From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Alan Stern <stern@rowland.harvard.edu>,
Sarah Sharp <sarah.a.sharp@linux.intel.com>
Subject: [ 41/62] USB: fix deadlock in bConfigurationValue attribute method
Date: Tue, 24 Apr 2012 15:33:22 -0700 [thread overview]
Message-ID: <20120424223245.491940047@linuxfoundation.org> (raw)
In-Reply-To: <20120424223305.GA7748@kroah.com>
3.3-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 8963c487a80b4688c9e68dcc504a90074aacc145 upstream.
This patch (as154) fixes a self-deadlock that occurs when userspace
writes to the bConfigurationValue sysfs attribute for a hub with
children. The task tries to lock the bandwidth_mutex at a time when
it already owns the lock:
The attribute's method calls usb_set_configuration(),
which calls usb_disable_device() with the bandwidth_mutex
held.
usb_disable_device() unregisters the existing interfaces,
which causes the hub driver to be unbound.
The hub_disconnect() routine calls hub_quiesce(), which
calls usb_disconnect() for each of the hub's children.
usb_disconnect() attempts to acquire the bandwidth_mutex
around a call to usb_disable_device().
The solution is to make usb_disable_device() acquire the mutex for
itself instead of requiring the caller to hold it. Then the mutex can
cover only the bandwidth deallocation operation and not the region
where the interfaces are unregistered.
This has the potential to change system behavior slightly when a
config change races with another config or altsetting change. Some of
the bandwidth released from the old config might get claimed by the
other config or altsetting, make it impossible to restore the old
config in case of a failure. But since we don't try to recover from
config-change failures anyway, this doesn't matter.
[This should be marked for stable kernels that contain the commit
fccf4e86200b8f5edd9a65da26f150e32ba79808 "USB: Free bandwidth when
usb_disable_device is called."
That commit was marked for stable kernels as old as 2.6.32.]
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 3 ---
drivers/usb/core/message.c | 6 +++---
2 files changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1643,7 +1643,6 @@ void usb_disconnect(struct usb_device **
{
struct usb_device *udev = *pdev;
int i;
- struct usb_hcd *hcd = bus_to_hcd(udev->bus);
/* mark the device as inactive, so any further urb submissions for
* this device (and any of its children) will fail immediately.
@@ -1666,9 +1665,7 @@ void usb_disconnect(struct usb_device **
* so that the hardware is now fully quiesced.
*/
dev_dbg (&udev->dev, "unregistering device\n");
- mutex_lock(hcd->bandwidth_mutex);
usb_disable_device(udev, 0);
- mutex_unlock(hcd->bandwidth_mutex);
usb_hcd_synchronize_unlinks(udev);
usb_remove_ep_devs(&udev->ep0);
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1136,8 +1136,6 @@ void usb_disable_interface(struct usb_de
* Deallocates hcd/hardware state for the endpoints (nuking all or most
* pending urbs) and usbcore state for the interfaces, so that usbcore
* must usb_set_configuration() before any interfaces could be used.
- *
- * Must be called with hcd->bandwidth_mutex held.
*/
void usb_disable_device(struct usb_device *dev, int skip_ep0)
{
@@ -1190,7 +1188,9 @@ void usb_disable_device(struct usb_devic
usb_disable_endpoint(dev, i + USB_DIR_IN, false);
}
/* Remove endpoints from the host controller internal state */
+ mutex_lock(hcd->bandwidth_mutex);
usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL);
+ mutex_unlock(hcd->bandwidth_mutex);
/* Second pass: remove endpoint pointers */
}
for (i = skip_ep0; i < 16; ++i) {
@@ -1750,7 +1750,6 @@ free_interfaces:
/* if it's already configured, clear out old state first.
* getting rid of old interfaces means unbinding their drivers.
*/
- mutex_lock(hcd->bandwidth_mutex);
if (dev->state != USB_STATE_ADDRESS)
usb_disable_device(dev, 1); /* Skip ep0 */
@@ -1763,6 +1762,7 @@ free_interfaces:
* host controller will not allow submissions to dropped endpoints. If
* this call fails, the device state is unchanged.
