USB: Fix race condition in acquiring global reference in UsbRequest JNI code
Fixes bug https://code.google.com/p/android/issues/detail?id=59467
Change-Id: I8365e1be4eb0f1f2da49b658af677b590a80e382
diff --git a/core/jni/android_hardware_UsbRequest.cpp b/core/jni/android_hardware_UsbRequest.cpp
index 01eaec4..a3c7b0a 100644
--- a/core/jni/android_hardware_UsbRequest.cpp
+++ b/core/jni/android_hardware_UsbRequest.cpp
@@ -100,18 +100,19 @@
}
request->buffer_length = length;
+ // save a reference to ourselves so UsbDeviceConnection.waitRequest() can find us
+ request->client_data = (void *)env->NewGlobalRef(thiz);
+
if (usb_request_queue(request)) {
if (request->buffer) {
// free our buffer if usb_request_queue fails
free(request->buffer);
request->buffer = NULL;
}
+ env->DeleteGlobalRef((jobject)request->client_data);
return false;
- } else {
- // save a reference to ourselves so UsbDeviceConnection.waitRequest() can find us
- request->client_data = (void *)env->NewGlobalRef(thiz);
- return true;
}
+ return true;
}
static jint
@@ -152,16 +153,17 @@
}
request->buffer_length = length;
+ // save a reference to ourselves so UsbDeviceConnection.waitRequest() can find us
+ // we also need this to make sure our native buffer is not deallocated
+ // while IO is active
+ request->client_data = (void *)env->NewGlobalRef(thiz);
+
if (usb_request_queue(request)) {
request->buffer = NULL;
+ env->DeleteGlobalRef((jobject)request->client_data);
return false;
- } else {
- // save a reference to ourselves so UsbDeviceConnection.waitRequest() can find us
- // we also need this to make sure our native buffer is not deallocated
- // while IO is active
- request->client_data = (void *)env->NewGlobalRef(thiz);
- return true;
}
+ return true;
}
static jint