From 08c8d3a7146a5ad807c8b60fde5035b418ce20de Mon Sep 17 00:00:00 2001
From: Rahul Sharma
Date: Mon, 12 Feb 2018 11:25:36 +0530
Subject: msm: ais: isp: Handling buffer use after getting it freed
In the code, start_fetch can try to access the buffer pointer variable after free, as the same pointer can be freed at RELEASE_BUF call too at the same time. Hence fixing this race condition.
Change-Id: Ifb643bace27064e1324d714aebed706b48e44b65
Signed-off-by: Rahul Sharma
---
 drivers/media/platform/msm/ais/isp/msm_isp47.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/media/platform/msm/ais/isp/msm_isp47.c b/drivers/media/platform/msm/ais/isp/msm_isp47.c
index 9cd367925314..6ca91b4fcf83 100644
--- a/drivers/media/platform/msm/ais/isp/msm_isp47.c
+++ b/drivers/media/platform/msm/ais/isp/msm_isp47.c
@@ -1097,8 +1097,10 @@ int msm_vfe47_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
 fe_cfg->stream_id);
 vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
+ mutex_lock(&vfe_dev->buf_mgr->lock);
 rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
 vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
+ mutex_unlock(&vfe_dev->buf_mgr->lock);
 if (rc < 0 || !buf) {
 pr_err("%s: No fetch buffer rc= %d buf= %pK\n", __func__, rc, buf);
--
cgit v1.2.3
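Review bot: The critical section ends at `mutex_unlock(&vfe_dev->buf_mgr->lock);` immediately after `get_buf_by_index` returns, so the lock covers only the lookup and not any later use of `buf`. The rest of msm_vfe47_start_fetch_engine_multi_pass is outside the hunk, but if it dereferences `buf` after this point, a concurrent RELEASE_BUF can still free the buffer in that window, which is the use-after-free the commit message describes. Unless `get_buf_by_index` takes a reference that pins the buffer (not visible here), move the unlock to after the last access to `buf`, and unlock on the `rc < 0 || !buf` error path as well. It is also worth confirming that the RELEASE_BUF path takes the same `buf_mgr->lock`, and stating this in a comment above the lock, for example `/* buf_mgr->lock serialises against RELEASE_BUF freeing this buffer */`.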