Date: Thu, 08 Aug 2019 07:33:24 -0700
Message-ID: <000000000000b7c096058f9bf071@google.com>
Subject: Re: Re: possible deadlock in open_rio
From: syzbot
To: Alan Stern
Cc: andreyknvl@google.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, oliver@neukum.org, stern@rowland.harvard.edu, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org

> On Wed, 7 Aug 2019, Oliver Neukum wrote:

>> On Wednesday, 07.08.2019, at 10:07 -0400, Alan Stern wrote:
>> > On Wed, 7 Aug 2019, Oliver Neukum wrote:
>> > > technically yes. However in practical terms the straight revert I sent
>> > > out yesterday should fix it.
>> >
>> > I didn't see the revert, and it doesn't appear to have reached the
>> > mailing list archive. Can you post it again?

>> As soon as our VPN server is back up again.

> The revert may not be necessary; a little fix should get rid of the
> locking violation. The key is to avoid calling the registration or
> deregistration routines while holding the rio500_mutex, and to
> recognize that the probe and disconnect routines are both protected by
> the device mutex.

> How does this patch look?

> Alan Stern

> #syz test: https://github.com/google/kasan.git 7f7867ff

This crash does not have a reproducer. I cannot test it.

> Index: usb-devel/drivers/usb/misc/rio500.c > =================================================================== > --- usb-devel.orig/drivers/usb/misc/rio500.c > +++ usb-devel/drivers/usb/misc/rio500.c 
> @@ -454,52 +454,54 @@ static int probe_rio(struct usb_interfac > { > struct usb_device *dev = interface_to_usbdev(intf); > struct rio_usb_data *rio = &rio_instance; > - int retval = 0; > + int retval; > + char *ibuf, *obuf; > - mutex_lock(&rio500_mutex); > if (rio->present) { > dev_info(&intf->dev, "Second USB Rio at address %d refused\n", > dev->devnum); > - retval = -EBUSY; > - goto bail_out; > - } else { > - dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); > + return -EBUSY; > } > + dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); > retval = usb_register_dev(intf, &usb_rio_class); > if (retval) { > dev_err(&dev->dev, > "Not able to get a minor for this device.\n"); > - retval = -ENOMEM; > - goto bail_out; > + goto err_register; > } > - rio->rio_dev = dev; > - > - if (!(rio->obuf = kmalloc(OBUF_SIZE, GFP_KERNEL))) { > + obuf = kmalloc(OBUF_SIZE, GFP_KERNEL); > + if (!obuf) { > dev_err(&dev->dev, > "probe_rio: Not enough memory for the output buffer\n"); > - usb_deregister_dev(intf, &usb_rio_class); > - retval = -ENOMEM; > - goto bail_out; > + goto err_obuf; > } > - dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf); > + dev_dbg(&intf->dev, "obuf address: %p\n", obuf); > - if (!(rio->ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL))) { > + ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL); > + if (!ibuf) { > dev_err(&dev->dev, > "probe_rio: Not enough memory for the input buffer\n"); > - usb_deregister_dev(intf, &usb_rio_class); > - kfree(rio->obuf); > - retval = -ENOMEM; > - goto bail_out; > + goto err_ibuf; > } > - dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf); > + dev_dbg(&intf->dev, "ibuf address: %p\n", ibuf); > + mutex_lock(&rio500_mutex); > + rio->rio_dev = dev; > + rio->ibuf = ibuf; > + rio->obuf = obuf; > usb_set_intfdata (intf, rio); > rio->present = 1; > -bail_out: > mutex_unlock(&rio500_mutex); > return retval; > + > + err_ibuf: > + kfree(obuf); > + err_obuf: > + usb_deregister_dev(intf, &usb_rio_class); > + err_register: > + 
return -ENOMEM; > } > static void disconnect_rio(struct usb_interface *intf) > @@ -507,10 +509,10 @@ static void disconnect_rio(struct usb_in > struct rio_usb_data *rio = usb_get_intfdata (intf); > usb_set_intfdata (intf, NULL); > - mutex_lock(&rio500_mutex); > if (rio) { > usb_deregister_dev(intf, &usb_rio_class); > + mutex_lock(&rio500_mutex); > if (rio->isopen) { > rio->isopen = 0; > /* better let it finish - the release will do whats needed */ > @@ -524,8 +526,8 @@ static void disconnect_rio(struct usb_in > dev_info(&intf->dev, "USB Rio disconnected.\n"); > rio->present = 0; > + mutex_unlock(&rio500_mutex); > } > - mutex_unlock(&rio500_mutex); > } > static const struct usb_device_id rio_table[] = {
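Review bot: in probe_rio() the `if (rio->present)` test now runs before rio500_mutex is taken, while `rio->present = 1` is still set under the mutex at the end of the function, so the test and the set are no longer one atomic step. The patch relies on the device mutex here, but that lock is per device; if two Rio units can be probed concurrently, both can pass the test, both will call usb_register_dev(), and the second will overwrite rio->ibuf and rio->obuf in the single rio_instance. Consider claiming the slot under rio500_mutex first (for example with a separate "probing" flag), dropping the mutex, and only then registering, with the error paths releasing the claim. Separately, err_register returns -ENOMEM and discards the retval that usb_register_dev() produced; returning retval on that path would keep the real error code.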
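Review bot: the call order in disconnect_rio(), usb_deregister_dev() first and `mutex_lock(&rio500_mutex)` only afterwards, needs a comment saying that deregistration must not happen with rio500_mutex held. The whole fix depends on that ordering, and without a note a later cleanup could move the lock back to the top of the function and reintroduce the locking violation. The same comment is worth adding above usb_register_dev() in probe_rio(), which is now also called outside the mutex.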