From patchwork Tue Oct 3 23:18:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 148091 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2a8e:b0:403:3b70:6f57 with SMTP id in14csp2409812vqb; Tue, 3 Oct 2023 16:19:25 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGa1avKlmK+TK2vpDz8Tgtyv8igBO9YEye0+sfJvyeOJPMw2gHkIXgkJgeteohspm//CdFD X-Received: by 2002:a17:902:e743:b0:1c7:7c2c:f845 with SMTP id p3-20020a170902e74300b001c77c2cf845mr1068144plf.20.1696375164998; Tue, 03 Oct 2023 16:19:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696375164; cv=none; d=google.com; s=arc-20160816; b=RLgZjn4mRK+2pr10aMjK7r1mii/0Gqffj1OEIWe4k9QMWhyOr1i5R+LodLaXCNPE7x N7BWf8pNUFqFrDkGdhcrRgtrcLgPLraH4AFS9YSCWObTko2+EC6PFhgJlQZJ2BEa3qIu PhPRuhslbWBBxOECCxPZf+nDp7LYLlXzrMlw2BwdbVXIGgNQ8eRukXVtqmsJ8k5gNzmQ wmlqQ1F5J7Yft9hlcw9VukPSaK68KCtTNrLTHq7vD3nQ7Fg2Bt9cv2iiTmeTLVnikt6/ WxQ6c+KlxWaEIQnEBIZZ8pKTgyqUVJAbamTyqAyK9A2ySX8oAJAqKS2NYyzs8HpJyoBm 0C4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=ArVoPjwYMHkkpCMoH+/iCkmQnlykQeUcYYwAmxq8LD0=; fh=5BWdLJySjPgItftvsL/P8EYBgXMiWouP0WnIFEJMtFE=; b=etu/zpOcUZ2gNE3ZndnuesPEqTTXGoaOhh1428vQpel9hBYmjPDZNwCJ2FRlE237P5 z1MnHyaz5Q6VcS78SCXUTeZY3rJqHIB9id6CbGG7OM1NT864rpAm9n+JtS9FpV7xPQza J+AJWOIfD7W8uIaHlVa6UQ+WSbNuprs89jpdjGvuH99L/8UIDsun042B7Kkjuc5URnnV uqnLoi7zJGUBdObOjvukBfoBd2ARAQ4aM08foXgPLhpj5AMbgbD4L0+bZyqWP8W0L5Fg lWgO3NCgscRWL212wQ+2xPQks8j2VESzCFneiIMlv1iyCOGWq5SGKt/9sRBT+L/DzGCu Jhew== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=WydiE7B3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id x11-20020a170902ec8b00b001c566ea86eesi2652779plg.177.2023.10.03.16.19.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Oct 2023 16:19:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=WydiE7B3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 3B03C8310D20; Tue, 3 Oct 2023 16:19:24 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234735AbjJCXTR (ORCPT + 17 others); Tue, 3 Oct 2023 19:19:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41692 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235727AbjJCXTQ (ORCPT ); Tue, 3 Oct 2023 19:19:16 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0C498E9 for ; Tue, 3 Oct 2023 16:19:02 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-d817775453dso1769846276.2 for ; Tue, 03 Oct 2023 16:19:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1696375141; x=1696979941; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=ArVoPjwYMHkkpCMoH+/iCkmQnlykQeUcYYwAmxq8LD0=; b=WydiE7B3N+hxLrGCWv4r4W2+Hd07tS0rkcgTxOlIh7Keo6dQK21MkUankHbAc5gPHM yTxnTiLLsGXswPhpSHpS4YGFvuedVq451ocS1KZjVmrC7j5gvw/425UlojvMTGzg0/xs Et8+UBWiGq+zV+6OH4AWSd+E8Y7xruiXGkS3mF5N7ZY3cNFxBdoPqMZB1ccMvQoEeRfe LCykC8MARovqNllAv5cOU1+7CxbaH8w1h1uUV/K2NWXrKJVQ2JSPRnWWYhx1rRa1dQm8 jlyR3VFClwnKlS+OUqXzxL/RkXpdMiYDulE86FaODXDFtPpYxjbCyI+nqJyfbZV9uOh9 ln7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696375141; x=1696979941; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ArVoPjwYMHkkpCMoH+/iCkmQnlykQeUcYYwAmxq8LD0=; b=v7+j8K0zcyhycALkhwOj5pV01/SdsNOFraOE1gt1r3ivxMSVkw6cCJbVkX5vR/OJT4 Wt2G0iQFCljdh2C0H558cT3Uabd4ifZpT7qQp451VC2sL3ZWMrKGdoaXMUkae6Ty/awZ fbdjxh0jgc1Lqd1TU/ATq55hJ7QaBe53MHeu70SWPkk98RcS/F0rGIg6ZSOJXuEtlgcE aqWNkVbP6SbLSxAW+RgoxsmoN+o6SxWDj6dzpHet5MaC5BpM4dkCiOtyDJtJ2eFZQJfv 8ZxxB+tD7Ps88AchRwNSOoSJ/ZXbZu/z+pNucjxHCYtSTx5lViLWKvtPh1swc+I0ZG/l OdtQ== X-Gm-Message-State: AOJu0YwuDB4QRA0ALu1sRiuYcWCUk//X2yxQCdj0W0u2w9UxYdnahBgf UC8FyQd9xexzSApTvzuY/tYkzqsWLfAs X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a25:f816:0:b0:d84:e73f:6f8c with SMTP id