{"id":11547,"url":"https://patchwork.libcamera.org/api/1.1/patches/11547/?format=json","web_url":"https://patchwork.libcamera.org/patch/11547/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/1.1/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20210311093325.8933-1-m.cichy@pengutronix.de>","date":"2021-03-11T09:33:25","name":"[libcamera-devel,v2] libcamera: gst: Fix double-free when acquire_buffer fails","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"2a231a6ad34fc2ae7a83aaa28c1ceaea53bc0203","submitter":{"id":80,"url":"https://patchwork.libcamera.org/api/1.1/people/80/?format=json","name":"Marian Cichy","email":"m.cichy@pengutronix.de"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/11547/mbox/","series":[{"id":1783,"url":"https://patchwork.libcamera.org/api/1.1/series/1783/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=1783","date":"2021-03-11T09:33:25","name":"[libcamera-devel,v2] libcamera: gst: Fix double-free when acquire_buffer fails","version":2,"mbox":"https://patchwork.libcamera.org/series/1783/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/11547/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/11547/checks/","tags":{},"headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id B4FC4BD1F1\n\tfor <parsemail@patchwork.libcamera.org>;\n\tThu, 11 Mar 2021 09:33:39 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id E1E9568C69;\n\tThu, 11 Mar 2021 10:33:38 +0100 (CET)","from metis.ext.pengutronix.de (metis.ext.pengutronix.de\n\t[IPv6:2001:67c:670:201:290:27ff:fe1d:cc33])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 063C868AA3\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tThu, 11 Mar 2021 10:33:37 +0100 (CET)","from dude02.hi.pengutronix.de ([2001:67c:670:100:1d::28])\n\tby metis.ext.pengutronix.de with esmtps\n\t(TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)\n\t(envelope-from <mci@pengutronix.de>)\n\tid 1lKHhI-00067z-Bm; Thu, 11 Mar 2021 10:33:36 +0100","from mci by dude02.hi.pengutronix.de with local (Exim 4.92)\n\t(envelope-from <mci@pengutronix.de>)\n\tid 1lKHhH-0002Ll-Ug; Thu, 11 Mar 2021 10:33:35 +0100"],"From":"Marian Cichy <m.cichy@pengutronix.de>","To":"libcamera-devel@lists.libcamera.org","Date":"Thu, 11 Mar 2021 10:33:25 +0100","Message-Id":"<20210311093325.8933-1-m.cichy@pengutronix.de>","X-Mailer":"git-send-email 2.29.2","MIME-Version":"1.0","X-SA-Exim-Connect-IP":"2001:67c:670:100:1d::28","X-SA-Exim-Mail-From":"mci@pengutronix.de","X-SA-Exim-Scanned":"No (on metis.ext.pengutronix.de);\n\tSAEximRunCond expanded to false","X-PTX-Original-Recipient":"libcamera-devel@lists.libcamera.org","Subject":"[libcamera-devel] [PATCH v2] libcamera: gst: Fix double-free when\n\tacquire_buffer fails","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"graphics@pengutronix.de, Marian Cichy <m.cichy@pengutronix.de>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"},"content":"If gst_buffer_pool_acquire_buffer in gst_libcamera_task_run fails, the\nunique_ptr to the request-object gets reset and hence, its destructor\nis called. However, the wrap-object points to the same object and is\nstill alive at this moment. When the task_run-function is finished, the\ndestructor of the wrap-object is called, which in return calls the\ndestructor of the request-object again.