From patchwork Tue Dec 13 09:38:02 2022
X-Patchwork-Submitter: Paul Elder
X-Patchwork-Id: 17994
From: Paul Elder
To: libcamera-devel@lists.libcamera.org
Date: Tue, 13 Dec 2022 18:38:02 +0900
Message-Id: <20221213093802.704177-4-paul.elder@ideasonboard.com>
In-Reply-To: <20221213093802.704177-1-paul.elder@ideasonboard.com>
References: <20221213093802.704177-1-paul.elder@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 3/3] libcamera: camera: Add todo for race condition on queueRequest

There is a risk of a racy segfault in Camera::queueRequest, related to marking a Request for reuse without queueing it to the camera. Camera::queueRequest() could race with Camera::stop(), which would trigger a segfault if the buffers are freed before their Requests.

As it's not too critical at the moment, add a description of the problem and a todo.

Signed-off-by: Paul Elder
--- src/libcamera/camera.cpp | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/libcamera/camera.cpp b/src/libcamera/camera.cpp index 2d947a44..6d871895 100644 --- a/src/libcamera/camera.cpp +++ b/src/libcamera/camera.cpp
@@ -1114,6 +1114,21 @@ int Camera::queueRequest(Request *request) { Private *const d = _d(); + /* + * There is a risk of a racy segfault here. If the application marks a + * Request for reuse and queues it, but stop() changes the camera state + * before we reach this point, then we would end up in a situation + * where we have a buffer added to a Request yet not queued to the + * camera. Thus Camera::stop() will not complete the buffer and + * request, and if the buffer is freed before its request is destroyed, + * then it will cause a segfault when the request tries to cancel the + * freed buffer. + * + * The temporary workaround is to force applications to make sure to + * free requests before the buffers. + * + * \todo Fix this race condition. + */ int ret = d->isAccessAllowed(Private::CameraRunning); if (ret < 0) return ret;
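Review bot: The workaround paragraph of the new comment ("force applications to make sure to free requests before the buffers") states an ordering requirement on applications, but it lives in a plain comment inside the body of Camera::queueRequest(), where application authors will not read it, and nothing in this hunk enforces it, since all 15 added lines are comment text. Suggest rewording "force" to "require" and stating the same requirement in the public documentation comment of queueRequest(), so the constraint is visible to the callers who have to honour it. The description could also name the failure precisely: a request cancelling an already freed buffer is a use-after-free, so a segfault is the likely symptom rather than a guaranteed one, which is worth saying next to the \todo so the fix is not deferred on the assumption that the bug always crashes cleanly.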