power-libperfmgr: ADPF: fix use-after-free crash

Jimmy Shiu · lifehackerhansol · commit 8cd4e1ff6d2d · 2024-05-07T21:45:42.000-07:00
The main problem is the timer thread could be woken after the session
was destroyed. We did have a closed flag which was set in destructor and the flag would be checked before handleMessage accessing the session
instance. To fix the problem, the operations of flag checking and session instance accessing should be guarded by the lock.

Bug: 236674672
Test: manual test
Change-Id: I49a18efbc135b1bc070b101038a8a0bcc6e19fec
(cherry picked from commit 5c75978f530b27bd976d8695ed79acd336c24776)
Merged-In: I49a18efbc135b1bc070b101038a8a0bcc6e19fec
diff --git a/power-libperfmgr/aidl/PowerHintSession.cpp b/power-libperfmgr/aidl/PowerHintSession.cpp
@@ -263,14 +263,10 @@ ndk::ScopedAStatus PowerHintSession::close() {
     }
     // Remove the session from PowerSessionManager first to avoid racing.
     PowerSessionManager::getInstance()->removePowerSession(this);
-    setSessionUclampMin(0);
-    {
-        std::lock_guard<std::mutex> guard(mSessionLock);
-        mSessionClosed.store(true);
-    }
-    mDescriptor->is_active.store(false);
     mEarlyBoostHandler->setSessionDead();
     mStaleTimerHandler->setSessionDead();
+    setSessionUclampMin(0);
+    mDescriptor->is_active.store(false);
     updateUniveralBoostMode();
     return ndk::ScopedAStatus::ok();
 }
@@ -501,6 +497,7 @@ void PowerHintSession::StaleTimerHandler::updateTimer(time_point<steady_clock> s
 }
 
 void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {
+    std::lock_guard<std::mutex> guard(mClosedLock);
     if (mIsSessionDead) {
         return;
     }
@@ -530,7 +527,7 @@ void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {
 }
 
 void PowerHintSession::StaleTimerHandler::setSessionDead() {
-    std::lock_guard<std::mutex> guard(mStaleLock);
+    std::lock_guard<std::mutex> guard(mClosedLock);
     mIsSessionDead = true;
     PowerHintMonitor::getInstance()->getLooper()->removeMessages(mSession->mStaleTimerHandler);
 }
diff --git a/power-libperfmgr/aidl/PowerHintSession.h b/power-libperfmgr/aidl/PowerHintSession.h
@@ -103,7 +103,7 @@ class PowerHintSession : public BnPowerHintSession {
 
       private:
         PowerHintSession *mSession;
-        std::mutex mStaleLock;
+        std::mutex mClosedLock;
         std::mutex mMessageLock;
         std::atomic<time_point<steady_clock>> mStaleTime;
         std::atomic<bool> mIsMonitoring;

Original file line number	Diff line number	Diff line change
`@@ -263,14 +263,10 @@ ndk::ScopedAStatus PowerHintSession::close() {`
`263`	`263`	`}`
`264`	`264`	`// Remove the session from PowerSessionManager first to avoid racing.`
`265`	`265`	`PowerSessionManager::getInstance()->removePowerSession(this);`
`266`		`- setSessionUclampMin(0);`
`267`		`- {`
`268`		`- std::lock_guard<std::mutex> guard(mSessionLock);`
`269`		`- mSessionClosed.store(true);`
`270`		`- }`
`271`		`- mDescriptor->is_active.store(false);`
`272`	`266`	`mEarlyBoostHandler->setSessionDead();`
`273`	`267`	`mStaleTimerHandler->setSessionDead();`
	`268`	`+ setSessionUclampMin(0);`
	`269`	`+ mDescriptor->is_active.store(false);`
`274`	`270`	`updateUniveralBoostMode();`
`275`	`271`	`return ndk::ScopedAStatus::ok();`
`276`	`272`	`}`
`@@ -501,6 +497,7 @@ void PowerHintSession::StaleTimerHandler::updateTimer(time_point<steady_clock> s`
`501`	`497`	`}`
`502`	`498`
`503`	`499`	`void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {`
	`500`	`+ std::lock_guard<std::mutex> guard(mClosedLock);`
`504`	`501`	`if (mIsSessionDead) {`
`505`	`502`	`return;`
`506`	`503`	`}`
`@@ -530,7 +527,7 @@ void PowerHintSession::StaleTimerHandler::handleMessage(const Message &) {`
`530`	`527`	`}`
`531`	`528`
`532`	`529`	`void PowerHintSession::StaleTimerHandler::setSessionDead() {`
`533`		`- std::lock_guard<std::mutex> guard(mStaleLock);`
	`530`	`+ std::lock_guard<std::mutex> guard(mClosedLock);`
`534`	`531`	`mIsSessionDead = true;`
`535`	`532`	`PowerHintMonitor::getInstance()->getLooper()->removeMessages(mSession->mStaleTimerHandler);`
`536`	`533`	`}`