Because of lack of mutex lock when get mSidebandStream, if one thread
getSidebandStream, another thread setSidebandStream frequently, an UAF
will be triggered.
Bug: 32660278
Test: Marlin device with poc
Change-Id: Idbcf0976ce2db682d0f13455105c45a5c7481a45
(cherry picked from commit 2d8a2432e04234d9edbb3b099f9bbbaa36ad4843)
(cherry picked from commit 675e212c8c6653825cc3352c603caf2e40b00f9f)
This change allows producers to set a generation number on a
BufferQueue. This number will be embedded in any new GraphicBuffers
created in that BufferQueue, and attempts to attach buffers which have
a different generation number will fail.
It also plumbs the setGenerationNumber method through Surface, with the
additional effect that any buffers attached to the Surface after
setting a new generation number will automatically be updated with the
new number (as opposed to failing, as would happen on through IGBP).
Bug: 20923096
Change-Id: I32bf726b035f99c3e5834beaf76afb9f01adcbc2
This changes the way that SurfaceFlinger's shadow buffer management
works such that instead of tracking the size of the shadow queue in the
BufferQueue, SF tracks the last frame number it has seen, and passes
that into the acquireBuffer call. BufferQueueConsumer then ensures that
it never returns a buffer newer than that frame number, even if that
means that it must return PRESENT_LATER for an otherwise valid buffer.
Change-Id: I3fcb45f683ed660c3f18a8b85ae1f8a962ba6f0e
Clears the frame number of a slot when it is freed, since it is used
to determine if a released buffer is stale.
Bug: 20445852
Change-Id: I02415e7b25a1eafe7414d6eb1cedf62ac5543cd9
SurfaceFlinger's (Layer's) shadow copy of the BufferQueue queue was
getting out of sync for a few reasons. This change fixes these by
doing the following:
- Adds a check to re-synchronize the shadow copy every time we
successfully acquire a buffer by first dropping stale buffers before
removing the current buffer.
- Avoids trying to perform updates for buffers which have been rejected
(for incorrect dimensions) by SurfaceFlinger.
- Adds IGraphicBufferConsumer::setShadowQueueSize, which allows the
consumer to notify the BufferQueue that it is maintaining a shadow
copy of the queue and prevents it from dropping so many buffers
during acquireBuffer that it ends up returning a buffer for which the
consumer has not yet received an onFrameAvailable call.
Bug: 20096136
Change-Id: I78d0738428005fc19b3be85cc8f1db498043612f
(cherry picked from commit 2e36f2283f)
BufferQueue used to choose free buffers by scanning through its array
of slots and picking one based on timestamp. This changes that
mechanism to use a pair of free lists: one with buffers attached and
one without. This makes it easier to choose either type of free slot
depending on the needs of the current operation.
Fixes an issue with the first version of this change, found in bugs
20482952, 20443314, and 20464549.
Bug: 13175420
Change-Id: I9b6e83cfe8f9b4329a976025cb8e291d51fb6d4a
BufferQueue used to choose free buffers by scanning through its array
of slots and picking one based on timestamp. This changes that
mechanism to use a pair of free lists: one with buffers attached and
one without. This makes it easier to choose either type of free slot
depending on the needs of the current operation.
Bug: 13175420
Change-Id: Ic8398e7511bd11a60a1c82e3ad2ee271c9822be1
Removes IGraphicBufferConsumer::BufferItem. Depends on the
following changes:
I187b3a7d05196b6289596afac8fb9a9d4aebff76
I0ddd38df37500cfd6b21d1e768ed14e39c5cd9fc
Cherry-pick of Id1fa56d092188f2cb712768d5d2fc6a9027fb73c
Change-Id: I3edf0db8fba656fd78e18a5a7f1137f0fb6b237d
Currently, there are two instances of BufferItem: one inside of
IGraphicBufferConsumer, and a standalone one inside of libgui. They
only differ in the name of one of the fields, and we want to remove
the IGBC version. This changes things so that client code may be
incrementally switched over to the libgui version.
This is a squashed commit containing the following changes:
I64f495105f56cbf5803cea4aa6b072ea29b70cf5
I1394e693314429ada93427889f10b7b01c948053
I9c3bc8037fa9438d4d9080b8afb694219ef2f71f
I699ed0a6837076867ca756b28d1ffb2238f7a0d9
Iac8425e1241774304a131da2fb9dec6e82922f13
Change-Id: Ic4d51f5df6dbc70b376d13fceba2335b9bae4f3d
- Wire up new dataSpace parameter through buffer queue stack
- Update tests to include the parameter
- Switch eglApi to using dataSpace to indicate sRGB gamma/linear
difference
- Remove RAW_SENSOR in favor of RAW16
- Remove use of sRGB format enums
- Add default dataspace to buffer queue core
- Add query for default dataspace
Cherry pick of I070bd2e7c56506055c419004c29e2e3feac725df
Change-Id: I461952389c18051176c6b75e664f20ad369f5760
Enables -Weverything and -Werror, with just a few exceptions for
warnings we can't (or shouldn't need to) work around.
Cherry pick of I034abec27bf4020d84af60d7acc1939c59986dd6 plus a
couple of minor changes to CpuConsumer.cpp to make it work with a
prior change:
Uncomment CC_LOGV on line 46
Change C-style cast to static_cast on line 71
Change-Id: Iaec610477ea0122317b0578fb74caf2383d4cf08
Adds logic to dequeueBuffer that blocks if there are currently too
many buffers in the queue. This prevents unbounded growth around
times where the slots are cleared but the queue is not (e.g.,
during rapid connect/disconnect or setBufferCount activity). This
replaces the fix from ag/377958 in a more general way.
Bug: 11293214
Change-Id: Ieb7adfcd076ff7ffe3d4d369397b2c29cf5099c3
Increases NUM_BUFFER_SLOTS from 32 to 64 and changes the mask
returned by IGBC::getReleasedBuffers from 32 to 64 bits.
Bug: 13174352
Change-Id: Ie8ef0853916cfb91f83881c7241886bb1950f01a
Adds a StreamSplitter class, that takes one IGraphicBufferConsumer
interface and multiple IGraphicBufferProducer interfaces and
implements a one-to-many broadcast of GraphicBuffers (while managing
fences correctly).
Change-Id: I38ecdf3e311ac521bc781c30dde0cc382a4376a3
Sideband streams are essentially a device-specific buffer queue that
bypasses the BufferQueue system. They can be used for situations with
hard real-time requirements like high-quality TV and video playback
with A/V sync. A handle to the stream is provided by the source HAL,
and attached to a BufferQueue. The sink HAL can read buffers via the
stream handle rather than acquiring individual buffers from the
BufferQueue.
Change-Id: Ib3f262eddfc520f4bbe3d9b91753ed7dd09d3a9b
Adds detachBuffer and attachBuffer calls to both the producer and
consumer sides of BufferQueue. Buffers may be detached while dequeued
by the producer or acquired by the consumer, and when attached, enter
the dequeued and acquired states, respectively.
Bug: 13173343
Change-Id: Ic152692b0a94d99e0135b9bfa62747dab2a54220
Now that BufferQueue has been split into core + producer + consumer,
rewrite BufferQueue to be a thin layer over a producer and consumer
interface. Eventually, this layer will be deprecated in favor of
only using either the producer or consumer interface, as applicable.
Change-Id: I340ae5f5b633b244fb594615ff52ba50b9e2f7e4