 #include <fcntl.h>
8 #include <inttypes.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <sys/mman.h>
13 #include <unistd.h>
14
15 #include <log/log.h>
16
17 #include "binder.h"
18
19 #define MAX_BIO_SIZE (1 << 30)
20
21 #define TRACE 0
22
23 void bio_init_from_txn(struct binder_io *io, struct binder_transaction_data *txn);
24
25 #if TRACE
hexdump(void * _data,size_t len)26 void hexdump(void *_data, size_t len)
27 {
28 unsigned char *data = _data;
29 size_t count;
30
31 for (count = 0; count < len; count++) {
32 if ((count & 15) == 0)
33 fprintf(stderr,"%04zu:", count);
34 fprintf(stderr," %02x %c", *data,
35 (*data < 32) || (*data > 126) ? '.' : *data);
36 data++;
37 if ((count & 15) == 15)
38 fprintf(stderr,"\n");
39 }
40 if ((count & 15) != 0)
41 fprintf(stderr,"\n");
42 }
43
binder_dump_txn(struct binder_transaction_data * txn)44 void binder_dump_txn(struct binder_transaction_data *txn)
45 {
46 struct flat_binder_object *obj;
47 binder_size_t *offs = (binder_size_t *)(uintptr_t)txn->data.ptr.offsets;
48 size_t count = txn->offsets_size / sizeof(binder_size_t);
49
50 fprintf(stderr," target %016"PRIx64" cookie %016"PRIx64" code %08x flags %08x\n",
51 (uint64_t)txn->target.ptr, (uint64_t)txn->cookie, txn->code, txn->flags);
52 fprintf(stderr," pid %8d uid %8d data %"PRIu64" offs %"PRIu64"\n",
53 txn->sender_pid, txn->sender_euid, (uint64_t)txn->data_size, (uint64_t)txn->offsets_size);
54 hexdump((void *)(uintptr_t)txn->data.ptr.buffer, txn->data_size);
55 while (count--) {
56 obj = (struct flat_binder_object *) (((char*)(uintptr_t)txn->data.ptr.buffer) + *offs++);
57 fprintf(stderr," - type %08x flags %08x ptr %016"PRIx64" cookie %016"PRIx64"\n",
58 obj->type, obj->flags, (uint64_t)obj->binder, (uint64_t)obj->cookie);
59 }
60 }
61
62 #define NAME(n) case n: return #n
cmd_name(uint32_t cmd)63 const char *cmd_name(uint32_t cmd)
64 {
65 switch(cmd) {
66 NAME(BR_NOOP);
67 NAME(BR_TRANSACTION_COMPLETE);
68 NAME(BR_INCREFS);
69 NAME(BR_ACQUIRE);
70 NAME(BR_RELEASE);
71 NAME(BR_DECREFS);
72 NAME(BR_TRANSACTION);
73 NAME(BR_REPLY);
74 NAME(BR_FAILED_REPLY);
75 NAME(BR_DEAD_REPLY);
76 NAME(BR_DEAD_BINDER);
77 default: return "???";
78 }
79 }
80 #else
81 #define hexdump(a,b) do{} while (0)
82 #define binder_dump_txn(txn) do{} while (0)
83 #endif
84
85 #define BIO_F_SHARED 0x01 /* needs to be buffer freed */
86 #define BIO_F_OVERFLOW 0x02 /* ran out of space */
87 #define BIO_F_IOERROR 0x04
88 #define BIO_F_MALLOCED 0x08 /* needs to be free()'d */
89
90 struct binder_state
91 {
92 int fd;
93 void *mapped;
94 size_t mapsize;
95 };
96
binder_open(const char * driver,size_t mapsize)97 struct binder_state *binder_open(const char* driver, size_t mapsize)
98 {
99 struct binder_state *bs;
100 struct binder_version vers;
101
102 bs = malloc(sizeof(*bs));
103 if (!bs) {
104 errno = ENOMEM;
105 return NULL;
106 }
107
108 bs->fd = open(driver, O_RDWR | O_CLOEXEC);
109 if (bs->fd < 0) {
110 fprintf(stderr,"binder: cannot open %s (%s)\n",
111 driver, strerror(errno));
112 goto fail_open;
