From patchwork Sat Sep 30 18:48:19 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Avichal Rakesh <arakesh@google.com>
X-Patchwork-Id: 146987
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2a8e:b0:403:3b70:6f57 with SMTP id
 in14csp591732vqb;
        Sat, 30 Sep 2023 14:58:25 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IGNR1bOP6xFWsPycJwPP/nciyma2pBLt39uYWSvSTUhK/Eg6aEftc4v28alKO/1tputDFga
X-Received: by 2002:a05:6871:795:b0:1d6:1c63:d451 with SMTP id
 o21-20020a056871079500b001d61c63d451mr6571529oap.18.1696111105532;
        Sat, 30 Sep 2023 14:58:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696111105; cv=none;
        d=google.com; s=arc-20160816;
        b=LEmsJB1GdqeOKYKwz28je/76fuQmGJc3fXWPR68hxbejYO5fPPj3j3oVLXIGHXX/28
         67cIbmImG08scUBux7IcrAtqaTg76xEtQ3ZqzneANFAWoN3GsWUm4yKEX6WmLjtMRzw8
         guCRtmjbHekx7xv4XfvbHoCcAPVUjTXsKmxHHAEaI9GGHwsoaf/x7z62DGDKIM4uRj3Y
         1Tzil10yyhBOljewdwwSi7BxqeM8YGxuUdn46UHPmc0jBj0ysWOQMSzE+JQ7MCSv/Z/7
         QxNp2uizUPutcq+Cixhi46RvcJ8dbJJpDI1+2rJofq6bLYeoocb16snJ5kjX2WnLY/px
         5csg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:dkim-signature;
        bh=yVUNhv8Ca4Bneo2huWLmhKm4bUNhRAbGx7sDL56KZmE=;
        fh=X0UZ/0JiC2tQYTlQJjUvn7XaESk5c4hOSEK+aRyeDXE=;
        b=utqfmNPxLc9KlCHJMN6st5YOiRkFjbLHKp/L3qOMGaFb40LnF2RlDk7ZlbUS0MHW1q
         oMvAX2bC+pnyE/AXuGJs1xSWDwyXGN/N0vsIVzAo7TT5LCtutmsuw18J+7TNXjH+elcb
         HIWxlHO1z0kE+NInPCMn4vOSScQz8NlZ6kt+mG/AELM5qf1zPSoH08V9Dn5Of2HFih0K
         +yS1B8w+F/ndgJ82cv5MWhqYO6dgsJhSNMoVPx5kTgqDsP7sdETi7bx6dyeOQZWrfPyR
         iyYCl/0mkHQHxulbmCPhnMdVL5r55H07BPz1SJeH9jCJwo7PUOROoMCKYVzUIEXqRnAP
         baQA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=dn3jzL6U;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:7 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7])
        by mx.google.com with ESMTPS id
 z13-20020a6553cd000000b00574166b7d34si23494263pgr.881.2023.09.30.14.58.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 30 Sep 2023 14:58:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:7 as permitted sender)
 client-ip=2620:137:e000::3:7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=dn3jzL6U;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:7 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by snail.vger.email (Postfix) with ESMTP id 9CF078025D00;
	Sat, 30 Sep 2023 11:48:44 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231603AbjI3Ssg (ORCPT <rfc822;chrisfriedt@gmail.com>
        + 20 others); Sat, 30 Sep 2023 14:48:36 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33952 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234734AbjI3Sse (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 30 Sep 2023 14:48:34 -0400
Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com
 [IPv6:2607:f8b0:4864:20::b4a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D19A9E3
        for <linux-kernel@vger.kernel.org>;
 Sat, 30 Sep 2023 11:48:31 -0700 (PDT)
Received: by mail-yb1-xb4a.google.com with SMTP id
 3f1490d57ef6-d81c39acfd9so22170164276.0
        for <linux-kernel@vger.kernel.org>;
 Sat, 30 Sep 2023 11:48:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1696099711; x=1696704511;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=yVUNhv8Ca4Bneo2huWLmhKm4bUNhRAbGx7sDL56KZmE=;
        b=dn3jzL6UBvfdgT9ODHHBwGjuRi5jo/Qg9SAmRMCPoND7jdzfrDXUxpBRezyUyO1OGI
         pkPxAWPoiNYTz4t+mFpUvxLz245ILtM3OdO6r8HBAkA1zuYmJBHuS+DrXJUC6jPh/CcJ
         LuiEI3eQMvq1DvQtTvpIxAByi2LuAqHG5yiDf8MHGrWAaRMksEnEvn5GbEsq8jh8hDNf
         ffc6w0ZSBEGoKXUNF3NdQ1YlVzCDDWJlC8kuFhtiBd9CWIwjXq1mXPzdSZ6kojZJTaWU
         PvUI9V53D1qfcG2bHodz3kjKsUSOcark9mvPOpUSU28tO3THWnEkqlCpaQMTaWHeXnyM
         buvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696099711; x=1696704511;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=yVUNhv8Ca4Bneo2huWLmhKm4bUNhRAbGx7sDL56KZmE=;
        b=A7KlTmpkQfxCW1blL765EF4kHQeB+mkgmigeNXtxQn18BnPX0UHiblTpFlVjzZTMDT
         G4jPp2jy9MFRzEmI2QinGzSvhVy+EtRQO+cxl+IAiO3D5S3d0A7wTScvIeat1G+72NlE
         sYfYb7qHki8nJFtfUq30OK35XTp73/zPIGepeDwU3hY+S79zorPQIxqAsbjDGXBI1zbQ
         Th5YQEQKHtXYBwjdPhC36QxcK+b8Iq/wQJRPYrCGhQ3NgbhZKCMWMS3aegti8HWe1pL7
         RaYLvH3wCrj4yGh2Vgu9DhYSlvFWaWJmo5TG5inKcZTftc3Ji+Trm1npPE51aJiWLllE
         ebzg==
X-Gm-Message-State: AOJu0YxX3e6JrxH8yy/D4titjBFQSbKnWL22KlQKvd8mSwpeiyhv4Xem
        zXwRcsv/BPyMh2gzJ7MBY7sRgtpe22GN
X-Received: from hi-h2o-specialist.c.googlers.com
 ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef])
 (user=arakesh job=sendgmr) by 2002:a25:6f82:0:b0:d81:43c7:61ed with SMTP id
 k124-20020a256f82000000b00d8143c761edmr121329ybc.5.1696099711011; Sat, 30 Sep
 2023 11:48:31 -0700 (PDT)
Date: Sat, 30 Sep 2023 11:48:19 -0700
In-Reply-To: <20230930184821.310143-1-arakesh@google.com>
Mime-Version: 1.0
References: <20230930184821.310143-1-arakesh@google.com>
X-Mailer: git-send-email 2.42.0.582.g8ccd20d70d-goog
Message-ID: <20230930184821.310143-2-arakesh@google.com>
Subject: [PATCH v1 1/3] usb: gadget: uvc: prevent use of disabled endpoint
From: Avichal Rakesh <arakesh@google.com>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
        Daniel Scally <dan.scally@ideasonboard.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Michael Grzeschik <m.grzeschik@pengutronix.de>
Cc: jchowdhary@google.com, etalvala@google.com,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        Avichal Rakesh <arakesh@google.com>
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
 not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]);
 Sat, 30 Sep 2023 11:48:44 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778501398075540037
X-GMAIL-MSGID: 1778501398075540037

