| Message ID | 20230531-xhci-deadlock-v1-1-57780bff5124@chromium.org |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp2852321vqr;
Wed, 31 May 2023 05:49:55 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ5eaGTFwRfAKuSUXjIUqSfA/pe8BJBFKO1KoC5zuocxr5NSslVSMsS9KKwOTylyKvzGUUig
X-Received: by 2002:a17:903:258e:b0:1ac:8be5:8787 with SMTP id
jb14-20020a170903258e00b001ac8be58787mr3629072plb.21.1685537395438;
Wed, 31 May 2023 05:49:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685537395; cv=none;
d=google.com; s=arc-20160816;
b=znZIO5iVC07WaJCdjJr+/OUyZjuRmPIeOPmdwxsUSPj5Bnim/fb1ZCHLxc1IEPeyoe
o1Gtn0e2bpOK/b3GmmYiUDQ+xQ3pdn07oZktzJbcmEKBe/U+ckvCYwze0lhtW/axfn+h
y7hVwJobHi6M44FVYVUe7KOdZ7zhMJJaxBigQkyr1fHRFowzN6kN37M2h6ZPCNLqg+aV
U1i9cBPH8u17pdmls9YdpPlTZGAN3xcodM/BcE7Sr1KQ+stMzdu7huLDnsOS1AAqU7JV
zt1ttNVD4RlI1bmNxh04MuzB9u84OZZRTDDVTgI4R4nlHUsd9lPF9RA8367gUHbEha2W
B9aw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:message-id:content-transfer-encoding
:mime-version:subject:date:from:dkim-signature;
bh=3Drw4vNL26e11s4ylGTZbprOZ2Zv1Gl249oIHxh4ALM=;
b=ZsEAikVHKpINVTrOZXn2dM+Ka3gW08s2QZn5Y7Fx8yGQsJOHfHTZXi4SobAmMYWH+Q
MtO6/6C+bcx0soPuMLGPxYUFzIBQwk9HX4K37tMl7LcU91oUsqAfXnir9exsA3IlPbEo
AMsKiNpND/vf5CSeV3OGFlh5XiqMITSwtzvuEPQOVMJzgG9E4xSBgVklvLt4bCPooaPt
RTONFoHJdOz1d9Dke/nW3dkwkQb73pN2NkhSaZYaZEZAtVVVr8qliAsFrBoJUQfL4ZK2
dfSJXru71D5PtFxpZoB/DuDj+kHgy41Zl/8LIGQrwmwW0B4RWdb/uUwV4FfkeHeTQDLc
LBwg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=F5zLkMcW;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
17-20020a170902ee5100b001ac34fed041si790181plo.475.2023.05.31.05.49.43;
Wed, 31 May 2023 05:49:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=F5zLkMcW;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S235489AbjEaMku (ORCPT <rfc822;andrewvogler123@gmail.com>
+ 99 others); Wed, 31 May 2023 08:40:50 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40964 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S235215AbjEaMks (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 31 May 2023 08:40:48 -0400
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com
[IPv6:2a00:1450:4864:20::12d])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5E3A2E40
for <linux-kernel@vger.kernel.org>;
Wed, 31 May 2023 05:40:31 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id
2adb3069b0e04-4f3a9ad31dbso6855906e87.0
for <linux-kernel@vger.kernel.org>;
Wed, 31 May 2023 05:40:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google; t=1685536829; x=1688128829;
h=cc:to:message-id:content-transfer-encoding:mime-version:subject
:date:from:from:to:cc:subject:date:message-id:reply-to;
bh=3Drw4vNL26e11s4ylGTZbprOZ2Zv1Gl249oIHxh4ALM=;
b=F5zLkMcWHok2hdrPzqlru3sCe+ZGSukQ1VL0vdhE1d0mY53j74VPtA2CJBraRh0ZO3
LpgyGYTewEjJFhxT0BCBFaVtLmnHSiWO7rEd6EuMDB+QmN29IyyHRp7JNmJYZjHPzR0q
