Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp6926907ybh; Thu, 8 Aug 2019 07:46:02 -0700 (PDT) X-Google-Smtp-Source: APXvYqxGCfAv6ElFdyF0b/cy/VAM5aLjHXbsopONzSVRgE7d5nhEPd3TbR7/cQ60GxVQFlRzYfF2 X-Received: by 2002:aa7:8b55:: with SMTP id i21mr15934110pfd.155.1565275562814; Thu, 08 Aug 2019 07:46:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565275562; cv=none; d=google.com; s=arc-20160816; b=N+4DIOiz4gnf80h8J6Iz2N9a2LFvJQcWfowcfMCqXK1Gx2jyhp01ymUxYoE1Budylw BOOpljvKS99qTo42LRYlTYswFmLwKMWuRxrAos7A0hixkK3jG3NtDQ5/T1atE4GvtqyP 5TiVe3j3rLsV/pUQs+ebCLpQAUCXckl5MLQEYoI4eqOizWB5IQ+9wbFk2JdoEP+HexIn ZMT0TkzQfrFmdcuQtjKwXpnCaZVRN0zGF8IU7YXOiCv2heXzeq9trE1kr7T7Einte5TB 9nwJp0YqY6+3JVOKInYF6of75FXzNmynLfiDjfRJ2N0siWSIcvKkiVdFCP90eNK42N1v WJXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=ery/8JOuxtfMq+997gLuixOu9Kzm0qZPa0qj2ihavNQ=; b=C+y/YLosQrfcCdnPEWKjLuroiG+dwnrRszFpuzro3tKMkjEzTnAdUoLYS8c5qbZ1dN eJq6SrXZUOSXlA9GP7rXvdnmwaICDYLYlqMi3Yq3oAc7Bth6YyLpq3hEicSSEb/otKLV izwc4PbFH3LMTWKWTQH0uTwlSV2b6OwT2gTzvV7Q/CbdV7uHCEWWvaPMx6zUf4m2npDV gVtaVtR3O60+avcw+VrtL9rYAiLnsBAUOdYuxmHGGrtZzN9zfqlZyxqjAmJj6IMviTyM knRXOhBDpfzs1LRTSDccJFkBsg3GR8pdZ65are2eK4XIupjVzinrTB57SRwTgvgY4f1L Gmkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=r3sjBSxl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l8si3861292pgi.347.2019.08.08.07.45.46; Thu, 08 Aug 2019 07:46:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=r3sjBSxl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732774AbfHHOoc (ORCPT + 99 others); Thu, 8 Aug 2019 10:44:32 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:36262 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730170AbfHHOob (ORCPT ); Thu, 8 Aug 2019 10:44:31 -0400 Received: by mail-pg1-f195.google.com with SMTP id l21so44178210pgm.3 for ; Thu, 08 Aug 2019 07:44:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ery/8JOuxtfMq+997gLuixOu9Kzm0qZPa0qj2ihavNQ=; b=r3sjBSxlIRVNM3p0qxMQNO5BC+O2DsWYch1Y05KnQn/ZjQLQz6ylRSrUSQjwGE43gh oXr/vlDORE6L0YRx1csiwZ9EstQVA1JG/XUpyqwfIcvJnmgW/3I0iw2CU4joPoLEOmxT r7UGKaHHpPXXtUcZ+5QYqzgfsnVXT2Zvl1bRBbsVjMNoNuC/F18u+IzLi/3x1FnkAKoL D9W+cw7fQ5YttHjXycEbfZVZmoZaR4P8sMC0s4IUc78tOn9vXmC4KcdcAj//+4xGtCwT q7+oJ0LlaUBL7Xg8aS0qqHThUrvTpcI8rbykNacS+mpdaqVqcV1JVnfoZ9rgmpHoRlVL hc7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ery/8JOuxtfMq+997gLuixOu9Kzm0qZPa0qj2ihavNQ=; b=cc6s/HstLmk2vpv9mRfEydQ0ZdBAgmvXKZeN6nvSIWwLD6xC/jrg4FLJqUxIGhfSEA ExI+I/gJvnoDdmXOUVfBnjDwvQ1UMmJCuozXEpHLiATMBTRJwrHZoO0eKXWF1q0u3owL QBBn5u46BmKLbdNqWja1HDOzaOWedD6dfwnFOtGzirbgT6tOowxy+rkA85qC9YwERYhq aL+ZFGea8zFZALui9QpZOGw2dP5e7iK9zr6nKV2B/tr1A2kOoHpta8nm9RvaDItJWh/a sv270DBVt/70vzgvVbUnfyNfp9mG419m7G88mRUlyDFN24XeBU+OFOKlb4LFw9Liw9+X YPEQ== X-Gm-Message-State: APjAAAVImphiKkAiXt2NF0bnl25LNKmevanCRcFRqtOPgkYMyAzsrIdx bNHWLT/va5qlMoXw4sOIxXVL2u6UlVl7v+LtShpkUA== X-Received: by 2002:a63:c442:: with SMTP id m2mr13337853pgg.286.1565275469838; Thu, 08 Aug 2019 07:44:29 -0700 (PDT) MIME-Version: 1.0 References: <1565187142.15973.3.camel@neukum.org> In-Reply-To: From: Andrey Konovalov Date: Thu, 8 Aug 2019 16:44:18 +0200 Message-ID: Subject: Re: possible deadlock in open_rio To: Alan Stern Cc: Oliver Neukum , syzkaller-bugs , Greg Kroah-Hartman , syzbot , Kernel development list , USB list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 8, 2019 at 4:33 PM Alan Stern wrote: > > On Wed, 7 Aug 2019, Oliver Neukum wrote: > > > Am Mittwoch, den 07.08.2019, 10:07 -0400 schrieb Alan Stern: > > > On Wed, 7 Aug 2019, Oliver Neukum wrote: > > > > > technically yes. However in practical terms the straight revert I sent > > > > out yesterday should fix it. > > > > > > I didn't see the revert, and it