[re_kernel] binder 被冻结时不再有动作

lzghzr · Jun 21, 2024 · 9e3ace7 · 9e3ace7
1 parent 4554f50
commit 9e3ace7
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 4 deletions.
diff --git a/re_kernel/README.md b/re_kernel/README.md
@@ -4,7 +4,10 @@
 
 ## 更新记录
 ### 6.0.5
-变更 binder_proc->context 的搜索条件，变更 task_struct->jobctl 获取方式，移除 frozen()
+变更 binder_proc->context 的搜索条件<br />
+变更 task_struct->jobctl 获取方式<br />
+移除 frozen()<br />
+binder 被冻结时不再有动作
 ### 6.0.4
 再次扩大 binder_proc->alloc 的搜索范围
 ### 6.0.3

diff --git a/re_kernel/re_kernel.c b/re_kernel/re_kernel.c
@@ -117,7 +117,7 @@ int kfunc_def(get_cmdline)(struct task_struct* task, char* buffer, int buflen);
 
 // 最好初始化一个大于 0xffffffff 的值, 否则编译器优化后, 全局变量可能出错
 static uint64_t task_struct_jobctl_offset = UZERO, task_struct_pid_offset = UZERO, task_struct_group_leader_offset = UZERO,
-binder_proc_alloc_offset = UZERO, binder_proc_context_offset = UZERO, binder_proc_inner_lock_offset = UZERO, binder_proc_outer_lock_offset = UZERO,
+binder_proc_alloc_offset = UZERO, binder_proc_context_offset = UZERO, binder_proc_inner_lock_offset = UZERO, binder_proc_outer_lock_offset = UZERO, binder_proc_is_frozen = UZERO,
 binder_alloc_pid_offset = UZERO, binder_alloc_buffer_size_offset = UZERO, binder_alloc_free_async_space_offset = UZERO, binder_alloc_vma_offset = UZERO,
 // 实际上会被编译器优化为 bool
 binder_transaction_buffer_release_ver5 = UZERO, binder_transaction_buffer_release_ver4 = UZERO;
@@ -156,6 +156,15 @@ static inline void binder_inner_proc_unlock(struct binder_proc* proc) {
   spin_unlock(inner_lock);
 }
 
+// binder_is_frozen
+static inline bool binder_is_frozen(struct binder_proc* proc) {
+  bool is_frozen = false;
+  if (binder_proc_is_frozen != UZERO) {
+    is_frozen = *(bool*)((uintptr_t)proc + binder_proc_is_frozen);
+  }
+  return is_frozen;
+}
+
 // cgroupv2_freeze
 static inline bool jobctl_frozen(struct task_struct* task) {
   unsigned long jobctl = *(unsigned long*)((uintptr_t)task + task_struct_jobctl_offset);
@@ -331,6 +340,9 @@ static void binder_overflow_handler(pid_t src_pid, struct task_struct* src, pid_
 static void rekernel_binder_transaction(void* data, bool reply, struct binder_transaction* t, struct binder_node* target_node) {
   if (!t->to_proc)
     return;
+  // binder 冻结时不再传递消息
+  if (binder_is_frozen(t->to_proc))
+    return;
 
   if (reply) {
     binder_reply_handler(task_pid(current), current, t->to_proc->pid, t->to_proc->tsk, false);
@@ -398,6 +410,10 @@ static inline void binder_stats_deleted(enum binder_stat_types type) {
 static void binder_proc_transaction_before(hook_fargs3_t* args, void* udata) {
   struct binder_transaction* t = (struct binder_transaction*)args->arg0;
   struct binder_proc* proc = (struct binder_proc*)args->arg1;
+  // binder 冻结时不再清理过时消息
+  if (binder_is_frozen(proc))
+    return;
+
   // 兼容不支持 trace 的内核
   if (trace == UZERO) {
     rekernel_binder_transaction(NULL, false, t, NULL);
@@ -487,6 +503,25 @@ static long calculate_offsets() {
       binder_transaction_buffer_release_ver4 = IZERO;
     }
   }
+  // 获取 binder_proc->is_frozen, 没有就是不支持
+  uint32_t* binder_proc_transaction_src = (uint32_t*)binder_proc_transaction;
+  for (u32 i = 0; i < 0x100; i++) {
+#ifdef CONFIG_DEBUG
+    printk("re_kernel: binder_proc_transaction %x %llx\n", i, binder_proc_transaction_src[i]);
+#endif /* CONFIG_DEBUG */
+    if (binder_proc_transaction_src[i] == ARM64_RET) {
+      break;
+    } else if ((binder_proc_transaction_src[i] & MASK_MOVZ_imm16_0x7212) == INST_MOVZ_imm16_0x7212) {
+      for (u32 j = 0; j < 0x5; j++) {
+        if ((binder_proc_transaction_src[i - j] & MASK_LDRB) == INST_LDRB) {
+          uint64_t imm12 = bits32(binder_proc_transaction_src[i - j], 21, 10);
+          binder_proc_is_frozen = sign64_extend((imm12), 16u);
+          break;
+        }
+      }
+      break;
+    }
+  }
   // 获取 task_struct->jobctl
   void (*task_clear_jobctl_trapping)(struct task_struct* t);
   lookup_name(task_clear_jobctl_trapping);
@@ -685,11 +720,13 @@ binder_alloc_vma_offset);
 re_kernel: binder_proc_alloc_offset=0x%llx\n\
 re_kernel: binder_proc_context_offset=0x%llx\n\
 re_kernel: binder_proc_inner_lock_offset=0x%llx\n\
-re_kernel: binder_proc_outer_lock_offset=0x%llx\n",
+re_kernel: binder_proc_outer_lock_offset=0x%llx\n\
+re_kernel: binder_proc_is_frozen=0x%llx\n",
 binder_proc_alloc_offset,
 binder_proc_context_offset,
 binder_proc_inner_lock_offset,
-binder_proc_outer_lock_offset);
+binder_proc_outer_lock_offset,
+binder_proc_is_frozen);
   printk("\
 re_kernel: binder_transaction_buffer_release_ver5=0x%llx\n\
 re_kernel: binder_transaction_buffer_release_ver4=0x%llx\n",

diff --git a/re_kernel/re_utils.h b/re_kernel/re_utils.h
@@ -88,6 +88,9 @@ typedef uint32_t inst_mask_t;
 #define MASK_TBNZ 0x7F000000u
 #define MASK_TBNZ_5 0xFFF80000u
 
+#define INST_MOVZ_imm16_0x7212 0x528E4240u
+#define MASK_MOVZ_imm16_0x7212 0x7F9FFFE0u
+
 #define ARM64_MOV_x29_SP 0x910003FDu
 #define ARM64_RET 0xD65F03C0u