C2AllocatorIon:protect mMappings using mutex

Use mutex to prevent multiple threads accessing same member of mMappings list at the same time. Bug: 193790350 Test: adb shell UBSAN_OPTIONS=print_stacktrace=1 /data/local/tmp/C2FuzzerMp3Dec -rss_limit_mb=2560 -timeout=90 -runs=100 /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerMp3Dec-5713156165206016 Change-Id: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35 Merged-In: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35 (cherry picked from commit 9d2295f)
CipherOS-Revived · Jan 12, 2022 · 416da6e · 416da6e
1 parent f708734
commit 416da6e
Showing 1 changed file with 22 additions and 15 deletions.
diff --git a/media/codec2/vndk/C2AllocatorIon.cpp b/media/codec2/vndk/C2AllocatorIon.cpp
@@ -202,6 +202,7 @@ class C2AllocationIon::Impl {
 
         c2_status_t err = mapInternal(mapSize, mapOffset, alignmentBytes, prot, flags, &(map.addr), addr);
         if (map.addr) {
+            std::lock_guard<std::mutex> guard(mMutexMappings);
             mMappings.push_back(map);
         }
         return err;
@@ -212,22 +213,26 @@ class C2AllocationIon::Impl {
             ALOGD("tried to unmap unmapped buffer");
             return C2_NOT_FOUND;
         }
-        for (auto it = mMappings.begin(); it != mMappings.end(); ++it) {
-            if (addr != (uint8_t *)it->addr + it->alignmentBytes ||
-                    size + it->alignmentBytes != it->size) {
-                continue;
+        { // Scope for the lock_guard of mMutexMappings.
+            std::lock_guard<std::mutex> guard(mMutexMappings);
+            for (auto it = mMappings.begin(); it != mMappings.end(); ++it) {
+                if (addr != (uint8_t *)it->addr + it->alignmentBytes ||
+                        size + it->alignmentBytes != it->size) {
+                    continue;
+                }
+                int err = munmap(it->addr, it->size);
+                if (err != 0) {
+                    ALOGD("munmap failed");
+                    return c2_map_errno<EINVAL>(errno);
+                }
+                if (fence) {
+                    *fence = C2Fence(); // not using fences
+                }
+                (void)mMappings.erase(it);
+                ALOGV("successfully unmapped: addr=%p size=%zu fd=%d", addr, size,
+                          mHandle.bufferFd());
+                return C2_OK;
             }
-            int err = munmap(it->addr, it->size);
-            if (err != 0) {
-                ALOGD("munmap failed");
-                return c2_map_errno<EINVAL>(errno);
-            }
-            if (fence) {
-                *fence = C2Fence(); // not using fences
-            }
-            (void)mMappings.erase(it);
-            ALOGV("successfully unmapped: addr=%p size=%zu fd=%d", addr, size, mHandle.bufferFd());
-            return C2_OK;
         }
         ALOGD("unmap failed to find specified map");
         return C2_BAD_VALUE;
@@ -236,6 +241,7 @@ class C2AllocationIon::Impl {
     virtual ~Impl() {
         if (!mMappings.empty()) {
             ALOGD("Dangling mappings!");
+            std::lock_guard<std::mutex> guard(mMutexMappings);
             for (const Mapping &map : mMappings) {
                 (void)munmap(map.addr, map.size);
             }
@@ -315,6 +321,7 @@ class C2AllocationIon::Impl {
         size_t size;
     };
     std::list<Mapping> mMappings;
+    std::mutex mMutexMappings;
 };
 
 class C2AllocationIon::ImplV2 : public C2AllocationIon::Impl {