From patchwork Thu Nov 9 00:41:01 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 163180
Date: Wed, 8 Nov 2023 16:41:01 -0800
In-Reply-To: <73309396-3856-43a2-9a6f-81a40ed594db@google.com>
References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com>
Message-ID: <20231109004104.3467968-1-arakesh@google.com>
Subject: [PATCH v12 1/4] usb: gadget: uvc: prevent use of disabled endpoint
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org
Cc: etalvala@google.com, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint.

This change moves disabling usb endpoint to the end of streamoff event callback. As the endpoint's state can no longer be used, video_pump is now guarded by uvc->state as well. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Reviewed-by: Daniel Scally
Reviewed-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- v1 -> v2 : Rebased to ToT and reworded commit message. v2 -> v3 : Fix email threading goof-up v3 -> v4 : Address review comments & re-rebase to ToT v4 -> v5 : Add Reviewed-by & Tested-by v5 -> v6 : No change v6 -> v7 : No change v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Fix typo. No functional change. v9 -> v10 : Rebase to ToT (usb-next) v10 -> v11 : No change v11 -> v12 : Rebase to ToT (usb-next) drivers/usb/gadget/function/f_uvc.c | 11 +++++------ drivers/usb/gadget/function/f_uvc.h | 2 +- drivers/usb/gadget/function/uvc.h | 2 +- drivers/usb/gadget/function/uvc_v4l2.c | 20 +++++++++++++++++--- drivers/usb/gadget/function/uvc_video.c | 3 ++- 5 files changed, 26 insertions(+), 12 deletions(-) -- 2.42.0.869.gea05f2083d-goog diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index 786379f1b7b7..77999ed53d33 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl) return 0; } -void uvc_function_setup_continue(struct uvc_device *uvc) +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep) { struct usb_composite_dev *cdev = uvc->func.config->cdev; + if (disable_ep && uvc->video.ep) + usb_ep_disable(uvc->video.ep); + usb_composite_setup_continue(cdev); } @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt) if (uvc->state != UVC_STATE_STREAMING) return 0; - if (uvc->video.ep) - usb_ep_disable(uvc->video.ep); - memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_STREAMOFF; v4l2_event_queue(&uvc->vdev, &v4l2_event); - uvc->state = UVC_STATE_CONNECTED; - return 0; + return USB_GADGET_DELAYED_STATUS; case 1: if (uvc->state != UVC_STATE_CONNECTED) diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h index 1db972d4beeb..083aef0c65c6 100644 
--- a/drivers/usb/gadget/function/f_uvc.h +++ b/drivers/usb/gadget/function/f_uvc.h @@ -11,7 +11,7 @@ struct uvc_device; -void uvc_function_setup_continue(struct uvc_device *uvc); +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); void uvc_function_connect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 6751de8b63ad..989bc6b4e93d 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -177,7 +177,7 @@ struct uvc_file_handle { * Functions */ -extern void uvc_function_setup_continue(struct uvc_device *uvc); +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep); extern void uvc_function_connect(struct uvc_device *uvc); extern void uvc_function_disconnect(struct uvc_device *uvc); diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 3f0a9795c0d4..7cb8d027ff0c 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) * Complete the alternate setting selection setup phase now that * userspace is ready to provide video frames. */ - uvc_function_setup_continue(uvc); + uvc_function_setup_continue(uvc, 0); uvc->state = UVC_STATE_STREAMING; return 0; @@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) struct video_device *vdev = video_devdata(file); struct uvc_device *uvc = video_get_drvdata(vdev); struct uvc_video *video = &uvc->video; + int ret = 0; if (type != video->queue.queue.type) return -EINVAL; - return uvcg_video_enable(video, 0); + uvc->state = UVC_STATE_CONNECTED; + ret = uvcg_video_enable(video, 0); + if (ret < 0) + return ret; + + uvc_function_setup_continue(uvc, 1); + return 0; } static int 
@@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); + /* + * Drop uvc->state to CONNECTED if it was streaming before. + * This ensures that the usb_requests are no longer queued + * to the controller. + */ + if (uvc->state == UVC_STATE_STREAMING) + uvc->state = UVC_STATE_CONNECTED; + uvcg_video_enable(&uvc->video, 0); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; @@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = { .get_unmapped_area = uvcg_v4l2_get_unmapped_area, #endif }; - diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 91af3b1ef0d4..c334802ac0a4 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c 
@@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; + struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (video->ep->enabled) { + while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { /* * Retrieve the first available USB request, protected by the * request lock.

From patchwork Thu Nov 9 00:41:02 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 163181
Date: Wed, 8 Nov 2023 16:41:02 -0800
In-Reply-To: <20231109004104.3467968-1-arakesh@google.com>
References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231109004104.3467968-1-arakesh@google.com>
Message-ID: <20231109004104.3467968-2-arakesh@google.com>
Subject: [PATCH v12 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org
Cc: etalvala@google.com, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allow for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Reviewed-by: Daniel Scally
Reviewed-by: Michael Grzeschik
Suggested-by: Michael Grzeschik
Tested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- v1 -> v2 : Rebased to ToT v2 -> v3 : Fix email threading goof-up v3 -> v4 : Address review comments & re-rebase to ToT v4 -> v5 : Address more review comments. Add Reviewed-by & Tested-by. v5 -> v6 : No change v6 -> v7 : No change v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Address review comments. v9 -> v10 : Address review comments; remove BUG_ON(&video->reqs); Rebase to ToT (usb-next) v10 -> v11 : Add Reviewed-by v11 -> v12 : Rebase to ToT (usb-next) drivers/usb/gadget/function/uvc.h | 3 +- drivers/usb/gadget/function/uvc_video.c | 88 ++++++++++++++----------- 2 files changed, 51 insertions(+), 40 deletions(-) -- 2.42.0.869.gea05f2083d-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 989bc6b4e93d..993694da0bbc 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -81,6 +81,7 @@ struct uvc_request { struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; struct uvc_buffer *last_buf; + struct list_head list; }; struct uvc_video { @@ -102,7 +103,7 @@ struct uvc_video { /* Requests */ unsigned int req_size; - struct uvc_request *ureq; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; spinlock_t req_lock; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c334802ac0a4..1619f9664748 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c 
@@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +static void +uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) +{ + sg_free_table(&ureq->sgt); + if (ureq->req && ep) { + usb_ep_free_request(ep, ureq->req); + ureq->req = NULL; + } + + kfree(ureq->req_buffer); + ureq->req_buffer = NULL; + + if (!list_empty(&ureq->list)) + list_del_init(&ureq->list); + + kfree(ureq); +} + static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req) { int ret; @@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) static int uvc_video_free_requests(struct uvc_video *video) { - unsigned int i; - - if (video->ureq) { - for (i = 0; i < video->uvc_num_requests; ++i) { - sg_free_table(&video->ureq[i].sgt); + struct uvc_request *ureq, *temp; - if (video->ureq[i].req) { - usb_ep_free_request(video->ep, video->ureq[i].req); - video->ureq[i].req = NULL; - } - - if (video->ureq[i].req_buffer) { - kfree(video->ureq[i].req_buffer); - video->ureq[i].req_buffer = NULL; - } - } - - kfree(video->ureq); - video->ureq = NULL; - } + list_for_each_entry_safe(ureq, temp, &video->ureqs, list) + uvc_video_free_request(ureq, video->ep); + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); video->req_size = 0; return 0; @@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video) static int uvc_video_alloc_requests(struct uvc_video *video) { + struct uvc_request *ureq; unsigned int req_size; unsigned int i; int ret = -ENOMEM; 
@@ -332,29 +336,33 @@ uvc_video_alloc_requests(struct uvc_video *video) * max_t(unsigned int, video->ep->maxburst, 1) * (video->ep->mult); - video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL); - if (video->ureq == NULL) - return -ENOMEM; + for (i = 0; i < video->uvc_num_requests; i++) { + ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL); + if (ureq == NULL) + goto error; + + INIT_LIST_HEAD(&ureq->list); + + list_add_tail(&ureq->list, &video->ureqs); - for (i = 0; i < video->uvc_num_requests; ++i) { - video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL); - if (video->ureq[i].req_buffer == NULL) + ureq->req_buffer = kmalloc(req_size, GFP_KERNEL); + if (ureq->req_buffer == NULL) goto error; - video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL); - if (video->ureq[i].req == NULL) + ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL); + if (ureq->req == NULL) goto error; - video->ureq[i].req->buf = video->ureq[i].req_buffer; - video->ureq[i].req->length = 0; - video->ureq[i].req->complete = uvc_video_complete; - video->ureq[i].req->context = &video->ureq[i]; - video->ureq[i].video = video; - video->ureq[i].last_buf = NULL; + ureq->req->buf = ureq->req_buffer; + ureq->req->length = 0; + ureq->req->complete = uvc_video_complete; + ureq->req->context = ureq; + ureq->video = video; + ureq->last_buf = NULL; - list_add_tail(&video->ureq[i].req->list, &video->req_free); + list_add_tail(&ureq->req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */ - sg_alloc_table(&video->ureq[i].sgt, + sg_alloc_table(&ureq->sgt, DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN, PAGE_SIZE) + 2, GFP_KERNEL); } @@ -489,8 +497,8 @@ static void uvcg_video_pump(struct work_struct *work) */ int uvcg_video_enable(struct uvc_video *video, int enable) { - unsigned int i; int ret; + struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -502,9 +510,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable) cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - for (i = 0; i < video->uvc_num_requests; ++i) - if (video->ureq && video->ureq[i].req) - usb_ep_dequeue(video->ep, video->ureq[i].req); + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } uvc_video_free_requests(video); uvcg_queue_enable(&video->queue, 0); 
@@ -536,6 +545,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock); INIT_WORK(&video->pump, uvcg_video_pump);

From patchwork Thu Nov 9 00:41:03 2023
X-Patchwork-Submitter: Avichal Rakesh
X-Patchwork-Id: 163182
Date: Wed, 8 Nov 2023 16:41:03 -0800
In-Reply-To: <20231109004104.3467968-1-arakesh@google.com>
References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231109004104.3467968-1-arakesh@google.com>
Message-ID: <20231109004104.3467968-3-arakesh@google.com>
Subject: [PATCH v12 3/4] usb: gadget: uvc: move video disable logic to its own function
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org
Cc: etalvala@google.com, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de

This patch refactors the video disable logic in uvcg_video_enable into its own separate function 'uvcg_video_disable'. This function is now used anywhere uvcg_video_enable(video, 0) was used.

Reviewed-by: Daniel Scally
Suggested-by: Michael Grzeschik
Signed-off-by: Avichal Rakesh --- XX -> v6 : Introduced this patch to make the next one easier to review v6 -> v7 : Add Suggested-by v7 -> v8 : No change. Getting back in review queue v8 -> v9 : Call uvcg_video_disable directly instead of uvcg_video_enable(video, 0) v9 -> v10 : Rebase to ToT (usb-next) v10 -> v11 : No change v11 -> v12 : Rebase to ToT (usb-next) drivers/usb/gadget/function/uvc_v4l2.c | 6 ++-- drivers/usb/gadget/function/uvc_video.c | 40 ++++++++++++++++--------- drivers/usb/gadget/function/uvc_video.h | 3 +- 3 files changed, 31 insertions(+), 18 deletions(-) -- 2.42.0.869.gea05f2083d-goog diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 7cb8d027ff0c..904dd283cbf7 100644 --- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -443,7 +443,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type) return -EINVAL; /* Enable UVC video. */ - ret = uvcg_video_enable(video, 1); + ret = uvcg_video_enable(video); if (ret < 0) return ret; @@ -469,7 +469,7 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) return -EINVAL; uvc->state = UVC_STATE_CONNECTED; - ret = uvcg_video_enable(video, 0); + ret = uvcg_video_disable(video); if (ret < 0) return ret; @@ -515,7 +515,7 @@ static void uvc_v4l2_disable(struct uvc_device *uvc) if (uvc->state == UVC_STATE_STREAMING) uvc->state = UVC_STATE_CONNECTED; - uvcg_video_enable(&uvc->video, 0); + uvcg_video_disable(&uvc->video); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; wake_up_interruptible(&uvc->func_connected_queue); diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 1619f9664748..c3e8c48f46a9 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c 
@@ -493,31 +493,43 @@ static void uvcg_video_pump(struct work_struct *work) } /* - * Enable or disable the video stream. + * Disable the video stream */ -int uvcg_video_enable(struct uvc_video *video, int enable) +int +uvcg_video_disable(struct uvc_video *video) { - int ret; struct uvc_request *ureq; if (video->ep == NULL) { uvcg_info(&video->uvc->func, - "Video enable failed, device is uninitialized.\n"); + "Video disable failed, device is uninitialized.\n"); return -ENODEV; } - if (!enable) { - cancel_work_sync(&video->pump); - uvcg_queue_cancel(&video->queue, 0); + cancel_work_sync(&video->pump); + uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); - } + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->req) + usb_ep_dequeue(video->ep, ureq->req); + } - uvc_video_free_requests(video); - uvcg_queue_enable(&video->queue, 0); - return 0; + uvc_video_free_requests(video); + uvcg_queue_enable(&video->queue, 0); + return 0; +} + +/* + * Enable the video stream. + */ +int uvcg_video_enable(struct uvc_video *video) +{ + int ret; + + if (video->ep == NULL) { + uvcg_info(&video->uvc->func, + "Video enable failed, device is uninitialized.\n"); + return -ENODEV; } if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) diff --git a/drivers/usb/gadget/function/uvc_video.h b/drivers/usb/gadget/function/uvc_video.h index 03adeefa343b..8ef6259741f1 100644 --- a/drivers/usb/gadget/function/uvc_video.h +++ b/drivers/usb/gadget/function/uvc_video.h 
@@ -14,7 +14,8 @@ struct uvc_video; -int uvcg_video_enable(struct uvc_video *video, int enable); +int uvcg_video_enable(struct uvc_video *video); +int uvcg_video_disable(struct uvc_video *video); int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc); From patchwork Thu Nov 9 00:41:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Avichal Rakesh X-Patchwork-Id: 163183 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b129:0:b0:403:3b70:6f57 with SMTP id q9csp137840vqs; Wed, 8 Nov 2023 16:42:19 -0800 (PST) X-Google-Smtp-Source: AGHT+IGEnYLtIuwSj7p7TGy/LcCVSRatj7ABROnaN+JEz0MM5OuUl94amsOlVU0Ws22Q+p0bNvvW X-Received: by 2002:a17:90b:4d04:b0:281:b9:fc7c with SMTP id mw4-20020a17090b4d0400b0028100b9fc7cmr223124pjb.0.1699490539070; Wed, 08 Nov 2023 16:42:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1699490539; cv=none; d=google.com; s=arc-20160816; b=Lq+p8rbgAcmIFa0MxjSD7pRxq7GCpsUcdtcu9eph5puNkBkrhmmBVL2D7i8Fcg84DT Ug5C1LD3bJnFxJKiHdX4fd8c0mXg24QuIFdOs+DW8kI5SuDeJvg16X4IT6Kb40/XBvSx jt6aYupS789s0Dqc4oIOu7PYpXHYYsGSxCE7lI42OFwT5TmwoYdLgslzuxY4D4L/UeFe J5d7VSDZoECOriGjYyuMMTZWqJNX0gQTnabjRw66avKnf/xGahC4Emv8rCG/5n6QkRAd osXQcBnmMLnhrtTCctFOD/8lmnF90u2dmpecAS0oye3UzGSROBxQ1qDPXj4sNUZIoqdM XuuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=gcBBo0DVTc7llz0aQgPApWtsQP64S4JC7/VeqnxMe0M=; fh=812M7VuOpiTijUQuamc/m0WVPtcBYikel9HAhgg9kY8=; b=umXFyzjgyFvaquA0ywBf2FxPsDGYK5bYg2+p2S8B5hPBSR9OHOcrvJfk8XAKE3H10H Yg6oxZBNCmJ6EhJeviDpcjO4RkXxyhf1iyoAn22KwDg3POpl4fIrMZ/k1MDpIkm5GrPo i+DJt4pqs7Z4ZfrbIJpc8fiSWJkSEOpLjqSyjRcjaivMGsd99/T22yxLcr5dRuJRMQYI M2T1nUj8SE4bi3RZMpaHv+R8C5JASeJF9N51/+PZaLTKRyhmiKa4uWaaNb+m30qfPC69 BrKxVegj/doQhdCN44EOboIWQirtesjieWrmANu5vSa9kkHeh26z/WQvST19zVSIXwZj TCtw== ARC-Authentication-Results: i=1; 
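Review bot: in the uvc_v4l2_streamoff hunk of patch 3/4 (uvc_v4l2.c), uvc->state is set to UVC_STATE_CONNECTED before uvcg_video_disable(video) is called, so the `if (ret < 0) return ret;` path returns an error with the state already changed. Please add a short comment saying whether that ordering is required by the disable path; if it is not, update the state only after the call has succeeded. The same file's uvc_v4l2_disable hunk discards the return value of uvcg_video_disable(&uvc->video), which deserves a one-line comment as well.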
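Review bot: in the uvc_video.c hunk of patch 3/4, the new uvcg_video_disable() definition puts `int` on a line of its own while uvcg_video_enable(), defined just below it, keeps the return type on the same line as the name; use one form for both. The new "Disable the video stream" comment is also missing the final period that "Enable the video stream." has. Since the `video->ep == NULL` check and its uvcg_info() message are now duplicated in both functions, a small shared helper would keep the two messages from drifting apart.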
Date: Wed, 8 Nov 2023 16:41:04 -0800
In-Reply-To: <20231109004104.3467968-1-arakesh@google.com>
Mime-Version: 1.0
References: <73309396-3856-43a2-9a6f-81a40ed594db@google.com> <20231109004104.3467968-1-arakesh@google.com>
X-Mailer: git-send-email 2.42.0.869.gea05f2083d-goog
Message-ID: <20231109004104.3467968-4-arakesh@google.com>
Subject: [PATCH v12 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
From: Avichal Rakesh
To: arakesh@google.com, dan.scally@ideasonboard.com, gregkh@linuxfoundation.org
Cc: etalvala@google.com, jchowdhary@google.com, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, m.grzeschik@pengutronix.de
X-Mailing-List: linux-kernel@vger.kernel.org

Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_video to track when frames and requests should be flowing. When disabling the video stream, the flag is tripped and, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by it (as present in req_free). Other usb_requests are left untouched until their completion handler is called which takes care of freeing the usb_request and its corresponding uvc_request.

Now that uvc_video does not depend on uvc->state, this patch removes unnecessary updates to uvc->state that were made to accommodate uvc_video logic.
This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own. Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com Reviewed-by: Daniel Scally Reviewed-by: Michael Grzeschik Suggested-by: Michael Grzeschik Tested-by: Michael Grzeschik Signed-off-by: Avichal Rakesh --- v1 -> v2 : Rebased to ToT, and fixed deadlock reported in https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/ v2 -> v3 : Fix email threading goof-up v3 -> v4 : re-rebase to ToT & moved to a uvc_video level lock as discussed in https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/ v4 -> v5 : Address review comments. Add Reviewed-by & Tested-by. v5 -> v6 : Added another patch before this one to make uvcg_video_disable easier to review. v6 -> v7 : Fix warning reported in https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/ v7 -> v8 : No change. Getting back in review queue v8 -> v9 : No change. v9 -> v10 : Address review comments. Rebase to ToT (usb-next) v10 -> v11 : Address review comments v11 -> v12 : Add Reviewed-by; Rebase to ToT (usb-next) drivers/usb/gadget/function/uvc.h | 1 + drivers/usb/gadget/function/uvc_v4l2.c | 10 +- drivers/usb/gadget/function/uvc_video.c | 130 ++++++++++++++++++++---- 3 files changed, 112 insertions(+), 29 deletions(-) -- 2.42.0.869.gea05f2083d-goog diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h index 993694da0bbc..be0d012aa244 100644 --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -102,6 +102,7 @@ struct uvc_video { unsigned int uvc_num_requests; /* Requests */ + bool is_enabled; /* tracks whether video stream is enabled */ unsigned int req_size; struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ struct list_head req_free; diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c index 904dd283cbf7..c7e5fa4f29e0 100644 
--- a/drivers/usb/gadget/function/uvc_v4l2.c +++ b/drivers/usb/gadget/function/uvc_v4l2.c @@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) if (type != video->queue.queue.type) return -EINVAL; - uvc->state = UVC_STATE_CONNECTED; ret = uvcg_video_disable(video); if (ret < 0) return ret; + uvc->state = UVC_STATE_CONNECTED; uvc_function_setup_continue(uvc, 1); return 0; } @@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh, static void uvc_v4l2_disable(struct uvc_device *uvc) { uvc_function_disconnect(uvc); - /* - * Drop uvc->state to CONNECTED if it was streaming before. - * This ensures that the usb_requests are no longer queued - * to the controller. - */ - if (uvc->state == UVC_STATE_STREAMING) - uvc->state = UVC_STATE_CONNECTED; - uvcg_video_disable(&uvc->video); uvcg_free_buffers(&uvc->video.queue); uvc->func_connected = false; diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index c3e8c48f46a9..164bdeb7f2a9 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -227,6 +227,10 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video, * Request handling */ +/* + * Callers must take care to hold req_lock when this function may be called + * from multiple threads. For example, when frames are streaming to the host. + */ static void uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep) { 
@@ -271,9 +275,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) struct uvc_request *ureq = req->context; struct uvc_video *video = ureq->video; struct uvc_video_queue *queue = &video->queue; - struct uvc_device *uvc = video->uvc; + struct uvc_buffer *last_buf; unsigned long flags; + spin_lock_irqsave(&video->req_lock, flags); + if (!video->is_enabled) { + /* + * When is_enabled is false, uvcg_video_disable() ensures + * that in-flight uvc_buffers are returned, so we can + * safely call free_request without worrying about + * last_buf. + */ + uvc_video_free_request(ureq, ep); + spin_unlock_irqrestore(&video->req_lock, flags); + return; + } + + last_buf = ureq->last_buf; + ureq->last_buf = NULL; + spin_unlock_irqrestore(&video->req_lock, flags); + switch (req->status) { case 0: break; @@ -295,17 +316,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) uvcg_queue_cancel(queue, 0); } - if (ureq->last_buf) { - uvcg_complete_buffer(&video->queue, ureq->last_buf); - ureq->last_buf = NULL; + if (last_buf) { + spin_lock_irqsave(&queue->irqlock, flags); + uvcg_complete_buffer(queue, last_buf); + spin_unlock_irqrestore(&queue->irqlock, flags); } spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); - spin_unlock_irqrestore(&video->req_lock, flags); - - if (uvc->state == UVC_STATE_STREAMING) + /* + * Video stream might have been disabled while we were + * processing the current usb_request. So make sure + * we're still streaming before queueing the usb_request + * back to req_free + */ + if (video->is_enabled) { + list_add_tail(&req->list, &video->req_free); queue_work(video->async_wq, &video->pump); + } else { + uvc_video_free_request(ureq, ep); + } + spin_unlock_irqrestore(&video->req_lock, flags); } static int 
@@ -392,20 +422,22 @@ static void uvcg_video_pump(struct work_struct *work) struct uvc_video_queue *queue = &video->queue; /* video->max_payload_size is only set when using bulk transfer */ bool is_bulk = video->max_payload_size; - struct uvc_device *uvc = video->uvc; struct usb_request *req = NULL; struct uvc_buffer *buf; unsigned long flags; bool buf_done; int ret; - while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) { + while (true) { + if (!video->ep->enabled) + return; + /* - * Retrieve the first available USB request, protected by the - * request lock. + * Check is_enabled and retrieve the first available USB + * request, protected by the request lock. */ spin_lock_irqsave(&video->req_lock, flags); - if (list_empty(&video->req_free)) { + if (!video->is_enabled || list_empty(&video->req_free)) { spin_unlock_irqrestore(&video->req_lock, flags); return; } @@ -487,9 +519,11 @@ static void uvcg_video_pump(struct work_struct *work) return; spin_lock_irqsave(&video->req_lock, flags); - list_add_tail(&req->list, &video->req_free); + if (video->is_enabled) + list_add_tail(&req->list, &video->req_free); + else + uvc_video_free_request(req->context, video->ep); spin_unlock_irqrestore(&video->req_lock, flags); - return; } /* @@ -498,7 +532,11 @@ static void uvcg_video_pump(struct work_struct *work) int uvcg_video_disable(struct uvc_video *video) { - struct uvc_request *ureq; + unsigned long flags; + struct list_head inflight_bufs; + struct usb_request *req, *temp; + struct uvc_buffer *buf, *btemp; + struct uvc_request *ureq, *utemp; if (video->ep == NULL) { uvcg_info(&video->uvc->func, 
@@ -506,15 +544,58 @@ uvcg_video_disable(struct uvc_video *video) return -ENODEV; } + INIT_LIST_HEAD(&inflight_bufs); + spin_lock_irqsave(&video->req_lock, flags); + video->is_enabled = false; + + /* + * Remove any in-flight buffers from the uvc_requests + * because we want to return them before cancelling the + * queue. This ensures that we aren't stuck waiting for + * all complete callbacks to come through before disabling + * vb2 queue. + */ + list_for_each_entry(ureq, &video->ureqs, list) { + if (ureq->last_buf) { + list_add_tail(&ureq->last_buf->queue, &inflight_bufs); + ureq->last_buf = NULL; + } + } + spin_unlock_irqrestore(&video->req_lock, flags); + cancel_work_sync(&video->pump); uvcg_queue_cancel(&video->queue, 0); - list_for_each_entry(ureq, &video->ureqs, list) { - if (ureq->req) - usb_ep_dequeue(video->ep, ureq->req); + spin_lock_irqsave(&video->req_lock, flags); + /* + * Remove all uvc_requests from ureqs with list_del_init + * This lets uvc_video_free_request correctly identify + * if the uvc_request is attached to a list or not when freeing + * memory. + */ + list_for_each_entry_safe(ureq, utemp, &video->ureqs, list) + list_del_init(&ureq->list); + + list_for_each_entry_safe(req, temp, &video->req_free, list) { + list_del(&req->list); + uvc_video_free_request(req->context, video->ep); } - uvc_video_free_requests(video); + INIT_LIST_HEAD(&video->ureqs); + INIT_LIST_HEAD(&video->req_free); + video->req_size = 0; + spin_unlock_irqrestore(&video->req_lock, flags); + + /* + * Return all the video buffers before disabling the queue. + */ + spin_lock_irqsave(&video->queue.irqlock, flags); + list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) { + list_del(&buf->queue); + uvcg_complete_buffer(&video->queue, buf); + } + spin_unlock_irqrestore(&video->queue.irqlock, flags); + uvcg_queue_enable(&video->queue, 0); return 0; } 
@@ -532,6 +613,14 @@ int uvcg_video_enable(struct uvc_video *video) return -ENODEV; } + /* + * Safe to access request related fields without req_lock because + * this is the only thread currently active, and no other + * request handling thread will become active until this function + * returns. + */ + video->is_enabled = true; + if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0) return ret; @@ -557,6 +646,7 @@ int uvcg_video_enable(struct uvc_video *video) */ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) { + video->is_enabled = false; INIT_LIST_HEAD(&video->ureqs); INIT_LIST_HEAD(&video->req_free); spin_lock_init(&video->req_lock);
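Review bot: the is_enabled field added to struct uvc_video in the uvc.h hunk of patch 4/4 does not say which lock protects it. uvc_video_complete(), uvcg_video_pump() and uvcg_video_disable() all touch it under req_lock, and uvcg_video_enable() writes it without the lock on the strength of a comment, so the field comment should read something like "protected by req_lock" and point at that one exception.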
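Review bot: in the uvc_video_complete() hunk of patch 4/4, the early return taken when is_enabled is false relies only on a comment for the claim that uvcg_video_disable() has already detached last_buf; nothing checks it. A `WARN_ON(ureq->last_buf)` under req_lock, just before uvc_video_free_request(ureq, ep), would make a buffer that is attached to a request after the flag was cleared show up as a report instead of being dropped without ever reaching uvcg_complete_buffer().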
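Review bot: nothing in the rewritten uvcg_video_disable() (patch 4/4, uvc_video.c) guarantees that requests still held by the controller are ever completed: the usb_ep_dequeue() loop is removed and every uvc_request is unlinked from ureqs with list_del_init(), so after this function returns the driver has no handle on in-flight requests and depends entirely on uvc_video_complete() being called for each one. Please say in the function comment what ensures those completions arrive before the endpoint and uvc_video go away, because a request that never completes is now leaked with no list to find it on. Minor: once the two list_for_each_entry_safe loops have emptied ureqs and req_free, the `INIT_LIST_HEAD(&video->ureqs)` and `INIT_LIST_HEAD(&video->req_free)` calls are redundant.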
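Review bot: in the uvcg_video_enable() hunk of patch 4/4, `video->is_enabled = true;` is set before `uvcg_queue_enable(&video->queue, 1)`, and the `return ret` taken when that call fails leaves the flag set. Clear is_enabled on the error return so that a failed enable does not leave uvc_video marked as streaming, which is the state the completion handler and the pump worker use to decide between requeueing and freeing a request.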