author | Jimmy Shiu <jimmyshiu@google.com> | 2022-10-19 01:13:08 +0800 |
---|---|---|
committer | Jimmy Shiu <jimmyshiu@google.com> | 2022-10-28 09:27:45 +0800 |
commit | 5c75978f530b27bd976d8695ed79acd336c24776 (patch) | |
tree | 599e6524f0b1fd09bb072c6fe834c0018910b366 | |
parent | 64284745bb8d31195e1861ce0e1b18fba3603ed9 (diff) |
ADPF: fix use-after-free crash
The main problem is the timer thread could be woken after the session
was destroyed. We did have a closed flag, set in the destructor, that was checked before handleMessage accessed the session
instance. To fix the problem, the flag check and the access to the session instance must be guarded by the same lock.
Bug: 236674672
Test: manual test
Change-Id: I49a18efbc135b1bc070b101038a8a0bcc6e19fec
-rw-r--r-- | power-libperfmgr/aidl/PowerHintSession.cpp | 11 | ||||
-rw-r--r-- | power-libperfmgr/aidl/PowerHintSession.h | 2 |
2 files changed, 5 insertions, 8 deletions
diff --git a/power-libperfmgr/aidl/PowerHintSession.cpp b/power-libperfmgr/aidl/PowerHintSession.cpp
index 5f24496..14cbf01 100644
--- a/power-libperfmgr/aidl/PowerHintSession.cpp
+++ b/power-libperfmgr/aidl/PowerHintSession.cpp
@@ -265,14 +265,10 @@ ndk::ScopedAStatus PowerHintSession::close() {
 }
 // Remove the session from PowerSessionManager first to avoid racing.
 PowerSessionManager::getInstance()->removePowerSession(this);
- setSessionUclampMin(0);
- {
- std::lock_guard<std::mutex> guard(mSessionLock);
- mSessionClosed.store(true);
- }
- mDescriptor->is_active.store(false);
 mEarlyBoostHandler->setSessionDead();
 mStaleTimerHandler->setSessionDead();
+ setSessionUclampMin(0);
+ mDescriptor->is_active.store(false);
 updateUniveralBoostMode();
 return ndk::ScopedAStatus::ok();
 }
@@ -505,6 +501,7 @@ void PowerHintSession::StaleTimerHandler::updateTimer(time_point<steady_clock> s
 }
 
 void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {
+ std::lock_guard<std::mutex> guard(mClosedLock);
 if (mIsSessionDead) {
 return;
 }
@@ -534,7 +531,7 @@ void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {
 }
 
 void PowerHintSession::StaleTimerHandler::setSessionDead() {
- std::lock_guard<std::mutex> guard(mStaleLock);
+ std::lock_guard<std::mutex> guard(mClosedLock);
 mIsSessionDead = true;
 PowerHintMonitor::getInstance()->getLooper()->removeMessages(mSession->mStaleTimerHandler);
 }
diff --git a/power-libperfmgr/aidl/PowerHintSession.h b/power-libperfmgr/aidl/PowerHintSession.h
index 96b445e..9bd9a2c 100644
--- a/power-libperfmgr/aidl/PowerHintSession.h
+++ b/power-libperfmgr/aidl/PowerHintSession.h
@@ -105,7 +105,7 @@ class PowerHintSession : public BnPowerHintSession {
 private:
 PowerHintSession *mSession;
- std::mutex mStaleLock;
+ std::mutex mClosedLock;
 std::mutex mMessageLock;
 std::atomic<time_point<steady_clock>> mStaleTime;
 std::atomic<bool> mIsMonitoring;
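Review bot: The use-after-free guard is added only to StaleTimerHandler, while close() in the first hunk also calls mEarlyBoostHandler->setSessionDead(); if EarlyBoostHandler::handleMessage checks its dead flag without holding a lock in the same way (its code is not in this diff), it still races with session destruction exactly as the stale timer did before this change. The close() hunk also drops the only visible store to mSessionClosed together with the mSessionLock critical section, and the header hunk does not remove those members; if the guard at the top of close() (outside the hunk) or the destructor still reads mSessionClosed, confirm it is set somewhere else, otherwise a second close() would re-run removePowerSession() and both setSessionDead() calls. Note too that handleMessage now holds mClosedLock for its whole remaining body (past the hunk), so nothing it calls may take mClosedLock or call setSessionDead(), or the non-recursive std::mutex deadlocks; a comment on the new guard, `// Held for the entire handler so setSessionDead() cannot return while mSession is in use.`, would make that contract explicit.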