From: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx> commit 9b969f93bcef9b3d9e92f1810e22bbd6c344a0e5 upstream. On uvc_video_encode_isoc_sg the mapped vb2 buffer is returned to early. Only after the last usb_request worked with the buffer it is allowed to give it back to vb2. This patch fixes that. Signed-off-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20220402232744.3622565-3-m.grzeschik@xxxxxxxxxxxxxx Cc: Dan Vacura <w36195@xxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/gadget/function/uvc.h | 1 + drivers/usb/gadget/function/uvc_queue.c | 2 -- drivers/usb/gadget/function/uvc_video.c | 11 ++++++++++- 3 files changed, 11 insertions(+), 3 deletions(-) --- a/drivers/usb/gadget/function/uvc.h +++ b/drivers/usb/gadget/function/uvc.h @@ -80,6 +80,7 @@ struct uvc_request { struct uvc_video *video; struct sg_table sgt; u8 header[UVCG_REQUEST_HEADER_LEN]; + struct uvc_buffer *last_buf; }; struct uvc_video { --- a/drivers/usb/gadget/function/uvc_queue.c +++ b/drivers/usb/gadget/function/uvc_queue.c @@ -345,8 +345,6 @@ void uvcg_complete_buffer(struct uvc_vid return; } - list_del(&buf->queue); - buf->buf.field = V4L2_FIELD_NONE; buf->buf.sequence = queue->sequence++; buf->buf.vb2_buf.timestamp = ktime_get_ns(); --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -83,6 +83,7 @@ uvc_video_encode_bulk(struct usb_request if (buf->bytesused == video->queue.buf_used) { video->queue.buf_used = 0; buf->state = UVC_BUF_STATE_DONE; + list_del(&buf->queue); uvcg_complete_buffer(&video->queue, buf); video->fid ^= UVC_STREAM_FID; @@ -154,8 +155,9 @@ uvc_video_encode_isoc_sg(struct usb_requ video->queue.buf_used = 0; buf->state = UVC_BUF_STATE_DONE; buf->offset = 0; - uvcg_complete_buffer(&video->queue, buf); + list_del(&buf->queue); video->fid ^= UVC_STREAM_FID; + ureq->last_buf = buf; } } @@ -181,6 +183,7 @@ uvc_video_encode_isoc(struct usb_request if (buf->bytesused == video->queue.buf_used) { video->queue.buf_used = 0; buf->state = UVC_BUF_STATE_DONE; + list_del(&buf->queue); uvcg_complete_buffer(&video->queue, buf); video->fid ^= UVC_STREAM_FID; } @@ -231,6 +234,11 @@ uvc_video_complete(struct usb_ep *ep, st uvcg_queue_cancel(queue, 0); } + if (ureq->last_buf) { + uvcg_complete_buffer(&video->queue, ureq->last_buf); + ureq->last_buf = NULL; + } + spin_lock_irqsave(&video->req_lock, flags); list_add_tail(&req->list, &video->req_free); spin_unlock_irqrestore(&video->req_lock, flags); @@ -298,6 +306,7 @@ uvc_video_alloc_requests(struct uvc_vide video->ureq[i].req->complete = uvc_video_complete; video->ureq[i].req->context = &video->ureq[i]; video->ureq[i].video = video; + video->ureq[i].last_buf = NULL; list_add_tail(&video->ureq[i].req->list, &video->req_free); /* req_size/PAGE_SIZE + 1 for overruns and + 1 for header */
