mbox series

[0/2] Use Media Dev Allocator to fix vimc dev lifetime bugs

Message ID cover.1558667245.git.skhan@linuxfoundation.org (mailing list archive)
Headers show
Series Use Media Dev Allocator to fix vimc dev lifetime bugs | expand

Message

Shuah Khan May 24, 2019, 3:31 a.m. UTC
media_device is embedded in struct vimc_device and when vimc is removed
vimc_device and the embedded media_device goes with it, while the active
stream and vimc_capture continue to access it.

Fix the media_device lifetime problem by changing vimc to create shared
media_device using Media Device Allocator API and vimc_capture getting
a reference to vimc module. With this change, vimc module can be removed
only when the references are gone. vimc can be removed after vimc_capture
is removed.

Media Device Allocator API supports just USB devices. Enhance it
adding a genetic device allocate interface to support other media
drivers.

The new interface takes pointer to struct device instead and creates
media device. This interface allows a group of drivers that have a
common root device to share media device resource and ensure media
device doesn't get deleted as long as one of the drivers holds its
reference.

The new interface has been tested with vimc component driver to fix
panics when vimc module is removed while streaming is in progress.

Shuah Khan (2):
  media: add generic device allocate interface to media-dev-allocator
  vimc: fix BUG: unable to handle kernel NULL pointer dereference

 drivers/media/Makefile                     |  4 +-
 drivers/media/media-dev-allocator.c        | 39 ++++++++++++++
 drivers/media/platform/vimc/vimc-capture.c | 17 +++++-
 drivers/media/platform/vimc/vimc-core.c    | 60 ++++++++++++----------
 include/media/media-dev-allocator.h        | 46 ++++++++++++++---
 5 files changed, 130 insertions(+), 36 deletions(-)

Comments

Hans Verkuil June 13, 2019, 5:44 a.m. UTC | #1
On 5/24/19 5:31 AM, Shuah Khan wrote:
> media_device is embedded in struct vimc_device and when vimc is removed
> vimc_device and the embedded media_device goes with it, while the active
> stream and vimc_capture continue to access it.
> 
> Fix the media_device lifetime problem by changing vimc to create shared
> media_device using Media Device Allocator API and vimc_capture getting
> a reference to vimc module. With this change, vimc module can be removed
> only when the references are gone. vimc can be removed after vimc_capture
> is removed.
> 
> Media Device Allocator API supports just USB devices. Enhance it
> adding a genetic device allocate interface to support other media
> drivers.
> 
> The new interface takes pointer to struct device instead and creates
> media device. This interface allows a group of drivers that have a
> common root device to share media device resource and ensure media
> device doesn't get deleted as long as one of the drivers holds its
> reference.
> 
> The new interface has been tested with vimc component driver to fix
> panics when vimc module is removed while streaming is in progress.

Helen, can you review this series? I'm not sure this is the right approach
for a driver like vimc, and even if it is, then it is odd that vimc-capture
is the only vimc module that's handled here.

My gut feeling is that this should be handled inside vimc directly and not
using the media-dev-allocator.

Regards,

	Hans

> 
> Shuah Khan (2):
>   media: add generic device allocate interface to media-dev-allocator
>   vimc: fix BUG: unable to handle kernel NULL pointer dereference
> 
>  drivers/media/Makefile                     |  4 +-
>  drivers/media/media-dev-allocator.c        | 39 ++++++++++++++
>  drivers/media/platform/vimc/vimc-capture.c | 17 +++++-
>  drivers/media/platform/vimc/vimc-core.c    | 60 ++++++++++++----------
>  include/media/media-dev-allocator.h        | 46 ++++++++++++++---
>  5 files changed, 130 insertions(+), 36 deletions(-)
>
Helen Mae Koike Fornazier June 13, 2019, 1:24 p.m. UTC | #2
On 6/13/19 2:44 AM, Hans Verkuil wrote:
> On 5/24/19 5:31 AM, Shuah Khan wrote:
>> media_device is embedded in struct vimc_device and when vimc is removed
>> vimc_device and the embedded media_device goes with it, while the active
>> stream and vimc_capture continue to access it.
>>
>> Fix the media_device lifetime problem by changing vimc to create shared
>> media_device using Media Device Allocator API and vimc_capture getting
>> a reference to vimc module. With this change, vimc module can be removed
>> only when the references are gone. vimc can be removed after vimc_capture
>> is removed.
>>
>> Media Device Allocator API supports just USB devices. Enhance it
>> adding a genetic device allocate interface to support other media
>> drivers.
>>
>> The new interface takes pointer to struct device instead and creates
>> media device. This interface allows a group of drivers that have a
>> common root device to share media device resource and ensure media
>> device doesn't get deleted as long as one of the drivers holds its
>> reference.
>>
>> The new interface has been tested with vimc component driver to fix
>> panics when vimc module is removed while streaming is in progress.
> 
> Helen, can you review this series? I'm not sure this is the right approach
> for a driver like vimc, and even if it is, then it is odd that vimc-capture
> is the only vimc module that's handled here.

Hi Hans,

Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
try to take a look at this patch series (and the others) asap.

Helen

> 
> My gut feeling is that this should be handled inside vimc directly and not
> using the media-dev-allocator.
> 
> Regards,
> 
> 	Hans
> 
>>
>> Shuah Khan (2):
>>   media: add generic device allocate interface to media-dev-allocator
>>   vimc: fix BUG: unable to handle kernel NULL pointer dereference
>>
>>  drivers/media/Makefile                     |  4 +-
>>  drivers/media/media-dev-allocator.c        | 39 ++++++++++++++
>>  drivers/media/platform/vimc/vimc-capture.c | 17 +++++-
>>  drivers/media/platform/vimc/vimc-core.c    | 60 ++++++++++++----------
>>  include/media/media-dev-allocator.h        | 46 ++++++++++++++---
>>  5 files changed, 130 insertions(+), 36 deletions(-)
>>
>
Shuah Khan June 14, 2019, 11:26 p.m. UTC | #3
On 6/13/19 7:24 AM, Helen Koike wrote:
> 
> 
> On 6/13/19 2:44 AM, Hans Verkuil wrote:
>> On 5/24/19 5:31 AM, Shuah Khan wrote:
>>> media_device is embedded in struct vimc_device and when vimc is removed
>>> vimc_device and the embedded media_device goes with it, while the active
>>> stream and vimc_capture continue to access it.
>>>
>>> Fix the media_device lifetime problem by changing vimc to create shared
>>> media_device using Media Device Allocator API and vimc_capture getting
>>> a reference to vimc module. With this change, vimc module can be removed
>>> only when the references are gone. vimc can be removed after vimc_capture
>>> is removed.
>>>
>>> Media Device Allocator API supports just USB devices. Enhance it
>>> adding a genetic device allocate interface to support other media
>>> drivers.
>>>
>>> The new interface takes pointer to struct device instead and creates
>>> media device. This interface allows a group of drivers that have a
>>> common root device to share media device resource and ensure media
>>> device doesn't get deleted as long as one of the drivers holds its
>>> reference.
>>>
>>> The new interface has been tested with vimc component driver to fix
>>> panics when vimc module is removed while streaming is in progress.
>>
>> Helen, can you review this series? I'm not sure this is the right approach
>> for a driver like vimc, and even if it is, then it is odd that vimc-capture
>> is the only vimc module that's handled here.
> 
> Hi Hans,
> 
> Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
> try to take a look at this patch series (and the others) asap.
> 
> Helen
> 
>>
>> My gut feeling is that this should be handled inside vimc directly and not
>> using the media-dev-allocator.
>>

