From: Alan Stern <stern@rowland.harvard.edu>
To: Oliver Neukum <oliver@neukum.org>
Cc: andreyknvl@google.com, <syzkaller-bugs@googlegroups.com>,
<gregkh@linuxfoundation.org>,
syzbot <syzbot+7bbcbe9c9ff0cd49592a@syzkaller.appspotmail.com>,
Kernel development list <linux-kernel@vger.kernel.org>,
USB list <linux-usb@vger.kernel.org>
Subject: Re: possible deadlock in open_rio
Date: Thu, 8 Aug 2019 10:33:23 -0400 (EDT) [thread overview]
Message-ID: <Pine.LNX.4.44L0.1908081027560.1652-100000@iolanthe.rowland.org> (raw)
In-Reply-To: <1565187142.15973.3.camel@neukum.org>
On Wed, 7 Aug 2019, Oliver Neukum wrote:
> Am Mittwoch, den 07.08.2019, 10:07 -0400 schrieb Alan Stern:
> > On Wed, 7 Aug 2019, Oliver Neukum wrote:
> > > technically yes. However in practical terms the straight revert I sent
> > > out yesterday should fix it.
> >
> > I didn't see the revert, and it doesn't appear to have reached the
> > mailing list archive. Can you post it again?
>
> As soon as our VPN server is back up again.
The revert may not be necessay; a little fix should get rid of the
locking violation. The key is to avoid calling the registration or
deregistration routines while holding the rio500_mutex, and to
recognize that the probe and disconnect routines are both protected by
the device mutex.
How does this patch look?
Alan Stern
#syz test: https://github.com/google/kasan.git 7f7867ff
Index: usb-devel/drivers/usb/misc/rio500.c
===================================================================
--- usb-devel.orig/drivers/usb/misc/rio500.c
+++ usb-devel/drivers/usb/misc/rio500.c
@@ -454,52 +454,54 @@ static int probe_rio(struct usb_interfac
{
struct usb_device *dev = interface_to_usbdev(intf);
struct rio_usb_data *rio = &rio_instance;
- int retval = 0;
+ int retval;
+ char *ibuf, *obuf;
- mutex_lock(&rio500_mutex);
if (rio->present) {
dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum);
- retval = -EBUSY;
- goto bail_out;
- } else {
- dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
+ return -EBUSY;
}
+ dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
retval = usb_register_dev(intf, &usb_rio_class);
if (retval) {
dev_err(&dev->dev,
"Not able to get a minor for this device.\n");
- retval = -ENOMEM;
- goto bail_out;
+ goto err_register;
}
- rio->rio_dev = dev;
-
- if (!(rio->obuf = kmalloc(OBUF_SIZE, GFP_KERNEL))) {
+ obuf = kmalloc(OBUF_SIZE, GFP_KERNEL);
+ if (!obuf) {
dev_err(&dev->dev,
"probe_rio: Not enough memory for the output buffer\n");
- usb_deregister_dev(intf, &usb_rio_class);
- retval = -ENOMEM;
- goto bail_out;
+ goto err_obuf;
}
- dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf);
+ dev_dbg(&intf->dev, "obuf address: %p\n", obuf);
- if (!(rio->ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL))) {
+ ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL);
+ if (!ibuf) {
dev_err(&dev->dev,
"probe_rio: Not enough memory for the input buffer\n");
- usb_deregister_dev(intf, &usb_rio_class);
- kfree(rio->obuf);
- retval = -ENOMEM;
- goto bail_out;
+ goto err_ibuf;
}
- dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf);
+ dev_dbg(&intf->dev, "ibuf address: %p\n", ibuf);
+ mutex_lock(&rio500_mutex);
+ rio->rio_dev = dev;
+ rio->ibuf = ibuf;
+ rio->obuf = obuf;
usb_set_intfdata (intf, rio);
rio->present = 1;
-bail_out:
mutex_unlock(&rio500_mutex);
return retval;
+
+ err_ibuf:
+ kfree(obuf);
+ err_obuf:
+ usb_deregister_dev(intf, &usb_rio_class);
+ err_register:
+ return -ENOMEM;
}
static void disconnect_rio(struct usb_interface *intf)
@@ -507,10 +509,10 @@ static void disconnect_rio(struct usb_in
struct rio_usb_data *rio = usb_get_intfdata (intf);
usb_set_intfdata (intf, NULL);
- mutex_lock(&rio500_mutex);
if (rio) {
usb_deregister_dev(intf, &usb_rio_class);
+ mutex_lock(&rio500_mutex);
if (rio->isopen) {
rio->isopen = 0;
/* better let it finish - the release will do whats needed */
@@ -524,8 +526,8 @@ static void disconnect_rio(struct usb_in
dev_info(&intf->dev, "USB Rio disconnected.\n");
rio->present = 0;
+ mutex_unlock(&rio500_mutex);
}
- mutex_unlock(&rio500_mutex);
}
static const struct usb_device_id rio_table[] = {
next parent reply other threads:[~2019-08-08 14:33 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1565187142.15973.3.camel@neukum.org>
2019-08-08 14:33 ` Alan Stern [this message]
2019-08-08 14:33 ` Re: possible deadlock in open_rio syzbot
2019-08-08 14:33 ` syzbot
2019-08-08 14:44 ` Andrey Konovalov
2019-08-08 17:34 ` [PATCH] USB: rio500: Fix lockdep violation Alan Stern
2019-08-08 17:58 ` Greg KH
2019-08-08 18:23 ` Alan Stern
2019-08-15 12:48 ` Greg KH
2019-08-15 14:47 ` Alan Stern
2019-09-03 18:18 ` Greg KH
2019-08-19 11:51 ` Oliver Neukum
2019-08-08 17:43 ` possible deadlock in iowarrior Alan Stern
2019-08-01 15:28 possible deadlock in open_rio syzbot
2019-08-02 20:51 ` Alan Stern
2019-08-06 19:13 ` Alan Stern
2019-08-07 13:37 ` Oliver Neukum
2019-08-07 14:07 ` Alan Stern
2019-08-07 13:53 ` Andrey Konovalov
2019-08-07 14:01 ` Alan Stern
2019-08-07 14:24 ` Andrey Konovalov
2019-08-07 14:34 ` Andrey Konovalov
2019-08-07 14:38 ` Andrey Konovalov
2019-08-07 14:39 ` Alan Stern
2019-08-07 15:08 ` Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.44L0.1908081027560.1652-100000@iolanthe.rowland.org \
--to=stern@rowland.harvard.edu \
--cc=andreyknvl@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=oliver@neukum.org \
--cc=syzbot+7bbcbe9c9ff0cd49592a@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).