| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Not used, came up over email recently.
Bug: N/A
Test: N/A
Change-Id: Ibde57ce5607587254a3d9262ac429488f3a5d263
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
It will end up in the same index as BR_TRANSACTION because they are
both defined as reply 2 with the only difference being the size of the
structs which is stored in the lower 14 bits of the top 16 bits of the
32-bit structure. When we index into this array, we use only the bottom
8 bits with _IOC_NRBITS.
See the definition in bionic/libc/kernel/uapi/linux/android/binder.h
Test: m
Bug: none
Change-Id: Ie301d1fd89085dc69a2966b0f3ca349732133f8f
|
| |
|
|
|
|
| |
Test: m
Bug: 313369251
Change-Id: Iabddad2cb3fc3090517178be3b62ee08e501e24e
|
| |
|
|
|
|
| |
Test: mma
Bug: 302723053
Change-Id: Ie7c13c324311f600d72bc8ecc4157ad6c46259a0
|
| |
|
|
|
|
|
|
|
| |
This should go/disgracefully-explode but this has been here long enough
that just making it crash would be scary.
Test: build and boot emulator
Bug: 262395166
Change-Id: I9f68e08d153c9ed0aa5d0208db6f3184ed9e8f5e
|
| |\ |
|
| | |
| |
| |
| |
| | |
Test: tried running it and the output looks good
Change-Id: Id4a6029c708e57f3ee79f9eb013d93d14f1eb417
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When an async binder transaction is sent to a frozen process, the kernel
binder driver returns BR_TRANSACTION_PENDING_FROZEN. This tells the user
space app that pending async binder transaction won't be processed until
the target process is unfrozen at an unspecified time in the future.
Generally all binder transactions to frozen processes should be avoided
to prevent the kernel async binder buffer from running out.
Bug: 253913841
Test: freeze process and check logcat
Change-Id: Ie0191b0b3b6b0a4a8481f27f3b0e64e4c1279cb5
|
| |/
|
|
|
|
|
|
| |
This new method will track whether the caller is within a Binder.clearCallingIdentity/restoreCallingIdentity block based on packing this state information into the token returned by clearCallingIdentity.
Bug: b/252975769
Test: static_assert in IPCThreadState.cpp
Change-Id: Ifa71fcf2f31b607fec39a51e3a8d16eb2987440a
|
| |
|
|
|
|
|
|
|
|
| |
TextOutput based logs are causing direct leaks while fuzzing service
manager. Modifying logs to use liblog based logging functions.
BUG: 240388906
Test: m SANITIZE_HOST=address servicemanager_fuzzer &&
out/host/linux-x86/fuzz/x86_64/servicemanager_fuzzer/servicemanager_fuzzer
Change-Id: I3721051bc92df86c80dce9ed2e9dcac20cafef84
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Well, so the race is:
- client sends a large transaction (buffer A)
- server processes result
- server sends reply (1)
- client gets reply
- client sends another large transaction (buffer B)
- transaction fails, not enough space
- server frees buffer A (2)
This CL moves (2) to happen before (1). We set the Parcel size
to 0, which has the effect of freeing data, before the destructor
runs.
Test: binderLibTest
Test: binderLibTest --gtest_filter="*Garg*" --gtest_repeat=1000 --gtest_break_on_failure
Fixes: 238777741
Change-Id: Ic223a98c55904bb3f77ca13729cdf24a992cef1e
|
| |
|
|
|
|
|
|
|
|
| |
This enforces a clearer separation of concerns between the data owner
and the parcel code. It happened to reveal an edge case where FDs are
prematurely closed (tracking a fix in b/239222407).
Test: TH
Bug: 239222407
Change-Id: I54ff0c8e4a8f64afd529092d2038dac40c853371
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added tests for max total thread count.
Renamed getThreadPoolMaxThreadCount to getThreadPoolMaxTotalThreadCount
which takes into account user joined threads and polling threads.
Test added to check that the current available threads update properly
and do not lock.
Added second test that simulates a deadlock and confirms the deadlock.
Bug: 188834514
Test: binderLibTest
Change-Id: Ia99d95544a38596ec9fc316e623e523b64337bc7
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This adds basic support to pull extended error information provided by
the driver via BINDER_GET_EXTENDED_ERROR ioctl. For now, we'll only log
the information upon a failed transaction. However, this data can later
be used to handle error scenarios such as retry strategies.
Bug: 28321379
Test: atest binderLibTest
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I8aed63cb0d1aa15aa96db4ab8999e300fef1f505
|
| |
|
|
|
|
|
|
| |
This reverts commit a643e2dabde445e257dc97e9ce81436497f6b2ee.
