Commit bd9ba5d3 authored by Oliver Neukum's avatar Oliver Neukum Committed by Khalid Elmously

usb: iowarrior: fix deadlock on disconnect

BugLink: https://bugs.launchpad.net/bugs/1845038

commit c468a8aa upstream.

We have to drop the mutex before we close() upon disconnect()
as close() needs the lock. This is safe to do by dropping the
mutex as intfdata is already set to NULL, so open() will fail.

Fixes: 03f36e88 ("USB: open disconnect race in iowarrior")
Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent 18373d1c
...@@ -898,19 +898,20 @@ static void iowarrior_disconnect(struct usb_interface *interface) ...@@ -898,19 +898,20 @@ static void iowarrior_disconnect(struct usb_interface *interface)
dev = usb_get_intfdata(interface); dev = usb_get_intfdata(interface);
mutex_lock(&iowarrior_open_disc_lock); mutex_lock(&iowarrior_open_disc_lock);
usb_set_intfdata(interface, NULL); usb_set_intfdata(interface, NULL);
/* prevent device read, write and ioctl */
dev->present = 0;
minor = dev->minor; minor = dev->minor;
mutex_unlock(&iowarrior_open_disc_lock);
/* give back our minor - this will call close() locks need to be dropped at this point*/
/* give back our minor */
usb_deregister_dev(interface, &iowarrior_class); usb_deregister_dev(interface, &iowarrior_class);
mutex_lock(&dev->mutex); mutex_lock(&dev->mutex);
/* prevent device read, write and ioctl */ /* prevent device read, write and ioctl */
dev->present = 0;
mutex_unlock(&dev->mutex); mutex_unlock(&dev->mutex);
mutex_unlock(&iowarrior_open_disc_lock);
if (dev->opened) { if (dev->opened) {
/* There is a process that holds a filedescriptor to the device , /* There is a process that holds a filedescriptor to the device ,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment