audioflinger: Pass pid of process creating track or opening record
AudioFlinger allocates a Client heap for each unique pid.
If two applications use mediaplayer APIs, the same Client heap
is reused as the pid used is not the application pid but that
of mediaserver. With this change, the pid of the application
pid is used to decide the heap to be used.
Bug: 23525542
Bug: 28772898
Change-Id: I31a695b0b321eff6e2aca80c3bc4aeb3e1cd9ac7
diff --git a/include/media/IAudioFlinger.h b/include/media/IAudioFlinger.h
index 1ade4ba..984bc02 100644
--- a/include/media/IAudioFlinger.h
+++ b/include/media/IAudioFlinger.h
@@ -73,6 +73,7 @@
// reference and will release it when the track is destroyed.
// However on failure, the client is responsible for release.
audio_io_handle_t output,
+ pid_t pid,
pid_t tid, // -1 means unused, otherwise must be valid non-0
audio_session_t *sessionId,
int clientUid,
@@ -89,6 +90,7 @@
const String16& callingPackage,
size_t *pFrameCount,
track_flags_t *flags,
+ pid_t pid,
pid_t tid, // -1 means unused, otherwise must be valid non-0
int clientUid,
audio_session_t *sessionId,
diff --git a/media/libmedia/AudioRecord.cpp b/media/libmedia/AudioRecord.cpp
index 2976a5c..343bf1a 100644
--- a/media/libmedia/AudioRecord.cpp
+++ b/media/libmedia/AudioRecord.cpp
@@ -615,6 +615,7 @@
opPackageName,
&temp,
&trackFlags,
+ mClientPid,
tid,
mClientUid,
&mSessionId,
diff --git a/media/libmedia/AudioTrack.cpp b/media/libmedia/AudioTrack.cpp
index 22a5acd..f206f5c 100644
--- a/media/libmedia/AudioTrack.cpp
+++ b/media/libmedia/AudioTrack.cpp
@@ -1401,6 +1401,7 @@
&trackFlags,
mSharedBuffer,
output,
+ mClientPid,
tid,
&mSessionId,
mClientUid,
diff --git a/media/libmedia/IAudioFlinger.cpp b/media/libmedia/IAudioFlinger.cpp
index aa75188..92e65e4 100644
--- a/media/libmedia/IAudioFlinger.cpp
+++ b/media/libmedia/IAudioFlinger.cpp
@@ -104,6 +104,7 @@
track_flags_t *flags,
const sp<IMemory>& sharedBuffer,
audio_io_handle_t output,
+ pid_t pid,
pid_t tid,
audio_session_t *sessionId,
int clientUid,
@@ -128,6 +129,7 @@
data.writeInt32(false);
}
data.writeInt32((int32_t) output);
+ data.writeInt32((int32_t) pid);
data.writeInt32((int32_t) tid);
audio_session_t lSessionId = AUDIO_SESSION_ALLOCATE;
if (sessionId != NULL) {
@@ -179,6 +181,7 @@
const String16& opPackageName,
size_t *pFrameCount,
track_flags_t *flags,
+ pid_t pid,
pid_t tid,
int clientUid,
audio_session_t *sessionId,
@@ -199,6 +202,7 @@
data.writeInt64(frameCount);
track_flags_t lFlags = flags != NULL ? *flags : (track_flags_t) TRACK_DEFAULT;
data.writeInt32(lFlags);
+ data.writeInt32((int32_t) pid);
data.writeInt32((int32_t) tid);
data.writeInt32((int32_t) clientUid);
audio_session_t lSessionId = AUDIO_SESSION_ALLOCATE;
@@ -950,6 +954,7 @@
buffer = interface_cast<IMemory>(data.readStrongBinder());
}
audio_io_handle_t output = (audio_io_handle_t) data.readInt32();
+ pid_t pid = (pid_t) data.readInt32();
pid_t tid = (pid_t) data.readInt32();
audio_session_t sessionId = (audio_session_t) data.readInt32();
int clientUid = data.readInt32();
@@ -962,7 +967,7 @@
} else {
track = createTrack(
(audio_stream_type_t) streamType, sampleRate, format,
- channelMask, &frameCount, &flags, buffer, output, tid,
+ channelMask, &frameCount, &flags, buffer, output, pid, tid,
&sessionId, clientUid, &status);
LOG_ALWAYS_FATAL_IF((track != 0) != (status == NO_ERROR));
}
@@ -982,6 +987,7 @@
const String16& opPackageName = data.readString16();
size_t frameCount = data.readInt64();