9vvWcswWzLiSjuJXMDiU9zlllCZQvy8KYMNpo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1685536829; x=1688128829;
h=cc:to:message-id:content-transfer-encoding:mime-version:subject
:date:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=3Drw4vNL26e11s4ylGTZbprOZ2Zv1Gl249oIHxh4ALM=;
b=WIafa+ZL29h42kD3iF0hoHZhVzGW2cKoM37yv4hcXGCd5jSEyxQZi2LGXBatfFODpj
WWZNVQiqbbp6HeaXNfpUYAJRBUyuIzKXbFPNTL5Q4kRebdOPQx3nX/W53+CTPvr14sGo
M82mOHb7yCX7OVvxyNP9n2z1NMrKTBwTXmeqBBRuu95lJ3PmK1Z13z2xsDKOm9RVEllz
3zY1RjSIbPiDundQXiI3ww4XTmBy6ORUxcGQZkZOh6zXIp/y5xuJJEAhjNtnjjIe/8yY
gYKK1Mb4+EunvjFnrTzUNc0KCuysxmYNrbg8fdLUv+Ujl4lr9hH5oEhwGDcsKzezlO2O
gcFw==
X-Gm-Message-State: AC+VfDzsQmPMj/pdx1RW8bbz0WoMKDIfi1xaYXB6ZTn33cEqBNPqBxT3
Vt8CMLf+rsUnJLL9P1rswje/Lw==
X-Received: by 2002:a19:750c:0:b0:4f2:455d:18bd with SMTP id
y12-20020a19750c000000b004f2455d18bdmr2574670lfe.16.1685536829603;
Wed, 31 May 2023 05:40:29 -0700 (PDT)
Received: from alco.roam.corp.google.com
([2620:0:1059:10:f61c:2660:1f5f:4519])
by smtp.gmail.com with ESMTPSA id
f21-20020a19ae15000000b004f37b88eacfsm704263lfc.187.2023.05.31.05.40.28
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 31 May 2023 05:40:29 -0700 (PDT)
From: Ricardo Ribalda Delgado <ribalda@chromium.org>
Date: Wed, 31 May 2023 14:40:02 +0200
Subject: [PATCH] xhci: Do not create endpoint debugfs while holding the
bandwidth mutex
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20230531-xhci-deadlock-v1-1-57780bff5124@chromium.org>
X-B4-Tracking: v=1; b=H4sIACFAd2QC/x2NQQrDIBBFryKzrqCGLNqrlCzGcVKHihYlJRBy9
wzZ/ffh8Q4Y3IUHvMwBnf8ypFUF/zBAGeuHrSRlCC5Mbp683TOJTYypNPrqCBiDp6eLBOpEHGx
jx0pZrbqVouev8yr7HXkv53kBi64eGnQAAAA=
To: Mathias Nyman <mathias.nyman@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Mathias Nyman <mathias.nyman@linux.intel.com>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
Stephen Boyd <swboyd@chromium.org>,
Ricardo Ribalda Delgado <ribalda@chromium.org>
X-Mailer: b4 0.12.2
X-Developer-Signature: v=1; a=openpgp-sha256; l=2802; i=ribalda@chromium.org;
h=from:subject:message-id; bh=UQKGCiJA+KdR3RLJnA2tjVxT/UayTXJli+zLmQfrUEo=;
b=owEBbQKS/ZANAwAKAdE30T7POsSIAcsmYgBkd0Arw8YxmyplnKTmqj9XF1FWk5KtM1tEXuCHT
zeDErIrA52JAjMEAAEKAB0WIQREDzjr+/4oCDLSsx7RN9E+zzrEiAUCZHdAKwAKCRDRN9E+zzrE
iH1eD/9OFdkkUrhA5UTJTjNXlK/J5tiYnqBc7obMtJpFlV+q2qWZUkl6eCoV0sh2g7GbD5gm32F
AFh6IpfE+pC2Wbc0sAfJklrHTU4N5stAmnqkkTeQjqB3Qkk9J3sT9Tb5P70cnxwlql1XshRP9MU
6arPEmy739c9ma2VsCbH6cwelGYPmp1mdRLZVip/X1Fyq8qRZ4vqCrAkaCGOwtNuYnuJMlOLgFY
X+QcMXjqXZlEyLgnMdREpxrXXrjpO+uSk4c9h3bH6ivlUywXCTJB+82t00gFx3CpwVdDAQqb9CJ
+i2RkxnM6q7VouEhXXFyzvy2vjgO+eo2cOOgrFFLdpO/6e2kkmBTn+b/3bvMLEhC3ufYa3VCPDh
reGMDA8WakMb7NW2u6r3Tcmc9l+PlByb9muQf59Ad1aGLdZmHz+dWgXHgYwPO4pMsEFGnSTzVrr
zbNtKO1sNTVnol9eoZQZi1496JWKKnVqhu7GJL5hTL89cXw/PwA1emDyfBmm+S12gpmpQSMHNTv
vnY8ZDJTcPCqGX6ep6/GDmxjFv4r/3O+25AcMGNWrQYBW1WlpvnfM9aBZUSrph232z2/QrdncD9
