mbox series

[0/2] Introduce v4l2_async_nf_unregister_cleanup

Message ID 20240502-master-v1-0-8bd109c6a3ba@collabora.com
Headers show
Series Introduce v4l2_async_nf_unregister_cleanup | expand

Message

Julien Massot May 2, 2024, 3:22 p.m. UTC
Many drivers has
  v4l2_async_nf_unregister(&notifier);
  v4l2_async_nf_cleanup(&notifier);

Introduce a helper function to call both functions in one line.

---
Julien Massot (2):
      media: v4l: async: Add v4l2_async_nf_unregister_cleanup
      media: convert all drivers to use v4l2_async_nf_unregister_cleanup

 drivers/media/i2c/ds90ub913.c                           | 10 ++--------
 drivers/media/i2c/ds90ub953.c                           | 10 ++--------
 drivers/media/i2c/ds90ub960.c                           | 10 ++--------
 drivers/media/i2c/max9286.c                             |  3 +--
 drivers/media/i2c/st-mipid02.c                          |  6 ++----
 drivers/media/i2c/tc358746.c                            |  3 +--
 drivers/media/pci/intel/ipu3/ipu3-cio2.c                |  6 ++----
 drivers/media/pci/intel/ipu6/ipu6-isys.c                |  8 +-------
 drivers/media/pci/intel/ivsc/mei_csi.c                  |  6 ++----
 drivers/media/platform/atmel/atmel-isi.c                |  3 +--
 drivers/media/platform/cadence/cdns-csi2rx.c            |  6 ++----
 drivers/media/platform/intel/pxa_camera.c               |  3 +--
 drivers/media/platform/marvell/mcam-core.c              |  6 ++----
 drivers/media/platform/microchip/microchip-csi2dc.c     |  3 +--
 drivers/media/platform/microchip/microchip-isc-base.c   |  6 ++----
 drivers/media/platform/nxp/imx-mipi-csis.c              |  6 ++----
 drivers/media/platform/nxp/imx7-media-csi.c             |  3 +--
 drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c     |  3 +--
 drivers/media/platform/nxp/imx8mq-mipi-csi2.c           |  6 ++----
 drivers/media/platform/qcom/camss/camss.c               |  3 +--
 drivers/media/platform/renesas/rcar-csi2.c              |  6 ++----
 drivers/media/platform/renesas/rcar-isp.c               |  6 ++----
 drivers/media/platform/renesas/rcar-vin/rcar-core.c     |  9 +++------
 drivers/media/platform/renesas/rcar_drif.c              |  3 +--
 drivers/media/platform/renesas/renesas-ceu.c            |  4 +---
 drivers/media/platform/renesas/rzg2l-cru/rzg2l-core.c   |  3 +--
 drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c   |  6 ++----
 drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c     |  3 +--
 drivers/media/platform/samsung/exynos4-is/media-dev.c   |  3 +--
 drivers/media/platform/st/stm32/stm32-dcmi.c            |  3 +--
 .../media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c  |  3 +--
 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c      |  3 +--
 .../media/platform/sunxi/sun6i-csi/sun6i_csi_bridge.c   |  3 +--
 .../platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c    |  3 +--
 .../sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c   |  3 +--
 drivers/media/platform/ti/am437x/am437x-vpfe.c          |  3 +--
 drivers/media/platform/ti/cal/cal.c                     |  8 +-------
 drivers/media/platform/ti/davinci/vpif_capture.c        |  3 +--
 drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c   | 10 ++--------
 drivers/media/platform/ti/omap3isp/isp.c                |  3 +--
 drivers/media/platform/video-mux.c                      |  3 +--
 drivers/media/platform/xilinx/xilinx-vipp.c             |  3 +--
 drivers/staging/media/deprecated/atmel/atmel-isc-base.c |  6 ++----
 drivers/staging/media/sunxi/sun6i-isp/sun6i_isp_proc.c  |  3 +--
 drivers/staging/media/tegra-video/vi.c                  |  3 +--
 include/media/v4l2-async.h                              | 17 +++++++++++++++++
 46 files changed, 80 insertions(+), 153 deletions(-)
---
base-commit: 843a9f4a7a85988f2f3af98adf21797c2fd05ab1
change-id: 20240502-master-5deee133b4f5

