From patchwork Mon Oct 30 20:22:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 159869 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:d641:0:b0:403:3b70:6f57 with SMTP id cy1csp2485264vqb; Mon, 30 Oct 2023 13:22:56 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHzJmHxaKLE9Ak0gSpKIqN5FXjJGrspv2fWJGla8saTMlGmbB/U8NhmpJnHBUS7m52US+md X-Received: by 2002:a05:6a20:da8f:b0:17b:1f76:86ee with SMTP id iy15-20020a056a20da8f00b0017b1f7686eemr1043524pzb.16.1698697376248; Mon, 30 Oct 2023 13:22:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698697376; cv=none; d=google.com; s=arc-20160816; b=YRQ4P1PBSEdqMBWYYkjn+UaXYDRrBxTw6qbqzB3Jq/6EBooKCk2ROJ0W6+ZiNu7bPP 228s3P1V4f1x2tWLSu4Q9vVGr9gGbpFBFI2ygSFRu6OSMIf6tuYJOwDAIMEqtOk8eUbD xgE9ZLKrs18qYheSuP6bq22zCauscNAoerujwRLKbWTET4NPxrS5M29QagvtSR0HXA4E p01smICucDNjWPLVe7UokrubJD7Fd1rSbd8499H0QZ8Em42Xfi2s+d0DPzvhStPhva75 w1ne0d87bLcrWE4aYA97kjcKZadfhnKogHQFwAeG0hxb7zOxhd2Qs2LT4eiK0IKAiSY0 6i9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=RZbkFdW7n25fZk9cwmO7qLQnmgnKAK5eU70WepjOvI4=; fh=p+LYTnSpNzrqEe7IwOmRmqfbsNd6xnlNPhpiE7PelQI=; b=UEis9b9JnDRkKnLQJ2nV1qhTsOIfvNNeEEqzwlf4pdAGVhZwarmK0GChnmiYVgvUhb uNIWovejUBGtDiKZ49bUH2NtMbIDK+JbSOPzKUiWqnkZD0zUIugFJUhvItChIcZxvNOr fXNYyaZkrQAg9M9SnESOm+Ghd685zMYeiOPkCNsiVaRO7uQ4GCBgt4w2DM3lwT8Bs0h+ O5dyAavroVPtn58UMU7UFoXfX12kfTlwIgPmRXF972L42usgWcYUpHFr5LeG1eNstceq R1/B9XcmQ1xgaEC1aXQnRfpBRlgO7wvCwHs00j6d6ZjasJEvH3KoDB7ZVTT69kW+ALAq PhIg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=gvKoH2W+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id s18-20020a056a0008d200b006c128a7f813si1352276pfu.177.2023.10.30.13.22.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Oct 2023 13:22:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=gvKoH2W+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 7D6F48048C2D; Mon, 30 Oct 2023 13:22:52 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229891AbjJ3UWm (ORCPT + 32 others); Mon, 30 Oct 2023 16:22:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52284 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229485AbjJ3UWl (ORCPT ); Mon, 30 Oct 2023 16:22:41 -0400 Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com [IPv6:2607:f8b0:4864:20::114a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF086101 for ; Mon, 30 Oct 2023 13:22:35 -0700 (PDT) Received: by mail-yw1-x114a.google.com with SMTP id 00721157ae682-5b0e9c78309so26108727b3.1 for ; Mon, 30 Oct 2023 13:22:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698697355; x=1699302155; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=RZbkFdW7n25fZk9cwmO7qLQnmgnKAK5eU70WepjOvI4=; b=gvKoH2W+4/t9QzFXL/8SBkeGxP72e1Uh7PRT3YaKNFyI9XhOQXxrbi9hMH0/4bXW01 lSH3qMwzNs3Mc7eqCdM/xYPdZCtDJn7aUV4IEV0iR5yHICJCzuym0/NMucWIoY3hGKYA RoYdCfWGHXnr5OUyZTdMVYKi2peejmR+KcoTZATUERIXZ5Icx8ZFnsQuFWuJG1i5vf/v MC0Vsl26d9JzeYjT4nYzFYSQEQ7iqeqv2I0kCFIAPtkcxbcemu+RazEDR2fcLolI5RU0 ZvhrHgMdXAVCnNg5DKHOWcQBl/f+x7qtCZj7UXvRQTDiKABaeoTEi1anPTN6uJF/9GaV /5Jw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698697355; x=1699302155; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=RZbkFdW7n25fZk9cwmO7qLQnmgnKAK5eU70WepjOvI4=; b=BWhdEbW8NkLjnKbNB48rZOn9sMchjyrARIG0P5HBqV2IlZyvU4Nl3rR6NruEy9cSfQ JBQABXrUvtq03X8HqGrJs1seeM8cW4lrXJzylM0K9a3IRD8QRDGnWOWXo9ET7N8Nyv+V bM23FcIzVK7YWOVl3+4hxO0g3zFlccCnUyqSjmR3g9jOq8e9ln4EfUAdd2ofJmbBfCSc oCjvbVVIOY0TgCwRkrq3oCalJ9csc3OvOLar/jccWyJm8s3uRQSAzNjA63Yhh5CE9AdP w/LEv3wRqE/CocXLL7ZAPxzrIyi9t1qDicmeSrupxcBv0WKKKkMvN4eFU/PwoaQPrz+u ChuA== X-Gm-Message-State: AOJu0YzKj0te1mNb1h5nsOCTgKbPkOyYv58e5vXAG9zVCejHoqbgdSKn 87lrIAHtAuvMaltjUfc/DNznxf5rLBBq X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a81:920b:0:b0:59b:f3a2:cd79 with SMTP id j11-20020a81920b000000b0059bf3a2cd79mr219783ywg.8.1698697355197; Mon, 30 Oct 2023 13:22:35 -0700 (PDT) Date: Mon, 30 Oct 2023 13:22:28 -0700 In-Reply-To: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> Mime-Version: 1.0 References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> X-Mailer: git-send-email 2.42.0.820.g83a721a137-goog Message-ID: <20231030202231.3263253-1-arakesh@google.com> Subject: [PATCH v10 1/4] usb: gadget: uvc: prevent use of disabled endpoint From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de X-Spam-Status: No, score=-5.