Date: Thu, 08 Aug 2019 07:33:25 -0700
Message-ID: <000000000000bef340058f9bf02b@google.com>
Subject: Re: Re: possible deadlock in open_rio
From: syzbot
To: Alan Stern
Cc: andreyknvl@google.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, oliver@neukum.org, stern@rowland.harvard.edu, syzkaller-bugs@googlegroups.com

> On Wed, 7 Aug 2019, Oliver Neukum wrote:
>
>> On Wednesday, 07.08.2019, at 10:07 -0400, Alan Stern wrote:
>> > On Wed, 7 Aug 2019, Oliver Neukum wrote:
>> > > technically yes. However in practical terms the straight revert I sent
>> > > out yesterday should fix it.
>> >
>> > I didn't see the revert, and it doesn't appear to have reached the
>> > mailing list archive. Can you post it again?
>>
>> As soon as our VPN server is back up again.
>
> The revert may not be necessary; a little fix should get rid of the
> locking violation. The key is to avoid calling the registration or
> deregistration routines while holding the rio500_mutex, and to
> recognize that the probe and disconnect routines are both protected by
> the device mutex.
>
> How does this patch look?
>
> Alan Stern
>
> #syz test: https://github.com/google/kasan.git 7f7867ff

This crash does not have a reproducer. I cannot test it.

> Index: usb-devel/drivers/usb/misc/rio500.c > =================================================================== > --- usb-devel.orig/drivers/usb/misc/rio500.c > +++ usb-devel/drivers/usb/misc/rio500.c 
> @@ -454,52 +454,54 @@ static int probe_rio(struct usb_interfac > { > struct usb_device *dev = interface_to_usbdev(intf); > struct rio_usb_data *rio = &rio_instance; > - int retval = 0; > + int retval; > + char *ibuf, *obuf; > - mutex_lock(&rio500_mutex); > if (rio->present) { > dev_info(&intf->dev, "Second USB Rio at address %d refused\n", > dev->devnum); > - retval = -EBUSY; > - goto bail_out; > - } else { > - dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); > + return -EBUSY; > } > + dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); > retval = usb_register_dev(intf, &usb_rio_class); > if (retval) { > dev_err(&dev->dev, > "Not able to get a minor for this device.\n"); > - retval = -ENOMEM; > - goto bail_out; > + goto err_register; > } > - rio->rio_dev = dev; > - > - if (!(rio->obuf = kmalloc(OBUF_SIZE, GFP_KERNEL))) { > + obuf = kmalloc(OBUF_SIZE, GFP_KERNEL); > + if (!obuf) { > dev_err(&dev->dev, > "probe_rio: Not enough memory for the output buffer\n"); > - usb_deregister_dev(intf, &usb_rio_class); > - retval = -ENOMEM; > - goto bail_out; > + goto err_obuf; > } > - dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf); > + dev_dbg(&intf->dev, "obuf address: %p\n", obuf); > - if (!(rio->ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL))) { > + ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL); > + if (!ibuf) { > dev_err(&dev->dev, > "probe_rio: Not enough memory for the input buffer\n"); > - usb_deregister_dev(intf, &usb_rio_class); > - kfree(rio->obuf); > - retval = -ENOMEM; > - goto bail_out; > + goto err_ibuf; > } > - dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf); > + dev_dbg(&intf->dev, "ibuf address: %p\n", ibuf); > + mutex_lock(&rio500_mutex); > + rio->rio_dev = dev; > + rio->ibuf = ibuf; > + rio->obuf = obuf; > usb_set_intfdata (intf, rio); > rio->present = 1; > -bail_out: > mutex_unlock(&rio500_mutex); > return retval; > + > + err_ibuf: > + kfree(obuf); > + err_obuf: > + usb_deregister_dev(intf, &usb_rio_class); > + err_register: > + 
return -ENOMEM; > } > static void disconnect_rio(struct usb_interface *intf) > @@ -507,10 +509,10 @@ static void disconnect_rio(struct usb_in > struct rio_usb_data *rio = usb_get_intfdata (intf); > usb_set_intfdata (intf, NULL); > - mutex_lock(&rio500_mutex); > if (rio) { > usb_deregister_dev(intf, &usb_rio_class); > + mutex_lock(&rio500_mutex); > if (rio->isopen) { > rio->isopen = 0; > /* better let it finish - the release will do whats needed */ > @@ -524,8 +526,8 @@ static void disconnect_rio(struct usb_in > dev_info(&intf->dev, "USB Rio disconnected.\n"); > rio->present = 0; > + mutex_unlock(&rio500_mutex); > } > - mutex_unlock(&rio500_mutex); > } > static const struct usb_device_id rio_table[] = {
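Review bot: In the probe_rio hunk (@@ -454), the `if (rio->present)` test now runs before `mutex_lock(&rio500_mutex)`, while `rio->present = 1` is only set later under the lock, and `rio` points at the single shared `rio_instance`. The device mutex named in the description is per device, so if two Rio interfaces can be probed at the same time, both can pass the check and the second assignment overwrites rio->ibuf and rio->obuf. Either repeat the present test after taking rio500_mutex (freeing the buffers and deregistering if it fails) or add a comment explaining why probes cannot overlap. Two smaller points in the same hunk: the minor is registered before rio->present is set and no longer under the mutex, so confirm that open_rio (not shown here) rejects an open while present is 0; and err_register returns -ENOMEM instead of the retval that usb_register_dev produced, which could be propagated.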
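Review bot: In disconnect_rio (@@ -507 and @@ -524), the ordering rule that justifies moving `mutex_lock(&rio500_mutex)` below `usb_deregister_dev(intf, &usb_rio_class)` is not recorded anywhere in the code. Add a short comment at the lock site saying that rio500_mutex must not be held across usb_register_dev or usb_deregister_dev, so that a later cleanup does not move the lock back to the top of the function. The lines between the two hunks are not visible here; check that no path between the new mutex_lock and the new mutex_unlock returns early.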