Merge "libsnapshot: Set default cluster size to 200"
diff --git a/fs_mgr/libsnapshot/snapuserd_server.cpp b/fs_mgr/libsnapshot/snapuserd_server.cpp
index 8351155..38abaec 100644
--- a/fs_mgr/libsnapshot/snapuserd_server.cpp
+++ b/fs_mgr/libsnapshot/snapuserd_server.cpp
@@ -77,9 +77,8 @@
     JoinAllThreads();
 }
 
-const std::string& DmUserHandler::GetMiscName() const {
-    return snapuserd_->GetMiscName();
-}
+DmUserHandler::DmUserHandler(std::unique_ptr<Snapuserd>&& snapuserd)
+    : snapuserd_(std::move(snapuserd)), misc_name_(snapuserd_->GetMiscName()) {}
 
 bool SnapuserdServer::Sendmsg(android::base::borrowed_fd fd, const std::string& msg) {
     ssize_t ret = TEMP_FAILURE_RETRY(send(fd.get(), msg.data(), msg.size(), 0));
@@ -148,7 +147,7 @@
                 LOG(ERROR) << "Could not find handler: " << out[1];
                 return Sendmsg(fd, "fail");
             }
-            if ((*iter)->snapuserd()->IsAttached()) {
+            if (!(*iter)->snapuserd() || (*iter)->snapuserd()->IsAttached()) {
                 LOG(ERROR) << "Tried to re-attach control device: " << out[1];
                 return Sendmsg(fd, "fail");
             }
@@ -185,7 +184,7 @@
                 LOG(ERROR) << "Malformed delete message, " << out.size() << " parts";
                 return Sendmsg(fd, "fail");
             }
-            if (!RemoveHandler(out[1], true)) {
+            if (!RemoveAndJoinHandler(out[1])) {
                 return Sendmsg(fd, "fail");
             }
             return Sendmsg(fd, "success");
@@ -203,20 +202,38 @@
 }
 
 void SnapuserdServer::RunThread(std::shared_ptr<DmUserHandler> handler) {
-    LOG(INFO) << "Entering thread for handler: " << handler->GetMiscName();
+    LOG(INFO) << "Entering thread for handler: " << handler->misc_name();
 
     while (!StopRequested()) {
         if (!handler->snapuserd()->Run()) {
-            LOG(INFO) << "Snapuserd: Thread terminating";
             break;
         }
     }
 
-    LOG(INFO) << "Exiting thread for handler: " << handler->GetMiscName();
+    auto misc_name = handler->misc_name();
+    LOG(INFO) << "Handler thread about to exit: " << misc_name;
 
-    // If the main thread called RemoveHandler, the handler was already removed
-    // from within the lock, and calling RemoveHandler again has no effect.
-    RemoveHandler(handler->GetMiscName(), false);
+    {
+        std::lock_guard<std::mutex> lock(lock_);
+        auto iter = FindHandler(&lock, handler->misc_name());
+        if (iter == dm_users_.end()) {
+            // RemoveAndJoinHandler() already removed us from the list, and is
+            // now waiting on a join(), so just return.
+            LOG(INFO) << "Exiting handler thread to allow for join: " << misc_name;
+            return;
+        }
+
+        LOG(INFO) << "Exiting handler thread and freeing resources: " << misc_name;
+
+        if (handler->snapuserd()->IsAttached()) {
+            handler->thread().detach();
+        }
+
+        // Important: free resources within the lock. This ensures that if
+        // WaitForDelete() is called, the handler is either in the list, or
+        // it's not and its resources are guaranteed to be freed.
+        handler->FreeResources();
+    }
 }
 
 bool SnapuserdServer::Start(const std::string& socketname) {
@@ -351,7 +368,7 @@
     CHECK(!handler->snapuserd()->IsAttached());
 
     if (!handler->snapuserd()->InitBackingAndControlDevice()) {
-        LOG(ERROR) << "Failed to initialize control device: " << handler->GetMiscName();
+        LOG(ERROR) << "Failed to initialize control device: " << handler->misc_name();
         return false;
     }
 
@@ -364,14 +381,14 @@
     CHECK(proof_of_lock);
 
     for (auto iter = dm_users_.begin(); iter != dm_users_.end(); iter++) {
-        if ((*iter)->GetMiscName() == misc_name) {
+        if ((*iter)->misc_name() == misc_name) {
             return iter;
         }
     }
     return dm_users_.end();
 }
 