Hi Hans and Helen,

I explored fixing the problem within vimc before I went down the path to
use Media Device Allocator API. I do think that it is cleaner to go this
way and easier to maintain.

vimc is a group pf component drivers that rely on the media device vimc
in vimc and falls into the use-case Media Device Allocator API is added
to address. The release and life-time management happens without vimc
component drivers being changed other than using the API to get and put
media device reference.

thanks,
-- Shuah
Laurent Pinchart June 16, 2019, 6:43 p.m. UTC | #4
Hi Hans,

On Thu, Jun 13, 2019 at 07:44:15AM +0200, Hans Verkuil wrote:
> On 5/24/19 5:31 AM, Shuah Khan wrote:
> > media_device is embedded in struct vimc_device and when vimc is removed
> > vimc_device and the embedded media_device goes with it, while the active
> > stream and vimc_capture continue to access it.
> > 
> > Fix the media_device lifetime problem by changing vimc to create shared
> > media_device using Media Device Allocator API and vimc_capture getting
> > a reference to vimc module. With this change, vimc module can be removed
> > only when the references are gone. vimc can be removed after vimc_capture
> > is removed.
> > 
> > Media Device Allocator API supports just USB devices. Enhance it
> > adding a genetic device allocate interface to support other media
> > drivers.
> > 
> > The new interface takes pointer to struct device instead and creates
> > media device. This interface allows a group of drivers that have a
> > common root device to share media device resource and ensure media
> > device doesn't get deleted as long as one of the drivers holds its
> > reference.
> > 
> > The new interface has been tested with vimc component driver to fix
> > panics when vimc module is removed while streaming is in progress.
> 
> Helen, can you review this series? I'm not sure this is the right approach
> for a driver like vimc, and even if it is, then it is odd that vimc-capture
> is the only vimc module that's handled here.
> 
> My gut feeling is that this should be handled inside vimc directly and not
> using the media-dev-allocator.

That's my opinion too, I don't see why the media dev allocator would be
needed here. We know how to fix this kind of issues, it requires proper
lifetime management of objects with refcouting, using the media dev
allocator is a hack that would just hide the problem deeper. Hiding
problems deeper during the last MC rework brought us where we are today,
and I don't think we should repeat the same mistake.

> > Shuah Khan (2):
> >   media: add generic device allocate interface to media-dev-allocator
> >   vimc: fix BUG: unable to handle kernel NULL pointer dereference
> > 
> >  drivers/media/Makefile                     |  4 +-
> >  drivers/media/media-dev-allocator.c        | 39 ++++++++++++++
> >  drivers/media/platform/vimc/vimc-capture.c | 17 +++++-
> >  drivers/media/platform/vimc/vimc-core.c    | 60 ++++++++++++----------
> >  include/media/media-dev-allocator.h        | 46 ++++++++++++++---
> >  5 files changed, 130 insertions(+), 36 deletions(-)
Laurent Pinchart June 16, 2019, 6:45 p.m. UTC | #5
Hi Shuah,

On Fri, Jun 14, 2019 at 05:26:46PM -0600, Shuah Khan wrote:
> On 6/13/19 7:24 AM, Helen Koike wrote:
> > On 6/13/19 2:44 AM, Hans Verkuil wrote:
> >> On 5/24/19 5:31 AM, Shuah Khan wrote:
> >>> media_device is embedded in struct vimc_device and when vimc is removed
> >>> vimc_device and the embedded media_device goes with it, while the active
> >>> stream and vimc_capture continue to access it.
> >>>
> >>> Fix the media_device lifetime problem by changing vimc to create shared
> >>> media_device using Media Device Allocator API and vimc_capture getting
> >>> a reference to vimc module. With this change, vimc module can be removed
> >>> only when the references are gone. vimc can be removed after vimc_capture
> >>> is removed.
> >>>
> >>> Media Device Allocator API supports just USB devices. Enhance it
> >>> adding a genetic device allocate interface to support other media
> >>> drivers.
> >>>
> >>> The new interface takes pointer to struct device instead and creates
> >>> media device. This interface allows a group of drivers that have a
> >>> common root device to share media device resource and ensure media
> >>> device doesn't get deleted as long as one of the drivers holds its
> >>> reference.
> >>>
> >>> The new interface has been tested with vimc component driver to fix
> >>> panics when vimc module is removed while streaming is in progress.
> >>
> >> Helen, can you review this series? I'm not sure this is the right approach
> >> for a driver like vimc, and even if it is, then it is odd that vimc-capture
> >> is the only vimc module that's handled here.
> > 
> > Hi Hans,
> > 
> > Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
> > try to take a look at this patch series (and the others) asap.
> > 
> > Helen
> > 
> >> My gut feeling is that this should be handled inside vimc directly and not
> >> using the media-dev-allocator.
> 
> Hi Hans and Helen,
> 
> I explored fixing the problem within vimc before I went down the path to
> use Media Device Allocator API. I do think that it is cleaner to go this
> way and easier to maintain.
> 
> vimc is a group pf component drivers that rely on the media device vimc
> in vimc and falls into the use-case Media Device Allocator API is added
> to address. The release and life-time management happens without vimc
> component drivers being changed other than using the API to get and put
> media device reference.

Our replies crossed each other, please see my reply to Hans. I would
just like to comment here that if having multiple kernel modules causes
issue, they can all be merged together. There's no need for vimc to be
handled through multiple modules (I actually think it's quite
counterproductive, it only makes it more complex, for no added value).
Shuah Khan June 28, 2019, 4:41 p.m. UTC | #6
Hi Laurent,

