From patchwork Wed Nov 22 11:45:47 2023
X-Patchwork-Submitter: Ricardo Ribalda
X-Patchwork-Id: 746321
From: Ricardo Ribalda
Date: Wed, 22 Nov 2023 11:45:47 +0000
Subject: [PATCH v5 1/3] media: uvcvideo: Lock video streams and queues while unregistering
X-Mailing-List: linux-media@vger.kernel.org
Message-Id: <20231122-guenter-mini-v5-1-15d8cd8ed74f@chromium.org>
References: <20231122-guenter-mini-v5-0-15d8cd8ed74f@chromium.org>
In-Reply-To: <20231122-guenter-mini-v5-0-15d8cd8ed74f@chromium.org>
To: Mauro Carvalho Chehab
Cc: Guenter Roeck, Tomasz Figa, Laurent Pinchart, Alan Stern, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul, Ricardo Ribalda, Sakari Ailus, Sergey Senozhatsky

From: Guenter Roeck

The call to uvc_disconnect() is not protected by any mutex. This means it can and will be called while other accesses to the video device are in progress. This can cause all kinds of race conditions, including crashes such as the following.

usb 1-4: USB disconnect, device number 3
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 5633 Comm: V4L2CaptureThre Not tainted 4.19.113-08536-g5d29ca36db06 #1
Hardware name: GOOGLE Edgar, BIOS Google_Edgar.7287.167.156 03/25/2019
RIP: 0010:usb_ifnum_to_if+0x29/0x40
Code: <...>
RSP: 0018:ffffa46f42a47a80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff904a396c9000
RDX: ffff904a39641320 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffa46f42a47a80 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000009975 R11: 0000000000000009 R12: 0000000000000000
R13: ffff904a396b3800 R14: ffff904a39e88000 R15: 0000000000000000
FS: 00007f396448e700(0000) GS:ffff904a3ba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000016cb46000 CR4: 00000000001006f0
Call Trace:
 usb_hcd_alloc_bandwidth+0x1ee/0x30f
 usb_set_interface+0x1a3/0x2b7
 uvc_video_start_transfer+0x29b/0x4b8 [uvcvideo]
 uvc_video_start_streaming+0x91/0xdd [uvcvideo]
 uvc_start_streaming+0x28/0x5d [uvcvideo]
 vb2_start_streaming+0x61/0x143 [videobuf2_common]
 vb2_core_streamon+0xf7/0x10f [videobuf2_common]
 uvc_queue_streamon+0x2e/0x41 [uvcvideo]
 uvc_ioctl_streamon+0x42/0x5c [uvcvideo]
 __video_do_ioctl+0x33d/0x42a
 video_usercopy+0x34e/0x5ff
 ? video_ioctl2+0x16/0x16
 v4l2_ioctl+0x46/0x53
 do_vfs_ioctl+0x50a/0x76f
 ksys_ioctl+0x58/0x83
 __x64_sys_ioctl+0x1a/0x1e
 do_syscall_64+0x54/0xde

usb_set_interface() should not be called after the USB device has been unregistered. However, in the above case the disconnect happened after v4l2_ioctl() was called, but before the call to usb_ifnum_to_if().

Acquire various mutexes in uvc_unregister_video() to fix the majority (maybe all) of the observed race conditions.

The uvc_device lock prevents races against suspend and resume calls and the poll function.

The uvc_streaming lock prevents races against stream related functions; for the most part, those are ioctls. This lock also requires other functions using this lock to check if a video device is still registered after acquiring it. For example, it was observed that the video device was already unregistered by the time the stream lock was acquired in uvc_ioctl_streamon().

The uvc_queue lock prevents races against queue functions. Most of those are already protected by the uvc_streaming lock, but some are called directly. This is done as added protection; an actual race was not (yet) observed.

Cc: Laurent Pinchart
Cc: Alan Stern
Cc: Hans Verkuil
Reviewed-by: Tomasz Figa
Reviewed-by: Sean Paul
Signed-off-by: Guenter Roeck
Reviewed-by: Sergey Senozhatsky
Signed-off-by: Ricardo Ribalda
--- drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 08fcd2ffa727..ded2cb6ce14f 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1907,14 +1907,22 @@ static void uvc_unregister_video(struct uvc_device *dev) { struct uvc_streaming *stream; + mutex_lock(&dev->lock); + list_for_each_entry(stream, &dev->streams, list) { if (!video_is_registered(&stream->vdev)) continue; + mutex_lock(&stream->mutex); + mutex_lock(&stream->queue.mutex); + video_unregister_device(&stream->vdev); video_unregister_device(&stream->meta.vdev); uvc_debugfs_cleanup_stream(stream); + + mutex_unlock(&stream->queue.mutex); + mutex_unlock(&stream->mutex); } uvc_status_unregister(dev); 
@@ -1925,6 +1933,7 @@ static void uvc_unregister_video(struct uvc_device *dev) if (media_devnode_is_registered(dev->mdev.devnode)) media_device_unregister(&dev->mdev); #endif + mutex_unlock(&dev->lock); } int uvc_register_video_device(struct uvc_device *dev,

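Review bot: In the uvc_unregister_video() hunk at @@ -1907, the new nesting of dev->lock, then stream->mutex, then stream->queue.mutex establishes a lock order that nothing in the code documents; add a comment above the first mutex_lock() stating the order so that any other path taking two of these locks can be checked against it. The commit message also says that users of the stream lock must check whether the video device is still registered after acquiring it, but the diffstat shows only these nine insertions in uvc_driver.c, so the patch should either add those video_is_registered() checks (for example in the uvc_ioctl_streamon() path it names) or say where they already are.
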
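Review bot: In the @@ -1925 hunk of uvc_unregister_video(), mutex_unlock(&dev->lock) sits after the #endif at the very end of the function, so dev->lock is held across uvc_status_unregister(dev) and media_device_unregister(&dev->mdev) as well as the stream loop. If either callee, or anything it waits for, takes dev->lock, this will deadlock; either drop the lock right after the list_for_each_entry() loop or add a comment saying why the status and media unregistration must run under it.
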
From: Ricardo Ribalda
Date: Wed, 22 Nov 2023 11:45:49 +0000
Subject: [PATCH v5 3/3] media: uvcvideo: Do not use usb_* functions after .disconnect
X-Mailing-List: linux-media@vger.kernel.org
Message-Id: <20231122-guenter-mini-v5-3-15d8cd8ed74f@chromium.org>
References: <20231122-guenter-mini-v5-0-15d8cd8ed74f@chromium.org>
In-Reply-To: <20231122-guenter-mini-v5-0-15d8cd8ed74f@chromium.org>
To: Mauro Carvalho Chehab
Cc: Guenter Roeck, Tomasz Figa, Laurent Pinchart, Alan Stern, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Paul, Ricardo Ribalda, Sakari Ailus

USB drivers should not call any I/O function after the .disconnect() callback has been triggered.
https://www.kernel.org/doc/html/latest/driver-api/usb/callbacks.html#the-disconnect-callback

If an application is receiving frames from a camera and the device is disconnected: the device will call close() after the usb .disconnect() callback has been called. The streamoff path will call usb_set_interface or usb_clear_halt, which is not allowed.

This patch only solves the calls to close() *after* .disconnect() is being called.

Trace:
[ 1065.389723] drivers/media/usb/uvc/uvc_driver.c:2248 uvc_disconnect enter
[ 1065.390160] drivers/media/usb/uvc/uvc_driver.c:2264 uvc_disconnect exit
[ 1065.433956] drivers/media/usb/uvc/uvc_v4l2.c:659 uvc_v4l2_release enter
[ 1065.433973] drivers/media/usb/uvc/uvc_video.c:2274 uvc_video_stop_streaming enter
[ 1065.434560] drivers/media/usb/uvc/uvc_video.c:2285 uvc_video_stop_streaming exit
[ 1065.435154] drivers/media/usb/uvc/uvc_v4l2.c:680 uvc_v4l2_release exit
[ 1065.435188] drivers/media/usb/uvc/uvc_driver.c:2248 uvc_disconnect enter

Signed-off-by: Ricardo Ribalda --- drivers/media/usb/uvc/uvc_driver.c | 2 ++ drivers/media/usb/uvc/uvc_video.c | 45 ++++++++++++++++++++++++-------------- drivers/media/usb/uvc/uvcvideo.h | 2 ++ 3 files changed, 32 insertions(+), 17 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index d5dbf2644272..d78640d422f4 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -2266,6 +2266,8 @@ static void uvc_disconnect(struct usb_interface *intf) return; uvc_unregister_video(dev); + /* Barrier needed to pair with uvc_video_stop_streaming(). */ + smp_store_release(&dev->disconnected, true); kref_put(&dev->ref, uvc_delete); } diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index 28dde08ec6c5..f5ef375088de 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c 
@@ -2243,28 +2243,39 @@ int uvc_video_start_streaming(struct uvc_streaming *stream) return ret; } -void uvc_video_stop_streaming(struct uvc_streaming *stream) +static void uvc_video_halt(struct uvc_streaming *stream) { - uvc_video_stop_transfer(stream, 1); + unsigned int epnum; + unsigned int pipe; + unsigned int dir; if (stream->intf->num_altsetting > 1) { usb_set_interface(stream->dev->udev, stream->intfnum, 0); - } else { - /* - * UVC doesn't specify how to inform a bulk-based device - * when the video stream is stopped. Windows sends a - * CLEAR_FEATURE(HALT) request to the video streaming - * bulk endpoint, mimic the same behaviour. - */ - unsigned int epnum = stream->header.bEndpointAddress - & USB_ENDPOINT_NUMBER_MASK; - unsigned int dir = stream->header.bEndpointAddress - & USB_ENDPOINT_DIR_MASK; - unsigned int pipe; - - pipe = usb_sndbulkpipe(stream->dev->udev, epnum) | dir; - usb_clear_halt(stream->dev->udev, pipe); + return; } + /* + * UVC doesn't specify how to inform a bulk-based device + * when the video stream is stopped. Windows sends a + * CLEAR_FEATURE(HALT) request to the video streaming + * bulk endpoint, mimic the same behaviour. + */ + epnum = stream->header.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; + dir = stream->header.bEndpointAddress & USB_ENDPOINT_DIR_MASK; + pipe = usb_sndbulkpipe(stream->dev->udev, epnum) | dir; + usb_clear_halt(stream->dev->udev, pipe); +} + +void uvc_video_stop_streaming(struct uvc_streaming *stream) +{ + uvc_video_stop_transfer(stream, 1); + + /* + * Barrier needed to pair with uvc_disconnect(). + * We cannot call usb_* functions on a disconnected USB device. + */ + if (!smp_load_acquire(&stream->dev->disconnected)) + uvc_video_halt(stream); + uvc_video_clock_cleanup(stream); } diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index ba8f8c1f2c83..5b1a3643de05 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h 
@@ -559,6 +559,8 @@ struct uvc_device { unsigned int users; atomic_t nmappings; + bool disconnected; + /* Video control interface */ #ifdef CONFIG_MEDIA_CONTROLLER struct media_device mdev;
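
Review bot: In the uvc_disconnect() hunk of uvc_driver.c, smp_store_release(&dev->disconnected, true) comes after uvc_unregister_video(dev), so a uvc_video_stop_streaming() that runs while unregistration is still in progress reads false and still reaches usb_set_interface() or usb_clear_halt(). The commit message says only close() after .disconnect() is handled; consider setting the flag before uvc_unregister_video(dev), or extend the comment to state that the concurrent case is deliberately left open.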
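
Review bot: In the new uvc_video_stop_streaming() in uvc_video.c, the smp_load_acquire() test and the call to uvc_video_halt() are not covered by any lock, so uvc_disconnect() can set the flag between the test and the usb_* call inside uvc_video_halt(); the check narrows the window but does not close it. The comment "Barrier needed to pair with uvc_disconnect()" should also say which earlier stores the acquire/release pair is meant to order, since the flag itself is the only data visibly exchanged; if there are none, READ_ONCE()/WRITE_ONCE() would state the intent more plainly.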
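
Review bot: The new bool disconnected member added to struct uvc_device in uvcvideo.h has no comment, and it sits between nmappings and the "Video control interface" block with nothing saying how it may be accessed. Add a one-line comment that it is set once in uvc_disconnect() with smp_store_release() and must be read with smp_load_acquire(), so later users do not treat it as a plain field.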