From c17751e14a8b302d9b202a65eed06b99c9be7312 Mon Sep 17 00:00:00 2001
From: Darshan Kumsi Srinivasa
Date: Fri, 5 Oct 2018 17:14:32 +0530
Subject: [PATCH] msm: vidc: do not set video state to DEINIT very early
If video state set to DEINIT before processing all frame done packets in the list may create video failures as explained below, the client communication to video hardware will fail because of DEINIT state and client will close the session upon failure which will happen in parallel to response thread processing the response packets in the list. It may happen that client already free'd the buffer references and response thread might access the same buffer reference and results in use-after-free memory fault. So In case of sys error from video hardware, set video state to DEINIT after processing all packets in the list to avoid use-after-free failure
Change-Id: I688c3ec3feb2b5621d75c4da93ee9870aa0e6dfe
Signed-off-by: Darshan Kumsi Srinivasa
Signed-off-by: Sanjay Singh
---
 drivers/media/platform/msm/vidc/venus_hfi.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/media/platform/msm/vidc/venus_hfi.c b/drivers/media/platform/msm/vidc/venus_hfi.c
index 99903c0e7944..f6180b848c7f 100644
--- a/drivers/media/platform/msm/vidc/venus_hfi.c
+++ b/drivers/media/platform/msm/vidc/venus_hfi.c
@@ -1682,7 +1682,7 @@ static int __iface_cmdq_write_relaxed(struct venus_hfi_device *device,
 __strict_check(device);
 if (!__core_in_valid_state(device)) {
- dprintk(VIDC_DBG, "%s - fw not in init state\n", __func__);
+ dprintk(VIDC_ERR, "%s - fw not in init state\n", __func__);
 result = -EINVAL;
 goto err_q_null;
 }
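Review bot: The promoted `dprintk(VIDC_ERR, ...)` in `__iface_cmdq_write_relaxed` sits on the rejection path that, going by the commit message, client commands take once the core has left the init state, so a client that keeps issuing commands after a firmware failure can now fill the kernel log at error level. Consider rate limiting this message, and including the observed state in it so the line is useful in triage. The function starts and ends outside the hunk, so whether callers already report the `-EINVAL` is not visible here.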
@@ -3408,8 +3408,6 @@ static void __process_sys_error(struct venus_hfi_device *device)
 {
 struct hfi_sfr_struct *vsfr = NULL;
- __set_state(device, VENUS_STATE_DEINIT);
-
 /* Once SYS_ERROR received from HW, it is safe to halt the AXI.
 * With SYS_ERROR, Venus FW may have crashed and HW might be
 * active and causing unnecessary transactions. Hence it is
@@ -3656,6 +3654,10 @@ static int __response_handler(struct venus_hfi_device *device)
 "Too many packets in message queue to handle at once, deferring read\n");
 break;
 }
+
+ /* do not read packets after sys error packet */
+ if (info->response_type == HAL_SYS_ERROR)
+ break;
 }
 if (requeue_pm_work && device->res->sw_power_collapsible) {
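Review bot: Nothing in this patch sets `VENUS_STATE_DEINIT` after the new `break` in `__response_handler`: the five insertions in the diffstat are all accounted for by the log-level change and this check, while the `__process_sys_error` hunk only removes the `__set_state()` call. The commit message says the state is set after all packets are processed, so that transition presumably lives in a caller or in SYS_ERROR handling outside this file; name that path in the comment, e.g. `/* stop at SYS_ERROR; DEINIT is set by <caller> once the collected packets are handled */`, and confirm it runs on every exit path. Until it runs, `__core_in_valid_state()` presumably still passes, so `__iface_cmdq_write_relaxed` can queue commands to firmware that has already reported a fatal error and had its AXI halted; that window should be closed or documented. It is also worth confirming that `info` still refers to the packet just parsed when the check runs, and that messages left unread in the queue after the break are discarded on recovery; the loop body starts outside the hunk.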