From patchwork Thu Oct  5 18:08:12 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Avichal Rakesh <arakesh@google.com>
X-Patchwork-Id: 148971
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2016:b0:403:3b70:6f57 with SMTP id
 fe22csp478283vqb;
        Thu, 5 Oct 2023 11:09:39 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IG447+pPHqPEMSwSRJoo/8OFZDI0NnHFY4NHSCP9+tAPETtNGwS9gvrRBsR6hFXiQAYbNEl
X-Received: by 2002:a05:6358:292a:b0:134:d45b:7dd1 with SMTP id
 y42-20020a056358292a00b00134d45b7dd1mr6252066rwb.21.1696529378872;
        Thu, 05 Oct 2023 11:09:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696529378; cv=none;
        d=google.com; s=arc-20160816;
        b=KDQZIGye4dpR+ARQrcTP6VgoVfkN5w6flbdamR6zjmiM2+q6QkcTKjiboN1TFkFsxJ
         4k3Zv3UbARCr+Nxkxmo4gbxfhHEohv15axBGCLW3ueYAnuJc8o6hjSdR/ssErJwsTfUl
         +vABRNRAzCwmHlENTM/pdoYUjDkpZPAYlVV24ddgciPe1SYhkFt63vAiObFGAf5KAnX2
         aadL81OGeNVhwWuBApcDFazdeqtalTNfAXThIIGND6g7SlN/aP8nEYKZdnuk6Nmn+QEk
         za4DFOHMkrSJ76Lbxvn2E7Xi3itrMqC1qkoWO9xOWoVbFaGOZYvgljWGrkRwAr8u26gP
         Ie6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:dkim-signature;
        bh=cGPEr42+ZwCTP+CEzEnFhGGfenBhCq6NKh2BAUdeTck=;
        fh=E5X6/3uWCMdGSKLB7vuNn1z8ZeRDzUIfiV2I8BhU+4Q=;
        b=Fkemnb0VYhszMWaOgmVs+j+zoXkHdZIBHRiupzVAkJSDLE5vSm+7mrum7P6Y3EXfoN
         2zx4H00J+ZSnZFbbSnuI4D8ft1gEAd+wOwXRmK8ZCxRVeVJf8inTY7Hyus+k9iyWR6zC
         gfDqTS9Rtf+hBNleyCTPrj+/XigetBS3+6fNLqDL3BFqTmZ1TXFxhyp1IHdZPEZXntrm
         B0njnwh90OK0RqGfKZkbTnhQAvPKAucszBInAYgxOCaiyli22GreEnNz7TQePRjWGyjY
         6T5epHHhAsOViCoU7/Ff368MJF7MRTcW5EfYG4h4gIHmaT4vswIcnxMlLp+dp1+6Pq0H
         LtYw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=1UAjV89+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:3 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
        by mx.google.com with ESMTPS id
 a29-20020a637f1d000000b00565f0e91894si1911876pgd.394.2023.10.05.11.09.38
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Oct 2023 11:09:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:3 as permitted sender)
 client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=1UAjV89+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:3 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id 282AE8039FEA;
	Thu,  5 Oct 2023 11:09:36 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231526AbjJESJH (ORCPT <rfc822;ezelljr.billy@gmail.com>
        + 18 others); Thu, 5 Oct 2023 14:09:07 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51422 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230203AbjJESI1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 5 Oct 2023 14:08:27 -0400
Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com
 [IPv6:2607:f8b0:4864:20::1149])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 04465112
        for <linux-kernel@vger.kernel.org>;
 Thu,  5 Oct 2023 11:08:19 -0700 (PDT)
Received: by mail-yw1-x1149.google.com with SMTP id
 00721157ae682-59f53027158so17128027b3.0
        for <linux-kernel@vger.kernel.org>;
 Thu, 05 Oct 2023 11:08:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1696529298; x=1697134098;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=cGPEr42+ZwCTP+CEzEnFhGGfenBhCq6NKh2BAUdeTck=;
        b=1UAjV89+aPiZ6PfduyoOx/FVGFc1vjlm+88m960GJqSnjXrtwwqMI/qL9rcKTal9Ub
         YIqcddmQ0iGpp62XKF8UMBXnaUPqhfb8S26Tl+GctNI2A6S/6pLse//oqYHj7ArjLtG7
         cSWvr1cPkExnnrBrBZ/H6a2hQm7RnRmg+2w6iSMNOCfkLl3uGuoWnakFuRmFfpCbRJsJ
         rGu5SJX9mBB4oU4EunUppIJO+Jb4Z80VaEZ+YX4b11S5Q9eqRMxFQ2u8T3SZKBacjDFT
         FE6huwNN5AFa7B4v8BhQBOwf9DT6jrhbu2NoyZCOcR1OK7Ce0cVArtbGlcX9GY8tVA0B
         rUDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696529298; x=1697134098;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=cGPEr42+ZwCTP+CEzEnFhGGfenBhCq6NKh2BAUdeTck=;
        b=TSzg2jQYbuRak7km3UDj39aLu8uPNz3ytSBOON+iHJbK0p55+GkbKWW9uqCQ749N3k
         J+E1myE1bgxr4l0vmjsv2VJG9lVR68BqJqefd1Ut5iPGa4HpgF0ucFnCSo/PMw9iIIda
         eh7lF2SgdnG1rRY9V6FRM6D8keahoEPbMH4Q6dUejPQX+EsYCc7ujqYVhoh2ArC68Vop
         12W5lot0nL6tG+sdw2qRvNCa3/3/CRB8OWnYSVz5h/R4Htk5cuNwPcN/MGHnLT1SMWfA
         dfKtYB4Fj4MZuZYqlbm0u4jfBE2EH/lct8SnTW9m5B9Sh5lJd0TF9UbEQdTQ3K7d8HPd
         8jHA==
X-Gm-Message-State: AOJu0YwjpM37cOCXUSbJy1mQfMVevAzNNDBwcSsQVsk0usLrtSLMV1kK
        amr5AFwjNT7Gumi/YUMIuGyB+8qyYM4y
X-Received: from hi-h2o-specialist.c.googlers.com
 ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef])
 (user=arakesh job=sendgmr) by 2002:a5b:5c9:0:b0:d8b:737f:8240 with SMTP id
 w9-20020a5b05c9000000b00d8b737f8240mr103527ybp.0.1696529298114; Thu, 05 Oct
 2023 11:08:18 -0700 (PDT)
Date: Thu,  5 Oct 2023 11:08:12 -0700
In-Reply-To: <20230930184821.310143-1-arakesh@google.com>
Mime-Version: 1.0
References: <20230930184821.310143-1-arakesh@google.com>
X-Mailer: git-send-email 2.42.0.609.gbb76f46606-goog
Message-ID: <20231005180814.3278050-1-arakesh@google.com>
Subject: [PATCH v3 1/3] usb: gadget: uvc: prevent use of disabled endpoint
From: Avichal Rakesh <arakesh@google.com>
To: arakesh@google.com, dan.scally@ideasonboard.com,
        gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com,
        m.grzeschik@pengutronix.de
Cc: etalvala@google.com, jchowdhary@google.com,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
 not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]);
 Thu, 05 Oct 2023 11:09:36 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778501398075540037
X-GMAIL-MSGID: 1778939990037199770

