From patchwork Fri Jun 19 05:41:19 2020
X-Patchwork-Submitter: Paul Elder
X-Patchwork-Id: 4093
From: Paul Elder
To: libcamera-devel@lists.libcamera.org
Date: Fri, 19 Jun 2020 14:41:19 +0900
Message-Id: <20200619054123.19052-14-paul.elder@ideasonboard.com>
In-Reply-To: <20200619054123.19052-1-paul.elder@ideasonboard.com>
References: <20200619054123.19052-1-paul.elder@ideasonboard.com>
Subject: [libcamera-devel] [PATCH v2 13/17] v4l2: v4l2_camera: Clear pending requests on freeBuffers and streamOff

V4L2 allows buffer queueing before streamon while libcamera does not. The
compatibility layer thus saves these buffers in a pending queue until
streamon, and then automatically queues them. However, this pending queue
is not cleared when the buffers are freed, so the following sequence of
actions will cause a use-after-free:

1. queue buffers
2. free buffers
   - buffers from 1. stay in pending queue but have been freed
3. queue buffers
4. streamon
   - buffers from 1. are enqueued, then the buffers from 3. are enqueued.
     Use-after-free segfault when libcamera tries to handle the enqueued
     buffers from 1.

Fix this by clearing the pending request queue upon buffers being freed.

Also clear the pending request queue on streamOff, for correctness.

Signed-off-by: Paul Elder
Reviewed-by: Jacopo Mondi
Reviewed-by: Laurent Pinchart

---
Changes in v2:
- also clear pending request queue on streamOff
- clarify the issue in changelog
---
 src/v4l2/v4l2_camera.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/v4l2/v4l2_camera.cpp b/src/v4l2/v4l2_camera.cpp
index 99d34b9..301a80e 100644
--- a/src/v4l2/v4l2_camera.cpp
+++ b/src/v4l2/v4l2_camera.cpp
@@ -148,6 +148,7 @@ void V4L2Camera::freeBuffers() Stream *stream = *camera_->streams().begin(); bufferAllocator_->free(stream); + pendingRequests_.clear(); } FileDescriptor V4L2Camera::getBufferFd(unsigned int index) @@ -187,7 +188,8 @@ int V4L2Camera::streamOn() int V4L2Camera::streamOff() { - /* \todo Restore buffers to reqbufs state? */ + pendingRequests_.clear(); + if (!isRunning_) return 0;
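Review bot: in the freeBuffers() hunk, `pendingRequests_.clear();` runs only after `bufferAllocator_->free(stream);` has released the buffers those requests point at, so for the duration of the free call the queue still references freed buffers. Moving the clear above the free keeps the invariant that no parked request ever outlives its buffers, at no cost. A one-line comment explaining why the queue must be emptied here (these requests were queued before STREAMON and never handed to libcamera) would also help the next reader, since nothing in the function otherwise mentions the pending queue.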
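Review bot: in the streamOff() hunk, placing `pendingRequests_.clear();` before the `if (!isRunning_) return 0;` early return is the right choice, since V4L2 STREAMOFF removes all buffers from the queues whether or not streaming ever started, but that ordering is easy to undo in a later refactor. The removed `/* \todo Restore buffers to reqbufs state? */` could be replaced with a short comment stating that the clear is intentionally unconditional. It is also worth confirming that requests already submitted to libcamera while isRunning_ is true are completed or cancelled by the stop path that follows, because clearing pendingRequests_ only covers requests that were never handed over.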
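As an added illustration, not part of the original mail or of libcamera's source, the following C++ model replays the four-step sequence from the changelog against a stripped-down pending queue, once without and once with the clear on free. CompatLayer, PendingRequest, replayCommitSequence and the allocation counter are hypothetical names; the model also assumes a REQBUFS between the free and the second queue, which V4L2 requires but the changelog leaves implicit. Tracking each parked request by (index, allocation) instead of by raw pointer lets the model count the stale entries rather than dereference freed memory, which is what the real layer did.

```cpp
// Added example, not libcamera code. A small model of the V4L2 compatibility
// layer's pending-request queue; all names here are hypothetical. Buffers are
// identified by (index, allocation generation) rather than by pointer so that
// a request left over from a freed allocation can be detected. In the real
// layer the request holds a pointer into the freed allocation instead, and
// handing it to libcamera is a use-after-free.
#include <cstddef>
#include <deque>
#include <iostream>
#include <vector>

struct PendingRequest {
	unsigned int index;      /* buffer index passed to QBUF */
	unsigned int allocation; /* REQBUFS generation the buffer belonged to */
};

class CompatLayer
{
public:
	explicit CompatLayer(bool clearOnFree) : clearOnFree_(clearOnFree) {}

	/* VIDIOC_REQBUFS with count > 0: (re)allocate the buffer pool. */
	void allocateBuffers(unsigned int count)
	{
		freeBuffers();
		++allocation_;
		bufferCount_ = count;
	}

	/* VIDIOC_REQBUFS with count == 0: release the pool. Requests that still
	 * reference it must not survive this call; clearOnFree_ selects the
	 * pre-patch (false) or patched (true) behaviour. */
	void freeBuffers()
	{
		bufferCount_ = 0;
		if (clearOnFree_)
			pendingRequests_.clear();
	}

	/* VIDIOC_QBUF before STREAMON: libcamera cannot take the request yet,
	 * so the layer parks it until streamOn(). */
	bool queueBuffer(unsigned int index)
	{
		if (index >= bufferCount_)
			return false;
		pendingRequests_.push_back({ index, allocation_ });
		return true;
	}

	/* VIDIOC_STREAMON: flush the pending queue to the camera. Returns how
	 * many parked requests referenced an allocation that is already gone. */
	std::size_t streamOn()
	{
		std::size_t stale = 0;
		for (const PendingRequest &req : pendingRequests_) {
			if (req.allocation != allocation_ || req.index >= bufferCount_)
				++stale;
			else
				queuedToCamera_.push_back(req.index);
		}
		pendingRequests_.clear();
		return stale;
	}

	/* VIDIOC_STREAMOFF: as in the patch, drop anything still parked. */
	void streamOff() { pendingRequests_.clear(); }

	std::size_t queuedToCamera() const { return queuedToCamera_.size(); }

private:
	bool clearOnFree_;
	unsigned int allocation_ = 0;
	unsigned int bufferCount_ = 0;
	std::deque<PendingRequest> pendingRequests_;
	std::vector<unsigned int> queuedToCamera_;
};

struct ReplayResult {
	std::size_t stale;  /* requests pointing at a freed allocation */
	std::size_t queued; /* requests actually handed to the camera */
};

/* The changelog's sequence: queue, free, (reqbufs), queue, streamon. */
ReplayResult replayCommitSequence(bool clearOnFree)
{
	CompatLayer layer(clearOnFree);
	layer.allocateBuffers(2);
	layer.queueBuffer(0);       /* step 1 */
	layer.queueBuffer(1);
	layer.freeBuffers();        /* step 2 */
	layer.allocateBuffers(2);   /* implied REQBUFS before queueing again */
	layer.queueBuffer(0);       /* step 3 */
	layer.queueBuffer(1);
	std::size_t stale = layer.streamOn(); /* step 4 */
	return { stale, layer.queuedToCamera() };
}

/* QBUF, STREAMOFF, STREAMON: nothing parked before STREAMOFF reaches the camera. */
std::size_t queuedAfterStreamOff()
{
	CompatLayer layer(true);
	layer.allocateBuffers(1);
	layer.queueBuffer(0);
	layer.streamOff();
	layer.streamOn();
	return layer.queuedToCamera();
}

int main()
{
	ReplayResult before = replayCommitSequence(false);
	ReplayResult after = replayCommitSequence(true);
	std::cout << "without clear on free: stale=" << before.stale
		  << " queued=" << before.queued << '\n';
	std::cout << "with clear on free:    stale=" << after.stale
		  << " queued=" << after.queued << '\n';
	return (before.stale == 2 && after.stale == 0) ? 0 : 1;
}
```

Without the clear, streamOn() sees two entries from the first allocation ahead of the two live ones, which is exactly the ordering the changelog describes; with the clear, only the live requests remain. The same shape would serve as a regression test for the compatibility layer if its pending queue were exposed to a test harness.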