Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1086944ybl; Wed, 14 Aug 2019 10:29:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqzROVEMYtg3ms2UflP6zMNmMhzl5R+ebHCfTv3EWQO9rN/rRKnIdHQ2lKHVmGirHhRIh4Iy X-Received: by 2002:a17:902:b418:: with SMTP id x24mr449814plr.219.1565803754956; Wed, 14 Aug 2019 10:29:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565803754; cv=none; d=google.com; s=arc-20160816; b=q5kpMKuSkV6R+0Zy4HaLs14UTU9SFCSc9z6E5Ik3f3JdQDFiVU3/YEES4+In9mMQgz X39eEA8np2M2aptY2Xq3dB8KhQ68d0ngWXzdQ1z3N/ld8hDq2v3vSELjLnh9JQztn+D/ u70UQbz9UgGmFEaX74420uu4Ujt5mZCkN4EaIqu2cGSFxpszRMCP8S9UduFNre4Fmzfy 4huvbxEYiPrK97/4RjvQTncH1CLuDsAPVE+Lt+tvcNuOWzSl7+kmq+GW7LJXcCTp/erQ qpQnomLKRCQbI2EYtuJBMiU/ZOR9N5BOYAEC9wNwoaMHDyVYIx0WjSaloeTa1/uhZwr3 XA7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ZfyzK7TwkIUOQRA807MN8Q1CIYICNoHsizWX67rEcKg=; b=K5qcyaXkezEOhffJDNko8EwTy57tp3fQPnAl0M8Z5LMURBvle1wBu8iT2tgpCBCbON F8ktOEbfGgagmZV4BXcxpXSoJV+2BBSR1qSqVGey4icyMJEKVIgVQYKQL+OCNZS33ilQ CmXEIRAu+bu1atIo4zJpOpuT0QIU2KSbC7H3slUL8PzSC5poJaghX5qYrix8rJMnLysu xHWPyMp1ThTimkVM9hk0QBnenMaiBD5NCKBOe/d/+zpYqxstpxHF54CXVHi0+Foo4Oxq ghdLRVUnbXQSy4B84UJANiiOt9HS+u4Z/Flgng5oxC8sC7LbW6mprqyHGD9xTDKsSMCF Qo8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Te1suyDR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cj2si277964plb.190.2019.08.14.10.28.59; Wed, 14 Aug 2019 10:29:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Te1suyDR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728719AbfHNRCn (ORCPT + 99 others); Wed, 14 Aug 2019 13:02:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:51194 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728692AbfHNRCl (ORCPT ); Wed, 14 Aug 2019 13:02:41 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 575C7214DA; Wed, 14 Aug 2019 17:02:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1565802160; bh=UA/Qg49npwevYF1Z6UcRLmqGtITlBDjcFMc7R9mYah0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Te1suyDRFMfESLN9I7iG77033oPjfw75eY3NikL9Z+EXhFrKDo9xk9jlc/JjQR/6P 2Cu+pRDukuxUXx4AdkI0qrPUQ/gGs0GOcUnFVGK3Efa7LNUtUqShfmdptPQWiwlzyV y5zK1QNmEaMma5w2WStAVRVgMR5iDUSTBpt2gR9g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com, Oliver Neukum Subject: [PATCH 5.2 018/144] usb: iowarrior: fix deadlock on disconnect Date: Wed, 14 Aug 2019 18:59:34 +0200 Message-Id: <20190814165800.645010340@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190814165759.466811854@linuxfoundation.org> References: <20190814165759.466811854@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Oliver Neukum commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream. We have to drop the mutex before we close() upon disconnect() as close() needs the lock. This is safe to do by dropping the mutex as intfdata is already set to NULL, so open() will fail. Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior") Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com Cc: stable Signed-off-by: Oliver Neukum Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/iowarrior.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -866,19 +866,20 @@ static void iowarrior_disconnect(struct dev = usb_get_intfdata(interface); mutex_lock(&iowarrior_open_disc_lock); usb_set_intfdata(interface, NULL); + /* prevent device read, write and ioctl */ + dev->present = 0; minor = dev->minor; + mutex_unlock(&iowarrior_open_disc_lock); + /* give back our minor - this will call close() locks need to be dropped at this point*/ - /* give back our minor */ usb_deregister_dev(interface, &iowarrior_class); mutex_lock(&dev->mutex); /* prevent device read, write and ioctl */ - dev->present = 0; mutex_unlock(&dev->mutex); - mutex_unlock(&iowarrior_open_disc_lock); if (dev->opened) { /* There is a process that holds a filedescriptor to the device ,