fix: Close() deadlock when read loop holds fdMu during blocking ioctl

xaionaro@dx.center · xaionaro@dx.center · commit c98a491fe293 · 2026-03-22T08:29:02.000Z
The read loop holds fdMu.RLock across a blocking BINDER_WRITE_READ ioctl.
Close() tried to take fdMu.Lock (write) before closing the fd, creating a
deadlock: the ioctl won't return until the fd is closed, but Close() can't
close the fd until the ioctl releases RLock.

Fix: close the raw fd first to interrupt blocked ioctls with EBADF, then
take fdMu.Lock to invalidate the fd field. No new Transact calls can
start because d.closed is already set.

Also fix camera_connect example: replace os.Exit(0) with return so
deferred drv.Close runs, and add Disconnect call on success path.
diff --git a/examples/camera_connect/main.go b/examples/camera_connect/main.go
@@ -112,8 +112,16 @@ func main() {
 	deviceUser, err := cameraProxy.ConnectDevice(ctx, callback, "0")
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "ConnectDevice error (expected): %v\n", err)
-		os.Exit(0)
+		// Let deferred drv.Close run for clean shutdown.
+		return
 	}
 
 	fmt.Printf("ConnectDevice succeeded: %v\n", deviceUser)
+
+	// Disconnect the camera device before closing the binder driver.
+	// This tells the camera service to release the callback, so the
+	// binder driver's read loop is not stuck waiting for transactions.
+	if err := deviceUser.Disconnect(ctx); err != nil {
+		fmt.Fprintf(os.Stderr, "Disconnect: %v\n", err)
+	}
 }
diff --git a/kernelbinder/driver.go b/kernelbinder/driver.go
@@ -224,12 +224,28 @@ func (d *Driver) Close(
 		}
 	}
 
-	// Take fdMu write lock to wait for all in-flight ioctls (which
-	// hold RLock) to finish, then invalidate fd/mapped so no new
-	// operations can use them. The actual munmap and close happen
-	// outside both locks using local copies.
-	d.fdMu.Lock()
+	// Close the raw fd FIRST to interrupt any blocked ioctl (e.g. the
+	// read loop's BINDER_WRITE_READ). The read loop holds fdMu.RLock
+	// across a blocking ioctl, so taking fdMu.Lock here would deadlock
+	// if the ioctl never returns. Closing the fd wakes the ioctl with
+	// EBADF, allowing it to release the RLock.
+	//
+	// No new Transact calls can start because d.closed is already true
+	// (checked under d.mu). The read loop will see EBADF and exit.
+	d.fdMu.RLock()
 	fd := d.fd
+	d.fdMu.RUnlock()
+
+	if fd >= 0 {
+		if err := unix.Close(fd); err != nil {
+			errs = append(errs, &aidlerrors.BinderError{Op: "close", Err: err})
+		}
+	}
+
+	// Now take the write lock to wait for all in-flight ioctls to
+	// finish (they will see EBADF and return promptly), then
+	// invalidate fd/mapped so no stale accesses occur.
+	d.fdMu.Lock()
 	mapped := d.mapped
 	d.fd = -1
 	d.mapped = nil
@@ -241,12 +257,6 @@ func (d *Driver) Close(
 		}
 	}
 
-	if fd >= 0 {
-		if err := unix.Close(fd); err != nil {
-			errs = append(errs, &aidlerrors.BinderError{Op: "close", Err: err})
-		}
-	}
-
 	// Wait for the read loop goroutine to exit after closing the fd.
 	// The read loop detects the closed fd via EBADF and returns.
 	// Only wait if the read loop was actually started; otherwise
