Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4964e44e authored Oct 09, 2017 by Harsh Shah

msm: camera: isp: Protect the evt_handler with lock



Extend the rw_lock to include th_procesing(), else unsunscribe_irq()
can be called and evt_handler will be freed, causing use after free
in th_processing on evt_handler.
Also, remove asymmetric call to unsubscribe in cam_vfe_stop(). For
VFE Out resources, we do not call subscribe in cam_vfe_start(), so no
need to call unsubscribe.

Change-Id: Ie45a7244645d364b727948fd30f830c6d958ff8a
Signed-off-by: Harsh Shah <harshs@codeaurora.org>

parent 0f62c596

drivers/media/platform/msm/camera/cam_isp/isp_hw_mgr/hw_utils/irq_controller/cam_irq_controller.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -613,7 +613,6 @@ irqreturn_t cam_irq_controller_handle_irq(int irq_num, void *priv)
		i, j, need_th_processing[j]);
		}
		}
		read_unlock(&controller->rw_lock);
		CAM_DBG(CAM_ISP, "unlocked controller %pK name %s rw_lock %pK",
		controller, controller->name, &controller->rw_lock);

		@@ -632,6 +631,7 @@ irqreturn_t cam_irq_controller_handle_irq(int irq_num, void *priv)
		&controller->th_list_head[i]);
		}
		}
		read_unlock(&controller->rw_lock);

		return IRQ_HANDLED;
		}

drivers/media/platform/msm/camera/cam_isp/isp_hw_mgr/isp_hw/vfe_hw/cam_vfe_core.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -507,8 +507,6 @@ int cam_vfe_stop(void hw_priv, void stop_args, uint32_t arg_size)
		core_info->vfe_top->top_priv, isp_res,
		sizeof(struct cam_isp_resource_node));
		} else if (isp_res->res_type == CAM_ISP_RESOURCE_VFE_OUT) {
		cam_irq_controller_unsubscribe_irq(
		core_info->vfe_irq_controller, isp_res->irq_handle);
		rc = core_info->vfe_bus->hw_ops.stop(isp_res, NULL, 0);
		} else {
		CAM_ERR(CAM_ISP, "Invalid res type:%d", isp_res->res_type);