| /* Copyright 2008 The Android Open Source Project |
| */ |
| |
| #define LOG_TAG "Binder" |
| |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <inttypes.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/mman.h> |
| #include <unistd.h> |
| |
| #include <log/log.h> |
| |
| #include "binder.h" |
| |
| #define MAX_BIO_SIZE (1 << 30) |
| |
| #define TRACE 0 |
| |
| void bio_init_from_txn(struct binder_io *io, struct binder_transaction_data *txn); |
| |
| #if TRACE |
| void hexdump(void *_data, size_t len) |
| { |
| unsigned char *data = _data; |
| size_t count; |
| |
| for (count = 0; count < len; count++) { |
| if ((count & 15) == 0) |
| fprintf(stderr,"%04zu:", count); |
| fprintf(stderr," %02x %c", *data, |
| (*data < 32) || (*data > 126) ? '.' : *data); |
| data++; |
| if ((count & 15) == 15) |
| fprintf(stderr,"\n"); |
| } |
| if ((count & 15) != 0) |
| fprintf(stderr,"\n"); |
| } |
| |
| void binder_dump_txn(struct binder_transaction_data *txn) |
| { |
| struct flat_binder_object *obj; |
| binder_size_t *offs = (binder_size_t *)(uintptr_t)txn->data.ptr.offsets; |
| size_t count = txn->offsets_size / sizeof(binder_size_t); |
| |
| fprintf(stderr," target %016"PRIx64" cookie %016"PRIx64" code %08x flags %08x\n", |
| (uint64_t)txn->target.ptr, (uint64_t)txn->cookie, txn->code, txn->flags); |
| fprintf(stderr," pid %8d uid %8d data %"PRIu64" offs %"PRIu64"\n", |
| txn->sender_pid, txn->sender_euid, (uint64_t)txn->data_size, (uint64_t)txn->offsets_size); |
| hexdump((void *)(uintptr_t)txn->data.ptr.buffer, txn->data_size); |
| while (count--) { |
| obj = (struct flat_binder_object *) (((char*)(uintptr_t)txn->data.ptr.buffer) + *offs++); |
| fprintf(stderr," - type %08x flags %08x ptr %016"PRIx64" cookie %016"PRIx64"\n", |
| obj->type, obj->flags, (uint64_t)obj->binder, (uint64_t)obj->cookie); |
| } |
| } |
| |
| #define NAME(n) case n: return #n |
| const char *cmd_name(uint32_t cmd) |
| { |
| switch(cmd) { |
| NAME(BR_NOOP); |
| NAME(BR_TRANSACTION_COMPLETE); |
| NAME(BR_INCREFS); |
| NAME(BR_ACQUIRE); |
| NAME(BR_RELEASE); |
| NAME(BR_DECREFS); |
| NAME(BR_TRANSACTION); |
| NAME(BR_REPLY); |
| NAME(BR_FAILED_REPLY); |
| NAME(BR_DEAD_REPLY); |
| NAME(BR_DEAD_BINDER); |
| default: return "???"; |
| } |
| } |
| #else |
| #define hexdump(a,b) do{} while (0) |
| #define binder_dump_txn(txn) do{} while (0) |
| #endif |
| |
| #define BIO_F_SHARED 0x01 /* needs to be buffer freed */ |
| #define BIO_F_OVERFLOW 0x02 /* ran out of space */ |
| #define BIO_F_IOERROR 0x04 |
| #define BIO_F_MALLOCED 0x08 /* needs to be free()'d */ |
| |
| struct binder_state |
| { |
| int fd; |
| void *mapped; |
| size_t mapsize; |
| }; |
| |
| struct binder_state *binder_open(const char* driver, size_t mapsize) |
| { |
| struct binder_state *bs; |
| struct binder_version vers; |
| |
| bs = malloc(sizeof(*bs)); |
| if (!bs) { |
| errno = ENOMEM; |
| return NULL; |
| } |
| |
| bs->fd = open(driver, O_RDWR | O_CLOEXEC); |
| if (bs->fd < 0) { |
| fprintf(stderr,"binder: cannot open %s (%s)\n", |
| driver, strerror(errno)); |
| goto fail_open; |
| } |
| |
| if ((ioctl(bs->fd, BINDER_VERSION, &vers) == -1) || |
| (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION)) { |
| fprintf(stderr, |
| "binder: kernel driver version (%d) differs from user space version (%d)\n", |
