[libcamera-devel,v4,17/22] v4l2: v4l2_camera: Clear pending requests on freeBuffers and streamOff
diff mbox series

Message ID 20200624145256.48266-18-paul.elder@ideasonboard.com
State Accepted
Headers show
Series
  • Support v4l2-compliance
Related show

Commit Message

Paul Elder June 24, 2020, 2:52 p.m. UTC 
V4L2 allows buffer queueing before streamon while libcamera does not.
The compatibility layer thus saves these buffers in a pending queue
until streamon, and then automatically queues them. However, this
pending queue is not cleared when the buffers are freed, so the
following sequence of actions will cause a use-after-free:

1. queue buffers
2. free buffers
   - buffers from 1. stay in pending queue but have been freed
3. queue buffers
4. streamon
   - buffers from 1. are enqueued, then the buffers from 3. are
     enqueued. Use-after-free segfault when libcamera tries to handle
     the enqueued buffers from 1.

Fix this by clearing the pending request queue upon buffers being freed.
Also clear the pending request queue on streamOff, for correctness.

Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

---
No change in v4

Changes in v3:
- reorder clearing the pending request queue, to before freeing
  buffers, and to after checking isRunning

Changes in v2:
- also clear pending request queue on streamOff
- clarify the issue in changelog
---
 src/v4l2/v4l2_camera.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Patch
diff mbox series 

diff --git a/src/v4l2/v4l2_camera.cpp b/src/v4l2/v4l2_camera.cpp
index f7df9b8..ffc1230 100644
--- a/src/v4l2/v4l2_camera.cpp
+++ b/src/v4l2/v4l2_camera.cpp
@@ -147,6 +147,8 @@  int V4L2Camera::allocBuffers(unsigned int count)
 
 void V4L2Camera::freeBuffers()
 {
+	pendingRequests_.clear();
+
 	Stream *stream = *camera_->streams().begin();
 	bufferAllocator_->free(stream);
 }
@@ -188,10 +190,11 @@  int V4L2Camera::streamOn()
 
 int V4L2Camera::streamOff()
 {
-	/* \todo Restore buffers to reqbufs state? */
 	if (!isRunning_)
 		return 0;
 
+	pendingRequests_.clear();
+
 	int ret = camera_->stop();
 	if (ret < 0)
 		return ret == -EACCES ? -EBUSY : ret;