mm-camera2:isp2: Handle use after free buffer
start_fetch can access the buffer pointer after it has been freed, because a concurrent RELEASE_BUF call can free the same pointer. Change-Id: Ic83f22336504cf67afe12131f791eee25477f011 Signed-off-by: Meera Gande <mgande@codeaurora.org> Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
parent
1fd85fc4b7
commit
d6f20078ac
|
@ -1079,14 +1079,16 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd,
|
|||
mutex_unlock(&vfe_dev->core_mutex);
|
||||
break;
|
||||
case VIDIOC_MSM_ISP_AXI_RESTART:
|
||||
mutex_lock(&vfe_dev->core_mutex);
|
||||
mutex_lock(&vfe_dev->buf_mgr->lock);
|
||||
if (atomic_read(&vfe_dev->error_info.overflow_state)
|
||||
!= HALT_ENFORCED) {
|
||||
mutex_lock(&vfe_dev->core_mutex);
|
||||
rc = msm_isp_stats_restart(vfe_dev);
|
||||
rc |= msm_isp_axi_restart(vfe_dev, arg);
|
||||
} else {
|
||||
pr_err_ratelimited("Halt Enforced");
|
||||
}
|
||||
mutex_unlock(&vfe_dev->buf_mgr->lock);
|
||||
mutex_unlock(&vfe_dev->core_mutex);
|
||||
break;
|
||||
case VIDIOC_MSM_ISP_INPUT_CFG:
|
||||
|
|
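Review bot: The VIDIOC_MSM_ISP_AXI_RESTART case now nests `vfe_dev->buf_mgr->lock` inside `vfe_dev->core_mutex`, but nothing in the hunk records that ordering or shows that the RELEASE_BUF path named in the commit message takes `buf_mgr->lock` before it frees; if it does not, the use-after-free window stays open, and any path that takes the two mutexes in the opposite order can deadlock. I would add a comment above the two lock calls such as `/* Lock order: core_mutex, then buf_mgr->lock. Held across restart so buffers cannot be released while start_fetch uses them. */`. This page has lost its +/- markers, so please confirm that the `mutex_lock(&vfe_dev->core_mutex);` inside the `if` block is a removed line: if it remains on the new side, the ioctl would take a mutex it already holds and hang. Any callee of `msm_isp_stats_restart()` or `msm_isp_axi_restart()` that acquires `buf_mgr->lock` itself would hit the same self-deadlock, which cannot be checked from this hunk; the enclosing switch in `msm_isp_ioctl_unlocked` continues outside it.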