Reason for revert: Fixed libvrflinger
Change-Id: I2df02b571b49fe040958ee2c8236605426315d68
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use std::map instead of KeyedVector (deprecated) in order to avoid
unnecessary (and implicit) initialization of the value type. KeyedVector
does it even when only the key is neeed (e.g. indexOfKey). std::map
doesn't have such a problem.
Bug: 222775179
Test: unset WITH_TIDY; CLANG_ANALYZER_CHECKS=1 make -k
tidy-frameworks-native-libs-binder
Change-Id: I548fc96a34bac9c7135e206983150948dbca57d4
|
| |
|
|
|
|
|
|
| |
This reverts commit bc8d5b4830d7fb5afe52f9d8809212babedd72b1.
Reason for revert: breaks libvrflinger build
Change-Id: I767dbf3ed56893ead497184d2204a04156faaa9d
|
| |
|
|
|
|
|
|
|
| |
Replaces the old utils/threads.h with the newer replacement
headers or removes it altogether from some files.
Bug: None
Test: m
Change-Id: Id85ddcb6b647e95a649ca2cd77e9db34c5e77b30
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This function isn't used, and ProcessState is a global object.
Future consideration:
- would it be worth the saved memory in thread local storage to drop
IPCThreadState::mProcess and reference the global?
Bug: N/A
Test: N/A
Change-Id: I984f57827d3ade423b24132dd5b5f18028dc2a1d
|
| |
|
|
|
|
| |
Bug: 199537730
Test: Build and boot Android with Freezer enabled
Change-Id: I661f8fa628df2894be4f4c695ba78e43ac621bd1
|
| |
|
|
|
|
|
|
|
|
| |
Improve primitive binder function to check if a process has any pending
binder transactions so that the freezer policy can choose to wait and
drain those pending transactions.
Bug: 198493121
Test: app launch/foreground/background stress test
Change-Id: Ia7ce6899ddaeb8e8453b0b8f3536d129b6b761d3
|
| |
|
|
|
|
|
|
|
|
|
| |
Revert submission 1553275-Bug139327211_V5
Reason for revert: causing a different race condition? b/187218964
Reverted Changes:
I9345f4439:binder: race condition by parcel finalize
Ib06e38e22:binder: race condition by parcel finalize
Change-Id: Ic83ad85441d310aa272b462f8b5c46735c6378b5
|
| |
|
|
|
| |
Change-Id: I959ea32145a530f49288cc84b5ce27808937ff2e
Bug: 188512748
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
df2e017a4f492478137a27a566c560787017380e
Rein in the context! These "global" functions make sense sometimes, and
sometimes they make NO sense. Specifically, if you're going to make a
binder RPC call, you shouldn't be relying on getCalling* (silly!).
This is added as a generic mechanism in order that it might see more
use.
Bug: 186647790
Test: binderLibTest
Change-Id: Ic64bde4e8e0d6b203f58eef1ba09f2229ad2008b
|
| |
|
|
|
|
|
|
|
|
|
| |
Revert submission 1707789
Reason for revert: potential cause of b/188228705
Reverted Changes:
Id8fc889f4:libbinder: binder RPC - using getCalling* aborts
I2145ad0e7:libbinder: introduce guards for getCalling*
Change-Id: Id824b7dff55f5cd1a7ac5f2443bd9604fba9fe63
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rein in the context! These "global" functions make sense sometimes, and
sometimes they make NO sense. Specifically, if you're going to make a
binder RPC call, you shouldn't be relying on getCalling* (silly!).
This is added as a generic mechanism in order that it might see more
use.
Bug: 186647790
Test: binderLibTest
Change-Id: I2145ad0e7dc44d257c25098160ad65086fa8cf21
|
| |
|
|
|
|
|
|
|
|
|
| |
Having a 'private' include directory for a library is somewhat of an
artifact. There is no need to export these (or once include_dirs is
eliminated, make them available at any capacity). We want libbinder to
completely encapsulate the kernel API.
Bug: N/A
Test: binderLibTest
Change-Id: If84ff928a186f3397150660c2cc1faadb46b796c
|
| |
|
|
|
|
|
|
|
|
| |
This command tells userspace to dump current stack, which happened
when oneway spamming is detected in kernel. And also add an ioctl
command BINDER_ENABLE_ONEWAY_SPAM_DETECTION to enable/disable this
feature per-proc.
Bug: 181190340
Change-Id: I7afb1df46a4fbf59bc69b56649aa3ee779dfea5a
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Minimal-ish change for basic binder RPC.
