fix: handle TF_STATUS_CODE, prevent mutex deadlock, fix binder token writing

xaionaro@dx.center · xaionaro@dx.center · commit 9516580d4bc5 · 2026-03-16T00:40:12.000Z
Bug 3: In BR_REPLY handling, check the TF_STATUS_CODE flag (0x08).
When set, the 4-byte reply data is a kernel status_t error code,
not a regular parcel. Added tfStatusCode constant to protocol.go.

Bug 4: Transact() held d.mu for the entire transaction (send + wait
for reply). The read loop also needs d.mu to acknowledge
BR_INCREFS/BR_ACQUIRE callbacks. If the server sends callbacks
before replying, this causes deadlock. Fixed by extracting
lockedIoctl() and scoping the mutex to individual ioctl calls.

Bug 2: IBinder fields in generated parcelable MarshalParcel would
panic on nil Token (calling .Handle() on nil). Added nil guards
that write null binder objects. Also fixed codegen to generate
these guards for all IBinder/interface parcelable fields.

Bug 1: AttributionSourceState uses @utf8InCpp String fields but
codegen wrote UTF-16 (WriteString16). Fixed by merging field-level
annotations into TypeSpecifier before marshal lookup, so @utf8InCpp
is visible to marshalForType. Manually patched attributionsourcestate.go
to use WriteString/ReadString (will be regenerated correctly now).
diff --git a/android/content/attributionsourcestate.go b/android/content/attributionsourcestate.go
diff --git a/kernelbinder/driver.go b/kernelbinder/driver.go
@@ -186,9 +186,6 @@ func (d *Driver) Transact(
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
 
-	d.mu.Lock()
-	defer d.mu.Unlock()
-
 	dataBytes := data.Data()
 	objects := data.Objects()
 
@@ -232,29 +229,17 @@ func (d *Driver) Transact(
 		readBuffer:  uint64(uintptr(unsafe.Pointer(&readBuf[0]))),
 	}
 
-	for {
-		_, _, errno := unix.Syscall(
-			unix.SYS_IOCTL,
-			uintptr(d.fd),
-			binderWriteReadIoctl,
-			uintptr(unsafe.Pointer(&bwr)),
-		)
-		switch errno {
-		case 0:
-			// Success — proceed to parse.
-		case unix.EINTR:
-			// Retry on interrupted system call.
-			// Reset write buffer (already consumed) but keep read buffer.
-			bwr.writeSize = 0
-			continue
-		default:
-			return nil, &aidlerrors.BinderError{Op: "ioctl(BINDER_WRITE_READ)", Err: errno}
-		}
-		break
+	// Lock only around each individual ioctl call, not across the entire
+	// transaction. Holding the mutex during a blocking read-wait would
+	// prevent the read loop from acknowledging BR_INCREFS/BR_ACQUIRE
+	// callbacks, causing deadlock when the kernel expects acknowledgment
+	// before sending BR_REPLY.
+	if err := d.lockedIoctl(&bwr); err != nil {
+		return nil, err
 	}
 
 	// Parse the read buffer for BR codes. The kernel may split
-	// BR_TRANSACTION_COMPLETE and BR_REPLY across separate ioctl reads —
+	// BR_TRANSACTION_COMPLETE and BR_REPLY across separate ioctl reads --
 	// if we got TC but no reply yet, read again to wait for BR_REPLY.
 	isOneway := flags&binder.FlagOneway != 0
 	for {
@@ -269,27 +254,14 @@ func (d *Driver) Transact(
 			return reply, nil
 		}
 
-		// BR_TRANSACTION_COMPLETE without BR_REPLY — the service hasn't
+		// BR_TRANSACTION_COMPLETE without BR_REPLY -- the service hasn't
 		// responded yet. Issue a read-only ioctl to wait for BR_REPLY.
 		logger.Debugf(ctx, "Transact: got BR_TRANSACTION_COMPLETE without BR_REPLY, reading again")
 		bwr.writeSize = 0
 		bwr.writeConsumed = 0
 		bwr.readConsumed = 0
-		for {
-			_, _, errno := unix.Syscall(
-				unix.SYS_IOCTL,
-				uintptr(d.fd),
-				binderWriteReadIoctl,
-				uintptr(unsafe.Pointer(&bwr)),
-			)
-			switch errno {
-			case 0:
-			case unix.EINTR:
-				continue
-			default:
-				return nil, &aidlerrors.BinderError{Op: "ioctl(BINDER_WRITE_READ/read)", Err: errno}
-			}
-			break
+		if err := d.lockedIoctl(&bwr); err != nil {
+			return nil, err
 		}
 	}
 }
@@ -343,15 +315,35 @@ func (d *Driver) parseReadBuffer(
 			// Copy data from the mmap'd region into a new parcel.
 			replyData := d.copyFromMapped(txn.dataBuffer, txn.dataSize)
 
