SurfaceFlinger: fix a potential race condition in stealReceiveChannel Add a mutex to prevent a potential race condition. Bug: 232541124 Test: See bug for details Change-Id: Ia338f124c786bf12d6adba10a67b9048fe9c34a5

commit: 899e8cd0749cb3f43bef0bdb28002edab42bbb1b [log] [tgz]
author: Ady Abraham <adyabr@google.com> Mon Jun 06 15:16:06 2022 -0700
committer: Ady Abraham <adyabr@google.com> Mon Jun 06 23:46:58 2022 +0000
tree: c70d25b64f61f65647329b1dcc2450e6d0fcaeec
parent: 47e41ac3c1a2502f675ca3d29812a3ef2d32d4a5 [diff]
diff --git a/services/surfaceflinger/Scheduler/EventThread.cpp b/services/surfaceflinger/Scheduler/EventThread.cpp
index cbea77e..639ba5a 100644
--- a/services/surfaceflinger/Scheduler/EventThread.cpp
+++ b/services/surfaceflinger/Scheduler/EventThread.cpp

@@ -177,6 +177,11 @@
 }
 
 binder::Status EventThreadConnection::stealReceiveChannel(gui::BitTube* outChannel) {
+    std::scoped_lock lock(mLock);
+    if (mChannel.initCheck() != NO_ERROR) {
+        return binder::Status::fromStatusT(NAME_NOT_FOUND);
+    }
+
     outChannel->setReceiveFd(mChannel.moveReceiveFd());
     outChannel->setSendFd(base::unique_fd(dup(mChannel.getSendFd())));
     return binder::Status::ok();

diff --git a/services/surfaceflinger/Scheduler/EventThread.h b/services/surfaceflinger/Scheduler/EventThread.h
index c406478..adb96fd 100644
--- a/services/surfaceflinger/Scheduler/EventThread.h
+++ b/services/surfaceflinger/Scheduler/EventThread.h

@@ -112,7 +112,8 @@
 private:
     virtual void onFirstRef();
     EventThread* const mEventThread;
-    gui::BitTube mChannel;
+    std::mutex mLock;
+    gui::BitTube mChannel GUARDED_BY(mLock);
 
     std::vector<DisplayEventReceiver::Event> mPendingEvents;
 };
commit	899e8cd0749cb3f43bef0bdb28002edab42bbb1b	[log] [tgz]
author	Ady Abraham <adyabr@google.com>	Mon Jun 06 15:16:06 2022 -0700
committer	Ady Abraham <adyabr@google.com>	Mon Jun 06 23:46:58 2022 +0000
tree	c70d25b64f61f65647329b1dcc2450e6d0fcaeec
parent	47e41ac3c1a2502f675ca3d29812a3ef2d32d4a5 [diff]