[{"id":2278,"web_url":"https://patchwork.libcamera.org/comment/2278/","msgid":"<20190716054829.GE4384@wyvern>","date":"2019-07-16T05:48:29","subject":"Re: [libcamera-devel] [PATCH 2/2] libcamera: pipeline: ipu3: Free\n\tinternal buffers after stopping streaming","submitter":{"id":5,"url":"https://patchwork.libcamera.org/api/people/5/","name":"Niklas Söderlund","email":"niklas.soderlund@ragnatech.se"},"content":"Hi Laurent,\n\nThanks for your patch.\n\nOn 2019-07-16 08:42:18 +0300, Laurent Pinchart wrote:\n> The internal buffers between the CIO2 and ImgU are freed by the\n> CIO2Device::stop() method, which is called first when stopping\n> streaming. The ImgUDevice::stop() method is then called, and attempts to\n> report completion for all queued buffers, which we have just freed. The\n> use-after-free corrupts memory, leading to crashes.\n> \n> Fix this by moving the vector of internal buffers to the IPU3CameraData\n> where it belongs, and free the buffers after stopping both devices.\n> \n> Signed-off-by: Laurent Pinchart \n\nReviewed-by: Niklas Söderlund \n\n> ---\n> src/libcamera/pipeline/ipu3/ipu3.cpp | 28 ++++++++++++----------------\n> 1 file changed, 12 insertions(+), 16 deletions(-)\n> \n> diff --git a/src/libcamera/pipeline/ipu3/ipu3.cpp b/src/libcamera/pipeline/ipu3/ipu3.cpp\n> index febc867b4d7e..159a9312f95e 100644\n> --- a/src/libcamera/pipeline/ipu3/ipu3.cpp\n> +++ b/src/libcamera/pipeline/ipu3/ipu3.cpp\n> @@ -122,7 +122,7 @@ public:\n> \tBufferPool *exportBuffers();\n> \tvoid freeBuffers();\n> \n> -\tint start();\n> +\tint start(std::vector> *buffer);\n> \tint stop();\n> \n> \tstatic int mediaBusToFormat(unsigned int code);\n> @@ -132,7 +132,6 @@ public:\n> \tCameraSensor *sensor_;\n> \n> \tBufferPool pool_;\n> -\tstd::vector> buffers_;\n> };\n> \n> class IPU3Stream : public Stream\n> @@ -165,6 +164,8 @@ public:\n> \n> \tIPU3Stream outStream_;\n> \tIPU3Stream vfStream_;\n> +\n> +\tstd::vector> rawBuffers_;\n> };\n> \n> class IPU3CameraConfiguration : public CameraConfiguration\n> @@ -688,7 +689,7 @@ int PipelineHandlerIPU3::start(Camera *camera)\n> \t * Start the ImgU video devices, buffers will be queued to the\n> \t * ImgU output and viewfinder when requests will be queued.\n> \t */\n> -\tret = cio2->start();\n> +\tret = cio2->start(&data->rawBuffers_);\n> \tif (ret)\n> \t\tgoto error;\n> \n> @@ -704,6 +705,7 @@ int PipelineHandlerIPU3::start(Camera *camera)\n> error:\n> \tLOG(IPU3, Error) << \"Failed to start camera \" << camera->name();\n> \n> +\tdata->rawBuffers_.clear();\n> \treturn ret;\n> }\n> \n> @@ -717,6 +719,8 @@ void PipelineHandlerIPU3::stop(Camera *camera)\n> \tif (ret)\n> \t\tLOG(IPU3, Warning) << \"Failed to stop camera \"\n> \t\t\t\t << camera->name();\n> +\n> +\tdata->rawBuffers_.clear();\n> }\n> \n> int PipelineHandlerIPU3::queueRequest(Camera *camera, Request *request)\n> @@ -1454,26 +1458,18 @@ void CIO2Device::freeBuffers()\n> \t\tLOG(IPU3, Error) << \"Failed to release CIO2 buffers\";\n> }\n> \n> -int CIO2Device::start()\n> +int CIO2Device::start(std::vector> *buffers)\n> {\n> -\tint