lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250630152422.GF24861@pendragon.ideasonboard.com>
Date: Mon, 30 Jun 2025 18:24:22 +0300
From: Laurent Pinchart <laurent.pinchart@...asonboard.com>
To: Hans de Goede <hansg@...nel.org>
Cc: Ricardo Ribalda <ribalda@...omium.org>,
	Hans de Goede <hdegoede@...hat.com>,
	Hans Verkuil <hans@...erkuil.nl>,
	Mauro Carvalho Chehab <mchehab@...nel.org>,
	linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 3/5] media: uvcvideo: Split uvc_stop_streaming()

On Mon, Jun 30, 2025 at 05:12:29PM +0200, Hans de Goede wrote:
> On 30-Jun-25 4:17 PM, Laurent Pinchart wrote:
> > On Mon, Jun 16, 2025 at 03:24:40PM +0000, Ricardo Ribalda wrote:
> >> uvc_stop_streaming() is used for meta and video nodes. Split the function
> >> in two to avoid confusion.
> >>
> >> Use this opportunity to rename uvc_start_streaming() to
> >> uvc_start_streaming_video(), as it is only called by the video nodes.
> >>
> >> Reviewed-by: Hans de Goede <hansg@...nel.org>
> >> Signed-off-by: Ricardo Ribalda <ribalda@...omium.org>
> >> ---
> >>  drivers/media/usb/uvc/uvc_queue.c | 22 +++++++++++++++-------
> >>  1 file changed, 15 insertions(+), 7 deletions(-)
> >>
> >> diff --git a/drivers/media/usb/uvc/uvc_queue.c b/drivers/media/usb/uvc/uvc_queue.c
> >> index 8f9737ac729546683ca48f5e71ce3dfacbae2926..3f357c2d48cfd258c26f0342007d1d12f1e01007 100644
> >> --- a/drivers/media/usb/uvc/uvc_queue.c
> >> +++ b/drivers/media/usb/uvc/uvc_queue.c
> >> @@ -167,7 +167,7 @@ static void uvc_buffer_finish(struct vb2_buffer *vb)
> >>  		uvc_video_clock_update(stream, vbuf, buf);
> >>  }
> >>  
> >> -static int uvc_start_streaming(struct vb2_queue *vq, unsigned int count)
> >> +static int uvc_start_streaming_video(struct vb2_queue *vq, unsigned int count)
> >>  {
> >>  	struct uvc_video_queue *queue = vb2_get_drv_priv(vq);
> >>  	struct uvc_streaming *stream = uvc_queue_to_stream(queue);
> >> @@ -186,14 +186,22 @@ static int uvc_start_streaming(struct vb2_queue *vq, unsigned int count)
> >>  	return ret;
> >>  }
> >>  
> >> -static void uvc_stop_streaming(struct vb2_queue *vq)
> >> +static void uvc_stop_streaming_video(struct vb2_queue *vq)
> >>  {
> >>  	struct uvc_video_queue *queue = vb2_get_drv_priv(vq);
> >>  
> >>  	lockdep_assert_irqs_enabled();
> >>  
> >> -	if (vq->type != V4L2_BUF_TYPE_META_CAPTURE)
> >> -		uvc_video_stop_streaming(uvc_queue_to_stream(queue));
> >> +	uvc_video_stop_streaming(uvc_queue_to_stream(queue));
> >> +
> >> +	uvc_queue_return_buffers(queue, UVC_BUF_STATE_ERROR);
> >> +}
> >> +
> >> +static void uvc_stop_streaming_meta(struct vb2_queue *vq)
> >> +{
> >> +	struct uvc_video_queue *queue = vb2_get_drv_priv(vq);
> >> +
> >> +	lockdep_assert_irqs_enabled();
> >>  
> >>  	uvc_queue_return_buffers(queue, UVC_BUF_STATE_ERROR);
> > 
> > I haven't checked where it was introduced, but I think you have a race
> > here. uvc_queue_return_buffers() will return all buffers currently
> > sitting in the queue->irqqueue. This can race with a bunch of places in
> > uvc_video.c that call uvc_queue_get_current_buffer() or
> > uvc_queue_get_next_buffer(), as those functions return a buffer without
> > removing it from the list.
> 
> This change just splits uvc_stop_streaming() into 2 separate
> functions for uvc_queue_qops + uvc_meta_queue_qops to remove
> the weird looking "if (vq->type != V4L2_BUF_TYPE_META_CAPTURE)"
> check done in the shared uvc_stop_streaming().
> 
> This patch does not make any functional changes. So if such
> a race exists then that is a pre-existing problem and not
> caused by this patch.

Yes, that's why I said I'm not sure where it was introduced. I only
noticed the issue here, it comes from before this patch.

> >>  }
> >> @@ -203,15 +211,15 @@ static const struct vb2_ops uvc_queue_qops = {
> >>  	.buf_prepare = uvc_buffer_prepare,
> >>  	.buf_queue = uvc_buffer_queue,
> >>  	.buf_finish = uvc_buffer_finish,
> >> -	.start_streaming = uvc_start_streaming,
> >> -	.stop_streaming = uvc_stop_streaming,
> >> +	.start_streaming = uvc_start_streaming_video,
> >> +	.stop_streaming = uvc_stop_streaming_video,
> >>  };
> >>  
> >>  static const struct vb2_ops uvc_meta_queue_qops = {
> >>  	.queue_setup = uvc_queue_setup,
> >>  	.buf_prepare = uvc_buffer_prepare,
> >>  	.buf_queue = uvc_buffer_queue,
> >> -	.stop_streaming = uvc_stop_streaming,
> >> +	.stop_streaming = uvc_stop_streaming_meta,
> >>  };
> >>  
> >>  int uvc_queue_init(struct uvc_video_queue *queue, enum v4l2_buf_type type)

-- 
Regards,

Laurent Pinchart

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