From 12794d4f69e1ef1e17e5c835f2ff9551b9beb3f3 Mon Sep 17 00:00:00 2001 From: Yin-Chia Yeh Date: Tue, 27 Jun 2017 17:13:33 -0700 Subject: [PATCH] Camera: fix status tracker race condition Request thread may race with disconnect call when device is disconnected in error condition. Acquire mLock when camera device is updating status tracker to prevent that race (status tracker being freed and then updated). In other places where status tracker is updated, there is a promoted sp to guarantee status tracker remain alive during the call. Test: CTS, manual camera testing Bug: 62420820, 65432229 Change-Id: Id894b5d3482c64125c114f79dbe746c56048fcbe Merged-In: Id894b5d3482c64125c114f79dbe746c56048fcbe --- .../libcameraservice/device3/Camera3Device.cpp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/services/camera/libcameraservice/device3/Camera3Device.cpp b/services/camera/libcameraservice/device3/Camera3Device.cpp index e8b9b205b4..0c83ed05d7 100644 --- a/services/camera/libcameraservice/device3/Camera3Device.cpp +++ b/services/camera/libcameraservice/device3/Camera3Device.cpp @@ -2326,7 +2326,11 @@ status_t Camera3Device::registerInFlight(uint32_t frameNumber, if (res < 0) return res; if (mInFlightMap.size() == 1) { - mStatusTracker->markComponentActive(mInFlightStatusId); + // hold mLock to prevent race with disconnect + Mutex::Autolock l(mLock); + if (mStatusTracker != nullptr) { + mStatusTracker->markComponentActive(mInFlightStatusId); + } } return OK; @@ -2353,7 +2357,11 @@ void Camera3Device::removeInFlightMapEntryLocked(int idx) { // Indicate idle inFlightMap to the status tracker if (mInFlightMap.size() == 0) { - mStatusTracker->markComponentIdle(mInFlightStatusId, Fence::NO_FENCE); + // hold mLock to prevent race with disconnect + Mutex::Autolock l(mLock); + if (mStatusTracker != nullptr) { + mStatusTracker->markComponentIdle(mInFlightStatusId, Fence::NO_FENCE); + } } }