From f88e756ceac9a442f12de5d2913047ed40b34542 Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Sun, 24 Nov 2019 01:03:46 +0200 Subject: libcamera: thread: Fix locking when moving object MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When moving an Object to a Thread, messages posted for the object are move to the target thread's message queue. This requires locking the message queues of the current and target threads, as the target thread may (and is usually) running. The implementation is faulty as it locks the thread data instead of the message queue. This creates a race condition with a tiny but exploitable time window. The issue was noticed by the event-thread test rarely but reproducibly failing with the following assertion error: [1:39:33.850878042]FATAL default thread.cpp:440 assertion "data_ == receiver->thread()->data_" failed The issue only occurred when libcamera was compiled in release mode, further hinting of a race condition. Fixes: 01b930964acd ("libcamera: thread: Add a messaging passing API") Signed-off-by: Laurent Pinchart Reviewed-by: Niklas Söderlund --- src/libcamera/thread.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/libcamera/thread.cpp b/src/libcamera/thread.cpp index e152af14..029a0e8f 100644 --- a/src/libcamera/thread.cpp +++ b/src/libcamera/thread.cpp @@ -456,8 +456,8 @@ void Thread::moveObject(Object *object) ThreadData *currentData = object->thread_->data_; ThreadData *targetData = data_; - MutexLocker lockerFrom(currentData->mutex_, std::defer_lock); - MutexLocker lockerTo(targetData->mutex_, std::defer_lock); + MutexLocker lockerFrom(currentData->messages_.mutex_, std::defer_lock); + MutexLocker lockerTo(targetData->messages_.mutex_, std::defer_lock); std::lock(lockerFrom, lockerTo); moveObject(object, currentData, targetData); -- cgit v1.2.1
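Review bot: the two `MutexLocker` declarations ahead of `std::lock(lockerFrom, lockerTo)` have no comment saying which mutex guards which state, and that ambiguity between `ThreadData::mutex_` and `messages_.mutex_` is what let the original mistake through. A short comment above them would help, stating that `messages_.mutex_` protects the message queue and that the three-argument `moveObject(object, currentData, targetData)` must be called with both queue locks held. The visible context also does not show whether `currentData == targetData` is ruled out before this point. If an object can be moved to the thread it already belongs to, both lockers would wrap the same mutex and `std::lock` would not return, so confirm there is an early return above these lines or add one. Since the commit message says the failure only reproduced rarely and in release builds, running the event-thread test in a loop in release mode (or under a thread sanitizer) would give better regression coverage than a single pass.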