summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLaurent Pinchart <laurent.pinchart@ideasonboard.com>2019-07-16 08:36:31 +0300
committerLaurent Pinchart <laurent.pinchart@ideasonboard.com>2019-07-16 08:51:09 +0300
commit124336329c11e1fc1687504fc37f67189a44ee2d (patch)
tree5770ed299cde016eac0763624982991704a438f0
parentd55c8018cdfe6a18aea1f761c8b3f0673d902aff (diff)
libcamera: pipeline: ipu3: Free internal buffers after stopping streaming
The internal buffers between the CIO2 and ImgU are freed by the CIO2Device::stop() method, which is called first when stopping streaming. The ImgUDevice::stop() method is then called, and attempts to report completion for all queued buffers, which we have just freed. The use-after-free corrupts memory, leading to crashes. Fix this by moving the vector of internal buffers to the IPU3CameraData where it belongs, and free the buffers after stopping both devices. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Reviewed-by: Niklas Söderlund <niklas.soderlund@ragnatech.se>
-rw-r--r--src/libcamera/pipeline/ipu3/ipu3.cpp28
1 files changed, 12 insertions, 16 deletions
diff --git a/src/libcamera/pipeline/ipu3/ipu3.cpp b/src/libcamera/pipeline/ipu3/ipu3.cpp
index febc867b..159a9312 100644
--- a/src/libcamera/pipeline/ipu3/ipu3.cpp
+++ b/src/libcamera/pipeline/ipu3/ipu3.cpp
@@ -122,7 +122,7 @@ public:
BufferPool *exportBuffers();
void freeBuffers();
- int start();
+ int start(std::vector<std::unique_ptr<Buffer>> *buffer);
int stop();
static int mediaBusToFormat(unsigned int code);
@@ -132,7 +132,6 @@ public:
CameraSensor *sensor_;
BufferPool pool_;
- std::vector<std::unique_ptr<Buffer>> buffers_;
};
class IPU3Stream : public Stream
@@ -165,6 +164,8 @@ public:
IPU3Stream outStream_;
IPU3Stream vfStream_;
+
+ std::vector<std::unique_ptr<Buffer>> rawBuffers_;
};
class IPU3CameraConfiguration : public CameraConfiguration
@@ -688,7 +689,7 @@ int PipelineHandlerIPU3::start(Camera *camera)
* Start the ImgU video devices, buffers will be queued to the
* ImgU output and viewfinder when requests will be queued.
*/
- ret = cio2->start();
+ ret = cio2->start(&data->rawBuffers_);
if (ret)
goto error;
@@ -704,6 +705,7 @@ int PipelineHandlerIPU3::start(Camera *camera)
error:
LOG(IPU3, Error) << "Failed to start camera " << camera->name();
+ data->rawBuffers_.clear();
return ret;
}
@@ -717,6 +719,8 @@ void PipelineHandlerIPU3::stop(Camera *camera)
if (ret)
LOG(IPU3, Warning) << "Failed to stop camera "
<< camera->name();
+
+ data->rawBuffers_.clear();
}
int PipelineHandlerIPU3::queueRequest(Camera *camera, Request *request)
@@ -1454,26 +1458,18 @@ void CIO2Device::freeBuffers()
LOG(IPU3, Error) << "Failed to release CIO2 buffers";
}
-int CIO2Device::start()
+int CIO2Device::start(std::vector<std::unique_ptr<Buffer>> *buffers)
{
- int ret;
-
- buffers_ = output_->queueAllBuffers();
- if (buffers_.empty())
+ *buffers = output_->queueAllBuffers();
+ if (buffers->empty())
return -EINVAL;
- ret = output_->streamOn();
- if (ret)
- return ret;
-
- return 0;
+ return output_->streamOn();
}
int CIO2Device::stop()
{
- int ret = output_->streamOff();
- buffers_.clear();
- return ret;
+ return output_->streamOff();
}
int CIO2Device::mediaBusToFormat(unsigned int code)