113 }
114
115 if ((ioctl(bs->fd, BINDER_VERSION, &vers) == -1) ||
116 (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION)) {
117 fprintf(stderr,
118 "binder: kernel driver version (%d) differs from user space version (%d)\n",
119 vers.protocol_version, BINDER_CURRENT_PROTOCOL_VERSION);
120 goto fail_open;
121 }
122
123 bs->mapsize = mapsize;
124 bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);
125 if (bs->mapped == MAP_FAILED) {
126 fprintf(stderr,"binder: cannot map device (%s)\n",
127 strerror(errno));
128 goto fail_map;
129 }
130
131 return bs;
132
133 fail_map:
134 close(bs->fd);
135 fail_open:
136 free(bs);
137 return NULL;
138 }
139
binder_close(struct binder_state * bs)140 void binder_close(struct binder_state *bs)
141 {
142 munmap(bs->mapped, bs->mapsize);
143 close(bs->fd);
144 free(bs);
145 }
146
binder_become_context_manager(struct binder_state * bs)147 int binder_become_context_manager(struct binder_state *bs)
148 {
149 return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);
150 }
151
binder_write(struct binder_state * bs,void * data,size_t len)152 int binder_write(struct binder_state *bs, void *data, size_t len)
153 {
154 struct binder_write_read bwr;
155 int res;
156
157 bwr.write_size = len;
158 bwr.write_consumed = 0;
159 bwr.write_buffer = (uintptr_t) data;
160 bwr.read_size = 0;
161 bwr.read_consumed = 0;
162 bwr.read_buffer = 0;
163 res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
164 if (res < 0) {
165 fprintf(stderr,"binder_write: ioctl failed (%s)\n",
166 strerror(errno));
167 }
168 return res;
169 }
170
binder_free_buffer(struct binder_state * bs,binder_uintptr_t buffer_to_free)171 void binder_free_buffer(struct binder_state *bs,
172 binder_uintptr_t buffer_to_free)
173 {
174 struct {
175 uint32_t cmd_free;
176 binder_uintptr_t buffer;
177 } __attribute__((packed)) data;
178 data.cmd_free = BC_FREE_BUFFER;
179 data.buffer = buffer_to_free;
180 binder_write(bs, &data, sizeof(data));
181 }
182
binder_send_reply(struct binder_state * bs,struct binder_io * reply,binder_uintptr_t buffer_to_free,int status)183 void binder_send_reply(struct binder_state *bs,
184 struct binder_io *reply,
185 binder_uintptr_t buffer_to_free,
186 int status)
187 {
188 struct {
189 uint32_t cmd_free;
190 binder_uintptr_t buffer;
191 uint32_t cmd_reply;
192 struct binder_transaction_data txn;
193 } __attribute__((packed)) data;
194
195 data.cmd_free = BC_FREE_BUFFER;
196 data.buffer = buffer_to_free;
197 data.cmd_reply = BC_REPLY;
198 data.txn.target.ptr = 0;
199 data.txn.cookie = 0;
200 data.txn.code = 0;
201 if (status) {
202 data.txn.flags = TF_STATUS_CODE;
203 data.txn.data_size = sizeof(int);
204 data.txn.offsets_size = 0;
205 data.txn.data.ptr.buffer = (uintptr_t)&status;
206 data.txn.data.ptr.offsets = 0;
207 } else {
208 data.txn.flags = 0;
209 data.txn.data_size = reply->data - reply->data0;
210 data.txn.offsets_size = ((char*) reply->offs) - ((char*) reply->offs0);
211 data.txn.data.ptr.buffer = (uintptr_t)reply->data0;