On 6/16/19 12:45 PM, Laurent Pinchart wrote:
> Hi Shuah,
> 
> On Fri, Jun 14, 2019 at 05:26:46PM -0600, Shuah Khan wrote:
>> On 6/13/19 7:24 AM, Helen Koike wrote:
>>> On 6/13/19 2:44 AM, Hans Verkuil wrote:
>>>> On 5/24/19 5:31 AM, Shuah Khan wrote:
>>>>> media_device is embedded in struct vimc_device and when vimc is removed
>>>>> vimc_device and the embedded media_device goes with it, while the active
>>>>> stream and vimc_capture continue to access it.
>>>>>
>>>>> Fix the media_device lifetime problem by changing vimc to create shared
>>>>> media_device using Media Device Allocator API and vimc_capture getting
>>>>> a reference to vimc module. With this change, vimc module can be removed
>>>>> only when the references are gone. vimc can be removed after vimc_capture
>>>>> is removed.
>>>>>
>>>>> Media Device Allocator API supports just USB devices. Enhance it
>>>>> adding a genetic device allocate interface to support other media
>>>>> drivers.
>>>>>
>>>>> The new interface takes pointer to struct device instead and creates
>>>>> media device. This interface allows a group of drivers that have a
>>>>> common root device to share media device resource and ensure media
>>>>> device doesn't get deleted as long as one of the drivers holds its
>>>>> reference.
>>>>>
>>>>> The new interface has been tested with vimc component driver to fix
>>>>> panics when vimc module is removed while streaming is in progress.
>>>>
>>>> Helen, can you review this series? I'm not sure this is the right approach
>>>> for a driver like vimc, and even if it is, then it is odd that vimc-capture
>>>> is the only vimc module that's handled here.
>>>
>>> Hi Hans,
>>>
>>> Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
>>> try to take a look at this patch series (and the others) asap.
>>>
>>> Helen
>>>
>>>> My gut feeling is that this should be handled inside vimc directly and not
>>>> using the media-dev-allocator.
>>
>> Hi Hans and Helen,
>>
>> I explored fixing the problem within vimc before I went down the path to
>> use Media Device Allocator API. I do think that it is cleaner to go this
>> way and easier to maintain.
>>
>> vimc is a group pf component drivers that rely on the media device vimc
>> in vimc and falls into the use-case Media Device Allocator API is added
>> to address. The release and life-time management happens without vimc
>> component drivers being changed other than using the API to get and put
>> media device reference.
> 
> Our replies crossed each other, please see my reply to Hans. I would
> just like to comment here that if having multiple kernel modules causes
> issue, they can all be merged together. There's no need for vimc to be
> handled through multiple modules (I actually think it's quite
> counterproductive, it only makes it more complex, for no added value).
> 

There are several problems in this group of drivers as far as lifetime
management is concerned. I explained some of it in the patch 2/2

If vimc module is removed while streaming is active, vimc_exit runs
into NULL pointer dereference error when streaming thread tries to
access and lock graph_mutex in the struct media_device.

The primary reason for this is that:

media_device is embedded in struct vimc_device and when vimc is removed
vimc_device and the embedded media_device goes with it, while the active
stream and vimc_capture continue to access it.

If we chose to keep these drivers as component drivers, media device
needs to stick around until all components stop using it. This is tricky
because there is no tie between these set of drivers. vimc module can
be deleted while others are still active. As vimc gets removed, other
component drivers start wanting to access the media device tree.

This is classic media device lifetime problem which could be solved
easily with the way I solved it with this series. I saw this as a
variation on the same use-case we had with sound and media drivers
sharing the media device.

I have a TODO request from you asking to extend Media Device Allocator
API to generic case and not restrict it to USB devices. My thinking is
that this gives a perfect test case to extend the API to be generic
and use to solve this problem.

Collapsing the drivers into one might be lot more difficult and complex
than solving this problem with Media Device Allocator API. This approach
has an added benefit of extending the API to be generic and not just for
USB.

I looked at this as a good way to add generic API and have a great test
case for it. This patch series fixes the problem for the current vimc
architecture.

thanks,
-- Shuah
Laurent Pinchart June 30, 2019, 11:41 a.m. UTC | #7
Hi Shuah,

On Fri, Jun 28, 2019 at 10:41:07AM -0600, Shuah Khan wrote:
> On 6/16/19 12:45 PM, Laurent Pinchart wrote:
> > On Fri, Jun 14, 2019 at 05:26:46PM -0600, Shuah Khan wrote:
> >> On 6/13/19 7:24 AM, Helen Koike wrote:
> >>> On 6/13/19 2:44 AM, Hans Verkuil wrote:
> >>>> On 5/24/19 5:31 AM, Shuah Khan wrote:
> >>>>> media_device is embedded in struct vimc_device and when vimc is removed
> >>>>> vimc_device and the embedded media_device goes with it, while the active
> >>>>> stream and vimc_capture continue to access it.
> >>>>>
> >>>>> Fix the media_device lifetime problem by changing vimc to create shared
> >>>>> media_device using Media Device Allocator API and vimc_capture getting
> >>>>> a reference to vimc module. With this change, vimc module can be removed
> >>>>> only when the references are gone. vimc can be removed after vimc_capture
> >>>>> is removed.
> >>>>>
> >>>>> Media Device Allocator API supports just USB devices. Enhance it
> >>>>> adding a genetic device allocate interface to support other media
> >>>>> drivers.
> >>>>>
> >>>>> The new interface takes pointer to struct device instead and creates
> >>>>> media device. This interface allows a group of drivers that have a
> >>>>> common root device to share media device resource and ensure media
> >>>>> device doesn't get deleted as long as one of the drivers holds its
> >>>>> reference.
> >>>>>
> >>>>> The new interface has been tested with vimc component driver to fix
> >>>>> panics when vimc module is removed while streaming is in progress.
> >>>>
> >>>> Helen, can you review this series? I'm not sure this is the right approach
> >>>> for a driver like vimc, and even if it is, then it is odd that vimc-capture
> >>>> is the only vimc module that's handled here.
> >>>
> >>> Hi Hans,
> >>>
> >>> Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
> >>> try to take a look at this patch series (and the others) asap.
> >>>
> >>> Helen
> >>>
> >>>> My gut feeling is that this should be handled inside vimc directly and not
> >>>> using the media-dev-allocator.
> >>
> >> Hi Hans and Helen,
> >>
> >> I explored fixing the problem within vimc before I went down the path to
> >> use Media Device Allocator API. I do think that it is cleaner to go this
> >> way and easier to maintain.
> >>
> >> vimc is a group pf component drivers that rely on the media device vimc
> >> in vimc and falls into the use-case Media Device Allocator API is added
> >> to address. The release and life-time management happens without vimc
> >> component drivers being changed other than using the API to get and put
> >> media device reference.
> > 
> > Our replies crossed each other, please see my reply to Hans. I would
> > just like to comment here that if having multiple kernel modules causes
> > issue, they can all be merged together. There's no need for vimc to be
> > handled through multiple modules (I actually think it's quite
> > counterproductive, it only makes it more complex, for no added value).
> 
> There are several problems in this group of drivers as far as lifetime
> management is concerned. I explained some of it in the patch 2/2
> 
> If vimc module is removed while streaming is active, vimc_exit runs
> into NULL pointer dereference error when streaming thread tries to
> access and lock graph_mutex in the struct media_device.
> 
> The primary reason for this is that:
> 
> media_device is embedded in struct vimc_device and when vimc is removed
> vimc_device and the embedded media_device goes with it, while the active
> stream and vimc_capture continue to access it.

The issue isn't so much that media_devic is embedded in vimc_device, but
that vimc_device is released too early. Not only does the thread need to
access the graph_mutex lock in the media_device structure, but it can
potentially access fields of the device-specific structures as well. The
proper solution is to propagate media_device_release() one level up, in
order to only release the top-level structure containing media_device
when the last reference to the media_device is dropped.

