Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp4169082ybh; Tue, 6 Aug 2019 07:23:24 -0700 (PDT) X-Google-Smtp-Source: APXvYqzL+T45emufo8eSFo9tSoitsomgaVBF/a6L8ouDk2U4IP9zhnoVg5PjRmNFkiaB6jldlgFN X-Received: by 2002:a17:90a:270f:: with SMTP id o15mr3530552pje.56.1565101404313; Tue, 06 Aug 2019 07:23:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565101404; cv=none; d=google.com; s=arc-20160816; b=kEKaUVWVo0Mh+TVl9/gleHALmhli1y09QeAj/EFeaGnFW2xHVj5J7ZELYFKH9Kjxs7 LB1OJLtnIGp0SU18gfcFBTulLp1zDEclaqZIf8mBsT0cMmXY7lfaQT4GQ8ABWnnOh1KI 6a/xD/qvr2IQ5YG4on3l4B/717Z8dD/R5z5Uilaum8iTpqNcU2HDJi+tAErC6Am1wWaa 9DY9cgrQ3W3LocgoQUDRrg6SYJsrBiBXBVlvbzd5XLzwjoRVT3p5r6QRUuNLvOofB4eq JwONQ5HzL7w1g3EA1w6CBwo3MBzKmjnsDsQWzAxNUJt9ljg6F2Oxvgkk4yfWkIQ+Akf3 pI5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:to:from:subject:message-id; bh=I2vZrDWjf2ZKKI2FbuddthpawebbX7jLys41UMiCguQ=; b=F8O8AP/fiWFi7QULbI19+XD0ISi/brTnG5W3Nza5RZYUipIjkP4YJxxcW6P3bQGrNu 0RtGIUL2USYzk0ZfQjvJpH/fNdgAgvgR8Vf3JiVRRTnuwf+Zrr+oG8aBLs+M/GayZAKd lwcnEzbYFrqOhAZLAUlQ77eUAY36q784A/rUX2JKLV15glj6zsZvLDqH0gH/cZMLrHea rqUhomDpdSF2dioiVoiL7CpFaeQC9uqMSzdGNgbu/fSQEP1Dn5yRB5TlcExmjAlQGqvq KCc/25gk/LHJLcT69Tqde1JlHHw19G2ODEPVRDQyHbtxyHYZ6MV1E4MnjMjf72S+lQcF RWew== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y15si49348549pfb.28.2019.08.06.07.23.08; Tue, 06 Aug 2019 07:23:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730754AbfHFOWg (ORCPT + 99 others); Tue, 6 Aug 2019 10:22:36 -0400 Received: from mx2.suse.de ([195.135.220.15]:56554 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728558AbfHFOWg (ORCPT ); Tue, 6 Aug 2019 10:22:36 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id DF08AAEEE; Tue, 6 Aug 2019 14:22:34 +0000 (UTC) Message-ID: <1565101353.8136.27.camel@suse.de> Subject: Re: possible deadlock in usb_deregister_dev From: Oliver Neukum To: syzbot , andreyknvl@google.com, syzkaller-bugs@googlegroups.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org Date: Tue, 06 Aug 2019 16:22:33 +0200 In-Reply-To: <000000000000cce142058f5d6be6@google.com> References: <000000000000cce142058f5d6be6@google.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Montag, den 05.08.2019, 04:58 -0700 schrieb syzbot: > Hello, > > syzbot found the following crash on: > > HEAD commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=13b5bc8a600000 > kernel config: https://syzkaller.appspot.com/x/.config?x=792eb47789f57810 > dashboard link: https://syzkaller.appspot.com/bug?extid=a64a382964bf6c71a9c0 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > Unfortunately, I don't have any reproducer for this crash yet. > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com #syz test: https://github.com/google/kasan.git e96407b4 From 973e82b3f583113e4d7fe5cd2f918a16022c4e38 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Tue, 6 Aug 2019 16:17:54 +0200 Subject: [PATCH] usb: iowarrior: fix deadlock on disconnect We have to drop the mutex before we close() upon disconnect() as close() needs the lock. This is safe to do by dropping the mutex as intfdata is already set to NULL, so open() will fail. Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior") Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum --- drivers/usb/misc/iowarrior.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index ba05dd80a020..f5bed9f29e56 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -866,19 +866,20 @@ static void iowarrior_disconnect(struct usb_interface *interface) dev = usb_get_intfdata(interface); mutex_lock(&iowarrior_open_disc_lock); usb_set_intfdata(interface, NULL); + /* prevent device read, write and ioctl */ + dev->present = 0; minor = dev->minor; + mutex_unlock(&iowarrior_open_disc_lock); + /* give back our minor - this will call close() locks need to be dropped at this point*/ - /* give back our minor */ usb_deregister_dev(interface, &iowarrior_class); mutex_lock(&dev->mutex); /* prevent device read, write and ioctl */ - dev->present = 0; mutex_unlock(&dev->mutex); - mutex_unlock(&iowarrior_open_disc_lock); if (dev->opened) { /* There is a process that holds a filedescriptor to the device , -- 2.16.4