[NFC] Fix use-after-free in eventCallback
Transform access to the static shared pointer 'Nfc::mCallback' to be thread-safe to prevent a use-after-free crash.
The use-after-free occurred when an asynchronous thread (eventCallback) attempted to call a method on 'mCallback' immediately after the main thread Nfc::open had destroyed the underlying object. The simple null check was insufficient due to the race condition.
This fix implements the correct shared pointer synchronization pattern:
1. Protects the read/write of 'mCallback' using 'mCallbackLock'.
2. Creates a local 'std::shared_ptr<INfcClientCallback> localCallback' inside the critical section. This local copy holds a temporary strong reference, guaranteeing the object's lifetime for the duration of the subsequent sendEvent() call.
Bug: 392699284
Test: nfc_service_fuzzer
Test: atest NfcNciUnitTests
Test: atest CtsNfcTestCases
Test: atest VtsAidlHalNfcTargetTest
Test: atest NfcTestCases
Test: atest NfcServiceTest
(cherry picked from commit fc619c3348188ff0020cdeb7d4c4728a0246fe1a)
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:33b3c128e0f480f6e421761b85c5f00289b62449
Merged-In: I8e9e83be7f939bbfc183cb3879808ceacf931450
Change-Id: I8e9e83be7f939bbfc183cb3879808ceacf931450
1 file changed
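The pattern the commit message describes, as an added example that is not the code from this change: the names ClientCallback, CallbackHolder, midCall and dispatchSurvivesClear are hypothetical, and the "other thread" is simulated deterministically by a hook that clears the callback in the middle of sendEvent().

```cpp
#include <functional>
#include <memory>
#include <mutex>

// Hypothetical stand-in for INfcClientCallback (constructed for this example).
struct ClientCallback {
    static int live;                 // objects currently alive
    std::function<void()> midCall;   // simulates the other thread running mid-call
    int events = 0;
    ClientCallback() { ++live; }
    ~ClientCallback() { --live; }
    void sendEvent() {
        if (midCall) midCall();      // the callback is replaced at this point
        ++events;                    // touches *this after the replacement
    }
};
int ClientCallback::live = 0;

class CallbackHolder {
public:
    // Writer side (the role of Nfc::open): swap under the lock, and let the
    // old object's reference drop only after the lock is released.
    void set(std::shared_ptr<ClientCallback> cb) {
        std::shared_ptr<ClientCallback> old;
        {
            std::lock_guard<std::mutex> guard(mLock);
            old = std::move(mCallback);
            mCallback = std::move(cb);
        }
    }
    // Reader side (the role of eventCallback): take a strong reference inside
    // the critical section, then call through it with the lock released.
    bool dispatch() {
        std::shared_ptr<ClientCallback> local;
        {
            std::lock_guard<std::mutex> guard(mLock);
            local = mCallback;
        }
        if (!local) return false;
        local->sendEvent();          // safe even if set() ran in the meantime
        return true;
    }
private:
    std::mutex mLock;
    std::shared_ptr<ClientCallback> mCallback;
};
```

Calling sendEvent() after releasing the lock also means a callback that re-enters set() cannot deadlock on the non-recursive mutex.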