{"id":18546,"url":"https://patchwork.libcamera.org/api/patches/18546/?format=json","web_url":"https://patchwork.libcamera.org/patch/18546/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20230423203931.108022-4-umang.jain@ideasonboard.com>","date":"2023-04-23T20:39:31","name":"[libcamera-devel,3/3] apps: cam: kms_sink: Introduce a requests tracking queue","commit_ref":null,"pull_url":null,"state":"not-applicable","archived":false,"hash":"d2e1d2efd717a6ff05ba6d71681d7643fd1a6031","submitter":{"id":86,"url":"https://patchwork.libcamera.org/api/people/86/?format=json","name":"Umang Jain","email":"umang.jain@ideasonboard.com"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/18546/mbox/","series":[{"id":3845,"url":"https://patchwork.libcamera.org/api/series/3845/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=3845","date":"2023-04-23T20:39:28","name":"apps: cam: kms: Introduce requests tracking queue","version":1,"mbox":"https://patchwork.libcamera.org/series/3845/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/18546/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/18546/checks/","tags":{},"headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 5AC11C32A5\n\tfor <parsemail@patchwork.libcamera.org>;\n\tSun, 23 Apr 2023 20:39:47 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 9E16A627E1;\n\tSun, 23 Apr 2023 22:39:46 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id F2FE8627CF\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSun, 23 Apr 2023 22:39:42 +0200 (CEST)","from umang.jainideasonboard.com (unknown\n\t[IPv6:2401:4900:1f3f:df01:2ad:735a:b54c:741d])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id ABE79DFD;\n\tSun, 23 Apr 2023 22:39:32 +0200 (CEST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1682282386;\n\tbh=yjvqSOgsailu/1FTDCgOq4WLw5lm2RyFZx68MNvNTNI=;\n\th=To:Date:In-Reply-To:References:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:\n\tFrom;\n\tb=Q92CgDSu4/3ujJU1L80udP7zTy59Y+pgSHfhDz7jDIXBoiYkBWn+BlAt9p5PBCVCE\n\tes1D8X3avCzR4WC0Z/EgKGeD//E/5oEXcMCf+tccLiotvcSVYnKZxtYKrjlBaS1i7p\n\thviQwg6UHtMBDR0m5KyNxUPfYt57PK/J39QA5YQYu2sPHeTAwW0j/9ftmCxpCoYiWt\n\tuU+yLoc9uiv05Mej+zcSksrgrx5CFtI43Yjy++46PjbSgfoOoyWc9yRi0+TEPxhnaF\n\tNAjKyrDTci7Iu+Xfr5vwjEv6y2EbsvPfrz2TJ583SOAVvdH/qMPtnmKbRq16qO3ZEB\n\tvB/ZJMJ+gIVJw==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1682282373;\n\tbh=yjvqSOgsailu/1FTDCgOq4WLw5lm2RyFZx68MNvNTNI=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=mNrPUWy8GN0a/EFSjy6OMmKgcAX23M7eNNvJRXmU6iL0e+bn3EUaW3ttlqTZmB+wN\n\tYMy26ANoU1QnajFiDkQI6fFQcNSWOd/m8Z80x0FPJXpVSeDinxk2TmCW/zT+D/H0jZ\n\twIGzUeXKNfeBvw4JEqLNS8w0fv+CfqZz7nAnEzXI="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"mNrPUWy8\"; dkim-atps=neutral","To":"libcamera-devel@lists.libcamera.org","Date":"Mon, 24 Apr 2023 02:09:31 +0530","Message-Id":"<20230423203931.108022-4-umang.jain@ideasonboard.com>","X-Mailer":"git-send-email 2.39.1","In-Reply-To":"<20230423203931.108022-1-umang.jain@ideasonboard.com>","References":"<20230423203931.108022-1-umang.jain@ideasonboard.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH 3/3] apps: cam: kms_sink: Introduce a\n\trequests tracking queue","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","From":"Umang Jain via libcamera-devel <libcamera-devel@lists.libcamera.org>","Reply-To":"Umang Jain <umang.jain@ideasonboard.com>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"},"content":"Currently the queue depth tracking DRM completed requests is\neffectively 2, via queued_ and pending_ class members in KMSSink.