This enables binder to work over sockets. The main change to core code
is in 'Parcel' and 'BpBinder'. The Parcel format is now associated with
the binder that it is either for or a reply from (we no longer have
binder 'objects' for the kernel). BpBinder is extended to support
talking over sockets (ideally, this would be a subclass, but
IBinder::localBinder/remoteBinder mean there is a lot of code which
presupposes what type of binder we have).
In addition, we have a few new objects:
- RpcServer - set this up to serve a connection
- RpcConnection - symmetrical object handling dispatch to a known
server/client
- RpcAddress - (this will definitely change) randomly generated
addresses - this might include things like host VM context, ip
address, or similar in the future. In that case, the address
generation should be cryptographically secure.
- RpcState - this keeps track of known binders, their refcounts, and
async transactions, and it understand the binder socket wire
protocol
The connection itself looks like N socket accepts to a server (the
server might have M socket accepts back to the client for symmetrical
connections, that is connections which need more than nested
transactions). The number of these socket connections controls how many
synchronous transactions can be made. Wherever possible, the behavior
here seeks to mimick the binder driver, and some differences are
documented in the code.
After this CL merges, the future work I intend on completing includes:
- support to work over vsock
- performance benchmarking
- optimization of the socket code here (may include delaying refcounts)
- support to pass 'transitive' binders (pass a binder from one service
to a different service, to let it setup a new connection). This task
may be excluded from my efforts as a security hedge if I can manage.
- fuzzer for this wire format
- support for linkToDeath
- support for transaction encryption
- support for promoting from a weak pointer
- handling SIGPIPE for dead connections
- and many more! :)
Bug: 167966510
Test: binderRpcTest
Change-Id: I276c6e312f584b57f4e7a14389ea4a1d63cfa2f4
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Root cause:
1) a client thread calls "transact", and then, reads a java binder object from the java parcel object
2) the java binder object sends BC_ACQUIRE/BC_INCREFS, but still in the queue, not yet flushed to driver
3) the java parcel object is garbage-collect-ed, and, its finalize method may possibly sends BC_FREE_BUFFER
Because "BC_FREE_BUFFER" is from the java finalize thread, which is different from the "client thread", so, it is possible that "BC_FREE_BUFFER" will be flushed to driver before "BC_ACQUIRE/BC_INCREFS", which makes driver destroy the related "binder_ref" object prematurely.
Consequences of the issue:
The user space process might always hold the above java binder object, whose "handle value" is indeed invalid because the related "binder_ref" in driver is destroyed. This causes a lot of chaos inside the process:
<a> any binder call on the java binder object will be a failure, with kernel log complain: ...got transaction to invalid handle...
<b> afterward, any new bind object passed to this process will NOT create a brand new one for it, instead, it will be simply and incorrectly mapped to the above old biner object, because the new incoming one will use the same "handle value" as the old one. This will make a mess and many weird bugs.
First, it may break "binder object identity" compare based functionality. For example, after registering a listener to a service, all following registering may fail because the latter new listener object is mapped to the old one incorrectly. The service will reject them as "already registered".
Second, binder call on the old binder object is actually dispatched to the new remote binder object, it might even be a success if they are of the same class/interface, which is actually not we expected; and on the other hand, the new binder object may even be of different class/interface, and of course, the binder call may be a failure due to "interface descriptor check".
<c> the user space process cannot recover from the bug automatically unless restart.
Solution:
Hold a temporary reference to the parcel object until "BC_ACQUIRE/BC_INCREFS" flushed to driver.
Bug: 139327211
Test: monkey test for one day and one night
Co-authored-by: Steven Moreland <smoreland@google.com>
Signed-off-by: Jintao Zhu <zhujtcsieee@gmail.com>
Change-Id: Ib06e38e22924faa78f5aaa5fd6fdd37fbb80206d
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
BC_FREE_BUFFER and ref commands are normally just queued, and not
automatically flushed out to the kernel driver. This usually works fine,
because BC_FREE_BUFFER is typically called from a binder thread (which
flushes when calling back into the kernel), or a thread making regular
binder transactions itself.
But it can happen that a Parcel is destructed from a thread that meets
neither of those requirements; especially Parcels created from Java are
sensitive to this, because if they aren't immediately recycled, they
will instead be garbage collected, and in that case the BC_FREE_BUFFER
will be queued to the FinalizerDaemon thread, which otherwise never
makes or receives any binder calls.
To prevent these commands from getting stuck, flush BC_FREE_BUFFER and
refcount operations automatically from such threads.
Bug: 68604253
Bug: 139697085
Test: boots, binderLibTest
Change-Id: I98109a7046c122db22af0b15a268629284f06663
|
| |\ \ \ |
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Because it uses:
- 0.4% of system_server CPU time
- 1% of com.android.bluetooth
- 0.8% of com.android.phone
This call is used to implement
IPCThreadState::blockUntilThreadAvailable, but this API is actually only
used by WatchDog.java, and due to the locking we have in place here, we
have more information than pthread does internally to tell it when a
broadcast would actually be useful.