> If we chose to keep these drivers as component drivers, media device
> needs to stick around until all components stop using it. This is tricky
> because there is no tie between these set of drivers. vimc module can
> be deleted while others are still active. As vimc gets removed, other
> component drivers start wanting to access the media device tree.

Reference-counting is the key.

> This is classic media device lifetime problem which could be solved
> easily with the way I solved it with this series. I saw this as a
> variation on the same use-case we had with sound and media drivers
> sharing the media device.

This isn't about solving it easily, it's about solving it properly. The
media device allocator as used here is a hack and takes us in the
opposite direction of a proper fix.

> I have a TODO request from you asking to extend Media Device Allocator
> API to generic case and not restrict it to USB devices. My thinking is
> that this gives a perfect test case to extend the API to be generic
> and use to solve this problem.

The biggest issue at the moment with the media device allocator, which I
have pointed out numerous times and has never been addressed (and which
explains why I didn't think the code was ready to be merged) is that the
media_device contains operations that are based on having a single
driver controlling the media device. A proper shared media device
allocator needs to drop the concept of a single master for the media
device, and thus needs to refactor those operations to allow any user of
the media device to implement them (the .link_notify() operation is a
prime example, and the recently added request operations will make this
even more challenging - think of how this patch series would prevent
vimc from properly implementing the request API). As long as these issue
are not fixed I will be firmly opposed to spreading the usage of the
media device allocator beyond what exists today.

> Collapsing the drivers into one might be lot more difficult and complex
> than solving this problem with Media Device Allocator API. This approach
> has an added benefit of extending the API to be generic and not just for
> USB.

I've never disputed the fact that fixing a problem correctly is usually
more work than hacking around it :-)

> I looked at this as a good way to add generic API and have a great test
> case for it. This patch series fixes the problem for the current vimc
> architecture.

NAK, for the reasons above. Please drop this series and fix the problem
properly.
Niklas Söderlund July 3, 2019, 4:17 p.m. UTC | #8
Hi Shauah, Laurent,

On 2019-06-30 14:41:02 +0300, Laurent Pinchart wrote:
> Hi Shuah,
> 
> On Fri, Jun 28, 2019 at 10:41:07AM -0600, Shuah Khan wrote:
> > On 6/16/19 12:45 PM, Laurent Pinchart wrote:
> > > On Fri, Jun 14, 2019 at 05:26:46PM -0600, Shuah Khan wrote:
> > >> On 6/13/19 7:24 AM, Helen Koike wrote:
> > >>> On 6/13/19 2:44 AM, Hans Verkuil wrote:
> > >>>> On 5/24/19 5:31 AM, Shuah Khan wrote:
> > >>>>> media_device is embedded in struct vimc_device and when vimc is removed
> > >>>>> vimc_device and the embedded media_device goes with it, while the active
> > >>>>> stream and vimc_capture continue to access it.
> > >>>>>
> > >>>>> Fix the media_device lifetime problem by changing vimc to create shared
> > >>>>> media_device using Media Device Allocator API and vimc_capture getting
> > >>>>> a reference to vimc module. With this change, vimc module can be removed
> > >>>>> only when the references are gone. vimc can be removed after vimc_capture
> > >>>>> is removed.
> > >>>>>
> > >>>>> Media Device Allocator API supports just USB devices. Enhance it
> > >>>>> adding a genetic device allocate interface to support other media
> > >>>>> drivers.
> > >>>>>
> > >>>>> The new interface takes pointer to struct device instead and creates
> > >>>>> media device. This interface allows a group of drivers that have a
> > >>>>> common root device to share media device resource and ensure media
> > >>>>> device doesn't get deleted as long as one of the drivers holds its
> > >>>>> reference.
> > >>>>>
> > >>>>> The new interface has been tested with vimc component driver to fix
> > >>>>> panics when vimc module is removed while streaming is in progress.
> > >>>>
> > >>>> Helen, can you review this series? I'm not sure this is the right approach
> > >>>> for a driver like vimc, and even if it is, then it is odd that vimc-capture
> > >>>> is the only vimc module that's handled here.
> > >>>
> > >>> Hi Hans,
> > >>>
> > >>> Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
> > >>> try to take a look at this patch series (and the others) asap.
> > >>>
> > >>> Helen
> > >>>
> > >>>> My gut feeling is that this should be handled inside vimc directly and not
> > >>>> using the media-dev-allocator.
> > >>
> > >> Hi Hans and Helen,
> > >>
> > >> I explored fixing the problem within vimc before I went down the path to
> > >> use Media Device Allocator API. I do think that it is cleaner to go this
> > >> way and easier to maintain.
> > >>
> > >> vimc is a group pf component drivers that rely on the media device vimc
> > >> in vimc and falls into the use-case Media Device Allocator API is added
> > >> to address. The release and life-time management happens without vimc
> > >> component drivers being changed other than using the API to get and put
> > >> media device reference.
> > > 
> > > Our replies crossed each other, please see my reply to Hans. I would
> > > just like to comment here that if having multiple kernel modules causes
> > > issue, they can all be merged together. There's no need for vimc to be
> > > handled through multiple modules (I actually think it's quite
> > > counterproductive, it only makes it more complex, for no added value).
> > 
> > There are several problems in this group of drivers as far as lifetime
> > management is concerned. I explained some of it in the patch 2/2
> > 
> > If vimc module is removed while streaming is active, vimc_exit runs
> > into NULL pointer dereference error when streaming thread tries to
> > access and lock graph_mutex in the struct media_device.
> > 
> > The primary reason for this is that:
> > 
> > media_device is embedded in struct vimc_device and when vimc is removed
> > vimc_device and the embedded media_device goes with it, while the active
> > stream and vimc_capture continue to access it.
> 
> The issue isn't so much that media_devic is embedded in vimc_device, but
> that vimc_device is released too early. Not only does the thread need to
> access the graph_mutex lock in the media_device structure, but it can
> potentially access fields of the device-specific structures as well. The
> proper solution is to propagate media_device_release() one level up, in
> order to only release the top-level structure containing media_device
> when the last reference to the media_device is dropped.

I have seen similar problems with rcar-vin, the device specific data is 
released to early. In my case it was not triggered by the struct
media_device but with a struct v4l2_device embedded in the device 
specific data IIRC.

This was when I tried to address the lifetime issues of the video device 
when binding/unbinding the device to the driver and not when unloading 
the module. This was quiet a while ago so I don't recall specifics, 
sorry about that. One finding was that there are also unsolved problems 
when it comes async notifiers and unloading/unbinding and then 
loading/binding subdevices as well as the driver controlling the video 
device. It was such a mess I gave up.

I'm happy to see activity in this area but I fear it might need work on 
a higher level and not trying to work around the problem in drivers.

