{"id":11539,"url":"https://patchwork.libcamera.org/api/1.1/patches/11539/?format=json","web_url":"https://patchwork.libcamera.org/patch/11539/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/1.1/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20210309143518.31405-1-m.cichy@pengutronix.de>","date":"2021-03-09T14:35:18","name":"[libcamera-devel] libcamera: gst: Fix double-free when acquire_buffer fails","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":false,"hash":"ddcb992ee1391032f9be595b2ad7b3258ea00c2f","submitter":{"id":80,"url":"https://patchwork.libcamera.org/api/1.1/people/80/?format=json","name":"Marian Cichy","email":"m.cichy@pengutronix.de"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/11539/mbox/","series":[{"id":1778,"url":"https://patchwork.libcamera.org/api/1.1/series/1778/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=1778","date":"2021-03-09T14:35:18","name":"[libcamera-devel] libcamera: gst: Fix double-free when acquire_buffer fails","version":1,"mbox":"https://patchwork.libcamera.org/series/1778/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/11539/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/11539/checks/","tags":{},"headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 4EFFEBD1F1\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue,  9 Mar 2021 14:35:23 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id D9EC468AA3;\n\tTue,  9 Mar 2021 15:35:22 +0100 (CET)","from metis.ext.pengutronix.de (metis.ext.pengutronix.de\n\t[IPv6:2001:67c:670:201:290:27ff:fe1d:cc33])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 60E2568A99\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue,  9 Mar 2021 15:35:21 +0100 (CET)","from dude02.hi.pengutronix.de ([2001:67c:670:100:1d::28])\n\tby metis.ext.pengutronix.de with esmtps\n\t(TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)\n\t(envelope-from <mci@pengutronix.de>)\n\tid 1lJdSC-0000zZ-PX; Tue, 09 Mar 2021 15:35:20 +0100","from mci by dude02.hi.pengutronix.de with local (Exim 4.92)\n\t(envelope-from <mci@pengutronix.de>)\n\tid 1lJdSC-0008JN-HD; Tue, 09 Mar 2021 15:35:20 +0100"],"From":"Marian Cichy <m.cichy@pengutronix.de>","To":"libcamera-devel@lists.libcamera.org","Date":"Tue,  9 Mar 2021 15:35:18 +0100","Message-Id":"<20210309143518.31405-1-m.cichy@pengutronix.de>","X-Mailer":"git-send-email 2.29.2","MIME-Version":"1.0","X-SA-Exim-Connect-IP":"2001:67c:670:100:1d::28","X-SA-Exim-Mail-From":"mci@pengutronix.de","X-SA-Exim-Scanned":"No (on metis.ext.pengutronix.de);\n\tSAEximRunCond expanded to false","X-PTX-Original-Recipient":"libcamera-devel@lists.libcamera.org","Subject":"[libcamera-devel] [PATCH] libcamera: gst: Fix double-free when\n\tacquire_buffer fails","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"graphics@pengutronix.de, Marian Cichy <m.cichy@pengutronix.de>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"},"content":"If gst_buffer_pool_acquire_buffer in gst_libcamera_task_run fails, the\nunique_ptr to the request-object gets reset and hence, its destructor\nis called. However, the wrap-object points to the same object and is\nstill alive at this moment. When the task_run-function is finished, the\ndestructor of the wrap-object is called, which in return calls the\ndestructor of the request-object again.\n\nAlso note the wrong comment, which claims that WrapRequest does not\ntake ownership of the request, however, actually it already has\nownership.\n\nReplacing request.reset() with request.release() doesn't call the\ndestructor on the request-object and only one free happens at the end.\n\nSigned-off-by: Marian Cichy <m.cichy@pengutronix.de>\n---\n src/gstreamer/gstlibcamerasrc.cpp | 6 ++++--\n 1 file changed, 4 insertions(+), 2 deletions(-)","diff":"diff --git a/src/gstreamer/gstlibcamerasrc.cpp b/src/gstreamer/gstlibcamerasrc.cpp\nindex a8ed7652..b0194c2f 100644\n--- a/src/gstreamer/gstlibcamerasrc.cpp\n+++ b/src/gstreamer/gstlibcamerasrc.cpp\n@@ -279,10 +279,12 @@ gst_libcamera_src_task_run(gpointer user_data)\n \t\t\t\t\t\t     &buffer, nullptr);\n \t\tif (ret != GST_FLOW_OK) {\n \t\t\t/*\n-\t\t\t * RequestWrap does not take ownership, and we won't be\n+\t\t\t * RequestWrap has ownership, and we won't be\n \t\t\t * queueing this one due to lack of buffers.\n+\t\t\t * So the request will be freed when RequestWrap\n+\t\t\t * goes out of scope.\n \t\t\t */\n-\t\t\trequest.reset();\n+\t\t\trequest.release();\n \t\t\tbreak;\n \t\t}\n \n","prefixes":["libcamera-devel"]}