On 11/1/23 04:06, Dan Scally wrote:
> Morning Avichal
>
> On 30/10/2023 20:22, Avichal Rakesh wrote:
>> Currently, the uvc gadget driver allocates all uvc_requests as one array
>> and deallocates them all when the video stream stops. This includes
>> de-allocating all the usb_requests associated with those uvc_requests.
>> This can lead to use-after-free issues if any of those de-allocated
>> usb_requests were still owned by the usb controller.
>>
>> This patch is 1 of 2 patches addressing the use-after-free issue.
>> Instead of bulk allocating all uvc_requests as an array, this patch
>> allocates uvc_requests one at a time, which should allow for similar
>> granularity when deallocating the uvc_requests. This patch has no
>> functional changes other than allocating each uvc_request separately,
>> and similarly freeing each of them separately.
>>
>> Link: https://lore.kernel.org/7cd81649-2795-45b6-8c10-b7df1055020d@xxxxxxxxxx
>> Suggested-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
>> Reviewed-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
>> Tested-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
>> Signed-off-by: Avichal Rakesh <arakesh@xxxxxxxxxx>
>
>
> Thanks for the update; this seems ok now:
>
>
> Reviewed-by: Daniel Scally <dan.scally@xxxxxxxxxxxxxxxx>

Awesome, thank you! I'll add the Reviewed-by in the next patchset
(assuming you have more review comments on patch 4/4 v10).

Regards,
Avi.

>
>> ---
>> v1 -> v2 : Rebased to ToT
>> v2 -> v3 : Fix email threading goof-up
>> v3 -> v4 : Address review comments & re-rebase to ToT
>> v4 -> v5 : Address more review comments. Add Reviewed-by & Tested-by.
>> v5 -> v6 : No change
>> v6 -> v7 : No change
>> v7 -> v8 : No change. Getting back in review queue
>> v8 -> v9 : Address review comments.
>> v9 -> v10: Address review comments; remove BUG_ON(&video->reqs);
>>            Rebase to ToT (usb-next)
>>
>> <snip>
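
The allocation change described in the quoted commit message, modelled in user space as an added example (this is not the patch and not kernel code): requests are allocated one at a time and linked, so each can be freed on its own instead of all at once as one array. The `struct req` type, the function names, the `in_flight` flag and the policy of skipping requests that are still owned are assumptions made for illustration.

```c
/* User-space model only; names are hypothetical, not the kernel's
 * uvc_request / usb_request API. */
#include <stdlib.h>

struct req {
    struct req *next;
    int in_flight;          /* 1 while the modelled controller owns it */
    unsigned char *buf;
};

/* Allocate n requests one at a time and link them (no single array). */
static struct req *pool_alloc(size_t n, size_t buf_len)
{
    struct req *head = NULL;
    for (size_t i = 0; i < n; i++) {
        struct req *r = calloc(1, sizeof(*r));
        if (r)
            r->buf = malloc(buf_len);
        if (!r || !r->buf) {
            free(r);
            break;          /* caller releases what was linked so far */
        }
        r->next = head;
        head = r;
    }
    return head;
}

/* Free every idle request; in-flight ones stay linked. Returns count freed. */
static size_t pool_release(struct req **head)
{
    size_t freed = 0;
    struct req **pp = head;
    while (*pp) {
        struct req *r = *pp;
        if (r->in_flight) {     /* still owned elsewhere: do not free */
            pp = &r->next;
            continue;
        }
        *pp = r->next;          /* unlink, then free this one request */
        free(r->buf);
        free(r);
        freed++;
    }
    return freed;
}

/* Number of requests still linked in the pool. */
static size_t pool_len(const struct req *head)
{
    size_t n = 0;
    for (; head; head = head->next)
        n++;
    return n;
}
```

With a single array there is only one allocation to free, so a request that is still owned cannot outlive the others; with per-request allocation the release path can leave it alone and free it later.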