msm: sde: Avoid NULL pointer dereference in cancel request

There is a race condition possible when two threads are calling
the rotator cancel request. This might result in accessing a pointer
which was already assigned NULL. Fixing this by adding an extra check.

Change-Id: I9ce321a5f033d1fdc9d8b70a04098bfba3d7baaa
Signed-off-by: Krishna Chaitanya Devarakonda <kdevarak@codeaurora.org>

diff --git a/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c b/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
index abf20ae..422c7a5 100644 (file)
--- a/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
+++ b/drivers/media/platform/msm/sde/rotator/sde_rotator_core.c
@@ -2003,8 +2003,10 @@ static void sde_rotator_cancel_request(struct sde_rot_mgr *mgr,
                sde_rot_mgr_unlock(mgr);
                for (i = req->count - 1; i >= 0; i--) {
                        entry = req->entries + i;
-                       flush_kthread_worker(&entry->commitq->rot_kw);
-                       flush_kthread_worker(&entry->doneq->rot_kw);
+                       if (entry->commitq)
+                               flush_kthread_worker(&entry->commitq->rot_kw);
+                       if (entry->doneq)
+                               flush_kthread_worker(&entry->doneq->rot_kw);
                }
                sde_rot_mgr_lock(mgr);
                SDEROT_DBG("cancel work done\n");