Currently the set_alt callback immediately disables the endpoint and queues
the v4l2 streamoff event. However, as the streamoff event is processed
asynchronously, it is possible that the video_pump thread attempts to queue
requests to an already disabled endpoint.

This change moves disabling usb endpoint to the end of streamoff event
callback. To be consistent with the actual streaming state, uvc->state
is now toggled between CONNECTED and STREAMING from the v4l2 event
callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Signed-off-by: Avichal Rakesh <arakesh@google.com>
Reviewed-by: <m.grzeschik@pengutronix.de>
---
v1 -> v2: Rebased to ToT and reworded commit message.
v2 -> v3: Fix email threading goof-up

 drivers/usb/gadget/function/f_uvc.c    | 11 +++++------
 drivers/usb/gadget/function/f_uvc.h    |  2 +-
 drivers/usb/gadget/function/uvc.h      |  2 +-
 drivers/usb/gadget/function/uvc_v4l2.c | 21 ++++++++++++++++++---
 4 files changed, 25 insertions(+), 11 deletions(-)

--
2.42.0.609.gbb76f46606-goog

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index faa398109431..75c9f9a3f884 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
 	return 0;
 }

-void uvc_function_setup_continue(struct uvc_device *uvc)
+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep)
 {
 	struct usb_composite_dev *cdev = uvc->func.config->cdev;

+	if (disable_ep && uvc->video.ep) {
+		usb_ep_disable(uvc->video.ep);
+	}
 	usb_composite_setup_continue(cdev);
 }

@@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt)
 		if (uvc->state != UVC_STATE_STREAMING)
 			return 0;

-		if (uvc->video.ep)
-			usb_ep_disable(uvc->video.ep);
-
 		memset(&v4l2_event, 0, sizeof(v4l2_event));
 		v4l2_event.type = UVC_EVENT_STREAMOFF;
 		v4l2_event_queue(&uvc->vdev, &v4l2_event);

-		uvc->state = UVC_STATE_CONNECTED;
-		return 0;
+		return USB_GADGET_DELAYED_STATUS;

 	case 1:
 		if (uvc->state != UVC_STATE_CONNECTED)
diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h
index 1db972d4beeb..e7f9f13f14dc 100644
--- a/drivers/usb/gadget/function/f_uvc.h
+++ b/drivers/usb/gadget/function/f_uvc.h
@@ -11,7 +11,7 @@

 struct uvc_device;

-void uvc_function_setup_continue(struct uvc_device *uvc);
+void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep);

 void uvc_function_connect(struct uvc_device *uvc);

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 6751de8b63ad..989bc6b4e93d 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -177,7 +177,7 @@ struct uvc_file_handle {
  * Functions
  */