> 
> > If we chose to keep these drivers as component drivers, media device
> > needs to stick around until all components stop using it. This is tricky
> > because there is no tie between these set of drivers. vimc module can
> > be deleted while others are still active. As vimc gets removed, other
> > component drivers start wanting to access the media device tree.
> 
> Reference-counting is the key.
> 
> > This is classic media device lifetime problem which could be solved
> > easily with the way I solved it with this series. I saw this as a
> > variation on the same use-case we had with sound and media drivers
> > sharing the media device.
> 
> This isn't about solving it easily, it's about solving it properly. The
> media device allocator as used here is a hack and takes us in the
> opposite direction of a proper fix.
> 
> > I have a TODO request from you asking to extend Media Device Allocator
> > API to generic case and not restrict it to USB devices. My thinking is
> > that this gives a perfect test case to extend the API to be generic
> > and use to solve this problem.
> 
> The biggest issue at the moment with the media device allocator, which I
> have pointed out numerous times and has never been addressed (and which
> explains why I didn't think the code was ready to be merged) is that the
> media_device contains operations that are based on having a single
> driver controlling the media device. A proper shared media device
> allocator needs to drop the concept of a single master for the media
> device, and thus needs to refactor those operations to allow any user of
> the media device to implement them (the .link_notify() operation is a
> prime example, and the recently added request operations will make this
> even more challenging - think of how this patch series would prevent
> vimc from properly implementing the request API). As long as these issue
> are not fixed I will be firmly opposed to spreading the usage of the
> media device allocator beyond what exists today.
> 
> > Collapsing the drivers into one might be lot more difficult and complex
> > than solving this problem with Media Device Allocator API. This approach
> > has an added benefit of extending the API to be generic and not just for
> > USB.
> 
> I've never disputed the fact that fixing a problem correctly is usually
> more work than hacking around it :-)
> 
> > I looked at this as a good way to add generic API and have a great test
> > case for it. This patch series fixes the problem for the current vimc
> > architecture.
> 
> NAK, for the reasons above. Please drop this series and fix the problem
> properly.
> 
> -- 
> Regards,
> 
> Laurent Pinchart
Shuah Khan July 3, 2019, 4:52 p.m. UTC | #9
Hi Niklas, Laurent,

On 7/3/19 10:17 AM, Niklas Söderlund wrote:
> Hi Shauah, Laurent,
> 
> On 2019-06-30 14:41:02 +0300, Laurent Pinchart wrote:
>> Hi Shuah,
>>
>> On Fri, Jun 28, 2019 at 10:41:07AM -0600, Shuah Khan wrote:
>>> On 6/16/19 12:45 PM, Laurent Pinchart wrote:
>>>> On Fri, Jun 14, 2019 at 05:26:46PM -0600, Shuah Khan wrote:
>>>>> On 6/13/19 7:24 AM, Helen Koike wrote:
>>>>>> On 6/13/19 2:44 AM, Hans Verkuil wrote:
>>>>>>> On 5/24/19 5:31 AM, Shuah Khan wrote:
>>>>>>>> media_device is embedded in struct vimc_device and when vimc is removed
>>>>>>>> vimc_device and the embedded media_device goes with it, while the active
>>>>>>>> stream and vimc_capture continue to access it.
>>>>>>>>
>>>>>>>> Fix the media_device lifetime problem by changing vimc to create shared
>>>>>>>> media_device using Media Device Allocator API and vimc_capture getting
>>>>>>>> a reference to vimc module. With this change, vimc module can be removed
>>>>>>>> only when the references are gone. vimc can be removed after vimc_capture
>>>>>>>> is removed.
>>>>>>>>
>>>>>>>> Media Device Allocator API supports just USB devices. Enhance it
>>>>>>>> adding a genetic device allocate interface to support other media
>>>>>>>> drivers.
>>>>>>>>
>>>>>>>> The new interface takes pointer to struct device instead and creates
>>>>>>>> media device. This interface allows a group of drivers that have a
>>>>>>>> common root device to share media device resource and ensure media
>>>>>>>> device doesn't get deleted as long as one of the drivers holds its
>>>>>>>> reference.
>>>>>>>>
>>>>>>>> The new interface has been tested with vimc component driver to fix
>>>>>>>> panics when vimc module is removed while streaming is in progress.
>>>>>>>
>>>>>>> Helen, can you review this series? I'm not sure this is the right approach
>>>>>>> for a driver like vimc, and even if it is, then it is odd that vimc-capture
>>>>>>> is the only vimc module that's handled here.
>>>>>>
>>>>>> Hi Hans,
>>>>>>
>>>>>> Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
>>>>>> try to take a look at this patch series (and the others) asap.
>>>>>>
>>>>>> Helen
>>>>>>
>>>>>>> My gut feeling is that this should be handled inside vimc directly and not
>>>>>>> using the media-dev-allocator.
>>>>>
>>>>> Hi Hans and Helen,
>>>>>
>>>>> I explored fixing the problem within vimc before I went down the path to
>>>>> use Media Device Allocator API. I do think that it is cleaner to go this
>>>>> way and easier to maintain.
>>>>>
>>>>> vimc is a group pf component drivers that rely on the media device vimc
>>>>> in vimc and falls into the use-case Media Device Allocator API is added
>>>>> to address. The release and life-time management happens without vimc
>>>>> component drivers being changed other than using the API to get and put
>>>>> media device reference.
>>>>
>>>> Our replies crossed each other, please see my reply to Hans. I would
>>>> just like to comment here that if having multiple kernel modules causes
>>>> issue, they can all be merged together. There's no need for vimc to be
>>>> handled through multiple modules (I actually think it's quite
>>>> counterproductive, it only makes it more complex, for no added value).
>>>
>>> There are several problems in this group of drivers as far as lifetime
>>> management is concerned. I explained some of it in the patch 2/2
>>>
>>> If vimc module is removed while streaming is active, vimc_exit runs
>>> into NULL pointer dereference error when streaming thread tries to
>>> access and lock graph_mutex in the struct media_device.
>>>
>>> The primary reason for this is that:
>>>
>>> media_device is embedded in struct vimc_device and when vimc is removed
>>> vimc_device and the embedded media_device goes with it, while the active
>>> stream and vimc_capture continue to access it.
>>
>> The issue isn't so much that media_devic is embedded in vimc_device, but
>> that vimc_device is released too early. Not only does the thread need to
>> access the graph_mutex lock in the media_device structure, but it can
>> potentially access fields of the device-specific structures as well. The
>> proper solution is to propagate media_device_release() one level up, in
>> order to only release the top-level structure containing media_device
>> when the last reference to the media_device is dropped.
> 

Yes. vimc_device is the master device for all the component drivers and
it being released early definitely causes problems. I tried to solve
this by isolating the media_device embedded in it and taking that out
of contention for release later. This problem could be solved by making
sure vimc_device sticks around and I am on that solution now.

> I have seen similar problems with rcar-vin, the device specific data is
> released to early. In my case it was not triggered by the struct
> media_device but with a struct v4l2_device embedded in the device
> specific data IIRC.
> 
> This was when I tried to address the lifetime issues of the video device
> when binding/unbinding the device to the driver and not when unloading
> the module. This was quiet a while ago so I don't recall specifics,
> sorry about that. One finding was that there are also unsolved problems
> when it comes async notifiers and unloading/unbinding and then
> loading/binding subdevices as well as the driver controlling the video
> device. It was such a mess I gave up.
> 

Yes. You will find such problems with various media drivers. It could be
the v4l2 device or some other device that gets released while still in
use.

