msm: vidc: Fix a bug in closing the instance
When sending the SESSION END command to FW, driver
is moving to OPEN state due to a bug. This is causing
state transitions to go out of order. When session end
is recieved from FW, driver is accessing the memory which
is freed.This may cause pointer mismatch resulting random
crashes. This change fix the same.
Change-Id: I89373ccbcf72983e82119b9247ff29defc6f5305
CRs-Fixed: 468218
Signed-off-by: Praneeth Paladugu <ppaladug@codeaurora.org>
diff --git a/drivers/media/platform/msm/vidc/hfi_response_handler.c b/drivers/media/platform/msm/vidc/hfi_response_handler.c
index 102e1ec..91fb514 100644
--- a/drivers/media/platform/msm/vidc/hfi_response_handler.c
+++ b/drivers/media/platform/msm/vidc/hfi_response_handler.c
@@ -1003,12 +1003,6 @@
return;
}
- sess_close = (struct hal_session *)pkt->session_id;
- dprintk(VIDC_INFO, "deleted the session: 0x%x",
- sess_close->session_id);
- list_del(&sess_close->list);
- kfree(sess_close);
-
memset(&cmd_done, 0, sizeof(struct msm_vidc_cb_cmd_done));
cmd_done.device_id = device_id;
cmd_done.session_id =
@@ -1016,6 +1010,11 @@
cmd_done.status = hfi_map_err_status((u32)pkt->error_type);
cmd_done.data = NULL;
cmd_done.size = 0;
+ sess_close = (struct hal_session *)pkt->session_id;
+ dprintk(VIDC_INFO, "deleted the session: 0x%x",
+ sess_close->session_id);
+ list_del(&sess_close->list);
+ kfree(sess_close);
callback(SESSION_END_DONE, &cmd_done);
}
diff --git a/drivers/media/platform/msm/vidc/msm_vidc_common.c b/drivers/media/platform/msm/vidc/msm_vidc_common.c
index 30530d4..512f075 100644
--- a/drivers/media/platform/msm/vidc/msm_vidc_common.c
+++ b/drivers/media/platform/msm/vidc/msm_vidc_common.c
@@ -1431,7 +1431,7 @@
"Failed to send close\n");
goto exit;
}
- change_inst_state(inst, MSM_VIDC_OPEN);
+ change_inst_state(inst, MSM_VIDC_CLOSE);
exit:
return rc;
}