{"id":1705,"url":"https://patchwork.libcamera.org/api/patches/1705/?format=json","web_url":"https://patchwork.libcamera.org/patch/1705/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20190716054218.22136-2-laurent.pinchart@ideasonboard.com>","date":"2019-07-16T05:42:18","name":"[libcamera-devel,2/2] libcamera: pipeline: ipu3: Free internal buffers after stopping streaming","commit_ref":"124336329c11e1fc1687504fc37f67189a44ee2d","pull_url":null,"state":"accepted","archived":false,"hash":"5ea18ba25a76ff39a9fdc2757ea21e70cb987697","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/?format=json","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/1705/mbox/","series":[{"id":433,"url":"https://patchwork.libcamera.org/api/series/433/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=433","date":"2019-07-16T05:42:17","name":"[libcamera-devel,1/2] libcamera: pipeline: ipu3: Initialise pixel format to NV12 in new config","version":1,"mbox":"https://patchwork.libcamera.org/series/433/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/1705/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/1705/checks/","tags":{},"headers":{"Return-Path":"","Received":["from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 74037618D6\n\tfor ;\n\tTue, 16 Jul 2019 07:42:52 +0200 (CEST)","from pendragon.ideasonboard.com (unknown\n\t[IPv6:2a00:79e1:abc:3602:59ec:6c:1869:337])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 4728F564\n\tfor ;\n\tTue, 16 Jul 2019 07:42:50 +0200 (CEST)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1563255772;\n\tbh=pZUCkicrvDezla7Xgo88NgfgXuT9h5RSIEF/SRCqo68=;\n\th=From:To:Subject:Date:In-Reply-To:References:From;\n\tb=MhKdf38gQweF/VTXoe6kn+N2fR/GxVZ50fRfo2h3dtRS0kR98MJcgEIx6QynQTU4N\n\tveIr7TCJVYbV4zEkgBA8XKEm8SibvBFC1FON3GhH7/xZ9wwSuGmR2MAqwEZdMYFpdt\n\tduLrEwk41JKVThvtlxFQV2yUlLb77iupc57RrENQ=","From":"Laurent Pinchart ","To":"libcamera-devel@lists.libcamera.org","Date":"Tue, 16 Jul 2019 08:42:18 +0300","Message-Id":"<20190716054218.22136-2-laurent.pinchart@ideasonboard.com>","X-Mailer":"git-send-email 2.21.0","In-Reply-To":"<20190716054218.22136-1-laurent.pinchart@ideasonboard.com>","References":"<20190716054218.22136-1-laurent.pinchart@ideasonboard.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH 2/2] libcamera: pipeline: ipu3: Free\n\tinternal buffers after stopping streaming","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.23","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","X-List-Received-Date":"Tue, 16 Jul 2019 05:42:52 -0000"},"content":"The internal buffers between the CIO2 and ImgU are freed by the\nCIO2Device::stop() method, which is called first when stopping\nstreaming. The ImgUDevice::stop() method is then called, and attempts to\nreport completion for all queued buffers, which we have just freed. The\nuse-after-free corrupts memory, leading to crashes.\n\nFix this by moving the vector of internal buffers to the IPU3CameraData\nwhere it belongs, and free the buffers after stopping both devices.\n\nSigned-off-by: Laurent Pinchart \n---\n src/libcamera/pipeline/ipu3/ipu3.cpp | 28 ++++++++++++----------------\n 1 file changed, 12 insertions(+), 16 deletions(-)","diff":"diff --git a/src/libcamera/pipeline/ipu3/ipu3.cpp b/src/libcamera/pipeline/ipu3/ipu3.cpp\nindex febc867b4d7e..159a9312f95e 100644\n--- a/src/libcamera/pipeline/ipu3/ipu3.cpp\n+++ b/src/libcamera/pipeline/ipu3/ipu3.cpp\n@@ -122,7 +122,7 @@ public:\n \tBufferPool *exportBuffers();\n \tvoid freeBuffers();\n \n-\tint start();\n+\tint start(std::vector> *buffer);\n \tint stop();\n \n \tstatic int mediaBusToFormat(unsigned int code);\n@@ -132,7 +132,6 @@ public:\n \tCameraSensor *sensor_;\n \n \tBufferPool pool_;\n-\tstd::vector> buffers_;\n };\n \n class IPU3Stream : public Stream\n@@ -165,6 +164,8 @@ public:\n \n \tIPU3Stream outStream_;\n \tIPU3Stream vfStream_;\n+\n+\tstd::vector> rawBuffers_;\n };\n \n class IPU3CameraConfiguration : public CameraConfiguration\n@@ -688,7 +689,7 @@ int PipelineHandlerIPU3::start(Camera *camera)\n \t * Start the ImgU video devices, buffers will be queued to the\n \t * ImgU output and viewfinder when requests will be queued.\n \t */\n-\tret = cio2->start();\n+\tret = cio2->start(&data->rawBuffers_);\n \tif (ret)\n \t\tgoto error;\n \n@@ -704,6 +705,7 @@ int PipelineHandlerIPU3::start(Camera *camera)\n error:\n \tLOG(IPU3, Error) << \"Failed to start camera \" << camera->name();\n \n+\tdata->rawBuffers_.clear();\n \treturn ret;\n }\n \n@@ -717,6 +719,8 @@ void PipelineHandlerIPU3::stop(Camera *camera)\n \tif (ret)\n \t\tLOG(IPU3, Warning) << \"Failed to stop camera \"\n \t\t\t\t << camera->name();\n+\n+\tdata->rawBuffers_.clear();\n }\n \n int PipelineHandlerIPU3::queueRequest(Camera *camera, Request *request)\n@@ -1454,26 +1458,18 @@ void CIO2Device::freeBuffers()\n \t\tLOG(IPU3, Error) << \"Failed to release CIO2 buffers\";\n }\n \n-int CIO2Device::start()\n+int CIO2Device::start(std::vector> *buffers)\n {\n-\tint ret;\n-\n-\tbuffers_ = output_->queueAllBuffers();\n-\tif (buffers_.empty())\n+\t*buffers = output_->queueAllBuffers();\n+\tif (buffers->empty())\n \t\treturn -EINVAL;\n \n-\tret = output_->streamOn();\n-\tif (ret)\n-\t\treturn ret;\n-\n-\treturn 0;\n+\treturn output_->streamOn();\n }\n \n int CIO2Device::stop()\n {\n-\tint ret = output_->streamOff();\n-\tbuffers_.clear();\n-\treturn ret;\n+\treturn output_->streamOff();\n }\n \n int CIO2Device::mediaBusToFormat(unsigned int code)\n","prefixes":["libcamera-devel","2/2"]}