This is a note to let you know that I've just added the patch titled
usb: gadget: uvc: cleanup request when not in correct state
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usb-gadget-uvc-cleanup-request-when-not-in-correct-s.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 66b55ee622fc4919a127f4f02a5aa730c13fa67c
Author: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
Date: Mon Sep 11 16:05:29 2023 +0200
usb: gadget: uvc: cleanup request when not in correct state
[ Upstream commit 52a39f2cf62bb5430ad1f54cd522dbfdab1d71ba ]
The uvc_video_enable function of the uvc-gadget driver is dequeing and
immediately deallocs all requests on its disable codepath. This is not
save since the dequeue function is async and does not ensure that the
requests are left unlinked in the controller driver.
By adding the ep_free_request into the completion path of the requests
we ensure that the request will be properly deallocated.
Signed-off-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20230911140530.2995138-3-m.grzeschik@xxxxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 281e75027b344..678ed30ada2b7 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -259,6 +259,12 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
struct uvc_device *uvc = video->uvc;
unsigned long flags;
+ if (uvc->state == UVC_STATE_CONNECTED) {
+ usb_ep_free_request(video->ep, ureq->req);
+ ureq->req = NULL;
+ return;
+ }
+
switch (req->status) {
case 0:
break;
