Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp2385988ybb;
        Mon, 30 Mar 2020 05:17:06 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vtqBqsm7Vs2Gq0NHgLOU0CEyrqQMLZHLicmLdg4FxoHxTLq7hgPbSPqXDZl3tm+sIYEkuQp
X-Received: by 2002:aca:cc81:: with SMTP id c123mr7015274oig.74.1585570626378;
        Mon, 30 Mar 2020 05:17:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585570626; cv=none;
        d=google.com; s=arc-20160816;
        b=pJ7Cp9t7SgNw0yjJlOSjm3fP0puoGVG2Zk/g9qrO7ThQwY+anX4Im2FCGpUgBPyKEM
         /DAAEfWKdItdbQeSGdNS6xdCNfHm86gfGyH2FdbtfFOPqvudzeIk9rJg78VaYzFITXBV
         P/kdw5pOohUZl7qmN1kR74ggTVRfPXr5ZdrXEuFyd6YkZiZd4aSbwuhXzhotEIv78lOi
         QbfFiNFH+SYq6YZE7NOWseXJLDcfIzaRMu8lhFppUEk1A8kXgQNH4pHk5qD52TRYk2LT
         nRbO2y0q9j0rooyKyZTYryppmYYH7ECG07TA/gNhyE4RF9Q5Or8BREl8ZUuNhK73Qdjd
         tSGw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=Eg5ugs9X241d0CyEHmbcuFz60tm64fkmmQDdwTBJmwo=;
        b=lpzdbuyu5xmxgwudsIK7xEgr3RZ+I+GXQGR++ORqSQNhRsjZ9Dyhggas/DjFhDodO0
         M5eaIpXKWhsMypnNZdd0Z7xz1FqXBCIf2f0pisKpUREt3HTqroYvT6L9BYwtOlv2ZSH3
         QwQrvZTPZ75osgV75XUDB+dwE9N+18v73XIb/ypgzBmmt+TPw1iRZTurSuS01Iszpd5A
         W18J72ULky724/46Xm4w0mgCnQ7lkafjpdxP7Ioi1FROF6bxRVR9T+SqM2Tj9FYslwhR
         L/8EEKrJSB+DYGA496F10s3ejwKQj8JIDc3PmEtp+uQtTz2NgQRJM+bnX2mQKKoIPhjw
         W3mA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=bx72mUxy;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q7si5857388otk.77.2020.03.30.05.16.53;
        Mon, 30 Mar 2020 05:17:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=bx72mUxy;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729999AbgC3Lww (ORCPT <rfc822;chauncqc@gmail.com> + 99 others);
        Mon, 30 Mar 2020 07:52:52 -0400
Received: from mail-pl1-f195.google.com ([209.85.214.195]:45638 "EHLO
        mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728764AbgC3Lwv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 Mar 2020 07:52:51 -0400
Received: by mail-pl1-f195.google.com with SMTP id t4so668263plq.12;
        Mon, 30 Mar 2020 04:52:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=Eg5ugs9X241d0CyEHmbcuFz60tm64fkmmQDdwTBJmwo=;
        b=bx72mUxy7UhUrj/cFQtM3eS3lb41tkad+HkCfGl7ALAjXH3z2dhSxVA9srYRsjMG7g
         EXx2GambzNP9ODeY640qVmq5Gu4R+JHDXZq+yyWf3+TIQe4xcdu6zMsJhn9aA3JRtUDQ
         q6KxjpPJ3QoZVvkp4UJMcyNB8IsesWuOwLdHNVJxlVKwPudGdTqgVglMfsKR0EQ6bBRt
         zID7u4h3SB9c43fysjMa2VL+L9FLQABlAXx05yJIbDxIT3cwm/ko4qIzTWXOR3w2o9/r
         UbghdxeYQU2RR/afULeC3pRkuZ4w3C+3jQVSIOunRm2DsOA1N+J4886HS4V/iNDRtlOq
         4bcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=Eg5ugs9X241d0CyEHmbcuFz60tm64fkmmQDdwTBJmwo=;
        b=cmqvy2z4mkoy/+BWqsfmp3o4yVHbAgidUIsvzsY0l0coIAAp65Ot/APyCvkudzASIz
         sGmi23EwcHNkoJvvDGUIQ0N6pxEysvhNB6Elxeg6Ui+myWHcptANlvyF0RLPhLzYTo+g
         F35nUTdn7EcB1QA4hLguJLDSaOBQ4egGIaEJOj3G/i6+SOLyfH5eEPrI6f4yJaI0bLyb
         WWfUN0WyPWqP+ICPH1cLewfRG2gSay+HwBKoQ4gXwR2y6UmphihmP7jxmibXzmCL7wcV
         BQfUtWc2ziQ8W9twdcBdrdZYrF+I7VDpNa3/4tyfDwpch49VS6iqX6ZfEgegdO4X2s2v
         8BrA==
X-Gm-Message-State: ANhLgQ3vTOpzu4e05LK+3OlkMkQNmeVKZDsiwgcumAGfgYlK1br7qjP4
        t0/dllbX445s65Fzv2ExSg==
X-Received: by 2002:a17:902:788e:: with SMTP id q14mr12138962pll.72.1585569169503;
        Mon, 30 Mar 2020 04:52:49 -0700 (PDT)
Received: from localhost.localdomain ([2402:3a80:d3b:3d6b:7942:93fd:fd15:96f0])
        by smtp.gmail.com with ESMTPSA id i4sm10012756pfq.82.2020.03.30.04.52.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 30 Mar 2020 04:52:48 -0700 (PDT)
From:   madhuparnabhowmik10@gmail.com
To:     gregkh@linuxfoundation.org, hariprasad.kelam@gmail.com,
        colin.king@canonical.com, tony.olech@elandigitalsystems.com
Cc:     linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        andrianov@ispras.ru
Subject: Possible data-race related bug in u132_hcd module.
Date:   Mon, 30 Mar 2020 17:22:43 +0530
Message-Id: <20200330115243.11107-1-madhuparnabhowmik10@gmail.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

This bug is found by  Linux Driver Verification project (linuxtesting.org).

The bug is related to the parallel execution of u132_probe() function and u132_hcd_exit() function in u132_hcd.c. In case the module is unloaded when the probe function is executing there can be data race as the mutex lock u132_module_lock is not used properly. 

i) Usage of mutex lock only when writing into the u132_exiting variable in u132_hcd_exit(). The lock is not used when this variable is read in u132_probe().

Moreover, this variable does not serve its purpose, as even if locking is used while the u132_exiting variable is read in probe(), the function may still miss that exit function is executing if it acquires the mutex before exit() function does.

How to fix this?

ii) Usage of mutex while adding entries in u132_static_list in probe function but not in exit function while unregistering.
This should be easy to fix by holding the mutex in the exit function as well.

There can be other synchronization problems related to the usage of u132_module_lock in this module, I have only spotted these so far.

Please let me know if this bug report is helpful and I can send a patch fixing it.

Thank you,
Madhuparna