| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Dec 2016 11:24:44 +0800
From: Baolin Wang <baolin.wang@...aro.org>
To: Michal Nazarewicz <mina86@...a86.com>
Cc: Felipe Balbi <balbi@...nel.org>,
Greg KH <gregkh@...uxfoundation.org>, felixhaedicke@....de,
jilin@...dia.com, dan.carpenter@...cle.com, lars@...afoo.de,
USB <linux-usb@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Mark Brown <broonie@...nel.org>
Subject: Re: [PATCH] usb: gadget: f_fs: Fix possibe deadlock
Hi Michal,
On 8 December 2016 at 23:18, Michal Nazarewicz <mina86@...a86.com> wrote:
> On Thu, Dec 08 2016, Baolin Wang wrote:
>> When system try to close /dev/usb-ffs/adb/ep0 on one core, at the same
>> time another core try to attach new UDC, which will cause deadlock as
>> below scenario. Thus we should release ffs lock before issuing
>> unregister_gadget_item().
>>
>> [ 52.642225] c1 ======================================================
>> [ 52.642228] c1 [ INFO: possible circular locking dependency detected ]
>> [ 52.642236] c1 4.4.6+ #1 Tainted: G W O
>> [ 52.642241] c1 -------------------------------------------------------
>> [ 52.642245] c1 usb ffs open/2808 is trying to acquire lock:
>> [ 52.642270] c0 (udc_lock){+.+.+.}, at: [<ffffffc00065aeec>]
>> usb_gadget_unregister_driver+0x3c/0xc8
>> [ 52.642272] c1 but task is already holding lock:
>> [ 52.642283] c0 (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
>> ffs_data_clear+0x30/0x140
>> [ 52.642285] c1 which lock already depends on the new lock.
>> [ 52.642287] c1
>> the existing dependency chain (in reverse order) is:
>> [ 52.642295] c0
>> -> #1 (ffs_lock){+.+.+.}:
>> [ 52.642307] c0 [<ffffffc00012340c>] __lock_acquire+0x20f0/0x2238
>> [ 52.642314] c0 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
>> [ 52.642322] c0 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
>> [ 52.642328] c0 [<ffffffc00066f7bc>] ffs_func_bind+0x504/0x6e8
>> [ 52.642334] c0 [<ffffffc000654004>] usb_add_function+0x84/0x184
>> [ 52.642340] c0 [<ffffffc000658ca4>] configfs_composite_bind+0x264/0x39c
>> [ 52.642346] c0 [<ffffffc00065b348>] udc_bind_to_driver+0x58/0x11c
>> [ 52.642352] c0 [<ffffffc00065b49c>] usb_udc_attach_driver+0x90/0xc8
>> [ 52.642358] c0 [<ffffffc0006598e0>] gadget_dev_desc_UDC_store+0xd4/0x128
>> [ 52.642369] c0 [<ffffffc0002c14e8>] configfs_write_file+0xd0/0x13c
>> [ 52.642376] c0 [<ffffffc00023c054>] vfs_write+0xb8/0x214
>> [ 52.642381] c0 [<ffffffc00023cad4>] SyS_write+0x54/0xb0
>> [ 52.642388] c0 [<ffffffc000085ff0>] el0_svc_naked+0x24/0x28
>> [ 52.642395] c0
>> -> #0 (udc_lock){+.+.+.}:
>> [ 52.642401] c0 [<ffffffc00011e3d0>] print_circular_bug+0x84/0x2e4
>> [ 52.642407] c0 [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
>> [ 52.642412] c0 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
>> [ 52.642420] c0 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
>> [ 52.642427] c0 [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
>> [ 52.642432] c0 [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
>> [ 52.642439] c0 [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
>> [ 52.642444] c0 [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
>> [ 52.642450] c0 [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
>> [ 52.642454] c0 [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
>> [ 52.642460] c0 [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
>> [ 52.642466] c0 [<ffffffc00023dd9c>] ____fput+0x20/0x2c
>> [ 52.642473] c0 [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
>> [ 52.642482] c0 [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
>> [ 52.642487] c0 [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