> I'm happy to see activity in this area but I fear it might need work on
> a higher level and not trying to work around the problem in drivers.
> 

Drivers still need to handle such issues anyway. Is there a reason why
you think it is a work-around?

>>
>>> If we chose to keep these drivers as component drivers, media device
>>> needs to stick around until all components stop using it. This is tricky
>>> because there is no tie between these set of drivers. vimc module can
>>> be deleted while others are still active. As vimc gets removed, other
>>> component drivers start wanting to access the media device tree.
>>
>> Reference-counting is the key.
>>
>>> This is classic media device lifetime problem which could be solved
>>> easily with the way I solved it with this series. I saw this as a
>>> variation on the same use-case we had with sound and media drivers
>>> sharing the media device.
>>
>> This isn't about solving it easily, it's about solving it properly. The
>> media device allocator as used here is a hack and takes us in the
>> opposite direction of a proper fix.
>>

Labeling this hack doesn't accurate. I agree though that this might be a
big hammer and there might be other solutions that can be limited to
just vimc scope. :)

>>> I have a TODO request from you asking to extend Media Device Allocator
>>> API to generic case and not restrict it to USB devices. My thinking is
>>> that this gives a perfect test case to extend the API to be generic
>>> and use to solve this problem.
>>
>> The biggest issue at the moment with the media device allocator, which I
>> have pointed out numerous times and has never been addressed (and which
>> explains why I didn't think the code was ready to be merged) is that the
>> media_device contains operations that are based on having a single
>> driver controlling the media device. A proper shared media device
>> allocator needs to drop the concept of a single master for the media
>> device, and thus needs to refactor those operations to allow any user of
>> the media device to implement them (the .link_notify() operation is a
>> prime example, and the recently added request operations will make this
>> even more challenging - think of how this patch series would prevent
>> vimc from properly implementing the request API). As long as these issue
>> are not fixed I will be firmly opposed to spreading the usage of the
>> media device allocator beyond what exists today.
>>

During the reviews, it was deemed necessary to make media driver as the
master for creating parts of the tree and provide hooks for other
drivers to add their own media components to the tree. The same is
extended to other interfaces. This feature was on ice for so long,
I don't recall all the details on how it evolved.

thanks,
-- Shuah
Laurent Pinchart July 3, 2019, 11:25 p.m. UTC | #10
Hi Shuah,

On Wed, Jul 03, 2019 at 10:52:17AM -0600, Shuah Khan wrote:
> On 7/3/19 10:17 AM, Niklas Söderlund wrote:
> > On 2019-06-30 14:41:02 +0300, Laurent Pinchart wrote:
> >> On Fri, Jun 28, 2019 at 10:41:07AM -0600, Shuah Khan wrote:
> >>> On 6/16/19 12:45 PM, Laurent Pinchart wrote:
> >>>> On Fri, Jun 14, 2019 at 05:26:46PM -0600, Shuah Khan wrote:
> >>>>> On 6/13/19 7:24 AM, Helen Koike wrote:
> >>>>>> On 6/13/19 2:44 AM, Hans Verkuil wrote:
> >>>>>>> On 5/24/19 5:31 AM, Shuah Khan wrote:
> >>>>>>>> media_device is embedded in struct vimc_device and when vimc is removed
> >>>>>>>> vimc_device and the embedded media_device goes with it, while the active
> >>>>>>>> stream and vimc_capture continue to access it.
> >>>>>>>>
> >>>>>>>> Fix the media_device lifetime problem by changing vimc to create shared
> >>>>>>>> media_device using Media Device Allocator API and vimc_capture getting
> >>>>>>>> a reference to vimc module. With this change, vimc module can be removed
> >>>>>>>> only when the references are gone. vimc can be removed after vimc_capture
> >>>>>>>> is removed.
> >>>>>>>>
> >>>>>>>> Media Device Allocator API supports just USB devices. Enhance it
> >>>>>>>> adding a genetic device allocate interface to support other media
> >>>>>>>> drivers.
> >>>>>>>>
> >>>>>>>> The new interface takes pointer to struct device instead and creates
> >>>>>>>> media device. This interface allows a group of drivers that have a
> >>>>>>>> common root device to share media device resource and ensure media
> >>>>>>>> device doesn't get deleted as long as one of the drivers holds its
> >>>>>>>> reference.
> >>>>>>>>
> >>>>>>>> The new interface has been tested with vimc component driver to fix
> >>>>>>>> panics when vimc module is removed while streaming is in progress.
> >>>>>>>
> >>>>>>> Helen, can you review this series? I'm not sure this is the right approach
> >>>>>>> for a driver like vimc, and even if it is, then it is odd that vimc-capture
> >>>>>>> is the only vimc module that's handled here.
> >>>>>>
> >>>>>> Hi Hans,
> >>>>>>
> >>>>>> Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
> >>>>>> try to take a look at this patch series (and the others) asap.
> >>>>>>
> >>>>>> Helen
> >>>>>>
> >>>>>>> My gut feeling is that this should be handled inside vimc directly and not
> >>>>>>> using the media-dev-allocator.
> >>>>>
> >>>>> Hi Hans and Helen,
> >>>>>
> >>>>> I explored fixing the problem within vimc before I went down the path to
> >>>>> use Media Device Allocator API. I do think that it is cleaner to go this
> >>>>> way and easier to maintain.
> >>>>>
> >>>>> vimc is a group pf component drivers that rely on the media device vimc
> >>>>> in vimc and falls into the use-case Media Device Allocator API is added
> >>>>> to address. The release and life-time management happens without vimc
> >>>>> component drivers being changed other than using the API to get and put
> >>>>> media device reference.
> >>>>
> >>>> Our replies crossed each other, please see my reply to Hans. I would
> >>>> just like to comment here that if having multiple kernel modules causes
> >>>> issue, they can all be merged together. There's no need for vimc to be
> >>>> handled through multiple modules (I actually think it's quite
> >>>> counterproductive, it only makes it more complex, for no added value).
> >>>
> >>> There are several problems in this group of drivers as far as lifetime
> >>> management is concerned. I explained some of it in the patch 2/2
> >>>
> >>> If vimc module is removed while streaming is active, vimc_exit runs
> >>> into NULL pointer dereference error when streaming thread tries to
> >>> access and lock graph_mutex in the struct media_device.
> >>>
> >>> The primary reason for this is that:
> >>>
> >>> media_device is embedded in struct vimc_device and when vimc is removed
> >>> vimc_device and the embedded media_device goes with it, while the active
> >>> stream and vimc_capture continue to access it.
> >>
> >> The issue isn't so much that media_devic is embedded in vimc_device, but
> >> that vimc_device is released too early. Not only does the thread need to
> >> access the graph_mutex lock in the media_device structure, but it can
> >> potentially access fields of the device-specific structures as well. The
> >> proper solution is to propagate media_device_release() one level up, in
> >> order to only release the top-level structure containing media_device
> >> when the last reference to the media_device is dropped.
> 
> Yes. vimc_device is the master device for all the component drivers and
> it being released early definitely causes problems. I tried to solve
> this by isolating the media_device embedded in it and taking that out
> of contention for release later. This problem could be solved by making
> sure vimc_device sticks around and I am on that solution now.

