cam_hal/ll_cam: avoid ISR queue use-after-free; fully quiesce DMA on stop

In PSRAM DMA mode the driver could dereference a deleted event queue and
leave EOF interrupts armed after shutdown, leading to late ISRs and NPDs.

Changes:
- ll_cam_send_event(): return early if event_queue is NULL; use a local
  `woken` and propagate to caller via `hp` when non-NULL.
- cam_deinit(): call cam_stop() before deleting queues; NULL out
  event_queue and frame_buffer_queue after vQueueDelete().
- ll_cam_stop(): disable all GDMA IN interrupts and clear them with a
  full W1C mask; stop CAM_START and halt link.
- ll_cam_start(): clear all interrupts, then enable only IN_SUC_EOF.
- ll_cam_dma_reset(): use 0xFFFFFFFF W1C mask for int_clr.
- ISRs (VSYNC/DMA): use `hp` variable and portYIELD_FROM_ISR() if set.
- cam_obj.state: mark as volatile.
- Headers: update ll_cam_send_event() signature to `BaseType_t *hp`.

Result: no null-pointer derefs or late interrupts after teardown; ISR
wakeups propagate correctly and the DMA path restarts cleanly.

Author: RubenKelevra

driver/cam_hal.c

@@ -242,9 +242,15 @@ static bool cam_start_frame(int * frame_pos)
     return false;
 }
 
-void IRAM_ATTR ll_cam_send_event(cam_obj_t *cam, cam_event_t cam_event, BaseType_t * HPTaskAwoken)
+void IRAM_ATTR ll_cam_send_event(cam_obj_t *cam, cam_event_t cam_event, BaseType_t *hp)
 {
-    if (xQueueSendFromISR(cam->event_queue, (void *)&cam_event, HPTaskAwoken) != pdTRUE) {
+    if (!cam->event_queue) {
+        // ESP_DRAM_LOGD(TAG, "drop event: queue deleted");
+        return;
+    }
+
+    BaseType_t woken = pdFALSE;
+    if (xQueueSendFromISR(cam->event_queue, &cam_event, &woken) != pdTRUE) {
         ll_cam_stop(cam);
         cam->state = CAM_STATE_IDLE;
 #if CAM_LOG_SPAM_EVERY_FRAME
@@ -255,6 +261,10 @@ void IRAM_ATTR ll_cam_send_event(cam_obj_t *cam, cam_event_t cam_event, BaseType
                           cam_event==CAM_IN_SUC_EOF_EVENT ? "EV-EOF-OVF" : "EV-VSYNC-OVF");
 #endif
     }
+
+    if (hp && woken) {
+        *hp = pdTRUE;
+    }
 }
 
 //Copy fram from DMA dma_buffer to fram dma_buffer
@@ -633,15 +643,17 @@ esp_err_t cam_deinit(void)
         return ESP_FAIL;
     }
 
-    cam_stop();
+    cam_stop(); // disable VSYNC and DMA before deleting queues
     if (cam_obj->task_handle) {
         vTaskDelete(cam_obj->task_handle);
     }
     if (cam_obj->event_queue) {
         vQueueDelete(cam_obj->event_queue);
+        cam_obj->event_queue = NULL;
     }
     if (cam_obj->frame_buffer_queue) {
         vQueueDelete(cam_obj->frame_buffer_queue);
+        cam_obj->frame_buffer_queue = NULL;
     }
 
     ll_cam_deinit(cam_obj);

target/esp32s3/ll_cam.c

@@ -68,7 +68,7 @@ void ll_cam_dma_print_state(cam_obj_t *cam)
 void ll_cam_dma_reset(cam_obj_t *cam)
 {
 
-    GDMA.channel[cam->dma_num].in.int_clr.val = ~0;
+    GDMA.channel[cam->dma_num].in.int_clr.val = 0xFFFFFFFFU; // register is W1C; mask covers all sources
     GDMA.channel[cam->dma_num].in.int_ena.val = 0;
 
