[libcamera-devel] [PATCH 3/3] libcamera: camera: Add todo for race condition on queueRequest
Paul Elder
paul.elder at ideasonboard.com
Tue Dec 13 10:38:02 CET 2022
There is a risk of a racy segfault in Camera::queueRequest, related to
marking a Request for reuse without queueing it to the camera.
Camera::queueRequest() could race with Camera::stop(), which would
trigger a segfault if the buffers are freed before their Requests.
As it's not too critical at the moment, add a description of the problem
and a todo.
Signed-off-by: Paul Elder <paul.elder at ideasonboard.com>
---
src/libcamera/camera.cpp | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/libcamera/camera.cpp b/src/libcamera/camera.cpp
index 2d947a44..6d871895 100644
--- a/src/libcamera/camera.cpp
+++ b/src/libcamera/camera.cpp
@@ -1114,6 +1114,21 @@ int Camera::queueRequest(Request *request)
{
Private *const d = _d();
+ /*
+ * There is a risk of a racy segfault here. If the application marks a
+ * Request for reuse and queues it, but stop() changes the camera state
+ * before we reach this point, then we would end up in a situation
+ * where we have a buffer added to a Request yet not queued to the
+ * camera. Thus Camera::stop() will not complete the buffer and
+ * request, and if the buffer is freed before its request is destroyed,
+ * then it will cause a segfault when the request tries to cancel the
+ * freed buffer.
+ *
+ * The temporary workaround is to force applications to make sure to
+ * free requests before the buffers.
+ *
+ * \todo Fix this race condition.
+ */
int ret = d->isAccessAllowed(Private::CameraRunning);
if (ret < 0)
return ret;
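Review bot: The workaround this comment introduces ("applications must free requests before the buffers") is only stated inside the function body, where application developers will never see it; it should also be stated in the public Doxygen documentation of Camera::queueRequest() and Camera::stop() (and ideally Request::reuse()), so the ordering requirement is visible at the API surface until the race is fixed. Two smaller points on the same hunk: the described failure is a use-after-free (a cancelled Request touching a FrameBuffer that has already been destroyed), so it is worth naming it as such rather than only as a "segfault", since the symptom is not reliably a crash; and the comment sits above the `isAccessAllowed(Private::CameraRunning)` check while the window it describes is between that check and the point where the request is actually handed to the pipeline, so a sentence pointing at where the unsynchronised window lies (for example "the state check below is not atomic with the queueing that follows") would make the \todo actionable for whoever picks it up.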
--
2.35.1