diff options
| author | Mathias Agopian <mathias@google.com> | 2017-04-03 17:14:31 -0700 |
|---|---|---|
| committer | JP Sugarbroad <jpsugar@google.com> | 2017-06-08 15:56:04 -0700 |
| commit | 93cfe560df721016d5627926b6296ab4986df720 (patch) | |
| tree | 9827260541fdbcb505d58be8b86fc02739056a69 | |
| parent | 7be50f64edb3e6e5ed296d84583b7db42fb39bdf (diff) | |
| download | native-93cfe560df721016d5627926b6296ab4986df720.tar.gz | |
fix race condition that can cause a use after free
Backported from 12a0ccd6f7201bac706d903ac3f436c4358fe203.
Bug: 33004354
Test: manual
Change-Id: I9b38ee644b02268c9b995a330db758aa2e568399
(cherry picked from commit 59485525a6047453e6ba16c03989381e2a0d56ec)
| -rw-r--r-- | libs/gui/BufferQueueProducer.cpp | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp index 05923b5d35..ce4778435f 100644 --- a/libs/gui/BufferQueueProducer.cpp +++ b/libs/gui/BufferQueueProducer.cpp @@ -921,7 +921,11 @@ status_t BufferQueueProducer::queueBuffer(int slot, // Call back without the main BufferQueue lock held, but with the callback // lock held so we can ensure that callbacks occur in order - { + + int connectedApi; + sp<Fence> lastQueuedFence; + + { // scope for the lock Mutex::Autolock lock(mCallbackMutex); while (callbackTicket != mCurrentCallbackTicket) { mCallbackCondition.wait(mCallbackMutex); @@ -933,20 +937,24 @@ status_t BufferQueueProducer::queueBuffer(int slot, frameReplacedListener->onFrameReplaced(item); } + connectedApi = mCore->mConnectedApi; + lastQueuedFence = std::move(mLastQueueBufferFence); + + mLastQueueBufferFence = std::move(fence); + mLastQueuedCrop = item.mCrop; + mLastQueuedTransform = item.mTransform; + ++mCurrentCallbackTicket; mCallbackCondition.broadcast(); } // Wait without lock held - if (mCore->mConnectedApi == NATIVE_WINDOW_API_EGL) { + if (connectedApi == NATIVE_WINDOW_API_EGL) { // Waiting here allows for two full buffers to be queued but not a // third. In the event that frames take varying time, this makes a // small trade-off in favor of latency rather than throughput. - mLastQueueBufferFence->waitForever("Throttling EGL Production"); + lastQueuedFence->waitForever("Throttling EGL Production"); } - mLastQueueBufferFence = fence; - mLastQueuedCrop = item.mCrop; - mLastQueuedTransform = item.mTransform; return NO_ERROR; } |