From: Kieran Bingham
To: libcamera devel
Date: Wed, 3 Mar 2021 17:04:25 +0000
Message-Id: <20210303170426.189648-3-kieran.bingham@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 2/3] libcamera: pipeline: ipu3: Ensure that IPU3Frames::info is not used after delete

When the IPU3Frames completes, it deletes the internal info storage.
This storage contains the pointer to the Request, but in some cases
the pointer was being accessed after the info structure was removed.

Ensure that the Request is obtained before attempting to complete
to obtain a valid pointer.

Signed-off-by: Kieran Bingham
Reviewed-by: Laurent Pinchart
Reviewed-by: Jacopo Mondi
---
This may be a further sign that we should rework how this is allocated,
but for now - this patch fixes the crash which can occur when shutting
down streams.

The blank line addition in the first hunk is intentional.

 src/libcamera/pipeline/ipu3/ipu3.cpp | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/libcamera/pipeline/ipu3/ipu3.cpp b/src/libcamera/pipeline/ipu3/ipu3.cpp index 2b4d31500533..9539393e5d84 100644 --- a/src/libcamera/pipeline/ipu3/ipu3.cpp +++ b/src/libcamera/pipeline/ipu3/ipu3.cpp @@ -1164,6 +1164,7 @@ void IPU3CameraData::queueFrameAction(unsigned int id, * in action.controls to register additional metadata. */ Request *request = info->request; + info->metadataProcessed = true; if (frameInfos_.tryComplete(info)) pipe_->completeRequest(request); 
@@ -1253,8 +1254,15 @@ void IPU3CameraData::paramBufferReady(FrameBuffer *buffer) return; info->paramDequeued = true; + + /* + * tryComplete() will delete info if it completes the IPU3Frame. + * In that event, we must have obtained the Request before hand. + */ + Request *request = info->request; + if (frameInfos_.tryComplete(info)) - pipe_->completeRequest(info->request); + pipe_->completeRequest(request); } void IPU3CameraData::statBufferReady(FrameBuffer *buffer) @@ -1265,8 +1273,16 @@ void IPU3CameraData::statBufferReady(FrameBuffer *buffer) if (buffer->metadata().status == FrameMetadata::FrameCancelled) { info->metadataProcessed = true; + + /* + * tryComplete() will delete info if it completes the IPU3Frame. + * In that event, we must have obtained the Request before hand. + */ + Request *request = info->request; + if (frameInfos_.tryComplete(info)) - pipe_->completeRequest(info->request); + pipe_->completeRequest(request); + return; }
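Review bot: In the first hunk (IPU3CameraData::queueFrameAction, @@ -1164), the only change is a blank line after `Request *request = info->request;`, so this call site still has no comment explaining why the Request is read before `frameInfos_.tryComplete(info)`. The other two call sites in this patch gain a comment stating that tryComplete() deletes info on completion; adding the same comment here would keep a later cleanup from folding the local back into `pipe_->completeRequest(info->request)`.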
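Review bot: In the paramBufferReady hunk (@@ -1253), the fix depends on each caller remembering to copy `info->request` before calling `frameInfos_.tryComplete(info)`, and `info` is left dangling in the caller whenever that call returns true. Consider having tryComplete() hand the Request back to the caller, or wrapping the copy, tryComplete() and completeRequest() sequence in one helper, so the ordering cannot be broken at a call site. Minor: "before hand" in the new comment should be "beforehand".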
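Review bot: In the statBufferReady hunk (@@ -1265), only the FrameCancelled branch is shown and fixed; everything after the `return;` that closes that branch is outside the diff context. Please confirm, in the commit message or in a follow-up, that no other path in this function reads `info` or `info->request` after a tryComplete() call that returned true, since the same use-after-delete would apply there.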