<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/hid/hid-debug.c, branch linux-3.18.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>HID: debug: fix race condition with between rdesc_show() and device removal</title>
<updated>2019-05-16T07:17:18+00:00</updated>
<author>
<name>He, Bo</name>
<email>bo.he@intel.com</email>
</author>
<published>2019-03-14T02:28:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=358e9483e84ac7cfa269856fa560eca307ab57dd'/>
<id>358e9483e84ac7cfa269856fa560eca307ab57dd</id>
<content type='text'>
[ Upstream commit cef0d4948cb0a02db37ebfdc320e127c77ab1637 ]

There is a race condition that could happen if hid_debug_rdesc_show()
is running while hdev is in the process of going away (device removal,
system suspend, etc.), which could result in a NULL pointer dereference:

	 BUG: unable to handle kernel paging request at 0000000783316040
	 CPU: 1 PID: 1512 Comm: getevent Tainted: G     U     O 4.19.20-quilt-2e5dc0ac-00029-gc455a447dd55 #1
	 RIP: 0010:hid_dump_device+0x9b/0x160
	 Call Trace:
	  hid_debug_rdesc_show+0x72/0x1d0
	  seq_read+0xe0/0x410
	  full_proxy_read+0x5f/0x90
	  __vfs_read+0x3a/0x170
	  vfs_read+0xa0/0x150
	  ksys_read+0x58/0xc0
	  __x64_sys_read+0x1a/0x20
	  do_syscall_64+0x55/0x110
	  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Grab driver_input_lock to make sure the input device exists throughout the
whole process of dumping the rdesc.

[jkosina@suse.cz: update changelog a bit]
Signed-off-by: he, bo &lt;bo.he@intel.com&gt;
Signed-off-by: "Zhang, Jun" &lt;jun.zhang@intel.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>HID: debug: fix the ring buffer implementation</title>
<updated>2019-02-20T09:09:08+00:00</updated>
<author>
<name>Vladis Dronov</name>
<email>vdronov@redhat.com</email>
</author>
<published>2019-01-29T10:58:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=be120f656b4f3f71d9d82d52d5604e2fb1fb9a94'/>
<id>be120f656b4f3f71d9d82d52d5604e2fb1fb9a94</id>
<content type='text'>
commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.

The ring buffer implementation in hid_debug_event() and hid_debug_events_read()
is strange, allowing lost or corrupted data. After commit 717adfdaf147
("HID: debug: check length before copy_to_user()") it is possible to enter
an infinite loop in hid_debug_events_read() by providing 0 as count; this
locks up a system. Fix this by rewriting the ring buffer implementation
with kfifo and simplify the code.

This fixes CVE-2019-3819.

v2: fix an execution logic and add a comment
v3: use __set_current_state() instead of set_current_state()

Backport to v3.18: some (tree-wide) patches are missing in v3.18 so
cherry-pick relevant pieces from:
 * 6396bb221514 ("treewide: kzalloc() -&gt; kcalloc()")
 * a9a08845e9ac ("vfs: do bulk POLL* -&gt; EPOLL* replacement")
 * 92529623d242 ("HID: debug: improve hid_debug_event()")
 * 174cd4b1e5fb ("sched/headers: Prepare to move signal wakeup &amp; sigpending
   methods from &lt;linux/sched.h&gt; into &lt;linux/sched/signal.h&gt;")
 * 8fec02a73e31 ("HID: debug: fix error handling in hid_debug_events_read()")


Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
Cc: stable@vger.kernel.org # v4.18+
Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
Signed-off-by: Vladis Dronov &lt;vdronov@redhat.com&gt;
Reviewed-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>HID: debug: check length before copy_to_user()</title>
<updated>2018-07-11T13:42:25+00:00</updated>
<author>
<name>Daniel Rosenberg</name>
<email>drosen@google.com</email>
</author>
<published>2018-07-02T23:59:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f7e1dd8ebca4d67411c333223e4205879d141eaa'/>
<id>f7e1dd8ebca4d67411c333223e4205879d141eaa</id>
<content type='text'>
commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream.

