From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
David Tulloh <david@tulloh.id.au>,
Felipe Balbi <felipe.balbi@linux.intel.com>
Subject: [PATCH 4.13 01/53] USB: dummy-hcd: Fix deadlock caused by disconnect detection
Date: Mon, 16 Oct 2017 18:15:58 +0200 [thread overview]
Message-ID: <20171016161442.319188277@linuxfoundation.org> (raw)
In-Reply-To: <20171016161442.263947886@linuxfoundation.org>
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit ab219221a5064abfff9f78c323c4a257b16cdb81 upstream.
The dummy-hcd driver calls the gadget driver's disconnect callback
under the wrong conditions. It should invoke the callback when Vbus
power is turned off, but instead it does so when the D+ pullup is
turned off.
This can cause a deadlock in the composite core when a gadget driver
is unregistered:
[ 88.361471] ============================================
[ 88.362014] WARNING: possible recursive locking detected
[ 88.362580] 4.14.0-rc2+ #9 Not tainted
[ 88.363010] --------------------------------------------
[ 88.363561] v4l_id/526 is trying to acquire lock:
[ 88.364062] (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547e03>] composite_disconnect+0x43/0x100 [libcomposite]
[ 88.365051]
[ 88.365051] but task is already holding lock:
[ 88.365826] (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
[ 88.366858]
[ 88.366858] other info that might help us debug this:
[ 88.368301] Possible unsafe locking scenario:
[ 88.368301]
[ 88.369304] CPU0
[ 88.369701] ----
[ 88.370101] lock(&(&cdev->lock)->rlock);
[ 88.370623] lock(&(&cdev->lock)->rlock);
[ 88.371145]
[ 88.371145] *** DEADLOCK ***
[ 88.371145]
[ 88.372211] May be due to missing lock nesting notation
[ 88.372211]
[ 88.373191] 2 locks held by v4l_id/526:
[ 88.373715] #0: (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
[ 88.374814] #1: (&(&dum_hcd->dum->lock)->rlock){....}, at: [<ffffffffa05bd48d>] dummy_pullup+0x7d/0xf0 [dummy_hcd]
[ 88.376289]
[ 88.376289] stack backtrace:
[ 88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9
[ 88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 88.379504] Call Trace:
[ 88.380019] dump_stack+0x86/0xc7
[ 88.380605] __lock_acquire+0x841/0x1120
[ 88.381252] lock_acquire+0xd5/0x1c0
[ 88.381865] ? composite_disconnect+0x43/0x100 [libcomposite]
[ 88.382668] _raw_spin_lock_irqsave+0x40/0x54
[ 88.383357] ? composite_disconnect+0x43/0x100 [libcomposite]
[ 88.384290] composite_disconnect+0x43/0x100 [libcomposite]
[ 88.385490] set_link_state+0x2d4/0x3c0 [dummy_hcd]
[ 88.386436] dummy_pullup+0xa7/0xf0 [dummy_hcd]
[ 88.387195] usb_gadget_disconnect+0xd8/0x160 [udc_core]
[ 88.387990] usb_gadget_deactivate+0xd3/0x160 [udc_core]
[ 88.388793] usb_function_deactivate+0x64/0x80 [libcomposite]
[ 88.389628] uvc_function_disconnect+0x1e/0x40 [usb_f_uvc]
This patch changes the code to test the port-power status bit rather
than the port-connect status bit when deciding whether to isue the
callback.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: David Tulloh <david@tulloh.id.au>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/dummy_hcd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -420,6 +420,7 @@ static void set_link_state_by_speed(stru
static void set_link_state(struct dummy_hcd *dum_hcd)
{
struct dummy *dum = dum_hcd->dum;
+ unsigned int power_bit;
dum_hcd->active = 0;
if (dum->pullup)
@@ -430,17 +431,19 @@ static void set_link_state(struct dummy_
return;
set_link_state_by_speed(dum_hcd);
+ power_bit = (dummy_hcd_to_hcd(dum_hcd)->speed == HCD_USB3 ?
