From f696aed9e703de20fa0dc3e1cba9687b11dc7b3a Mon Sep 17 00:00:00 2001 From: Krishna Chaitanya Devarakonda Date: Thu, 31 Aug 2017 21:24:53 +0530 Subject: [PATCH] msm: sde: Avoid NULL pointer dereference in cancel request There is a race condition possible when two threads are calling the rotator cancel request. This might result in accessing a pointer which was already assigned NULL. Fixing this by adding an extra check. Change-Id: I9ce321a5f033d1fdc9d8b70a04098bfba3d7baaa Signed-off-by: Krishna Chaitanya Devarakonda --- drivers/media/platform/msm/sde/rotator/sde_rotator_core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c b/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
index abf20aef1256..422c7a590a45 100644
--- a/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
+++ b/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
@@ -2003,8 +2003,10 @@ static void sde_rotator_cancel_request(struct sde_rot_mgr *mgr,
 sde_rot_mgr_unlock(mgr);
 for (i = req->count - 1; i >= 0; i--) {
 entry = req->entries + i;
- flush_kthread_worker(&entry->commitq->rot_kw);
- flush_kthread_worker(&entry->doneq->rot_kw);
+ if (entry->commitq)
+ flush_kthread_worker(&entry->commitq->rot_kw);
+ if (entry->doneq)
+ flush_kthread_worker(&entry->doneq->rot_kw);
 }
 sde_rot_mgr_lock(mgr);
 SDEROT_DBG("cancel work done\n");
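Review bot: The new `if (entry->commitq)` and `if (entry->doneq)` checks run after `sde_rot_mgr_unlock(mgr)`, so they are check-then-use on fields that, per the commit message, another canceling thread can clear. The pointer can still become NULL between the test and the `&entry->commitq->rot_kw` dereference, because each field is read twice with no lock held. At minimum read each pointer once into a local, e.g. `q = READ_ONCE(entry->commitq); if (q) flush_kthread_worker(&q->rot_kw);`, and do the same for `doneq`. That only narrows the window: nothing in the hunk shows that `req` and its entries stay valid while the lock is dropped, so the second cancel presumably needs to be rejected under the manager lock before the unlock. The function starts and ends outside this hunk, so confirm against the full body.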