Fix race conditions in a2dp sink
- Use std::atomic for btif_a2dp_sink_state variable
- Add a lock for other static members
Explanation:
- There's the main thread that things on this file should run on:
btif_a2dp_sink_cb.worker_thread
- External callers may call from any thread.
- fixed_queue_t is a thread safe queue which uses locking.
Many of the functions just append commands to cmd_msg_queue which are
commands which are processed by btif_a2dp_sink_command_ready. Operations
on this queue can be done without locking.
The main bug is a TOCTOU bug on 'rx_audio_queue'.
btif_a2dp_sink_avk_handle_timer preforms a fixed_queue_try_peek_first
operation and modifies the pointer without dequing it. This causes a
race when other operations cause a dequeue on rx_audio_queue.
I have added locks on all functions which modify the static data except:
- Helpers which are only called while locked
- Functions which only modify cmd_msg_queue or access
btif_a2dp_sink_state
Bug:
35807779
Test: Test on device.
Change-Id: I289e23213426dbc182ca4a3fca26bc5658299381
OSDN Git Service
