Commit 3c6c8eae authored Mar 28, 2025 by Duoming Zhou Committed by Xia Fukun Mar 28, 2025

drivers: usb: host: Fix deadlock in oxu_bus_suspend()

stable inclusion
from stable-v4.19.247
commit f8242044c91cafbba9e320b0fb31abf2429a3221
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP3Z3
CVE: CVE-2022-49313

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f8242044c91cafbba9e320b0fb31abf2429a3221



--------------------------------

[ Upstream commit 4d378f2a ]

There is a deadlock in oxu_bus_suspend(), which is shown below:

   (Thread 1)              |      (Thread 2)
                           | timer_action()
oxu_bus_suspend()          |  mod_timer()
 spin_lock_irq() //(1)     |  (wait a time)
 ...                       | oxu_watchdog()
 del_timer_sync()          |  spin_lock_irq() //(2)
 (wait timer to stop)      |  ...

We hold oxu->lock in position (1) of thread 1, and use
del_timer_sync() to wait timer to stop, but timer handler
also need oxu->lock in position (2) of thread 2. As a result,
oxu_bus_suspend() will block forever.

This patch extracts del_timer_sync() from the protection of
spin_lock_irq(), which could let timer handler to obtain
the needed lock.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220417120305.64577-1-duoming@zju.edu.cn


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Xia Fukun <xiafukun@huawei.com>

parent 4d1e2474

drivers/usb/host/oxu210hp-hcd.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -3476,8 +3476,10 @@ static int oxu_bus_suspend(struct usb_hcd *hcd)
		}
		}

		spin_unlock_irq(&oxu->lock);
		/* turn off now-idle HC */
		del_timer_sync(&oxu->watchdog);
		spin_lock_irq(&oxu->lock);
		ehci_halt(oxu);
		hcd->state = HC_STATE_SUSPENDED;