{"id":8415,"url":"https://patchwork.libcamera.org/api/1.1/patches/8415/?format=json","web_url":"https://patchwork.libcamera.org/patch/8415/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/1.1/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20200624145256.48266-18-paul.elder@ideasonboard.com>","date":"2020-06-24T14:52:51","name":"[libcamera-devel,v4,17/22] v4l2: v4l2_camera: Clear pending requests on freeBuffers and streamOff","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"8bb410862114a65186572d2210b8db0f12ae624d","submitter":{"id":17,"url":"https://patchwork.libcamera.org/api/1.1/people/17/?format=json","name":"Paul Elder","email":"paul.elder@ideasonboard.com"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/8415/mbox/","series":[{"id":1041,"url":"https://patchwork.libcamera.org/api/1.1/series/1041/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=1041","date":"2020-06-24T14:52:34","name":"Support v4l2-compliance","version":4,"mbox":"https://patchwork.libcamera.org/series/1041/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/8415/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/8415/checks/","tags":{},"headers":{"Return-Path":"<paul.elder@ideasonboard.com>","Received":["from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 9BA82609B3\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tWed, 24 Jun 2020 16:53:56 +0200 (CEST)","from jade.rasen.tech (unknown\n\t[IPv6:2400:4051:61:600:8147:f2a2:a8c6:9087])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 7A16A2A8;\n\tWed, 24 Jun 2020 16:53:54 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com; 
dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"Rky2R81w\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1593010436;\n\tbh=+JZqZReMXotnIPxlzWAao6FhXtvnDG+Qy2Bxax/Och4=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=Rky2R81wXN7tKS+zQtH67AZwSrg/u4t2GY7YJgwtnrzOuBR6ZitOwKNpJ5n97/BVU\n\th/oB6n+k5oMKVw+mmqjHkiE0NVHLKZloP9L+FO7fIWoT1yzgjG5qBPZMtXemS2nnUA\n\t9UDP6BHT1wm69tLmwExOuagIy7CBQNCB9NNiGxxM=","From":"Paul Elder <paul.elder@ideasonboard.com>","To":"libcamera-devel@lists.libcamera.org","Date":"Wed, 24 Jun 2020 23:52:51 +0900","Message-Id":"<20200624145256.48266-18-paul.elder@ideasonboard.com>","X-Mailer":"git-send-email 2.27.0","In-Reply-To":"<20200624145256.48266-1-paul.elder@ideasonboard.com>","References":"<20200624145256.48266-1-paul.elder@ideasonboard.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH v4 17/22] v4l2: v4l2_camera: Clear pending\n\trequests on freeBuffers and streamOff","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","X-List-Received-Date":"Wed, 24 Jun 2020 14:53:56 -0000"},"content":"V4L2 allows buffer queueing before streamon while libcamera does not.\nThe compatibility layer thus saves these buffers in a pending queue\nuntil streamon, and then 
automatically queues them. However, this\npending queue is not cleared when the buffers are freed, so the\nfollowing sequence of actions will cause a use-after-free:\n\n1. queue buffers\n2. free buffers\n   - buffers from 1. stay in pending queue but have been freed\n3. queue buffers\n4. streamon\n   - buffers from 1. are enqueued, then the buffers from 3. are\n     enqueued. Use-after-free segfault when libcamera tries to handle\n     the enqueued buffers from 1.\n\nFix this by clearing the pending request queue upon buffers being freed.\nAlso clear the pending request queue on streamOff, for correctness.\n\nSigned-off-by: Paul Elder <paul.elder@ideasonboard.com>\nReviewed-by: Jacopo Mondi <jacopo@jmondi.org>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n\n---\nNo change in v4\n\nChanges in v3:\n- reorder clearing the pending request queue, to before freeing\n  buffers, and to after checking isRunning\n\nChanges in v2:\n- also clear pending request queue on streamOff\n- clarify the issue in changelog\n---\n src/v4l2/v4l2_camera.cpp | 5 ++++-\n 1 file changed, 4 insertions(+), 1 deletion(-)","diff":"diff --git a/src/v4l2/v4l2_camera.cpp b/src/v4l2/v4l2_camera.cpp\nindex f7df9b8..ffc1230 100644\n--- a/src/v4l2/v4l2_camera.cpp\n+++ b/src/v4l2/v4l2_camera.cpp\n@@ -147,6 +147,8 @@ int V4L2Camera::allocBuffers(unsigned int count)\n \n void V4L2Camera::freeBuffers()\n {\n+\tpendingRequests_.clear();\n+\n \tStream *stream = *camera_->streams().begin();\n \tbufferAllocator_->free(stream);\n }\n@@ -188,10 +190,11 @@ int V4L2Camera::streamOn()\n \n int V4L2Camera::streamOff()\n {\n-\t/* \\todo Restore buffers to reqbufs state? */\n \tif (!isRunning_)\n \t\treturn 0;\n \n+\tpendingRequests_.clear();\n+\n \tint ret = camera_->stop();\n \tif (ret < 0)\n \t\treturn ret == -EACCES ? -EBUSY : ret;\n","prefixes":["libcamera-devel","v4","17/22"]}
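Review bot: in the freeBuffers() hunk, pendingRequests_.clear() is unconditional, while the v3 changelog says the clear was moved "to after checking isRunning"; no such check is visible in this function, so either freeBuffers() relies on the caller (the REQBUFS path) having already rejected freeing while streaming, or a guard such as `if (isRunning_) return;` belongs at the top of the function. A one-line comment stating which of the two holds would make the invariant explicit, and it is worth confirming that pendingRequests_ owns its Request objects so that clear() releases them rather than leaking.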
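Review bot: in the streamOff() hunk, the new pendingRequests_.clear() sits below `if (!isRunning_) return 0;`, so a STREAMOFF issued after QBUF but before any STREAMON leaves those requests pending and they will still be queued on the next streamOn(). V4L2 specifies that STREAMOFF removes all buffers from the queues even when the stream was never started, so consider placing the clear before the isRunning_ check; since the `/* \todo Restore buffers to reqbufs state? */` comment is removed here, the commit message should state that this clear is what implements that todo.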