track_flags_t flags = (track_flags_t) data.readInt32();
+ pid_t pid = (pid_t) data.readInt32();
pid_t tid = (pid_t) data.readInt32();
int clientUid = data.readInt32();
audio_session_t sessionId = (audio_session_t) data.readInt32();
@@ -990,8 +996,9 @@
sp<IMemory> buffers;
status_t status = NO_ERROR;
sp<IAudioRecord> record = openRecord(input,
- sampleRate, format, channelMask, opPackageName, &frameCount, &flags, tid,
- clientUid, &sessionId, ¬ificationFrames, cblk, buffers, &status);
+ sampleRate, format, channelMask, opPackageName, &frameCount, &flags,
+ pid, tid, clientUid, &sessionId, ¬ificationFrames, cblk, buffers,
+ &status);
LOG_ALWAYS_FATAL_IF((record != 0) != (status == NO_ERROR));
reply->writeInt64(frameCount);
reply->writeInt32(flags);
diff --git a/services/audioflinger/AudioFlinger.cpp b/services/audioflinger/AudioFlinger.cpp
index 2b0d4c8..0e61e76 100644
--- a/services/audioflinger/AudioFlinger.cpp
+++ b/services/audioflinger/AudioFlinger.cpp
@@ -571,6 +571,7 @@
IAudioFlinger::track_flags_t *flags,
const sp<IMemory>& sharedBuffer,
audio_io_handle_t output,
+ pid_t pid,
pid_t tid,
audio_session_t *sessionId,
int clientUid,
@@ -582,6 +583,15 @@
status_t lStatus;
audio_session_t lSessionId;
+ const uid_t callingUid = IPCThreadState::self()->getCallingUid();
+ if (pid == -1 || !isTrustedCallingUid(callingUid)) {
+ const pid_t callingPid = IPCThreadState::self()->getCallingPid();
+ ALOGW_IF(pid != -1 && pid != callingPid,
+ "%s uid %d pid %d tried to pass itself off as pid %d",
+ __func__, callingUid, callingPid, pid);
+ pid = callingPid;
+ }
+
// client AudioTrack::set already implements AUDIO_STREAM_DEFAULT => AUDIO_STREAM_MUSIC,
// but if someone uses binder directly they could bypass that and cause us to crash
if (uint32_t(streamType) >= AUDIO_STREAM_CNT) {
@@ -626,7 +636,6 @@
goto Exit;
}
- pid_t pid = IPCThreadState::self()->getCallingPid();
client = registerPid(pid);
PlaybackThread *effectThread = NULL;
@@ -1447,6 +1456,7 @@
const String16& opPackageName,
size_t *frameCount,
IAudioFlinger::track_flags_t *flags,
+ pid_t pid,
pid_t tid,
int clientUid,
audio_session_t *sessionId,
@@ -1464,11 +1474,21 @@
cblk.clear();
buffers.clear();
+ bool updatePid = (pid == -1);
const uid_t callingUid = IPCThreadState::self()->getCallingUid();
if (!isTrustedCallingUid(callingUid)) {
ALOGW_IF((uid_t)clientUid != callingUid,
"%s uid %d tried to pass itself off as %d", __FUNCTION__, callingUid, clientUid);
clientUid = callingUid;
+ updatePid = true;
+ }
+
+ if (updatePid) {
+ const pid_t callingPid = IPCThreadState::self()->getCallingPid();
+ ALOGW_IF(pid != -1 && pid != callingPid,
+ "%s uid %d pid %d tried to pass itself off as pid %d",
+ __func__, callingUid, callingPid, pid);
+ pid = callingPid;
}
// check calling permissions
@@ -1508,7 +1528,6 @@
goto Exit;
}
- pid_t pid = IPCThreadState::self()->getCallingPid();
client = registerPid(pid);
if (sessionId != NULL && *sessionId != AUDIO_SESSION_ALLOCATE) {
diff --git a/services/audioflinger/AudioFlinger.h b/services/audioflinger/AudioFlinger.h
index 96d38d0..59ad688 100644
--- a/services/audioflinger/AudioFlinger.h
+++ b/services/audioflinger/AudioFlinger.h
@@ -107,6 +107,7 @@
IAudioFlinger::track_flags_t *flags,
const sp<IMemory>& sharedBuffer,
audio_io_handle_t output,
+ pid_t pid,
pid_t tid,
audio_session_t *sessionId,
int clientUid,
@@ -120,6 +121,7 @@
const String16& opPackageName,
size_t *pFrameCount,
IAudioFlinger::track_flags_t *flags,
+ pid_t pid,
pid_t tid,
int clientUid,
audio_session_t *sessionId,