From ddc1c24c52b5079cf764cdd72254edb8b3be324b Mon Sep 17 00:00:00 2001
From: Herman Chen
Date: Fri, 31 Dec 2021 14:53:54 +0800
Subject: [PATCH] video: rockchip: mpp: Fix mpp_dev_release crash

This patch fix crash in mpp_dev_release. In multi-instance case the session on deinit is attached to session_detach and trigger the taskqueue to release session. But the session is released just after unlock and before trigger then the session and invalid and the session->mpp is also invalid.

The crash log is shown below:

[71267.807643] Call trace:
[71267.810099] do_raw_spin_lock+0x20/0xd8
[71267.813937] _raw_spin_lock_irqsave+0x28/0x38
[71267.818292] kthread_queue_work+0x2c/0x80
[71267.822298] mpp_dev_release+0x118/0x154
[71267.826219] __fput+0xf4/0x1a8
[71267.829272] ____fput+0x20/0x2c
[71267.832409] task_work_run+0x88/0xb0
[71267.835982] do_notify_resume+0xe8/0x10c
[71267.839902] work_pending+0x8/0x10
[71267.843306] Code: aa1e03e0 d503201f 5289d5a0 72bbd5a0 (b9400661)
[71267.849396] ---[ end trace d8082e9114a3a9da ]---

Signed-off-by: Herman Chen
Change-Id: Ib9825de2f1bc9f7999bdfe193aa440fd85d41448
---
 drivers/video/rockchip/mpp/mpp_common.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/video/rockchip/mpp/mpp_common.c b/drivers/video/rockchip/mpp/mpp_common.c
index 602c4a3f1bee..728704a6e2ef 100644
--- a/drivers/video/rockchip/mpp/mpp_common.c
+++ b/drivers/video/rockchip/mpp/mpp_common.c
@@ -346,12 +346,14 @@ static void mpp_session_attach_workqueue(struct mpp_session *session,
 static void mpp_session_detach_workqueue(struct mpp_session *session)
 {
 	struct mpp_taskqueue *queue;
+	struct mpp_dev *mpp;
 
 	if (!session->mpp || !session->mpp->queue)
 		return;
 
 	mpp_dbg_session("session %p:%d detach\n", session, session->index);
-	queue = session->mpp->queue;
+	mpp = session->mpp;
+	queue = mpp->queue;
 
 	mutex_lock(&queue->session_lock);
 	list_del_init(&session->session_link);
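Review bot: The new `mpp = session->mpp;` line carries the whole fix, yet nothing in the code records why the device pointer is cached, so a later cleanup could fold it back into `session->mpp` and reintroduce the use-after-free the commit message describes. A comment on that line would pin the invariant: `/* session may be freed once session_lock is dropped; keep mpp for the trigger below */`. The early `if (!session->mpp || !session->mpp->queue)` check could also use the cached pointer — assign `mpp = session->mpp;` first and test `if (!mpp || !mpp->queue)` — so `session->mpp` is dereferenced in exactly one place. The same lifetime assumption applies to `mpp_taskqueue_trigger_work(mpp)` in the second hunk, which presumably relies on the device outliving the session; the function body continues between the two hunks.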
@@ -359,7 +361,7 @@ static void mpp_session_detach_workqueue(struct mpp_session *session)
 	queue->detach_count++;
 	mutex_unlock(&queue->session_lock);
 
-	mpp_taskqueue_trigger_work(session->mpp);
+	mpp_taskqueue_trigger_work(mpp);
 }
 
 static int