Back in 2020 Guenter published a set of patches to fix some race
conditions in UVC:
https://lore.kernel.org/all/[email protected]/
That kind of race conditions are not only seen in UVC, but are a common
seen in almost all the kernel, so this is what it was decided back then
that we should try to fix them at higher levels.
After that. A lot of video_is_registered() were added to the core:
```
ribalda@alco:~/work/linux$ git grep is_registered drivers/media/v4l2-core/
drivers/media/v4l2-core/v4l2-compat-ioctl32.c: if (!video_is_registered(vdev))
drivers/media/v4l2-core/v4l2-dev.c: if (video_is_registered(vdev))
drivers/media/v4l2-core/v4l2-dev.c: if (video_is_registered(vdev))
drivers/media/v4l2-core/v4l2-dev.c: if (video_is_registered(vdev)) {
drivers/media/v4l2-core/v4l2-dev.c: if (video_is_registered(vdev))
drivers/media/v4l2-core/v4l2-dev.c: if (!video_is_registered(vdev))
drivers/media/v4l2-core/v4l2-dev.c: if (video_is_registered(vdev))
drivers/media/v4l2-core/v4l2-dev.c: if (vdev == NULL || !video_is_registered(vdev)) {
drivers/media/v4l2-core/v4l2-dev.c: if (video_is_registered(vdev))
drivers/media/v4l2-core/v4l2-dev.c: if (!vdev || !video_is_registered(vdev))
drivers/media/v4l2-core/v4l2-ioctl.c: if (!video_is_registered(vfd)) {
drivers/media/v4l2-core/v4l2-subdev.c: if (video_is_registered(vdev)) {
```
And recently Sakari is trying to land:
https://lore.kernel.org/linux-media/[email protected]/
Which will make obsolete a lot off (all?) of the video_is_registered() checks in
Guenter's patches.
Besides those checks, there were some other valid races fixed in his
patches.
This patchset tries to fix the races still present in our code.
Thanks!
Signed-off-by: Ricardo Ribalda <[email protected]>
---
Changes in v5: Thanks Hans!
- Refactor unregister as vb2_video_unregister_device
- I have tested the first patch independently from the others, so it
could be merged in two steps if needed.
- Link to v4: https://lore.kernel.org/r/[email protected]
Changes in v4: Thanks Sergey and Guenter
- Fix typos
- Move location of mutex_init
- Split patch to make the suspend change explicit
- Link to v3: https://lore.kernel.org/r/[email protected]
Changes in v3: Thanks Hans!
- Stop streaming during uvc_unregister()
- Refactor the uvc_status code
- Link to v2: https://lore.kernel.org/r/[email protected]
Changes in v2:
- Actually send the series to the ML an not only to individuals.
- Link to v1: https://lore.kernel.org/r/[email protected]
---
Ricardo Ribalda (4):
media: uvcvideo: stop stream during unregister
media: uvcvideo: Refactor the status irq API
media: uvcvideo: Avoid race condition during unregister
media: uvcvideo: Exit early if there is not int_urb
drivers/media/usb/uvc/uvc_driver.c | 45 +++++++++++++++++++--------
drivers/media/usb/uvc/uvc_status.c | 62 +++++++++++++++++++++++++++++++++++---
drivers/media/usb/uvc/uvc_v4l2.c | 22 ++++----------
drivers/media/usb/uvc/uvcvideo.h | 10 +++---
4 files changed, 103 insertions(+), 36 deletions(-)
---
base-commit: b14257abe7057def6127f6fb2f14f9adc8acabdb
change-id: 20230309-guenter-mini-89861b084ef1
Best regards,
--
Ricardo Ribalda <[email protected]>
The control events are handled asynchronously by the driver. Once the
control event are handled, the urb is re-submitted.
If we simply kill the urb, there is a chance that a control event is
waiting to be processed, which will re-submit the urb after the device is
disconnected.
uvc_status_suspend() flushes the async controls and stops the urb in a
correct manner.
Signed-off-by: Ricardo Ribalda <[email protected]>
---
drivers/media/usb/uvc/uvc_status.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c
index 375a95dd3011..8fd8250110e2 100644
--- a/drivers/media/usb/uvc/uvc_status.c
+++ b/drivers/media/usb/uvc/uvc_status.c
@@ -294,7 +294,7 @@ int uvc_status_init(struct uvc_device *dev)
void uvc_status_unregister(struct uvc_device *dev)
{
- usb_kill_urb(dev->int_urb);
+ uvc_status_suspend(dev);
uvc_input_unregister(dev);
}
--
2.45.2.505.gda0bf45e8d-goog
If there is no int_urb there is no need to do a clean stop.