+			// When the kernel sets TF_STATUS_CODE, the 4-byte data is a
+			// status_t error code, not a regular parcel response.
+			if txn.flags&tfStatusCode != 0 {
+				d.mu.Lock()
+				freeErr := d.freeBuffer(ctx, txn.dataBuffer)
+				d.mu.Unlock()
+				if freeErr != nil {
+					logger.Warnf(ctx, "failed to free binder buffer: %v", freeErr)
+				}
+				if len(replyData) >= 4 {
+					statusCode := int32(binary.LittleEndian.Uint32(replyData))
+					if statusCode != 0 {
+						return nil, true, fmt.Errorf("binder: kernel status error: %d (0x%x)", statusCode, uint32(statusCode))
+					}
+				}
+				return parcel.New(), true, nil
+			}
+
 			// Acquire references for any binder handles in the reply
 			// BEFORE freeing the buffer, otherwise the kernel drops
 			// the handle references.
+			d.mu.Lock()
 			d.acquireReplyHandles(ctx, replyData, txn.offsetsBuffer, txn.offsetsSize)
 
 			// Free the mmap'd buffer.
 			if err := d.freeBuffer(ctx, txn.dataBuffer); err != nil {
 				logger.Warnf(ctx, "failed to free binder buffer: %v", err)
 			}
+			d.mu.Unlock()
 
 			return parcel.FromBytes(replyData), true, nil
 
@@ -573,6 +565,35 @@ func (d *Driver) writeCommand(
 	}
 }
 
+// lockedIoctl executes a BINDER_WRITE_READ ioctl while holding d.mu,
+// retrying on EINTR.
+func (d *Driver) lockedIoctl(
+	bwr *binderWriteRead,
+) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	for {
+		_, _, errno := unix.Syscall(
+			unix.SYS_IOCTL,
+			uintptr(d.fd),
+			binderWriteReadIoctl,
+			uintptr(unsafe.Pointer(bwr)),
+		)
+		switch errno {
+		case 0:
+			return nil
+		case unix.EINTR:
+			// Retry on interrupted system call.
+			// Reset write buffer (already consumed) but keep read buffer.
+			bwr.writeSize = 0
+			continue
+		default:
+			return &aidlerrors.BinderError{Op: "ioctl(BINDER_WRITE_READ)", Err: errno}
+		}
+	}
+}
+
 // copyStructToBytes copies a struct's raw memory into a byte slice.
 func copyStructToBytes(
 	dst []byte,
diff --git a/kernelbinder/protocol.go b/kernelbinder/protocol.go
@@ -33,6 +33,10 @@ const binderPtrCookieSize = 2 * unsafe.Sizeof(uintptr(0)) // = 16 on 64-bit
 // __attribute__((packed)), so there is NO alignment padding between fields.
 const binderHandleCookieSize = unsafe.Sizeof(uint32(0)) + unsafe.Sizeof(uintptr(0)) // = 12 on 64-bit
 
+// tfStatusCode is TF_STATUS_CODE (0x08). When the kernel sets this flag on a
+// BR_REPLY, the 4-byte data payload is a status_t error code, not a regular parcel.
+const tfStatusCode = uint32(0x08)
+
 // Binder return (BR) codes -- read from the driver.
 var (
 	brError               = uint32(ior('r', 0, unsafe.Sizeof(int32(0))))
diff --git a/tools/pkg/codegen/parcelable_gen.go b/tools/pkg/codegen/parcelable_gen.go
@@ -73,6 +73,22 @@ func GenerateParcelable(
 	return f.Bytes()
 }
 
+// fieldTypeWithAnnotations returns a TypeSpecifier that includes both the
+// field-level and type-level annotations. In AIDL, annotations like
+// @utf8InCpp and @nullable are placed before the type in field declarations
+// but the parser attaches them to the FieldDecl, not the TypeSpecifier.
+// Merging them ensures marshalForType sees annotations like @utf8InCpp.
+func fieldTypeWithAnnotations(
+	field *parser.FieldDecl,
+) *parser.TypeSpecifier {
+	if len(field.Annots) == 0 {
+		return field.Type
+	}
+	merged := *field.Type
+	merged.Annots = append(append([]*parser.Annotation(nil), field.Annots...), field.Type.Annots...)
+	return &merged
+}
+
 // hasBinderField returns true if any field requires the binder import
 // (either an AIDL interface type or the IBinder primitive type).
 func hasBinderField(
@@ -137,31 +153,50 @@ func writeMarshalParcel(
 	for _, field := range fields {
 		goFieldName := AIDLToGoName(field.FieldName)
 		fieldAccess := "s." + goFieldName
+		// Merge field-level annotations (e.g. @utf8InCpp) into the type
+		// so marshalForType sees them when choosing the write method.
+		fieldType := fieldTypeWithAnnotations(field)
 
