From 29e34cfcf95c6de1f2cbfe2bf588e4e354dbabe0 Mon Sep 17 00:00:00 2001
From: Ady Abraham <adyabr@google.com>
Date: Mon, 6 Jun 2022 15:16:06 -0700
Subject: RESTRICT AUTOMERGE SurfaceFlinger: fix a potential race condition in
 stealReceiveChannel

Add a mutex to prevent a potential race condition.

Bug: 232541124
Test: See bug for details
Change-Id: Ia338f124c786bf12d6adba10a67b9048fe9c34a5
---
 services/surfaceflinger/Scheduler/EventThread.cpp | 5 +++++
 services/surfaceflinger/Scheduler/EventThread.h   | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/services/surfaceflinger/Scheduler/EventThread.cpp b/services/surfaceflinger/Scheduler/EventThread.cpp
index 2321e2d082..68f62ba8c3 100644
--- a/services/surfaceflinger/Scheduler/EventThread.cpp
+++ b/services/surfaceflinger/Scheduler/EventThread.cpp
@@ -171,6 +171,11 @@ void EventThreadConnection::onFirstRef() {
 }
 
 status_t EventThreadConnection::stealReceiveChannel(gui::BitTube* outChannel) {
+    std::scoped_lock lock(mLock);
+    if (mChannel.initCheck() != NO_ERROR) {
+        return NAME_NOT_FOUND;
+    }
+
     outChannel->setReceiveFd(mChannel.moveReceiveFd());
     outChannel->setSendFd(base::unique_fd(dup(mChannel.getSendFd())));
     return NO_ERROR;
diff --git a/services/surfaceflinger/Scheduler/EventThread.h b/services/surfaceflinger/Scheduler/EventThread.h
index 1e6793f77c..b15817a41b 100644
--- a/services/surfaceflinger/Scheduler/EventThread.h
+++ b/services/surfaceflinger/Scheduler/EventThread.h
@@ -102,7 +102,8 @@ public:
 private:
     virtual void onFirstRef();
     EventThread* const mEventThread;
-    gui::BitTube mChannel;
+    std::mutex mLock;
+    gui::BitTube mChannel GUARDED_BY(mLock);
 
     std::vector<DisplayEventReceiver::Event> mPendingEvents;
 };
-- 
cgit v1.2.3-59-g8ed1b