
Commit 7eb38ce6 authored by Yiming Cao, committed by Steve Kondik

Binder: Resolve race condition



The transaction buffer is not freed before sendReply,
which may cause the next command to fail. E.g., if an
application immediately creates another player to play the next
video clip after releasing the previous one, the setup may
fail because the native player is not freed and the surface
is still connected to the previous one.

Change-Id: Id4ce215e5558edeb7468c8b08ec939f578beb184
Signed-off-by: Yiming Cao <ym.caoyiming@gmail.com>
parent a29eae2a
+5 −4
@@ -1026,6 +1026,10 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
                "Not enough command data for brTRANSACTION");
            if (result != NO_ERROR) break;
            
            const pid_t origPid = mCallingPid;
            const uid_t origUid = mCallingUid;
            Parcel reply;
            {
            Parcel buffer;
            buffer.ipcSetDataReference(
                reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
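Review bot: the bare `{` added after `Parcel reply;` carries no comment saying why it exists, and `Parcel buffer;` inside it keeps its old indentation, so the new scope reads like a stray brace. Per the commit message, the intent is that buffer is destroyed, and the freeBuffer callback passed to ipcSetDataReference gets to run, before the reply is sent. Put that in a one-line comment at the brace and indent the enclosed statements; otherwise a later cleanup can drop the braces and reintroduce the race.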
@@ -1033,9 +1037,6 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
                reinterpret_cast<const size_t*>(tr.data.ptr.offsets),
                tr.offsets_size/sizeof(size_t), freeBuffer, this);
            
            const pid_t origPid = mCallingPid;
            const uid_t origUid = mCallingUid;
            
            mCallingPid = tr.sender_pid;
            mCallingUid = tr.sender_euid;
            
@@ -1061,7 +1062,6 @@ status_t IPCThreadState::executeCommand(int32_t cmd)

            //ALOGI(">>>> TRANSACT from pid %d uid %d\n", mCallingPid, mCallingUid);
            
            Parcel reply;
            IF_LOG_TRANSACTIONS() {
                TextOutput::Bundle _b(alog);
                alog << "BR_TRANSACTION thr " << (void*)pthread_self()
@@ -1082,6 +1082,7 @@ status_t IPCThreadState::executeCommand(int32_t cmd)
                const status_t error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
                if (error < NO_ERROR) reply.setError(error);
            }
            }
            
            //ALOGI("<<<< TRANSACT from pid %d restore pid %d uid %d\n",
            //     mCallingPid, origPid, origUid);
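Review bot: the added `}` directly after the transact block sits at the same column as the brace above it, so nothing shows that it closes the buffer scope opened at the top of the case rather than an inner block. Give it a trailing comment such as `// end of buffer scope, transaction buffer released`, or indent the enclosed code so the two braces are distinguishable. The fix depends entirely on this brace's position relative to the reply being sent, which deserves to be visible in the source.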