From patchwork Mon Sep  6 14:01:48 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jacopo Mondi <jacopo@jmondi.org>
X-Patchwork-Id: 13631
Return-Path: <libcamera-devel-bounces@lists.libcamera.org>
X-Original-To: parsemail@patchwork.libcamera.org
Delivered-To: parsemail@patchwork.libcamera.org
Received: from lancelot.ideasonboard.com (lancelot.ideasonboard.com
	[92.243.16.209])
	by patchwork.libcamera.org (Postfix) with ESMTPS id 0D679BDC71
	for <parsemail@patchwork.libcamera.org>;
	Mon,  6 Sep 2021 14:01:11 +0000 (UTC)
Received: from lancelot.ideasonboard.com (localhost [IPv6:::1])
	by lancelot.ideasonboard.com (Postfix) with ESMTP id C02FC69168;
	Mon,  6 Sep 2021 16:01:10 +0200 (CEST)
Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net
	[217.70.183.194])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id EE3C360137
	for <libcamera-devel@lists.libcamera.org>;
	Mon,  6 Sep 2021 16:01:08 +0200 (CEST)
Received: (Authenticated sender: jacopo@jmondi.org)
	by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id ED2D44000E;
	Mon,  6 Sep 2021 14:01:07 +0000 (UTC)
From: Jacopo Mondi <jacopo@jmondi.org>
To: libcamera-devel@lists.libcamera.org
Date: Mon,  6 Sep 2021 16:01:48 +0200
Message-Id: <20210906140152.636883-2-jacopo@jmondi.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210906140152.636883-1-jacopo@jmondi.org>
References: <20210906140152.636883-1-jacopo@jmondi.org>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH 1/5] android: camera_device: Fix crash in
	calling CameraDevice::close()
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
Errors-To: libcamera-devel-bounces@lists.libcamera.org
Sender: "libcamera-devel" <libcamera-devel-bounces@lists.libcamera.org>

From: Hirokazu Honda <hiroh@chromium.org>

The problem is happening because we seem to add a CameraStream
associated buffer (depending on the CameraStream::Type) to the Request,
in CameraDevice::processCaptureRequest().

However, when the camera stops, all the current buffers are marked with
FrameMetadata::FrameCancelled and proceed to completion. But the buffer
associated with the CameraStream (that was previously added to the
request) has now been cleared out with a part of streams_.clear(), even
before the camera stop() has been invoked. Any access to those request
buffers after they have been cleared, will result in a crash.

Signed-off-by: Hirokazu Honda <hiroh@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Umang Jain <umang.jain@ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
---
 src/android/camera_device.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp
index 8ca76719a50f..fda77db4540c 100644
--- a/src/android/camera_device.cpp
+++ b/src/android/camera_device.cpp
@@ -423,8 +423,6 @@ int CameraDevice::open(const hw_module_t *hardwareModule)
 
 void CameraDevice::close()
 {
-	streams_.clear();
-
 	stop();
 
 	camera_->release();
@@ -457,6 +455,8 @@ void CameraDevice::stop()
 	camera_->stop();
 
 	descriptors_.clear();
+	streams_.clear();
+
 	state_ = State::Stopped;
 }