Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

usb: iowarrior: fix deadlock on disconnect

We have to drop the mutex before we close() upon disconnect()
as close() needs the lock. This is safe to do by dropping the
mutex as intfdata is already set to NULL, so open() will fail.

Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Authored by Oliver Neukum and committed by Greg Kroah-Hartman
c468a8aa 2ca359f4

+4 -3
drivers/usb/misc/iowarrior.c
··· 866 866 dev = usb_get_intfdata(interface); 867 867 mutex_lock(&iowarrior_open_disc_lock); 868 868 usb_set_intfdata(interface, NULL); 869 + /* prevent device read, write and ioctl */ 870 + dev->present = 0; 869 871 870 872 minor = dev->minor; 873 + mutex_unlock(&iowarrior_open_disc_lock); 874 + /* give back our minor - this will call close() locks need to be dropped at this point*/ 871 875 872 - /* give back our minor */ 873 876 usb_deregister_dev(interface, &iowarrior_class); 874 877 875 878 mutex_lock(&dev->mutex); 876 879 877 880 /* prevent device read, write and ioctl */ 878 - dev->present = 0; 879 881 880 882 mutex_unlock(&dev->mutex); 881 - mutex_unlock(&iowarrior_open_disc_lock); 882 883 883 884 if (dev->opened) { 884 885 /* There is a process that holds a filedescriptor to the device ,
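
Review bot: In the disconnect path, `dev->present = 0` is now stored while holding only iowarrior_open_disc_lock, before `mutex_lock(&dev->mutex)`, which leaves the later dev->mutex lock/unlock pair as an empty critical section that still carries the old comment "prevent device read, write and ioctl". If the flag needs to be ordered against code that tests it under dev->mutex, keep the store inside that section. If the empty lock/unlock is kept on purpose to wait for a current holder of dev->mutex, drop the stale comment and state that intent instead. The new comment above usb_deregister_dev() also runs two sentences together and has no space before the closing `*/`; splitting it into "this will call close()" and "locks need to be dropped at this point" would make the locking requirement easier to spot.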