| vers.protocol_version, BINDER_CURRENT_PROTOCOL_VERSION); |
| goto fail_open; |
| } |
| |
| bs->mapsize = mapsize; |
| bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0); |
| if (bs->mapped == MAP_FAILED) { |
| fprintf(stderr,"binder: cannot map device (%s)\n", |
| strerror(errno)); |
| goto fail_map; |
| } |
| |
| return bs; |
| |
| fail_map: |
| close(bs->fd); |
| fail_open: |
| free(bs); |
| return NULL; |
| } |
| |
| void binder_close(struct binder_state *bs) |
| { |
| munmap(bs->mapped, bs->mapsize); |
| close(bs->fd); |
| free(bs); |
| } |
| |
| int binder_become_context_manager(struct binder_state *bs) |
| { |
| return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0); |
| } |
| |
| int binder_write(struct binder_state *bs, void *data, size_t len) |
| { |
| struct binder_write_read bwr; |
| int res; |
| |
| bwr.write_size = len; |
| bwr.write_consumed = 0; |
| bwr.write_buffer = (uintptr_t) data; |
| bwr.read_size = 0; |
| bwr.read_consumed = 0; |
| bwr.read_buffer = 0; |
| res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); |
| if (res < 0) { |
| fprintf(stderr,"binder_write: ioctl failed (%s)\n", |
| strerror(errno)); |
| } |
| return res; |
| } |
| |
| void binder_free_buffer(struct binder_state *bs, |
| binder_uintptr_t buffer_to_free) |
| { |
| struct { |
| uint32_t cmd_free; |
| binder_uintptr_t buffer; |
| } __attribute__((packed)) data; |
| data.cmd_free = BC_FREE_BUFFER; |
| data.buffer = buffer_to_free; |
| binder_write(bs, &data, sizeof(data)); |
| } |
| |
| void binder_send_reply(struct binder_state *bs, |
| struct binder_io *reply, |
| binder_uintptr_t buffer_to_free, |
| int status) |
| { |
| struct { |
| uint32_t cmd_free; |
| binder_uintptr_t buffer; |
| uint32_t cmd_reply; |
| struct binder_transaction_data txn; |
| } __attribute__((packed)) data; |
| |
| data.cmd_free = BC_FREE_BUFFER; |
| data.buffer = buffer_to_free; |
| data.cmd_reply = BC_REPLY; |
| data.txn.target.ptr = 0; |
| data.txn.cookie = 0; |
| data.txn.code = 0; |
| if (status) { |
| data.txn.flags = TF_STATUS_CODE; |
| data.txn.data_size = sizeof(int); |
| data.txn.offsets_size = 0; |
| data.txn.data.ptr.buffer = (uintptr_t)&status; |
| data.txn.data.ptr.offsets = 0; |
| } else { |
| data.txn.flags = 0; |
| data.txn.data_size = reply->data - reply->data0; |
| data.txn.offsets_size = ((char*) reply->offs) - ((char*) reply->offs0); |
| data.txn.data.ptr.buffer = (uintptr_t)reply->data0; |
| data.txn.data.ptr.offsets = (uintptr_t)reply->offs0; |
| } |
| binder_write(bs, &data, sizeof(data)); |
| } |
| |
| int binder_parse(struct binder_state *bs, struct binder_io *bio, |
| uintptr_t ptr, size_t size, binder_handler func) |
| { |
| int r = 1; |
| uintptr_t end = ptr + (uintptr_t) size; |
| |
| while (ptr < end) { |
| uint32_t cmd = *(uint32_t *) ptr; |
| ptr += sizeof(uint32_t); |
| #if TRACE |
| fprintf(stderr,"%s:\n", cmd_name(cmd)); |
| #endif |
| switch(cmd) { |
| case BR_NOOP: |
| break; |
| case BR_TRANSACTION_COMPLETE: |
| break; |
| case BR_INCREFS: |
| case BR_ACQUIRE: |
| case BR_RELEASE: |
| case BR_DECREFS: |
| #if TRACE |
| fprintf(stderr," %p, %p\n", (void *)ptr, (void *)(ptr + sizeof(void *))); |
| #endif |
| ptr += sizeof(struct binder_ptr_cookie); |
| break; |
| case BR_TRANSACTION: { |
| struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; |
