Commit 0a07b6df authored Oct 12, 2018 by Darshan Kumsi Srinivasa Committed by Gerrit - the friendly Code Review server Oct 12, 2018

msm: vidc: do not set video state to DEINIT very early

If video state set to DEINIT before processing all frame done
packets in the list may create video failures as explained below,
the client communication to video hardware will fail because of
DEINIT state and client will close the session upon failure which
will happen in parallel to response thread processing the response
packets in the list. It may happen that client already free'd the
buffer references and response thread might access the same buffer
reference and results in use-after-free memory fault. So In case
of sys error from video hardware, set video state to DEINIT after
processing all packets in the list to avoid use-after-free failure

Change-Id: I688c3ec3feb2b5621d75c4da93ee9870aa0e6dfe
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>

parent e9e17712

drivers/media/platform/msm/vidc/venus_hfi.c

+5 −3

Original line number	Diff line number	Diff line
		@@ -1175,7 +1175,7 @@ static int __iface_cmdq_write_relaxed(struct venus_hfi_device *device,
		__strict_check(device);

		if (!__core_in_valid_state(device)) {
		dprintk(VIDC_DBG, "%s - fw not in init state\n", __func__);
		dprintk(VIDC_ERR, "%s - fw not in init state\n", __func__);
		result = -EINVAL;
		goto err_q_null;
		}
		@@ -2904,8 +2904,6 @@ static void __process_sys_error(struct venus_hfi_device *device)
		{
		struct hfi_sfr_struct *vsfr = NULL;

		__set_state(device, VENUS_STATE_DEINIT);

		if (__halt_axi(device))
		dprintk(VIDC_WARN, "Failed to halt AXI after SYS_ERROR\n");

		@@ -3163,6 +3161,10 @@ static int __response_handler(struct venus_hfi_device *device)
		"Too many packets in message queue to handle at once, deferring read\n");
		break;
		}

		/* do not read packets after sys error packet */
		if (info->response_type == HAL_SYS_ERROR)
		break;
		}

		if (requeue_pm_work && device->res->sw_power_collapsible) {