Currently the set_alt callback immediately disables the endpoint and queues
the v4l2 streamoff event. However, as the streamoff event is processed
asynchronously, it is possible that the video_pump thread attempts to queue
requests to an already disabled endpoint.

This change moves disabling usb endpoint to the end of streamoff event
callback. As the endpoint's state can no longer be used, video_pump is
now guarded by uvc->state as well. To be consistent with the actual
streaming state, uvc->state is now toggled between CONNECTED and STREAMING
from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
 drivers/usb/gadget/function/f_uvc.c     | 11 +++++------
 drivers/usb/gadget/function/f_uvc.h     |  2 +-
 drivers/usb/gadget/function/uvc.h       |  2 +-
 drivers/usb/gadget/function/uvc_v4l2.c  | 21 ++++++++++++++++++---
 drivers/usb/gadget/function/uvc_video.c |  3 ++-
 5 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index faa398109431..75c9f9a3f884 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
 	return 0;
 }
 
-void uvc_function_setup_continue(struct uvc_device *uvc)
+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep)
 {
 	struct usb_composite_dev *cdev = uvc->func.config->cdev;
 
+	if (disable_ep && uvc->video.ep) {
+		usb_ep_disable(uvc->video.ep);
+	}
 	usb_composite_setup_continue(cdev);
 }
 
@@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt)
 		if (uvc->state != UVC_STATE_STREAMING)
 			return 0;
 
-		if (uvc->video.ep)
-			usb_ep_disable(uvc->video.ep);
-
 		memset(&v4l2_event, 0, sizeof(v4l2_event));
 		v4l2_event.type = UVC_EVENT_STREAMOFF;
 		v4l2_event_queue(&uvc->vdev, &v4l2_event);
 
-		uvc->state = UVC_STATE_CONNECTED;
-		return 0;
+		return USB_GADGET_DELAYED_STATUS;
 
 	case 1:
 		if (uvc->state != UVC_STATE_CONNECTED)
diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h
index 1db972d4beeb..e7f9f13f14dc 100644
--- a/drivers/usb/gadget/function/f_uvc.h
+++ b/drivers/usb/gadget/function/f_uvc.h
@@ -11,7 +11,7 @@
 
 struct uvc_device;
 
-void uvc_function_setup_continue(struct uvc_device *uvc);
+void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep);
 
 void uvc_function_connect(struct uvc_device *uvc);
 
diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 6751de8b63ad..989bc6b4e93d 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -177,7 +177,7 @@ struct uvc_file_handle {
  * Functions
  */
 