| if ((end - ptr) < sizeof(*txn)) { |
| ALOGE("parse: txn too small!\n"); |
| return -1; |
| } |
| binder_dump_txn(txn); |
| if (func) { |
| unsigned rdata[256/4]; |
| struct binder_io msg; |
| struct binder_io reply; |
| int res; |
| |
| bio_init(&reply, rdata, sizeof(rdata), 4); |
| bio_init_from_txn(&msg, txn); |
| res = func(bs, txn, &msg, &reply); |
| if (txn->flags & TF_ONE_WAY) { |
| binder_free_buffer(bs, txn->data.ptr.buffer); |
| } else { |
| binder_send_reply(bs, &reply, txn->data.ptr.buffer, res); |
| } |
| } |
| ptr += sizeof(*txn); |
| break; |
| } |
| case BR_REPLY: { |
| struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; |
| if ((end - ptr) < sizeof(*txn)) { |
| ALOGE("parse: reply too small!\n"); |
| return -1; |
| } |
| binder_dump_txn(txn); |
| if (bio) { |
| bio_init_from_txn(bio, txn); |
| bio = 0; |
| } else { |
| /* todo FREE BUFFER */ |
| } |
| ptr += sizeof(*txn); |
| r = 0; |
| break; |
| } |
| case BR_DEAD_BINDER: { |
| struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr; |
| ptr += sizeof(binder_uintptr_t); |
| death->func(bs, death->ptr); |
| break; |
| } |
| case BR_FAILED_REPLY: |
| r = -1; |
| break; |
| case BR_DEAD_REPLY: |
| r = -1; |
| break; |
| default: |
| ALOGE("parse: OOPS %d\n", cmd); |
| return -1; |
| } |
| } |
| |
| return r; |
| } |
| |
| void binder_acquire(struct binder_state *bs, uint32_t target) |
| { |
| uint32_t cmd[2]; |
| cmd[0] = BC_ACQUIRE; |
| cmd[1] = target; |
| binder_write(bs, cmd, sizeof(cmd)); |
| } |
| |
| void binder_release(struct binder_state *bs, uint32_t target) |
| { |
| uint32_t cmd[2]; |
| cmd[0] = BC_RELEASE; |
| cmd[1] = target; |
| binder_write(bs, cmd, sizeof(cmd)); |
| } |
| |
| void binder_link_to_death(struct binder_state *bs, uint32_t target, struct binder_death *death) |
| { |
| struct { |
| uint32_t cmd; |
| struct binder_handle_cookie payload; |
| } __attribute__((packed)) data; |
| |
| data.cmd = BC_REQUEST_DEATH_NOTIFICATION; |
| data.payload.handle = target; |
| data.payload.cookie = (uintptr_t) death; |
| binder_write(bs, &data, sizeof(data)); |
| } |
| |
| int binder_call(struct binder_state *bs, |
| struct binder_io *msg, struct binder_io *reply, |
| uint32_t target, uint32_t code) |
| { |
| int res; |
| struct binder_write_read bwr; |
| struct { |
| uint32_t cmd; |
| struct binder_transaction_data txn; |
| } __attribute__((packed)) writebuf; |
| unsigned readbuf[32]; |
| |
| if (msg->flags & BIO_F_OVERFLOW) { |
| fprintf(stderr,"binder: txn buffer overflow\n"); |
| goto fail; |
| } |
| |
| writebuf.cmd = BC_TRANSACTION; |
| writebuf.txn.target.handle = target; |
| writebuf.txn.code = code; |
| writebuf.txn.flags = 0; |
| writebuf.txn.data_size = msg->data - msg->data0; |
| writebuf.txn.offsets_size = ((char*) msg->offs) - ((char*) msg->offs0); |
| writebuf.txn.data.ptr.buffer = (uintptr_t)msg->data0; |
| writebuf.txn.data.ptr.offsets = (uintptr_t)msg->offs0; |
| |
| bwr.write_size = sizeof(writebuf); |
| bwr.write_consumed = 0; |
| bwr.write_buffer = (uintptr_t) &writebuf; |
| |
| hexdump(msg->data0, msg->data - msg->data0); |
| for (;;) { |
| bwr.read_size = sizeof(readbuf); |
| bwr.read_consumed = 0; |
| bwr.read_buffer = (uintptr_t) readbuf; |
| |
| res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); |
| |
| if (res < 0) { |
