From patchwork Tue Jul 16 05:42:18 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
X-Patchwork-Id: 1705
Return-Path: <laurent.pinchart@ideasonboard.com>
Received: from perceval.ideasonboard.com (perceval.ideasonboard.com
	[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id 74037618D6
	for <libcamera-devel@lists.libcamera.org>;
	Tue, 16 Jul 2019 07:42:52 +0200 (CEST)
Received: from pendragon.ideasonboard.com (unknown
	[IPv6:2a00:79e1:abc:3602:59ec:6c:1869:337])
	by perceval.ideasonboard.com (Postfix) with ESMTPSA id 4728F564
	for <libcamera-devel@lists.libcamera.org>;
	Tue, 16 Jul 2019 07:42:50 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;
	s=mail; t=1563255772;
	bh=pZUCkicrvDezla7Xgo88NgfgXuT9h5RSIEF/SRCqo68=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=MhKdf38gQweF/VTXoe6kn+N2fR/GxVZ50fRfo2h3dtRS0kR98MJcgEIx6QynQTU4N
	veIr7TCJVYbV4zEkgBA8XKEm8SibvBFC1FON3GhH7/xZ9wwSuGmR2MAqwEZdMYFpdt
	duLrEwk41JKVThvtlxFQV2yUlLb77iupc57RrENQ=
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: libcamera-devel@lists.libcamera.org
Date: Tue, 16 Jul 2019 08:42:18 +0300
Message-Id: <20190716054218.22136-2-laurent.pinchart@ideasonboard.com>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190716054218.22136-1-laurent.pinchart@ideasonboard.com>
References: <20190716054218.22136-1-laurent.pinchart@ideasonboard.com>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH 2/2] libcamera: pipeline: ipu3: Free
	internal buffers after stopping streaming
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 05:42:52 -0000

The internal buffers between the CIO2 and ImgU are freed by the
CIO2Device::stop() method, which is called first when stopping
streaming. The ImgUDevice::stop() method is then called, and attempts to
report completion for all queued buffers, which we have just freed. The
use-after-free corrupts memory, leading to crashes.

Fix this by moving the vector of internal buffers to the IPU3CameraData
where it belongs, and free the buffers after stopping both devices.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund@ragnatech.se>
Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
---
 src/libcamera/pipeline/ipu3/ipu3.cpp | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/src/libcamera/pipeline/ipu3/ipu3.cpp b/src/libcamera/pipeline/ipu3/ipu3.cpp
index febc867b4d7e..159a9312f95e 100644
--- a/src/libcamera/pipeline/ipu3/ipu3.cpp
+++ b/src/libcamera/pipeline/ipu3/ipu3.cpp
@@ -122,7 +122,7 @@ public:
 	BufferPool *exportBuffers();
 	void freeBuffers();
 
-	int start();
+	int start(std::vector<std::unique_ptr<Buffer>> *buffer);
 	int stop();
 
 	static int mediaBusToFormat(unsigned int code);
@@ -132,7 +132,6 @@ public:
 	CameraSensor *sensor_;
 
 	BufferPool pool_;
-	std::vector<std::unique_ptr<Buffer>> buffers_;
 };
 
 class IPU3Stream : public Stream
@@ -165,6 +164,8 @@ public:
 
 	IPU3Stream outStream_;
 	IPU3Stream vfStream_;
+
+	std::vector<std::unique_ptr<Buffer>> rawBuffers_;
 };
 
 class IPU3CameraConfiguration : public CameraConfiguration
@@ -688,7 +689,7 @@ int PipelineHandlerIPU3::start(Camera *camera)
 	 * Start the ImgU video devices, buffers will be queued to the
 	 * ImgU output and viewfinder when requests will be queued.
 	 */
-	ret = cio2->start();
+	ret = cio2->start(&data->rawBuffers_);
 	if (ret)
 		goto error;
 
@@ -704,6 +705,7 @@ int PipelineHandlerIPU3::start(Camera *camera)
 error:
 	LOG(IPU3, Error) << "Failed to start camera " << camera->name();
 
+	data->rawBuffers_.clear();
 	return ret;
 }
 
@@ -717,6 +719,8 @@ void PipelineHandlerIPU3::stop(Camera *camera)
 	if (ret)
 		LOG(IPU3, Warning) << "Failed to stop camera "
 				   << camera->name();
+
+	data->rawBuffers_.clear();
 }
 
 int PipelineHandlerIPU3::queueRequest(Camera *camera, Request *request)
@@ -1454,26 +1458,18 @@ void CIO2Device::freeBuffers()
 		LOG(IPU3, Error) << "Failed to release CIO2 buffers";
 }
 
-int CIO2Device::start()
+int CIO2Device::start(std::vector<std::unique_ptr<Buffer>> *buffers)
 {
-	int ret;
-
-	buffers_ = output_->queueAllBuffers();
-	if (buffers_.empty())
+	*buffers = output_->queueAllBuffers();
+	if (buffers->empty())
 		return -EINVAL;
 
-	ret = output_->streamOn();
-	if (ret)
-		return ret;
-
-	return 0;
+	return output_->streamOn();
 }
 
 int CIO2Device::stop()
 {
-	int ret = output_->streamOff();
-	buffers_.clear();
-	return ret;
+	return output_->streamOff();
 }
 
 int CIO2Device::mediaBusToFormat(unsigned int code)