Fix deadlock in camera destruction after client app's crash

* why deadlock happened: when an app (CTS camera test) crashes while using
  camera, its binder is closed and reference counter is decreased. If camera
  is inside callback, sp<Client> inside callback will hold the Client instance,
  and Client instance is destroyed when the callback ends as sp<Client> to hold
  it no longer exists. The destructor of Client instance tries to clean up
  camera H/W which tries to stop threads created by camera HAL including the
  thread context where the callback is running. This causes deadlock where the
  callback thread itself is waiting for itself to terminate.
  Note that the deadlock will not happen if camera callback is not active. In
  that case, closing of binder will force the destruction of Client instance,
  and the destruction happens in binder thread.

* Fix: Forces Client descruction in binder thread
- remove sp<Client> from callbacks to prevent destruction in callback context
- add client lock to allow callback to use raw pointer safely. This prevents
  the destructor from deleting the instance while callback is using it.
- add status change inside destructor with client lock to safely destroy Client

Bug: 6214383
Change-Id: Ic6d6396d4d95ce9e72a16ec2480ae65c100fe806

1 files changed, 13 insertions, 3 deletions

diff --git a/services/camera/libcameraservice/CameraService.h b/services/camera/libcameraservice/CameraService.h
index 457c79b..7972201 100644
--- a/services/camera/libcameraservice/CameraService.h
+++ b/services/camera/libcameraservice/CameraService.h
@@ -49,7 +49,10 @@ public:
     virtual sp<ICamera> connect(const sp<ICameraClient>& cameraClient, int cameraId,
                                 bool force, bool keep);
     virtual void        removeClient(const sp<ICameraClient>& cameraClient);
-    virtual sp<Client>  getClientById(int cameraId);
+    // returns plain pointer of client. Note that mClientLock should be acquired to
+    // prevent the client from destruction. The result can be NULL.
+    virtual Client*     getClientByIdUnsafe(int cameraId);
+    virtual Mutex*      getClientLockById(int cameraId);
 
     virtual status_t    dump(int fd, const Vector<String16>& args);
     virtual status_t    onTransact(uint32_t code, const Parcel& data,
@@ -69,6 +72,7 @@ public:
 private:
     Mutex               mServiceLock;
     wp<Client>          mClient[MAX_CAMERAS];  // protected by mServiceLock
+    Mutex               mClientLock[MAX_CAMERAS]; // prevent Client destruction inside callbacks
     int                 mNumberOfCameras;
 
     // atomics to record whether the hardware is allocated to some client.
@@ -147,8 +151,9 @@ private:
         static void             dataCallback(int32_t msgType, const sp<IMemory>& dataPtr,
                                              camera_frame_metadata_t *metadata, void* user);
         static void             dataCallbackTimestamp(nsecs_t timestamp, int32_t msgType, const sp<IMemory>& dataPtr, void* user);
-        // convert client from cookie
-        static sp<Client>       getClientFromCookie(void* user);
+        static Mutex*        getClientLockFromCookie(void* user);
+        // convert client from cookie. Client lock should be acquired before getting Client.
+        static Client*       getClientFromCookie(void* user);
         // handlers for messages
         void                    handleShutter(void);
         void                    handlePreviewData(int32_t msgType, const sp<IMemory>& mem,
@@ -204,6 +209,11 @@ private:
         // of the original one), we allocate mPreviewBuffer and reuse it if possible.
         sp<MemoryHeapBase>              mPreviewBuffer;
 
+        // the instance is in the middle of destruction. When this is set,
+        // the instance should not be accessed from callback.
+        // CameraService's mClientLock should be acquired to access this.
+        bool                            mDestructionStarted;
+
         // We need to avoid the deadlock when the incoming command thread and
         // the CameraHardwareInterface callback thread both want to grab mLock.
         // An extra flag is used to tell the callback thread that it should stop