From patchwork Thu Oct 5 18:08:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 148971 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2016:b0:403:3b70:6f57 with SMTP id fe22csp478283vqb; Thu, 5 Oct 2023 11:09:39 -0700 (PDT) X-Google-Smtp-Source: AGHT+IG447+pPHqPEMSwSRJoo/8OFZDI0NnHFY4NHSCP9+tAPETtNGwS9gvrRBsR6hFXiQAYbNEl X-Received: by 2002:a05:6358:292a:b0:134:d45b:7dd1 with SMTP id y42-20020a056358292a00b00134d45b7dd1mr6252066rwb.21.1696529378872; Thu, 05 Oct 2023 11:09:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696529378; cv=none; d=google.com; s=arc-20160816; b=KDQZIGye4dpR+ARQrcTP6VgoVfkN5w6flbdamR6zjmiM2+q6QkcTKjiboN1TFkFsxJ 4k3Zv3UbARCr+Nxkxmo4gbxfhHEohv15axBGCLW3ueYAnuJc8o6hjSdR/ssErJwsTfUl +vABRNRAzCwmHlENTM/pdoYUjDkpZPAYlVV24ddgciPe1SYhkFt63vAiObFGAf5KAnX2 aadL81OGeNVhwWuBApcDFazdeqtalTNfAXThIIGND6g7SlN/aP8nEYKZdnuk6Nmn+QEk za4DFOHMkrSJ76Lbxvn2E7Xi3itrMqC1qkoWO9xOWoVbFaGOZYvgljWGrkRwAr8u26gP Ie6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=cGPEr42+ZwCTP+CEzEnFhGGfenBhCq6NKh2BAUdeTck=; fh=E5X6/3uWCMdGSKLB7vuNn1z8ZeRDzUIfiV2I8BhU+4Q=; b=Fkemnb0VYhszMWaOgmVs+j+zoXkHdZIBHRiupzVAkJSDLE5vSm+7mrum7P6Y3EXfoN 2zx4H00J+ZSnZFbbSnuI4D8ft1gEAd+wOwXRmK8ZCxRVeVJf8inTY7Hyus+k9iyWR6zC gfDqTS9Rtf+hBNleyCTPrj+/XigetBS3+6fNLqDL3BFqTmZ1TXFxhyp1IHdZPEZXntrm B0njnwh90OK0RqGfKZkbTnhQAvPKAucszBInAYgxOCaiyli22GreEnNz7TQePRjWGyjY 6T5epHHhAsOViCoU7/Ff368MJF7MRTcW5EfYG4h4gIHmaT4vswIcnxMlLp+dp1+6Pq0H LtYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=1UAjV89+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id a29-20020a637f1d000000b00565f0e91894si1911876pgd.394.2023.10.05.11.09.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Oct 2023 11:09:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=1UAjV89+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 282AE8039FEA; Thu, 5 Oct 2023 11:09:36 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231526AbjJESJH (ORCPT + 18 others); Thu, 5 Oct 2023 14:09:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51422 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230203AbjJESI1 (ORCPT ); Thu, 5 Oct 2023 14:08:27 -0400 Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com [IPv6:2607:f8b0:4864:20::1149]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 04465112 for ; Thu, 5 Oct 2023 11:08:19 -0700 (PDT) Received: by mail-yw1-x1149.google.com with SMTP id 00721157ae682-59f53027158so17128027b3.0 for ; Thu, 05 Oct 2023 11:08:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1696529298; x=1697134098; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=cGPEr42+ZwCTP+CEzEnFhGGfenBhCq6NKh2BAUdeTck=; b=1UAjV89+aPiZ6PfduyoOx/FVGFc1vjlm+88m960GJqSnjXrtwwqMI/qL9rcKTal9Ub YIqcddmQ0iGpp62XKF8UMBXnaUPqhfb8S26Tl+GctNI2A6S/6pLse//oqYHj7ArjLtG7 cSWvr1cPkExnnrBrBZ/H6a2hQm7RnRmg+2w6iSMNOCfkLl3uGuoWnakFuRmFfpCbRJsJ rGu5SJX9mBB4oU4EunUppIJO+Jb4Z80VaEZ+YX4b11S5Q9eqRMxFQ2u8T3SZKBacjDFT FE6huwNN5AFa7B4v8BhQBOwf9DT6jrhbu2NoyZCOcR1OK7Ce0cVArtbGlcX9GY8tVA0B rUDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696529298; x=1697134098; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=cGPEr42+ZwCTP+CEzEnFhGGfenBhCq6NKh2BAUdeTck=; b=TSzg2jQYbuRak7km3UDj39aLu8uPNz3ytSBOON+iHJbK0p55+GkbKWW9uqCQ749N3k J+E1myE1bgxr4l0vmjsv2VJG9lVR68BqJqefd1Ut5iPGa4HpgF0ucFnCSo/PMw9iIIda eh7lF2SgdnG1rRY9V6FRM6D8keahoEPbMH4Q6dUejPQX+EsYCc7ujqYVhoh2ArC68Vop 12W5lot0nL6tG+sdw2qRvNCa3/3/CRB8OWnYSVz5h/R4Htk5cuNwPcN/MGHnLT1SMWfA dfKtYB4Fj4MZuZYqlbm0u4jfBE2EH/lct8SnTW9m5B9Sh5lJd0TF9UbEQdTQ3K7d8HPd 8jHA== X-Gm-Message-State: AOJu0YwjpM37cOCXUSbJy1mQfMVevAzNNDBwcSsQVsk0usLrtSLMV1kK amr5AFwjNT7Gumi/YUMIuGyB+8qyYM4y X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a5b:5c9:0:b0:d8b:737f:8240 