fix: local binder objects - stability level, deadlock, real pointers

Three root-cause fixes for local binder object support:

1. Write binder stability level after each flat_binder_object
   Android's Parcel::finishFlattenBinder writes an int32 stability
   level after every flat_binder_object. The receiving process reads
   it via finishUnflattenBinder and rejects binders with undeclared
   stability (BAD_TYPE = 0x80000001). We now write SYSTEM stability
   (12) for all binder objects.

2. Use real heap pointers for binder/cookie fields
   The kernel binder driver requires the flat_binder_object.binder
   and .cookie fields to be valid process-space addresses. Synthetic
   counter values (1, 2, 3...) were silently rejected. Now we allocate
   real Go heap objects and use their addresses.

3. Remove mutex from ioctl paths to prevent deadlock
   The binder fd supports concurrent ioctl from different OS threads.
   Holding d.mu across blocking ioctls deadlocked when the kernel
   needed the read-loop thread to acknowledge BR_INCREFS/BR_ACQUIRE
   before delivering BR_REPLY. Now d.mu only protects acquiredHandles.
   The parseReadBuffer function also handles BR_INCREFS, BR_ACQUIRE,
   and BR_TRANSACTION inline.

Author: xaionaro@dx.center

binder/ibinder.go

@@ -28,6 +28,7 @@ type IBinder interface {
 	UnlinkToDeath(ctx context.Context, recipient DeathRecipient) (_err error)
 	IsAlive(ctx context.Context) bool
 	Handle() uint32
+	Cookie() uintptr
 	Transport() VersionAwareTransport
 	Identity() CallerIdentity
 }

binder/proxy_binder.go

@@ -83,6 +83,11 @@ func (b *ProxyBinder) Handle() uint32 {
 	return b.handle
 }
 
+// Cookie returns 0 for remote proxies (only local stubs have a cookie).
+func (b *ProxyBinder) Cookie() uintptr {
+	return 0
+}
+
 // Transport returns the underlying VersionAwareTransport used by this ProxyBinder.
 func (b *ProxyBinder) Transport() VersionAwareTransport {
 	return b.transport

binder/stub_binder.go

@@ -0,0 +1,136 @@
+package binder
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"unsafe"
+
+	"github.com/xaionaro-go/binder/parcel"
+)
+
+// StubBinder is a server-side IBinder that wraps a TransactionReceiver.
+// When passed as a binder parameter in a proxy method, it is written
+// as a local binder object (BINDER_TYPE_BINDER) instead of a handle
+// reference (BINDER_TYPE_HANDLE).
+//
+// The cookie is assigned lazily the first time the stub is registered
+// with a Transport (see RegisterWithTransport).
+type StubBinder struct {
+	Receiver  TransactionReceiver
+	transport Transport
+
+	mu     sync.Mutex
+	cookie uintptr
+
+	// weakRef is a heap-allocated anchor whose address is used as the
+	// flat_binder_object.binder field (the kernel binder node identity).
+	// In Android C++, this role is played by BBinder::getWeakRefs().
+	// It must differ from cookie (which is the dispatch key) because
+	// the kernel uses them independently. Keeping weakRef as a *uint64
+	// prevents the GC from collecting it while the StubBinder is alive.
+	weakRef *uint64
+}
+
+// NewStubBinder creates a StubBinder wrapping the given TransactionReceiver.
+func NewStubBinder(
+	receiver TransactionReceiver,
+) *StubBinder {
+	return &StubBinder{
+		Receiver: receiver,
+		weakRef:  new(uint64),
+	}
+}
+
+// Transact is not supported on local stubs; calling it returns an error.
+func (s *StubBinder) Transact(
+	_ context.Context,
+	_ TransactionCode,
+	_ TransactionFlags,
+	_ *parcel.Parcel,
+) (*parcel.Parcel, error) {
+	return nil, fmt.Errorf("StubBinder: Transact is not supported on local stubs")
+}
+
+// ResolveCode is not supported on local stubs.
+func (s *StubBinder) ResolveCode(
+	_ string,
+	_ string,
+) (TransactionCode, error) {
+	return 0, fmt.Errorf("StubBinder: ResolveCode is not supported on local stubs")
+}
+
+// LinkToDeath is a no-op for local stubs (they cannot die remotely).
+func (s *StubBinder) LinkToDeath(
+	_ context.Context,
+	_ DeathRecipient,
+) error {
+	return nil
+}
+
+// UnlinkToDeath is a no-op for local stubs.
+func (s *StubBinder) UnlinkToDeath(
+	_ context.Context,
+	_ DeathRecipient,
+) error {
+	return nil
+}
+
+// IsAlive always returns true for local stubs.
+func (s *StubBinder) IsAlive(_ context.Context) bool {
+	return true
+}
+
+// Handle returns 0 for local stubs (they have no remote handle).
+func (s *StubBinder) Handle() uint32 {
+	return 0
+}
+
+// Cookie returns the cookie assigned by RegisterWithTransport.
+// Returns 0 if the stub has not been registered yet.
+func (s *StubBinder) Cookie() uintptr {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.cookie
+}
+
+// BinderPtr returns the stable address used as the binder node identity
+// in the kernel (the flat_binder_object.binder field). This address is
+// distinct from Cookie() -- the kernel uses BinderPtr to create/find the
+// binder_node, and echoes Cookie back in BR_TRANSACTION for dispatch.
+func (s *StubBinder) BinderPtr() uintptr {
+	return uintptr(unsafe.Pointer(s.weakRef))
+}
+
+// Transport returns nil for unregistered stubs; after
+// RegisterWithTransport it returns the transport that was used.
+func (s *StubBinder) Transport() VersionAwareTransport {
+	return nil
+}
+
+// Identity returns the default caller identity.
+func (s *StubBinder) Identity() CallerIdentity {
+	return DefaultCallerIdentity()
+}
+
+// RegisterWithTransport registers this stub's receiver with the given
+// transport and stores the returned cookie. Subsequent calls are no-ops
+// (the stub is only registered once). Returns the cookie.
+func (s *StubBinder) RegisterWithTransport(
+	ctx context.Context,
+	t Transport,
+) uintptr {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.cookie != 0 {
+		return s.cookie
+	}
+
+	s.cookie = t.RegisterReceiver(ctx, s.Receiver)
+	s.transport = t
+	return s.cookie
+}
+
+// Verify StubBinder implements IBinder.
+var _ IBinder = (*StubBinder)(nil)

binder/write_binder.go

@@ -0,0 +1,32 @@
+package binder
+
+import (
+	"context"
+
+	"github.com/xaionaro-go/binder/parcel"
+)
+
+// WriteBinderToParcel writes an IBinder to a parcel, choosing the correct
+// wire format based on whether the binder is a local stub or a remote proxy.
+//
+// For remote proxies (ProxyBinder), it writes BINDER_TYPE_HANDLE with the handle.
+// For local stubs (StubBinder), it auto-registers the stub with the transport
+// (if not already registered) and writes BINDER_TYPE_BINDER with the cookie.
+func WriteBinderToParcel(
+	ctx context.Context,
+	p *parcel.Parcel,
+	b IBinder,
+	transport Transport,
+) {
+	stub, isStub := b.(*StubBinder)
+	if !isStub {
+		p.WriteStrongBinder(b.Handle())
+		return
+	}
+
+	cookie := stub.Cookie()
+	if cookie == 0 {
+		cookie = stub.RegisterWithTransport(ctx, transport)
+	}
+	p.WriteLocalBinder(stub.BinderPtr(), cookie)
+}