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SORTED_RECIPS,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 30 Oct 2023 13:22:52 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780941353830649923 X-GMAIL-MSGID: 1781213299742034630 Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint. This change moves disabling usb endpoint to the end of streamoff event callback. As the endpoint's state can no longer be used, video_pump is now guarded by uvc->state as well. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only. Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/ Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/ Reviewed-by: Daniel Scally Reviewed-by: Michael Grzeschik Tested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2 : Rebased to ToT and reworded commit message. v2 -> v3 : Fix email threading goof-up v3 -> v4 : Address review comments & re-rebase to ToT v4 -> v5 : Add Reviewed-by & Tested-by v5 -> v6 : No change v6 -> v7 : No change v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Fix typo. No functional change. v9 -> v10: Rebase to ToT (usb-next) drivers/usb/gadget/function/f_uvc.c | 11 +++++------ drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 2 +- drivers/usb/gadget/function/uvc_v4l2.c | 20 +++++++++++++++++--- drivers/usb/gadget/function/uvc_video.c | 3 ++- 5 files changed, 26 insertions(+), 12 deletions(-) -- 2.42.0.820.g83a721a137-goog diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index 786379f1b7b7..77999ed53d33 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) + usb_ep_disable(uvc->video.ep); + usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..083aef0c65c6 100644 --- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h @@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..7cb8d027ff0c 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) + return ret; + + uvc_function_setup_continue(uvc, 1); + return 0; } static int @@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + if (uvc->state == UVC_STATE_STREAMING) + uvc->state = UVC_STATE_CONNECTED; + uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; @@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 91af3b1ef0d4..c334802ac0a4 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; + struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (video->ep->enabled) { + while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { /* * Retrieve the first available USB request, protected by the * request lock. From patchwork Mon Oct 30 20:22:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 159871 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:d641:0:b0:403:3b70:6f57 with SMTP id cy1csp2485469vqb; Mon, 30 Oct 2023 13:23:27 -0700 (PDT) X-Google-Smtp-Source: AGHT+IH2gMe4iFtC+bOGAA7sJIFXLnf7B4ccKd9PmFTliSdJ8IjNwDUU+BhGNIpw+Jb4ZV9AMYym X-Received: by 2002:a05:6358:903:b0:168:eded:d6c9 with SMTP id r3-20020a056358090300b00168ededd6c9mr14205986rwi.29.1698697407377; Mon, 30 Oct 2023 13:23:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698697407; cv=none; d=google.com; s=arc-20160816; b=Iyc10bjAYFxTcvwTckqwC99nh6ojwPSQxkqljiKOtsnFVqueRsT0Bj3zBm+PYB8PYk uPIhkJNMqvxl8X1Ja42QqOvQz2XMZ++fUq5/6+Vn2AIVmTM7MtacWvgeOcV939oIRm8P yvGHAjfI+Jpsyeb+sl48fb+rvv2zK7Nm4vgfq5PaStCUA+qR02RfzF3NAOAFNMO5ZPLL h+tT/NRxpjJqi73zKgGFGwalDowfL0RL93Adh41uzfllf5slGrO8lVCInHSG9/WYQWOr 0W3E5y7pgyA0jilEXuODsTzCPFVws2PJusXCg54ONUGQhntiTi6XBYO1+dYxiK6vRw7a 8W4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=3PiTcTjMU7ri0ymZCHD9Fh4eI2qPR07kWGIdpEyb1ms=; fh=p+LYTnSpNzrqEe7IwOmRmqfbsNd6xnlNPhpiE7PelQI=; b=lungEdAj2yEhCjTxrJPGnZNisRXu153IqkBP2zkyTd/Lko/whThFLFXLfvKtrvOiQZ IzIuKCDtTsA31cxaXWxaXji1GTpxtF0zNK/TVJdLaO9sSq94LFZF35OvLw48CsA0O6Q2 bj6nzg0KJzvY4xR/4kRS+E76TXcMP4rXcv+bHB3GdCm+pQreDjJZycSGIqFcdPXtRHs6 Ks1Eb+0MhmhEG14XAR9JJLUVOg4Vvzo1ZK2XTfs13JtGcdnriTR5BbM0zKTxWBhpS+/s nutkYWVqvhoYpWFmcsOk8ONpYBwcW0y3xhVnd49YpOJUhUUTS5DHBv0+iMZXYUZ3sVaj EmaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=PTUcRUB9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from fry.vger.email (fry.vger.email. [23.128.96.38]) by mx.google.com with ESMTPS id m9-20020a654389000000b00565eb0b4f33si5452570pgp.224.2023.10.30.13.23.