with SMTP id w9-20020a5b05c9000000b00d8b737f8240mr103527ybp.0.1696529298114; Thu, 05 Oct 2023 11:08:18 -0700 (PDT) Date: Thu, 5 Oct 2023 11:08:12 -0700 In-Reply-To: <20230930184821.310143-1-arakesh@google.com> Mime-Version: 1.0 References: <20230930184821.310143-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.609.gbb76f46606-goog Message-ID: <20231005180814.3278050-1-arakesh@google.com> Subject: [PATCH v3 1/3] usb: gadget: uvc: prevent use of disabled endpoint From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 05 Oct 2023 11:09:36 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778501398075540037 X-GMAIL-MSGID: 1778939990037199770 Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint. This change moves disabling usb endpoint to the end of streamoff event callback. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only. Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/ Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/ Signed-off-by: Avichal Rakesh Reviewed-by: --- v1 -> v2: Rebased to ToT and reworded commit message. v2 -> v3: Fix email threading goof-up drivers/usb/gadget/function/f_uvc.c | 11 +++++------ drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 2 +- drivers/usb/gadget/function/uvc_v4l2.c | 21 ++++++++++++++++++--- 4 files changed, 25 insertions(+), 11 deletions(-) -- 2.42.0.609.gbb76f46606-goog diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index faa398109431..75c9f9a3f884 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) { + usb_ep_disable(uvc->video.ep); + } usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..e7f9f13f14dc 100644 --- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h @@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..3d3469883ed0 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,19 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) { + return ret; + } + + uvc_function_setup_continue(uvc, 1); + return 0; } static int @@ -500,6 +508,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + if (uvc->state == UVC_STATE_STREAMING) { + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + uvc->state = UVC_STATE_CONNECTED; + } uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; @@ -647,4 +663,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - From patchwork Thu Oct 5 18:08:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 148969 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2016:b0:403:3b70:6f57 with SMTP id fe22csp478016vqb; Thu, 5 Oct 2023 11:09:16 -0700 (PDT) X-Google-Smtp-Source: AGHT+IES1HZ2Rt9FB26l90K47C94jijUQssJExKwbtCQ0Mu1wQKSI+TRah8DaxdLhyYKUUo79S6T X-Received: by 2002:a17:902:da8d:b0:1c0:d17a:bfe9 with SMTP id j13-20020a170902da8d00b001c0d17abfe9mr7184934plx.46.1696529356206; Thu, 05 Oct 2023 11:09:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696529356; cv=none; d=google.com; s=arc-20160816; b=Bkr54RPccg5BG8HTf9bx8U7xhCwU5ZfjOrcI9tuqp8X162qPeJmZxDyc2Y2Y2IEBuV NYASq0Cn0mHkKcDWoBxMUaeHLguxaoqoIAWxJLFtz/Ukba1bi4ku76EOAFMFZj6JcJ4l uy5bsVk4jootK/NdCZow5+bv8klSLC8OyEOFoYJckNAVUBGRv8joBnmkHU/VvU7ejUPx 36bKUxg7Mwn/0CbjwFYLPymhGIrvo6MlifZe0eL6fv6eNRn8jFTSnD+Pk7Ov/g1CNUUD FKoIsx6ra5kwYf+38O5qr0K4XMramdNaRmpOWEE5vhLp9ra8bitpa1ay9cn1HmwODXDk EWHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=IkpdLXIt9+7FxRDrbqZkUhDTP8vYUcMsBTcxO7grRS4=; fh=q3sDYC4bBx/LQ35Tzyg5FsIVnW5P3mal7p7VS0xEYf0=; b=qZZFLd8aDmWOY6NXVltF4d8SVk/hQ0pzF2XKp5LjNJlezeV2K2SoW5qQ6t+ZIFWU+p qNOcY0jgbWGbC8JIRUjKnbfyvHt1/f6mvIDRzZpiWQCj8nyv36vAf/4Ck0QpS8YveeZk /goMNp7cxoKaKTRveyigp9ihIXNrSIHY/Th0eIJwlNTiaJ4UFSriKwncjKMdMsFFiHAx KFzJgy9f2p7lg5n+gWHsM3+6IlQjVmkkHurc0jPf7Y8bgtd4YiP7Xu1N7ungT8j+naab RkT4Rt6UI2XlfED0G6jsPpXVpgHocxK5ZzHppoh/p7w1Lhp0z5qlUbGNYHkJZf1I7M90 FdDg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=ovGOLpxh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id jz14-20020a170903430e00b001c62e2ce6a7si1784687plb.445.2023.10.05.11.09.