All of lore.kernel.org
 help / color / mirror / Atom feed
From: Johan Hovold <johan@kernel.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Greg KH <greg@kroah.com>,
	syzbot <syzbot+ada0f7d3d9fd2016d927@syzkaller.appspotmail.com>,
	syzkaller-bugs@googlegroups.com,
	USB mailing list <linux-usb@vger.kernel.org>
Subject: Re: [PATCH] USB: core: Make usb_start_wait_urb() interruptible
Date: Mon, 30 Aug 2021 09:56:50 +0200	[thread overview]
Message-ID: <YSyPQqMPHRiUvYEx@hovoldconsulting.com> (raw)
In-Reply-To: <20210829015825.GA297712@rowland.harvard.edu>

On Sat, Aug 28, 2021 at 09:58:25PM -0400, Alan Stern wrote:
> usb_start_wait_urb() can be called from user processes by means of the
> USBDEVFS_BULK and USBDEVFS_CONTROL ioctls in usbfs.  Consequently it
> should not contain an uninterruptible wait of arbitrarily long length
> (the timeout value is specified here by the user, so it can be
> practically anything).  Doing so leads the kernel to complain about
> "Task X blocked for more than N seconds", as found in testing by
> syzbot:
> 
> INFO: task syz-executor.0:8700 blocked for more than 143 seconds.
>       Not tainted 5.14.0-rc7-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor.0  state:D stack:23192 pid: 8700 ppid:  8455 flags:0x00004004
> Call Trace:
>  context_switch kernel/sched/core.c:4681 [inline]
>  __schedule+0xc07/0x11f0 kernel/sched/core.c:5938
>  schedule+0x14b/0x210 kernel/sched/core.c:6017
>  schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857
>  do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85
>  __wait_for_common kernel/sched/completion.c:106 [inline]
>  wait_for_common kernel/sched/completion.c:117 [inline]
>  wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157
>  usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63
>  do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236
>  proc_bulk drivers/usb/core/devio.c:1273 [inline]
>  usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline]
>  usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713
> ...
> 
> This patch fixes the problem by converting the uninterruptible wait to
> an interruptible one.  For the most part this won't affect calls to
> usb_start_wait_urb(), because they are made by kernel threads and so
> can't receive most signals.
> 
> But in some cases such calls may occur in user threads in contexts
> other than usbfs ioctls.  A signal in these circumstances could cause
> a USB transfer to fail when otherwise it wouldn't.  The outcome
> wouldn't be too dreadful, since USB transfers can fail at any time and
> the system is prepared to handle these failures gracefully.  In
> theory, for example, a signal might cause a driver's probe routine to
> fail; in practice if the user doesn't want a probe to fail then he
> shouldn't send interrupt signals to the probing process.

While probe() triggered through sysfs or by module loading is one
example, the USB msg helpers are also called in a lot of other
user-thread contexts such as open() calls etc. It might even be that the
majority of these calls can be done from user threads (post
enumeration).

> Overall, then, making these delays interruptible seems to be an
> acceptable risk.

Possibly, but changing the API like this to fix the usbfs ioctls seems
like using a bit of a too big hammer to me, especially when backporting
to stable.

> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> Reported-and-tested-by: syzbot+ada0f7d3d9fd2016d927@syzkaller.appspotmail.com
> CC: stable@vger.kernel.org

Johan

  reply	other threads:[~2021-08-30  7:57 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-28 15:52 [syzbot] INFO: task hung in do_proc_bulk syzbot
2021-08-28 18:03 ` Alan Stern
2021-08-28 20:05   ` syzbot
2021-08-29  1:58     ` [PATCH] USB: core: Make usb_start_wait_urb() interruptible Alan Stern
2021-08-30  7:56       ` Johan Hovold [this message]
2021-08-30 14:46         ` Alan Stern
2021-08-30 15:11           ` Oliver Neukum
2021-08-30 16:09             ` Alan Stern
2021-08-31  8:52               ` Oliver Neukum
2021-08-31  9:13           ` Johan Hovold
2021-08-31 10:47             ` Oliver Neukum
2021-08-31 11:02             ` Oliver Neukum
2021-08-31 11:10             ` Johan Hovold
2021-08-31 17:03               ` Alan Stern
2021-09-01  8:16                 ` Oliver Neukum
2021-09-02 20:04 ` [syzbot] INFO: task hung in do_proc_bulk Alan Stern
2021-09-02 20:46   ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YSyPQqMPHRiUvYEx@hovoldconsulting.com \
    --to=johan@kernel.org \
    --cc=greg@kroah.com \
    --cc=linux-usb@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+ada0f7d3d9fd2016d927@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.