Future considerations: this API is actually broken in the case of poll
calls or if too many userspace threads manually call joinRpcThreadpool.
We could move the binder part of WatchDog.java into a separate process
and completely remove all of the associated infrastructure. An external
process could call pingBinder (or similar) on different services. This
would have the same effect, but it would use the existing path of
processing a transaction in order to detect deadlocks.
Bug: 168806193
Test: boot, manually check how often this gets called now (only when
the binder threadpool is saturated when this is called, so at most
once/30 seconds given WatchDog's current implementation)
Change-Id: I44f8ff0d8ca2cdf236a9fa3ad1e3a0241663bfcd
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Calling setupPolling and then handling polled commands has the effect
of never telling the kernel anything, and then then waiting for it to
get back to you. While this type of (non)communication may be common
among some humans, it should not be common among our processes.
So - the general requirement for a flushCommands call by every client of
this call is lifted.
Critically, also, this means that LL-NDK users of the setupPolling
command don't also need a flushCommand. This avoids an extra API. Sure,
it may be useful to have such a command, but whenever it is used in our
tree, it is mostly used as a hack. So, hopefully this delay in adding it
will instead encourage fixes in libbinder which help avoid people
needing to understand binder internals.
Bug: 139697085
Test: use with servicemanager and boot
Change-Id: I45d19bf6b58950f9d91dd6f7dcaa94b8061d3666
|
| |/
|
|
|
|
|
|
|
| |
For manually written/some backends. At least the C++ backend doesn't
pipe oneway errors into libbinder, so won't have the log there yet.
Bug: 160191455
Test: binderLibTest
Change-Id: I96c8b46044e5abc1a61812a998e5fabbb1859984
|
| |
|
|
|
|
|
| |
Bug: 162909698
Test: m libbinder
Change-Id: I63ec0e57166a97711d254156bde04ffe155465a5
|
| |
|
|
|
|
|
| |
Bug: 162909698
Test: m libbinder
Change-Id: I91afd69d482984138a52dda39bc68056d62a442e
|
| |
|
|
|
|
|
|
|
| |
This field is unused, and I would like to use it. Temporarily adding a
very explicit error value here.
Bug: 167966510
Test: build & boot
Change-Id: Ie623f1639bb33420c9dcf71053c1887ffce73b5f
|
| |
|
|
|
|
|
|
|
|
| |
This flag instructs the kernel to clear transactions from send/reply
buffers for certain transactions which may contain sensitive data, as a
security precaution.
Bug: 171501998
Test: binderLibTest (only checks there is no error)
Change-Id: I69d732e5cc2b15472dc52d47c66716bc1b3be6ae
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 41a4c36712b23aff58d9305e4191dc18d143f6bd.
This fixes the CallRestriction issue, but removes the added test
which has problems in another context and will be fixed separately.
Reason for revert: refix b/167302413
Testing issue will be handled separately in b/168942807.
Fixes: 167302413
Change-Id: Iedc1ff73d086c973bfcab511ace26d0ec2291040
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 9f50ea66b4cd4ddf436fea574f768a7fab7963ea.
Reason for revert: b/168942807
Change-Id: I7ab5de17441f972bc3e6cfdba09e8b4901669f6d
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There is a special transaction required to make sure that the context
manager is setup before we get a reference to it. Since this is required
to use binder, it would prevent use of CallRestriction outside of
servicemanager.
Fixes: 167302413
Test: binderLibTest
Change-Id: I029e2a99013008a7c8614d63dc29df2889067d11
|
| |/
|
|
|
|
|
|
|
|
| |
Introduce a new function to use BINDER_GET_FROZEN_INFO and related
tests.
Bug: 143717177
Test: atest testBinderLib
Change-Id: I8a6c550fadef90b73a36a7931c2a8b2d00a64a04
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The BINDER_FREEZE ioctl and related structures have been added to the
driver to notify binder of the frozen state of a process. This patch
introduces low-level user space handling for libbinder.
Bug: 143717177
Test: verified that binder transactions to a frozen app return ERR_FROZEN
Test: verified that transactions are correctly received by non-frozen apps
Co-developed-by: Todd Kjos <tkjos@google.com>
Change-Id: I31fed5ecb040f5ba5b8e27ab6a20c441964f32b4
|
| |
|
|
|
|
|
|
| |
Missing negation. 'oneway' -> 'non-oneway'
Bug: N/A
Test: N/A
Change-Id: Ic96e352506462d6354bd137eb22dce72d1279cdd
|