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Oct 2023 11:09:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=ovGOLpxh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 3A2CA803BAB9; Thu, 5 Oct 2023 11:09:13 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231402AbjJESJD (ORCPT + 18 others); Thu, 5 Oct 2023 14:09:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51452 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231284AbjJESIa (ORCPT ); Thu, 5 Oct 2023 14:08:30 -0400 Received: from mail-pg1-x549.google.com (mail-pg1-x549.google.com [IPv6:2607:f8b0:4864:20::549]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94510124 for ; Thu, 5 Oct 2023 11:08:21 -0700 (PDT) Received: by mail-pg1-x549.google.com with SMTP id 41be03b00d2f7-56f75e70190so940023a12.3 for ; Thu, 05 Oct 2023 11:08:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1696529301; x=1697134101; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=IkpdLXIt9+7FxRDrbqZkUhDTP8vYUcMsBTcxO7grRS4=; b=ovGOLpxhv3kCLd0KOhKHtNXY/UcTgYeJIW5drJhk4Gieo4TeUirKDioDoUM4iIYHAo UqDB61bKMFL7vXMsX2QN2od4kFicnrNGyEQ4kgkmckYE2JqIcrI2aK5v0wj6RQwbL4Xr /a/Ary9xWJSbUpn9dpv9iqvqQM2Sl+Xpu095XOIO9plnihPl8ZFhKnzxQRuH7tquPUxZ YqxjXlQMQydgQO3oznOjFKLIZ1z4tw6dBMq2csmCGaFuaofnwoe7zQdQfvzXiOL5KHay sX0VtFSXkaiVmL3GAUuzw/0JJJNfoU49RZ26MPbWsTBRCtcxCvQi6zAxj4ifOr84J+Gy yKkw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696529301; x=1697134101; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=IkpdLXIt9+7FxRDrbqZkUhDTP8vYUcMsBTcxO7grRS4=; b=Ar0lb0Fk5Sa1o4D9+CVAUv7pF5qkXIm7RqdSNPXvCU/inFh3uu8qg4NwbzoFImM9yL sjfDQjGKhjFANcPy6kYkEPk3WOYfI3bt+1CwiNWVpy3u5c8oN9MRzE+18i6Xi1oUoRN8 rjnaxf73jA6kYR3g9aONSH82HZ6Igiqb5HWHzNrItwn7EXgQmZw3hMHwJ4PrTwgxctGA CZbT9Xn7DXTbIk9GsGJ4M9oDerDcHCUKCJ6m+wMA83pXEblxX/7Dovc6ni2ooJ121BO8 i63+NXn4GGmv4W9rA7RGtZCwyxZ6uvkRmRMPlPhNwFZDN9/2rU4L7Gf4OrS+xzXn9iza e3pw== X-Gm-Message-State: AOJu0YxAD/5CbfRaUNbt8TvDvw/ETW1qTR4eJKaisxUoDlXISzs3cmNF je+xX388rnQGwElmBoSkVFEzy04qfUdS X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a63:3ecd:0:b0:585:554c:27b1 with SMTP id l196-20020a633ecd000000b00585554c27b1mr80021pga.7.1696529301045; Thu, 05 Oct 2023 11:08:21 -0700 (PDT) Date: Thu, 5 Oct 2023 11:08:13 -0700 In-Reply-To: <20231005180814.3278050-1-arakesh@google.com> Mime-Version: 1.0 References: <20230930184821.310143-1-arakesh@google.com> <20231005180814.3278050-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.609.gbb76f46606-goog Message-ID: <20231005180814.3278050-2-arakesh@google.com> Subject: [PATCH v3 2/3] usb: gadget: uvc: Allocate uvc_requests one at a time From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, Michael Grzeschik X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 05 Oct 2023 11:09:13 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778501399086666798 X-GMAIL-MSGID: 1778939965889365974 Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allows for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Suggested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT V2 -> V3: Fix email threading goof-up drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 90 ++++++++++++++----------- 2 files changed, 51 insertions(+), 42 deletions(-) -- 2.42.0.609.gbb76f46606-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 97d875c27dcf..3c4d286d81c0 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,23 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; @@ -299,27 +316,13 