Merge "CE: Functional test for Display::postFramebuffer"
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index 14ed73d..c2e1204 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -1173,6 +1173,11 @@
return nullptr;
}
int fd = resource->data[0];
+ if (!ashmem_valid(fd)) {
+ ALOGE("Supplied Ashmem memory region is invalid");
+ return nullptr;
+ }
+
int size2 = ashmem_get_size_region(fd);
// check size consistency
if (size2 < static_cast<int64_t>(size)) {
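Review bot: The new `ashmem_valid(fd)` guard has no comment saying what it protects against, and the `ALOGE` text carries no value to triage with. A comment such as `// Reject descriptors that are not ashmem regions before ashmem_get_size_region() is called on them (e.g. a handle of another buffer type passed as SHARED_MEMORY).` would record the intent. Logging the descriptor, `ALOGE("Supplied Ashmem memory region is invalid, fd=%d", fd);`, would make a rejection easier to correlate. Whether `resource->numFds` is checked before `resource->data[0]` is read cannot be seen from here, since the enclosing function starts and ends outside the hunk, so confirm the earlier guard covers it.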
diff --git a/services/sensorservice/tests/sensorservicetest.cpp b/services/sensorservice/tests/sensorservicetest.cpp
index 1cb0489..caf7f03 100644
--- a/services/sensorservice/tests/sensorservicetest.cpp
+++ b/services/sensorservice/tests/sensorservicetest.cpp
@@ -15,19 +15,20 @@
*/
#include <inttypes.h>
+#include <android/hardware_buffer.h>
#include <android/sensor.h>
#include <sensor/Sensor.h>
#include <sensor/SensorManager.h>
#include <sensor/SensorEventQueue.h>
#include <utils/Looper.h>
+#include <vndk/hardware_buffer.h>
using namespace android;
static nsecs_t sStartTime = 0;
-int receiver(__unused int fd, __unused int events, void* data)
-{
+int receiver(__unused int fd, __unused int events, void* data) {
sp<SensorEventQueue> q((SensorEventQueue*)data);
ssize_t n;
ASensorEvent buffer[8];
@@ -59,11 +60,42 @@
return 1;
}
+void testInvalidSharedMem_NoCrash(SensorManager &mgr) {
+ AHardwareBuffer *hardwareBuffer;
+ char* buffer;
-int main()
-{
+ constexpr size_t kEventSize = sizeof(ASensorEvent);
+ constexpr size_t kNEvent = 4096; // enough to contain 1.5 * 800 * 2.2 events
+ constexpr size_t kMemSize = kEventSize * kNEvent;
+ AHardwareBuffer_Desc desc = {
+ .width = static_cast<uint32_t>(kMemSize),
+ .height = 1,
+ .layers = 1,
+ .format = AHARDWAREBUFFER_FORMAT_BLOB,
+ .usage = AHARDWAREBUFFER_USAGE_SENSOR_DIRECT_DATA
+ | AHARDWAREBUFFER_USAGE_CPU_READ_OFTEN,
+ };
+
+ AHardwareBuffer_allocate(&desc, &hardwareBuffer);
+ AHardwareBuffer_lock(hardwareBuffer, AHARDWAREBUFFER_USAGE_CPU_READ_RARELY,
+ -1, nullptr, reinterpret_cast<void **>(&buffer));
+
+ const native_handle_t *resourceHandle = AHardwareBuffer_getNativeHandle(hardwareBuffer);
+
+ // Pass in AHardwareBuffer, but with the wrong DIRECT_CHANNEL_TYPE to see
+ // if anything in the Sensor framework crashes
+ int ret = mgr.createDirectChannel(
+ kMemSize, ASENSOR_DIRECT_CHANNEL_TYPE_SHARED_MEMORY, resourceHandle);
+
+ // Should print -22 (BAD_VALUE) and the device runtime shouldn't restart
+ printf("createInvalidDirectChannel=%d\n", ret);
+}
+
+int main() {
SensorManager& mgr = SensorManager::getInstanceForPackage(String16("Sensor Service Test"));
+ testInvalidSharedMem_NoCrash(mgr);
+
Sensor const* const* list;
ssize_t count = mgr.getSensorList(&list);
printf("numSensors=%d\n", int(count));
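Review bot: `testInvalidSharedMem_NoCrash` ignores the results of `AHardwareBuffer_allocate` and `AHardwareBuffer_lock`, so after a failed allocation the uninitialized `hardwareBuffer` is still passed to `AHardwareBuffer_lock` and `AHardwareBuffer_getNativeHandle`. The test could then crash in the client before the service path is exercised. The buffer is also never unlocked or released. The outcome is only printed, so a regression that returns something other than BAD_VALUE goes unnoticed unless someone reads the output. The sketch below checks both calls, compares `ret` with `BAD_VALUE` and frees the buffer.

```cpp
void testInvalidSharedMem_NoCrash(SensorManager &mgr) {
    AHardwareBuffer *hardwareBuffer = nullptr;
    char* buffer = nullptr;

    // … unchanged: kEventSize / kNEvent / kMemSize and the AHardwareBuffer_Desc …

    if (AHardwareBuffer_allocate(&desc, &hardwareBuffer) != 0) {
        printf("AHardwareBuffer_allocate failed\n");
        return;
    }
    if (AHardwareBuffer_lock(hardwareBuffer, AHARDWAREBUFFER_USAGE_CPU_READ_RARELY,
                             -1, nullptr, reinterpret_cast<void **>(&buffer)) != 0) {
        printf("AHardwareBuffer_lock failed\n");
        AHardwareBuffer_release(hardwareBuffer);
        return;
    }

    // … unchanged: AHardwareBuffer_getNativeHandle and mgr.createDirectChannel …

    printf("createInvalidDirectChannel=%d\n", ret);
    if (ret != BAD_VALUE) {
        printf("FAIL: expected BAD_VALUE (%d)\n", BAD_VALUE);
    }

    AHardwareBuffer_unlock(hardwareBuffer, nullptr);
    AHardwareBuffer_release(hardwareBuffer);
}
```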
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 0a2e071..27947db 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -3129,7 +3129,13 @@
listenerCallbacks.insert(listener);
}
- sp<Layer> layer(fromHandle(s.surface));
+ sp<Layer> layer = nullptr;
+ if (s.surface) {
+ layer = fromHandle(s.surface);
+ } else {
+ // The client may provide us a null handle. Treat it as if the layer was removed.
+ ALOGW("Attempt to set client state with a null layer handle");
+ }
if (layer == nullptr) {
for (auto& [listener, callbackIds] : s.listeners) {
mTransactionCompletedThread.registerUnpresentedCallbackHandle(
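Review bot: The `ALOGW` in the new `else` branch fires on input the client controls and records nothing about which client sent it, so a misbehaving client can fill the log with identical lines that cannot be attributed. If a caller identity is in scope here, include it, for example `ALOGW("Attempt to set client state with a null layer handle (pid=%d)", callingPid);`, where `callingPid` is a placeholder for whatever this function actually has available. Also consider rate-limiting the message or lowering its level. Only the null case is handled here; what `fromHandle` does with a non-null handle that is not one of SurfaceFlinger's own layer handles is outside the hunk and worth confirming. The enclosing function starts and ends outside the hunk.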