From patchwork Tue Aug 31 18:33:47 2021
X-Patchwork-Submitter: Hirokazu Honda
X-Patchwork-Id: 13583
From: Hirokazu Honda
To: libcamera-devel@lists.libcamera.org
Date: Wed, 1 Sep 2021 03:33:47 +0900
Message-Id: <20210831183347.900666-1-hiroh@chromium.org>
Subject: [libcamera-devel] [PATCH v2] android: camera_device: Fix crash in calling CameraDevice::close()

The problem is happening because we seem to add a CameraStream associated buffer (depending on the CameraStream::Type) to the Request, in CameraDevice::processCaptureRequest(). However, when the camera stops, all the current buffers are marked with FrameMetadata::FrameCancelled and proceed to completion. But the buffer associated with the CameraStream (that was previously added to the request) has now been cleared out with a part of streams_.clear(), even before the camera stop() has been invoked. Any access to those request buffers after they have been cleared shall result in a crash.

Signed-off-by: Hirokazu Honda
---
 src/android/camera_device.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/android/camera_device.cpp b/src/android/camera_device.cpp index 8ca76719..bbe36509 100644 --- a/src/android/camera_device.cpp +++ b/src/android/camera_device.cpp @@ -423,8 +423,6 @@ int CameraDevice::open(const hw_module_t *hardwareModule) void CameraDevice::close() { - streams_.clear(); - stop(); camera_->release(); @@ -457,6 +455,8 @@ void CameraDevice::stop() camera_->stop(); descriptors_.clear(); + streams_.clear(); + state_ = State::Stopped; } 
@@ -561,11 +561,11 @@ int CameraDevice::configureStreams(camera3_stream_configuration_t *stream_list) } /* - * Clear and remove any existing configuration from previous calls, and - * ensure the required entries are available without further + * Any existing configuration from previous calls has been removed in + * stop(). Ensure the required entries are available without further * reallocation. */ - streams_.clear(); + ASSERT(streams_.empty()); streams_.reserve(stream_list->num_streams); std::vector streamConfigs;
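Review bot: in the CameraDevice::close() hunk, clearing streams_ now depends entirely on stop() reaching its new `streams_.clear();` line. The context shown for stop() begins at `camera_->stop();`, so it is not visible whether stop() can return before that point, for instance when the camera is already in the stopped state. If it can, close() goes on to `camera_->release();` with the old CameraStream entries still in place. Please confirm stop() has no such early exit, or clear streams_ on that path as well.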
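Review bot: in the CameraDevice::stop() hunk, the placement of `streams_.clear();` after `camera_->stop();` is the whole fix, yet nothing in the code records why the order matters. A short comment stating that streams_ must stay alive until camera_->stop() has returned, because the cancelled requests complete during the stop and still reference the CameraStream buffers, would keep a later cleanup from moving the clear back ahead of the stop and reintroducing the crash described in the commit message.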
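Review bot: in the configureStreams() hunk, `ASSERT(streams_.empty());` turns a state that the old `streams_.clear();` simply recovered from into a process abort, and the new comment's claim that stop() has already removed the configuration is not checked by anything visible in this hunk. If ASSERT is compiled out in release builds, a non-empty streams_ would pass silently and the new entries would be appended after the stale ones. Consider keeping the clear, or logging an error and returning a failure code, unless every path reaching this point is guaranteed to have run stop() to completion.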