From patchwork Sun Nov 24 00:39:17 2019
X-Patchwork-Submitter: Laurent Pinchart
X-Patchwork-Id: 2347
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Sun, 24 Nov 2019 02:39:17 +0200
Message-Id: <20191124003917.10887-1-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH] libcamera: thread: Fix locking when moving object

When moving an Object to a Thread, messages posted for the object are moved to the target thread's message queue. This requires locking the message queues of the current and target threads, as the target thread may be (and usually is) running.

The implementation is faulty as it locks the thread data instead of the message queue. This creates a race condition with a tiny but exploitable time window.

The issue was noticed by the event-thread test rarely but reproducibly failing with the following assertion error:

[1:39:33.850878042]FATAL default thread.cpp:440 assertion "data_ == receiver->thread()->data_" failed

The issue only occurred when libcamera was compiled in release mode, further hinting at a race condition.

Fixes: 01b930964acd ("libcamera: thread: Add a messaging passing API")
Signed-off-by: Laurent Pinchart
Reviewed-by: Niklas Söderlund
--- src/libcamera/thread.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libcamera/thread.cpp b/src/libcamera/thread.cpp index e152af14631e..029a0e8fddd5 100644 --- a/src/libcamera/thread.cpp +++ b/src/libcamera/thread.cpp
@@ -456,8 +456,8 @@ void Thread::moveObject(Object *object) ThreadData *currentData = object->thread_->data_; ThreadData *targetData = data_; - MutexLocker lockerFrom(currentData->mutex_, std::defer_lock); - MutexLocker lockerTo(targetData->mutex_, std::defer_lock); + MutexLocker lockerFrom(currentData->messages_.mutex_, std::defer_lock); + MutexLocker lockerTo(targetData->messages_.mutex_, std::defer_lock); std::lock(lockerFrom, lockerTo); moveObject(object, currentData, targetData);
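Review bot: in the two MutexLocker lines of Thread::moveObject, nothing in the visible context rules out currentData == targetData, in which case lockerFrom and lockerTo wrap the same messages_.mutex_ and std::lock(lockerFrom, lockerTo) would try to lock one mutex twice. If callers already guarantee that the object is not on the target thread, an assertion or a comment here would make that explicit; otherwise return early when the two ThreadData pointers match. Since the bug was taking currentData->mutex_ where messages_.mutex_ was meant, a one-line comment above the lockers stating that messages_.mutex_ is the lock protecting the message queue would also help keep the two mutexes from being confused again.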