7FtkTp6EhOcWGY4wnJmeIEzOAIaBFUnAgud4+Y/c5B9SpXldpOk8FPeflHFyvbZSZVdykgCm1Hj
HqKhBDbRyBjX9dQ==
X-Developer-Key: i=ribalda@chromium.org; a=openpgp;
fpr=9EC3BB66E2FC129A6F90B39556A0D81F9F782DA9
X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1767414060227633987?=
X-GMAIL-MSGID: =?utf-8?q?1767414060227633987?=
|
| Series |
xhci: Do not create endpoint debugfs while holding the bandwidth mutex
|
|
Commit Message
Ricardo Ribalda
May 31, 2023, 12:40 p.m. UTC
xhci_debugfs_create_endpoint needs to take the mm->mmap_sem, which is
not serialized with the hcd->bandwidth_mutex across the codebase.
Without this patch a deadlock has been observed with the uvc driver at
the functions v4l2_mmap() and usb_set_interface().
Cc: Stephen Boyd <swboyd@chromium.org
Fixes: 167657a1bb5f ("xhci: don't create endpoint debugfs entry before ring buffer is set.")
Signed-off-by: Ricardo Ribalda Delgado <ribalda@chromium.org>
---
I do not have a proper reproducer for this and I am not used to this
subsystem, so please take a careful look at this patch :).
Thanks!
---
drivers/usb/host/xhci-debugfs.c | 4 ++++
drivers/usb/host/xhci.c | 4 ++--
2 files changed, 6 insertions(+), 2 deletions(-)
---
base-commit: 48b1320a674e1ff5de2fad8606bee38f724594dc
change-id: 20230531-xhci-deadlock-de2ab21c90bc
Best regards,
Comments
On Wed, May 31, 2023 at 02:40:02PM +0200, Ricardo Ribalda Delgado wrote: > xhci_debugfs_create_endpoint needs to take the mm->mmap_sem, which is > not serialized with the hcd->bandwidth_mutex across the codebase. > > Without this patch a deadlock has been observed with the uvc driver at > the functions v4l2_mmap() and usb_set_interface(). > > Cc: Stephen Boyd <swboyd@chromium.org Missing ">" :(
On 31.5.2023 15.40, Ricardo Ribalda Delgado wrote: > xhci_debugfs_create_endpoint needs to take the mm->mmap_sem, which is > not serialized with the hcd->bandwidth_mutex across the codebase. > > Without this patch a deadlock has been observed with the uvc driver at > the functions v4l2_mmap() and usb_set_interface(). > > Cc: Stephen Boyd <swboyd@chromium.org > Fixes: 167657a1bb5f ("xhci: don't create endpoint debugfs entry before ring buffer is set.") > Signed-off-by: Ricardo Ribalda Delgado <ribalda@chromium.org> > --- > I do not have a proper reproducer for this and I am not used to this > subsystem, so please take a careful look at this patch :). > > Thanks! Do you still have the lockdep output showing the deadlock? I'm not sure how calling xhci_debugfs_create_endpoint() from xhci_add_endpoint() instead of xhci_check_bandwidth() helps. Both are called with hcd->bandwidth_mutex held: usb_set_interface() mutex_lock(hcd->bandwidth_mutex); usb_hcd_alloc_bandwidth() hcd->driver->add_endpoint() -> xhci_add_endpoint() hcd->driver->check_bandwidth() -> xhci_check_bandwidth() mutex_unlock(hcd->bandwidth_mutex); Thanks Mathias