-		if field.Type.IsArray || field.Type.Name == "List" {
-			writeArrayFieldToParcel(f, field.Type, fieldAccess, "p", opts, typeRef)
+		if fieldType.IsArray || fieldType.Name == "List" {
+			writeArrayFieldToParcel(f, fieldType, fieldAccess, "p", opts, typeRef)
 			continue
 		}
 
-		if field.Type.Name == "Map" {
-			writeMapFieldToParcel(f, field.Type, fieldAccess, "p", opts, typeRef)
+		if fieldType.Name == "Map" {
+			writeMapFieldToParcel(f, fieldType, fieldAccess, "p", opts, typeRef)
 			continue
 		}
 
-		info := marshalForTypeWithCycleCheck(field.Type, opts, typeRef)
+		info := marshalForTypeWithCycleCheck(fieldType, opts, typeRef)
 		if info.WriteExpr == "" {
 			continue
 		}
 
-		writeExpr := fmt.Sprintf(info.WriteExpr, fieldAccess)
-		writeExpr = strings.ReplaceAll(writeExpr, "_data", "p")
-
-		if strings.Contains(info.WriteExpr, ".MarshalParcel") {
-			writeExpr = fmt.Sprintf("%s.MarshalParcel(p)", fieldAccess)
+		// IBinder/interface fields need a nil guard: write a null binder
+		// object when nil, otherwise use WriteStrongBinder with the handle.
+		// MarshalParcel does not have ctx/transport, so WriteBinderToParcel
+		// cannot be used here; local StubBinders must be pre-registered.
+		switch {
+		case info.IsIBinder:
+			f.P("\tif %s == nil {", fieldAccess)
+			f.P("\t\tp.WriteNullStrongBinder()")
+			f.P("\t} else {")
+			f.P("\t\tp.WriteStrongBinder(%s.Handle())", fieldAccess)
+			f.P("\t}")
+		case info.IsInterface:
+			f.P("\tif %s == nil {", fieldAccess)
+			f.P("\t\tp.WriteNullStrongBinder()")
+			f.P("\t} else {")
+			f.P("\t\tp.WriteStrongBinder(%s.AsBinder().Handle())", fieldAccess)
+			f.P("\t}")
+		case strings.Contains(info.WriteExpr, ".MarshalParcel"):
+			writeExpr := fmt.Sprintf("%s.MarshalParcel(p)", fieldAccess)
 			f.P("\tif _err := %s; _err != nil {", writeExpr)
 			f.P("\t\treturn _err")
 			f.P("\t}")
-		} else {
+		default:
+			writeExpr := fmt.Sprintf(info.WriteExpr, fieldAccess)
+			writeExpr = strings.ReplaceAll(writeExpr, "_data", "p")
 			f.P("\t%s", writeExpr)
 		}
 	}
@@ -227,19 +262,22 @@ func writeUnmarshalParcel(
 	arrayIdx := 0
 	for _, field := range fields {
 		goFieldName := AIDLToGoName(field.FieldName)
+		// Merge field-level annotations (e.g. @utf8InCpp) into the type
+		// so marshalForType sees them when choosing the read method.
+		fieldType := fieldTypeWithAnnotations(field)
 
-		if field.Type.IsArray || field.Type.Name == "List" {
-			readArrayFieldFromParcel(f, field.Type, "s."+goFieldName, "p", arrayIdx, opts, typeRef)
+		if fieldType.IsArray || fieldType.Name == "List" {
+			readArrayFieldFromParcel(f, fieldType, "s."+goFieldName, "p", arrayIdx, opts, typeRef)
 			arrayIdx++
 			continue
 		}
 
-		if field.Type.Name == "Map" {
-			readMapFieldFromParcel(f, field.Type, "s."+goFieldName, "p", opts, typeRef)
+		if fieldType.Name == "Map" {
+			readMapFieldFromParcel(f, fieldType, "s."+goFieldName, "p", opts, typeRef)
 			continue
 		}
 
-		info := marshalForTypeWithCycleCheck(field.Type, opts, typeRef)
+		info := marshalForTypeWithCycleCheck(fieldType, opts, typeRef)
 		if info.ReadExpr == "" {
 			continue
 		}
