)]}'
{"id":"LineageOS%2Fandroid_frameworks_native~427552","triplet_id":"LineageOS%2Fandroid_frameworks_native~lineage-20.0~Ibea7117e4c85cd1e98bbd01872ce249cbb2d54bd","project":"LineageOS/android_frameworks_native","branch":"lineage-20.0","topic":"T_asb_2025-04","hashtags":[],"change_id":"Ibea7117e4c85cd1e98bbd01872ce249cbb2d54bd","subject":"Ensure objects remain valid after calling policy","status":"MERGED","created":"2025-04-16 21:43:11.000000000","updated":"2025-05-10 13:35:35.000000000","submitted":"2025-05-10 13:35:35.000000000","submitter":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"427552-T_asb_2025-04","meta_rev_id":"49dd3656e6cfcec6f6ac0544fec09608b761549d","_number":427552,"virtual_id_number":427552,"owner":{"_account_id":17656,"name":"Markus S","email":"mse1969@posteo.de","username":"mse1969","avatars":[{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"actions":{},"labels":{"Verified":{"all":[{"value":0,"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-1":"Fails"," 0":"No score","+1":"Verified"},"description":"","default_value":0},"Code-Review":{"all":[{"value":0,"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-2":"Do not submit","-1":"I would prefer that you didn\u0027t submit this"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0},"CI":{"all":[{"value":0,"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-1":"Fail"," 0":"No score","+1":"Pass"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{},"pending_reviewers":{},"reviewer_updates":[],"messages":[{"id":"ee61c32965058746b82e78be8a713d745d16363a","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":17656,"name":"Markus S","email":"mse1969@posteo.de","username":"mse1969","avatars":[{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2025-04-16 21:43:11.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"f7589018aa5ea52e72eadd3b8e6bc607479678ba","tag":"autogenerated:gerrit:setTopic","author":{"_account_id":17656,"name":"Markus S","email":"mse1969@posteo.de","username":"mse1969","avatars":[{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2025-04-16 21:43:26.000000000","message":"Topic set to T_asb_2025-04","accounts_in_message":[],"_revision_number":1},{"id":"566f8fcfad9421768c543d3ba6c7cce10a65fe80","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2025-04-18 17:40:01.000000000","message":"Uploaded patch set 2: New patch set was added with same tree, parent tree, and commit message as Patch Set 1.","accounts_in_message":[],"_revision_number":2},{"id":"49dd3656e6cfcec6f6ac0544fec09608b761549d","tag":"autogenerated:gerrit:merged","author":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2025-05-10 13:35:35.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"7bc54835419913bea9822054508fbc78dbf7ef6c","revisions":{"ceff08df2f74375ed30239df627e444e29dfd24a":{"kind":"REWORK","_number":1,"created":"2025-04-16 21:43:11.000000000","uploader":{"_account_id":17656,"name":"Markus S","email":"mse1969@posteo.de","username":"mse1969","avatars":[{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/faf0a883d71780207ed87e774bfbaff0.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/52/427552/1","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_frameworks_native","ref":"refs/changes/52/427552/1","commands":{"Branch":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/1 \u0026\u0026 git checkout -b change-427552 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/1","Reset To":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"ae25b83dbade58fe493c25b1ac81aee95f1257b0","subject":"Merge tag \u0027android-security-13.0.0_r27\u0027 into staging/lineage-20.0_android-security-13.0.0_r27","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/ae25b83dbade58fe493c25b1ac81aee95f1257b0"}]}],"author":{"name":"Siarhei Vishniakou","email":"svv@google.com","date":"2025-01-14 22:45:38.000000000","tz":0},"committer":{"name":"mse1969","email":"mse1969@posteo.de","date":"2025-04-16 13:26:00.000000000","tz":120},"subject":"Ensure objects remain valid after calling policy","message":"Ensure objects remain valid after calling policy\n\nThe function\nafterKeyEventLockedInterruptable releases the lock and calls into\npolicy. During this time, the call to \"removeInputChannel\" might come\nin. This call would cause the waitQueue to be drained. Therefore, the\ndispatchEntry that\u0027s stored in this queue would be deleted.\n\nBefore this CL, we obtained a reference to the EventEntry object before\ncalling policy. If there aren\u0027t any more strong pointers remaining to\nthe EventEntry, the object would become deleted, and the reference would\nend up pointing to freed memory.\n\nPrevious flow of events:\n- KeyEntry is allocated during setFocusedWindow call, as part of\n  \"synthesizeCancelationEvents\".\n- App calls \"finish\" on an event, and dispatcher notifies policy about\n  the unhandled key event. But dispatcher must release lock before\n  calling policy.