u22-20020a25f816000000b00d84e73f6f8cmr9891ybd.6.1696375141136; Tue, 03 Oct 2023 16:19:01 -0700 (PDT) Date: Tue, 3 Oct 2023 16:18:56 -0700 In-Reply-To: <20230930184821.310143-2-arakesh@google.com> Mime-Version: 1.0 References: <20230930184821.310143-2-arakesh@google.com> X-Mailer: git-send-email 2.42.0.582.g8ccd20d70d-goog Message-ID: <20231003231856.2591708-1-arakesh@google.com> Subject: [PATCH v2 1/3] usb: gadget: uvc: prevent use of disabled endpoint From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, mgr@pengutronix.de Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Tue, 03 Oct 2023 16:19:24 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778501398075540037 X-GMAIL-MSGID: 1778778285126672705 Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint. This change moves disabling usb endpoint to the end of streamoff event callback. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only. Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/ Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/ Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT and reworded commit message. drivers/usb/gadget/function/f_uvc.c | 11 +++++------ drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 2 +- drivers/usb/gadget/function/uvc_v4l2.c | 21 ++++++++++++++++++--- 4 files changed, 25 insertions(+), 11 deletions(-) -- 2.42.0.582.g8ccd20d70d-goog diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index faa398109431..75c9f9a3f884 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) { + usb_ep_disable(uvc->video.ep); + } usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..e7f9f13f14dc 100644 --- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h @@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..3d3469883ed0 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,19 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) { + return ret; + } + + uvc_function_setup_continue(uvc, 1); + return 0; } static int @@ -500,6 +508,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + if (uvc->state == UVC_STATE_STREAMING) { + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + uvc->state = UVC_STATE_CONNECTED; + } uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; @@ -647,4 +663,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - From patchwork Tue Oct 3 23:19:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 148093 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2a8e:b0:403:3b70:6f57 with SMTP id in14csp2410176vqb; Tue, 3 Oct 2023 16:20:13 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEp5tJ0RmVc2bz7AuF4VHrh5JNbHuO8rYFhsHB9MLlcBuyeiOcfc5HclfLEbj+WJoXXWVDx X-Received: by 2002:a05:6870:8294:b0:1ba:9a49:d967 with SMTP id q20-20020a056870829400b001ba9a49d967mr1021120oae.23.1696375213115; Tue, 03 Oct 2023 16:20:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696375213; cv=none; d=google.com; s=arc-20160816; b=JVw87unrv1omJrMzm7l46A1KSDFDgYg06yGoceMAEaII9JYrjDAm4nQRoNU9wzskYo Ji20/hkv+M/n+jjImBe6gvWOZqN93eEj5t6sCsbbWy469L5FqDkD2m2LK5CxJLCsxAcC rXo1daoAQdMnjCKhxuL0Wj8d/klmVT6ArZWdb3o9385GklBqg7zeV9PUbrcX0lRvNoXf o03szAlJlBxYUC5IEs3FuwgVLwZY8FP7ath+DcsuXhxfiJ5eZ6adI9I3X02eIw5joD6a Mg7dI77wcqPdSHdYDOkmsFI8uqhYGXD6uAN6yk25DfTDQgxV8mhXK+9GhjwL7UEidcu7 w0cw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=a9F/CsgN+I3aKYDGh78e89+RvKvnGhCoOINQE/TaiJM=; fh=ngrjX1VLmu2Qwog7wb57/8Vw8bQnXqExREwHC+LncGU=; b=tioZGqO4XEcW8obhUGCk5GM8V3SR2IdfWTU8MYCs0bGii5PNLwKCTkaNqT1fFraXsd seS6/V96btfsjaSRA88cW4BvfagMvzKrZs/59lac7HFrNTBAUjvPkPvVTOcJsJoksLqo p1/rn+HrpWtx95W7IYAI5QLN049UYrJJVSnaec95wpWQfsCUHPcrK8ZNCnQ8Umm2gBM2 2Wh5qqkLwWfMD6ktcPvR/7bVkhIWS+A2IPdwV+BVuWcuM1HUg8ETy2sKLvfRj1EawKAd Wzk/1YvBtL7fuI1Hl8+FgUPPoGFx+T/RA6keBTG0W2zrlQxsc1FReiW2obgyFs3+5qDs NcXQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=2Al8PCCA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id u22-20020a056a00125600b006933b29f560si2566885pfi.46.2023.10.03.16.20.