surfaceflinger: don't close fence fds after passing to queueBuffer

ANativeWindow::queueBuffer takes ownership of the fence fd passed to
it, and will close it before returning. SurfaceFlinger's screenshot
code was also closing the syncFd it passed to queueBuffer. Most of the
time this meant the second close() silently failed, but in a rare race
condition the file descriptor could be reused between the two
close()s.

Bug: 17946343
Change-Id: Ib74fcb1dce52cc21328059c99b7c4c76f41aa3a5

diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 419b246..96a8adb 100644 (file)
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -3247,10 +3247,8 @@ status_t SurfaceFlinger::captureScreenImplLocked(
                 } else {
                     result = BAD_VALUE;
                 }
+                // queueBuffer takes ownership of syncFd
                 window->queueBuffer(window, buffer, syncFd);
-                if (syncFd != -1) {
-                    close(syncFd);
-                }
             }
         } else {
             result = BAD_VALUE;