Commit 58569675 authored Sep 21, 2015 by Arun Menon

msm: vidc: Fix race condition with v4l2 event handler



The v4l2 event handler struct should be de-initialized
after we remove inst from the core->instances list.
E.g. There are two video instances and client has called
close on the first instance. Driver de-initializes the event
handler struct. At this moment, there is a sys error from
firmware. So the response handler thread gets scheduled
and driver tries to notify each client about the hardware
error. Since the driver has already de-initialized the
event handler struct for the first video inst, there is
a null pointer access in the v4l2 framework and causes
a device crash. This change will fix the issue.

Change-Id: If27064d97848b1afda513e1a06bf8750ad25cf2d
Signed-off-by: Arun Menon <avmenon@codeaurora.org>

parent e7c95927

drivers/media/platform/msm/vidc/msm_vidc.c

+6 −5

Original line number	Diff line number	Diff line
		@@ -1286,16 +1286,17 @@ int msm_vidc_destroy(struct msm_vidc_inst *inst)

		core = inst->core;

		v4l2_fh_del(&inst->event_handler);

		for (i = 0; i < MAX_PORT_NUM; i++)
		vb2_queue_release(&inst->bufq[i].vb2_bufq);

		mutex_lock(&core->lock);
		/* inst->list lives in core->instances */
		list_del(&inst->list);
		mutex_unlock(&core->lock);

		v4l2_fh_del(&inst->event_handler);
		v4l2_fh_exit(&inst->event_handler);

		for (i = 0; i < MAX_PORT_NUM; i++)
		vb2_queue_release(&inst->bufq[i].vb2_bufq);

		pr_info(VIDC_DBG_TAG "Closed video instance: %p\n",
		VIDC_MSG_PRIO2STRING(VIDC_INFO), inst);
		kfree(inst);