From patchwork Thu Sep 9 15:08:03 2021
X-Patchwork-Submitter: Kieran Bingham
X-Patchwork-Id: 13795
From: Kieran Bingham
To: libcamera devel
Date: Thu, 9 Sep 2021 16:08:03 +0100
Message-Id: <20210909150803.4014957-1-kieran.bingham@ideasonboard.com>
Subject: [libcamera-devel] [PATCH] libcamera: v4l2_videodevice: Handle unexpected buffers

A kernel bug can lead to unexpected buffers being dequeued where we
haven't entered the buffer in our queuedBuffers_ list.

This causes invalid accesses if not handled correctly within libcamera,
and while it is a kernel issue, we can protect against unpatched
kernels to provide a more suitable error message.

This is fixed in the kernel by c592b46907ad ("media: videobuf2-core:
dequeue if start_streaming fails") [0]

[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c592b46907ad

Handle unexpected buffers by returning a nullptr, and move cache
management after the validation of the buffer.

Signed-off-by: Kieran Bingham
Reviewed-by: Paul Elder
Reviewed-by: Laurent Pinchart
---
 src/libcamera/v4l2_videodevice.cpp | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/libcamera/v4l2_videodevice.cpp b/src/libcamera/v4l2_videodevice.cpp
index 837a59d9bae2..7bb28aea357a 100644
--- a/src/libcamera/v4l2_videodevice.cpp
+++ b/src/libcamera/v4l2_videodevice.cpp
@@ -1654,9 +1654,28 @@ FrameBuffer *V4L2VideoDevice::dequeueBuffer() LOG(V4L2, Debug) << "Dequeuing buffer " << buf.index; + auto it = queuedBuffers_.find(buf.index); + /* + * If the video node fails to stream-on successfully (which can occur + * when queuing a buffer), a vb2 kernel bug can lead to the buffer which + * returns a failure upon queuing, being mistakenly kept in the kernel. + * This leads to the kernel notifying us that a buffer is available to + * dequeue, which we have no awareness of being queued, and thus we will + * not find it in the queuedBuffers_ list. + * + * Whilst this is a kernel bug and should be fixed there, ensure that we + * safely ignore buffers which are unexpected to prevent crashes on + * unpatched kernels. + */ + if (it == queuedBuffers_.end()) { + LOG(V4L2, Error) + << "Dequeued an unexpected buffer: " << buf.index; + + return nullptr; + } + cache_->put(buf.index); - auto it = queuedBuffers_.find(buf.index); FrameBuffer *buffer = it->second; queuedBuffers_.erase(it);
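
Review bot: The block comment ahead of the `if (it == queuedBuffers_.end())` check describes the vb2 bug but does not name the kernel fix, c592b46907ad ("media: videobuf2-core: dequeue if start_streaming fails"), which appears only in the commit message. Citing it in the comment would let a later reader tell which kernels still need this guard and when it can be dropped. The same comment could also state that the early `return nullptr;` deliberately skips `cache_->put(buf.index);` for an index that was never queued, since that reordering is what keeps the cache state untouched on the error path, and it is the only thing protecting the later `it->second` dereference from being applied to an end iterator. A smaller style point: the comment sits between the `find()` call and the `if`, and its first sentence ("the buffer which returns a failure upon queuing, being mistakenly kept in the kernel") is hard to parse; placing the comment above the `find()` and rewording that sentence would read more cleanly.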