*/
+ mutex_lock(hcd->bandwidth_mutex);
ret = usb_hcd_alloc_bandwidth(dev, cp, NULL, NULL);
if (ret < 0) {
mutex_unlock(hcd->bandwidth_mutex);
next prev parent reply other threads:[~2012-04-24 22:33 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-24 22:33 [ 00/62] 3.3.4-stable review Greg KH
2012-04-24 22:32 ` [ 01/62] Perf: fix build breakage Greg KH
2012-04-24 22:32 ` [ 02/62] crypto: sha512 - Fix byte counter overflow in SHA-512 Greg KH
2012-04-24 22:32 ` [ 03/62] hwmon: fam15h_power: fix bogus values with current BIOSes Greg KH
2012-04-25 19:45 ` Ben Hutchings
2012-04-25 20:50 ` Guenter Roeck
2012-04-26 16:43 ` Greg KH
2012-04-26 16:47 ` Guenter Roeck
2012-04-26 21:15 ` Greg KH
2012-04-24 22:32 ` [ 04/62] ALSA: hda/conexant - Dont set HP pin-control bit unconditionally Greg KH
2012-04-24 22:32 ` [ 05/62] ALSA: hda/conexant - Set up the missing docking-station pins Greg KH
2012-04-24 22:32 ` [ 06/62] memblock: memblock should be able to handle zero length operations Greg KH
2012-04-24 22:32 ` [ 07/62] ARM: clps711x: serial driver hungs are a result of call disable_irq within ISR Greg KH
2012-04-24 22:32 ` [ 08/62] ARM: at91: fix at91sam9261ek Ethernet dm9000 irq Greg KH
2012-04-24 22:32 ` [ 09/62] ARM: OMAP1: DMTIMER: fix broken timer clock source selection Greg KH
2012-04-24 22:32 ` [ 10/62] ARM: OMAP: serial: Fix the ocp smart idlemode handling bug Greg KH
2012-04-24 22:32 ` [ 11/62] mmc: fixes for eMMC v4.5 discard operation Greg KH
2012-04-24 22:32 ` [ 12/62] mmc: fixes for eMMC v4.5 sanitize operation Greg KH
2012-04-24 22:32 ` [ 13/62] mmc: sdhci: refine non-removable card checking for card detection Greg KH
2012-04-24 22:32 ` [ 14/62] mmc: unbreak sdhci-esdhc-imx on i.MX25 Greg KH
2012-04-27 22:31 ` Jonathan Nieder
2012-04-28 6:03 ` Wolfram Sang
2012-04-30 1:06 ` Greg KH
2012-04-24 22:32 ` [ 15/62] xen/gntdev: do not set VM_PFNMAP Greg KH
2012-04-24 22:32 ` [ 16/62] xen/xenbus: Add quirk to deal with misconfigured backends Greg KH
2012-04-24 22:32 ` [ 17/62] USB: yurex: Remove allocation of coherent buffer for setup-packet buffer Greg KH
2012-04-24 22:32 ` [ 18/62] USB: yurex: Fix missing URB_NO_TRANSFER_DMA_MAP flag in urb Greg KH
2012-04-24 22:33 ` [ 19/62] uwb: fix use of del_timer_sync() in interrupt Greg KH
2012-04-24 22:33 ` [ 20/62] uwb: fix error handling Greg KH
2012-04-24 22:33 ` [ 21/62] davinci_mdio: Fix MDIO timeout check Greg KH
2012-04-24 22:33 ` [ 22/62] mwifiex: update pcie8766 scratch register addresses Greg KH
2012-04-24 22:33 ` [ 23/62] brcm80211: smac: resume transmit fifo upon receiving frames Greg KH
2012-04-25 22:39 ` Jonathan Nieder
2012-04-26 8:48 ` Arend van Spriel
2012-04-26 18:20 ` Jonathan Nieder
2012-04-30 1:04 ` Greg KH
2012-04-24 22:33 ` [ 24/62] mac80211: fix logic error in ibss channel type check Greg KH
2012-04-24 22:33 ` [ 25/62] media: rc-core: set mode for winbond-cir Greg KH
2012-04-24 22:33 ` [ 26/62] media: drxk: Does not unlock mutex if sanity check failed in scu_command() Greg KH
2012-04-24 22:33 ` [ 27/62] media: dvb_frontend: Fix a regression when switching back to DVB-S Greg KH
2012-04-24 22:33 ` [ 28/62] cfg80211: fix interface combinations check Greg KH
2012-04-24 22:33 ` [ 29/62] staging: r8712u: Fix regression caused by commit 8c213fa Greg KH
2012-04-24 22:33 ` [ 30/62] Fix modpost failures in fedora 17 Greg KH
2012-04-26 0:41 ` Jonathan Nieder
