Fix issue 2127371: Possible race condition in AudioFlinger::openRecord() when a Track is being destroyed. The fix consists in locking AudioFlinger::mLock mutex in the TrackBase destructor before clearing the strong pointer to the shared memory client. The mutex is not locked in removeclient() any more which implies that we must make sure that the Client destructor is always called from the TrackBase destructor or that we hold the mLock mutex before calling deleting the Client.

commit: b9481d8cf6f3ade96ed062dc3f601c777fe4430f [log] [tgz]
author: Eric Laurent <elaurent@google.com> Thu Sep 17 05:12:56 2009 -0700
committer: Eric Laurent <elaurent@google.com> Thu Sep 17 09:26:04 2009 -0700
tree: 4b6e08fb86055440d681edf00a7d891f08ca4e04
parent: 76f0111845f0886f522cfe1eb5ec1dee34181f7c [diff] [blame]
diff --git a/libs/audioflinger/AudioFlinger.h b/libs/audioflinger/AudioFlinger.h
index 7a6641f..3699019 100644
--- a/libs/audioflinger/AudioFlinger.h
+++ b/libs/audioflinger/AudioFlinger.h

@@ -189,6 +189,8 @@
         virtual             ~Client();
         const sp<MemoryDealer>&     heap() const;
         pid_t               pid() const { return mPid; }
+        sp<AudioFlinger>    audioFlinger() { return mAudioFlinger; }
+
     private:
                             Client(const Client&);
                             Client& operator = (const Client&);
@@ -641,7 +643,7 @@
     friend class PlaybackThread::Track;
 
 
-                void        removeClient(pid_t pid);
+                void        removeClient_l(pid_t pid);
 
 
     // record thread
commit	b9481d8cf6f3ade96ed062dc3f601c777fe4430f	[log] [tgz]
author	Eric Laurent <elaurent@google.com>	Thu Sep 17 05:12:56 2009 -0700
committer	Eric Laurent <elaurent@google.com>	Thu Sep 17 09:26:04 2009 -0700
tree	4b6e08fb86055440d681edf00a7d891f08ca4e04
parent	76f0111845f0886f522cfe1eb5ec1dee34181f7c [diff] [blame]