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); - - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } + struct uvc_request *ureq, *temp; - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) { + uvc_video_free_request(ureq, video->ep); } + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -328,6 +331,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; @@ -338,29 +342,31 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; - - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + INIT_LIST_HEAD(&video->ureqs); + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) goto error; + INIT_LIST_HEAD(&ureq->list); + list_add_tail(&ureq->list, &video->ureqs); + } - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + list_for_each_entry(ureq, &video->ureqs, list) { + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; - - list_add_tail(&video->ureq[i].req->list, &video->req_free); + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) + goto error; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } @@ -504,7 +510,7 @@ static void uvcg_video_pump(struct work_struct *work) int uvcg_video_enable(struct uvc_video *video, int enable) { struct uvc_device *uvc = video->uvc; - unsigned int i; + struct uvc_request *ureq; int ret; if (video->ep == NULL) { @@ -519,9 +525,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); @@ -555,6 +562,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump); From patchwork Thu Oct 5 18:08:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 148970 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2016:b0:403:3b70:6f57 with SMTP id fe22csp478266vqb; Thu, 5 Oct 2023 11:09:38 -0700 (PDT) X-Google-Smtp-Source: AGHT+IG4XzzEwjdR46drnNP845AvpPRtgKtsePD8HYO1YwuB6A6zDUvdNBRL9dTTttJoCSQag0QM X-Received: by 2002:a17:90a:12cd:b0:274:6d4e:e0d9 with SMTP id b13-20020a17090a12cd00b002746d4ee0d9mr5782816pjg.45.1696529377734; Thu, 05 Oct 2023 11:09:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696529377; cv=none; d=google.com; s=arc-20160816; b=zkAkam87SZ+PQ+JzcPAqw5q9qBjhX793kVHFMYFJSDj/K5XenyrlZZ39iZswpPOen3 jumxJMUXdOBhCFlz9DVxjtJruxHuI5E8RS4EP32tlSAwgDv/1oM3o6PGffhSK3eER0bI xLvq581hVdqCRYPk/fGckvEzwRq2WayawA5vMUlZQGJVkNhmQQN14riD3NXHUssCUnpJ Qcn5MFWNaWgqCo7YknO0WomICH1BirrjEn4d2a3aaxNEepyrb2Tfpzb30l1dZzwSPBe5 NQFmfOy5kk1TK3IPHpZ54OvmKoDGyoWtuzvvrIZ6zLqNByfvm182y/ZcuetOB5rz6gkh Hjhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=Fulx3avKDjTg8wkMNU25aLrvIs7TbekfU944xGo/6Xc=; fh=q3sDYC4bBx/LQ35Tzyg5FsIVnW5P3mal7p7VS0xEYf0=; b=gKAMuRcgM5/3q4mWDKAYt6yXq1Rf1nxSiqwYyHN7EkqiTDF0SR69Bpk7YpA9xypJbJ snd2V4ZPp7cmaAfSOc0wpBjZNDhJ8lapEo2u9KJ8E8NzSu3YzcHRwkpHwgOaeEK4SfJM vBdGUJZyZyGmJMoTCb+9B1UZseZPsurYDbNeGPeNcrRxLpU/kFhDx1N6ykNlX5ecqfRj 2/OSedYCOf7qL5EEqPwHqrrmHyzx2J8FzZ6uOOOKEKK1dhQ/QfuHDI6KUwzoKAmQZHD3 fIWkmfPjtOOSK8N9HQim6ggzYFZJDRjhPqUDFkMbP3fFUw+RcuhtAhqwXnJnrYKd5M9l csnA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=duPIVGxZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id sf9-20020a17090b51c900b0027749a1fe74si1988257pjb.182.2023.10.05.11.09.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Oct 2023 11:09:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=duPIVGxZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 0406E835450C; Thu, 5 Oct 2023 11:09:37 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231827AbjJESJb (ORCPT + 18 others); Thu, 5 Oct 2023 14:09:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39870 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231932AbjJESIm (ORCPT ); Thu, 5 Oct 2023 14:08:42 -0400 Received: from mail-pl1-x64a.google.com (mail-pl1-x64a.google.com [IPv6:2607:f8b0:4864:20::64a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 