1 /*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <cutils/ashmem.h>
18
/*
 * Implementation of the user-space ashmem API for devices that have an
 * ashmem-enabled kernel. Where the device and kernel allow it (see
 * has_memfd_support() below) regions are backed by memfd instead of the
 * ashmem device. See ashmem-sim.c for the "fake" tmp-based version used by
 * the simulator.
 */
24 #define LOG_TAG "ashmem"
25
26 #include <errno.h>
27 #include <fcntl.h>
28 #include <linux/ashmem.h>
29 #include <linux/memfd.h>
30 #include <log/log.h>
31 #include <pthread.h>
32 #include <stdio.h>
33 #include <string.h>
34 #include <sys/ioctl.h>
35 #include <sys/mman.h>
36 #include <sys/stat.h>
37 #include <sys/syscall.h>
38 #include <sys/sysmacros.h>
39 #include <sys/types.h>
40 #include <unistd.h>
41
42 #include <android-base/file.h>
43 #include <android-base/properties.h>
44 #include <android-base/strings.h>
45 #include <android-base/unique_fd.h>
46
/* ashmem identity: the st_rdev of the ashmem character device, recorded the
 * first time __ashmem_open_locked() succeeds and compared against candidate
 * fds by __ashmem_is_ashmem(). Zero means "not learned yet". */
static dev_t __ashmem_rdev;
/*
 * Guards __ashmem_rdev and the device open that fills it in. This is a plain
 * (non-recursive) mutex, so if a signal handler runs while the lock is held
 * and itself calls into ashmem, the process deadlocks -- these APIs are not
 * safe to call from signal handlers.
 */
static pthread_mutex_t __ashmem_lock = PTHREAD_MUTEX_INITIALIZER;
54
55 /*
56 * has_memfd_support() determines if the device can use memfd. memfd support
57 * has been there for long time, but certain things in it may be missing. We
58 * check for needed support in it. Also we check if the VNDK version of
59 * libcutils being used is new enough, if its not, then we cannot use memfd
60 * since the older copies may be using ashmem so we just use ashmem. Once all
61 * Android devices that are getting updates are new enough (ex, they were
62 * originally shipped with Android release > P), then we can just use memfd and
63 * delete all ashmem code from libcutils (while preserving the interface).
64 *
65 * NOTE:
66 * The sys.use_memfd property is set by default to false in Android
67 * to temporarily disable memfd, till vendor and apps are ready for it.
 * The main issue: apps or vendor processes can issue ashmem IOCTLs directly on
 * FDs they receive, assuming they are ashmem, without going through libcutils.
 * Such fds could very well have been created with libcutils, in which case they
 * may be memfds, and those IOCTLs will then break.
72 *
 * Set the default value of the sys.use_memfd property to true once the issue is
 * resolved, so that the code can then self-detect whether kernel support is
 * present on the device. The property can also be set to true from adb shell,
 * for debugging.
77 */
78
static bool debug_log = false; /* set to true for verbose logging and other debug */
/* Deprecation warning flag for ashmem_pin_region()/ashmem_unpin_region(); the
 * stated intent is to log the warning once per process.
 * NOTE(review): the only readers test `!pin_deprecation_warn`, so with this
 * initial value of true the warning is emitted only when debug_log is also set.
 * Confirm whether the initial value or the test is the intended one. */
static bool pin_deprecation_warn = true; /* Log the pin deprecation warning only once */
81
/* Determine whether vendor processes can cope with memfd in the system:
 *
 * Previously this function checked whether memfd is supported by testing that
 * the vendor VNDK version is greater than Q. Since every Treble-ized device
 * using this code can be assumed up to date enough for memfd, memfd is allowed
 * whenever the device is Treble-ized (ro.treble.enabled).
 */
static bool check_vendor_memfd_allowed() {
    // Read once per process; the property does not change after boot.
    static const bool treble_enabled =
            android::base::GetBoolProperty("ro.treble.enabled", false);
    return treble_enabled;
}
94
/* Determine whether memfd can be supported. This is one-time work whose
 * result is cached by the caller (has_memfd_support()).
 */
static bool __has_memfd_support() {
    if (!check_vendor_memfd_allowed()) {
        return false;
    }

    /* Runtime switch for the detection. It is expected to go away once
     * everything has moved over to memfd; today it is only flipped for
     * debugging to switch the system over. */
    const bool use_memfd = android::base::GetBoolProperty("sys.use_memfd", false);
    if (!use_memfd) {
        if (debug_log) {
            ALOGD("sys.use_memfd=false so memfd disabled\n");
        }
        return false;
    }

    // Probe the kernel: a memfd must be both creatable and sealable, otherwise
    // we fall back to ashmem. The raw syscall is used because this code must
    // build on API levels that predate the libc wrapper.
    android::base::unique_fd probe(
            syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_ALLOW_SEALING));
    if (probe == -1) {
        ALOGE("memfd_create failed: %s, no memfd support.\n", strerror(errno));
        return false;
    }

    if (fcntl(probe, F_ADD_SEALS, F_SEAL_FUTURE_WRITE) == -1) {
        ALOGE("fcntl(F_ADD_SEALS) failed: %s, no memfd support.\n", strerror(errno));
        return false;
    }

    if (debug_log) {
        ALOGD("memfd: device has memfd support, using it\n");
    }
    return true;
}
134
static bool has_memfd_support() {
    /* Per-process answer, computed on first use and never revisited: the
     * properties and kernel probe behind it do not change at runtime. */
    static const bool memfd_supported = __has_memfd_support();
    return memfd_supported;
}
143
/* Build the per-boot ashmem device path, "/dev/ashmem<boot_id>". Returns an
 * empty string (after logging) if the boot id cannot be read; the ashmem
 * open path treats that as "no device". */
static std::string get_ashmem_device_path() {
    static const std::string boot_id_path = "/proc/sys/kernel/random/boot_id";

    std::string boot_id;
    const bool read_ok = android::base::ReadFileToString(boot_id_path, &boot_id);
    if (!read_ok) {
        // NOTE(review): errno here is whatever ReadFileToString left behind.
        ALOGE("Failed to read %s: %s.\n", boot_id_path.c_str(), strerror(errno));
        return "";
    }

    return "/dev/ashmem" + android::base::Trim(boot_id);
}
155
/* Open the ashmem device and record its identity in __ashmem_rdev. The caller
 * must hold __ashmem_lock. Returns the open fd, or -1 with errno set. */
static int __ashmem_open_locked()
{
    static const std::string ashmem_device_path = get_ashmem_device_path();

    if (ashmem_device_path.empty()) {
        // NOTE(review): errno is not set on this path; callers only see -1.
        return -1;
    }

    int fd = TEMP_FAILURE_RETRY(open(ashmem_device_path.c_str(), O_RDWR | O_CLOEXEC));
    if (fd < 0) {
        // Fallback for APEX w/ use_vendor on Q, which would have still used /dev/ashmem.
        const int boot_id_path_errno = errno;
        fd = TEMP_FAILURE_RETRY(open("/dev/ashmem", O_RDWR | O_CLOEXEC));
        if (fd < 0) {
            /* Q launching devices and newer must not reach here since they should have been
             * able to open ashmem_device_path */
            ALOGE("Unable to open ashmem device %s (error = %s) and /dev/ashmem(error = %s)",
                  ashmem_device_path.c_str(), strerror(boot_id_path_errno), strerror(errno));
            return fd;
        }
    }

    // Sanity-check what we opened: it must be a character device with a
    // non-zero rdev, which is the identity later used to recognise ashmem fds.
    struct stat st;
    const int fstat_ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
    if (fstat_ret < 0) {
        const int fstat_errno = errno;
        close(fd);
        errno = fstat_errno;
        return fstat_ret;
    }

    const bool is_char_device = S_ISCHR(st.st_mode) && st.st_rdev != 0;
    if (!is_char_device) {
        close(fd);
        errno = ENOTTY;
        return -1;
    }

    __ashmem_rdev = st.st_rdev;
    return fd;
}
196
/* Lock-taking wrapper around __ashmem_open_locked(). Returns the open ashmem
 * device fd, or a negative value (errno as left by the locked helper). */
static int __ashmem_open()
{
    pthread_mutex_lock(&__ashmem_lock);
    const int fd = __ashmem_open_locked();
    pthread_mutex_unlock(&__ashmem_lock);

    return fd;
}
207
/* Make sure the file descriptor references ashmem: returns 0 if it does,
 * negative (errno set) if not -- or aborts instead when `fatal` is set. */
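/*
 * __ashmem_is_ashmem - check whether `fd` refers to the ashmem device.
 *
 * Returns 0 when fd is a character device whose rdev matches the ashmem
 * device's; otherwise -1 with errno set (fstat's errno, the device-open errno
 * if the identity could not be learned, or ENOTTY for a wrong-type fd). When
 * `fatal` is non-zero a mismatch aborts the process instead of returning.
 *
 * Fixes vs. the previous version: the inner device fd no longer shadows the
 * `fd` parameter, and the "expected" mode printed in the fatal message was
 * built with S_IRGRP twice (0664); it now spells out the 0666 the device node
 * is expected to carry.
 */
static int __ashmem_is_ashmem(int fd, int fatal)
{
    struct stat st;
    if (fstat(fd, &st) < 0) {
        return -1;
    }

    dev_t rdev = 0; /* Too much complexity to sniff __ashmem_rdev */
    if (S_ISCHR(st.st_mode) && st.st_rdev) {
        pthread_mutex_lock(&__ashmem_lock);
        rdev = __ashmem_rdev;
        if (!rdev) {
            /* Identity not learned yet: open the device once, under the lock,
             * purely to have __ashmem_open_locked() record its rdev. */
            int dev_fd = __ashmem_open_locked();
            if (dev_fd < 0) {
                pthread_mutex_unlock(&__ashmem_lock);
                return -1;
            }
            rdev = __ashmem_rdev;
            pthread_mutex_unlock(&__ashmem_lock);
            close(dev_fd);
        } else {
            pthread_mutex_unlock(&__ashmem_lock);
        }

        if (st.st_rdev == rdev) {
            return 0;
        }
    }

    if (fatal) {
        /* 0666: world read/write character device (S_IWOTH, not a repeated S_IRGRP). */
        const mode_t expected_mode =
                S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
        if (rdev) {
            LOG_ALWAYS_FATAL("illegal fd=%d mode=0%o rdev=%u:%u expected 0%o %u:%u",
                             fd, st.st_mode, major(st.st_rdev), minor(st.st_rdev),
                             expected_mode, major(rdev), minor(rdev));
        } else {
            LOG_ALWAYS_FATAL("illegal fd=%d mode=0%o rdev=%u:%u expected 0%o",
                             fd, st.st_mode, major(st.st_rdev), minor(st.st_rdev),
                             expected_mode);
        }
        /* NOTREACHED */
    }

    errno = ENOTTY;
    return -1;
}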
258
/* Post-process an ashmem ioctl result. ENOTTY is what a non-ashmem fd yields
 * for every ashmem ioctl, so on that failure the fd's identity is re-checked
 * fatally: a caller that fed us a foreign fd aborts here rather than getting
 * a confusing error. Any other result is passed through untouched. */
static int __ashmem_check_failure(int fd, int result)
{
    const bool looks_like_foreign_fd = (result == -1) && (errno == ENOTTY);
    if (looks_like_foreign_fd) {
        __ashmem_is_ashmem(fd, /*fatal=*/1);
    }
    return result;
}
264
/* On a memfd-enabled device, report whether a caller nevertheless handed us a
 * real ashmem fd (created outside libcutils). Logs a one-time complaint the
 * first time that happens; the flag is a plain static and is not synchronised,
 * so concurrent first calls may log more than once. */
static bool memfd_is_ashmem(int fd) {
    static bool fd_check_error_once = false;

    const bool is_ashmem = (__ashmem_is_ashmem(fd, 0) == 0);
    if (!is_ashmem) {
        return false;
    }

    if (!fd_check_error_once) {
        ALOGE("memfd: memfd expected but ashmem fd used - please use libcutils.\n");
        fd_check_error_once = true;
    }
    return true;
}
279
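/*
 * ashmem_valid - returns non-zero if `fd` refers to a shared-memory region
 * this library understands (an ashmem device fd, or a memfd on memfd-enabled
 * devices), 0 otherwise.
 *
 * Fix: on the memfd path the previous code returned 1 for *anything* that was
 * not an ashmem character device -- memfd_is_ashmem() answers false for a
 * closed/bogus fd (fstat fails), a socket, a pipe or a regular file, so all of
 * those were reported "valid". Callers that gate mmap() of a received fd on
 * this check got no assurance at all. A memfd is a regular file that supports
 * sealing, so require at least that much: F_GET_SEALS fails (EINVAL) on files
 * whose filesystem has no seal support.
 */
int ashmem_valid(int fd)
{
    if (has_memfd_support() && !memfd_is_ashmem(fd)) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && fcntl(fd, F_GET_SEALS) != -1) {
            return 1;
        }
        /* Not memfd-like: fall through to the ashmem identity check, which
         * rejects it too (and keeps the ashmem-only behaviour for the corner
         * case where the device identity could not be learned). */
    }

    return __ashmem_is_ashmem(fd, 0) >= 0;
}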
288
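/*
 * memfd_create_region - memfd-backed implementation of ashmem_create_region().
 *
 * Creates a sealable memfd named `name`, sizes it to `size` bytes and seals
 * GROW|SHRINK so the region is fixed-size like an ashmem region. Returns the
 * fd, or -1 with errno set to the failing call's errno (previously errno could
 * be disturbed by the log call and by the unique_fd destructor's close()).
 *
 * Fixes: `%zd` for a size_t is the signed specifier; `%zu` is used now. The
 * success message under debug_log was logged at error level; it is debug.
 *
 * NOTE(review): unlike the ashmem path, which truncates `name` to
 * ASHMEM_NAME_LEN, memfd_create rejects over-long names with EINVAL -- so a
 * name that works on ashmem devices can fail here. Confirm the kernel's limit
 * before relying on long names.
 */
static int memfd_create_region(const char* name, size_t size) {
    // This code needs to build on old API levels, so we can't use the libc
    // wrapper.
    android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING));

    if (fd == -1) {
        const int saved_errno = errno;
        ALOGE("memfd_create(%s, %zu) failed: %s\n", name, size, strerror(saved_errno));
        errno = saved_errno;
        return -1;
    }

    if (ftruncate(fd, size) == -1) {
        const int saved_errno = errno;
        ALOGE("ftruncate(%s, %zu) failed for memfd creation: %s\n", name, size,
              strerror(saved_errno));
        fd.reset();  // close now, so the destructor cannot disturb errno after we set it
        errno = saved_errno;
        return -1;
    }

    // forbid size changes to match ashmem behaviour
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_GROW | F_SEAL_SHRINK) == -1) {
        const int saved_errno = errno;
        ALOGE("memfd_create(%s, %zu) F_ADD_SEALS failed: %s", name, size, strerror(saved_errno));
        fd.reset();
        errno = saved_errno;
        return -1;
    }

    if (debug_log) {
        ALOGD("memfd_create(%s, %zu) success. fd=%d\n", name, size, fd.get());
    }
    return fd.release();
}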
315
/*
 * ashmem_create_region - creates a new shared-memory region and returns the
 * file descriptor, or <0 on error. On devices where has_memfd_support() holds
 * the region is a sealed memfd rather than an ashmem device fd.
 *
 * `name' is an optional label to give the region (visible in /proc/pid/maps);
 *        on the ashmem path it is truncated to ASHMEM_NAME_LEN - 1 characters
 * `size' is the size of the region, in page-aligned bytes
 */
int ashmem_create_region(const char *name, size_t size)
{
    if (has_memfd_support()) {
        return memfd_create_region(name ? name : "none", size);
    }

    android::base::unique_fd region(__ashmem_open());
    if (region < 0) {
        return region.get();
    }

    // On an ioctl failure the caller must see the ioctl's errno, not close()'s.
    auto fail_with = [&region](int ioctl_ret) {
        const int saved_errno = errno;
        region.reset();
        errno = saved_errno;
        return ioctl_ret;
    };

    if (name) {
        char label[ASHMEM_NAME_LEN] = {0};
        strlcpy(label, name, sizeof(label));  // silently truncates long names
        const int name_ret = TEMP_FAILURE_RETRY(ioctl(region, ASHMEM_SET_NAME, label));
        if (name_ret < 0) {
            return fail_with(name_ret);
        }
    }

    const int size_ret = TEMP_FAILURE_RETRY(ioctl(region, ASHMEM_SET_SIZE, size));
    if (size_ret < 0) {
        return fail_with(size_ret);
    }

    return region.release();
}
359
/* memfd counterpart of ASHMEM_SET_PROT_MASK. Asking for a writable region is
 * only allowed while the fd has not yet been sealed read-only (EINVAL, like
 * ashmem, otherwise); asking for a non-writable one seals F_SEAL_FUTURE_WRITE
 * and F_SEAL_SEAL so no later writable opens/mappings or further seal changes
 * are possible. Returns 0 on success, -1 with errno set on failure.
 * NOTE(review): as the seal name says this governs *future* operations; a
 * mapping that was already writable before the call is presumably unaffected
 * -- confirm against the kernel semantics before relying on it to freeze
 * content a peer may still have mapped. */
static int memfd_set_prot_region(int fd, int prot) {
    const int seals = fcntl(fd, F_GET_SEALS);
    if (seals == -1) {
        ALOGE("memfd_set_prot_region(%d, %d): F_GET_SEALS failed: %s\n", fd, prot, strerror(errno));
        return -1;
    }

    const bool wants_write = (prot & PROT_WRITE) != 0;
    const bool already_read_only = (seals & F_SEAL_FUTURE_WRITE) != 0;

    if (wants_write) {
        if (already_read_only) {
            ALOGE("memfd_set_prot_region(%d, %d): region is write protected\n", fd, prot);
            errno = EINVAL; // inline with ashmem error code, if already in
                            // read-only mode
            return -1;
        }
        return 0;
    }

    /* We would only allow read-only for any future file operations */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE | F_SEAL_SEAL) == -1) {
        ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE | F_SEAL_SEAL seal failed: %s\n",
              fd, prot, strerror(errno));
        return -1;
    }

    return 0;
}
389
/* Restrict the protections future mappings of `fd` may use. Routes to the
 * memfd implementation on memfd-enabled devices (unless the fd turns out to be
 * a real ashmem fd), otherwise issues ASHMEM_SET_PROT_MASK. Returns 0 on
 * success, -1 with errno set on failure; a foreign fd aborts via
 * __ashmem_check_failure(). */
int ashmem_set_prot_region(int fd, int prot)
{
    const bool use_memfd = has_memfd_support() && !memfd_is_ashmem(fd);
    if (use_memfd) {
        return memfd_set_prot_region(fd, prot);
    }

    const int ret = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_PROT_MASK, prot));
    return __ashmem_check_failure(fd, ret);
}
398
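/*
 * ashmem_pin_region - pin [offset, offset+len) of an ashmem region so the
 * kernel will not purge it. Deprecated; a no-op returning 0 on the memfd path.
 * Returns the ioctl result (0 / ASHMEM_* status) on the ashmem path, or -1
 * with errno set.
 *
 * Fix: the kernel ABI (struct ashmem_pin) carries offset and len as 32-bit
 * values. The previous static_casts silently truncated larger LP64 values, so
 * a too-large request pinned some *other* range instead of failing. Such
 * values are now rejected with EINVAL, which is also what the kernel returns
 * for a range outside the region.
 *
 * NOTE(review): the deprecation-warning guard below tests
 * `!pin_deprecation_warn`, and the flag is initialised to true, so the warning
 * only fires when debug_log is set; kept as-is pending confirmation of intent.
 */
int ashmem_pin_region(int fd, size_t offset, size_t len)
{
    if (!pin_deprecation_warn || debug_log) {
        ALOGE("Pinning is deprecated since Android Q. Please use trim or other methods.\n");
        pin_deprecation_warn = true;
    }

    if (has_memfd_support() && !memfd_is_ashmem(fd)) {
        return 0;
    }

    const uint32_t offset32 = static_cast<uint32_t>(offset);
    const uint32_t len32 = static_cast<uint32_t>(len);
    if (offset32 != offset || len32 != len) {
        // Would be truncated on the way into the kernel: refuse rather than
        // pin the wrong range.
        errno = EINVAL;
        return -1;
    }

    ashmem_pin pin = { offset32, len32 };
    return __ashmem_check_failure(fd, TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_PIN, &pin)));
}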
414
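/*
 * ashmem_unpin_region - allow the kernel to purge [offset, offset+len) of an
 * ashmem region. Deprecated; a no-op returning 0 on the memfd path. Returns
 * the ioctl result on the ashmem path, or -1 with errno set.
 *
 * Fix: struct ashmem_pin carries offset and len as 32-bit values, and the
 * previous static_casts silently truncated larger LP64 values -- for unpin
 * that means releasing a range the caller did not ask to release. Such values
 * are now rejected with EINVAL, matching the kernel's answer for an
 * out-of-region range.
 *
 * NOTE(review): the deprecation-warning guard below tests
 * `!pin_deprecation_warn`, and the flag is initialised to true, so the warning
 * only fires when debug_log is set; kept as-is pending confirmation of intent.
 */
int ashmem_unpin_region(int fd, size_t offset, size_t len)
{
    if (!pin_deprecation_warn || debug_log) {
        ALOGE("Pinning is deprecated since Android Q. Please use trim or other methods.\n");
        pin_deprecation_warn = true;
    }

    if (has_memfd_support() && !memfd_is_ashmem(fd)) {
        return 0;
    }

    const uint32_t offset32 = static_cast<uint32_t>(offset);
    const uint32_t len32 = static_cast<uint32_t>(len);
    if (offset32 != offset || len32 != len) {
        // Would be truncated on the way into the kernel: refuse rather than
        // unpin the wrong range.
        errno = EINVAL;
        return -1;
    }

    ashmem_pin pin = { offset32, len32 };
    return __ashmem_check_failure(fd, TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_UNPIN, &pin)));
}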
430
/* Size of the region behind `fd`, in bytes, or -1 with errno set. On the
 * memfd path this is fstat()'s st_size; on the ashmem path it is the value
 * ASHMEM_GET_SIZE reports. Either way the result is narrowed to int, so
 * regions of 2 GiB or more cannot be represented here.
 * NOTE(review): for a memfd that was not created by memfd_create_region()
 * (no GROW/SHRINK seals) the size is not fixed, so a value read here can be
 * stale by the time the caller maps the region -- presumably callers should
 * check the seals themselves; verify against the receiving side. */
int ashmem_get_size_region(int fd)
{
    const bool use_memfd = has_memfd_support() && !memfd_is_ashmem(fd);
    if (!use_memfd) {
        return __ashmem_check_failure(fd, TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_GET_SIZE, NULL)));
    }

    struct stat sb;
    if (fstat(fd, &sb) == -1) {
        ALOGE("ashmem_get_size_region(%d): fstat failed: %s\n", fd, strerror(errno));
        return -1;
    }

    if (debug_log) {
        ALOGD("ashmem_get_size_region(%d): %d\n", fd, static_cast<int>(sb.st_size));
    }

    return sb.st_size;
}
450