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Oct 2023 13:23:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=PTUcRUB9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 84FCA804C212; Mon, 30 Oct 2023 13:23:24 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230174AbjJ3UWp (ORCPT + 32 others); Mon, 30 Oct 2023 16:22:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52306 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229485AbjJ3UWn (ORCPT ); Mon, 30 Oct 2023 16:22:43 -0400 Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com [IPv6:2607:f8b0:4864:20::1149]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 11614FC for ; Mon, 30 Oct 2023 13:22:40 -0700 (PDT) Received: by mail-yw1-x1149.google.com with SMTP id 00721157ae682-5afacc566f3so38956267b3.3 for ; Mon, 30 Oct 2023 13:22:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698697359; x=1699302159; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=3PiTcTjMU7ri0ymZCHD9Fh4eI2qPR07kWGIdpEyb1ms=; b=PTUcRUB9UVQFJPoe2A83o8XBt0wKxzOLZHh2vLDWzmshCWZBttMFTcu0ChI70OrxKU /Tc2ZWEDLGXThISzEHNF2zQN0U1GvVLpc7TWRMVHz0S0cX7z/BoPRmZPo1yiDni/6wWu GUny4TU2zDmpahcg/9FoasADh7MoIVbSUJ7vjR9OlvafSHrWPT0cIcFufF3QM4x5P/G9 kyP9Mk7iLr0omy0wP1lG0OrzBtzLtLX2kE9Kc04xrn0lYljYjNKUNRhBERhn5AuU6HwY MvHNSxHywgpktHO0QLNx1EgYSUQTgGNz/oDz73lhpf4uKPhDsDz0AU9MpOiw7fCubqBF B96Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698697359; x=1699302159; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3PiTcTjMU7ri0ymZCHD9Fh4eI2qPR07kWGIdpEyb1ms=; b=M7X+vZ33pRgxFgSaLAcdEhIckubKOJH6owSweZUJRQ1RgGXhm9NweonE/an0mWBvrI JHM6NHh+Vu5qFJcIPP6KnWyXnmKH7V7y6lGtE9VXBkKGQIgtrOgmjk5dVSR9SrYj79Qe JzWH4lP9fKZeh0iyugSxSc+59/xUPt6wL5excuTSRf7VA/Iwm/qK0BBdqVxUVicrboJa dm1pICagK6SJLzTxlY54O5ppBAIf+A6PkA/Ft1Zv6WBPHxG9pfkCIWdjOCAhLkML6N/9 88OEWfaQpej7aV+vpWzvw9N7821cf8WwKZBkzbvVmgwnfGpV6nEbajDpmOGPtFIArmAc r1Pw== X-Gm-Message-State: AOJu0YxXfSaUySVVpWvKt86IJenvqTMkJAnDPIaR2advWM+nd+rIpxnB 3am3Wrz4YSPn9MjOiDv8dznP0D8Sxt89 X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a0d:d682:0:b0:5a8:15c4:5314 with SMTP id y124-20020a0dd682000000b005a815c45314mr193394ywd.4.1698697359183; Mon, 30 Oct 2023 13:22:39 -0700 (PDT) Date: Mon, 30 Oct 2023 13:22:29 -0700 In-Reply-To: <20231030202231.3263253-1-arakesh@google.com> Mime-Version: 1.0 References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231030202231.3263253-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.820.g83a721a137-goog Message-ID: <20231030202231.3263253-2-arakesh@google.com> Subject: [PATCH v10 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de X-Spam-Status: No, score=-5.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SORTED_RECIPS,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Mon, 30 Oct 2023 13:23:24 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780941366189213007 X-GMAIL-MSGID: 1781213332440647274 Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allows for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Suggested-by: Michael Grzeschik Reviewed-by: Michael Grzeschik Tested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh Reviewed-by: Daniel Scally --- v1 -> v2 : Rebased to ToT v2 -> v3 : Fix email threading goof-up v3 -> v4 : Address review comments & re-rebase to ToT v4 -> v5 : Address more review comments. Add Reviewed-by & Tested-by. v5 -> v6 : No change v6 -> v7 : No change v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Address review comments. v9 -> v10: Address review comments; remove BUG_ON(&video->reqs); Rebase to ToT (usb-next) drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 88 ++++++++++++++----------- 2 files changed, 51 insertions(+), 40 deletions(-) -- 2.42.0.820.g83a721a137-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c334802ac0a4..1619f9664748 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void +uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; @@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); + struct uvc_request *ureq, *temp; - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } - - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; - } + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) + uvc_video_free_request(ureq, video->ep); + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; @@ -332,29 +336,33 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) + goto error; + + INIT_LIST_HEAD(&ureq->list); + + list_add_tail(&ureq->list, &video->ureqs); - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) goto error; - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; - list_add_tail(&video->ureq[i].req->list, &video->req_free); + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } @@ -489,8 +497,8 @@ static void uvcg_video_pump(struct work_struct *work) */ int uvcg_video_enable(struct uvc_video *video, int enable) { - unsigned int i; int ret; + struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, @@ -502,9 +510,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); @@ -536,6 +545,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump); From patchwork Mon Oct 30 20:22:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 159870 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:d641:0:b0:403:3b70:6f57 with SMTP id cy1csp2485400vqb; Mon, 30 Oct 2023 13:23:18 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFR536TXwVPmMAF0m1JRH/nrdHb7n6RtGABJsP9ZiYYKVQUCNbtIft+5N76ByUecETgBkn4 X-Received: by 2002:a05:6a20:8e22:b0:15e:9923:3e35 with SMTP id y34-20020a056a208e2200b0015e99233e35mr815942pzj.19.1698697397987; Mon, 30 Oct 2023 13:23:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698697397; cv=none; d=google.com; s=arc-20160816; b=BdlRr7JAS0H7IsVTeVA9WBdYJG8CEF9ot/BkzJH61gOQGh+bL3pXkSc2KYFDiztfu4 2uJcR2y5PEFCnbQltugwZ0YtB6Vw9JNG1b90MjA/tiZEyuUg8ffn2PbdtX58CG+5TwgX dzalgB0N4mSNQ65ooT+NYxUubEcYCMhGMZKFaK8Hr7/MPp5GuIqAV4azG4HOq+2veIPV NU9ZU8Kasq7tl5BFblueHnxpAskYtkYVQeAUkVMh1uDqBjcUnd86aAmqNjnJyrQLcCPw hpWnEoxo8hFCbEm0DTXVYJHa4l+Fs30m0/89AfPW8k+1E1LI9+pkwWL1hPwyX/vA8R36 2fUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=ObSidP8JTCZls9mTLBjvE7k31kuLSrW0wzxXXc7FEEI=; fh=p+LYTnSpNzrqEe7IwOmRmqfbsNd6xnlNPhpiE7PelQI=; b=qwtLe3GKOro0ooTRoVkMarhEf1mYS9tx6FtPYDsLF0cA3f+wYryOA3lIgE6g7GzWWn k4uR1mgvolRY9bMeO1L9WkDTo6mPw8UcErhAvpuY86klBoMTntACNYtBK1QJxwOnbdTl U3FJr5ZAG6bNqxqbjaR7D7GCULbt6fZuHx3Aff7jKDZJU3mZeitMKHTuh/riPk5xmbMd YKkCOiGY4f9wUNGuWwPAj70Gy657R48aPS9YSnJKGdWUZOqlDucscp3pnUk/hEeVjbU9 TxtgVkRPcPbDm2Xs5ypzhppTs6jE710QObnWw+19YlPHpR6TGGWSWq/zQHDG7ER7amnM 966g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=zQcl83m0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id u11-20020a6540cb000000b005b96dd108aasi3303674pgp.876.2023.10.30.13.23.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Oct 2023 13:23:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=zQcl83m0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id AB85F80488C4; Mon, 30 Oct 2023 13:23:15 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230039AbjJ3UWy (ORCPT + 32 others); Mon, 30 Oct 2023 16:22:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231395AbjJ3UWv (ORCPT ); Mon, 30 Oct 2023 16:22:51 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DCBB6109 for ; Mon, 30 Oct 2023 13:22:42 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-da307fb7752so1931221276.0 for ; Mon, 30 Oct 2023 13:22:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698697362; x=1699302162; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=ObSidP8JTCZls9mTLBjvE7k31kuLSrW0wzxXXc7FEEI=; b=zQcl83m0FC2L6KsVk+LJoeCOOH38nj3xIEh0Vvb8feJl2mG8AyGai9LqX2RyTweo4K m9sgzHuRR3BQ6ZhiKO/VFP4AYbxcEtUxVJBMyKsDOxhPtuIdxOBV9n+kOW7cqF1r+nLg h98s4N4dLmmbpczrd4e89+uMbx69OKXpOsHs0pl+K+S9VS63tuFYKZ829kH+vPTzrvvw 54DkvsjpW7pQg2gqnUoD9WB5faYhJkNS0tARdK9hEruhzIHLWzBmnsFuLdFcJH2rDYyI Ns4VTnQ/iGALyLNmbTMwVkD+mJQxZD4kuIKpmfSx3qszrYWHpJjw50GVrOZhEzCySsW5 DETw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698697362; x=1699302162; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ObSidP8JTCZls9mTLBjvE7k31kuLSrW0wzxXXc7FEEI=; b=beWfiPqrRs7UmCV7yOTWLLE+YTR9s3VrY/Uw07yyfk1SGCIRxUK1vLUyIlASXIC7X5 p2pq1THgOvzOdid8M7s8yU0d/OqQLKdJ0U01vX1VC+Xd6kzNFj6ydi5mY9HgLKpeWaJ7 9ql7H0sAwtRiujhiPQT9ntYHc1Sf6WfR1yVDb4PKtr+dfNB6iyWMm7WOqHkdA4Fz7eLu /AIgqVmyXapfi90BSTRIn5+D9P8ZwxuWBlYC9/WkVLHk6nxxZfynyWn7A536IC3QLjtT ALxD0m0bsyEf/cgFlTwQMfegIa78R8OcMTbgHr3tKAHrRuf/RepM29fVN4Lkwqe1hPRk