-extern void uvc_function_setup_continue(struct uvc_device *uvc);
+extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);
 extern void uvc_function_connect(struct uvc_device *uvc);
 extern void uvc_function_disconnect(struct uvc_device *uvc);

diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 3f0a9795c0d4..3d3469883ed0 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 	 * Complete the alternate setting selection setup phase now that
 	 * userspace is ready to provide video frames.
 	 */
-	uvc_function_setup_continue(uvc);
+	uvc_function_setup_continue(uvc, 0);
 	uvc->state = UVC_STATE_STREAMING;

 	return 0;
@@ -463,11 +463,19 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 	struct video_device *vdev = video_devdata(file);
 	struct uvc_device *uvc = video_get_drvdata(vdev);
 	struct uvc_video *video = &uvc->video;
+	int ret = 0;

 	if (type != video->queue.queue.type)
 		return -EINVAL;

-	return uvcg_video_enable(video, 0);
+	uvc->state = UVC_STATE_CONNECTED;
+	ret = uvcg_video_enable(video, 0);
+	if (ret < 0) {
+		return ret;
+	}
+
+	uvc_function_setup_continue(uvc, 1);
+	return 0;
 }

 static int
@@ -500,6 +508,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
 static void uvc_v4l2_disable(struct uvc_device *uvc)
 {
 	uvc_function_disconnect(uvc);
+	if (uvc->state == UVC_STATE_STREAMING) {
+		/*
+		 * Drop uvc->state to CONNECTED if it was streaming before.
+		 * This ensures that the usb_requests are no longer queued
+		 * to the controller.
+		 */
+		uvc->state = UVC_STATE_CONNECTED;
+	}
 	uvcg_video_enable(&uvc->video, 0);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
@@ -647,4 +663,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = {
 	.get_unmapped_area = uvcg_v4l2_get_unmapped_area,
 #endif
 };
-