Also we avoid calling usb_kill_urb(NULL). It is properly handled by the
usb framework, but it is not polite.
Now that we are at it, fix the code style in uvc_status_start() for
consistency.
Signed-off-by: Ricardo Ribalda <[email protected]>
---
drivers/media/usb/uvc/uvc_status.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c
index 8fd8250110e2..9108522beea6 100644
--- a/drivers/media/usb/uvc/uvc_status.c
+++ b/drivers/media/usb/uvc/uvc_status.c
@@ -308,7 +308,7 @@ static int __uvc_status_start(struct uvc_device *dev, gfp_t flags)
{
lockdep_assert_held(&dev->status_lock);
- if (dev->int_urb == NULL)
+ if (!dev->int_urb)
return 0;
return usb_submit_urb(dev->int_urb, flags);
@@ -320,6 +320,9 @@ static void __uvc_status_stop(struct uvc_device *dev)
lockdep_assert_held(&dev->status_lock);
+ if (!dev->int_urb)
+ return;
+
/*
* Prevent the asynchronous control handler from requeing the URB. The
* barrier is needed so the flush_status change is visible to other
--
2.45.2.505.gda0bf45e8d-goog
uvc_unregister_video() can be called asynchronously from
uvc_disconnect(). If the device is still streaming when that happens, a
plethora of race conditions can happen.
Make sure that the device has stopped streaming before exiting this
function.
If the user still holds handles to the driver's file descriptors, any
ioctl will return -ENODEV from the v4l2 core.
This change make uvc more consistent with the rest of the v4l2 drivers
using the vb2_fop_* and vb2_ioctl_* helpers.
Suggested-by: Hans Verkuil <[email protected]>
Signed-off-by: Ricardo Ribalda <[email protected]>
---
drivers/media/usb/uvc/uvc_driver.c | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index bbd90123a4e7..f1df6384e738 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1908,11 +1908,41 @@ static void uvc_unregister_video(struct uvc_device *dev)
struct uvc_streaming *stream;
list_for_each_entry(stream, &dev->streams, list) {
+ /* Nothing to do here, continue. */
if (!video_is_registered(&stream->vdev))
continue;
+ /*
+ * For stream->vdev we follow the same logic as:
+ * vb2_video_unregister_device().
+ */
+
+ /* 1. Take a reference to vdev */
+ get_device(&stream->vdev.dev);
+
+ /* 2. Ensure that no new ioctls can be called. */
video_unregister_device(&stream->vdev);
- video_unregister_device(&stream->meta.vdev);
+
+ /* 3. Wait for old ioctls to finish. */
+ mutex_lock(&stream->mutex);
+
+ /* 4. Stop streamming. */
+ uvc_queue_streamoff(&stream->queue, stream->type);
+
+ mutex_unlock(&stream->mutex);
+
+ put_device(&stream->vdev.dev);
+
+ /*
+ * For stream->meta.vdev we can directly call:
+ * vb2_video_unregister_device().
+ */
+ vb2_video_unregister_device(&stream->meta.vdev);
+
+ /*
+ * Now both vdevs are not streaming and all the ioctls will
+ * return -ENODEV.
+ */
uvc_debugfs_cleanup_stream(stream);
}
--
2.45.2.505.gda0bf45e8d-goog
There are two different use-cases of uvc_status():
- adding/removing a user when the camera is open/closed
- stopping/starting when the camera is suspended/resumed
Make the API reflect these two use-cases and move all the refcounting
and locking logic to the uvc_status.c file.