ret;\n> -\n> -\tbuffers_ = output_->queueAllBuffers();\n> -\tif (buffers_.empty())\n> +\t*buffers = output_->queueAllBuffers();\n> +\tif (buffers->empty())\n> \t\treturn -EINVAL;\n> \n> -\tret = output_->streamOn();\n> -\tif (ret)\n> -\t\treturn ret;\n> -\n> -\treturn 0;\n> +\treturn output_->streamOn();\n> }\n> \n> int CIO2Device::stop()\n> {\n> -\tint ret = output_->streamOff();\n> -\tbuffers_.clear();\n> -\treturn ret;\n> +\treturn output_->streamOff();\n> }\n> \n> int CIO2Device::mediaBusToFormat(unsigned int code)\n> -- \n> Regards,\n> \n> Laurent Pinchart\n> \n> _______________________________________________\n> libcamera-devel mailing list\n> libcamera-devel@lists.libcamera.org\n> https://lists.libcamera.org/listinfo/libcamera-devel","headers":{"Return-Path":"","Received":["from mail-pf1-x444.google.com (mail-pf1-x444.google.com\n\t[IPv6:2607:f8b0:4864:20::444])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 37C6F60E3C\n\tfor ;\n\tTue, 16 Jul 2019 07:48:36 +0200 (CEST)","by mail-pf1-x444.google.com with SMTP id q10so8527221pff.9\n\tfor ;\n\tMon, 15 Jul 2019 22:48:36 -0700 (PDT)","from localhost ([2a00:79e1:abc:3602:7ede:6a18:219f:2025])\n\tby smtp.gmail.com with ESMTPSA id\n\tk22sm19289869pfk.157.2019.07.15.22.48.33\n\t(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);\n\tMon, 15 Jul 2019 22:48:33 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=ragnatech-se.20150623.gappssmtp.com; s=20150623;\n\th=date:from:to:cc:subject:message-id:references:mime-version\n\t:content-disposition:content-transfer-encoding:in-reply-to\n\t:user-agent; bh=/BP2talylTAUBXxKc117rCTnXKFbPwlPlqcRtyIC/Is=;\n\tb=Z64U8ZEOCiPWLL7FhH5tNCJjvBl3Jd2RpnSW6E1eABR2XtQi6pBq6Tg3H9SG21CzEh\n\t+rBvMpJ6p7RkcJ239WI9VYjyn5UJ+WocJU2fBlJcFop9KwYidF4PrqBqTqC0RNhHtnm9\n\t0fRWMRE/SoVRs4I859JhrhjUM1715BKmvBBhEmH7g09+Ojy4Kf5pZ7Jg0bsBuzPTRRZd\n\tS0cfJyF24dx7xT80eHRcpWxXL4C2xGliY73mpkRjJkjq2c1VAqj5J6PqiR++Z5oEJNw8\n\tQbq7xHp0Va9NOaxSIkgmrFZSzSWE56juTuY/xL8SryrD+EVQnEb5xS7G7z0FUQUohiqX\n\tJgKQ==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:date:from:to:cc:subject:message-id:references\n\t:mime-version:content-disposition:content-transfer-encoding\n\t:in-reply-to:user-agent;\n\tbh=/BP2talylTAUBXxKc117rCTnXKFbPwlPlqcRtyIC/Is=;\n\tb=rK1zBJen1awL5588X1Dyip0aCXpTQ9y0G8PNxbDfBOGzrMTEF6b2d/x94rG4u85Qf4\n\tWO1dNdQIoUjM8I1cGL5o1IL1cCdcvDAxwo8EzeTvKjeemFRJo5NKlCd/SZBfGQlzJvFA\n\tv8aJtNUVvw0ECiGokD4l6MsfXZmSOLGFvP0rUwmcKomFsr33t2SCZqPNOThXi2twv+/c\n\tlpaqgUxLnH1dzjIdKKlfZncVXSB0XHr5Iu7KT/yPBlIL4IpW9T9m9v8z5WG/P2HFUKEX\n\t8S8aZRwikzQHftu7/GyL+ot2igfxSev/q018AOpOMtlyTAdSvrJ6NKARYw8AIBiJc7Ji\n\tdt2w==","X-Gm-Message-State":"APjAAAXVwt/wMsjszdlbr27kN98t7sGUUVSiZb/1/1ezHfQ/rw0CtN6m\n\tTRwRTue1xZyoBaPQlc+M/4zONh9o+24=","X-Google-Smtp-Source":"APXvYqxSAbrORfj15OYt9MxBMveMfkeQIMmH1myyouxLeh/wO+EPwNkE1cdn5Km7KRZ8JkVgN22bVg==","X-Received":"by 2002:a65:6415:: with SMTP id\n\ta21mr22057489pgv.98.1563256114615; \n\tMon, 15 Jul 2019 22:48:34 -0700 (PDT)","Date":"Tue, 16 Jul 2019 14:48:29 +0900","From":"Niklas =?iso-8859-1?q?S=F6derlund?