[libcamera-devel] [PATCH] libcamera: v4l2_videodevice: Handle unexpected buffers

paul.elder at ideasonboard.com
Wed Jul 28 04:11:25 CEST 2021


Hi Kieran,

On Thu, Jul 15, 2021 at 03:21:30PM +0100, Kieran Bingham wrote:
> A kernel bug can lead to unexpected buffers being dequeued where we
> haven't entered the buffer in our queuedBuffers_ list.
> 
> This causes invalid accesses if not handled correctly within libcamera,
> and while it is a kernel issue, we must protect against unpatched
> kernels.
> 
> Handle unexpected buffers by returning a nullptr, and move cache
> management after the validation of the buffer.
> 
> Signed-off-by: Kieran Bingham <kieran.bingham at ideasonboard.com>

Looks good.

Reviewed-by: Paul Elder <paul.elder at ideasonboard.com>

> ---
>  src/libcamera/v4l2_videodevice.cpp | 21 ++++++++++++++++++++-
>  1 file changed, 20 insertions(+), 1 deletion(-)
> 
> diff --git a/src/libcamera/v4l2_videodevice.cpp b/src/libcamera/v4l2_videodevice.cpp
> index 3d2d99b46e4e..6c7f9daf24db 100644
> --- a/src/libcamera/v4l2_videodevice.cpp
> +++ b/src/libcamera/v4l2_videodevice.cpp
> @@ -1519,9 +1519,28 @@ FrameBuffer *V4L2VideoDevice::dequeueBuffer()
>  
>  	LOG(V4L2, Debug) << "Dequeuing buffer " << buf.index;
>  
> +	auto it = queuedBuffers_.find(buf.index);
> +	/*
> +	 * If the video node fails to stream-on successfully (which can occur
> +	 * when queing a buffer), a vb2 kernel bug can lead to the buffer which
> +	 * returns a failure upon queing, being mistakenely kept in the kernel.
> +	 * This leads to the kernel notifying us that a buffer is available to
> +	 * dequeue, which we have no awareness of being queued, and thus we will
> +	 * not find it in the queuedBuffers_ list.
> +	 *
> +	 * Whilst this is a kernel bug and should be fixed there, ensure that we
> +	 * safely ignore buffers which are unexpected to prevent crashes on
> +	 * unpatched kernels.
> +	 */
> +	if (it == queuedBuffers_.end()) {
> +		LOG(V4L2, Error)
> +			<< "Dequeued an unexpected buffer:" << buf.index;
> +
> +		return nullptr;
> +	}
> +
>  	cache_->put(buf.index);
>  
> -	auto it = queuedBuffers_.find(buf.index);
>  	FrameBuffer *buffer = it->second;
>  	queuedBuffers_.erase(it);
>  
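Review bot: the error message in the new `LOG(V4L2, Error)` line is missing a space before the index, so it prints as "Dequeued an unexpected buffer:3"; suggest `<< "Dequeued an unexpected buffer: " << buf.index;`. The comment above the check also carries two typos worth fixing before merge: "queing" should be "queuing" (it appears twice) and "mistakenely" should be "mistakenly". The ordering itself is right: returning before `cache_->put(buf.index)` keeps the cache from being told about an index libcamera never handed out, and `it` is only dereferenced after the `end()` check. Because this path now returns nullptr, the callers of dequeueBuffer() (not in this hunk) must tolerate a null return rather than treating every dequeue event as a delivered frame.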
> -- 
> 2.30.2
> 