Best regards,

Comments

Laurent Pinchart May 2, 2024, 3:56 p.m. UTC | #1
Hi Julien,

On Thu, May 02, 2024 at 05:22:20PM +0200, Julien Massot wrote:
> Many drivers has
>   v4l2_async_nf_unregister(&notifier);
>   v4l2_async_nf_cleanup(&notifier);
> 
> Introduce a helper function to call both functions in one line.

Does this really go in the right direction ? For other objects (video
devices, media devices, ...), the unregistration should be done at
.remove() time, and the cleanup at .release() time (the operation called
when the last reference to the object is released). This is needed to
ensure proper lifetime management of the objects, and avoid a
use-after-free for objects that can be reached from userspace.

It could be argued that the notifier isn't exposed to userspace, but can
we guarantee that no driver will have a need to access the notifier in a
code path triggered by a userspace operation ? I think it would be safer
to adopt the same split for the nofifier unregistration and cleanup. In
my opinion using the same rule across different APIs also make it easier
for driver authors and for reviewers to get it right.

As shown by your series, lots of drivers call v4l2_async_nf_cleanup()
and .remove() time instead of .release(). That's because most drivers
get lifetime management wrong and don't even implement .release().
That's something Sakari is addressing with ongoing work. This patch
series seems to go in the opposite direction.

> ---
> Julien Massot (2):
>       media: v4l: async: Add v4l2_async_nf_unregister_cleanup
>       media: convert all drivers to use v4l2_async_nf_unregister_cleanup
> 
>  drivers/media/i2c/ds90ub913.c                           | 10 ++--------
>  drivers/media/i2c/ds90ub953.c                           | 10 ++--------
>  drivers/media/i2c/ds90ub960.c                           | 10 ++--------
>  drivers/media/i2c/max9286.c                             |  3 +--
>  drivers/media/i2c/st-mipid02.c                          |  6 ++----
>  drivers/media/i2c/tc358746.c                            |  3 +--
>  drivers/media/pci/intel/ipu3/ipu3-cio2.c                |  6 ++----
>  drivers/media/pci/intel/ipu6/ipu6-isys.c                |  8 +-------
>  drivers/media/pci/intel/ivsc/mei_csi.c                  |  6 ++----
>  drivers/media/platform/atmel/atmel-isi.c                |  3 +--
>  drivers/media/platform/cadence/cdns-csi2rx.c            |  6 ++----
>  drivers/media/platform/intel/pxa_camera.c               |  3 +--
>  drivers/media/platform/marvell/mcam-core.c              |  6 ++----
>  drivers/media/platform/microchip/microchip-csi2dc.c     |  3 +--
>  drivers/media/platform/microchip/microchip-isc-base.c   |  6 ++----
>  drivers/media/platform/nxp/imx-mipi-csis.c              |  6 ++----
>  drivers/media/platform/nxp/imx7-media-csi.c             |  3 +--
>  drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c     |  3 +--
>  drivers/media/platform/nxp/imx8mq-mipi-csi2.c           |  6 ++----
>  drivers/media/platform/qcom/camss/camss.c               |  3 +--
>  drivers/media/platform/renesas/rcar-csi2.c              |  6 ++----
>  drivers/media/platform/renesas/rcar-isp.c               |  6 ++----
>  drivers/media/platform/renesas/rcar-vin/rcar-core.c     |  9 +++------
>  drivers/media/platform/renesas/rcar_drif.c              |  3 +--
>  drivers/media/platform/renesas/renesas-ceu.c            |  4 +---
>  drivers/media/platform/renesas/rzg2l-cru/rzg2l-core.c   |  3 +--
>  drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c   |  6 ++----
>  drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c     |  3 +--
>  drivers/media/platform/samsung/exynos4-is/media-dev.c   |  3 +--
>  drivers/media/platform/st/stm32/stm32-dcmi.c            |  3 +--
>  .../media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c  |  3 +--
>  drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c      |  3 +--
>  .../media/platform/sunxi/sun6i-csi/sun6i_csi_bridge.c   |  3 +--
>  .../platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c    |  3 +--
>  .../sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c   |  3 +--
>  drivers/media/platform/ti/am437x/am437x-vpfe.c          |  3 +--
>  drivers/media/platform/ti/cal/cal.c                     |  8 +-------
>  drivers/media/platform/ti/davinci/vpif_capture.c        |  3 +--
>  drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c   | 10 ++--------
>  drivers/media/platform/ti/omap3isp/isp.c                |  3 +--
>  drivers/media/platform/video-mux.c                      |  3 +--
>  drivers/media/platform/xilinx/xilinx-vipp.c             |  3 +--
>  drivers/staging/media/deprecated/atmel/atmel-isc-base.c |  6 ++----
>  drivers/staging/media/sunxi/sun6i-isp/sun6i_isp_proc.c  |  3 +--
>  drivers/staging/media/tegra-video/vi.c                  |  3 +--
>  include/media/v4l2-async.h                              | 17 +++++++++++++++++
>  46 files changed, 80 insertions(+), 153 deletions(-)
> ---
> base-commit: 843a9f4a7a85988f2f3af98adf21797c2fd05ab1
> change-id: 20240502-master-5deee133b4f5
Sakari Ailus May 2, 2024, 4:01 p.m. UTC | #2
Hi Laurent,

