From patchwork Wed Nov 22 10:19:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ricardo Ribalda X-Patchwork-Id: 168284 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2b07:b0:403:3b70:6f57 with SMTP id io7csp1221442vqb; Wed, 22 Nov 2023 02:20:09 -0800 (PST) X-Google-Smtp-Source: AGHT+IGOMKDGzAB7clIc0WUtTBUegPzH36isg3zG9yzkF8zOWU6cbqzvxSXjqlo2B7ZBZCdeR3M2 X-Received: by 2002:a54:468c:0:b0:3a9:bb08:d468 with SMTP id k12-20020a54468c000000b003a9bb08d468mr1833958oic.55.1700648409273; Wed, 22 Nov 2023 02:20:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700648409; cv=none; d=google.com; s=arc-20160816; b=XuWK07PmpVpCPz6eznmKydKSoIUKiTy7cs8IAuzn0Op1ifREn32h1sR5rLisa1CtSd eTZJTEXm53rEdZ9PDVpZ19Sr2iHnhBE50ASEpMCoaJEf6EOpcemLXUisl9AR0AaKjm66 5XBH1BauRyMSMg0D4iNbyO+LtN7CdOB8c4GRxDJ2fGkFeGhi8tUFgfAgcp0C63zvZnkm YnmHPdpJmaccYpzow1ERcIelfif+zpp6ZWvutfWzP6Iid9XXmVT02I6pcFHF0ap/I8n7 ovrHQvx6ENLNrwyiYAwPsmcG+o4j9Nyesu6KEgb5R2msYIOq7xSvu/PRpYer7y+ciwyr 1k4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:in-reply-to:references:message-id :content-transfer-encoding:mime-version:subject:date:from :dkim-signature; bh=3jbUgexWSE+UkwxAykTeDpdOwZGPMwaBInU8mlrkF50=; fh=m7dgJSqrUWbEiCvuETYoo3Fvna8nCiBibY2ykXjL+q8=; b=gCZ5tD+R0yZx1MdUqhP2pw0VA/2k2YFuPDUexg2NuYOyqUGETl2JLkULKrIkjOYOpY Xa5gg2MVaNCPOwhcsYfN7l3YW4G0Tj0yAGzUypOo8qrAkaDKTAu0xd3r1SuJO2FEsKJp na4FvD3Qw5+TLp0EGsOUBTsBtbpydGkn2z6JKTckmB4pLOHM8Ljn7vnznkYwHJTZ1Wuv WIWZOCT8z+DsUXFUZTSF03bNwHVz7L0HaSh1eZgYToM/xnkA3HMs2h7jtLsvGZWNv8E7 G5HDF6S/cP/ZfG7zWOqv69jtmmDzn+9NYm4MDl5CivCg6K9r4xsa2a72hc88fXacKQJR 7Bzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=F7wxorbO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2]) by mx.google.com with ESMTPS id g124-20020a636b82000000b005ac8d44bad5si11880616pgc.7.2023.11.22.02.20.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:20:09 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=F7wxorbO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id A7E03811F574; Wed, 22 Nov 2023 02:19:57 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235342AbjKVKTy (ORCPT + 99 others); Wed, 22 Nov 2023 05:19:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58444 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235204AbjKVKTv (ORCPT ); Wed, 22 Nov 2023 05:19:51 -0500 Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E8AE93 for ; Wed, 22 Nov 2023 02:19:47 -0800 (PST) Received: by mail-qk1-x72b.google.com with SMTP id af79cd13be357-77d55e986ecso114531885a.2 for ; Wed, 22 Nov 2023 02:19:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1700648386; x=1701253186; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=3jbUgexWSE+UkwxAykTeDpdOwZGPMwaBInU8mlrkF50=; b=F7wxorbOiTE0uDAQtEfKGrBeMd2wEhVSErzly03FhyI05NagpfT2xSZQR6TxDtE/Lj qznHJm6IDGkXuGUm7Ngi9LiI+IBp34S+NLGP7+5s5V/GjE8vhzY5rDHPzOwDpDi0F4o/ fsCzeUjHjTRdfe8mYVqQ3ALUCZj4d/Cs/oLhU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700648386; x=1701253186; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3jbUgexWSE+UkwxAykTeDpdOwZGPMwaBInU8mlrkF50=; b=kzop6X31wcz1upWT7ffEiUAKbyt/JdkXsaCViJtayTIgxu2y6PziDWHubdaK41A2ce UmlMHM0KQ3hB3HLKeH3IjDaC6I/G3KWS5/56L6QKKvn3AgT1m18SP8tNLqXFoq4yl1lW