If our length is greater than the size of the buffer, we
overflow the buffer.

Cc: stable@vger.kernel.org
Signed-off-by: Daniel Rosenberg &lt;drosen@google.com&gt;
Reviewed-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>HID: add keyboard input assist hid usages</title>
<updated>2014-10-20T19:03:58+00:00</updated>
<author>
<name>Olivier Gay</name>
<email>ogay@logitech.com</email>
</author>
<published>2014-10-17T23:53:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f974008f07a62171a9dede08250c9a35c2b2b986'/>
<id>f974008f07a62171a9dede08250c9a35c2b2b986</id>
<content type='text'>
Add keyboard input assist controls usages from approved
hid usage table request HUTRR42:
http://www.usb.org/developers/hidpage/HUTRR42c.pdf

Signed-off-by: Olivier Gay &lt;ogay@logitech.com&gt;
Acked-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
</entry>
<entry>
<title>HID: core: add two new usages for digitizer</title>
<updated>2014-06-03T11:27:24+00:00</updated>
<author>
<name>Ping Cheng</name>
<email>pinglinux@gmail.com</email>
</author>
<published>2014-06-03T00:19:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=368c96640d10a145da5f258f2d2833668d4f3629'/>
<id>368c96640d10a145da5f258f2d2833668d4f3629</id>
<content type='text'>
On Feb 17, 2014, two new usages were approved for HID usage Table 18 -
Digitizer Page:

5A	Secondary Barrel Switch		MC	16.4
5B	Transducer Serial Number	SV	16.3.1

This patch adds relevant definitions to hid/input. It also removes
outdated comments in hid.h.

Signed-off-by: Ping Cheng &lt;pingc@wacom.com&gt;
Reviewed-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
</entry>
<entry>
<title>HID: debug: add labels for HID Sensor Usages</title>
<updated>2014-05-28T13:45:15+00:00</updated>
<author>
<name>Reyad Attiyat</name>
<email>reyad.attiyat@gmail.com</email>
</author>
<published>2014-05-27T07:10:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b510d09c974a9b579bf0c164d7a7dce3dd847850'/>
<id>b510d09c974a9b579bf0c164d7a7dce3dd847850</id>
<content type='text'>
Add in debugfs report descriptor labels for HID Sensor Usages.

Signed-off-by: Reyad Attiyat &lt;reyad.attiyat@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
</entry>
<entry>
<title>HID: add missing hid usages</title>
<updated>2014-04-28T14:57:58+00:00</updated>
<author>
<name>Olivier Gay</name>
<email>ogay@logitech.com</email>
</author>
<published>2014-04-25T18:26:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f362e690e5530dd8ace289da991bda558731678e'/>
<id>f362e690e5530dd8ace289da991bda558731678e</id>
<content type='text'>
Add some missing hid usages from consumer page, add
some display brightness control usages from approved hid usage
table request HUTRR41:
http://www.usb.org/developers/hidpage/HUTRR41.pdf
and add voice command usage from approved request HUTRR45:
http://www.usb.org/developers/hidpage/Voice_Command_Usage.pdf

[jkosina@suse.cz: removed KEY_BRIGHTNESS_TOGGLE / KEY_DISPLAYTOGGLE
 conflict from hid-debug.c]

Signed-off-by: Olivier Gay &lt;ogay@logitech.com&gt;
Signed-off-by: Mathieu Meisser &lt;mmeisser@logitech.com&gt;
Acked-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
</entry>
<entry>
<title>HID: debug: add labels for some new buttons</title>
<updated>2013-12-17T12:54:40+00:00</updated>
<author>
<name>Antonio Ospite</name>
<email>ospite@studenti.unina.it</email>
</author>
<published>2013-12-17T11:52:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a443255c3ed5688931d89adcaa640dd10e1aeef0'/>
<id>a443255c3ed5688931d89adcaa640dd10e1aeef0</id>
<content type='text'>
Add labels for BTN_DPAD_UP, BTN_DPAD_DOWN, BTN_DPAD_LEFT, BTN_DPAD_RIGHT and
BTN_TOOL_QUADTAP.