Thank you :-)

> > I have seen similar problems with rcar-vin, the device specific data is
> > released to early. In my case it was not triggered by the struct
> > media_device but with a struct v4l2_device embedded in the device
> > specific data IIRC.
> > 
> > This was when I tried to address the lifetime issues of the video device
> > when binding/unbinding the device to the driver and not when unloading
> > the module. This was quiet a while ago so I don't recall specifics,
> > sorry about that. One finding was that there are also unsolved problems
> > when it comes async notifiers and unloading/unbinding and then
> > loading/binding subdevices as well as the driver controlling the video
> > device. It was such a mess I gave up.
> 
> Yes. You will find such problems with various media drivers. It could be
> the v4l2 device or some other device that gets released while still in
> use.
> 
> > I'm happy to see activity in this area but I fear it might need work on
> > a higher level and not trying to work around the problem in drivers.
> 
> Drivers still need to handle such issues anyway. Is there a reason why
> you think it is a work-around?
> 
> >>> If we chose to keep these drivers as component drivers, media device
> >>> needs to stick around until all components stop using it. This is tricky
> >>> because there is no tie between these set of drivers. vimc module can
> >>> be deleted while others are still active. As vimc gets removed, other
> >>> component drivers start wanting to access the media device tree.
> >>
> >> Reference-counting is the key.
> >>
> >>> This is classic media device lifetime problem which could be solved
> >>> easily with the way I solved it with this series. I saw this as a
> >>> variation on the same use-case we had with sound and media drivers
> >>> sharing the media device.
> >>
> >> This isn't about solving it easily, it's about solving it properly. The
> >> media device allocator as used here is a hack and takes us in the
> >> opposite direction of a proper fix.
> 
> Labeling this hack doesn't accurate. I agree though that this might be a
> big hammer and there might be other solutions that can be limited to
> just vimc scope. :)

The reason I call this a hack is that it may hide the early free of the
media_device structure itself, but won't help at all with the vimc
device structure that may also need to be accessed by the other drivers.
In order to fix this problem - and all similar lifetime management
problems - correctly we need to look at every structure and track how
they are referenced. Only through proper reference counting can we be
safe.

The media device allocator was specifically designed to handle cases
where there is no single master driver that can own a media device. This
caused the problems explained below which to my infinite disappointment
have been ignored while being pointed out multiple times during review.
I can only blame myself for not having done a better job at explaining
those issues of course, as the patch adding the allocator is signed by
three V4L2 core developers, so I must have failed three times.
Nevertheless, this API shall not be used until those problems are fixed,
to avoid spreading them to more drivers. At least until then - and I
believe beyond that too - it shall not be used for drivers where a media
device master exists, such as vimc.

> >>> I have a TODO request from you asking to extend Media Device Allocator
> >>> API to generic case and not restrict it to USB devices. My thinking is
> >>> that this gives a perfect test case to extend the API to be generic
> >>> and use to solve this problem.
> >>
> >> The biggest issue at the moment with the media device allocator, which I
> >> have pointed out numerous times and has never been addressed (and which
> >> explains why I didn't think the code was ready to be merged) is that the
> >> media_device contains operations that are based on having a single
> >> driver controlling the media device. A proper shared media device
> >> allocator needs to drop the concept of a single master for the media
> >> device, and thus needs to refactor those operations to allow any user of
> >> the media device to implement them (the .link_notify() operation is a
> >> prime example, and the recently added request operations will make this
> >> even more challenging - think of how this patch series would prevent
> >> vimc from properly implementing the request API). As long as these issue
> >> are not fixed I will be firmly opposed to spreading the usage of the
> >> media device allocator beyond what exists today.
> 
> During the reviews, it was deemed necessary to make media driver as the
> master for creating parts of the tree and provide hooks for other
> drivers to add their own media components to the tree. The same is
> extended to other interfaces. This feature was on ice for so long,
> I don't recall all the details on how it evolved.

