linux/drivers/usb/misc
Alan Stern 9472aff16c USB: rio500: Fix lockdep violation
The syzbot fuzzer found a lockdep violation in the rio500 driver:

	======================================================
	WARNING: possible circular locking dependency detected
	5.3.0-rc2+ #23 Not tainted
	------------------------------------------------------
	syz-executor.2/20386 is trying to acquire lock:
	00000000772249c6 (rio500_mutex){+.+.}, at: open_rio+0x16/0xc0
	drivers/usb/misc/rio500.c:64

	but task is already holding lock:
	00000000d3e8f4b9 (minor_rwsem){++++}, at: usb_open+0x23/0x270
	drivers/usb/core/file.c:39

	which lock already depends on the new lock.

The problem is that the driver's open_rio() routine is called while
the usbcore's minor_rwsem is locked for reading, and it acquires the
rio500_mutex; whereas conversely, probe_rio() and disconnect_rio()
first acquire the rio500_mutex and then call usb_register_dev() or
usb_deregister_dev(), which lock minor_rwsem for writing.

The correct ordering of acquisition should be: minor_rwsem first, then
rio500_mutex (since the locking in open_rio() cannot be changed).
Thus, the probe and disconnect routines should avoid holding
rio500_mutex while doing their registration and deregistration.

This patch adjusts the code in those two routines to do just that.  It
also relies on the fact that the probe and disconnect routines are
protected by the device mutex, so the initial test of rio->present
needs no extra locking.

Reported-by: syzbot+7bbcbe9c9ff0cd49592a@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: d710734b06 ("USB: rio500: simplify locking")
Acked-by: Oliver Neukum <oneukum@suse.com>
CC: <stable@vger.kernel.org>

Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908081329240.1319-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-03 20:18:18 +02:00
sisusbvga USB: sisusbvga: Remove unneeded variable 2019-06-10 18:03:09 +02:00
adutux.c usb: clean up some of the computations in adu_read 2019-06-21 18:01:09 +02:00
appledisplay.c Merge 4.20-rc6 into usb-next 2018-12-10 10:19:08 +01:00
chaoskey.c USB: chaoskey: Use kasprintf() over strcpy()/strcat() 2018-02-22 15:17:05 +01:00
cypress_cy7c63.c USB: cypress_cy7c63: convert to use dev_groups 2019-08-09 07:55:44 +02:00
cytherm.c USB: cytherm: convert to use dev_groups 2019-08-09 07:55:44 +02:00
ehset.c
emi26.c
emi62.c
ezusb.c
ftdi-elan.c usb: ftdi-elan: fix possible condition with no effect (if == else) 2019-06-03 15:21:57 +02:00
idmouse.c
iowarrior.c usb: iowarrior: fix deadlock on disconnect 2019-08-08 12:43:18 +02:00
isight_firmware.c
Kconfig USB / PHY patches for 5.3-rc1 2019-07-11 15:40:06 -07:00
ldusb.c *: convert stream-like files from nonseekable_open -> stream_open 2019-05-06 17:46:41 +03:00
legousbtower.c usb: legousbtower: use irqsave() in USB's complete callback 2018-06-28 19:36:07 +09:00
lvstest.c USB: lvstest: convert to use dev_groups 2019-08-09 07:55:44 +02:00
Makefile
rio500_usb.h
rio500.c USB: rio500: Fix lockdep violation 2019-09-03 20:18:18 +02:00
trancevibrator.c USB: trancevibrator: convert to use dev_groups 2019-08-09 07:55:45 +02:00
usb251xb.c usb: usb251xb: Reallow swap-dx-lanes to apply to the upstream port 2019-07-25 11:16:19 +02:00
usb3503.c usb: misc: usb3503: get optional clock by devm_clk_get_optional() 2019-04-19 14:24:25 +02:00
usb4604.c
usb_u132.h
usblcd.c
usbsevseg.c USB: usbsevseg: convert to use dev_groups 2019-08-09 07:55:45 +02:00
usbtest.c usb: misc: usbtest: add super-speed isoc support 2019-02-13 13:03:23 +02:00
uss720.c usb: misc: uss720: Fix two sleep-in-atomic-context bugs 2018-09-05 14:36:53 +02:00
yurex.c usb: yurex: Fix use-after-free in yurex_delete 2019-08-05 17:27:52 +02:00