\nThis patch introduces a queue which can track more requests thus giving\na higher queue depth.\n\nThe reason to introduce a higher queue depth is to avoid use-after-free\non KMSSink::stop() in cases where KMSSink class is frequently operated\nunder: start() -> configure() -> stop() cycles. As soon as the\nKMSSink::stop() is called, it used to free the queued_ and pending_\nrequests, but a DRM request can still complete asynchronously (and\nafter the queued_ and pending_ are freed). This led to use-after-free\nsegfault in Device::pageFlipComplete() while emitting the\n`requestComplete` signal on a (already freed) request.\n\nIn the design introduced in this patch, the requests already in the queue\nare marked as 'expired' and not freed in KMSSink::stop(). This prevents\nthe use-after-free segfault in Device::pageFlipComplete(). The expired\nrequests are dropped from the queue when new requests come into the\nqueue and gets completed in the KMSSink::requestComplete() handler.\n\nSigned-off-by: Umang Jain <umang.jain@ideasonboard.com>\n---\n src/apps/cam/kms_sink.cpp | 73 +++++++++++++++++++++------------------\n src/apps/cam/kms_sink.h   | 11 +++---\n 2 files changed, 47 insertions(+), 37 deletions(-)","diff":"diff --git a/src/apps/cam/kms_sink.cpp b/src/apps/cam/kms_sink.cpp\nindex 2aefec06..8305e6de 100644\n--- a/src/apps/cam/kms_sink.cpp\n+++ b/src/apps/cam/kms_sink.cpp\n@@ -24,7 +24,8 @@\n #include \"drm.h\"\n \n KMSSink::KMSSink(const std::string &connectorName)\n-\t: connector_(nullptr), crtc_(nullptr), plane_(nullptr), mode_(nullptr)\n+\t: connector_(nullptr), crtc_(nullptr), plane_(nullptr), mode_(nullptr),\n+\t  firstFrame_(false)\n {\n \tint ret = dev_.init();\n \tif (ret < 0)\n@@ -327,6 +328,8 @@ int KMSSink::start()\n \n \tdev_.requestComplete.connect(this, &KMSSink::requestComplete);\n \n+\tfirstFrame_ = true;\n+\n \treturn 0;\n }\n \n@@ -334,6 +337,13 @@ int KMSSink::stop()\n {\n \tdev_.requestComplete.disconnect();\n \n+\t{\n+\t\tstd::lock_guard<std::mutex> lock(lock_);\n+\t\t/* Expire all the DRM requests in the queue */\n+\t\tfor (std::unique_ptr<Request> &req : requests_)\n+\t\t\treq->expired_ = true;\n+\t}\n+\n \t/* Display pipeline. */\n \tDRM::AtomicRequest request(&dev_);\n \n@@ -352,9 +362,6 @@ int KMSSink::stop()\n \t}\n \n \t/* Free all buffers. */\n-\tpending_.reset();\n-\tqueued_.reset();\n-\tactive_.reset();\n \tbuffers_.clear();\n \n \treturn FrameSink::stop();\n@@ -450,13 +457,6 @@ bool KMSSink::setupComposition(DRM::FrameBuffer *drmBuffer)\n \n bool KMSSink::processRequest(libcamera::Request *camRequest)\n {\n-\t/*\n-\t * Perform a very crude rate adaptation by simply dropping the request\n-\t * if the display queue is full.\n-\t */\n-\tif (pending_)\n-\t\treturn true;\n-\n \tlibcamera::FrameBuffer *buffer = camRequest->buffers().begin()->second;\n \tauto iter = buffers_.find(buffer);\n \tif (iter == buffers_.end())\n@@ -469,7 +469,7 @@ bool KMSSink::processRequest(libcamera::Request *camRequest)\n \t\tstd::make_unique<DRM::AtomicRequest>(&dev_);\n \tdrmRequest->addProperty(plane_, \"FB_ID\", drmBuffer->id());\n \n-\tif (!active_ && !queued_) {\n+\tif (firstFrame_) {\n \t\t/* Enable the display pipeline on the first frame. */\n \t\tif (!setupComposition(drmBuffer)) {\n \t\t\tstd::cerr << \"Failed to setup