From patchwork Tue Jun 16 13:12:42 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paul Elder
X-Patchwork-Id: 4057
From: Paul Elder
To: libcamera-devel@lists.libcamera.org
Date: Tue, 16 Jun 2020 22:12:42 +0900
Message-Id: <20200616131244.70308-14-paul.elder@ideasonboard.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200616131244.70308-1-paul.elder@ideasonboard.com>
References: <20200616131244.70308-1-paul.elder@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 13/15] v4l2: v4l2_camera: Clear pending requests on freeBuffers

V4L2 allows buffer queueing before streamon while libcamera does not. The compatibility layer thus saves these buffers in a pending queue until streamon, and then automatically queues them. However, this pending queue is not cleared when the buffers are freed, so if buffers are queued, the stream is not started, buffers are freed, more buffers are queued, and the stream is finally started, then the first set of buffers will be used-after-free.

Fix this by clearing the pending request queue upon the buffers being freed.

Signed-off-by: Paul Elder
Reviewed-by: Jacopo Mondi
--- src/v4l2/v4l2_camera.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/src/v4l2/v4l2_camera.cpp b/src/v4l2/v4l2_camera.cpp index f0ec54b..bae270a 100644 --- a/src/v4l2/v4l2_camera.cpp +++ b/src/v4l2/v4l2_camera.cpp @@ -155,6 +155,7 @@ void V4L2Camera::freeBuffers() Stream *stream = *camera_->streams().begin(); bufferAllocator_->free(stream); + pendingRequests_.clear(); } FileDescriptor V4L2Camera::getBufferFd(unsigned int index)
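
Review bot: in V4L2Camera::freeBuffers() the new `pendingRequests_.clear();` runs after `bufferAllocator_->free(stream);`, so for the duration of that call the pending queue still holds entries that refer to buffers already released. Clearing the queue first and freeing afterwards means the queue never points at freed buffers, at no extra cost. The hunk also does not show how pendingRequests_ is protected; if the queueing or streamon paths can reach it from another thread, the clear needs the same lock those paths take. A one-line comment above the clear saying why it is needed (buffers queued before streamon are held in this queue) would keep the call from being removed later as redundant.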