linux/drivers/usb/gadget/function
Alan Stern 1fbbb78f25 USB: g_mass_storage: Fix deadlock when driver is unbound
As a holdover from the old g_file_storage gadget, the g_mass_storage
legacy gadget driver attempts to unregister itself when its main
operating thread terminates (if it hasn't been unregistered already).
This is not strictly necessary; it was never more than an attempt to
have the gadget fail cleanly if something went wrong and the main
thread was killed.

However, now that the UDC core manages gadget drivers independently of
UDC drivers, this scheme doesn't work any more.  A simple test:

	modprobe dummy-hcd
	modprobe g-mass-storage file=...
	rmmod dummy-hcd

ends up in a deadlock with the following backtrace:

 sysrq: SysRq : Show Blocked State
   task                PC stack   pid father
 file-storage    D    0  1130      2 0x00000000
 Call Trace:
  __schedule+0x53e/0x58c
  schedule+0x6e/0x77
  schedule_preempt_disabled+0xd/0xf
  __mutex_lock.isra.1+0x129/0x224
  ? _raw_spin_unlock_irqrestore+0x12/0x14
  __mutex_lock_slowpath+0x12/0x14
  mutex_lock+0x28/0x2b
  usb_gadget_unregister_driver+0x29/0x9b [udc_core]
  usb_composite_unregister+0x10/0x12 [libcomposite]
  msg_cleanup+0x1d/0x20 [g_mass_storage]
  msg_thread_exits+0xd/0xdd7 [g_mass_storage]
  fsg_main_thread+0x1395/0x13d6 [usb_f_mass_storage]
  ? __schedule+0x573/0x58c
  kthread+0xd9/0xdb
  ? do_set_interface+0x25c/0x25c [usb_f_mass_storage]
  ? init_completion+0x1e/0x1e
  ret_from_fork+0x19/0x24
 rmmod           D    0  1155    683 0x00000000
 Call Trace:
  __schedule+0x53e/0x58c
  schedule+0x6e/0x77
  schedule_timeout+0x26/0xbc
  ? __schedule+0x573/0x58c
  do_wait_for_common+0xb3/0x128
  ? usleep_range+0x81/0x81
  ? wake_up_q+0x3f/0x3f
  wait_for_common+0x2e/0x45
  wait_for_completion+0x17/0x19
  fsg_common_put+0x34/0x81 [usb_f_mass_storage]
  fsg_free_inst+0x13/0x1e [usb_f_mass_storage]
  usb_put_function_instance+0x1a/0x25 [libcomposite]
  msg_unbind+0x2a/0x42 [g_mass_storage]
  __composite_unbind+0x4a/0x6f [libcomposite]
  composite_unbind+0x12/0x14 [libcomposite]
  usb_gadget_remove_driver+0x4f/0x77 [udc_core]
  usb_del_gadget_udc+0x52/0xcc [udc_core]
  dummy_udc_remove+0x27/0x2c [dummy_hcd]
  platform_drv_remove+0x1d/0x31
  device_release_driver_internal+0xe9/0x16d
  device_release_driver+0x11/0x13
  bus_remove_device+0xd2/0xe2
  device_del+0x19f/0x221
  ? selinux_capable+0x22/0x27
  platform_device_del+0x21/0x63
  platform_device_unregister+0x10/0x1a
  cleanup+0x20/0x817 [dummy_hcd]
  SyS_delete_module+0x10c/0x197
  ? ____fput+0xd/0xf
  ? task_work_run+0x55/0x62
  ? prepare_exit_to_usermode+0x65/0x75
  do_fast_syscall_32+0x86/0xc3
  entry_SYSENTER_32+0x4e/0x7c

What happens is that removing the dummy-hcd driver causes the UDC core
to unbind the gadget driver, which it does while holding the udc_lock
mutex.  The unbind routine in g_mass_storage tells the main thread to
exit and waits for it to terminate.

But as mentioned above, when the main thread exits it tries to
unregister the mass-storage function driver.  Via the composite
framework this ends up calling usb_gadget_unregister_driver(), which
tries to acquire the udc_lock mutex.  The result is deadlock.

The simplest way to fix the problem is not to be so clever: The main
thread doesn't have to unregister the function driver.  The side
effects won't be so terrible; if the gadget is still attached to a USB
host when the main thread is killed, it will appear to the host as
though the gadget's firmware has crashed -- a reasonably accurate
interpretation, and an all-too-common occurrence for USB mass-storage
devices.

In fact, the code to unregister the driver when the main thread exits
is specific to g-mass-storage; it is not used when f-mass-storage is
included as a function in a larger composite device.  Therefore the
entire mechanism responsible for this (the fsg_operations structure
with its ->thread_exits method, the fsg_common_set_ops() routine, and
the msg_thread_exits() callback routine) can all be eliminated.  Even
the msg_registered bitflag can be removed, because now the driver is
unregistered in only one place rather than in two places.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-09-22 18:29:00 +02:00
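The wait-for cycle described in the commit message, as an added example (a single-threaded userspace model, not code from the kernel or from the patch). The kernel function names appear only in comments and come from the backtrace; `struct model`, `unbind_deadlocks()` and the other identifiers are hypothetical, and the flag models whether the pre-fix `msg_thread_exits()` callback still unregisters the driver.

```c
#include <stdbool.h>
#include <stdio.h>

enum task { T_NONE = -1, T_RMMOD, T_FILE_STORAGE, T_COUNT };

struct model {
	enum task udc_lock_owner;      /* task holding udc_lock, or T_NONE */
	enum task waits_for[T_COUNT];  /* task each task is blocked on */
};

/* rmmod path: the UDC core takes udc_lock, then unbind waits for the thread. */
static void rmmod_unbind(struct model *m)
{
	m->udc_lock_owner = T_RMMOD;             /* usb_del_gadget_udc() */
	m->waits_for[T_RMMOD] = T_FILE_STORAGE;  /* wait_for_completion() in fsg_common_put() */
}

/* Main thread exit. Pre-fix, it first tries to unregister the driver. */
static void fsg_thread_exit(struct model *m, bool thread_exits_unregisters)
{
	if (thread_exits_unregisters && m->udc_lock_owner != T_NONE) {
		/* usb_gadget_unregister_driver() -> mutex_lock(): blocks on the owner */
		m->waits_for[T_FILE_STORAGE] = m->udc_lock_owner;
		return;
	}
	/* Thread terminates: anyone waiting on its completion is released. */
	m->waits_for[T_FILE_STORAGE] = T_NONE;
	for (int t = 0; t < T_COUNT; t++)
		if (m->waits_for[t] == T_FILE_STORAGE)
			m->waits_for[t] = T_NONE;
}

/* Follow waits-for edges; arriving back at the start task is a deadlock. */
static bool deadlocked(const struct model *m, enum task start)
{
	enum task t = m->waits_for[start];
	for (int hops = 0; t != T_NONE && hops < T_COUNT; hops++) {
		if (t == start)
			return true;
		t = m->waits_for[t];
	}
	return false;
}

bool unbind_deadlocks(bool thread_exits_unregisters)
{
	struct model m = { T_NONE, { T_NONE, T_NONE } };
	rmmod_unbind(&m);
	fsg_thread_exit(&m, thread_exits_unregisters);
	return deadlocked(&m, T_RMMOD);
}

int main(void)
{
	printf("pre-fix:  deadlock=%d\n", unbind_deadlocks(true));
	printf("post-fix: deadlock=%d\n", unbind_deadlocks(false));
	return 0;
}
```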
f_acm.c usb: gadget: acm: fix endianness in notifications 2017-03-22 11:20:52 +02:00
f_ecm.c
f_eem.c
f_fs.c usb: gadget: f_fs: Pass along set_halt errors. 2017-08-15 14:18:59 +03:00
f_hid.c usb: gadget: f_hid: {GET,SET} PROTOCOL Support 2017-08-15 12:46:03 +03:00
f_loopback.c
f_mass_storage.c USB: g_mass_storage: Fix deadlock when driver is unbound 2017-09-22 18:29:00 +02:00
f_mass_storage.h USB: g_mass_storage: Fix deadlock when driver is unbound 2017-09-22 18:29:00 +02:00
f_midi.c usb: gadget: f_midi: Use snd_card_free_when_closed with refcount 2017-08-15 14:18:47 +03:00
f_ncm.c usb: gadget: f_ncm/u_ether: Move 'SKB reserve' quirk setup to u_ether 2017-08-18 12:29:10 +03:00
f_obex.c
f_phonet.c networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
f_printer.c usb: gadget: function: printer: avoid spinlock recursion 2017-09-20 14:57:28 +03:00
f_rndis.c usb: gadget: add RNDIS configfs options for class/subclass/protocol 2017-08-15 14:18:56 +03:00
f_serial.c
f_sourcesink.c
f_subset.c
f_tcm.c usb: gadget: Correct usb EP argument for BOT status request 2017-03-30 01:36:50 -07:00
f_uac1_legacy.c usb: gadget: function: make current f_uac1 implementation legacy 2017-06-19 09:22:47 +03:00
f_uac1.c usb: gadget: f_uac1: endianness fixes. 2017-07-18 09:33:16 +03:00
f_uac2.c usb: gadget: f_uac2: endianness fixes. 2017-07-18 09:33:19 +03:00
f_uvc.c usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed 2017-03-22 11:21:09 +02:00
f_uvc.h
g_zero.h
Makefile usb: gadget: add f_uac1 variant based on a new u_audio api 2017-06-19 09:22:47 +03:00
ndis.h
rndis.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
rndis.h
storage_common.c
storage_common.h USB: f_mass_storage: improve memory barriers and synchronization 2017-05-16 10:38:33 +03:00
tcm.h
u_audio.c usb: gadget: make snd_pcm_hardware const 2017-08-28 11:39:33 +02:00
u_audio.h usb: gadget: f_uac2: split out audio core 2017-06-19 09:22:46 +03:00
u_ecm.h
u_eem.h
u_ether_configfs.h usb: gadget: add RNDIS configfs options for class/subclass/protocol 2017-08-15 14:18:56 +03:00
u_ether.c usb: gadget: f_ncm/u_ether: Move 'SKB reserve' quirk setup to u_ether 2017-08-18 12:29:10 +03:00
u_ether.h usb: gadget: f_ncm/u_ether: Move 'SKB reserve' quirk setup to u_ether 2017-08-18 12:29:10 +03:00
u_fs.h usb: gadget: function: f_fs: Move epfile waitqueue to ffs_data. 2017-06-02 11:22:31 +03:00
u_gether.h
u_hid.h
u_midi.h
u_ncm.h
u_phonet.h
u_printer.h usb: gadget: printer: Remove pnp_string static buffer 2017-01-24 11:04:08 +02:00
u_rndis.h usb: gadget: add RNDIS configfs options for class/subclass/protocol 2017-08-15 14:18:56 +03:00
u_serial.c usb: gadget: serial: fix oops when data rx'd after close 2017-08-18 12:28:50 +03:00
u_serial.h
u_tcm.h
u_uac1_legacy.c sound updates for 4.13-rc1 2017-07-06 10:56:51 -07:00
u_uac1_legacy.h usb: gadget: function: make current f_uac1 implementation legacy 2017-06-19 09:22:47 +03:00
u_uac1.h usb: gadget: add f_uac1 variant based on a new u_audio api 2017-06-19 09:22:47 +03:00
u_uac2.h usb: gadget: uac2: add req_number as parameter 2017-01-24 11:04:21 +02:00
u_uvc.h
uvc_configfs.c usb: gadget: uvc: Missing files for configfs interface 2017-04-11 10:57:59 +03:00
uvc_configfs.h
uvc_queue.c
uvc_queue.h
uvc_v4l2.c
uvc_v4l2.h
uvc_video.c
uvc_video.h
uvc.h