Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp2098641ybc; Sun, 24 Nov 2019 12:58:53 -0800 (PST) X-Google-Smtp-Source: APXvYqztbwkQ+FIIwFIZKmIhHFZ6Ddbl2bzRwoNGm2de3cojxMR9CK/LBE4u+1r44aEXGIP9jn1+ X-Received: by 2002:a05:6402:651:: with SMTP id u17mr14647021edx.142.1574629133658; Sun, 24 Nov 2019 12:58:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574629133; cv=none; d=google.com; s=arc-20160816; b=ZjEv532hWOXkk8ULND7RthY3K5nYC/Coh4sa+2pspTr7gQ7yQrdnFMhOS+B4hPTgCi bVP5IQC2M44Y8DPrv7D4FEBfTWFcfoOmfC9e18NxSjhPe53PB7K0wd4tygpQbL/FXXrN +IiKvG5of5+jhWv+//06wKZUy9OoBFlH/3Z6lWzWCBRAhKQgMh1ZepPq8PMfPZt2LulA dhXPckuSGNVjnycJvC+NMbpBCFWwV3D3GVHWAc4xBNk8/eMFuawK2yBGuIOuTYDEMsCz QWFNl/U/8ZP0Kgzp85FIfakk2Nzh/9P+P7QnLjgX8iaLFghH0c3Jp/5t3FyEIRUrUVGx iw7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=5DsLAqdUmxOadirVJjSAHaydKCNFJbLegWintMmjKxk=; b=EXsyrIPWETk1ykVNtzv1TSHVOQ8lDMZhPa37tZ3ZOBVLeLaM/tv/Cstott9uiC2lRN G/TIF+XBEO9tbgGwu0zhne1NFPlvAv6HU+0luC9BPsxFtr5tMlaayteroISOGtEpkAUg hZ90m2nAKykyxVPqWivNQbE6uzJWVMZ9VQojY7jVKSa2JHnzAskvs28p9ftcD3MvH0D4 lnaNSNko+a6tYh30JeSxRglTklM4Ke8CiMoheFAqiFvKsoBWZSC9gjmw2N+YmQjnZt46 JMCjl161aWfk5MI2ledpNdwp1u37LHnKN1qSyfBL0+oH+Woka2WQ7vzcQyK7CZVRnIkb 0swQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r5si3871747edl.13.2019.11.24.12.58.29; Sun, 24 Nov 2019 12:58:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726962AbfKXUzb (ORCPT + 99 others); Sun, 24 Nov 2019 15:55:31 -0500 Received: from netrider.rowland.org ([192.131.102.5]:38699 "HELO netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1726855AbfKXUzb (ORCPT ); Sun, 24 Nov 2019 15:55:31 -0500 Received: (qmail 4767 invoked by uid 500); 24 Nov 2019 15:55:30 -0500 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Nov 2019 15:55:30 -0500 Date: Sun, 24 Nov 2019 15:55:30 -0500 (EST) From: Alan Stern X-X-Sender: stern@netrider.rowland.org To: syzbot cc: andreyknvl@google.com, , , , , , , , , , , Subject: Re: possible deadlock in mon_bin_vma_fault In-Reply-To: <000000000000ce3cc905981c64bd@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 24 Nov 2019, syzbot wrote: > Hello, > > syzbot tried to test the proposed patch but build/boot failed: > > failed to apply patch: > checking file drivers/usb/mon/mon_bin.c > patch: **** unexpected end of file in patch One more try... Alan Stern #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.3 commit 5252eb4c8297fedbf1c5f1e67da44efe00e6ef6b Author: Pete Zaitcev Date: Thu Nov 21 17:24:00 2019 -0600 usb: Fix a deadlock in usbmon between mmap and read Signed-off-by: Pete Zaitcev Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c index ac2b4fcc265f..f48a23adbc35 100644 --- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1039,12 +1039,18 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg mutex_lock(&rp->fetch_lock); spin_lock_irqsave(&rp->b_lock, flags); - mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); - kfree(rp->b_vec); - rp->b_vec = vec; - rp->b_size = size; - rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; - rp->cnt_lost = 0; + if (rp->mmap_active) { + mon_free_buff(vec, size/CHUNK_SIZE); + kfree(vec); + ret = -EBUSY; + } else { + mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); + kfree(rp->b_vec); + rp->b_vec = vec; + rp->b_size = size; + rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; + rp->cnt_lost = 0; + } spin_unlock_irqrestore(&rp->b_lock, flags); mutex_unlock(&rp->fetch_lock); } @@ -1216,13 +1222,21 @@ mon_bin_poll(struct file *file, struct poll_table_struct *wait) static void mon_bin_vma_open(struct vm_area_struct *vma) { struct mon_reader_bin *rp = vma->vm_private_data; + unsigned long flags; + + spin_lock_irqsave(&rp->b_lock, flags); rp->mmap_active++; + spin_unlock_irqrestore(&rp->b_lock, flags); } static void mon_bin_vma_close(struct vm_area_struct *vma) { + unsigned long flags; + struct mon_reader_bin *rp = vma->vm_private_data; + spin_lock_irqsave(&rp->b_lock, flags); rp->mmap_active--; + spin_unlock_irqrestore(&rp->b_lock, flags); } /* @@ -1234,16 +1248,12 @@ static vm_fault_t mon_bin_vma_fault(struct vm_fault *vmf) unsigned long offset, chunk_idx; struct page *pageptr; - mutex_lock(&rp->fetch_lock); offset = vmf->pgoff << PAGE_SHIFT; - if (offset >= rp->b_size) { - mutex_unlock(&rp->fetch_lock); + if (offset >= rp->b_size) return VM_FAULT_SIGBUS; - } chunk_idx = offset / CHUNK_SIZE; pageptr = rp->b_vec[chunk_idx].pg; get_page(pageptr); - mutex_unlock(&rp->fetch_lock); vmf->page = pageptr; return 0; }