On Thu, May 02, 2024 at 06:56:26PM +0300, Laurent Pinchart wrote:
> Hi Julien,
> 
> On Thu, May 02, 2024 at 05:22:20PM +0200, Julien Massot wrote:
> > Many drivers has
> >   v4l2_async_nf_unregister(&notifier);
> >   v4l2_async_nf_cleanup(&notifier);
> > 
> > Introduce a helper function to call both functions in one line.
> 
> Does this really go in the right direction ? For other objects (video
> devices, media devices, ...), the unregistration should be done at
> .remove() time, and the cleanup at .release() time (the operation called
> when the last reference to the object is released). This is needed to
> ensure proper lifetime management of the objects, and avoid a
> use-after-free for objects that can be reached from userspace.
> 
> It could be argued that the notifier isn't exposed to userspace, but can
> we guarantee that no driver will have a need to access the notifier in a
> code path triggered by a userspace operation ? I think it would be safer
> to adopt the same split for the nofifier unregistration and cleanup. In
> my opinion using the same rule across different APIs also make it easier
> for driver authors and for reviewers to get it right.
> 
> As shown by your series, lots of drivers call v4l2_async_nf_cleanup()
> and .remove() time instead of .release(). That's because most drivers
> get lifetime management wrong and don't even implement .release().
> That's something Sakari is addressing with ongoing work. This patch
> series seems to go in the opposite direction.

This still avoids the driver authors feeling they need to implement wrapper
functions for v4l2_async_nf_{unregister,cleanup}. I'd be in favour merging
this.

