commit 5e74d2db3fa66d80e872333779bfc8600d4ac242
author Andrei Homescu <ahomescu@google.com> Fri Aug 19 22:46:38 2022 +0000
committer Andrei Homescu <ahomescu@google.com> Tue Aug 23 03:53:25 2022 +0000
tree f11cc4fc27be34bc26affa07b4a7d80e7c95df96
parent 62bb50a6edb019952e106ca037e34d6c1525dcda

libbinder: keep track of multiple connections in RpcServerTrusty

Correctly keep track of each individual RpcConnection made
to RpcServerTrusty and close the correct one on cleanup.
The code previously assumed that each session would only
have one connection, which is not necessarily the case
in practice with multi-threaded Android clients.

Bug: 224644083
Test: Trusty tests
Change-Id: I12d04de803e0c5df5c658cdbaf3dd0d45e10ef20

libs/binder/trusty/RpcServerTrusty.cpp

diff --git a/libs/binder/trusty/RpcServerTrusty.cpp b/libs/binder/trusty/RpcServerTrusty.cpp
index e8b91e7..c789614 100644
--- a/libs/binder/trusty/RpcServerTrusty.cpp
+++ b/libs/binder/trusty/RpcServerTrusty.cpp
@@ -104,8 +104,17 @@
             return;
         }
 
-        /* Save the session for easy access */
-        *ctx_p = session.get();
+        /* Save the session and connection for the other callbacks */
+        auto* channelContext = new (std::nothrow) ChannelContext;
+        if (channelContext == nullptr) {
+            rc = ERR_NO_MEMORY;
+            return;
+        }
+
+        channelContext->session = std::move(session);
+        channelContext->connection = std::move(result.connection);
+
+        *ctx_p = channelContext;
     };
 
     base::unique_fd clientFd(chan);
@@ -119,9 +128,14 @@
 }
 
 int RpcServerTrusty::handleMessage(const tipc_port* port, handle_t chan, void* ctx) {
-    auto* session = reinterpret_cast<RpcSession*>(ctx);
-    status_t status = session->state()->drainCommands(session->mConnections.mIncoming[0], session,
-                                                      RpcState::CommandType::ANY);
+    auto* channelContext = reinterpret_cast<ChannelContext*>(ctx);
+    LOG_ALWAYS_FATAL_IF(channelContext == nullptr,
+                        "bad state: message received on uninitialized channel");
+
+    auto& session = channelContext->session;
+    auto& connection = channelContext->connection;
+    status_t status =
+            session->state()->drainCommands(connection, session, RpcState::CommandType::ANY);
     if (status != OK) {
         LOG_RPC_DETAIL("Binder connection thread closing w/ status %s",
                        statusToString(status).c_str());
@@ -133,10 +147,17 @@
 void RpcServerTrusty::handleDisconnect(const tipc_port* port, handle_t chan, void* ctx) {}
 
 void RpcServerTrusty::handleChannelCleanup(void* ctx) {
-    auto* session = reinterpret_cast<RpcSession*>(ctx);
-    auto& connection = session->mConnections.mIncoming.at(0);
+    auto* channelContext = reinterpret_cast<ChannelContext*>(ctx);
+    if (channelContext == nullptr) {
+        return;
+    }
+
+    auto& session = channelContext->session;
+    auto& connection = channelContext->connection;
     LOG_ALWAYS_FATAL_IF(!session->removeIncomingConnection(connection),
                         "bad state: connection object guaranteed to be in list");
+
+    delete channelContext;
 }
 
 } // namespace android