Age | Commit message | Author |
|
* upstream/lineage-18.1:
aaudio: unlock when joining the timestamp thread
aaudio: prevent deadlock when stop() calls disconnect()
Change-Id: I7cb22b1c95cdc3b7a97c3b03b13a74e441fcf86b
|
|
staging/lineage-18.1_merge-android-11.0.0_r46
Android 11.0.0 Release 46 (RQ3A.211001.001)
* tag 'android-11.0.0_r46':
aaudio: unlock when joining the timestamp thread
aaudio: prevent deadlock when stop() calls disconnect()
Change-Id: I35dc0fbc07ef3e0594c11d218e35e064c7af8ffa
|
|
Change-Id: I6248937629cd8190f46503eef31a1db7c5d54510
|
|
AudioFlinger is not able to determine the correct
pid/tid for WifiDisplay and thus we do not pass checks
for CAPTURE_AUDIO_OUTPUT and RECORD_AUDIO permissions.
To fix audio for WifiDisplay, it should be safe to
always allow a trusted calling uid (AID_MEDIA which
has the same perms as AID_AUDIOSERVER).
Change-Id: Ifa46d8e77a43027645cad02a04263b58e134c3ad
|
|
In commit 3e32878 the stagefright code was restructured to fix
the logic for native handle source, but the change in the
function SurfaceMediaSource::signalBufferReturned was probably
missed.
Try to compare the media buffer handle also to the current native
buffer handle in this function when searching for correspondence.
Change-Id: I352293e525f75dde500ac8e71ee49209710030c3
Signed-off-by: DennySPb <dennyspb@gmail.com>
|
|
In function passMetadataBuffer_l, the bufferHandle(ANativeWindowBuffer) is
saved to data (VideoNativeMetadata) but in function getMediaBufferHandle it
gets the bufferHandle from (MediaBuffer*)buffer->data() + 4, which is a wrong
position. To solve this problem, we should get handle from ANativeWindowBuffer,
not from buffer->data() + 4. (If we get bufferHandle from buffer->data() + 4, the
function signalBufferReturned will print "returned buffer was not found in the
current list" error.)
Test: Running wifi display, we can see the handle could be found in buffer list.
Change-Id: I71ecf9e2bca1db67d8d6e862ac16b07e939bf521
Signed-off-by: zhangbo_a <zhangbo_a@pinecone.net>
Signed-off-by: DennySPb <dennyspb@gmail.com>
|
|
when done
* This fixes buffer flow SurfaceMediaSource -> MediaPuller -> Converter
freezing at mMediaBuffersAvailableCondition.wait(), due to this
condition never being broadcast. This was supposed to happen from within
SurfaceMediaSource::signalBufferReturned(), but this was never called.
The Converter class does feedEncoderInputBuffers(), and after the
encoder does its job, it should return the video buffer to the
SurfaceMediaSource in ACodec::BaseState::onOMXEmptyBufferDone().
* There (in ACodec class), the code for doing that used to be:
    // We're in "store-metadata-in-buffers" mode, the underlying
    // OMX component had access to data that's implicitly refcounted
    // by this "MediaBuffer" object. Now that the OMX component has
    // told us that it's done with the input buffer, we can decrement
    // the mediaBuffer's reference count.
    info->mData->setMediaBufferBase(NULL);
This means that if there was already a MediaBufferBase assigned to
this mediaBuffer, then it got released when explicitly setting it to NULL:
    void MediaCodecBuffer::setMediaBufferBase(MediaBufferBase *mediaBuffer) {
        if (mMediaBufferBase != NULL) {
            mMediaBufferBase->release();
        }
        mMediaBufferBase = mediaBuffer;
    }
Then in MediaBuffer::release(), which is a subclass of
MediaBufferBase, there is code that does
    mObserver->signalBufferReturned(this);
This should have gone on to call SurfaceMediaSource::signalBufferReturned(),
as it was setting itself as observer on the buffers sent to the video
encoder. Stay tuned to find out why the call path was broken.
* Now, after Mr. Dongwon Kang's commit
"f03606d9 Move MediaBufferXXX from foundation to libmediaextractor",
the setMediaBufferBase and getMediaBufferBase functions no longer
exist, and reference counting on MediaBuffers is different.
The direct replacement of setMediaBufferBase(mbuf) is now
meta()->setObject("mediaBufferHolder", new MediaBufferHolder(mbuf)).
The reference counting seems to now be managed through the constructor
and destructor of this new MediaBufferHolder class (the code for
release() is now in the holder's destructor). Now the issue seems to
be that the lifetime of these new MediaBufferHolders is not quite
what it should be, because their destructor never gets called, hence
the buffers never get returned.
