commit b0221d1a8ee6d634b238361188c938e339d6083a
author Frederick Mayle <fmayle@google.com> Mon Oct 03 23:10:53 2022 +0000
committer Frederick Mayle <fmayle@google.com> Wed Oct 05 00:37:35 2022 +0000
tree cc3e1780e35bce3dbdf4c776c89e4f881adebd0f
parent 12b528b0527b1a60569d8c2ec0976659d56f3c60

libbinder: Fix FD handling for queued oneway RPC transactions

If a oneway transaction contained FDs and got queued, we'd drop the FDs
and then the Parcel validation would fail with an error once the
transaction was eventually processed.

Bug: 244484370
Test: m libbinder binderRpcTest && out/host/linux-x86/nativetest64/binderRpcTest/binderRpcTest
Change-Id: I781d851d875d496c8b57e3512f3f89c9911e9f3c

libs/binder/tests/binderRpcTestCommon.h

diff --git a/libs/binder/tests/binderRpcTestCommon.h b/libs/binder/tests/binderRpcTestCommon.h
index 4513d36..fddf5f3 100644
--- a/libs/binder/tests/binderRpcTestCommon.h
+++ b/libs/binder/tests/binderRpcTestCommon.h
@@ -167,6 +167,42 @@
     return readFd;
 }
 
+// A threadsafe channel where writes block until the value is read.
+template <typename T>
+class HandoffChannel {
+public:
+    void write(T v) {
+        {
+            RpcMutexUniqueLock lock(mMutex);
+            // Wait for space to send.
+            mCvEmpty.wait(lock, [&]() { return !mValue.has_value(); });
+            mValue.emplace(std::move(v));
+        }
+        mCvFull.notify_all();
+        RpcMutexUniqueLock lock(mMutex);
+        // Wait for it to be taken.
+        mCvEmpty.wait(lock, [&]() { return !mValue.has_value(); });
+    }
+
+    T read() {
+        RpcMutexUniqueLock lock(mMutex);
+        if (!mValue.has_value()) {
+            mCvFull.wait(lock, [&]() { return mValue.has_value(); });
+        }
+        T v = std::move(mValue.value());
+        mValue.reset();
+        lock.unlock();
+        mCvEmpty.notify_all();
+        return std::move(v);
+    }
+
+private:
+    RpcMutex mMutex;
+    RpcConditionVariable mCvEmpty;
+    RpcConditionVariable mCvFull;
+    std::optional<T> mValue;
+};
+
 using android::binder::Status;
 
 class MyBinderRpcSession : public BnBinderRpcSession {
@@ -374,6 +410,18 @@
         out->reset(mockFileDescriptor(acc));
         return Status::ok();
     }
+
+    HandoffChannel<android::base::unique_fd> mFdChannel;
+
+    Status blockingSendFdOneway(const android::os::ParcelFileDescriptor& fd) override {
+        mFdChannel.write(android::base::unique_fd(fcntl(fd.get(), F_DUPFD_CLOEXEC, 0)));
+        return Status::ok();
+    }
+
+    Status blockingRecvFd(android::os::ParcelFileDescriptor* fd) override {
+        fd->reset(mFdChannel.read());
+        return Status::ok();
+    }
 };
 
 } // namespace android