android: binder: support for file-descriptor arrays.
authorMartijn Coenen <maco@google.com>
Tue, 18 Oct 2016 11:58:55 +0000 (13:58 +0200)
committerMartijn Coenen <maco@android.com>
Mon, 31 Oct 2016 14:14:59 +0000 (15:14 +0100)
This patch introduces a new binder_fd_array object,
that allows us to support one or more file descriptors
embedded in a buffer that is scatter-gathered.

Change-Id: I647a53cf0d905c7be0dfd9333806982def68dd74
Signed-off-by: Martijn Coenen <maco@google.com>
drivers/android/binder.c
include/uapi/linux/android/binder.h

index a0f4d29e514888c74cfbd03b726192b185d4ab0a..9513938252615b146d3abffdc4c0cb3d58afa44c 100644 (file)
@@ -156,6 +156,9 @@ module_param_call(stop_on_user_error, binder_set_stop_on_user_error,
 #define to_binder_buffer_object(hdr) \
        container_of(hdr, struct binder_buffer_object, hdr)
 
+#define to_binder_fd_array_object(hdr) \
+       container_of(hdr, struct binder_fd_array_object, hdr)
+
 enum binder_stat_types {
        BINDER_STAT_PROC,
        BINDER_STAT_THREAD,
@@ -1312,6 +1315,9 @@ static size_t binder_validate_object(struct binder_buffer *buffer, u64 offset)
        case BINDER_TYPE_PTR:
                object_size = sizeof(struct binder_buffer_object);
                break;
+       case BINDER_TYPE_FDA:
+               object_size = sizeof(struct binder_fd_array_object);
+               break;
        default:
                return 0;
        }
@@ -1505,6 +1511,47 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
                         * transaction buffer gets freed
                         */
                        break;
+               case BINDER_TYPE_FDA: {
+                       struct binder_fd_array_object *fda;
+                       struct binder_buffer_object *parent;
+                       uintptr_t parent_buffer;
+                       u32 *fd_array;
+                       size_t fd_index;
+                       binder_size_t fd_buf_size;
+
+                       fda = to_binder_fd_array_object(hdr);
+                       parent = binder_validate_ptr(buffer, fda->parent,
+                                                    off_start,
+                                                    offp - off_start);
+                       if (!parent) {
+                               pr_err("transaction release %d bad parent offset",
+                                      debug_id);
+                               continue;
+                       }
+                       /*
+                        * Since the parent was already fixed up, convert it
+                        * back to kernel address space to access it
+                        */
+                       parent_buffer = parent->buffer -
+                               proc->user_buffer_offset;
+
+                       fd_buf_size = sizeof(u32) * fda->num_fds;
+                       if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
+                               pr_err("transaction release %d invalid number of fds (%lld)\n",
+                                      debug_id, (u64)fda->num_fds);
+                               continue;
+                       }
+                       if (fd_buf_size > parent->length ||
+                           fda->parent_offset > parent->length - fd_buf_size) {
+                               /* No space for all file descriptors here. */
+                               pr_err("transaction release %d not enough space for %lld fds in buffer\n",
+                                      debug_id, (u64)fda->num_fds);
+                               continue;
+                       }
+                       fd_array = (u32 *)(parent_buffer + fda->parent_offset);
+                       for (fd_index = 0; fd_index < fda->num_fds; fd_index++)
+                               task_close_fd(proc, fd_array[fd_index]);
+               } break;
                default:
                        pr_err("transaction release %d bad object type %x\n",
                                debug_id, hdr->type);
@@ -1674,6 +1721,63 @@ err_fd_not_accepted:
        return ret;
 }
 