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Oct 2023 16:20:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=2Al8PCCA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 3A24281B93FF; Tue, 3 Oct 2023 16:20:12 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234798AbjJCXUK (ORCPT + 17 others); Tue, 3 Oct 2023 19:20:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229805AbjJCXUG (ORCPT ); Tue, 3 Oct 2023 19:20:06 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 243CEAB for ; Tue, 3 Oct 2023 16:20:02 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-d848694462aso1848093276.3 for ; Tue, 03 Oct 2023 16:20:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1696375201; x=1696980001; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=a9F/CsgN+I3aKYDGh78e89+RvKvnGhCoOINQE/TaiJM=; b=2Al8PCCAeqOt2ZY/IpRVRAfx99jz0+W4MKczNHNcarodPdjda2d5FNBCLASTb5fPRc UlugbHFdKap274tFo9MhrAyh2z+W6fxdOcLJH+TEH+KRshPUAi2a3Q8SInnfo59pUR44 DREPnG6h8mHW4Y/XTvdWZYu7grX1JWCGOA7QyLdRex+yRf+EP4bx6Zrk6Qq/7eOG04QL QSMy0aPK7CtKdh7G68tF3ckp/y8IFc44ZdteWuVOb8LgNZKGnVh+U30jlNBMS+xuBmpm H/0EToLTneRxmHzxFweqBvtjfVQqM6w7vONiEG1Il7XhaWBpCTYxWUEO6GidDMPOMY2F EVqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696375201; x=1696980001; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=a9F/CsgN+I3aKYDGh78e89+RvKvnGhCoOINQE/TaiJM=; b=ESTp0dsNBjf6aJ/hp/UXFkPceKKd2rY5jBfIZENSlWWMcdJB0JD+L7Dt0LF7K/jiDz hZC5yQR3vA33MTLJAsq4o72Isfmjgo+qNBvrVTKKUVgCLmmlULKu9gZSvVTeF0bDwiEe zniaX71EK28UDnHTApuEWODaaznLMBMVJjeMFWffIcYQncQwttNZbV/dgBCbND0wlzyC eYHOdJdLcASYmXnyHEmgv9171wj1fWi6HaPLR3J9Fql2fxemDkglX5jXtQq5sBgSqtbP zHhoh/cuP/CuQvMuxj0yZo7hpSalfysIIEJ0EW5d1j4cN3xSz7YyOX2vzI6EOyJpTvWm fJPg== X-Gm-Message-State: AOJu0YwvmmVYfHHzA4x68Qv+WuLlvFv1cYejrI8WzOGfq8dGHBpxRzis rBsQKCxydwhoq+RAD7FWr7fj5dEISQ+U X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a25:bcd:0:b0:d7f:2cb6:7d8c with SMTP id 196-20020a250bcd000000b00d7f2cb67d8cmr10653ybl.13.1696375201361; Tue, 03 Oct 2023 16:20:01 -0700 (PDT) Date: Tue, 3 Oct 2023 16:19:58 -0700 In-Reply-To: <20230930184821.310143-3-arakesh@google.com> Mime-Version: 1.0 References: <20230930184821.310143-3-arakesh@google.com> X-Mailer: git-send-email 2.42.0.582.g8ccd20d70d-goog Message-ID: <20231003231958.2592275-1-arakesh@google.com> Subject: [PATCH v2 2/3] usb: gadget: uvc: Allocate uvc_requests one at a time From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de, mgr@pengutronix.de Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Tue, 03 Oct 2023 16:20:12 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778501399086666798 X-GMAIL-MSGID: 1778778335649551697 Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allows for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Suggested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 90 ++++++++++++++----------- 2 files changed, 51 insertions(+), 42 deletions(-) -- 2.42.0.582.g8ccd20d70d-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 97d875c27dcf..3c4d286d81c0 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,23 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; @@ -299,27 +316,13 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); - - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } + struct uvc_request *ureq, *temp; - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) { + uvc_video_free_request(ureq, video->ep); } + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -328,6 +331,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; @@ -338,29 +342,31 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; - - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + INIT_LIST_HEAD(&video->ureqs); + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) goto error; + INIT_LIST_HEAD(&ureq->list); + list_add_tail(&ureq->list, &video->ureqs); + } - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + list_for_each_entry(ureq, &video->ureqs, list) { + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; - - list_add_tail(&video->ureq[i].req->list, &video->req_free); + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) + goto error; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } @@ -504,7 +510,7 @@ static void uvcg_video_pump(struct work_struct *work) int uvcg_video_enable(struct uvc_video *video, int enable) { struct uvc_device *uvc = video->uvc; - unsigned int i; + struct uvc_request *ureq; int ret; if (video->ep == NULL) { @@ -519,9 +525,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); @@ -555,6 +562,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump); From patchwork Tue Oct 3 23:21:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 148095 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2a8e:b0:403:3b70:6f57 with SMTP id in14csp2410764vqb; Tue, 3 Oct 2023 16:21:53 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGewYSgOobNa15Ss+eluucLQaZ5cqXaz18W+12OEuJW3LzTkQeJ7CsAmjysfPw6IcIwO7yJ X-Received: by 2002:a17:903:11d2:b0:1c7:2697:ec0a with SMTP id q18-20020a17090311d200b001c72697ec0amr1026967plh.30.1696375313254; Tue, 03 Oct 2023 16:21:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696375313; cv=none; d=google.com; s=arc-20160816; b=hHQgYZg/YGKYv+30FvzISJy4+bxvCZA0QPznRe9JG3b9/HFIX7gMZ6da4qJAW4Ssov IEjc/R8J2JJ/7vdrnyCOixUxLd9yHBkcClxt9gOuybeTmQcLqSGZEuRpfXXykezZFNC9 zgYQ5MPF9/RsPKWQrxhnRErNSBXpPCZR74s6U/LTdBAx3KQJ6hjVcnHn0LyZ7p3dcMHj RWJTVIAdgzR9ZOaBhWBft1E7g453HQEaSTRaDOIWs2njwJjN/a/3MiqMyK7ht3pfjbbz Gt+MYGtOYPDxB0zbTsEurb/240edx8xhZEyfRKK0o8hR7PI3LoD0abzZTqCIIo4anRsW cEnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=xX0umRmiZ0cLGmGD38f/MibuOBTvqO+eaoVVtdmVDCY=; fh=ngrjX1VLmu2Qwog7wb57/8Vw8bQnXqExREwHC+LncGU=; b=P7hIpdHgcvJb/t8FpGXVh6YIOAF781yAko0p1bUA00VkRFSDUhYfca04FGNaMgjXm9 KK10BSFHfj6bZ1KAuQzSWU0tKI/iTUpzFxhKoOdwltqO3WBtNmiNblZh4NTZccb+anpN 4h3rM3+6YhAy9j6JIm0ZKBbHXXZtEeHOG04bxyX/x/SO0wg8ohHUgb7tVeunn9Vjs7VE 04dFJz6NMe5XRyGYQ1EpNwhQlGJdrGogkO9CP20jaM0u9RmBry2HmGyBctA+1ANprO0b allRV/q/0dLrAafPsX0buGdYoR/+k3rlax8cxFd6RH4mUzgNkGRzuoiUUULyjFRtbHrP xeBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b="nd4Vi0j/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id e15-20020a17090301cf00b001c5bd811c46si2483445plh.581.2023.10.03.16.21.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Oct 2023 16:21:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b="nd4Vi0j/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id C334881BB0B9; Tue, 3 Oct 2023 16:21:50 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235659AbjJCXV3 (ORCPT + 17 others); Tue, 3 Oct 2023 19:21:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55130 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236029AbjJCXV1 (ORCPT ); Tue, 3 Oct 2023 19:21:27 -0400 Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com [IPv6:2607:f8b0:4864:20::114a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8C8BA6 for ; Tue, 3 Oct 2023 16:21:23 -0700 (PDT) Received: by