From a79435bd6f7de397ac7f65f68c8db0f7173eabe5 Mon Sep 17 00:00:00 2001
From: Rob Carr
Date: Fri, 6 Mar 2020 14:46:07 -0800
Subject: SurfaceFlinger: Avoid destroying Layer on Binder thread

BufferQueueLayer::onFrameAvailable passes 'this' as an sp to SurfaceInterceptor. This constructs a temporary sp. We are on a binder thread and not holding any locks, so at this point the main thread could drop it's last references. Then when we destroy our temporary sp it is the last reference and we end up invoking ~Layer from the Binder thread, an invalid operation which in this case leads to dead-lock (as we attempt to reacquire the already acquired BufferQueue mutex from the BufferQueueLayer d'tor)

Bug: 149473038
Test: Existing tests pass
Change-Id: I77a20bedf2db3b974ac03d804f70993514478fb2
---
 services/surfaceflinger/BufferQueueLayer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'services/surfaceflinger/BufferQueueLayer.cpp')
diff --git a/services/surfaceflinger/BufferQueueLayer.cpp b/services/surfaceflinger/BufferQueueLayer.cpp
index 18f7f44fa5..fac9024121 100644
--- a/services/surfaceflinger/BufferQueueLayer.cpp
+++ b/services/surfaceflinger/BufferQueueLayer.cpp
@@ -441,7 +441,7 @@ void BufferQueueLayer::onFrameAvailable(const BufferItem& item) {
 mQueueItemCondition.broadcast();
 }
- mFlinger->mInterceptor->saveBufferUpdate(this, item.mGraphicBuffer->getWidth(),
+ mFlinger->mInterceptor->saveBufferUpdate(layerId, item.mGraphicBuffer->getWidth(),
 item.mGraphicBuffer->getHeight(), item.mFrameNumber);
 mFlinger->signalLayerUpdate();
--
cgit v1.2.3-59-g8ed1b
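Review bot: Nothing at the `saveBufferUpdate(layerId, ...)` call site records why an id is passed instead of the layer, so a later cleanup could restore `this` and bring back the temporary sp that lets ~Layer run on the Binder thread. I would add a comment directly above the call, for example `// Pass the id, not 'this': a temporary sp<Layer> here could become the last reference and run ~Layer on this Binder thread.` The same lifetime hazard presumably applies to any other place in onFrameAvailable that forms an sp from `this` without a lock held, which is worth checking, since the function starts outside this hunk. `layerId` is also defined outside the hunk, so it cannot be confirmed from here that it is the same identifier the interceptor derived from the layer before. The commit adds no test for the teardown race ("Existing tests pass"), so the comment is the only thing guarding against a regression.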