Signed-off-by: Ricardo Ribalda <[email protected]>
---
drivers/media/usb/uvc/uvc_driver.c | 13 ++-------
drivers/media/usb/uvc/uvc_status.c | 55 ++++++++++++++++++++++++++++++++++++--
drivers/media/usb/uvc/uvc_v4l2.c | 22 +++++----------
drivers/media/usb/uvc/uvcvideo.h | 10 ++++---
4 files changed, 67 insertions(+), 33 deletions(-)
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index f1df6384e738..078b8fb05b54 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -2135,7 +2135,6 @@ static int uvc_probe(struct usb_interface *intf,
INIT_LIST_HEAD(&dev->streams);
kref_init(&dev->ref);
atomic_set(&dev->nmappings, 0);
- mutex_init(&dev->lock);
dev->udev = usb_get_dev(udev);
dev->intf = usb_get_intf(intf);
@@ -2301,10 +2300,7 @@ static int uvc_suspend(struct usb_interface *intf, pm_message_t message)
/* Controls are cached on the fly so they don't need to be saved. */
if (intf->cur_altsetting->desc.bInterfaceSubClass ==
UVC_SC_VIDEOCONTROL) {
- mutex_lock(&dev->lock);
- if (dev->users)
- uvc_status_stop(dev);
- mutex_unlock(&dev->lock);
+ uvc_status_suspend(dev);
return 0;
}
@@ -2335,12 +2331,7 @@ static int __uvc_resume(struct usb_interface *intf, int reset)
return ret;
}
- mutex_lock(&dev->lock);
- if (dev->users)
- ret = uvc_status_start(dev, GFP_NOIO);
- mutex_unlock(&dev->lock);
-
- return ret;
+ return uvc_status_resume(dev);
}
list_for_each_entry(stream, &dev->streams, list) {
diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c
index a78a88c710e2..375a95dd3011 100644
--- a/drivers/media/usb/uvc/uvc_status.c
+++ b/drivers/media/usb/uvc/uvc_status.c
@@ -257,6 +257,8 @@ int uvc_status_init(struct uvc_device *dev)
unsigned int pipe;
int interval;
+ mutex_init(&dev->status_lock);
+
if (ep == NULL)
return 0;
@@ -302,18 +304,22 @@ void uvc_status_cleanup(struct uvc_device *dev)
kfree(dev->status);
}
-int uvc_status_start(struct uvc_device *dev, gfp_t flags)
+static int __uvc_status_start(struct uvc_device *dev, gfp_t flags)
{
+ lockdep_assert_held(&dev->status_lock);
+
if (dev->int_urb == NULL)
return 0;
return usb_submit_urb(dev->int_urb, flags);
}
-void uvc_status_stop(struct uvc_device *dev)
+static void __uvc_status_stop(struct uvc_device *dev)
{
struct uvc_ctrl_work *w = &dev->async_ctrl;
+ lockdep_assert_held(&dev->status_lock);
+
/*
* Prevent the asynchronous control handler from requeing the URB. The
* barrier is needed so the flush_status change is visible to other
@@ -350,3 +356,48 @@ void uvc_status_stop(struct uvc_device *dev)
*/
smp_store_release(&dev->flush_status, false);
}
+
+int uvc_status_resume(struct uvc_device *dev)
+{
+ int ret = 0;
+
+ mutex_lock(&dev->status_lock);
+ if (dev->status_users)
+ ret = __uvc_status_start(dev, GFP_NOIO);
+ mutex_unlock(&dev->status_lock);
+
+ return ret;
+}
+
+void uvc_status_suspend(struct uvc_device *dev)
+{
+ mutex_lock(&dev->status_lock);
+ if (dev->status_users)
+ __uvc_status_stop(dev);
+ mutex_unlock(&dev->status_lock);
+}
+
+int uvc_status_get(struct uvc_device *dev)
+{
+ int ret = 0;
+
+ mutex_lock(&dev->status_lock);
+ if (!dev->status_users)
+ ret = __uvc_status_start(dev, GFP_KERNEL);
+ if (!ret)
+ dev->status_users++;
+ mutex_unlock(&dev->status_lock);
+
+ return ret;
+}
+
+void uvc_status_put(struct uvc_device *dev)
+{
+ mutex_lock(&dev->status_lock);
+ if (dev->status_users == 1)
+ __uvc_status_stop(dev);
+ WARN_ON(!dev->status_users);
+ if (dev->status_users)
+ dev->status_users--;
+ mutex_unlock(&dev->status_lock);
+}
diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
index f4988f03640a..97c5407f6603 100644
--- a/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -628,20 +628,13 @@ static int uvc_v4l2_open(struct file *file)
return -ENOMEM;
}
- mutex_lock(&stream->dev->lock);
- if (stream->dev->users == 0) {
- ret = uvc_status_start(stream->dev, GFP_KERNEL);
- if (ret < 0) {
- mutex_unlock(&stream->dev->lock);
- usb_autopm_put_interface(stream->dev->intf);
- kfree(handle);
- return ret;
- }
+ ret = uvc_status_get(stream->dev);
+ if (ret) {
+ usb_autopm_put_interface(stream->dev->intf);
+ kfree(handle);
+ return ret;
}
- stream->dev->users++;
- mutex_unlock(&stream->dev->lock);