303B810F for ; Thu, 5 Oct 2023 11:08:24 -0700 (PDT) Received: by mail-pl1-x64a.google.com with SMTP id d9443c01a7336-1c746bccbdcso11346505ad.2 for ; Thu, 05 Oct 2023 11:08:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1696529303; x=1697134103; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=Fulx3avKDjTg8wkMNU25aLrvIs7TbekfU944xGo/6Xc=; b=duPIVGxZJIfn1ybzQqTdHGHA6EMmzUxRvXFfhfPL9B2GOR4JpygthjcOVxt6oSk2fh IF0sEYSz3CqwD+MJV5MM3uiee5H7GSPDaUqum1o/hPyDY1qAGQPYR9CPh5r8eQQXE1eM HsbPP6gm0G0ikGpoSrY+1TlBSKoMgTO+0jmrXExlzb+pF1KbkW7Ba0olAT8Ol9MB4hdU Ei+blOUF8XuLdcDdIxdMc1DIB4vOCY9I1362iCfd3QKe/QFA7JQYzp/F5fiTQJl5V8P6 hRNSFCduc/Rt4vql5ip10hxJ1lFVefzY63x+G5wttQHw/MSG2rde2XgTi6eKZ+sYGISu L4ow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696529303; x=1697134103; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Fulx3avKDjTg8wkMNU25aLrvIs7TbekfU944xGo/6Xc=; b=pVbQbm9j6XcQsTu0vQ9BlyfA3BZAKuc3BOzVGbES0yw2b0wK4kWNYVHHYw/P5L0oM8 g8couCwp7/70ugPXDKOcVngQPuQT1i5NUXpPBJ2NXZru9+G/ZVGuCoJC3cNBSX4nC3lD tsDeBZlYKmd1uLpFv2txu8yfERPRWtejHONWuo3/Y20HnxDumf9Qr4iR/nTuUfe0K9F4 ZWwyjfBtD7+WhLFMsHJxxkiF22XKxJieBlTzr75gHwlLXJ6+qi4ybL8pCSDCMYzsxUbo wxFy9jXEhq5sy0KjGrCnd1l/sGvWiBHObbOyAbACk+AqonlO72c4k9Jgjp8o25sISCxK 5LJg== X-Gm-Message-State: AOJu0YwM1hXghTWLCtQFfBLC3GxzuK7rfLUey+GaTaA1vqHQUyN/DEPI osxwH+NY0BtPi2U13wGo57y9AJS5mVfJ X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a17:902:d4c4:b0:1b7:c944:edd4 with SMTP id o4-20020a170902d4c400b001b7c944edd4mr91628plg.2.1696529303598; Thu, 05 Oct 2023 11:08:23 -0700 (PDT) Date: Thu, 5 Oct 2023 11:08:14 -0700 In-Reply-To: <20231005180814.3278050-1-arakesh@google.com> Mime-Version: 1.0 References: <20230930184821.310143-1-arakesh@google.com> <20231005180814.3278050-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.609.gbb76f46606-goog Message-ID: <20231005180814.3278050-3-arakesh@google.com> Subject: [PATCH v3 3/3] usb: gadget: uvc: Fix use-after-free for inflight usb_requests From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, Michael Grzeschik X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 05 Oct 2023 11:09:37 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1778517869169821913 X-GMAIL-MSGID: 1778939988513006701 Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_request to mark it as 'abandoned'. When disabling the video stream, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by the gadget driver (as present in req_free). Other usb_requests have their corresponding 'is_abandoned' flag tripped, and the usb_requests complete handler takes care of freeing the usb_request and its corresponding uvc_request. This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Suggested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT, and fixed deadlock reported in https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/ v2 -> v3: Fix email threading goof-up drivers/usb/gadget/function/uvc.h | 1 + drivers/usb/gadget/function/uvc_video.c | 118 ++++++++++++++++++++---- 2 files changed, 102 insertions(+), 17 deletions(-) -- 2.42.0.609.gbb76f46606-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..e69cfb7cced1 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -82,6 +82,7 @@ struct uvc_request { u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; struct list_head list; + bool is_abandoned; }; struct uvc_video { diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 3c4d286d81c0..69521886d599 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -271,7 +271,21 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf; unsigned long flags; + bool is_abandoned; + + spin_lock_irqsave(&video->req_lock, flags); + is_abandoned = ureq->is_abandoned; + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + + if (is_abandoned) { + uvcg_dbg(&video->uvc->func, "Freeing abandoned usb_request\n"); + uvc_video_free_request(ureq, ep); + return; + } if (uvc->state == UVC_STATE_CONNECTED) { usb_ep_free_request(video->ep, ureq->req); @@ -300,15 +314,29 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&video->queue.irqlock, flags); + uvcg_complete_buffer(&video->queue, last_buf); + spin_unlock_irqrestore(&video->queue.irqlock, flags); } + /* + * request might have been abandoned while being processed. + * do a last minute check before queueing the request back. + */ spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + is_abandoned = ureq->is_abandoned; + if (!is_abandoned) + list_add_tail(&req->list, &video->req_free); spin_unlock_irqrestore(&video->req_lock, flags); + if (is_abandoned) { + uvcg_dbg(&video->uvc->func, + "usb_request abandoned mid-processing - freeing.\n"); + uvc_video_free_request(ureq, ep); + return; + } + if (uvc->state == UVC_STATE_STREAMING) queue_work(video->async_wq, &video->pump); } @@ -372,7 +400,6 @@ uvc_video_alloc_requests(struct uvc_video *video) } video->req_size = req_size; - return 0; error: @@ -504,13 +531,80 @@ static void uvcg_video_pump(struct work_struct *work) return; } +/* + * Disable video stream. This ensures that any inflight usb requests are marked + * for clean up and all video buffers are dropped before returning. + */ +static void uvcg_video_disable(struct uvc_video *video) +{ + struct uvc_buffer *buf, *tmp_buf; + struct uvc_request *ureq, *temp; + struct list_head buf_list; /* track in-flight video buffers */ + struct usb_request *req; + unsigned long flags; + + INIT_LIST_HEAD(&buf_list); + + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); + + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } + + /** + * acquiring req_lock here should prevent any more complete + * callbacks from processing until we've abandoned the + * requests that are still in-flight and let the complete + * callback handle cleanup + */ + spin_lock_irqsave(&video->req_lock, flags); + /* abandon all usb requests */ + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) { + ureq->is_abandoned = true; + if (ureq->last_buf) { + list_add(&ureq->last_buf->queue, &buf_list); + ureq->last_buf = NULL; + } + list_del_init(&ureq->list); + } + /* + * re-add uvc_requests currently owned by the gadget to + * video->ureqs to be deallocated. This effectively leaves + * video->ureqs with the requests that we currently own. + */ + list_for_each_entry(req, &video->req_free, list) { + ureq = req->context; + list_add_tail(&ureq->list, &video->ureqs); + } + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * drop abandoned uvc_buffers, as the completion handler + * no longer will + */ + if (!list_empty(&buf_list)) { + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, tmp_buf, + &buf_list, queue) { + video->queue.flags |= UVC_QUEUE_DROP_INCOMPLETE; + uvcg_complete_buffer(&video->queue, buf); + list_del(&buf->queue); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + } + + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); +} + /* * Enable or disable the video stream. */ int uvcg_video_enable(struct uvc_video *video, int enable) { struct uvc_device *uvc = video->uvc; - struct uvc_request *ureq; int ret; if (video->ep == NULL) { @@ -521,17 +615,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) if (!enable) { uvc->state = UVC_STATE_CONNECTED; - - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); - - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } - - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); + uvcg_video_disable(video); return 0; }