v4l2bufferpool: Ensure freshly created buffers are not marked as queued

Otherwise, if we run in to the copy case, this can cause these groups to stay around with queued flag set, but never actually queued, until gst_v4l2_allocator_flush() is called, which then erroneously frees the associated memories, causing the release function to decrement the allocator refcount where it was never incremented, resulting in early allocator disposal, and either deadlock or use after free. Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6685>
2025-01-20 14:18:34 +00:00 · 2024-04-05 17:30:01 +02:00 · 2024-04-05 17:30:01 +02:00 · 23c5ff8032
commit 23c5ff8032
parent 3efcfef4b5
1 changed files with 7 additions and 0 deletions
--- a/subprojects/gst-plugins-good/sys/v4l2/gstv4l2allocator.c
+++ b/subprojects/gst-plugins-good/sys/v4l2/gstv4l2allocator.c
@ -272,6 +272,13 @@ gst_v4l2_memory_group_new (GstV4l2Allocator * allocator, guint32 index)
    return NULL;
  }

+  if (IS_QUEUED (group->buffer)) {
+    GST_WARNING_OBJECT (allocator,
+        "Driver pretends buffer %d is queued even if freshly created, "
+        "this indicates a bug in the driver.", group->buffer.index);
+    UNSET_QUEUED (group->buffer);
+  }
+
  /* Check that provided size matches the format we have negotiation. Failing
   * there usually means a driver of libv4l bug. */
  if (V4L2_TYPE_IS_MULTIPLANAR (obj->type)) {