From patchwork Thu Oct  5 18:08:13 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Avichal Rakesh <arakesh@google.com>
X-Patchwork-Id: 148969
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2016:b0:403:3b70:6f57 with SMTP id
 fe22csp478016vqb;
        Thu, 5 Oct 2023 11:09:16 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IES1HZ2Rt9FB26l90K47C94jijUQssJExKwbtCQ0Mu1wQKSI+TRah8DaxdLhyYKUUo79S6T
X-Received: by 2002:a17:902:da8d:b0:1c0:d17a:bfe9 with SMTP id
 j13-20020a170902da8d00b001c0d17abfe9mr7184934plx.46.1696529356206;
        Thu, 05 Oct 2023 11:09:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696529356; cv=none;
        d=google.com; s=arc-20160816;
        b=Bkr54RPccg5BG8HTf9bx8U7xhCwU5ZfjOrcI9tuqp8X162qPeJmZxDyc2Y2Y2IEBuV
         NYASq0Cn0mHkKcDWoBxMUaeHLguxaoqoIAWxJLFtz/Ukba1bi4ku76EOAFMFZj6JcJ4l
         uy5bsVk4jootK/NdCZow5+bv8klSLC8OyEOFoYJckNAVUBGRv8joBnmkHU/VvU7ejUPx
         36bKUxg7Mwn/0CbjwFYLPymhGIrvo6MlifZe0eL6fv6eNRn8jFTSnD+Pk7Ov/g1CNUUD
         FKoIsx6ra5kwYf+38O5qr0K4XMramdNaRmpOWEE5vhLp9ra8bitpa1ay9cn1HmwODXDk
         EWHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:dkim-signature;
        bh=IkpdLXIt9+7FxRDrbqZkUhDTP8vYUcMsBTcxO7grRS4=;
        fh=q3sDYC4bBx/LQ35Tzyg5FsIVnW5P3mal7p7VS0xEYf0=;
        b=qZZFLd8aDmWOY6NXVltF4d8SVk/hQ0pzF2XKp5LjNJlezeV2K2SoW5qQ6t+ZIFWU+p
         qNOcY0jgbWGbC8JIRUjKnbfyvHt1/f6mvIDRzZpiWQCj8nyv36vAf/4Ck0QpS8YveeZk
         /goMNp7cxoKaKTRveyigp9ihIXNrSIHY/Th0eIJwlNTiaJ4UFSriKwncjKMdMsFFiHAx
         KFzJgy9f2p7lg5n+gWHsM3+6IlQjVmkkHurc0jPf7Y8bgtd4YiP7Xu1N7ungT8j+naab
         RkT4Rt6UI2XlfED0G6jsPpXVpgHocxK5ZzHppoh/p7w1Lhp0z5qlUbGNYHkJZf1I7M90
         FdDg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=ovGOLpxh;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:3 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
        by mx.google.com with ESMTPS id
 jz14-20020a170903430e00b001c62e2ce6a7si1784687plb.445.2023.10.05.11.09.15
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Oct 2023 11:09:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:3 as permitted sender)
 client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=ovGOLpxh;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::3:3 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id 3A2CA803BAB9;
	Thu,  5 Oct 2023 11:09:13 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231402AbjJESJD (ORCPT <rfc822;ezelljr.billy@gmail.com>
        + 18 others); Thu, 5 Oct 2023 14:09:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51452 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231284AbjJESIa (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 5 Oct 2023 14:08:30 -0400
Received: from mail-pg1-x549.google.com (mail-pg1-x549.google.com
 [IPv6:2607:f8b0:4864:20::549])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94510124
        for <linux-kernel@vger.kernel.org>;
 Thu,  5 Oct 2023 11:08:21 -0700 (PDT)
Received: by mail-pg1-x549.google.com with SMTP id
 41be03b00d2f7-56f75e70190so940023a12.3
        for <linux-kernel@vger.kernel.org>;
 Thu, 05 Oct 2023 11:08:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1696529301; x=1697134101;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=IkpdLXIt9+7FxRDrbqZkUhDTP8vYUcMsBTcxO7grRS4=;
        b=ovGOLpxhv3kCLd0KOhKHtNXY/UcTgYeJIW5drJhk4Gieo4TeUirKDioDoUM4iIYHAo
         UqDB61bKMFL7vXMsX2QN2od4kFicnrNGyEQ4kgkmckYE2JqIcrI2aK5v0wj6RQwbL4Xr
         /a/Ary9xWJSbUpn9dpv9iqvqQM2Sl+Xpu095XOIO9plnihPl8ZFhKnzxQRuH7tquPUxZ
         YqxjXlQMQydgQO3oznOjFKLIZ1z4tw6dBMq2csmCGaFuaofnwoe7zQdQfvzXiOL5KHay
         sX0VtFSXkaiVmL3GAUuzw/0JJJNfoU49RZ26MPbWsTBRCtcxCvQi6zAxj4ifOr84J+Gy
         yKkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696529301; x=1697134101;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=IkpdLXIt9+7FxRDrbqZkUhDTP8vYUcMsBTcxO7grRS4=;
        b=Ar0lb0Fk5Sa1o4D9+CVAUv7pF5qkXIm7RqdSNPXvCU/inFh3uu8qg4NwbzoFImM9yL
         sjfDQjGKhjFANcPy6kYkEPk3WOYfI3bt+1CwiNWVpy3u5c8oN9MRzE+18i6Xi1oUoRN8
         rjnaxf73jA6kYR3g9aONSH82HZ6Igiqb5HWHzNrItwn7EXgQmZw3hMHwJ4PrTwgxctGA
         CZbT9Xn7DXTbIk9GsGJ4M9oDerDcHCUKCJ6m+wMA83pXEblxX/7Dovc6ni2ooJ121BO8
         i63+NXn4GGmv4W9rA7RGtZCwyxZ6uvkRmRMPlPhNwFZDN9/2rU4L7Gf4OrS+xzXn9iza
         e3pw==
X-Gm-Message-State: AOJu0YxAD/5CbfRaUNbt8TvDvw/ETW1qTR4eJKaisxUoDlXISzs3cmNF
        je+xX388rnQGwElmBoSkVFEzy04qfUdS
X-Received: from hi-h2o-specialist.c.googlers.com
 ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef])
 (user=arakesh job=sendgmr) by 2002:a63:3ecd:0:b0:585:554c:27b1 with SMTP id
 l196-20020a633ecd000000b00585554c27b1mr80021pga.7.1696529301045; Thu, 05 Oct
 2023 11:08:21 -0700 (PDT)
Date: Thu,  5 Oct 2023 11:08:13 -0700
In-Reply-To: <20231005180814.3278050-1-arakesh@google.com>
Mime-Version: 1.0
References: <20230930184821.310143-1-arakesh@google.com>
 <20231005180814.3278050-1-arakesh@google.com>
X-Mailer: git-send-email 2.42.0.609.gbb76f46606-goog
Message-ID: <20231005180814.3278050-2-arakesh@google.com>
Subject: [PATCH v3 2/3] usb: gadget: uvc: Allocate uvc_requests one at a time
From: Avichal Rakesh <arakesh@google.com>
To: arakesh@google.com, dan.scally@ideasonboard.com,
        gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com,
        m.grzeschik@pengutronix.de
Cc: etalvala@google.com, jchowdhary@google.com,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        Michael Grzeschik <mgr@pengutronix.de>
X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
 not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]);
 Thu, 05 Oct 2023 11:09:13 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778501399086666798
X-GMAIL-MSGID: 1778939965889365974

Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue.
Instead of bulk allocating all uvc_requests as an array, this patch
allocates uvc_requests one at a time, which should allows for similar
granularity when deallocating the uvc_requests. This patch has no
functional changes other than allocating each uvc_request separately,
and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik <mgr@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1 -> v2: Rebased to ToT
V2 -> V3: Fix email threading goof-up

 drivers/usb/gadget/function/uvc.h       |  3 +-
 drivers/usb/gadget/function/uvc_video.c | 90 ++++++++++++++-----------
 2 files changed, 51 insertions(+), 42 deletions(-)

