Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp9546460rwp; Thu, 20 Jul 2023 06:35:08 -0700 (PDT) X-Google-Smtp-Source: APBJJlEaexnakUP47RNR16Jpfvb2E6OIukpRoZNsDHBCSh01FnMD2EP7o2uvx0ZHbXPFBvFY+Rv7 X-Received: by 2002:a17:906:8477:b0:99b:5a73:4d06 with SMTP id hx23-20020a170906847700b0099b5a734d06mr814950ejc.20.1689860108007; Thu, 20 Jul 2023 06:35:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689860107; cv=none; d=google.com; s=arc-20160816; b=W/DlBLit/dy8m/Ro4QWLQCGwDb5oDAX5yKr2BJO9CgbrQAk3DT4oHN+e7ne8iAmJqU laO4i/rabAiFo8+DjOT9YBL5aHD+nBxPklIRP8+6pZWCJV4sOofRHrAIqbhPZrFSLUHr +OBIJoJHM+7Tl5zfB/jL4A4zWhbNTvpdpHLKUnC45o3Tz5cmxoFafUt3uKC3gNPTL9Kj 9cEarCJHjV/LxrtEEgNvb97BHrma0435gDTHPafEhOOz+WLoyfTgiWv6HHYjtatEErMt 8PsgbFPWDcf/odH9Ulq8mnFJy1wVJrgHz7SsVSbq5mPYkgl3b/Q8zGlJWWWFY0QPE7Zg VwZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=ucui8vZ/TmRC7XXIN69oDED06+JRd2Xi+BjVZvC2o+8=; fh=VWBA/3Fyhg9tRxMsFLuHySmj7rpv4oF1cMJfmh6IDBE=; b=r9CIAeTxlkw5E/Fqiu0o8CykPMJJxcq7AI0w5Ctx9w/SZUeZOKWbeUVDFYHrIQFgOQ 5shQyyFA5CakNbb0rxP+AlTi+7V5w54yACxUAxPR5vsM6Har+hgUhG2qcbikO78b2K8e 4N6Nfz5iEertebu9Os24qNF63cbBN75kbBKAaEbpYpe7cqt7OgVroKHBc5gTA0CO7yKV gfLhHsDUNckLtfLDN+ZZ2pwlCzm+XoicE4483JYW6IBcGs8ZR+820qJ504K6zIZo9BP/ Qaru2bbQyQvEPfA8MEGqytHXxcK1rpCGNTrhIGiwOqmDqctVsU9Cu0bjElak5c4wIJmG gLlA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uFsbvlwU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p26-20020a170906141a00b00993664a9970si694660ejc.873.2023.07.20.06.34.43; Thu, 20 Jul 2023 06:35:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uFsbvlwU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231826AbjGTNWq (ORCPT + 99 others); Thu, 20 Jul 2023 09:22:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43220 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231623AbjGTNWo (ORCPT ); Thu, 20 Jul 2023 09:22:44 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3FCDAE60; Thu, 20 Jul 2023 06:22:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CACF961A28; Thu, 20 Jul 2023 13:22:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8BEDAC433C8; Thu, 20 Jul 2023 13:22:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1689859362; bh=UxGNS4Tm6QXbkmz0tPWtSTwsEwS6W+sxPDlrcmJzi4g=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=uFsbvlwUy0eZzVtaNrYod3QeHOgHvnrJpDQShlhOyL2ojGnnIJM0YAo/qTdK9hkTs QwpHFQXZeL1PDMK3YHfl9au7pabLMpYvk6tMXsiMAXzDVmgqcGbquQQdsrXmwOPUK5 Eh379GAva0qS0Xvex5vh3aKupbnfFNYFuZ0K057s= Date: Thu, 20 Jul 2023 15:22:38 +0200 From: Greg KH To: Aman Deep Cc: stern@rowland.harvard.edu, laurent.pinchart@ideasonboard.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Anuj Gupta Subject: Re: [PATCH] USB: Fix race condition during UVC webcam disconnect Message-ID: <2023072013-reconvene-capsize-0286@gregkh> References: <20230720113142.3070583-1-aman.deep@samsung.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230720113142.3070583-1-aman.deep@samsung.com> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jul 20, 2023 at 05:01:42PM +0530, Aman Deep wrote: > In the bug happened during uvc webcam disconect,there is race > between stopping a video transfer and usb disconnect.This issue is > reproduced in my system running Linux kernel when UVC webcam play is > stopped and UVC webcam is disconnected at the same time. This causes the > below backtrace: > > [2-3496.7275] PC is at 0xbf418000+0x2d8 [usbcore] > [2-3496.7275] LR is at 0x00000005 > [2-3496.7275] pc : []((usb_ifnum_to_if > [usbcore.ko]>)) lr : [<00000005>]() psr: 20000013 > [2-3496.7275] Function entered at []((usb_ifnum_to_if > [usbcore.ko]>)) (0xbf418000+0x2a4 [usbcore]) from > []((usb_hcd_alloc_bandwidth > [usbcore.ko]>)) (0xbf418000+0xb974 [usbcore]) > [2-3496.7275] Function entered at []((usb_hcd_alloc_bandwidth > [usbcore.ko]>)) (0xbf418000+0xb738 [usbcore]) from > []((usb_set_interface > [usbcore.ko]>)) (0xbf418000+0xeca0 [usbcore]) > [2-3496.7275] Function entered at []((usb_set_interface > [usbcore.ko]>)) (0xbf418000+0xeb9c [usbcore]) from > []((uvc_video_clock_cleanup > uvc_video_stop_streaming > [uvcvideo.ko]>)) (0xbf9bd000+0x7dd4 [uvcvideo]) > [2-3496.7275] Function entered at []((uvc_video_stop_streaming > [uvcvideo.ko]>)) (0xbf9bd000+0x7d98 [uvcvideo]) from > []((spin_lock_irq > uvc_stop_streaming > [uvcvideo.ko]>)) (0xbf9bd000+0x2ab8 [uvcvideo]) > [2-3496.7276] Function entered at []((uvc_stop_streaming > [uvcvideo.ko]>)) (0xbf9bd000+0x2a94 [uvcvideo]) from > []((__read_once_size > (discriminator 1) __vb2_queue_cancel > (discriminator 1) [videobuf2_common.ko]>)) (0xbe306000+0x1150 > [videobuf2_common]) > [2-3496.7276] Function entered at []((__vb2_queue_cancel > [videobuf2_common.ko]>)) (0xbe306000+0x1120 [videobuf2_common]) from > []((vb2_core_streamoff > > This below solution patch fixes this race condition at USB core level > occurring during UVC webcam device disconnect. > > Signed-off-by: Anuj Gupta > Signed-off-by: Aman Deep What commit id does this fix? SHould this go to the stable trees? > --- > drivers/usb/core/hcd.c | 7 ++++++- > drivers/usb/core/message.c | 4 ++++ > drivers/usb/core/usb.c | 9 ++++++--- > 3 files changed, 16 insertions(+), 4 deletions(-) Why are you making changes to the core USB stack for a driver bug? > > diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c > index 8300baedafd2..a06452cbbaa4 100644 > --- a/drivers/usb/core/hcd.c > +++ b/drivers/usb/core/hcd.c > @@ -1931,7 +1931,12 @@ int usb_hcd_alloc_bandwidth(struct usb_device *udev, > } > } > if (cur_alt && new_alt) { > - struct usb_interface *iface = usb_ifnum_to_if(udev, > + struct usb_interface *iface; > + > + if (udev->state == USB_STATE_NOTATTACHED) > + return -ENODEV; > + > + iface = usb_ifnum_to_if(udev, > cur_alt->desc.bInterfaceNumber); > > if (!iface) > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c > index b5811620f1de..f31c7287dc01 100644 > --- a/drivers/usb/core/message.c > +++ b/drivers/usb/core/message.c > @@ -1575,7 +1575,11 @@ int usb_set_interface(struct usb_device *dev, int interface, int alternate) > for (i = 0; i < iface->cur_altsetting->desc.bNumEndpoints; i++) > iface->cur_altsetting->endpoint[i].streams = 0; > > + if (dev->state == USB_STATE_NOTATTACHED) > + return -ENODEV; > + > ret = usb_hcd_alloc_bandwidth(dev, NULL, iface->cur_altsetting, alt); > + Why the extra line? And why can't the state change right after you check for it? What happens if the device is unattached right here? > if (ret < 0) { > dev_info(&dev->dev, "Not enough bandwidth for altsetting %d\n", > alternate); > diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c > index 901ec732321c..6fb8b14469ae 100644 > --- a/drivers/usb/core/usb.c > +++ b/drivers/usb/core/usb.c > @@ -352,10 +352,13 @@ struct usb_interface *usb_ifnum_to_if(const struct usb_device *dev, > > if (!config) > return NULL; > - for (i = 0; i < config->desc.bNumInterfaces; i++) > - if (config->interface[i]->altsetting[0] > - .desc.bInterfaceNumber == ifnum) > + for (i = 0; i < config->desc.bNumInterfaces; i++) { > + if (config->interface[i] && > + config->interface[i]->altsetting[0] > + .desc.bInterfaceNumber == ifnum) { > return config->interface[i]; I don't understand this change, what does it do? Your changelog does not say why you are doing any of this, only that "there is a problem", please explain this better when you resubmit this. thanks, greg k-h