I don't see this getting in the way of adding use counts as the code will
need to be changed in any case.
Laurent Pinchart May 2, 2024, 4:08 p.m. UTC | #3
On Thu, May 02, 2024 at 04:01:45PM +0000, Sakari Ailus wrote:
> On Thu, May 02, 2024 at 06:56:26PM +0300, Laurent Pinchart wrote:
> > On Thu, May 02, 2024 at 05:22:20PM +0200, Julien Massot wrote:
> > > Many drivers has
> > >   v4l2_async_nf_unregister(&notifier);
> > >   v4l2_async_nf_cleanup(&notifier);
> > > 
> > > Introduce a helper function to call both functions in one line.
> > 
> > Does this really go in the right direction ? For other objects (video
> > devices, media devices, ...), the unregistration should be done at
> > .remove() time, and the cleanup at .release() time (the operation called
> > when the last reference to the object is released). This is needed to
> > ensure proper lifetime management of the objects, and avoid a
> > use-after-free for objects that can be reached from userspace.
> > 
> > It could be argued that the notifier isn't exposed to userspace, but can
> > we guarantee that no driver will have a need to access the notifier in a
> > code path triggered by a userspace operation ? I think it would be safer
> > to adopt the same split for the nofifier unregistration and cleanup. In
> > my opinion using the same rule across different APIs also make it easier
> > for driver authors and for reviewers to get it right.
> > 
> > As shown by your series, lots of drivers call v4l2_async_nf_cleanup()
> > and .remove() time instead of .release(). That's because most drivers
> > get lifetime management wrong and don't even implement .release().
> > That's something Sakari is addressing with ongoing work. This patch
> > series seems to go in the opposite direction.
> 
> This still avoids the driver authors feeling they need to implement wrapper
> functions for v4l2_async_nf_{unregister,cleanup}. I'd be in favour merging
> this.
> 
> I don't see this getting in the way of adding use counts as the code will
> need to be changed in any case.

Fixing the lifetime issues would essentially revert 2/2 and move the
v4l2_async_nf_cleanup() call to .remove(). I don't think providing a
helper that forces the cleanup at .remove() time is a good idea, it
gives a false sense of doing things right to drivers. This is the same
reason why devm_kzalloc() is so harmful, it gave the wrong message, and
created (or participated in) all those lifetime issues.
Sakari Ailus May 2, 2024, 4:24 p.m. UTC | #4
Hi Laurent,

On Thu, May 02, 2024 at 07:08:30PM +0300, Laurent Pinchart wrote:
> On Thu, May 02, 2024 at 04:01:45PM +0000, Sakari Ailus wrote:
> > On Thu, May 02, 2024 at 06:56:26PM +0300, Laurent Pinchart wrote:
> > > On Thu, May 02, 2024 at 05:22:20PM +0200, Julien Massot wrote:
> > > > Many drivers has
> > > >   v4l2_async_nf_unregister(&notifier);
> > > >   v4l2_async_nf_cleanup(&notifier);
> > > > 
> > > > Introduce a helper function to call both functions in one line.
> > > 
> > > Does this really go in the right direction ? For other objects (video
> > > devices, media devices, ...), the unregistration should be done at
> > > .remove() time, and the cleanup at .release() time (the operation called
> > > when the last reference to the object is released). This is needed to
> > > ensure proper lifetime management of the objects, and avoid a
> > > use-after-free for objects that can be reached from userspace.
> > > 
> > > It could be argued that the notifier isn't exposed to userspace, but can
> > > we guarantee that no driver will have a need to access the notifier in a
> > > code path triggered by a userspace operation ? I think it would be safer
> > > to adopt the same split for the nofifier unregistration and cleanup. In
> > > my opinion using the same rule across different APIs also make it easier
> > > for driver authors and for reviewers to get it right.
> > > 
> > > As shown by your series, lots of drivers call v4l2_async_nf_cleanup()
> > > and .remove() time instead of .release(). That's because most drivers
> > > get lifetime management wrong and don't even implement .release().
> > > That's something Sakari is addressing with ongoing work. This patch
> > > series seems to go in the opposite direction.
> > 
> > This still avoids the driver authors feeling they need to implement wrapper
> > functions for v4l2_async_nf_{unregister,cleanup}. I'd be in favour merging
> > this.
> > 
> > I don't see this getting in the way of adding use counts as the code will
> > need to be changed in any case.
> 
> Fixing the lifetime issues would essentially revert 2/2 and move the
> v4l2_async_nf_cleanup() call to .remove(). I don't think providing a
> helper that forces the cleanup at .remove() time is a good idea, it
> gives a false sense of doing things right to drivers. This is the same
> reason why devm_kzalloc() is so harmful, it gave the wrong message, and
> created (or participated in) all those lifetime issues.