-bool SnapuserdServer::RemoveHandler(const std::string& misc_name, bool wait) {
+bool SnapuserdServer::RemoveAndJoinHandler(const std::string& misc_name) {
     std::shared_ptr<DmUserHandler> handler;
     {
         std::lock_guard<std::mutex> lock(lock_);
@@ -386,10 +403,8 @@
     }
 
     auto& th = handler->thread();
-    if (th.joinable() && wait) {
+    if (th.joinable()) {
         th.join();
-    } else if (handler->snapuserd()->IsAttached()) {
-        th.detach();
     }
     return true;
 }
diff --git a/fs_mgr/libsnapshot/snapuserd_server.h b/fs_mgr/libsnapshot/snapuserd_server.h
index 01e2365..7cbc2de 100644
--- a/fs_mgr/libsnapshot/snapuserd_server.h
+++ b/fs_mgr/libsnapshot/snapuserd_server.h
@@ -46,18 +46,19 @@
 };
 
 class DmUserHandler {
-  private:
-    std::thread thread_;
-    std::unique_ptr<Snapuserd> snapuserd_;
-
   public:
-    explicit DmUserHandler(std::unique_ptr<Snapuserd>&& snapuserd)
-        : snapuserd_(std::move(snapuserd)) {}
+    explicit DmUserHandler(std::unique_ptr<Snapuserd>&& snapuserd);
 
+    void FreeResources() { snapuserd_ = nullptr; }
     const std::unique_ptr<Snapuserd>& snapuserd() const { return snapuserd_; }
     std::thread& thread() { return thread_; }
 
-    const std::string& GetMiscName() const;
+    const std::string& misc_name() const { return misc_name_; }
+
+  private:
+    std::thread thread_;
+    std::unique_ptr<Snapuserd> snapuserd_;
+    std::string misc_name_;
 };
 
 class Stoppable {
@@ -71,8 +72,9 @@
 
     bool StopRequested() {
         // checks if value in future object is available
-        if (futureObj_.wait_for(std::chrono::milliseconds(0)) == std::future_status::timeout)
+        if (futureObj_.wait_for(std::chrono::milliseconds(0)) == std::future_status::timeout) {
             return false;
+        }
         return true;
     }
     // Request the thread to stop by setting value in promise object
@@ -98,7 +100,7 @@
     bool Receivemsg(android::base::borrowed_fd fd, const std::string& str);
 
     void ShutdownThreads();
-    bool RemoveHandler(const std::string& control_device, bool wait);
+    bool RemoveAndJoinHandler(const std::string& control_device);
     DaemonOperations Resolveop(std::string& input);
     std::string GetDaemonStatus();
     void Parsemsg(std::string const& msg, const char delim, std::vector<std::string>& out);
diff --git a/init/init.cpp b/init/init.cpp
index d6753f5..ca2d5da 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -878,6 +878,21 @@
     auto is_installed = android::gsi::IsGsiInstalled() ? "1" : "0";
     SetProperty(gsi::kGsiInstalledProp, is_installed);
 
+    /*
+     * For debug builds of S launching devices, init mounts debugfs for
+     * enabling vendor debug data collection setup at boot time. Init will unmount it on
+     * boot-complete after vendor code has performed the required initializations
+     * during boot. Dumpstate will then mount debugfs in order to read data
+     * from the same using the dumpstate HAL during bugreport creation.
+     * Dumpstate will also unmount debugfs after bugreport creation.
+     * first_api_level comparison is done here instead
+     * of init.rc since init.rc parser does not support >/< operators.
+     */
+    auto api_level = android::base::GetIntProperty("ro.product.first_api_level", 0);
+    bool is_debuggable = android::base::GetBoolProperty("ro.debuggable", false);
+    auto mount_debugfs = (is_debuggable && (api_level >= 31)) ? "1" : "0";
+    SetProperty("init.mount_debugfs", mount_debugfs);
+
     am.QueueBuiltinAction(SetupCgroupsAction, "SetupCgroups");
     am.QueueBuiltinAction(SetKptrRestrictAction, "SetKptrRestrict");
     am.QueueBuiltinAction(TestPerfEventSelinuxAction, "TestPerfEventSelinux");
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 4478bea..049301d 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -934,6 +934,9 @@
     write /proc/sys/vm/dirty_expire_centisecs 200
     write /proc/sys/vm/dirty_background_ratio  5
 
+on property:sys.boot_completed=1 && property:init.mount_debugfs=1
+   umount /sys/kernel/debug
+
 on boot
     # basic network init
     ifup lo
@@ -1202,6 +1205,10 @@
 on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1
   setprop sys.init.userspace_reboot.in_progress ""
 