212 data.txn.data.ptr.offsets = (uintptr_t)reply->offs0;
213 }
214 binder_write(bs, &data, sizeof(data));
215 }
216
binder_parse(struct binder_state * bs,struct binder_io * bio,uintptr_t ptr,size_t size,binder_handler func)217 int binder_parse(struct binder_state *bs, struct binder_io *bio,
218 uintptr_t ptr, size_t size, binder_handler func)
219 {
220 int r = 1;
221 uintptr_t end = ptr + (uintptr_t) size;
222
223 while (ptr < end) {
224 uint32_t cmd = *(uint32_t *) ptr;
225 ptr += sizeof(uint32_t);
226 #if TRACE
227 fprintf(stderr,"%s:\n", cmd_name(cmd));
228 #endif
229 switch(cmd) {
230 case BR_NOOP:
231 break;
232 case BR_TRANSACTION_COMPLETE:
233 break;
234 case BR_INCREFS:
235 case BR_ACQUIRE:
236 case BR_RELEASE:
237 case BR_DECREFS:
238 #if TRACE
239 fprintf(stderr," %p, %p\n", (void *)ptr, (void *)(ptr + sizeof(void *)));
240 #endif
241 ptr += sizeof(struct binder_ptr_cookie);
242 break;
243 case BR_TRANSACTION: {
244 struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
245 if ((end - ptr) < sizeof(*txn)) {
246 ALOGE("parse: txn too small!\n");
247 return -1;
248 }
249 binder_dump_txn(txn);
250 if (func) {
251 unsigned rdata[256/4];
252 struct binder_io msg;
253 struct binder_io reply;
254 int res;
255
256 bio_init(&reply, rdata, sizeof(rdata), 4);
257 bio_init_from_txn(&msg, txn);
258 res = func(bs, txn, &msg, &reply);
259 if (txn->flags & TF_ONE_WAY) {
260 binder_free_buffer(bs, txn->data.ptr.buffer);
261 } else {
262 binder_send_reply(bs, &reply, txn->data.ptr.buffer, res);
263 }
264 }
265 ptr += sizeof(*txn);
266 break;
267 }
268 case BR_REPLY: {
269 struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
270 if ((end - ptr) < sizeof(*txn)) {
271 ALOGE("parse: reply too small!\n");
272 return -1;
273 }
274 binder_dump_txn(txn);
275 if (bio) {
276 bio_init_from_txn(bio, txn);
277 bio = 0;
278 } else {
279 /* todo FREE BUFFER */
280 }
281 ptr += sizeof(*txn);
282 r = 0;
283 break;
284 }
285 case BR_DEAD_BINDER: {
286 struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr;
287 ptr += sizeof(binder_uintptr_t);
288 death->func(bs, death->ptr);
289 break;
290 }
291 case BR_FAILED_REPLY:
292 r = -1;
293 break;
294 case BR_DEAD_REPLY:
295 r = -1;
296 break;
297 default:
298 ALOGE("parse: OOPS %d\n", cmd);
299 return -1;
300 }
301 }
302
303 return r;
304 }
305
binder_acquire(struct binder_state * bs,uint32_t target)306 void binder_acquire(struct binder_state *bs, uint32_t target)
307 {
308 uint32_t cmd[2];
309 cmd[0] = BC_ACQUIRE;
310 cmd[1] = target;
311 binder_write(bs, cmd, sizeof(cmd));
312 }
313
binder_release(struct binder_state * bs,uint32_t target)314 void binder_release(struct binder_state *bs, uint32_t target)
315 {
316 uint32_t cmd[2];
317 cmd[0] = BC_RELEASE;
318 cmd[1] = target;
319 binder_write(bs, cmd, sizeof(cmd));
320 }
321
binder_link_to_death(struct binder_state * bs,uint32_t target,struct binder_death * death)322 void binder_link_to_death(struct binder_state *bs, uint32_t target, struct binder_death *death)
323 {
324 struct {
325 uint32_t cmd;
