usb: iowarrior: fix deadlock on disconnect

We have to drop the mutex before we close() upon disconnect() as close() needs the lock. This is safe to do by dropping the mutex as intfdata is already set to NULL, so open() will fail. Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior") Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com Cc: stable <stable@vger.kernel.org> Signed-off-by: Oliver Neukum <oneukum@suse.com> Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: iowarrior: fix deadlock on disconnect
We have to drop the mutex before we close() upon disconnect() as close() needs the lock. This is safe to do by dropping the mutex as intfdata is already set to NULL, so open() will fail. Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior") Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com Cc: stable <stable@vger.kernel.org> Signed-off-by: Oliver Neukum <oneukum@suse.com> Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Oliver Neukum · Greg Kroah-Hartman
1 parent 2ca359f4f8
Showing 1 changed file with 4 additions and 3 deletions Side-by-side Diff
drivers/usb/misc/iowarrior.c
@@ -866,19 +866,20 @@
 	dev = usb_get_intfdata(interface);
 	mutex_lock(&iowarrior_open_disc_lock);
 	usb_set_intfdata(interface, NULL);
+	/* prevent device read, write and ioctl */
+	dev->present = 0;
  
 	minor = dev->minor;
+	mutex_unlock(&iowarrior_open_disc_lock);
+	/* give back our minor - this will call close() locks need to be dropped at this point*/
  
-	/* give back our minor */
 	usb_deregister_dev(interface, &iowarrior_class);
  
 	mutex_lock(&dev->mutex);
  
 	/* prevent device read, write and ioctl */
-	dev->present = 0;
  
 	mutex_unlock(&dev->mutex);
-	mutex_unlock(&iowarrior_open_disc_lock);
  
 	if (dev->opened) {
 		/* There is a process that holds a filedescriptor to the device ,
...	...	@@ -866,19 +866,20 @@
866	866	dev = usb_get_intfdata(interface);
867	867	mutex_lock(&iowarrior_open_disc_lock);
868	868	usb_set_intfdata(interface, NULL);
	869	+ /* prevent device read, write and ioctl */
	870	+ dev->present = 0;
869	871
870	872	minor = dev->minor;
	873	+ mutex_unlock(&iowarrior_open_disc_lock);
	874	+ /* give back our minor - this will call close() locks need to be dropped at this point*/
871	875
872		- /* give back our minor */
873	876	usb_deregister_dev(interface, &iowarrior_class);
874	877
875	878	mutex_lock(&dev->mutex);
876	879
877	880	/* prevent device read, write and ioctl */
878		- dev->present = 0;
879	881
880	882	mutex_unlock(&dev->mutex);
881		- mutex_unlock(&iowarrior_open_disc_lock);
882	883
883	884	if (dev->opened) {
884	885	/* There is a process that holds a filedescriptor to the device ,