zYIA== X-Gm-Message-State: AOJu0Yy3SiiPiaPHv4K4CFpDR7ngEOR0K0KzGiRkb0SXTLPX5vgTuOaN /tL0R/fuTm1qaeKQ6UJUuscF3BQ3Dewy X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a25:cf09:0:b0:d90:e642:d9fc with SMTP id f9-20020a25cf09000000b00d90e642d9fcmr208026ybg.6.1698697361861; Mon, 30 Oct 2023 13:22:41 -0700 (PDT) Date: Mon, 30 Oct 2023 13:22:30 -0700 In-Reply-To: <20231030202231.3263253-1-arakesh@google.com> Mime-Version: 1.0 References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231030202231.3263253-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.820.g83a721a137-goog Message-ID: <20231030202231.3263253-3-arakesh@google.com> Subject: [PATCH v10 3/4] usb: gadget: uvc: move video disable logic to its own function From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de X-Spam-Status: No, score=-5.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SORTED_RECIPS,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 30 Oct 2023 13:23:15 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780941381866226962 X-GMAIL-MSGID: 1781213322972005030 This patch refactors the video disable logic in uvcg_video_enable into its own separate function 'uvcg_video_disable'. This function is now used anywhere uvcg_video_enable(video, 0) was used. Reviewed-by: Daniel Scally Suggested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v6 : Introduced this patch to make the next one easier to review v6 -> v7 : Add Suggested-by v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Call uvcg_video_disable directly instead of uvcg_video_enable(video, 0) v9 -> v10: Rebase to ToT (usb-next) drivers/usb/gadget/function/uvc_v4l2.c | 6 ++-- drivers/usb/gadget/function/uvc_video.c | 40 ++++++++++++++++--------- drivers/usb/gadget/function/uvc_video.h | 3 +- 3 files changed, 31 insertions(+), 18 deletions(-) -- 2.42.0.820.g83a721a137-goog diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 7cb8d027ff0c..904dd283cbf7 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -443,7 +443,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) return -EINVAL; /* Enable UVC video. */ - ret = uvcg_video_enable(video, 1); + ret = uvcg_video_enable(video); if (ret < 0) return ret; @@ -469,7 +469,7 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) return -EINVAL; uvc->state = UVC_STATE_CONNECTED; - ret = uvcg_video_enable(video, 0); + ret = uvcg_video_disable(video); if (ret < 0) return ret; @@ -515,7 +515,7 @@ static void uvc_v4l2_disable(struct uvc_device *uvc) if (uvc->state == UVC_STATE_STREAMING) uvc->state = UVC_STATE_CONNECTED; - uvcg_video_enable(&uvc->video, 0); + uvcg_video_disable(&uvc->video); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; wake_up_interruptible(&uvc->func_connected_queue); diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 1619f9664748..c3e8c48f46a9 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -493,31 +493,43 @@ static void uvcg_video_pump(struct work_struct *work) } /* - * Enable or disable the video stream. + * Disable the video stream */ -int uvcg_video_enable(struct uvc_video *video, int enable) +int +uvcg_video_disable(struct uvc_video *video) { - int ret; struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, - "Video enable failed, device is uninitialized.\n"); + "Video disable failed, device is uninitialized.\n"); return -ENODEV; } - if (!enable) { - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); - return 0; + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); + return 0; +} + +/* + * Enable the video stream. + */ +int uvcg_video_enable(struct uvc_video *video) +{ + int ret; + + if (video->ep == NULL) { + uvcg_info(&video->uvc->func, + "Video enable failed, device is uninitialized.