From: Ricardo Ribalda
Date: Wed, 22 Nov 2023 11:45:47 +0000
Subject: [PATCH v5 1/3] media: uvcvideo: Lock video streams and queues while unregistering
To: Mauro Carvalho Chehab
Cc: Guenter Roeck, Tomasz Figa, Laurent Pinchart, Alan Stern, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul, Ricardo Ribalda, Sakari Ailus, Sergey Senozhatsky
From: Guenter Roeck

The call to uvc_disconnect() is not protected by any mutex. This means it can and will be called while other accesses to the video device are in progress. This can cause all kinds of race conditions, including crashes such as the following.

usb 1-4: USB disconnect, device number 3
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 5633 Comm: V4L2CaptureThre Not tainted 4.19.113-08536-g5d29ca36db06 #1
Hardware name: GOOGLE Edgar, BIOS Google_Edgar.7287.167.156 03/25/2019
RIP: 0010:usb_ifnum_to_if+0x29/0x40
Code: <...>
RSP: 0018:ffffa46f42a47a80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff904a396c9000
RDX: ffff904a39641320 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffa46f42a47a80 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000009975 R11: 0000000000000009 R12: 0000000000000000
R13: ffff904a396b3800 R14: ffff904a39e88000 R15: 0000000000000000
FS: 00007f396448e700(0000) GS:ffff904a3ba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000016cb46000 CR4: 00000000001006f0
Call Trace:
 usb_hcd_alloc_bandwidth+0x1ee/0x30f
 usb_set_interface+0x1a3/0x2b7
 uvc_video_start_transfer+0x29b/0x4b8 [uvcvideo]
 uvc_video_start_streaming+0x91/0xdd [uvcvideo]
 uvc_start_streaming+0x28/0x5d [uvcvideo]
 vb2_start_streaming+0x61/0x143 [videobuf2_common]
 vb2_core_streamon+0xf7/0x10f [videobuf2_common]
 uvc_queue_streamon+0x2e/0x41 [uvcvideo]
 uvc_ioctl_streamon+0x42/0x5c [uvcvideo]
 __video_do_ioctl+0x33d/0x42a
 video_usercopy+0x34e/0x5ff
 ? video_ioctl2+0x16/0x16
 v4l2_ioctl+0x46/0x53
 do_vfs_ioctl+0x50a/0x76f
 ksys_ioctl+0x58/0x83
 __x64_sys_ioctl+0x1a/0x1e
 do_syscall_64+0x54/0xde

usb_set_interface() should not be called after the USB device has been unregistered. However, in the above case the disconnect happened after v4l2_ioctl() was called, but before the call to usb_ifnum_to_if().

Acquire various mutexes in uvc_unregister_video() to fix the majority (maybe all) of the observed race conditions.

The uvc_device lock prevents races against suspend and resume calls and the poll function.

The uvc_streaming lock prevents races against stream related functions; for the most part, those are ioctls. This lock also requires other functions using this lock to check if a video device is still registered after acquiring it. For example, it was observed that the video device was already unregistered by the time the stream lock was acquired in uvc_ioctl_streamon().

The uvc_queue lock prevents races against queue functions. Most of those are already protected by the uvc_streaming lock, but some are called directly. This is done as added protection; an actual race was not (yet) observed.

Cc: Laurent Pinchart
Cc: Alan Stern
Cc: Hans Verkuil
Reviewed-by: Tomasz Figa
Reviewed-by: Sean Paul
Signed-off-by: Guenter Roeck
Reviewed-by: Sergey Senozhatsky
Signed-off-by: Ricardo Ribalda
---
 drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 08fcd2ffa727..ded2cb6ce14f 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1907,14 +1907,22 @@ static void uvc_unregister_video(struct uvc_device *dev) { struct uvc_streaming *stream; + mutex_lock(&dev->lock); + list_for_each_entry(stream, &dev->streams, list) { if (!video_is_registered(&stream->vdev)) continue; + mutex_lock(&stream->mutex); + mutex_lock(&stream->queue.mutex); + video_unregister_device(&stream->vdev); video_unregister_device(&stream->meta.vdev); uvc_debugfs_cleanup_stream(stream); + + mutex_unlock(&stream->queue.mutex); + mutex_unlock(&stream->mutex); } uvc_status_unregister(dev); 
@@ -1925,6 +1933,7 @@ static void uvc_unregister_video(struct uvc_device *dev) if (media_devnode_is_registered(dev->mdev.devnode)) media_device_unregister(&dev->mdev); #endif + mutex_unlock(&dev->lock); } int uvc_register_video_device(struct uvc_device *dev, 
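Review bot: In the uvc_unregister_video() hunk at @@ -1907 (patch 1/3), the new nesting order dev->lock, then stream->mutex, then stream->queue.mutex is not documented in the visible lines, and the commit message says other users of stream->mutex must check that the video device is still registered after acquiring it, yet this 9-line change adds no such check. Please add a comment above `mutex_lock(&dev->lock);` stating the lock order, and either add the re-check to the stream->mutex takers here (uvc_ioctl_streamon() is the case the message names) or say which patch carries it; as the message itself describes, a caller that blocks on stream->mutex and then continues without the check is working on an unregistered device.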
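Review bot: In the @@ -1925 hunk (patch 1/3), placing `mutex_unlock(&dev->lock);` after the `#endif` means uvc_status_unregister(dev) and media_device_unregister(&dev->mdev) now run with dev->lock held, which the commit message does not mention. Please confirm that neither call, nor anything they wait on, takes dev->lock, and consider releasing the lock right after the stream loop if the stated purpose (suspend/resume and poll) does not need it for the rest of the function.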
From: Ricardo Ribalda
Date: Wed, 22 Nov 2023 11:45:48 +0000
Subject: [PATCH v5 2/3] media: uvcvideo: Always use uvc_status_stop()
To: Mauro Carvalho Chehab
Cc: Guenter Roeck, Tomasz Figa, Laurent Pinchart, Alan Stern, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul, Ricardo Ribalda, Sakari Ailus

The only thread safe way to stop the status handler is with uvc_status. Let's remove all the code paths partially stopping uvc_status.

Reviewed-by: Sakari Ailus
Signed-off-by: Ricardo Ribalda
---
 drivers/media/usb/uvc/uvc_ctrl.c   | 4 ----
 drivers/media/usb/uvc/uvc_driver.c | 2 +-
 drivers/media/usb/uvc/uvc_status.c | 8 ++++----
 drivers/media/usb/uvc/uvc_v4l2.c   | 2 +-
 drivers/media/usb/uvc/uvcvideo.h   | 2 +-
 5 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index e59a463c2761..8e22a07e3e7b 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c 
@@ -2765,10 +2765,6 @@ void uvc_ctrl_cleanup_device(struct uvc_device *dev) struct uvc_entity *entity; unsigned int i; - /* Can be uninitialized if we are aborting on probe error. */ - if (dev->async_ctrl.work.func) - cancel_work_sync(&dev->async_ctrl.work); - /* Free controls and control mappings for all entities. */ list_for_each_entry(entity, &dev->entities, list) { for (i = 0; i < entity->ncontrols; ++i) { diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index ded2cb6ce14f..d5dbf2644272 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -2282,7 +2282,7 @@ static int uvc_suspend(struct usb_interface *intf, pm_message_t message) UVC_SC_VIDEOCONTROL) { mutex_lock(&dev->lock); if (dev->users) - uvc_status_stop(dev); + uvc_status_stop(dev, true); mutex_unlock(&dev->lock); return 0; } diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c index a78a88c710e2..9c5da1244999 100644 --- a/drivers/media/usb/uvc/uvc_status.c +++ b/drivers/media/usb/uvc/uvc_status.c @@ -292,7 +292,7 @@ int uvc_status_init(struct uvc_device *dev) void uvc_status_unregister(struct uvc_device *dev) { - usb_kill_urb(dev->int_urb); + uvc_status_stop(dev, false); uvc_input_unregister(dev); } @@ -310,7 +310,7 @@ int uvc_status_start(struct uvc_device *dev, gfp_t flags) return usb_submit_urb(dev->int_urb, flags); } -void uvc_status_stop(struct uvc_device *dev) +void uvc_status_stop(struct uvc_device *dev, bool run_async_work) { struct uvc_ctrl_work *w = &dev->async_ctrl; @@ -326,7 +326,7 @@ void uvc_status_stop(struct uvc_device *dev) * Cancel any pending asynchronous work. If any status event was queued, * process it synchronously. */ - if (cancel_work_sync(&w->work)) + if (cancel_work_sync(&w->work) && run_async_work) uvc_ctrl_status_event(w->chain, w->ctrl, w->data); /* Kill the urb. */ 
@@ -338,7 +338,7 @@ void uvc_status_stop(struct uvc_device *dev) * cancelled before returning or it could then race with a future * uvc_status_start() call. */ - if (cancel_work_sync(&w->work)) + if (cancel_work_sync(&w->work) && run_async_work) uvc_ctrl_status_event(w->chain, w->ctrl, w->data); /* diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index f4988f03640a..f90206263ff4 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -672,7 +672,7 @@ static int uvc_v4l2_release(struct file *file) mutex_lock(&stream->dev->lock); if (--stream->dev->users == 0) - uvc_status_stop(stream->dev); + uvc_status_stop(stream->dev, false); mutex_unlock(&stream->dev->lock); usb_autopm_put_interface(stream->dev->intf); diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index 6fb0a78b1b00..ba8f8c1f2c83 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h 
@@ -745,7 +745,7 @@ int uvc_status_init(struct uvc_device *dev); void uvc_status_unregister(struct uvc_device *dev); void uvc_status_cleanup(struct uvc_device *dev); int uvc_status_start(struct uvc_device *dev, gfp_t flags); -void uvc_status_stop(struct uvc_device *dev); +void uvc_status_stop(struct uvc_device *dev, bool run_async_work); /* Controls */ extern const struct uvc_control_mapping uvc_ctrl_power_line_mapping_limited; 
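Review bot: In uvc_status_unregister() (uvc_status.c, @@ -292, patch 2/3), the new `uvc_status_stop(dev, false);` reaches cancel_work_sync(&w->work) unconditionally, while the guard deleted from uvc_ctrl_cleanup_device() in this same patch tested dev->async_ctrl.work.func first and carried the comment "Can be uninitialized if we are aborting on probe error". Either keep an equivalent check inside uvc_status_stop() or state in the commit message why the work item is always initialized by the time uvc_status_unregister() can run.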
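Review bot: In uvc_status_stop() (uvc_status.c, @@ -326, and again at @@ -338), the comment above the first cancel still reads "If any status event was queued, process it synchronously", but with `&& run_async_work` a queued event is silently dropped when the caller passes false. Please update both comments to describe the conditional behaviour and document run_async_work where the function is declared.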
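Review bot: In uvc_v4l2_release() (uvc_v4l2.c, @@ -672, patch 2/3), passing false is a behaviour change that the commit message does not explain: before this patch uvc_status_stop() always called uvc_ctrl_status_event() for a cancelled work item, and now the last close discards it while uvc_suspend() passes true. Please say why release should drop the event; two named helpers or an enum would also read better at the call sites than a bare true/false.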
From: Ricardo Ribalda
Date: Wed, 22 Nov 2023 11:45:49 +0000
Subject: [PATCH v5 3/3] media: uvcvideo: Do not use usb_* functions after .disconnect
To: Mauro Carvalho Chehab
Cc: Guenter Roeck, Tomasz Figa, Laurent Pinchart, Alan Stern, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul, Ricardo Ribalda, Sakari Ailus

usb drivers should not call any I/O function after the .disconnect() callback has been triggered.
https://www.kernel.org/doc/html/latest/driver-api/usb/callbacks.html#the-disconnect-callback

If an application is receiving frames from a camera and the device is disconnected: the device will call close() after the usb .disconnect() callback has been called. The streamoff path will call usb_set_interface or usb_clear_halt, which is not allowed.

This patch only solves the calls to close() *after* .disconnect() is being called.

Trace:
[ 1065.389723] drivers/media/usb/uvc/uvc_driver.c:2248 uvc_disconnect enter
[ 1065.390160] drivers/media/usb/uvc/uvc_driver.c:2264 uvc_disconnect exit
[ 1065.433956] drivers/media/usb/uvc/uvc_v4l2.c:659 uvc_v4l2_release enter
[ 1065.433973] drivers/media/usb/uvc/uvc_video.c:2274 uvc_video_stop_streaming enter
[ 1065.434560] drivers/media/usb/uvc/uvc_video.c:2285 uvc_video_stop_streaming exit
[ 1065.435154] drivers/media/usb/uvc/uvc_v4l2.c:680 uvc_v4l2_release exit
[ 1065.435188] drivers/media/usb/uvc/uvc_driver.c:2248 uvc_disconnect enter

Signed-off-by: Ricardo Ribalda
---
 drivers/media/usb/uvc/uvc_driver.c | 2 ++
 drivers/media/usb/uvc/uvc_video.c  | 45 ++++++++++++++++++++++++--------------
 drivers/media/usb/uvc/uvcvideo.h   | 2 ++
 3 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index d5dbf2644272..d78640d422f4 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -2266,6 +2266,8 @@ static void uvc_disconnect(struct usb_interface *intf) return; uvc_unregister_video(dev); + /* Barrier needed to pair with uvc_video_stop_streaming(). */ + smp_store_release(&dev->disconnected, true); kref_put(&dev->ref, uvc_delete); } diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index 28dde08ec6c5..f5ef375088de 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c 
@@ -2243,28 +2243,39 @@ int uvc_video_start_streaming(struct uvc_streaming *stream) return ret; } -void uvc_video_stop_streaming(struct uvc_streaming *stream) +static void uvc_video_halt(struct uvc_streaming *stream) { - uvc_video_stop_transfer(stream, 1); + unsigned int epnum; + unsigned int pipe; + unsigned int dir; if (stream->intf->num_altsetting > 1) { usb_set_interface(stream->dev->udev, stream->intfnum, 0); - } else { - /* - * UVC doesn't specify how to inform a bulk-based device - * when the video stream is stopped. Windows sends a - * CLEAR_FEATURE(HALT) request to the video streaming - * bulk endpoint, mimic the same behaviour. - */ - unsigned int epnum = stream->header.bEndpointAddress - & USB_ENDPOINT_NUMBER_MASK; - unsigned int dir = stream->header.bEndpointAddress - & USB_ENDPOINT_DIR_MASK; - unsigned int pipe; - - pipe = usb_sndbulkpipe(stream->dev->udev, epnum) | dir; - usb_clear_halt(stream->dev->udev, pipe); + return; } + /* + * UVC doesn't specify how to inform a bulk-based device + * when the video stream is stopped. Windows sends a + * CLEAR_FEATURE(HALT) request to the video streaming + * bulk endpoint, mimic the same behaviour. + */ + epnum = stream->header.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; + dir = stream->header.bEndpointAddress & USB_ENDPOINT_DIR_MASK; + pipe = usb_sndbulkpipe(stream->dev->udev, epnum) | dir; + usb_clear_halt(stream->dev->udev, pipe); +} + +void uvc_video_stop_streaming(struct uvc_streaming *stream) +{ + uvc_video_stop_transfer(stream, 1); + + /* + * Barrier needed to pair with uvc_disconnect(). + * We cannot call usb_* functions on a disconnected USB device. + */ + if (!smp_load_acquire(&stream->dev->disconnected)) + uvc_video_halt(stream); + uvc_video_clock_cleanup(stream); } diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index ba8f8c1f2c83..5b1a3643de05 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h 
@@ -559,6 +559,8 @@ struct uvc_device { unsigned int users; atomic_t nmappings; + bool disconnected; + /* Video control interface */ #ifdef CONFIG_MEDIA_CONTROLLER struct media_device mdev;
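Review bot: In uvc_disconnect() (uvc_driver.c, @@ -2266, patch 3/3), `smp_store_release(&dev->disconnected, true);` comes after uvc_unregister_video(dev), so for the whole unregister sequence a concurrent uvc_video_stop_streaming() still reads false and goes on to uvc_video_halt(). The message acknowledges that only close() after .disconnect() is covered; setting the flag before uvc_unregister_video() would narrow that window, and the comment should say which accesses the release is ordering rather than only naming the pairing function.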
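Review bot: In uvc_video_stop_streaming() (uvc_video.c, @@ -2243, patch 3/3), `if (!smp_load_acquire(&stream->dev->disconnected))` followed by uvc_video_halt(stream) is a check-then-act: the acquire/release pair orders memory accesses but does not prevent uvc_disconnect() from completing between the load and the usb_set_interface() or usb_clear_halt() call. If that window matters, the check and the USB call need to sit under a lock that uvc_disconnect() also takes; if it is accepted, say so in the comment so the barrier is not read as a guarantee.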
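Review bot: In struct uvc_device (uvcvideo.h, @@ -559, patch 3/3), `bool disconnected;` is added without a comment. Since the field is written with smp_store_release() in uvc_disconnect() and read with smp_load_acquire() in uvc_video_stop_streaming(), please document at the declaration that it is set once on disconnect and must only be accessed through those primitives.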