\n\nInstead of taking care of both, the request and the wrap-object, we can\nmove the request to the wrap which will then effectively take care of\nthe request object automatically.\n\nSigned-off-by: Marian Cichy <m.cichy@pengutronix.de>\nSuggested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n---\n src/gstreamer/gstlibcamerasrc.cpp | 28 ++++++++++++----------------\n 1 file changed, 12 insertions(+), 16 deletions(-)","diff":"diff --git a/src/gstreamer/gstlibcamerasrc.cpp b/src/gstreamer/gstlibcamerasrc.cpp\nindex 636c14df..e86c3d7f 100644\n--- a/src/gstreamer/gstlibcamerasrc.cpp\n+++ b/src/gstreamer/gstlibcamerasrc.cpp\n@@ -52,19 +52,19 @@ GST_DEBUG_CATEGORY_STATIC(source_debug);\n #define GST_CAT_DEFAULT source_debug\n \n struct RequestWrap {\n-\tRequestWrap(Request *request);\n+\tRequestWrap(std::unique_ptr<Request> request);\n \t~RequestWrap();\n \n \tvoid attachBuffer(GstBuffer *buffer);\n \tGstBuffer *detachBuffer(Stream *stream);\n \n \t/* For ptr comparison only. */\n-\tRequest *request_;\n+\tstd::unique_ptr<Request> request_;\n \tstd::map<Stream *, GstBuffer *> buffers_;\n };\n \n-RequestWrap::RequestWrap(Request *request)\n-\t: request_(request)\n+RequestWrap::RequestWrap(std::unique_ptr<Request> request)\n+\t: request_(std::move(request))\n {\n }\n \n@@ -74,8 +74,6 @@ RequestWrap::~RequestWrap()\n \t\tif (item.second)\n \t\t\tgst_buffer_unref(item.second);\n \t}\n-\n-\tdelete request_;\n }\n \n void RequestWrap::attachBuffer(GstBuffer *buffer)\n@@ -164,7 +162,7 @@ GstLibcameraSrcState::requestCompleted(Request *request)\n \tstd::unique_ptr<RequestWrap> wrap = std::move(requests_.front());\n \trequests_.pop();\n \n-\tg_return_if_fail(wrap->request_ == request);\n+\tg_return_if_fail(wrap->request_.get() == request);\n \n \tif ((request->status() == Request::RequestCancelled)) {\n \t\tGST_DEBUG_OBJECT(src_, \"Request was cancelled\");\n@@ -268,8 +266,7 @@ gst_libcamera_src_task_run(gpointer user_data)\n \tGstLibcameraSrc *self = GST_LIBCAMERA_SRC(user_data);\n \tGstLibcameraSrcState *state = self->state;\n \n-\tstd::unique_ptr<Request> request = state->cam_->createRequest();\n-\tauto wrap = std::make_unique<RequestWrap>(request.get());\n+\tauto wrap = std::make_unique<RequestWrap>(state->cam_->createRequest());\n \tfor (GstPad *srcpad : state->srcpads_) {\n \t\tGstLibcameraPool *pool = gst_libcamera_pad_get_pool(srcpad);\n \t\tGstBuffer *buffer;\n@@ -279,24 +276,23 @@ gst_libcamera_src_task_run(gpointer user_data)\n \t\t\t\t\t\t     &buffer, nullptr);\n \t\tif (ret != GST_FLOW_OK) {\n \t\t\t/*\n-\t\t\t * RequestWrap does not take ownership, and we won't be\n-\t\t\t * queueing this one due to lack of buffers.\n+\t\t\t * RequestWrap has ownership of the rquest, and we\n+\t\t\t * won't be queueing this one due to lack of buffers.\n \t\t\t */\n-\t\t\trequest.reset();\n+\t\t\twrap.release();\n \t\t\tbreak;\n \t\t}\n \n \t\twrap->attachBuffer(buffer);\n \t}\n \n-\tif (request) {\n+\tif (wrap) {\n \t\tGLibLocker lock(GST_OBJECT(self));\n \t\tGST_TRACE_OBJECT(self, \"Requesting buffers\");\n-\t\tstate->cam_->queueRequest(request.get());\n+\t\tstate->cam_->queueRequest(wrap->request_.get());\n \t\tstate->requests_.push(std::move(wrap));\n \n-\t\t/* The request will be deleted in the completion handler. */\n-\t\trequest.release();\n+\t\t/* The RequestWrap will be deleted in the completion handler. */\n \t}\n \n \tGstFlowReturn ret = GST_FLOW_OK;\n","prefixes":["libcamera-devel","v2"]}