From patchwork Thu Oct 19 18:53:16 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 155692
Date: Thu, 19 Oct 2023 11:53:16 -0700
In-Reply-To: <20231019185319.2714000-1-arakesh@google.com>
References: <20230930184821.310143-1-arakesh@google.com> <20231019185319.2714000-1-arakesh@google.com>
Message-ID: <20231019185319.2714000-2-arakesh@google.com>
Subject: [PATCH v6 1/4] usb: gadget: uvc: prevent use of disabled endpoint
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de
Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org

Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint.

This change moves disabling usb endpoint to the end of streamoff event callback. As the endpoint's state can no longer be used, video_pump is now guarded by uvc->state as well. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- --- v1 -> v2: Rebased to ToT and reworded commit message. v2 -> v3: Fix email threading goof-up v3 -> v4: Address review comments & re-rebase to ToT v4 -> v5: Add Reviewed-by & Tested-by v5 -> v6: No change drivers/usb/gadget/function/f_uvc.c | 11 +++++------ drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 2 +- drivers/usb/gadget/function/uvc_v4l2.c | 20 +++++++++++++++++--- drivers/usb/gadget/function/uvc_video.c | 3 ++- 5 files changed, 26 insertions(+), 12 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index faa398109431..ae08341961eb 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) + usb_ep_disable(uvc->video.ep); + usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..e7f9f13f14dc 100644 --- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h 
@@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..7cb8d027ff0c 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) + return ret; + + uvc_function_setup_continue(uvc, 1); + return 0; } static int 
@@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + if (uvc->state == UVC_STATE_STREAMING) + uvc->state = UVC_STATE_CONNECTED; + uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; @@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 91af3b1ef0d4..c334802ac0a4 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c 
@@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; + struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (video->ep->enabled) { + while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { /* * Retrieve the first available USB request, protected by the * request lock.
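Review bot: In the f_uvc.h hunk of patch 1/4 the new parameter is misspelled: "void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep);", while the definition in f_uvc.c and the extern in uvc.h both use disable_ep. It builds, because parameter names in a prototype are not compared, but the name should be corrected. The same prototype is now maintained in both f_uvc.h and uvc.h, so dropping one of the two declarations would avoid this kind of drift, and a bool would describe the flag better than an int.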
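Review bot: In the uvc_v4l2_streamoff() hunk of patch 1/4, the early "if (ret < 0) return ret;" skips uvc_function_setup_continue(uvc, 1) even though set_alt has already returned USB_GADGET_DELAYED_STATUS and uvc->state has already been set to UVC_STATE_CONNECTED. On that path the delayed status stage is never completed and usb_ep_disable() is never called. Either complete the setup on the error path as well, or add a comment explaining why uvcg_video_enable(video, 0) cannot fail here. The call is also issued on every STREAMOFF ioctl, so it is worth confirming that it only runs when a delayed status from set_alt is actually pending.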
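Review bot: The new loop condition in uvcg_video_pump() reads uvc->state with no lock and no READ_ONCE(), while uvc_v4l2_streamoff() and uvc_v4l2_disable() write it from another context. The check narrows the window, but the pump can still pass it just before the state drops to CONNECTED. What actually closes the race is the ordering in streamoff: the state is set, uvcg_video_enable(video, 0) runs cancel_work_sync() on the pump, and only then does uvc_function_setup_continue(uvc, 1) disable the endpoint. Please state that ordering in a comment next to the loop so a later change does not reorder it.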
From patchwork Thu Oct 19 18:53:17 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 155691
Date: Thu, 19 Oct 2023 11:53:17 -0700
In-Reply-To: <20231019185319.2714000-1-arakesh@google.com>
References: <20230930184821.310143-1-arakesh@google.com> <20231019185319.2714000-1-arakesh@google.com>
Message-ID: <20231019185319.2714000-3-arakesh@google.com>
Subject: [PATCH v6 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de
Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allow for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT v2 -> v3: Fix email threading goof-up v3 -> v4: Address review comments & re-rebase to ToT v4 -> v5: Address more review comments. Add Reviewed-by & Tested-by. v5 -> v6: No change drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 89 ++++++++++++++----------- 2 files changed, 52 insertions(+), 40 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c334802ac0a4..c180866c8e34 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void +uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; 
@@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); + struct uvc_request *ureq, *temp; - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } - - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; - } + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) + uvc_video_free_request(ureq, video->ep); + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; 
@@ -332,29 +336,34 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; + INIT_LIST_HEAD(&video->ureqs); + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) + goto error; + + INIT_LIST_HEAD(&ureq->list); + + list_add_tail(&ureq->list, &video->ureqs); - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) goto error; - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; - list_add_tail(&video->ureq[i].req->list, &video->req_free); + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } @@ -489,8 +498,8 @@ static void uvcg_video_pump(struct work_struct *work) */ int uvcg_video_enable(struct uvc_video *video, int enable) { - unsigned int i; int ret; + struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -502,9 +511,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); 
@@ -536,6 +546,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump);
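Review bot: In the uvc_video_alloc_requests() hunk of patch 2/4, the return value of sg_alloc_table(&ureq->sgt, ...) at the end of the loop body is still ignored, unlike the kzalloc(), kmalloc() and usb_ep_alloc_request() calls above it, which all "goto error". Now that each request is set up on its own, check the result and take the same error path. uvc_video_free_request() already calls sg_free_table() for every entry on video->ureqs, so the cleanup side is in place.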
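Review bot: In the new uvc_video_free_request() of patch 2/4, the "if (ureq->req && ep)" test means that when ep is NULL the usb_request is not freed, and the following kfree(ureq) drops the only pointer to it. If a NULL ep cannot occur on this path, drop the check; if it can, the request leaks silently and at least a warning is needed. Separately, uvcg_video_enable() still calls usb_ep_dequeue() and then uvc_video_free_requests() immediately, so the use-after-free described in the commit message is not closed by this patch alone. The commit message says as much ("1 of 2"), and a short comment at that call site noting that the follow-up patch handles it would help anyone backporting this one in isolation.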
From patchwork Thu Oct 19 18:53:18 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 155693
Date: Thu, 19 Oct 2023 11:53:18 -0700
In-Reply-To: <20231019185319.2714000-1-arakesh@google.com>
References: <20230930184821.310143-1-arakesh@google.com> <20231019185319.2714000-1-arakesh@google.com>
Message-ID: <20231019185319.2714000-4-arakesh@google.com>
Subject: [PATCH v6 3/4] usb: gadget: uvc: move video disable logic to its own function
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de
Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org

This patch refactors the video disable logic in uvcg_video_enable into its own separate function 'uvcg_video_disable'.

Signed-off-by: Avichal Rakesh --- v6: Introduced this patch to make the next one easier to review drivers/usb/gadget/function/uvc_video.c | 37 +++++++++++++++---------- 1 file changed, 23 insertions(+), 14 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c180866c8e34..80b8eaea2d39 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c
@@ -493,13 +493,33 @@ static void uvcg_video_pump(struct work_struct *work) return; } +/* + * Disable video stream + */ +static int +uvcg_video_disable(struct uvc_video *video) +{ + struct uvc_request *ureq; + + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); + + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } + + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); + return 0; +} + /* * Enable or disable the video stream. */ int uvcg_video_enable(struct uvc_video *video, int enable) { int ret; - struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -507,19 +527,8 @@ int uvcg_video_enable(struct uvc_video *video, int enable) return -ENODEV; } - if (!enable) { - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); - - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } - - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); - return 0; - } + if (!enable) + return uvcg_video_disable(video); if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret;
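Review bot: uvcg_video_disable() is declared static int, but its only exit is return 0 and the result of each usb_ep_dequeue(video->ep, ureq->req) call in the loop is dropped, so the return value tells uvcg_video_enable() nothing. Either make the helper void and have the caller return 0 after calling it, or say in the comment above the function that it cannot fail. That comment ("Disable video stream") could also record the ordering the body relies on, with the pump work cancelled before the requests are dequeued and freed, so the next patch in the series can be checked against it.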
Date: Thu, 19 Oct 2023 11:53:19 -0700
Message-ID: <20231019185319.2714000-5-arakesh@google.com>
Subject: [PATCH v6 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com, m.grzeschik@pengutronix.de
Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_video to track when frames and requests should be flowing. When disabling the video stream, the flag is tripped and, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by it (as present in req_free). Other usb_requests are left untouched until their completion handler is called which takes care of freeing the usb_request and its corresponding uvc_request.

Now that uvc_video does not depend on uvc->state, this patch removes unnecessary updates to uvc->state that were made to accommodate uvc_video logic.
This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh
---
v1 -> v2: Rebased to ToT, and fixed deadlock reported in https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/
v2 -> v3: Fix email threading goof-up
v3 -> v4: re-rebase to ToT & moved to a uvc_video level lock as discussed in https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/
v4 -> v5: Address review comments. Add Reviewed-by & Tested-by.
v5 -> v6: Added another patch before this one to make uvcg_video_disable easier to review.

drivers/usb/gadget/function/uvc.h | 1 +
drivers/usb/gadget/function/uvc_v4l2.c | 12 +--
drivers/usb/gadget/function/uvc_video.c | 128 ++++++++++++++++++++----
3 files changed, 111 insertions(+), 30 deletions(-)

--
2.42.0.758.gaed0368e0e-goog

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..be0d012aa244 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -102,6 +102,7 @@ struct uvc_video { unsigned int uvc_num_requests; /* Requests */ + bool is_enabled; /* tracks whether video stream is enabled */ unsigned int req_size; struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 7cb8d027ff0c..f4d2e24835d4 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -451,8 +451,8 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; + uvc_function_setup_continue(uvc, 0); return 0; } @@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) if (type != video->queue.queue.type) return -EINVAL; - uvc->state = UVC_STATE_CONNECTED; ret = uvcg_video_enable(video, 0); if (ret < 0) return ret; + uvc->state = UVC_STATE_CONNECTED; uvc_function_setup_continue(uvc, 1); return 0; } @@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); - /* - * Drop uvc->state to CONNECTED if it was streaming before. - * This ensures that the usb_requests are no longer queued - * to the controller. - */ - if (uvc->state == UVC_STATE_STREAMING) - uvc->state = UVC_STATE_CONNECTED; - uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 80b8eaea2d39..41fb4f24e829 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,9 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +/** + * Must be called with req_lock held as it modifies the list ureq is held in + */ static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) { 
@@ -271,9 +274,25 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_request *ureq = req->context; struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; - struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf = NULL; unsigned long flags; + spin_lock_irqsave(&video->req_lock, flags); + if (!video->is_enabled) { + /* + * When is_enabled is false, uvc_video_disable ensures that + * in-flight uvc_buffers are returned, so we can safely + * call free_request without worrying about last_buf. + */ + uvc_video_free_request(ureq, ep); + spin_unlock_irqrestore(&video->req_lock, flags); + return; + } + + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + switch (req->status) { case 0: break; @@ -295,17 +314,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&queue->irqlock, flags); + uvcg_complete_buffer(&video->queue, last_buf); + spin_unlock_irqrestore(&queue->irqlock, flags); } spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); - spin_unlock_irqrestore(&video->req_lock, flags); - - if (uvc->state == UVC_STATE_STREAMING) + /* + * Video stream might have been disabled while we were + * processing the current usb_request. So make sure + * we're still streaming before queueing the usb_request + * back to req_free + */ + if (video->is_enabled) { + list_add_tail(&req->list, &video->req_free); queue_work(video->async_wq, &video->pump); + } else { + uvc_video_free_request(ureq, ep); + } + spin_unlock_irqrestore(&video->req_lock, flags); } static int 
@@ -393,20 +421,22 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; - struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { + while (true) { + if (!video->ep->enabled) + return; + /* - * Retrieve the first available USB request, protected by the - * request lock. + * Check is_enabled and retrieve the first available USB + * request, protected by the request lock. */ spin_lock_irqsave(&video->req_lock, flags); - if (list_empty(&video->req_free)) { + if (!video->is_enabled || list_empty(&video->req_free)) { spin_unlock_irqrestore(&video->req_lock, flags); return; } @@ -488,9 +518,11 @@ static void uvcg_video_pump(struct work_struct *work) return; spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + if (video->is_enabled) + list_add_tail(&req->list, &video->req_free); + else + uvc_video_free_request(req->context, video->ep); spin_unlock_irqrestore(&video->req_lock, flags); - return; } /* 
@@ -499,17 +531,64 @@ static void uvcg_video_pump(struct work_struct *work) static int uvcg_video_disable(struct uvc_video *video) { - struct uvc_request *ureq; + unsigned long flags; + struct list_head inflight_bufs; + struct usb_request *req, *temp; + struct uvc_buffer *buf, *btemp; + struct uvc_request *ureq, *utemp; + + INIT_LIST_HEAD(&inflight_bufs); + spin_lock_irqsave(&video->req_lock, flags); + video->is_enabled = false; + + /* + * Remove any in-flight buffers from the uvc_requests + * because we want to return them before cancelling the + * queue. This ensures that we aren't stuck waiting for + * all complete callbacks to come through before disabling + * vb2 queue. + */ + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->last_buf) { + list_add_tail(&ureq->last_buf->queue, &inflight_bufs); + ureq->last_buf = NULL; + } + } + spin_unlock_irqrestore(&video->req_lock, flags); cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); + spin_lock_irqsave(&video->req_lock, flags); + /* + * Remove all uvc_reqeusts from ureqs with list_del_init + * This lets uvc_video_free_request correctly identify + * if the uvc_request is attached to a list or not when freeing + * memory. + */ + list_for_each_entry_safe(ureq, utemp, &video->ureqs, list) + list_del_init(&ureq->list); + + list_for_each_entry_safe(req, temp, &video->req_free, list) { + list_del(&req->list); + uvc_video_free_request(req->context, video->ep); } - uvc_video_free_requests(video); + INIT_LIST_HEAD(&video->ureqs); + INIT_LIST_HEAD(&video->req_free); + video->req_size = 0; + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * Return all the video buffers before disabling the queue. 
+ */ + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) { + list_del(&buf->queue); + uvcg_complete_buffer(&video->queue, buf); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + uvcg_queue_enable(&video->queue, 0); return 0; } @@ -530,6 +609,14 @@ int uvcg_video_enable(struct uvc_video *video, int enable) if (!enable) return uvcg_video_disable(video); + /* + * Safe to access request related fields without req_lock because + * this is the only thread currently active, and no other + * request handling thread will become active until this function + * returns. + */ + video->is_enabled = true; + if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret; @@ -555,6 +642,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + video->is_enabled = false; INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock);
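Review bot: the uvc_v4l2.c hunks reorder state updates without the commit message saying why. In uvc_v4l2_streamon(), uvc->state = UVC_STATE_STREAMING now precedes uvc_function_setup_continue(uvc, 0), and in uvc_v4l2_streamoff() the drop to UVC_STATE_CONNECTED now happens only after uvcg_video_enable(video, 0) succeeds. The message covers only the removal of "unnecessary updates", which matches the block deleted from uvc_v4l2_disable(); please add a sentence on the two reorderings, and confirm that no remaining reader of uvc->state depended on the value that uvc_v4l2_disable() used to set.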
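Review bot: the comment added above uvc_video_free_request() opens with /** but is not written in kernel-doc format, so kernel-doc will warn about it; use a plain /* opener. The locking rule it states would be better enforced than described: a lockdep_assert_held() on the req_lock of ureq->video at the top of the function catches a caller that forgets the lock. The visible hunks show the lock held in uvc_video_complete(), uvcg_video_pump() and uvcg_video_disable(); any caller outside these hunks needs checking before the assertion goes in.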
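Review bot: in the early-return branch of uvc_video_complete(), the new comment names uvc_video_disable, but the function this series adds is uvcg_video_disable(); fix the name so the cross-reference can be found with grep. The same function now takes queue->irqlock around uvcg_complete_buffer(), and uvcg_video_disable() does the same with video->queue.irqlock. If the callee now requires that lock, state it in a comment on uvcg_complete_buffer() or in the commit message, which does not mention the new locking.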
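Review bot: uvcg_video_disable() no longer calls usb_ep_dequeue() on requests the controller still holds, so each of those uvc_requests is freed only when its completion handler eventually runs; the comment block should say what guarantees that completion and what happens to the memory if a request is never completed. Also in this hunk, "uvc_reqeusts" is a typo for uvc_requests, and INIT_LIST_HEAD(&video->ureqs) and INIT_LIST_HEAD(&video->req_free) follow loops that have already emptied both lists, so either drop them or note why they are kept.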
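Review bot: in uvcg_video_enable(), video->is_enabled = true is set before uvcg_queue_enable(&video->queue, 1), and the error path directly after it returns ret without clearing the flag, so a failed enable leaves is_enabled true with no stream running. Set the flag after the steps that can fail, or reset it on the error return shown here and on any later error returns in the function.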