hIhrE3ZU9fqQSJIdkhXc0Ri+4/Q5ynunofAHFO6e4t36ejY2/yuYg5QplFj1VWhRbHTQ XxM1ZgIVLPkbFdgaPwZrDRGwe/1+Nponr3fr6AHhutkiWhbXxZ3Qeu+rn4WrHuhd5sk8 X1cD/A5ACp8y29MqSN80N91ZX4Hclal23yP42gJv6nJnHHtI4BS2P97cKfl4LVj045o2 VVtg== X-Gm-Message-State: AOJu0Yxj8kY1rTtPUfPUH8pu/RFpyE3HEiazRwe0/Iy5/AOe/jT3v/Wb /QfKATou4Ilmd1mdkCesjdRKLw== X-Received: by 2002:a05:6214:250d:b0:679:f6e4:5ed1 with SMTP id gf13-20020a056214250d00b00679f6e45ed1mr1464786qvb.60.1700648386567; Wed, 22 Nov 2023 02:19:46 -0800 (PST) Received: from denia.c.googlers.com (228.221.150.34.bc.googleusercontent.com. [34.150.221.228]) by smtp.gmail.com with ESMTPSA id di6-20020ad458e6000000b0066d1d2242desm4739352qvb.120.2023.11.22.02.19.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:19:45 -0800 (PST) From: Ricardo Ribalda Date: Wed, 22 Nov 2023 10:19:34 +0000 Subject: [PATCH v4 1/3] media: uvcvideo: Lock video streams and queues while unregistering MIME-Version: 1.0 Message-Id: <20231122-guenter-mini-v4-1-3d94e1e34dc1@chromium.org> References: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> In-Reply-To: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> To: Mauro Carvalho Chehab Cc: Guenter Roeck , Tomasz Figa , Laurent Pinchart , Alan Stern , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul , Ricardo Ribalda , Sakari Ailus , Sergey Senozhatsky X-Mailer: b4 0.12.3 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Wed, 22 Nov 2023 02:19:57 -0800 (PST) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1783259106469001031 X-GMAIL-MSGID: 1783259106469001031 From: Guenter Roeck The call to uvc_disconnect() is not protected by any mutex. This means it can and will be called while other accesses to the video device are in progress. This can cause all kinds of race conditions, including crashes such as the following. usb 1-4: USB disconnect, device number 3 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 5633 Comm: V4L2CaptureThre Not tainted 4.19.113-08536-g5d29ca36db06 #1 Hardware name: GOOGLE Edgar, BIOS Google_Edgar.7287.167.156 03/25/2019 RIP: 0010:usb_ifnum_to_if+0x29/0x40 Code: <...> RSP: 0018:ffffa46f42a47a80 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff904a396c9000 RDX: ffff904a39641320 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffa46f42a47a80 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000000009975 R11: 0000000000000009 R12: 0000000000000000 R13: ffff904a396b3800 R14: ffff904a39e88000 R15: 0000000000000000 FS: 00007f396448e700(0000) GS:ffff904a3ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000016cb46000 CR4: 00000000001006f0 Call Trace: usb_hcd_alloc_bandwidth+0x1ee/0x30f usb_set_interface+0x1a3/0x2b7 uvc_video_start_transfer+0x29b/0x4b8 [uvcvideo] uvc_video_start_streaming+0x91/0xdd [uvcvideo] uvc_start_streaming+0x28/0x5d [uvcvideo] vb2_start_streaming+0x61/0x143 [videobuf2_common] vb2_core_streamon+0xf7/0x10f [videobuf2_common] uvc_queue_streamon+0x2e/0x41 [uvcvideo] uvc_ioctl_streamon+0x42/0x5c [uvcvideo] __video_do_ioctl+0x33d/0x42a video_usercopy+0x34e/0x5ff ? video_ioctl2+0x16/0x16 v4l2_ioctl+0x46/0x53 do_vfs_ioctl+0x50a/0x76f ksys_ioctl+0x58/0x83 __x64_sys_ioctl+0x1a/0x1e do_syscall_64+0x54/0xde