+ USB_SS_PORT_STAT_POWER : USB_PORT_STAT_POWER);
if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) == 0 ||
dum_hcd->active)
dum_hcd->resuming = 0;
/* Currently !connected or in reset */
- if ((dum_hcd->port_status & USB_PORT_STAT_CONNECTION) == 0 ||
+ if ((dum_hcd->port_status & power_bit) == 0 ||
(dum_hcd->port_status & USB_PORT_STAT_RESET) != 0) {
- unsigned disconnect = USB_PORT_STAT_CONNECTION &
+ unsigned int disconnect = power_bit &
dum_hcd->old_status & (~dum_hcd->port_status);
- unsigned reset = USB_PORT_STAT_RESET &
+ unsigned int reset = USB_PORT_STAT_RESET &
(~dum_hcd->old_status) & dum_hcd->port_status;
/* Report reset and disconnect events to the driver */
next prev parent reply other threads:[~2017-10-16 16:18 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-16 16:15 [PATCH 4.13 00/53] 4.13.8-stable review Greg Kroah-Hartman
2017-10-16 16:15 ` Greg Kroah-Hartman [this message]
2017-10-16 16:15 ` [PATCH 4.13 02/53] MIPS: math-emu: Remove pr_err() calls from fpu_emu() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 03/53] MIPS: bpf: Fix uninitialised target compiler error Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 04/53] mei: always use domain runtime pm callbacks Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 05/53] dmaengine: edma: Align the memcpy acnt array size with the transfer Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 06/53] dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 07/53] NFS: Fix uninitialized rpc_wait_queue Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 08/53] nfs/filelayout: fix oops when freeing filelayout segment Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 09/53] HID: usbhid: fix out-of-bounds bug Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 12/53] KVM: MMU: always terminate page walks at level 1 Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 13/53] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 14/53] usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 16/53] iommu/amd: Finish TLB flush in amd_iommu_unmap() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 17/53] device property: Track owner device of device property Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 18/53] Revert "vmalloc: back off when the current task is killed" Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 19/53] fs/mpage.c: fix mpage_writepage() for pages with buffers Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 20/53] ALSA: usb-audio: Kill stray URB at exiting Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 21/53] ALSA: seq: Fix use-after-free at creating a port Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 22/53] ALSA: seq: Fix copy_from_user() call inside lock Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 23/53] ALSA: caiaq: Fix stray URB at probe error path Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 24/53] ALSA: line6: Fix NULL dereference at podhd_disconnect() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 25/53] ALSA: line6: Fix missing initialization before error path Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 26/53] ALSA: line6: Fix leftover URB at error-path during probe Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 27/53] drm/atomic: Unref duplicated drm_atomic_state in drm_atomic_helper_resume() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 28/53] drm/i915/edp: Get the Panel Power Off timestamp after panel is off Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 31/53] drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 32/53] usb: gadget: configfs: Fix memory leak of interface directory data Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 33/53] usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 34/53] PCI: aardvark: Move to struct pci_host_bridge IRQ mapping functions Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 35/53] Revert "PCI: tegra: Do not allocate MSI target memory" Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 36/53] direct-io: Prevent NULL pointer access in submit_page_section Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 37/53] fix unbalanced page refcounting in bio_map_user_iov Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 38/53] more bio_map_user_iov() leak fixes Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 39/53] bio_copy_user_iov(): dont ignore ->iov_offset Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 40/53] perf script: Add missing separator for "-F ip,brstack" (and brstackoff) Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 41/53] genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 42/53] genirq/cpuhotplug: Add sanity check for effective affinity mask Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 43/53] USB: serial: ftdi_sio: add id for Cypress WICED dev board Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 44/53] USB: serial: cp210x: fix partnum regression Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 45/53] USB: serial: cp210x: add support for ELV TFD500 Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 46/53] USB: serial: option: add support for TP-Link LTE module Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 47/53] USB: serial: qcserial: add Dell DW5818, DW5819 Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 48/53] USB: serial: console: fix use-after-free on disconnect Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 49/53] USB: serial: console: fix use-after-free after failed setup Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 50/53] RAS/CEC: Use the right length for "cec_disable" Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 51/53] x86/microcode: Do the family check first Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 52/53] x86/alternatives: Fix alt_max_short macro to really be a max() Greg Kroah-Hartman
2017-10-16 16:16 ` [PATCH 4.13 53/53] KVM: nVMX: update last_nonleaf_level when initializing nested EPT Greg Kroah-Hartman
2017-10-16 23:41 ` [PATCH 4.13 00/53] 4.13.8-stable review Shuah Khan
2017-10-17 6:59 ` Greg Kroah-Hartman
2017-10-17 0:25 ` Guenter Roeck
2017-10-17 13:21 ` Greg Kroah-Hartman
[not found] ` <20171016161443.534299546@linuxfoundation.org>
[not found] ` <866e97b1-08dd-fd43-7713-699759f63fcf@3CityElectronics.com>
2017-10-17 7:02 ` [PATCH 4.13 30/53] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel Jani Nikula
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171016161442.319188277@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=david@tulloh.id.au \
--cc=felipe.balbi@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).