[PATCH v6 0/4] usb: gadget: uvc: stability fixes on STREAMOFF.

Avichal Rakesh posted 4 patches 2 years, 1 month ago
drivers/usb/gadget/function/f_uvc.c     |  11 +-
drivers/usb/gadget/function/f_uvc.h     |   2 +-
drivers/usb/gadget/function/uvc.h       |   6 +-
drivers/usb/gadget/function/uvc_v4l2.c  |  12 +-
drivers/usb/gadget/function/uvc_video.c | 231 +++++++++++++++++-------
5 files changed, 189 insertions(+), 73 deletions(-)
[PATCH v6 0/4] usb: gadget: uvc: stability fixes on STREAMOFF.
Posted by Avichal Rakesh 2 years, 1 month ago
We have been seeing two main stability issues that uvc gadget driver
runs into when stopping streams:
 1. Attempting to queue usb_requests to a disabled usb_ep
 2. use-after-free issue for inflight usb_requests

The four patches below fix the two issues above. Patch 1/4 fixes the
first issue, and Patch 2/4 and 4/4 fix the second issue. Patch 3/4
is only there to make the diff in 4/4 cleaner.

Avichal Rakesh (4):
  usb: gadget: uvc: prevent use of disabled endpoint
  usb: gadget: uvc: Allocate uvc_requests one at a time
  usb: gadget: uvc: move video disable logic to its own function
  usb: gadget: uvc: Fix use-after-free for inflight usb_requests

 drivers/usb/gadget/function/f_uvc.c     |  11 +-
 drivers/usb/gadget/function/f_uvc.h     |   2 +-
 drivers/usb/gadget/function/uvc.h       |   6 +-
 drivers/usb/gadget/function/uvc_v4l2.c  |  12 +-
 drivers/usb/gadget/function/uvc_video.c | 231 +++++++++++++++++-------
 5 files changed, 189 insertions(+), 73 deletions(-)

--
2.42.0.758.gaed0368e0e-goog
Re: [PATCH v6 0/4] usb: gadget: uvc: stability fixes on STREAMOFF.
Posted by Avichal Rakesh 2 years, 1 month ago

On 10/19/23 11:53, Avichal Rakesh wrote:
> We have been seeing two main stability issues that uvc gadget driver
> runs into when stopping streams:
>  1. Attempting to queue usb_requests to a disabled usb_ep
>  2. use-after-free issue for inflight usb_requests
> 
> The four patches below fix the two issues above. Patch 1/4 fixes the
> first issue, and Patch 2/4 and 4/4 fix the second issue. Patch 3/4
> is only there to make the diff in 4/4 cleaner.
> 
> Avichal Rakesh (4):
>   usb: gadget: uvc: prevent use of disabled endpoint
>   usb: gadget: uvc: Allocate uvc_requests one at a time
>   usb: gadget: uvc: move video disable logic to its own function
>   usb: gadget: uvc: Fix use-after-free for inflight usb_requests
> 
>  drivers/usb/gadget/function/f_uvc.c     |  11 +-
>  drivers/usb/gadget/function/f_uvc.h     |   2 +-
>  drivers/usb/gadget/function/uvc.h       |   6 +-
>  drivers/usb/gadget/function/uvc_v4l2.c  |  12 +-
>  drivers/usb/gadget/function/uvc_video.c | 231 +++++++++++++++++-------
>  5 files changed, 189 insertions(+), 73 deletions(-)
> 
> --
> 2.42.0.758.gaed0368e0e-goog

Dan and Laurent, please go over the patches whenever you get a
chance. I think they're ready to submit as neither Michael 
nor I have seen any use-after-free issues after the patches.

Thank you!
- Avi.
[PATCH v12 1/4] usb: gadget: uvc: prevent use of disabled endpoint
Posted by Avichal Rakesh 2 years, 1 month ago
Currently the set_alt callback immediately disables the endpoint and queues
the v4l2 streamoff event. However, as the streamoff event is processed
asynchronously, it is possible that the video_pump thread attempts to queue
requests to an already disabled endpoint.

This change moves disabling usb endpoint to the end of streamoff event
callback. As the endpoint's state can no longer be used, video_pump is
now guarded by uvc->state as well. To be consistent with the actual
streaming state, uvc->state is now toggled between CONNECTED and STREAMING
from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1  -> v2  : Rebased to ToT and reworded commit message.
v2  -> v3  : Fix email threading goof-up
v3  -> v4  : Address review comments & re-rebase to ToT
v4  -> v5  : Add Reviewed-by & Tested-by
v5  -> v6  : No change
v6  -> v7  : No change
v7  -> v8  : No change. Getting back in review queue
v8  -> v9  : Fix typo. No functional change.
v9  -> v10 : Rebase to ToT (usb-next)
v10 -> v11 : No change
v11 -> v12 : Rebase to ToT (usb-next)

 drivers/usb/gadget/function/f_uvc.c     | 11 +++++------
 drivers/usb/gadget/function/f_uvc.h     |  2 +-
 drivers/usb/gadget/function/uvc.h       |  2 +-
 drivers/usb/gadget/function/uvc_v4l2.c  | 20 +++++++++++++++++---
 drivers/usb/gadget/function/uvc_video.c |  3 ++-
 5 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index 786379f1b7b7..77999ed53d33 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
 	return 0;
 }

-void uvc_function_setup_continue(struct uvc_device *uvc)
+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep)
 {
 	struct usb_composite_dev *cdev = uvc->func.config->cdev;

+	if (disable_ep && uvc->video.ep)
+		usb_ep_disable(uvc->video.ep);
+
 	usb_composite_setup_continue(cdev);
 }

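Review bot: `disable_ep` in `+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep)` is only ever tested for truthiness, so declare it `bool` and add a one-line comment saying that the endpoint is disabled before the delayed status stage is completed; as written a reader has to find the two call sites (0 from streamon, 1 from streamoff) to learn what the flag means.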
@@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt)
 		if (uvc->state != UVC_STATE_STREAMING)
 			return 0;

-		if (uvc->video.ep)
-			usb_ep_disable(uvc->video.ep);
-
 		memset(&v4l2_event, 0, sizeof(v4l2_event));
 		v4l2_event.type = UVC_EVENT_STREAMOFF;
 		v4l2_event_queue(&uvc->vdev, &v4l2_event);

-		uvc->state = UVC_STATE_CONNECTED;
-		return 0;
+		return USB_GADGET_DELAYED_STATUS;

 	case 1:
 		if (uvc->state != UVC_STATE_CONNECTED)
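Review bot: returning USB_GADGET_DELAYED_STATUS from the alt-0 path makes completion of the SET_INTERFACE status stage depend on userspace issuing VIDIOC_STREAMOFF, and nothing in this hunk bounds that wait; the commit message should state that contract and what happens when userspace never responds (device closed, application crashed). A comment at `return USB_GADGET_DELAYED_STATUS;` pointing at uvc_v4l2_streamoff() as the place that completes it would also help the next reader.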
diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h
index 1db972d4beeb..083aef0c65c6 100644
--- a/drivers/usb/gadget/function/f_uvc.h
+++ b/drivers/usb/gadget/function/f_uvc.h
@@ -11,7 +11,7 @@

 struct uvc_device;

-void uvc_function_setup_continue(struct uvc_device *uvc);
+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);

 void uvc_function_connect(struct uvc_device *uvc);

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 6751de8b63ad..989bc6b4e93d 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -177,7 +177,7 @@ struct uvc_file_handle {
  * Functions
  */

-extern void uvc_function_setup_continue(struct uvc_device *uvc);
+extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);
 extern void uvc_function_connect(struct uvc_device *uvc);
 extern void uvc_function_disconnect(struct uvc_device *uvc);

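Review bot: the same prototype is now maintained in two headers, here as `extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);` and in f_uvc.h without the `extern`; duplicated declarations are exactly how signatures drift, so keep it in one header and include that from the other, or at least make the two copies identical.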
diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 3f0a9795c0d4..7cb8d027ff0c 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 	 * Complete the alternate setting selection setup phase now that
 	 * userspace is ready to provide video frames.
 	 */
-	uvc_function_setup_continue(uvc);
+	uvc_function_setup_continue(uvc, 0);
 	uvc->state = UVC_STATE_STREAMING;

 	return 0;
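Review bot: `uvc->state = UVC_STATE_STREAMING;` is now the condition the pump loop checks (see the uvc_video.c hunk), yet it is assigned after `uvc_function_setup_continue(uvc, 0);` and after the uvcg_video_enable() call earlier in this function; please confirm nothing schedules the pump work before this assignment, otherwise the first pump run exits immediately because state is still CONNECTED. Setting the state before calling setup_continue would remove the question.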
@@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 	struct video_device *vdev = video_devdata(file);
 	struct uvc_device *uvc = video_get_drvdata(vdev);
 	struct uvc_video *video = &uvc->video;
+	int ret = 0;

 	if (type != video->queue.queue.type)
 		return -EINVAL;

-	return uvcg_video_enable(video, 0);
+	uvc->state = UVC_STATE_CONNECTED;
+	ret = uvcg_video_enable(video, 0);
+	if (ret < 0)
+		return ret;
+
+	uvc_function_setup_continue(uvc, 1);
+	return 0;
 }

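Review bot: the error path `if (ret < 0) return ret;` returns without calling uvc_function_setup_continue(uvc, 1), so a SET_INTERFACE that set_alt answered with USB_GADGET_DELAYED_STATUS stays pending and the endpoint is never disabled; either complete the setup on failure as well, or explain why a failed uvcg_video_enable(video, 0) should leave the control transfer hanging. Minor: `int ret = 0;` is assigned before it is read, so the initializer can go.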
 static int
@@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
 static void uvc_v4l2_disable(struct uvc_device *uvc)
 {
 	uvc_function_disconnect(uvc);
+	/*
+	 * Drop uvc->state to CONNECTED if it was streaming before.
+	 * This ensures that the usb_requests are no longer queued
+	 * to the controller.
+	 */
+	if (uvc->state == UVC_STATE_STREAMING)
+		uvc->state = UVC_STATE_CONNECTED;
+
 	uvcg_video_enable(&uvc->video, 0);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
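Review bot: this hunk drops uvc->state to CONNECTED so the pump stops, but unlike uvc_v4l2_streamoff() it never calls uvc_function_setup_continue(uvc, 1); if set_alt(0) already returned USB_GADGET_DELAYED_STATUS and userspace closes the device instead of issuing STREAMOFF, what completes the delayed status stage and disables the endpoint? A sentence in the new comment block saying why that case cannot reach here, or handling it, would settle it.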
@@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = {
 	.get_unmapped_area = uvcg_v4l2_get_unmapped_area,
 #endif
 };
-
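Review bot: the deletion of the trailing blank line after `uvc_v4l2_fops` is an unrelated whitespace cleanup; keep it out of a patch that changes endpoint lifetime, or send it separately, so the functional change stays easy to bisect.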
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 91af3b1ef0d4..c334802ac0a4 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work)
 	struct uvc_video_queue *queue = &video->queue;
 	/* video->max_payload_size is only set when using bulk transfer */
 	bool is_bulk = video->max_payload_size;
+	struct uvc_device *uvc = video->uvc;
 	struct usb_request *req = NULL;
 	struct uvc_buffer *buf;
 	unsigned long flags;
 	bool buf_done;
 	int ret;

-	while (video->ep->enabled) {
+	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
 		/*
 		 * Retrieve the first available USB request, protected by the
 		 * request lock.
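Review bot: `while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled)` reads uvc->state from the pump work item while uvc_v4l2_streamoff() and uvc_v4l2_disable() write it from ioctl context with no lock in between; if the ordering is guaranteed by the cancel_work_sync() in uvcg_video_enable(video, 0), say so in a comment, and consider READ_ONCE()/WRITE_ONCE() so the compiler cannot hoist the load out of the loop.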
--
2.42.0.869.gea05f2083d-goog
Re: [PATCH v12 1/4] usb: gadget: uvc: prevent use of disabled endpoint
Posted by Avichal Rakesh 2 years, 1 month ago
Hey Greg, I think this patchset is ready for submission. 
Let me know if I am missing something and something else
needs to be done.

Thank you!
- Avi

On 11/8/23 16:41, Avichal Rakesh wrote:
> Currently the set_alt callback immediately disables the endpoint and queues
> the v4l2 streamoff event. However, as the streamoff event is processed
> asynchronously, it is possible that the video_pump thread attempts to queue
> requests to an already disabled endpoint.
> 
> This change moves disabling usb endpoint to the end of streamoff event
> callback. As the endpoint's state can no longer be used, video_pump is
> now guarded by uvc->state as well. To be consistent with the actual
> streaming state, uvc->state is now toggled between CONNECTED and STREAMING
> from the v4l2 event callback only.
> 
> Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
> Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
> Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
> Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Signed-off-by: Avichal Rakesh <arakesh@google.com>
> ---
> v1  -> v2  : Rebased to ToT and reworded commit message.
> v2  -> v3  : Fix email threading goof-up
> v3  -> v4  : Address review comments & re-rebase to ToT
> v4  -> v5  : Add Reviewed-by & Tested-by
> v5  -> v6  : No change
> v6  -> v7  : No change
> v7  -> v8  : No change. Getting back in review queue
> v8  -> v9  : Fix typo. No functional change.
> v9  -> v10 : Rebase to ToT (usb-next)
> v10 -> v11 : No change
> v11 -> v12 : Rebase to ToT (usb-next)
> 
>  drivers/usb/gadget/function/f_uvc.c     | 11 +++++------
>  drivers/usb/gadget/function/f_uvc.h     |  2 +-
>  drivers/usb/gadget/function/uvc.h       |  2 +-
>  drivers/usb/gadget/function/uvc_v4l2.c  | 20 +++++++++++++++++---
>  drivers/usb/gadget/function/uvc_video.c |  3 ++-
>  5 files changed, 26 insertions(+), 12 deletions(-)
> 
> diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
> index 786379f1b7b7..77999ed53d33 100644
> --- a/drivers/usb/gadget/function/f_uvc.c
> +++ b/drivers/usb/gadget/function/f_uvc.c
> @@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
>  	return 0;
>  }
> 
> -void uvc_function_setup_continue(struct uvc_device *uvc)
> +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep)
>  {
>  	struct usb_composite_dev *cdev = uvc->func.config->cdev;
> 
> +	if (disable_ep && uvc->video.ep)
> +		usb_ep_disable(uvc->video.ep);
> +
>  	usb_composite_setup_continue(cdev);
>  }
> 
> @@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt)
>  		if (uvc->state != UVC_STATE_STREAMING)
>  			return 0;
> 
> -		if (uvc->video.ep)
> -			usb_ep_disable(uvc->video.ep);
> -
>  		memset(&v4l2_event, 0, sizeof(v4l2_event));
>  		v4l2_event.type = UVC_EVENT_STREAMOFF;
>  		v4l2_event_queue(&uvc->vdev, &v4l2_event);
> 
> -		uvc->state = UVC_STATE_CONNECTED;
> -		return 0;
> +		return USB_GADGET_DELAYED_STATUS;
> 
>  	case 1:
>  		if (uvc->state != UVC_STATE_CONNECTED)
> diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h
> index 1db972d4beeb..083aef0c65c6 100644
> --- a/drivers/usb/gadget/function/f_uvc.h
> +++ b/drivers/usb/gadget/function/f_uvc.h
> @@ -11,7 +11,7 @@
> 
>  struct uvc_device;
> 
> -void uvc_function_setup_continue(struct uvc_device *uvc);
> +void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);
> 
>  void uvc_function_connect(struct uvc_device *uvc);
> 
> diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
> index 6751de8b63ad..989bc6b4e93d 100644
> --- a/drivers/usb/gadget/function/uvc.h
> +++ b/drivers/usb/gadget/function/uvc.h
> @@ -177,7 +177,7 @@ struct uvc_file_handle {
>   * Functions
>   */
> 
> -extern void uvc_function_setup_continue(struct uvc_device *uvc);
> +extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);
>  extern void uvc_function_connect(struct uvc_device *uvc);
>  extern void uvc_function_disconnect(struct uvc_device *uvc);
> 
> diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
> index 3f0a9795c0d4..7cb8d027ff0c 100644
> --- a/drivers/usb/gadget/function/uvc_v4l2.c
> +++ b/drivers/usb/gadget/function/uvc_v4l2.c
> @@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
>  	 * Complete the alternate setting selection setup phase now that
>  	 * userspace is ready to provide video frames.
>  	 */
> -	uvc_function_setup_continue(uvc);
> +	uvc_function_setup_continue(uvc, 0);
>  	uvc->state = UVC_STATE_STREAMING;
> 
>  	return 0;
> @@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
>  	struct video_device *vdev = video_devdata(file);
>  	struct uvc_device *uvc = video_get_drvdata(vdev);
>  	struct uvc_video *video = &uvc->video;
> +	int ret = 0;
> 
>  	if (type != video->queue.queue.type)
>  		return -EINVAL;
> 
> -	return uvcg_video_enable(video, 0);
> +	uvc->state = UVC_STATE_CONNECTED;
> +	ret = uvcg_video_enable(video, 0);
> +	if (ret < 0)
> +		return ret;
> +
> +	uvc_function_setup_continue(uvc, 1);
> +	return 0;
>  }
> 
>  static int
> @@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
>  static void uvc_v4l2_disable(struct uvc_device *uvc)
>  {
>  	uvc_function_disconnect(uvc);
> +	/*
> +	 * Drop uvc->state to CONNECTED if it was streaming before.
> +	 * This ensures that the usb_requests are no longer queued
> +	 * to the controller.
> +	 */
> +	if (uvc->state == UVC_STATE_STREAMING)
> +		uvc->state = UVC_STATE_CONNECTED;
> +
>  	uvcg_video_enable(&uvc->video, 0);
>  	uvcg_free_buffers(&uvc->video.queue);
>  	uvc->func_connected = false;
> @@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = {
>  	.get_unmapped_area = uvcg_v4l2_get_unmapped_area,
>  #endif
>  };
> -
> diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
> index 91af3b1ef0d4..c334802ac0a4 100644
> --- a/drivers/usb/gadget/function/uvc_video.c
> +++ b/drivers/usb/gadget/function/uvc_video.c
> @@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work)
>  	struct uvc_video_queue *queue = &video->queue;
>  	/* video->max_payload_size is only set when using bulk transfer */
>  	bool is_bulk = video->max_payload_size;
> +	struct uvc_device *uvc = video->uvc;
>  	struct usb_request *req = NULL;
>  	struct uvc_buffer *buf;
>  	unsigned long flags;
>  	bool buf_done;
>  	int ret;
> 
> -	while (video->ep->enabled) {
> +	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
>  		/*
>  		 * Retrieve the first available USB request, protected by the
>  		 * request lock.
> --
> 2.42.0.869.gea05f2083d-goog
[PATCH v12 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
Posted by Avichal Rakesh 2 years, 1 month ago
Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue.
Instead of bulk allocating all uvc_requests as an array, this patch
allocates uvc_requests one at a time, which should allow for
granularity when deallocating the uvc_requests. This patch has no
functional changes other than allocating each uvc_request separately,
and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1  -> v2  : Rebased to ToT
v2  -> v3  : Fix email threading goof-up
v3  -> v4  : Address review comments & re-rebase to ToT
v4  -> v5  : Address more review comments. Add Reviewed-by & Tested-by.
v5  -> v6  : No change
v6  -> v7  : No change
v7  -> v8  : No change. Getting back in review queue
v8  -> v9  : Address review comments.
v9  -> v10 : Address review comments; remove BUG_ON(&video->reqs);
             Rebase to ToT (usb-next)
v10 -> v11 : Add Reviewed-by
v11 -> v12 : Rebase to ToT (usb-next)

 drivers/usb/gadget/function/uvc.h       |  3 +-
 drivers/usb/gadget/function/uvc_video.c | 88 ++++++++++++++-----------
 2 files changed, 51 insertions(+), 40 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 989bc6b4e93d..993694da0bbc 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -81,6 +81,7 @@ struct uvc_request {
 	struct sg_table sgt;
 	u8 header[UVCG_REQUEST_HEADER_LEN];
 	struct uvc_buffer *last_buf;
+	struct list_head list;
 };

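Review bot: `struct list_head list;` deserves a short comment naming the list it hangs on (the new `uvc_video::ureqs`), since `ureq->list` and `ureq->req->list` now sit on two different lists and the alloc hunk adds entries to both; a reader skimming the struct cannot tell them apart otherwise.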
 struct uvc_video {
@@ -102,7 +103,7 @@ struct uvc_video {

 	/* Requests */
 	unsigned int req_size;
-	struct uvc_request *ureq;
+	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
 	struct list_head req_free;
 	spinlock_t req_lock;

diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index c334802ac0a4..1619f9664748 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
  * Request handling
  */

+static void
+uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
+{
+	sg_free_table(&ureq->sgt);
+	if (ureq->req && ep) {
+		usb_ep_free_request(ep, ureq->req);
+		ureq->req = NULL;
+	}
+
+	kfree(ureq->req_buffer);
+	ureq->req_buffer = NULL;
+
+	if (!list_empty(&ureq->list))
+		list_del_init(&ureq->list);
+
+	kfree(ureq);
+}
+
 static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req)
 {
 	int ret;
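Review bot: in uvc_video_free_request() the `if (!list_empty(&ureq->list))` guard is redundant, because list_del_init() on a self-linked node is already a no-op, and `ureq->req_buffer = NULL;` is a dead store immediately before `kfree(ureq);`; dropping both leaves the intent clearer. The function also unlinks the entry from whatever list it is on, so state in a comment that the caller holds the lock protecting that list.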
@@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 static int
 uvc_video_free_requests(struct uvc_video *video)
 {
-	unsigned int i;
-
-	if (video->ureq) {
-		for (i = 0; i < video->uvc_num_requests; ++i) {
-			sg_free_table(&video->ureq[i].sgt);
+	struct uvc_request *ureq, *temp;

-			if (video->ureq[i].req) {
-				usb_ep_free_request(video->ep, video->ureq[i].req);
-				video->ureq[i].req = NULL;
-			}
-
-			if (video->ureq[i].req_buffer) {
-				kfree(video->ureq[i].req_buffer);
-				video->ureq[i].req_buffer = NULL;
-			}
-		}
-
-		kfree(video->ureq);
-		video->ureq = NULL;
-	}
+	list_for_each_entry_safe(ureq, temp, &video->ureqs, list)
+		uvc_video_free_request(ureq, video->ep);

+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	video->req_size = 0;
 	return 0;
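Review bot: after `list_for_each_entry_safe(ureq, temp, &video->ureqs, list)` every entry has already been unlinked by uvc_video_free_request(), so `INIT_LIST_HEAD(&video->ureqs);` is harmless but redundant; if it stays as belt-and-braces, a one-line comment saying so stops a future reader hunting for the bug it fixes. The function still returns a constant 0 that the visible caller ignores, so it could become `void`.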
@@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video)
 static int
 uvc_video_alloc_requests(struct uvc_video *video)
 {
+	struct uvc_request *ureq;
 	unsigned int req_size;
 	unsigned int i;
 	int ret = -ENOMEM;
@@ -332,29 +336,33 @@ uvc_video_alloc_requests(struct uvc_video *video)
 		 * max_t(unsigned int, video->ep->maxburst, 1)
 		 * (video->ep->mult);

-	video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL);
-	if (video->ureq == NULL)
-		return -ENOMEM;
+	for (i = 0; i < video->uvc_num_requests; i++) {
+		ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL);
+		if (ureq == NULL)
+			goto error;
+
+		INIT_LIST_HEAD(&ureq->list);
+
+		list_add_tail(&ureq->list, &video->ureqs);

-	for (i = 0; i < video->uvc_num_requests; ++i) {
-		video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL);
-		if (video->ureq[i].req_buffer == NULL)
+		ureq->req_buffer = kmalloc(req_size, GFP_KERNEL);
+		if (ureq->req_buffer == NULL)
 			goto error;

-		video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
-		if (video->ureq[i].req == NULL)
+		ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
+		if (ureq->req == NULL)
 			goto error;

-		video->ureq[i].req->buf = video->ureq[i].req_buffer;
-		video->ureq[i].req->length = 0;
-		video->ureq[i].req->complete = uvc_video_complete;
-		video->ureq[i].req->context = &video->ureq[i];
-		video->ureq[i].video = video;
-		video->ureq[i].last_buf = NULL;
+		ureq->req->buf = ureq->req_buffer;
+		ureq->req->length = 0;
+		ureq->req->complete = uvc_video_complete;
+		ureq->req->context = ureq;
+		ureq->video = video;
+		ureq->last_buf = NULL;

-		list_add_tail(&video->ureq[i].req->list, &video->req_free);
+		list_add_tail(&ureq->req->list, &video->req_free);
 		/* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */
-		sg_alloc_table(&video->ureq[i].sgt,
+		sg_alloc_table(&ureq->sgt,
 			       DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN,
 					    PAGE_SIZE) + 2, GFP_KERNEL);
 	}
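Review bot: the return value of `sg_alloc_table(&ureq->sgt, ...)` is still ignored; since the line is being rewritten anyway, check it and `goto error` like the other allocations in this loop do, otherwise a failed table allocation leaves a request on `ureqs` and `req_free` with an empty sgt. Adding the ureq to `video->ureqs` before its buffers are allocated is the right order for the error path, but say so in a comment so nobody "fixes" it later.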
@@ -489,8 +497,8 @@ static void uvcg_video_pump(struct work_struct *work)
  */
 int uvcg_video_enable(struct uvc_video *video, int enable)
 {
-	unsigned int i;
 	int ret;
+	struct uvc_request *ureq;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
@@ -502,9 +510,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
 		cancel_work_sync(&video->pump);
 		uvcg_queue_cancel(&video->queue, 0);

-		for (i = 0; i < video->uvc_num_requests; ++i)
-			if (video->ureq && video->ureq[i].req)
-				usb_ep_dequeue(video->ep, video->ureq[i].req);
+		list_for_each_entry(ureq, &video->ureqs, list) {
+			if (ureq->req)
+				usb_ep_dequeue(video->ep, ureq->req);
+		}

 		uvc_video_free_requests(video);
 		uvcg_queue_enable(&video->queue, 0);
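Review bot: `list_for_each_entry(ureq, &video->ureqs, list)` calls usb_ep_dequeue() on every request, including those sitting on `req_free` that were never queued; that mirrors the old array loop, but now that each request is a list entry it is cheap to either skip the ones on `req_free` or add a comment that dequeue of an unqueued request is expected to fail and its return value is deliberately ignored.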
@@ -536,6 +545,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
  */
 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
 {
+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	spin_lock_init(&video->req_lock);
 	INIT_WORK(&video->pump, uvcg_video_pump);
--
2.42.0.869.gea05f2083d-goog
[PATCH v12 3/4] usb: gadget: uvc: move video disable logic to its own function
Posted by Avichal Rakesh 2 years, 1 month ago
This patch refactors the video disable logic in uvcg_video_enable
into its own separate function 'uvcg_video_disable'. This function
is now used anywhere uvcg_video_enable(video, 0) was used.

Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
XX  -> v6  : Introduced this patch to make the next one easier to review
v6  -> v7  : Add Suggested-by
v7  -> v8  : No change. Getting back in review queue
v8  -> v9  : Call uvcg_video_disable directly instead of uvcg_video_enable(video, 0)
v9  -> v10 : Rebase to ToT (usb-next)
v10 -> v11 : No change
v11 -> v12 : Rebase to ToT (usb-next)

 drivers/usb/gadget/function/uvc_v4l2.c  |  6 ++--
 drivers/usb/gadget/function/uvc_video.c | 40 ++++++++++++++++---------
 drivers/usb/gadget/function/uvc_video.h |  3 +-
 3 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 7cb8d027ff0c..904dd283cbf7 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -443,7 +443,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 		return -EINVAL;

 	/* Enable UVC video. */
-	ret = uvcg_video_enable(video, 1);
+	ret = uvcg_video_enable(video);
 	if (ret < 0)
 		return ret;

@@ -469,7 +469,7 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 		return -EINVAL;

 	uvc->state = UVC_STATE_CONNECTED;
-	ret = uvcg_video_enable(video, 0);
+	ret = uvcg_video_disable(video);
 	if (ret < 0)
 		return ret;

@@ -515,7 +515,7 @@ static void uvc_v4l2_disable(struct uvc_device *uvc)
 	if (uvc->state == UVC_STATE_STREAMING)
 		uvc->state = UVC_STATE_CONNECTED;

-	uvcg_video_enable(&uvc->video, 0);
+	uvcg_video_disable(&uvc->video);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
 	wake_up_interruptible(&uvc->func_connected_queue);
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 1619f9664748..c3e8c48f46a9 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -493,31 +493,43 @@ static void uvcg_video_pump(struct work_struct *work)
 }

 /*
- * Enable or disable the video stream.
+ * Disable the video stream
  */
-int uvcg_video_enable(struct uvc_video *video, int enable)
+int
+uvcg_video_disable(struct uvc_video *video)
 {
-	int ret;
 	struct uvc_request *ureq;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
-			  "Video enable failed, device is uninitialized.\n");
+			  "Video disable failed, device is uninitialized.\n");
 		return -ENODEV;
 	}

-	if (!enable) {
-		cancel_work_sync(&video->pump);
-		uvcg_queue_cancel(&video->queue, 0);
+	cancel_work_sync(&video->pump);
+	uvcg_queue_cancel(&video->queue, 0);

-		list_for_each_entry(ureq, &video->ureqs, list) {
-			if (ureq->req)
-				usb_ep_dequeue(video->ep, ureq->req);
-		}
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		if (ureq->req)
+			usb_ep_dequeue(video->ep, ureq->req);
+	}

-		uvc_video_free_requests(video);
-		uvcg_queue_enable(&video->queue, 0);
-		return 0;
+	uvc_video_free_requests(video);
+	uvcg_queue_enable(&video->queue, 0);
+	return 0;
+}
+
+/*
+ * Enable the video stream.
+ */
+int uvcg_video_enable(struct uvc_video *video)
+{
+	int ret;
+
+	if (video->ep == NULL) {
+		uvcg_info(&video->uvc->func,
+			  "Video enable failed, device is uninitialized.\n");
+		return -ENODEV;
 	}

 	if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
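Review bot: the two definitions in this hunk use different signature layouts (`int` on its own line for uvcg_video_disable(), `int uvcg_video_enable(struct uvc_video *video)` on one line); pick one. The new `Disable the video stream` comment also lost the trailing period its sibling keeps, and both functions open with an identical `video->ep == NULL` check, so the uvcg_info() message and return could move into a tiny shared helper.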
diff --git a/drivers/usb/gadget/function/uvc_video.h b/drivers/usb/gadget/function/uvc_video.h
index 03adeefa343b..8ef6259741f1 100644
--- a/drivers/usb/gadget/function/uvc_video.h
+++ b/drivers/usb/gadget/function/uvc_video.h
@@ -14,7 +14,8 @@

 struct uvc_video;

-int uvcg_video_enable(struct uvc_video *video, int enable);
+int uvcg_video_enable(struct uvc_video *video);
+int uvcg_video_disable(struct uvc_video *video);

 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc);

--
2.42.0.869.gea05f2083d-goog
[PATCH v12 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
Posted by Avichal Rakesh 2 years, 1 month ago
Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new
flag to uvc_video to track when frames and requests should be flowing.
When disabling the video stream, the flag is tripped and, instead
of de-allocating all uvc_requests and usb_requests, the gadget
driver only de-allocates those usb_requests that are currently
owned by it (as present in req_free). Other usb_requests are left
untouched until their completion handler is called which takes care
of freeing the usb_request and its corresponding uvc_request.

Now that uvc_video does not depend on uvc->state, this patch removes
unnecessary updates to uvc->state that were made to accommodate uvc_video
logic. This should ensure that uvc gadget driver never accidentally
de-allocates a usb_request that it doesn't own.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1  -> v2  : Rebased to ToT, and fixed deadlock reported in
             https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/
v2  -> v3  : Fix email threading goof-up
v3  -> v4  : re-rebase to ToT & moved to a uvc_video level lock
             as discussed in
             https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/
v4  -> v5  : Address review comments. Add Reviewed-by & Tested-by.
v5  -> v6  : Added another patch before this one to make uvcg_video_disable
             easier to review.
v6  -> v7  : Fix warning reported in
             https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/
v7  -> v8  : No change. Getting back in review queue
v8  -> v9  : No change.
v9  -> v10 : Address review comments. Rebase to ToT (usb-next)
v10 -> v11 : Address review comments
v11 -> v12 : Add Reviewed-by; Rebase to ToT (usb-next)

 drivers/usb/gadget/function/uvc.h       |   1 +
 drivers/usb/gadget/function/uvc_v4l2.c  |  10 +-
 drivers/usb/gadget/function/uvc_video.c | 130 ++++++++++++++++++++----
 3 files changed, 112 insertions(+), 29 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 993694da0bbc..be0d012aa244 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -102,6 +102,7 @@ struct uvc_video {
 	unsigned int uvc_num_requests;

 	/* Requests */
+	bool is_enabled; /* tracks whether video stream is enabled */
 	unsigned int req_size;
 	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
 	struct list_head req_free;
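Review bot: the comment on `bool is_enabled;` says what the flag tracks but not what protects it; the uvc_video.c hunk reads it under `req_lock`, so document that here (`/* protected by req_lock */`) next to the existing `req_lock` member, which is where the next person adding a reader will look.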
diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 904dd283cbf7..c7e5fa4f29e0 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 	if (type != video->queue.queue.type)
 		return -EINVAL;

-	uvc->state = UVC_STATE_CONNECTED;
 	ret = uvcg_video_disable(video);
 	if (ret < 0)
 		return ret;

+	uvc->state = UVC_STATE_CONNECTED;
 	uvc_function_setup_continue(uvc, 1);
 	return 0;
 }
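Review bot: moving `uvc->state = UVC_STATE_CONNECTED;` below uvcg_video_disable() means a failed disable now leaves state at STREAMING as well as skipping uvc_function_setup_continue(uvc, 1); that is consistent, but the `return ret;` path still leaves the delayed SET_INTERFACE status pending. Either complete the setup on failure or note in the commit message that uvcg_video_disable() only fails when `video->ep == NULL` (the -ENODEV path in 3/4), so the pending status cannot matter.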
@@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
 static void uvc_v4l2_disable(struct uvc_device *uvc)
 {
 	uvc_function_disconnect(uvc);
-	/*
-	 * Drop uvc->state to CONNECTED if it was streaming before.
-	 * This ensures that the usb_requests are no longer queued
-	 * to the controller.
-	 */
-	if (uvc->state == UVC_STATE_STREAMING)
-		uvc->state = UVC_STATE_CONNECTED;
-
 	uvcg_video_disable(&uvc->video);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index c3e8c48f46a9..164bdeb7f2a9 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -227,6 +227,10 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
  * Request handling
  */

+/*
+ * Callers must take care to hold req_lock when this function may be called
+ * from multiple threads. For example, when frames are streaming to the host.
+ */
 static void
 uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
 {
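Review bot: the comment is weaker than the rule the code actually follows. Every call site in this patch (uvc_video_complete, uvcg_video_pump, uvcg_video_disable) holds video->req_lock, and the function changes ureq->list membership, so "Must be called with req_lock held" is the accurate statement and a `lockdep_assert_held(&ureq->video->req_lock)` in the body would enforce it. If the remaining caller uvc_video_free_requests(), which walks ureqs without the lock in the 2/4 hunk, is the intended exception, name it here.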
@@ -271,9 +275,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 	struct uvc_request *ureq = req->context;
 	struct uvc_video *video = ureq->video;
 	struct uvc_video_queue *queue = &video->queue;
-	struct uvc_device *uvc = video->uvc;
+	struct uvc_buffer *last_buf;
 	unsigned long flags;

+	spin_lock_irqsave(&video->req_lock, flags);
+	if (!video->is_enabled) {
+		/*
+		 * When is_enabled is false, uvcg_video_disable() ensures
+		 * that in-flight uvc_buffers are returned, so we can
+		 * safely call free_request without worrying about
+		 * last_buf.
+		 */
+		uvc_video_free_request(ureq, ep);
+		spin_unlock_irqrestore(&video->req_lock, flags);
+		return;
+	}
+
+	last_buf = ureq->last_buf;
+	ureq->last_buf = NULL;
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
 	switch (req->status) {
 	case 0:
 		break;
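Review bot: the comment in the `!video->is_enabled` branch should also say why the rest of the handler is skipped: uvcg_video_disable() has already called uvcg_queue_cancel(), so the -ESHUTDOWN/-ECONNRESET handling in the status switch below is not needed on this path. More importantly, the handoff that follows (reading and clearing ureq->last_buf under req_lock) is what guarantees each buffer is completed exactly once, by either this callback or the inflight_bufs loop in uvcg_video_disable(), never both. That invariant is the core of the fix and deserves a sentence next to the code.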
@@ -295,17 +316,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 		uvcg_queue_cancel(queue, 0);
 	}

-	if (ureq->last_buf) {
-		uvcg_complete_buffer(&video->queue, ureq->last_buf);
-		ureq->last_buf = NULL;
+	if (last_buf) {
+		spin_lock_irqsave(&queue->irqlock, flags);
+		uvcg_complete_buffer(queue, last_buf);
+		spin_unlock_irqrestore(&queue->irqlock, flags);
 	}

 	spin_lock_irqsave(&video->req_lock, flags);
-	list_add_tail(&req->list, &video->req_free);
-	spin_unlock_irqrestore(&video->req_lock, flags);
-
-	if (uvc->state == UVC_STATE_STREAMING)
+	/*
+	 * Video stream might have been disabled while we were
+	 * processing the current usb_request. So make sure
+	 * we're still streaming before queueing the usb_request
+	 * back to req_free
+	 */
+	if (video->is_enabled) {
+		list_add_tail(&req->list, &video->req_free);
 		queue_work(video->async_wq, &video->pump);
+	} else {
+		uvc_video_free_request(ureq, ep);
+	}
+	spin_unlock_irqrestore(&video->req_lock, flags);
 }

 static int
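Review bot: the comment says "make sure we're still streaming", but the condition is video->is_enabled, which the commit message deliberately decouples from uvc->state; reword to "make sure the video stream is still enabled". In the else branch it is also worth stating that by the time is_enabled reads false here, uvcg_video_disable() has already done list_del_init(&ureq->list) and taken ownership of last_buf, so uvc_video_free_request() only has memory left to release.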
@@ -392,20 +422,22 @@ static void uvcg_video_pump(struct work_struct *work)
 	struct uvc_video_queue *queue = &video->queue;
 	/* video->max_payload_size is only set when using bulk transfer */
 	bool is_bulk = video->max_payload_size;
-	struct uvc_device *uvc = video->uvc;
 	struct usb_request *req = NULL;
 	struct uvc_buffer *buf;
 	unsigned long flags;
 	bool buf_done;
 	int ret;

-	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
+	while (true) {
+		if (!video->ep->enabled)
+			return;
+
 		/*
-		 * Retrieve the first available USB request, protected by the
-		 * request lock.
+		 * Check is_enabled and retrieve the first available USB
+		 * request, protected by the request lock.
 		 */
 		spin_lock_irqsave(&video->req_lock, flags);
-		if (list_empty(&video->req_free)) {
+		if (!video->is_enabled || list_empty(&video->req_free)) {
 			spin_unlock_irqrestore(&video->req_lock, flags);
 			return;
 		}
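Review bot: `video->ep->enabled` is read at the top of the loop without any lock, while the comment just below says the check is protected by the request lock; only the is_enabled test is. This is benign now because usb_ep_disable() is only called from uvc_function_setup_continue(uvc, 1) after uvcg_video_disable() has run cancel_work_sync() on this work (patch 1/4), but say so in the comment, or drop the ep->enabled test since is_enabled already covers it.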
@@ -487,9 +519,11 @@ static void uvcg_video_pump(struct work_struct *work)
 		return;

 	spin_lock_irqsave(&video->req_lock, flags);
-	list_add_tail(&req->list, &video->req_free);
+	if (video->is_enabled)
+		list_add_tail(&req->list, &video->req_free);
+	else
+		uvc_video_free_request(req->context, video->ep);
 	spin_unlock_irqrestore(&video->req_lock, flags);
-	return;
 }

 /*
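Review bot: this free site differs from the others and should say so. The pump can observe is_enabled == false while uvcg_video_disable() is still blocked in cancel_work_sync(), before it has emptied video->ureqs, so correctness here depends on uvc_video_free_request() unlinking ureq from ureqs itself via list_del_init(). A one-line comment would keep a future change to uvc_video_free_request() from silently breaking this path.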
@@ -498,7 +532,11 @@ static void uvcg_video_pump(struct work_struct *work)
 int
 uvcg_video_disable(struct uvc_video *video)
 {
-	struct uvc_request *ureq;
+	unsigned long flags;
+	struct list_head inflight_bufs;
+	struct usb_request *req, *temp;
+	struct uvc_buffer *buf, *btemp;
+	struct uvc_request *ureq, *utemp;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
@@ -506,15 +544,58 @@ uvcg_video_disable(struct uvc_video *video)
 		return -ENODEV;
 	}

+	INIT_LIST_HEAD(&inflight_bufs);
+	spin_lock_irqsave(&video->req_lock, flags);
+	video->is_enabled = false;
+
+	/*
+	 * Remove any in-flight buffers from the uvc_requests
+	 * because we want to return them before cancelling the
+	 * queue. This ensures that we aren't stuck waiting for
+	 * all complete callbacks to come through before disabling
+	 * vb2 queue.
+	 */
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		if (ureq->last_buf) {
+			list_add_tail(&ureq->last_buf->queue, &inflight_bufs);
+			ureq->last_buf = NULL;
+		}
+	}
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
 	cancel_work_sync(&video->pump);
 	uvcg_queue_cancel(&video->queue, 0);

-	list_for_each_entry(ureq, &video->ureqs, list) {
-		if (ureq->req)
-			usb_ep_dequeue(video->ep, ureq->req);
+	spin_lock_irqsave(&video->req_lock, flags);
+	/*
+	 * Remove all uvc_requests from ureqs with list_del_init
+	 * This lets uvc_video_free_request correctly identify
+	 * if the uvc_request is attached to a list or not when freeing
+	 * memory.
+	 */
+	list_for_each_entry_safe(ureq, utemp, &video->ureqs, list)
+		list_del_init(&ureq->list);
+
+	list_for_each_entry_safe(req, temp, &video->req_free, list) {
+		list_del(&req->list);
+		uvc_video_free_request(req->context, video->ep);
 	}

-	uvc_video_free_requests(video);
+	INIT_LIST_HEAD(&video->ureqs);
+	INIT_LIST_HEAD(&video->req_free);
+	video->req_size = 0;
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
+	/*
+	 * Return all the video buffers before disabling the queue.
+	 */
+	spin_lock_irqsave(&video->queue.irqlock, flags);
+	list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) {
+		list_del(&buf->queue);
+		uvcg_complete_buffer(&video->queue, buf);
+	}
+	spin_unlock_irqrestore(&video->queue.irqlock, flags);
+
 	uvcg_queue_enable(&video->queue, 0);
 	return 0;
 }
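Review bot: the comment above the inflight_bufs loop says the buffers are returned "before cancelling the queue", but uvcg_complete_buffer() on them runs after uvcg_queue_cancel(), just ahead of uvcg_queue_enable(&video->queue, 0); either reword to "before disabling the queue", which is what the later comment already says, or move the completion loop ahead of uvcg_queue_cancel(). Separately, with the usb_ep_dequeue() loop removed, in-flight requests are reclaimed only when the controller completes them. That is fine on the streamoff path where uvc_function_setup_continue(uvc, 1) disables the endpoint, but on the uvc_v4l2_disable() path this driver does not call usb_ep_disable(); please confirm every outstanding request is guaranteed to complete there, otherwise those uvc_requests stay allocated until the endpoint is eventually disabled.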
@@ -532,6 +613,14 @@ int uvcg_video_enable(struct uvc_video *video)
 		return -ENODEV;
 	}

+	/*
+	 * Safe to access request related fields without req_lock because
+	 * this is the only thread currently active, and no other
+	 * request handling thread will become active until this function
+	 * returns.
+	 */
+	video->is_enabled = true;
+
 	if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
 		return ret;

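Review bot: `video->is_enabled = true` is set before uvcg_queue_enable() (and the request allocation that follows it) can fail; on an error return the flag stays true with no requests allocated and no stream running, so the next uvc_video_complete() or uvcg_video_pump() would trust it. Set it only after the setup succeeds, or clear it on the error paths, so that is_enabled means what its comment says.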
@@ -557,6 +646,7 @@ int uvcg_video_enable(struct uvc_video *video)
  */
 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
 {
+	video->is_enabled = false;
 	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	spin_lock_init(&video->req_lock);
--
2.42.0.869.gea05f2083d-goog
[PATCH v10 1/4] usb: gadget: uvc: prevent use of disabled endpoint
Posted by Avichal Rakesh 2 years, 1 month ago
Currently the set_alt callback immediately disables the endpoint and queues
the v4l2 streamoff event. However, as the streamoff event is processed
asynchronously, it is possible that the video_pump thread attempts to queue
requests to an already disabled endpoint.

This change moves disabling the usb endpoint to the end of the streamoff event
callback. As the endpoint's state can no longer be used, video_pump is
now guarded by uvc->state as well. To be consistent with the actual
streaming state, uvc->state is now toggled between CONNECTED and STREAMING
from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1 -> v2 : Rebased to ToT and reworded commit message.
v2 -> v3 : Fix email threading goof-up
v3 -> v4 : Address review comments & re-rebase to ToT
v4 -> v5 : Add Reviewed-by & Tested-by
v5 -> v6 : No change
v6 -> v7 : No change
v7 -> v8 : No change. Getting back in review queue
v8 -> v9 : Fix typo. No functional change.
v9 -> v10: Rebase to ToT (usb-next)

 drivers/usb/gadget/function/f_uvc.c     | 11 +++++------
 drivers/usb/gadget/function/f_uvc.h     |  2 +-
 drivers/usb/gadget/function/uvc.h       |  2 +-
 drivers/usb/gadget/function/uvc_v4l2.c  | 20 +++++++++++++++++---
 drivers/usb/gadget/function/uvc_video.c |  3 ++-
 5 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index 786379f1b7b7..77999ed53d33 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
 	return 0;
 }

-void uvc_function_setup_continue(struct uvc_device *uvc)
+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep)
 {
 	struct usb_composite_dev *cdev = uvc->func.config->cdev;

+	if (disable_ep && uvc->video.ep)
+		usb_ep_disable(uvc->video.ep);
+
 	usb_composite_setup_continue(cdev);
 }

@@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt)
 		if (uvc->state != UVC_STATE_STREAMING)
 			return 0;

-		if (uvc->video.ep)
-			usb_ep_disable(uvc->video.ep);
-
 		memset(&v4l2_event, 0, sizeof(v4l2_event));
 		v4l2_event.type = UVC_EVENT_STREAMOFF;
 		v4l2_event_queue(&uvc->vdev, &v4l2_event);

-		uvc->state = UVC_STATE_CONNECTED;
-		return 0;
+		return USB_GADGET_DELAYED_STATUS;

 	case 1:
 		if (uvc->state != UVC_STATE_CONNECTED)
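Review bot: since uvc->state is no longer dropped to CONNECTED here, a host that sends SET_INTERFACE alt 0 twice before userspace has processed the first UVC_EVENT_STREAMOFF passes the `uvc->state != UVC_STATE_STREAMING` check again, queues a second STREAMOFF event and returns USB_GADGET_DELAYED_STATUS a second time; consider a guard for a streamoff already in progress. The commit message should also state that completing the alt-0 control transfer now depends on userspace calling VIDIOC_STREAMOFF, as it already does for alt 1 via uvc_v4l2_streamon().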
diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h
index 1db972d4beeb..083aef0c65c6 100644
--- a/drivers/usb/gadget/function/f_uvc.h
+++ b/drivers/usb/gadget/function/f_uvc.h
@@ -11,7 +11,7 @@

 struct uvc_device;

-void uvc_function_setup_continue(struct uvc_device *uvc);
+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);

 void uvc_function_connect(struct uvc_device *uvc);

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 6751de8b63ad..989bc6b4e93d 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -177,7 +177,7 @@ struct uvc_file_handle {
  * Functions
  */

-extern void uvc_function_setup_continue(struct uvc_device *uvc);
+extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);
 extern void uvc_function_connect(struct uvc_device *uvc);
 extern void uvc_function_disconnect(struct uvc_device *uvc);

diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 3f0a9795c0d4..7cb8d027ff0c 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 	 * Complete the alternate setting selection setup phase now that
 	 * userspace is ready to provide video frames.
 	 */
-	uvc_function_setup_continue(uvc);
+	uvc_function_setup_continue(uvc, 0);
 	uvc->state = UVC_STATE_STREAMING;

 	return 0;
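Review bot: uvc->state is set to UVC_STATE_STREAMING only after uvc_function_setup_continue(uvc, 0) has completed the control transfer's status stage; a host that immediately sends SET_INTERFACE alt 0 can reach uvc_function_set_alt() while the state is still CONNECTED, and the alt-0 branch then returns 0 without queueing UVC_EVENT_STREAMOFF. Setting the state before calling uvc_function_setup_continue() closes that window.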
@@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 	struct video_device *vdev = video_devdata(file);
 	struct uvc_device *uvc = video_get_drvdata(vdev);
 	struct uvc_video *video = &uvc->video;
+	int ret = 0;

 	if (type != video->queue.queue.type)
 		return -EINVAL;

-	return uvcg_video_enable(video, 0);
+	uvc->state = UVC_STATE_CONNECTED;
+	ret = uvcg_video_enable(video, 0);
+	if (ret < 0)
+		return ret;
+
+	uvc_function_setup_continue(uvc, 1);
+	return 0;
 }

 static int
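Review bot: if uvcg_video_enable(video, 0) fails, the function returns before uvc_function_setup_continue(uvc, 1), so the USB_GADGET_DELAYED_STATUS returned from set_alt is never completed and the endpoint stays enabled; either complete the setup phase regardless of the result or document why the early return is safe. Minor: the `= 0` initialiser on `ret` is dead, since ret is assigned before it is read.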
@@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
 static void uvc_v4l2_disable(struct uvc_device *uvc)
 {
 	uvc_function_disconnect(uvc);
+	/*
+	 * Drop uvc->state to CONNECTED if it was streaming before.
+	 * This ensures that the usb_requests are no longer queued
+	 * to the controller.
+	 */
+	if (uvc->state == UVC_STATE_STREAMING)
+		uvc->state = UVC_STATE_CONNECTED;
+
 	uvcg_video_enable(&uvc->video, 0);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
@@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = {
 	.get_unmapped_area = uvcg_v4l2_get_unmapped_area,
 #endif
 };
-
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 91af3b1ef0d4..c334802ac0a4 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work)
 	struct uvc_video_queue *queue = &video->queue;
 	/* video->max_payload_size is only set when using bulk transfer */
 	bool is_bulk = video->max_payload_size;
+	struct uvc_device *uvc = video->uvc;
 	struct usb_request *req = NULL;
 	struct uvc_buffer *buf;
 	unsigned long flags;
 	bool buf_done;
 	int ret;

-	while (video->ep->enabled) {
+	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
 		/*
 		 * Retrieve the first available USB request, protected by the
 		 * request lock.
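Review bot: uvc->state is read here from the work item while it is written from the V4L2 ioctl path (uvc_v4l2_streamoff, uvc_v4l2_disable) with no lock and no READ_ONCE/WRITE_ONCE pairing, so this is a plain data race. It is tolerable as a hint because the ep->enabled test and the cancel_work_sync() in the disable path provide the real guarantee, but a comment saying so would make that explicit; the is_enabled flag under req_lock that patch 4/4 introduces is the proper replacement.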
--
2.42.0.820.g83a721a137-goog
[PATCH v10 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
Posted by Avichal Rakesh 2 years, 1 month ago
Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue.
Instead of bulk allocating all uvc_requests as an array, this patch
allocates uvc_requests one at a time, which should allow for similar
granularity when deallocating the uvc_requests. This patch has no
functional changes other than allocating each uvc_request separately,
and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1 -> v2 : Rebased to ToT
v2 -> v3 : Fix email threading goof-up
v3 -> v4 : Address review comments & re-rebase to ToT
v4 -> v5 : Address more review comments. Add Reviewed-by & Tested-by.
v5 -> v6 : No change
v6 -> v7 : No change
v7 -> v8 : No change. Getting back in review queue
v8 -> v9 : Address review comments.
v9 -> v10: Address review comments; remove BUG_ON(&video->reqs);
           Rebase to ToT (usb-next)

 drivers/usb/gadget/function/uvc.h       |  3 +-
 drivers/usb/gadget/function/uvc_video.c | 88 ++++++++++++++-----------
 2 files changed, 51 insertions(+), 40 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 989bc6b4e93d..993694da0bbc 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -81,6 +81,7 @@ struct uvc_request {
 	struct sg_table sgt;
 	u8 header[UVCG_REQUEST_HEADER_LEN];
 	struct uvc_buffer *last_buf;
+	struct list_head list;
 };

 struct uvc_video {
@@ -102,7 +103,7 @@ struct uvc_video {

 	/* Requests */
 	unsigned int req_size;
-	struct uvc_request *ureq;
+	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
 	struct list_head req_free;
 	spinlock_t req_lock;

diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index c334802ac0a4..1619f9664748 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
  * Request handling
  */

+static void
+uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
+{
+	sg_free_table(&ureq->sgt);
+	if (ureq->req && ep) {
+		usb_ep_free_request(ep, ureq->req);
+		ureq->req = NULL;
+	}
+
+	kfree(ureq->req_buffer);
+	ureq->req_buffer = NULL;
+
+	if (!list_empty(&ureq->list))
+		list_del_init(&ureq->list);
+
+	kfree(ureq);
+}
+
 static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req)
 {
 	int ret;
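Review bot: `if (!list_empty(&ureq->list)) list_del_init(&ureq->list);` is only safe because every ureq has INIT_LIST_HEAD() applied before any failure path can free it (see the alloc loop below), and the list_empty() test is redundant: list_del_init() on an already-initialised, unlinked entry is a no-op. Either drop the test or add a comment stating the initialisation requirement, since a ureq whose list head was never initialised would crash here either way.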
@@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 static int
 uvc_video_free_requests(struct uvc_video *video)
 {
-	unsigned int i;
-
-	if (video->ureq) {
-		for (i = 0; i < video->uvc_num_requests; ++i) {
-			sg_free_table(&video->ureq[i].sgt);
+	struct uvc_request *ureq, *temp;

-			if (video->ureq[i].req) {
-				usb_ep_free_request(video->ep, video->ureq[i].req);
-				video->ureq[i].req = NULL;
-			}
-
-			if (video->ureq[i].req_buffer) {
-				kfree(video->ureq[i].req_buffer);
-				video->ureq[i].req_buffer = NULL;
-			}
-		}
-
-		kfree(video->ureq);
-		video->ureq = NULL;
-	}
+	list_for_each_entry_safe(ureq, temp, &video->ureqs, list)
+		uvc_video_free_request(ureq, video->ep);

+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	video->req_size = 0;
 	return 0;
@@ -322,6 +325,7 @@ uvc_video_free_requests(struct uvc_video *video)
 static int
 uvc_video_alloc_requests(struct uvc_video *video)
 {
+	struct uvc_request *ureq;
 	unsigned int req_size;
 	unsigned int i;
 	int ret = -ENOMEM;
@@ -332,29 +336,33 @@ uvc_video_alloc_requests(struct uvc_video *video)
 		 * max_t(unsigned int, video->ep->maxburst, 1)
 		 * (video->ep->mult);

-	video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL);
-	if (video->ureq == NULL)
-		return -ENOMEM;
+	for (i = 0; i < video->uvc_num_requests; i++) {
+		ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL);
+		if (ureq == NULL)
+			goto error;
+
+		INIT_LIST_HEAD(&ureq->list);
+
+		list_add_tail(&ureq->list, &video->ureqs);

-	for (i = 0; i < video->uvc_num_requests; ++i) {
-		video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL);
-		if (video->ureq[i].req_buffer == NULL)
+		ureq->req_buffer = kmalloc(req_size, GFP_KERNEL);
+		if (ureq->req_buffer == NULL)
 			goto error;

-		video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
-		if (video->ureq[i].req == NULL)
+		ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
+		if (ureq->req == NULL)
 			goto error;

-		video->ureq[i].req->buf = video->ureq[i].req_buffer;
-		video->ureq[i].req->length = 0;
-		video->ureq[i].req->complete = uvc_video_complete;
-		video->ureq[i].req->context = &video->ureq[i];
-		video->ureq[i].video = video;
-		video->ureq[i].last_buf = NULL;
+		ureq->req->buf = ureq->req_buffer;
+		ureq->req->length = 0;
+		ureq->req->complete = uvc_video_complete;
+		ureq->req->context = ureq;
+		ureq->video = video;
+		ureq->last_buf = NULL;

-		list_add_tail(&video->ureq[i].req->list, &video->req_free);
+		list_add_tail(&ureq->req->list, &video->req_free);
 		/* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */
-		sg_alloc_table(&video->ureq[i].sgt,
+		sg_alloc_table(&ureq->sgt,
 			       DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN,
 					    PAGE_SIZE) + 2, GFP_KERNEL);
 	}
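Review bot: the return value of sg_alloc_table() is still ignored at the end of the loop (pre-existing), but with per-request allocation it can now be handled like the other allocations with `goto error`, since uvc_video_free_requests() already tears down partially built entries on ureqs. Style: `kzalloc(sizeof(*ureq), GFP_KERNEL)` is the preferred form over naming the struct type.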
@@ -489,8 +497,8 @@ static void uvcg_video_pump(struct work_struct *work)
  */
 int uvcg_video_enable(struct uvc_video *video, int enable)
 {
-	unsigned int i;
 	int ret;
+	struct uvc_request *ureq;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
@@ -502,9 +510,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
 		cancel_work_sync(&video->pump);
 		uvcg_queue_cancel(&video->queue, 0);

-		for (i = 0; i < video->uvc_num_requests; ++i)
-			if (video->ureq && video->ureq[i].req)
-				usb_ep_dequeue(video->ep, video->ureq[i].req);
+		list_for_each_entry(ureq, &video->ureqs, list) {
+			if (ureq->req)
+				usb_ep_dequeue(video->ep, ureq->req);
+		}

 		uvc_video_free_requests(video);
 		uvcg_queue_enable(&video->queue, 0);
@@ -536,6 +545,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
  */
 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
 {
+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	spin_lock_init(&video->req_lock);
 	INIT_WORK(&video->pump, uvcg_video_pump);
--
2.42.0.820.g83a721a137-goog
[PATCH v10 3/4] usb: gadget: uvc: move video disable logic to its own function
Posted by Avichal Rakesh 2 years, 1 month ago
This patch refactors the video disable logic in uvcg_video_enable
into its own separate function 'uvcg_video_disable'. This function
is now used anywhere uvcg_video_enable(video, 0) was used.

Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v6       : Introduced this patch to make the next one easier to review
v6 -> v7 : Add Suggested-by
v7 -> v8 : No change. Getting back in review queue
v8 -> v9 : Call uvcg_video_disable directly instead of uvcg_video_enable(video, 0)
v9 -> v10: Rebase to ToT (usb-next)

 drivers/usb/gadget/function/uvc_v4l2.c  |  6 ++--
 drivers/usb/gadget/function/uvc_video.c | 40 ++++++++++++++++---------
 drivers/usb/gadget/function/uvc_video.h |  3 +-
 3 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 7cb8d027ff0c..904dd283cbf7 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -443,7 +443,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 		return -EINVAL;

 	/* Enable UVC video. */
-	ret = uvcg_video_enable(video, 1);
+	ret = uvcg_video_enable(video);
 	if (ret < 0)
 		return ret;

@@ -469,7 +469,7 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 		return -EINVAL;

 	uvc->state = UVC_STATE_CONNECTED;
-	ret = uvcg_video_enable(video, 0);
+	ret = uvcg_video_disable(video);
 	if (ret < 0)
 		return ret;

@@ -515,7 +515,7 @@ static void uvc_v4l2_disable(struct uvc_device *uvc)
 	if (uvc->state == UVC_STATE_STREAMING)
 		uvc->state = UVC_STATE_CONNECTED;

-	uvcg_video_enable(&uvc->video, 0);
+	uvcg_video_disable(&uvc->video);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
 	wake_up_interruptible(&uvc->func_connected_queue);
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 1619f9664748..c3e8c48f46a9 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -493,31 +493,43 @@ static void uvcg_video_pump(struct work_struct *work)
 }

 /*
- * Enable or disable the video stream.
+ * Disable the video stream
  */
-int uvcg_video_enable(struct uvc_video *video, int enable)
+int
+uvcg_video_disable(struct uvc_video *video)
 {
-	int ret;
 	struct uvc_request *ureq;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
-			  "Video enable failed, device is uninitialized.\n");
+			  "Video disable failed, device is uninitialized.\n");
 		return -ENODEV;
 	}

-	if (!enable) {
-		cancel_work_sync(&video->pump);
-		uvcg_queue_cancel(&video->queue, 0);
+	cancel_work_sync(&video->pump);
+	uvcg_queue_cancel(&video->queue, 0);

-		list_for_each_entry(ureq, &video->ureqs, list) {
-			if (ureq->req)
-				usb_ep_dequeue(video->ep, ureq->req);
-		}
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		if (ureq->req)
+			usb_ep_dequeue(video->ep, ureq->req);
+	}

-		uvc_video_free_requests(video);
-		uvcg_queue_enable(&video->queue, 0);
-		return 0;
+	uvc_video_free_requests(video);
+	uvcg_queue_enable(&video->queue, 0);
+	return 0;
+}
+
+/*
+ * Enable the video stream.
+ */
+int uvcg_video_enable(struct uvc_video *video)
+{
+	int ret;
+
+	if (video->ep == NULL) {
+		uvcg_info(&video->uvc->func,
+			  "Video enable failed, device is uninitialized.\n");
+		return -ENODEV;
 	}

 	if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
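Review bot: the two functions now use different definition styles (`int` on its own line for uvcg_video_disable, `int uvcg_video_enable(` on one line) and the new header comment lacks the trailing full stop its neighbour has; since this patch exists only to keep 4/4 reviewable, keeping the moved code identical apart from the split is the least surprising choice.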
diff --git a/drivers/usb/gadget/function/uvc_video.h b/drivers/usb/gadget/function/uvc_video.h
index 03adeefa343b..8ef6259741f1 100644
--- a/drivers/usb/gadget/function/uvc_video.h
+++ b/drivers/usb/gadget/function/uvc_video.h
@@ -14,7 +14,8 @@

 struct uvc_video;

-int uvcg_video_enable(struct uvc_video *video, int enable);
+int uvcg_video_enable(struct uvc_video *video);
+int uvcg_video_disable(struct uvc_video *video);

 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc);

--
2.42.0.820.g83a721a137-goog
[PATCH v10 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
Posted by Avichal Rakesh 2 years, 1 month ago
Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new
flag to uvc_video to track when frames and requests should be flowing.
When disabling the video stream, the flag is tripped and, instead
of de-allocating all uvc_requests and usb_requests, the gadget
driver only de-allocates those usb_requests that are currently
owned by it (as present in req_free). Other usb_requests are left
untouched until their completion handler is called which takes care
of freeing the usb_request and its corresponding uvc_request.

Now that uvc_video does not depend on uvc->state, this patch removes
unnecessary updates to uvc->state that were made to accommodate uvc_video
logic. This should ensure that uvc gadget driver never accidentally
de-allocates a usb_request that it doesn't own.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1 -> v2 : Rebased to ToT, and fixed deadlock reported in
           https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/
v2 -> v3 : Fix email threading goof-up
v3 -> v4 : re-rebase to ToT & moved to a uvc_video level lock
           as discussed in
           https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/
v4 -> v5 : Address review comments. Add Reviewed-by & Tested-by.
v5 -> v6 : Added another patch before this one to make uvcg_video_disable
           easier to review.
v6 -> v7 : Fix warning reported in
           https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/
v7 -> v8 : No change. Getting back in review queue
v8 -> v9 : No change.
v9 -> v10: Address review comments. Rebase to ToT (usb-next)

 drivers/usb/gadget/function/uvc.h       |   1 +
 drivers/usb/gadget/function/uvc_v4l2.c  |  10 +-
 drivers/usb/gadget/function/uvc_video.c | 129 ++++++++++++++++++++----
 3 files changed, 111 insertions(+), 29 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 993694da0bbc..be0d012aa244 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -102,6 +102,7 @@ struct uvc_video {
 	unsigned int uvc_num_requests;

 	/* Requests */
+	bool is_enabled; /* tracks whether video stream is enabled */
 	unsigned int req_size;
 	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
 	struct list_head req_free;
diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 904dd283cbf7..c7e5fa4f29e0 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 	if (type != video->queue.queue.type)
 		return -EINVAL;

-	uvc->state = UVC_STATE_CONNECTED;
 	ret = uvcg_video_disable(video);
 	if (ret < 0)
 		return ret;

+	uvc->state = UVC_STATE_CONNECTED;
 	uvc_function_setup_continue(uvc, 1);
 	return 0;
 }
@@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
 static void uvc_v4l2_disable(struct uvc_device *uvc)
 {
 	uvc_function_disconnect(uvc);
-	/*
-	 * Drop uvc->state to CONNECTED if it was streaming before.
-	 * This ensures that the usb_requests are no longer queued
-	 * to the controller.
-	 */
-	if (uvc->state == UVC_STATE_STREAMING)
-		uvc->state = UVC_STATE_CONNECTED;
-
 	uvcg_video_disable(&uvc->video);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index c3e8c48f46a9..53feb790a4c3 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -227,6 +227,9 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
  * Request handling
  */

+/*
+ * Must be called with req_lock held as it modifies the list ureq is held in
+ */
 static void
 uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
 {
@@ -271,9 +274,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 	struct uvc_request *ureq = req->context;
 	struct uvc_video *video = ureq->video;
 	struct uvc_video_queue *queue = &video->queue;
-	struct uvc_device *uvc = video->uvc;
+	struct uvc_buffer *last_buf = NULL;
 	unsigned long flags;

+	spin_lock_irqsave(&video->req_lock, flags);
+	if (!video->is_enabled) {
+		/*
+		 * When is_enabled is false, uvcg_video_disable() ensures
+		 * that in-flight uvc_buffers are returned, so we can
+		 * safely call free_request without worrying about
+		 * last_buf.
+		 */
+		uvc_video_free_request(ureq, ep);
+		spin_unlock_irqrestore(&video->req_lock, flags);
+		return;
+	}
+
+	last_buf = ureq->last_buf;
+	ureq->last_buf = NULL;
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
 	switch (req->status) {
 	case 0:
 		break;
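Review bot: the `= NULL` initialiser on `last_buf` is dead, since the variable is assigned under req_lock before any read; drop it so the declaration matches the other locals.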
@@ -295,17 +315,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 		uvcg_queue_cancel(queue, 0);
 	}

-	if (ureq->last_buf) {
-		uvcg_complete_buffer(&video->queue, ureq->last_buf);
-		ureq->last_buf = NULL;
+	if (last_buf) {
+		spin_lock_irqsave(&queue->irqlock, flags);
+		uvcg_complete_buffer(&video->queue, last_buf);
+		spin_unlock_irqrestore(&queue->irqlock, flags);
 	}

 	spin_lock_irqsave(&video->req_lock, flags);
-	list_add_tail(&req->list, &video->req_free);
-	spin_unlock_irqrestore(&video->req_lock, flags);
-
-	if (uvc->state == UVC_STATE_STREAMING)
+	/*
+	 * Video stream might have been disabled while we were
+	 * processing the current usb_request. So make sure
+	 * we're still streaming before queueing the usb_request
+	 * back to req_free
+	 */
+	if (video->is_enabled) {
+		list_add_tail(&req->list, &video->req_free);
 		queue_work(video->async_wq, &video->pump);
+	} else {
+		uvc_video_free_request(ureq, ep);
+	}
+	spin_unlock_irqrestore(&video->req_lock, flags);
 }

 static int
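Review bot: `uvcg_complete_buffer(&video->queue, last_buf)` should use the local `queue`, which is the same pointer and is the one whose irqlock is taken on the line above; mixing the two spellings across three adjacent lines reads as if two different queues were involved.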
@@ -392,20 +421,22 @@ static void uvcg_video_pump(struct work_struct *work)
 	struct uvc_video_queue *queue = &video->queue;
 	/* video->max_payload_size is only set when using bulk transfer */
 	bool is_bulk = video->max_payload_size;
-	struct uvc_device *uvc = video->uvc;
 	struct usb_request *req = NULL;
 	struct uvc_buffer *buf;
 	unsigned long flags;
 	bool buf_done;
 	int ret;

-	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
+	while (true) {
+		if (!video->ep->enabled)
+			return;
+
 		/*
-		 * Retrieve the first available USB request, protected by the
-		 * request lock.
+		 * Check is_enabled and retrieve the first available USB
+		 * request, protected by the request lock.
 		 */
 		spin_lock_irqsave(&video->req_lock, flags);
-		if (list_empty(&video->req_free)) {
+		if (!video->is_enabled || list_empty(&video->req_free)) {
 			spin_unlock_irqrestore(&video->req_lock, flags);
 			return;
 		}
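Review bot: `if (!video->ep->enabled) return;` at the top of the loop still reads the endpoint state outside req_lock, so it is only an early-out hint; the check that actually prevents queueing after stop is `!video->is_enabled` taken under req_lock a few lines below, and the comment should say so instead of presenting ep->enabled as part of the guarantee. The unlocked read is harmless only because usb_ep_disable() now runs after uvcg_video_disable() has returned (uvc_function_setup_continue(uvc, 1) in uvc_v4l2_streamoff()); that ordering is worth a sentence here.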
@@ -487,9 +518,11 @@ static void uvcg_video_pump(struct work_struct *work)
 		return;

 	spin_lock_irqsave(&video->req_lock, flags);
-	list_add_tail(&req->list, &video->req_free);
+	if (video->is_enabled)
+		list_add_tail(&req->list, &video->req_free);
+	else
+		uvc_video_free_request(req->context, video->ep);
 	spin_unlock_irqrestore(&video->req_lock, flags);
-	return;
 }

 /*
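Review bot: the tail of uvcg_video_pump() now duplicates the "is_enabled ? list_add_tail(&req->list, &video->req_free) : uvc_video_free_request()" block from uvc_video_complete(); a small helper taking (video, ureq) and called with req_lock held would keep the two from drifting apart and give the atomic-context requirement a single place to be documented. Dropping the trailing `return;` is fine.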
@@ -498,7 +531,11 @@ static void uvcg_video_pump(struct work_struct *work)
 int
 uvcg_video_disable(struct uvc_video *video)
 {
-	struct uvc_request *ureq;
+	unsigned long flags;
+	struct list_head inflight_bufs;
+	struct usb_request *req, *temp;
+	struct uvc_buffer *buf, *btemp;
+	struct uvc_request *ureq, *utemp;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
@@ -506,15 +543,58 @@ uvcg_video_disable(struct uvc_video *video)
 		return -ENODEV;
 	}

+	INIT_LIST_HEAD(&inflight_bufs);
+	spin_lock_irqsave(&video->req_lock, flags);
+	video->is_enabled = false;
+
+	/*
+	 * Remove any in-flight buffers from the uvc_requests
+	 * because we want to return them before cancelling the
+	 * queue. This ensures that we aren't stuck waiting for
+	 * all complete callbacks to come through before disabling
+	 * vb2 queue.
+	 */
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		if (ureq->last_buf) {
+			list_add_tail(&ureq->last_buf->queue, &inflight_bufs);
+			ureq->last_buf = NULL;
+		}
+	}
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
 	cancel_work_sync(&video->pump);
 	uvcg_queue_cancel(&video->queue, 0);

-	list_for_each_entry(ureq, &video->ureqs, list) {
-		if (ureq->req)
-			usb_ep_dequeue(video->ep, ureq->req);
+	spin_lock_irqsave(&video->req_lock, flags);
+	/*
+	 * Remove all uvc_reqeusts from ureqs with list_del_init
+	 * This lets uvc_video_free_request correctly identify
+	 * if the uvc_request is attached to a list or not when freeing
+	 * memory.
+	 */
+	list_for_each_entry_safe(ureq, utemp, &video->ureqs, list)
+		list_del_init(&ureq->list);
+
+	list_for_each_entry_safe(req, temp, &video->req_free, list) {
+		list_del(&req->list);
+		uvc_video_free_request(req->context, video->ep);
 	}

-	uvc_video_free_requests(video);
+	INIT_LIST_HEAD(&video->ureqs);
+	INIT_LIST_HEAD(&video->req_free);
+	video->req_size = 0;
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
+	/*
+	 * Return all the video buffers before disabling the queue.
+	 */
+	spin_lock_irqsave(&video->queue.irqlock, flags);
+	list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) {
+		list_del(&buf->queue);
+		uvcg_complete_buffer(&video->queue, buf);
+	}
+	spin_unlock_irqrestore(&video->queue.irqlock, flags);
+
 	uvcg_queue_enable(&video->queue, 0);
 	return 0;
 }
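Review bot: removing the usb_ep_dequeue() loop means in-flight requests are no longer pulled back in uvcg_video_disable(); they are freed by uvc_video_complete() when the controller completes them, which for an otherwise idle endpoint only happens once usb_ep_disable() is called after this function returns (patch 1/4 moved that call into uvc_function_setup_continue()). That dependency between the two patches belongs in the commit message and in a comment next to the list_del_init() loop, because a caller that reaches uvcg_video_disable() without a following usb_ep_disable() has nothing left that reclaims the requests still owned by the controller. Two smaller points in the same hunk: the comment reads "uvc_reqeusts" (typo), and the INIT_LIST_HEAD(&video->ureqs) after the list_del_init() loop is redundant, since the loop already leaves the head empty.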
@@ -532,6 +612,14 @@ int uvcg_video_enable(struct uvc_video *video)
 		return -ENODEV;
 	}

+	/*
+	 * Safe to access request related fields without req_lock because
+	 * this is the only thread currently active, and no other
+	 * request handling thread will become active until this function
+	 * returns.
+	 */
+	video->is_enabled = true;
+
 	if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
 		return ret;

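Review bot: video->is_enabled is set to true before uvcg_queue_enable(), but the visible error path (`return ret;`) leaves it true; if enabling fails, reset is_enabled to false on the way out so that a later uvc_video_complete() or uvcg_video_pump() does not treat the stream as live. The lock-free access comment is fine given the single-thread guarantee it states.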
@@ -557,6 +645,7 @@ int uvcg_video_enable(struct uvc_video *video)
  */
 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
 {
+	video->is_enabled = false;
 	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	spin_lock_init(&video->req_lock);
--
2.42.0.820.g83a721a137-goog
[PATCH v9 1/4] usb: gadget: uvc: prevent use of disabled endpoint
Posted by Avichal Rakesh 2 years, 1 month ago
Currently the set_alt callback immediately disables the endpoint and queues
the v4l2 streamoff event. However, as the streamoff event is processed
asynchronously, it is possible that the video_pump thread attempts to queue
requests to an already disabled endpoint.

This change moves disabling the usb endpoint to the end of the streamoff event
callback. As the endpoint's state can no longer be used, video_pump is
now guarded by uvc->state as well. To be consistent with the actual
streaming state, uvc->state is now toggled between CONNECTED and STREAMING
from the v4l2 event callback only.

Link: https://lore.kernel.org/20230615171558.GK741@pendragon.ideasonboard.com/
Link: https://lore.kernel.org/20230531085544.253363-1-dan.scally@ideasonboard.com/
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1 -> v2: Rebased to ToT and reworded commit message.
v2 -> v3: Fix email threading goof-up
v3 -> v4: Address review comments & re-rebase to ToT
v4 -> v5: Add Reviewed-by & Tested-by
v5 -> v6: No change
v6 -> v7: No change
v7 -> v8: No change. Getting back in review queue
v8 -> v9: Fix typo. No functional change.

 drivers/usb/gadget/function/f_uvc.c     | 11 +++++------
 drivers/usb/gadget/function/f_uvc.h     |  2 +-
 drivers/usb/gadget/function/uvc.h       |  2 +-
 drivers/usb/gadget/function/uvc_v4l2.c  | 20 +++++++++++++++++---
 drivers/usb/gadget/function/uvc_video.c |  3 ++-
 5 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index faa398109431..ae08341961eb 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -263,10 +263,13 @@ uvc_function_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
 	return 0;
 }

-void uvc_function_setup_continue(struct uvc_device *uvc)
+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep)
 {
 	struct usb_composite_dev *cdev = uvc->func.config->cdev;

+	if (disable_ep && uvc->video.ep)
+		usb_ep_disable(uvc->video.ep);
+
 	usb_composite_setup_continue(cdev);
 }

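Review bot: `int disable_ep` in uvc_function_setup_continue() is used purely as a flag; declare it `bool` here and in the two prototypes so the call sites read as `true`/`false` rather than 0/1. A short comment on the function noting that this is where the delayed status from set_alt is completed, and why the endpoint is disabled here rather than in uvc_function_set_alt(), would help the next reader.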
@@ -337,15 +340,11 @@ uvc_function_set_alt(struct usb_function *f, unsigned interface, unsigned alt)
 		if (uvc->state != UVC_STATE_STREAMING)
 			return 0;

-		if (uvc->video.ep)
-			usb_ep_disable(uvc->video.ep);
-
 		memset(&v4l2_event, 0, sizeof(v4l2_event));
 		v4l2_event.type = UVC_EVENT_STREAMOFF;
 		v4l2_event_queue(&uvc->vdev, &v4l2_event);

-		uvc->state = UVC_STATE_CONNECTED;
-		return 0;
+		return USB_GADGET_DELAYED_STATUS;

 	case 1:
 		if (uvc->state != UVC_STATE_CONNECTED)
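Review bot: returning USB_GADGET_DELAYED_STATUS in the alt 0 branch without a comment leaves the reader to discover that the control transfer is completed later by uvc_v4l2_streamoff() via uvc_function_setup_continue(uvc, 1); add that note here, mirroring the alt 1 path. Since uvc->state is no longer dropped to CONNECTED in this branch, a second SET_INTERFACE alt 0 arriving before userspace has handled the first STREAMOFF would pass the `uvc->state != UVC_STATE_STREAMING` check and queue a second event; a sentence in the commit message on why that is acceptable, or how it is avoided, would be useful.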
diff --git a/drivers/usb/gadget/function/f_uvc.h b/drivers/usb/gadget/function/f_uvc.h
index 1db972d4beeb..083aef0c65c6 100644
--- a/drivers/usb/gadget/function/f_uvc.h
+++ b/drivers/usb/gadget/function/f_uvc.h
@@ -11,7 +11,7 @@

 struct uvc_device;

-void uvc_function_setup_continue(struct uvc_device *uvc);
+void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);

 void uvc_function_connect(struct uvc_device *uvc);

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 6751de8b63ad..989bc6b4e93d 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -177,7 +177,7 @@ struct uvc_file_handle {
  * Functions
  */

-extern void uvc_function_setup_continue(struct uvc_device *uvc);
+extern void uvc_function_setup_continue(struct uvc_device *uvc, int disable_ep);
 extern void uvc_function_connect(struct uvc_device *uvc);
 extern void uvc_function_disconnect(struct uvc_device *uvc);

diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 3f0a9795c0d4..7cb8d027ff0c 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -451,7 +451,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 	 * Complete the alternate setting selection setup phase now that
 	 * userspace is ready to provide video frames.
 	 */
-	uvc_function_setup_continue(uvc);
+	uvc_function_setup_continue(uvc, 0);
 	uvc->state = UVC_STATE_STREAMING;

 	return 0;
@@ -463,11 +463,18 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 	struct video_device *vdev = video_devdata(file);
 	struct uvc_device *uvc = video_get_drvdata(vdev);
 	struct uvc_video *video = &uvc->video;
+	int ret = 0;

 	if (type != video->queue.queue.type)
 		return -EINVAL;

-	return uvcg_video_enable(video, 0);
+	uvc->state = UVC_STATE_CONNECTED;
+	ret = uvcg_video_enable(video, 0);
+	if (ret < 0)
+		return ret;
+
+	uvc_function_setup_continue(uvc, 1);
+	return 0;
 }

 static int
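Review bot: in uvc_v4l2_streamoff() the error path returns before uvc_function_setup_continue(uvc, 1), so when uvcg_video_enable(video, 0) fails the delayed status from set_alt alt 0 is never completed and the host's SET_INTERFACE stays pending; either continue the setup on the error path as well, or document why a failing disable must leave it pending. uvc->state has also already been set to CONNECTED before the call, so on failure the state and the still-enabled endpoint disagree; consider restoring it or documenting the expectation.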
@@ -500,6 +507,14 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
 static void uvc_v4l2_disable(struct uvc_device *uvc)
 {
 	uvc_function_disconnect(uvc);
+	/*
+	 * Drop uvc->state to CONNECTED if it was streaming before.
+	 * This ensures that the usb_requests are no longer queued
+	 * to the controller.
+	 */
+	if (uvc->state == UVC_STATE_STREAMING)
+		uvc->state = UVC_STATE_CONNECTED;
+
 	uvcg_video_enable(&uvc->video, 0);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
@@ -647,4 +662,3 @@ const struct v4l2_file_operations uvc_v4l2_fops = {
 	.get_unmapped_area = uvcg_v4l2_get_unmapped_area,
 #endif
 };
-
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 91af3b1ef0d4..c334802ac0a4 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -384,13 +384,14 @@ static void uvcg_video_pump(struct work_struct *work)
 	struct uvc_video_queue *queue = &video->queue;
 	/* video->max_payload_size is only set when using bulk transfer */
 	bool is_bulk = video->max_payload_size;
+	struct uvc_device *uvc = video->uvc;
 	struct usb_request *req = NULL;
 	struct uvc_buffer *buf;
 	unsigned long flags;
 	bool buf_done;
 	int ret;

-	while (video->ep->enabled) {
+	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
 		/*
 		 * Retrieve the first available USB request, protected by the
 		 * request lock.
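Review bot: the loop condition now reads uvc->state without any lock, so a STREAMOFF that flips the state to CONNECTED right after the check can still be followed by one usb_ep_queue(); that window is tolerable only because usb_ep_disable() is ordered after uvcg_video_enable(video, 0) (see the f_uvc.c and uvc_v4l2.c hunks above), and a comment here stating that the state check is best-effort rather than a full guard would keep readers from relying on it.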
--
2.42.0.820.g83a721a137-goog
[PATCH v9 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
Posted by Avichal Rakesh 2 years, 1 month ago
Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue.
Instead of bulk allocating all uvc_requests as an array, this patch
allocates uvc_requests one at a time, which should allow for similar
granularity when deallocating the uvc_requests. This patch has no
functional changes other than allocating each uvc_request separately,
and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1 -> v2: Rebased to ToT
v2 -> v3: Fix email threading goof-up
v3 -> v4: Address review comments & re-rebase to ToT
v4 -> v5: Address more review comments. Add Reviewed-by & Tested-by.
v5 -> v6: No change
v6 -> v7: No change
v7 -> v8: No change. Getting back in review queue
v8 -> v9: Address review comments.

 drivers/usb/gadget/function/uvc.h       |  3 +-
 drivers/usb/gadget/function/uvc_video.c | 89 ++++++++++++++-----------
 2 files changed, 52 insertions(+), 40 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 989bc6b4e93d..993694da0bbc 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -81,6 +81,7 @@ struct uvc_request {
 	struct sg_table sgt;
 	u8 header[UVCG_REQUEST_HEADER_LEN];
 	struct uvc_buffer *last_buf;
+	struct list_head list;
 };

 struct uvc_video {
@@ -102,7 +103,7 @@ struct uvc_video {

 	/* Requests */
 	unsigned int req_size;
-	struct uvc_request *ureq;
+	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
 	struct list_head req_free;
 	spinlock_t req_lock;

diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index c334802ac0a4..f8f9209fee50 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
  * Request handling
  */

+static void
+uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
+{
+	sg_free_table(&ureq->sgt);
+	if (ureq->req && ep) {
+		usb_ep_free_request(ep, ureq->req);
+		ureq->req = NULL;
+	}
+
+	kfree(ureq->req_buffer);
+	ureq->req_buffer = NULL;
+
+	if (!list_empty(&ureq->list))
+		list_del_init(&ureq->list);
+
+	kfree(ureq);
+}
+
 static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req)
 {
 	int ret;
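Review bot: uvc_video_free_request() silently skips usb_ep_free_request() when `ep` is NULL but still frees the uvc_request, so in that case the usb_request is leaked; if a NULL ep is a legitimate caller state, say so in a comment, otherwise WARN on it. The `if (!list_empty(&ureq->list))` guard also assumes that every ureq passed in has had INIT_LIST_HEAD() or list_del_init() run on its node (true for the allocation loop in this patch); document that precondition above the function.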
@@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 static int
 uvc_video_free_requests(struct uvc_video *video)
 {
-	unsigned int i;
-
-	if (video->ureq) {
-		for (i = 0; i < video->uvc_num_requests; ++i) {
-			sg_free_table(&video->ureq[i].sgt);
+	struct uvc_request *ureq, *temp;

-			if (video->ureq[i].req) {
-				usb_ep_free_request(video->ep, video->ureq[i].req);
-				video->ureq[i].req = NULL;
-			}
-
-			if (video->ureq[i].req_buffer) {
-				kfree(video->ureq[i].req_buffer);
-				video->ureq[i].req_buffer = NULL;
-			}
-		}
-
-		kfree(video->ureq);
-		video->ureq = NULL;
-	}
+	list_for_each_entry_safe(ureq, temp, &video->ureqs, list)
+		uvc_video_free_request(ureq, video->ep);

+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	video->req_size = 0;
 	return 0;
@@ -322,39 +325,45 @@ uvc_video_free_requests(struct uvc_video *video)
 static int
 uvc_video_alloc_requests(struct uvc_video *video)
 {
+	struct uvc_request *ureq;
 	unsigned int req_size;
 	unsigned int i;
 	int ret = -ENOMEM;

 	BUG_ON(video->req_size);
+	BUG_ON(!list_empty(&video->ureqs));

 	req_size = video->ep->maxpacket
 		 * max_t(unsigned int, video->ep->maxburst, 1)
 		 * (video->ep->mult);

-	video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL);
-	if (video->ureq == NULL)
-		return -ENOMEM;
+	for (i = 0; i < video->uvc_num_requests; i++) {
+		ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL);
+		if (ureq == NULL)
+			goto error;
+
+		INIT_LIST_HEAD(&ureq->list);
+
+		list_add_tail(&ureq->list, &video->ureqs);

-	for (i = 0; i < video->uvc_num_requests; ++i) {
-		video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL);
-		if (video->ureq[i].req_buffer == NULL)
+		ureq->req_buffer = kmalloc(req_size, GFP_KERNEL);
+		if (ureq->req_buffer == NULL)
 			goto error;

-		video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
-		if (video->ureq[i].req == NULL)
+		ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
+		if (ureq->req == NULL)
 			goto error;

-		video->ureq[i].req->buf = video->ureq[i].req_buffer;
-		video->ureq[i].req->length = 0;
-		video->ureq[i].req->complete = uvc_video_complete;
-		video->ureq[i].req->context = &video->ureq[i];
-		video->ureq[i].video = video;
-		video->ureq[i].last_buf = NULL;
+		ureq->req->buf = ureq->req_buffer;
+		ureq->req->length = 0;
+		ureq->req->complete = uvc_video_complete;
+		ureq->req->context = ureq;
+		ureq->video = video;
+		ureq->last_buf = NULL;

-		list_add_tail(&video->ureq[i].req->list, &video->req_free);
+		list_add_tail(&ureq->req->list, &video->req_free);
 		/* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */
-		sg_alloc_table(&video->ureq[i].sgt,
+		sg_alloc_table(&ureq->sgt,
 			       DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN,
 					    PAGE_SIZE) + 2, GFP_KERNEL);
 	}
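Review bot: BUG_ON(!list_empty(&video->ureqs)) turns a recoverable state mismatch into a panic; as already raised in the thread, a WARN_ON_ONCE() plus an error return is the appropriate reaction here. On the touched sg_alloc_table() line the return value is still ignored, so an allocation failure leaves the loop continuing with an empty sgt; route it through `goto error` like the kmalloc() and usb_ep_alloc_request() failures above it.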
@@ -489,8 +498,8 @@ static void uvcg_video_pump(struct work_struct *work)
  */
 int uvcg_video_enable(struct uvc_video *video, int enable)
 {
-	unsigned int i;
 	int ret;
+	struct uvc_request *ureq;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
@@ -502,9 +511,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
 		cancel_work_sync(&video->pump);
 		uvcg_queue_cancel(&video->queue, 0);

-		for (i = 0; i < video->uvc_num_requests; ++i)
-			if (video->ureq && video->ureq[i].req)
-				usb_ep_dequeue(video->ep, video->ureq[i].req);
+		list_for_each_entry(ureq, &video->ureqs, list) {
+			if (ureq->req)
+				usb_ep_dequeue(video->ep, ureq->req);
+		}

 		uvc_video_free_requests(video);
 		uvcg_queue_enable(&video->queue, 0);
@@ -536,6 +546,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
  */
 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
 {
+	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	spin_lock_init(&video->req_lock);
 	INIT_WORK(&video->pump, uvcg_video_pump);
--
2.42.0.820.g83a721a137-goog
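The ownership hand-off that the 2/4 commit message describes, and that the uvc_video_complete() and uvcg_video_disable() hunks earlier in this thread implement, can be modelled outside the kernel. The following is an added illustration, not code from the patches or from the uvc gadget driver: a user-space C model with a free list, an is_enabled flag and a stand-in for the controller's in-flight queue. All names (struct video, video_pump(), controller_complete_one(), run_scenario()) are invented for the example. It shows that stopping the stream frees only the requests the driver owns, and that requests still held by the controller are freed by their own completion, so nothing is freed twice or while still in flight.

```c
/* Added illustration of the request ownership hand-off (not kernel code). */
#include <stdbool.h>
#include <stdlib.h>

#define NUM_REQS 4

struct ureq {
	struct ureq *next;   /* link on video.free_list; NULL while in flight */
};

struct video {
	bool is_enabled;                 /* models video->is_enabled */
	struct ureq *free_list;          /* models video->req_free */
	struct ureq *inflight[NUM_REQS]; /* stand-in for the controller's queue */
	int n_inflight;
	int freed;                       /* ureqs freed so far */
};

static void ureq_free(struct video *v, struct ureq *r)
{
	free(r);
	v->freed++;
}

/* Allocate the requests one at a time, as patch 2/4 does, onto the free list. */
static bool video_enable(struct video *v)
{
	*v = (struct video){ .is_enabled = true };
	for (int i = 0; i < NUM_REQS; i++) {
		struct ureq *r = calloc(1, sizeof(*r));
		if (!r)
			return false;
		r->next = v->free_list;
		v->free_list = r;
	}
	return true;
}

/* Pump: hand up to max free requests to the controller while enabled. */
static int video_pump(struct video *v, int max)
{
	int queued = 0;
	while (queued < max && v->is_enabled && v->free_list) {
		struct ureq *r = v->free_list;
		v->free_list = r->next;
		r->next = NULL;
		v->inflight[v->n_inflight++] = r;
		queued++;
	}
	return queued;
}

/* Completion: back to the free list while enabled, freed here after disable. */
static void video_complete(struct video *v, struct ureq *r)
{
	if (v->is_enabled) {
		r->next = v->free_list;
		v->free_list = r;
	} else {
		ureq_free(v, r);
	}
}

/* The controller completes one in-flight request; false if none are left. */
static bool controller_complete_one(struct video *v)
{
	if (v->n_inflight == 0)
		return false;
	video_complete(v, v->inflight[--v->n_inflight]);
	return true;
}

/* Disable: free only what the driver owns; in-flight ones free themselves. */
static void video_disable(struct video *v)
{
	v->is_enabled = false;
	while (v->free_list) {
		struct ureq *r = v->free_list;
		v->free_list = r->next;
		ureq_free(v, r);
	}
}

/* Scenario: two requests in flight when the stream stops. Stores the count
 * freed at disable time in *at_disable; returns the total once the controller
 * has completed everything (NUM_REQS, nothing freed twice or in flight). */
static int run_scenario(int *at_disable)
{
	struct video v;
	if (!video_enable(&v))
		return -1;
	video_pump(&v, 2);
	video_disable(&v);
	*at_disable = v.freed;
	while (controller_complete_one(&v))
		;
	return video_pump(&v, 1) == 0 ? v.freed : -2; /* pump must refuse now */
}
```

run_scenario() is the entry point: it queues two of the four requests, disables the stream while they are outstanding, and then lets the stand-in controller complete them. The free count is 2 at disable time and 4 after the completions, and the pump refuses to queue anything once is_enabled is false, which is the behaviour the is_enabled checks in uvcg_video_pump() and uvc_video_complete() above are there to guarantee.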
Re: [PATCH v9 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
Posted by Dan Scally 2 years, 1 month ago
Hi Avichal

On 27/10/2023 21:19, Avichal Rakesh wrote:
> Currently, the uvc gadget driver allocates all uvc_requests as one array
> and deallocates them all when the video stream stops. This includes
> de-allocating all the usb_requests associated with those uvc_requests.
> This can lead to use-after-free issues if any of those de-allocated
> usb_requests were still owned by the usb controller.
>
> This patch is 1 of 2 patches addressing the use-after-free issue.
> Instead of bulk allocating all uvc_requests as an array, this patch
> allocates uvc_requests one at a time, which should allows for similar
> granularity when deallocating the uvc_requests. This patch has no
> functional changes other than allocating each uvc_request separately,
> and similarly freeing each of them separately.
>
> Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
> Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>


Sorry - I was unclear in my response to the first patch on v8. I meant my R-b to apply to the first 
patch only rather than to all of them. For this one I understand now the use of the conditional in 
uvc_video_free_request(), so that point is fine. I agree with Greg that the BUG_ON() shouldn't stand 
though.

> Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Signed-off-by: Avichal Rakesh <arakesh@google.com>
> ---
> v1 -> v2: Rebased to ToT
> v2 -> v3: Fix email threading goof-up
> v3 -> v4: Address review comments & re-rebase to ToT
> v4 -> v5: Address more review comments. Add Reviewed-by & Tested-by.
> v5 -> v6: No change
> v6 -> v7: No change
> v7 -> v8: No change. Getting back in review queue
> v8 -> v9: Address review comments.
>
>   drivers/usb/gadget/function/uvc.h       |  3 +-
>   drivers/usb/gadget/function/uvc_video.c | 89 ++++++++++++++-----------
>   2 files changed, 52 insertions(+), 40 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
> index 989bc6b4e93d..993694da0bbc 100644
> --- a/drivers/usb/gadget/function/uvc.h
> +++ b/drivers/usb/gadget/function/uvc.h
> @@ -81,6 +81,7 @@ struct uvc_request {
>   	struct sg_table sgt;
>   	u8 header[UVCG_REQUEST_HEADER_LEN];
>   	struct uvc_buffer *last_buf;
> +	struct list_head list;
>   };
>
>   struct uvc_video {
> @@ -102,7 +103,7 @@ struct uvc_video {
>
>   	/* Requests */
>   	unsigned int req_size;
> -	struct uvc_request *ureq;
> +	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
>   	struct list_head req_free;
>   	spinlock_t req_lock;
>
> diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
> index c334802ac0a4..f8f9209fee50 100644
> --- a/drivers/usb/gadget/function/uvc_video.c
> +++ b/drivers/usb/gadget/function/uvc_video.c
> @@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
>    * Request handling
>    */
>
> +static void
> +uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
> +{
> +	sg_free_table(&ureq->sgt);
> +	if (ureq->req && ep) {
> +		usb_ep_free_request(ep, ureq->req);
> +		ureq->req = NULL;
> +	}
> +
> +	kfree(ureq->req_buffer);
> +	ureq->req_buffer = NULL;
> +
> +	if (!list_empty(&ureq->list))
> +		list_del_init(&ureq->list);
> +
> +	kfree(ureq);
> +}
> +
>   static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req)
>   {
>   	int ret;
> @@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
>   static int
>   uvc_video_free_requests(struct uvc_video *video)
>   {
> -	unsigned int i;
> -
> -	if (video->ureq) {
> -		for (i = 0; i < video->uvc_num_requests; ++i) {
> -			sg_free_table(&video->ureq[i].sgt);
> +	struct uvc_request *ureq, *temp;
>
> -			if (video->ureq[i].req) {
> -				usb_ep_free_request(video->ep, video->ureq[i].req);
> -				video->ureq[i].req = NULL;
> -			}
> -
> -			if (video->ureq[i].req_buffer) {
> -				kfree(video->ureq[i].req_buffer);
> -				video->ureq[i].req_buffer = NULL;
> -			}
> -		}
> -
> -		kfree(video->ureq);
> -		video->ureq = NULL;
> -	}
> +	list_for_each_entry_safe(ureq, temp, &video->ureqs, list)
> +		uvc_video_free_request(ureq, video->ep);
>
> +	INIT_LIST_HEAD(&video->ureqs);
>   	INIT_LIST_HEAD(&video->req_free);
>   	video->req_size = 0;
>   	return 0;
> @@ -322,39 +325,45 @@ uvc_video_free_requests(struct uvc_video *video)
>   static int
>   uvc_video_alloc_requests(struct uvc_video *video)
>   {
> +	struct uvc_request *ureq;
>   	unsigned int req_size;
>   	unsigned int i;
>   	int ret = -ENOMEM;
>
>   	BUG_ON(video->req_size);
> +	BUG_ON(!list_empty(&video->ureqs));
>
>   	req_size = video->ep->maxpacket
>   		 * max_t(unsigned int, video->ep->maxburst, 1)
>   		 * (video->ep->mult);
>
> -	video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL);
> -	if (video->ureq == NULL)
> -		return -ENOMEM;
> +	for (i = 0; i < video->uvc_num_requests; i++) {
> +		ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL);
> +		if (ureq == NULL)
> +			goto error;
> +
> +		INIT_LIST_HEAD(&ureq->list);
> +
> +		list_add_tail(&ureq->list, &video->ureqs);
>
> -	for (i = 0; i < video->uvc_num_requests; ++i) {
> -		video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL);
> -		if (video->ureq[i].req_buffer == NULL)
> +		ureq->req_buffer = kmalloc(req_size, GFP_KERNEL);
> +		if (ureq->req_buffer == NULL)
>   			goto error;
>
> -		video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
> -		if (video->ureq[i].req == NULL)
> +		ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
> +		if (ureq->req == NULL)
>   			goto error;
>
> -		video->ureq[i].req->buf = video->ureq[i].req_buffer;
> -		video->ureq[i].req->length = 0;
> -		video->ureq[i].req->complete = uvc_video_complete;
> -		video->ureq[i].req->context = &video->ureq[i];
> -		video->ureq[i].video = video;
> -		video->ureq[i].last_buf = NULL;
> +		ureq->req->buf = ureq->req_buffer;
> +		ureq->req->length = 0;
> +		ureq->req->complete = uvc_video_complete;
> +		ureq->req->context = ureq;
> +		ureq->video = video;
> +		ureq->last_buf = NULL;
>
> -		list_add_tail(&video->ureq[i].req->list, &video->req_free);
> +		list_add_tail(&ureq->req->list, &video->req_free);
>   		/* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */
> -		sg_alloc_table(&video->ureq[i].sgt,
> +		sg_alloc_table(&ureq->sgt,
>   			       DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN,
>   					    PAGE_SIZE) + 2, GFP_KERNEL);
>   	}
> @@ -489,8 +498,8 @@ static void uvcg_video_pump(struct work_struct *work)
>    */
>   int uvcg_video_enable(struct uvc_video *video, int enable)
>   {
> -	unsigned int i;
>   	int ret;
> +	struct uvc_request *ureq;
>
>   	if (video->ep == NULL) {
>   		uvcg_info(&video->uvc->func,
> @@ -502,9 +511,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
>   		cancel_work_sync(&video->pump);
>   		uvcg_queue_cancel(&video->queue, 0);
>
> -		for (i = 0; i < video->uvc_num_requests; ++i)
> -			if (video->ureq && video->ureq[i].req)
> -				usb_ep_dequeue(video->ep, video->ureq[i].req);
> +		list_for_each_entry(ureq, &video->ureqs, list) {
> +			if (ureq->req)
> +				usb_ep_dequeue(video->ep, ureq->req);
> +		}
>
>   		uvc_video_free_requests(video);
>   		uvcg_queue_enable(&video->queue, 0);
> @@ -536,6 +546,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
>    */
>   int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
>   {
> +	INIT_LIST_HEAD(&video->ureqs);
>   	INIT_LIST_HEAD(&video->req_free);
>   	spin_lock_init(&video->req_lock);
>   	INIT_WORK(&video->pump, uvcg_video_pump);
> --
> 2.42.0.820.g83a721a137-goog
Re: [PATCH v9 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
Posted by Avichal Rakesh 2 years, 1 month ago

On 10/28/23 13:13, Dan Scally wrote:
> Hi Avichal
> 
> On 27/10/2023 21:19, Avichal Rakesh wrote:
>> Currently, the uvc gadget driver allocates all uvc_requests as one array
>> and deallocates them all when the video stream stops. This includes
>> de-allocating all the usb_requests associated with those uvc_requests.
>> This can lead to use-after-free issues if any of those de-allocated
>> usb_requests were still owned by the usb controller.
>>
>> This patch is 1 of 2 patches addressing the use-after-free issue.
>> Instead of bulk allocating all uvc_requests as an array, this patch
>> allocates uvc_requests one at a time, which should allows for similar
>> granularity when deallocating the uvc_requests. This patch has no
>> functional changes other than allocating each uvc_request separately,
>> and similarly freeing each of them separately.
>>
>> Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
>> Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
>> Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
> 
> 
> Sorry - I was unclear in my response to the first patch on v8. I meant my R-b to apply to the first patch only rather than to all of them. For this one I understand now the use of the conditional in uvc_video_free_request(), so that point is fine. I agree with Greg that the BUG_ON() shouldn't stand though.

Ah, didn't realize BUG_ON is discouraged. Removed BUG_ON.
It was supposed to be a defensive bit of code anyway,
so removing the check entirely. If the state is
inconsistent, we'd see other errors, so the BUG_ON
wasn't providing value anyway.

Also removed your Reviewed-by, my apologies.

> 
>> Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
>> Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
>> Signed-off-by: Avichal Rakesh <arakesh@google.com>
>> ---
>> v1 -> v2: Rebased to ToT
>> v2 -> v3: Fix email threading goof-up
>> v3 -> v4: Address review comments & re-rebase to ToT
>> v4 -> v5: Address more review comments. Add Reviewed-by & Tested-by.
>> v5 -> v6: No change
>> v6 -> v7: No change
>> v7 -> v8: No change. Getting back in review queue
>> v8 -> v9: Address review comments.
>>
>>   drivers/usb/gadget/function/uvc.h       |  3 +-
>>   drivers/usb/gadget/function/uvc_video.c | 89 ++++++++++++++-----------
>>   2 files changed, 52 insertions(+), 40 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
>> index 989bc6b4e93d..993694da0bbc 100644
>> --- a/drivers/usb/gadget/function/uvc.h
>> +++ b/drivers/usb/gadget/function/uvc.h
>> @@ -81,6 +81,7 @@ struct uvc_request {
>>       struct sg_table sgt;
>>       u8 header[UVCG_REQUEST_HEADER_LEN];
>>       struct uvc_buffer *last_buf;
>> +    struct list_head list;
>>   };
>>
>>   struct uvc_video {
>> @@ -102,7 +103,7 @@ struct uvc_video {
>>
>>       /* Requests */
>>       unsigned int req_size;
>> -    struct uvc_request *ureq;
>> +    struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
>>       struct list_head req_free;
>>       spinlock_t req_lock;
>>
>> diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
>> index c334802ac0a4..f8f9209fee50 100644
>> --- a/drivers/usb/gadget/function/uvc_video.c
>> +++ b/drivers/usb/gadget/function/uvc_video.c
>> @@ -227,6 +227,24 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
>>    * Request handling
>>    */
>>
>> +static void
>> +uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
>> +{
>> +    sg_free_table(&ureq->sgt);
>> +    if (ureq->req && ep) {
>> +        usb_ep_free_request(ep, ureq->req);
>> +        ureq->req = NULL;
>> +    }
>> +
>> +    kfree(ureq->req_buffer);
>> +    ureq->req_buffer = NULL;
>> +
>> +    if (!list_empty(&ureq->list))
>> +        list_del_init(&ureq->list);
>> +
>> +    kfree(ureq);
>> +}
>> +
>>   static int uvcg_video_ep_queue(struct uvc_video *video, struct usb_request *req)
>>   {
>>       int ret;
>> @@ -293,27 +311,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
>>   static int
>>   uvc_video_free_requests(struct uvc_video *video)
>>   {
>> -    unsigned int i;
>> -
>> -    if (video->ureq) {
>> -        for (i = 0; i < video->uvc_num_requests; ++i) {
>> -            sg_free_table(&video->ureq[i].sgt);
>> +    struct uvc_request *ureq, *temp;
>>
>> -            if (video->ureq[i].req) {
>> -                usb_ep_free_request(video->ep, video->ureq[i].req);
>> -                video->ureq[i].req = NULL;
>> -            }
>> -
>> -            if (video->ureq[i].req_buffer) {
>> -                kfree(video->ureq[i].req_buffer);
>> -                video->ureq[i].req_buffer = NULL;
>> -            }
>> -        }
>> -
>> -        kfree(video->ureq);
>> -        video->ureq = NULL;
>> -    }
>> +    list_for_each_entry_safe(ureq, temp, &video->ureqs, list)
>> +        uvc_video_free_request(ureq, video->ep);
>>
>> +    INIT_LIST_HEAD(&video->ureqs);
>>       INIT_LIST_HEAD(&video->req_free);
>>       video->req_size = 0;
>>       return 0;
>> @@ -322,39 +325,45 @@ uvc_video_free_requests(struct uvc_video *video)
>>   static int
>>   uvc_video_alloc_requests(struct uvc_video *video)
>>   {
>> +    struct uvc_request *ureq;
>>       unsigned int req_size;
>>       unsigned int i;
>>       int ret = -ENOMEM;
>>
>>       BUG_ON(video->req_size);
>> +    BUG_ON(!list_empty(&video->ureqs));
>>
>>       req_size = video->ep->maxpacket
>>            * max_t(unsigned int, video->ep->maxburst, 1)
>>            * (video->ep->mult);
>>
>> -    video->ureq = kcalloc(video->uvc_num_requests, sizeof(struct uvc_request), GFP_KERNEL);
>> -    if (video->ureq == NULL)
>> -        return -ENOMEM;
>> +    for (i = 0; i < video->uvc_num_requests; i++) {
>> +        ureq = kzalloc(sizeof(struct uvc_request), GFP_KERNEL);
>> +        if (ureq == NULL)
>> +            goto error;
>> +
>> +        INIT_LIST_HEAD(&ureq->list);
>> +
>> +        list_add_tail(&ureq->list, &video->ureqs);
>>
>> -    for (i = 0; i < video->uvc_num_requests; ++i) {
>> -        video->ureq[i].req_buffer = kmalloc(req_size, GFP_KERNEL);
>> -        if (video->ureq[i].req_buffer == NULL)
>> +        ureq->req_buffer = kmalloc(req_size, GFP_KERNEL);
>> +        if (ureq->req_buffer == NULL)
>>               goto error;
>>
>> -        video->ureq[i].req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
>> -        if (video->ureq[i].req == NULL)
>> +        ureq->req = usb_ep_alloc_request(video->ep, GFP_KERNEL);
>> +        if (ureq->req == NULL)
>>               goto error;
>>
>> -        video->ureq[i].req->buf = video->ureq[i].req_buffer;
>> -        video->ureq[i].req->length = 0;
>> -        video->ureq[i].req->complete = uvc_video_complete;
>> -        video->ureq[i].req->context = &video->ureq[i];
>> -        video->ureq[i].video = video;
>> -        video->ureq[i].last_buf = NULL;
>> +        ureq->req->buf = ureq->req_buffer;
>> +        ureq->req->length = 0;
>> +        ureq->req->complete = uvc_video_complete;
>> +        ureq->req->context = ureq;
>> +        ureq->video = video;
>> +        ureq->last_buf = NULL;
>>
>> -        list_add_tail(&video->ureq[i].req->list, &video->req_free);
>> +        list_add_tail(&ureq->req->list, &video->req_free);
>>           /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */
>> -        sg_alloc_table(&video->ureq[i].sgt,
>> +        sg_alloc_table(&ureq->sgt,
>>                      DIV_ROUND_UP(req_size - UVCG_REQUEST_HEADER_LEN,
>>                           PAGE_SIZE) + 2, GFP_KERNEL);
>>       }
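Review bot: `INIT_LIST_HEAD(&ureq->list)` is redundant immediately before `list_add_tail(&ureq->list, &video->ureqs)`, and the `sg_alloc_table()` call this hunk touches still has its return value dropped, so a failed table allocation leaves a request on `req_free` with an unusable `sgt`; check it and `goto error` like the other two allocations. Note also that `ureq` is put on `video->ureqs` before `req_buffer` and `req` exist, so the `error:` path (outside this hunk) has to tolerate entries with a NULL `req`; a one-line comment saying so would help the next reader.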
>> @@ -489,8 +498,8 @@ static void uvcg_video_pump(struct work_struct *work)
>>    */
>>   int uvcg_video_enable(struct uvc_video *video, int enable)
>>   {
>> -    unsigned int i;
>>       int ret;
>> +    struct uvc_request *ureq;
>>
>>       if (video->ep == NULL) {
>>           uvcg_info(&video->uvc->func,
>> @@ -502,9 +511,10 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
>>           cancel_work_sync(&video->pump);
>>           uvcg_queue_cancel(&video->queue, 0);
>>
>> -        for (i = 0; i < video->uvc_num_requests; ++i)
>> -            if (video->ureq && video->ureq[i].req)
>> -                usb_ep_dequeue(video->ep, video->ureq[i].req);
>> +        list_for_each_entry(ureq, &video->ureqs, list) {
>> +            if (ureq->req)
>> +                usb_ep_dequeue(video->ep, ureq->req);
>> +        }
>>
>>           uvc_video_free_requests(video);
>>           uvcg_queue_enable(&video->queue, 0);
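Review bot: the `list_for_each_entry()` walk over `video->ureqs` runs without `req_lock`, so it relies on `cancel_work_sync()` above having stopped the pump and on no completion handler touching `ureqs` before `uvc_video_free_requests()` tears the list down; that assumption deserves a comment next to the loop.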
>> @@ -536,6 +546,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
>>    */
>>   int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
>>   {
>> +    INIT_LIST_HEAD(&video->ureqs);
>>       INIT_LIST_HEAD(&video->req_free);
>>       spin_lock_init(&video->req_lock);
>>       INIT_WORK(&video->pump, uvcg_video_pump);
>> -- 
>> 2.42.0.820.g83a721a137-goog
Re: [PATCH v9 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time
Posted by Greg KH 2 years, 1 month ago
On Fri, Oct 27, 2023 at 01:19:57PM -0700, Avichal Rakesh wrote:
>  	BUG_ON(video->req_size);
> +	BUG_ON(!list_empty(&video->ureqs));

Again, please do not add new BUG_ON() lines, the existing ones need to
be removed as well, but you can do that in later changes.  I can't take
changes that add new ones, sorry.

thanks,

greg k-h
[PATCH v9 3/4] usb: gadget: uvc: move video disable logic to its own function
Posted by Avichal Rakesh 2 years, 1 month ago
This patch refactors the video disable logic in uvcg_video_enable
into its own separate function 'uvcg_video_disable'. This function
is now used anywhere uvcg_video_enable(video, 0) was used.

Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v6: Introduced this patch to make the next one easier to review
v6 -> v7: Add Suggested-by
v7 -> v8: No change. Getting back in review queue
v8 -> v9: Call uvcg_video_disable directly instead of uvcg_video_enable(video, 0)

 drivers/usb/gadget/function/uvc_v4l2.c  |  6 ++--
 drivers/usb/gadget/function/uvc_video.c | 40 ++++++++++++++++---------
 drivers/usb/gadget/function/uvc_video.h |  3 +-
 3 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 7cb8d027ff0c..904dd283cbf7 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -443,7 +443,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 		return -EINVAL;

 	/* Enable UVC video. */
-	ret = uvcg_video_enable(video, 1);
+	ret = uvcg_video_enable(video);
 	if (ret < 0)
 		return ret;

@@ -469,7 +469,7 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 		return -EINVAL;

 	uvc->state = UVC_STATE_CONNECTED;
-	ret = uvcg_video_enable(video, 0);
+	ret = uvcg_video_disable(video);
 	if (ret < 0)
 		return ret;

@@ -515,7 +515,7 @@ static void uvc_v4l2_disable(struct uvc_device *uvc)
 	if (uvc->state == UVC_STATE_STREAMING)
 		uvc->state = UVC_STATE_CONNECTED;

-	uvcg_video_enable(&uvc->video, 0);
+	uvcg_video_disable(&uvc->video);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
 	wake_up_interruptible(&uvc->func_connected_queue);
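Review bot: `uvcg_video_disable()` returns an int but its value is dropped here, while `uvc_v4l2_streamoff()` above propagates it. Since the only failure in the new function is `-ENODEV` when `video->ep` is NULL, either state that the return is intentionally ignored on the disconnect path or make the function void.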
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index f8f9209fee50..1081dd790fd6 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -494,31 +494,43 @@ static void uvcg_video_pump(struct work_struct *work)
 }

 /*
- * Enable or disable the video stream.
+ * Disable the video stream
  */
-int uvcg_video_enable(struct uvc_video *video, int enable)
+int
+uvcg_video_disable(struct uvc_video *video)
 {
-	int ret;
 	struct uvc_request *ureq;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
-			  "Video enable failed, device is uninitialized.\n");
+			  "Video disable failed, device is uninitialized.\n");
 		return -ENODEV;
 	}

-	if (!enable) {
-		cancel_work_sync(&video->pump);
-		uvcg_queue_cancel(&video->queue, 0);
+	cancel_work_sync(&video->pump);
+	uvcg_queue_cancel(&video->queue, 0);

-		list_for_each_entry(ureq, &video->ureqs, list) {
-			if (ureq->req)
-				usb_ep_dequeue(video->ep, ureq->req);
-		}
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		if (ureq->req)
+			usb_ep_dequeue(video->ep, ureq->req);
+	}

-		uvc_video_free_requests(video);
-		uvcg_queue_enable(&video->queue, 0);
-		return 0;
+	uvc_video_free_requests(video);
+	uvcg_queue_enable(&video->queue, 0);
+	return 0;
+}
+
+/*
+ * Enable the video stream.
+ */
+int uvcg_video_enable(struct uvc_video *video)
+{
+	int ret;
+
+	if (video->ep == NULL) {
+		uvcg_info(&video->uvc->func,
+			  "Video enable failed, device is uninitialized.\n");
+		return -ENODEV;
 	}

 	if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
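Review bot: style nit: the new `uvcg_video_disable()` puts its return type on a separate line while `uvcg_video_enable()` directly below keeps `int uvcg_video_enable(...)` on one line; pick one form for both (the header hunk uses the single-line form). The new comment `Disable the video stream` also lacks the trailing period its sibling has.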
diff --git a/drivers/usb/gadget/function/uvc_video.h b/drivers/usb/gadget/function/uvc_video.h
index 03adeefa343b..8ef6259741f1 100644
--- a/drivers/usb/gadget/function/uvc_video.h
+++ b/drivers/usb/gadget/function/uvc_video.h
@@ -14,7 +14,8 @@

 struct uvc_video;

-int uvcg_video_enable(struct uvc_video *video, int enable);
+int uvcg_video_enable(struct uvc_video *video);
+int uvcg_video_disable(struct uvc_video *video);

 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc);

--
2.42.0.820.g83a721a137-goog
Re: [PATCH v9 3/4] usb: gadget: uvc: move video disable logic to its own function
Posted by Dan Scally 2 years, 1 month ago
Hi Avichal

On 27/10/2023 21:19, Avichal Rakesh wrote:
> This patch refactors the video disable logic in uvcg_video_enable
> into its own separate function 'uvcg_video_disable'. This function
> is now used anywhere uvcg_video_enable(video, 0) was used.
>
> Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>


For this patch you can keep the R-b - it's fine by me now :)

> Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Signed-off-by: Avichal Rakesh <arakesh@google.com>
> ---
> v6: Introduced this patch to make the next one easier to review
> v6 -> v7: Add Suggested-by
> v7 -> v8: No change. Getting back in review queue
> v8 -> v9: Call uvcg_video_disable directly instead of uvcg_video_enable(video, 0)
>
>   drivers/usb/gadget/function/uvc_v4l2.c  |  6 ++--
>   drivers/usb/gadget/function/uvc_video.c | 40 ++++++++++++++++---------
>   drivers/usb/gadget/function/uvc_video.h |  3 +-
>   3 files changed, 31 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
> index 7cb8d027ff0c..904dd283cbf7 100644
> --- a/drivers/usb/gadget/function/uvc_v4l2.c
> +++ b/drivers/usb/gadget/function/uvc_v4l2.c
> @@ -443,7 +443,7 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
>   		return -EINVAL;
>
>   	/* Enable UVC video. */
> -	ret = uvcg_video_enable(video, 1);
> +	ret = uvcg_video_enable(video);
>   	if (ret < 0)
>   		return ret;
>
> @@ -469,7 +469,7 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
>   		return -EINVAL;
>
>   	uvc->state = UVC_STATE_CONNECTED;
> -	ret = uvcg_video_enable(video, 0);
> +	ret = uvcg_video_disable(video);
>   	if (ret < 0)
>   		return ret;
>
> @@ -515,7 +515,7 @@ static void uvc_v4l2_disable(struct uvc_device *uvc)
>   	if (uvc->state == UVC_STATE_STREAMING)
>   		uvc->state = UVC_STATE_CONNECTED;
>
> -	uvcg_video_enable(&uvc->video, 0);
> +	uvcg_video_disable(&uvc->video);
>   	uvcg_free_buffers(&uvc->video.queue);
>   	uvc->func_connected = false;
>   	wake_up_interruptible(&uvc->func_connected_queue);
> diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
> index f8f9209fee50..1081dd790fd6 100644
> --- a/drivers/usb/gadget/function/uvc_video.c
> +++ b/drivers/usb/gadget/function/uvc_video.c
> @@ -494,31 +494,43 @@ static void uvcg_video_pump(struct work_struct *work)
>   }
>
>   /*
> - * Enable or disable the video stream.
> + * Disable the video stream
>    */
> -int uvcg_video_enable(struct uvc_video *video, int enable)
> +int
> +uvcg_video_disable(struct uvc_video *video)
>   {
> -	int ret;
>   	struct uvc_request *ureq;
>
>   	if (video->ep == NULL) {
>   		uvcg_info(&video->uvc->func,
> -			  "Video enable failed, device is uninitialized.\n");
> +			  "Video disable failed, device is uninitialized.\n");
>   		return -ENODEV;
>   	}
>
> -	if (!enable) {
> -		cancel_work_sync(&video->pump);
> -		uvcg_queue_cancel(&video->queue, 0);
> +	cancel_work_sync(&video->pump);
> +	uvcg_queue_cancel(&video->queue, 0);
>
> -		list_for_each_entry(ureq, &video->ureqs, list) {
> -			if (ureq->req)
> -				usb_ep_dequeue(video->ep, ureq->req);
> -		}
> +	list_for_each_entry(ureq, &video->ureqs, list) {
> +		if (ureq->req)
> +			usb_ep_dequeue(video->ep, ureq->req);
> +	}
>
> -		uvc_video_free_requests(video);
> -		uvcg_queue_enable(&video->queue, 0);
> -		return 0;
> +	uvc_video_free_requests(video);
> +	uvcg_queue_enable(&video->queue, 0);
> +	return 0;
> +}
> +
> +/*
> + * Enable the video stream.
> + */
> +int uvcg_video_enable(struct uvc_video *video)
> +{
> +	int ret;
> +
> +	if (video->ep == NULL) {
> +		uvcg_info(&video->uvc->func,
> +			  "Video enable failed, device is uninitialized.\n");
> +		return -ENODEV;
>   	}
>
>   	if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
> diff --git a/drivers/usb/gadget/function/uvc_video.h b/drivers/usb/gadget/function/uvc_video.h
> index 03adeefa343b..8ef6259741f1 100644
> --- a/drivers/usb/gadget/function/uvc_video.h
> +++ b/drivers/usb/gadget/function/uvc_video.h
> @@ -14,7 +14,8 @@
>
>   struct uvc_video;
>
> -int uvcg_video_enable(struct uvc_video *video, int enable);
> +int uvcg_video_enable(struct uvc_video *video);
> +int uvcg_video_disable(struct uvc_video *video);
>
>   int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc);
>
> --
> 2.42.0.820.g83a721a137-goog
[PATCH v9 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
Posted by Avichal Rakesh 2 years, 1 month ago
Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This is patch 2 of 2 in fixing the use-after-free issue. It adds a new
flag to uvc_video to track when frames and requests should be flowing.
When disabling the video stream, the flag is tripped and, instead
of de-allocating all uvc_requests and usb_requests, the gadget
driver only de-allocates those usb_requests that are currently
owned by it (as present in req_free). Other usb_requests are left
untouched until their completion handler is called which takes care
of freeing the usb_request and its corresponding uvc_request.

Now that uvc_video does not depend on uvc->state, this patch removes
unnecessary updates to uvc->state that were made to accommodate uvc_video
logic. This should ensure that uvc gadget driver never accidentally
de-allocates a usb_request that it doesn't own.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
---
v1 -> v2: Rebased to ToT, and fixed deadlock reported in
          https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/
v2 -> v3: Fix email threading goof-up
v3 -> v4: re-rebase to ToT & moved to a uvc_video level lock
          as discussed in
          https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/
v4 -> v5: Address review comments. Add Reviewed-by & Tested-by.
v5 -> v6: Added another patch before this one to make uvcg_video_disable
          easier to review.
v6 -> v7: Fix warning reported in
          https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/
v7 -> v8: No change. Getting back in review queue
v8 -> v9: No change.

 drivers/usb/gadget/function/uvc.h       |   1 +
 drivers/usb/gadget/function/uvc_v4l2.c  |  12 +--
 drivers/usb/gadget/function/uvc_video.c | 128 ++++++++++++++++++++----
 3 files changed, 111 insertions(+), 30 deletions(-)

diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
index 993694da0bbc..be0d012aa244 100644
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -102,6 +102,7 @@ struct uvc_video {
 	unsigned int uvc_num_requests;

 	/* Requests */
+	bool is_enabled; /* tracks whether video stream is enabled */
 	unsigned int req_size;
 	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
 	struct list_head req_free;
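Review bot: the `is_enabled` comment should say which lock guards it; the uvc_video.c hunks read and write it under `req_lock` (with the one unlocked write in `uvcg_video_enable()` justified by a comment there), so `/* tracks whether video stream is enabled; protected by req_lock */` saves the next reader a trip through the .c file.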
diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
index 904dd283cbf7..2f8634e05612 100644
--- a/drivers/usb/gadget/function/uvc_v4l2.c
+++ b/drivers/usb/gadget/function/uvc_v4l2.c
@@ -451,8 +451,8 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
 	 * Complete the alternate setting selection setup phase now that
 	 * userspace is ready to provide video frames.
 	 */
-	uvc_function_setup_continue(uvc, 0);
 	uvc->state = UVC_STATE_STREAMING;
+	uvc_function_setup_continue(uvc, 0);

 	return 0;
 }
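Review bot: the commit message does not say why `uvc->state = UVC_STATE_STREAMING` now precedes `uvc_function_setup_continue(uvc, 0)` here, nor why `UVC_STATE_CONNECTED` moves after `uvcg_video_disable()` in `uvc_v4l2_streamoff()` in the next hunk. If the intent is that `state` must already reflect the new mode when the host-side setup completes, or that a failed disable must leave the state untouched, spell it out; otherwise a reader takes these moves for accidental churn.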
@@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
 	if (type != video->queue.queue.type)
 		return -EINVAL;

-	uvc->state = UVC_STATE_CONNECTED;
 	ret = uvcg_video_disable(video);
 	if (ret < 0)
 		return ret;

+	uvc->state = UVC_STATE_CONNECTED;
 	uvc_function_setup_continue(uvc, 1);
 	return 0;
 }
@@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
 static void uvc_v4l2_disable(struct uvc_device *uvc)
 {
 	uvc_function_disconnect(uvc);
-	/*
-	 * Drop uvc->state to CONNECTED if it was streaming before.
-	 * This ensures that the usb_requests are no longer queued
-	 * to the controller.
-	 */
-	if (uvc->state == UVC_STATE_STREAMING)
-		uvc->state = UVC_STATE_CONNECTED;
-
 	uvcg_video_disable(&uvc->video);
 	uvcg_free_buffers(&uvc->video.queue);
 	uvc->func_connected = false;
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 1081dd790fd6..8f330ce696ec 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -227,6 +227,9 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
  * Request handling
  */

+/*
+ * Must be called with req_lock held as it modifies the list ureq is held in
+ */
 static void
 uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
 {
@@ -271,9 +274,25 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 	struct uvc_request *ureq = req->context;
 	struct uvc_video *video = ureq->video;
 	struct uvc_video_queue *queue = &video->queue;
-	struct uvc_device *uvc = video->uvc;
+	struct uvc_buffer *last_buf = NULL;
 	unsigned long flags;

+	spin_lock_irqsave(&video->req_lock, flags);
+	if (!video->is_enabled) {
+		/*
+		 * When is_enabled is false, uvc_video_disable ensures that
+		 * in-flight uvc_buffers are returned, so we can safely
+		 * call free_request without worrying about last_buf.
+		 */
+		uvc_video_free_request(ureq, ep);
+		spin_unlock_irqrestore(&video->req_lock, flags);
+		return;
+	}
+
+	last_buf = ureq->last_buf;
+	ureq->last_buf = NULL;
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
 	switch (req->status) {
 	case 0:
 		break;
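Review bot: the early-return branch calls `uvc_video_free_request(ureq, ep)` with `req_lock` held and interrupts disabled, so the new comment above that function ("Must be called with req_lock held") should add that it must not sleep; this is only safe because `usb_ep_free_request()` and `sg_free_table()` are already assumed atomic-safe in completion context. Minor: `struct uvc_buffer *last_buf = NULL;` is unconditionally assigned before use, so the initializer can go, and the comment's `free_request` should name `uvc_video_free_request()`.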
@@ -295,17 +314,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
 		uvcg_queue_cancel(queue, 0);
 	}

-	if (ureq->last_buf) {
-		uvcg_complete_buffer(&video->queue, ureq->last_buf);
-		ureq->last_buf = NULL;
+	if (last_buf) {
+		spin_lock_irqsave(&queue->irqlock, flags);
+		uvcg_complete_buffer(&video->queue, last_buf);
+		spin_unlock_irqrestore(&queue->irqlock, flags);
 	}

 	spin_lock_irqsave(&video->req_lock, flags);
-	list_add_tail(&req->list, &video->req_free);
-	spin_unlock_irqrestore(&video->req_lock, flags);
-
-	if (uvc->state == UVC_STATE_STREAMING)
+	/*
+	 * Video stream might have been disabled while we were
+	 * processing the current usb_request. So make sure
+	 * we're still streaming before queueing the usb_request
+	 * back to req_free
+	 */
+	if (video->is_enabled) {
+		list_add_tail(&req->list, &video->req_free);
 		queue_work(video->async_wq, &video->pump);
+	} else {
+		uvc_video_free_request(ureq, ep);
+	}
+	spin_unlock_irqrestore(&video->req_lock, flags);
 }

 static int
@@ -393,20 +421,22 @@ static void uvcg_video_pump(struct work_struct *work)
 	struct uvc_video_queue *queue = &video->queue;
 	/* video->max_payload_size is only set when using bulk transfer */
 	bool is_bulk = video->max_payload_size;
-	struct uvc_device *uvc = video->uvc;
 	struct usb_request *req = NULL;
 	struct uvc_buffer *buf;
 	unsigned long flags;
 	bool buf_done;
 	int ret;

-	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
+	while (true) {
+		if (!video->ep->enabled)
+			return;
+
 		/*
-		 * Retrieve the first available USB request, protected by the
-		 * request lock.
+		 * Check is_enabled and retrieve the first available USB
+		 * request, protected by the request lock.
 		 */
 		spin_lock_irqsave(&video->req_lock, flags);
-		if (list_empty(&video->req_free)) {
+		if (!video->is_enabled || list_empty(&video->req_free)) {
 			spin_unlock_irqrestore(&video->req_lock, flags);
 			return;
 		}
@@ -488,9 +518,11 @@ static void uvcg_video_pump(struct work_struct *work)
 		return;

 	spin_lock_irqsave(&video->req_lock, flags);
-	list_add_tail(&req->list, &video->req_free);
+	if (video->is_enabled)
+		list_add_tail(&req->list, &video->req_free);
+	else
+		uvc_video_free_request(req->context, video->ep);
 	spin_unlock_irqrestore(&video->req_lock, flags);
-	return;
 }

 /*
@@ -499,7 +531,11 @@ static void uvcg_video_pump(struct work_struct *work)
 int
 uvcg_video_disable(struct uvc_video *video)
 {
-	struct uvc_request *ureq;
+	unsigned long flags;
+	struct list_head inflight_bufs;
+	struct usb_request *req, *temp;
+	struct uvc_buffer *buf, *btemp;
+	struct uvc_request *ureq, *utemp;

 	if (video->ep == NULL) {
 		uvcg_info(&video->uvc->func,
@@ -507,15 +543,58 @@ uvcg_video_disable(struct uvc_video *video)
 		return -ENODEV;
 	}

+	INIT_LIST_HEAD(&inflight_bufs);
+	spin_lock_irqsave(&video->req_lock, flags);
+	video->is_enabled = false;
+
+	/*
+	 * Remove any in-flight buffers from the uvc_requests
+	 * because we want to return them before cancelling the
+	 * queue. This ensures that we aren't stuck waiting for
+	 * all complete callbacks to come through before disabling
+	 * vb2 queue.
+	 */
+	list_for_each_entry(ureq, &video->ureqs, list) {
+		if (ureq->last_buf) {
+			list_add_tail(&ureq->last_buf->queue, &inflight_bufs);
+			ureq->last_buf = NULL;
+		}
+	}
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
 	cancel_work_sync(&video->pump);
 	uvcg_queue_cancel(&video->queue, 0);

-	list_for_each_entry(ureq, &video->ureqs, list) {
-		if (ureq->req)
-			usb_ep_dequeue(video->ep, ureq->req);
+	spin_lock_irqsave(&video->req_lock, flags);
+	/*
+	 * Remove all uvc_reqeusts from ureqs with list_del_init
+	 * This lets uvc_video_free_request correctly identify
+	 * if the uvc_request is attached to a list or not when freeing
+	 * memory.
+	 */
+	list_for_each_entry_safe(ureq, utemp, &video->ureqs, list)
+		list_del_init(&ureq->list);
+
+	list_for_each_entry_safe(req, temp, &video->req_free, list) {
+		list_del(&req->list);
+		uvc_video_free_request(req->context, video->ep);
 	}

-	uvc_video_free_requests(video);
+	INIT_LIST_HEAD(&video->ureqs);
+	INIT_LIST_HEAD(&video->req_free);
+	video->req_size = 0;
+	spin_unlock_irqrestore(&video->req_lock, flags);
+
+	/*
+	 * Return all the video buffers before disabling the queue.
+	 */
+	spin_lock_irqsave(&video->queue.irqlock, flags);
+	list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) {
+		list_del(&buf->queue);
+		uvcg_complete_buffer(&video->queue, buf);
+	}
+	spin_unlock_irqrestore(&video->queue.irqlock, flags);
+
 	uvcg_queue_enable(&video->queue, 0);
 	return 0;
 }
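Review bot: dropping the `usb_ep_dequeue()` loop means an in-flight request is now reclaimed only when its completion fires (the `!video->is_enabled` branch in `uvc_video_complete()`), so on a STREAMOFF that leaves the endpoint enabled a request the host never drains stays allocated until the endpoint is disabled; the commit message should state that this is intended and bounded by `uvc_num_requests`. Also `uvc_reqeusts` in the new comment is a typo, and `INIT_LIST_HEAD(&video->ureqs)` after the `list_del_init()` walk re-initialises a list that is already empty.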
@@ -533,6 +612,14 @@ int uvcg_video_enable(struct uvc_video *video)
 		return -ENODEV;
 	}

+	/*
+	 * Safe to access request related fields without req_lock because
+	 * this is the only thread currently active, and no other
+	 * request handling thread will become active until this function
+	 * returns.
+	 */
+	video->is_enabled = true;
+
 	if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
 		return ret;

@@ -558,6 +645,7 @@ int uvcg_video_enable(struct uvc_video *video)
  */
 int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
 {
+	video->is_enabled = false;
 	INIT_LIST_HEAD(&video->ureqs);
 	INIT_LIST_HEAD(&video->req_free);
 	spin_lock_init(&video->req_lock);
--
2.42.0.820.g83a721a137-goog
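The ownership rule the commit message describes, as an added stand-alone C model that is not the driver's code: the structures, `req_free` handling and function names are simplified stand-ins for the kernel ones (no locks, a singly linked list instead of `list_head`), and the four-request scenario in `main()` is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed user-space model of the ownership rule patch 4/4 enforces
 * (not the driver's code): req_free holds the requests the gadget side
 * owns; a request not on it is in flight and belongs to the controller
 * until complete() hands it back. Nobody frees a request it does not own.
 */
struct ureq {
	struct ureq *next;	/* link on req_free; NULL while in flight */
	int id;
};

struct video {
	bool is_enabled;	/* the driver guards this with req_lock */
	struct ureq *req_free;	/* requests available to the pump */
	int nreqs;		/* requests allocated by video_enable() */
	int nfreed;		/* requests released so far, for the checks */
};

static void free_request(struct video *v, struct ureq *u)
{
	free(u);
	v->nfreed++;
}

/* STREAMON: allocate nreqs requests and put them all on req_free. */
static struct video *video_enable(int nreqs)
{
	struct video *v = calloc(1, sizeof(*v));

	v->nreqs = nreqs;
	v->is_enabled = true;
	for (int i = 0; i < nreqs; i++) {
		struct ureq *u = calloc(1, sizeof(*u));

		u->id = i;
		u->next = v->req_free;
		v->req_free = u;
	}
	return v;
}

/* The pump: hand one owned request to the controller, or NULL if none. */
static struct ureq *pump_one(struct video *v)
{
	struct ureq *u = v->req_free;

	if (!v->is_enabled || !u)
		return NULL;
	v->req_free = u->next;
	u->next = NULL;
	return u;
}

/* Completion: the controller returns the request to the gadget side. */
static void complete(struct video *v, struct ureq *u)
{
	if (v->is_enabled) {
		u->next = v->req_free;	/* still streaming: reuse it */
		v->req_free = u;
	} else {
		free_request(v, u);	/* stream gone: free it now, not earlier */
	}
}

/* STREAMOFF: free only what we own; in-flight requests wait for complete(). */
static int video_disable(struct video *v)
{
	struct ureq *u, *next;

	v->is_enabled = false;
	for (u = v->req_free; u; u = next) {
		next = u->next;
		free_request(v, u);
	}
	v->req_free = NULL;
	return v->nreqs - v->nfreed;	/* still owned by the controller */
}

int main(void)
{
	struct video *v = video_enable(4);
	struct ureq *a = pump_one(v), *b = pump_one(v);

	complete(v, a);		/* enabled: a goes back on req_free */
	printf("in flight after STREAMOFF: %d\n", video_disable(v));
	complete(v, b);		/* late completion frees b, no use-after-free */
	printf("freed %d of %d\n", v->nfreed, v->nreqs);
	free(v);
	return 0;
}
```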
Re: [PATCH v9 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
Posted by Dan Scally 2 years, 1 month ago
Hi Avichal

On 27/10/2023 21:19, Avichal Rakesh wrote:
> Currently, the uvc gadget driver allocates all uvc_requests as one array
> and deallocates them all when the video stream stops. This includes
> de-allocating all the usb_requests associated with those uvc_requests.
> This can lead to use-after-free issues if any of those de-allocated
> usb_requests were still owned by the usb controller.
>
> This is patch 2 of 2 in fixing the use-after-free issue. It adds a new
> flag to uvc_video to track when frames and requests should be flowing.
> When disabling the video stream, the flag is tripped and, instead
> of de-allocating all uvc_requests and usb_requests, the gadget
> driver only de-allocates those usb_requests that are currently
> owned by it (as present in req_free). Other usb_requests are left
> untouched until their completion handler is called which takes care
> of freeing the usb_request and its corresponding uvc_request.
>
> Now that uvc_video does not depend on uvc->state, this patch removes
> unnecessary updates to uvc->state that were made to accommodate uvc_video
> logic. This should ensure that uvc gadget driver never accidentally
> de-allocates a usb_request that it doesn't own.
>
> Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
> Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
> Signed-off-by: Avichal Rakesh <arakesh@google.com>
> ---
> v1 -> v2: Rebased to ToT, and fixed deadlock reported in
>            https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/
> v2 -> v3: Fix email threading goof-up
> v3 -> v4: re-rebase to ToT & moved to a uvc_video level lock
>            as discussed in
>            https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/
> v4 -> v5: Address review comments. Add Reviewed-by & Tested-by.
> v5 -> v6: Added another patch before this one to make uvcg_video_disable
>            easier to review.
> v6 -> v7: Fix warning reported in
>            https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/
> v7 -> v8: No change. Getting back in review queue
> v8 -> v9: No change.
>
>   drivers/usb/gadget/function/uvc.h       |   1 +
>   drivers/usb/gadget/function/uvc_v4l2.c  |  12 +--
>   drivers/usb/gadget/function/uvc_video.c | 128 ++++++++++++++++++++----
>   3 files changed, 111 insertions(+), 30 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
> index 993694da0bbc..be0d012aa244 100644
> --- a/drivers/usb/gadget/function/uvc.h
> +++ b/drivers/usb/gadget/function/uvc.h
> @@ -102,6 +102,7 @@ struct uvc_video {
>   	unsigned int uvc_num_requests;
>
>   	/* Requests */
> +	bool is_enabled; /* tracks whether video stream is enabled */
>   	unsigned int req_size;
>   	struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
>   	struct list_head req_free;
> diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
> index 904dd283cbf7..2f8634e05612 100644
> --- a/drivers/usb/gadget/function/uvc_v4l2.c
> +++ b/drivers/usb/gadget/function/uvc_v4l2.c
> @@ -451,8 +451,8 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
>   	 * Complete the alternate setting selection setup phase now that
>   	 * userspace is ready to provide video frames.
>   	 */
> -	uvc_function_setup_continue(uvc, 0);
>   	uvc->state = UVC_STATE_STREAMING;
> +	uvc_function_setup_continue(uvc, 0);
>
>   	return 0;
>   }
> @@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
>   	if (type != video->queue.queue.type)
>   		return -EINVAL;
>
> -	uvc->state = UVC_STATE_CONNECTED;
>   	ret = uvcg_video_disable(video);
>   	if (ret < 0)
>   		return ret;
>
> +	uvc->state = UVC_STATE_CONNECTED;
>   	uvc_function_setup_continue(uvc, 1);
>   	return 0;
>   }


I'm not sure I understand what these re-orderings are for...can you explain please?

> @@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
>   static void uvc_v4l2_disable(struct uvc_device *uvc)
>   {
>   	uvc_function_disconnect(uvc);
> -	/*
> -	 * Drop uvc->state to CONNECTED if it was streaming before.
> -	 * This ensures that the usb_requests are no longer queued
> -	 * to the controller.
> -	 */
> -	if (uvc->state == UVC_STATE_STREAMING)
> -		uvc->state = UVC_STATE_CONNECTED;
> -
>   	uvcg_video_disable(&uvc->video);
>   	uvcg_free_buffers(&uvc->video.queue);
>   	uvc->func_connected = false;
> diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
> index 1081dd790fd6..8f330ce696ec 100644
> --- a/drivers/usb/gadget/function/uvc_video.c
> +++ b/drivers/usb/gadget/function/uvc_video.c
> @@ -227,6 +227,9 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
>    * Request handling
>    */
>
> +/*
> + * Must be called with req_lock held as it modifies the list ureq is held in
> + */



This comment probably belongs in patch #2. And in that case, shouldn't uvc_video_free_requests() 
hold the lock in that patch?

>   static void
>   uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
>   {
> @@ -271,9 +274,25 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
>   	struct uvc_request *ureq = req->context;
>   	struct uvc_video *video = ureq->video;
>   	struct uvc_video_queue *queue = &video->queue;
> -	struct uvc_device *uvc = video->uvc;
> +	struct uvc_buffer *last_buf = NULL;
>   	unsigned long flags;
>
> +	spin_lock_irqsave(&video->req_lock, flags);
> +	if (!video->is_enabled) {
> +		/*
> +		 * When is_enabled is false, uvc_video_disable ensures that
s/uvc_video_disable/uvc_video_disable()
> +		 * in-flight uvc_buffers are returned, so we can safely
> +		 * call free_request without worrying about last_buf.
> +		 */
> +		uvc_video_free_request(ureq, ep);
Now I understand the conditional in this function in patch 2 :)
> +		spin_unlock_irqrestore(&video->req_lock, flags);
> +		return;
> +	}
> +
> +	last_buf = ureq->last_buf;
> +	ureq->last_buf = NULL;
> +	spin_unlock_irqrestore(&video->req_lock, flags);


I'm not a huge fan of this locking, unlocking and relocking the same spinlock within the same 
function. Can we just hold the lock for the duration? if not, can there be an explanatory comment as 
to why?
> +
>   	switch (req->status) {
>   	case 0:
>   		break;
> @@ -295,17 +314,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
>   		uvcg_queue_cancel(queue, 0);
>   	}
>
> -	if (ureq->last_buf) {
> -		uvcg_complete_buffer(&video->queue, ureq->last_buf);
> -		ureq->last_buf = NULL;
> +	if (last_buf) {
> +		spin_lock_irqsave(&queue->irqlock, flags);
> +		uvcg_complete_buffer(&video->queue, last_buf);
> +		spin_unlock_irqrestore(&queue->irqlock, flags);



I think it's right to take the irqlock here but it probably should have always been held, so this 
probably ought to go in its own commit with a Fixes:

>   	}
>
>   	spin_lock_irqsave(&video->req_lock, flags);
> -	list_add_tail(&req->list, &video->req_free);
> -	spin_unlock_irqrestore(&video->req_lock, flags);
> -
> -	if (uvc->state == UVC_STATE_STREAMING)
> +	/*
> +	 * Video stream might have been disabled while we were
> +	 * processing the current usb_request. So make sure
> +	 * we're still streaming before queueing the usb_request
> +	 * back to req_free
> +	 */
> +	if (video->is_enabled) {
> +		list_add_tail(&req->list, &video->req_free);
>   		queue_work(video->async_wq, &video->pump);
> +	} else {
> +		uvc_video_free_request(ureq, ep);
> +	}
> +	spin_unlock_irqrestore(&video->req_lock, flags);
>   }
>
>   static int
> @@ -393,20 +421,22 @@ static void uvcg_video_pump(struct work_struct *work)
>   	struct uvc_video_queue *queue = &video->queue;
>   	/* video->max_payload_size is only set when using bulk transfer */
>   	bool is_bulk = video->max_payload_size;
> -	struct uvc_device *uvc = video->uvc;
>   	struct usb_request *req = NULL;
>   	struct uvc_buffer *buf;
>   	unsigned long flags;
>   	bool buf_done;
>   	int ret;
>
> -	while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
> +	while (true) {
> +		if (!video->ep->enabled)
> +			return;
> +
>   		/*
> -		 * Retrieve the first available USB request, protected by the
> -		 * request lock.
> +		 * Check is_enabled and retrieve the first available USB
> +		 * request, protected by the request lock.
>   		 */
>   		spin_lock_irqsave(&video->req_lock, flags);
> -		if (list_empty(&video->req_free)) {
> +		if (!video->is_enabled || list_empty(&video->req_free)) {
>   			spin_unlock_irqrestore(&video->req_lock, flags);
>   			return;
>   		}
> @@ -488,9 +518,11 @@ static void uvcg_video_pump(struct work_struct *work)
>   		return;
>
>   	spin_lock_irqsave(&video->req_lock, flags);
> -	list_add_tail(&req->list, &video->req_free);
> +	if (video->is_enabled)
> +		list_add_tail(&req->list, &video->req_free);
> +	else
> +		uvc_video_free_request(req->context, video->ep);
>   	spin_unlock_irqrestore(&video->req_lock, flags);
> -	return;
>   }
>
>   /*
> @@ -499,7 +531,11 @@ static void uvcg_video_pump(struct work_struct *work)
>   int
>   uvcg_video_disable(struct uvc_video *video)
>   {
> -	struct uvc_request *ureq;
> +	unsigned long flags;
> +	struct list_head inflight_bufs;
> +	struct usb_request *req, *temp;
> +	struct uvc_buffer *buf, *btemp;
> +	struct uvc_request *ureq, *utemp;
>
>   	if (video->ep == NULL) {
>   		uvcg_info(&video->uvc->func,
> @@ -507,15 +543,58 @@ uvcg_video_disable(struct uvc_video *video)
>   		return -ENODEV;
>   	}
>
> +	INIT_LIST_HEAD(&inflight_bufs);
> +	spin_lock_irqsave(&video->req_lock, flags);
> +	video->is_enabled = false;
> +
> +	/*
> +	 * Remove any in-flight buffers from the uvc_requests
> +	 * because we want to return them before cancelling the
> +	 * queue. This ensures that we aren't stuck waiting for
> +	 * all complete callbacks to come through before disabling
> +	 * vb2 queue.
> +	 */
> +	list_for_each_entry(ureq, &video->ureqs, list) {
> +		if (ureq->last_buf) {
> +			list_add_tail(&ureq->last_buf->queue, &inflight_bufs);
> +			ureq->last_buf = NULL;
> +		}
> +	}
> +	spin_unlock_irqrestore(&video->req_lock, flags);
> +
>   	cancel_work_sync(&video->pump);
>   	uvcg_queue_cancel(&video->queue, 0);
>
> -	list_for_each_entry(ureq, &video->ureqs, list) {
> -		if (ureq->req)
> -			usb_ep_dequeue(video->ep, ureq->req);
> +	spin_lock_irqsave(&video->req_lock, flags);
> +	/*
> +	 * Remove all uvc_reqeusts from ureqs with list_del_init
> +	 * This lets uvc_video_free_request correctly identify
> +	 * if the uvc_request is attached to a list or not when freeing
> +	 * memory.
> +	 */
> +	list_for_each_entry_safe(ureq, utemp, &video->ureqs, list)
> +		list_del_init(&ureq->list);
> +
> +	list_for_each_entry_safe(req, temp, &video->req_free, list) {
> +		list_del(&req->list);
> +		uvc_video_free_request(req->context, video->ep);
>   	}
>
> -	uvc_video_free_requests(video);
> +	INIT_LIST_HEAD(&video->ureqs);
> +	INIT_LIST_HEAD(&video->req_free);
> +	video->req_size = 0;
> +	spin_unlock_irqrestore(&video->req_lock, flags);
> +
> +	/*
> +	 * Return all the video buffers before disabling the queue.
> +	 */
> +	spin_lock_irqsave(&video->queue.irqlock, flags);
> +	list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) {
> +		list_del(&buf->queue);
> +		uvcg_complete_buffer(&video->queue, buf);
> +	}
> +	spin_unlock_irqrestore(&video->queue.irqlock, flags);
> +
>   	uvcg_queue_enable(&video->queue, 0);
>   	return 0;
>   }
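Review bot: in the comment before the list_del_init() loop, "uvc_reqeusts" should read "uvc_requests". More substantively, the usb_ep_dequeue() loop is dropped, so in-flight requests are now reclaimed only when their completion callbacks run; a sentence in the commit message on what guarantees those completions arrive (the caller disabling the endpoint) would help, and it is worth confirming that handing `last_buf` back through uvcg_complete_buffer() before its request has completed is safe for every encode path, i.e. that no request still references the buffer's memory. Minor: after the list_del_init()/list_del() loops have emptied `ureqs` and `req_free`, the two INIT_LIST_HEAD() calls are redundant, though harmless.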
> @@ -533,6 +612,14 @@ int uvcg_video_enable(struct uvc_video *video)
>   		return -ENODEV;
>   	}
>
> +	/*
> +	 * Safe to access request related fields without req_lock because
> +	 * this is the only thread currently active, and no other
> +	 * request handling thread will become active until this function
> +	 * returns.
> +	 */
> +	video->is_enabled = true;
> +
>   	if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
>   		return ret;
>
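Review bot: `video->is_enabled = true` is set before `uvcg_queue_enable()`, so on the `return ret` error path right below it the flag stays true although no stream was started; set it once setup has succeeded, or clear it on the error path, so the flag and the real stream state never disagree.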
> @@ -558,6 +645,7 @@ int uvcg_video_enable(struct uvc_video *video)
>    */
>   int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
>   {
> +	video->is_enabled = false;
>   	INIT_LIST_HEAD(&video->ureqs);
>   	INIT_LIST_HEAD(&video->req_free);
>   	spin_lock_init(&video->req_lock);
> --
> 2.42.0.820.g83a721a137-goog
Re: [PATCH v9 4/4] usb: gadget: uvc: Fix use-after-free for inflight usb_requests
Posted by Avichal Rakesh 2 years, 1 month ago
Thank you for taking a look Dan!

On 10/28/23 13:56, Dan Scally wrote:
> Hi Avichal
> 
> On 27/10/2023 21:19, Avichal Rakesh wrote:
>> Currently, the uvc gadget driver allocates all uvc_requests as one array
>> and deallocates them all when the video stream stops. This includes
>> de-allocating all the usb_requests associated with those uvc_requests.
>> This can lead to use-after-free issues if any of those de-allocated
>> usb_requests were still owned by the usb controller.
>>
>> This is patch 2 of 2 in fixing the use-after-free issue. It adds a new
>> flag to uvc_video to track when frames and requests should be flowing.
>> When disabling the video stream, the flag is tripped and, instead
>> of de-allocating all uvc_requests and usb_requests, the gadget
>> driver only de-allocates those usb_requests that are currently
>> owned by it (as present in req_free). Other usb_requests are left
>> untouched until their completion handler is called which takes care
>> of freeing the usb_request and its corresponding uvc_request.
>>
>> Now that uvc_video does not depend on uvc->state, this patch removes
>> unnecessary updates to uvc->state that were made to accommodate uvc_video
>> logic. This should ensure that uvc gadget driver never accidentally
>> de-allocates a usb_request that it doesn't own.
>>
>> Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@google.com
>> Suggested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
>> Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
>> Tested-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
>> Signed-off-by: Avichal Rakesh <arakesh@google.com>
>> ---
>> v1 -> v2: Rebased to ToT, and fixed deadlock reported in
>>            https://lore.kernel.org/all/ZRv2UnKztgyqk2pt@pengutronix.de/
>> v2 -> v3: Fix email threading goof-up
>> v3 -> v4: re-rebase to ToT & moved to a uvc_video level lock
>>            as discussed in
>>            https://lore.kernel.org/b14b296f-2e08-4edf-aeea-1c5b621e2d0c@google.com/
>> v4 -> v5: Address review comments. Add Reviewed-by & Tested-by.
>> v5 -> v6: Added another patch before this one to make uvcg_video_disable
>>            easier to review.
>> v6 -> v7: Fix warning reported in
>>            https://lore.kernel.org/202310200457.GwPPFuHX-lkp@intel.com/
>> v7 -> v8: No change. Getting back in review queue
>> v8 -> v9: No change.
>>
>>   drivers/usb/gadget/function/uvc.h       |   1 +
>>   drivers/usb/gadget/function/uvc_v4l2.c  |  12 +--
>>   drivers/usb/gadget/function/uvc_video.c | 128 ++++++++++++++++++++----
>>   3 files changed, 111 insertions(+), 30 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
>> index 993694da0bbc..be0d012aa244 100644
>> --- a/drivers/usb/gadget/function/uvc.h
>> +++ b/drivers/usb/gadget/function/uvc.h
>> @@ -102,6 +102,7 @@ struct uvc_video {
>>       unsigned int uvc_num_requests;
>>
>>       /* Requests */
>> +    bool is_enabled; /* tracks whether video stream is enabled */
>>       unsigned int req_size;
>>       struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
>>       struct list_head req_free;
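Review bot: the new `is_enabled` comment says what the field tracks but not what protects it; every reader in this patch except uvcg_video_enable() checks it under `req_lock`, so state that here (e.g. `/* stream enabled; protected by req_lock */`) so later changes keep the invariant.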
>> diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
>> index 904dd283cbf7..2f8634e05612 100644
>> --- a/drivers/usb/gadget/function/uvc_v4l2.c
>> +++ b/drivers/usb/gadget/function/uvc_v4l2.c
>> @@ -451,8 +451,8 @@ uvc_v4l2_streamon(struct file *file, void *fh, enum v4l2_buf_type type)
>>        * Complete the alternate setting selection setup phase now that
>>        * userspace is ready to provide video frames.
>>        */
>> -    uvc_function_setup_continue(uvc, 0);
>>       uvc->state = UVC_STATE_STREAMING;
>> +    uvc_function_setup_continue(uvc, 0);
>>
>>       return 0;
>>   }
>> @@ -468,11 +468,11 @@ uvc_v4l2_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
>>       if (type != video->queue.queue.type)
>>           return -EINVAL;
>>
>> -    uvc->state = UVC_STATE_CONNECTED;
>>       ret = uvcg_video_disable(video);
>>       if (ret < 0)
>>           return ret;
>>
>> +    uvc->state = UVC_STATE_CONNECTED;
>>       uvc_function_setup_continue(uvc, 1);
>>       return 0;
>>   }
> 
> 
> I'm not sure I understand what these re-orderings are for...can you explain please?

This specific one was a leftover from testing, removed this hunk.
But the ones below are undoing the change in patch 1, which is
flawed in its use of uvc->state without any memory guarantees.

So from patch 1 to patch 4, we shuffle the code around a bit,
but this makes patch 1 somewhat complete and functional even if 
patch 4 were to be reverted.

> 
>> @@ -507,14 +507,6 @@ uvc_v4l2_subscribe_event(struct v4l2_fh *fh,
>>   static void uvc_v4l2_disable(struct uvc_device *uvc)
>>   {
>>       uvc_function_disconnect(uvc);
>> -    /*
>> -     * Drop uvc->state to CONNECTED if it was streaming before.
>> -     * This ensures that the usb_requests are no longer queued
>> -     * to the controller.
>> -     */
>> -    if (uvc->state == UVC_STATE_STREAMING)
>> -        uvc->state = UVC_STATE_CONNECTED;
>> -
>>       uvcg_video_disable(&uvc->video);
>>       uvcg_free_buffers(&uvc->video.queue);
>>       uvc->func_connected = false;
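Review bot: with the state drop removed here, uvcg_video_disable() is entered while uvc->state may still read UVC_STATE_STREAMING, so the pump and completion handler must no longer consult uvc->state at all; the commit message calls these removals "unnecessary updates", but they are only safe because this same patch replaces that gating with `is_enabled`, and the message should say so explicitly for anyone bisecting.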
>> diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
>> index 1081dd790fd6..8f330ce696ec 100644
>> --- a/drivers/usb/gadget/function/uvc_video.c
>> +++ b/drivers/usb/gadget/function/uvc_video.c
>> @@ -227,6 +227,9 @@ uvc_video_encode_isoc(struct usb_request *req, struct uvc_video *video,
>>    * Request handling
>>    */
>>
>> +/*
>> + * Must be called with req_lock held as it modifies the list ureq is held in
>> + */
> 
> 
> 
> This comment probably belongs in patch #2. And in that case, shouldn't uvc_video_free_requests() hold the lock in that patch?

Patch 2 doesn't change any existing locking semantics. The current
code does not enforce any locking on freeing the requests, and neither
does patch 2. 

Patch 4 introduces another call site for uvc_video_free_request, so
some synchronization guarantees are needed (and hence the addition
of this comment).

As for uvc_video_free_requests not holding the lock, it is safe because
uvc_video_free_requests is only called if request initialization fails.
So uvc_video_free_requests should be thread safe, as no other thread
is processing requests when it is called.

I did add a comment in uvcg_video_enable mentioning why it is safe to
not hold req_free even though it accesses request related fields.

Happy to add another comment to uvc_video_free_requests if that makes it 
clearer!

> 
>>   static void
>>   uvc_video_free_request(struct uvc_request *ureq, struct usb_ep *ep)
>>   {
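Review bot: once the comment states that req_lock must be held, a `lockdep_assert_held(&ureq->video->req_lock)` in the function body would enforce it; per the discussion above, the init-failure caller uvc_video_free_requests() does not hold the lock, so either that caller takes it or the comment records the exception, otherwise the documented rule and the code disagree.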
>> @@ -271,9 +274,25 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
>>       struct uvc_request *ureq = req->context;
>>       struct uvc_video *video = ureq->video;
>>       struct uvc_video_queue *queue = &video->queue;
>> -    struct uvc_device *uvc = video->uvc;
>> +    struct uvc_buffer *last_buf = NULL;
>>       unsigned long flags;
>>
>> +    spin_lock_irqsave(&video->req_lock, flags);
>> +    if (!video->is_enabled) {
>> +        /*
>> +         * When is_enabled is false, uvc_video_disable ensures that
> s/uvc_video_disable/uvc_video_disable()

Done!

>> +         * in-flight uvc_buffers are returned, so we can safely
>> +         * call free_request without worrying about last_buf.
>> +         */
>> +        uvc_video_free_request(ureq, ep);
> Now I understand the conditional in this function in patch 2 :)
>> +        spin_unlock_irqrestore(&video->req_lock, flags);
>> +        return;
>> +    }
>> +
>> +    last_buf = ureq->last_buf;
>> +    ureq->last_buf = NULL;
>> +    spin_unlock_irqrestore(&video->req_lock, flags);
> 
> 
> I'm not a huge fan of this locking, unlocking and relocking the same spinlock within the same function. Can we just hold the lock for the duration? if not, can there be an explanatory comment as to why?

I agree that this is a little unfortunate, and it'd be nice if we
only had a single driver level lock. However, as it stands, if 
we hold req_lock for the entirety of completion handler, we risk
two things:

1. Adding dependencies between queue->irqlock and video->reqlock
2. Starving the video_pump thread. 

As of this patch, uvc_video_complete follows the same pattern as
video_pump function:
1. Acquire req_lock
2. Fetch/Query usb_request
3. Drop req_lock

4. Acquire queue->irqlock
5. Buffer ops (encode/free/stop)
6. Drop queue->irqlock

7. Acquire req_lock
8. usb_request cleanup/handling
9. Drop req_lock

(7), (8), and (9) are optional for video_pump, while
(4), (5), and (6) are optional for uvc_video_complete.

We can short-circuit uvc_video_complete with only one lock
on the happy path, but this would have to be the flow for
non-happy paths unless we want to hold the two locks at 
the same time (which isn't the worst idea, but comes with 
its own set of concerns).


>> +
>>       switch (req->status) {
>>       case 0:
>>           break;
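Review bot: the `last_buf = ureq->last_buf; ureq->last_buf = NULL;` handoff under req_lock is what guarantees that exactly one of uvcg_video_disable() (which steals last_buf under the same lock) and this handler returns the buffer, and that invariant deserves a sentence in the comment, since it is the reason req_lock can be dropped before the `switch (req->status)` without risking a double uvcg_complete_buffer(). Also note that the early return in the `!is_enabled` branch skips the status handling below, including the uvcg_queue_cancel() on error statuses, which is presumably intended during teardown but worth stating.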
>> @@ -295,17 +314,26 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
>>           uvcg_queue_cancel(queue, 0);
>>       }
>>
>> -    if (ureq->last_buf) {
>> -        uvcg_complete_buffer(&video->queue, ureq->last_buf);
>> -        ureq->last_buf = NULL;
>> +    if (last_buf) {
>> +        spin_lock_irqsave(&queue->irqlock, flags);
>> +        uvcg_complete_buffer(&video->queue, last_buf);
>> +        spin_unlock_irqrestore(&queue->irqlock, flags);
> 
> 
> 
> I think it's right to take the irqlock here but it probably should have always been held, so this probably ought to go in its own commit with a Fixes:

The lock here wasn't required before, because uvcg_complete_buffer was
only ever called by the completion handler, which is synchronized by
the usb controller. This is the reason we never saw an issue despite
not holding the lock.

This patch introduces another call site in uvcg_video_disable, so to
protect memory consistency, we need to make sure calls to 
uvcg_complete_buffer are synchronized on something other than
the usb controller.

> 
>>       }
>>
>>       spin_lock_irqsave(&video->req_lock, flags);
>> -    list_add_tail(&req->list, &video->req_free);
>> -    spin_unlock_irqrestore(&video->req_lock, flags);
>> -
>> -    if (uvc->state == UVC_STATE_STREAMING)
>> +    /*
>> +     * Video stream might have been disabled while we were
>> +     * processing the current usb_request. So make sure
>> +     * we're still streaming before queueing the usb_request
>> +     * back to req_free
>> +     */
>> +    if (video->is_enabled) {
>> +        list_add_tail(&req->list, &video->req_free);
>>           queue_work(video->async_wq, &video->pump);
>> +    } else {
>> +        uvc_video_free_request(ureq, ep);
>> +    }
>> +    spin_unlock_irqrestore(&video->req_lock, flags);
>>   }
>>
>>   static int
>> @@ -393,20 +421,22 @@ static void uvcg_video_pump(struct work_struct *work)
>>       struct uvc_video_queue *queue = &video->queue;
>>       /* video->max_payload_size is only set when using bulk transfer */
>>       bool is_bulk = video->max_payload_size;
>> -    struct uvc_device *uvc = video->uvc;
>>       struct usb_request *req = NULL;
>>       struct uvc_buffer *buf;
>>       unsigned long flags;
>>       bool buf_done;
>>       int ret;
>>
>> -    while (uvc->state == UVC_STATE_STREAMING && video->ep->enabled) {
>> +    while (true) {
>> +        if (!video->ep->enabled)
>> +            return;
>> +
>>           /*
>> -         * Retrieve the first available USB request, protected by the
>> -         * request lock.
>> +         * Check is_enabled and retrieve the first available USB
>> +         * request, protected by the request lock.
>>            */
>>           spin_lock_irqsave(&video->req_lock, flags);
>> -        if (list_empty(&video->req_free)) {
>> +        if (!video->is_enabled || list_empty(&video->req_free)) {
>>               spin_unlock_irqrestore(&video->req_lock, flags);
>>               return;
>>           }
>> @@ -488,9 +518,11 @@ static void uvcg_video_pump(struct work_struct *work)
>>           return;
>>
>>       spin_lock_irqsave(&video->req_lock, flags);
>> -    list_add_tail(&req->list, &video->req_free);
>> +    if (video->is_enabled)
>> +        list_add_tail(&req->list, &video->req_free);
>> +    else
>> +        uvc_video_free_request(req->context, video->ep);
>>       spin_unlock_irqrestore(&video->req_lock, flags);
>> -    return;
>>   }
>>
>>   /*
>> @@ -499,7 +531,11 @@ static void uvcg_video_pump(struct work_struct *work)
>>   int
>>   uvcg_video_disable(struct uvc_video *video)
>>   {
>> -    struct uvc_request *ureq;
>> +    unsigned long flags;
>> +    struct list_head inflight_bufs;
>> +    struct usb_request *req, *temp;
>> +    struct uvc_buffer *buf, *btemp;
>> +    struct uvc_request *ureq, *utemp;
>>
>>       if (video->ep == NULL) {
>>           uvcg_info(&video->uvc->func,
>> @@ -507,15 +543,58 @@ uvcg_video_disable(struct uvc_video *video)
>>           return -ENODEV;
>>       }
>>
>> +    INIT_LIST_HEAD(&inflight_bufs);
>> +    spin_lock_irqsave(&video->req_lock, flags);
>> +    video->is_enabled = false;
>> +
>> +    /*
>> +     * Remove any in-flight buffers from the uvc_requests
>> +     * because we want to return them before cancelling the
>> +     * queue. This ensures that we aren't stuck waiting for
>> +     * all complete callbacks to come through before disabling
>> +     * vb2 queue.
>> +     */
>> +    list_for_each_entry(ureq, &video->ureqs, list) {
>> +        if (ureq->last_buf) {
>> +            list_add_tail(&ureq->last_buf->queue, &inflight_bufs);
>> +            ureq->last_buf = NULL;
>> +        }
>> +    }
>> +    spin_unlock_irqrestore(&video->req_lock, flags);
>> +
>>       cancel_work_sync(&video->pump);
>>       uvcg_queue_cancel(&video->queue, 0);
>>
>> -    list_for_each_entry(ureq, &video->ureqs, list) {
>> -        if (ureq->req)
>> -            usb_ep_dequeue(video->ep, ureq->req);
>> +    spin_lock_irqsave(&video->req_lock, flags);
>> +    /*
>> +     * Remove all uvc_reqeusts from ureqs with list_del_init
>> +     * This lets uvc_video_free_request correctly identify
>> +     * if the uvc_request is attached to a list or not when freeing
>> +     * memory.
>> +     */
>> +    list_for_each_entry_safe(ureq, utemp, &video->ureqs, list)
>> +        list_del_init(&ureq->list);
>> +
>> +    list_for_each_entry_safe(req, temp, &video->req_free, list) {
>> +        list_del(&req->list);
>> +        uvc_video_free_request(req->context, video->ep);
>>       }
>>
>> -    uvc_video_free_requests(video);
>> +    INIT_LIST_HEAD(&video->ureqs);
>> +    INIT_LIST_HEAD(&video->req_free);
>> +    video->req_size = 0;
>> +    spin_unlock_irqrestore(&video->req_lock, flags);
>> +
>> +    /*
>> +     * Return all the video buffers before disabling the queue.
>> +     */
>> +    spin_lock_irqsave(&video->queue.irqlock, flags);
>> +    list_for_each_entry_safe(buf, btemp, &inflight_bufs, queue) {
>> +        list_del(&buf->queue);
>> +        uvcg_complete_buffer(&video->queue, buf);
>> +    }
>> +    spin_unlock_irqrestore(&video->queue.irqlock, flags);
>> +
>>       uvcg_queue_enable(&video->queue, 0);
>>       return 0;
>>   }
>> @@ -533,6 +612,14 @@ int uvcg_video_enable(struct uvc_video *video)
>>           return -ENODEV;
>>       }
>>
>> +    /*
>> +     * Safe to access request related fields without req_lock because
>> +     * this is the only thread currently active, and no other
>> +     * request handling thread will become active until this function
>> +     * returns.
>> +     */
>> +    video->is_enabled = true;
>> +
>>       if ((ret = uvcg_queue_enable(&video->queue, 1)) < 0)
>>           return ret;
>>
>> @@ -558,6 +645,7 @@ int uvcg_video_enable(struct uvc_video *video)
>>    */
>>   int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
>>   {
>> +    video->is_enabled = false;
>>       INIT_LIST_HEAD(&video->ureqs);
>>       INIT_LIST_HEAD(&video->req_free);
>>       spin_lock_init(&video->req_lock);
>> -- 
>> 2.42.0.820.g83a721a137-goog