From 2ebce32cf68189f790dc5580a2f6da90814009b1 Mon Sep 17 00:00:00 2001
From: Naushir Patuck <naush@raspberrypi.com>
Date: Fri, 20 May 2022 13:49:19 +0100
Subject: pipeline: raspberrypi: Fix possible null dereference

The freeBuffers() cleanup code calls into the IPA to unmap and free
shared buffers. However, this function could be called before the IPA
has opened (via registerCamera()), causing a segmentation fault. Fix
this by guarding against calling the IPA if it has not been opened.

Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 src/libcamera/pipeline/raspberrypi/raspberrypi.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

(limited to 'src/libcamera/pipeline/raspberrypi/raspberrypi.cpp')

diff --git a/src/libcamera/pipeline/raspberrypi/raspberrypi.cpp b/src/libcamera/pipeline/raspberrypi/raspberrypi.cpp
index 2636acb7..adc397e8 100644
--- a/src/libcamera/pipeline/raspberrypi/raspberrypi.cpp
+++ b/src/libcamera/pipeline/raspberrypi/raspberrypi.cpp
@@ -1484,10 +1484,16 @@ void PipelineHandlerRPi::mapBuffers(Camera *camera, const RPi::BufferMap &buffer
 
 void RPiCameraData::freeBuffers()
 {
-	/* Copy the buffer ids from the unordered_set to a vector to pass to the IPA. */
-	std::vector<unsigned int> ipaBuffers(ipaBuffers_.begin(), ipaBuffers_.end());
-	ipa_->unmapBuffers(ipaBuffers);
-	ipaBuffers_.clear();
+	if (ipa_) {
+		/*
+		 * Copy the buffer ids from the unordered_set to a vector to
+		 * pass to the IPA.
+		 */
+		std::vector<unsigned int> ipaBuffers(ipaBuffers_.begin(),
+						     ipaBuffers_.end());
+		ipa_->unmapBuffers(ipaBuffers);
+		ipaBuffers_.clear();
+	}
 
 	for (auto const stream : streams_)
 		stream->releaseBuffers();
-- 
cgit v1.2.1