From b4dfb9b35a192f555d76fc4f670a447657bcc183 Mon Sep 17 00:00:00 2001
From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Date: Fri, 17 Jun 2016 21:03:29 -0300
Subject: [PATCH] [media] v4l: vsp1: Stop the pipeline upon the first STREAMOFF

The device is stopped when STREAMOFF is called on the last video node in
the pipeline. This results in possible memory corruption and/or crashes,
as userspace could free buffers while the hardware is still writing to
them, and the frame completion interrupt handler could try to access
buffers that don't exist anymore.

Fix this by stopping the pipeline upon the first STREAMOFF call, not the
last.

Reported-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
---
 drivers/media/platform/vsp1/vsp1_video.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/vsp1/vsp1_video.c b/drivers/media/platform/vsp1/vsp1_video.c
index a899b15c8d87..f6208b9d8118 100644
--- a/drivers/media/platform/vsp1/vsp1_video.c
+++ b/drivers/media/platform/vsp1/vsp1_video.c
@@ -674,7 +674,7 @@ static void vsp1_video_stop_streaming(struct vb2_queue *vq)
 	int ret;
 
 	mutex_lock(&pipe->lock);
-	if (--pipe->stream_count == 0) {
+	if (--pipe->stream_count == pipe->num_inputs) {
 		/* Stop the pipeline. */
 		ret = vsp1_pipeline_stop(pipe);
 		if (ret == -ETIMEDOUT)
-- 
2.39.5