From patchwork Tue Aug 31 18:37:39 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hirokazu Honda <hiroh@chromium.org>
X-Patchwork-Id: 13584
Return-Path: <libcamera-devel-bounces@lists.libcamera.org>
X-Original-To: parsemail@patchwork.libcamera.org
Delivered-To: parsemail@patchwork.libcamera.org
Received: from lancelot.ideasonboard.com (lancelot.ideasonboard.com
	[92.243.16.209])
	by patchwork.libcamera.org (Postfix) with ESMTPS id 0CC47BD87D
	for <parsemail@patchwork.libcamera.org>;
	Tue, 31 Aug 2021 18:37:49 +0000 (UTC)
Received: from lancelot.ideasonboard.com (localhost [IPv6:::1])
	by lancelot.ideasonboard.com (Postfix) with ESMTP id 6FC866916A;
	Tue, 31 Aug 2021 20:37:48 +0200 (CEST)
Authentication-Results: lancelot.ideasonboard.com;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=chromium.org header.i=@chromium.org
	header.b="YSjUYpUb"; dkim-atps=neutral
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com
	[IPv6:2607:f8b0:4864:20::52e])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id AE00068890
	for <libcamera-devel@lists.libcamera.org>;
	Tue, 31 Aug 2021 20:37:46 +0200 (CEST)
Received: by mail-pg1-x52e.google.com with SMTP id c17so162441pgc.0
	for <libcamera-devel@lists.libcamera.org>;
	Tue, 31 Aug 2021 11:37:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org;
	s=google; h=from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=JnoG+HBbKt91xqpDoLnHesnWam5ljOD2Dk0xRH52O64=;
	b=YSjUYpUbfNfbAikK64JIcPlwjhBajZmlsS2ki7HUq2bzbVIu1F7uLrmrfpLA07BPjN
	VxpULjDjdEGOc5SP5M7DL3g7fy5MGveTlotEfQdcNXoGTxDMCytNu1tAqiGcnXbxliIm
	AvoAkL2I/1wURPaodc0iBuOb7G3Y3s8iYEU8c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=JnoG+HBbKt91xqpDoLnHesnWam5ljOD2Dk0xRH52O64=;
	b=Cemg7BwAfB/lex0WTVdqovJ97fYn10b9ZymhOVBcZK1za/NgR8u6EqvUE6nbJT3KVJ
	IgyhlYDq/Cze/PM4sGmMxJONO/gQCMobkHR79fg5IZ5E9N3/iUwSMueNpfqy836cyPq2
	Ue/PSHK+JOghFB6O8GTy/VLzK+RXm8sacWgIzkzVDmZiF9tHhnxwLvp316aX2i+iJjf2
	AYvX9WXkjuPQ1deA6iTg2I0zQDIAmODzkw7h44PqgPZggXblcPkL9YFhJj8ydMEp/wr4
	MeVuRLQl2qZtsUZaco3vha2brjB0RMV/8RayZLo3MqRfNbTO1AN1nlRJmx03d9B3bohm
	CalQ==
X-Gm-Message-State: AOAM531pJ8vw4dyuv4acoPSIVinGvyoEKz+8G8zNjKH1FJtkwGHhtKQe
	f4JmMgGa1slx8YisxNvjEC/rqqUa4fd2Eg==
X-Google-Smtp-Source: 
 ABdhPJyynAshAy0KdGmcZw/UftHv4HNCv8N/kaNTbnosbYFsSsxQg1RNrZz4wk00flHtREYJJ2xpKA==
X-Received: by 2002:aa7:9d02:0:b0:3f3:df3b:81ae with SMTP id
	k2-20020aa79d02000000b003f3df3b81aemr23521236pfp.19.1630435064854;
	Tue, 31 Aug 2021 11:37:44 -0700 (PDT)
Received: from hiroh2.tok.corp.google.com
	([2401:fa00:8f:203:af31:7c67:f02a:bccc])
	by smtp.gmail.com with ESMTPSA id
	q12sm18840146pfj.153.2021.08.31.11.37.43
	(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
	Tue, 31 Aug 2021 11:37:44 -0700 (PDT)
From: Hirokazu Honda <hiroh@chromium.org>
To: libcamera-devel@lists.libcamera.org
Date: Wed,  1 Sep 2021 03:37:39 +0900
Message-Id: <20210831183739.901729-1-hiroh@chromium.org>
X-Mailer: git-send-email 2.33.0.259.gc128427fd7-goog
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH v3] android: camera_device: Fix crash in
	calling CameraDevice::close()
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
Errors-To: libcamera-devel-bounces@lists.libcamera.org
Sender: "libcamera-devel" <libcamera-devel-bounces@lists.libcamera.org>

The problem is happening because we seem to add a CameraStream
associated buffer(depending on the CameraStream::Type) to the Request,
in CameraDevice::processCaptureRequest().

However, when the camera stops, all the current buffers are marked with
FrameMetadata::FrameCancelled and proceed to completion. But the buffer
associated with the CameraStream (that was previously added to the
request) has now been cleared out with a part of streams_.clear(), even
before the camera stop() has been invoked. Any access to those request
buffers after they have been cleared, shall result in a crash.

Signed-off-by: Hirokazu Honda <hiroh@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Umang Jain <umang.jain@ideasonboard.com>
Tested-by: Jacopo Mondi <jacopo@jmondi.org>
Acked-by: Jacopo Mondi <jacopo@jmondi.org>
---
 src/android/camera_device.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp
index 8ca76719..fda77db4 100644
--- a/src/android/camera_device.cpp
+++ b/src/android/camera_device.cpp
@@ -423,8 +423,6 @@ int CameraDevice::open(const hw_module_t *hardwareModule)
 
 void CameraDevice::close()
 {
-	streams_.clear();
-
 	stop();
 
 	camera_->release();
@@ -457,6 +455,8 @@ void CameraDevice::stop()
 	camera_->stop();
 
 	descriptors_.clear();
+	streams_.clear();
+
 	state_ = State::Stopped;
 }