video: driver: avoid race between core_timeout and handle_response

In fwd thread, for sync cmd timeout, core->response_packet willbe freed as part of venus_hfi_core_deinit. So i.e leading to a crash at reverse thread, which is, in the middle of processing response packet as part of handle_response api. So added change to avoid this race issue. Change-Id: Ice7e52c46e8858c89439c17213a08d01b358fe9d Signed-off-by: Govindaraj Rajagopal <grajagop@codeaurora.org>
2021-05-03 18:20:05 +05:30
parent 401b0010e7
commit b0997af910
3 changed files with 25 additions and 20 deletions
--- a/driver/vidc/src/msm_vidc_probe.c
+++ b/driver/vidc/src/msm_vidc_probe.c
@@ -180,6 +180,11 @@ static int msm_vidc_deinitialize_core(struct msm_vidc_core *core)
 	mutex_destroy(&core->lock);
 	msm_vidc_change_core_state(core, MSM_VIDC_CORE_DEINIT, __func__);

+	kfree(core->response_packet);
+	kfree(core->packet);
+	core->response_packet = NULL;
+	core->packet = NULL;
+
 	if (core->batch_workq)
 		destroy_workqueue(core->batch_workq);

@@ -229,6 +234,22 @@ static int msm_vidc_initialize_core(struct msm_vidc_core *core)
 		goto exit;
 	}

+	core->packet_size = 4096;
+	core->packet = kzalloc(core->packet_size, GFP_KERNEL);
+	if (!core->packet) {
+		d_vpr_e("%s(): core packet allocation failed\n", __func__);
+		rc = -ENOMEM;
+		goto exit;
+	}
+
+	core->response_packet = kzalloc(core->packet_size, GFP_KERNEL);
+	if (!core->response_packet) {
+		d_vpr_e("%s(): core response packet allocation failed\n",
+			__func__);
+		rc = -ENOMEM;
+		goto exit;
+	}
+
 	mutex_init(&core->lock);
 	INIT_LIST_HEAD(&core->instances);
 	INIT_LIST_HEAD(&core->dangling_instances);
@@ -240,6 +261,10 @@ static int msm_vidc_initialize_core(struct msm_vidc_core *core)

 	return 0;
 exit:
+	kfree(core->response_packet);
+	kfree(core->packet);
+	core->response_packet = NULL;
+	core->packet = NULL;
 	if (core->batch_workq)
 		destroy_workqueue(core->batch_workq);
 	if (core->pm_workq)
--- a/driver/vidc/src/venus_hfi.c
+++ b/driver/vidc/src/venus_hfi.c
@@ -2805,21 +2805,6 @@ int venus_hfi_core_init(struct msm_vidc_core *core)

 	__strict_check(core);

-	core->packet_size = 4096;
-	core->packet = kzalloc(core->packet_size, GFP_KERNEL);
-	if (!core->packet) {
-		d_vpr_e("%s(): core packet allocation failed\n", __func__);
-		return -ENOMEM;
-	}
-
-	core->response_packet = kzalloc(core->packet_size, GFP_KERNEL);
-	if (!core->response_packet) {
-		d_vpr_e("%s(): core response packet allocation failed\n",
-			__func__);
-		kfree(core->packet);
-		return -ENOMEM;
-	}
-
 	core->handoff_done = 0;

 	rc = __load_fw(core);
@@ -2879,10 +2864,6 @@ int venus_hfi_core_deinit(struct msm_vidc_core *core)
 	__disable_subcaches(core);
 	__interface_queues_deinit(core);
 	__unload_fw(core);
-	kfree(core->response_packet);
-	core->response_packet = NULL;
-	kfree(core->packet);
-	core->packet = NULL;
 	return 0;
 }

--- a/driver/vidc/src/venus_hfi_response.c
+++ b/driver/vidc/src/venus_hfi_response.c
@@ -1439,7 +1439,6 @@ static int __handle_session_response(struct msm_vidc_inst *inst,
 				rc = handle_session_error(inst, packet);
 				if (rc)
 					goto exit;
-				continue;
 			}
 			if (in_range(be[i], packet->type)) {
 				dequeue |= (packet->type == HFI_CMD_BUFFER);