commit 4b93da988f02c652f3429661f9a9859fa1c1ea0a
author Gopalakrishnan Nallasamy <gokrishnan@google.com> Tue Jan 11 23:44:20 2022 -0800
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Mon Feb 14 23:12:30 2022 +0000
tree c5b0258a8b20f2062ae586be7d719bf6e6cff6a4
parent 858c828b922cbe32675d787507830a6c691aee6b

C2AllocatorIon:protect mMappings using mutex

Use mutex to prevent multiple threads accessing same member of
mMappings list at the same time.

Bug: 193790350

Test: adb shell UBSAN_OPTIONS=print_stacktrace=1 /data/local/tmp/C2FuzzerMp3Dec -rss_limit_mb=2560 -timeout=90 -runs=100 /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerMp3Dec-5713156165206016
Change-Id: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
Merged-In: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
(cherry picked from commit 9d2295f3a008f60bcfa3d2da3b43c078efec1878)
(cherry picked from commit 416da6e8da6b6a16c5c00bddd9fbc7a5f060cd58)
Merged-In:I24e53629d5a6dfad22b84dd2278eb1a288c9ab35

media/codec2/vndk/C2AllocatorIon.cpp

diff --git a/media/codec2/vndk/C2AllocatorIon.cpp b/media/codec2/vndk/C2AllocatorIon.cpp
index 77b265a..7b593ee 100644
--- a/media/codec2/vndk/C2AllocatorIon.cpp
+++ b/media/codec2/vndk/C2AllocatorIon.cpp
@@ -207,6 +207,7 @@
 
         c2_status_t err = mapInternal(mapSize, mapOffset, alignmentBytes, prot, flags, &(map.addr), addr);
         if (map.addr) {
+            std::lock_guard<std::mutex> guard(mMutexMappings);
             mMappings.push_back(map);
         }
         return err;
@@ -217,22 +218,26 @@
             ALOGD("tried to unmap unmapped buffer");
             return C2_NOT_FOUND;
         }
-        for (auto it = mMappings.begin(); it != mMappings.end(); ++it) {
-            if (addr != (uint8_t *)it->addr + it->alignmentBytes ||
-                    size + it->alignmentBytes != it->size) {
-                continue;
+        { // Scope for the lock_guard of mMutexMappings.
+            std::lock_guard<std::mutex> guard(mMutexMappings);
+            for (auto it = mMappings.begin(); it != mMappings.end(); ++it) {
+                if (addr != (uint8_t *)it->addr + it->alignmentBytes ||
+                        size + it->alignmentBytes != it->size) {
+                    continue;
+                }
+                int err = munmap(it->addr, it->size);
+                if (err != 0) {
+                    ALOGD("munmap failed");
+                    return c2_map_errno<EINVAL>(errno);
+                }
+                if (fence) {
+                    *fence = C2Fence(); // not using fences
+                }
+                (void)mMappings.erase(it);
+                ALOGV("successfully unmapped: addr=%p size=%zu fd=%d", addr, size,
+                          mHandle.bufferFd());
+                return C2_OK;
             }
-            int err = munmap(it->addr, it->size);
-            if (err != 0) {
-                ALOGD("munmap failed");
-                return c2_map_errno<EINVAL>(errno);
-            }
-            if (fence) {
-                *fence = C2Fence(); // not using fences
-            }
-            (void)mMappings.erase(it);
-            ALOGV("successfully unmapped: addr=%p size=%zu fd=%d", addr, size, mHandle.bufferFd());
-            return C2_OK;
         }
         ALOGD("unmap failed to find specified map");
         return C2_BAD_VALUE;
@@ -241,6 +246,7 @@
     virtual ~Impl() {
         if (!mMappings.empty()) {
             ALOGD("Dangling mappings!");
+            std::lock_guard<std::mutex> guard(mMutexMappings);
             for (const Mapping &map : mMappings) {
                 (void)munmap(map.addr, map.size);
             }
@@ -320,6 +326,7 @@
         size_t size;
     };
     std::list<Mapping> mMappings;
+    std::mutex mMutexMappings;
 };
 
 class C2AllocationIon::ImplV2 : public C2AllocationIon::Impl {