From patchwork Thu Nov 2 20:19:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 161114 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:8f47:0:b0:403:3b70:6f57 with SMTP id j7csp619150vqu; Thu, 2 Nov 2023 13:19:51 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFUFAnUuYKeinbhuZ641p+e77qBmsB+bjzhNYECpbA6B5jTWBluJ6/MsajaqLGsG8Gev+op X-Received: by 2002:a17:903:18b:b0:1cc:665d:f818 with SMTP id z11-20020a170903018b00b001cc665df818mr9536072plg.68.1698956390969; Thu, 02 Nov 2023 13:19:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698956390; cv=none; d=google.com; s=arc-20160816; b=yS5APELHKa6J0RGR1NZ8A5vXboUaXfhXBTC8Ux4Yejybe51vBvmsxtmnKL/Y4+lVfn bD/UnMDN24j2l6DwYCmBvN9iYzYqj+4XxGC1KNJQgcQLB2xy8yC9SwIVOyfcj/Lniaem odWa603hOE0wv7PB9lWl8xovV8bNAiI6UoIRNzPXkj0Gyetp5EEfTxVzrDG0uqrr+rbL 4uvfoTkzZ71rPMdoC9CtT6y/USip8LQsoDE8/BwaNtfqer1ZusakhnftMYFuBRg6FoOB EqUlf0tIYLAr0P4s8IlG02DjvM3J0mEzM7uquKxCN48Qh28+Z2lcVL+fa8jsvGOSUYSR j2uQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=AYqEfUKeizafCAfG5BKRqYNGWXtbqIwki1kkN4JQAW8=; fh=p+LYTnSpNzrqEe7IwOmRmqfbsNd6xnlNPhpiE7PelQI=; b=0mhIxuIrZs5pcC9lUYD9IexNcxrmbPs0AAfrmiIXPjt3uL6NmEUwKIq7fzZzsTu8E9 nzkR4es2RrALo+lTvZ277bkGpwDXgwaht7rIDvYcHHcT8ChvJFuoniwCpgHO0ufLV3kd z2FE8EP/q3vies2jz67JP6hniRcZvqLLjRxvLTG+Inlmg/8MOpfVF7Ab+J4jBUvlDau1 6csGib/777dmPnDRSUrHQMEg2fgJzfQ2SboNeCw+RmMq1r8NndU/VAWsemCFT1CGkxIW 8uvZpDgQW/HBFGBtISV6LFgtioQYe3WFct3kNmaCTPMszB+V7/+xKaq0103CQtKAesGM pj1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=wEzAi2of; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id c10-20020a170902c1ca00b001c9fe071f2bsi210183plc.8.2023.11.02.13.19.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Nov 2023 13:19:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=wEzAi2of; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 3709D804E7BC; Thu, 2 Nov 2023 13:19:50 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229650AbjKBUTs (ORCPT + 35 others); Thu, 2 Nov 2023 16:19:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42578 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229459AbjKBUTq (ORCPT ); Thu, 2 Nov 2023 16:19:46 -0400 Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com [IPv6:2607:f8b0:4864:20::1149]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2CE46182 for ; Thu, 2 Nov 2023 13:19:44 -0700 (PDT) Received: by mail-yw1-x1149.google.com with SMTP id 00721157ae682-5a9012ab0adso18323577b3.1 for ; Thu, 02 Nov 2023 13:19:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698956383; x=1699561183; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=AYqEfUKeizafCAfG5BKRqYNGWXtbqIwki1kkN4JQAW8=; b=wEzAi2ofuf5K76Vfri9L86AcY4PqIwsIH3LoYtSXrHOKpiN98Co0JnuSo8CNhJORFo PMpJNPTv+lageA467M+mJozSzL31ZO/kl9yfVV+5dNHovRNdiEAKnQibZiKp2ucYlCCi HfRsstvg/zzm+ZdyWaZ7vCRG4aaf43ltCanDr6mKH6C1lXM2IGkeNzkPwA7++wJH7eb0 LGR7ucMUAiXuUutAnAmowcDhW75H36GaZlqOISCuBTwyQOxyqb/JzxYJVQt5T7q3Zczf QHB4K6/Fh72C764E4VzChurOf+Hav4hEQUIcgTkneZAaAPLwRvPlZftN8kuB6q5Ob6Kh AARw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698956383; x=1699561183; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=AYqEfUKeizafCAfG5BKRqYNGWXtbqIwki1kkN4JQAW8=; b=aweN6U5GNWF1t6NQ0/5MLZMXI9iEAPowJIqk8j317wQM9ig8p6+FfjjHia+iedgbhb B/a6bt0u/ZufipFZwpEv9JFiwfUqVPVADVVDwYQjfhyxM+T3gVzqp0WESa2p4+BIScvG AWKFvmzYi2SC/eZWAV7YBUnW+AiXqO3Q0DJFvoc9PMWsuVoU5XxWeuVUxio6QfvvI3O8 zJ4kWPOIcH3YBTTa/+s2/Xz1FbsDpSUrFstTF/DWpNV3Vd/VAH0FueQQOwmMLTHrswVa kKBrnlR1UNEdvAOb8U0WL/NTW891bbmr2M0bgrNiU6MhC5RxMBIvngyye+ILyKhqtRZM WwhA== X-Gm-Message-State: AOJu0Ywr7328CjjrquBEf1X2Tvv/n4RHuLIMxX7jCGmGHb683bJx+DAW 2JqCICOwdvztl+8n1livgBth/qsT2GQU X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a81:a056:0:b0:59b:ca80:919a with SMTP id x83-20020a81a056000000b0059bca80919amr16199ywg.0.1698956383423; Thu, 02 Nov 2023 13:19:43 -0700 (PDT) Date: Thu, 2 Nov 2023 13:19:36 -0700 In-Reply-To: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> Mime-Version: 1.0 References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> X-Mailer: git-send-email 2.42.0.869.gea05f2083d-goog Message-ID: <20231102201939.4171214-1-arakesh@google.com> Subject: [PATCH v11 1/4] usb: gadget: uvc: prevent use of disabled endpoint From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SORTED_RECIPS,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 02 Nov 2023 13:19:50 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780941353830649923 X-GMAIL-MSGID: 1781484896700999595 Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint. This change moves disabling usb endpoint to the end of streamoff event callback. As the endpoint's state can no longer be used, video_pump is now guarded by uvc->state as well. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only. Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/ Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/ Reviewed-by: Daniel Scally Reviewed-by: Michael Grzeschik Tested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2 : Rebased to ToT and reworded commit message. v2 -> v3 : Fix email threading goof-up v3 -> v4 : Address review comments & re-rebase to ToT v4 -> v5 : Add Reviewed-by & Tested-by v5 -> v6 : No change v6 -> v7 : No change v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Fix typo. No functional change. v9 -> v10 : Rebase to ToT (usb-next) v10 -> v11 : No change drivers/usb/gadget/function/f_uvc.c | 11 +++++------ drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 2 +- drivers/usb/gadget/function/uvc_v4l2.c | 20 +++++++++++++++++--- drivers/usb/gadget/function/uvc_video.c | 3 ++- 5 files changed, 26 insertions(+), 12 deletions(-) -- 2.42.0.869.gea05f2083d-goog diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index 786379f1b7b7..77999ed53d33 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) + usb_ep_disable(uvc->video.ep); + usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..083aef0c65c6 100644 --- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h @@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..7cb8d027ff0c 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) + return ret; + + uvc_function_setup_continue(uvc, 1); + return 0; } static int @@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + if (uvc->state == UVC_STATE_STREAMING) + uvc->state = UVC_STATE_CONNECTED; + uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; @@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 91af3b1ef0d4..c334802ac0a4 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; + struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (video->ep->enabled) { + while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { /* * Retrieve the first available USB request, protected by the * request lock. From patchwork Thu Nov 2 20:19:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 161115 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:8f47:0:b0:403:3b70:6f57 with SMTP id j7csp619228vqu; Thu, 2 Nov 2023 13:19:59 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHjJc17OH4jlYxySZgfJP03HW1mfFu1iLmkZmw4gShJ10WLkd9GguzNlvva8ObMbjL/T8Uu X-Received: by 2002:a17:903:190:b0:1cc:50ad:4e with SMTP id z16-20020a170903019000b001cc50ad004emr13494206plg.47.1698956399035; Thu, 02 Nov 2023 13:19:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698956399; cv=none; d=google.com; s=arc-20160816; b=rjNyeR+wLJLE3Jaz7N1vKKlJ4EkP96USvzZyTppRuQ1Tyh7Xw/BzL2xqpdHftoZMBg EXcpAfxUOXamLgPz45VboML3KIykN69lT5jNWbr1svIU38unxsd7ToXKMeaNq4my5taM 9JUfA/3fnljxzqCv8/6LfYhEQlkL03vZOlbE78qAG4zqrHcZerGLvowcBHAu9ZAX7KQB gkYkEWiTYdtWkLooqXhdB5nt7KSsH0/UQR/JPxB12j8PhCxBWRe4A/lsqIR3JWTXvgWh CdEXXUsJCHNxZ/M+HARRgJNInCIDpYWXwOKinmEy4t1c8CXa6iuAu3o4shkm240w7P25 IZCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=zu07Q1D3AbhvTA0xOJQWT2owk//hTJx8Le/vTKVZn/Y=; fh=p+LYTnSpNzrqEe7IwOmRmqfbsNd6xnlNPhpiE7PelQI=; b=SAmEMjTuxWcv9/DN9ZltxUpvlq+99sKkYWyF/LB0njTP/gkN39g6Ne9Me/wHmRtIhB jhQ2L/N/FUBVCYVSJabI8gqfhv3uxIUBoTGUq8yY5Gp238amYdMLnd9gbJYbnWagPxhU 64mDn742uGVQImqiyrt2P+NvWTqE76mkiXdi8nI/l36c15bB5eQtcxYB6xGhnv7r2XOU QtCewD+lpOKIFcls9Mtg3bSYOP3mLtt2i1wWSiloFHI86wGOnbi4Sn2Uk27k8AMI0HCe JCo6+UIJWJR3+9Be7DFzp43Bo+FJB2O3HJgQ/obYZulr6ouBAUHrd+IhX6R88YMn2J1F O23w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=eFR8hnfe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id r21-20020a170902c7d500b001c9bcb6f00asi194269pla.528.2023.11.02.13.19.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Nov 2023 13:19:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=eFR8hnfe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 31ED582D7C50; Thu, 2 Nov 2023 13:19:58 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232145AbjKBUTy (ORCPT + 35 others); Thu, 2 Nov 2023 16:19:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52862 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229459AbjKBUTt (ORCPT ); Thu, 2 Nov 2023 16:19:49 -0400 Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com [IPv6:2607:f8b0:4864:20::1149]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A884182 for ; Thu, 2 Nov 2023 13:19:47 -0700 (PDT) Received: by mail-yw1-x1149.google.com with SMTP id 00721157ae682-5b0c27d504fso11084207b3.1 for ; Thu, 02 Nov 2023 13:19:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698956386; x=1699561186; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=zu07Q1D3AbhvTA0xOJQWT2owk//hTJx8Le/vTKVZn/Y=; b=eFR8hnfewUaB6uqntYWIfCQVeshhjtrIqaiBG7PU4uuJgcKJwLpgr3MJ0cMbC4QBhO HnxeYmsX7feAxI5lmxFst4iY2Hib5Wzci4yyhhO+WXvKayXf2bj+atrcB8S9ZWJPAG8P 8V4eOcIZtj9MHX0JawIWGaG5KdzpuE7E4EiI520pApx2VWsLSXhPfC/6IycpaOaiYJYi fcmqZbWfytbW3Du5TLcUzA8dk/jDbBa6yTLg8mvCpcAjNjYmJJoXMcp4JXyDeGutDA4f TN1X+eV/DiS96hcp/RE+WxUHLLJTscjUBkVoH3qwo/nXZSFHJnffr+MGyudZsjOccnS4 UOmA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698956386; x=1699561186; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zu07Q1D3AbhvTA0xOJQWT2owk//hTJx8Le/vTKVZn/Y=; b=HJsAh+ona32U7tJCDX/qTM1Vp0OHbnbcZg+DTpzxSankTXnYAJHwo9MPaa3E3EVsW/ nLOepfBSMQulBclTzBhVbQ2eBRepx2d4SivcbbzeY4etvRlLg05GqXsUNon5cSM8C9C2 0SqwW7faM/59IN/tWSAxwYxlMQuIcx5nQXbeoMSie8f9o74MFjIhqNQPL+i+VimddumE sldtcLqrFVshg+0QhwZ+nx7B76QK/iOoTwfy++NVwU98K0OAs4DH2Y2/MfDSab+YxxiR cNolqS/YUzuIPXTyNffjSrzhK1NsJ+VnEHNaISRywEkFvH2SqrM/gpwXvCyrKoxEJwDR zfhg== X-Gm-Message-State: AOJu0YyrrzLgCQuna5SN5MAgZC98ucQcQKaN3Med7dR/nuVc28pBmI+e eWEoE+iY/MA3J4qIkEOFDKjuMRr6QMJE X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a05:690c:3690:b0:5ae:75db:92c5 with SMTP id fu16-20020a05690c369000b005ae75db92c5mr15702ywb.2.1698956386520; Thu, 02 Nov 2023 13:19:46 -0700 (PDT) Date: Thu, 2 Nov 2023 13:19:37 -0700 In-Reply-To: <20231102201939.4171214-1-arakesh@google.com> Mime-Version: 1.0 References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231102201939.4171214-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.869.gea05f2083d-goog Message-ID: <20231102201939.4171214-2-arakesh@google.com> Subject: [PATCH v11 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SORTED_RECIPS,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 02 Nov 2023 13:19:58 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780941366189213007 X-GMAIL-MSGID: 1781484905058337978 Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allows for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Reviewed-by: Daniel Scally Reviewed-by: Michael Grzeschik Suggested-by: Michael Grzeschik Tested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2 : Rebased to ToT v2 -> v3 : Fix email threading goof-up v3 -> v4 : Address review comments & re-rebase to ToT v4 -> v5 : Address more review comments. Add Reviewed-by & Tested-by. v5 -> v6 : No change v6 -> v7 : No change v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Address review comments. v9 -> v10 : Address review comments; remove BUG_ON(&video->reqs); Rebase to ToT (usb-next) v10 -> v11 : Add Reviewed-by drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 88 ++++++++++++++----------- 2 files changed, 51 insertions(+), 40 deletions(-) -- 2.42.0.869.gea05f2083d-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c334802ac0a4..1619f9664748 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void +uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; @@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); + struct uvc_request *ureq, *temp; - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } - - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; - } + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) + uvc_video_free_request(ureq, video->ep); + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; @@ -332,29 +336,33 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) + goto error; + + INIT_LIST_HEAD(&ureq->list); + + list_add_tail(&ureq->list, &video->ureqs); - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) goto error; - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; - list_add_tail(&video->ureq[i].req->list, &video->req_free); + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } @@ -489,8 +497,8 @@ static void uvcg_video_pump(struct work_struct *work) */ int uvcg_video_enable(struct uvc_video *video, int enable) { - unsigned int i; int ret; + struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, @@ -502,9 +510,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); @@ -536,6 +545,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump); From patchwork Thu Nov 2 20:19:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 161117 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:8f47:0:b0:403:3b70:6f57 with SMTP id j7csp619715vqu; Thu, 2 Nov 2023 13:20:53 -0700 (PDT) X-Google-Smtp-Source: AGHT+IF9tnTwDtPsV11YbUJNEz0EA84ZlO1pgr6MzT95UAbSPdbAmFTCqaS/Hh5LGbn/y2ztBp1P X-Received: by 2002:a05:6a20:258f:b0:130:d5a:e40e with SMTP id k15-20020a056a20258f00b001300d5ae40emr19355484pzd.7.1698956453363; Thu, 02 Nov 2023 13:20:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698956453; cv=none; d=google.com; s=arc-20160816; b=dw2C5CJLhpocoaz2nFgy5GhDm4TRCfTfeFgrIAuVZgAprds3FxP/kP/y5us/iKfmIL WMlinwOMWQyquI8AOD7iQW0llbyoZaoQ15OGP5dN5rQRbZcogyicJjxDKTxUBOQrcapS XQY6X3/n8oGRniVOyoU0d30mE2L99zOJwOKMcCv8QGhF5kWSd4vFNoEw10+s48weBM6D 4bGXWRmtAzFF3Tpj/vYoSyTGW52zU2NTxCZvWKmxXA+xWsHP6Um+lRpv3eDDU1YADw2b ig4QoIhDQSheS7s2g0SJbBTf1dYeZw0I+u6dzZ4lzTh7tH+KGCBdkSNf/XVSl1f4O4uO nbTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=9HtuKTq7fDT9ipH0h7IAyB40jdEhSYri9qt3cL94eIk=; fh=p+LYTnSpNzrqEe7IwOmRmqfbsNd6xnlNPhpiE7PelQI=; b=UGaNEndoNy4dFV65mFls22iRic0Ty9NLybNd/4/lFPT7UwbMNB0MEqaIg2jAfQPhp2 goXkzYbaPALgsIpCtUWkGmDaZcjSJUhuTjqWw8WvwRhxFDzx85zrEQWz4b/Va5yhp+7k hbwRsZju7gGodt45lYgL5/ToH8AGjJnoAsUYQ1uzhVI7YV6xVIdRzU9rqYiqydG3dwoJ ebREP2XblOMBfu9R9Tp3d4r5/Jx0UKzEGD29q5Cc0gvvrfzwvDj5C+CeOGc2DImVU7hx BhTCxoa47x/tWdFNwPNfD6gJcJXE66GvCrHeld24BZ6YGlf8V0WnXd6NN3IECQ7ePFI/ xqbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b="AjhI2V/L"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id bj11-20020a056a02018b00b005855f67e491si220212pgb.696.2023.11.02.13.20.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Nov 2023 13:20:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b="AjhI2V/L"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 21965807F2A2; Thu, 2 Nov 2023 13:20:32 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232412AbjKBUT4 (ORCPT + 35 others); Thu, 2 Nov 2023 16:19:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231589AbjKBUTx (ORCPT ); Thu, 2 Nov 2023 16:19:53 -0400 Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com [IPv6:2607:f8b0:4864:20::114a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D33818E for ; Thu, 2 Nov 2023 13:19:50 -0700 (PDT) Received: by mail-yw1-x114a.google.com with SMTP id 00721157ae682-5a828bdcfbaso19554857b3.2 for ; Thu, 02 Nov 2023 13:19:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698956389; x=1699561189; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=9HtuKTq7fDT9ipH0h7IAyB40jdEhSYri9qt3cL94eIk=; b=AjhI2V/LKSo+4x4A1avfj4mvidCNQM8faZaEXcDrstIwqxlyAw6Ggbk5NwWWpLm/Z8 HZqG1bBZcs8j+TShLh/hou9I5fgkRDFefOHU6btBuWJEoda9hDWugoGVub+y3GiS7ww7 gpoSxYLPweMilAcC+1bFQwkt5ncKjKc5OTQAZwO/tceDxBOJT/64MSgIZZ4PKKzmh5oV ouEDd5k1HpkiKIHB9sW9iaryo3ZwjWwV+71N9HvXb8+teVsMBMEiyO97zecnquZUfLWh +ff27vpAzwTy3BiHT4BHNkVQAfnjI0UZCAT+8aHZs/6rk4RaKYSFmHFNnwSjszgiVMd3 VXhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698956389; x=1699561189; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=9HtuKTq7fDT9ipH0h7IAyB40jdEhSYri9qt3cL94eIk=; b=sPAD1PyKYqu/lfkUnxrDwl6OBzvaGhXXctcCk9qZQPufF8xZ0egMatyhRfw0yFoGfQ rfN9iJSjle/EKTuk2X0Sf7RlEzKdV80N2OhC6eUwWjlXQ8RjQh208qbVCI3EeFtrkaFR EB2Jk+IEOEQ7wQChOi/qjxoui68OQFZQDc3Ju2h0OsYd9PvgjkzyhojaWJ2A2M4BqTHF G1ZPz0Ag0ypopPnRccc9VHDdAWG4Sd5yf5NTdl3oAOWRzBxOJ/QWveEc1r9S0YnF55Ve FtCBH2xFHxeHcncdbSoLktM42TtsQswGKU2a648dvMq88EvgiTxFWm/iyTlGAJMw84pU BaDQ== X-Gm-Message-State: AOJu0YxXI7gUFfgX0H050UM0wqcRL8mtzg6DdfiMde+Qej9LZzevv5LR HTdpisHZnKBIq5JsF7oZDbxrNJ7szwuX X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a25:2d24:0:b0:d9a:4e29:6353 with SMTP id t36-20020a252d24000000b00d9a4e296353mr415463ybt.0.1698956389343; Thu, 02 Nov 2023 13:19:49 -0700 (PDT) Date: Thu, 2 Nov 2023 13:19:38 -0700 In-Reply-To: <20231102201939.4171214-1-arakesh@google.com> Mime-Version: 1.0 References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231102201939.4171214-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.869.gea05f2083d-goog Message-ID: <20231102201939.4171214-3-arakesh@google.com> Subject: [PATCH v11 3/4] usb: gadget: uvc: move video disable logic to its own function From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de X-Spam-Status: No, score=-5.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SORTED_RECIPS,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Thu, 02 Nov 2023 13:20:32 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780941381866226962 X-GMAIL-MSGID: 1781484961732219193 This patch refactors the video disable logic in uvcg_video_enable into its own separate function 'uvcg_video_disable'. This function is now used anywhere uvcg_video_enable(video, 0) was used. Reviewed-by: Daniel Scally Suggested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- XX -> v6 : Introduced this patch to make the next one easier to review v6 -> v7 : Add Suggested-by v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Call uvcg_video_disable directly instead of uvcg_video_enable(video, 0) v9 -> v10 : Rebase to ToT (usb-next) v10 -> v11 : No change drivers/usb/gadget/function/uvc_v4l2.c | 6 ++-- drivers/usb/gadget/function/uvc_video.c | 40 ++++++++++++++++--------- drivers/usb/gadget/function/uvc_video.h | 3 +- 3 files changed, 31 insertions(+), 18 deletions(-) -- 2.42.0.869.gea05f2083d-goog diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 7cb8d027ff0c..904dd283cbf7 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -443,7 +443,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) return -EINVAL; /* Enable UVC video. */ - ret = uvcg_video_enable(video, 1); + ret = uvcg_video_enable(video); if (ret < 0) return ret; @@ -469,7 +469,7 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) return -EINVAL; uvc->state = UVC_STATE_CONNECTED; - ret = uvcg_video_enable(video, 0); + ret = uvcg_video_disable(video); if (ret < 0) return ret; @@ -515,7 +515,7 @@ static void uvc_v4l2_disable(struct uvc_device *uvc) if (uvc->state == UVC_STATE_STREAMING) uvc->state = UVC_STATE_CONNECTED; - uvcg_video_enable(&uvc->video, 0); + uvcg_video_disable(&uvc->video); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; wake_up_interruptible(&uvc->func_connected_queue); diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 1619f9664748..c3e8c48f46a9 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -493,31 +493,43 @@ static void uvcg_video_pump(struct work_struct *work) } /* - * Enable or disable the video stream. + * Disable the video stream */ -int uvcg_video_enable(struct uvc_video *video, int enable) +int +uvcg_video_disable(struct uvc_video *video) { - int ret; struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, - "Video enable failed, device is uninitialized.\n"); + "Video disable failed, device is uninitialized.\n"); return -ENODEV; } - if (!enable) { - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); - return 0; + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); + return 0; +} + +/* + * Enable the video stream. + */ +int uvcg_video_enable(struct uvc_video *video) +{ + int ret; + + if (video->ep == NULL) { + uvcg_info(&video->uvc->func, + "Video enable failed, device is uninitialized.\n"); + return -ENODEV; } if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) diff --git a/drivers/usb/gadget/function/uvc_video.h b/drivers/usb/gadget/function/uvc_video.h index 03adeefa343b..8ef6259741f1 100644 --- a/drivers/usb/gadget/function/uvc_video.h +++ b/drivers/usb/gadget/function/uvc_video.h @@ -14,7 +14,8 @@ struct uvc_video; -int uvcg_video_enable(struct uvc_video *video, int enable); +int uvcg_video_enable(struct uvc_video *video); +int uvcg_video_disable(struct uvc_video *video); int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc); From patchwork Thu Nov 2 20:19:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 161116 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:8f47:0:b0:403:3b70:6f57 with SMTP id j7csp619339vqu; Thu, 2 Nov 2023 13:20:07 -0700 (PDT) X-Google-Smtp-Source: AGHT+IH1F1dLXU9SJsOfrWVYgoBujqWppudInz79uoPORPUM2EHqtfGtnTFijPjT0Yg2GsRCpp75 X-Received: by 2002:a05:6a00:2e07:b0:6be:43f8:4e0b with SMTP id fc7-20020a056a002e0700b006be43f84e0bmr19716542pfb.24.1698956407430; Thu, 02 Nov 2023 13:20:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698956407; cv=none; d=google.com; s=arc-20160816; b=iLRb6mzkOg1atpmFmPmOwmG2p8ZmPKQ1hFjyDtnv16MEteg96t3ByFwGfvkWcQdCWs L5fLlpJ+WJ1rxXLjrlXXP6QUpcFSp38e6UCNRyo7pqtq2iM6uguXDNh7jbncPpipkLvx kltqgAB4yyk6d/g5ARuvnZ0fgbQGKzMe2l45k+xxe48k8u47qNiRBfhYrKeW0fj3TV2w El2NllURA0/3FjaS9jZn/Cd5JDka6fWvH5cA4Ik1990x7SidOaWRzex8bCS2M34OvV6T cZzTo0NmRxah7msym9NuHNvc5BX31tAtnKhDIyk1iZe+8dD1o/NtgoOuMz6NPNxGCNpe qrVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=dl0Y8kXtO+v5DMU4xYXsBrmdbPzQql7yPD++RjWhQ4E=; fh=p+LYTnSpNzrqEe7IwOmRmqfbsNd6xnlNPhpiE7PelQI=; b=Ka6QX20VrPG7rorm6mFLVrAGGqD7EsNw2Kin3Opyww2rEpYFmi6GmQIURBdi27sg7K 1p5Z/DHnrIf5tMI57+eiMCZeQlmk8uu7bFgLPwebxl4j6++kA1gjuMlQBgFgdHtzwuMj pTaGN7O1cpuZE3+3Sv7TCLecNKmUZ2GrRIvNXNgphkbnaAG8kRe6jMvq+SdcsEGmmcAl e5OAWosGn3Ey9HbHpmsnuQmKZWyrQ6ret633fTezbwiT/hJfuHvIaUNpo5QMnYNvDeJj HVF44Lj/Iog3S6VTQNF31GcyZIuajcMCkRHSjHBNfUSUb6Vw+NPChm/M1fLq+Zxy4fxS TEUg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=nlKaeGTU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id cb18-20020a056a02071200b005bd04873387si244743pgb.105.2023.11.02.13.20.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Nov 2023 13:20:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=nlKaeGTU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 9D55782ECB33; Thu, 2 Nov 2023 13:20:06 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232977AbjKBUT7 (ORCPT + 35 others); Thu, 2 Nov 2023 16:19:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52894 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232152AbjKBUT4 (ORCPT ); Thu, 2 Nov 2023 16:19:56 -0400 Received: from mail-pg1-x54a.google.com (mail-pg1-x54a.google.com [IPv6:2607:f8b0:4864:20::54a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD5B81A2 for ; Thu, 2 Nov 2023 13:19:52 -0700 (PDT) Received: by mail-pg1-x54a.google.com with SMTP id 41be03b00d2f7-5b83d8797f4so1014828a12.3 for ; Thu, 02 Nov 2023 13:19:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698956392; x=1699561192; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=dl0Y8kXtO+v5DMU4xYXsBrmdbPzQql7yPD++RjWhQ4E=; b=nlKaeGTUSQCfg9d96sm3atrqvoFeKBdMT2yOUW68OGH4lsyOi9rDS378oUD29FE5rV YLtlnJNvzvPvYAceykY0oaDh6LD4I2LV2h6tG9bZUv1dvW7KiTGCjjaPgCp4HueMwcaK cHH3qrUTCdghfYiIqjY5s7JNT522Hn+IS9yXnVH8kv/X6k4cM7hLcRzO5l1ewLLZlkvr WktfNHBys4paUdmjsa5Pl4GlUDolyc/GYHEs1QNT1fgr1SIFQlTZUg57E3Vq/fz7y1rW 51u1vDKYa3QvH3V8NC7Zpg5M92V0OwDGnCT+ksdj079fhxIiDi9Lm5/+bNk3KZ5quNdi Howg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698956392; x=1699561192; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dl0Y8kXtO+v5DMU4xYXsBrmdbPzQql7yPD++RjWhQ4E=; b=cpao8gM5tgS1afRg1ozkeJKI74KsoL3brNUPOrfC2UZRYLdxKZS+qg/U2SZxTdorqI ICklAE9dRLMC9A7htOD3E+OUutBYm7QYk7txQM0r0R8g6pIMSzf9na/DGAVD5WltUVZ4 6OLjv3ZMya9VIE9W5vQllLpdWo1PVEZKVLEiORhUDYI1847Szf2RBHl+/9DYiJcvuaWw UaJ4dMhK1VM83/MS1Ez62UxhZCf3ijcqrdZLuqCxbxBo3tvvO09aVAHiucRTCizw4NR7 3gBc8ZdURvqJJSrXxANpLWQvGSicmVp8Jurt4ZYqsXGPm6P/M+WOM9APqw3rwjUZsPIv Ch+Q== X-Gm-Message-State: AOJu0Yx++orQeB14UC/GL4tGXfSGIo7o3RyspCAgPF5P1bbUXqiU+nw7 X9Es4b89Etz/7qDi+xTlU7h19xsCBlW5 X-Received: from hi-h2o-specialist.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:3cef]) (user=arakesh job=sendgmr) by 2002:a65:6a84:0:b0:5ab:7d1d:3322 with SMTP id q4-20020a656a84000000b005ab7d1d3322mr378503pgu.9.1698956391992; Thu, 02 Nov 2023 13:19:51 -0700 (PDT) Date: Thu, 2 Nov 2023 13:19:39 -0700 In-Reply-To: <20231102201939.4171214-1-arakesh@google.com> Mime-Version: 1.0 References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231102201939.4171214-1-arakesh@google.com> X-Mailer: git-send-email 2.42.0.869.gea05f2083d-goog Message-ID: <20231102201939.4171214-4-arakesh@google.com> Subject: [PATCH v11 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests From: Avichal Rakesh To: arakesh@google.com, dan.scally@ideasonboard.com