Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1079995ybl; Wed, 14 Aug 2019 10:22:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqyARJH3z5Os2hu3y3Fse1mevcCe0H5jrO28D0u/2RkOb06rNOaFgGGik33+TWZE0ffduMJ2 X-Received: by 2002:a65:518a:: with SMTP id h10mr219041pgq.117.1565803330246; Wed, 14 Aug 2019 10:22:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565803330; cv=none; d=google.com; s=arc-20160816; b=s0eQodfWc42ImElTQih9KettF+tkmSz2x7vzFc7mdbrTXuiNnDk+NGxxFTz0oYMxbQ 2mj6rE/a+T7E4yJhouGXPBNcxu+Z2q/yVcbfDdJwnAdPRfmxyUxRNmVxI3unC+thXqHm 7S+m9tjIUgPbmWfwgRmx/TRwuhPzXiOmMOMLGNFHYAugcq0vTWjy9Eev11Cb4/2KsUpD jOTK+Do3U0WywSaWKcjbGej5TycxLW/k1ShINMY7WDzkaTvKtUY5ikyfOr5gmvd4ndCl qjY8jOMyLCVCp0sKsxqqq+6AKmfeG0RI79RhMnYd7OTkaRzaYc2DujqLE/iHy9R0Yrfy FSYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ZfyzK7TwkIUOQRA807MN8Q1CIYICNoHsizWX67rEcKg=; b=IdXUGO8ETb/iBd8zx5vss+dWK/2DyesRDLvNknuro2gDngGnaKmcDXGYm0/ZWbPHmW 1d1pvfew5aeEHm3R/+FATramWjlPHZdjmc2OZZvLBnIlwzCUU8gi8irZ/y1EStELYmf+ Kp2N6g0S5InxioACO9gbz3PsskIJlsBIRyPViVxBS3MDjadJVmOKRZne10weFONTsvg+ QAHjfwkBTnizEm8yH/FCb4BTFfZzvyeFAiidTsmQX0wRSc/cACNoVPPsG90zuR0FdKmi 6rggwAcEonIZRjafWZAxJonG4lnjQjlu5xsX4jzQixJnhCkYCYn8His+vkzgFVrzc2MG DKeQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wOsdVI1v; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 7si259215pll.330.2019.08.14.10.21.54; Wed, 14 Aug 2019 10:22:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wOsdVI1v; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729988AbfHNRJt (ORCPT + 99 others); Wed, 14 Aug 2019 13:09:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:60288 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730388AbfHNRJp (ORCPT ); Wed, 14 Aug 2019 13:09:45 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9D5C52084D; Wed, 14 Aug 2019 17:09:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1565802585; bh=UA/Qg49npwevYF1Z6UcRLmqGtITlBDjcFMc7R9mYah0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wOsdVI1vw2KZeL5235jZMQY9vhSd2l1xd29oOTdfcL4QWAr/z0vipVeEX17U8YirY mnkaBroDDr+e9jiUbPz2zJvEsbPUtcffgRwp0st/4KcmsGJrbqel6yHcii1O8tSsrg Qg+JOPALcn4xMBSKqgoHfHORHeHFeUCiQe1nOaZQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com, Oliver Neukum Subject: [PATCH 4.19 09/91] usb: iowarrior: fix deadlock on disconnect Date: Wed, 14 Aug 2019 19:00:32 +0200 Message-Id: <20190814165749.924852896@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190814165748.991235624@linuxfoundation.org> References: <20190814165748.991235624@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Oliver Neukum commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream. We have to drop the mutex before we close() upon disconnect() as close() needs the lock. This is safe to do by dropping the mutex as intfdata is already set to NULL, so open() will fail. Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior") Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com Cc: stable Signed-off-by: Oliver Neukum Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/iowarrior.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -866,19 +866,20 @@ static void iowarrior_disconnect(struct dev = usb_get_intfdata(interface); mutex_lock(&iowarrior_open_disc_lock); usb_set_intfdata(interface, NULL); + /* prevent device read, write and ioctl */ + dev->present = 0; minor = dev->minor; + mutex_unlock(&iowarrior_open_disc_lock); + /* give back our minor - this will call close() locks need to be dropped at this point*/ - /* give back our minor */ usb_deregister_dev(interface, &iowarrior_class); mutex_lock(&dev->mutex); /* prevent device read, write and ioctl */ - dev->present = 0; mutex_unlock(&dev->mutex); - mutex_unlock(&iowarrior_open_disc_lock); if (dev->opened) { /* There is a process that holds a filedescriptor to the device ,