All of lore.kernel.org
From: Hans Verkuil <hverkuil@xs4all.nl>
To: Tomasz Figa <tfiga@chromium.org>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Linux Media Mailing List <linux-media@vger.kernel.org>,
	Marek Szyprowski <m.szyprowski@samsung.com>,
	Sakari Ailus <sakari.ailus@linux.intel.com>
Subject: Re: [PATCH for v5.2] videobuf2-core.c: always reacquire USERPTR memory
Date: Fri, 7 Jun 2019 14:24:41 +0200
Message-ID: <c4bfba37-dc6c-43cd-c91c-1472d2f500c1@xs4all.nl>
In-Reply-To: <CAAFQd5CTgm0bimJOzdFUdM35Bro4xsLwa698E7pR_hQ=ebaM3g@mail.gmail.com>

On 6/7/19 2:20 PM, Tomasz Figa wrote:
> On Fri, Jun 7, 2019 at 9:01 PM Hans Verkuil <hverkuil@xs4all.nl> wrote:
>>
>> On 6/7/19 1:16 PM, Laurent Pinchart wrote:
>>> Hi Hans,
>>>
>>> Thank you for the patch.
>>>
>>> On Fri, Jun 07, 2019 at 10:45:31AM +0200, Hans Verkuil wrote:
>>>> The __prepare_userptr() function made the incorrect assumption that if the
>>>> same user pointer was used as the last one for which memory was acquired, then
>>>> there was no need to re-acquire the memory. This assumption was never properly
>>>> tested, and after doing that it became clear that this was in fact wrong.
>>>
>>> Could you explain in the commit message why the assumption is not
>>> correct ?
>>
>> You can free the memory, then allocate it again and you can get the same pointer,
>> even though it is not necessarily using the same physical pages for the memory
>> that the kernel is still using for it.
>>
>> Worse, you can free the memory, then allocate only half the memory you need and
>> get back the same pointer. vb2 wouldn't notice this. And it seems to work (since
>> the original mapping still remains), but this can corrupt userspace memory
>> causing the application to crash. It's not quite clear to me how the memory can
>> get corrupted. I don't know enough of those low-level mm internals to understand
>> the sequence of events.
> 
> Chrome specifically didn't keep the mapping between user pointers and
> indexes, so the cache just missed every time. What we noticed was
> the put_userptr on the previous userptr at the index being unmapped
> apparently caused that memory (often already returned back to the
> application) to be corrupted... But we didn't get to the bottom of it
> either, as we didn't have any MM expert look at the issue.

I think this patch needs a bit more work. The put_userptr should happen
before the buffer is dequeued to userspace, not when queuing a new buffer.

I'll make a v2.

Regards,

	Hans

> 
> The free and realloc scenario just came to my mind when trying to
> recall our original problem earlier today.
> 
> Best regards,
> Tomasz
> 

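The free-and-reallocate scenario described in this thread, as an added userspace model that is not code from the patch or from videobuf2: the mmap()/munmap() calls are real, while struct plane_state, get_userptr() and the two prepare_userptr_*() variants are stand-ins for vb2's per-plane bookkeeping and the pre-/post-patch __prepare_userptr() logic. The application maps two pages and queues them, frees them, maps only one page at the same address (MAP_FIXED is used purely so the hint is honoured deterministically; on Linux the hint normally comes back anyway after an munmap), and queues the unchanged (pointer, length) pair again. The pointer-equality shortcut keeps the old pin although the first page now has different, zero-filled backing and the second page is no longer mapped at all.

```c
/* Added example, not code from the patch or from videobuf2: a userspace
 * model of the USERPTR aliasing discussed above. mmap/munmap are real; the
 * vb2-side structures and functions below are hypothetical stand-ins. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Stand-in for the per-plane state vb2 keeps: the last user pointer and
 * length that were handed to the memory ops' get_userptr(). */
struct plane_state {
    void *userptr;
    size_t length;
    unsigned acquires;   /* how many times "get_userptr" ran */
};

/* Stand-in for get_userptr(): in the kernel this pins the pages that
 * currently back [userptr, userptr + length); here it just records them. */
static void get_userptr(struct plane_state *p, void *userptr, size_t length)
{
    p->userptr = userptr;
    p->length = length;
    p->acquires++;
}

/* Pre-patch shortcut: same pointer and length as last time => keep the pin.
 * Returns 1 if memory was (re)acquired, 0 if the stale pin was kept. */
int prepare_userptr_cached(struct plane_state *p, void *userptr, size_t length)
{
    if (p->userptr && p->userptr == userptr && p->length == length)
        return 0;
    get_userptr(p, userptr, length);
    return 1;
}

/* Post-patch behaviour: always re-acquire, whatever the pointer was. */
int prepare_userptr_always(struct plane_state *p, void *userptr, size_t length)
{
    get_userptr(p, userptr, length);
    return 1;
}

/* 1 if the page at addr is mapped in this process, 0 if not (mincore()
 * fails with ENOMEM on an unmapped range), -1 on any other error. */
int page_is_mapped(void *addr)
{
    unsigned char vec[1];
    if (mincore(addr, 1, (void *)vec) == 0)
        return 1;
    return errno == ENOMEM ? 0 : -1;
}

struct demo_result {
    int same_pointer;       /* the remap came back at the old address */
    int marker_survived;    /* old contents still visible at that address */
    int second_page_mapped; /* tail of the old buffer is still mapped */
    int cached_reacquired;  /* did the pre-patch logic re-pin? */
    int always_reacquired;  /* did the post-patch logic re-pin? */
};

/* Map two pages, "queue" them, free them, map one page at the same address,
 * then "queue" the same (pointer, length) again. Returns 0 on success. */
int run_demo(struct demo_result *r)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t buflen = 2 * page;
    struct plane_state cached = {0}, always = {0};

    unsigned char *buf = mmap(NULL, buflen, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;
    memset(buf, 0xA5, buflen);              /* marker for the "old" pages */

    /* First QBUF: both variants pin the two pages. */
    prepare_userptr_cached(&cached, buf, buflen);
    prepare_userptr_always(&always, buf, buflen);

    /* Application frees the buffer and allocates a smaller one. The range
     * was just unmapped, so MAP_FIXED here only forces the same address. */
    if (munmap(buf, buflen) != 0)
        return -1;
    unsigned char *nbuf = mmap(buf, page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (nbuf == MAP_FAILED)
        return -1;

    r->same_pointer = (nbuf == buf);
    r->marker_survived = (nbuf[0] == 0xA5); /* fresh anon pages read as 0 */
    r->second_page_mapped = page_is_mapped(buf + page);

    /* Second QBUF with the unchanged (pointer, length) pair. */
    r->cached_reacquired = prepare_userptr_cached(&cached, buf, buflen);
    r->always_reacquired = prepare_userptr_always(&always, buf, buflen);

    munmap(nbuf, page);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("mmap/munmap");
        return 1;
    }
    printf("same pointer after remap: %d\n", r.same_pointer);
    printf("old marker still visible: %d\n", r.marker_survived);
    printf("second page still mapped: %d\n", r.second_page_mapped);
    printf("pre-patch logic re-pinned: %d\n", r.cached_reacquired);
    printf("post-patch logic re-pinned: %d\n", r.always_reacquired);
    return 0;
}
```

The userspace half is all that can be shown here: what the pinned pages in the kernel actually alias afterwards is exactly the part of the sequence nobody in the thread claims to have traced, so the model stops at showing that pointer equality no longer says anything about the mapping behind it.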


Thread overview: 30+ messages
2019-06-07  8:45 [PATCH for v5.2] videobuf2-core.c: always reacquire USERPTR memory Hans Verkuil
2019-06-07 11:16 ` Laurent Pinchart
2019-06-07 12:01   ` Hans Verkuil
2019-06-07 12:14     ` Marek Szyprowski
2019-06-07 12:23       ` Hans Verkuil
2019-06-07 12:47         ` Hans Verkuil
2019-06-07 13:40           ` Hans Verkuil
2019-06-07 13:53             ` Tomasz Figa
2019-06-07 13:55             ` Marek Szyprowski
2019-06-07 13:58               ` Laurent Pinchart
2019-06-07 19:38                 ` Nicolas Dufresne
2019-06-11 10:24                   ` Laurent Pinchart
2019-06-12  0:09                     ` Nicolas Dufresne
2019-06-12  8:17                       ` Laurent Pinchart
2019-06-13  0:21                         ` Nicolas Dufresne
2019-07-03  9:08                           ` Tomasz Figa
2019-06-07 14:11               ` Hans Verkuil
2019-06-07 14:34                 ` Tomasz Figa
2019-06-07 15:09                   ` Laurent Pinchart
2019-06-11  7:48                   ` Hans Verkuil
2019-06-07 14:39                 ` Marek Szyprowski
2019-06-07 14:44                   ` Sakari Ailus
2019-06-07 19:43                   ` Nicolas Dufresne
2019-06-11  7:52                     ` Hans Verkuil
2019-06-11 11:56                       ` Marek Szyprowski
2019-06-12  0:12                         ` Nicolas Dufresne
2019-06-12  0:18                           ` Nicolas Dufresne
2019-06-07 14:41                 ` Sakari Ailus
2019-06-07 12:20     ` Tomasz Figa
2019-06-07 12:24       ` Hans Verkuil [this message]