-extern void uvc_function_setup_continue(struct uvc_device *uvc);
+extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);
 extern void uvc_function_connect(struct uvc_device *uvc);
 extern void uvc_function_disconnect(struct uvc_device *uvc);
 
diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 3f0a9795c0d4..3d3469883ed0 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 	 * Complete the alternate setting selection setup phase now that
 	 * userspace is ready to provide video frames.
 	 */
-	uvc_function_setup_continue(uvc);
+	uvc_function_setup_continue(uvc, 0);
 	uvc->state = UVC_STATE_STREAMING;
 
 	return 0;
@@ -463,11 +463,19 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 	struct video_device *vdev = video_devdata(file);
 	struct uvc_device *uvc = video_get_drvdata(vdev);
 	struct uvc_video *video = &uvc->video;
+	int ret = 0;
 
 	if (type != video->queue.queue.type)
 		return -EINVAL;
 
-	return uvcg_video_enable(video, 0);
+	uvc->state = UVC_STATE_CONNECTED;
+	ret = uvcg_video_enable(video, 0);
+	if (ret < 0) {
+		return ret;
+	}
+
+	uvc_function_setup_continue(uvc, 1);
+	return 0;
 }
 
 static int
@@ -500,6 +508,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
 static void uvc_v4l2_disable(struct uvc_device *uvc)
 {
 	uvc_function_disconnect(uvc);
+	if (uvc->state == UVC_STATE_STREAMING) {
+		/*
+		 * Drop uvc->state to CONNECTED if it was streaming before.
+		 * This ensures that the usb_requests are no longer queued
+		 * to the controller.
+		 */
+		uvc->state = UVC_STATE_CONNECTED;
+	}
 	uvcg_video_enable(&uvc->video, 0);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
@@ -647,4 +663,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = {
 	.get_unmapped_area = uvcg_v4l2_get_unmapped_area,
 #endif
 };
-
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 91af3b1ef0d4..70ff88854539 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -382,6 +382,7 @@ static void uvcg_video_pump(struct work_struct *work)
 {
 	struct uvc_video *video = container_of(work, struct uvc_video, pump);
 	struct uvc_video_queue *queue = &video->queue;
+	struct uvc_device *uvc = video->uvc;
 	/* video->max_payload_size is only set when using bulk transfer */
 	bool is_bulk = video->max_payload_size;
 	struct usb_request *req = NULL;
@@ -390,7 +391,7 @@ static void uvcg_video_pump(struct work_struct *work)
 	bool buf_done;
 	int ret;
 
-	while (video->ep->enabled) {
+	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
 		/*
 		 * Retrieve the first available USB request, protected by the
 		 * request lock.

