From: Hsin-Yi Wang <hsinyi@xxxxxxxxxxxx>
It is possible that empty_flush_buf is removed in mtk_venc_worker() and
then again in vb2ops_venc_stop_streaming(). However, there's no empty
list check in v4l2_m2m_buf_remove_by_buf(). Double remove causes a
kernel crash.
Signed-off-by: Hsin-Yi Wang <hsinyi@xxxxxxxxxxxx>
[acourbot: fix commit log a bit]
Signed-off-by: Alexandre Courbot <acourbot@xxxxxxxxxxxx>
---
.../media/platform/mtk-vcodec/mtk_vcodec_enc.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
index 4de381b522ae..8af7e840b958 100644
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
@@ -933,9 +933,21 @@ static void vb2ops_venc_stop_streaming(struct vb2_queue *q)
}
/* STREAMOFF on the CAPTURE queue completes any ongoing flush */
if (ctx->is_flushing) {
+ struct v4l2_m2m_buffer *b, *n;
+
mtk_v4l2_debug(1, "STREAMOFF called while flushing");
- v4l2_m2m_buf_remove_by_buf(&ctx->m2m_ctx->out_q_ctx,
- &ctx->empty_flush_buf.vb);
+ /*
+ * STREAMOFF could be called before the flush buffer is
+ * dequeued. Check whether empty flush buf is still in
+ * queue before removing it.
+ */
+ v4l2_m2m_for_each_src_buf_safe(ctx->m2m_ctx, b, n) {
+ if (b == &ctx->empty_flush_buf) {
+ v4l2_m2m_src_buf_remove_by_buf(
+ ctx->m2m_ctx, &b->vb);
+ break;
+ }
+ }
ctx->is_flushing = false;
}
} else {
--
2.30.1.766.gb4fecdf3b7-goog
