Commit 5b6c3ef0 authored Aug 13, 2011 by Laurent Pinchart Committed by Mauro Carvalho Chehab Sep 21, 2011

[media] omap3isp: video: Avoid crashes when pipeline set stream operation fails

If streaming can't be enabled on the pipeline, the DMA buffers queue is
not emptied. If the buffers then get freed the queue will end up
referencing free memory. This is usually not an issue, as the DMA queue
will be reinitialized the next time streaming is enabled, before
enabling the hardware.

However, if the sensor connected at the pipeline input is free-running,
the CCDC will start generating interrupts as soon as it gets powered up,
before the streaming gets enabled on the hardware. This will make the
CCDC interrupt handler access freed memory, causing a crash.

Reinitialize the DMA buffers queue in isp_video_streamon() if the error
path to make sure this situation won't happen.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

parent c62e2a19

drivers/media/video/omap3isp/ispvideo.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -1056,6 +1056,14 @@ isp_video_streamon(struct file file, void fh, enum v4l2_buf_type type)
		if (video->isp->pdata->set_constraints)
		video->isp->pdata->set_constraints(video->isp, false);
		media_entity_pipeline_stop(&video->video.entity);
		/* The DMA queue must be emptied here, otherwise CCDC interrupts
		* that will get triggered the next time the CCDC is powered up
		* will try to access buffers that might have been freed but
		* still present in the DMA queue. This can easily get triggered
		* if the above omap3isp_pipeline_set_stream() call fails on a
		* system with a free-running sensor.
		*/
		INIT_LIST_HEAD(&video->dmaqueue);
		video->queue = NULL;
		}