From ae571220e089a7790c7a820e98a86fd3071f8b75 Mon Sep 17 00:00:00 2001
From: wangmingming1
Date: Mon, 28 Jan 2019 14:13:35 +0800
Subject: [PATCH] binder: Release tracking lock before invoking binder_proxy_limit_callback fixed the following dead lock Bug:
"ReferenceQueueDaemon" daemon prio=5 tid=5 Native
native: #01 pc 000000000002248c /system/lib64/libc.so (__futex_wait_ex(...
native: #02 pc 0000000000082c58 /system/lib64/libc.so (NonPI::MutexLockWithTimeout(...
native: #03 pc 00000000000519b8 /system/lib64/libbinder.so (android::BpBinder::~BpBinder()+76)
native: #04 pc 0000000000051c6c /system/lib64/libbinder.so (_ZTv0_n24_N7android8BpBinderD0Ev+36)
native: #05 pc 000000000012f658 /system/lib64/libandroid_runtime.so (BinderProxy_destroy(void*)+72)
"Binder:1501_10" prio=5 tid=27 Native
native: #01 pc 000000000002248c /system/lib64/libc.so (__futex_wait_ex(...
native: #02 pc 0000000000082c58 /system/lib64/libc.so (NonPI::MutexLockWithTimeout(...
native: #03 pc 0000000000130d04 /system/lib64/libandroid_runtime.so (android_os_BinderInternal_proxyLimitcallback(...
native: #04 pc 00000000000509c0 /system/lib64/libbinder.so (android::BpBinder::create(...
native: #05 pc 000000000007a33c /system/lib64/libbinder.so (android::ProcessState::getStrongProxyForHandle(...
native: #06 pc 0000000000061fd0 /system/lib64/libbinder.so (android::unflatten_binder(...
native: #07 pc 0000000000068d48 /system/lib64/libbinder.so (android::Parcel::readStrongBinder(...
native: #08 pc 00000000001229b0 /system/lib64/libandroid_runtime.so (android::android_os_Parcel_readStrongBinder(...
Test: run monkey runner
Signed-off-by: wangmingming1
Change-Id: I4c16d98646add0a173ec638d67276c1d8974c8e7
Signed-off-by: mydongistiny
Signed-off-by: celtare21
---
 libs/binder/BpBinder.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libs/binder/BpBinder.cpp b/libs/binder/BpBinder.cpp
index 449a9e9aa7..f502d775b6 100644
--- a/libs/binder/BpBinder.cpp
+++ b/libs/binder/BpBinder.cpp
@@ -110,10 +110,11 @@ BpBinder* BpBinder::create(int32_t handle) {
 int32_t trackedUid = -1;
 if (sCountByUidEnabled) {
 trackedUid = IPCThreadState::self()->getCallingUid();
- AutoMutex _l(sTrackingLock);
+ sTrackingLock.lock();
 uint32_t trackedValue = sTrackingMap[trackedUid];
 if (CC_UNLIKELY(trackedValue & LIMIT_REACHED_MASK)) {
 if (sBinderProxyThrottleCreate) {
+ sTrackingLock.unlock();
 return nullptr;
 }
 } else {
@@ -121,16 +122,21 @@ BpBinder* BpBinder::create(int32_t handle) {
 ALOGE("Too many binder proxy objects sent to uid %d from uid %d (%d proxies held)",
 getuid(), trackedUid, trackedValue);
 sTrackingMap[trackedUid] |= LIMIT_REACHED_MASK;
+ sTrackingLock.unlock();
+ // Release sTrackingLock before calling into BinderProxy, or we might end in dead lock
 if (sLimitCallback) sLimitCallback(trackedUid);
+ sTrackingLock.lock();
 if (sBinderProxyThrottleCreate) {
 ALOGI("Throttling binder proxy creates from uid %d in uid %d until binder proxy"
 " count drops below %d",
 trackedUid, getuid(), sBinderProxyCountLowWatermark);
 return nullptr;
+ sTrackingLock.unlock();
 }
 }
 }
 sTrackingMap[trackedUid]++;
+ sTrackingLock.unlock();
 }
 return new BpBinder(handle, trackedUid);
 }
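Review bot: In the first hunk (`-110,10 +110,11`), replacing `AutoMutex _l(sTrackingLock);` with a bare `sTrackingLock.lock();` means every exit from create() must now release the lock by hand, and nothing in the function enforces that. The early `return nullptr;` in this hunk is paired with an unlock, but the pattern is easy to break on the next edit. I would keep the scoped guard inside braces that close before sLimitCallback is invoked and open a second guarded scope afterwards. At minimum, add a comment at the lock site such as `// manually locked: every return below must call sTrackingLock.unlock() first`. create() begins above this hunk and continues past it.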
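Review bot: In the second hunk (`-121,16 +122,21`), the `sTrackingLock.unlock();` added after `return nullptr;` in the `sBinderProxyThrottleCreate` branch is unreachable, so create() returns with sTrackingLock still held from the re-lock just above. Any later acquisition of that lock would then block, whether from another create() or from the ~BpBinder() path shown in the commit message's trace. That turns the throttle path into a process-wide hang on binder proxy creation and destruction. The two lines need to be swapped: `sTrackingLock.unlock();` then `return nullptr;`. Separately, `trackedValue` was read before the lock was dropped around sLimitCallback, so any new use of it after the re-lock should re-read `sTrackingMap[trackedUid]` instead.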