Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp11611372rwl; Tue, 3 Jan 2023 01:53:04 -0800 (PST) X-Google-Smtp-Source: AMrXdXvIKkZvpfezXYsvplx5LPD7Azzmd45MUdE3MlZUCBWyFDaluJOJcCS7DWsg7rIlvx1Y0dk6 X-Received: by 2002:a17:902:a40a:b0:192:8d51:e4df with SMTP id p10-20020a170902a40a00b001928d51e4dfmr24812831plq.61.1672739584276; Tue, 03 Jan 2023 01:53:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672739584; cv=none; d=google.com; s=arc-20160816; b=qsco8Wi+5DmyG/6IibxG6veXmfQzwQtJCiJwBqx/mA9m9dZ3Q/cfZ01o72EgoJE6f6 Zx6LquIilnnJxbujoLh2cAtm8j95z//Ym84bOvJwyE8djNjR22xv8N6n6ZYWVrewzm4R mzX/wZ60KN2v4JIPYNwaBziNve96QOUvpsCpvGl3+N64gn9rxqzRTmPt4gaIOz+Q/jnY ovuF3+kP1M3uzCUV/4WsMCB4LEvtLMEJBX23L3CfSiBzDtUB43uf3AACw3//SeJ9HS/6 4yv8IIwTEmMMWwlH+ufHjlrRwy9Nen9I0CIsaP8NkWv/7jPAEIi3vfpaYdBkqAuEwG4q 3twQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=jcCeUe8dp3S0aIMiyCkv1Dk6gs4kz2Rph2Ssgj/ekI0=; b=Ss5iE06TL+6E5P5vtCfvABfTIRZZptTzhcE0vP4s5WjYihzq3g1x5ashuPk6YDodnh mHbmcycpuHGSDOVdw91xyEBcr958T139Wd0Le1eEv3A93jxM5LMDHw9OartnAvNyGy2L 7aZ7RljGoZFN+kv0Y9HsqeFKp2Qe2UGafWwvZBw59+GI6JRh/5nYnWWsyMxhHUasYWQs YG4tMte+3R5L1KlOccSnuYfO9/EcJfn0m/v0cJDKj8H0LpRkP21vE9cz2g4IVaF3YKFp l0d52SH1n5cL5yk4S/ylX/GGw13IWyEMkW3oYCt7R28sV+eic4JnRWoF/J14q2kk0LDR Uodg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="TL/1ao89"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x23-20020a170902b41700b001868ee3e594si29731305plr.409.2023.01.03.01.52.57; Tue, 03 Jan 2023 01:53:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="TL/1ao89"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233159AbjACJJP (ORCPT + 61 others); Tue, 3 Jan 2023 04:09:15 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41174 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230478AbjACJJM (ORCPT ); Tue, 3 Jan 2023 04:09:12 -0500 Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A7114E00C for ; Tue, 3 Jan 2023 01:09:10 -0800 (PST) Received: by mail-pj1-x102d.google.com with SMTP id o1-20020a17090a678100b00219cf69e5f0so35294914pjj.2 for ; Tue, 03 Jan 2023 01:09:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=jcCeUe8dp3S0aIMiyCkv1Dk6gs4kz2Rph2Ssgj/ekI0=; b=TL/1ao89hsBreVnGN22u5zp0DHtCX9c2AzLxijusP3QSP4QTbywfw/7EuRB7yIKcEP C1Biq5+4JdbSQkFIWKTTxni2MzrTs5iiw4GKfsZMSOJBXYR4V+A70HpG6WAspLdoUy8Y XQaiRE7546GF9oWek9s0lvW/LoB6l84hC02Lg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jcCeUe8dp3S0aIMiyCkv1Dk6gs4kz2Rph2Ssgj/ekI0=; b=du7Gj83HKdgv4eE1Y+toHyMdKBALlhhtliW2jnQXGspnHkcoLJk5peM8LqEYqeTOSk aT4AsY1q+xAJHXFjyGXoo25Ne19Txq/lXRoBAMLt6mm64qptWICbxjJ4519nxy47azEx Mh+4xNlAXp3tfT5/LzYE75DIR/ppdi7fcBOjr/QQ4ZWqDRyGMudIDmJLqfqsFW/ZxFzc Cpklp3bt9opwZl67HQWa07E5RNs4Q6eQCx5N5hbTclnTvtKMPxpEschVlAzYTtXo8cIv Wgoacgso5JfLPCVgoBX/RnppoHd+jgdpuTahlKfgfyOI+yatrYpTJHDelC38cQS0jgJs vlBg== X-Gm-Message-State: AFqh2krZ0MXEdLWO9afRsyXnYQg96Ql8kQYKlb+djtyBgzB+9nCKi4GU i8Klh+AAlzoMG2Wq3wWDDGSCH0JNSClQExWRVAs= X-Received: by 2002:a17:902:9a0b:b0:189:d3dc:a9c4 with SMTP id v11-20020a1709029a0b00b00189d3dca9c4mr42400859plp.36.1672736949848; Tue, 03 Jan 2023 01:09:09 -0800 (PST) Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com. [209.85.215.176]) by smtp.gmail.com with ESMTPSA id w1-20020a170902a70100b001873aa85e1fsm21586156plq.305.2023.01.03.01.09.08 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 03 Jan 2023 01:09:08 -0800 (PST) Received: by mail-pg1-f176.google.com with SMTP id f3so19719995pgc.2 for ; Tue, 03 Jan 