+on early-init && property:init.mount_debugfs=1
+    mount debugfs debugfs /sys/kernel/debug
+    chmod 0755 /sys/kernel/debug
+
 # Migrate tasks again in case kernel threads are created during boot
 on property:sys.boot_completed=1
   copy_per_line /dev/cpuctl/tasks /dev/cpuctl/system/tasks
diff --git a/rootdir/ueventd.rc b/rootdir/ueventd.rc
index a1e9b12..64a64d2 100644
--- a/rootdir/ueventd.rc
+++ b/rootdir/ueventd.rc
@@ -48,6 +48,7 @@
 /dev/pmsg0                0222   root       log
 /dev/dma_heap/system      0444   system     system
 /dev/dma_heap/system-uncached      0444   system     system
+/dev/dma_heap/system-secure        0444   system     system
 
 # kms driver for drm based gpu
 /dev/dri/*                0666   root       graphics
diff --git a/trusty/confirmationui/fuzz/Android.bp b/trusty/confirmationui/fuzz/Android.bp
index 0819c21..635966f 100644
--- a/trusty/confirmationui/fuzz/Android.bp
+++ b/trusty/confirmationui/fuzz/Android.bp
@@ -16,4 +16,8 @@
     name: "trusty_confirmationui_fuzzer",
     defaults: ["trusty_fuzzer_defaults"],
     srcs: ["fuzz.cpp"],
+
+    // The initial corpus for this fuzzer was derived by dumping bytes from
+    // ConfirmationUI VTS.
+    corpus: ["corpus/*"],
 }
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2 b/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
new file mode 100644
index 0000000..53fe0c9
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f b/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f
new file mode 100644
index 0000000..d627b01
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq b/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
new file mode 100644
index 0000000..bda80fd
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO b/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3 b/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO b/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR b/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
new file mode 100644
index 0000000..f5854f8
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi b/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j b/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs b/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T b/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
new file mode 100644
index 0000000..0dc6e91
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO b/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO
new file mode 100644
index 0000000..927d64d
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B b/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-globJV b/trusty/confirmationui/fuzz/corpus/confirmationui-globJV
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-globJV
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD b/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD
new file mode 100644
index 0000000..87870ca
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o b/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o
new file mode 100644
index 0000000..0b274bf
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni b/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t b/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t
new file mode 100644
index 0000000..87870ca
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI b/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI
new file mode 100644
index 0000000..87870ca
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me b/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK b/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks b/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks
new file mode 100644
index 0000000..b4a1c49
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks
Binary files differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN b/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN
new file mode 100644
index 0000000..5adf905
--- /dev/null
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN
Binary files differ
diff --git a/trusty/confirmationui/fuzz/fuzz.cpp b/trusty/confirmationui/fuzz/fuzz.cpp
index aa132e8..9d3008b 100644
--- a/trusty/confirmationui/fuzz/fuzz.cpp
+++ b/trusty/confirmationui/fuzz/fuzz.cpp
@@ -39,6 +39,15 @@
     {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
 };
 
+/* The format of the packets is as following:
+ * 16 bits (uint16_t, header) + payload bytes
+ * The 16 bits header spicify the number of bytes of payload (header excluded).
+ */
+struct data_packet {
+    uint16_t header;
+    uint8_t payload[];
+};
+
 static CoverageRecord record(TIPC_DEV, &confirmationui_uuid);
 
 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
@@ -47,8 +56,10 @@
     return 0;
 }
 
+/* Each corpus contains one or more data packets. */
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     static uint8_t buf[TIPC_MAX_MSG_SIZE];
+    size_t data_idx = 0;
 
     ExtraCounters counters(&record);
     counters.Reset();
@@ -59,16 +70,22 @@
         android::trusty::fuzz::Abort();
     }
 
-    /* Write message to confirmationui server */
-    ret = ta.Write(data, size);
-    if (!ret.ok()) {
-        return -1;
-    }
+    while (data_idx < size) {
+        struct data_packet* data_packet_ptr = (struct data_packet*)&data[data_idx];
+        size_t payload_size = data_packet_ptr->header;
+        data_idx += data_packet_ptr->header + sizeof(data_packet_ptr->header);
 
-    /* Read message from confirmationui server */
-    ret = ta.Read(&buf, sizeof(buf));
-    if (!ret.ok()) {
-        return -1;
+        /* Write message to confirmationui server */
+        ret = ta.Write(data_packet_ptr->payload, payload_size);
+        if (!ret.ok()) {
+            return -1;
+        }
+
+        /* Read message from confirmationui server */
+        ret = ta.Read(&buf, sizeof(buf));
+        if (!ret.ok()) {
+            return -1;
+        }
     }
 
     return 0;