Commit ccbde4b1 authored by Eli Billauer's avatar Eli Billauer Committed by Greg Kroah-Hartman
Browse files

char: xillybus: Don't destroy workqueue from work item running on it 



Triggered by a kref decrement, destroy_workqueue() may be called from
within a work item for destroying its own workqueue. This illegal
situation is averted by adding a module-global workqueue for exclusive
use of the offending work item. Other work items continue to be queued
on per-device workqueues to ensure performance.

Reported-by: default avatar <syzbot+91dbdfecdd3287734d8e@syzkaller.appspotmail.com>
Cc: stable <stable@kernel.org>
Closes: https://lore.kernel.org/lkml/0000000000000ab25a061e1dfe9f@google.com/


Signed-off-by: default avatarEli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20240801121126.60183-1-eli.billauer@gmail.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7c626ce4

drivers/char/xillybus/xillyusb.c

+11 −5
Original line number Diff line number Diff line
@@ -50,6 +50,7 @@ MODULE_LICENSE("GPL v2"); 
static const char xillyname[] = "xillyusb";



static unsigned int fifo_buf_order;

static struct workqueue_struct *wakeup_wq;



#define USB_VENDOR_ID_XILINX		0x03fd

#define USB_VENDOR_ID_ALTERA		0x09fb
@@ -569,10 +570,6 @@ static void cleanup_dev(struct kref *kref) 
 * errors if executed. The mechanism relies on that xdev->error is assigned

 * a non-zero value by report_io_error() prior to queueing wakeup_all(),

 * which prevents bulk_in_work() from calling process_bulk_in().

 *

 * The fact that wakeup_all() and bulk_in_work() are queued on the same

 * workqueue makes their concurrent execution very unlikely, however the

 * kernel's API doesn't seem to ensure this strictly.

 */



static void wakeup_all(struct work_struct *work)
@@ -627,7 +624,7 @@ static void report_io_error(struct xillyusb_dev *xdev, 


	if (do_once) {

		kref_get(&xdev->kref); /* xdev is used by work item */

		queue_work(xdev->workq, &xdev->wakeup_workitem);

		queue_work(wakeup_wq, &xdev->wakeup_workitem);

	}

}
@@ -2258,6 +2255,10 @@ static int __init xillyusb_init(void) 
{

	int rc = 0;



	wakeup_wq = alloc_workqueue(xillyname, 0, 0);

	if (!wakeup_wq)

		return -ENOMEM;



	if (LOG2_INITIAL_FIFO_BUF_SIZE > PAGE_SHIFT)

		fifo_buf_order = LOG2_INITIAL_FIFO_BUF_SIZE - PAGE_SHIFT;

	else
@@ -2265,11 +2266,16 @@ static int __init xillyusb_init(void) 


	rc = usb_register(&xillyusb_driver);



	if (rc)

		destroy_workqueue(wakeup_wq);



	return rc;

}



static void __exit xillyusb_exit(void)

{

	destroy_workqueue(wakeup_wq);



	usb_deregister(&xillyusb_driver);

}