mail-yw1-x114a.google.com with SMTP id 00721157ae682-5a2318df875so21389207b3.2 for ; Tue, 03 Oct 2023 16:21:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1696375283; x=1696980083; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=xX0umRmiZ0cLGmGD38f/MibuOBTvqO+eaoVVtdmVDCY=; b=nd4Vi0j/kzWHsBJ17zftBwdc6C/M7Msob9+RgKP5gBZxYSHK3vfmFbpJ0RncMTgpu/ R6RGKa8jBe96fK3O+YKKvkxGJipEsMkwQrQLTV9xPytZcHP6R91aON1heMWcSG+boVmF CUkQpvyVhDReZWgzmuOo2/v+kvleNInOiWsIq+LL3Ss/9D+tQK/prAMsH5ur6kyAHOPy H12705hfVo5Z7kchSOvXhxHCOALaS/hH6xNlYF6rKHuQOTBnYrnEIosYkAJMqX61MbTP W5w52YKfbRhj6+c9qlzr8fteVsxli236ZXDKHtkrehs3YogjxT4OzIacA+t6Fr4VyXZV 8MJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696375283; x=1696980083; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=xX0umRmiZ0cLGmGD38f/MibuOBTvqO+eaoVVtdmVDCY=; b=Ix4TuQxLzeV1Qcek9cfyQ8yebvI2u4qIa+WuTRvJyeyWIZ1FPCdq735PvA1Os2x9KJ haqfqWuGQdTUVfyvNPE6N4aRgYWgQDLyFYPZH/8XQDBWSTT6bqQ2llTxS63U6h29Jo9r K0Fm3Ujp8xa2f7xUrWy8iKba7P1Eu4/YCtNYBeMun5pkqekvAvGumbjXVoRIhpvxvWtI 7o7gcJzeY9RDDMWTuhVQzkEkmO9sBGLLO1ycUeFXPhYf93KdR0aCvL5n7mejlFhlXP6U zkYDv+6RquWeENv2joJla10r410ZN07TBMcnvj3tiHc3aBpjv0NwIP+DkaHSzgRmL4n7 QQBA== X-Gm-Message-State: AOJu0YwZvyK4Gn+K8Pp5WJl6YJ0tK/kgzjlR8jBtWqCrgBpwUziigrD2 LjEhoQ3O+MN9lnqd7znKCsbPmy3UyFRQ X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a81:b3c3:0:b0:59b:eb63:4beb with SMTP id r186-20020a81b3c3000000b0059beb634bebmr18764ywh.7.1696375283016; Tue, 03 Oct 2023 16:21:23 -0700 (PDT) Date: Tue, 3 Oct 2023 16:21:20 -0700 In-Reply-To: <20230930184821.310143-4-arakesh@google.com> Mime-Version: 1.0 References: <20230930184821.310143-4-arakesh@google.com> X-Mailer: git-send-email 2.42.0.582.g8ccd20d70d-goog Message-ID: <20231003232120.2594176-1-arakesh@google.com> Subject: [PATCH v2 3/3] usb: gadget: uvc: Fix use-after-free for inflight usb_requests From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de, mgr@pengutronix.de Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Tue, 03 Oct 2023 16:21:50 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778517869169821913 X-GMAIL-MSGID: 1778778440255522630 Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_request to mark it as 'abandoned'. When disabling the video stream, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by the gadget driver (as present in req_free). Other usb_requests have their corresponding 'is_abandoned' flag tripped, and the usb_requests complete handler takes care of freeing the usb_request and its corresponding uvc_request. This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Suggested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT, and fixed deadlock reported in https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/ drivers/usb/gadget/function/uvc.h | 1 + drivers/usb/gadget/function/uvc_video.c | 118 ++++++++++++++++++++---- 2 files changed, 102 insertions(+), 17 deletions(-) -- 2.42.0.582.g8ccd20d70d-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..e69cfb7cced1 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -82,6 +82,7 @@ struct uvc_request { u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; struct list_head list; + bool is_abandoned; }; struct uvc_video { diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 3c4d286d81c0..69521886d599 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -271,7 +271,21 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf; unsigned long flags; + bool is_abandoned; + + spin_lock_irqsave(&video->req_lock, flags); + is_abandoned = ureq->is_abandoned; + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + + if (is_abandoned) { + uvcg_dbg(&video->uvc->func, "Freeing abandoned usb_request\n"); + uvc_video_free_request(ureq, ep); + return; + } if (uvc->state == UVC_STATE_CONNECTED) { usb_ep_free_request(video->ep, ureq->req); @@ -300,15 +314,29 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&video->queue.irqlock, flags); + uvcg_complete_buffer(&video->queue, last_buf); + spin_unlock_irqrestore(&video->queue.irqlock, flags); } + /* + * request might have been abandoned while being processed. + * do a last minute check before queueing the request back. + */ spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + is_abandoned = ureq->is_abandoned; + if (!is_abandoned) + list_add_tail(&req->list, &video->req_free); spin_unlock_irqrestore(&video->req_lock, flags); + if (is_abandoned) { + uvcg_dbg(&video->uvc->func, + "usb_request abandoned mid-processing - freeing.\n"); + uvc_video_free_request(ureq, ep); + return; + } + if (uvc->state == UVC_STATE_STREAMING) queue_work(video->async_wq, &video->pump); } @@ -372,7 +400,6 @@ uvc_video_alloc_requests(struct uvc_video *video) } video->req_size = req_size; - return 0; error: @@ -504,13 +531,80 @@ static void uvcg_video_pump(struct work_struct *work) return; } +/* + * Disable video stream. This ensures that any inflight usb requests are marked + * for clean up and all video buffers are dropped before returning. + */ +static void uvcg_video_disable(struct uvc_video *video) +{ + struct uvc_buffer *buf, *tmp_buf; + struct uvc_request *ureq, *temp; + struct list_head buf_list; /* track in-flight video buffers */ + struct usb_request *req; + unsigned long flags; + + INIT_LIST_HEAD(&buf_list); + + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); + + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } + + /** + * acquiring req_lock here should prevent any more complete + * callbacks from processing until we've abandoned the + * requests that are still in-flight and let the complete + * callback handle cleanup + */ + spin_lock_irqsave(&video->req_lock, flags); + /* abandon all usb requests */ + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) { + ureq->is_abandoned = true; + if (ureq->last_buf) { + list_add(&ureq->last_buf->queue, &buf_list); + ureq->last_buf = NULL; + } + list_del_init(&ureq->list); + } + /* + * re-add uvc_requests currently owned by the gadget to + * video->ureqs to be deallocated. This effectively leaves + * video->ureqs with the requests that we currently own. + */ + list_for_each_entry(req, &video->req_free, list) { + ureq = req->context; + list_add_tail(&ureq->list, &video->ureqs); + } + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * drop abandoned uvc_buffers, as the completion handler + * no longer will + */ + if (!list_empty(&buf_list)) { + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, tmp_buf, + &buf_list, queue) { + video->queue.flags |= UVC_QUEUE_DROP_INCOMPLETE; + uvcg_complete_buffer(&video->queue, buf); + list_del(&buf->queue); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + } + + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); +} + /* * Enable or disable the video stream. */ int uvcg_video_enable(struct uvc_video *video, int enable) { struct uvc_device *uvc = video->uvc; - struct uvc_request *ureq; int ret; if (video->ep == NULL) { @@ -521,17 +615,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) if (!enable) { uvc->state = UVC_STATE_CONNECTED; - - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); - - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } - - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); + uvcg_video_disable(video); return 0; }