From: Tomasz Stanislawski <t.stanislaws@samsung.com>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
	airlied@redhat.com, m.szyprowski@samsung.com,
	kyungmin.park@samsung.com, sumit.semwal@ti.com,
	daeinki@gmail.com, daniel.vetter@ffwll.ch, robdclark@gmail.com,
	pawel@osciak.com, linaro-mm-sig@lists.linaro.org,
	hverkuil@xs4all.nl, remi@remlab.net, subashrp@gmail.com,
	mchehab@redhat.com, g.liakhovetski@gmx.de
Subject: Re: [PATCHv7 06/15] v4l: vb2-dma-contig: remove reference of alloc_ctx from a buffer
Date: Wed, 20 Jun 2012 13:51:06 +0200
Message-ID: <4FE1B92A.7080702@samsung.com>
In-Reply-To: <63837768.yEisOgrV5B@avalon>

Hi Laurent,

On 06/19/2012 11:00 PM, Laurent Pinchart wrote:
> Hi Tomasz,
> 
> Thanks for the patch.
> 
> On Thursday 14 June 2012 15:37:40 Tomasz Stanislawski wrote:
>> This patch removes a reference to alloc_ctx from an instance of a DMA
>> contiguous buffer. It helps to avoid a risk of a dangling pointer if the
>> context is released while the buffer is still valid.
> 
> Can this really happen ? All drivers except marvell-ccic seem to call 
> vb2_dma_contig_cleanup_ctx() in their remove handler and probe cleanup path 
> only. Freeing the context while buffers are still around would be a driver 
> bug, and I expect drivers to destroy the queue in that case anyway.
> 
> This being said, removing the dereference step is a good idea, so I think the
> patch should be applied, possibly with a different commit message.
>

The problem may happen if DMABUF sharing is used.
- process A uses a V4L2 queue to create a buffer
- process A exports the buffer and shares it with process B (by sockets or /proc/pid/fd)
- process A gets killed, the queue is destroyed
- someone calls rmmod on the v4l driver, alloc_ctx is freed
- process B keeps a reference to a buffer that has a dangling reference to alloc_ctx

The presented scenario might be a bit too pathological and artificial.
Moreover it involves root privileges. But it is possible to trigger this bug.
One solution might be keeping a reference count in alloc_ctx, but it would
be easier to get rid of the reference to alloc_ctx from the vb2-dma-contig buffer.

BTW, I decided to drop 'Remove unneeded allocation context structure'
because Marek Szyprowski is working on an extension to vb2-dma-contig
that allows creating buffers with no kernel mappings. That feature
involved an additional parameter to alloc_ctx other than the pointer to
the device.

Regards,
Tomasz Stanislawski

>> Moreover it removes one
>> dereference step while accessing a device structure.
>>
>> Signed-off-by: Tomasz Stanislawski <t.stanislaws@samsung.com>
>> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
> 
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> 
>> +		dma_free_coherent(buf->dev, buf->size, buf->vaddr,
>>  				  buf->dma_addr);
>>  		kfree(buf);
>>  	}
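
Review bot: in the free path, dma_free_coherent(buf->dev, ...) now depends on a bare device pointer stored in the buffer, and nothing in the visible lines shows that pointer being pinned for the buffer's lifetime. Given the DMABUF scenario described in this reply, where an exported buffer outlives both the queue and the module, consider taking a reference with get_device() where buf->dev is assigned and dropping it with put_device(buf->dev) here before kfree(buf), or state in the commit message why the device is guaranteed to outlive every buffer.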
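
The lifetime problem described in this message, replayed as a userspace model with both remedies it mentions (a reference count in the context, or no context pointer in the buffer). This is an added example, not code from the patch or from vb2-dma-contig; every type and function name is hypothetical, and the device is a static object, so device lifetime itself is not modelled.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the vb2-dma-contig code. */
struct device { int id; };
struct alloc_ctx { struct device *dev; int refs; };
struct buf { struct alloc_ctx *ctx; struct device *dev; int refs; };

static int live_ctx; /* contexts allocated and not yet freed */

static struct alloc_ctx *ctx_new(struct device *dev) {
    struct alloc_ctx *c = malloc(sizeof(*c));
    if (!c) abort();
    c->dev = dev; c->refs = 1; live_ctx++;
    return c;
}
static void ctx_put(struct alloc_ctx *c) { if (--c->refs == 0) { free(c); live_ctx--; } }

/* pin_ctx=1: counted context reference; 0: copy dev, keep no context pointer. */
static struct buf *buf_alloc(struct alloc_ctx *c, int pin_ctx) {
    struct buf *b = malloc(sizeof(*b));
    if (!b) abort();
    b->dev = c->dev; b->refs = 1;
    b->ctx = pin_ctx ? c : NULL;
    if (pin_ctx) c->refs++;
    return b;
}
/* Returns the device id used on the free path, or -1 while still shared. */
static int buf_put(struct buf *b) {
    if (--b->refs > 0) return -1;
    int id = b->ctx ? b->ctx->dev->id : b->dev->id;
    if (b->ctx) ctx_put(b->ctx);
    free(b);
    return id;
}
/* Replays the steps from the message; dev is static, so it outlives both. */
static int scenario(int pin_ctx, int *ctx_alive_after_rmmod) {
    static struct device dev = { 7 };
    struct alloc_ctx *c = ctx_new(&dev);   /* driver probe */
    struct buf *b = buf_alloc(c, pin_ctx); /* process A creates the buffer */
    b->refs++;                             /* export: process B holds it too */
    buf_put(b);                            /* process A killed, queue destroyed */
    ctx_put(c);                            /* rmmod: driver drops its context */
    *ctx_alive_after_rmmod = live_ctx;
    return buf_put(b);                     /* process B releases the buffer */
}
int main(void) {
    int alive, id = scenario(1, &alive);
    printf("refcounted ctx: id=%d, ctx alive after rmmod=%d\n", id, alive);
    id = scenario(0, &alive);
    printf("copied dev: id=%d, ctx alive after rmmod=%d\n", id, alive);
}
```

With the counted reference the context survives rmmod until the last buffer goes away; with the copied device pointer the context is freed at rmmod and the free path never touches it.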