= ","To":"Laurent Pinchart ","Cc":"libcamera-devel@lists.libcamera.org","Message-ID":"<20190716054829.GE4384@wyvern>","References":"<20190716054218.22136-1-laurent.pinchart@ideasonboard.com>\n\t<20190716054218.22136-2-laurent.pinchart@ideasonboard.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=iso-8859-1","Content-Disposition":"inline","Content-Transfer-Encoding":"8bit","In-Reply-To":"<20190716054218.22136-2-laurent.pinchart@ideasonboard.com>","User-Agent":"Mutt/1.12.1 (2019-06-15)","Subject":"Re: [libcamera-devel] [PATCH 2/2] libcamera: pipeline: ipu3: Free\n\tinternal buffers after stopping streaming","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.23","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","X-List-Received-Date":"Tue, 16 Jul 2019 05:48:36 -0000"}},{"id":2283,"web_url":"https://patchwork.libcamera.org/comment/2283/","msgid":"<20190716073425.GC7030@emerald.amanokami.net>","date":"2019-07-16T07:34:25","subject":"Re: [libcamera-devel] [PATCH 2/2] libcamera: pipeline: ipu3: Free\n\tinternal buffers after stopping streaming","submitter":{"id":17,"url":"https://patchwork.libcamera.org/api/people/17/","name":"Paul Elder","email":"paul.elder@ideasonboard.com"},"content":"Hi Laurent,\n\nThanks for the patch.\n\nOn Tue, Jul 16, 2019 at 08:42:18AM +0300, Laurent Pinchart wrote:\n> The internal buffers between the CIO2 and ImgU are freed by the\n> CIO2Device::stop() method, which is called first when stopping\n> streaming. The ImgUDevice::stop() method is then called, and attempts to\n> report completion for all queued buffers, which we have just freed. The\n> use-after-free corrupts memory, leading to crashes.\n> \n> Fix this by moving the vector of internal buffers to the IPU3CameraData\n> where it belongs, and free the buffers after stopping both devices.\n> \n> Signed-off-by: Laurent Pinchart \n> ---\n> src/libcamera/pipeline/ipu3/ipu3.cpp | 28 ++++++++++++----------------\n> 1 file changed, 12 insertions(+), 16 deletions(-)\n> \n> diff --git a/src/libcamera/pipeline/ipu3/ipu3.cpp b/src/libcamera/pipeline/ipu3/ipu3.cpp\n> index febc867b4d7e..159a9312f95e 100644\n> --- a/src/libcamera/pipeline/ipu3/ipu3.cpp\n> +++ b/src/libcamera/pipeline/ipu3/ipu3.cpp\n> @@ -122,7 +122,7 @@ public:\n> \tBufferPool *exportBuffers();\n> \tvoid freeBuffers();\n> \n> -\tint start();\n> +\tint start(std::vector> *buffer);\n\ns/buffer/buffers\n\nTo match the definition that you have below.\n\nOther than than, looks good to me.\n\nReviewed-by: Paul Elder \n\n> \tint stop();\n> \n> \tstatic int mediaBusToFormat(unsigned int code);\n> @@ -132,7 +132,6 @@ public:\n> \tCameraSensor *sensor_;\n> \n> \tBufferPool pool_;\n> -\tstd::vector> buffers_;\n> };\n> \n> class IPU3Stream : public Stream\n> @@ -165,6 +164,8 @@ public:\n> \n> \tIPU3Stream outStream_;\n> \tIPU3Stream vfStream_;\n> +\n> +\tstd::vector> rawBuffers_;\n> };\n> \n> class IPU3CameraConfiguration : public CameraConfiguration\n> @@ -688,7 +689,7 @@ int PipelineHandlerIPU3::start(Camera *camera)\n> \t * Start the ImgU video devices, buffers will be queued to the\n> \t * ImgU output and viewfinder when requests will be queued.