\n- After dispatcher has released the lock, but before it called policy,\n  there is a binder call to \"removeInputChannel\" that comes in. That\n  causes the waitQueue to be drained, and deletes the DispatchEntry. If\n  the dispatch entry is the last remaining reference to the KeyEntry,\n  then the KeyEntry gets deleted, as well.\n- The dispatcher calls policy, and uses the reference to the KeyEntry\n  that it was provided. But that reference points to freed memory. This\n  causes a crash.\n\nTo deal with this, make a few changes in this CL:\n- Since the \"doDispatchCycleFinishedCommand\" is stored in queue, it\n  should have a strong pointer to the connection object, and not just\n  a reference. That means the Connection object will be valid when the\n  command actually runs (otherwise, someone might delete it)\n- Inside afterKeyEventLockedInterruptable, assume that the dispatchEntry\n  will be deleted after the lock is released. Make copies of the data\n  that we need after the lock is regained:\n  1) Add refcount for EventEntry\n  2) Store the \"hasForegroundTarget\" into a separate variable\n     (technically, it\u0027s not necessary, but it allows us to remove all\n     usages of \"dispatchEntry\" in the rest of the function.\n\nAs an alternative, we could re-look up the DispatchEntry in the\nwaitQueue after we regain the lock, but that seems more complex in terms\nof implementation / readability.\n\nBug: 343129193\nTest: atest --host inputflinger_tests\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:299fd8ed96d30b5a83f0f8476c591b457cff4acb)\nMerged-In: Ibea7117e4c85cd1e98bbd01872ce249cbb2d54bd\nChange-Id: Ibea7117e4c85cd1e98bbd01872ce249cbb2d54bd\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/ceff08df2f74375ed30239df627e444e29dfd24a"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/ceff08df2f74375ed30239df627e444e29dfd24a"}]},"branch":"refs/heads/lineage-20.0"},"574a8cc6d4001bfc9957e9128b5694694ee2f777":{"kind":"NO_CHANGE","_number":2,"created":"2025-04-18 17:40:01.000000000","uploader":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/52/427552/2","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_frameworks_native","ref":"refs/changes/52/427552/2","commands":{"Branch":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/2 \u0026\u0026 git checkout -b change-427552 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/2","Reset To":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"ae25b83dbade58fe493c25b1ac81aee95f1257b0","subject":"Merge tag \u0027android-security-13.0.0_r27\u0027 into staging/lineage-20.0_android-security-13.0.0_r27","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/ae25b83dbade58fe493c25b1ac81aee95f1257b0"}]}],"author":{"name":"Siarhei Vishniakou","email":"svv@google.com","date":"2025-01-14 22:45:38.000000000","tz":0},"committer":{"name":"Kevin F. Haggerty","email":"haggertk@lineageos.org","date":"2025-04-18 02:02:47.000000000","tz":-360},"subject":"Ensure objects remain valid after calling policy","message":"Ensure objects remain valid after calling policy\n\nThe function\nafterKeyEventLockedInterruptable releases the lock and calls into\npolicy. During this time, the call to \"removeInputChannel\" might come\nin. This call would cause the waitQueue to be drained. Therefore, the\ndispatchEntry that\u0027s stored in this queue would be deleted.\n\nBefore this CL, we obtained a reference to the EventEntry object before\ncalling policy. If there aren\u0027t any more strong pointers remaining to\nthe EventEntry, the object would become deleted, and the reference would\nend up pointing to freed memory.\n\nPrevious flow of events:\n- KeyEntry is allocated during setFocusedWindow call, as part of\n  \"synthesizeCancelationEvents\".\n- App calls \"finish\" on an event, and dispatcher notifies policy about\n  the unhandled key event. But dispatcher must release lock before\n  calling policy.\n- After dispatcher has released the lock, but before it called policy,\n  there is a binder call to \"removeInputChannel\" that comes in. That\n  causes the waitQueue to be drained, and deletes the DispatchEntry. If\n  the dispatch entry is the last remaining reference to the KeyEntry,\n  then the KeyEntry gets deleted, as well.\n- The dispatcher calls policy, and uses the reference to the KeyEntry\n  that it was provided. But that reference points to freed memory. This\n  causes a crash.\n\nTo deal with this, make a few changes in this CL:\n- Since the \"doDispatchCycleFinishedCommand\" is stored in queue, it\n  should have a strong pointer to the connection object, and not just\n  a reference. That means the Connection object will be valid when the\n  command actually runs (otherwise, someone might delete it)\n- Inside afterKeyEventLockedInterruptable, assume that the dispatchEntry\n  will be deleted after the lock is released. Make copies of the data\n  that we need after the lock is regained:\n  1) Add refcount for EventEntry\n  2) Store the \"hasForegroundTarget\" into a separate variable\n     (technically, it\u0027s not necessary, but it allows us to remove all\n     usages of \"dispatchEntry\" in the rest of the function.