From 427210e44019c8fe7b1e4a77eb3d661273199a67 Mon Sep 17 00:00:00 2001 From: Avichal Rakesh Date: Thu, 4 Jan 2024 13:50:09 -0800 Subject: [PATCH] UPSTREAM: usb: gadget: uvc: Remove nested locking When handling error status from uvcg_video_usb_req_queue, uvc_video_complete currently calls uvcg_queue_cancel with video->req_lock held. uvcg_queue_cancel internally locks queue->irqlock, which nests queue->irqlock inside video->req_lock. This isn't a functional bug at the moment, but does open up possibilities for ABBA deadlocks in the future. This patch fixes the accidental nesting by dropping video->req_lock before calling uvcg_queue_cancel. Fixes: 6acba0345b68 ("usb:gadget:uvc Do not use worker thread to pump isoc usb requests") Signed-off-by: Avichal Rakesh Link: https://lore.kernel.org/r/20240104215009.2252452-2-arakesh@google.com Signed-off-by: Greg Kroah-Hartman Bug: 314338409 (cherry picked from commit 9866dc4314c6c858e451933f965d64532aec00a9) Change-Id: If25fba6661d55cd972d76068750f3b445c8360aa Signed-off-by: Avichal Rakesh --- drivers/usb/gadget/function/uvc_video.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c index 7f18dc471be3..dd3241fc6939 100644 --- a/drivers/usb/gadget/function/uvc_video.c +++ b/drivers/usb/gadget/function/uvc_video.c @@ -469,13 +469,15 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) * Put request back in req_free for it to be cleaned * up later. */ - uvcg_queue_cancel(queue, 0); list_add_tail(&to_queue->list, &video->req_free); } } else { uvc_video_free_request(ureq, ep); + ret = 0; } spin_unlock_irqrestore(&video->req_lock, flags); + if (ret < 0) + uvcg_queue_cancel(queue, 0); } static int