* This might be an API problem that Mr. Dongwon Kang himself acknowledged,
since in the aforementioned patch, he forcefully called mbuf->release()
right below a comment where it clearly said that "video encoder will
release MediaBuffer when done with underlying data":
https://android.googlesource.com/platform/frameworks/av/+/f03606d9034730bea1a394e6803f9ebc36f3d2eb%5E%21/#F13
* Without addressing the root cause of the issue, in this commit we are
simply mirroring a workaround for what appears to be broken media
buffer reference counting.
Change-Id: Ie540e6dcf5536f93091ced2af2e121b71f70bb83
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: DennySPb <dennyspb@gmail.com>
|
|
* Among others, adapt to the ABuffer API changes in
"f03606d9 Move MediaBufferXXX from foundation to libmediaextractor"
Change-Id: Ie92fc035c6430f1458d45995a5b2627d0bc75122
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: DennySPb <dennyspb@gmail.com>
libstagefright_wfd: Adapt to A11 changes
Change-Id: I69f13c93a68b1ad60e085000361331a3fdc98049
Signed-off-by: DennySPb <dennyspb@gmail.com>
libstagefright: Remove libmediaextractor dependency
Change-Id: Ifb564aafcf6f9bd45010500a589050b6577c0f7a
Signed-off-by: DennySPb <dennyspb@gmail.com>
Remove libmediaextractor dependency from libstagefright_wfd
Change-Id: I3d417d2f2ce468eb9d45f55f7818bb9a46348667
Signed-off-by: DennySPb <dennyspb@gmail.com>
libstagefright_wfd: Log MediaExtractor entry point to MediaMetrics
Change-Id: Ic8fac2cd5ee4d3bb59804e69efc1d5c482aa2417
Change-Id: Ie92fc035c6430f1458d45995a5b2627d0bc75122
|
|
This imports the old foundation code in the standard platform stagefright.
The foundation variant is used in VNDK, we can't change the ABI there.
This reverts commit 5ec3d6ac0c607e89d03ba5a9499e471d8559dc7e.
Change-Id: Iebcf5d89a768fdb830bea90fbf2c2427a4c3d139
Signed-off-by: DennySPb <dennyspb@gmail.com>
Signed-off-by: Luca Stefani <luca.stefani.ge1@gmail.com>
|
|
This reverts commit d0a98fa05f0f6719b93d000c4638230af06e0b99.
Change-Id: I0554b92c290c1ebbd1a40fc2edb43573a97d4f6a
Signed-off-by: DennySPb <dennyspb@gmail.com>
|
|
This adds back the SurfaceMediaSource class, needed for WFD.
This reverts commit e885915204f252c93a072ba1a8802f5811e40b3d.
Change-Id: I3f67d01f18441e49205e2e263d20f0fb6fc91fe6
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: DennySPb <dennyspb@gmail.com>
|
|
15566999, 15567396, 15567397, 15567412, 15567413, 15567096, 15567448, 15567449, 15567097, 15567098, 15567450, 15567099, 15567398, 15567100, 15567621, 15567622, 15567468, 15567000] into rvc-qpr3-release
Change-Id: I6db9d7b6aa517253316793f5798147c29a19af02
|
|
This will prevent a deadlock in case the timestamp
thread tries to acquire the same lock.
Bug: 182852602
Bug: 153358911
Test: plug and unplug headphones while playing
Change-Id: I625d191906c7e280f3a223f476716ef17b9098ea
Merged-In: I625d191906c7e280f3a223f476716ef17b9098ea
(cherry picked from commit 5f6fda778bf35be4cd67363ca0fe40cf710364c3)
|
|
Move all calls to send the timestamp into the one timestamp thread.
There was a clear code path that could lead to a deadlock.
If the call to get the timestamp from the HAL returned
an unexpected error code then it would call disconnect().
If that happened below the call to stop() then the
deadlock would occur.
The sequence of calls was AAudioServiceStreamBase::stop()
which locked mLock,
then called AAudioServiceStreamBase::stop_l(),
which called AAudioServiceStreamBase::sendCurrentTimeStamp(),
which called AAudioServiceStreamMMAP::getFreeRunningPosition(),
which called disconnect(),
which locked mLock AGAIN.
It is not clear what would trigger the error return
from the HAL but a routing change may be involved.
The bug was discovered during stress tests and we do not
have a clear repro case.
