commit fa17f09bfaa4c31f8c448ba24ae84b6d4a6eacb0
author Emilian Peev <epeev@google.com> Fri Jul 29 13:28:55 2022 -0700
committer Emilian Peev <epeev@google.com> Fri Jul 29 13:42:28 2022 -0700
tree 3b21b455af2b254911e6c5e841bf7906713d9a98
parent ebba6f05032dd162ad013b9e9732ea1ca8609398

Camera: Ensure that 'opChanged' can access a valid device instance

'opChanged' callbacks will get registered before the camera3
device initialization. They are not synchronized with the
main service lock and can potentially try to access an invalid
device reference.
Ensure that the 'opChanged' callback registration always happens
after the camera3 device initialization.

Bug: 240725858
Test: Camera CTS
Change-Id: Id3d9877dfafc894cceca5358213f39d5b46a7aee

services/camera/libcameraservice/common/Camera2ClientBase.cpp

diff --git a/services/camera/libcameraservice/common/Camera2ClientBase.cpp b/services/camera/libcameraservice/common/Camera2ClientBase.cpp
index 6f43270..f926b88 100644
--- a/services/camera/libcameraservice/common/Camera2ClientBase.cpp
+++ b/services/camera/libcameraservice/common/Camera2ClientBase.cpp
@@ -105,11 +105,6 @@
           TClientBase::mCameraIdStr.string());
     status_t res;
 
-    // Verify ops permissions
-    res = TClientBase::startCameraOps();
-    if (res != OK) {
-        return res;
-    }
     IPCTransport providerTransport = IPCTransport::INVALID;
     res = providerPtr->getCameraIdIPCTransport(TClientBase::mCameraIdStr.string(),
             &providerTransport);
@@ -145,6 +140,14 @@
         return res;
     }
 
+    // Verify ops permissions
+    res = TClientBase::startCameraOps();
+    if (res != OK) {
+        TClientBase::finishCameraOps();
+        mDevice.clear();
+        return res;
+    }
+
     wp<NotificationListener> weakThis(this);
     res = mDevice->setNotifyCallback(weakThis);
     if (res != OK) {