| fprintf(stderr,"binder: ioctl failed (%s)\n", strerror(errno)); |
| goto fail; |
| } |
| |
| res = binder_parse(bs, reply, (uintptr_t) readbuf, bwr.read_consumed, 0); |
| if (res == 0) return 0; |
| if (res < 0) goto fail; |
| } |
| |
| fail: |
| memset(reply, 0, sizeof(*reply)); |
| reply->flags |= BIO_F_IOERROR; |
| return -1; |
| } |
| |
| void binder_loop(struct binder_state *bs, binder_handler func) |
| { |
| int res; |
| struct binder_write_read bwr; |
| uint32_t readbuf[32]; |
| |
| bwr.write_size = 0; |
| bwr.write_consumed = 0; |
| bwr.write_buffer = 0; |
| |
| readbuf[0] = BC_ENTER_LOOPER; |
| binder_write(bs, readbuf, sizeof(uint32_t)); |
| |
| for (;;) { |
| bwr.read_size = sizeof(readbuf); |
| bwr.read_consumed = 0; |
| bwr.read_buffer = (uintptr_t) readbuf; |
| |
| res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); |
| |
| if (res < 0) { |
| ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno)); |
| break; |
| } |
| |
| res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func); |
| if (res == 0) { |
| ALOGE("binder_loop: unexpected reply?!\n"); |
| break; |
| } |
| if (res < 0) { |
| ALOGE("binder_loop: io error %d %s\n", res, strerror(errno)); |
| break; |
| } |
| } |
| } |
| |
| void bio_init_from_txn(struct binder_io *bio, struct binder_transaction_data *txn) |
| { |
| bio->data = bio->data0 = (char *)(intptr_t)txn->data.ptr.buffer; |
| bio->offs = bio->offs0 = (binder_size_t *)(intptr_t)txn->data.ptr.offsets; |
| bio->data_avail = txn->data_size; |
| bio->offs_avail = txn->offsets_size / sizeof(size_t); |
| bio->flags = BIO_F_SHARED; |
| } |
| |
| void bio_init(struct binder_io *bio, void *data, |
| size_t maxdata, size_t maxoffs) |
| { |
| size_t n = maxoffs * sizeof(size_t); |
| |
| if (n > maxdata) { |
| bio->flags = BIO_F_OVERFLOW; |
| bio->data_avail = 0; |
| bio->offs_avail = 0; |
| return; |
| } |
| |
| bio->data = bio->data0 = (char *) data + n; |
| bio->offs = bio->offs0 = data; |
| bio->data_avail = maxdata - n; |
| bio->offs_avail = maxoffs; |
| bio->flags = 0; |
| } |
| |
| static void *bio_alloc(struct binder_io *bio, size_t size) |
| { |
| size = (size + 3) & (~3); |
| if (size > bio->data_avail) { |
| bio->flags |= BIO_F_OVERFLOW; |
| return NULL; |
| } else { |
| void *ptr = bio->data; |
| bio->data += size; |
| bio->data_avail -= size; |
| return ptr; |
| } |
| } |
| |
| void binder_done(struct binder_state *bs, |
| __unused struct binder_io *msg, |
| struct binder_io *reply) |
| { |
| struct { |
| uint32_t cmd; |
| uintptr_t buffer; |
| } __attribute__((packed)) data; |
| |
| if (reply->flags & BIO_F_SHARED) { |
| data.cmd = BC_FREE_BUFFER; |
| data.buffer = (uintptr_t) reply->data0; |
| binder_write(bs, &data, sizeof(data)); |
| reply->flags = 0; |
| } |
| } |
| |
| static struct flat_binder_object *bio_alloc_obj(struct binder_io *bio) |
| { |
| struct flat_binder_object *obj; |
| |
| obj = bio_alloc(bio, sizeof(*obj)); |
| |
| if (obj && bio->offs_avail) { |
| bio->offs_avail--; |
| *bio->offs++ = ((char*) obj) - ((char*) bio->data0); |
| return obj; |
| } |
| |
| bio->flags |= BIO_F_OVERFLOW; |
| return NULL; |
| } |
| |
| void bio_put_uint32(struct binder_io *bio, uint32_t n) |
| { |
| uint32_t *ptr = bio_alloc(bio, sizeof(n)); |
| if (ptr) |
| *ptr = n; |
| } |
| |
| void bio_put_obj(struct binder_io *bio, void *ptr) |
