From: Sergey Senozhatsky <senozhatsky@chromium.org>
To: Ricardo Ribalda <ribalda@chromium.org>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
Guenter Roeck <linux@roeck-us.net>,
Tomasz Figa <tfiga@chromium.org>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Alan Stern <stern@rowland.harvard.edu>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
Sean Paul <seanpaul@chromium.org>,
Sakari Ailus <sakari.ailus@linux.intel.com>
Subject: Re: [PATCH v3 3/3] media: uvcvideo: Lock video streams and queues while unregistering
Date: Wed, 22 Nov 2023 17:22:57 +0900 [thread overview]
Message-ID: <20231122082257.GB1526356@google.com> (raw)
In-Reply-To: <20231121-guenter-mini-v3-3-d8a5eae2312b@chromium.org>
On (23/11/21 19:53), Ricardo Ribalda wrote:
> The call to uvc_disconnect() is not protected by any mutex.
> This means it can and will be called while other accesses to the video
> device are in progress. This can cause all kinds of race conditions,
> including crashes such as the following.
>
[..]
>
> Call Trace:
> usb_hcd_alloc_bandwidth+0x1ee/0x30f
> usb_set_interface+0x1a3/0x2b7
> uvc_video_start_transfer+0x29b/0x4b8 [uvcvideo]
> uvc_video_start_streaming+0x91/0xdd [uvcvideo]
> uvc_start_streaming+0x28/0x5d [uvcvideo]
> vb2_start_streaming+0x61/0x143 [videobuf2_common]
> vb2_core_streamon+0xf7/0x10f [videobuf2_common]
> uvc_queue_streamon+0x2e/0x41 [uvcvideo]
> uvc_ioctl_streamon+0x42/0x5c [uvcvideo]
> __video_do_ioctl+0x33d/0x42a
> video_usercopy+0x34e/0x5ff
> ? video_ioctl2+0x16/0x16
> v4l2_ioctl+0x46/0x53
> do_vfs_ioctl+0x50a/0x76f
> ksys_ioctl+0x58/0x83
> __x64_sys_ioctl+0x1a/0x1e
> do_syscall_64+0x54/0xde
>
> usb_set_interface() should not be called after the USB device has been
> unregistered. However, in the above case the disconnect happened after
> v4l2_ioctl() was called, but before the call to usb_ifnum_to_if().
>
> Acquire various mutexes in uvc_unregister_video() to fix the majority
> (maybe all) of the observed race conditions.
>
> The uvc_device lock prevents races against suspend and resume calls
> and the poll function.
>
> The uvc_streaming lock prevents races against stream related functions;
> for the most part, those are ioctls. This lock also requires other
> functions using this lock to check if a video device is still registered
> after acquiring it. For example, it was observed that the video device
> was already unregistered by the time the stream lock was acquired in
> uvc_ioctl_streamon().
>
> The uvc_queue lock prevents races against queue functions, Most of
> those are already protected by the uvc_streaming lock, but some
> are called directly. This is done as added protection; an actual race
> was not (yet) observed.
>
> Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Cc: Alan Stern <stern@rowland.harvard.edu>
> Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>
> Reviewed-by: Tomasz Figa <tfiga@chromium.org>
> Reviewed-by: Sean Paul <seanpaul@chromium.org>
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
next prev parent reply other threads:[~2023-11-22 8:23 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-21 19:53 [PATCH v3 0/3] uvcvideo: Attempt N to land UVC race conditions fixes Ricardo Ribalda
2023-11-21 19:53 ` [PATCH v3 1/3] media: uvcvideo: Always use uvc_status_stop() Ricardo Ribalda
2023-11-22 7:21 ` Sergey Senozhatsky
2023-11-22 7:35 ` Ricardo Ribalda
2023-11-22 9:53 ` Ricardo Ribalda
2023-11-22 9:58 ` Sakari Ailus
2023-11-22 10:33 ` Ricardo Ribalda
2023-11-21 19:53 ` [PATCH v3 2/3] media: uvcvideo: Do not halt the device after disconnect Ricardo Ribalda
2023-11-22 7:47 ` Sergey Senozhatsky
2023-11-22 8:01 ` Sergey Senozhatsky
2023-11-22 9:55 ` Ricardo Ribalda
2023-11-22 10:25 ` Sakari Ailus
2023-11-22 10:32 ` Ricardo Ribalda
2023-11-22 11:03 ` Sakari Ailus
2023-11-22 11:35 ` Ricardo Ribalda
2023-11-21 19:53 ` [PATCH v3 3/3] media: uvcvideo: Lock video streams and queues while unregistering Ricardo Ribalda
2023-11-22 8:22 ` Sergey Senozhatsky [this message]
2023-11-22 10:21 ` Sakari Ailus
2023-11-22 13:14 ` Laurent Pinchart
2023-11-22 13:59 ` Ricardo Ribalda
2023-11-22 14:04 ` Laurent Pinchart
2023-11-22 14:23 ` Ricardo Ribalda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231122082257.GB1526356@google.com \
--to=senozhatsky@chromium.org \
--cc=hverkuil-cisco@xs4all.nl \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=mchehab@kernel.org \
--cc=ribalda@chromium.org \
--cc=sakari.ailus@linux.intel.com \
--cc=seanpaul@chromium.org \
--cc=stern@rowland.harvard.edu \
--cc=tfiga@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.