From patchwork Tue Mar  5 10:10:34 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Radoslav Gerganov <rgerganov@vmware.com>
X-Patchwork-Id: 10839203
Return-Path: <linux-usb-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 415491803
	for <patchwork-linux-usb@patchwork.kernel.org>;
 Tue,  5 Mar 2019 10:10:41 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2DE4D2B826
	for <patchwork-linux-usb@patchwork.kernel.org>;
 Tue,  5 Mar 2019 10:10:41 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 21CAC2B9BD; Tue,  5 Mar 2019 10:10:41 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham
	version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AB4152B826
	for <patchwork-linux-usb@patchwork.kernel.org>;
 Tue,  5 Mar 2019 10:10:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727100AbfCEKKj (ORCPT
        <rfc822;patchwork-linux-usb@patchwork.kernel.org>);
        Tue, 5 Mar 2019 05:10:39 -0500
Received: from mail-eopbgr770052.outbound.protection.outlook.com
 ([40.107.77.52]:39555
        "EHLO NAM02-SN1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726301AbfCEKKj (ORCPT <rfc822;linux-usb@vger.kernel.org>);
        Tue, 5 Mar 2019 05:10:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vmware.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=AXMDBcMFaWNarRCspRqyu1YoXKnyOncZIz2B4Rc5fDA=;
 b=aWpNLTjrlKnapmYlzewTvyM8/NsPrZiCy3dQWkxDHPmn9XCbbNyjlQMeaKI08mzc/wFFb13Zs8xGVV0J1oAYj1iO3jdOkVqOAkC6fDFq0CniC5C/wgL6RC0Ju4Amy4EzyuyNkQvQeiQt7UqM5QgaNWMqYKncEZDGBhrucSkRc9o=
Received: from DM6PR05MB5675.namprd05.prod.outlook.com (20.176.123.144) by
 DM6PR05MB4057.namprd05.prod.outlook.com (20.176.71.155) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1686.14; Tue, 5 Mar 2019 10:10:34 +0000
Received: from DM6PR05MB5675.namprd05.prod.outlook.com
 ([fe80::994c:cb80:ec29:eddf]) by DM6PR05MB5675.namprd05.prod.outlook.com
 ([fe80::994c:cb80:ec29:eddf%3]) with mapi id 15.20.1686.016; Tue, 5 Mar 2019
 10:10:34 +0000
From: Radoslav Gerganov <rgerganov@vmware.com>
To: "balbi@kernel.org" <balbi@kernel.org>
CC: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
        "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
        Radoslav Gerganov <rgerganov@vmware.com>
Subject: [PATCH] USB: gadget: f_hid: fix deadlock in f_hidg_write()
Thread-Topic: [PATCH] USB: gadget: f_hid: fix deadlock in f_hidg_write()
Thread-Index: AQHU0zurGn5lQkfjCUKsDDjLIdEWhQ==
Date: Tue, 5 Mar 2019 10:10:34 +0000
Message-ID: <1551780596-25163-1-git-send-email-rgerganov@vmware.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-clientproxiedby: VI1PR09CA0058.eurprd09.prod.outlook.com
 (2603:10a6:802:28::26) To DM6PR05MB5675.namprd05.prod.outlook.com
 (2603:10b6:5:e::16)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=rgerganov@vmware.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 1.9.1
x-originating-ip: [146.247.46.5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8a11abb3-ddde-48db-e9bb-08d6a152ce06
x-microsoft-antispam: 
 BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020);SRVR:DM6PR05MB4057;
x-ms-traffictypediagnostic: DM6PR05MB4057:
x-microsoft-exchange-diagnostics: 
 1;DM6PR05MB4057;20:Mr3cg87OTSSCW0rj9mLuO3Liikt8Llqz51CB5IlzeXSYKQYl6O5GfULQ/huwghx3kwM8TBRGXmaHQsGtu+RIbQmsU3iCZ5xGCihNoRLsq+cfqSakkTqiD6qAW3rqGmpKYe53ss4Tlp1cPBWi4VbioelZydyjENzk5d8c7GV969A=
x-microsoft-antispam-prvs: 
 <DM6PR05MB40578E32681EDF221A2EE73ADC720@DM6PR05MB4057.namprd05.prod.outlook.com>
x-forefront-prvs: 0967749BC1
x-forefront-antispam-report: 
 SFV:NSPM;SFS:(10009020)(39860400002)(366004)(376002)(396003)(136003)(346002)(189003)(199004)(71200400001)(4326008)(36756003)(6916009)(106356001)(6116002)(97736004)(3846002)(50226002)(8676002)(53936002)(14454004)(2501003)(105586002)(107886003)(2351001)(5660300002)(305945005)(316002)(14444005)(99286004)(256004)(5640700003)(7736002)(102836004)(478600001)(68736007)(66066001)(6512007)(54906003)(8936002)(81156014)(52116002)(1730700003)(386003)(26005)(6506007)(25786009)(81166006)(6486002)(6436002)(186003)(2906002)(86362001)(2616005)(71190400001)(486006)(476003);DIR:OUT;SFP:1101;SCL:1;SRVR:DM6PR05MB4057;H:DM6PR05MB5675.namprd05.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: vmware.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 
 9PtHTuDrglWLwwGuCkbCnEqAjIlo4Nr4ZEKXx5PrfDeOfpStU+R8JbpYKv0Ju6vvvh41TS53WIHzS2UdatmnwxCbxf2eFilEXjeMvODu4/SZfDrSPASxXvLpfIXFftD+YPBXGNUDp2Ii2B7zmJjb9xTbfJpAhpkB6kytXXhjZovgV1LiZl8Cn1YM0wAyW0347UNLzih5oQUm1KgbSzxGeYBCgRnoEW9oK3NWQ5tCVO0a4OhebH03b7dymI59JdWtcJ9u+wEIfkzcfPjy5JAUO/dwbIF9CkLgJi4i0A3saqp23RAbGzuyDi6xociHNAcj0x7teD30QeAQanzsr4qUSQuRVD3bvy1BNChPVMIc79/bvBBz6A8b69zSS2iE5cI5PWkx4nXloq0qx691BcPg2oBHU71sI9FE5Y3SgaPAYQk=
MIME-Version: 1.0
X-OriginatorOrg: vmware.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 8a11abb3-ddde-48db-e9bb-08d6a152ce06
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2019 10:10:34.3279
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4057
Sender: linux-usb-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-usb.vger.kernel.org>
X-Mailing-List: linux-usb@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

