From: Tomasz Stanislawski <t.stanislaws@samsung.com>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
	airlied@redhat.com, m.szyprowski@samsung.com,
	kyungmin.park@samsung.com, sumit.semwal@ti.com,
	daeinki@gmail.com, daniel.vetter@ffwll.ch, robdclark@gmail.com,
	pawel@osciak.com, linaro-mm-sig@lists.linaro.org,
	hverkuil@xs4all.nl, remi@remlab.net, subashrp@gmail.com,
	mchehab@redhat.com, g.liakhovetski@gmx.de
Subject: Re: [PATCHv7 06/15] v4l: vb2-dma-contig: remove reference of alloc_ctx from a buffer
Date: Wed, 20 Jun 2012 13:51:06 +0200
Message-ID: <4FE1B92A.7080702@samsung.com>
In-Reply-To: <63837768.yEisOgrV5B@avalon>

Hi Laurent,

On 06/19/2012 11:00 PM, Laurent Pinchart wrote:
> Hi Tomasz,
> 
> Thanks for the patch.
> 
> On Thursday 14 June 2012 15:37:40 Tomasz Stanislawski wrote:
>> This patch removes a reference to alloc_ctx from an instance of a DMA
>> contiguous buffer. It helps to avoid a risk of a dangling pointer if the
>> context is released while the buffer is still valid.
> 
> Can this really happen ? All drivers except marvell-ccic seem to call 
> vb2_dma_contig_cleanup_ctx() in their remove handler and probe cleanup path 
> only. Freeing the context while buffers are still around would be a driver 
> bug, and I expect drivers to destroy the queue in that case anyway.
> 
> This being said, removing the dereference step is a good idea, so I think the
> patch should be applied, possibly with a different commit message.
>

The problem may happen if DMABUF sharing is used.
- process A uses V4L2 queue to create a buffer
- process A exports a buffer and shares it with the process B (by sockets or /proc/pid/fd)
- the process A gets killed, queue is destroyed
- someone calls rmmod on v4l driver, alloc_ctx is freed
- process B keeps reference to a buffer that has a dangling reference to alloc_ctx

The presented scenario might be a bit too pathological and artificial.
Moreover it involves root privileges. But it is possible to trigger this bug.
One solution might be keeping a reference count in alloc_ctx but it would
be easier to get rid of the reference to alloc_ctx from vb2-dma-contig buffer.

BTW. I decided to drop 'Remove unneeded allocation context structure'
because Marek Szyprowski is working on an extension to vb2-dma-contig
that allows creating buffers with no kernel mappings. That feature
involved an additional parameter to alloc_ctx other than a pointer to
the device.

Regards,
Tomasz Stanislawski

>> Moreover it removes one
>> dereference step while accessing a device structure.
>>
>> Signed-off-by: Tomasz Stanislawski <t.stanislaws@samsung.com>
>> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
> 
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> 
>> +		dma_free_coherent(buf->dev, buf->size, buf->vaddr,
>>  				  buf->dma_addr);
>>  		kfree(buf);
>>  	}
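Review bot: The added dma_free_coherent() line now relies on buf->dev still pointing at a live struct device when the buffer is released, and nothing in the visible lines shows the buffer holding a reference on that device. Since a DMABUF-exported buffer can outlive the queue, consider taking get_device() where buf->dev is stored at allocation and calling put_device(buf->dev) after dma_free_coherent() and before kfree(buf), so this pointer cannot go stale the way the alloc_ctx pointer could. The commit message should also describe the export/rmmod sequence that motivates the change, as requested in the review.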


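The reference-counting alternative mentioned in the reply above, replayed as an added user-space model of the export / queue teardown / rmmod sequence (this is not code from the message or from the kernel). `model_ctx`, `model_buf` and all helper names are hypothetical stand-ins for alloc_ctx and the vb2-dma-contig buffer.

```c
#include <stdlib.h>
/* Constructed user-space model; every name here is hypothetical, not kernel API. */
struct model_ctx { int refs; int dev_id; };   /* dev_id stands in for the device pointer */
struct model_buf { struct model_ctx *ctx; };  /* the back-reference under discussion */
static int ctx_freed;                         /* how many contexts have been freed */

static struct model_ctx *ctx_init(int dev_id)
{
    struct model_ctx *c = malloc(sizeof(*c));
    if (!c) return NULL;
    c->refs = 1;                              /* the driver's own reference */
    c->dev_id = dev_id;
    return c;
}

static void ctx_put(struct model_ctx *c)
{
    /* Only the last holder frees the context. */
    if (--c->refs == 0) { free(c); ctx_freed++; }
}

static struct model_buf *buf_alloc(struct model_ctx *c)
{
    struct model_buf *b = malloc(sizeof(*b));
    if (!b) return NULL;
    b->ctx = c;
    c->refs++;                                /* the buffer pins the context it points to */
    return b;
}

static void buf_release(struct model_buf *b)
{
    ctx_put(b->ctx);
    free(b);
}

/* Replays the sequence from the message; returns 1 if the context outlived
 * "rmmod" while the importer held the buffer and was freed exactly once after. */
int replay_scenario(void)
{
    ctx_freed = 0;
    struct model_ctx *ctx = ctx_init(7);
    struct model_buf *buf = ctx ? buf_alloc(ctx) : NULL; /* process A creates and exports */
    if (!buf) { free(ctx); return 0; }
    ctx_put(ctx);                             /* queue gone, rmmod drops the driver's reference */
    int alive = ctx_freed == 0 && buf->ctx->dev_id == 7; /* process B's view is still valid */
    buf_release(buf);                         /* process B closes its descriptor */
    return alive && ctx_freed == 1;
}

int main(void) { return replay_scenario() ? 0 : 1; }
```

Without the `c->refs++` in `buf_alloc()`, the `ctx_put()` at the rmmod step would free the context while `buf->ctx` still points at it, which is the dangling reference the patch avoids by dropping the back-pointer altogether.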