From 7c166e19051768edfa7c098c8be1f635f429f819 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Sat, 20 Jul 2024 00:40:56 +0000
Subject: libbinder: don't hold global locks for callbacks..

... that can be set by other libraries :)

Bug: 354286280
Bug: 199683153
Bug: 352692435
Test: boot
Change-Id: I8b8b9a243336a45af50fffbddcab13808a4a1bdc
---
 libs/binder/BpBinder.cpp | 15 ++++++++++++---
 libs/binder/ProcessState.cpp | 7 ++++++-
 libs/binder/include/binder/BpBinder.h | 6 ++++--
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/libs/binder/BpBinder.cpp b/libs/binder/BpBinder.cpp
index 6594aa6309..af9e04b0b6 100644
--- a/libs/binder/BpBinder.cpp
+++ b/libs/binder/BpBinder.cpp
@@ -160,11 +160,12 @@ void BpBinder::ObjectManager::kill()
 // ---------------------------------------------------------------------------
-sp BpBinder::create(int32_t handle) {
+sp BpBinder::create(int32_t handle, std::function* postTask) {
 if constexpr (!kEnableKernelIpc) {
 LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
 return nullptr;
 }
+ LOG_ALWAYS_FATAL_IF(postTask == nullptr, "BAD STATE");
 int32_t trackedUid = -1;
 if (sCountByUidEnabled) {
@@ -183,7 +184,11 @@ sp BpBinder::create(int32_t handle) {
 ALOGE("Still too many binder proxy objects sent to uid %d from uid %d (%d proxies "
 "held)",
 getuid(), trackedUid, trackedValue);
- if (sLimitCallback) sLimitCallback(trackedUid);
+
+ if (sLimitCallback) {
+ *postTask = [=]() { sLimitCallback(trackedUid); };
+ }
+
 sLastLimitCallbackMap[trackedUid] = trackedValue;
 }
 } else {
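Review bot: The message in `LOG_ALWAYS_FATAL_IF(postTask == nullptr, "BAD STATE");` does not say which invariant failed, so a crash report from this abort will not point at the missing out-parameter. Something like `LOG_ALWAYS_FATAL_IF(postTask == nullptr, "postTask must not be null");` costs nothing and makes the abort self-explanatory. The body of `create` continues past the end of this hunk.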
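Review bot: The lambda assigned to `*postTask` captures with `[=]`, which copies `trackedUid` but not `sLimitCallback` if that is a static member, as its name suggests (its declaration is outside the hunk). In that case the callback is read again when the task runs, after `create` has returned and `getStrongProxyForHandle` has unlocked `mLock`. If the callback were replaced or cleared between the `if (sLimitCallback)` test and the deferred call, the task would read it without synchronization and could invoke an empty callback. Copying it while the check is still valid avoids that: `*postTask = [cb = sLimitCallback, trackedUid]() { cb(trackedUid); };`. The same applies to the identical lambda in the `@@ -197,7 +202,11 @@` hunk.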
@@ -197,7 +202,11 @@ sp BpBinder::create(int32_t handle) {
 ALOGE("Too many binder proxy objects sent to uid %d from uid %d (%d proxies held)",
 getuid(), trackedUid, trackedValue);
 sTrackingMap[trackedUid] |= LIMIT_REACHED_MASK;
- if (sLimitCallback) sLimitCallback(trackedUid);
+
+ if (sLimitCallback) {
+ *postTask = [=]() { sLimitCallback(trackedUid); };
+ }
+
 sLastLimitCallbackMap[trackedUid] = trackedValue & COUNTING_VALUE_MASK;
 if (sBinderProxyThrottleCreate) {
 ALOGI("Throttling binder proxy creates from uid %d in uid %d until binder proxy"
diff --git a/libs/binder/ProcessState.cpp b/libs/binder/ProcessState.cpp
index a42ede29a2..29ad8ef057 100644
--- a/libs/binder/ProcessState.cpp
+++ b/libs/binder/ProcessState.cpp
@@ -311,6 +311,7 @@ extern sp the_context_object;
 sp ProcessState::getStrongProxyForHandle(int32_t handle)
 {
 sp result;
+ std::function postTask;
 std::unique_lock _l(mLock);
@@ -358,7 +359,7 @@ sp ProcessState::getStrongProxyForHandle(int32_t handle)
 return nullptr;
 }
- sp b = BpBinder::PrivateAccessor::create(handle);
+ sp b = BpBinder::PrivateAccessor::create(handle, &postTask);
 e->binder = b.get();
 if (b) e->refs = b->getWeakRefs();
 result = b;
@@ -371,6 +372,10 @@ sp ProcessState::getStrongProxyForHandle(int32_t handle)
 }
 }
+ _l.unlock();
+
+ if (postTask) postTask();
+
 return result;
 }
diff --git a/libs/binder/include/binder/BpBinder.h b/libs/binder/include/binder/BpBinder.h
index d7f74c4152..ca879a8f94 100644
--- a/libs/binder/include/binder/BpBinder.h
+++ b/libs/binder/include/binder/BpBinder.h
@@ -134,7 +134,9 @@ public:
 friend class ::android::RpcState;
 explicit PrivateAccessor(const BpBinder* binder) : mBinder(binder) {}
- static sp create(int32_t handle) { return BpBinder::create(handle); }
+ static sp create(int32_t handle, std::function* postTask) {
+ return BpBinder::create(handle, postTask);
+ }
 static sp create(const sp& session, uint64_t address) {
 return BpBinder::create(session, address);
 }
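Review bot: The new `_l.unlock();` / `if (postTask) postTask();` pair in the `@@ -371,6 +372,10 @@` hunk of ProcessState.cpp has no comment saying why the task must run outside `mLock`, so a later cleanup could move the call back under the lock. A line above `_l.unlock();` such as `// Run the limit callback only after mLock is released: it is set by other libraries and must not run under a global lock.` would record the invariant the commit message describes. The commit lists only `Test: boot`, so nothing visible here exercises a limit callback that calls back into binder; a regression test for that case would be worth adding.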
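Review bot: `PrivateAccessor::create` in BpBinder.h now names `std::function` in its signature, but the diff adds no `#include <functional>` to this header. The include block is outside the hunk, so it may already be there; if it only reaches this header transitively, add `#include <functional>` so the header stays self-contained. The same applies to the private declaration in the `@@ -156,7 +158,7 @@` hunk.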
@@ -156,7 +158,7 @@ private:
 friend PrivateAccessor;
 friend class sp;
- static sp create(int32_t handle);
+ static sp create(int32_t handle, std::function* postTask);
 static sp create(const sp& session, uint64_t address);
 struct BinderHandle {
--
cgit v1.2.3-59-g8ed1b
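Review bot: The new `postTask` parameter on the private `create(int32_t handle, ...)` declaration is an out-parameter whose contract is not written down. BpBinder.cpp aborts when it is null, and ProcessState.cpp runs the stored task only after unlocking `mLock`. A comment above the declaration such as `// postTask must be non-null; if it is set on return, the caller runs it after releasing its locks.` would keep future callers from invoking it under a lock or passing `nullptr`. The class body continues outside this hunk.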