@@ -1114,6 +1114,21 @@ int Camera::queueRequest(Request *request)
{
Private *const d = _d();
+ /*
+ * There is a risk of a racy segfault here. If the application marks a
+ * Request for reuse and queues it, but stop() changes the camera state
+ * before we reach this point, then we would end up in a situation
+ * where we have a buffer added to a Request yet not queued to the
+ * camera. Thus Camera::stop() will not complete the buffer and
+ * request, and if the buffer is freed before its request is destroyed,
+ * then it will cause a segfault when the request tries to cancel the
+ * freed buffer.
+ *
+ * The temporary workaround is to force applications to make sure to
+ * free requests before the buffers.
+ *
+ * \todo Fix this race condition.
+ */
int ret = d->isAccessAllowed(Private::CameraRunning);
if (ret < 0)
return ret;
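Review bot: The workaround paragraph in the new comment block ("force applications to make sure to free requests before the buffers") sits inside the body of Camera::queueRequest(), where application developers will not see it, and nothing in this hunk enforces that ordering. If applications are expected to destroy Requests before freeing their buffers, state that requirement in the public API documentation as well and keep this internal comment for the \todo. The comment also describes the application marking a Request for reuse "and queues it", while the commit message says "without queueing it to the camera"; align the two wordings so it is clear the problem case is the isAccessAllowed(Private::CameraRunning) check returning an error after stop() has changed the state, which leaves the buffers attached to a Request that never reached the camera.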
There is a risk of a racy segfault in Camera::queueRequest, related to marking a Request for reuse without queueing it to the camera. Camera::queueRequest() could race with Camera::stop(), which would trigger a segfault if the buffers are freed before their Requests. As it's not too critical at the moment, add a description of the problem and a todo.

Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
---
 src/libcamera/camera.cpp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)