msm: ais: isp: Handling buffer use after getting it freed

In the code, start_fetch can try to access the buffer pointer variable after free, as the same pointer can be freed at RELEASE_BUF call too at the same time. Hence fixing this race condition. Change-Id: Ifb643bace27064e1324d714aebed706b48e44b65 Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
author: Rahul Sharma <sharah@codeaurora.org> 2018-02-12 11:25:36 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2018-02-11 22:25:30 -0800
commit: 08c8d3a7146a5ad807c8b60fde5035b418ce20de (patch)
tree: 0734c216b13d4758ed8036f0f8cf204c331ab117 /drivers
parent: b57f252a8bc188c42915745b56733a7a5ba5bf37 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/ais/isp/msm_isp47.c b/drivers/media/platform/msm/ais/isp/msm_isp47.c
index 9cd367925314..6ca91b4fcf83 100644
--- a/drivers/media/platform/msm/ais/isp/msm_isp47.c
+++ b/drivers/media/platform/msm/ais/isp/msm_isp47.c
@@ -1097,8 +1097,10 @@ int msm_vfe47_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
 			fe_cfg->stream_id);
 		vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
 
+		mutex_lock(&vfe_dev->buf_mgr->lock);
 		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
 			vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
+		mutex_unlock(&vfe_dev->buf_mgr->lock);
 		if (rc < 0 || !buf) {
 			pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
 				__func__, rc, buf);
author	Rahul Sharma <sharah@codeaurora.org>	2018-02-12 11:25:36 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2018-02-11 22:25:30 -0800
commit	08c8d3a7146a5ad807c8b60fde5035b418ce20de (patch)
tree	0734c216b13d4758ed8036f0f8cf204c331ab117 /drivers
parent	b57f252a8bc188c42915745b56733a7a5ba5bf37 (diff)