usb_set_interface() should not be called after the USB device has been unregistered. However, in the above case the disconnect happened after v4l2_ioctl() was called, but before the call to usb_ifnum_to_if(). Acquire various mutexes in uvc_unregister_video() to fix the majority (maybe all) of the observed race conditions. The uvc_device lock prevents races against suspend and resume calls and the poll function. The uvc_streaming lock prevents races against stream related functions; for the most part, those are ioctls. This lock also requires other functions using this lock to check if a video device is still registered after acquiring it. For example, it was observed that the video device was already unregistered by the time the stream lock was acquired in uvc_ioctl_streamon(). The uvc_queue lock prevents races against queue functions, Most of those are already protected by the uvc_streaming lock, but some are called directly. This is done as added protection; an actual race was not (yet) observed. Cc: Laurent Pinchart Cc: Alan Stern Cc: Hans Verkuil Reviewed-by: Tomasz Figa Reviewed-by: Sean Paul Signed-off-by: Guenter Roeck Reviewed-by: Sergey Senozhatsky Signed-off-by: Ricardo Ribalda --- drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 08fcd2ffa727..ded2cb6ce14f 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1907,14 +1907,22 @@ static void uvc_unregister_video(struct uvc_device *dev) { struct uvc_streaming *stream; + mutex_lock(&dev->lock); + list_for_each_entry(stream, &dev->streams, list) { if (!video_is_registered(&stream->vdev)) continue; + mutex_lock(&stream->mutex); + mutex_lock(&stream->queue.mutex); + video_unregister_device(&stream->vdev); video_unregister_device(&stream->meta.vdev); uvc_debugfs_cleanup_stream(stream); + + mutex_unlock(&stream->queue.mutex); + mutex_unlock(&stream->mutex); } uvc_status_unregister(dev); @@ -1925,6 +1933,7 @@ static void uvc_unregister_video(struct uvc_device *dev) if (media_devnode_is_registered(dev->mdev.devnode)) media_device_unregister(&dev->mdev); #endif + mutex_unlock(&dev->lock); } int uvc_register_video_device(struct uvc_device *dev, From patchwork Wed Nov 22 10:19:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ricardo Ribalda X-Patchwork-Id: 168286 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2b07:b0:403:3b70:6f57 with SMTP id io7csp1221640vqb; Wed, 22 Nov 2023 02:20:38 -0800 (PST) X-Google-Smtp-Source: AGHT+IGUpNbhEZytwSOeG3LA+/jY5vyUyVv1GKmUXXSYCQTam+GIqqzO2jdHDTN7CjGq/GogiwGl X-Received: by 2002:a92:c9c4:0:b0:359:d3fa:e01e with SMTP id k4-20020a92c9c4000000b00359d3fae01emr1531790ilq.30.1700648437834; Wed, 22 Nov 2023 02:20:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700648437; cv=none; d=google.com; s=arc-20160816; b=M0KT6cmitsxr0hFdPdKuouLr5rvAJqJF9ptlYuAmmKhH3ubh4pebyxFuxhd/RZquca visR8W1WQVDm1jSqWg5khjI3OhndPdxuYfTETJu7dM1nIOIFpmQg7Vi9TFT64Iw0f8v7 KBJHUiik1gIeO6Lh098BGosofzGEDIDcFXAFq4R9FH3aKnLNbSYXszLZl31yj4Mdt0ZO 4R/WpLjMwVeWr/C52KyCO6F50pb5fjnvj+hdmRmPJPMwqFdi16JvrPFmBN+8y9zFEgd7 3gwdzacd1yVSqJp0di4QEhPlv+5H/wjKKIcshDM4mjfN9wSMWIqfLz+D2Ea1mSVM/JN5 TVzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:in-reply-to:references:message-id :content-transfer-encoding:mime-version:subject:date:from :dkim-signature; bh=1y6RZGZZzUKyI0AjxKgp4LZORspR1wFnVoan2A/smok=; fh=WWnPKiv+kUZ67/1TvOhVmT8DWyiNJdxVbN6JTFoOA5k=; b=Ot3BdaRoR8GWkPAZjJeBQcddL96AtlcLwTew0DCe8bE0ERWydjuZzpo96abUC7xdex XHC9q2d7gnQEDJj64juMrDMMnNG/cQ+qmYxbhjNCQk4ZEc9TDEjqZvcnpaJAu7QQudz6 JKy83no6wnLitdM3RlmJaOIdY0OR/uSwdsEYysPo2jMkYvlbCF1Ygtgtx78uMz4thgHy s/4eM76cycqk8nLMGfpHSEWAEUbKx/mQXxVXX4CNXny5GKVdci1S//+C/kGHfHVHQhkw h2wFKKWFJzleleFGBESr1UGkbJOKD+dJeDsq7JWc3VZnKnVfgWo5Ninq/6mv7IdO4um8 z+WQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="I/HjlToi"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33]) by mx.google.com with ESMTPS id f14-20020a63100e000000b00578d0d070f4si12254168pgl.844.2023.11.22.02.20.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:20:37 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="I/HjlToi"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id A099B8215782; Wed, 22 Nov 2023 02:20:35 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343781AbjKVKT5 (ORCPT + 99 others); Wed, 22 Nov 2023 05:19:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235315AbjKVKTv (ORCPT ); Wed, 22 Nov 2023 05:19:51 -0500 Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 10043191 for ; Wed, 22 Nov 2023 02:19:48 -0800 (PST) Received: by mail-qv1-xf35.google.com with SMTP id 6a1803df08f44-67089696545so25602776d6.0 for ; Wed, 22 Nov 2023 02:19:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1700648387; x=1701253187; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=1y6RZGZZzUKyI0AjxKgp4LZORspR1wFnVoan2A/smok=; b=I/HjlToif65LhLdRS0B35L26u++dsWGjxAPPjcZLEAt73+yV3xFpJT+RYKw4jVJGKG w4ETGigoJAzffKSJHdz9fRJu8RmOnM7lGYXdF77FOTkhYnWJn99BXbMbtsvb1pvetZ5L MZLpbBxEdhwhW7x0ihj5geRP3EpukcCF9E400= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700648387; x=1701253187; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1y6RZGZZzUKyI0AjxKgp4LZORspR1wFnVoan2A/smok=; b=cvwaLGRwgIezbO6lVKaWQKx6cLT4XvQWm1Q1I/pCxOwvDA6Tu+hE8vZWOxtOKsHMK9 1Sx+rMqTDIUS73pmRWRVFkniR+Qsmgs6oUZm1Qhc72lcuW07dVipClT9K9CEM/WiDfNd TkRScTCobZueeOx/+Uj0WnJioTpDfgQI753bkLx1jlXx95xOy/JELQJIBXyTtOYaMlVl j/5xsYVq0u/D+CoSatgoj5Ycpqd3n98YrDcWGMRaBTKxMwgj1DBHIJBdjj4/m2vZgOoX 7a3yy80r+7UnVkxQHnYpBaCVxOPMJbc7w5Gzil6wAzvYl7+T3ul1yBhDZ6XPfj92TsZb 70Vw== X-Gm-Message-State: AOJu0YxkDhjYDG6HMRFaF/3ONFZZk1C9RRLofDPkNuP8b8NSM6CouTlm qfHzqmZRIIERevrEqmGU9a6zwA== X-Received: by 2002:ad4:5e86:0:b0:672:118e:e368 with SMTP id jl6-20020ad45e86000000b00672118ee368mr2089387qvb.24.1700648387220; Wed, 22 Nov 2023 02:19:47 -0800 (PST) Received: from denia.c.googlers.com (228.221.150.34.bc.googleusercontent.com. [34.150.221.228]) by smtp.gmail.com with ESMTPSA id di6-20020ad458e6000000b0066d1d2242desm4739352qvb.120.2023.11.22.02.19.