stable.vger.kernel.org archive mirror
* [PATCH] USB: gadget: f_hid: fix deadlock in f_hidg_write()
@ 2019-03-20  8:59 Felipe Balbi
  0 siblings, 0 replies; 4+ messages in thread
From: Felipe Balbi @ 2019-03-20  8:59 UTC (permalink / raw)
  To: Linux USB; +Cc: Radoslav Gerganov, James Bottomley, stable, Felipe Balbi

From: Radoslav Gerganov <rgerganov@vmware.com>

In f_hidg_write() the write_spinlock is acquired before calling
usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
This is because dummy_queue() callbacks into f_hidg_req_complete() which
tries to acquire the same spinlock. This is (part of) the backtrace when
the deadlock occurs:

  0xffffffffc06b1410 in f_hidg_req_complete
  0xffffffffc06a590a in usb_gadget_giveback_request
  0xffffffffc06cfff2 in dummy_queue
  0xffffffffc06a4b96 in usb_ep_queue
  0xffffffffc06b1eb6 in f_hidg_write
  0xffffffff8127730b in __vfs_write
  0xffffffff812774d1 in vfs_write
  0xffffffff81277725 in SYSC_write

Fix this by releasing the write_spinlock before calling usb_ep_queue()

Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: stable@vger.kernel.org # 4.11+
Fixes: 749494b6bdbb ("usb: gadget: f_hid: fix: Move IN request allocation to set_alt()")
Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
---
 drivers/usb/gadget/function/f_hid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 75b113a5b25c..f3816a5c861e 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -391,20 +391,20 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
 	req->complete = f_hidg_req_complete;
 	req->context  = hidg;
 
+	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
+
 	status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC);
 	if (status < 0) {
 		ERROR(hidg->func.config->cdev,
 			"usb_ep_queue error on int endpoint %zd\n", status);
-		goto release_write_pending_unlocked;
+		goto release_write_pending;
 	} else {
 		status = count;
 	}
-	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
 
 	return status;
 release_write_pending:
 	spin_lock_irqsave(&hidg->write_spinlock, flags);
-release_write_pending_unlocked:
 	hidg->write_pending = 0;
 	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
 
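Review bot: the spin_unlock_irqrestore() added ahead of usb_ep_queue() needs a short comment saying why the lock must be dropped at this point. The commit message explains that f_hidg_req_complete() can run synchronously from usb_ep_queue() (dummy_hcd) and takes write_spinlock itself, but nothing in the code records that, so a later cleanup could move the unlock back below the queue call and reintroduce the deadlock. Separately, usb_ep_queue() is still passed GFP_ATOMIC although write_spinlock is no longer held across the call; if nothing else on this path requires atomic context, either say so in the changelog or relax the flag in a follow-up. The error path is consistent with the move: "goto release_write_pending" retakes the lock before clearing write_pending.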
-- 
2.21.0



* [PATCH] USB: gadget: f_hid: fix deadlock in f_hidg_write()
@ 2019-04-01 10:54 Radoslav Gerganov
  2019-04-01 10:58 ` Radoslav Gerganov
  0 siblings, 1 reply; 4+ messages in thread
From: Radoslav Gerganov @ 2019-04-01 10:54 UTC (permalink / raw)
  To: gregkh@linuxfoundation.org, james.bottomley@hansenpartnership.com,
	felipe.balbi@linux.intel.com
  Cc: stable@vger.kernel.org, Radoslav Gerganov

commit 072684e8c58d17e853f8e8b9f6d9ce2e58d2b036 upstream.

In f_hidg_write() the write_spinlock is acquired before calling
usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
This is because dummy_queue() callbacks into f_hidg_req_complete() which
tries to acquire the same spinlock. This is (part of) the backtrace when
the deadlock occurs:

  0xffffffffc06b1410 in f_hidg_req_complete
  0xffffffffc06a590a in usb_gadget_giveback_request
  0xffffffffc06cfff2 in dummy_queue
  0xffffffffc06a4b96 in usb_ep_queue
  0xffffffffc06b1eb6 in f_hidg_write
  0xffffffff8127730b in __vfs_write
  0xffffffff812774d1 in vfs_write
  0xffffffff81277725 in SYSC_write

Fix this by releasing the write_spinlock before calling usb_ep_queue()

Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: stable@vger.kernel.org
Fixes: 749494b6bdbb ("usb: gadget: f_hid: fix: Move IN request allocation to set_alt()")
Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
---
 drivers/usb/gadget/function/f_hid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 5815120..8e83649 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -340,20 +340,20 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
 	req->complete = f_hidg_req_complete;
 	req->context  = hidg;
 
+	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
+
 	status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC);
 	if (status < 0) {
 		ERROR(hidg->func.config->cdev,
 			"usb_ep_queue error on int endpoint %zd\n", status);
-		goto release_write_pending_unlocked;
+		goto release_write_pending;
 	} else {
 		status = count;
 	}
-	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
 
 	return status;
 release_write_pending:
 	spin_lock_irqsave(&hidg->write_spinlock, flags);
-release_write_pending_unlocked:
 	hidg->write_pending = 0;
 	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
 
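Review bot: usb_ep_queue() in this backport is passed hidg->req, and with the unlock moved above the call that field is now read after write_spinlock has been dropped; the upstream version of the hunk passes a local req instead. If hidg->req can be changed or freed by another path that takes write_spinlock (not visible in this hunk), copy it to a local while the lock is still held and queue the local, or state in the changelog why the unlocked read is safe on this branch. The rest matches upstream: the failure path now goes through release_write_pending, which retakes the lock before clearing write_pending.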
-- 
1.9.1
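
The locking pattern described in the commit message (the same text in the original posting and in the backport above), as an added example that is not part of the thread or of the kernel source. It is a single-threaded userspace model: every `model_*` name is constructed, and the lock reports a re-acquisition instead of spinning so the program can finish.

```c
/* Added example: userspace model of f_hidg_write() locking; model_* names are constructed. */
#include <stdio.h>
struct model_lock { int held; };
struct model_hidg { struct model_lock write_lock; int write_pending; int deadlocks; };
/* A real spinlock would spin forever here; the model reports it instead. */
static int model_lock_acquire(struct model_lock *l)
{
	if (l->held)
		return -1;
	l->held = 1;
	return 0;
}
static void model_lock_release(struct model_lock *l) { l->held = 0; }

/* Stands in for f_hidg_req_complete(); clearing write_pending is assumed. */
static void model_complete(struct model_hidg *h)
{
	if (model_lock_acquire(&h->write_lock) < 0) {
		h->deadlocks++;
		return;
	}
	h->write_pending = 0;
	model_lock_release(&h->write_lock);
}

/* Stands in for usb_ep_queue() on a controller that completes inline. */
static int model_ep_queue(struct model_hidg *h) { model_complete(h); return 0; }

/* unlock_first: 0 = before the patch, 1 = after. Returns would-be deadlocks. */
int model_write(int unlock_first, int *pending)
{
	struct model_hidg h = { { 0 }, 0, 0 };
	model_lock_acquire(&h.write_lock);
	h.write_pending = 1;
	if (unlock_first)
		model_lock_release(&h.write_lock);
	model_ep_queue(&h);
	if (!unlock_first)
		model_lock_release(&h.write_lock);
	*pending = h.write_pending;
	return h.deadlocks;
}

int main(void)
{
	int p, before = model_write(0, &p), after = model_write(1, &p);
	printf("deadlocks before patch: %d, after: %d\n", before, after);
	return 0;
}
```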



* Re: [PATCH] USB: gadget: f_hid: fix deadlock in f_hidg_write()
  2019-04-01 10:54 [PATCH] USB: gadget: f_hid: fix deadlock in f_hidg_write() Radoslav Gerganov
@ 2019-04-01 10:58 ` Radoslav Gerganov
  2019-04-01 11:33   ` gregkh
  0 siblings, 1 reply; 4+ messages in thread
From: Radoslav Gerganov @ 2019-04-01 10:58 UTC (permalink / raw)
  To: gregkh@linuxfoundation.org, james.bottomley@hansenpartnership.com,
	felipe.balbi@linux.intel.com
  Cc: stable@vger.kernel.org

On  1.04.2019 13:54, Radoslav Gerganov wrote:
> commit 072684e8c58d17e853f8e8b9f6d9ce2e58d2b036 upstream.
> 
> In f_hidg_write() the write_spinlock is acquired before calling
> usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
> This is because dummy_queue() callbacks into f_hidg_req_complete() which
> tries to acquire the same spinlock. This is (part of) the backtrace when
> the deadlock occurs:
> 

This is the backport of commit 072684e8c to the stable 4.9 branch.
I missed pointing that out in the subject line, sorry.

Thanks,
Rado


* Re: [PATCH] USB: gadget: f_hid: fix deadlock in f_hidg_write()
  2019-04-01 10:58 ` Radoslav Gerganov
@ 2019-04-01 11:33   ` gregkh
  0 siblings, 0 replies; 4+ messages in thread
From: gregkh @ 2019-04-01 11:33 UTC (permalink / raw)
  To: Radoslav Gerganov
  Cc: james.bottomley@hansenpartnership.com,
	felipe.balbi@linux.intel.com, stable@vger.kernel.org

On Mon, Apr 01, 2019 at 10:58:57AM +0000, Radoslav Gerganov wrote:
> On  1.04.2019 13:54, Radoslav Gerganov wrote:
> > commit 072684e8c58d17e853f8e8b9f6d9ce2e58d2b036 upstream.
> > 
> > In f_hidg_write() the write_spinlock is acquired before calling
> > usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
> > This is because dummy_queue() callbacks into f_hidg_req_complete() which
> > tries to acquire the same spinlock. This is (part of) the backtrace when
> > the deadlock occurs:
> > 
> 
> This is the backport of commit 072684e8c to the stable 4.9 branch.
> I missed pointing that out in the subject line, sorry.

Not a problem at all, thanks for the backport, now queued up.

greg k-h
