1 /* Copyright 2008 The Android Open Source Project
2 */
3
4 #include <stdio.h>
5 #include <stdlib.h>
6 #include <errno.h>
7 #include <unistd.h>
8 #include <fcntl.h>
9 #include <sys/mman.h>
10
11 #include "binder.h"
12
/* Byte ceiling used when validating string lengths before they are marshalled. */
#define MAX_BIO_SIZE (1 << 30)

/* Build-time switch: non-zero compiles in the stderr dump helpers below. */
#define TRACE 0

/* Defined ahead of the log header include that follows. */
#define LOG_TAG "Binder"
18 #include <cutils/log.h>
19
/* Forward declaration; the definition appears later in this file. */
void bio_init_from_txn(struct binder_io *io,
                       struct binder_txn *txn);
21
22 #if TRACE
/*
 * Write a hex + ASCII dump of len bytes starting at _data to stderr.
 * Rows hold sixteen bytes and begin with the row offset; bytes outside
 * 32..126 are printed as '.'.
 */
void hexdump(void *_data, unsigned len)
{
    const unsigned char *bytes = _data;
    unsigned i;

    for (i = 0; i < len; i++) {
        unsigned char b = bytes[i];
        unsigned column = i & 15;

        if (column == 0)
            fprintf(stderr,"%04x:", i);
        fprintf(stderr," %02x %c", b, ((b < 32) || (b > 126)) ? '.' : b);
        if (column == 15)
            fprintf(stderr,"\n");
    }

    /* close a partially filled final row */
    if ((i & 15) != 0)
        fprintf(stderr,"\n");
}
40
/*
 * Trace helper: print the header fields of txn, hex-dump its data area and
 * list every object referenced from its offsets array, all to stderr.
 *
 * NOTE(review): each offset is added to txn->data without being compared
 * to txn->data_size, so a bad offset is read out of bounds. Only built
 * when TRACE is non-zero.
 */
void binder_dump_txn(struct binder_txn *txn)
{
    unsigned *next_off = txn->offs;
    unsigned remaining;

    fprintf(stderr," target %p cookie %p code %08x flags %08x\n",
            txn->target, txn->cookie, txn->code, txn->flags);
    fprintf(stderr," pid %8d uid %8d data %8d offs %8d\n",
            txn->sender_pid, txn->sender_euid, txn->data_size, txn->offs_size);
    hexdump(txn->data, txn->data_size);

    /* offs_size is in bytes; each entry is one 4-byte offset */
    for (remaining = txn->offs_size / 4; remaining != 0; remaining--) {
        struct binder_object *obj;

        obj = (void*) (((char*) txn->data) + *next_off++);
        fprintf(stderr," - type %08x flags %08x ptr %p cookie %p\n",
                obj->type, obj->flags, obj->pointer, obj->cookie);
    }
}
58
#define NAME(n) case n: return #n
/*
 * Trace helper: map a BR_* return command to its symbolic name.
 * Unknown values yield "???".
 */
const char *cmd_name(uint32_t cmd)
{
    static const struct {
        uint32_t value;
        const char *text;
    } known[] = {
        { BR_NOOP, "BR_NOOP" },
        { BR_TRANSACTION_COMPLETE, "BR_TRANSACTION_COMPLETE" },
        { BR_INCREFS, "BR_INCREFS" },
        { BR_ACQUIRE, "BR_ACQUIRE" },
        { BR_RELEASE, "BR_RELEASE" },
        { BR_DECREFS, "BR_DECREFS" },
        { BR_TRANSACTION, "BR_TRANSACTION" },
        { BR_REPLY, "BR_REPLY" },
        { BR_FAILED_REPLY, "BR_FAILED_REPLY" },
        { BR_DEAD_REPLY, "BR_DEAD_REPLY" },
        { BR_DEAD_BINDER, "BR_DEAD_BINDER" },
    };
    unsigned i;

    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++) {
        if (known[i].value == cmd)
            return known[i].text;
    }
    return "???";
}
77 #else
/* TRACE is off: both dump helpers expand to an empty statement. */
#define hexdump(a,b) do { } while (0)
#define binder_dump_txn(txn) do { } while (0)
80 #endif
81
/* binder_io flag bits */
#define BIO_F_SHARED 0x01   /* buffer must be handed back with BC_FREE_BUFFER (see binder_done) */
#define BIO_F_OVERFLOW 0x02 /* a put/get ran out of space */
#define BIO_F_IOERROR 0x04  /* set on the reply when binder_call fails */
#define BIO_F_MALLOCED 0x08 /* buffer must be released with free() */
86
/* Per-connection state created by binder_open() and destroyed by binder_close(). */
struct binder_state {
    int fd;           /* descriptor returned by open("/dev/binder") */
    void *mapped;     /* base of the read-only mmap() of that descriptor */
    unsigned mapsize; /* length passed to mmap(); reused for munmap() */
};
93
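/*
 * Open /dev/binder and map mapsize bytes of it read-only.
 *
 * Returns a heap-allocated state object that the caller releases with
 * binder_close(), or NULL on failure. On failure errno holds the error of
 * the call that failed (ENOMEM when the allocation fails); it is saved
 * before the cleanup calls so they cannot overwrite it.
 */
struct binder_state *binder_open(unsigned mapsize)
{
    struct binder_state *bs;
    int open_flags = O_RDWR;
    int saved_errno;

    bs = malloc(sizeof(*bs));
    if (!bs) {
        errno = ENOMEM;
        return NULL;
    }

    /*
     * Keep the binder descriptor out of any program this process later
     * exec()s; the flag is applied only where the headers define it.
     */
#ifdef O_CLOEXEC
    open_flags |= O_CLOEXEC;
#endif

    bs->fd = open("/dev/binder", open_flags);
    if (bs->fd < 0) {
        saved_errno = errno;
        fprintf(stderr,"binder: cannot open device (%s)\n",
                strerror(saved_errno));
        goto fail_open;
    }

    bs->mapsize = mapsize;
    bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);
    if (bs->mapped == MAP_FAILED) {
        saved_errno = errno;
        fprintf(stderr,"binder: cannot map device (%s)\n",
                strerror(saved_errno));
        goto fail_map;
    }

    /* TODO: check version */

    return bs;

fail_map:
    close(bs->fd);
fail_open:
    free(bs);
    errno = saved_errno;
    return NULL;
}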
129
/*
 * Tear down a state object from binder_open(): unmap the region, close the
 * descriptor and free the object. bs must not be used afterwards.
 */
void binder_close(struct binder_state *bs)
{
    int fd = bs->fd;

    munmap(bs->mapped, bs->mapsize);
    close(fd);
    free(bs);
}
136
/*
 * Issue BINDER_SET_CONTEXT_MGR on the binder descriptor.
 * Returns the ioctl() result unchanged.
 */
int binder_become_context_manager(struct binder_state *bs)
{
    int rc = ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);

    return rc;
}
141
/*
 * Send len bytes of commands at data to the driver with a write-only
 * BINDER_WRITE_READ ioctl. Returns the ioctl() result; a failure is also
 * reported on stderr.
 *
 * NOTE(review): the (unsigned) cast keeps only the low bits of the pointer
 * where pointers are wider than unsigned -- confirm this is built for
 * 32-bit targets only.
 */
int binder_write(struct binder_state *bs, void *data, unsigned len)
{
    struct binder_write_read bwr;
    int rc;

    /* nothing is read back on this call */
    bwr.read_buffer = 0;
    bwr.read_size = 0;
    bwr.read_consumed = 0;

    bwr.write_buffer = (unsigned) data;
    bwr.write_size = len;
    bwr.write_consumed = 0;

    rc = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
    if (rc >= 0)
        return rc;

    fprintf(stderr,"binder_write: ioctl failed (%s)\n",
            strerror(errno));
    return rc;
}
159
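/*
 * Free the incoming transaction buffer and send a reply in one write.
 *
 * bs             - open binder state
 * reply          - marshalled reply; read only when status is zero
 * buffer_to_free - transaction buffer returned to the driver with
 *                  BC_FREE_BUFFER
 * status         - non-zero sends this status code as the whole reply
 *                  (TF_STATUS_CODE) instead of the contents of reply
 *
 * The command block starts zeroed so that the txn fields not assigned
 * here (sender_pid, sender_euid) are not passed to the driver holding
 * leftover stack contents. The result of binder_write() is not
 * propagated because this function returns void.
 */
void binder_send_reply(struct binder_state *bs,
                       struct binder_io *reply,
                       void *buffer_to_free,
                       int status)
{
    struct {
        uint32_t cmd_free;
        void *buffer;
        uint32_t cmd_reply;
        struct binder_txn txn;
    } __attribute__((packed)) data = {0};

    data.cmd_free = BC_FREE_BUFFER;
    data.buffer = buffer_to_free;
    data.cmd_reply = BC_REPLY;
    data.txn.target = 0;
    data.txn.cookie = 0;
    data.txn.code = 0;
    if (status) {
        /* status lives in this frame; binder_write() below runs before return */
        data.txn.flags = TF_STATUS_CODE;
        data.txn.data_size = sizeof(int);
        data.txn.offs_size = 0;
        data.txn.data = &status;
        data.txn.offs = 0;
    } else {
        /* sizes are the distance the cursors advanced from their start */
        data.txn.flags = 0;
        data.txn.data_size = reply->data - reply->data0;
        data.txn.offs_size = ((char*) reply->offs) - ((char*) reply->offs0);
        data.txn.data = reply->data0;
        data.txn.offs = reply->offs0;
    }
    binder_write(bs, &data, sizeof(data));
}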
193
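/*
 * Walk a buffer of BR_* return commands read from the driver.
 *
 * bs   - open binder state
 * bio  - if non-NULL, initialised from the first BR_REPLY seen
 * ptr  - start of the command buffer
 * size - number of valid bytes at ptr
 * func - if non-NULL, called for each BR_TRANSACTION; its result is sent
 *        back through binder_send_reply()
 *
 * Returns 0 once a BR_REPLY was consumed, 1 if the buffer held no reply,
 * and -1 on BR_FAILED_REPLY, BR_DEAD_REPLY, an unknown command or a
 * command whose payload does not fit in the remaining bytes.
 *
 * Every command that carries a payload is checked against `end` before
 * the payload is read, so a short buffer cannot cause a read past it.
 */
int binder_parse(struct binder_state *bs, struct binder_io *bio,
                 uint32_t *ptr, uint32_t size, binder_handler func)
{
    int r = 1;
    uint32_t *end = ptr + (size / 4);

    while (ptr < end) {
        uint32_t cmd = *ptr++;
#if TRACE
        fprintf(stderr,"%s:\n", cmd_name(cmd));
#endif
        switch(cmd) {
        case BR_NOOP:
            break;
        case BR_TRANSACTION_COMPLETE:
            break;
        case BR_INCREFS:
        case BR_ACQUIRE:
        case BR_RELEASE:
        case BR_DECREFS:
            /* two payload words follow; they are skipped, not acted on */
            if ((end - ptr) < 2) {
                LOGE("parse: refcount cmd too small!\n");
                return -1;
            }
#if TRACE
            fprintf(stderr," %08x %08x\n", ptr[0], ptr[1]);
#endif
            ptr += 2;
            break;
        case BR_TRANSACTION: {
            struct binder_txn *txn = (void *) ptr;
            if ((end - ptr) * sizeof(uint32_t) < sizeof(struct binder_txn)) {
                LOGE("parse: txn too small!\n");
                return -1;
            }
            binder_dump_txn(txn);
            if (func) {
                /* reply is marshalled into a fixed 256-byte stack buffer */
                unsigned rdata[256/4];
                struct binder_io msg;
                struct binder_io reply;
                int res;

                bio_init(&reply, rdata, sizeof(rdata), 4);
                bio_init_from_txn(&msg, txn);
                res = func(bs, txn, &msg, &reply);
                binder_send_reply(bs, &reply, txn->data, res);
            }
            ptr += sizeof(*txn) / sizeof(uint32_t);
            break;
        }
        case BR_REPLY: {
            struct binder_txn *txn = (void*) ptr;
            if ((end - ptr) * sizeof(uint32_t) < sizeof(struct binder_txn)) {
                LOGE("parse: reply too small!\n");
                return -1;
            }
            binder_dump_txn(txn);
            if (bio) {
                bio_init_from_txn(bio, txn);
                /* only the first reply is handed to the caller */
                bio = 0;
            } else {
                /* todo FREE BUFFER */
                /* NOTE(review): the reply buffer is never returned to the
                 * driver on this path. */
            }
            ptr += (sizeof(*txn) / sizeof(uint32_t));
            r = 0;
            break;
        }
        case BR_DEAD_BINDER: {
            struct binder_death *death;

            /* one payload word follows the command */
            if (ptr >= end) {
                LOGE("parse: death notification too small!\n");
                return -1;
            }
            /*
             * The word is used directly as a struct binder_death pointer
             * and its callback is invoked; binder_link_to_death() is where
             * such a pointer is handed to the driver.
             */
            death = (void*) *ptr++;
            death->func(bs, death->ptr);
            break;
        }
        case BR_FAILED_REPLY:
            r = -1;
            break;
        case BR_DEAD_REPLY:
            r = -1;
            break;
        default:
            LOGE("parse: OOPS %d\n", cmd);
            return -1;
        }
    }

    return r;
}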
276
/*
 * Send BC_ACQUIRE for ptr to the driver.
 * The pointer travels as a single 32-bit word.
 */
void binder_acquire(struct binder_state *bs, void *ptr)
{
    uint32_t cmd[2] = { BC_ACQUIRE, (uint32_t) ptr };

    binder_write(bs, cmd, sizeof(cmd));
}
284
/*
 * Send BC_RELEASE for ptr to the driver.
 * The pointer travels as a single 32-bit word.
 */
void binder_release(struct binder_state *bs, void *ptr)
{
    uint32_t cmd[2] = { BC_RELEASE, (uint32_t) ptr };

    binder_write(bs, cmd, sizeof(cmd));
}
292
/*
 * Send BC_REQUEST_DEATH_NOTIFICATION for ptr, passing the address of death
 * as the third word. binder_parse() later casts a BR_DEAD_BINDER payload
 * word back to a struct binder_death pointer and calls its func, so death
 * has to remain valid for as long as that can happen.
 */
void binder_link_to_death(struct binder_state *bs, void *ptr, struct binder_death *death)
{
    uint32_t cmd[3] = {
        BC_REQUEST_DEATH_NOTIFICATION,
        (uint32_t) ptr,
        (uint32_t) death,
    };

    binder_write(bs, cmd, sizeof(cmd));
}
301
302
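/*
 * Send msg as a BC_TRANSACTION to target with the given code, then read
 * from the driver until binder_parse() reports a reply or an error.
 *
 * Returns 0 with reply initialised from the BR_REPLY, or -1 on failure,
 * in which case a non-NULL reply is zeroed and marked BIO_F_IOERROR.
 *
 * writebuf starts zeroed so that the txn fields not assigned here
 * (cookie, sender_pid, sender_euid) are not passed to the driver holding
 * leftover stack contents.
 *
 * NOTE(review): the (unsigned) casts keep only the low bits of a pointer
 * where pointers are wider than unsigned -- confirm this is built for
 * 32-bit targets only.
 */
int binder_call(struct binder_state *bs,
                struct binder_io *msg, struct binder_io *reply,
                void *target, uint32_t code)
{
    int res;
    struct binder_write_read bwr;
    struct {
        uint32_t cmd;
        struct binder_txn txn;
    } writebuf = {0};
    unsigned readbuf[32];

    /* a message that overflowed while being built is incomplete */
    if (msg->flags & BIO_F_OVERFLOW) {
        fprintf(stderr,"binder: txn buffer overflow\n");
        goto fail;
    }

    writebuf.cmd = BC_TRANSACTION;
    writebuf.txn.target = target;
    writebuf.txn.code = code;
    writebuf.txn.flags = 0;
    writebuf.txn.data_size = msg->data - msg->data0;
    writebuf.txn.offs_size = ((char*) msg->offs) - ((char*) msg->offs0);
    writebuf.txn.data = msg->data0;
    writebuf.txn.offs = msg->offs0;

    bwr.write_size = sizeof(writebuf);
    bwr.write_consumed = 0;
    bwr.write_buffer = (unsigned) &writebuf;

    hexdump(msg->data0, msg->data - msg->data0);
    for (;;) {
        bwr.read_size = sizeof(readbuf);
        bwr.read_consumed = 0;
        bwr.read_buffer = (unsigned) readbuf;

        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);

        if (res < 0) {
            fprintf(stderr,"binder: ioctl failed (%s)\n", strerror(errno));
            goto fail;
        }

        /* 0: reply consumed, >0: no reply yet so read again, <0: error */
        res = binder_parse(bs, reply, readbuf, bwr.read_consumed, 0);
        if (res == 0) return 0;
        if (res < 0) goto fail;
    }

fail:
    /* binder_parse() accepts a NULL reply, so the error path must too */
    if (reply) {
        memset(reply, 0, sizeof(*reply));
        reply->flags |= BIO_F_IOERROR;
    }
    return -1;
}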
356
/*
 * Service loop: send BC_ENTER_LOOPER, then repeatedly read commands from
 * the driver and pass them to binder_parse() with func as the transaction
 * handler. Returns only when the ioctl fails, when binder_parse() reports
 * an error, or when it reports a reply (which this loop never asked for).
 */
void binder_loop(struct binder_state *bs, binder_handler func)
{
    struct binder_write_read bwr;
    unsigned readbuf[32];
    int status;

    /* readbuf is borrowed as scratch space for the one-word command */
    readbuf[0] = BC_ENTER_LOOPER;
    binder_write(bs, readbuf, sizeof(unsigned));

    /* the loop only ever reads */
    bwr.write_buffer = 0;
    bwr.write_size = 0;
    bwr.write_consumed = 0;

    while (1) {
        bwr.read_buffer = (unsigned) readbuf;
        bwr.read_size = sizeof(readbuf);
        bwr.read_consumed = 0;

        status = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
        if (status < 0) {
            LOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));
            return;
        }

        status = binder_parse(bs, 0, readbuf, bwr.read_consumed, func);
        if (status == 0) {
            LOGE("binder_loop: unexpected reply?!\n");
            return;
        }
        if (status < 0) {
            LOGE("binder_loop: io error %d %s\n", status, strerror(errno));
            return;
        }
    }
}
393
/*
 * Point bio at the data and offsets areas of a received transaction so
 * they can be read with the bio_get_* helpers. The sizes are copied from
 * txn as they are. The result is flagged BIO_F_SHARED.
 */
void bio_init_from_txn(struct binder_io *bio, struct binder_txn *txn)
{
    bio->flags = BIO_F_SHARED;

    bio->data0 = txn->data;
    bio->data = bio->data0;
    bio->data_avail = txn->data_size;

    bio->offs0 = txn->offs;
    bio->offs = bio->offs0;
    bio->offs_avail = txn->offs_size / 4; /* bytes -> 4-byte entries */
}
402
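/*
 * Prepare bio for writing into the caller's buffer.
 *
 * data    - buffer of maxdata bytes
 * maxdata - total bytes available at data
 * maxoffs - number of 4-byte offset slots to reserve at the front
 *
 * The offsets table takes the first maxoffs * 4 bytes and the data area
 * the remainder. If the table does not fit, bio is marked BIO_F_OVERFLOW
 * with nothing available. The fit is tested by division so that a large
 * maxoffs cannot wrap the 32-bit product and slip past the check.
 */
void bio_init(struct binder_io *bio, void *data,
              uint32_t maxdata, uint32_t maxoffs)
{
    uint32_t n;

    if (maxoffs > maxdata / sizeof(uint32_t)) {
        bio->flags = BIO_F_OVERFLOW;
        bio->data_avail = 0;
        bio->offs_avail = 0;
        return;
    }

    /* cannot wrap: maxoffs * 4 <= maxdata was established above */
    n = maxoffs * sizeof(uint32_t);

    bio->data = bio->data0 = (void *) ((char *) data + n);
    bio->offs = bio->offs0 = data;
    bio->data_avail = maxdata - n;
    bio->offs_avail = maxoffs;
    bio->flags = 0;
}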
421
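/*
 * Reserve size bytes, rounded up to a multiple of 4, from the data area
 * of bio. Returns the start of the reserved region, or NULL with
 * BIO_F_OVERFLOW set when the space is not available.
 *
 * A size within 3 of the 32-bit maximum would round to a small value and
 * pass the space check; that wrap is detected and treated as overflow.
 */
static void *bio_alloc(struct binder_io *bio, uint32_t size)
{
    uint32_t rounded = (size + 3) & (~3u);
    void *ptr;

    /* rounded < size happens only when the addition wrapped */
    if (rounded < size || rounded > bio->data_avail) {
        bio->flags |= BIO_F_OVERFLOW;
        return NULL;
    }

    ptr = bio->data;
    bio->data += rounded;
    bio->data_avail -= rounded;
    return ptr;
}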
435
/*
 * Release a reply obtained from binder_call(). If reply is flagged
 * BIO_F_SHARED, its buffer is returned to the driver with BC_FREE_BUFFER
 * and the flags are cleared. msg is not used.
 */
void binder_done(struct binder_state *bs,
                 struct binder_io *msg,
                 struct binder_io *reply)
{
    uint32_t cmd[2];

    if (!(reply->flags & BIO_F_SHARED))
        return;

    cmd[0] = BC_FREE_BUFFER;
    cmd[1] = (uint32_t) reply->data0;
    binder_write(bs, cmd, sizeof(cmd));
    reply->flags = 0;
}
448
/*
 * Reserve room for one binder_object in the data area and record its
 * offset from data0 in the next free offsets slot. Returns the object, or
 * 0 with BIO_F_OVERFLOW set when either the data area or the offsets
 * table is full.
 */
static struct binder_object *bio_alloc_obj(struct binder_io *bio)
{
    struct binder_object *slot = bio_alloc(bio, sizeof(*slot));

    if (!slot || !bio->offs_avail) {
        bio->flags |= BIO_F_OVERFLOW;
        return 0;
    }

    bio->offs_avail--;
    *bio->offs = ((char*) slot) - ((char*) bio->data0);
    bio->offs++;
    return slot;
}
464
/*
 * Append one 32-bit value to bio. If no space is left nothing is written;
 * bio_alloc() has then already set BIO_F_OVERFLOW.
 */
void bio_put_uint32(struct binder_io *bio, uint32_t n)
{
    uint32_t *slot = bio_alloc(bio, sizeof(n));

    if (!slot)
        return;
    *slot = n;
}
471
/*
 * Append a BINDER_TYPE_BINDER object referring to ptr, with cookie 0.
 * Does nothing beyond the overflow flag set by bio_alloc_obj() when no
 * space is left.
 */
void bio_put_obj(struct binder_io *bio, void *ptr)
{
    struct binder_object *obj = bio_alloc_obj(bio);

    if (obj) {
        obj->type = BINDER_TYPE_BINDER;
        obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
        obj->pointer = ptr;
        obj->cookie = 0;
    }
}
485
/*
 * Append a BINDER_TYPE_HANDLE object referring to ptr, with cookie 0.
 * A zero ptr is written as plain data: it gets space in the data area but
 * no entry in the offsets table.
 */
void bio_put_ref(struct binder_io *bio, void *ptr)
{
    struct binder_object *obj;

    obj = ptr ? bio_alloc_obj(bio)
              : (struct binder_object *) bio_alloc(bio, sizeof(*obj));
    if (obj) {
        obj->type = BINDER_TYPE_HANDLE;
        obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
        obj->pointer = ptr;
        obj->cookie = 0;
    }
}
503
/*
 * Append a zero-terminated 16-bit string: a 32-bit count of code units
 * (terminator excluded) followed by the units and the terminator.
 * A NULL str, or one too long for MAX_BIO_SIZE, is written as the single
 * word 0xffffffff.
 */
void bio_put_string16(struct binder_io *bio, const uint16_t *str)
{
    uint32_t units;
    uint32_t nbytes;
    uint16_t *dst;

    if (!str) {
        bio_put_uint32(bio, 0xffffffff);
        return;
    }

    for (units = 0; str[units]; units++)
        ;

    if (units >= (MAX_BIO_SIZE / sizeof(uint16_t))) {
        bio_put_uint32(bio, 0xffffffff);
        return;
    }

    bio_put_uint32(bio, units);

    /* payload includes the terminating zero unit */
    nbytes = (units + 1) * sizeof(uint16_t);
    dst = bio_alloc(bio, nbytes);
    if (!dst)
        return;
    memcpy(dst, str, nbytes);
}
528
/*
 * Append an 8-bit C string widened to 16-bit units: a 32-bit length
 * followed by one unit per input byte and a terminating zero unit.
 * Bytes are widened as unsigned values. A NULL _str, or one too long for
 * MAX_BIO_SIZE, is written as the single word 0xffffffff.
 */
void bio_put_string16_x(struct binder_io *bio, const char *_str)
{
    const unsigned char *src = (const unsigned char *) _str;
    uint32_t len;
    uint16_t *dst;

    if (!src) {
        bio_put_uint32(bio, 0xffffffff);
        return;
    }

    len = strlen(_str);
    if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) {
        bio_put_uint32(bio, 0xffffffff);
        return;
    }

    bio_put_uint32(bio, len);
    dst = bio_alloc(bio, (len + 1) * sizeof(uint16_t));
    if (!dst)
        return;

    for (; *src; src++)
        *dst++ = *src;
    *dst = 0;
}
556
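/*
 * Consume size bytes, rounded up to a multiple of 4, from the data area
 * of bio. Returns the start of the consumed region, or NULL when fewer
 * bytes remain; in that case BIO_F_OVERFLOW is set and data_avail is
 * zeroed so that every later read fails too.
 *
 * A size within 3 of the 32-bit maximum would round to a small value and
 * pass the space check; that wrap is detected and treated as overflow.
 */
static void *bio_get(struct binder_io *bio, uint32_t size)
{
    uint32_t rounded = (size + 3) & (~3u);
    void *ptr;

    /* rounded < size happens only when the addition wrapped */
    if (rounded < size || bio->data_avail < rounded) {
        bio->data_avail = 0;
        bio->flags |= BIO_F_OVERFLOW;
        return NULL;
    }

    ptr = bio->data;
    bio->data += rounded;
    bio->data_avail -= rounded;
    return ptr;
}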
572
/*
 * Read the next 32-bit value from bio. Returns 0 when no data is left,
 * which cannot be told apart from a stored 0 without checking
 * BIO_F_OVERFLOW in bio->flags.
 */
uint32_t bio_get_uint32(struct binder_io *bio)
{
    uint32_t *word = bio_get(bio, sizeof(*word));

    if (!word)
        return 0;
    return *word;
}
578
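/*
 * Read a length-prefixed 16-bit string from bio.
 *
 * sz - if non-NULL, receives the length word exactly as read
 *
 * Returns a pointer to the string inside the bio buffer, or NULL when the
 * length is the 0xffffffff marker that bio_put_string16() writes for "no
 * string", when the length is out of range, or when the data does not fit.
 *
 * The length comes from the message and is not trusted. Without a bound,
 * (len + 1) * 2 wraps to 0 for some values, and bio_get() would return a
 * valid pointer while *sz claimed a huge string. Lengths are therefore
 * limited in the same way as on the put side.
 */
uint16_t *bio_get_string16(struct binder_io *bio, unsigned *sz)
{
    unsigned len;

    len = bio_get_uint32(bio);
    if (sz)
        *sz = len;

    /* "no string" marker: nothing follows, the stream stays readable */
    if (len == 0xffffffff)
        return 0;

    /* any other oversized length is malformed: poison the stream */
    if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) {
        bio->data_avail = 0;
        bio->flags |= BIO_F_OVERFLOW;
        return 0;
    }

    /* cannot wrap: len + 1 <= MAX_BIO_SIZE / 2 */
    return bio_get(bio, (len + 1) * sizeof(uint16_t));
}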
587
/*
 * Consume a binder_object at the current read position, but only if that
 * position appears in the offsets table of bio. Otherwise the stream is
 * marked BIO_F_OVERFLOW with no data left, and 0 is returned.
 */
static struct binder_object *_bio_get_obj(struct binder_io *bio)
{
    const unsigned cursor = bio->data - bio->data0;
    unsigned i = 0;

    /* TODO: be smarter about this? */
    while (i < bio->offs_avail) {
        if (bio->offs[i] == cursor)
            return bio_get(bio, sizeof(struct binder_object));
        i++;
    }

    bio->data_avail = 0;
    bio->flags |= BIO_F_OVERFLOW;
    return 0;
}
603
/*
 * Read the next object from bio and return its pointer field if the
 * object is a BINDER_TYPE_HANDLE. Returns 0 when there is no object at
 * the read position or the object has another type.
 */
void *bio_get_ref(struct binder_io *bio)
{
    struct binder_object *obj = _bio_get_obj(bio);

    if (obj && obj->type == BINDER_TYPE_HANDLE)
        return obj->pointer;
    return 0;
}
617