Commit 3e043e5d authored by Radoslav Gerganov, committed by Greg Kroah-Hartman

USB: gadget: f_hid: fix deadlock in f_hidg_write()

commit 072684e8 upstream.

In f_hidg_write() the write_spinlock is acquired before calling
usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
This is because dummy_queue() callbacks into f_hidg_req_complete() which
tries to acquire the same spinlock. This is (part of) the backtrace when
the deadlock occurs:

  0xffffffffc06b1410 in f_hidg_req_complete
  0xffffffffc06a590a in usb_gadget_giveback_request
  0xffffffffc06cfff2 in dummy_queue
  0xffffffffc06a4b96 in usb_ep_queue
  0xffffffffc06b1eb6 in f_hidg_write
  0xffffffff8127730b in __vfs_write
  0xffffffff812774d1 in vfs_write
  0xffffffff81277725 in SYSC_write

Fix this by releasing the write_spinlock before calling usb_ep_queue().

Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: stable@vger.kernel.org # 4.11+
Fixes: 749494b6 ("usb: gadget: f_hid: fix: Move IN request allocation to set_alt()")
Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 54333dcc
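The lock ordering the commit message describes, as an added user-space model that is not the kernel's code: a write path holds a lock while queueing a request, a dummy_hcd-style controller completes the request synchronously from inside the queue call, and the completion handler needs the same lock. The spinlock is modelled for a single CPU, so a second acquire while held is reported as -EDEADLK rather than spinning forever; that lets the pre-fix ordering and the fixed ordering be compared, including the error path that re-takes the lock to clear write_pending. The names hidg_write, dummy_ep_queue, hidg_req_complete, model_spinlock and the 8-byte report are hypothetical stand-ins for f_hidg_write(), usb_ep_queue(), f_hidg_req_complete() and write_spinlock.

```c
/* Added example (user-space model, not the kernel's code): reproduces the
 * f_hidg_write() deadlock. The spinlock is modelled for a single CPU: a
 * second acquire while held can never succeed, so it is reported as
 * -EDEADLK instead of spinning. All names are hypothetical stand-ins for
 * hidg, write_spinlock, usb_ep_queue and f_hidg_req_complete. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct model_spinlock { int held; };

static int model_spin_lock(struct model_spinlock *l)
{
    if (l->held)
        return -EDEADLK;  /* in the kernel this would spin forever */
    l->held = 1;
    return 0;
}

static void model_spin_unlock(struct model_spinlock *l) { l->held = 0; }

struct hidg_req;
typedef void (*complete_fn)(struct hidg_req *req);

struct hidg_req {
    const char *buf;
    size_t length;
    complete_fn complete;   /* stands in for req->complete */
    void *context;          /* stands in for req->context (the hidg) */
};

struct hidg {
    struct model_spinlock write_spinlock;
    int write_pending;
    int ep_enabled;         /* 0 models a disabled IN endpoint */
    int completion_error;   /* -EDEADLK if the completion self-deadlocked */
};

/* Completion handler: like f_hidg_req_complete(), it takes write_spinlock. */
static void hidg_req_complete(struct hidg_req *req)
{
    struct hidg *hidg = req->context;
    int rc = model_spin_lock(&hidg->write_spinlock);
    if (rc < 0) {
        hidg->completion_error = rc;  /* the caller still held the lock */
        return;
    }
    hidg->write_pending = 0;
    model_spin_unlock(&hidg->write_spinlock);
}

/* dummy_hcd-style queue: calls the completion back synchronously, before
 * returning to the caller. A disabled endpoint rejects the request. */
static int dummy_ep_queue(struct hidg_req *req)
{
    struct hidg *hidg = req->context;
    if (!hidg->ep_enabled)
        return -ESHUTDOWN;
    req->complete(req);
    return 0;
}

/* Write path modelled on f_hidg_write(). hold_lock_across_queue = 1 is the
 * pre-fix ordering; 0 drops the lock before queueing and re-takes it only
 * on the error path to clear write_pending, as the fix does. Returns count
 * or a negative errno. */
static long hidg_write(struct hidg *hidg, const char *buffer, size_t count,
                       int hold_lock_across_queue)
{
    struct hidg_req req = { buffer, count, hidg_req_complete, hidg };
    long status;

    model_spin_lock(&hidg->write_spinlock);
    hidg->write_pending = 1;
    if (!hold_lock_across_queue)
        model_spin_unlock(&hidg->write_spinlock);

    status = dummy_ep_queue(&req);
    if (status < 0) {
        if (!hold_lock_across_queue)
            model_spin_lock(&hidg->write_spinlock);
        hidg->write_pending = 0;
        model_spin_unlock(&hidg->write_spinlock);
        return status;
    }
    if (hold_lock_across_queue)
        model_spin_unlock(&hidg->write_spinlock);
    return (long)count;
}

struct write_outcome { long ret; int write_pending; int completion_error; };

/* Runs one constructed 8-byte report through hidg_write() on a fresh hidg
 * and reports the write's return value and the state it left behind. */
static struct write_outcome run_write(int hold_lock_across_queue, int ep_enabled)
{
    static const char report[8] = { 0x01, 0x00, 0x04, 0, 0, 0, 0, 0 };
    struct hidg hidg = { { 0 }, 0, ep_enabled, 0 };
    struct write_outcome out;

    out.ret = hidg_write(&hidg, report, sizeof report, hold_lock_across_queue);
    out.write_pending = hidg.write_pending;
    out.completion_error = hidg.completion_error;
    return out;
}

int main(void)
{
    struct write_outcome a = run_write(1, 1), b = run_write(0, 1), c = run_write(0, 0);

    printf("lock held across queue:    ret=%ld completion_error=%d write_pending=%d\n",
           a.ret, a.completion_error, a.write_pending);
    printf("lock dropped before queue: ret=%ld completion_error=%d write_pending=%d\n",
           b.ret, b.completion_error, b.write_pending);
    printf("disabled endpoint (fixed): ret=%ld write_pending=%d\n",
           c.ret, c.write_pending);
    return 0;
}
```

With the lock held across the queue call the completion handler cannot take it, so in the model it reports -EDEADLK and write_pending is never cleared; in the kernel the same ordering spins forever, which is the backtrace in the commit message. With the lock dropped first the completion runs to the end, and a queue failure still clears write_pending under the re-taken lock.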
...@@ -395,20 +395,20 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer, ...@@ -395,20 +395,20 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
req->complete = f_hidg_req_complete; req->complete = f_hidg_req_complete;
req->context = hidg; req->context = hidg;
spin_unlock_irqrestore(&hidg->write_spinlock, flags);
status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC); status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC);
if (status < 0) { if (status < 0) {
ERROR(hidg->func.config->cdev, ERROR(hidg->func.config->cdev,
"usb_ep_queue error on int endpoint %zd\n", status); "usb_ep_queue error on int endpoint %zd\n", status);
goto release_write_pending_unlocked; goto release_write_pending;
} else { } else {
status = count; status = count;
} }
spin_unlock_irqrestore(&hidg->write_spinlock, flags);
return status; return status;
release_write_pending: release_write_pending:
spin_lock_irqsave(&hidg->write_spinlock, flags); spin_lock_irqsave(&hidg->write_spinlock, flags);
release_write_pending_unlocked:
hidg->write_pending = 0; hidg->write_pending = 0;
spin_unlock_irqrestore(&hidg->write_spinlock, flags); spin_unlock_irqrestore(&hidg->write_spinlock, flags);
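Review bot: the `release_write_pending_unlocked:` label is removed, but this hunk only shows the usb_ep_queue() failure path being retargeted to `release_write_pending`; please confirm no earlier path in f_hidg_write() outside the hunk still jumps to the unlocked label while holding write_spinlock, since any such path would now either fail to build or, if retargeted to `release_write_pending`, take the lock twice. A one-line comment above the new `spin_unlock_irqrestore(&hidg->write_spinlock, flags);` stating that the lock must not be held across usb_ep_queue() because the completion callback (f_hidg_req_complete) acquires it would keep a later change from reintroducing the deadlock. Note the behavioural consequence of the new ordering: once the lock is dropped, f_hidg_req_complete() may run and clear write_pending before usb_ep_queue() returns, and on the error path write_pending is cleared again under the re-taken lock; that is harmless but should be a deliberate choice.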