{"id":13584,"url":"https://patchwork.libcamera.org/api/1.1/patches/13584/?format=json","web_url":"https://patchwork.libcamera.org/patch/13584/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/1.1/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20210831183739.901729-1-hiroh@chromium.org>","date":"2021-08-31T18:37:39","name":"[libcamera-devel,v3] android: camera_device: Fix crash in calling CameraDevice::close()","commit_ref":null,"pull_url":null,"state":"superseded","archived":false,"hash":"dc5ff59ea4bbbbb9c1f80341e9368c8c41a9a1b9","submitter":{"id":63,"url":"https://patchwork.libcamera.org/api/1.1/people/63/?format=json","name":"Hirokazu Honda","email":"hiroh@chromium.org"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/13584/mbox/","series":[{"id":2429,"url":"https://patchwork.libcamera.org/api/1.1/series/2429/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=2429","date":"2021-08-31T18:37:39","name":"[libcamera-devel,v3] android: camera_device: Fix crash in calling CameraDevice::close()","version":3,"mbox":"https://patchwork.libcamera.org/series/2429/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/13584/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/13584/checks/","tags":{},"headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 0CC47BD87D\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue, 31 Aug 2021 18:37:49 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 6FC866916A;\n\tTue, 31 Aug 2021 20:37:48 +0200 (CEST)","from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com\n\t[IPv6:2607:f8b0:4864:20::52e])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id AE00068890\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue, 31 Aug 2021 20:37:46 +0200 (CEST)","by mail-pg1-x52e.google.com with SMTP id c17so162441pgc.0\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue, 31 Aug 2021 11:37:46 -0700 (PDT)","from hiroh2.tok.corp.google.com\n\t([2401:fa00:8f:203:af31:7c67:f02a:bccc])\n\tby smtp.gmail.com with ESMTPSA id\n\tq12sm18840146pfj.153.2021.08.31.11.37.43\n\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n\tTue, 31 Aug 2021 11:37:44 -0700 (PDT)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=chromium.org header.i=@chromium.org\n\theader.b=\"YSjUYpUb\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org;\n\ts=google; h=from:to:cc:subject:date:message-id:mime-version\n\t:content-transfer-encoding;\n\tbh=JnoG+HBbKt91xqpDoLnHesnWam5ljOD2Dk0xRH52O64=;\n\tb=YSjUYpUbfNfbAikK64JIcPlwjhBajZmlsS2ki7HUq2bzbVIu1F7uLrmrfpLA07BPjN\n\tVxpULjDjdEGOc5SP5M7DL3g7fy5MGveTlotEfQdcNXoGTxDMCytNu1tAqiGcnXbxliIm\n\tAvoAkL2I/1wURPaodc0iBuOb7G3Y3s8iYEU8c=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version\n\t:content-transfer-encoding;\n\tbh=JnoG+HBbKt91xqpDoLnHesnWam5ljOD2Dk0xRH52O64=;\n\tb=Cemg7BwAfB/lex0WTVdqovJ97fYn10b9ZymhOVBcZK1za/NgR8u6EqvUE6nbJT3KVJ\n\tIgyhlYDq/Cze/PM4sGmMxJONO/gQCMobkHR79fg5IZ5E9N3/iUwSMueNpfqy836cyPq2\n\tUe/PSHK+JOghFB6O8GTy/VLzK+RXm8sacWgIzkzVDmZiF9tHhnxwLvp316aX2i+iJjf2\n\tAYvX9WXkjuPQ1deA6iTg2I0zQDIAmODzkw7h44PqgPZggXblcPkL9YFhJj8ydMEp/wr4\n\tMeVuRLQl2qZtsUZaco3vha2brjB0RMV/8RayZLo3MqRfNbTO1AN1nlRJmx03d9B3bohm\n\tCalQ==","X-Gm-Message-State":"AOAM531pJ8vw4dyuv4acoPSIVinGvyoEKz+8G8zNjKH1FJtkwGHhtKQe\n\tf4JmMgGa1slx8YisxNvjEC/rqqUa4fd2Eg==","X-Google-Smtp-Source":"ABdhPJyynAshAy0KdGmcZw/UftHv4HNCv8N/kaNTbnosbYFsSsxQg1RNrZz4wk00flHtREYJJ2xpKA==","X-Received":"by 2002:aa7:9d02:0:b0:3f3:df3b:81ae with SMTP id\n\tk2-20020aa79d02000000b003f3df3b81aemr23521236pfp.19.1630435064854; \n\tTue, 31 Aug 2021 11:37:44 -0700 (PDT)","From":"Hirokazu Honda <hiroh@chromium.org>","To":"libcamera-devel@lists.libcamera.org","Date":"Wed,  1 Sep 2021 03:37:39 +0900","Message-Id":"<20210831183739.901729-1-hiroh@chromium.org>","X-Mailer":"git-send-email 2.33.0.259.gc128427fd7-goog","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH v3] android: camera_device: Fix crash in\n\tcalling CameraDevice::close()","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"},"content":"The problem is happening because we seem to add a CameraStream\nassociated buffer(depending on the CameraStream::Type) to the Request,\nin CameraDevice::processCaptureRequest().\n\nHowever, when the camera stops, all the current buffers are marked with\nFrameMetadata::FrameCancelled and proceed to completion. But the buffer\nassociated with the CameraStream (that was previously added to the\nrequest) has now been cleared out with a part of streams_.clear(), even\nbefore the camera stop() has been invoked. Any access to those request\nbuffers after they have been cleared, shall result in a crash.\n\nSigned-off-by: Hirokazu Honda <hiroh@chromium.org>\n---\n src/android/camera_device.cpp | 4 ++--\n 1 file changed, 2 insertions(+), 2 deletions(-)","diff":"diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp\nindex 8ca76719..fda77db4 100644\n--- a/src/android/camera_device.cpp\n+++ b/src/android/camera_device.cpp\n@@ -423,8 +423,6 @@ int CameraDevice::open(const hw_module_t *hardwareModule)\n \n void CameraDevice::close()\n {\n-\tstreams_.clear();\n-\n \tstop();\n \n \tcamera_->release();\n@@ -457,6 +455,8 @@ void CameraDevice::stop()\n \tcamera_->stop();\n \n \tdescriptors_.clear();\n+\tstreams_.clear();\n+\n \tstate_ = State::Stopped;\n }\n \n","prefixes":["libcamera-devel","v3"]}