system_server BINDER_TYPE_FD driver ashmem accessors
check if device matches the ashmem rdev, before calling
ashmem_get_size_region. This eliminates making this call
when associated with other driver file descriptors.
Bug: 26374183
Bug: 26918423
Bug: 26871259
Change-Id: I1f88c2c93ea35a73c8e14125f3d1a6c67fa4f15b
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 2e9e658..4a6bce8 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -18,7 +18,9 @@
//#define LOG_NDEBUG 0
#include <errno.h>
+#include <fcntl.h>
#include <inttypes.h>
+#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
@@ -95,6 +97,32 @@
BLOB_ASHMEM_MUTABLE = 2,
};
+static dev_t ashmem_rdev()
+{
+ static dev_t __ashmem_rdev;
+ static pthread_mutex_t __ashmem_rdev_lock = PTHREAD_MUTEX_INITIALIZER;
+
+ pthread_mutex_lock(&__ashmem_rdev_lock);
+
+ dev_t rdev = __ashmem_rdev;
+ if (!rdev) {
+ int fd = TEMP_FAILURE_RETRY(open("/dev/ashmem", O_RDONLY));
+ if (fd >= 0) {
+ struct stat st;
+
+ int ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
+ close(fd);
+ if ((ret >= 0) && S_ISCHR(st.st_mode)) {
+ rdev = __ashmem_rdev = st.st_rdev;
+ }
+ }
+ }
+
+ pthread_mutex_unlock(&__ashmem_rdev_lock);
+
+ return rdev;
+}
+
void acquire_object(const sp<ProcessState>& proc,
const flat_binder_object& obj, const void* who, size_t* outAshmemSize)
{
@@ -126,7 +154,7 @@
if ((obj.cookie != 0) && (outAshmemSize != NULL)) {
struct stat st;
int ret = fstat(obj.handle, &st);
- if (!ret && S_ISCHR(st.st_mode)) {
+ if (!ret && S_ISCHR(st.st_mode) && (st.st_rdev == ashmem_rdev())) {
// If we own an ashmem fd, keep track of how much memory it refers to.
int size = ashmem_get_size_region(obj.handle);
if (size > 0) {
@@ -179,7 +207,7 @@
if (outAshmemSize != NULL) {
struct stat st;
int ret = fstat(obj.handle, &st);
- if (!ret && S_ISCHR(st.st_mode)) {
+ if (!ret && S_ISCHR(st.st_mode) && (st.st_rdev == ashmem_rdev())) {
int size = ashmem_get_size_region(obj.handle);
if (size > 0) {
*outAshmemSize -= size;