In f_hidg_write() the write_spinlock is acquired before calling
usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
This is because dummy_queue() callbacks into f_hidg_req_complete() which
tries to acquire the same spinlock. This is (part of) the backtrace when
the deadlock occurs:

  0xffffffffc06b1410 in f_hidg_req_complete
  0xffffffffc06a590a in usb_gadget_giveback_request
  0xffffffffc06cfff2 in dummy_queue
  0xffffffffc06a4b96 in usb_ep_queue
  0xffffffffc06b1eb6 in f_hidg_write
  0xffffffff8127730b in __vfs_write
  0xffffffff812774d1 in vfs_write
  0xffffffff81277725 in SYSC_write

Fix this by releasing the write_spinlock before calling usb_ep_queue()

Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 drivers/usb/gadget/function/f_hid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 54e859d..492bb44 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -391,20 +391,20 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
 	req->complete = f_hidg_req_complete;
 	req->context  = hidg;
 
+	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
+
 	status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC);
 	if (status < 0) {
 		ERROR(hidg->func.config->cdev,
 			"usb_ep_queue error on int endpoint %zd\n", status);
-		goto release_write_pending_unlocked;
+		goto release_write_pending;
 	} else {
 		status = count;
 	}
-	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
 
 	return status;
 release_write_pending:
 	spin_lock_irqsave(&hidg->write_spinlock, flags);
-release_write_pending_unlocked:
 	hidg->write_pending = 0;
 	spin_unlock_irqrestore(&hidg->write_spinlock, flags);