| { |
| struct flat_binder_object *obj; |
| |
| obj = bio_alloc_obj(bio); |
| if (!obj) |
| return; |
| |
| obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; |
| obj->type = BINDER_TYPE_BINDER; |
| obj->binder = (uintptr_t)ptr; |
| obj->cookie = 0; |
| } |
| |
| void bio_put_ref(struct binder_io *bio, uint32_t handle) |
| { |
| struct flat_binder_object *obj; |
| |
| if (handle) |
| obj = bio_alloc_obj(bio); |
| else |
| obj = bio_alloc(bio, sizeof(*obj)); |
| |
| if (!obj) |
| return; |
| |
| obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; |
| obj->type = BINDER_TYPE_HANDLE; |
| obj->handle = handle; |
| obj->cookie = 0; |
| } |
| |
| void bio_put_string16(struct binder_io *bio, const uint16_t *str) |
| { |
| size_t len; |
| uint16_t *ptr; |
| |
| if (!str) { |
| bio_put_uint32(bio, 0xffffffff); |
| return; |
| } |
| |
| len = 0; |
| while (str[len]) len++; |
| |
| if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { |
| bio_put_uint32(bio, 0xffffffff); |
| return; |
| } |
| |
| /* Note: The payload will carry 32bit size instead of size_t */ |
| bio_put_uint32(bio, (uint32_t) len); |
| len = (len + 1) * sizeof(uint16_t); |
| ptr = bio_alloc(bio, len); |
| if (ptr) |
| memcpy(ptr, str, len); |
| } |
| |
| void bio_put_string16_x(struct binder_io *bio, const char *_str) |
| { |
| unsigned char *str = (unsigned char*) _str; |
| size_t len; |
| uint16_t *ptr; |
| |
| if (!str) { |
| bio_put_uint32(bio, 0xffffffff); |
| return; |
| } |
| |
| len = strlen(_str); |
| |
| if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { |
| bio_put_uint32(bio, 0xffffffff); |
| return; |
| } |
| |
| /* Note: The payload will carry 32bit size instead of size_t */ |
| bio_put_uint32(bio, len); |
| ptr = bio_alloc(bio, (len + 1) * sizeof(uint16_t)); |
| if (!ptr) |
| return; |
| |
| while (*str) |
| *ptr++ = *str++; |
| *ptr++ = 0; |
| } |
| |
| static void *bio_get(struct binder_io *bio, size_t size) |
| { |
| size = (size + 3) & (~3); |
| |
| if (bio->data_avail < size){ |
| bio->data_avail = 0; |
| bio->flags |= BIO_F_OVERFLOW; |
| return NULL; |
| } else { |
| void *ptr = bio->data; |
| bio->data += size; |
| bio->data_avail -= size; |
| return ptr; |
| } |
| } |
| |
| uint32_t bio_get_uint32(struct binder_io *bio) |
| { |
| uint32_t *ptr = bio_get(bio, sizeof(*ptr)); |
| return ptr ? *ptr : 0; |
| } |
| |
| uint16_t *bio_get_string16(struct binder_io *bio, size_t *sz) |
| { |
| size_t len; |
| |
| /* Note: The payload will carry 32bit size instead of size_t */ |
| len = (size_t) bio_get_uint32(bio); |
| if (sz) |
| *sz = len; |
| return bio_get(bio, (len + 1) * sizeof(uint16_t)); |
| } |
| |
| static struct flat_binder_object *_bio_get_obj(struct binder_io *bio) |
| { |
| size_t n; |
| size_t off = bio->data - bio->data0; |
| |
| /* TODO: be smarter about this? */ |
| for (n = 0; n < bio->offs_avail; n++) { |
| if (bio->offs[n] == off) |
| return bio_get(bio, sizeof(struct flat_binder_object)); |
| } |
| |
| bio->data_avail = 0; |
| bio->flags |= BIO_F_OVERFLOW; |
| return NULL; |
| } |
| |
| uint32_t bio_get_ref(struct binder_io *bio) |
| { |
| struct flat_binder_object *obj; |
| |
| obj = _bio_get_obj(bio); |
| if (!obj) |
| return 0; |
| |
| if (obj->type == BINDER_TYPE_HANDLE) |
| return obj->handle; |
| |
| return 0; |
| } |