326 struct binder_handle_cookie payload;
327 } __attribute__((packed)) data;
328
329 data.cmd = BC_REQUEST_DEATH_NOTIFICATION;
330 data.payload.handle = target;
331 data.payload.cookie = (uintptr_t) death;
332 binder_write(bs, &data, sizeof(data));
333 }
334
binder_call(struct binder_state * bs,struct binder_io * msg,struct binder_io * reply,uint32_t target,uint32_t code)335 int binder_call(struct binder_state *bs,
336 struct binder_io *msg, struct binder_io *reply,
337 uint32_t target, uint32_t code)
338 {
339 int res;
340 struct binder_write_read bwr;
341 struct {
342 uint32_t cmd;
343 struct binder_transaction_data txn;
344 } __attribute__((packed)) writebuf;
345 unsigned readbuf[32];
346
347 if (msg->flags & BIO_F_OVERFLOW) {
348 fprintf(stderr,"binder: txn buffer overflow\n");
349 goto fail;
350 }
351
352 writebuf.cmd = BC_TRANSACTION;
353 writebuf.txn.target.handle = target;
354 writebuf.txn.code = code;
355 writebuf.txn.flags = 0;
356 writebuf.txn.data_size = msg->data - msg->data0;
357 writebuf.txn.offsets_size = ((char*) msg->offs) - ((char*) msg->offs0);
358 writebuf.txn.data.ptr.buffer = (uintptr_t)msg->data0;
359 writebuf.txn.data.ptr.offsets = (uintptr_t)msg->offs0;
360
361 bwr.write_size = sizeof(writebuf);
362 bwr.write_consumed = 0;
363 bwr.write_buffer = (uintptr_t) &writebuf;
364
365 hexdump(msg->data0, msg->data - msg->data0);
366 for (;;) {
367 bwr.read_size = sizeof(readbuf);
368 bwr.read_consumed = 0;
369 bwr.read_buffer = (uintptr_t) readbuf;
370
371 res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
372
373 if (res < 0) {
374 fprintf(stderr,"binder: ioctl failed (%s)\n", strerror(errno));
375 goto fail;
376 }
377
378 res = binder_parse(bs, reply, (uintptr_t) readbuf, bwr.read_consumed, 0);
379 if (res == 0) return 0;
380 if (res < 0) goto fail;
381 }
382
383 fail:
384 memset(reply, 0, sizeof(*reply));
385 reply->flags |= BIO_F_IOERROR;
386 return -1;
387 }
388
binder_loop(struct binder_state * bs,binder_handler func)389 void binder_loop(struct binder_state *bs, binder_handler func)
390 {
391 int res;
392 struct binder_write_read bwr;
393 uint32_t readbuf[32];
394
395 bwr.write_size = 0;
396 bwr.write_consumed = 0;
397 bwr.write_buffer = 0;
398
399 readbuf[0] = BC_ENTER_LOOPER;
400 binder_write(bs, readbuf, sizeof(uint32_t));
401
402 for (;;) {
403 bwr.read_size = sizeof(readbuf);
404 bwr.read_consumed = 0;
405 bwr.read_buffer = (uintptr_t) readbuf;
406
407 res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
408
409 if (res < 0) {
410 ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));
411 break;
412 }
413
414 res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
415 if (res == 0) {
416 ALOGE("binder_loop: unexpected reply?!\n");
417 break;
418 }
419 if (res < 0) {
420 ALOGE("binder_loop: io error %d %s\n", res, strerror(errno));
421 break;
422 }
423 }
424 }
425
bio_init_from_txn(struct binder_io * bio,struct binder_transaction_data * txn)426 void bio_init_from_txn(struct binder_io *bio, struct binder_transaction_data *txn)