From patchwork Sat Sep 30 18:48:20 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Avichal Rakesh <arakesh@google.com>
X-Patchwork-Id: 146988
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2a8e:b0:403:3b70:6f57 with SMTP id
 in14csp591734vqb;
        Sat, 30 Sep 2023 14:58:26 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IFbKbb/rK9M7N5ro2pOMo3VhP8cqlwDAbcBrVeNTpuPnAbdIw3osHEqKgF/iAzsct3pdvzS
X-Received: by 2002:a05:6358:718:b0:144:9cef:cd28 with SMTP id
 e24-20020a056358071800b001449cefcd28mr8087645rwj.7.1696111105963;
        Sat, 30 Sep 2023 14:58:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696111105; cv=none;
        d=google.com; s=arc-20160816;
        b=UGBc1b9KKcfvSgzCwLEdMt2B457nO67aCYXI80YDI0DDd/J870D28C0AmSVDci36DP
         tgcc5R6sgGtb2IbgLo4adZVFr5c8Pic4VIh1TE+W+Mu3GsQ+SYuXCJikzUpNdawHpahw
         ltoPOGwAJqtO4CoyETb6qKx9XQ+/T7SJfp7Q5Op5+LI1pfzaBpLJVE/UgK7n9LbBEM9Z
         Mgp2cEfLZYeYDH7rJFcjawlepSw9mtTt7mnPypvFpXjAXYlaYf3+U4Vd1/hWN3OK/gbu
         i2pPgwJuX1hESZ5w/EQ52uF0Z/GC6xkS6KxKQoznPfIgGVWLBYnceZc/Cfk1Qny1REzk
         BEng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:dkim-signature;
        bh=mAs460jPiMP8R4cGJH03uN3F+PMNEKWmOscua1DAK48=;
        fh=wZkaaK2eKArnv6Ec1Lfd2WLt2af6DzMK9J2Zc3h8Qac=;
        b=VC4YuK4K3wPEmVCRAO5m6JRZnT2QUEJgpPiYjj4aWzNLXY0SYSdsK3bBnfSHuNce5Q
         GMLHPENx87PdWQ4+nC7CXTriI4AauR84MODT8IOyzQtcWsUVcvb9TR1vv8XrNksZbnhV
         iw2SOY4FSjxtD7rttnpTQpqx96RhDNbUxguHBzBHio8nHI2L5C754W1aekkm3pLLGJGO
         yrQLE4StYLBTAQ2BxfGQcZbinTPesHn7qdxW9JWiWcecztK2wvoHXj2GHCc3NCXwQHya
         yqiT2gwsM3iVbXILV7VQjZvL7c/MhMgdUPq7jKwhpa/Xw9/DWBPHL9H0E9+oN9E5A5St
         a7mg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=Y6pweDJp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.37 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from snail.vger.email (snail.vger.email. [23.128.96.37])
        by mx.google.com with ESMTPS id
 gb22-20020a17090b061600b00277382d4803si4161594pjb.173.2023.09.30.14.58.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 30 Sep 2023 14:58:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=Y6pweDJp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.37 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by snail.vger.email (Postfix) with ESMTP id 7F8138025834;
	Sat, 30 Sep 2023 11:48:50 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234742AbjI3Ssj (ORCPT <rfc822;chrisfriedt@gmail.com>
        + 20 others); Sat, 30 Sep 2023 14:48:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55048 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234734AbjI3Ssh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 30 Sep 2023 14:48:37 -0400
Received: from mail-pg1-x549.google.com (mail-pg1-x549.google.com
 [IPv6:2607:f8b0:4864:20::549])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 070AAD3
        for <linux-kernel@vger.kernel.org>;
 Sat, 30 Sep 2023 11:48:35 -0700 (PDT)
Received: by mail-pg1-x549.google.com with SMTP id
 41be03b00d2f7-5803b6fadceso11936399a12.0
        for <linux-kernel@vger.kernel.org>;
 Sat, 30 Sep 2023 11:48:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1696099714; x=1696704514;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=mAs460jPiMP8R4cGJH03uN3F+PMNEKWmOscua1DAK48=;
        b=Y6pweDJp4Qn1rPKAL66slcaJGYTwDBvuqU9PMwSH+hgkZuVHqyrDsa/ur0RQyQe/O8
         D7kG8M8FpIbYe2crnJpN9V3HOmZzZFaC4s6J/g/ORjGG3F/Sfubj40snFA0UEzZyRWWN
         8nYgmhTsnj6HO4r6dgzeLEoBW0pJ3g0mUJwdNaWIu6tW/M55fDjNqbNPog73ReSbD/AP
         3oXvUtCVEppxjw2CENX4huGGDrNT39nUU0QtPuraEEFKzLx4h7IE0RQyKhy7a3PBK2ha
         plmLTLoVaqCYMh7ouUq+nyjYnHKyjriJQIw6fYCwsbIlJdDakLmSNjMjK5qVLUyGmTMO
         553g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696099714; x=1696704514;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=mAs460jPiMP8R4cGJH03uN3F+PMNEKWmOscua1DAK48=;
        b=M//TJdlyo0Bjeix1Leosx0VYx3NNKwl8I2E6PEMbPCeF1noase+IxZn2xr2iHFb7YT
         wljjAzH4PaY9Tzrf+W4jAxIKD2G4TLzwOmZNvq2zicjgnL8WIvrX3gos67PZ4783FHxw
         4OWbBsbVhd8EZ2TUkIxYNGuKwvuxDPO6MFL8IxrStKTDmu28Q1g5dKSCbE4xhzRgRqnc
         XUX8DhsqTRjnHqZ76KBYd4CmXj3sTR5FwEPtH7Z4YtxqyfhskLGq0lD5Hsn+dzoCP9Vb
         q75/zkV2ki/PkdWC12gLYSBipMsXMk0EdMteXsSdo0aiVDM8VKUu+zvl6MiWrqZmY43B
         P5PQ==
X-Gm-Message-State: AOJu0Yzo115DT3kcwcYFQlqk6jUgaoW2NxnzlV2YlaLvTTdYyRfzJRlZ
        Jbgmf+QM1Fd0mgKRuafAfGWSHnpJhxmo
X-Received: from hi-h2o-specialist.c.googlers.com
 ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef])
 (user=arakesh job=sendgmr) by 2002:a63:3649:0:b0:56f:8ff0:d164 with SMTP id
 d70-20020a633649000000b0056f8ff0d164mr114801pga.2.1696099714278; Sat, 30 Sep
 2023 11:48:34 -0700 (PDT)
Date: Sat, 30 Sep 2023 11:48:20 -0700
In-Reply-To: <20230930184821.310143-1-arakesh@google.com>
Mime-Version: 1.0
References: <20230930184821.310143-1-arakesh@google.com>
X-Mailer: git-send-email 2.42.0.582.g8ccd20d70d-goog
Message-ID: <20230930184821.310143-3-arakesh@google.com>
Subject: [PATCH v1 2/3] usb: gadget: uvc: Allocate uvc_requests one at a time
From: Avichal Rakesh <arakesh@google.com>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
        Daniel Scally <dan.scally@ideasonboard.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Michael Grzeschik <m.grzeschik@pengutronix.de>
Cc: jchowdhary@google.com, etalvala@google.com,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        Avichal Rakesh <arakesh@google.com>,
        Michael Grzeschik <mgr@pengutronix.de>
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
 not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]);
 Sat, 30 Sep 2023 11:48:50 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778501399086666798
X-GMAIL-MSGID: 1778501399086666798

Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue.
Instead of bulk allocating all uvc_requests as an array, this patch
allocates uvc_requests one at a time, which should allows for similar
granularity when deallocating the uvc_requests. This patch has no
functional changes other than allocating each uvc_request separately,
and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik <mgr@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
 drivers/usb/gadget/function/uvc.h       |  3 +-
 drivers/usb/gadget/function/uvc_video.c | 90 ++++++++++++++-----------
 2 files changed, 51 insertions(+), 42 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 989bc6b4e93d..993694da0bbc 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -81,6 +81,7 @@ struct uvc_request {
 	struct sg_table sgt;
 	u8 header[UVCG_REQUEST_HEADER_LEN];
 	struct uvc_buffer *last_buf;
+	struct list_head list;
 };
 
 struct uvc_video {
@@ -102,7 +103,7 @@ struct uvc_video {
 
 	/* Requests */
 	unsigned int req_size;
-	struct uvc_request *ureq;
+	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
 	struct list_head req_free;
 	spinlock_t req_lock;
 
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 70ff88854539..ffecd7a140dc 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -227,6 +227,23 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
  * Request handling
  */
 
+static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
+{
+	sg_free_table(&ureq->sgt);
+	if (ureq->req && ep) {
+		usb_ep_free_request(ep, ureq->req);
+		ureq->req = NULL;
+	}
+
+	kfree(ureq->req_buffer);
+	ureq->req_buffer = NULL;
+
+	if (!list_empty(&ureq->list))
+		list_del_init(&ureq->list);
+
+	kfree(ureq);
+}
+
 static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req)
 {
 	int ret;
@@ -293,27 +310,13 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 static int
 uvc_video_free_requests(struct uvc_video *video)
 {
-	unsigned int i;
-
-	if (video->ureq) {
-		for (i = 0; i < video->uvc_num_requests; ++i) {
-			sg_free_table(&video->ureq[i].sgt);
-
-			if (video->ureq[i].req) {
-				usb_ep_free_request(video->ep, video->ureq[i].req);
-				video->ureq[i].req = NULL;
-			}
+	struct uvc_request *ureq, *temp;
 
-			if (video->ureq[i].req_buffer) {
-				kfree(video->ureq[i].req_buffer);
-				video->ureq[i].req_buffer = NULL;
-			}
-		}
-
-		kfree(video->ureq);
-		video->ureq = NULL;
+	list_for_each_entry_safe(ureq, temp, &video->ureqs, list) {
+		uvc_video_free_request(ureq, video->ep);
 	}
 
+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	video->req_size = 0;
 	return 0;
@@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video)
 static int
 uvc_video_alloc_requests(struct uvc_video *video)
 {
+	struct uvc_request *ureq;
 	unsigned int req_size;
 	unsigned int i;
 	int ret = -ENOMEM;
@@ -332,29 +336,31 @@ uvc_video_alloc_requests(struct uvc_video *video)
 		 * max_t(unsigned int, video->ep->maxburst, 1)
 		 * (video->ep->mult);
 
-	video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL);
-	if (video->ureq == NULL)
-		return -ENOMEM;
-
-	for (i = 0; i < video->uvc_num_requests; ++i) {
-		video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL);
-		if (video->ureq[i].req_buffer == NULL)
+	INIT_LIST_HEAD(&video->ureqs);
+	for (i = 0; i < video->uvc_num_requests; i++) {
+		ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL);
+		if (ureq == NULL)
 			goto error;
+		INIT_LIST_HEAD(&ureq->list);
+		list_add_tail(&ureq->list, &video->ureqs);
+	}
 
-		video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
-		if (video->ureq[i].req == NULL)
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		ureq->req_buffer = kmalloc(req_size, GFP_KERNEL);
+		if (ureq->req_buffer == NULL)
 			goto error;
-
-		video->ureq[i].req->buf = video->ureq[i].req_buffer;
-		video->ureq[i].req->length = 0;
-		video->ureq[i].req->complete = uvc_video_complete;
-		video->ureq[i].req->context = &video->ureq[i];
-		video->ureq[i].video = video;
-		video->ureq[i].last_buf = NULL;
-
-		list_add_tail(&video->ureq[i].req->list, &video->req_free);
+		ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
+		if (ureq->req == NULL)
+			goto error;
+		ureq->req->buf = ureq->req_buffer;
+		ureq->req->length = 0;
+		ureq->req->complete = uvc_video_complete;
+		ureq->req->context = ureq;
+		ureq->video = video;
+		ureq->last_buf = NULL;
+		list_add_tail(&ureq->req->list, &video->req_free);
 		/* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */
-		sg_alloc_table(&video->ureq[i].sgt,
+		sg_alloc_table(&ureq->sgt,
 			       DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN,
 					    PAGE_SIZE) + 2, GFP_KERNEL);
 	}
@@ -489,8 +495,8 @@ static void uvcg_video_pump(struct work_struct *work)
  */
 int uvcg_video_enable(struct uvc_video *video, int enable)
 {
-	unsigned int i;
 	int ret;
+	struct uvc_request *ureq;
 