>> [ 52.642494] c0 [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
>> [ 52.642501] c0 [<ffffffc00008a8f0>] do_signal+0x154/0x518
>> [ 52.642507] c0 [<ffffffc00008af00>] do_notify_resume+0x70/0x78
>> [ 52.642512] c0 [<ffffffc000085ee8>] work_pending+0x1c/0x20
>> [ 52.642514] c1
>> other info that might help us debug this:
>> [ 52.642517] c1 Possible unsafe locking scenario:
>> [ 52.642518] c1 CPU0 CPU1
>> [ 52.642520] c1 ---- ----
>> [ 52.642525] c0 lock(ffs_lock);
>> [ 52.642529] c0 lock(udc_lock);
>> [ 52.642533] c0 lock(ffs_lock);
>> [ 52.642537] c0 lock(udc_lock);
>> [ 52.642539] c1
>> *** DEADLOCK ***
>> [ 52.642543] c1 1 lock held by usb ffs open/2808:
>> [ 52.642555] c0 #0: (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
>> ffs_data_clear+0x30/0x140
>> [ 52.642557] c1 stack backtrace:
>> [ 52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
>> [ 52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
>> [ 52.642568] c1 Call trace:
>> [ 52.642573] c1 [<ffffffc00008b430>] dump_backtrace+0x0/0x170
>> [ 52.642577] c1 [<ffffffc00008b5c0>] show_stack+0x20/0x28
>> [ 52.642583] c1 [<ffffffc000422694>] dump_stack+0xa8/0xe0
>> [ 52.642587] c1 [<ffffffc00011e548>] print_circular_bug+0x1fc/0x2e4
>> [ 52.642591] c1 [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
>> [ 52.642595] c1 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
>> [ 52.642599] c1 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
>> [ 52.642604] c1 [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
>> [ 52.642608] c1 [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
>> [ 52.642613] c1 [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
>> [ 52.642618] c1 [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
>> [ 52.642621] c1 [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
>> [ 52.642625] c1 [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
>> [ 52.642629] c1 [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
>> [ 52.642633] c1 [<ffffffc00023dd9c>] ____fput+0x20/0x2c
>> [ 52.642636] c1 [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
>> [ 52.642640] c1 [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
>> [ 52.642644] c1 [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
>> [ 52.642647] c1 [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
>> [ 52.642651] c1 [<ffffffc00008a8f0>] do_signal+0x154/0x518
>> [ 52.642656] c1 [<ffffffc00008af00>] do_notify_resume+0x70/0x78
>> [ 52.642659] c1 [<ffffffc000085ee8>] work_pending+0x1c/0x20
>>
>> Signed-off-by: Baolin Wang <baolin.wang@...aro.org>
>
> Acked-by: Michal Nazarewicz <mina86@...a86.com>
Thanks for your ACK.
>
>> ---
>> drivers/usb/gadget/function/f_fs.c | 8 ++++++--
>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
>> index 0780d83..93de3b9 100644
>> --- a/drivers/usb/gadget/function/f_fs.c
>> +++ b/drivers/usb/gadget/function/f_fs.c
>> @@ -3666,6 +3666,7 @@ static void ffs_closed(struct ffs_data *ffs)
>> {
>> struct ffs_dev *ffs_obj;
>> struct f_fs_opts *opts;
>> + struct config_item *ci;
>>
>> ENTER();
>> ffs_dev_lock();
>> @@ -3689,8 +3690,11 @@ static void ffs_closed(struct ffs_data *ffs)
>> || !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount))
>> goto done;
>>
>> - unregister_gadget_item(ffs_obj->opts->
>> - func_inst.group.cg_item.ci_parent->ci_parent);
>> + ci = opts->func_inst.group.cg_item.ci_parent->ci_parent;
>> + ffs_dev_unlock();
>> +
>> + unregister_gadget_item(ci);
>> + return;
>> done:
>> ffs_dev_unlock();
>> }
>> --
>> 1.7.9.5
>>
>
> --
> Best regards
> ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
> «If at first you don’t succeed, give up skydiving»
--
Baolin.wang
Best Regards
Powered by blists - more mailing lists