427 {
428 bio->data = bio->data0 = (char *)(intptr_t)txn->data.ptr.buffer;
429 bio->offs = bio->offs0 = (binder_size_t *)(intptr_t)txn->data.ptr.offsets;
430 bio->data_avail = txn->data_size;
431 bio->offs_avail = txn->offsets_size / sizeof(size_t);
432 bio->flags = BIO_F_SHARED;
433 }
434
bio_init(struct binder_io * bio,void * data,size_t maxdata,size_t maxoffs)435 void bio_init(struct binder_io *bio, void *data,
436 size_t maxdata, size_t maxoffs)
437 {
438 size_t n = maxoffs * sizeof(size_t);
439
440 if (n > maxdata) {
441 bio->flags = BIO_F_OVERFLOW;
442 bio->data_avail = 0;
443 bio->offs_avail = 0;
444 return;
445 }
446
447 bio->data = bio->data0 = (char *) data + n;
448 bio->offs = bio->offs0 = data;
449 bio->data_avail = maxdata - n;
450 bio->offs_avail = maxoffs;
451 bio->flags = 0;
452 }
453
bio_alloc(struct binder_io * bio,size_t size)454 static void *bio_alloc(struct binder_io *bio, size_t size)
455 {
456 size = (size + 3) & (~3);
457 if (size > bio->data_avail) {
458 bio->flags |= BIO_F_OVERFLOW;
459 return NULL;
460 } else {
461 void *ptr = bio->data;
462 bio->data += size;
463 bio->data_avail -= size;
464 return ptr;
465 }
466 }
467
binder_done(struct binder_state * bs,__unused struct binder_io * msg,struct binder_io * reply)468 void binder_done(struct binder_state *bs,
469 __unused struct binder_io *msg,
470 struct binder_io *reply)
471 {
472 struct {
473 uint32_t cmd;
474 uintptr_t buffer;
475 } __attribute__((packed)) data;
476
477 if (reply->flags & BIO_F_SHARED) {
478 data.cmd = BC_FREE_BUFFER;
479 data.buffer = (uintptr_t) reply->data0;
480 binder_write(bs, &data, sizeof(data));
481 reply->flags = 0;
482 }
483 }
484
bio_alloc_obj(struct binder_io * bio)485 static struct flat_binder_object *bio_alloc_obj(struct binder_io *bio)
486 {
487 struct flat_binder_object *obj;
488
489 obj = bio_alloc(bio, sizeof(*obj));
490
491 if (obj && bio->offs_avail) {
492 bio->offs_avail--;
493 *bio->offs++ = ((char*) obj) - ((char*) bio->data0);
494 return obj;
495 }
496
497 bio->flags |= BIO_F_OVERFLOW;
498 return NULL;
499 }
500
bio_put_uint32(struct binder_io * bio,uint32_t n)501 void bio_put_uint32(struct binder_io *bio, uint32_t n)
502 {
503 uint32_t *ptr = bio_alloc(bio, sizeof(n));
504 if (ptr)
505 *ptr = n;
506 }
507
bio_put_obj(struct binder_io * bio,void * ptr)508 void bio_put_obj(struct binder_io *bio, void *ptr)
509 {
510 struct flat_binder_object *obj;
511
512 obj = bio_alloc_obj(bio);
513 if (!obj)
514 return;
515
516 obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
517 obj->type = BINDER_TYPE_BINDER;
518 obj->binder = (uintptr_t)ptr;
519 obj->cookie = 0;
520 }
521
bio_put_ref(struct binder_io * bio,uint32_t handle)522 void bio_put_ref(struct binder_io *bio, uint32_t handle)
523 {
524 struct flat_binder_object *obj;
525
526 if (handle)
527 obj = bio_alloc_obj(bio);
528 else
529 obj = bio_alloc(bio, sizeof(*obj));
530
531 if (!obj)
532 return;
533
534 obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
535 obj->type = BINDER_TYPE_HANDLE;
