From patchwork Fri Oct 20 17:36:23 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 156244
Date: Fri, 20 Oct 2023 10:36:23 -0700
In-Reply-To: <20231019185319.2714000-1-arakesh@google.com>
References: <20231019185319.2714000-1-arakesh@google.com>
Message-ID: <20231020173626.2978356-1-arakesh@google.com>
Subject: [PATCH v7 1/4] usb: gadget: uvc: prevent use of disabled endpoint
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, laurent.pinchart@ideasonboard.com
Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint.

This change moves disabling usb endpoint to the end of streamoff event callback. As the endpoint's state can no longer be used, video_pump is now guarded by uvc->state as well. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT and reworded commit message. v2 -> v3: Fix email threading goof-up v3 -> v4: Address review comments & re-rebase to ToT v4 -> v5: Add Reviewed-by & Tested-by v5 -> v6: No change v6 -> v7: No change drivers/usb/gadget/function/f_uvc.c | 11 +++++------ drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 2 +- drivers/usb/gadget/function/uvc_v4l2.c | 20 +++++++++++++++++--- drivers/usb/gadget/function/uvc_video.c | 3 ++- 5 files changed, 26 insertions(+), 12 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index faa398109431..ae08341961eb 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) + usb_ep_disable(uvc->video.ep); + usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..e7f9f13f14dc 100644 --- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h 
@@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..7cb8d027ff0c 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) + return ret; + + uvc_function_setup_continue(uvc, 1); + return 0; } static int 
@@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + if (uvc->state == UVC_STATE_STREAMING) + uvc->state = UVC_STATE_CONNECTED; + uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; @@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 91af3b1ef0d4..c334802ac0a4 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c 
@@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; + struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (video->ep->enabled) { + while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { /* * Retrieve the first available USB request, protected by the * request lock.
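
Review bot: In the f_uvc.h hunk of patch 1/4 the new parameter is spelled `disale_ep`, while the definition in f_uvc.c and the declaration in uvc.h use `disable_ep`; please fix the spelling so the three match. Since uvc_function_setup_continue() only tests the value for truth, `bool` would describe it better than `int`, and the two callers could then pass false/true instead of 0/1.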
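
Review bot: In the uvc_function_set_alt() hunk of patch 1/4, removing `uvc->state = UVC_STATE_CONNECTED;` means the `uvc->state != UVC_STATE_STREAMING` guard above it no longer filters a second alt-setting-0 request that arrives before userspace has handled the first STREAMOFF event. That request would queue another UVC_EVENT_STREAMOFF and return USB_GADGET_DELAYED_STATUS again. Please either track that a streamoff is already pending or add a comment explaining why the host cannot get there.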
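
Review bot: In the uvc_v4l2_streamoff() hunk of patch 1/4, the early `return ret` when uvcg_video_enable() fails skips uvc_function_setup_continue(uvc, 1), although set_alt now returns USB_GADGET_DELAYED_STATUS and uvc->state has already been set to UVC_STATE_CONNECTED. On that path the endpoint is left enabled and the delayed status stage is never completed, so either finish the setup on the error path as well or document why the failure cannot occur here. The call is also made on every successful streamoff, not only one triggered by set_alt; a comment on why calling usb_composite_setup_continue() with no delayed status pending is acceptable would help.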
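
Review bot: In the uvcg_video_pump() hunk of patch 1/4, the new loop condition reads uvc->state with no lock held, while the same field is written from the v4l2 callbacks in uvc_v4l2.c. Nothing in the visible lines orders that read against the write in uvc_v4l2_streamoff(). Please document what serialises the two, or use READ_ONCE()/WRITE_ONCE(), and say in the comment why `video->ep->enabled` is still tested now that the endpoint is only disabled after streamoff has run.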
Date: Fri, 20 Oct 2023 10:36:24 -0700
In-Reply-To: <20231020173626.2978356-1-arakesh@google.com>
References: <20231019185319.2714000-1-arakesh@google.com> <20231020173626.2978356-1-arakesh@google.com>
Message-ID: <20231020173626.2978356-2-arakesh@google.com>
Subject: [PATCH v7 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, laurent.pinchart@ideasonboard.com
Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allow for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT v2 -> v3: Fix email threading goof-up v3 -> v4: Address review comments & re-rebase to ToT v4 -> v5: Address more review comments. Add Reviewed-by & Tested-by. v5 -> v6: No change v6 -> v7: No change drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 89 ++++++++++++++----------- 2 files changed, 52 insertions(+), 40 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c334802ac0a4..c180866c8e34 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void +uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; 
@@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); + struct uvc_request *ureq, *temp; - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } - - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; - } + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) + uvc_video_free_request(ureq, video->ep); + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; 
@@ -332,29 +336,34 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; + INIT_LIST_HEAD(&video->ureqs); + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) + goto error; + + INIT_LIST_HEAD(&ureq->list); + + list_add_tail(&ureq->list, &video->ureqs); - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) goto error; - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; - list_add_tail(&video->ureq[i].req->list, &video->req_free); + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } @@ -489,8 +498,8 @@ static void uvcg_video_pump(struct work_struct *work) */ int uvcg_video_enable(struct uvc_video *video, int enable) { - unsigned int i; int ret; + struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -502,9 +511,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); 
@@ -536,6 +546,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump); From patchwork Fri Oct 20 17:36:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 156242 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2010:b0:403:3b70:6f57 with SMTP id fe16csp1220700vqb; Fri, 20 Oct 2023 10:37:18 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFUQoBAeXEIcFfOCx1BDjciRSR5FdxbZms151NkSvdgVIzE+Q9IZ28bC6qZ17smAhFfU7Es X-Received: by 2002:a17:902:d506:b0:1c2:1068:1f4f with SMTP id b6-20020a170902d50600b001c210681f4fmr2389066plg.17.1697823438720; Fri, 20 Oct 2023 10:37:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697823438; cv=none; d=google.com; s=arc-20160816; b=si+SWnYK5LADeMYkhANKuC7xsHNMF9G0VP1V42y3y3puBVxWSalAWmFg4BZfR75eA8 QW8OiTrlHdMUcn/NI/MNmk+I3rcT+eiomWBqiYJ70L6PfVorvHl3H7xFHNp+6LHf2blw fitOXehRmfLY3SKE6mq36NxO5Wo2DSsmRJCqFHY0mNVoC8foSluYtLxGcdC24dyF6MNM fFVAzahsSvn83LbbsjSVNTzkHQ6zGn1vPeqbht9ZPYil5BiTEW8rYaziPLdZUjgYw5fB ESU6zWIjDXAYBdEIjFQWzsM08el89M9dNWSDbUJDABCoebl02C5Px17zCXfeCX7vWqBC 5XjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=dvfxkLD/8r79lzQNiiWwUNyjecc96GlFwHFwp2Vnnrk=; fh=ZuR/xKK0Vaehz3KB7/T22kQP0avlELYmENYirXVqW4Q=; b=EjkfVzqcs9LRVj5dMuykv3FeEMyWdScpZBZ375VeRZB+y+MviPUdf3uabfOMoHu8ug O9PRRSv9fdYUvX02wRKVuGVSut/fVvFtEf/VyuM6fcl3UmC11rLvV1YHcvaPa6Vedq7S XbD1D88j6Ply0bdD5UjdVNFV3T4DdE4Rht60k8IJpLozt1/JcXphOkzjpVhwkPfUCEW1 zCoUBYUWTL7Z8e7FAZHnCnc4dEGYtS1RQTfr5Sh8PxNvjlX/Uylq7iWVoS3+w7l0pJZh S3AiIs5gOZs7pQAfzqPwR885rmX6xwYc8m3hILw4jT0W25wD+prYuNkwdxa2Wp/CrBV0 
Date: Fri, 20 Oct 2023 10:36:25 -0700
In-Reply-To: <20231020173626.2978356-1-arakesh@google.com>
References: <20231019185319.2714000-1-arakesh@google.com> <20231020173626.2978356-1-arakesh@google.com>
Message-ID: <20231020173626.2978356-3-arakesh@google.com>
Subject: [PATCH v7 3/4] usb: gadget: uvc: move video disable logic to its own function
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, laurent.pinchart@ideasonboard.com
Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

This patch refactors the video disable logic in uvcg_video_enable into its own separate function 'uvcg_video_disable'.

Suggested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- v6: Introduced this patch to make the next one easier to review v6 -> v7: Add Suggested-by drivers/usb/gadget/function/uvc_video.c | 37 +++++++++++++++---------- 1 file changed, 23 insertions(+), 14 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c180866c8e34..80b8eaea2d39 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c 
@@ -493,13 +493,33 @@ static void uvcg_video_pump(struct work_struct *work) return; } +/* + * Disable video stream + */ +static int +uvcg_video_disable(struct uvc_video *video) +{ + struct uvc_request *ureq; + + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); + + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } + + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); + return 0; +} + /* * Enable or disable the video stream. */ int uvcg_video_enable(struct uvc_video *video, int enable) { int ret; - struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -507,19 +527,8 @@ int uvcg_video_enable(struct uvc_video *video, int enable) return -ENODEV; } - if (!enable) { - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); - - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } - - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); - return 0; - } + if (!enable) + return uvcg_video_disable(video); if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret;

From patchwork Fri Oct 20 17:36:26 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 156241
Date: Fri, 20 Oct 2023 10:36:26 -0700
In-Reply-To: <20231020173626.2978356-1-arakesh@google.com>
References: <20231019185319.2714000-1-arakesh@google.com> <20231020173626.2978356-1-arakesh@google.com>
X-Mailer: git-send-email 2.42.0.758.gaed0368e0e-goog
Message-ID: <20231020173626.2978356-4-arakesh@google.com>
Subject: [PATCH v7 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, laurent.pinchart@ideasonboard.com
Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_video to track when frames and requests should be flowing. When disabling the video stream, the flag is tripped and, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by it (as present in req_free). Other usb_requests are left untouched until their completion handler is called which takes care of freeing the usb_request and its corresponding uvc_request.

Now that uvc_video does not depend on uvc->state, this patch removes unnecessary updates to uvc->state that were made to accommodate uvc_video logic.

This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh
---
v1 -> v2: Rebased to ToT, and fixed deadlock reported in https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/
v2 -> v3: Fix email threading goof-up
v3 -> v4: re-rebase to ToT & moved to a uvc_video level lock as discussed in https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/
v4 -> v5: Address review comments. Add Reviewed-by & Tested-by.
v5 -> v6: Added another patch before this one to make uvcg_video_disable easier to review.
v6 -> v7: Fix warning reported in https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/

 drivers/usb/gadget/function/uvc.h | 1 +
 drivers/usb/gadget/function/uvc_v4l2.c | 12 +--
 drivers/usb/gadget/function/uvc_video.c | 128 ++++++++++++++++++++----
 3 files changed, 111 insertions(+), 30 deletions(-)

--
2.42.0.758.gaed0368e0e-goog

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..be0d012aa244 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -102,6 +102,7 @@ struct uvc_video { unsigned int uvc_num_requests; /* Requests */ + bool is_enabled; /* tracks whether video stream is enabled */ unsigned int req_size; struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 7cb8d027ff0c..f4d2e24835d4 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -451,8 +451,8 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; + uvc_function_setup_continue(uvc, 0); return 0; } @@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) if (type != video->queue.queue.type) return -EINVAL; - uvc->state = UVC_STATE_CONNECTED; ret = uvcg_video_enable(video, 0); if (ret < 0) return ret; + uvc->state = UVC_STATE_CONNECTED; uvc_function_setup_continue(uvc, 1); return 0; } @@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); - /* - * Drop uvc->state to CONNECTED if it was streaming before. - * This ensures that the usb_requests are no longer queued - * to the controller. - */ - if (uvc->state == UVC_STATE_STREAMING) - uvc->state = UVC_STATE_CONNECTED; - uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 80b8eaea2d39..ab3f02054e85 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,9 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +/* + * Must be called with req_lock held as it modifies the list ureq is held in + */ static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) { 
@@ -271,9 +274,25 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_request *ureq = req->context; struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; - struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf = NULL; unsigned long flags; + spin_lock_irqsave(&video->req_lock, flags); + if (!video->is_enabled) { + /* + * When is_enabled is false, uvc_video_disable ensures that + * in-flight uvc_buffers are returned, so we can safely + * call free_request without worrying about last_buf. + */ + uvc_video_free_request(ureq, ep); + spin_unlock_irqrestore(&video->req_lock, flags); + return; + } + + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + switch (req->status) { case 0: break; @@ -295,17 +314,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&queue->irqlock, flags); + uvcg_complete_buffer(&video->queue, last_buf); + spin_unlock_irqrestore(&queue->irqlock, flags); } spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); - spin_unlock_irqrestore(&video->req_lock, flags); - - if (uvc->state == UVC_STATE_STREAMING) + /* + * Video stream might have been disabled while we were + * processing the current usb_request. So make sure + * we're still streaming before queueing the usb_request + * back to req_free + */ + if (video->is_enabled) { + list_add_tail(&req->list, &video->req_free); queue_work(video->async_wq, &video->pump); + } else { + uvc_video_free_request(ureq, ep); + } + spin_unlock_irqrestore(&video->req_lock, flags); } static int 
@@ -393,20 +421,22 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; - struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { + while (true) { + if (!video->ep->enabled) + return; + /* - * Retrieve the first available USB request, protected by the - * request lock. + * Check is_enabled and retrieve the first available USB + * request, protected by the request lock. */ spin_lock_irqsave(&video->req_lock, flags); - if (list_empty(&video->req_free)) { + if (!video->is_enabled || list_empty(&video->req_free)) { spin_unlock_irqrestore(&video->req_lock, flags); return; } @@ -488,9 +518,11 @@ static void uvcg_video_pump(struct work_struct *work) return; spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + if (video->is_enabled) + list_add_tail(&req->list, &video->req_free); + else + uvc_video_free_request(req->context, video->ep); spin_unlock_irqrestore(&video->req_lock, flags); - return; } /* 
@@ -499,17 +531,64 @@ static void uvcg_video_pump(struct work_struct *work) static int uvcg_video_disable(struct uvc_video *video) { - struct uvc_request *ureq; + unsigned long flags; + struct list_head inflight_bufs; + struct usb_request *req, *temp; + struct uvc_buffer *buf, *btemp; + struct uvc_request *ureq, *utemp; + + INIT_LIST_HEAD(&inflight_bufs); + spin_lock_irqsave(&video->req_lock, flags); + video->is_enabled = false; + + /* + * Remove any in-flight buffers from the uvc_requests + * because we want to return them before cancelling the + * queue. This ensures that we aren't stuck waiting for + * all complete callbacks to come through before disabling + * vb2 queue. + */ + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->last_buf) { + list_add_tail(&ureq->last_buf->queue, &inflight_bufs); + ureq->last_buf = NULL; + } + } + spin_unlock_irqrestore(&video->req_lock, flags); cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); + spin_lock_irqsave(&video->req_lock, flags); + /* + * Remove all uvc_reqeusts from ureqs with list_del_init + * This lets uvc_video_free_request correctly identify + * if the uvc_request is attached to a list or not when freeing + * memory. + */ + list_for_each_entry_safe(ureq, utemp, &video->ureqs, list) + list_del_init(&ureq->list); + + list_for_each_entry_safe(req, temp, &video->req_free, list) { + list_del(&req->list); + uvc_video_free_request(req->context, video->ep); } - uvc_video_free_requests(video); + INIT_LIST_HEAD(&video->ureqs); + INIT_LIST_HEAD(&video->req_free); + video->req_size = 0; + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * Return all the video buffers before disabling the queue. 
+ */ + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) { + list_del(&buf->queue); + uvcg_complete_buffer(&video->queue, buf); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + uvcg_queue_enable(&video->queue, 0); return 0; } @@ -530,6 +609,14 @@ int uvcg_video_enable(struct uvc_video *video, int enable) if (!enable) return uvcg_video_disable(video); + /* + * Safe to access request related fields without req_lock because + * this is the only thread currently active, and no other + * request handling thread will become active until this function + * returns. + */ + video->is_enabled = true; + if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret; @@ -555,6 +642,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + video->is_enabled = false; INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock);
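
Review bot: In uvc_video_complete() (uvc_video.c, hunk at -271), the early return taken when !video->is_enabled relies on an invariant that is only stated in a comment: that last_buf has already been detached by the disable path. The comment also names uvc_video_disable, while the function added by this series is uvcg_video_disable(). Please correct the name, and consider a WARN_ON(ureq->last_buf) before uvc_video_free_request(ureq, ep) so the assumption is checked rather than trusted. Note as well that this path returns before the req->status switch, so any error status on a late completion is dropped without a log line.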
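
Review bot: In uvcg_video_disable() (uvc_video.c, hunk at -499), the usb_ep_dequeue() loop is dropped and every uvc_request is unlinked from ureqs with list_del_init(), so requests still held by the controller are no longer tracked anywhere and are freed only if uvc_video_complete() eventually runs for them. That handler reads ureq->video and takes video->req_lock, so struct uvc_video has to outlive every outstanding completion, and nothing in the visible lines enforces or documents that. Please state the lifetime requirement in the function comment, and consider keeping a count of in-flight requests so teardown can wait for it to reach zero. Separately, list_add_tail(&ureq->last_buf->queue, &inflight_bufs) is done under req_lock while the matching list_del(&buf->queue) is done under queue.irqlock; a sentence explaining why the buffer's queue node cannot be linked on another list at that point would help. The comment above list_del_init() misspells uvc_requests as "uvc_reqeusts".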
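
Review bot: In uvcg_video_enable() (uvc_video.c, hunk at -530), video->is_enabled = true is set before uvcg_queue_enable(&video->queue, 1), and the "return ret;" on failure leaves the flag set even though the stream never started. Clear the flag on that error path, or set it only after the queue has been enabled, so that is_enabled cannot disagree with the real stream state. The new comment's claim that this is "the only thread currently active" is a requirement on callers rather than something this function checks; it would be worth saying which caller-side serialization guarantees it.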