Message-ID: <tencent_E44436084AA874977705670A3CDD37BE9609@qq.com>
Date: Sun, 14 Jan 2024 16:20:17 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+2b131f51bb4af224ab40@...kaller.appspotmail.com
Cc: davem@...emloft.net,
edumazet@...gle.com,
gregkh@...uxfoundation.org,
hdanton@...a.com,
krzysztof.kozlowski@...aro.org,
kuba@...nel.org,
linux-kernel@...r.kernel.org,
netdev@...r.kernel.org,
pabeni@...hat.com,
penguin-kernel@...ove.sakura.ne.jp,
stern@...land.harvard.edu,
syzkaller-bugs@...glegroups.com,
torvalds@...ux-foundation.org
Subject: [PATCH] nfc/nci: fix task hung in nfc_targets_found
nci_start_poll() holds the dev->mutex required by the kworker of nci_close_device(),
and the related tasks are as follows:
|cpu0                         |cpu1                                         |cpu2                    |
|nci_close_device()           |                                             |                        |
|mutex_lock(&ndev->req_lock); |                                             |                        |
|...                          |nfc_genl_start_poll()                        |                        |
|flush_workqueue(ndev->rx_wq) |mutex_lock(&dev->genl_data.genl_data_mutex); |                        |
|                             |nfc_start_poll()                             |                        |
|                             |device_lock(&dev->dev);                      |process_one_work()      |
|                             |nci_start_poll()                             |nfc_targets_found()     |
|                             |nci_request()                                |device_lock(&dev->dev); |
|                             |mutex_lock(&ndev->req_lock);                 |                        |
Therefore, before applying for req_lock in nci_request(), it should be determined
whether the execution of nci_close_device() has already begun.
Reported-and-tested-by: syzbot+2b131f51bb4af224ab40@...kaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
net/nfc/nci/core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 6c9592d05120..9a277228a875 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -145,6 +145,8 @@ inline int nci_request(struct nci_dev *ndev,
{
int rc;
+ if (test_bit(NCI_UNREG, &ndev->flags))
+ return -ENODEV;
/* Serialize all requests */
mutex_lock(&ndev->req_lock);
/* check the state after obtaing the lock against any races
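Review bot: the new test_bit(NCI_UNREG, &ndev->flags) check in nci_request() runs before mutex_lock(&ndev->req_lock), so it is not serialized against the close path: a close that begins after the test but before the mutex_lock() still leaves this caller blocking on req_lock while holding the device lock, which is the dependency the table in the commit message describes. The changelog says the check should detect that nci_close_device() has begun, but the hunk tests NCI_UNREG and does not show where that flag is set relative to nci_close_device() taking req_lock; please state that in the changelog, along with why the remaining window is acceptable. A one-line comment above the check explaining why it sits outside the lock, unlike the existing state check after the lock is taken, would help future readers, and the patch carries no Fixes: tag identifying the commit that introduced the hang.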
--
2.43.0