diff options
| author | Yin-Chia Yeh <yinchiayeh@google.com> | 2017-11-06 17:16:22 -0800 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-11-09 05:42:56 +0000 |
| commit | 3ad3aecaf66af97c513def4d2d859fbac32bf4ca (patch) | |
| tree | ce6f8b1ebc560f1b8c9f5bb20c161ccff12e02ea | |
| parent | 18d2294a4cd46cc285a95436c503b46184217451 (diff) | |
| download | av-3ad3aecaf66af97c513def4d2d859fbac32bf4ca.tar.gz | |
Camera NDK: fix bug in lock order
AImage::close() can be called by AImageReader while holding
AImageReader::mLock.
Also fix ACaptureFailure double free issue.
Test: AR test app + CTS stress
Bug: 68885255
Change-Id: I17037e3e30e0f53b35ca538a3f321693c539cbdc
Merged-In: I17037e3e30e0f53b35ca538a3f321693c539cbdc
(cherry picked from commit a10ab5bfd1ca27128fdbe43ce58a68e92b2896a1)
| -rw-r--r-- | camera/ndk/impl/ACameraDevice.cpp | 1 | ||||
| -rw-r--r-- | media/ndk/NdkImage.cpp | 4 | ||||
| -rw-r--r-- | media/ndk/NdkImageReader.cpp | 4 | ||||
| -rw-r--r-- | media/ndk/NdkImageReaderPriv.h | 2 |
4 files changed, 6 insertions, 5 deletions
diff --git a/camera/ndk/impl/ACameraDevice.cpp b/camera/ndk/impl/ACameraDevice.cpp index 3ae208aa14..af977b8ecb 100644 --- a/camera/ndk/impl/ACameraDevice.cpp +++ b/camera/ndk/impl/ACameraDevice.cpp @@ -941,7 +941,6 @@ void CameraDevice::CallbackHandler::onMessageReceived( ACaptureRequest* request = allocateACaptureRequest(requestSp); (*onFail)(context, session.get(), request, failure); freeACaptureRequest(request); - delete failure; break; } case kWhatCaptureSeqEnd: diff --git a/media/ndk/NdkImage.cpp b/media/ndk/NdkImage.cpp index 87b649ad41..c4ff537687 100644 --- a/media/ndk/NdkImage.cpp +++ b/media/ndk/NdkImage.cpp @@ -53,7 +53,6 @@ AImage::isClosed() const { void AImage::close(int releaseFenceFd) { - lockReader(); Mutex::Autolock _l(mLock); if (mIsClosed) { return; @@ -71,7 +70,6 @@ AImage::close(int releaseFenceFd) { mBuffer = nullptr; mLockedBuffer = nullptr; mIsClosed = true; - unlockReader(); } void @@ -622,7 +620,9 @@ EXPORT void AImage_deleteAsync(AImage* image, int releaseFenceFd) { ALOGV("%s", __FUNCTION__); if (image != nullptr) { + image->lockReader(); image->close(releaseFenceFd); + image->unlockReader(); if (!image->isClosed()) { LOG_ALWAYS_FATAL("Image close failed!"); } diff --git a/media/ndk/NdkImageReader.cpp b/media/ndk/NdkImageReader.cpp index e90783d0e7..fd6ecb51da 100644 --- a/media/ndk/NdkImageReader.cpp +++ b/media/ndk/NdkImageReader.cpp @@ -349,8 +349,8 @@ AImageReader::~AImageReader() { for (auto it = mAcquiredImages.begin(); it != mAcquiredImages.end(); it++) { AImage* image = *it; + Mutex::Autolock _l(image->mLock); releaseImageLocked(image, /*releaseFenceFd*/-1); - image->close(); } // Delete Buffer Items @@ -502,6 +502,8 @@ AImageReader::releaseImageLocked(AImage* image, int releaseFenceFd) { mBufferItemConsumer->releaseBuffer(*buffer, bufferFence); returnBufferItemLocked(buffer); image->mBuffer = nullptr; + image->mLockedBuffer = nullptr; + image->mIsClosed = true; bool found = false; // cleanup acquired image list diff --git a/media/ndk/NdkImageReaderPriv.h b/media/ndk/NdkImageReaderPriv.h index 989b937815..bed8a21c91 100644 --- a/media/ndk/NdkImageReaderPriv.h +++ b/media/ndk/NdkImageReaderPriv.h @@ -85,7 +85,7 @@ struct AImageReader : public RefBase { // Called by AImageReader_acquireXXX to acquire a Buffer and setup AImage. media_status_t acquireImageLocked(/*out*/AImage** image, /*out*/int* fenceFd); - // Called by AImage to close image + // Called by AImage/~AImageReader to close image. Caller is responsible to grab AImage::mLock void releaseImageLocked(AImage* image, int releaseFenceFd); static int getBufferWidth(BufferItem* buffer); |