From b15699a98a8f4184675e6a22e2ccf5de2ea8349f Mon Sep 17 00:00:00 2001 From: Cho KyongHo Date: Thu, 26 Jan 2017 15:32:17 +0900 Subject: [PATCH] [COMMON] media: scaler: fix buffer free during working Scaler driver is able to run H/W twice to support the users who want to zoom out the given image by the larger minification factor than the factor H/W supports. It is called pre-scaling and pre-scaling requires a temporary buffer that is not supplied by the users but allocaged by Scaler driver itself. Scaler driver allocates the buffer when it finds that pre-scaling is required and frees when it notices that the pre-scaling is not needed any more. However the driver has a flaw of logic in sc_release() that releases the temporary buffer before waiting for the H/W to be done. It results in accessing a freed buffer by H/W. Change-Id: I951de839884382b9806a744aac92ec4d083fa689 Signed-off-by: Cho KyongHo --- drivers/media/platform/exynos/scaler/scaler-core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/exynos/scaler/scaler-core.c b/drivers/media/platform/exynos/scaler/scaler-core.c index baa4ebac731d..ee56fa700887 100644 --- a/drivers/media/platform/exynos/scaler/scaler-core.c +++ b/drivers/media/platform/exynos/scaler/scaler-core.c @@ -2156,8 +2156,10 @@ static int sc_release(struct file *file) atomic_dec(&sc->m2m.in_use); - destroy_intermediate_frame(ctx); v4l2_m2m_ctx_release(ctx->m2m_ctx); + + destroy_intermediate_frame(ctx); + if (!IS_ERR(sc->aclk)) clk_unprepare(sc->aclk); if (!IS_ERR(sc->pclk)) -- 2.20.1