cjgrenlund/hardware_xiaomi
1
0
Fork 0
forked from donjohanliebert/hardware_xiaomi
Code Pull Requests Activity

power-libperfmgr: ADPF: fix use-after-free crash

Browse Source 
The main problem is the timer thread could be woken after the session
was destroyed. We did have a closed flag which was set in destructor and the flag would be checked before handleMessage accessing the session
instance. To fix the problem, the operations of flag checking and session instance accessing should be guarded by the lock.

Bug: 236674672
Test: manual test
Change-Id: I49a18efbc135b1bc070b101038a8a0bcc6e19fec
(cherry picked from commit 5c75978f530b27bd976d8695ed79acd336c24776)
Merged-In: I49a18efbc135b1bc070b101038a8a0bcc6e19fec
This commit is contained in:
Jimmy Shiu 2022-10-19 01:13:08 +08:00 committed by Bruno Martins
parent 6ab718385b
commit e69da0c258
2 changed files with 5 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
aidl/power-libperfmgr/PowerHintSession.cpp
View File

@ -263,14 +263,10 @@ ndk::ScopedAStatus PowerHintSession::close() {
}
// Remove the session from PowerSessionManager first to avoid racing.
PowerSessionManager::getInstance()->removePowerSession(this);
setSessionUclampMin(0);
{
std::lock_guard<std::mutex> guard(mSessionLock);
mSessionClosed.store(true);
}
mDescriptor->is_active.store(false);
mEarlyBoostHandler->setSessionDead();
mStaleTimerHandler->setSessionDead();
setSessionUclampMin(0);
mDescriptor->is_active.store(false);
updateUniveralBoostMode();
return ndk::ScopedAStatus::ok();
}
@ -501,6 +497,7 @@ void PowerHintSession::StaleTimerHandler::updateTimer(time_point<steady_clock> s
}
void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {
std::lock_guard<std::mutex> guard(mClosedLock);
if (mIsSessionDead) {
return;
}
@ -530,7 +527,7 @@ void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {
}
void PowerHintSession::StaleTimerHandler::setSessionDead() {
std::lock_guard<std::mutex> guard(mStaleLock);
std::lock_guard<std::mutex> guard(mClosedLock);
mIsSessionDead = true;
PowerHintMonitor::getInstance()->getLooper()->removeMessages(mSession->mStaleTimerHandler);
}

2
aidl/power-libperfmgr/PowerHintSession.h
View File

@ -103,7 +103,7 @@ class PowerHintSession : public BnPowerHintSession {
private:
PowerHintSession *mSession;
std::mutex mStaleLock;
std::mutex mClosedLock;
std::mutex mMessageLock;
std::atomic<time_point<steady_clock>> mStaleTime;
std::atomic<bool> mIsMonitoring;