From nobody Mon Dec 29 23:46:01 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3044BC61D9C for ; Wed, 22 Nov 2023 10:19:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343729AbjKVKTz (ORCPT ); Wed, 22 Nov 2023 05:19:55 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58444 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235204AbjKVKTv (ORCPT ); Wed, 22 Nov 2023 05:19:51 -0500 Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E8AE93 for ; Wed, 22 Nov 2023 02:19:47 -0800 (PST) Received: by mail-qk1-x72b.google.com with SMTP id af79cd13be357-77d55e986ecso114531885a.2 for ; Wed, 22 Nov 2023 02:19:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1700648386; x=1701253186; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=3jbUgexWSE+UkwxAykTeDpdOwZGPMwaBInU8mlrkF50=; b=F7wxorbOiTE0uDAQtEfKGrBeMd2wEhVSErzly03FhyI05NagpfT2xSZQR6TxDtE/Lj qznHJm6IDGkXuGUm7Ngi9LiI+IBp34S+NLGP7+5s5V/GjE8vhzY5rDHPzOwDpDi0F4o/ fsCzeUjHjTRdfe8mYVqQ3ALUCZj4d/Cs/oLhU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700648386; x=1701253186; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3jbUgexWSE+UkwxAykTeDpdOwZGPMwaBInU8mlrkF50=; b=kzop6X31wcz1upWT7ffEiUAKbyt/JdkXsaCViJtayTIgxu2y6PziDWHubdaK41A2ce UmlMHM0KQ3hB3HLKeH3IjDaC6I/G3KWS5/56L6QKKvn3AgT1m18SP8tNLqXFoq4yl1lW hIhrE3ZU9fqQSJIdkhXc0Ri+4/Q5ynunofAHFO6e4t36ejY2/yuYg5QplFj1VWhRbHTQ XxM1ZgIVLPkbFdgaPwZrDRGwe/1+Nponr3fr6AHhutkiWhbXxZ3Qeu+rn4WrHuhd5sk8 X1cD/A5ACp8y29MqSN80N91ZX4Hclal23yP42gJv6nJnHHtI4BS2P97cKfl4LVj045o2 VVtg== X-Gm-Message-State: AOJu0Yxj8kY1rTtPUfPUH8pu/RFpyE3HEiazRwe0/Iy5/AOe/jT3v/Wb /QfKATou4Ilmd1mdkCesjdRKLw== X-Google-Smtp-Source: AGHT+IFPvXTb6KvF1t26bkBVeQdRb5LPbM3oabECQ9JvaZErAcqhrdGHM97bsBRhhWg8cgtBJlaStw== X-Received: by 2002:a05:6214:250d:b0:679:f6e4:5ed1 with SMTP id gf13-20020a056214250d00b00679f6e45ed1mr1464786qvb.60.1700648386567; Wed, 22 Nov 2023 02:19:46 -0800 (PST) Received: from denia.c.googlers.com (228.221.150.34.bc.googleusercontent.com. [34.150.221.228]) by smtp.gmail.com with ESMTPSA id di6-20020ad458e6000000b0066d1d2242desm4739352qvb.120.2023.11.22.02.19.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:19:45 -0800 (PST) From: Ricardo Ribalda Date: Wed, 22 Nov 2023 10:19:34 +0000 Subject: [PATCH v4 1/3] media: uvcvideo: Lock video streams and queues while unregistering MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20231122-guenter-mini-v4-1-3d94e1e34dc1@chromium.org> References: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> In-Reply-To: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> To: Mauro Carvalho Chehab Cc: Guenter Roeck , Tomasz Figa , Laurent Pinchart , Alan Stern , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul , Ricardo Ribalda , Sakari Ailus , Sergey Senozhatsky X-Mailer: b4 0.12.3 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Guenter Roeck The call to uvc_disconnect() is not protected by any mutex. This means it can and will be called while other accesses to the video device are in progress. This can cause all kinds of race conditions, including crashes such as the following. usb 1-4: USB disconnect, device number 3 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 5633 Comm: V4L2CaptureThre Not tainted 4.19.113-08536-g5d29ca36= db06 #1 Hardware name: GOOGLE Edgar, BIOS Google_Edgar.7287.167.156 03/25/2019 RIP: 0010:usb_ifnum_to_if+0x29/0x40 Code: <...> RSP: 0018:ffffa46f42a47a80 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff904a396c9000 RDX: ffff904a39641320 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffa46f42a47a80 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000000009975 R11: 0000000000000009 R12: 0000000000000000 R13: ffff904a396b3800 R14: ffff904a39e88000 R15: 0000000000000000 FS: 00007f396448e700(0000) GS:ffff904a3ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000016cb46000 CR4: 00000000001006f0 Call Trace: usb_hcd_alloc_bandwidth+0x1ee/0x30f usb_set_interface+0x1a3/0x2b7 uvc_video_start_transfer+0x29b/0x4b8 [uvcvideo] uvc_video_start_streaming+0x91/0xdd [uvcvideo] uvc_start_streaming+0x28/0x5d [uvcvideo] vb2_start_streaming+0x61/0x143 [videobuf2_common] vb2_core_streamon+0xf7/0x10f [videobuf2_common] uvc_queue_streamon+0x2e/0x41 [uvcvideo] uvc_ioctl_streamon+0x42/0x5c [uvcvideo] __video_do_ioctl+0x33d/0x42a video_usercopy+0x34e/0x5ff ? video_ioctl2+0x16/0x16 v4l2_ioctl+0x46/0x53 do_vfs_ioctl+0x50a/0x76f ksys_ioctl+0x58/0x83 __x64_sys_ioctl+0x1a/0x1e do_syscall_64+0x54/0xde usb_set_interface() should not be called after the USB device has been unregistered. However, in the above case the disconnect happened after v4l2_ioctl() was called, but before the call to usb_ifnum_to_if(). Acquire various mutexes in uvc_unregister_video() to fix the majority (maybe all) of the observed race conditions. The uvc_device lock prevents races against suspend and resume calls and the poll function. The uvc_streaming lock prevents races against stream related functions; for the most part, those are ioctls. This lock also requires other functions using this lock to check if a video device is still registered after acquiring it. For example, it was observed that the video device was already unregistered by the time the stream lock was acquired in uvc_ioctl_streamon(). The uvc_queue lock prevents races against queue functions, Most of those are already protected by the uvc_streaming lock, but some are called directly. This is done as added protection; an actual race was not (yet) observed. Cc: Laurent Pinchart Cc: Alan Stern Cc: Hans Verkuil Reviewed-by: Tomasz Figa Reviewed-by: Sean Paul Signed-off-by: Guenter Roeck Reviewed-by: Sergey Senozhatsky Signed-off-by: Ricardo Ribalda --- drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc= _driver.c index 08fcd2ffa727..ded2cb6ce14f 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1907,14 +1907,22 @@ static void uvc_unregister_video(struct uvc_device = *dev) { struct uvc_streaming *stream; =20 + mutex_lock(&dev->lock); + list_for_each_entry(stream, &dev->streams, list) { if (!video_is_registered(&stream->vdev)) continue; =20 + mutex_lock(&stream->mutex); + mutex_lock(&stream->queue.mutex); + video_unregister_device(&stream->vdev); video_unregister_device(&stream->meta.vdev); =20 uvc_debugfs_cleanup_stream(stream); + + mutex_unlock(&stream->queue.mutex); + mutex_unlock(&stream->mutex); } =20 uvc_status_unregister(dev); @@ -1925,6 +1933,7 @@ static void uvc_unregister_video(struct uvc_device *d= ev) if (media_devnode_is_registered(dev->mdev.devnode)) media_device_unregister(&dev->mdev); #endif + mutex_unlock(&dev->lock); } =20 int uvc_register_video_device(struct uvc_device *dev, --=20 2.43.0.rc1.413.gea7ed67945-goog From nobody Mon Dec 29 23:46:01 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03D37C61DA7 for ; Wed, 22 Nov 2023 10:19:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343838AbjKVKT6 (ORCPT ); Wed, 22 Nov 2023 05:19:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235315AbjKVKTv (ORCPT ); Wed, 22 Nov 2023 05:19:51 -0500 Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 10043191 for ; Wed, 22 Nov 2023 02:19:48 -0800 (PST) Received: by mail-qv1-xf35.google.com with SMTP id 6a1803df08f44-67089696545so25602776d6.0 for ; Wed, 22 Nov 2023 02:19:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1700648387; x=1701253187; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=1y6RZGZZzUKyI0AjxKgp4LZORspR1wFnVoan2A/smok=; b=I/HjlToif65LhLdRS0B35L26u++dsWGjxAPPjcZLEAt73+yV3xFpJT+RYKw4jVJGKG w4ETGigoJAzffKSJHdz9fRJu8RmOnM7lGYXdF77FOTkhYnWJn99BXbMbtsvb1pvetZ5L MZLpbBxEdhwhW7x0ihj5geRP3EpukcCF9E400= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700648387; x=1701253187; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1y6RZGZZzUKyI0AjxKgp4LZORspR1wFnVoan2A/smok=; b=cvwaLGRwgIezbO6lVKaWQKx6cLT4XvQWm1Q1I/pCxOwvDA6Tu+hE8vZWOxtOKsHMK9 1Sx+rMqTDIUS73pmRWRVFkniR+Qsmgs6oUZm1Qhc72lcuW07dVipClT9K9CEM/WiDfNd TkRScTCobZueeOx/+Uj0WnJioTpDfgQI753bkLx1jlXx95xOy/JELQJIBXyTtOYaMlVl j/5xsYVq0u/D+CoSatgoj5Ycpqd3n98YrDcWGMRaBTKxMwgj1DBHIJBdjj4/m2vZgOoX 7a3yy80r+7UnVkxQHnYpBaCVxOPMJbc7w5Gzil6wAzvYl7+T3ul1yBhDZ6XPfj92TsZb 70Vw== X-Gm-Message-State: AOJu0YxkDhjYDG6HMRFaF/3ONFZZk1C9RRLofDPkNuP8b8NSM6CouTlm qfHzqmZRIIERevrEqmGU9a6zwA== X-Google-Smtp-Source: AGHT+IFEsCJ45XVX1lArkw/YPBxax3uJbusPHME8iW0AJ3NFgR82vx54nuQtKxpCgoZhDZ7EzAQl9g== X-Received: by 2002:ad4:5e86:0:b0:672:118e:e368 with SMTP id jl6-20020ad45e86000000b00672118ee368mr2089387qvb.24.1700648387220; Wed, 22 Nov 2023 02:19:47 -0800 (PST) Received: from denia.c.googlers.com (228.221.150.34.bc.googleusercontent.com. [34.150.221.228]) by smtp.gmail.com with ESMTPSA id di6-20020ad458e6000000b0066d1d2242desm4739352qvb.120.2023.11.22.02.19.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:19:46 -0800 (PST) From: Ricardo Ribalda Date: Wed, 22 Nov 2023 10:19:35 +0000 Subject: [PATCH v4 2/3] media: uvcvideo: Always use uvc_status_stop() MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20231122-guenter-mini-v4-2-3d94e1e34dc1@chromium.org> References: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> In-Reply-To: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> To: Mauro Carvalho Chehab Cc: Guenter Roeck , Tomasz Figa , Laurent Pinchart , Alan Stern , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul , Ricardo Ribalda , Sakari Ailus , Sakari Ailus X-Mailer: b4 0.12.3 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The only thread safe way to stop the status handler is with uvc_status. Let's remove all the code paths partially stopping uvc_status. Reviewed-by: Sakari Ailus Signed-off-by: Ricardo Ribalda --- drivers/media/usb/uvc/uvc_ctrl.c | 4 ---- drivers/media/usb/uvc/uvc_status.c | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_c= trl.c index e59a463c2761..8e22a07e3e7b 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -2765,10 +2765,6 @@ void uvc_ctrl_cleanup_device(struct uvc_device *dev) struct uvc_entity *entity; unsigned int i; =20 - /* Can be uninitialized if we are aborting on probe error. */ - if (dev->async_ctrl.work.func) - cancel_work_sync(&dev->async_ctrl.work); - /* Free controls and control mappings for all entities. */ list_for_each_entry(entity, &dev->entities, list) { for (i =3D 0; i < entity->ncontrols; ++i) { diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc= _status.c index a78a88c710e2..0208612a9f12 100644 --- a/drivers/media/usb/uvc/uvc_status.c +++ b/drivers/media/usb/uvc/uvc_status.c @@ -292,7 +292,7 @@ int uvc_status_init(struct uvc_device *dev) =20 void uvc_status_unregister(struct uvc_device *dev) { - usb_kill_urb(dev->int_urb); + uvc_status_stop(dev); uvc_input_unregister(dev); } =20 --=20 2.43.0.rc1.413.gea7ed67945-goog From nobody Mon Dec 29 23:46:01 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49EBDC61D9D for ; Wed, 22 Nov 2023 10:20:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343735AbjKVKUC (ORCPT ); Wed, 22 Nov 2023 05:20:02 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38002 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235271AbjKVKTx (ORCPT ); Wed, 22 Nov 2023 05:19:53 -0500 Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2860B91 for ; Wed, 22 Nov 2023 02:19:49 -0800 (PST) Received: by mail-qv1-xf36.google.com with SMTP id 6a1803df08f44-6705379b835so24303876d6.1 for ; Wed, 22 Nov 2023 02:19:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1700648388; x=1701253188; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=zcSnz+Cq458gO5KcUl518VSe/I/HM4THBDX1iPhbXu0=; b=eosc7BWlY3t6SpC4ba6ZKyR2i8BfXEqZnp3Pq7hq7mHoa3gefHM3JxvEawJnepJZLj jJo+LudlO27c0GktgqtF+kuGkMUHbVpj79p2Q2V3SXB7AV7NInsGRIX751NI2t+L71Y+ tfIh30YhWFp5mHjGRKmcOFpy7TZq5O1+KYPSA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700648388; x=1701253188; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zcSnz+Cq458gO5KcUl518VSe/I/HM4THBDX1iPhbXu0=; b=RtS7x7mbzA2i3etGC1kNATKOM5s8E38hHrhnCW2d4sYwG7iH0HXoQK2Wxofpn31saD 6kqLcFgI7IfqDxCVxMmc0mFWnyhjjB5GGgd0/j/8mrgsVPS9qFQWrhKSnL0Bwf/GY2uM ohW081OC82CtNemfURwRikvCKQFb9+PD+u27DRSn3hwZzP7Ca0AypkgJfpAPSHNKKqAL QI0GNwPVygGjGNB5ENowefCiF8K9PqD6giIn2kjC1NIP8PnNuMelp1sq06pL7wPvdH5p j1RECxKtkNXhua7NuqgYEY/kPc0LQ67YN6htQX72+FT73BuJaWtK53m5Eu2sxu5U34WX /5Jw== X-Gm-Message-State: AOJu0YzqE5n/sQ9v6bgrMxqEiLkkWygf+v0MllF7gfTbPSZtfPcPAYAO hlJ4RgSMe+xKusww6jgpVzprcw== X-Google-Smtp-Source: AGHT+IG1ql5Yo3ogWmJdOzQ74AC/uO3K/j8p3a33lIt+ZLaUQh5UXd2Km9Sf+UeohFhiDjYNr+7Lnw== X-Received: by 2002:ad4:5c68:0:b0:656:4712:af9f with SMTP id i8-20020ad45c68000000b006564712af9fmr2569070qvh.13.1700648388258; Wed, 22 Nov 2023 02:19:48 -0800 (PST) Received: from denia.c.googlers.com (228.221.150.34.bc.googleusercontent.com. [34.150.221.228]) by smtp.gmail.com with ESMTPSA id di6-20020ad458e6000000b0066d1d2242desm4739352qvb.120.2023.11.22.02.19.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 02:19:47 -0800 (PST) From: Ricardo Ribalda Date: Wed, 22 Nov 2023 10:19:36 +0000 Subject: [PATCH v4 3/3] media: uvcvideo: Do not use usb_* functions after .disconnect MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20231122-guenter-mini-v4-3-3d94e1e34dc1@chromium.org> References: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> In-Reply-To: <20231122-guenter-mini-v4-0-3d94e1e34dc1@chromium.org> To: Mauro Carvalho Chehab Cc: Guenter Roeck , Tomasz Figa , Laurent Pinchart , Alan Stern , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul , Ricardo Ribalda , Sakari Ailus X-Mailer: b4 0.12.3 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org usb drivers should not call to any I/O function after the .disconnect() callback has been triggered. https://www.kernel.org/doc/html/latest/driver-api/usb/callbacks.html#the-di= sconnect-callback If an application is receiving frames form a camera and the device is disconnected: the device will call close() after the usb .disconnect() callback has been called. The streamoff path will call usb_set_interface or usb_clear_halt, which is not allowed. This patch only solves the calls to close() *after* .disconnect() is being called. Trace: [ 1065.389723] drivers/media/usb/uvc/uvc_driver.c:2248 uvc_disconnect enter [ 1065.390160] drivers/media/usb/uvc/uvc_driver.c:2264 uvc_disconnect exit [ 1065.433956] drivers/media/usb/uvc/uvc_v4l2.c:659 uvc_v4l2_release enter [ 1065.433973] drivers/media/usb/uvc/uvc_video.c:2274 uvc_video_stop_stream= ing enter [ 1065.434560] drivers/media/usb/uvc/uvc_video.c:2285 uvc_video_stop_stream= ing exit [ 1065.435154] drivers/media/usb/uvc/uvc_v4l2.c:680 uvc_v4l2_release exit [ 1065.435188] drivers/media/usb/uvc/uvc_driver.c:2248 uvc_disconnect enter Signed-off-by: Ricardo Ribalda --- drivers/media/usb/uvc/uvc_driver.c | 4 +++- drivers/media/usb/uvc/uvc_status.c | 8 +++---- drivers/media/usb/uvc/uvc_v4l2.c | 2 +- drivers/media/usb/uvc/uvc_video.c | 45 ++++++++++++++++++++++++----------= ---- drivers/media/usb/uvc/uvcvideo.h | 4 +++- 5 files changed, 39 insertions(+), 24 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc= _driver.c index ded2cb6ce14f..d78640d422f4 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -2266,6 +2266,8 @@ static void uvc_disconnect(struct usb_interface *intf) return; =20 uvc_unregister_video(dev); + /* Barrier needed to pair with uvc_video_stop_streaming(). */ + smp_store_release(&dev->disconnected, true); kref_put(&dev->ref, uvc_delete); } =20 @@ -2282,7 +2284,7 @@ static int uvc_suspend(struct usb_interface *intf, pm= _message_t message) UVC_SC_VIDEOCONTROL) { mutex_lock(&dev->lock); if (dev->users) - uvc_status_stop(dev); + uvc_status_stop(dev, true); mutex_unlock(&dev->lock); return 0; } diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc= _status.c index 0208612a9f12..9c5da1244999 100644 --- a/drivers/media/usb/uvc/uvc_status.c +++ b/drivers/media/usb/uvc/uvc_status.c @@ -292,7 +292,7 @@ int uvc_status_init(struct uvc_device *dev) =20 void uvc_status_unregister(struct uvc_device *dev) { - uvc_status_stop(dev); + uvc_status_stop(dev, false); uvc_input_unregister(dev); } =20 @@ -310,7 +310,7 @@ int uvc_status_start(struct uvc_device *dev, gfp_t flag= s) return usb_submit_urb(dev->int_urb, flags); } =20 -void uvc_status_stop(struct uvc_device *dev) +void uvc_status_stop(struct uvc_device *dev, bool run_async_work) { struct uvc_ctrl_work *w =3D &dev->async_ctrl; =20 @@ -326,7 +326,7 @@ void uvc_status_stop(struct uvc_device *dev) * Cancel any pending asynchronous work. If any status event was queued, * process it synchronously. */ - if (cancel_work_sync(&w->work)) + if (cancel_work_sync(&w->work) && run_async_work) uvc_ctrl_status_event(w->chain, w->ctrl, w->data); =20 /* Kill the urb. */ @@ -338,7 +338,7 @@ void uvc_status_stop(struct uvc_device *dev) * cancelled before returning or it could then race with a future * uvc_status_start() call. */ - if (cancel_work_sync(&w->work)) + if (cancel_work_sync(&w->work) && run_async_work) uvc_ctrl_status_event(w->chain, w->ctrl, w->data); =20 /* diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v= 4l2.c index f4988f03640a..f90206263ff4 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -672,7 +672,7 @@ static int uvc_v4l2_release(struct file *file) =20 mutex_lock(&stream->dev->lock); if (--stream->dev->users =3D=3D 0) - uvc_status_stop(stream->dev); + uvc_status_stop(stream->dev, false); mutex_unlock(&stream->dev->lock); =20 usb_autopm_put_interface(stream->dev->intf); diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_= video.c index 28dde08ec6c5..f5ef375088de 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -2243,28 +2243,39 @@ int uvc_video_start_streaming(struct uvc_streaming = *stream) return ret; } =20 -void uvc_video_stop_streaming(struct uvc_streaming *stream) +static void uvc_video_halt(struct uvc_streaming *stream) { - uvc_video_stop_transfer(stream, 1); + unsigned int epnum; + unsigned int pipe; + unsigned int dir; =20 if (stream->intf->num_altsetting > 1) { usb_set_interface(stream->dev->udev, stream->intfnum, 0); - } else { - /* - * UVC doesn't specify how to inform a bulk-based device - * when the video stream is stopped. Windows sends a - * CLEAR_FEATURE(HALT) request to the video streaming - * bulk endpoint, mimic the same behaviour. - */ - unsigned int epnum =3D stream->header.bEndpointAddress - & USB_ENDPOINT_NUMBER_MASK; - unsigned int dir =3D stream->header.bEndpointAddress - & USB_ENDPOINT_DIR_MASK; - unsigned int pipe; - - pipe =3D usb_sndbulkpipe(stream->dev->udev, epnum) | dir; - usb_clear_halt(stream->dev->udev, pipe); + return; } =20 + /* + * UVC doesn't specify how to inform a bulk-based device + * when the video stream is stopped. Windows sends a + * CLEAR_FEATURE(HALT) request to the video streaming + * bulk endpoint, mimic the same behaviour. + */ + epnum =3D stream->header.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; + dir =3D stream->header.bEndpointAddress & USB_ENDPOINT_DIR_MASK; + pipe =3D usb_sndbulkpipe(stream->dev->udev, epnum) | dir; + usb_clear_halt(stream->dev->udev, pipe); +} + +void uvc_video_stop_streaming(struct uvc_streaming *stream) +{ + uvc_video_stop_transfer(stream, 1); + + /* + * Barrier needed to pair with uvc_disconnect(). + * We cannot call usb_* functions on a disconnected USB device. + */ + if (!smp_load_acquire(&stream->dev->disconnected)) + uvc_video_halt(stream); + uvc_video_clock_cleanup(stream); } diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvi= deo.h index 6fb0a78b1b00..5b1a3643de05 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -559,6 +559,8 @@ struct uvc_device { unsigned int users; atomic_t nmappings; =20 + bool disconnected; + /* Video control interface */ #ifdef CONFIG_MEDIA_CONTROLLER struct media_device mdev; @@ -745,7 +747,7 @@ int uvc_status_init(struct uvc_device *dev); void uvc_status_unregister(struct uvc_device *dev); void uvc_status_cleanup(struct uvc_device *dev); int uvc_status_start(struct uvc_device *dev, gfp_t flags); -void uvc_status_stop(struct uvc_device *dev); +void uvc_status_stop(struct uvc_device *dev, bool run_async_work); =20 /* Controls */ extern const struct uvc_control_mapping uvc_ctrl_power_line_mapping_limite= d; --=20 2.43.0.rc1.413.gea7ed67945-goog