Merge "Crash if too many open files"
diff --git a/cmds/lshal/ListCommand.cpp b/cmds/lshal/ListCommand.cpp
index ad7e4c4..a7ccf64 100644
--- a/cmds/lshal/ListCommand.cpp
+++ b/cmds/lshal/ListCommand.cpp
@@ -163,11 +163,11 @@
 VintfInfo getVintfInfo(const std::shared_ptr<const ObjectType>& object,
                        const FqInstance& fqInstance, vintf::TransportArch ta, VintfInfo value) {
     bool found = false;
-    (void)object->forEachInstanceOfVersion(fqInstance.getPackage(), fqInstance.getVersion(),
-                                           [&](const auto& instance) {
-                                               found = match(instance, fqInstance, ta);
-                                               return !found; // continue if not found
-                                           });
+    (void)object->forEachHidlInstanceOfVersion(fqInstance.getPackage(), fqInstance.getVersion(),
+                                               [&](const auto& instance) {
+                                                   found = match(instance, fqInstance, ta);
+                                                   return !found; // continue if not found
+                                               });
     return found ? value : VINTF_INFO_EMPTY;
 }
 
@@ -453,7 +453,7 @@
     }
 
     bool found = false;
-    (void)manifest->forEachInstanceOfVersion(package, version, [&found](const auto&) {
+    (void)manifest->forEachHidlInstanceOfVersion(package, version, [&found](const auto&) {
         found = true;
         return false; // break
     });
@@ -797,9 +797,9 @@
 
         std::map<std::string, TableEntry> entries;
 
-        manifest->forEachInstance([&] (const vintf::ManifestInstance& manifestInstance) {
+        manifest->forEachHidlInstance([&] (const vintf::ManifestInstance& manifestInstance) {
             TableEntry entry{
-                .interfaceName = manifestInstance.getFqInstance().string(),
+                .interfaceName = manifestInstance.description(),
                 .transport = manifestInstance.transport(),
                 .arch = manifestInstance.arch(),
                 // TODO(b/71555570): Device manifest does not distinguish HALs from vendor or ODM.
diff --git a/libs/binder/IMemory.cpp b/libs/binder/IMemory.cpp
index caf2318..a7662e9 100644
--- a/libs/binder/IMemory.cpp
+++ b/libs/binder/IMemory.cpp
@@ -149,7 +149,7 @@
     return static_cast<char*>(base) + offset;
 }
 
-void* IMemory::pointer() const {
+void* IMemory::unsecurePointer() const {
     ssize_t offset;
     sp<IMemoryHeap> heap = getMemory(&offset);
     void* const base = heap!=nullptr ? heap->base() : MAP_FAILED;
@@ -158,6 +158,8 @@
     return static_cast<char*>(base) + offset;
 }
 
+void* IMemory::pointer() const { return unsecurePointer(); }
+
 size_t IMemory::size() const {
     size_t size;
     getMemory(nullptr, &size);
diff --git a/libs/binder/include/binder/IMemory.h b/libs/binder/include/binder/IMemory.h
index 071946f..8791741 100644
--- a/libs/binder/include/binder/IMemory.h
+++ b/libs/binder/include/binder/IMemory.h
@@ -77,10 +77,33 @@
     virtual sp<IMemoryHeap> getMemory(ssize_t* offset=nullptr, size_t* size=nullptr) const = 0;
 
     // helpers
-    void* fastPointer(const sp<IBinder>& heap, ssize_t offset) const;
-    void* pointer() const;
+
+    // Accessing the underlying pointer must be done with caution, as there are
+    // some inherent security risks associated with it. When receiving an
+    // IMemory from an untrusted process, there is currently no way to guarantee
+    // that this process would't change the content after the fact. This may
+    // lead to TOC/TOU class of security bugs. In most cases, when performance
+    // is not an issue, the recommended practice is to immediately copy the
+    // buffer upon reception, then work with the copy, e.g.:
+    //
+    // std::string private_copy(mem.size(), '\0');
+    // memcpy(private_copy.data(), mem.unsecurePointer(), mem.size());
+    //
+    // In cases where performance is an issue, this matter must be addressed on
+    // an ad-hoc basis.
+    void* unsecurePointer() const;
+
     size_t size() const;
     ssize_t offset() const;
+
+private:
+    // These are now deprecated and are left here for backward-compatibility
+    // with prebuilts that may reference these symbol at runtime.
+    // Instead, new code should use unsecurePointer()/unsecureFastPointer(),
+    // which do the same thing, but make it more obvious that there are some
+    // security-related pitfalls associated with them.
+    void* pointer() const;
+    void* fastPointer(const sp<IBinder>& heap, ssize_t offset) const;
 };
 
 class BnMemory : public BnInterface<IMemory>
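Review bot: The copy example in the new comment above `unsecurePointer()` hands the returned pointer straight to `memcpy` and reads `size()` twice, so it shows neither a failure check nor a single length read. The definition in IMemory.cpp uses `MAP_FAILED` as the base when the heap is null, and the lines that handle it are outside the visible hunks, so callers should treat the result as possibly null. I would write the example as `const size_t n = mem.size(); const void* p = mem.unsecurePointer(); if (p != nullptr) { std::string private_copy(static_cast<const char*>(p), n); }`, so the allocation and the copy use the same length. The comment in the private section also refers to `unsecureFastPointer()`, which this hunk does not declare; either declare it or drop the reference. Wording fixes while here: `would't` should be `wouldn't`, `TOC/TOU` should be `TOCTOU`, and `these symbol` should be `these symbols`.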
diff --git a/libs/binder/tests/Android.bp b/libs/binder/tests/Android.bp
index bc457ce..f25e954 100644
--- a/libs/binder/tests/Android.bp
+++ b/libs/binder/tests/Android.bp
@@ -70,6 +70,7 @@
         "libutils",
     ],
     test_suites: ["device-tests"],
+    require_root: true,
 }
 
 cc_test {
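Review bot: `require_root: true` is added to this test module, and again in the hunk at -136,6 +137,7, with no comment saying which operation needs root. Running the whole test binary as root may also let a test that should fail a permission check pass unnoticed, so the reason is worth recording next to the flag. I would add a line such as `// Needs root: <operation that requires it>` above each `require_root` entry. If only a few cases need root, consider moving them into their own module so the rest keep running unprivileged.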
@@ -136,6 +137,7 @@
         "libutils",
     ],
     test_suites: ["device-tests"],
+    require_root: true,
 }
 
 aidl_interface {
diff --git a/libs/vr/libvrflinger/display_service.cpp b/libs/vr/libvrflinger/display_service.cpp
index 5a9360c..582fed3 100644
--- a/libs/vr/libvrflinger/display_service.cpp
+++ b/libs/vr/libvrflinger/display_service.cpp
@@ -18,6 +18,8 @@
 #include <private/dvr/trusted_uids.h>
 #include <private/dvr/types.h>
 
+#include "DisplayHardware/DisplayIdentification.h"
+
 using android::dvr::display::DisplayProtocol;
 using android::pdx::Channel;
 using android::pdx::ErrorStatus;
@@ -44,19 +46,6 @@
            Endpoint::Create(display::DisplayProtocol::kClientPath)) {
     hardware_composer_.Initialize(
         hidl, primary_display_id, request_display_callback);
-
-    uint8_t port;
-    const auto error = hidl->getDisplayIdentificationData(
-        primary_display_id, &display_identification_port_,
-        &display_identification_data_);
-    if (error != android::hardware::graphics::composer::V2_1::Error::NONE) {
-      if (error !=
-          android::hardware::graphics::composer::V2_1::Error::UNSUPPORTED) {
-        ALOGI("DisplayService: identification data error\n");
-      } else {
-        ALOGI("DisplayService: identification data unsupported\n");
-      }
-    }
 }
 
 bool DisplayService::IsInitialized() const {
@@ -212,6 +201,7 @@
 pdx::Status<std::string> DisplayService::OnGetConfigurationData(
     pdx::Message& /*message*/, display::ConfigFileType config_type) {
   std::string property_name;
+  DisplayIdentificationData display_identification_data;
   switch (config_type) {
     case display::ConfigFileType::kLensMetrics:
       property_name = kDvrLensMetricsProperty;
@@ -223,11 +213,13 @@
       property_name = kDvrDeviceConfigProperty;
       break;
     case display::ConfigFileType::kDeviceEdid:
-      if (display_identification_data_.size() == 0) {
+      display_identification_data =
+          hardware_composer_.GetCurrentDisplayIdentificationData();
+      if (display_identification_data.size() == 0) {
         return ErrorStatus(ENOENT);
       }
-      return std::string(display_identification_data_.begin(),
-                         display_identification_data_.end());
+      return std::string(display_identification_data.begin(),
+                         display_identification_data.end());
     default:
       return ErrorStatus(EINVAL);
   }
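Review bot: `display_identification_data` is default-constructed at the top of `OnGetConfigurationData` (previous hunk) for every config type, then copy-assigned only in the `kDeviceEdid` case. Scoping it to that case keeps the copy where it is used and lets it be `const`: open the case with `case display::ConfigFileType::kDeviceEdid: {`, declare `const auto edid = hardware_composer_.GetCurrentDisplayIdentificationData();`, and close the brace after the `return`. The rest of the switch and the function body are outside this hunk.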
@@ -246,7 +238,7 @@
 
 pdx::Status<uint8_t> DisplayService::OnGetDisplayIdentificationPort(
     pdx::Message& /*message*/) {
-  return display_identification_port_;
+  return hardware_composer_.GetCurrentDisplayPort();
 }
 
 // Creates a new DisplaySurface and associates it with this channel. This may
diff --git a/libs/vr/libvrflinger/display_service.h b/libs/vr/libvrflinger/display_service.h
index 06ba566..89f1eae 100644
--- a/libs/vr/libvrflinger/display_service.h
+++ b/libs/vr/libvrflinger/display_service.h
@@ -18,8 +18,6 @@
 #include "epoll_event_dispatcher.h"
 #include "hardware_composer.h"
 
-#include "DisplayHardware/DisplayIdentification.h"
-
 namespace android {
 namespace dvr {
 
@@ -120,9 +118,6 @@
 
   DisplayService(const DisplayService&) = delete;
   void operator=(const DisplayService&) = delete;
-
-  DisplayIdentificationData display_identification_data_;
-  uint8_t display_identification_port_;
 };
 
 }  // namespace dvr
diff --git a/libs/vr/libvrflinger/hardware_composer.cpp b/libs/vr/libvrflinger/hardware_composer.cpp
index 9072d89..67607af 100644
--- a/libs/vr/libvrflinger/hardware_composer.cpp
+++ b/libs/vr/libvrflinger/hardware_composer.cpp
@@ -137,6 +137,20 @@
   composer_callback_->SetVsyncService(nullptr);
 }
 
+void HardwareComposer::UpdateEdidData(Hwc2::Composer* composer,
+                                      hwc2_display_t hw_id) {
+  const auto error = composer->getDisplayIdentificationData(
+      hw_id, &display_port_, &display_identification_data_);
+  if (error != android::hardware::graphics::composer::V2_1::Error::NONE) {
+    if (error !=
+        android::hardware::graphics::composer::V2_1::Error::UNSUPPORTED) {
+      ALOGI("hardware_composer: identification data error\n");
+    } else {
+      ALOGI("hardware_composer: identification data unsupported\n");
+    }
+  }
+}
+
 bool HardwareComposer::Initialize(
     Hwc2::Composer* composer, hwc2_display_t primary_display_id,
     RequestDisplayCallback request_display_callback) {
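Review bot: When `getDisplayIdentificationData` fails in `UpdateEdidData`, the function only logs and leaves `display_port_` and `display_identification_data_` holding their previous values. The later hunk calls this on a display switch. As far as the visible code shows, a failure for the new target display would keep serving the previous display's EDID and port through `GetCurrentDisplayIdentificationData()` and `GetCurrentDisplayPort()`. Resetting the cache in the error branch avoids that, e.g. `display_identification_data_ = {}; display_port_ = 0;` (this assumes the data type is a standard container, which its `size()`/`begin()`/`end()` use suggests). The non-`UNSUPPORTED` error would also be easier to find in logs at `ALOGE` than at `ALOGI`.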
@@ -164,6 +178,8 @@
       "HardwareComposer: Failed to create interrupt event fd : %s",
       strerror(errno));
 
+  UpdateEdidData(composer, primary_display_id);
+
   post_thread_ = std::thread(&HardwareComposer::PostThread, this);
 
   initialized_ = true;
@@ -988,6 +1004,9 @@
       EnableDisplay(*external_display_, false);
     }
 
+    // Update the cached edid data for the current display.
+    UpdateEdidData(composer_.get(), target_display_->id);
+
     // Turn the new target display on.
     EnableDisplay(*target_display_, true);
 
diff --git a/libs/vr/libvrflinger/hardware_composer.h b/libs/vr/libvrflinger/hardware_composer.h
index db0d6a7..989ce35 100644
--- a/libs/vr/libvrflinger/hardware_composer.h
+++ b/libs/vr/libvrflinger/hardware_composer.h
@@ -25,6 +25,7 @@
 #include <private/dvr/shared_buffer_helpers.h>
 #include <private/dvr/vsync_service.h>
 
+#include "DisplayHardware/DisplayIdentification.h"
 #include "acquired_buffer.h"
 #include "display_surface.h"
 
@@ -334,6 +335,14 @@
   int OnNewGlobalBuffer(DvrGlobalBufferKey key, IonBuffer& ion_buffer);
   void OnDeletedGlobalBuffer(DvrGlobalBufferKey key);
 
+  // Gets the edid data for the current active display (internal or external)
+  DisplayIdentificationData GetCurrentDisplayIdentificationData() {
+    return display_identification_data_;
+  }
+
+  // Gets the edid port for the current active display (internal or external)
+  uint8_t GetCurrentDisplayPort() { return display_port_; }
+
  private:
   DisplayParams GetDisplayParams(Hwc2::Composer* composer,
       hwc2_display_t display, bool is_primary);
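Review bot: The two new accessors read `display_identification_data_` and `display_port_` without a lock, while `UpdateEdidData` rewrites both during a display switch. The diff suggests, but does not show, that the switch path runs on the post thread and the accessors are called from the display service's message handlers. If so, copying the container while it is being reassigned is a data race. I would guard the cache with a mutex taken in `UpdateEdidData` and in both getters, e.g. `std::lock_guard<std::mutex> lock(edid_mutex_);` (the member name is only a suggestion), and mark both getters `const`. The class's existing locking is outside this hunk, so an existing mutex may already fit.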
@@ -544,6 +553,11 @@
   bool vsync_trace_parity_ = false;
   sp<VsyncService> vsync_service_;
 
+  // Edid section.
+  void UpdateEdidData(Hwc2::Composer* composer, hwc2_display_t hw_id);
+  DisplayIdentificationData display_identification_data_;
+  uint8_t display_port_;
+
   static constexpr int kPostThreadInterrupted = 1;
 
   HardwareComposer(const HardwareComposer&) = delete;
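Review bot: `display_port_` is declared without an initializer, unlike `vsync_trace_parity_ = false` a few lines above it. If the first `getDisplayIdentificationData` call reports an error or `UNSUPPORTED`, `GetCurrentDisplayPort()` may return an indeterminate value to the client, depending on whether the call writes its out-parameter on failure. Declaring it as `uint8_t display_port_ = 0;` removes that dependency.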
diff --git a/services/surfaceflinger/BufferQueueLayer.cpp b/services/surfaceflinger/BufferQueueLayer.cpp
index 5f79750..f2e861d 100644
--- a/services/surfaceflinger/BufferQueueLayer.cpp
+++ b/services/surfaceflinger/BufferQueueLayer.cpp
@@ -196,8 +196,9 @@
     bool sidebandStreamChanged = true;
     if (mSidebandStreamChanged.compare_exchange_strong(sidebandStreamChanged, false)) {
         // mSidebandStreamChanged was changed to false
+        mSidebandStream = mConsumer->getSidebandStream();
         auto& layerCompositionState = getCompositionLayer()->editState().frontEnd;
-        layerCompositionState.sidebandStream = mConsumer->getSidebandStream();
+        layerCompositionState.sidebandStream = mSidebandStream;
         if (layerCompositionState.sidebandStream != nullptr) {
             setTransactionFlags(eTransactionNeeded);
             mFlinger->setTransactionFlags(eTraversalNeeded);