From patchwork Sat Sep 30 18:48:19 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 146987
Date: Sat, 30 Sep 2023 11:48:19 -0700
In-Reply-To: <20230930184821.310143-1-arakesh@google.com>
References: <20230930184821.310143-1-arakesh@google.com>
Message-ID: <20230930184821.310143-2-arakesh@google.com>
Subject: [PATCH v1 1/3] usb: gadget: uvc: prevent use of disabled endpoint
From: Avichal Rakesh
To: Laurent Pinchart, Daniel Scally, Greg Kroah-Hartman, Michael Grzeschik
Cc: jchowdhary@google.com, etalvala@google.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Avichal Rakesh

Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint.

This change moves disabling usb endpoint to the end of streamoff event callback. As the endpoint's state can no longer be used, video_pump is now guarded by uvc->state as well. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Signed-off-by: Avichal Rakesh
---
 drivers/usb/gadget/function/f_uvc.c     | 11 +++++------
 drivers/usb/gadget/function/f_uvc.h     |  2 +-
 drivers/usb/gadget/function/uvc.h       |  2 +-
 drivers/usb/gadget/function/uvc_v4l2.c  | 21 ++++++++++++++++++---
 drivers/usb/gadget/function/uvc_video.c |  3 ++-
 5 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index faa398109431..75c9f9a3f884 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) { + usb_ep_disable(uvc->video.ep); + } usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..e7f9f13f14dc 100644 --- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h @@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h 
@@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..3d3469883ed0 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,19 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) { + return ret; + } + + uvc_function_setup_continue(uvc, 1); + return 0; } static int @@ -500,6 +508,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + if (uvc->state == UVC_STATE_STREAMING) { + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + uvc->state = UVC_STATE_CONNECTED; + } uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; 
@@ -647,4 +663,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 91af3b1ef0d4..70ff88854539 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -382,6 +382,7 @@ static void uvcg_video_pump(struct work_struct *work) { struct uvc_video *video = container_of(work, struct uvc_video, pump); struct uvc_video_queue *queue = &video->queue; + struct uvc_device *uvc = video->uvc; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; struct usb_request *req = NULL; 
@@ -390,7 +391,7 @@ static void uvcg_video_pump(struct work_struct *work) bool buf_done; int ret; - while (video->ep->enabled) { + while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { /* * Retrieve the first available USB request, protected by the * request lock.

From patchwork Sat Sep 30 18:48:20 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 146988
Date: Sat, 30 Sep 2023 11:48:20 -0700
In-Reply-To: <20230930184821.310143-1-arakesh@google.com>
References: <20230930184821.310143-1-arakesh@google.com>
Message-ID: <20230930184821.310143-3-arakesh@google.com>
Subject: [PATCH v1 2/3] usb: gadget: uvc: Allocate uvc_requests one at a time
From: Avichal Rakesh
To: Laurent Pinchart, Daniel Scally, Greg Kroah-Hartman, Michael Grzeschik
Cc: jchowdhary@google.com, etalvala@google.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Avichal Rakesh, Michael Grzeschik

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allow for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 90 ++++++++++++++----------- 2 files changed, 51 insertions(+), 42 deletions(-) diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 70ff88854539..ffecd7a140dc 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,23 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; 
@@ -293,27 +310,13 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); - - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } + struct uvc_request *ureq, *temp; - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) { + uvc_video_free_request(ureq, video->ep); } + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; 
@@ -332,29 +336,31 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; - - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + INIT_LIST_HEAD(&video->ureqs); + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) goto error; + INIT_LIST_HEAD(&ureq->list); + list_add_tail(&ureq->list, &video->ureqs); + } - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + list_for_each_entry(ureq, &video->ureqs, list) { + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; - - list_add_tail(&video->ureq[i].req->list, &video->req_free); + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) + goto error; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } 
@@ -489,8 +495,8 @@ static void uvcg_video_pump(struct work_struct *work) */ int uvcg_video_enable(struct uvc_video *video, int enable) { - unsigned int i; int ret; + struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, @@ -502,9 +508,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); 
@@ -536,6 +543,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump);

From patchwork Sat Sep 30 18:48:21 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 147024
Date: Sat, 30 Sep 2023 11:48:21 -0700
In-Reply-To: <20230930184821.310143-1-arakesh@google.com>
References: <20230930184821.310143-1-arakesh@google.com>
Message-ID: <20230930184821.310143-4-arakesh@google.com>
Subject: [PATCH v1 3/3] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
From: Avichal Rakesh
To: Laurent Pinchart, Daniel Scally, Greg Kroah-Hartman, Michael Grzeschik
Cc: jchowdhary@google.com, etalvala@google.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Avichal Rakesh, Michael Grzeschik

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_request to mark it as 'abandoned'. When disabling the video stream, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by the gadget driver (as present in req_free). Other usb_requests have their corresponding 'is_abandoned' flag tripped, and the usb_requests complete handler takes care of freeing the usb_request and its corresponding uvc_request.

This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- drivers/usb/gadget/function/uvc.h | 1 + drivers/usb/gadget/function/uvc_video.c | 106 ++++++++++++++++++++---- 2 files changed, 91 insertions(+), 16 deletions(-) diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..e69cfb7cced1 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -82,6 +82,7 @@ struct uvc_request { u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; struct list_head list; + bool is_abandoned; }; struct uvc_video { diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index ffecd7a140dc..aad7dcba46ee 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -271,7 +271,21 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf; unsigned long flags; + bool is_abandoned; + + spin_lock_irqsave(&video->req_lock, flags); + is_abandoned = ureq->is_abandoned; + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + + if (is_abandoned) { + uvcg_dbg(&video->uvc->func, "Freeing abandoned usb_request\n"); + uvc_video_free_request(ureq, ep); + return; + } switch (req->status) { case 0: 
@@ -294,15 +308,29 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&video->queue.irqlock, flags); + uvcg_complete_buffer(&video->queue, last_buf); + spin_unlock_irqrestore(&video->queue.irqlock, flags); } + /* + * request might have been abandoned while being processed. + * do a last minute check before queueing the request back. + */ spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + is_abandoned = ureq->is_abandoned; + if (!is_abandoned) + list_add_tail(&req->list, &video->req_free); spin_unlock_irqrestore(&video->req_lock, flags); + if (is_abandoned) { + uvcg_dbg(&video->uvc->func, + "usb_request abandoned mid-processing - freeing.\n"); + uvc_video_free_request(ureq, ep); + return; + } + if (uvc->state == UVC_STATE_STREAMING) queue_work(video->async_wq, &video->pump); } @@ -366,7 +394,6 @@ uvc_video_alloc_requests(struct uvc_video *video) } video->req_size = req_size; - return 0; error: 
@@ -490,13 +517,69 @@ static void uvcg_video_pump(struct work_struct *work) return; } +/* + * Disable video stream. This ensures that any inflight usb requests are marked + * for clean up and all video buffers are dropped before returning. + */ +static void uvcg_video_disable(struct uvc_video *video) +{ + struct uvc_buffer *buf, *tmp_buf; + struct uvc_request *ureq, *temp; + struct list_head buf_list; /* track in-flight video buffers */ + struct usb_request *req; + unsigned long flags; + + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); + + INIT_LIST_HEAD(&buf_list); + spin_lock_irqsave(&video->req_lock, flags); + /* abandon all usb requests */ + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) { + ureq->is_abandoned = true; + if (ureq->last_buf) { + list_add(&ureq->last_buf->queue, &buf_list); + ureq->last_buf = NULL; + } + list_del_init(&ureq->list); + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } + /* + * re-add uvc_requests currently owned by the gadget to + * video->ureqs to be deallocated + */ + list_for_each_entry(req, &video->req_free, list) { + ureq = req->context; + list_add_tail(&ureq->list, &video->ureqs); + } + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * drop abandoned uvc_buffers, as the completion handler + * no longer will + */ + if (!list_empty(&buf_list)) { + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, tmp_buf, + &buf_list, queue) { + video->queue.flags |= UVC_QUEUE_DROP_INCOMPLETE; + uvcg_complete_buffer(&video->queue, buf); + list_del(&buf->queue); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + } + + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); +} + /* * Enable or disable the video stream. */ int uvcg_video_enable(struct uvc_video *video, int enable) { int ret; - struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -505,16 +588,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) } if (!enable) { - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); - - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } - - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); + uvcg_video_disable(video); return 0; }
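
Review bot: the new is_abandoned field in struct uvc_request (uvc.h, hunk at -82,6) carries no comment saying which lock protects it. Every read and write of it in uvc_video.c happens under video->req_lock, so please document that next to the field, for example "/* protected by uvc_video.req_lock */", so that a later change does not read it unlocked.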
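
Review bot: in the first uvc_video_complete() hunk (-271,7), the abandoned path still dereferences ureq->video to take video->req_lock and to reach video->uvc->func for uvcg_dbg(), and it can run after uvcg_video_disable() has already returned. Nothing in this patch shows what keeps struct uvc_video alive until the last abandoned request completes, which would move the use-after-free from the usb_request to the uvc_video. Please state that lifetime guarantee in a comment or the commit message, or make the abandoned path avoid touching video. Minor: the function already has a local uvc, so "&uvc->func" reads better than "&video->uvc->func".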
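
Review bot: in the second uvc_video_complete() hunk (-294,15), uvcg_complete_buffer() is now called under video->queue.irqlock, where the removed lines called it with no lock held, and the commit message does not mention this. If the old call was missing a lock, that is a separate fix and should be its own patch or at least be described here; if the lock is only needed because uvcg_video_disable() now completes buffers concurrently, say so in a comment. The "free abandoned request and return" sequence also now appears twice in this function; a small helper would keep the two copies from drifting apart.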
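
Review bot: the uvc_video_alloc_requests() hunk (-366,7) only deletes the blank line before "return 0;". That is an unrelated whitespace change in a use-after-free fix and makes the patch harder to backport; please drop it from this patch.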
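
Review bot: in the new uvcg_video_disable() (hunk at -490,13), usb_ep_dequeue() is called inside the list_for_each_entry_safe() loop while video->req_lock is held with interrupts disabled. A controller driver that gives the request back from within dequeue would call uvc_video_complete() on the same CPU, and that handler's first action is spin_lock_irqsave(&video->req_lock, ...), so this can self-deadlock. Suggest marking the requests abandoned and collecting them under the lock, then calling usb_ep_dequeue() after spin_unlock_irqrestore(). Separately, "video->queue.flags |= UVC_QUEUE_DROP_INCOMPLETE;" is set on every iteration of the buffer loop; setting it once before the loop is enough.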