From 062e9f67de7f2633dca6f93a40c1d0497a3ee418 Mon Sep 17 00:00:00 2001
From: Sankalp Sharma <c_sanksh@qti.qualcomm.com>
Date: Wed, 13 Sep 2017 18:01:10 +0530
Subject: [PATCH] msm: ais: Synchronize camera open/close calls

Synchronize camera_v4l2_open and camera_v4l2_close to avoid use
after free.

Change-Id: I4055f00ff30408cc0469015b3e49d877632726bf
CRs-fixed: 2048964
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
---
 drivers/media/platform/msm/ais/camera/camera.c | 6 ++++++
 drivers/media/platform/msm/ais/msm.h           | 1 +
 2 files changed, 7 insertions(+)

diff --git a/drivers/media/platform/msm/ais/camera/camera.c b/drivers/media/platform/msm/ais/camera/camera.c
index 33808d18d4c4..3f477d50ceaf 100644
--- a/drivers/media/platform/msm/ais/camera/camera.c
+++ b/drivers/media/platform/msm/ais/camera/camera.c
@@ -628,6 +628,7 @@ static int camera_v4l2_open(struct file *filep)
 	if (WARN_ON(!pvdev))
 		return -EIO;
 
+	mutex_lock(&pvdev->video_drvdata_mutex);
 	rc = camera_v4l2_fh_open(filep);
 	if (rc < 0) {
 		pr_err("%s : camera_v4l2_fh_open failed Line %d rc %d\n",
@@ -698,6 +699,7 @@ static int camera_v4l2_open(struct file *filep)
 	idx |= (1 << find_first_zero_bit((const unsigned long *)&opn_idx,
 				MSM_CAMERA_STREAM_CNT_BITS));
 	atomic_cmpxchg(&pvdev->opened, opn_idx, idx);
+	mutex_unlock(&pvdev->video_drvdata_mutex);
 
 	return rc;
 
@@ -712,6 +714,7 @@ stream_fail:
 vb2_q_fail:
 	camera_v4l2_fh_release(filep);
 fh_open_fail:
+	mutex_unlock(&pvdev->video_drvdata_mutex);
 	return rc;
 }
 
@@ -746,6 +749,7 @@ static int camera_v4l2_close(struct file *filep)
 	if (WARN_ON(!session))
 		return -EIO;
 
+	mutex_lock(&pvdev->video_drvdata_mutex);
 	mutex_lock(&session->close_lock);
 	opn_idx = atomic_read(&pvdev->opened);
 	mask = (1 << sp->stream_id);
@@ -788,6 +792,7 @@ static int camera_v4l2_close(struct file *filep)
 	}
 
 	camera_v4l2_fh_release(filep);
+	mutex_unlock(&pvdev->video_drvdata_mutex);
 
 	return 0;
 }
@@ -936,6 +941,7 @@ int camera_init_v4l2(struct device *dev, unsigned int *session)
 
 	*session = pvdev->vdev->num;
 	atomic_set(&pvdev->opened, 0);
+	mutex_init(&pvdev->video_drvdata_mutex);
 	video_set_drvdata(pvdev->vdev, pvdev);
 	device_init_wakeup(&pvdev->vdev->dev, 1);
 	goto init_end;
diff --git a/drivers/media/platform/msm/ais/msm.h b/drivers/media/platform/msm/ais/msm.h
index 5d456310c301..ff3008ec6872 100644
--- a/drivers/media/platform/msm/ais/msm.h
+++ b/drivers/media/platform/msm/ais/msm.h
@@ -46,6 +46,7 @@ extern bool is_daemon_status;
 struct msm_video_device {
 	struct video_device *vdev;
 	atomic_t opened;
+	struct mutex video_drvdata_mutex;
 };
 
 struct msm_queue_head {