 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
@@ -502,9 +508,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
 		cancel_work_sync(&video->pump);
 		uvcg_queue_cancel(&video->queue, 0);
 
-		for (i = 0; i < video->uvc_num_requests; ++i)
-			if (video->ureq && video->ureq[i].req)
-				usb_ep_dequeue(video->ep, video->ureq[i].req);
+		list_for_each_entry(ureq, &video->ureqs, list) {
+			if (ureq->req)
+				usb_ep_dequeue(video->ep, ureq->req);
+		}
 
 		uvc_video_free_requests(video);
 		uvcg_queue_enable(&video->queue, 0);
@@ -536,6 +543,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
  */
 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
 {
+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	spin_lock_init(&video->req_lock);
 	INIT_WORK(&video->pump, uvcg_video_pump);

From patchwork Sat Sep 30 18:48:21 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Avichal Rakesh <arakesh@google.com>
X-Patchwork-Id: 147024
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2a8e:b0:403:3b70:6f57 with SMTP id
 in14csp664995vqb;
        Sat, 30 Sep 2023 19:20:13 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IFMQ59mQyqE7XeMq/mpjBORhvHIyq78BpqzPKeoRnpBTYMLmnKKoHJQZFNs2uP2S80xBiSI
X-Received: by 2002:a17:902:d34b:b0:1bb:9b29:20d9 with SMTP id
 l11-20020a170902d34b00b001bb9b2920d9mr9065083plk.20.1696126813137;
        Sat, 30 Sep 2023 19:20:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696126813; cv=none;
        d=google.com; s=arc-20160816;
        b=bhlky9YWEr1AjsuVOv6S2cr4NeEvN+UME22Ax1v+2GVdjbnMZy1rweC5HyNlcJl7oE
         6md7UyGbER6ta2hBNh0yx9urV/1e5rNyNV/m07S9Z6pNsnYOMq2w9roz+mG1qhWhzIy4
         EUSHEhyAFVzI+N7bHlRvN6n2Kc1EBr3P5osNZWXH1V1cZAZgE9Nb/Zxu5HsFPL0FQdG3
         3X2fsI9EUATTlOYqemL1KAuMkOgA6WXi7AuymqjSqZIzILt2E3AkVzLOrzTPq2Fvc7Dm
         /0I8MpjkiAqPifXwTcgtglZDpqqwQI8v2DcX/hc3O0SDl4gei/ZawVJAXPnzkZRkRtfk
         YhMw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:dkim-signature;
        bh=8sS0/uaQLhAvse+d/NY7S3JtHJHgQXnCXFHZHAD5jYQ=;
        fh=wZkaaK2eKArnv6Ec1Lfd2WLt2af6DzMK9J2Zc3h8Qac=;
        b=eiuAuqTbXW+WKvmFv4Etrd8c9xeVxJtB0SyR0xpKPYv8RMMQUg8e6NiOhq/1gW/QBd
         jhr4nyi1ZAZmz/p5LbDcFBTWxOykxhj9R4Nc/q31HIdjDRVmB8so7GtW73tVGq7jGSon
         vIy8fH8m3K4gT5qmFv04dgXCJfa7Po6P1pzeZi1f0TMbVuiXa7u/vnuSV/UFFwJK4EH5
         e41iUCsbAC7Y1DVBXtYTQrBV77qZDmJUHV/aJNZQNCdsetNYGu9lk0qXJazePQpbFjyz
         f8qNFo9vZDiWToLGCN3cXFq15A7Fpg7SIYUnAqh7C5tme7SYIrZ4e2aTXEY8mF+pGNDI
         YLHA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=tRLc6bqB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.33 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33])
        by mx.google.com with ESMTPS id
 kg14-20020a170903060e00b001b89b1bae72si14183377plb.528.2023.09.30.19.20.12
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 30 Sep 2023 19:20:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=tRLc6bqB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.33 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id 7A9CE8142D90;
	Sat, 30 Sep 2023 11:49:10 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234756AbjI3Ssp (ORCPT <rfc822;chrisfriedt@gmail.com>
        + 20 others); Sat, 30 Sep 2023 14:48:45 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55114 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234751AbjI3Ssn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 30 Sep 2023 14:48:43 -0400
Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com
 [IPv6:2607:f8b0:4864:20::1149])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 111C0100
        for <linux-kernel@vger.kernel.org>;
 Sat, 30 Sep 2023 11:48:39 -0700 (PDT)
Received: by mail-yw1-x1149.google.com with SMTP id
 00721157ae682-59f6902dc8bso215755367b3.0
        for <linux-kernel@vger.kernel.org>;
 Sat, 30 Sep 2023 11:48:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1696099718; x=1696704518;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=8sS0/uaQLhAvse+d/NY7S3JtHJHgQXnCXFHZHAD5jYQ=;
        b=tRLc6bqBTUC+HjWpMuM+lJSzMX7JOeSi+5VjDfx965ORJh4k2dXGYvpooRLZTa5g2f
         o/6cYNB6pXGXw+DCQoQXyCxfrGz8oQW6bkTbAxP1rlO7l1cQp4i8L+NZ/Yl8u4FhG+WB
         Bkb4S9gRWR04NGOJMishgCr4Jbzi3OF+ePmmajq+efN53iurJvUIUVT1v6D11kKRP8nY
         RZl/4CP6Qlxfk5ZmiiPAs4s1hi6nG4lOhJq3YuctxnKiMqhL50tNTmRpTp5SJFO/2bhL
         RsDbJXpNVrmCElhY2PHGbGaP9tjPTVxBzJze0umhW8G+/omiQnNzZriw4XqCNxP1ybJW
         2vmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696099718; x=1696704518;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=8sS0/uaQLhAvse+d/NY7S3JtHJHgQXnCXFHZHAD5jYQ=;
        b=fYwe6FwzyAylKg7gydbZwJF3hQIhmG92G4kc2lCdX7eXBosMPg9+bbVg5yX1vL+Muk
         xAubc/X2vb2bJKy2olmRUg1X1bwCTGCwLM2x1PVrMJwdRA/C/OmLVgZ8jUigBmzuD0jz
         WRdM2EZW1hwnJ0ATUpU9C2M5i23yiC4dQiw8Xs7KFl+d0Va3W+10YGkpCedt2JbxWMla
         bg9B6ExZC2Ag5hJkHI3ioREHyY2wHg10j9UvC2Di0B4y32SfxEoJEzuB5K2Uraie6f2i
         OAYiJbFtnsxSiPa4tv7EX+SVGuzhpW21ZUttB/ZzexEoCMGFYXvyfHimDnPsO3kMD9HH
         4CHw==
X-Gm-Message-State: AOJu0Yz8PI3jsyUn2qLbtwGEOBikT8GrpWDHRqD9cfQuZkJoo3XQO9mV
        fNZ/WEw53gHikYVhoEt6rpuAjO/AdZKp
X-Received: from hi-h2o-specialist.c.googlers.com
 ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef])
 (user=arakesh job=sendgmr) by 2002:a05:690c:3412:b0:579:f832:74b with SMTP id
 fn18-20020a05690c341200b00579f832074bmr130768ywb.10.1696099718241; Sat, 30
 Sep 2023 11:48:38 -0700 (PDT)
Date: Sat, 30 Sep 2023 11:48:21 -0700
In-Reply-To: <20230930184821.310143-1-arakesh@google.com>
Mime-Version: 1.0
References: <20230930184821.310143-1-arakesh@google.com>
X-Mailer: git-send-email 2.42.0.582.g8ccd20d70d-goog
Message-ID: <20230930184821.310143-4-arakesh@google.com>
Subject: [PATCH v1 3/3] usb: gadget: uvc: Fix use-after-free for inflight
 usb_requests
From: Avichal Rakesh <arakesh@google.com>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
        Daniel Scally <dan.scally@ideasonboard.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Michael Grzeschik <m.grzeschik@pengutronix.de>
Cc: jchowdhary@google.com, etalvala@google.com,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        Avichal Rakesh <arakesh@google.com>,
        Michael Grzeschik <mgr@pengutronix.de>
X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
 not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]);
 Sat, 30 Sep 2023 11:49:10 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778517869169821913
X-GMAIL-MSGID: 1778517869169821913

Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new
flag to uvc_request to mark it as 'abandoned'. When disabling the video
stream, instead of de-allocating all uvc_requests and usb_requests, the
gadget driver only de-allocates those usb_requests that are currently
owned by the gadget driver (as present in req_free). Other usb_requests
have their corresponding 'is_abandoned' flag tripped, and the
usb_requests complete handler takes care of freeing the usb_request and
its corresponding uvc_request.

This should ensure that uvc gadget driver never accidentally de-allocates
a usb_request that it doesn't own.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik <mgr@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
 drivers/usb/gadget/function/uvc.h       |   1 +
 drivers/usb/gadget/function/uvc_video.c | 106 ++++++++++++++++++++----
 2 files changed, 91 insertions(+), 16 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 993694da0bbc..e69cfb7cced1 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -82,6 +82,7 @@ struct uvc_request {
 	u8 header[UVCG_REQUEST_HEADER_LEN];
 	struct uvc_buffer *last_buf;
 	struct list_head list;
+	bool is_abandoned;
 };
 
 struct uvc_video {
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index ffecd7a140dc..aad7dcba46ee 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -271,7 +271,21 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 	struct uvc_video *video = ureq->video;
 	struct uvc_video_queue *queue = &video->queue;
 	struct uvc_device *uvc = video->uvc;
+	struct uvc_buffer *last_buf;
 	unsigned long flags;
+	bool is_abandoned;
+
+	spin_lock_irqsave(&video->req_lock, flags);
+	is_abandoned = ureq->is_abandoned;
+	last_buf = ureq->last_buf;
+	ureq->last_buf = NULL;
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
+	if (is_abandoned) {
+		uvcg_dbg(&video->uvc->func, "Freeing abandoned usb_request\n");
+		uvc_video_free_request(ureq, ep);
+		return;
+	}
 
 	switch (req->status) {
 	case 0:
@@ -294,15 +308,29 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 		uvcg_queue_cancel(queue, 0);
 	}
 