--
2.42.0.609.gbb76f46606-goog

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 989bc6b4e93d..993694da0bbc 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -81,6 +81,7 @@ struct uvc_request {
 	struct sg_table sgt;
 	u8 header[UVCG_REQUEST_HEADER_LEN];
 	struct uvc_buffer *last_buf;
+	struct list_head list;
 };

 struct uvc_video {
@@ -102,7 +103,7 @@ struct uvc_video {

 	/* Requests */
 	unsigned int req_size;
-	struct uvc_request *ureq;
+	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
 	struct list_head req_free;
 	spinlock_t req_lock;

diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 97d875c27dcf..3c4d286d81c0 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -227,6 +227,23 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
  * Request handling
  */

+static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
+{
+	sg_free_table(&ureq->sgt);
+	if (ureq->req && ep) {
+		usb_ep_free_request(ep, ureq->req);
+		ureq->req = NULL;
+	}
+
+	kfree(ureq->req_buffer);
+	ureq->req_buffer = NULL;
+
+	if (!list_empty(&ureq->list))
+		list_del_init(&ureq->list);
+
+	kfree(ureq);
+}
+
 static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req)
 {
 	int ret;
@@ -299,27 +316,13 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 static int
 uvc_video_free_requests(struct uvc_video *video)
 {
-	unsigned int i;
-
-	if (video->ureq) {
-		for (i = 0; i < video->uvc_num_requests; ++i) {
-			sg_free_table(&video->ureq[i].sgt);
-
-			if (video->ureq[i].req) {
-				usb_ep_free_request(video->ep, video->ureq[i].req);
-				video->ureq[i].req = NULL;
-			}
+	struct uvc_request *ureq, *temp;

-			if (video->ureq[i].req_buffer) {
-				kfree(video->ureq[i].req_buffer);
-				video->ureq[i].req_buffer = NULL;
-			}
-		}
-
-		kfree(video->ureq);
-		video->ureq = NULL;
+	list_for_each_entry_safe(ureq, temp, &video->ureqs, list) {
+		uvc_video_free_request(ureq, video->ep);
 	}

+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	video->req_size = 0;
 	return 0;
@@ -328,6 +331,7 @@ uvc_video_free_requests(struct uvc_video *video)
 static int
 uvc_video_alloc_requests(struct uvc_video *video)
 {
+	struct uvc_request *ureq;
 	unsigned int req_size;
 	unsigned int i;
 	int ret = -ENOMEM;
@@ -338,29 +342,31 @@ uvc_video_alloc_requests(struct uvc_video *video)
 		 * max_t(unsigned int, video->ep->maxburst, 1)
 		 * (video->ep->mult);

-	video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL);
-	if (video->ureq == NULL)
-		return -ENOMEM;
-
-	for (i = 0; i < video->uvc_num_requests; ++i) {
-		video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL);
-		if (video->ureq[i].req_buffer == NULL)
+	INIT_LIST_HEAD(&video->ureqs);
+	for (i = 0; i < video->uvc_num_requests; i++) {
+		ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL);
+		if (ureq == NULL)
 			goto error;
+		INIT_LIST_HEAD(&ureq->list);
+		list_add_tail(&ureq->list, &video->ureqs);
+	}

-		video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
-		if (video->ureq[i].req == NULL)
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		ureq->req_buffer = kmalloc(req_size, GFP_KERNEL);
+		if (ureq->req_buffer == NULL)
 			goto error;
-
-		video->ureq[i].req->buf = video->ureq[i].req_buffer;
-		video->ureq[i].req->length = 0;
-		video->ureq[i].req->complete = uvc_video_complete;
-		video->ureq[i].req->context = &video->ureq[i];
-		video->ureq[i].video = video;
-		video->ureq[i].last_buf = NULL;
-
-		list_add_tail(&video->ureq[i].req->list, &video->req_free);
+		ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
+		if (ureq->req == NULL)
+			goto error;
+		ureq->req->buf = ureq->req_buffer;
+		ureq->req->length = 0;
+		ureq->req->complete = uvc_video_complete;
+		ureq->req->context = ureq;
+		ureq->video = video;
+		ureq->last_buf = NULL;
+		list_add_tail(&ureq->req->list, &video->req_free);
 		/* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */
-		sg_alloc_table(&video->ureq[i].sgt,
+		sg_alloc_table(&ureq->sgt,
 			       DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN,
 					    PAGE_SIZE) + 2, GFP_KERNEL);
 	}
@@ -504,7 +510,7 @@ static void uvcg_video_pump(struct work_struct *work)
 int uvcg_video_enable(struct uvc_video *video, int enable)
 {
 	struct uvc_device *uvc = video->uvc;
-	unsigned int i;
+	struct uvc_request *ureq;
 	int ret;

 	if (video->ep == NULL) {
@@ -519,9 +525,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
 		cancel_work_sync(&video->pump);
 		uvcg_queue_cancel(&video->queue, 0);