536 obj->handle = handle;
537 obj->cookie = 0;
538 }
539
bio_put_string16(struct binder_io * bio,const uint16_t * str)540 void bio_put_string16(struct binder_io *bio, const uint16_t *str)
541 {
542 size_t len;
543 uint16_t *ptr;
544
545 if (!str) {
546 bio_put_uint32(bio, 0xffffffff);
547 return;
548 }
549
550 len = 0;
551 while (str[len]) len++;
552
553 if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) {
554 bio_put_uint32(bio, 0xffffffff);
555 return;
556 }
557
558 /* Note: The payload will carry 32bit size instead of size_t */
559 bio_put_uint32(bio, (uint32_t) len);
560 len = (len + 1) * sizeof(uint16_t);
561 ptr = bio_alloc(bio, len);
562 if (ptr)
563 memcpy(ptr, str, len);
564 }
565
bio_put_string16_x(struct binder_io * bio,const char * _str)566 void bio_put_string16_x(struct binder_io *bio, const char *_str)
567 {
568 unsigned char *str = (unsigned char*) _str;
569 size_t len;
570 uint16_t *ptr;
571
572 if (!str) {
573 bio_put_uint32(bio, 0xffffffff);
574 return;
575 }
576
577 len = strlen(_str);
578
579 if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) {
580 bio_put_uint32(bio, 0xffffffff);
581 return;
582 }
583
584 /* Note: The payload will carry 32bit size instead of size_t */
585 bio_put_uint32(bio, len);
586 ptr = bio_alloc(bio, (len + 1) * sizeof(uint16_t));
587 if (!ptr)
588 return;
589
590 while (*str)
591 *ptr++ = *str++;
592 *ptr++ = 0;
593 }
594
bio_get(struct binder_io * bio,size_t size)595 static void *bio_get(struct binder_io *bio, size_t size)
596 {
597 size = (size + 3) & (~3);
598
599 if (bio->data_avail < size){
600 bio->data_avail = 0;
601 bio->flags |= BIO_F_OVERFLOW;
602 return NULL;
603 } else {
604 void *ptr = bio->data;
605 bio->data += size;
606 bio->data_avail -= size;
607 return ptr;
608 }
609 }
610
bio_get_uint32(struct binder_io * bio)611 uint32_t bio_get_uint32(struct binder_io *bio)
612 {
613 uint32_t *ptr = bio_get(bio, sizeof(*ptr));
614 return ptr ? *ptr : 0;
615 }
616
bio_get_string16(struct binder_io * bio,size_t * sz)617 uint16_t *bio_get_string16(struct binder_io *bio, size_t *sz)
618 {
619 size_t len;
620
621 /* Note: The payload will carry 32bit size instead of size_t */
622 len = (size_t) bio_get_uint32(bio);
623 if (sz)
624 *sz = len;
625 return bio_get(bio, (len + 1) * sizeof(uint16_t));
626 }
627
_bio_get_obj(struct binder_io * bio)628 static struct flat_binder_object *_bio_get_obj(struct binder_io *bio)
629 {
630 size_t n;
631 size_t off = bio->data - bio->data0;
632
633 /* TODO: be smarter about this? */
634 for (n = 0; n < bio->offs_avail; n++) {
635 if (bio->offs[n] == off)
636 return bio_get(bio, sizeof(struct flat_binder_object));
637 }
638
639 bio->data_avail = 0;
640 bio->flags |= BIO_F_OVERFLOW;
641 return NULL;
642 }
643
bio_get_ref(struct binder_io * bio)644 uint32_t bio_get_ref(struct binder_io *bio)
645 {
646 struct flat_binder_object *obj;
647
648 obj = _bio_get_obj(bio);
649 if (!obj)
650 return 0;
651
652 if (obj->type == BINDER_TYPE_HANDLE)
653 return obj->handle;
654
655 return 0;
656 }
657