-	if (ureq->last_buf) {
-		uvcg_complete_buffer(&video->queue, ureq->last_buf);
-		ureq->last_buf = NULL;
+	if (last_buf) {
+		spin_lock_irqsave(&video->queue.irqlock, flags);
+		uvcg_complete_buffer(&video->queue, last_buf);
+		spin_unlock_irqrestore(&video->queue.irqlock, flags);
 	}
 
+	/*
+	 * request might have been abandoned while being processed.
+	 * do a last minute check before queueing the request back.
+	 */
 	spin_lock_irqsave(&video->req_lock, flags);
-	list_add_tail(&req->list, &video->req_free);
+	is_abandoned = ureq->is_abandoned;
+	if (!is_abandoned)
+		list_add_tail(&req->list, &video->req_free);
 	spin_unlock_irqrestore(&video->req_lock, flags);
 
+	if (is_abandoned) {
+		uvcg_dbg(&video->uvc->func,
+			 "usb_request abandoned mid-processing - freeing.\n");
+		uvc_video_free_request(ureq, ep);
+		return;
+	}
+
 	if (uvc->state == UVC_STATE_STREAMING)
 		queue_work(video->async_wq, &video->pump);
 }
@@ -366,7 +394,6 @@ uvc_video_alloc_requests(struct uvc_video *video)
 	}
 
 	video->req_size = req_size;
-
 	return 0;
 
 error:
@@ -490,13 +517,69 @@ static void uvcg_video_pump(struct work_struct *work)
 	return;
 }
 
+/*
+ * Disable video stream. This ensures that any inflight usb requests are marked
+ * for clean up and all video buffers are dropped before returning.
+ */
+static void uvcg_video_disable(struct uvc_video *video)
+{
+	struct uvc_buffer *buf, *tmp_buf;
+	struct uvc_request *ureq, *temp;
+	struct list_head buf_list; /* track in-flight video buffers */
+	struct usb_request *req;
+	unsigned long flags;
+
+	cancel_work_sync(&video->pump);
+	uvcg_queue_cancel(&video->queue, 0);
+
+	INIT_LIST_HEAD(&buf_list);
+	spin_lock_irqsave(&video->req_lock, flags);
+	/* abandon all usb requests */
+	list_for_each_entry_safe(ureq, temp, &video->ureqs, list) {
+		ureq->is_abandoned = true;
+		if (ureq->last_buf) {
+			list_add(&ureq->last_buf->queue, &buf_list);
+			ureq->last_buf = NULL;
+		}
+		list_del_init(&ureq->list);
+		if (ureq->req)
+			usb_ep_dequeue(video->ep, ureq->req);
+	}
+	/*
+	 * re-add uvc_requests currently owned by the gadget to
+	 * video->ureqs to be deallocated
+	 */
+	list_for_each_entry(req, &video->req_free, list) {
+		ureq = req->context;
+		list_add_tail(&ureq->list, &video->ureqs);
+	}
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
+	/*
+	 * drop abandoned uvc_buffers, as the completion handler
+	 * no longer will
+	 */
+	if (!list_empty(&buf_list)) {
+		spin_lock_irqsave(&video->queue.irqlock, flags);
+		list_for_each_entry_safe(buf, tmp_buf,
+						&buf_list, queue) {
+			video->queue.flags |= UVC_QUEUE_DROP_INCOMPLETE;
+			uvcg_complete_buffer(&video->queue, buf);
+			list_del(&buf->queue);
+		}
+		spin_unlock_irqrestore(&video->queue.irqlock, flags);
+	}
+
+	uvc_video_free_requests(video);
+	uvcg_queue_enable(&video->queue, 0);
+}
+
 /*
  * Enable or disable the video stream.
  */
 int uvcg_video_enable(struct uvc_video *video, int enable)
 {
 	int ret;
-	struct uvc_request *ureq;
 
 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
@@ -505,16 +588,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
 	}
 
 	if (!enable) {
-		cancel_work_sync(&video->pump);
-		uvcg_queue_cancel(&video->queue, 0);
-
-		list_for_each_entry(ureq, &video->ureqs, list) {
-			if (ureq->req)
-				usb_ep_dequeue(video->ep, ureq->req);
-		}
-
-		uvc_video_free_requests(video);
-		uvcg_queue_enable(&video->queue, 0);
+		uvcg_video_disable(video);
 		return 0;
 	}