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:19:46 -0800 (PST) From: Ricardo Ribalda Date: Wed, 22 Nov 2023 10:19:35 +0000 Subject: [PATCH v4 2/3] media: uvcvideo: Always use uvc_status_stop() MIME-Version: 1.0 Message-Id: <20231122-guenter-mini-v4-2-3d94e1e34dc1@chromium.org> References: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> In-Reply-To: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> To: Mauro Carvalho Chehab Cc: Guenter Roeck , Tomasz Figa , Laurent Pinchart , Alan Stern , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul , Ricardo Ribalda , Sakari Ailus , Sakari Ailus X-Mailer: b4 0.12.3 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Wed, 22 Nov 2023 02:20:35 -0800 (PST) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1783259136479981295 X-GMAIL-MSGID: 1783259136479981295 The only thread safe way to stop the status handler is with uvc_status. Let's remove all the code paths partially stopping uvc_status. Reviewed-by: Sakari Ailus Signed-off-by: Ricardo Ribalda --- drivers/media/usb/uvc/uvc_ctrl.c | 4 ---- drivers/media/usb/uvc/uvc_status.c | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index e59a463c2761..8e22a07e3e7b 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -2765,10 +2765,6 @@ void uvc_ctrl_cleanup_device(struct uvc_device *dev) struct uvc_entity *entity; unsigned int i; - /* Can be uninitialized if we are aborting on probe error. */ - if (dev->async_ctrl.work.func) - cancel_work_sync(&dev->async_ctrl.work); - /* Free controls and control mappings for all entities. */ list_for_each_entry(entity, &dev->entities, list) { for (i = 0; i < entity->ncontrols; ++i) { diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c index a78a88c710e2..0208612a9f12 100644 --- a/drivers/media/usb/uvc/uvc_status.c +++ b/drivers/media/usb/uvc/uvc_status.c @@ -292,7 +292,7 @@ int uvc_status_init(struct uvc_device *dev) void uvc_status_unregister(struct uvc_device *dev) { - usb_kill_urb(dev->int_urb); + uvc_status_stop(dev); uvc_input_unregister(dev); } From patchwork Wed Nov 22 10:19:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ricardo Ribalda X-Patchwork-Id: 168285 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2b07:b0:403:3b70:6f57 with SMTP id io7csp1221491vqb; Wed, 22 Nov 2023 02:20:17 -0800 (PST) X-Google-Smtp-Source: AGHT+IHz3KSdp0LPzwTghKxi7Sh0dxes1bs+ZHRLjPzqEJG3DTxLXtLqRkQOL/twHeAhjwV1ZcL7 X-Received: by 2002:a05:6808:1645:b0:3ae:156f:d319 with SMTP id az5-20020a056808164500b003ae156fd319mr2340177oib.45.1700648416670; Wed, 22 Nov 2023 02:20:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700648416; cv=none; d=google.com; s=arc-20160816; b=VJv5EqwnSAF36/WGLpQKYmXe8ER6L21TFEiV3lIN4+OiLLZfwNyHYbVk6QNw9gT5E7 Zd9EwzCfGOHcyWBsatPqN9t3hLx0WB1dUSW7lAZe+shQSw9hDE3W63lKX3OccDrzIS+h 5YBFNt6pRk2aYorD2DoDIpPiZ44gsIqMjSYVHF44vpWHMGInxxRoiuKY8UmiT13x0FWG Vx9zvuDsapyZbBfitxIlEUDlsjrlYcp5KVqaraS/cVTNhishPY3TpXox7akj8sWSO12q YD7nbw2wfPUpevKMfwd+ziYohzNjKkiecPBBekt2HN29CoUM2JA8/PztjAytvIo85g84 Df1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:in-reply-to:references:message-id :content-transfer-encoding:mime-version:subject:date:from :dkim-signature; bh=zcSnz+Cq458gO5KcUl518VSe/I/HM4THBDX1iPhbXu0=; fh=Olmnw9EiPOHXl6tXYk5T9PPwqL+0H7V+IoxB1uD1V0I=; b=D1F5dZc2CymaR2xV71ZTglFnF0d6Gem/r1aozB4RUSan5Lt3oIgft+Ctpa3suas26J xZypkPPP35JS5QLvBrvVO4zyRbqXpv9eNerI24jFdVrGCWr0Glt4Ztw8nlJG0510NgvR /cFBgCXrjauNS0blTm/lY0QeJPwzwmyexMkUsuIvNBwz8racduRHEQzWcXKE+POnUEbU /ZwPngdmT1aU5MVZ8dl+pywZjRPQ4cWLNWVjjUM1XbeYQyTbdbi2aAu0NMnT5m+pgLNV C6EmoEa9kh59ookLwoK7CeEqFvbi4UTRkXofj9RHY7pE5Vo9o386ALKmwA1xWzDowLqK x6kQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=eosc7BWl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id t21-20020a635355000000b005c277f3387asi1300918pgl.18.2023.11.22.02.20.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:20:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=eosc7BWl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 3180C81D7725; Wed, 22 Nov 2023 02:20:15 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343843AbjKVKUB (ORCPT + 99 others); Wed, 22 Nov 2023 05:20:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38002 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235271AbjKVKTx (ORCPT ); Wed, 22 Nov 2023 05:19:53 -0500 Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2860B91 for ; Wed, 22 Nov 2023 02:19:49 -0800 (PST) Received: by mail-qv1-xf36.google.com with SMTP id 6a1803df08f44-6705379b835so24303876d6.1 for ; Wed, 22 Nov 2023 02:19:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1700648388; x=1701253188; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=zcSnz+Cq458gO5KcUl518VSe/I/HM4THBDX1iPhbXu0=; b=eosc7BWlY3t6SpC4ba6ZKyR2i8BfXEqZnp3Pq7hq7mHoa3gefHM3JxvEawJnepJZLj jJo+LudlO27c0GktgqtF+kuGkMUHbVpj79p2Q2V3SXB7AV7NInsGRIX751NI2t+L71Y+ tfIh30YhWFp5mHjGRKmcOFpy7TZq5O1+KYPSA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700648388; x=1701253188; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zcSnz+Cq458gO5KcUl518VSe/I/HM4THBDX1iPhbXu0=; b=RtS7x7mbzA2i3etGC1kNATKOM5s8E38hHrhnCW2d4sYwG7iH0HXoQK2Wxofpn31saD 6kqLcFgI7IfqDxCVxMmc0mFWnyhjjB5GGgd0/j/8mrgsVPS9qFQWrhKSnL0Bwf/GY2uM ohW081OC82CtNemfURwRikvCKQFb9+PD+u27DRSn3hwZzP7Ca0AypkgJfpAPSHNKKqAL QI0GNwPVygGjGNB5ENowefCiF8K9PqD6giIn2kjC1NIP8PnNuMelp1sq06pL7wPvdH5p j1RECxKtkNXhua7NuqgYEY/kPc0LQ67YN6htQX72+FT73BuJaWtK53m5Eu2sxu5U34WX /5Jw== X-Gm-Message-State: AOJu0YzqE5n/sQ9v6bgrMxqEiLkkWygf+v0MllF7gfTbPSZtfPcPAYAO hlJ4RgSMe+xKusww6jgpVzprcw== X-Received: by 2002:ad4:5c68:0:b0:656:4712:af9f with SMTP id i8-20020ad45c68000000b006564712af9fmr2569070qvh.13.1700648388258; Wed, 22 Nov 2023 02:19:48 -0800 (PST) Received: from denia.c.googlers.com (228.221.150.34.bc.googleusercontent.com. [34.150.221.228]) by smtp.gmail.com with ESMTPSA id di6-20020ad458e6000000b0066d1d2242desm4739352qvb.120.2023.11.22.02.19.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:19:47 -0800 (PST) From: Ricardo Ribalda Date: Wed, 22 Nov 2023 10:19:36 +0000 Subject: [PATCH v4 3/3] media: uvcvideo: Do not use usb_* functions after .disconnect MIME-Version: 1.0 Message-Id: <20231122-guenter-mini-v4-3-3d94e1e34dc1@chromium.org> References: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> In-Reply-To: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> To: Mauro Carvalho Chehab Cc: Guenter Roeck , Tomasz Figa , Laurent Pinchart , Alan Stern , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul , Ricardo Ribalda , Sakari Ailus X-Mailer: b4 0.12.3 X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Wed, 22 Nov 2023 02:20:15 -0800 (PST) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1783259114007448545 X-GMAIL-MSGID: 1783259114007448545 usb drivers should not call to any I/O function after the .disconnect() callback has been triggered. https://www.kernel.org/doc/html/latest/driver-api/usb/callbacks.html#the-disconnect-callback If an application is receiving frames form a camera and the device is disconnected: the device will call close() after the usb .disconnect() callback has been called. The streamoff path will call usb_set_interface or usb_clear_halt, which is not allowed. This patch only solves the calls to close() *after* .disconnect() is being called. Trace: [ 1065.389723] drivers/media/usb/uvc/uvc_driver.c:2248 uvc_disconnect enter [ 1065.390160] drivers/media/usb/uvc/uvc_driver.c:2264 uvc_disconnect exit [ 1065.433956] drivers/media/usb/uvc/uvc_v4l2.c:659 uvc_v4l2_release enter [ 1065.433973] drivers/media/usb/uvc/uvc_video.c:2274 uvc_video_stop_streaming enter [ 1065.434560] drivers/media/usb/uvc/uvc_video.c:2285 uvc_video_stop_streaming exit [ 1065.435154] drivers/media/usb/uvc/uvc_v4l2.c:680 uvc_v4l2_release exit [ 1065.435188] drivers/media/usb/uvc/uvc_driver.c:2248 uvc_disconnect enter Signed-off-by: Ricardo Ribalda --- drivers/media/usb/uvc/uvc_driver.c | 4 +++- drivers/media/usb/uvc/uvc_status.c | 8 +++---- drivers/media/usb/uvc/uvc_v4l2.c | 2 +- drivers/media/usb/uvc/uvc_video.c | 45 ++++++++++++++++++++++++-------------- drivers/media/usb/uvc/uvcvideo.h | 4 +++- 5 files changed, 39 insertions(+), 24 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index ded2cb6ce14f..d78640d422f4 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -2266,6 +2266,8 @@ static void uvc_disconnect(struct usb_interface *intf) return; uvc_unregister_video(dev); + /* Barrier needed to pair with uvc_video_stop_streaming(). */ + smp_store_release(&dev->disconnected, true); kref_put(&dev->ref, uvc_delete); } @@ -2282,7 +2284,7 @@ static int uvc_suspend(struct usb_interface *intf, pm_message_t message) UVC_SC_VIDEOCONTROL) { mutex_lock(&dev->lock); if (dev->users) - uvc_status_stop(dev); + uvc_status_stop(dev, true); mutex_unlock(&dev->lock); return 0; } diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c index 0208612a9f12..9c5da1244999 100644 --- a/drivers/media/usb/uvc/uvc_status.c +++ b/drivers/media/usb/uvc/uvc_status.c @@ -292,7 +292,7 @@ int uvc_status_init(struct uvc_device *dev) void uvc_status_unregister(struct uvc_device *dev) { - uvc_status_stop(dev); + uvc_status_stop(dev, false); uvc_input_unregister(dev); } @@ -310,7 +310,7 @@ int uvc_status_start(struct uvc_device *dev, gfp_t flags) return usb_submit_urb(dev->int_urb, flags); } -void uvc_status_stop(struct uvc_device *dev) +void uvc_status_stop(struct uvc_device *dev, bool run_async_work) { struct uvc_ctrl_work *w = &dev->async_ctrl; @@ -326,7 +326,7 @@ void uvc_status_stop(struct uvc_device *dev) * Cancel any pending asynchronous work. If any status event was queued, * process it synchronously. */ - if (cancel_work_sync(&w->work)) + if (cancel_work_sync(&w->work) && run_async_work) uvc_ctrl_status_event(w->chain, w->ctrl, w->data); /* Kill the urb. */ @@ -338,7 +338,7 @@ void uvc_status_stop(struct uvc_device *dev) * cancelled before returning or it could then race with a future * uvc_status_start() call. */ - if (cancel_work_sync(&w->work)) + if (cancel_work_sync(&w->work) && run_async_work) uvc_ctrl_status_event(w->chain, w->ctrl, w->data); /* diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index f4988f03640a..f90206263ff4 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -672,7 +672,7 @@ static int uvc_v4l2_release(struct file *file) mutex_lock(&stream->dev->lock); if (--stream->dev->users == 0) - uvc_status_stop(stream->dev); + uvc_status_stop(stream->dev, false); mutex_unlock(&stream->dev->lock); usb_autopm_put_interface(stream->dev->intf); diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index 28dde08ec6c5..f5ef375088de 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -2243,28 +2243,39 @@ int uvc_video_start_streaming(struct uvc_streaming *stream) return ret; } -void uvc_video_stop_streaming(struct uvc_streaming *stream) +static void uvc_video_halt(struct uvc_streaming *stream) { - uvc_video_stop_transfer(stream, 1); + unsigned int epnum; + unsigned int pipe; + unsigned int dir; if (stream->intf->num_altsetting > 1) { usb_set_interface(stream->dev->udev, stream->intfnum, 0); - } else { - /* - * UVC doesn't specify how to inform a bulk-based device - * when the video stream is stopped. Windows sends a - * CLEAR_FEATURE(HALT) request to the video streaming - * bulk endpoint, mimic the same behaviour. - */ - unsigned int epnum = stream->header.bEndpointAddress - & USB_ENDPOINT_NUMBER_MASK; - unsigned int dir = stream->header.bEndpointAddress - & USB_ENDPOINT_DIR_MASK; - unsigned int pipe; - - pipe = usb_sndbulkpipe(stream->dev->udev, epnum) | dir; - usb_clear_halt(stream->dev->udev, pipe); + return; } + /* + * UVC doesn't specify how to inform a bulk-based device + * when the video stream is stopped. Windows sends a + * CLEAR_FEATURE(HALT) request to the video streaming + * bulk endpoint, mimic the same behaviour. + */ + epnum = stream->header.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; + dir = stream->header.bEndpointAddress & USB_ENDPOINT_DIR_MASK; + pipe = usb_sndbulkpipe(stream->dev->udev, epnum) | dir; + usb_clear_halt(stream->dev->udev, pipe); +} + +void uvc_video_stop_streaming(struct uvc_streaming *stream) +{ + uvc_video_stop_transfer(stream, 1); + + /* + * Barrier needed to pair with uvc_disconnect(). + * We cannot call usb_* functions on a disconnected USB device. + */ + if (!smp_load_acquire(&stream->dev->disconnected)) + uvc_video_halt(stream); + uvc_video_clock_cleanup(stream); } diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index 6fb0a78b1b00..5b1a3643de05 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -559,6 +559,8 @@ struct uvc_device { unsigned int users; atomic_t nmappings; + bool disconnected; + /* Video control interface */ #ifdef CONFIG_MEDIA_CONTROLLER struct media_device mdev; @@ -745,7 +747,7 @@ int uvc_status_init(struct uvc_device *dev); void uvc_status_unregister(struct uvc_device *dev); void uvc_status_cleanup(struct uvc_device *dev); int uvc_status_start(struct uvc_device *dev, gfp_t flags); -void uvc_status_stop(struct uvc_device *dev); +void uvc_status_stop(struct uvc_device *dev, bool run_async_work); /* Controls */ extern const struct uvc_control_mapping uvc_ctrl_power_line_mapping_limited;