From 3478253879204e3ae061e0f90f7c02710494a95d Mon Sep 17 00:00:00 2001
From: Jimmy Shiu
Date: Thu, 18 Jul 2024 20:16:00 +0530
Subject: [PATCH] sm6375-common: power-libperfmgr: ADPF: fix use-after-free crash

The main problem is the timer thread could be woken after the session was destroyed. We did have a closed flag which was set in destructor and the flag would be checked before handleMessage accessing the session instance.

To fix the problem, the operations of flag checking and session instance accessing should be guarded by the lock.

Bug: 236674672
Test: manual test
Change-Id: I49a18efbc135b1bc070b101038a8a0bcc6e19fec
(cherry picked from commit 5c75978f530b27bd976d8695ed79acd336c24776)
Merged-In: I49a18efbc135b1bc070b101038a8a0bcc6e19fec
---
 power-libperfmgr/PowerHintSession.cpp | 11 ++++-------
 power-libperfmgr/PowerHintSession.h   |  2 +-
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/power-libperfmgr/PowerHintSession.cpp b/power-libperfmgr/PowerHintSession.cpp
index 2dbb464..1eb0172 100644
--- a/power-libperfmgr/PowerHintSession.cpp
+++ b/power-libperfmgr/PowerHintSession.cpp
@@ -263,14 +263,10 @@ ndk::ScopedAStatus PowerHintSession::close() {
 }
 // Remove the session from PowerSessionManager first to avoid racing.
 PowerSessionManager::getInstance()->removePowerSession(this);
- setSessionUclampMin(0);
- {
- std::lock_guard guard(mSessionLock);
- mSessionClosed.store(true);
- }
- mDescriptor->is_active.store(false);
 mEarlyBoostHandler->setSessionDead();
 mStaleTimerHandler->setSessionDead();
+ setSessionUclampMin(0);
+ mDescriptor->is_active.store(false);
 updateUniveralBoostMode();
 return ndk::ScopedAStatus::ok();
 }
@@ -501,6 +497,7 @@ void PowerHintSession::StaleTimerHandler::updateTimer(time_point s
 }
 
 void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {
+ std::lock_guard guard(mClosedLock);
 if (mIsSessionDead) {
 return;
 }
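Review bot: This hunk removes the only visible store of mSessionClosed, yet neither it nor the header hunk drops the member or any reader of it, so whatever still checks mSessionClosed (the description says it gated handleMessage's access to the session) now only sees the flag if the destructor sets it; either delete the member or confirm nothing still depends on it. A second gap: close() marks both handlers dead, but only StaleTimerHandler::handleMessage gains the lock in the next hunk, so if EarlyBoostHandler::handleMessage tests its dead flag the same unlocked way it keeps the same use-after-free window. close() starts before this hunk.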
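Review bot: The guard added at the top of handleMessage is now held for the entire callback, whose body continues past the hunk, and that hold time is the actual fix (setSessionDead() in the following hunk blocks on the same mutex until an in-flight callback finishes), so it should be stated rather than left implicit: `// Held for the whole callback: setSessionDead() takes mClosedLock too, so once it returns no timer callback can still touch mSession.` The corollary is that nothing later in the body may wait on a lock the closing thread holds while it calls setSessionDead(), or close() and the timer thread deadlock; the visible part of close() holds no lock at that call, but the rest of handleMessage is not in view, so confirm it.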
@@ -530,7 +527,7 @@ void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {
 }
 
 void PowerHintSession::StaleTimerHandler::setSessionDead() {
- std::lock_guard guard(mStaleLock);
+ std::lock_guard guard(mClosedLock);
 mIsSessionDead = true;
 PowerHintMonitor::getInstance()->getLooper()->removeMessages(mSession->mStaleTimerHandler);
 }
diff --git a/power-libperfmgr/PowerHintSession.h b/power-libperfmgr/PowerHintSession.h
index d922744..33c6ed7 100644
--- a/power-libperfmgr/PowerHintSession.h
+++ b/power-libperfmgr/PowerHintSession.h
@@ -103,7 +103,7 @@ class PowerHintSession : public BnPowerHintSession {
 private:
 PowerHintSession *mSession;
- std::mutex mStaleLock;
+ std::mutex mClosedLock;
 std::mutex mMessageLock;
 std::atomic> mStaleTime;
 std::atomic mIsMonitoring;
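Review bot: With the rename, mClosedLock now also covers the removeMessages() call, and because the header hunk removes mStaleLock entirely the old lock evidently had no other users, so handleMessage holding the same mutex cannot re-enter it; that reasoning lives only in the diff, so the member in PowerHintSession.h deserves a comment: `// Guards mIsSessionDead and serializes setSessionDead() against an in-flight handleMessage().` mIsSessionDead's declaration is not in view; if it is a plain bool that is fine now that every access is under the lock, but any remaining unlocked read elsewhere would be a data race.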