6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wangao Wang wangao.wang@oss.qualcomm.com
commit ad699fa78b59241c9d71a8cafb51525f3dab04d4 upstream.
Add sanity check in iris_vb2_stop_streaming. If inst->state is already IRIS_INST_ERROR, we should skip the stream_off operation because it would still send packets to the firmware.
In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash.
Fixes: 11712ce70f8e5 ("media: iris: implement vb2 streaming ops") Cc: stable@vger.kernel.org Reviewed-by: Bryan O'Donoghue bryan.odonoghue@linaro.org Reviewed-by: Dikshita Agarwal dikshita.agarwal@oss.qualcomm.com Signed-off-by: Wangao Wang wangao.wang@oss.qualcomm.com Reviewed-by: Vikash Garodia vikash.garodia@oss.qualcomm.com [bod: remove qcom from patch title] Signed-off-by: Bryan O'Donoghue bod@kernel.org Signed-off-by: Hans Verkuil hverkuil+cisco@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/media/platform/qcom/iris/iris_vb2.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/qcom/iris/iris_vb2.c +++ b/drivers/media/platform/qcom/iris/iris_vb2.c @@ -231,6 +231,8 @@ void iris_vb2_stop_streaming(struct vb2_ return;
mutex_lock(&inst->lock); + if (inst->state == IRIS_INST_ERROR) + goto exit;
if (!V4L2_TYPE_IS_OUTPUT(q->type) && !V4L2_TYPE_IS_CAPTURE(q->type)) @@ -241,10 +243,10 @@ void iris_vb2_stop_streaming(struct vb2_ goto exit;
exit: - iris_helper_buffers_done(inst, q->type, VB2_BUF_STATE_ERROR); - if (ret) + if (ret) { + iris_helper_buffers_done(inst, q->type, VB2_BUF_STATE_ERROR); iris_inst_change_state(inst, IRIS_INST_ERROR); - + } mutex_unlock(&inst->lock); }