[media] v4l: vb2: Fix stream start and buffer completion race

videobuf2 stores the driver streaming state internally in the queue in
the start_streaming_called variable. The state is set right after the
driver start_stream operation returns, and checked in the
vb2_buffer_done() function, typically called from the frame completion
interrupt handler. A race condition exists if the hardware finishes
processing the first frame before the start_stream operation returns.

Fix this by setting start_streaming_called to 1 before calling the
start_stream operation, and resetting it to 0 if the operation fails.

Cc: stable@vger.kernel.org      # for v3.15 and up
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>

diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index 7c4489c..1d67e95 100644 (file)
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -1750,12 +1750,14 @@ static int vb2_start_streaming(struct vb2_queue *q)
                __enqueue_in_driver(vb);
 
        /* Tell the driver to start streaming */
+       q->start_streaming_called = 1;
        ret = call_qop(q, start_streaming, q,
                       atomic_read(&q->owned_by_drv_count));
-       q->start_streaming_called = ret == 0;
        if (!ret)
                return 0;
 
+       q->start_streaming_called = 0;
+
        dprintk(1, "driver refused to start streaming\n");
        if (WARN_ON(atomic_read(&q->owned_by_drv_count))) {
                unsigned i;