[{"id":5302,"web_url":"https://patchwork.libcamera.org/comment/5302/","msgid":"<20200620022507.GZ5823@pendragon.ideasonboard.com>","date":"2020-06-20T02:25:07","subject":"Re: [libcamera-devel] [PATCH v2 13/17] v4l2: v4l2_camera: Clear\n\tpending requests on freeBuffers and streamOff","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"Hi Paul,\n\nThank you for the patch.\n\nOn Fri, Jun 19, 2020 at 02:41:19PM +0900, Paul Elder wrote:\n> V4L2 allows buffer queueing before streamon while libcamera does not.\n> The compatibility layer thus saves these buffers in a pending queue\n> until streamon, and then automatically queues them. However, this\n> pending queue is not cleared when the buffers are freed, so the\n> following sequence of actions will cause a use-after-free:\n> \n> 1. queue buffers\n> 2. free buffers\n>    - buffers from 1. stay in pending queue but have been freed\n> 3. queue buffers\n> 4. streamon\n>    - buffers from 1. are enqueued, then the buffers from 3. are\n>      enqueued. Use-after-free segfault when libcamera tries to handle\n>      the enqueued buffers from 1.\n> \n> Fix this by clearing the pending request queue upon buffers being freed.\n> Also clear the pending request queue on streamOff, for correctness.\n> \n> Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>\n> Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>\n> \n> ---\n> Changes in v2:\n> - also clear pending request queue on streamOff\n> - clarify the issue in changelog\n> ---\n>  src/v4l2/v4l2_camera.cpp | 4 +++-\n>  1 file changed, 3 insertions(+), 1 deletion(-)\n> \n> diff --git a/src/v4l2/v4l2_camera.cpp b/src/v4l2/v4l2_camera.cpp\n> index 99d34b9..301a80e 100644\n> --- a/src/v4l2/v4l2_camera.cpp\n> +++ b/src/v4l2/v4l2_camera.cpp\n> 
@@ -148,6 +148,7 @@ void V4L2Camera::freeBuffers()\n>  \tStream *stream = *camera_->streams().begin();\n>  \n>  \tbufferAllocator_->free(stream);\n> +\tpendingRequests_.clear();\n\nWouldn't it be safer to first clear pendingRequests_, as the requests\nreference the buffers ? The Request destructor should not access the\nbuffers, so in practice it should be fine, but inverting the order would\nseem less fragile to me.\n\n>  }\n>  \n>  FileDescriptor V4L2Camera::getBufferFd(unsigned int index)\n> 
@@ -187,7 +188,8 @@ int V4L2Camera::streamOn()\n>  \n>  int V4L2Camera::streamOff()\n>  {\n> -\t/* \\todo Restore buffers to reqbufs state? */\n> +\tpendingRequests_.clear();\n> +\n\nShould this be moved after the isRunning_ check ?\n\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n\n>  \tif (!isRunning_)\n>  \t\treturn 0;\n>","headers":{"Return-Path":"<laurent.pinchart@ideasonboard.com>","Received":["from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 77B9160710\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSat, 20 Jun 2020 04:25:31 +0200 (CEST)","from pendragon.ideasonboard.com (81-175-216-236.bb.dnainternet.fi\n\t[81.175.216.236])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id D58CA592;\n\tSat, 20 Jun 2020 04:25:30 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"GUxxX+d7\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1592619931;\n\tbh=9nnhmypBoZSHi6c6Nx8dmq7s65sYrbFBjRXtsrTr//I=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=GUxxX+d71kTHUHLRihwun9R+6bgk1qHT3QOWqNWDU7EWhKYQhzwzZyNZ/Am4gXEPp\n\topPPQsjxdJhmcL1UPxYJDwMgAwYrbSRGnndFm+x6gdpYJ6qgYlPfZ96hGdtYEigITv\n\tPod72fJ6ckcYm2YfOTN1Nna/iIB2h9B/jotOBKsw=","Date":"Sat, 20 Jun 2020 05:25:07 +0300","From":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","To":"Paul Elder <paul.elder@ideasonboard.com>","Cc":"libcamera-devel@lists.libcamera.org","Message-ID":"<20200620022507.GZ5823@pendragon.ideasonboard.com>","References":"<20200619054123.19052-1-paul.elder@ideasonboard.com>\n\t<20200619054123.19052-14-paul.elder@ideasonboard.com>","MIME-Version":"1.0","Content-Type":"text/plain; 
charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20200619054123.19052-14-paul.elder@ideasonboard.com>","Subject":"Re: [libcamera-devel] [PATCH v2 13/17] v4l2: v4l2_camera: Clear\n\tpending requests on freeBuffers and streamOff","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","X-List-Received-Date":"Sat, 20 Jun 2020 02:25:31 -0000"}}]