Cc: etalvala@google.com, gregkh@linuxfoundation.org, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SORTED_RECIPS,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 02 Nov 2023 13:20:06 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1780941373184978938 X-GMAIL-MSGID: 1781484914003886652 Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_video to track when frames and requests should be flowing. When disabling the video stream, the flag is tripped and, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by it (as present in req_free). Other usb_requests are left untouched until their completion handler is called which takes care of freeing the usb_request and its corresponding uvc_request. Now that uvc_video does not depends on uvc->state, this patch removes unnecessary upates to uvc->state that were made to accommodate uvc_video logic. This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Reviewed-by: Michael Grzeschik Suggested-by: Michael Grzeschik Tested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh Reviewed-by: Daniel Scally --- v1 -> v2 : Rebased to ToT, and fixed deadlock reported in https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/ v2 -> v3 : Fix email threading goof-up v3 -> v4 : re-rebase to ToT & moved to a uvc_video level lock as discussed in https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/ v4 -> v5 : Address review comments. Add Reviewed-by & Tested-by. v5 -> v6 : Added another patch before this one to make uvcg_video_disable easier to review. v6 -> v7 : Fix warning reported in https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/ v7 -> v8 : No change. Getting back in review queue v8 -> v9 : No change. v9 -> v10 : Address review comments. Rebase to ToT (usb-next) v10 -> v11 : Address review comments drivers/usb/gadget/function/uvc.h | 1 + drivers/usb/gadget/function/uvc_v4l2.c | 10 +- drivers/usb/gadget/function/uvc_video.c | 130 ++++++++++++++++++++---- 3 files changed, 112 insertions(+), 29 deletions(-) -- 2.42.0.869.gea05f2083d-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..be0d012aa244 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -102,6 +102,7 @@ struct uvc_video { unsigned int uvc_num_requests; /* Requests */ + bool is_enabled; /* tracks whether video stream is enabled */ unsigned int req_size; struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 904dd283cbf7..c7e5fa4f29e0 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) if (type != video->queue.queue.type) return -EINVAL; - uvc->state = UVC_STATE_CONNECTED; ret = uvcg_video_disable(video); if (ret < 0) return ret; + uvc->state = UVC_STATE_CONNECTED; uvc_function_setup_continue(uvc, 1); return 0; } @@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); - /* - * Drop uvc->state to CONNECTED if it was streaming before. - * This ensures that the usb_requests are no longer queued - * to the controller. - */ - if (uvc->state == UVC_STATE_STREAMING) - uvc->state = UVC_STATE_CONNECTED; - uvcg_video_disable(&uvc->video); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c3e8c48f46a9..164bdeb7f2a9 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,10 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +/* + * Callers must take care to hold req_lock when this function may be called + * from multiple threads. For example, when frames are streaming to the host. + */ static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) { @@ -271,9 +275,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_request *ureq = req->context; struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; - struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf; unsigned long flags; + spin_lock_irqsave(&video->req_lock, flags); + if (!video->is_enabled) { + /* + * When is_enabled is false, uvcg_video_disable() ensures + * that in-flight uvc_buffers are returned, so we can + * safely call free_request without worrying about + * last_buf. + */ + uvc_video_free_request(ureq, ep); + spin_unlock_irqrestore(&video->req_lock, flags); + return; + } + + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + switch (req->status) { case 0: break; @@ -295,17 +316,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&queue->irqlock, flags); + uvcg_complete_buffer(queue, last_buf); + spin_unlock_irqrestore(&queue->irqlock, flags); } spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); - spin_unlock_irqrestore(&video->req_lock, flags); - - if (uvc->state == UVC_STATE_STREAMING) + /* + * Video stream might have been disabled while we were + * processing the current usb_request. So make sure + * we're still streaming before queueing the usb_request + * back to req_free + */ + if (video->is_enabled) { + list_add_tail(&req->list, &video->req_free); queue_work(video->async_wq, &video->pump); + } else { + uvc_video_free_request(ureq, ep); + } + spin_unlock_irqrestore(&video->req_lock, flags); } static int @@ -392,20 +422,22 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; - struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { + while (true) { + if (!video->ep->enabled) + return; + /* - * Retrieve the first available USB request, protected by the - * request lock. + * Check is_enabled and retrieve the first available USB + * request, protected by the request lock. */ spin_lock_irqsave(&video->req_lock, flags); - if (list_empty(&video->req_free)) { + if (!video->is_enabled || list_empty(&video->req_free)) { spin_unlock_irqrestore(&video->req_lock, flags); return; } @@ -487,9 +519,11 @@ static void uvcg_video_pump(struct work_struct *work) return; spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + if (video->is_enabled) + list_add_tail(&req->list, &video->req_free); + else + uvc_video_free_request(req->context, video->ep); spin_unlock_irqrestore(&video->req_lock, flags); - return; } /* @@ -498,7 +532,11 @@ static void uvcg_video_pump(struct work_struct *work) int uvcg_video_disable(struct uvc_video *video) { - struct uvc_request *ureq; + unsigned long flags; + struct list_head inflight_bufs; + struct usb_request *req, *temp; + struct uvc_buffer *buf, *btemp; + struct uvc_request *ureq, *utemp; if (video->ep == NULL) { uvcg_info(&video->uvc->func, @@ -506,15 +544,58 @@ uvcg_video_disable(struct uvc_video *video) return -ENODEV; } + INIT_LIST_HEAD(&inflight_bufs); + spin_lock_irqsave(&video->req_lock, flags); + video->is_enabled = false; + + /* + * Remove any in-flight buffers from the uvc_requests + * because we want to return them before cancelling the + * queue. This ensures that we aren't stuck waiting for + * all complete callbacks to come through before disabling + * vb2 queue. + */ + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->last_buf) { + list_add_tail(&ureq->last_buf->queue, &inflight_bufs); + ureq->last_buf = NULL; + } + } + spin_unlock_irqrestore(&video->req_lock, flags); + cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); + spin_lock_irqsave(&video->req_lock, flags); + /* + * Remove all uvc_requests from ureqs with list_del_init + * This lets uvc_video_free_request correctly identify + * if the uvc_request is attached to a list or not when freeing + * memory. + */ + list_for_each_entry_safe(ureq, utemp, &video->ureqs, list) + list_del_init(&ureq->list); + + list_for_each_entry_safe(req, temp, &video->req_free, list) { + list_del(&req->list); + uvc_video_free_request(req->context, video->ep); } - uvc_video_free_requests(video); + INIT_LIST_HEAD(&video->ureqs); + INIT_LIST_HEAD(&video->req_free); + video->req_size = 0; + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * Return all the video buffers before disabling the queue. + */ + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) { + list_del(&buf->queue); + uvcg_complete_buffer(&video->queue, buf); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + uvcg_queue_enable(&video->queue, 0); return 0; } @@ -532,6 +613,14 @@ int uvcg_video_enable(struct uvc_video *video) return -ENODEV; } + /* + * Safe to access request related fields without req_lock because + * this is the only thread currently active, and no other + * request handling thread will become active until this function + * returns. + */ + video->is_enabled = true; + if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret; @@ -557,6 +646,7 @@ int uvcg_video_enable(struct uvc_video *video) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + video->is_enabled = false; INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock);