From: Ricardo Ribalda
Date: Wed, 27 Nov 2024 07:46:10 +0000
Subject: [PATCH 1/2] media: uvcvideo: Do not set an async control owned by other fh
Message-Id: <20241127-uvc-fix-async-v1-1-eb8722531b8c@chromium.org>
References: <20241127-uvc-fix-async-v1-0-eb8722531b8c@chromium.org>
In-Reply-To: <20241127-uvc-fix-async-v1-0-eb8722531b8c@chromium.org>
To: Laurent Pinchart, Hans de Goede, Mauro Carvalho Chehab, Guennadi Liakhovetski
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Ricardo Ribalda, stable@vger.kernel.org

If a file handle is waiting for a response from an async control, avoid that other file handle operate with it.

Without this patch, the first file handle will never get the event associated to that operation.

Cc: stable@vger.kernel.org
Fixes: e5225c820c05 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
Signed-off-by: Ricardo Ribalda

--- drivers/media/usb/uvc/uvc_ctrl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_c= trl.c index 4fe26e82e3d1..5d3a28edf7f0 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c 
@@ -1950,6 +1950,10 @@ int uvc_ctrl_set(struct uvc_fh *handle, if (!(ctrl->info.flags & UVC_CTRL_FLAG_SET_CUR)) return -EACCES; =20 + /* Other file handle is waiting a response from this async control. */ + if (ctrl->handle && ctrl->handle !=3D handle) + return -EBUSY; + /* Clamp out of range values. */ switch (mapping->v4l2_type) { case V4L2_CTRL_TYPE_INTEGER: --=20 2.47.0.338.g60cca15819-goog

From: Ricardo Ribalda
Date: Wed, 27 Nov 2024 07:46:11 +0000
Subject: [PATCH 2/2] media: uvcvideo: Remove dangling pointers
Message-Id: <20241127-uvc-fix-async-v1-2-eb8722531b8c@chromium.org>
References: <20241127-uvc-fix-async-v1-0-eb8722531b8c@chromium.org>
In-Reply-To: <20241127-uvc-fix-async-v1-0-eb8722531b8c@chromium.org>
To: Laurent Pinchart, Hans de Goede, Mauro Carvalho Chehab, Guennadi Liakhovetski
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Ricardo Ribalda, stable@vger.kernel.org

When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future.

If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use.

Clean all the dangling pointers during release().

To avoid adding a performance penalty in the most common case (no async operation). A counter has been introduced with some logic to make sure that it is properly handled.

Cc: stable@vger.kernel.org
Fixes: e5225c820c05 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
Signed-off-by: Ricardo Ribalda

--- drivers/media/usb/uvc/uvc_ctrl.c | 40 ++++++++++++++++++++++++++++++++++++= ++-- drivers/media/usb/uvc/uvc_v4l2.c | 2 ++ drivers/media/usb/uvc/uvcvideo.h | 3 +++ 3 files changed, 43 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_c= trl.c index 5d3a28edf7f0..51a53ad25e9c 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c 
@@ -1589,7 +1589,12 @@ void uvc_ctrl_status_event(struct uvc_video_chain *c= hain, mutex_lock(&chain->ctrl_mutex); =20 handle =3D ctrl->handle; - ctrl->handle =3D NULL; + if (handle) { + ctrl->handle =3D NULL; + WARN_ON(!handle->pending_async_ctrls); + if (handle->pending_async_ctrls) + handle->pending_async_ctrls--; + } =20 list_for_each_entry(mapping, &ctrl->info.mappings, list) { s32 value =3D __uvc_ctrl_get_value(mapping, data); @@ -2050,8 +2055,11 @@ int uvc_ctrl_set(struct uvc_fh *handle, mapping->set(mapping, value, uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT)); =20 - if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS) + if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS) { + if (!ctrl->handle) + handle->pending_async_ctrls++; ctrl->handle =3D handle; + } =20 ctrl->dirty =3D 1; ctrl->modified =3D 1; @@ -2774,6 +2782,34 @@ int uvc_ctrl_init_device(struct uvc_device *dev) return 0; } =20 +void uvc_ctrl_cleanup_fh(struct uvc_fh *handle) +{ + struct uvc_entity *entity; + + guard(mutex)(&handle->chain->ctrl_mutex); + + if (!handle->pending_async_ctrls) + return; + + list_for_each_entry(entity, &handle->chain->dev->entities, list) { + int i; + + for (i =3D 0; i < entity->ncontrols; ++i) { + struct uvc_control *ctrl =3D &entity->controls[i]; + + if (!ctrl->handle || ctrl->handle !=3D handle) + continue; + + ctrl->handle =3D NULL; + if (WARN_ON(!handle->pending_async_ctrls)) + continue; + handle->pending_async_ctrls--; + } + } + + WARN_ON(handle->pending_async_ctrls); +} + /* * Cleanup device controls. */ diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v= 4l2.c index 97c5407f6603..b425306a3b8c 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c 
@@ -652,6 +652,8 @@ static int uvc_v4l2_release(struct file *file) =20 uvc_dbg(stream->dev, CALLS, "%s\n", __func__); =20 + uvc_ctrl_cleanup_fh(handle); + /* Only free resources if this is a privileged handle. */ if (uvc_has_privileges(handle)) uvc_queue_release(&stream->queue); diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvi= deo.h index 07f9921d83f2..2f8a9c48e32a 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -612,6 +612,7 @@ struct uvc_fh { struct uvc_video_chain *chain; struct uvc_streaming *stream; enum uvc_handle_state state; + unsigned int pending_async_ctrls; /* Protected by ctrl_mutex. */ }; =20 struct uvc_driver { @@ -797,6 +798,8 @@ int uvc_ctrl_is_accessible(struct uvc_video_chain *chai= n, u32 v4l2_id, int uvc_xu_ctrl_query(struct uvc_video_chain *chain, struct uvc_xu_control_query *xqry); =20 +void uvc_ctrl_cleanup_fh(struct uvc_fh *handle); + /* Utility functions */ struct usb_host_endpoint *uvc_find_endpoint(struct usb_host_interface *alt= s, u8 epaddr); --=20 2.47.0.338.g60cca15819-goog
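
Review bot: In [PATCH 1/2], the new -EBUSY check in uvc_ctrl_set() (hunk @@ -1950) leaves a control unusable for every other file handle for as long as `ctrl->handle` stays set, and before [PATCH 2/2] the only place shown clearing it is uvc_ctrl_status_event(). If the owning handle is closed before the device reports completion, or the device never reports it, other handles keep getting -EBUSY and the comparison is made against a stale pointer. Since both patches are Cc: stable, consider putting the release() cleanup first in the series, or state in the commit message that 1/2 must not be picked without 2/2. The added comment would also read better as "waiting for a response".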
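
Review bot: In [PATCH 2/2], the uvc_ctrl_status_event() hunk (@@ -1589) tests `handle->pending_async_ctrls` twice, once in `WARN_ON(!handle->pending_async_ctrls)` and again in the `if` that follows. uvc_ctrl_cleanup_fh() in the same patch uses the return value of WARN_ON() for the same underflow guard. Using one form in both places, or a small helper that clears `ctrl->handle` and decrements the counter together, would keep the pointer and the counter from drifting apart in later edits.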
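
Review bot: In [PATCH 2/2], the uvc_ctrl_set() hunk (@@ -2050) increments the counter only when `ctrl->handle` is NULL and then assigns `ctrl->handle = handle` unconditionally, so if the control were owned by a different handle the previous owner's `pending_async_ctrls` would never be decremented. That case is excluded only by the -EBUSY check from [PATCH 1/2], which sits about a hundred lines earlier in the function. A short comment here stating that `ctrl->handle` is either NULL or `handle` at this point, or a WARN_ON() for the other case, would make the counter's invariant checkable in place.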
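
Review bot: In [PATCH 2/2], uvc_ctrl_cleanup_fh() (hunk @@ -2774) takes `handle->chain->ctrl_mutex` but walks `handle->chain->dev->entities`, so `ctrl->handle` is read for controls of every entity on the device while only this chain's mutex is held. If a device can have more than one chain, either restrict the walk to the entities of `handle->chain` or explain in a comment why the reads outside that chain are safe. Separately, `!ctrl->handle || ctrl->handle != handle` reduces to `ctrl->handle != handle` because `handle` is already dereferenced above, and the function has no comment saying it must run from release() before the handle is freed.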