author | Krishna Chaitanya Devarakonda <kdevarak@codeaurora.org> | 2017-08-31 21:24:53 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-09-04 22:43:21 -0700 |
commit | f696aed9e703de20fa0dc3e1cba9687b11dc7b3a (patch) | |
tree | 407dd7041eed43ce20f4cdfe0a1c8f7ac92792be | |
parent | a2e923bd7d0cca53287c5806d8cc130737ac30a0 (diff) |
msm: sde: Avoid NULL pointer dereference in cancel request
There is a race condition possible when two threads are calling
the rotator cancel request. This might result in accessing a pointer
which was already assigned NULL. Fixing this by adding an extra check.
Change-Id: I9ce321a5f033d1fdc9d8b70a04098bfba3d7baaa
Signed-off-by: Krishna Chaitanya Devarakonda <kdevarak@codeaurora.org>
-rw-r--r-- | drivers/media/platform/msm/sde/rotator/sde_rotator_core.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c b/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
index abf20aef1256..422c7a590a45 100644
--- a/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
+++ b/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
@@ -2003,8 +2003,10 @@ static void sde_rotator_cancel_request(struct sde_rot_mgr *mgr,
 sde_rot_mgr_unlock(mgr);
 for (i = req->count - 1; i >= 0; i--) {
 entry = req->entries + i;
- flush_kthread_worker(&entry->commitq->rot_kw);
- flush_kthread_worker(&entry->doneq->rot_kw);
+ if (entry->commitq)
+ flush_kthread_worker(&entry->commitq->rot_kw);
+ if (entry->doneq)
+ flush_kthread_worker(&entry->doneq->rot_kw);
 }
 sde_rot_mgr_lock(mgr);
 SDEROT_DBG("cancel work done\n"); |
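Review bot: The new `if (entry->commitq)` and `if (entry->doneq)` tests run after `sde_rot_mgr_unlock(mgr)`, so each pointer is tested and then loaded again for `&entry->commitq->rot_kw` with nothing stopping the other cancelling thread from clearing it in between; the check narrows the race described in the commit message but does not close it. Reading each pointer once into a local and using only that local, e.g. `commitq = READ_ONCE(entry->commitq); if (commitq) flush_kthread_worker(&commitq->rot_kw);`, or snapshotting both pointers before the unlock, would make the test and the use see the same value. If the thread that clears the pointer also releases the queue, the flush could still run on a released worker; the hunk does not show the queue's lifetime, so that is worth confirming. The body of sde_rotator_cancel_request starts and ends outside the hunk.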