composition\" << std::endl;\n@@ -497,22 +497,22 @@ bool KMSSink::processRequest(libcamera::Request *camRequest)\n \t\t\tdrmRequest->addProperty(plane_, \"COLOR_RANGE\", *colorRange_);\n \n \t\tflags |= DRM::AtomicRequest::FlagAllowModeset;\n+\t\tfirstFrame_ = false;\n \t}\n \n-\tpending_ = std::make_unique<Request>(std::move(drmRequest), camRequest);\n+\tstd::unique_ptr<Request> pending =\n+\t\tstd::make_unique<Request>(std::move(drmRequest), camRequest);\n \n \tstd::lock_guard<std::mutex> lock(lock_);\n \n-\tif (!queued_) {\n-\t\tint ret = pending_->drmRequest_->commit(flags);\n-\t\tif (ret < 0) {\n-\t\t\tstd::cerr\n-\t\t\t\t<< \"Failed to commit atomic request: \"\n-\t\t\t\t<< strerror(-ret) << std::endl;\n-\t\t\t/* \\todo Implement error handling */\n-\t\t}\n-\n-\t\tqueued_ = std::move(pending_);\n+\tint ret = pending->drmRequest_->commit(flags);\n+\tif (ret < 0) {\n+\t\tstd::cerr\n+\t\t\t<< \"Failed to commit atomic request: \"\n+\t\t\t<< strerror(-ret) << std::endl;\n+\t\t/* \\todo Implement error handling */\n+\t} else {\n+\t\trequests_.push_back(std::move(pending));\n \t}\n \n \treturn false;\n@@ -522,18 +522,25 @@ void KMSSink::requestComplete([[maybe_unused]] DRM::AtomicRequest *request)\n {\n \tstd::lock_guard<std::mutex> lock(lock_);\n \n-\tassert(queued_ && queued_->drmRequest_.get() == request);\n+\tstd::unique_ptr<Request> &headReq = requests_.front();\n \n-\t/* Complete the active request, if any. */\n-\tif (active_)\n-\t\trequestProcessed.emit(active_->camRequest_);\n+\tassert(headReq->drmRequest_.get() == request);\n \n-\t/* The queued request becomes active. */\n-\tactive_ = std::move(queued_);\n+\tif (!headReq->expired_) {\n+\t\trequestProcessed.emit(headReq->camRequest_);\n+\t\trequests_.pop_front();\n+\t} else {\n+\t\t/* Remove candidates which are expired */\n+\t\twhile (requests_.size() > 0) {\n+\t\t\tif (requests_.front()->expired_)\n+\t\t\t\trequests_.pop_front();\n+\t\t\telse\n+\t\t\t\tbreak;\n+\t\t}\n \n-\t/* Queue the pending request, if any. */\n-\tif (pending_) {\n-\t\tpending_->drmRequest_->commit(DRM::AtomicRequest::FlagAsync);\n-\t\tqueued_ = std::move(pending_);\n+\t\treturn;\n \t}\n+\n+\tif (requests_.size())\n+\t\trequests_.front()->drmRequest_->commit(DRM::AtomicRequest::FlagAsync);\n }\ndiff --git a/src/apps/cam/kms_sink.h b/src/apps/cam/kms_sink.h\nindex e2c618a1..a6b418aa 100644\n--- a/src/apps/cam/kms_sink.h\n+++ b/src/apps/cam/kms_sink.h\n@@ -7,6 +7,7 @@\n \n #pragma once\n \n+#include <deque>\n #include <list>\n #include <memory>\n #include <mutex>\n@@ -41,12 +42,14 @@ private:\n \tpublic:\n \t\tRequest(std::unique_ptr<DRM::AtomicRequest> drmRequest,\n \t\t\tlibcamera::Request *camRequest)\n-\t\t\t: drmRequest_(std::move(drmRequest)), camRequest_(camRequest)\n+\t\t\t: drmRequest_(std::move(drmRequest)), camRequest_(camRequest),\n+\t\t\t  expired_(false)\n \t\t{\n \t\t}\n \n \t\tstd::unique_ptr<DRM::AtomicRequest> drmRequest_;\n \t\tlibcamera::Request *camRequest_;\n+\t\tbool expired_;\n \t};\n \n \tint selectPipeline(const libcamera::PixelFormat &format);\n@@ -76,8 +79,8 @@ private:\n \n \tstd::map<libcamera::FrameBuffer *, std::unique_ptr<DRM::FrameBuffer>> buffers_;\n \n+\tbool firstFrame_;\n+\n \tstd::mutex lock_;\n-\tstd::unique_ptr<Request> pending_;\n-\tstd::unique_ptr<Request> queued_;\n-\tstd::unique_ptr<Request> active_;\n+\tstd::deque<std::unique_ptr<Request>> requests_;\n };\n","prefixes":["libcamera-devel","3/3"]}