author Paul Elder <paul.elder@ideasonboard.com> 2020-06-16 19:32:34 +0900
committer Paul Elder <paul.elder@ideasonboard.com> 2020-06-25 23:47:13 +0900
commit 9909ce33f91b4ce7e9c61a28dbf91b7b24fd1161 (patch)
tree 1df478a433dbf48d535a572be85d38d1f0826b0e /src/v4l2
parent 566ccd75cafd0bd9d60d350405ca7d337786ae39 (diff)
v4l2: v4l2_camera: Clear pending requests on freeBuffers and streamOff
V4L2 allows buffer queueing before streamon while libcamera does not. The compatibility layer thus saves these buffers in a pending queue until streamon, and then automatically queues them. However, this pending queue is not cleared when the buffers are freed, so the following sequence of actions will cause a use-after-free:

1. queue buffers
2. free buffers - buffers from 1. stay in pending queue but have been freed
3. queue buffers
4. streamon - buffers from 1. are enqueued, then the buffers from 3. are enqueued. Use-after-free segfault when libcamera tries to handle the enqueued buffers from 1.

Fix this by clearing the pending request queue upon buffers being freed.

Also clear the pending request queue on streamOff, for correctness.

Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Diffstat (limited to 'src/v4l2')
-rw-r--r-- src/v4l2/v4l2_camera.cpp 5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/v4l2/v4l2_camera.cpp b/src/v4l2/v4l2_camera.cpp
index f7df9b85..ffc1230e 100644
--- a/src/v4l2/v4l2_camera.cpp
+++ b/src/v4l2/v4l2_camera.cpp
@@ -147,6 +147,8 @@ int V4L2Camera::allocBuffers(unsigned int count)
void V4L2Camera::freeBuffers()
{
+ pendingRequests_.clear();
+
Stream *stream = *camera_->streams().begin();
bufferAllocator_->free(stream);
}
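Review bot: the new pendingRequests_.clear() at the top of freeBuffers() carries no comment saying why it has to run before bufferAllocator_->free(stream). That ordering is what keeps queued requests from outliving the buffers they refer to, so a one-line comment stating it would stop a later refactor from moving or dropping the call. It would also help to say whether freeBuffers() may be called while isRunning_ is true, since nothing in this function checks it.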
@@ -188,10 +190,11 @@ int V4L2Camera::streamOn()
int V4L2Camera::streamOff()
{
- /* \todo Restore buffers to reqbufs state? */
if (!isRunning_)
return 0;
+ pendingRequests_.clear();
+
int ret = camera_->stop();
if (ret < 0)
return ret == -EACCES ? -EBUSY : ret;
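Review bot: in streamOff() the pendingRequests_.clear() sits after the "if (!isRunning_) return 0;" early return, so a streamOff issued before streamOn returns with buffers that were queued ahead of streamon still in the pending queue. If the intent is that streamOff always empties the queue, move the clear above the isRunning_ check. The removed \todo about restoring buffers to the reqbufs state is also dropped without the hunk showing that it has been addressed; either keep it or say in the commit message why it no longer applies.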