From 760971951420b4b31420cbea83adf227784e381d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Barnab=C3=A1s=20P=C5=91cze?=
 <barnabas.pocze@ideasonboard.com>
Date: Thu, 14 Aug 2025 11:05:40 +0200
Subject: [PATCH] libcamera: base: semaphore: Do not unlock prematurely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In `Semaphore::release()`, unlocking the mutex before signalling the condition
variable can be problematic, especially with "temporary" objects such as the
ones `BoundMethodBase::activatePack()` uses to handle `ConnectionTypeBlocking`.

Specifically, `Semaphore::acquire()` might lock the mutex after `Semaphore::release()`
has unlocked it, but before it had the chance to notify the condition variable.
In that case `Semaphore::acquire()` can succeed, and execution may proceed to
destroy the `Semaphore` object while the other thread is in the process of
running `std::condition_variable::notify_all()`.

Bug: https://bugs.libcamera.org/show_bug.cgi?id=225
Fixes: 66e7c5b774e288 ("libcamera: Add Semaphore class")
Signed-off-by: Barnabás Pőcze <barnabas.pocze@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
---
 src/libcamera/base/semaphore.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/libcamera/base/semaphore.cpp b/src/libcamera/base/semaphore.cpp
index 862f3b31..6aec8b92 100644
--- a/src/libcamera/base/semaphore.cpp
+++ b/src/libcamera/base/semaphore.cpp
@@ -93,11 +93,9 @@ bool Semaphore::tryAcquire(unsigned int n)
  */
 void Semaphore::release(unsigned int n)
 {
-	{
-		MutexLocker locker(mutex_);
-		available_ += n;
-	}
+	MutexLocker locker(mutex_);
 
+	available_ += n;
 	cv_.notify_all();
 }