binder: Release tracking lock before invoking binder_proxy_limit_call…

…back fixed the following dead lock Bug: "ReferenceQueueDaemon" daemon prio=5 tid=5 Native native: #1 pc 000000000002248c /system/lib64/libc.so (__futex_wait_ex(... native: #2 pc 0000000000082c58 /system/lib64/libc.so (NonPI::MutexLockWithTimeout(... native: #3 pc 00000000000519b8 /system/lib64/libbinder.so (android::BpBinder::~BpBinder()+76) native: #4 pc 0000000000051c6c /system/lib64/libbinder.so (_ZTv0_n24_N7android8BpBinderD0Ev+36) native: #5 pc 000000000012f658 /system/lib64/libandroid_runtime.so (BinderProxy_destroy(void*)+72) "Binder:1501_10" prio=5 tid=27 Native native: #1 pc 000000000002248c /system/lib64/libc.so (__futex_wait_ex(... native: #2 pc 0000000000082c58 /system/lib64/libc.so (NonPI::MutexLockWithTimeout(... native: #3 pc 0000000000130d04 /system/lib64/libandroid_runtime.so (android_os_BinderInternal_proxyLimitcallback(... native: #4 pc 00000000000509c0 /system/lib64/libbinder.so (android::BpBinder::create(... native: #5 pc 000000000007a33c /system/lib64/libbinder.so (android::ProcessState::getStrongProxyForHandle(... native: #6 pc 0000000000061fd0 /system/lib64/libbinder.so (android::unflatten_binder(... native: #7 pc 0000000000068d48 /system/lib64/libbinder.so (android::Parcel::readStrongBinder(... native: #8 pc 00000000001229b0 /system/lib64/libandroid_runtime.so (android::android_os_Parcel_readStrongBinder(... Test: run monkey runner Signed-off-by: wangmingming1 <[email protected]> Change-Id: I4c16d98646add0a173ec638d67276c1d8974c8e7 Signed-off-by: mydongistiny <[email protected]> Signed-off-by: celtare21 <[email protected]>
AospExtended · Sep 17, 2019 · ae57122 · ae57122
1 parent 264f000
commit ae57122
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/libs/binder/BpBinder.cpp b/libs/binder/BpBinder.cpp
@@ -110,27 +110,33 @@ BpBinder* BpBinder::create(int32_t handle) {
     int32_t trackedUid = -1;
     if (sCountByUidEnabled) {
         trackedUid = IPCThreadState::self()->getCallingUid();
-        AutoMutex _l(sTrackingLock);
+        sTrackingLock.lock();
         uint32_t trackedValue = sTrackingMap[trackedUid];
         if (CC_UNLIKELY(trackedValue & LIMIT_REACHED_MASK)) {
             if (sBinderProxyThrottleCreate) {
+                sTrackingLock.unlock();
                 return nullptr;
             }
         } else {
             if ((trackedValue & COUNTING_VALUE_MASK) >= sBinderProxyCountHighWatermark) {
                 ALOGE("Too many binder proxy objects sent to uid %d from uid %d (%d proxies held)",
                       getuid(), trackedUid, trackedValue);
                 sTrackingMap[trackedUid] |= LIMIT_REACHED_MASK;
+                sTrackingLock.unlock();
+                // Release sTrackingLock before calling into BinderProxy, or we might end in dead lock
                 if (sLimitCallback) sLimitCallback(trackedUid);
+                sTrackingLock.lock();
                 if (sBinderProxyThrottleCreate) {
                     ALOGI("Throttling binder proxy creates from uid %d in uid %d until binder proxy"
                           " count drops below %d",
                           trackedUid, getuid(), sBinderProxyCountLowWatermark);
                     return nullptr;
+                    sTrackingLock.unlock();
                 }
             }
         }
         sTrackingMap[trackedUid]++;
+        sTrackingLock.unlock();
     }
     return new BpBinder(handle, trackedUid);
 }