video: rockchip: mpp: Fix mpp_dev_release crash

This patch fix crash in mpp_dev_release. In multi-instance case the session on deinit is attached to session_detach and trigger the taskqueue to release session. But the session is released just after unlock and before trigger then the session and invalid and the session->mpp is also invalid. The crash log is shown below: [71267.807643] Call trace: [71267.810099] do_raw_spin_lock+0x20/0xd8 [71267.813937] _raw_spin_lock_irqsave+0x28/0x38 [71267.818292] kthread_queue_work+0x2c/0x80 [71267.822298] mpp_dev_release+0x118/0x154 [71267.826219] __fput+0xf4/0x1a8 [71267.829272] ____fput+0x20/0x2c [71267.832409] task_work_run+0x88/0xb0 [71267.835982] do_notify_resume+0xe8/0x10c [71267.839902] work_pending+0x8/0x10 [71267.843306] Code: aa1e03e0 d503201f 5289d5a0 72bbd5a0 (b9400661) [71267.849396] ---[ end trace d8082e9114a3a9da ]--- Signed-off-by: Herman Chen <herman.chen@rock-chips.com> Change-Id: Ib9825de2f1bc9f7999bdfe193aa440fd85d41448
2021-12-31 14:53:54 +08:00
parent d02ba68161
commit ddc1c24c52
1 changed files with 4 additions and 2 deletions
--- a/drivers/video/rockchip/mpp/mpp_common.c
+++ b/drivers/video/rockchip/mpp/mpp_common.c
@ -346,12 +346,14 @@ static void mpp_session_attach_workqueue(struct mpp_session *session,
 static void mpp_session_detach_workqueue(struct mpp_session *session)
 {
 	struct mpp_taskqueue *queue;
+	struct mpp_dev *mpp;

 	if (!session->mpp || !session->mpp->queue)
 		return;

 	mpp_dbg_session("session %p:%d detach\n", session, session->index);
-	queue = session->mpp->queue;
+	mpp = session->mpp;
+	queue = mpp->queue;

 	mutex_lock(&queue->session_lock);
 	list_del_init(&session->session_link);
@ -359,7 +361,7 @@ static void mpp_session_detach_workqueue(struct mpp_session *session)
 	queue->detach_count++;
 	mutex_unlock(&queue->session_lock);

-	mpp_taskqueue_trigger_work(session->mpp);
+	mpp_taskqueue_trigger_work(mpp);
 }

 static int