Bug: 182852602
Bug: 153358911
Test: atest CtsNativeMediaAAudioTestCases
Change-Id: I575f75ece9b459e7412bca293d7338babe76b3a7
Merged-In: I575f75ece9b459e7412bca293d7338babe76b3a7
(cherry picked from commit 45da1b7e3231bf3475cb9ca1a2243a27355c0466)
(cherry picked from commit 9dd928e100d38c42f68c04c01f09fa8c8cb606d3)
|
|
* Some /mad/ HALs use boottime clock without reporting
timestamp source as realtime
-> Add a flag to force boottime offset calculation
[SebaUbuntu] Edit for Soong conditional
Change-Id: I56b623a1c2b58ca8a6287783d938fb665de201df
|
|
mapped yet
* By calling `getSystemCameraKind()` directly in
`broadcastTorchModeStatus()` we ensure that previous calls to
`getTorchStatusLocked` and `setTorchStatusLocked` had succeeded,
meaning that the camera device is already present in mCameraStates.
When the camera device is already mapped in mCameraStates
calls to `getSystemCameraKind()` will avoid interrogating the
CameraProviderManager, which was causing a deadlock
upon attempting to lock mInterfaceLock.
Change-Id: I2aed9d53f13859d26efe6a8ab300afab6944f5f7
|
|
staging/lineage-18.1_merge-android-11.0.0_r38
Android 11.0.0 Release 38 (RQ3A.210605.005)
* tag 'android-11.0.0_r38':
[RESTRICT AUTOMERGE]Fix CryptoPlugin use after free vulnerability.
[RESTRICT AUTOMERGE] Fix clearkey CryptoPlugin use after free vulnerability.
cameraserver: Enforce system camera rules for setTorchMode and torch callbacks.
Modify MediaRecorder stopping process to avoid blocking
C2SoftAvcEnc: Use dimensions from mSize instead of input buffer
Revert "CCodecConfig: don't dup input format"
aaudio: fix race when disconnecting
aaudio: lock transport methods
[RESTRICT AUTOMERGE] Fix possible uaf of play policy state
mediautils : TimeCheck: fix OOB access
[RESTRICT AUTOMERGE] Fix UAF in clearkey service's MemoryFileSystem
Fix UAF in clearkey service's MemoryFileSystem
Fix potential decrypt destPtr overflow.
[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow.
Prevent read of uninitialized memory
Prevent read of uninitialized memory
Prevent read of uninitialized memory
mp3dec: Changes in the fillMainDataBuf function
Rephrase to avoid integer overflow
Fix possible uaf of play policy state
Fix double free of play policy in a race condition.
Add a null check in RTSPSource::stop
Valid pitch value is required to prevent out of bound access
Fix potential decrypt src pointer overflow.
mpeg4enc: fix OOB in RasterIntraUpdate
Improve handling MediaCodec linkToDeath() resource manager
Codec2: Initialize InputSurfaceWrapper::Config structure fields
Camera: Fix deadlock in ACameraCaptureSession destructor
m4v_h263: Add check on the encode dimension
ACodec: Reduce the TWOmxNode wrapper in GraphicBufferSource
Conflicts:
drm/mediadrm/plugins/clearkey/default/include/DrmPlugin.h
Change-Id: I24a4de763f8f91baddc517491313d6ada6514c79
|
|
staging/lineage-18.1_merge-android-11.0.0_r37
Android 11.0.0 Release 37 (RQ2A.210505.003)
* tag 'android-11.0.0_r37':
Prevent read of uninitialized memory
Improve handling MediaCodec linkToDeath() resource manager
Change-Id: I611979b13a9c56bf79293dab6f129a66f0493241
|
|
The DRC parameter has been introduced by
I50fcc5ef35cb7e96592c2267652228b5fa074ba9, and is parsed by vendor.
Vendors prior to this commit are supposed to fail this request.
Anyway, assume this isn't an error, and simply ignore DRC parameters if
vendor doesn't support this.
