Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp838045ybc; Sat, 23 Nov 2019 09:21:31 -0800 (PST) X-Google-Smtp-Source: APXvYqwHYzDMHYxAEchTQsF3DwT/CuWWFKg7rHDLWchFqYTtCAbBVEsp/b5BgTzwToHEdqCooRWk X-Received: by 2002:aa7:c887:: with SMTP id p7mr8145609eds.268.1574529691835; Sat, 23 Nov 2019 09:21:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574529691; cv=none; d=google.com; s=arc-20160816; b=qWt8LCxbp4eR/PyYvOUtmWEcvq6kn+PlNos5tackW3+NXT8y72CrZJyRdap6679gEl XTBw12/IJjB2ATb1soB3bs/laN4VNoPZ7Do+WVvhOyb/EUR573lY1RJZJ/CWX6WVfObK svMBmXaiScYB3eQcwwTnkKsBuf1le9lS+zdLHl2bfgGtYnEEG0NSaXWeeYJm6u3L+Tlc XsKPiJECXZaWxRcPyQtLFxNtGUP7AoC6gXzTsikrfXpAUvFI7wtL0BrIOR9HzStEW34t HWs01pncARMRzjnsC7T2ptYt12eKxUz3l2fWSu2SuaN/vrK+rTMQVB3gGY/jf2q/Y4t8 2szA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=vp+E6zpgINdLXXJfppdNSRFbSGAMdH5QZngwaN/+m/w=; b=gJ7ETox8U+tgR4M82qVfyFPZ5R31bxlAGPKHFQo4WabLk5zQHOSBfO2toVGyVXG+Is UI9sFWcy6UZk66snrpEWQXGO+xAdBz9hSYQo8kT/D7Ptw7MWisd4teDXoXyp2eeXu1Zq ymBiVq/ZbVIaiUVkoIC2iDFWlHZqIVAIZEHI0tZrnd0WnLngV1Mv0r6uFBNGGrNJRAyh bNfViGHxDE1H5xuWTs6iDdripK8NkW6/+zGrjOwEIGagGaa9QR/4OQ9s4a0a03u860P5 ZRpc96Q16wwOPxdMu4bEtdkkb2iZLyJxzHXv5y4wF46KsVL1U/bjeegJDvt9rWHR2e+T xopw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m45si1306162edc.153.2019.11.23.09.21.06; Sat, 23 Nov 2019 09:21:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726830AbfKWRSP (ORCPT + 99 others); Sat, 23 Nov 2019 12:18:15 -0500 Received: from netrider.rowland.org ([192.131.102.5]:33537 "HELO netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1726705AbfKWRSP (ORCPT ); Sat, 23 Nov 2019 12:18:15 -0500 Received: (qmail 23030 invoked by uid 500); 23 Nov 2019 12:18:14 -0500 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 23 Nov 2019 12:18:14 -0500 Date: Sat, 23 Nov 2019 12:18:14 -0500 (EST) From: Alan Stern X-X-Sender: stern@netrider.rowland.org To: syzbot cc: arnd@arndb.de, , , , , , , , , , Subject: Re: Re: possible deadlock in mon_bin_vma_fault In-Reply-To: <000000000000c789960597f6b88b@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 22 Nov 2019, syzbot wrote: > > #syz test: linux-4.19.y f6e27dbb1afa > > "linux-4.19.y" does not look like a valid git repo address. Let's try again. The "git tree" value in the original bug report was "upstream", so I'll use that even though it doesn't look like a valid git repo address either. Alan Stern #syz test: upstream f6e27dbb1afa commit 5252eb4c8297fedbf1c5f1e67da44efe00e6ef6b Author: Pete Zaitcev Date: Thu Nov 21 17:24:00 2019 -0600 usb: Fix a deadlock in usbmon between mmap and read Signed-off-by: Pete Zaitcev Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c index ac2b4fcc265f..f48a23adbc35 100644 --- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1039,12 +1039,18 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg mutex_lock(&rp->fetch_lock); spin_lock_irqsave(&rp->b_lock, flags); - mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); - kfree(rp->b_vec); - rp->b_vec = vec; - rp->b_size = size; - rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; - rp->cnt_lost = 0; + if (rp->mmap_active) { + mon_free_buff(vec, size/CHUNK_SIZE); + kfree(vec); + ret = -EBUSY; + } else { + mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); + kfree(rp->b_vec); + rp->b_vec = vec; + rp->b_size = size; + rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; + rp->cnt_lost = 0; + } spin_unlock_irqrestore(&rp->b_lock, flags); mutex_unlock(&rp->fetch_lock); } @@ -1216,13 +1222,21 @@ mon_bin_poll(struct file *file, struct poll_table_struct *wait) static void mon_bin_vma_open(struct vm_area_struct *vma) { struct mon_reader_bin *rp = vma->vm_private_data; + unsigned long flags; + + spin_lock_irqsave(&rp->b_lock, flags); rp->mmap_active++; + spin_unlock_irqrestore(&rp->b_lock, flags); } static void mon_bin_vma_close(struct vm_area_struct *vma) { + unsigned long flags; + struct mon_reader_bin *rp = vma->vm_private_data; + spin_lock_irqsave(&rp->b_lock, flags); rp->mmap_active--; + spin_unlock_irqrestore(&rp->b_lock, flags); } /* @@ -1234,16 +1248,12 @@ static vm_fault_t mon_bin_vma_fault(struct vm_fault *vmf) unsigned long offset, chunk_idx; struct page *pageptr; - mutex_lock(&rp->fetch_lock); offset = vmf->pgoff << PAGE_SHIFT; - if (offset >= rp->b_size) { - mutex_unlock(&rp->fetch_lock); + if (offset >= rp->b_size) return VM_FAULT_SIGBUS; - } chunk_idx = offset / CHUNK_SIZE; pageptr = rp->b_vec[chunk_idx].pg; get_page(pageptr); - mutex_unlock(&rp->fetch_lock); vmf->page = pageptr; return 0; }