From 2fac95b400b72b33d075bc77407376eb935f3458 Mon Sep 17 00:00:00 2001
From: Kieran Bingham <kieran.bingham@ideasonboard.com>
Date: Wed, 3 Mar 2021 17:04:25 +0000
Subject: libcamera: pipeline: ipu3: Ensure that IPU3Frames::info is not used
 after delete

When the IPU3Frames completes, it deletes the internal info storage.

This storage contains the pointer to the Request, but in some cases the
pointer was being accessed after the info structure was removed.

Ensure that the Request is obtained before attempting to complete to
obtain a valid pointer.

Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
---
 src/libcamera/pipeline/ipu3/ipu3.cpp | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

(limited to 'src/libcamera/pipeline')

diff --git a/src/libcamera/pipeline/ipu3/ipu3.cpp b/src/libcamera/pipeline/ipu3/ipu3.cpp
index 2b4d3150..3dd1bdd0 100644
--- a/src/libcamera/pipeline/ipu3/ipu3.cpp
+++ b/src/libcamera/pipeline/ipu3/ipu3.cpp
@@ -1164,6 +1164,7 @@ void IPU3CameraData::queueFrameAction(unsigned int id,
 		 * in action.controls to register additional metadata.
 		 */
 		Request *request = info->request;
+
 		info->metadataProcessed = true;
 		if (frameInfos_.tryComplete(info))
 			pipe_->completeRequest(request);
@@ -1253,8 +1254,17 @@ void IPU3CameraData::paramBufferReady(FrameBuffer *buffer)
 		return;
 
 	info->paramDequeued = true;
+
+	/*
+	 * tryComplete() will delete info if it completes the IPU3Frame.
+	 * In that event, we must have obtained the Request before hand.
+	 *
+	 * \todo Improve the FrameInfo API to avoid this type of issue
+	 */
+	Request *request = info->request;
+
 	if (frameInfos_.tryComplete(info))
-		pipe_->completeRequest(info->request);
+		pipe_->completeRequest(request);
 }
 
 void IPU3CameraData::statBufferReady(FrameBuffer *buffer)
@@ -1265,8 +1275,16 @@ void IPU3CameraData::statBufferReady(FrameBuffer *buffer)
 
 	if (buffer->metadata().status == FrameMetadata::FrameCancelled) {
 		info->metadataProcessed = true;
+
+		/*
+		* tryComplete() will delete info if it completes the IPU3Frame.
+		* In that event, we must have obtained the Request before hand.
+		*/
+		Request *request = info->request;
+
 		if (frameInfos_.tryComplete(info))
-			pipe_->completeRequest(info->request);
+			pipe_->completeRequest(request);
+
 		return;
 	}
 
-- 
cgit v1.2.1