2012-04-26 0:48 ` David Miller
2012-04-30 1:05 ` Greg KH
2012-04-24 22:33 ` [ 31/62] mm: fix s390 BUG by __set_page_dirty_no_writeback on swap Greg KH
2012-04-24 22:33 ` [ 32/62] md: dont call ->add_disk unless there is good reason Greg KH
2012-04-24 22:33 ` [ 33/62] md: fix possible corruption of array metadata on shutdown Greg KH
2012-04-24 22:33 ` [ 34/62] jbd2: use GFP_NOFS for blkdev_issue_flush Greg KH
2012-04-24 22:33 ` [ 35/62] USB: serial: cp210x: Fixed usb_control_msg timeout values Greg KH
2012-04-24 22:33 ` [ 36/62] pch_uart: Fix dma channel unallocated issue Greg KH
2012-04-24 22:33 ` [ 37/62] drivers/tty/amiserial.c: add missing tty_unlock Greg KH
2012-04-24 22:33 ` [ 38/62] USB: sierra: avoid QMI/wwan interface on MC77xx Greg KH
2012-04-24 22:33 ` [ 39/62] EHCI: fix criterion for resuming the root hub Greg KH
2012-04-25 6:17 ` Jonathan Nieder
2012-04-30 1:04 ` Greg KH
2012-04-24 22:33 ` [ 40/62] EHCI: always clear the STS_FLR status bit Greg KH
2012-04-24 22:33 ` Greg KH [this message]
2012-04-24 22:33 ` [ 42/62] usb: gadget: udc-core: stop UDC on device-initiated disconnect Greg KH
2012-04-24 22:33 ` [ 43/62] usb: gadget: udc-core: fix asymmetric calls in remove_driver Greg KH
2012-04-26 0:34 ` Ben Hutchings
2012-04-26 21:16 ` Greg KH
2012-04-27 8:00 ` Felipe Balbi
2012-04-24 22:33 ` [ 44/62] usb: gadget: eliminate NULL pointer dereference (bugfix) Greg KH
2012-04-24 22:33 ` [ 45/62] usb: musb: omap: fix crash when musb glue (omap) gets initialized Greg KH
2012-04-26 0:41 ` Ben Hutchings
2012-04-24 22:33 ` [ 46/62] usb: musb: omap: fix the error check for pm_runtime_get_sync Greg KH
2012-04-24 22:33 ` [ 47/62] PCI: Add quirk for still enabled interrupts on Intel Sandy Bridge GPUs Greg KH
2012-04-24 22:33 ` [ 48/62] ext4: fix endianness breakage in ext4_split_extent_at() Greg KH
2012-04-24 22:33 ` [ 49/62] KVM: unmap pages from the iommu when slots are removed Greg KH
2012-04-27 21:54 ` Jonathan Nieder
2012-04-27 22:08 ` Alex Williamson
2012-04-30 1:05 ` Greg KH
2012-04-24 22:33 ` [ 50/62] dell-laptop: add 3 machines that has touchpad LED Greg KH
2012-04-24 22:33 ` [ 51/62] dell-laptop: touchpad LED should persist its status after S3 Greg KH
2012-04-24 22:33 ` [ 52/62] Bluetooth: Add support for Atheros [04ca:3005] Greg KH
2012-04-24 22:33 ` [ 53/62] nfsd: fix b0rken error value for setattr on read-only mount Greg KH
2012-04-27 22:42 ` Jonathan Nieder
2012-04-24 22:33 ` [ 54/62] nfsd: fix error values returned by nfsd4_lockt() when nfsd_open() fails Greg KH
2012-04-27 22:54 ` Jonathan Nieder
2012-04-24 22:33 ` [ 55/62] nfsd: fix endianness breakage in TEST_STATEID handling Greg KH
2012-04-24 22:33 ` [ 56/62] nfsd: fix compose_entry_fh() failure exits Greg KH
2012-04-24 22:33 ` [ 57/62] btrfs: btrfs_root_readonly() broken on big-endian Greg KH
2012-04-24 22:33 ` [ 58/62] ocfs2: ->l_next_free_req breakage " Greg KH
2012-04-24 22:33 ` [ 59/62] ocfs: ->rl_used " Greg KH
2012-04-24 22:33 ` [ 60/62] ocfs2: ->rl_count endianness breakage Greg KH
2012-04-24 22:33 ` [ 61/62] ocfs2: ->e_leaf_clusters " Greg KH
2012-04-24 22:33 ` [ 62/62] lockd: fix the endianness bug Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120424223245.491940047@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=sarah.a.sharp@linux.intel.com \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).