Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2e9d8fa3 authored by Shuzhen Wang's avatar Shuzhen Wang
Browse files

Camera: Fix race between notifyDeviceStateChange and removeProvider 

Make a copy of mProviders in notifyDeviceStateChange to avoid race
condition between notifyDeviceStateChange and removeProvider.

When iterating through mProviders, we temporarly unlock mInterfaceMutex.
Because of that, it's possible some providers have been removed from
mProviders during iteration, causing invalid memory access.

Test: Vendor testing, Camera CTS
Bug: 234146453
Change-Id: I69cbeff07bacc905f34e4fbd0ba666c677ccf1a7
parent 621b2e0d

services/camera/libcameraservice/common/CameraProviderManager.cpp

+5 −1
Original line number Diff line number Diff line
@@ -356,7 +356,11 @@ status_t CameraProviderManager::notifyDeviceStateChange( 
    std::lock_guard<std::mutex> lock(mInterfaceMutex);

    mDeviceState = newState;

    status_t res = OK;

    for (auto& provider : mProviders) {

    // Make a copy of mProviders because we unlock mInterfaceMutex temporarily

    // within the loop. It's possible that during the time mInterfaceMutex is

    // unlocked, mProviders has changed.

    auto providers = mProviders;

    for (auto& provider : providers) {

        ALOGV("%s: Notifying %s for new state 0x%" PRIx64,

                __FUNCTION__, provider->mProviderName.c_str(), newState);

        // b/199240726 Camera providers can for example try to add/remove