
Commit b2a4658a authored by Mike Lockwood's avatar Mike Lockwood

USB: Fix race condition in acquiring global reference in UsbRequest JNI code

Fixes bug https://code.google.com/p/android/issues/detail?id=59467

Change-Id: I8365e1be4eb0f1f2da49b658af677b590a80e382
parent fa2b3fc6
+12 −10
@@ -100,18 +100,19 @@ android_hardware_UsbRequest_queue_array(JNIEnv *env, jobject thiz,
    }
    request->buffer_length = length;

    // save a reference to ourselves so UsbDeviceConnection.waitRequest() can find us
    request->client_data = (void *)env->NewGlobalRef(thiz);

    if (usb_request_queue(request)) {
        if (request->buffer) {
            // free our buffer if usb_request_queue fails
            free(request->buffer);
            request->buffer = NULL;
        }
        env->DeleteGlobalRef((jobject)request->client_data);
        return false;
    } else {
        // save a reference to ourselves so UsbDeviceConnection.waitRequest() can find us
        request->client_data = (void *)env->NewGlobalRef(thiz);
        return true;
    }
    return true;
}

static jint
@@ -152,16 +153,17 @@ android_hardware_UsbRequest_queue_direct(JNIEnv *env, jobject thiz,
    }
    request->buffer_length = length;

    if (usb_request_queue(request)) {
        request->buffer = NULL;
        return false;
    } else {
    // save a reference to ourselves so UsbDeviceConnection.waitRequest() can find us
    // we also need this to make sure our native buffer is not deallocated
    // while IO is active
    request->client_data = (void *)env->NewGlobalRef(thiz);
        return true;

    if (usb_request_queue(request)) {
        request->buffer = NULL;
        env->DeleteGlobalRef((jobject)request->client_data);
        return false;
    }
    return true;
}

static jint
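Review bot: On the failure path, `request->client_data` still holds the reference that `env->DeleteGlobalRef((jobject)request->client_data);` has just deleted, in both queue_array and queue_direct, whereas `request->buffer` is reset to NULL. If any later code reads client_data on this request (not visible here), it would be using a stale JNI global reference; adding `request->client_data = NULL;` right after each DeleteGlobalRef call closes that gap. The result of `env->NewGlobalRef(thiz)` is also unchecked, and it can return NULL when the VM cannot allocate the reference, so the request would be queued with nothing for waitRequest() to find; returning false before `usb_request_queue(request)` in that case looks safer. Both functions start outside the hunks, so earlier handling of client_data could not be checked.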