+static int binder_translate_fd_array(struct binder_fd_array_object *fda,
+                                    struct binder_buffer_object *parent,
+                                    struct binder_transaction *t,
+                                    struct binder_thread *thread,
+                                    struct binder_transaction *in_reply_to)
+{
+       binder_size_t fdi, fd_buf_size, num_installed_fds;
+       int target_fd;
+       uintptr_t parent_buffer;
+       u32 *fd_array;
+       struct binder_proc *proc = thread->proc;
+       struct binder_proc *target_proc = t->to_proc;
+
+       fd_buf_size = sizeof(u32) * fda->num_fds;
+       if (fda->num_fds >= SIZE_MAX / sizeof(u32)) {
+               binder_user_error("%d:%d got transaction with invalid number of fds (%lld)\n",
+                                 proc->pid, thread->pid, (u64)fda->num_fds);
+               return -EINVAL;
+       }
+       if (fd_buf_size > parent->length ||
+           fda->parent_offset > parent->length - fd_buf_size) {
+               /* No space for all file descriptors here. */
+               binder_user_error("%d:%d not enough space to store %lld fds in buffer\n",
+                                 proc->pid, thread->pid, (u64)fda->num_fds);
+               return -EINVAL;
+       }
+       /*
+        * Since the parent was already fixed up, convert it
+        * back to the kernel address space to access it
+        */
+       parent_buffer = parent->buffer - target_proc->user_buffer_offset;
+       fd_array = (u32 *)(parent_buffer + fda->parent_offset);
+       if (!IS_ALIGNED((unsigned long)fd_array, sizeof(u32))) {
+               binder_user_error("%d:%d parent offset not aligned correctly.\n",
+                                 proc->pid, thread->pid);
+               return -EINVAL;
+       }
+       for (fdi = 0; fdi < fda->num_fds; fdi++) {
+               target_fd = binder_translate_fd(fd_array[fdi], t, thread,
+                                               in_reply_to);
+               if (target_fd < 0)
+                       goto err_translate_fd_failed;
+               fd_array[fdi] = target_fd;
+       }
+       return 0;
+
+err_translate_fd_failed:
+       /*
+        * Failed to allocate fd or security error, free fds
+        * installed so far.
+        */
+       num_installed_fds = fdi;
+       for (fdi = 0; fdi < num_installed_fds; fdi++)
+               task_close_fd(target_proc, fd_array[fdi]);
+       return target_fd;
+}
+
 static int binder_fixup_parent(struct binder_transaction *t,
                               struct binder_thread *thread,
                               struct binder_buffer_object *bp,
@@ -2002,6 +2106,38 @@ static void binder_transaction(struct binder_proc *proc,
                        fp->pad_binder = 0;
                        fp->fd = target_fd;
                } break;
+               case BINDER_TYPE_FDA: {
+                       struct binder_fd_array_object *fda =
+                               to_binder_fd_array_object(hdr);
+                       struct binder_buffer_object *parent =
+                               binder_validate_ptr(t->buffer, fda->parent,
+                                                   off_start,
+                                                   offp - off_start);
+                       if (!parent) {
+                               binder_user_error("%d:%d got transaction with invalid parent offset or type\n",
+                                                 proc->pid, thread->pid);
+                               return_error = BR_FAILED_REPLY;
+                               goto err_bad_parent;
+                       }
+                       if (!binder_validate_fixup(t->buffer, off_start,
+                                                  parent, fda->parent_offset,
+                                                  last_fixup_obj,
+                                                  last_fixup_min_off)) {
+                               binder_user_error("%d:%d got transaction with out-of-order buffer fixup\n",
+                                                 proc->pid, thread->pid);
+                               return_error = BR_FAILED_REPLY;
+                               goto err_bad_parent;
+                       }
+                       ret = binder_translate_fd_array(fda, parent, t, thread,
+                                                       in_reply_to);
+                       if (ret < 0) {
+                               return_error = BR_FAILED_REPLY;
+                               goto err_translate_failed;
+                       }
+                       last_fixup_obj = parent;
+                       last_fixup_min_off =
+                               fda->parent_offset + sizeof(u32) * fda->num_fds;
+               } break;
                case BINDER_TYPE_PTR: {
                        struct binder_buffer_object *bp =
                                to_binder_buffer_object(hdr);
@@ -2072,6 +2208,7 @@ static void binder_transaction(struct binder_proc *proc,
 err_translate_failed:
 err_bad_object_type:
 err_bad_offset:
+err_bad_parent:
 err_copy_data_failed:
        trace_binder_transaction_failed_buffer_release(t->buffer);
        binder_transaction_buffer_release(target_proc, t->buffer, offp);
index f3ef6e2634ba9f360171f28cb62dc8f2fbe5f8f8..51f891fb1b18ad9b14713fe3a4f2a541c9ca5442 100644 (file)
@@ -33,6 +33,7 @@ enum {
        BINDER_TYPE_HANDLE      = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),
        BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),
        BINDER_TYPE_FD          = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),
+       BINDER_TYPE_FDA         = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE),
        BINDER_TYPE_PTR         = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE),
 };
 
@@ -129,6 +130,33 @@ enum {
        BINDER_BUFFER_FLAG_HAS_PARENT = 0x01,
 };
 
+/* struct binder_fd_array_object - object describing an array of fds in a buffer
+ * @hdr:               common header structure
+ * @num_fds:           number of file descriptors in the buffer
+ * @parent:            index in offset array to buffer holding the fd array
+ * @parent_offset:     start offset of fd array in the buffer
+ *
+ * A binder_fd_array object represents an array of file
+ * descriptors embedded in a binder_buffer_object. It is
+ * different from a regular binder_buffer_object because it
+ * describes a list of file descriptors to fix up, not an opaque
+ * blob of memory, and hence the kernel needs to treat it differently.
+ *
+ * An example of how this would be used is with Android's
+ * native_handle_t object, which is a struct with a list of integers
+ * and a list of file descriptors. The native_handle_t struct itself
+ * will be represented by a struct binder_buffer_objct, whereas the
+ * embedded list of file descriptors is represented by a
+ * struct binder_fd_array_object with that binder_buffer_object as
+ * a parent.
+ */
+struct binder_fd_array_object {
+       struct binder_object_header     hdr;
+       binder_size_t                   num_fds;
+       binder_size_t                   parent;
+       binder_size_t                   parent_offset;
+};
+
 /*
  * On 64-bit platforms where user code may run in 32-bits the driver must
  * translate the buffer (and local binder) addresses appropriately.