doesn't appear to have reached the > > > mailing list archive. Can you post it again? > > > > As soon as our VPN server is back up again. > > The revert may not be necessay; a little fix should get rid of the > locking violation. The key is to avoid calling the registration or > deregistration routines while holding the rio500_mutex, and to > recognize that the probe and disconnect routines are both protected by > the device mutex. > > How does this patch look? > > Alan Stern > > > #syz test: https://github.com/google/kasan.git 7f7867ff There's no reproducer yet (it should appear at some point, I've enabled fuzzing of USB char devices). I've tested your patch manually and the deadlock report is gone. Thanks! Tested-by: Andrey Konovalov > > Index: usb-devel/drivers/usb/misc/rio500.c > =================================================================== > --- usb-devel.orig/drivers/usb/misc/rio500.c > +++ usb-devel/drivers/usb/misc/rio500.c > @@ -454,52 +454,54 @@ static int probe_rio(struct usb_interfac > { > struct usb_device *dev = interface_to_usbdev(intf); > struct rio_usb_data *rio = &rio_instance; > - int retval = 0; > + int retval; > + char *ibuf, *obuf; > > - mutex_lock(&rio500_mutex); > if (rio->present) { > dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum); > - retval = -EBUSY; > - goto bail_out; > - } else { > - dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); > + return -EBUSY; > } > + dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); > > retval = usb_register_dev(intf, &usb_rio_class); > if (retval) { > dev_err(&dev->dev, > "Not able to get a minor for this device.\n"); > - retval = -ENOMEM; > - goto bail_out; > + goto err_register; > } > > - rio->rio_dev = dev; > - > - if (!(rio->obuf = kmalloc(OBUF_SIZE, GFP_KERNEL))) { > + obuf = kmalloc(OBUF_SIZE, GFP_KERNEL); > + if (!obuf) { > dev_err(&dev->dev, > "probe_rio: Not enough memory for the output buffer\n"); > - usb_deregister_dev(intf, &usb_rio_class); > - retval = -ENOMEM; > - goto bail_out; > + goto err_obuf; > } > - dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf); > + dev_dbg(&intf->dev, "obuf address: %p\n", obuf); > > - if (!(rio->ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL))) { > + ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL); > + if (!ibuf) { > dev_err(&dev->dev, > "probe_rio: Not enough memory for the input buffer\n"); > - usb_deregister_dev(intf, &usb_rio_class); > - kfree(rio->obuf); > - retval = -ENOMEM; > - goto bail_out; > + goto err_ibuf; > } > - dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf); > + dev_dbg(&intf->dev, "ibuf address: %p\n", ibuf); > > + mutex_lock(&rio500_mutex); > + rio->rio_dev = dev; > + rio->ibuf = ibuf; > + rio->obuf = obuf; > usb_set_intfdata (intf, rio); > rio->present = 1; > -bail_out: > mutex_unlock(&rio500_mutex); > > return retval; > + > + err_ibuf: > + kfree(obuf); > + err_obuf: > + usb_deregister_dev(intf, &usb_rio_class); > + err_register: > + return -ENOMEM; > } > > static void disconnect_rio(struct usb_interface *intf) > @@ -507,10 +509,10 @@ static void disconnect_rio(struct usb_in > struct rio_usb_data *rio = usb_get_intfdata (intf); > > usb_set_intfdata (intf, NULL); > - mutex_lock(&rio500_mutex); > if (rio) { > usb_deregister_dev(intf, &usb_rio_class); > > + mutex_lock(&rio500_mutex); > if (rio->isopen) { > rio->isopen = 0; > /* better let it finish - the release will do whats needed */ > @@ -524,8 +526,8 @@ static void disconnect_rio(struct usb_in > dev_info(&intf->dev, "USB Rio disconnected.\n"); > > rio->present = 0; > + mutex_unlock(&rio500_mutex); > } > - mutex_unlock(&rio500_mutex); > } > > static const struct usb_device_id rio_table[] = { >