2023 01:09:08 -0800 (PST) X-Received: by 2002:a65:5b88:0:b0:495:fb5f:4395 with SMTP id i8-20020a655b88000000b00495fb5f4395mr1743111pgr.63.1672736947897; Tue, 03 Jan 2023 01:09:07 -0800 (PST) MIME-Version: 1.0 References: <20221212-uvc-race-v6-0-2a662f8de011@chromium.org> <20230103022540.3667-1-hdanton@sina.com> In-Reply-To: <20230103022540.3667-1-hdanton@sina.com> From: Ricardo Ribalda Date: Tue, 3 Jan 2023 10:08:56 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v6] media: uvcvideo: Fix race condition with usb_kill_urb To: Hillf Danton Cc: Laurent Pinchart , Mauro Carvalho Chehab , Max Staudt , Sergey Senozhatsky , Yunke Cao , linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Hillf Thanks for the heads up On Tue, 3 Jan 2023 at 03:25, Hillf Danton wrote: > > On 02 Jan 2023 15:48:01 +0100 Ricardo Ribalda > > --- a/drivers/media/usb/uvc/uvc_ctrl.c > > +++ b/drivers/media/usb/uvc/uvc_ctrl.c > > @@ -1442,6 +1442,9 @@ static void uvc_ctrl_status_event_work(struct work_struct *work) > > > > uvc_ctrl_status_event(w->chain, w->ctrl, w->data); > > > > + if (dev->flush_status) > > + return; > > + > > /* Resubmit the URB. */ > > w->urb->interval = dev->int_ep->desc.bInterval; > > ret = usb_submit_urb(w->urb, GFP_KERNEL); > > diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c > > index 7518ffce22ed..e457889345a3 100644 > > --- a/drivers/media/usb/uvc/uvc_status.c > > +++ b/drivers/media/usb/uvc/uvc_status.c > > @@ -6,6 +6,7 @@ > > * Laurent Pinchart (laurent.pinchart@ideasonboard.com) > > */ > > > > +#include > > #include > > #include > > #include > > @@ -309,5 +310,44 @@ int uvc_status_start(struct uvc_device *dev, gfp_t flags) > > > > void uvc_status_stop(struct uvc_device *dev) > > { > > + struct uvc_ctrl_work *w = &dev->async_ctrl; > > + > > + /* Prevent the asynchronous control handler from requeing the URB */ > > + dev->flush_status = true; > > + > > + /* > > + * The barrier is needed so the flush_status change is visible to other > > + * CPUs running the asynchronous handler before usb_kill_urb() is > > + * called below. > > + */ > > + smp_mb(); > > Given unpaired mb, take a look at the release/acquire memory barrier pairing > in c5b2cbdbdac5 ("ipc/mqueue.c: update/document memory barriers") Would it work? to replace: dev->flush_status = true; smp_mb(); with: smp_store_release(&dev->flush_status, 1); and then read it always with: smp_load_acquire(&dev->flush_status); Thanks! > > > + > > + /* If there is any status event on the queue, process it. */ > > + if (cancel_work_sync(&w->work)) > > + uvc_ctrl_status_event(w->chain, w->ctrl, w->data); > > + > > + /* Kill the urb. */ > > usb_kill_urb(dev->int_urb); > > + > > + /* > > + * The URB completion handler may have queued asynchronous work. This > > + * won't resubmit the URB as flush_status is set, but it needs to be > > + * cancelled before returning or it could then race with a future > > + * uvc_status_start() call. > > + */ > > + if (cancel_work_sync(&w->work)) > > + uvc_ctrl_status_event(w->chain, w->ctrl, w->data); > > + > > + /* > > + * From this point, there are no events on the queue and the status URB > > + * is dead, this is, no events will be queued until uvc_status_start() > > + * is called. > > + */ > > + dev->flush_status = false; > > + > > + /* > > + * Write to memory the value of flush_status before uvc_status_start() > > + * is called again. > > + */ > > + smp_mb(); > > } -- Ricardo Ribalda