-		for (i = 0; i < video->uvc_num_requests; ++i)
-			if (video->ureq && video->ureq[i].req)
-				usb_ep_dequeue(video->ep, video->ureq[i].req);
+		list_for_each_entry(ureq, &video->ureqs, list) {
+			if (ureq->req)
+				usb_ep_dequeue(video->ep, ureq->req);
+		}

 		uvc_video_free_requests(video);
 		uvcg_queue_enable(&video->queue, 0);
@@ -555,6 +562,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
  */
 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
 {
+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	spin_lock_init(&video->req_lock);
 	INIT_WORK(&video->pump, uvcg_video_pump);

From patchwork Thu Oct  5 18:08:14 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Avichal Rakesh <arakesh@google.com>
X-Patchwork-Id: 148970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2016:b0:403:3b70:6f57 with SMTP id
 fe22csp478266vqb;
        Thu, 5 Oct 2023 11:09:38 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IG4XzzEwjdR46drnNP845AvpPRtgKtsePD8HYO1YwuB6A6zDUvdNBRL9dTTttJoCSQag0QM
X-Received: by 2002:a17:90a:12cd:b0:274:6d4e:e0d9 with SMTP id
 b13-20020a17090a12cd00b002746d4ee0d9mr5782816pjg.45.1696529377734;
        Thu, 05 Oct 2023 11:09:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696529377; cv=none;
        d=google.com; s=arc-20160816;
        b=zkAkam87SZ+PQ+JzcPAqw5q9qBjhX793kVHFMYFJSDj/K5XenyrlZZ39iZswpPOen3
         jumxJMUXdOBhCFlz9DVxjtJruxHuI5E8RS4EP32tlSAwgDv/1oM3o6PGffhSK3eER0bI
         xLvq581hVdqCRYPk/fGckvEzwRq2WayawA5vMUlZQGJVkNhmQQN14riD3NXHUssCUnpJ
         Qcn5MFWNaWgqCo7YknO0WomICH1BirrjEn4d2a3aaxNEepyrb2Tfpzb30l1dZzwSPBe5
         NQFmfOy5kk1TK3IPHpZ54OvmKoDGyoWtuzvvrIZ6zLqNByfvm182y/ZcuetOB5rz6gkh
         Hjhw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:dkim-signature;
        bh=Fulx3avKDjTg8wkMNU25aLrvIs7TbekfU944xGo/6Xc=;
        fh=q3sDYC4bBx/LQ35Tzyg5FsIVnW5P3mal7p7VS0xEYf0=;
        b=gKAMuRcgM5/3q4mWDKAYt6yXq1Rf1nxSiqwYyHN7EkqiTDF0SR69Bpk7YpA9xypJbJ
         snd2V4ZPp7cmaAfSOc0wpBjZNDhJ8lapEo2u9KJ8E8NzSu3YzcHRwkpHwgOaeEK4SfJM
         vBdGUJZyZyGmJMoTCb+9B1UZseZPsurYDbNeGPeNcrRxLpU/kFhDx1N6ykNlX5ecqfRj
         2/OSedYCOf7qL5EEqPwHqrrmHyzx2J8FzZ6uOOOKEKK1dhQ/QfuHDI6KUwzoKAmQZHD3
         fIWkmfPjtOOSK8N9HQim6ggzYFZJDRjhPqUDFkMbP3fFUw+RcuhtAhqwXnJnrYKd5M9l
         csnA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=duPIVGxZ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.37 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from snail.vger.email (snail.vger.email. [23.128.96.37])
        by mx.google.com with ESMTPS id
 sf9-20020a17090b51c900b0027749a1fe74si1988257pjb.182.2023.10.05.11.09.37
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Oct 2023 11:09:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=duPIVGxZ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 23.128.96.37 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by snail.vger.email (Postfix) with ESMTP id 0406E835450C;
	Thu,  5 Oct 2023 11:09:37 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231827AbjJESJb (ORCPT <rfc822;ezelljr.billy@gmail.com>
        + 18 others); Thu, 5 Oct 2023 14:09:31 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39870 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231932AbjJESIm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 5 Oct 2023 14:08:42 -0400
Received: from mail-pl1-x64a.google.com (mail-pl1-x64a.google.com
 [IPv6:2607:f8b0:4864:20::64a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 303B810F
        for <linux-kernel@vger.kernel.org>;
 Thu,  5 Oct 2023 11:08:24 -0700 (PDT)
Received: by mail-pl1-x64a.google.com with SMTP id
 d9443c01a7336-1c746bccbdcso11346505ad.2
        for <linux-kernel@vger.kernel.org>;
 Thu, 05 Oct 2023 11:08:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1696529303; x=1697134103;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=Fulx3avKDjTg8wkMNU25aLrvIs7TbekfU944xGo/6Xc=;
        b=duPIVGxZJIfn1ybzQqTdHGHA6EMmzUxRvXFfhfPL9B2GOR4JpygthjcOVxt6oSk2fh
         IF0sEYSz3CqwD+MJV5MM3uiee5H7GSPDaUqum1o/hPyDY1qAGQPYR9CPh5r8eQQXE1eM
         HsbPP6gm0G0ikGpoSrY+1TlBSKoMgTO+0jmrXExlzb+pF1KbkW7Ba0olAT8Ol9MB4hdU
         Ei+blOUF8XuLdcDdIxdMc1DIB4vOCY9I1362iCfd3QKe/QFA7JQYzp/F5fiTQJl5V8P6
         hRNSFCduc/Rt4vql5ip10hxJ1lFVefzY63x+G5wttQHw/MSG2rde2XgTi6eKZ+sYGISu
         L4ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696529303; x=1697134103;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=Fulx3avKDjTg8wkMNU25aLrvIs7TbekfU944xGo/6Xc=;
        b=pVbQbm9j6XcQsTu0vQ9BlyfA3BZAKuc3BOzVGbES0yw2b0wK4kWNYVHHYw/P5L0oM8
         g8couCwp7/70ugPXDKOcVngQPuQT1i5NUXpPBJ2NXZru9+G/ZVGuCoJC3cNBSX4nC3lD
         tsDeBZlYKmd1uLpFv2txu8yfERPRWtejHONWuo3/Y20HnxDumf9Qr4iR/nTuUfe0K9F4
         ZWwyjfBtD7+WhLFMsHJxxkiF22XKxJieBlTzr75gHwlLXJ6+qi4ybL8pCSDCMYzsxUbo
         wxFy9jXEhq5sy0KjGrCnd1l/sGvWiBHObbOyAbACk+AqonlO72c4k9Jgjp8o25sISCxK
         5LJg==
X-Gm-Message-State: AOJu0YwM1hXghTWLCtQFfBLC3GxzuK7rfLUey+GaTaA1vqHQUyN/DEPI
        osxwH+NY0BtPi2U13wGo57y9AJS5mVfJ
X-Received: from hi-h2o-specialist.c.googlers.com
 ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef])
 (user=arakesh job=sendgmr) by 2002:a17:902:d4c4:b0:1b7:c944:edd4 with SMTP id
 o4-20020a170902d4c400b001b7c944edd4mr91628plg.2.1696529303598; Thu, 05 Oct
 2023 11:08:23 -0700 (PDT)
Date: Thu,  5 Oct 2023 11:08:14 -0700
In-Reply-To: <20231005180814.3278050-1-arakesh@google.com>
Mime-Version: 1.0
References: <20230930184821.310143-1-arakesh@google.com>
 <20231005180814.3278050-1-arakesh@google.com>
X-Mailer: git-send-email 2.42.0.609.gbb76f46606-goog
Message-ID: <20231005180814.3278050-3-arakesh@google.com>
Subject: [PATCH v3 3/3] usb: gadget: uvc: Fix use-after-free for inflight
 usb_requests
From: Avichal Rakesh <arakesh@google.com>
To: arakesh@google.com, dan.scally@ideasonboard.com,
        gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com,
        m.grzeschik@pengutronix.de
Cc: etalvala@google.com, jchowdhary@google.com,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        Michael Grzeschik <mgr@pengutronix.de>
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
 not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]);
 Thu, 05 Oct 2023 11:09:37 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778517869169821913
X-GMAIL-MSGID: 1778939988513006701

Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new
flag to uvc_request to mark it as 'abandoned'. When disabling the video
stream, instead of de-allocating all uvc_requests and usb_requests, the
gadget driver only de-allocates those usb_requests that are currently
owned by the gadget driver (as present in req_free). Other usb_requests
have their corresponding 'is_abandoned' flag tripped, and the
usb_requests complete handler takes care of freeing the usb_request and
its corresponding uvc_request.

This should ensure that uvc gadget driver never accidentally de-allocates
a usb_request that it doesn't own.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik <mgr@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1 -> v2: Rebased to ToT, and fixed deadlock reported in
          https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/
v2 -> v3: Fix email threading goof-up

 drivers/usb/gadget/function/uvc.h       |   1 +
 drivers/usb/gadget/function/uvc_video.c | 118 ++++++++++++++++++++----
 2 files changed, 102 insertions(+), 17 deletions(-)

--
2.42.0.609.gbb76f46606-goog

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 993694da0bbc..e69cfb7cced1 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -82,6 +82,7 @@ struct uvc_request {
 	u8 header[UVCG_REQUEST_HEADER_LEN];
 	struct uvc_buffer *last_buf;
 	struct list_head list;
+	bool is_abandoned;
 };

 struct uvc_video {
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 3c4d286d81c0..69521886d599 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -271,7 +271,21 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 	struct uvc_video *video = ureq->video;
 	struct uvc_video_queue *queue = &video->queue;
 	struct uvc_device *uvc = video->uvc;
+	struct uvc_buffer *last_buf;
 	unsigned long flags;
+	bool is_abandoned;
+
+	spin_lock_irqsave(&video->req_lock, flags);
+	is_abandoned = ureq->is_abandoned;
+	last_buf = ureq->last_buf;
+	ureq->last_buf = NULL;
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
+	if (is_abandoned) {
+		uvcg_dbg(&video->uvc->func, "Freeing abandoned usb_request\n");
+		uvc_video_free_request(ureq, ep);
+		return;
+	}

 	if (uvc->state == UVC_STATE_CONNECTED) {
 		usb_ep_free_request(video->ep, ureq->req);
@@ -300,15 +314,29 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 		uvcg_queue_cancel(queue, 0);
 	}