\n> \t */\n> -\tret = cio2->start();\n> +\tret = cio2->start(&data->rawBuffers_);\n> \tif (ret)\n> \t\tgoto error;\n> \n> @@ -704,6 +705,7 @@ int PipelineHandlerIPU3::start(Camera *camera)\n> error:\n> \tLOG(IPU3, Error) << \"Failed to start camera \" << camera->name();\n> \n> +\tdata->rawBuffers_.clear();\n> \treturn ret;\n> }\n> \n> @@ -717,6 +719,8 @@ void PipelineHandlerIPU3::stop(Camera *camera)\n> \tif (ret)\n> \t\tLOG(IPU3, Warning) << \"Failed to stop camera \"\n> \t\t\t\t << camera->name();\n> +\n> +\tdata->rawBuffers_.clear();\n> }\n> \n> int PipelineHandlerIPU3::queueRequest(Camera *camera, Request *request)\n> @@ -1454,26 +1458,18 @@ void CIO2Device::freeBuffers()\n> \t\tLOG(IPU3, Error) << \"Failed to release CIO2 buffers\";\n> }\n> \n> -int CIO2Device::start()\n> +int CIO2Device::start(std::vector> *buffers)\n> {\n> -\tint ret;\n> -\n> -\tbuffers_ = output_->queueAllBuffers();\n> -\tif (buffers_.empty())\n> +\t*buffers = output_->queueAllBuffers();\n> +\tif (buffers->empty())\n> \t\treturn -EINVAL;\n> \n> -\tret = output_->streamOn();\n> -\tif (ret)\n> -\t\treturn ret;\n> -\n> -\treturn 0;\n> +\treturn output_->streamOn();\n> }\n> \n> int CIO2Device::stop()\n> {\n> -\tint ret = output_->streamOff();\n> -\tbuffers_.clear();\n> -\treturn ret;\n> +\treturn output_->streamOff();\n> }\n> \n> int CIO2Device::mediaBusToFormat(unsigned int code)\n> -- \n> Regards,\n> \n> Laurent Pinchart\n> \n> _______________________________________________\n> libcamera-devel mailing list\n> libcamera-devel@lists.libcamera.org\n> https://lists.libcamera.org/listinfo/libcamera-devel","headers":{"Return-Path":"","Received":["from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 5F9FE60C23\n\tfor ;\n\tTue, 16 Jul 2019 09:34:33 +0200 (CEST)","from emerald.amanokami.net (unknown\n\t[IPv6:2a00:79e1:abc:3602:b57a:2dda:be67:ac6e])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id D9B3A564;\n\tTue, 16 Jul 2019 09:34:31 +0200 (CEST)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1563262473;\n\tbh=kgTFHTgQuOuAQJwPiiIaWhjdPkaZ0mCBo1J6uiFv34k=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=bSYcn1nVh4M84D/vI/MMzEy+OPyUHkEqEY+D7/3dkMauSxWBLz0AUc+rROExC/IQH\n\t+EnUn2ZvlOJfqCWBjqw6egmFM5QWCtoSjewtRT148F5xFCmb93b6AyVSN8TeK5fGFJ\n\t9uX4nExiF3tqjepYt54mxBMIPMIs7Ei+/KiRmWwM=","Date":"Tue, 16 Jul 2019 16:34:25 +0900","From":"Paul Elder ","To":"Laurent Pinchart ","Cc":"libcamera-devel@lists.libcamera.org","Message-ID":"<20190716073425.GC7030@emerald.amanokami.net>","References":"<20190716054218.22136-1-laurent.pinchart@ideasonboard.com>\n\t<20190716054218.22136-2-laurent.pinchart@ideasonboard.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20190716054218.22136-2-laurent.pinchart@ideasonboard.com>","User-Agent":"Mutt/1.9.4 (2018-02-28)","Subject":"Re: [libcamera-devel] [PATCH 2/2] libcamera: pipeline: ipu3: Free\n\tinternal buffers after stopping streaming","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.23","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","X-List-Received-Date":"Tue, 16 Jul 2019 07:34:33 -0000"}}]