From patchwork Tue Oct 24 18:36:02 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 157666
Date: Tue, 24 Oct 2023 11:36:02 -0700
In-Reply-To: <20231019185319.2714000-1-arakesh@google.com>
References: <20231019185319.2714000-1-arakesh@google.com>
Message-ID: <20231024183605.908253-1-arakesh@google.com>
Subject: [PATCH v8 1/4] usb: gadget: uvc: prevent use of disabled endpoint
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com
Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint.

This change moves disabling usb endpoint to the end of streamoff event callback. As the endpoint's state can no longer be used, video_pump is now guarded by uvc->state as well. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh Reviewed-by: Daniel Scally --- v1 -> v2: Rebased to ToT and reworded commit message. v2 -> v3: Fix email threading goof-up v3 -> v4: Address review comments & re-rebase to ToT v4 -> v5: Add Reviewed-by & Tested-by v5 -> v6: No change v6 -> v7: No change v7 -> v8: No change. Getting back in review queue drivers/usb/gadget/function/f_uvc.c | 11 +++++------ drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 2 +- drivers/usb/gadget/function/uvc_v4l2.c | 20 +++++++++++++++++--- drivers/usb/gadget/function/uvc_video.c | 3 ++- 5 files changed, 26 insertions(+), 12 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index faa398109431..ae08341961eb 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) + usb_ep_disable(uvc->video.ep); + usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..e7f9f13f14dc 100644 --- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h 
@@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disale_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..7cb8d027ff0c 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) + return ret; + + uvc_function_setup_continue(uvc, 1); + return 0; } static int 
@@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + if (uvc->state == UVC_STATE_STREAMING) + uvc->state = UVC_STATE_CONNECTED; + uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; @@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 91af3b1ef0d4..c334802ac0a4 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c 
@@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; + struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (video->ep->enabled) { + while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { /* * Retrieve the first available USB request, protected by the * request lock.
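
Review bot: The prototype in the f_uvc.h hunk spells the new parameter `disale_ep`, while the definition in f_uvc.c and the extern declaration in uvc.h use `disable_ep`. It compiles because parameter names in declarations are not compared, but the typo should be fixed, and since the callers only pass 0 or 1 a `bool` would document the intent better than `int`. The function is also declared in both f_uvc.h and uvc.h, so every signature change has to be made twice; consider keeping a single declaration.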
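
Review bot: In uvc_function_set_alt() the alt 0 case now returns USB_GADGET_DELAYED_STATUS, so the status stage completes only when userspace reacts to UVC_EVENT_STREAMOFF and uvc_v4l2_streamoff() reaches `uvc_function_setup_continue(uvc, 1)`. Both early returns in uvc_v4l2_streamoff() (the `type` mismatch returning -EINVAL and `ret < 0` from uvcg_video_enable()) skip that call, leaving the control transfer uncompleted and the endpoint enabled, and on the `ret < 0` path uvc->state has already been set to UVC_STATE_CONNECTED. The reverse case needs a guard or a comment too: a streamoff issued by userspace with no set_alt pending still calls uvc_function_setup_continue(uvc, 1), and nothing in these hunks records whether a delayed status is actually outstanding.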
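
Review bot: The new loop condition in uvcg_video_pump() reads uvc->state with a plain load and no lock, while uvc_v4l2_streamon(), uvc_v4l2_streamoff() and uvc_v4l2_disable() write it from other contexts. The check is made only at the top of each iteration, so the state can change between the test and the queueing that follows. If the intended guarantee is that the pump work is cancelled before the endpoint is disabled, say so in a comment next to the condition; otherwise use READ_ONCE()/WRITE_ONCE() or take a lock around the state transitions.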
From patchwork Tue Oct 24 18:36:03 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 157665
Date: Tue, 24 Oct 2023 11:36:03 -0700
In-Reply-To: <20231024183605.908253-1-arakesh@google.com>
References: <20231019185319.2714000-1-arakesh@google.com> <20231024183605.908253-1-arakesh@google.com>
Message-ID: <20231024183605.908253-2-arakesh@google.com>
Subject: [PATCH v8 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com
Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allow for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT v2 -> v3: Fix email threading goof-up v3 -> v4: Address review comments & re-rebase to ToT v4 -> v5: Address more review comments. Add Reviewed-by & Tested-by. v5 -> v6: No change v6 -> v7: No change v7 -> v8: No change. Getting back in review queue drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 89 ++++++++++++++----------- 2 files changed, 52 insertions(+), 40 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c334802ac0a4..c180866c8e34 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void +uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; 
@@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); + struct uvc_request *ureq, *temp; - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } - - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; - } + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) + uvc_video_free_request(ureq, video->ep); + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; 
@@ -332,29 +336,34 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; + INIT_LIST_HEAD(&video->ureqs); + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) + goto error; + + INIT_LIST_HEAD(&ureq->list); + + list_add_tail(&ureq->list, &video->ureqs); - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) goto error; - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; - list_add_tail(&video->ureq[i].req->list, &video->req_free); + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } @@ -489,8 +498,8 @@ static void uvcg_video_pump(struct work_struct *work) */ int uvcg_video_enable(struct uvc_video *video, int enable) { - unsigned int i; int ret; + struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -502,9 +511,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); 
@@ -536,6 +546,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump);
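
Review bot: In uvc_video_alloc_requests() the return value of sg_alloc_table() is still ignored: `sg_alloc_table(&ureq->sgt, ...)` is the last statement of the rewritten loop body, and a failure there leaves the request on both video->ureqs and video->req_free with a table that was never set up. Since the loop is being rewritten anyway, check the result and `goto error` like the other allocations. Note also that ureq is added to video->ureqs before req_buffer and req are allocated, so the error path hands partially initialised entries to uvc_video_free_request(); that relies on kzalloc() zeroing the structure, which deserves a one-line comment.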
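
Review bot: In uvc_video_free_request() the condition `if (ureq->req && ep)` means that when ep is NULL the usb_request is not freed, yet `kfree(ureq)` a few lines later drops the only pointer to it, so the request leaks silently. Either WARN on that combination or document why ep cannot be NULL while ureq->req is set. The `list_empty()` test before `list_del_init()` is unnecessary because every ureq gets INIT_LIST_HEAD() at allocation, and a plain `list_del()` is enough right before the kfree().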
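
Review bot: In the uvcg_video_enable() hunk the disable path walks video->ureqs calling usb_ep_dequeue() and then immediately calls uvc_video_free_requests(), so a request the controller has not yet handed back is still freed, which is the use-after-free the commit message describes. The message says this is 1 of 2 patches; a short comment at this call site pointing to the follow-up would keep anyone from reading this version as the complete fix.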
From patchwork Tue Oct 24 18:36:04 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 157667
Date: Tue, 24 Oct 2023 11:36:04 -0700
In-Reply-To: <20231024183605.908253-1-arakesh@google.com>
References: <20231019185319.2714000-1-arakesh@google.com> <20231024183605.908253-1-arakesh@google.com>
Message-ID: <20231024183605.908253-3-arakesh@google.com>
Subject: [PATCH v8 3/4] usb: gadget: uvc: move video disable logic to its own function
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com
Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

This patch refactors the video disable logic in uvcg_video_enable into its own separate function 'uvcg_video_disable'.

Suggested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh
---
v6: Introduced this patch to make the next one easier to review
v6 -> v7: Add Suggested-by
v7 -> v8: No change. Getting back in review queue

drivers/usb/gadget/function/uvc_video.c | 37 +++++++++++++++----------
1 file changed, 23 insertions(+), 14 deletions(-)
--
2.42.0.758.gaed0368e0e-goog

diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c180866c8e34..80b8eaea2d39 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c
@@ -493,13 +493,33 @@ static void uvcg_video_pump(struct work_struct *work) return; } +/* + * Disable video stream + */ +static int +uvcg_video_disable(struct uvc_video *video) +{ + struct uvc_request *ureq; + + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); + + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } + + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); + return 0; +} + /* * Enable or disable the video stream. */ int uvcg_video_enable(struct uvc_video *video, int enable) { int ret; - struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -507,19 +527,8 @@ int uvcg_video_enable(struct uvc_video *video, int enable) return -ENODEV; } - if (!enable) { - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); - - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } - - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); - return 0; - } + if (!enable) + return uvcg_video_disable(video); if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret; From patchwork Tue Oct 24 18:36:05 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 157669 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:ce89:0:b0:403:3b70:6f57 with SMTP id p9csp2133876vqx; Tue, 24 Oct 2023 11:36:47 -0700 (PDT) X-Google-Smtp-Source: AGHT+IG/365sfGyEfOKm6JM9l+Bavny7obTDW+Qt+LFysAD6V5bpUm+ICT2VFRcMqY00wsPWglzL X-Received: by 2002:a05:6358:729c:b0:168:e06f:d798 with SMTP id w28-20020a056358729c00b00168e06fd798mr6325562rwf.12.1698172607075; Tue, 24 Oct 2023 11:36:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698172607; cv=none; d=google.com; s=arc-20160816; b=x5+xl7Irpmko3z3riv4/2R4eQwHOu5MkJgYqrMwgtcrGxbCghtRqMRYk3ezYJQWWFN GFk4kmM42bT7lr5mprBm8qT1zbDuk/l16+HC/As3FL0RtNF6s3/OQ/gbhNgu5bd9EAvc u7e+Qkbk3ZdMgpgJLnlsWdXneRW9IS7gj/gv3D7o8dU39VlCUIBZpHj9ga551XlD5H5i 2oqO+Kqy0xlZCyQAFSil2jynYiIHm8u45nZf7pEbflpi8sd8xMtI58Iocr3n95g+yPDq Wi/jVIQZKwMnCPtmILHBKk5U05OIvgmSNLzVyymq38dLzR3sQu5DPrA9oM0wofCRcsoe oXbw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=znU7TMxG4WwaAvkxwpYyhySgtF4OskU9iamXPqB9Rkw=; fh=mNRU094uygHtWEbbVt2iuJXx5ZS7icP/BgRleDWzkbQ=; b=erqU8DfS1XmrwheDypKxJkDUxGVwMEn3PJsZ/3ShtCY6tkd9W2J3DLHCJhrk1u8C6g 
Date: Tue, 24 Oct 2023 11:36:05 -0700
In-Reply-To: <20231024183605.908253-1-arakesh@google.com>
References: <20231019185319.2714000-1-arakesh@google.com> <20231024183605.908253-1-arakesh@google.com>
Message-ID: <20231024183605.908253-4-arakesh@google.com>
Subject: [PATCH v8 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org, laurent.pinchart@ideasonboard.com
Cc: etalvala@google.com, jchowdhary@google.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_video to track when frames and requests should be flowing. When disabling the video stream, the flag is tripped and, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by it (as present in req_free). Other usb_requests are left untouched until their completion handler is called which takes care of freeing the usb_request and its corresponding uvc_request.

Now that uvc_video does not depend on uvc->state, this patch removes unnecessary updates to uvc->state that were made to accommodate uvc_video logic.

This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Suggested-by: Michael Grzeschik Reviewed-by: Michael Grzeschik Tested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2: Rebased to ToT, and fixed deadlock reported in https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/ v2 -> v3: Fix email threading goof-up v3 -> v4: re-rebase to ToT & moved to a uvc_video level lock as discussed in https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/ v4 -> v5: Address review comments. Add Reviewed-by & Tested-by. v5 -> v6: Added another patch before this one to make uvcg_video_disable easier to review. v6 -> v7: Fix warning reported in https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/ v7 -> v8: No change. Getting back in review queue drivers/usb/gadget/function/uvc.h | 1 + drivers/usb/gadget/function/uvc_v4l2.c | 12 +-- drivers/usb/gadget/function/uvc_video.c | 128 ++++++++++++++++++++---- 3 files changed, 111 insertions(+), 30 deletions(-) -- 2.42.0.758.gaed0368e0e-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..be0d012aa244 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -102,6 +102,7 @@ struct uvc_video { unsigned int uvc_num_requests; /* Requests */ + bool is_enabled; /* tracks whether video stream is enabled */ unsigned int req_size; struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 7cb8d027ff0c..f4d2e24835d4 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c 
@@ -451,8 +451,8 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; + uvc_function_setup_continue(uvc, 0); return 0; } @@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) if (type != video->queue.queue.type) return -EINVAL; - uvc->state = UVC_STATE_CONNECTED; ret = uvcg_video_enable(video, 0); if (ret < 0) return ret; + uvc->state = UVC_STATE_CONNECTED; uvc_function_setup_continue(uvc, 1); return 0; } @@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); - /* - * Drop uvc->state to CONNECTED if it was streaming before. - * This ensures that the usb_requests are no longer queued - * to the controller. - */ - if (uvc->state == UVC_STATE_STREAMING) - uvc->state = UVC_STATE_CONNECTED; - uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 80b8eaea2d39..ab3f02054e85 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,9 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +/* + * Must be called with req_lock held as it modifies the list ureq is held in + */ static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) { 
@@ -271,9 +274,25 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_request *ureq = req->context; struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; - struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf = NULL; unsigned long flags; + spin_lock_irqsave(&video->req_lock, flags); + if (!video->is_enabled) { + /* + * When is_enabled is false, uvc_video_disable ensures that + * in-flight uvc_buffers are returned, so we can safely + * call free_request without worrying about last_buf. + */ + uvc_video_free_request(ureq, ep); + spin_unlock_irqrestore(&video->req_lock, flags); + return; + } + + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + switch (req->status) { case 0: break; @@ -295,17 +314,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&queue->irqlock, flags); + uvcg_complete_buffer(&video->queue, last_buf); + spin_unlock_irqrestore(&queue->irqlock, flags); } spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); - spin_unlock_irqrestore(&video->req_lock, flags); - - if (uvc->state == UVC_STATE_STREAMING) + /* + * Video stream might have been disabled while we were + * processing the current usb_request. So make sure + * we're still streaming before queueing the usb_request + * back to req_free + */ + if (video->is_enabled) { + list_add_tail(&req->list, &video->req_free); queue_work(video->async_wq, &video->pump); + } else { + uvc_video_free_request(ureq, ep); + } + spin_unlock_irqrestore(&video->req_lock, flags); } static int 
@@ -393,20 +421,22 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; - struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { + while (true) { + if (!video->ep->enabled) + return; + /* - * Retrieve the first available USB request, protected by the - * request lock. + * Check is_enabled and retrieve the first available USB + * request, protected by the request lock. */ spin_lock_irqsave(&video->req_lock, flags); - if (list_empty(&video->req_free)) { + if (!video->is_enabled || list_empty(&video->req_free)) { spin_unlock_irqrestore(&video->req_lock, flags); return; } @@ -488,9 +518,11 @@ static void uvcg_video_pump(struct work_struct *work) return; spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + if (video->is_enabled) + list_add_tail(&req->list, &video->req_free); + else + uvc_video_free_request(req->context, video->ep); spin_unlock_irqrestore(&video->req_lock, flags); - return; } /* 
@@ -499,17 +531,64 @@ static void uvcg_video_pump(struct work_struct *work) static int uvcg_video_disable(struct uvc_video *video) { - struct uvc_request *ureq; + unsigned long flags; + struct list_head inflight_bufs; + struct usb_request *req, *temp; + struct uvc_buffer *buf, *btemp; + struct uvc_request *ureq, *utemp; + + INIT_LIST_HEAD(&inflight_bufs); + spin_lock_irqsave(&video->req_lock, flags); + video->is_enabled = false; + + /* + * Remove any in-flight buffers from the uvc_requests + * because we want to return them before cancelling the + * queue. This ensures that we aren't stuck waiting for + * all complete callbacks to come through before disabling + * vb2 queue. + */ + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->last_buf) { + list_add_tail(&ureq->last_buf->queue, &inflight_bufs); + ureq->last_buf = NULL; + } + } + spin_unlock_irqrestore(&video->req_lock, flags); cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); + spin_lock_irqsave(&video->req_lock, flags); + /* + * Remove all uvc_reqeusts from ureqs with list_del_init + * This lets uvc_video_free_request correctly identify + * if the uvc_request is attached to a list or not when freeing + * memory. + */ + list_for_each_entry_safe(ureq, utemp, &video->ureqs, list) + list_del_init(&ureq->list); + + list_for_each_entry_safe(req, temp, &video->req_free, list) { + list_del(&req->list); + uvc_video_free_request(req->context, video->ep); } - uvc_video_free_requests(video); + INIT_LIST_HEAD(&video->ureqs); + INIT_LIST_HEAD(&video->req_free); + video->req_size = 0; + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * Return all the video buffers before disabling the queue. 
+ */ + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) { + list_del(&buf->queue); + uvcg_complete_buffer(&video->queue, buf); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + uvcg_queue_enable(&video->queue, 0); return 0; } @@ -530,6 +609,14 @@ int uvcg_video_enable(struct uvc_video *video, int enable) if (!enable) return uvcg_video_disable(video); + /* + * Safe to access request related fields without req_lock because + * this is the only thread currently active, and no other + * request handling thread will become active until this function + * returns. + */ + video->is_enabled = true; + if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret; @@ -555,6 +642,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + video->is_enabled = false; INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock);
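Review bot: the comment on the new is_enabled field in struct uvc_video (uvc.h, @@ -102,6 +102,7) does not say which lock protects it. Every reader and writer on the streaming path in uvc_video.c (uvc_video_complete, uvcg_video_pump, uvcg_video_disable) takes video->req_lock first, and only uvcg_video_enable() and uvcg_video_init() write it unlocked. Stating "protected by req_lock" next to the field would make that rule visible to anyone adding a new access later.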
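Review bot: the reordering in uvc_v4l2_streamon() (uvc_v4l2.c, @@ -451,8 +451,8), where uvc->state = UVC_STATE_STREAMING now precedes uvc_function_setup_continue(uvc, 0), is not covered by the commit message, which only talks about removing unnecessary updates to uvc->state. Please add a sentence on why the state has to be visible before the setup phase is continued, so the ordering is not undone by a later cleanup.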
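Review bot: in uvc_v4l2_streamoff() (uvc_v4l2.c, @@ -468,11 +468,11) the assignment uvc->state = UVC_STATE_CONNECTED now sits after the "if (ret < 0) return ret;" check, so a failing uvcg_video_enable(video, 0) leaves the state unchanged where it used to be dropped to CONNECTED first. If keeping the old state on failure is the intent, it deserves a line in the commit message; if not, the assignment should stay ahead of the error return.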
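Review bot: the locking rule added above uvc_video_free_request() (uvc_video.c, @@ -227,6 +227,9) is only a comment, so a caller that forgets req_lock will not be caught. Since the function receives the uvc_request and ureq->video is available, a lockdep_assert_held(&ureq->video->req_lock) at the top would enforce "Must be called with req_lock held" on lockdep builds. Any caller of this function that is not touched by this diff needs to be checked against the new rule as well.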
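Review bot: the new comment in the early-return path of uvc_video_complete() (uvc_video.c, @@ -271,9 +274,25) refers to uvc_video_disable, but the function changed in this patch is uvcg_video_disable. Please fix the name so the comment can be grepped. The same comment is the only place that explains why last_buf can be ignored on this path, so it is worth being exact.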
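Review bot: in the second uvc_video_complete() hunk (uvc_video.c, @@ -295,17 +314,26) a handler that copied ureq->last_buf into the local last_buf before the stream was disabled completes that buffer on its own, under queue->irqlock only, and uvcg_video_disable() can no longer see it in its ureqs walk. Nothing visible in this diff orders that uvcg_complete_buffer() call against the uvcg_queue_cancel() and uvcg_queue_enable(&video->queue, 0) calls in the disable path. Please either document why completing the buffer after the queue has been cancelled is harmless, or re-check is_enabled before completing it. As a smaller point, the call passes &video->queue while the lock uses queue->irqlock; using queue for both reads better.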
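Review bot: the tail of uvcg_video_pump() (uvc_video.c, @@ -488,9 +518,11) repeats the "if is_enabled, list_add_tail to req_free, else uvc_video_free_request" decision that was just added at the end of uvc_video_complete(). A small helper that takes the request and is called with req_lock held would keep the two paths from drifting apart, which matters here because a mismatch between them is exactly how a request ends up on req_free after the stream was disabled.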
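Review bot: the uvcg_video_disable() hunk (uvc_video.c, @@ -499,17 +531,64) removes the loop that called usb_ep_dequeue(video->ep, ureq->req) and puts nothing in its place, so every request still held by the controller is freed only when uvc_video_complete() eventually runs for it. Please say in a comment what guarantees those completions arrive (for example, who disables the endpoint and when), or keep the dequeue so the requests are flushed here; otherwise they stay allocated for as long as the controller holds them. Also in this hunk: "uvc_reqeusts" in the list_del_init comment is a typo for uvc_requests, and the function still returns int although its only return is 0.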
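Review bot: in uvcg_video_enable() (uvc_video.c, @@ -530,6 +609,14) video->is_enabled = true is set before uvcg_queue_enable(&video->queue, 1), and the "return ret;" on failure leaves the flag set. From then on uvc_video_complete() and uvcg_video_pump() treat the stream as live even though enabling failed. Clearing the flag on that error path, and on any later error return in this function, would keep is_enabled in step with the actual stream state.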