From: Laurent Pinchart Date: Sat, 18 Jun 2016 00:03:29 +0000 (-0300) Subject: [media] v4l: vsp1: Stop the pipeline upon the first STREAMOFF X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=b4dfb9b35a192f555d76fc4f670a447657bcc183;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [media] v4l: vsp1: Stop the pipeline upon the first STREAMOFF The device is stopped when STREAMOFF is called on the last video node in the pipeline. This results in possible memory corruption and/or crashes, as userspace could free buffers while the hardware is still writing to them, and the frame completion interrupt handler could try to access buffers that don't exist anymore. Fix this by stopping the pipeline upon the first STREAMOFF call, not the last. Reported-by: Kuninori Morimoto Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/platform/vsp1/vsp1_video.c b/drivers/media/platform/vsp1/vsp1_video.c index a899b15c8d87..f6208b9d8118 100644 --- a/drivers/media/platform/vsp1/vsp1_video.c +++ b/drivers/media/platform/vsp1/vsp1_video.c @@ -674,7 +674,7 @@ static void vsp1_video_stop_streaming(struct vb2_queue *vq) int ret; mutex_lock(&pipe->lock); - if (--pipe->stream_count == 0) { + if (--pipe->stream_count == pipe->num_inputs) { /* Stop the pipeline. */ ret = vsp1_pipeline_stop(pipe); if (ret == -ETIMEDOUT)
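Review bot: The new test `--pipe->stream_count == pipe->num_inputs` in vsp1_video_stop_streaming() only matches the first STREAMOFF if stream_count is exactly num_inputs + 1 once every video node is streaming, and nothing in the hunk states that invariant. Please add a comment next to the condition spelling out the relationship between stream_count and num_inputs, since the existing `/* Stop the pipeline. */` comment does not explain why the comparison is no longer against 0. Please also confirm what happens when STREAMOFF arrives while stream_count is still below that value: with an equality test the decremented count would never equal num_inputs, so vsp1_pipeline_stop() would be skipped for that sequence. If the hardware can already be running in that state, an explicit "pipeline running" check would be more robust than matching a single counter value.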