msm: ais: isp: Handling buffer use after getting it freed (08c8d3a7) · Commits · e / devices / android_kernel_sony_msm8998

In the code, start_fetch can try to access the buffer pointer variable after free, as the same pointer can be freed at RELEASE_BUF call too at the same time. Hence fixing this race condition. Change-Id: Ifb643bace27064e1324d714aebed706b48e44b65 Signed-off-by:

Rahul Sharma <sharah@codeaurora.org>

drivers/media/platform/msm/ais/isp/msm_isp47.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1097,8 +1097,10 @@ int msm_vfe47_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
		fe_cfg->stream_id);
		vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;

		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
		vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0 \|\| !buf) {
		pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
		__func__, rc, buf);