-	if (ureq->last_buf) {
-		uvcg_complete_buffer(&video->queue, ureq->last_buf);
-		ureq->last_buf = NULL;
+	if (last_buf) {
+		spin_lock_irqsave(&video->queue.irqlock, flags);
+		uvcg_complete_buffer(&video->queue, last_buf);
+		spin_unlock_irqrestore(&video->queue.irqlock, flags);
 	}

+	/*
+	 * request might have been abandoned while being processed.
+	 * do a last minute check before queueing the request back.
+	 */
 	spin_lock_irqsave(&video->req_lock, flags);
-	list_add_tail(&req->list, &video->req_free);
+	is_abandoned = ureq->is_abandoned;
+	if (!is_abandoned)
+		list_add_tail(&req->list, &video->req_free);
 	spin_unlock_irqrestore(&video->req_lock, flags);

+	if (is_abandoned) {
+		uvcg_dbg(&video->uvc->func,
+			 "usb_request abandoned mid-processing - freeing.\n");
+		uvc_video_free_request(ureq, ep);
+		return;
+	}
+
 	if (uvc->state == UVC_STATE_STREAMING)
 		queue_work(video->async_wq, &video->pump);
 }
@@ -372,7 +400,6 @@ uvc_video_alloc_requests(struct uvc_video *video)
 	}

 	video->req_size = req_size;
-
 	return 0;

 error:
@@ -504,13 +531,80 @@ static void uvcg_video_pump(struct work_struct *work)
 	return;
 }

+/*
+ * Disable video stream. This ensures that any inflight usb requests are marked
+ * for clean up and all video buffers are dropped before returning.
+ */
+static void uvcg_video_disable(struct uvc_video *video)
+{
+	struct uvc_buffer *buf, *tmp_buf;
+	struct uvc_request *ureq, *temp;
+	struct list_head buf_list; /* track in-flight video buffers */
+	struct usb_request *req;
+	unsigned long flags;
+
+	INIT_LIST_HEAD(&buf_list);
+
+	cancel_work_sync(&video->pump);
+	uvcg_queue_cancel(&video->queue, 0);
+
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		if (ureq->req)
+			usb_ep_dequeue(video->ep, ureq->req);
+	}
+
+	/**
+	 * acquiring req_lock here should prevent any more complete
+	 * callbacks from processing until we've abandoned the
+	 * requests that are still in-flight and let the complete
+	 * callback handle cleanup
+	 */
+	spin_lock_irqsave(&video->req_lock, flags);
+	/* abandon all usb requests */
+	list_for_each_entry_safe(ureq, temp, &video->ureqs, list) {
+		ureq->is_abandoned = true;
+		if (ureq->last_buf) {
+			list_add(&ureq->last_buf->queue, &buf_list);
+			ureq->last_buf = NULL;
+		}
+		list_del_init(&ureq->list);
+	}
+	/*
+	 * re-add uvc_requests currently owned by the gadget to
+	 * video->ureqs to be deallocated. This effectively leaves
+	 * video->ureqs with the requests that we currently own.
+	 */
+	list_for_each_entry(req, &video->req_free, list) {
+		ureq = req->context;
+		list_add_tail(&ureq->list, &video->ureqs);
+	}
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
+	/*
+	 * drop abandoned uvc_buffers, as the completion handler
+	 * no longer will
+	 */
+	if (!list_empty(&buf_list)) {
+		spin_lock_irqsave(&video->queue.irqlock, flags);
+		list_for_each_entry_safe(buf, tmp_buf,
+						&buf_list, queue) {
+			video->queue.flags |= UVC_QUEUE_DROP_INCOMPLETE;
+			uvcg_complete_buffer(&video->queue, buf);
+			list_del(&buf->queue);
+		}
+		spin_unlock_irqrestore(&video->queue.irqlock, flags);
+	}
+
+	uvc_video_free_requests(video);
+	uvcg_queue_enable(&video->queue, 0);
+}
+
 /*
  * Enable or disable the video stream.
  */
 int uvcg_video_enable(struct uvc_video *video, int enable)
 {
 	struct uvc_device *uvc = video->uvc;
-	struct uvc_request *ureq;
 	int ret;

 	if (video->ep == NULL) {
@@ -521,17 +615,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)

 	if (!enable) {
 		uvc->state = UVC_STATE_CONNECTED;
-
-		cancel_work_sync(&video->pump);
-		uvcg_queue_cancel(&video->queue, 0);
-
-		list_for_each_entry(ureq, &video->ureqs, list) {
-			if (ureq->req)
-				usb_ep_dequeue(video->ep, ureq->req);
-		}
-
-		uvc_video_free_requests(video);
-		uvcg_queue_enable(&video->queue, 0);
+		uvcg_video_disable(video);
 		return 0;
 	}