     GDMA.channel[cam->dma_num].in.conf0.val = 0;
@@ -94,7 +94,7 @@ static void CAMERA_ISR_IRAM_ATTR ll_cam_vsync_isr(void *arg)
 {
     //DBG_PIN_SET(1);
     cam_obj_t *cam = (cam_obj_t *)arg;
-    BaseType_t HPTaskAwoken = pdFALSE;
+    BaseType_t hp = pdFALSE;
 
     typeof(LCD_CAM.lc_dma_int_st) status = LCD_CAM.lc_dma_int_st;
     if (status.val == 0) {
@@ -104,10 +104,10 @@ static void CAMERA_ISR_IRAM_ATTR ll_cam_vsync_isr(void *arg)
     LCD_CAM.lc_dma_int_clr.val = status.val;
 
     if (status.cam_vsync_int_st) {
-        ll_cam_send_event(cam, CAM_VSYNC_EVENT, &HPTaskAwoken);
+        ll_cam_send_event(cam, CAM_VSYNC_EVENT, &hp);
     }
 
-    if (HPTaskAwoken == pdTRUE) {
+    if (hp == pdTRUE) {
         portYIELD_FROM_ISR();
     }
     //DBG_PIN_SET(0);
@@ -116,7 +116,7 @@ static void CAMERA_ISR_IRAM_ATTR ll_cam_vsync_isr(void *arg)
 static void CAMERA_ISR_IRAM_ATTR ll_cam_dma_isr(void *arg)
 {
     cam_obj_t *cam = (cam_obj_t *)arg;
-    BaseType_t HPTaskAwoken = pdFALSE;
+    BaseType_t hp = pdFALSE;
 
     typeof(GDMA.channel[cam->dma_num].in.int_st) status = GDMA.channel[cam->dma_num].in.int_st;
     if (status.val == 0) {
@@ -126,20 +126,19 @@ static void CAMERA_ISR_IRAM_ATTR ll_cam_dma_isr(void *arg)
     GDMA.channel[cam->dma_num].in.int_clr.val = status.val;
 
     if (status.in_suc_eof) {
-        ll_cam_send_event(cam, CAM_IN_SUC_EOF_EVENT, &HPTaskAwoken);
+        ll_cam_send_event(cam, CAM_IN_SUC_EOF_EVENT, &hp);
     }
 
-    if (HPTaskAwoken == pdTRUE) {
+    if (hp == pdTRUE) {
         portYIELD_FROM_ISR();
     }
 }
 
 bool IRAM_ATTR ll_cam_stop(cam_obj_t *cam)
 {
-    if (cam->jpeg_mode || !cam->psram_mode) {
-        GDMA.channel[cam->dma_num].in.int_ena.in_suc_eof = 0;
-        GDMA.channel[cam->dma_num].in.int_clr.in_suc_eof = 1;
-    }
+    GDMA.channel[cam->dma_num].in.int_ena.val = 0;
+    GDMA.channel[cam->dma_num].in.int_clr.val = 0xFFFFFFFFU; // register is W1C; mask covers all sources
+    LCD_CAM.cam_ctrl1.cam_start = 0;
     GDMA.channel[cam->dma_num].in.link.stop = 1;
     return true;
 }
@@ -148,10 +147,10 @@ bool ll_cam_start(cam_obj_t *cam, int frame_pos)
 {
     LCD_CAM.cam_ctrl1.cam_start = 0;
 
-    if (cam->jpeg_mode || !cam->psram_mode) {
-        GDMA.channel[cam->dma_num].in.int_clr.in_suc_eof = 1;
-        GDMA.channel[cam->dma_num].in.int_ena.in_suc_eof = 1;
-    }
+    GDMA.channel[cam->dma_num].in.int_ena.val = 0;
+    GDMA.channel[cam->dma_num].in.int_clr.val = 0xFFFFFFFFU; // register is W1C; mask covers all sources
+    GDMA.channel[cam->dma_num].in.int_clr.in_suc_eof = 1; // redundant but explicit
+    GDMA.channel[cam->dma_num].in.int_ena.in_suc_eof = 1; // only EOF interrupt is re-enabled
 
     LCD_CAM.cam_ctrl1.cam_reset = 1;
     LCD_CAM.cam_ctrl1.cam_reset = 0;

target/private_include/ll_cam.h

@@ -140,7 +140,7 @@ typedef struct {
 #endif
     uint32_t fb_size;
 
-    cam_state_t state;
+    volatile cam_state_t state;
 } cam_obj_t;
 
 
@@ -162,4 +162,4 @@ void ll_cam_dma_reset(cam_obj_t *cam);
 #endif
 
 // implemented in cam_hal
-void ll_cam_send_event(cam_obj_t *cam, cam_event_t cam_event, BaseType_t * HPTaskAwoken);
+void ll_cam_send_event(cam_obj_t *cam, cam_event_t cam_event, BaseType_t *hp);