From a0169a073d88efefbfb35fa0ea8e94f7b31d7469 Mon Sep 17 00:00:00 2001 From: Eric Laurent Date: Mon, 6 Jul 2015 18:32:01 -0700 Subject: audio: Do not delete PatchRecord before Peer is stopped PatchPanel::clearPatchConnections deletes PatchRecord before the peer PatchTrack is stopped. This can cause an access to already free'ed memory leading to a crash in PatchTrack::getNextBuffer. Fix is to delete PatchRecord and PatchTrack only after removing both of them from active tracks list Bug: 22304526. Change-Id: I7003756d3d2dd8912ce5e3b2fc31f5e82f455888 --- services/audioflinger/PatchPanel.cpp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'services/audioflinger/PatchPanel.cpp') diff --git a/services/audioflinger/PatchPanel.cpp b/services/audioflinger/PatchPanel.cpp index 9248bba..f6078a2 100644 --- a/services/audioflinger/PatchPanel.cpp +++ b/services/audioflinger/PatchPanel.cpp @@ -481,22 +481,31 @@ void AudioFlinger::PatchPanel::clearPatchConnections(Patch *patch) if (patch->mRecordThread != 0) { if (patch->mPatchRecord != 0) { patch->mRecordThread->deletePatchRecord(patch->mPatchRecord); - patch->mPatchRecord.clear(); } audioflinger->closeInputInternal_l(patch->mRecordThread); - patch->mRecordThread.clear(); } if (patch->mPlaybackThread != 0) { if (patch->mPatchTrack != 0) { patch->mPlaybackThread->deletePatchTrack(patch->mPatchTrack); - patch->mPatchTrack.clear(); } // if num sources == 2 we are reusing an existing playback thread so we do not close it if (patch->mAudioPatch.num_sources != 2) { audioflinger->closeOutputInternal_l(patch->mPlaybackThread); } + } + if (patch->mRecordThread != 0) { + if (patch->mPatchRecord != 0) { + patch->mPatchRecord.clear(); + } + patch->mRecordThread.clear(); + } + if (patch->mPlaybackThread != 0) { + if (patch->mPatchTrack != 0) { + patch->mPatchTrack.clear(); + } patch->mPlaybackThread.clear(); } + } /* Disconnect a patch */ -- cgit v1.1