From patchwork Wed Nov 18 19:25:55 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adi Ratiu X-Patchwork-Id: 7652351 X-Patchwork-Delegate: jikos@jikos.cz Return-Path: X-Original-To: patchwork-linux-input@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id E92B19F392 for ; Wed, 18 Nov 2015 19:26:07 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 22127205AA for ; Wed, 18 Nov 2015 19:26:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 40F912034B for ; Wed, 18 Nov 2015 19:26:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756674AbbKRT0C (ORCPT ); Wed, 18 Nov 2015 14:26:02 -0500 Received: from mail-wm0-f47.google.com ([74.125.82.47]:38404 "EHLO mail-wm0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756781AbbKRT0A (ORCPT ); Wed, 18 Nov 2015 14:26:00 -0500 Received: by wmec201 with SMTP id c201so87803619wme.1 for ; Wed, 18 Nov 2015 11:25:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adirat-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=ya1br+b+p+uHOdAncJSLTDO7T+4Wj9At3rfZU57JqPs=; b=catq0UpLh5iNSULy4wLUtdKTwZIiTD/s2ZOO5ILORdSP8/F1wecaK8iT7iPnMqK5lK 6aTeyRJfYgvfFaSMopEEfbwc4dPiG96eDbvhQ/PyoMz4ZxcW9aN0y9+rYVytFE4x3Sgb Kz//s6VHLpJ8D1moCNSLPayyFpM+IRrLX8Bf61cF0K0B7am+SoXCFexANQjJpyHDnYbH 6FClIHY4UnQprzbDg452LvykJJuT4j4p95//dc8g6nHoykbm0z5z+4DnAs6kwHCw++KU GGEdU7GPwLgNNdi2YvYOrjciHsA/urAcEFLUH4ui9BvljhFMV0Tv31TJVu6ArjuiE6uC iRdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=ya1br+b+p+uHOdAncJSLTDO7T+4Wj9At3rfZU57JqPs=; b=L3Z9G9AWy90x05pTf2y+9PyS+EImLlImx+xVBhoIwu5kzqg2941iUBqyqIBjGzhGVi 0qgdlH369CR3zB9ibO5YancSgQhFGIBvpFdQucej73UvTpq3m60t1Ox9k3GZb4O12OBJ Q33deeEu4/3wR45HuElBNU8eP6SNurBIhwLNXvTPF/yZS+OKDPcykJ/7W010hiI80ofU B57FLdPn43RJY2qWymjR2JERVh99Pp5pwaHBSkNwXF+qNieQZ9v+McWNx4Xx/mbE+5P3 Eps2TeLDxvNHAN6yrfh7OPrHfqVaC2pCfUHy1G7tHcek9KmXPB48idzI22TfipYt3lrm GNiA== X-Gm-Message-State: ALoCoQn2IeuVhBYQj7hIE2JJ0fZ/I8HfFT3bmt08dB/GRerFIiL6NZ0qz3ZkFWr7ZzJ4LoUgeYC9 X-Received: by 10.194.93.234 with SMTP id cx10mr129735wjb.62.1447874759324; Wed, 18 Nov 2015 11:25:59 -0800 (PST) Received: from adipc.lan ([188.24.12.4]) by smtp.gmail.com with ESMTPSA id k133sm4728035wmg.18.2015.11.18.11.25.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 18 Nov 2015 11:25:58 -0800 (PST) From: Ioan-Adrian Ratiu To: jikos@kernel.org Cc: pinglinux@gmail.com, linux-usb@vger.kernel.org, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] hid: usbhid: hid-core: fix recursive deadlock Date: Wed, 18 Nov 2015 21:25:55 +0200 Message-Id: <1447874755-8673-1-git-send-email-adi@adirat.com> X-Mailer: git-send-email 2.6.3 Sender: linux-input-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-input@vger.kernel.org X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The critical section protected by usbhid->lock in hid_ctrl() is too big and in rare cases causes a recursive deadlock because of its call to hid_input_report(). This deadlock reproduces on newer wacom tablets like 056a:033c because the wacom driver in its irq handler ends up calling hid_hw_request() from wacom_intuos_schedule_prox_event() in wacom_wac.c. What this means is that it submits a report to reschedule a proximity read through a sync ctrl call which grabs the lock in hid_ctrl(struct urb *urb) before calling hid_input_report(). When the irq kicks in on the same cpu, it also tries to grab the lock resulting in a recursive deadlock. The proper fix is to shrink the critical section in hid_ctrl() to protect only the instructions which modify usbhid, thus move the lock after the hid_input_report() call and the deadlock dissapears. Signed-off-by: Ioan-Adrian Ratiu --- drivers/hid/usbhid/hid-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index 36712e9..5dd426f 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -477,8 +477,6 @@ static void hid_ctrl(struct urb *urb) struct usbhid_device *usbhid = hid->driver_data; int unplug = 0, status = urb->status; - spin_lock(&usbhid->lock); - switch (status) { case 0: /* success */ if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN) @@ -498,6 +496,8 @@ static void hid_ctrl(struct urb *urb) hid_warn(urb->dev, "ctrl urb status %d received\n", status); } + spin_lock(&usbhid->lock); + if (unplug) { usbhid->ctrltail = usbhid->ctrlhead; } else {