Hi Mathias On Thu, 1 Jun 2023 at 16:13, Mathias Nyman <mathias.nyman@linux.intel.com> wrote: > > On 31.5.2023 15.40, Ricardo Ribalda Delgado wrote: > > xhci_debugfs_create_endpoint needs to take the mm->mmap_sem, which is > > not serialized with the hcd->bandwidth_mutex across the codebase. > > > > Without this patch a deadlock has been observed with the uvc driver at > > the functions v4l2_mmap() and usb_set_interface(). > > > > Cc: Stephen Boyd <swboyd@chromium.org > > Fixes: 167657a1bb5f ("xhci: don't create endpoint debugfs entry before ring buffer is set.") > > Signed-off-by: Ricardo Ribalda Delgado <ribalda@chromium.org> > > --- > > I do not have a proper reproducer for this and I am not used to this > > subsystem, so please take a careful look at this patch :). > > > > Thanks! > > Do you still have the lockdep output showing the deadlock? [ 459.731142] ====================================================== [ 459.731150] WARNING: possible circular locking dependency detected [ 459.731161] 5.4.169-lockdep-17434-g505c8a10e6fe #1 Not tainted [ 459.731168] ------------------------------------------------------ [ 459.731176] syz-executor.3/15308 is trying to acquire lock: [ 459.731184] ffffff80c63e0ee0 (&queue->mutex){+.+.}, at: uvc_queue_mmap+0x30/0xa0 [uvcvideo] [ 459.731226] but task is already holding lock: [ 459.731232] ffffff80a748eea8 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x10c/0x1f4 [ 459.731255] which lock already depends on the new lock. [ 459.731262] the existing dependency chain (in reverse order) is: [ 459.731269] -> #3 (&mm->mmap_sem){++++}: [ 459.731286] __might_fault+0xec/0x150 [ 459.731298] filldir64+0x2e0/0x15dc [ 459.731310] dcache_readdir+0x134/0x660 [ 459.731320] iterate_dir+0x200/0x40c [ 459.731331] ksys_getdents64+0x218/0x78c [ 459.731342] __arm64_sys_getdents64+0x7c/0x90 [ 459.731353] el0_svc_common+0x1c0/0x3dc [ 459.731363] el0_svc_compat_handler+0x88/0xd4 [ 459.731373] el0_svc_compat+0x8/0x2c [ 459.731379] -> #2 (&sb->s_type->i_mutex_key#4){++++}: [ 459.731398] down_write+0x60/0x118 [ 459.731409] start_creating+0xf8/0x260 [ 459.731419] debugfs_create_dir+0x30/0x290 [ 459.731430] xhci_debugfs_create_endpoint+0x118/0x1c8 [ 459.731442] xhci_check_bandwidth+0x520/0x6c0 [ 459.731453] usb_hcd_alloc_bandwidth+0x800/0x900 [ 459.731464] usb_set_configuration+0x4c4/0x1258 [ 459.731475] usb_generic_driver_probe+0x80/0x140 [ 459.731486] usb_probe_device+0xc8/0x240 [ 459.731497] really_probe+0x2f0/0x9e4 [ 459.731507] driver_probe_device+0xf0/0x2e4 [ 459.731517] __device_attach_driver+0x180/0x254 [ 459.731528] bus_for_each_drv+0x114/0x184 [ 459.731537] __device_attach+0x224/0x398 [ 459.731547] device_initial_probe+0x24/0x30 [ 459.731557] bus_probe_device+0xa8/0x1b8 [ 459.731567] device_add+0x63c/0x940 [ 459.731577] usb_new_device+0x810/0xe68 [ 459.731587] hub_port_connect+0xaf0/0x16bc [ 459.731597] hub_port_connect_change+0x32c/0x5c0 [ 459.731606] port_event+0x9e8/0xe4c [ 459.731616] hub_event+0x3fc/0xaec [ 459.731628] process_one_work+0x604/0xa2c [ 459.731638] worker_thread+0x930/0xea8 [ 459.731648] kthread+0x2dc/0x350 [ 459.731658] ret_from_fork+0x10/0x18 [ 459.731664] -> #1 (hcd->bandwidth_mutex){+.+.}: [ 459.731680] __mutex_lock_common+0x140/0x18c8 [ 459.731690] mutex_lock_nested+0x48/0x58 [ 459.731701] usb_set_interface+0x108/0x778 [ 459.731724] uvc_video_start_transfer+0x824/0x12a4 [uvcvideo] [ 459.731746] uvc_video_start_streaming+0x148/0x2c8 [uvcvideo] [ 459.731767] uvc_start_streaming+0x108/0x214 [uvcvideo] [ 459.731779] vb2_start_streaming+0x110/0x3f0 [ 459.731789] vb2_core_streamon+0x234/0x340 [ 459.731799] vb2_streamon+0x80/0xac [ 459.731819] uvc_queue_streamon+0x3c/0x5c [uvcvideo] [ 459.731840] uvc_ioctl_streamon+0xd0/0x118 [uvcvideo] [ 459.731850] v4l_streamon+0x6c/0x9c [ 459.731860] __video_do_ioctl+0x940/0xaa8 [ 459.731870] video_usercopy+0x528/0x920 [ 459.731880] video_ioctl2+0x3c/0x4c [ 459.731889] v4l2_ioctl+0x120/0x158 [ 459.731900] do_video_ioctl+0xdec/0x1784 [ 459.731910] v4l2_compat_ioctl32+0xc0/0x198 [ 459.731921] __arm64_compat_sys_ioctl+0x314/0x778 [ 459.731931] el0_svc_common+0x1c0/0x3dc [ 459.731941] el0_svc_compat_handler+0x88/0xd4 [ 459.731950] el0_svc_compat+0x8/0x2c [ 459.731957] -> #0 (&queue->mutex){+.+.}: [ 459.731974] __lock_acquire+0x1b74/0x4f04 [ 459.731985] lock_acquire+0xd0/0x168 [ 459.731995] __mutex_lock_common+0x140/0x18c8 [ 459.732004] mutex_lock_nested+0x48/0x58 [ 459.732024] uvc_queue_mmap+0x30/0xa0 [uvcvideo] [ 459.732045] uvc_v4l2_mmap+0xa4/0x138 [uvcvideo] [ 459.732054] v4l2_mmap+0x114/0x1f8 [ 459.732065] mmap_region+0x8b8/0xc90 [ 459.732075] do_mmap+0x654/0xaec [ 459.732084] vm_mmap_pgoff+0x15c/0x1f4 [ 459.732094] ksys_mmap_pgoff+0x124/0x194 [ 459.732105] __arm64_compat_sys_aarch32_mmap2+0xd8/0xf0 [ 459.732114] el0_svc_common+0x1c0/0x3dc [ 459.732124] el0_svc_compat_handler+0x88/0xd4 [ 459.732134] el0_svc_compat+0x8/0x2c [ 459.732141] other info that might help us debug this: [ 459.732148] Chain exists of: &queue->mutex --> &sb->s_type->i_mutex_key#4 --> &mm->mmap_sem [ 459.732165] Possible unsafe locking scenario: [ 459.732172] CPU0 CPU1 [ 459.732178] ---- ---- [ 459.732184] lock(&mm->mmap_sem); [ 459.732193] lock(&sb->s_type->i_mutex_key#4); [ 459.732204] lock(&mm->mmap_sem); [ 459.732212] lock(&queue->mutex); [ 459.732221] *** DEADLOCK *** [ 459.732230] 1 lock held by syz-executor.3/15308: [ 459.732237] #0: ffffff80a748eea8 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x10c/0x1f4 [ 459.732256] stack backtrace: [ 459.732269] CPU: 6 PID: 15308 Comm: syz-executor.3 Not tainted 5.4.169-lockdep-17434-g505c8a10e6fe #1 [ 459.732277] Hardware name: Google Pazquel (TI,LTE) (DT) [ 459.732284] Call trace: [ 459.732294] dump_backtrace+0x0/0x2ec [ 459.732304] show_stack+0x24/0x30 [ 459.732315] dump_stack+0x148/0x21c [ 459.732324] print_circular_bug+0x18c/0x1b8 [ 459.732334] check_noncircular+0x2e4/0x3c4 [ 459.732344] __lock_acquire+0x1b74/0x4f04 [ 459.732355] lock_acquire+0xd0/0x168 [ 459.732364] __mutex_lock_common+0x140/0x18c8 [ 459.732374] mutex_lock_nested+0x48/0x58 [ 459.732395] uvc_queue_mmap+0x30/0xa0 [uvcvideo] [ 459.732415] uvc_v4l2_mmap+0xa4/0x138 [uvcvideo] [ 459.732425] v4l2_mmap+0x114/0x1f8 [ 459.732435] mmap_region+0x8b8/0xc90 [ 459.732444] do_mmap+0x654/0xaec [ 459.732454] vm_mmap_pgoff+0x15c/0x1f4 [ 459.732463] ksys_mmap_pgoff+0x124/0x194 [ 459.732474] __arm64_compat_sys_aarch32_mmap2+0xd8/0xf0 [ 459.732483] el0_svc_common+0x1c0/0x3dc [ 459.732493] el0_svc_compat_handler+0x88/0xd4 [ 459.732502] el0_svc_compat+0x8/0x2c > > I'm not sure how calling xhci_debugfs_create_endpoint() from > xhci_add_endpoint() instead of xhci_check_bandwidth() helps. > > Both are called with hcd->bandwidth_mutex held: > > usb_set_interface() > mutex_lock(hcd->bandwidth_mutex); > usb_hcd_alloc_bandwidth() > hcd->driver->add_endpoint() -> xhci_add_endpoint() > hcd->driver->check_bandwidth() -> xhci_check_bandwidth() > mutex_unlock(hcd->bandwidth_mutex); Yep, I guess I was lucky not to be able to repro again :) The locks involved are: hcd->bandwidth_mutex mm->mmap_sem [uvc] queue->mutex > > Thanks > Mathias >
On 1.6.2023 19.05, Ricardo Ribalda wrote: > Hi Mathias > > On Thu, 1 Jun 2023 at 16:13, Mathias Nyman > <mathias.nyman@linux.intel.com> wrote: >> >> Do you still have the lockdep output showing the deadlock? > > [ 459.731142] ====================================================== > [ 459.731150] WARNING: possible circular locking dependency detected > [ 459.731161] 5.4.169-lockdep-17434-g505c8a10e6fe #1 Not tainted > [ 459.731168] ------------------------------------------------------ > [ 459.731176] syz-executor.3/15308 is trying to acquire lock: > [ 459.731184] ffffff80c63e0ee0 (&queue->mutex){+.+.}, at: > uvc_queue_mmap+0x30/0xa0 [uvcvideo] > [ 459.731226] > but task is already holding lock: > [ 459.731232] ffffff80a748eea8 (&mm->mmap_sem){++++}, at: > vm_mmap_pgoff+0x10c/0x1f4 > [ 459.731255] > which lock already depends on the new lock. > ... > [ 459.732148] Chain exists of: > &queue->mutex --> &sb->s_type->i_mutex_key#4 --> &mm->mmap_sem > > [ 459.732165] Possible unsafe locking scenario: > > [ 459.732172] CPU0 CPU1 > [ 459.732178] ---- ---- > [ 459.732184] lock(&mm->mmap_sem); > [ 459.732193] lock(&sb->s_type->i_mutex_key#4); > [ 459.732204] lock(&mm->mmap_sem); > [ 459.732212] lock(&queue->mutex); > [ 459.732221] > *** DEADLOCK *** > >> >> I'm not sure how calling xhci_debugfs_create_endpoint() from >> xhci_add_endpoint() instead of xhci_check_bandwidth() helps. >> >> Both are called with hcd->bandwidth_mutex held: >> >> usb_set_interface() >> mutex_lock(hcd->bandwidth_mutex); >> usb_hcd_alloc_bandwidth() >> hcd->driver->add_endpoint() -> xhci_add_endpoint() >> hcd->driver->check_bandwidth() -> xhci_check_bandwidth() >> mutex_unlock(hcd->bandwidth_mutex); > > Yep, I guess I was lucky not to be able to repro again :) > > The locks involved are: > > hcd->bandwidth_mutex > mm->mmap_sem > [uvc] queue->mutex > Ok, took a look at this. I don't think the bandwidth mutex matters that much. To my understanding this is caused by the following lock chains: ucv_queue_mmap() mmap_sem --> queue->mutex uvc_ioctl_streamon() calling usb_set_interface() calling debugfs_create_dir() queue->mutex --> i_mutex_key Some debugfs error case: i_mutex_key --> mmap_sem So we could end up with this deadlock: CPU0 CPU1 CPU2 mmap_sem queue->mutex i_mutex_key waiting for waiting for waiting for queue->mutex i_mutex_key mmap_sem I have no idea if this can be triggered in real life. Looks like that requires a some specific debugfs error to trigger at the same time we are creating a debugfs directory Thanks Mathias
Hi Mathias Thanks for looking into this. Relooking into the bug queue->mutex was only bothering due to a downstream patch (that we are working on upstreaming), so this should not affect upstream. Sorry for the noise :S On Mon, 12 Jun 2023 at 16:28, Mathias Nyman <mathias.nyman@linux.intel.com> wrote: > > On 1.6.2023 19.05, Ricardo Ribalda wrote: > > Hi Mathias > > > > On Thu, 1 Jun 2023 at 16:13, Mathias Nyman > > <mathias.nyman@linux.intel.com> wrote: > >> > >> Do you still have the lockdep output showing the deadlock? > > > > [ 459.731142] ====================================================== > > [ 459.731150] WARNING: possible circular locking dependency detected > > [ 459.731161] 5.4.169-lockdep-17434-g505c8a10e6fe #1 Not tainted > > [ 459.731168] ------------------------------------------------------ > > [ 459.731176] syz-executor.3/15308 is trying to acquire lock: > > [ 459.731184] ffffff80c63e0ee0 (&queue->mutex){+.+.}, at: > > uvc_queue_mmap+0x30/0xa0 [uvcvideo] > > [ 459.731226] > > but task is already holding lock: > > [ 459.731232] ffffff80a748eea8 (&mm->mmap_sem){++++}, at: > > vm_mmap_pgoff+0x10c/0x1f4 > > [ 459.731255] > > which lock already depends on the new lock. > > > ... > > [ 459.732148] Chain exists of: > > &queue->mutex --> &sb->s_type->i_mutex_key#4 --> &mm->mmap_sem > > > > [ 459.732165] Possible unsafe locking scenario: > > > > [ 459.732172] CPU0 CPU1 > > [ 459.732178] ---- ---- > > [ 459.732184] lock(&mm->mmap_sem); > > [ 459.732193] lock(&sb->s_type->i_mutex_key#4); > > [ 459.732204] lock(&mm->mmap_sem); > > [ 459.732212] lock(&queue->mutex); > > [ 459.732221] > > *** DEADLOCK *** > > > >> > >> I'm not sure how calling xhci_debugfs_create_endpoint() from > >> xhci_add_endpoint() instead of xhci_check_bandwidth() helps. > >> > >> Both are called with hcd->bandwidth_mutex held: > >> > >> usb_set_interface() > >> mutex_lock(hcd->bandwidth_mutex); > >> usb_hcd_alloc_bandwidth() > >> hcd->driver->add_endpoint() -> xhci_add_endpoint() > >> hcd->driver->check_bandwidth() -> xhci_check_bandwidth() > >> mutex_unlock(hcd->bandwidth_mutex); > > > > Yep, I guess I was lucky not to be able to repro again :) > > > > The locks involved are: > > > > hcd->bandwidth_mutex > > mm->mmap_sem > > [uvc] queue->mutex > > > > Ok, took a look at this. > I don't think the bandwidth mutex matters that much. > > To my understanding this is caused by the following lock chains: > > ucv_queue_mmap() > mmap_sem --> queue->mutex > > uvc_ioctl_streamon() calling usb_set_interface() calling debugfs_create_dir() > queue->mutex --> i_mutex_key > > Some debugfs error case: > i_mutex_key --> mmap_sem > > So we could end up with this deadlock: > CPU0 CPU1 CPU2 > mmap_sem queue->mutex i_mutex_key > > waiting for waiting for waiting for > queue->mutex i_mutex_key mmap_sem > > I have no idea if this can be triggered in real life. > > Looks like that requires a some specific debugfs error > to trigger at the same time we are creating a debugfs directory > > Thanks > Mathias >
diff --git a/drivers/usb/host/xhci-debugfs.c b/drivers/usb/host/xhci-debugfs.c index 99baa60ef50f..2acce2af2ca9 100644 --- a/drivers/usb/host/xhci-debugfs.c +++ b/drivers/usb/host/xhci-debugfs.c @@ -238,6 +238,10 @@ static int xhci_ring_open(struct inode *inode, struct file *file) int i; struct xhci_file_map *f_map; const char *file_name = file_dentry(file)->d_iname; + struct xhci_ring *ring = *(struct xhci_ring **)inode->i_private; + + if (!ring) + return -EAGAIN; for (i = 0; i < ARRAY_SIZE(ring_files); i++) { f_map = &ring_files[i]; diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 78790dc13c5f..2715900b2540 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1930,6 +1930,8 @@ int xhci_add_endpoint(struct usb_hcd *hcd, struct usb_device *udev, ep_ctx = xhci_get_ep_ctx(xhci, virt_dev->in_ctx, ep_index); trace_xhci_add_endpoint(ep_ctx); + xhci_debugfs_create_endpoint(xhci, virt_dev, ep_index); + xhci_dbg(xhci, "add ep 0x%x, slot id %d, new drop flags = %#x, new add flags = %#x\n", (unsigned int) ep->desc.bEndpointAddress, udev->slot_id, @@ -2963,7 +2965,6 @@ int xhci_check_bandwidth(struct usb_hcd *hcd, struct usb_device *udev) xhci_check_bw_drop_ep_streams(xhci, virt_dev, i); virt_dev->eps[i].ring = virt_dev->eps[i].new_ring; virt_dev->eps[i].new_ring = NULL; - xhci_debugfs_create_endpoint(xhci, virt_dev, i); } command_cleanup: kfree(command->completion); @@ -2989,7 +2990,6 @@ void xhci_reset_bandwidth(struct usb_hcd *hcd, struct usb_device *udev) /* Free any rings allocated for added endpoints */ for (i = 0; i < 31; i++) { if (virt_dev->eps[i].new_ring) { - xhci_debugfs_remove_endpoint(xhci, virt_dev, i); xhci_ring_free(xhci, virt_dev->eps[i].new_ring); virt_dev->eps[i].new_ring = NULL; }