I still prefer having devm_*alloc() functions than having the drivers open
coding the same -- with the same result. The frameworks won't enable doing
this right at the moment and I don't think drivers (or us!) should be
penalised for that. The driver authors will only change what they do, with
these patches or without, when told so. But we don't really have an
alternative today.

A similar situation exists with clk_unprepare() and clk_disable().
Laurent Pinchart May 4, 2024, 2:18 p.m. UTC | #5
On Thu, May 02, 2024 at 04:24:04PM +0000, Sakari Ailus wrote:
> On Thu, May 02, 2024 at 07:08:30PM +0300, Laurent Pinchart wrote:
> > On Thu, May 02, 2024 at 04:01:45PM +0000, Sakari Ailus wrote:
> > > On Thu, May 02, 2024 at 06:56:26PM +0300, Laurent Pinchart wrote:
> > > > On Thu, May 02, 2024 at 05:22:20PM +0200, Julien Massot wrote:
> > > > > Many drivers has
> > > > >   v4l2_async_nf_unregister(&notifier);
> > > > >   v4l2_async_nf_cleanup(&notifier);
> > > > > 
> > > > > Introduce a helper function to call both functions in one line.
> > > > 
> > > > Does this really go in the right direction ? For other objects (video
> > > > devices, media devices, ...), the unregistration should be done at
> > > > .remove() time, and the cleanup at .release() time (the operation called
> > > > when the last reference to the object is released). This is needed to
> > > > ensure proper lifetime management of the objects, and avoid a
> > > > use-after-free for objects that can be reached from userspace.
> > > > 
> > > > It could be argued that the notifier isn't exposed to userspace, but can
> > > > we guarantee that no driver will have a need to access the notifier in a
> > > > code path triggered by a userspace operation ? I think it would be safer
> > > > to adopt the same split for the nofifier unregistration and cleanup. In
> > > > my opinion using the same rule across different APIs also make it easier
> > > > for driver authors and for reviewers to get it right.
> > > > 
> > > > As shown by your series, lots of drivers call v4l2_async_nf_cleanup()
> > > > and .remove() time instead of .release(). That's because most drivers
> > > > get lifetime management wrong and don't even implement .release().
> > > > That's something Sakari is addressing with ongoing work. This patch
> > > > series seems to go in the opposite direction.
> > > 
> > > This still avoids the driver authors feeling they need to implement wrapper
> > > functions for v4l2_async_nf_{unregister,cleanup}. I'd be in favour merging
> > > this.
> > > 
> > > I don't see this getting in the way of adding use counts as the code will
> > > need to be changed in any case.
> > 
> > Fixing the lifetime issues would essentially revert 2/2 and move the
> > v4l2_async_nf_cleanup() call to .remove(). I don't think providing a
> > helper that forces the cleanup at .remove() time is a good idea, it
> > gives a false sense of doing things right to drivers. This is the same
> > reason why devm_kzalloc() is so harmful, it gave the wrong message, and
> > created (or participated in) all those lifetime issues.
> 
> I still prefer having devm_*alloc() functions than having the drivers open
> coding the same -- with the same result. The frameworks won't enable doing
> this right at the moment and I don't think drivers (or us!) should be
> penalised for that.

I don't really see where the penalty is. What's the urgency to switch
from calling v4l2_async_nf_unregister() and v4l2_async_nf_cleanup() to a
helper that we know goes in the wrong direction ?

> The driver authors will only change what they do, with
> these patches or without, when told so. But we don't really have an
> alternative today.

There's already a .release() callback that can be used, and some drivers
use it.

> A similar situation exists with clk_unprepare() and clk_disable().