Re: [PATCH v10 2/4] usb: gadget: uvc: Allocate uvc_requests one at a time

From: Dan Scally
Date: Thu Nov 02 2023 - 07:38:44 EST



On 01/11/2023 22:13, Avichal Rakesh wrote:

On 11/1/23 04:06, Dan Scally wrote:
Morning Avichal

On 30/10/2023 20:22, Avichal Rakesh wrote:
Currently, the uvc gadget driver allocates all uvc_requests as one array
and deallocates them all when the video stream stops. This includes
de-allocating all the usb_requests associated with those uvc_requests.
This can lead to use-after-free issues if any of those de-allocated
usb_requests were still owned by the usb controller.

This patch is 1 of 2 patches addressing the use-after-free issue.
Instead of bulk allocating all uvc_requests as an array, this patch
allocates uvc_requests one at a time, which should allow for similar
granularity when deallocating the uvc_requests. This patch has no
functional changes other than allocating each uvc_request separately,
and similarly freeing each of them separately.

Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@xxxxxxxxxx
Suggested-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
Reviewed-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
Tested-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
Signed-off-by: Avichal Rakesh <arakesh@xxxxxxxxxx>

Thanks for the update; this seems ok now:


Reviewed-by: Daniel Scally <dan.scally@xxxxxxxxxxxxxxxx>
Awesome, thank you! I'll add the Reviewed-by in the next patchset
(assuming you have more review comments on patch 4/4 v10).


Sorry yes - taking me a while to wrap my head around everything but I hope to be done shortly!


Regards,
Avi.

---
v1 -> v2 : Rebased to ToT
v2 -> v3 : Fix email threading goof-up
v3 -> v4 : Address review comments & re-rebase to ToT
v4 -> v5 : Address more review comments. Add Reviewed-by & Tested-by.
v5 -> v6 : No change
v6 -> v7 : No change
v7 -> v8 : No change. Getting back in review queue
v8 -> v9 : Address review comments.
v9 -> v10: Address review comments; remove BUG_ON(&video->reqs);
            Rebase to ToT (usb-next)

  <snip>