Revert "mm-video-v4l2: venc: Avoid buffer access after free"
This reverts commit d53750a9db5b622fa19423ab82f0ee3ab1e25cbb.
Bug: 67670457
Bug: 36130225
Test: capture a video
(cherry picked from commit 16df6cadaee3fc5b47fb0bc43214bfed658a87e7)
Change-Id: Iecc4e13fad9bc35ad09a6f4347f75eafcbf00f60
diff --git a/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h b/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
index afe31ef..13b5025 100644
--- a/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
+++ b/msm8998/mm-video-v4l2/vidc/venc/inc/omx_video_base.h
@@ -702,7 +702,6 @@
bool allocate_native_handle;
uint64_t m_out_bm_count;
- uint64_t m_client_out_bm_count;
uint64_t m_inp_bm_count;
uint64_t m_flags;
uint64_t m_etb_count;
diff --git a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
index 43b5f6b..5d0f445 100644
--- a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
+++ b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp
@@ -289,7 +289,6 @@
pending_output_buffers(0),
allocate_native_handle(false),
m_out_bm_count(0),
- m_client_out_bm_count(0),
m_inp_bm_count(0),
m_flags(0),
m_etb_count(0),
@@ -2903,7 +2902,6 @@
}
BITMASK_SET(&m_out_bm_count,i);
- BITMASK_SET(&m_client_out_bm_count,i);
} else {
DEBUG_PRINT_ERROR("ERROR: All o/p Buffers have been Used, invalid use_buf call for "
"index = %u", i);
@@ -2941,8 +2939,6 @@
DEBUG_PRINT_ERROR("ERROR: Use Buffer in Invalid State");
return OMX_ErrorInvalidState;
}
-
- auto_lock l(m_buf_lock);
if (port == PORT_INDEX_IN) {
auto_lock l(m_lock);
eRet = use_input_buffer(hComp,bufferHdr,port,appData,bytes,buffer);
@@ -2952,6 +2948,7 @@
DEBUG_PRINT_ERROR("ERROR: Invalid Port Index received %d",(int)port);
eRet = OMX_ErrorBadPortIndex;
}
+
if (eRet == OMX_ErrorNone) {
if (allocate_done()) {
if (BITMASK_PRESENT(&m_flags,OMX_COMPONENT_IDLE_PENDING)) {
@@ -3014,6 +3011,7 @@
}
if (index < m_sInPortDef.nBufferCountActual && m_pInput_pmem) {
+ auto_lock l(m_lock);
if (mUseProxyColorFormat) {
if (m_opq_pmem_q.m_size) {
@@ -3567,7 +3565,7 @@
DEBUG_PRINT_ERROR("ERROR: Allocate Buf in Invalid State");
return OMX_ErrorInvalidState;
}
- auto_lock l(m_buf_lock);
+
// What if the client calls again.
if (port == PORT_INDEX_IN) {
auto_lock l(m_lock);
@@ -3639,12 +3637,7 @@
unsigned int nPortIndex;
DEBUG_PRINT_LOW("In for encoder free_buffer");
- auto_lock l(m_buf_lock);
- if (port == PORT_INDEX_OUT) { //client called freebuffer, clearing client buffer bitmask right away to avoid use after free
- nPortIndex = buffer - (OMX_BUFFERHEADERTYPE*)m_out_mem_ptr;
- if(BITMASK_PRESENT(&m_client_out_bm_count, nPortIndex))
- BITMASK_CLEAR(&m_client_out_bm_count,nPortIndex);
- }
+
if (m_state == OMX_StateIdle &&
(BITMASK_PRESENT(&m_flags ,OMX_COMPONENT_LOADING_PENDING))) {
DEBUG_PRINT_LOW(" free buffer while Component in Loading pending");
@@ -4004,7 +3997,7 @@
{
DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data");
- auto_lock l(m_buf_lock);
+ auto_lock l(m_lock);
pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer;
if (pmem_data_buf && BITMASK_PRESENT(&m_inp_bm_count, nBufIndex)) {
memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset),
diff --git a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
index 20213b3..b8ee093 100644
--- a/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
+++ b/msm8998/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp
@@ -2361,15 +2361,11 @@
DEBUG_PRINT_ERROR("WARNING:Rxd DeInit,OMX not in LOADED state %d",\
m_state);
}
-
- auto_lock l(m_buf_lock);
if (m_out_mem_ptr) {
DEBUG_PRINT_LOW("Freeing the Output Memory");
for (i=0; i< m_sOutPortDef.nBufferCountActual; i++ ) {
if (BITMASK_PRESENT(&m_out_bm_count, i)) {
BITMASK_CLEAR(&m_out_bm_count, i);
- if (BITMASK_PRESENT(&m_client_out_bm_count, i))
- BITMASK_CLEAR(&m_client_out_bm_count, i);
free_output_buffer (&m_out_mem_ptr[i]);
}
@@ -2729,8 +2725,7 @@
omxhdr->nFlags = m_sVenc_msg->buf.flags;
/*Use buffer case*/
- if (BITMASK_PRESENT(&(omx->m_client_out_bm_count), bufIndex) &&
- omx->output_use_buffer && !omx->m_use_output_pmem && !omx->is_secure_session()) {
+ if (omx->output_use_buffer && !omx->m_use_output_pmem && !omx->is_secure_session()) {
DEBUG_PRINT_LOW("memcpy() for o/p Heap UseBuffer");
memcpy(omxhdr->pBuffer,
(m_sVenc_msg->buf.ptrbuffer),
