From: Ricardo Ribalda
Date: Wed, 26 Oct 2022 14:06:12 +0200
Subject: [PATCH v3 7/7] media: uvcvideo: Protect uvc queue file operations against disconnect
Message-Id: <20220920-resend-powersave-v3-7-c47856d8757e@chromium.org>
References: <20220920-resend-powersave-v3-0-c47856d8757e@chromium.org>
In-Reply-To: <20220920-resend-powersave-v3-0-c47856d8757e@chromium.org>
To: Mauro Carvalho Chehab
Cc: Tomasz Figa, Ricardo Ribalda, Guenter Roeck, Max Staudt, linux-kernel@vger.kernel.org, Alan Stern, Hans Verkuil, Laurent Pinchart, linux-media@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Guenter Roeck

uvc queue file operations have no mutex protection against USB disconnect.
This is questionable at least for the poll operation, which has to wait
for the uvc queue mutex. By the time that mutex has been acquired, it is
possible that the video device has been unregistered.

Protect all file operations by using the queue mutex to avoid possible
race conditions. After acquiring the mutex, check if the video device is
still registered, and bail out if not.

Cc: Laurent Pinchart
Cc: Alan Stern
Cc: Hans Verkuil
Signed-off-by: Guenter Roeck

diff --git a/drivers/media/usb/uvc/uvc_queue.c b/drivers/media/usb/uvc/uvc_queue.c index 16fa17bbd15e..aed45cbc814e 100644 --- a/drivers/media/usb/uvc/uvc_queue.c +++ b/drivers/media/usb/uvc/uvc_queue.c
@@ -354,24 +354,52 @@ int uvc_queue_streamoff(struct uvc_video_queue *queue, enum v4l2_buf_type type) int uvc_queue_mmap(struct uvc_video_queue *queue, struct vm_area_struct *vma) { - return vb2_mmap(&queue->queue, vma); + struct uvc_streaming *stream = uvc_queue_to_stream(queue); + int ret; + + mutex_lock(&queue->mutex); + if (!video_is_registered(&stream->vdev)) { + ret = -ENODEV; + goto unlock; + } + ret = vb2_mmap(&queue->queue, vma); +unlock: + mutex_unlock(&queue->mutex); + return ret; } #ifndef CONFIG_MMU unsigned long uvc_queue_get_unmapped_area(struct uvc_video_queue *queue, unsigned long pgoff) { - return vb2_get_unmapped_area(&queue->queue, 0, 0, pgoff, 0); + struct uvc_streaming *stream = uvc_queue_to_stream(queue); + unsigned long ret; + + mutex_lock(&queue->mutex); + if (!video_is_registered(&stream->vdev)) { + ret = -ENODEV; + goto unlock; + } + ret = vb2_get_unmapped_area(&queue->queue, 0, 0, pgoff, 0); +unlock: + mutex_unlock(&queue->mutex); + return ret; } #endif __poll_t uvc_queue_poll(struct uvc_video_queue *queue, struct file *file, poll_table *wait) { + struct uvc_streaming *stream = uvc_queue_to_stream(queue); __poll_t ret; mutex_lock(&queue->mutex); + if (!video_is_registered(&stream->vdev)) { + ret = EPOLLERR; + goto unlock; + } ret = vb2_poll(&queue->queue, file, wait); +unlock: mutex_unlock(&queue->mutex); return ret; -- b4 0.11.0-dev-d93f8
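
Review bot: In all three functions touched here (uvc_queue_mmap, uvc_queue_get_unmapped_area, uvc_queue_poll) the video_is_registered(&stream->vdev) check is only race-free if the disconnect path unregisters the video device while holding the same queue->mutex, and nothing in this patch shows that; otherwise the device can be unregistered right after the check while vb2_mmap() or vb2_poll() is still running. Please state in the commit message which lock the unregister side takes, or add that locking in this series. Two smaller points: the mmap handler is entered with the mm's mmap lock already held, so taking queue->mutex in uvc_queue_mmap needs a sentence on why that ordering cannot invert against paths that hold queue->mutex and then touch user memory; and in uvc_queue_get_unmapped_area the line `ret = -ENODEV;` stores a negative errno in an unsigned long, which deserves a short comment that the caller is expected to treat the value as an error. The repeated lock, check, unlock sequence could also move into one helper so the three call sites cannot drift apart.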