Do you mean during the review of the vimc driver or of the media
allocator API ?
Shuah Khan July 3, 2019, 11:42 p.m. UTC | #11
On 7/3/19 5:25 PM, Laurent Pinchart wrote:
> Hi Shuah,
> 
> On Wed, Jul 03, 2019 at 10:52:17AM -0600, Shuah Khan wrote:
>> On 7/3/19 10:17 AM, Niklas Söderlund wrote:
>>> On 2019-06-30 14:41:02 +0300, Laurent Pinchart wrote:
>>>> On Fri, Jun 28, 2019 at 10:41:07AM -0600, Shuah Khan wrote:
>>>>> On 6/16/19 12:45 PM, Laurent Pinchart wrote:
>>>>>> On Fri, Jun 14, 2019 at 05:26:46PM -0600, Shuah Khan wrote:
>>>>>>> On 6/13/19 7:24 AM, Helen Koike wrote:
>>>>>>>> On 6/13/19 2:44 AM, Hans Verkuil wrote:
>>>>>>>>> On 5/24/19 5:31 AM, Shuah Khan wrote:
>>>>>>>>>> media_device is embedded in struct vimc_device and when vimc is removed
>>>>>>>>>> vimc_device and the embedded media_device goes with it, while the active
>>>>>>>>>> stream and vimc_capture continue to access it.
>>>>>>>>>>
>>>>>>>>>> Fix the media_device lifetime problem by changing vimc to create shared
>>>>>>>>>> media_device using Media Device Allocator API and vimc_capture getting
>>>>>>>>>> a reference to vimc module. With this change, vimc module can be removed
>>>>>>>>>> only when the references are gone. vimc can be removed after vimc_capture
>>>>>>>>>> is removed.
>>>>>>>>>>
>>>>>>>>>> Media Device Allocator API supports just USB devices. Enhance it
>>>>>>>>>> adding a genetic device allocate interface to support other media
>>>>>>>>>> drivers.
>>>>>>>>>>
>>>>>>>>>> The new interface takes pointer to struct device instead and creates
>>>>>>>>>> media device. This interface allows a group of drivers that have a
>>>>>>>>>> common root device to share media device resource and ensure media
>>>>>>>>>> device doesn't get deleted as long as one of the drivers holds its
>>>>>>>>>> reference.
>>>>>>>>>>
>>>>>>>>>> The new interface has been tested with vimc component driver to fix
>>>>>>>>>> panics when vimc module is removed while streaming is in progress.
>>>>>>>>>
>>>>>>>>> Helen, can you review this series? I'm not sure this is the right approach
>>>>>>>>> for a driver like vimc, and even if it is, then it is odd that vimc-capture
>>>>>>>>> is the only vimc module that's handled here.
>>>>>>>>
>>>>>>>> Hi Hans,
>>>>>>>>
>>>>>>>> Yes, I can take a look. Sorry, I've been a bit busy these days but I'll
>>>>>>>> try to take a look at this patch series (and the others) asap.
>>>>>>>>
>>>>>>>> Helen
>>>>>>>>
>>>>>>>>> My gut feeling is that this should be handled inside vimc directly and not
>>>>>>>>> using the media-dev-allocator.
>>>>>>>
>>>>>>> Hi Hans and Helen,
>>>>>>>
>>>>>>> I explored fixing the problem within vimc before I went down the path to
>>>>>>> use Media Device Allocator API. I do think that it is cleaner to go this
>>>>>>> way and easier to maintain.
>>>>>>>
>>>>>>> vimc is a group pf component drivers that rely on the media device vimc
>>>>>>> in vimc and falls into the use-case Media Device Allocator API is added
>>>>>>> to address. The release and life-time management happens without vimc
>>>>>>> component drivers being changed other than using the API to get and put
>>>>>>> media device reference.
>>>>>>
>>>>>> Our replies crossed each other, please see my reply to Hans. I would
>>>>>> just like to comment here that if having multiple kernel modules causes
>>>>>> issue, they can all be merged together. There's no need for vimc to be
>>>>>> handled through multiple modules (I actually think it's quite
>>>>>> counterproductive, it only makes it more complex, for no added value).
>>>>>
>>>>> There are several problems in this group of drivers as far as lifetime
>>>>> management is concerned. I explained some of it in the patch 2/2
>>>>>
>>>>> If vimc module is removed while streaming is active, vimc_exit runs
>>>>> into NULL pointer dereference error when streaming thread tries to
>>>>> access and lock graph_mutex in the struct media_device.
>>>>>
>>>>> The primary reason for this is that:
>>>>>
>>>>> media_device is embedded in struct vimc_device and when vimc is removed
>>>>> vimc_device and the embedded media_device goes with it, while the active
>>>>> stream and vimc_capture continue to access it.
>>>>
>>>> The issue isn't so much that media_devic is embedded in vimc_device, but
>>>> that vimc_device is released too early. Not only does the thread need to
>>>> access the graph_mutex lock in the media_device structure, but it can
>>>> potentially access fields of the device-specific structures as well. The
>>>> proper solution is to propagate media_device_release() one level up, in
>>>> order to only release the top-level structure containing media_device
>>>> when the last reference to the media_device is dropped.
>>
>> Yes. vimc_device is the master device for all the component drivers and
>> it being released early definitely causes problems. I tried to solve
>> this by isolating the media_device embedded in it and taking that out
>> of contention for release later. This problem could be solved by making
>> sure vimc_device sticks around and I am on that solution now.
> 
> Thank you :-)
> 
>>> I have seen similar problems with rcar-vin, the device specific data is
>>> released to early. In my case it was not triggered by the struct
>>> media_device but with a struct v4l2_device embedded in the device
>>> specific data IIRC.
>>>
>>> This was when I tried to address the lifetime issues of the video device
>>> when binding/unbinding the device to the driver and not when unloading
>>> the module. This was quiet a while ago so I don't recall specifics,
>>> sorry about that. One finding was that there are also unsolved problems
>>> when it comes async notifiers and unloading/unbinding and then
>>> loading/binding subdevices as well as the driver controlling the video
>>> device. It was such a mess I gave up.
>>
>> Yes. You will find such problems with various media drivers. It could be
>> the v4l2 device or some other device that gets released while still in
>> use.
>>
>>> I'm happy to see activity in this area but I fear it might need work on
>>> a higher level and not trying to work around the problem in drivers.
>>
>> Drivers still need to handle such issues anyway. Is there a reason why
>> you think it is a work-around?
>>
>>>>> If we chose to keep these drivers as component drivers, media device
>>>>> needs to stick around until all components stop using it. This is tricky
>>>>> because there is no tie between these set of drivers. vimc module can
>>>>> be deleted while others are still active. As vimc gets removed, other
>>>>> component drivers start wanting to access the media device tree.
>>>>
>>>> Reference-counting is the key.
>>>>
>>>>> This is classic media device lifetime problem which could be solved
>>>>> easily with the way I solved it with this series. I saw this as a
>>>>> variation on the same use-case we had with sound and media drivers
>>>>> sharing the media device.
>>>>
>>>> This isn't about solving it easily, it's about solving it properly. The
>>>> media device allocator as used here is a hack and takes us in the
>>>> opposite direction of a proper fix.
>>
>> Labeling this hack doesn't accurate. I agree though that this might be a
>> big hammer and there might be other solutions that can be limited to
>> just vimc scope. :)
> 
> The reason I call this a hack is that it may hide the early free of the
> media_device structure itself, but won't help at all with the vimc
> device structure that may also need to be accessed by the other drivers.
> In order to fix this problem - and all similar lifetime management
> problems - correctly we need to look at every structure and track how
> they are referenced. Only through proper reference counting can we be
> safe.
> 
> The media device allocator was specifically designed to handle cases
> where there is no single master driver that can own a media device. This
> caused the problems explained below which to my infinite disappointment
> have been ignored while being pointed out multiple times during review.
> I can only blame myself for not having done a better job at explaining
> those issues of course, as the patch adding the allocator is signed by
> three V4L2 core developers, so I must have failed three times.
> Nevertheless, this API shall not be used until those problems are fixed,
> to avoid spreading them to more drivers. At least until then - and I
> believe beyond that too - it shall not be used for drivers where a media
> device master exists, such as vimc.
> 
>>>>> I have a TODO request from you asking to extend Media Device Allocator
>>>>> API to generic case and not restrict it to USB devices. My thinking is
>>>>> that this gives a perfect test case to extend the API to be generic
>>>>> and use to solve this problem.
>>>>
>>>> The biggest issue at the moment with the media device allocator, which I
>>>> have pointed out numerous times and has never been addressed (and which
>>>> explains why I didn't think the code was ready to be merged) is that the
>>>> media_device contains operations that are based on having a single
>>>> driver controlling the media device. A proper shared media device
>>>> allocator needs to drop the concept of a single master for the media
>>>> device, and thus needs to refactor those operations to allow any user of
>>>> the media device to implement them (the .link_notify() operation is a
>>>> prime example, and the recently added request operations will make this
>>>> even more challenging - think of how this patch series would prevent
>>>> vimc from properly implementing the request API). As long as these issue
>>>> are not fixed I will be firmly opposed to spreading the usage of the
>>>> media device allocator beyond what exists today.
>>
>> During the reviews, it was deemed necessary to make media driver as the
>> master for creating parts of the tree and provide hooks for other
>> drivers to add their own media components to the tree. The same is
>> extended to other interfaces. This feature was on ice for so long,
>> I don't recall all the details on how it evolved.
> 
> Do you mean during the review of the vimc driver or of the media
> allocator API ?
> 

I meant the media device allocator api. I did some looking after I sent
this email. link_notify itself isn't in the media device allocator api
scope. What is missing is someway to provide registering link_notify
similar to entity_notify that exists today.

Perhaps we can adrres the link_notify can be solved in the future. Let's
chat when we meet in person at one of the conferences.

thanks,
-- Shuah