\n"); + return -ENODEV; } if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) diff --git a/drivers/usb/gadget/function/uvc_video.h b/drivers/usb/gadget/function/uvc_video.h index 03adeefa343b..8ef6259741f1 100644 --- a/drivers/usb/gadget/function/uvc_video.h +++ b/drivers/usb/gadget/function/uvc_video.h @@ -14,7 +14,8 @@ struct uvc_video; -int uvcg_video_enable(struct uvc_video *video, int enable); +int uvcg_video_enable(struct uvc_video *video); +int uvcg_video_disable(struct uvc_video *video); int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc); From patchwork Mon Oct 30 20:22:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 159872 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:d641:0:b0:403:3b70:6f57 with SMTP id cy1csp2485536vqb; Mon, 30 Oct 2023 13:23:36 -0700 (PDT) X-Google-Smtp-Source: AGHT+IH3tfxXVd2q/lR3v5ZjKwkSG25uzGLrcpPWT2lWVhnF9KtKDdu9QvRRyqm8D+PlOAyqxZw8 X-Received: by 2002:a17:90a:ca8e:b0:27d:222c:f5eb with SMTP id y14-20020a17090aca8e00b0027d222cf5ebmr9605077pjt.11.1698697415871; Mon, 30 Oct 2023 13:23:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698697415; cv=none; d=google.com; s=arc-20160816; b=lCsvazBOsomzLURcKdb+AIM4HMmUVBIqAq/BZbdeTAY3g4Ak290Nf/oJmbvWyIZnmB FQAYqVojJdRbie51gRcGZMnNBOAUokrvmoLPo6WIpVWXjjGLu2nxZrgzAtiLh48el4/1 6636kquUK0kwjhgZAoyOVSzRTK6VtUPNF9SfSfARjeBg1oEbFBLKMNsHHYxyZ29ooDwT 9fVzI3nvchsD+LyvVBvTvPDPOA+QzxXVihPFBYbp0IeY9Ux2s4J6PdJw/kGbB2u8HIhA zlIkbhfs7F/e6liJObQ3Q48MqFdTiTkXBx0CyG+CO0IJkw/bnvfLu3kvPMV4UWQNJRdi FIjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=gbOVumUcV68mIKCi6fEpI8cWauaRcxzC7BeR9lzomMU=; fh=p+LYTnSpNzrqEe7IwOmRmqfbsNd6xnlNPhpiE7PelQI=; b=yoDPwIRXd55gq+TAkm89ub/3kjDcEW97HYIG5i+y4BzqTFlty7/IKr1LT5ouAJT8Ni SACbV5nNg54V6FFgujNalVYZfbdv9u6hKr3t9WJa9VYXORLT5o9ED99JtWV8KjmqyvVu tcwRNlNeR+mr0gwUUAuFYcdu6DP1bgOVoscoNA7tuPcABH49+fGAwIdprzjx/sZsSIk4 V9sJ8Au2i/o1gyPrXk/PmrevFijO3fJbDf+OGecROVtl+QUAdSOeEiuFT1s4Q6ZCYQPz I0Ikbu80+iunIqvWdyV+mJExPvbB7MxOMglRRhpqOAqZoChxRGvi9bmhU5Oz81gBeuuS ajYg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b="UPkhwxO/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2]) by mx.google.com with ESMTPS id m2-20020a17090a7f8200b002568a675b65si7345703pjl.141.2023.10.30.13.23.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Oct 2023 13:23:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b="UPkhwxO/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id DB56F8041EA5; Mon, 30 Oct 2023 13:23:31 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229886AbjJ3UW7 (ORCPT + 32 others); Mon, 30 Oct 2023 16:22:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55196 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231143AbjJ3UWv (ORCPT ); Mon, 30 Oct 2023 16:22:51 -0400 Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com [IPv6:2607:f8b0:4864:20::1149]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7394A124 for ; Mon, 30 Oct 2023 13:22:45 -0700 (PDT) Received: by mail-yw1-x1149.google.com with SMTP id 00721157ae682-5afe220cadeso38574087b3.3 for ; Mon, 30 Oct 2023 13:22:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698697364; x=1699302164; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=gbOVumUcV68mIKCi6fEpI8cWauaRcxzC7BeR9lzomMU=; b=UPkhwxO/nfNOeDRN+59n+wFmQN4EY3KCx+ia1i7HQZwrTuRn8lT2lwJKx37Tj49V9x qvEEUwRWnHkavRMT3TxGDuHwp2+uPo3sgJpMuvtzwgDNBupah78NBhzFAsE66yJlSeUO /ymMvsVpcl4uabUHDwP7lDpeZEJXS632JJPja5J1t2F/M6Bxp2A2bUSSO3cDnMPplk9p Uhjkb3nQorHd8gisgdQuMbpj8T46IN5ZUZwkwLdTUPLTNcSphYuJzGKw8B/dDRi3FtB+ 1eFIZwPGOfSXGGZStIPCaSHIlgRqEKvQRdlJQXkAnFa57I7dJzQJWDa6hVve0w2qDkj5 vHzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698697364; x=1699302164; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=gbOVumUcV68mIKCi6fEpI8cWauaRcxzC7BeR9lzomMU=; b=N2FsGcut7BfGgY5l4Y1j4aONtjWVYxb5ajCNy/5hVVFNeI5nbrhrEVnYL1FI3ZII6m EPQPW9XESwb/2QXpKT/l+7Vgc0/RdXRtoBe+Xr+kh3n06l2pRiSgPQ52Km7R3CYe2OWp dzv/5AwX33Aa5EsL/+BYIi7IGk46zi8mYVUYPtsedXqCvG+HGfbBPREBIH5Qx6aN3hTx eSTFaGbKkKkvXjhux3Ovy3tdujBTxXITWNAaXq8nx3+CQKfpvtldvpijHv5tishv+vxO 39mdQs8Ak+ba5T55TRWqo5mfRdNhBpYv98levXqzYN6bVryzuhMYzYz8sV3f58mh3Svo deJg== X-Gm-Message-State: AOJu0Yw0gXxBzTn1xxPYyulwAqfH0KfluYykc8Knegw9neaqar0EsNR6 t1Nr11FXiwxVvICbMDOl9Ldr8xUfsUJz X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a0d:df82:0:b0:576:af04:3495 with SMTP id i124-20020a0ddf82000000b00576af043495mr227231ywe.9.1698697364705; Mon, 30 Oct 2023 13:22:44 -0700 (PDT) Date: Mon, 30 Oct 2023 13:22:31 -0700 In-Reply-To: <20231030202231.3263253-1-arakesh@google.com> Mime-Version: 1.0 References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231030202231.3263253-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.820.g83a721a137-goog Message-ID: <20231030202231.3263253-4-arakesh@google.com> Subject: [PATCH v10 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de X-Spam-Status: No, score=-5.