-
v4l2_fh_init(&handle->vfh, &stream->vdev);
v4l2_fh_add(&handle->vfh);
handle->chain = stream->chain;
@@ -670,10 +663,7 @@ static int uvc_v4l2_release(struct file *file)
kfree(handle);
file->private_data = NULL;
- mutex_lock(&stream->dev->lock);
- if (--stream->dev->users == 0)
- uvc_status_stop(stream->dev);
- mutex_unlock(&stream->dev->lock);
+ uvc_status_put(stream->dev);
usb_autopm_put_interface(stream->dev->intf);
return 0;
diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h
index 6fb0a78b1b00..00b600eb058c 100644
--- a/drivers/media/usb/uvc/uvcvideo.h
+++ b/drivers/media/usb/uvc/uvcvideo.h
@@ -555,8 +555,6 @@ struct uvc_device {
const struct uvc_device_info *info;
- struct mutex lock; /* Protects users */
- unsigned int users;
atomic_t nmappings;
/* Video control interface */
@@ -578,6 +576,8 @@ struct uvc_device {
struct usb_host_endpoint *int_ep;
struct urb *int_urb;
struct uvc_status *status;
+ struct mutex status_lock; /* Protects status_users */
+ unsigned int status_users;
bool flush_status;
struct input_dev *input;
@@ -744,8 +744,10 @@ int uvc_register_video_device(struct uvc_device *dev,
int uvc_status_init(struct uvc_device *dev);
void uvc_status_unregister(struct uvc_device *dev);
void uvc_status_cleanup(struct uvc_device *dev);
-int uvc_status_start(struct uvc_device *dev, gfp_t flags);
-void uvc_status_stop(struct uvc_device *dev);
+int uvc_status_resume(struct uvc_device *dev);
+void uvc_status_suspend(struct uvc_device *dev);
+int uvc_status_get(struct uvc_device *dev);
+void uvc_status_put(struct uvc_device *dev);
/* Controls */
extern const struct uvc_control_mapping uvc_ctrl_power_line_mapping_limited;
--
2.45.2.505.gda0bf45e8d-goog
On 11/06/2024 10:12, Ricardo Ribalda wrote:
> uvc_unregister_video() can be called asynchronously from
> uvc_disconnect(). If the device is still streaming when that happens, a
> plethora of race conditions can happen.
>
> Make sure that the device has stopped streaming before exiting this
> function.
>
> If the user still holds handles to the driver's file descriptors, any
> ioctl will return -ENODEV from the v4l2 core.
>
> This change make uvc more consistent with the rest of the v4l2 drivers
> using the vb2_fop_* and vb2_ioctl_* helpers.
>
> Suggested-by: Hans Verkuil <[email protected]>
> Signed-off-by: Ricardo Ribalda <[email protected]>
> ---
> drivers/media/usb/uvc/uvc_driver.c | 32 +++++++++++++++++++++++++++++++-
> 1 file changed, 31 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
> index bbd90123a4e7..f1df6384e738 100644
> --- a/drivers/media/usb/uvc/uvc_driver.c
> +++ b/drivers/media/usb/uvc/uvc_driver.c
> @@ -1908,11 +1908,41 @@ static void uvc_unregister_video(struct uvc_device *dev)
> struct uvc_streaming *stream;
>
> list_for_each_entry(stream, &dev->streams, list) {
> + /* Nothing to do here, continue. */
> if (!video_is_registered(&stream->vdev))
> continue;
>
> + /*
> + * For stream->vdev we follow the same logic as:
> + * vb2_video_unregister_device().
> + */
> +
> + /* 1. Take a reference to vdev */
> + get_device(&stream->vdev.dev);
> +
> + /* 2. Ensure that no new ioctls can be called. */
> video_unregister_device(&stream->vdev);
> - video_unregister_device(&stream->meta.vdev);
> +
> + /* 3. Wait for old ioctls to finish. */
> + mutex_lock(&stream->mutex);
> +
> + /* 4. Stop streamming. */
streamming -> streaming
> + uvc_queue_streamoff(&stream->queue, stream->type);
This should call uvc_queue_release (just a wrapper around vb2_queue_release())
instead. Then it is identical in behavior to vb2_video_unregister_device.
Note that uvc_v4l2_release() also calls uvc_queue_release(): it's safe
to call uvc_queue_release() twice.
With that change:
Reviewed-by: Hans Verkuil <[email protected]>
Regards,
Hans
> +
> + mutex_unlock(&stream->mutex);
> +
> + put_device(&stream->vdev.dev);
> +
> + /*
> + * For stream->meta.vdev we can directly call:
> + * vb2_video_unregister_device().
> + */
> + vb2_video_unregister_device(&stream->meta.vdev);
> +
> + /*
> + * Now both vdevs are not streaming and all the ioctls will
> + * return -ENODEV.
> + */
>
> uvc_debugfs_cleanup_stream(stream);
> }
>