{"id":17994,"url":"https://patchwork.libcamera.org/api/1.1/patches/17994/?format=json","web_url":"https://patchwork.libcamera.org/patch/17994/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/1.1/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20221213093802.704177-4-paul.elder@ideasonboard.com>","date":"2022-12-13T09:38:02","name":"[libcamera-devel,3/3] libcamera: camera: Add todo for race condition on queueRequest","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"3e3dad6389fc1e974021aa79b68b42055a0f98fa","submitter":{"id":17,"url":"https://patchwork.libcamera.org/api/1.1/people/17/?format=json","name":"Paul Elder","email":"paul.elder@ideasonboard.com"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/17994/mbox/","series":[{"id":3669,"url":"https://patchwork.libcamera.org/api/1.1/series/3669/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=3669","date":"2022-12-13T09:37:59","name":"lc-compliance: Fix SimpleCapture test","version":1,"mbox":"https://patchwork.libcamera.org/series/3669/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/17994/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/17994/checks/","tags":{},"headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 22B4EC328D\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue, 13 Dec 2022 09:38:19 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id C8C456336C;\n\tTue, 13 Dec 2022 10:38:18 +0100 
(CET)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 16DB563354\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue, 13 Dec 2022 10:38:17 +0100 (CET)","from pyrite.tail37cf.ts.net (h175-177-042-159.catv02.itscom.jp\n\t[175.177.42.159])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id E2EF9AFC;\n\tTue, 13 Dec 2022 10:38:15 +0100 (CET)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1670924298;\n\tbh=AqyWvYINfP/fhCIr12ILm72HuTFOR9Ucc4NP/MUJz1o=;\n\th=To:Date:In-Reply-To:References:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:\n\tFrom;\n\tb=lbnNQ2t6eVWs8aOkpWndoONpuUJTnKs5+KQzEL32frrJr5L5AjVBidM+JK7+3TVYw\n\tVimCIpKVXYHsE8qwQnihqWZl/lDlPZi8Y3dZk70JEc2cpAWU/U5bVQYzO17fwZqHod\n\tn2GDuBM7/IbZUeKx+fiU5qAJrJq4zvzQYCt+6l3puuS/3X5vbw1Ozjcp+Sfd8NK3Pi\n\tcqdxAl5JcPb/z442nIXnDzaqIpeQF+2xg5ip8LaxXyITAGb/s9Y1aSn5405uHuuj01\n\tB4c5CyI5fjjDXU5o7pJCTyFpZj1i1Z7mVDNavGTVycp8vU+62jmHB+r4RLqmRoXibt\n\t5xmYMAum7iWhA==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1670924296;\n\tbh=AqyWvYINfP/fhCIr12ILm72HuTFOR9Ucc4NP/MUJz1o=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=ffuqU4SOyQ0yq89aN04fwQP4cN+8OGUY+z0blql04pgizPwQYlEJULT093tPcjVMC\n\t5SEP6Ro+RKa4OrEQ4W1+ze2/qT6dOdmb9Is7J4OQ3HFJKIjudL2uXbSZYlKxElyVoQ\n\terVBHKM3xnPMtQXS2GdewGB7WFZKh1M9dZgSAV6g="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"ffuqU4SO\"; dkim-atps=neutral","To":"libcamera-devel@lists.libcamera.org","Date":"Tue, 13 Dec 2022 18:38:02 +0900","Message-Id":"<20221213093802.704177-4-paul.elder@ideasonboard.com>","X-Mailer":"git-send-email 
2.35.1","In-Reply-To":"<20221213093802.704177-1-paul.elder@ideasonboard.com>","References":"<20221213093802.704177-1-paul.elder@ideasonboard.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH 3/3] libcamera: camera: Add todo for race\n\tcondition on queueRequest","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","From":"Paul Elder via libcamera-devel <libcamera-devel@lists.libcamera.org>","Reply-To":"Paul Elder <paul.elder@ideasonboard.com>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"},"content":"There is a risk of a racy segfault in Camera::queueRequest, related to\nmarking a Request for reuse without queueing it to the camera.\nCamera::queueRequest() could race with Camera::stop(), which would\ntrigger a segfault if the buffers are freed before their Requests.\n\nAs it's not too critical at the moment, add a description of the problem\nand a todo.\n\nSigned-off-by: Paul Elder <paul.elder@ideasonboard.com>\n---\n src/libcamera/camera.cpp | 15 +++++++++++++++\n 1 file changed, 15 insertions(+)","diff":"diff --git a/src/libcamera/camera.cpp b/src/libcamera/camera.cpp\nindex 2d947a44..6d871895 100644\n--- a/src/libcamera/camera.cpp\n+++ b/src/libcamera/camera.cpp\n@@ -1114,6 +1114,21 @@ int Camera::queueRequest(Request 
*request)\n {\n \tPrivate *const d = _d();\n \n+\t/*\n+\t * There is a risk of a racy segfault here. If the application marks a\n+\t * Request for reuse and queues it, but stop() changes the camera state\n+\t * before we reach this point, then we would end up in a situation\n+\t * where we have a buffer added to a Request yet not queued to the\n+\t * camera. Thus Camera::stop() will not complete the buffer and\n+\t * request, and if the buffer is freed before its request is destroyed,\n+\t * then it will cause a segfault when the request tries to cancel the\n+\t * freed buffer.\n+\t *\n+\t * The temporary workaround is to force applications to make sure to\n+\t * free requests before the buffers.\n+\t *\n+\t * \\todo Fix this race condition.\n+\t */\n \tint ret = d->isAccessAllowed(Private::CameraRunning);\n \tif (ret < 0)\n \t\treturn ret;\n","prefixes":["libcamera-devel","3/3"]}
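Review bot: The workaround sentence in the comment added above `int ret = d->isAccessAllowed(Private::CameraRunning);` says applications are forced to free requests before the buffers, but the hunk adds only a comment inside the function body, so nothing enforces that ordering and application developers will not see it. Consider rewording it as a requirement ("applications must destroy requests before freeing their buffers") and stating the same rule in the public documentation of Camera::queueRequest() and Camera::stop(). It would also help to say explicitly that the failing path is the `if (ret < 0) return ret;` just below, which returns the request unqueued with its buffer still attached, since "before we reach this point" leaves that implicit.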