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SORTED_RECIPS,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Mon, 30 Oct 2023 13:23:31 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780941373184978938 X-GMAIL-MSGID: 1781213341251154670 Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_video to track when frames and requests should be flowing. When disabling the video stream, the flag is tripped and, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by it (as present in req_free). Other usb_requests are left untouched until their completion handler is called which takes care of freeing the usb_request and its corresponding uvc_request. Now that uvc_video does not depends on uvc->state, this patch removes unnecessary upates to uvc->state that were made to accommodate uvc_video logic. This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Suggested-by: Michael Grzeschik Reviewed-by: Michael Grzeschik Tested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2 : Rebased to ToT, and fixed deadlock reported in https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/ v2 -> v3 : Fix email threading goof-up v3 -> v4 : re-rebase to ToT & moved to a uvc_video level lock as discussed in https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/ v4 -> v5 : Address review comments. Add Reviewed-by & Tested-by. v5 -> v6 : Added another patch before this one to make uvcg_video_disable easier to review. v6 -> v7 : Fix warning reported in https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/ v7 -> v8 : No change. Getting back in review queue v8 -> v9 : No change. v9 -> v10: Address review comments. Rebase to ToT (usb-next) drivers/usb/gadget/function/uvc.h | 1 + drivers/usb/gadget/function/uvc_v4l2.c | 10 +- drivers/usb/gadget/function/uvc_video.c | 129 ++++++++++++++++++++---- 3 files changed, 111 insertions(+), 29 deletions(-) -- 2.42.0.820.g83a721a137-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..be0d012aa244 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -102,6 +102,7 @@ struct uvc_video { unsigned int uvc_num_requests; /* Requests */ + bool is_enabled; /* tracks whether video stream is enabled */ unsigned int req_size; struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 904dd283cbf7..c7e5fa4f29e0 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) if (type != video->queue.queue.type) return -EINVAL; - uvc->state = UVC_STATE_CONNECTED; ret = uvcg_video_disable(video); if (ret < 0) return ret; + uvc->state = UVC_STATE_CONNECTED; uvc_function_setup_continue(uvc, 1); return 0; } @@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); - /* - * Drop uvc->state to CONNECTED if it was streaming before. - * This ensures that the usb_requests are no longer queued - * to the controller. - */ - if (uvc->state == UVC_STATE_STREAMING) - uvc->state = UVC_STATE_CONNECTED; - uvcg_video_disable(&uvc->video); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c3e8c48f46a9..53feb790a4c3 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,9 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +/* + * Must be called with req_lock held as it modifies the list ureq is held in + */ static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) { @@ -271,9 +274,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_request *ureq = req->context; struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; - struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf = NULL; unsigned long flags; + spin_lock_irqsave(&video->req_lock, flags); + if (!video->is_enabled) { + /* + * When is_enabled is false, uvcg_video_disable() ensures + * that in-flight uvc_buffers are returned, so we can + * safely call free_request without worrying about + * last_buf. + */ + uvc_video_free_request(ureq, ep); + spin_unlock_irqrestore(&video->req_lock, flags); + return; + } + + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + switch (req->status) { case 0: break; @@ -295,17 +315,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&queue->irqlock, flags); + uvcg_complete_buffer(&video->queue, last_buf); + spin_unlock_irqrestore(&queue->irqlock, flags); } spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); - spin_unlock_irqrestore(&video->req_lock, flags); - - if (uvc->state == UVC_STATE_STREAMING) + /* + * Video stream might have been disabled while we were + * processing the current usb_request. So make sure + * we're still streaming before queueing the usb_request + * back to req_free + */ + if (video->is_enabled) { + list_add_tail(&req->list, &video->req_free); queue_work(video->async_wq, &video->pump); + } else { + uvc_video_free_request(ureq, ep); + } + spin_unlock_irqrestore(&video->req_lock, flags); } static int @@ -392,20 +421,22 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; - struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { + while (true) { + if (!video->ep->enabled) + return; + /* - * Retrieve the first available USB request, protected by the - * request lock. + * Check is_enabled and retrieve the first available USB + * request, protected by the request lock. */ spin_lock_irqsave(&video->req_lock, flags); - if (list_empty(&video->req_free)) { + if (!video->is_enabled || list_empty(&video->req_free)) { spin_unlock_irqrestore(&video->req_lock, flags); return; } @@ -487,9 +518,11 @@ static void uvcg_video_pump(struct work_struct *work) return; spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + if (video->is_enabled) + list_add_tail(&req->list, &video->req_free); + else + uvc_video_free_request(req->context, video->ep); spin_unlock_irqrestore(&video->req_lock, flags); - return; } /* @@ -498,7 +531,11 @@ static void uvcg_video_pump(struct work_struct *work) int uvcg_video_disable(struct uvc_video *video) { - struct uvc_request *ureq; + unsigned long flags; + struct list_head inflight_bufs; + struct usb_request *req, *temp; + struct uvc_buffer *buf, *btemp; + struct uvc_request *ureq, *utemp; if (video->ep == NULL) { uvcg_info(&video->uvc->func, @@ -506,15 +543,58 @@ uvcg_video_disable(struct uvc_video *video) return -ENODEV; } + INIT_LIST_HEAD(&inflight_bufs); + spin_lock_irqsave(&video->req_lock, flags); + video->is_enabled = false; + + /* + * Remove any in-flight buffers from the uvc_requests + * because we want to return them before cancelling the + * queue. This ensures that we aren't stuck waiting for + * all complete callbacks to come through before disabling + * vb2 queue. + */ + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->last_buf) { + list_add_tail(&ureq->last_buf->queue, &inflight_bufs); + ureq->last_buf = NULL; + } + } + spin_unlock_irqrestore(&video->req_lock, flags); + cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); + spin_lock_irqsave(&video->req_lock, flags); + /* + * Remove all uvc_reqeusts from ureqs with list_del_init + * This lets uvc_video_free_request correctly identify + * if the uvc_request is attached to a list or not when freeing + * memory. + */ + list_for_each_entry_safe(ureq, utemp, &video->ureqs, list) + list_del_init(&ureq->list); + + list_for_each_entry_safe(req, temp, &video->req_free, list) { + list_del(&req->list); + uvc_video_free_request(req->context, video->ep); } - uvc_video_free_requests(video); + INIT_LIST_HEAD(&video->ureqs); + INIT_LIST_HEAD(&video->req_free); + video->req_size = 0; + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * Return all the video buffers before disabling the queue. + */ + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) { + list_del(&buf->queue); + uvcg_complete_buffer(&video->queue, buf); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + uvcg_queue_enable(&video->queue, 0); return 0; } @@ -532,6 +612,14 @@ int uvcg_video_enable(struct uvc_video *video) return -ENODEV; } + /* + * Safe to access request related fields without req_lock because + * this is the only thread currently active, and no other + * request handling thread will become active until this function + * returns. + */ + video->is_enabled = true; + if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret; @@ -557,6 +645,7 @@ int uvcg_video_enable(struct uvc_video *video) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + video->is_enabled = false; INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock);