There are 2 possible race issues with msm_vidc_stats_handler.
[1] msm_vidc_close acquired inst->lock and called cancel_delayed_work,
by that time stats_handler already fired and incremented inst->kref
via get_inst_ref. Close sequence releases the lock and called
put_inst().
So now inst strong ref is held by stats_handler, which will acquire
inst->lock and schedules new stats_work and does put_inst. inst->kref
count reaches zero and it will free inst struct(using close_helper).
So that will lead to use-after-free crash at core kernel side.
[2] msm_vidc_close acquired inst->lock and called cancel_delayed_work,
by that time stats_handler is scheduled. So process_one_work() from
workqueue is ready to call stats_handler api. But before it invokes
stats handler(context switch), msm_vidc_close sequence continued to
run and completed the close sequence and called put_inst. So inst
struct got freed up(because inst->kref count reached to zero). Now if
core kernel(workqueue) attempts to invoke stats_handler by calling
worker->current_func(work), will lead to again use-after-free crash.
Added changes to avoid above mentioned issues.
Change-Id: I55bc33a753f4dbae4a8cdc6373b5465d183da3bc
Signed-off-by: Govindaraj Rajagopal <grajagop@codeaurora.org>
2eb5672463