Change-Id: I117411ad7063e24a7d01de90774d5ca1f5dc4bea
|
|
rvc-qpr3-release
Change-Id: Idbdd7dc479661b4e9c10dc414bd74a2b0941d3b7
|
|
use after free vulnerability." into qt-dev am: a791711394 am: bdd6f616f0 -s ours am: 534493a522
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13499528
Change-Id: Iff46b81afa2298dca7068e1d9cd041d36e30fc81
|
|
after free vulnerability. am: abb7ad47b0 am: 2e056f1923 -s ours am: 6fc9c6ed98
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13499528
Change-Id: I509890052f364e25d596853d9db7f45c5c5e6f18
|
|
use after free vulnerability." into qt-dev am: a791711394 am: bdd6f616f0 -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13499528
Change-Id: Ie66a1d09f6bd587d7698b77ae487e784f3d90cc4
|
|
after free vulnerability. am: abb7ad47b0 am: 2e056f1923 -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13499528
Change-Id: I1eca94fe9a0491c44bc4a5314f8d5283076fb292
|
|
vulnerability." into qt-dev am: a791711394
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13499528
Change-Id: Ib8db65b4c136ea80aa5761ab0137e96ed551e687
|
|
am: abb7ad47b0
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13499528
Change-Id: I6d702cef4ea2063a4e3d57213c8d2ec36bacd7e9
|
|
vulnerability." into qt-dev
|
|
rvc-qpr3-release
Change-Id: I3e799fefd4be4c43754add99d1ff80b6a3d5188e
|
|
79a6ffbdaf
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13808809
Change-Id: I05e0d7f0260cb4686e7333d1cf8f9afa440b23a0
|
|
staging/lineage-18.1_merge-android-11.0.0_r34
Android 11.0.0 release 34
* tag 'android-11.0.0_r34':
Fix double free of play policy in a race condition.
Fix potential decrypt src pointer overflow.
Change-Id: Ia4d094e00e6b71ce3477cf99e63c72223fe77fef
|
|
The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free SIGABRT can occur in a race condition.
SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.
The crash was reproduced on the device before the fix.
Verified the test passes after the fix.
Test: sts
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-176495665_sts64
Bug: 176495665
Bug: 176444161
Change-Id: I3bfe5c34acb41608d1250a075984ab7860076331
|
|
qt-dev am: 2a41846f89 am: 8e3741aac8 -s ours am: 9a4d85f6bd -s ours
am skip reason: skip tag Change-Id I07cc93c255942d56e866d0b08fb786f154f6e0d3 with SHA-1 e07417a9b7 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13486147
Change-Id: I61793d04496a299273a7be864a4827f252794132
|
|
qt-dev am: 2a41846f89 am: 8e3741aac8 -s ours
am skip reason: skip tag Change-Id I07cc93c255942d56e866d0b08fb786f154f6e0d3 with SHA-1 e07417a9b7 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13486147
Change-Id: Id12483ad9ae84e6aaab7c75f3652534fd3051cba
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13467358
Change-Id: Icdd26d85132711d859d328a0eb7334d7daa8dbe3
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13486147
Change-Id: Id454c425990a2a0913a1ee6dadc052fbae405482
|
|
rvc-qpr3-release
Change-Id: I904032f9a134d7e0a5de141a32cb31b3b9c393b2
|
|
callbacks." into rvc-qpr-dev
|
|
rvc-qpr3-release
Change-Id: I91d93651c7dba4e7a30847f2a3cc3b22595c1da0
|
|
service's MemoryFileSystem" into qt-dev am: 6889557362 am: b68392b02e -s ours am: 78cc122909
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13711823
Change-Id: I3abf202ad73ee4b32885930b7ff6df13deb2cdcb
|
|
MemoryFileSystem am: 9ba33b3586 -s ours am: 0a2abba43f -s ours am: a4e3bea9e4
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13711823
Change-Id: Ic56cc6361b40290199fa024f3140ba7979cd675e
|
|
service's MemoryFileSystem" into qt-dev am: 6889557362 am: b68392b02e -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13711823
Change-Id: Iceb881f3b875f5ce6c13cbe8716d3fd19ca3cde0
|
|
MemoryFileSystem am: 9ba33b3586 -s ours am: 0a2abba43f -s ours
am skip reason: subject contains skip directive
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13711823
Change-Id: Ief269862c12e11595281006f6271ebe4832e4c60
|
|
into qt-dev am: 6889557362
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13711823
Change-Id: If1e8db9435ac18678879548bd92debe6b2b21e94
|
|
MemoryFileSystem am: 9ba33b3586 -s ours
am skip reason: skipped by user edwinwong
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13711823
Change-Id: I6562f9f8829e7a565bdc54bce723984711c73c4a
|
|
00b96f0a78
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/13462731
Change-Id: Ibd2266df7dcca56ce17eaa79d774158ff48e3079
|
|
The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free SIGABRT can occur in a race condition.
SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.
The crash was reproduced on the device before the fix.
Verified the test passes after the fix.
Test: sts
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-176495665_sts64
Bug: 176495665
Bug: 176444161
Change-Id: I2094ab904a34104089f29a219596e61a7317e00b
|
|
into qt-dev
|
|
|