Hi Michael, Thank you for the patch. On Mon, Sep 11, 2023 at 04:05:29PM +0200, Michael Grzeschik wrote: > The uvc_video_enable function of the uvc-gadget driver is dequeing and > immediately deallocs all requests on its disable codepath. This is not > save since the dequeue function is async and does not ensure that the > requests are left unlinked in the controller driver. > > By adding the ep_free_request into the completion path of the requests > we ensure that the request will be properly deallocated. You're swapping one race condition for a different one. With this patch, request can now be double-freed. I'll reply to the long discussion on v1 to try and find a proper solution. As for 1/3, I think this got merged too soon :-( > Signed-off-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx> > --- > v1 == v2 > > drivers/usb/gadget/function/uvc_video.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c > index 4b68a3a9815d73..c48c904f500fff 100644 > --- a/drivers/usb/gadget/function/uvc_video.c > +++ b/drivers/usb/gadget/function/uvc_video.c > @@ -256,6 +256,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) > struct uvc_device *uvc = video->uvc; > unsigned long flags; > > + if (uvc->state == UVC_STATE_CONNECTED) { > + usb_ep_free_request(video->ep, ureq->req); > + ureq->req = NULL; > + return; > + } > + > switch (req->status) { > case 0: > break; -- Regards, Laurent Pinchart