\n\nAs an alternative, we could re-look up the DispatchEntry in the\nwaitQueue after we regain the lock, but that seems more complex in terms\nof implementation / readability.\n\nBug: 343129193\nTest: atest --host inputflinger_tests\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:299fd8ed96d30b5a83f0f8476c591b457cff4acb)\nMerged-In: Ibea7117e4c85cd1e98bbd01872ce249cbb2d54bd\nChange-Id: Ibea7117e4c85cd1e98bbd01872ce249cbb2d54bd\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/574a8cc6d4001bfc9957e9128b5694694ee2f777"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/574a8cc6d4001bfc9957e9128b5694694ee2f777"}]},"branch":"refs/heads/lineage-20.0"},"7bc54835419913bea9822054508fbc78dbf7ef6c":{"kind":"TRIVIAL_REBASE","_number":3,"created":"2025-05-10 13:35:35.000000000","uploader":{"_account_id":15173,"name":"Kevin Haggerty","email":"haggertk@lineageos.org","username":"haggertk","avatars":[{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/258edfac858c1ce5f056ed4ca050a578.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/52/427552/3","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_frameworks_native","ref":"refs/changes/52/427552/3","commands":{"Branch":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/3 \u0026\u0026 git checkout -b change-427552 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/3","Reset To":"git fetch https://github.com/LineageOS/android_frameworks_native refs/changes/52/427552/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"690b05851b0c3c30de838ec57bc2f25c0133c224","subject":"Merge cherrypicks of [\u0027googleplex-android-review.googlesource.com/30808300\u0027] into security-aosp-tm-release.","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/690b05851b0c3c30de838ec57bc2f25c0133c224"}]}],"author":{"name":"Siarhei Vishniakou","email":"svv@google.com","date":"2025-01-14 22:45:38.000000000","tz":0},"committer":{"name":"Android Build Coastguard Worker","email":"android-build-coastguard-worker@google.com","date":"2025-02-06 05:21:10.000000000","tz":-480},"subject":"Ensure objects remain valid after calling policy","message":"Ensure objects remain valid after calling policy\n\nThe function\nafterKeyEventLockedInterruptable releases the lock and calls into\npolicy. During this time, the call to \"removeInputChannel\" might come\nin. This call would cause the waitQueue to be drained. Therefore, the\ndispatchEntry that\u0027s stored in this queue would be deleted.\n\nBefore this CL, we obtained a reference to the EventEntry object before\ncalling policy. If there aren\u0027t any more strong pointers remaining to\nthe EventEntry, the object would become deleted, and the reference would\nend up pointing to freed memory.\n\nPrevious flow of events:\n- KeyEntry is allocated during setFocusedWindow call, as part of\n  \"synthesizeCancelationEvents\".\n- App calls \"finish\" on an event, and dispatcher notifies policy about\n  the unhandled key event. But dispatcher must release lock before\n  calling policy.\n- After dispatcher has released the lock, but before it called policy,\n  there is a binder call to \"removeInputChannel\" that comes in. That\n  causes the waitQueue to be drained, and deletes the DispatchEntry. If\n  the dispatch entry is the last remaining reference to the KeyEntry,\n  then the KeyEntry gets deleted, as well.\n- The dispatcher calls policy, and uses the reference to the KeyEntry\n  that it was provided. But that reference points to freed memory. This\n  causes a crash.\n\nTo deal with this, make a few changes in this CL:\n- Since the \"doDispatchCycleFinishedCommand\" is stored in queue, it\n  should have a strong pointer to the connection object, and not just\n  a reference. That means the Connection object will be valid when the\n  command actually runs (otherwise, someone might delete it)\n- Inside afterKeyEventLockedInterruptable, assume that the dispatchEntry\n  will be deleted after the lock is released. Make copies of the data\n  that we need after the lock is regained:\n  1) Add refcount for EventEntry\n  2) Store the \"hasForegroundTarget\" into a separate variable\n     (technically, it\u0027s not necessary, but it allows us to remove all\n     usages of \"dispatchEntry\" in the rest of the function.\n\nAs an alternative, we could re-look up the DispatchEntry in the\nwaitQueue after we regain the lock, but that seems more complex in terms\nof implementation / readability.\n\nBug: 343129193\nTest: atest --host inputflinger_tests\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:299fd8ed96d30b5a83f0f8476c591b457cff4acb)\nMerged-In: Ibea7117e4c85cd1e98bbd01872ce249cbb2d54bd\nChange-Id: Ibea7117e4c85cd1e98bbd01872ce249cbb2d54bd\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/7bc54835419913bea9822054508fbc78dbf7ef6c"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_frameworks_native/commit/7bc54835419913bea9822054508fbc78dbf7ef6c"}]},"branch":"refs/heads/lineage-20.0"}},"requirements":[],"submit_records":[],"submit_requirements":[]}