[jkosina@suse.cz: make changelog more verbose]
Signed-off-by: Antonio Ospite &lt;ospite@studenti.unina.it&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
</entry>
<entry>
<title>HID: debug: fix RCU preemption issue</title>
<updated>2013-05-06T11:07:33+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2013-05-06T11:05:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1deb9d341d475ff84262e927d6c0e36fecb9942e'/>
<id>1deb9d341d475ff84262e927d6c0e36fecb9942e</id>
<content type='text'>
Commit 2353f2bea ("HID: protect hid_debug_list") introduced mutex
locking around debug_list access to prevent SMP races when debugfs
nodes are being operated upon by multiple userspace processes.

mutex is not a proper synchronization primitive though, as the hid-debug
callbacks are being called from atomic contexts.

We also have to be careful about disabling IRQs when taking the lock
to prevent deadlock against IRQ handlers.

Benjamin reports this has also been reported in RH bugzilla as bug #958935.

 ===============================
 [ INFO: suspicious RCU usage. ]
 3.9.0+ #94 Not tainted
 -------------------------------
 include/linux/rcupdate.h:476 Illegal context switch in RCU read-side critical section!

 other info that might help us debug this:

 rcu_scheduler_active = 1, debug_locks = 0
 4 locks held by Xorg/5502:
  #0:  (&amp;evdev-&gt;mutex){+.+...}, at: [&lt;ffffffff81512c3d&gt;] evdev_write+0x6d/0x160
  #1:  (&amp;(&amp;dev-&gt;event_lock)-&gt;rlock#2){-.-...}, at: [&lt;ffffffff8150dd9b&gt;] input_inject_event+0x5b/0x230
  #2:  (rcu_read_lock){.+.+..}, at: [&lt;ffffffff8150dd82&gt;] input_inject_event+0x42/0x230
  #3:  (&amp;(&amp;usbhid-&gt;lock)-&gt;rlock){-.....}, at: [&lt;ffffffff81565289&gt;] usb_hidinput_input_event+0x89/0x120

 stack backtrace:
 CPU: 0 PID: 5502 Comm: Xorg Not tainted 3.9.0+ #94
 Hardware name: Dell Inc. OptiPlex 390/0M5DCD, BIOS A09 07/24/2012
  0000000000000001 ffff8800689c7c38 ffffffff816f249f ffff8800689c7c68
  ffffffff810acb1d 0000000000000000 ffffffff81a03ac7 000000000000019d
  0000000000000000 ffff8800689c7c90 ffffffff8107cda7 0000000000000000
 Call Trace:
  [&lt;ffffffff816f249f&gt;] dump_stack+0x19/0x1b
  [&lt;ffffffff810acb1d&gt;] lockdep_rcu_suspicious+0xfd/0x130
  [&lt;ffffffff8107cda7&gt;] __might_sleep+0xc7/0x230
  [&lt;ffffffff816f7770&gt;] mutex_lock_nested+0x40/0x3a0
  [&lt;ffffffff81312ac4&gt;] ? vsnprintf+0x354/0x640
  [&lt;ffffffff81553cc4&gt;] hid_debug_event+0x34/0x100
  [&lt;ffffffff81554197&gt;] hid_dump_input+0x67/0xa0
  [&lt;ffffffff81556430&gt;] hid_set_field+0x50/0x120
  [&lt;ffffffff8156529a&gt;] usb_hidinput_input_event+0x9a/0x120
  [&lt;ffffffff8150d89e&gt;] input_handle_event+0x8e/0x530
  [&lt;ffffffff8150df10&gt;] input_inject_event+0x1d0/0x230
  [&lt;ffffffff8150dd82&gt;] ? input_inject_event+0x42/0x230
  [&lt;ffffffff81512cae&gt;] evdev_write+0xde/0x160
  [&lt;ffffffff81185038&gt;] vfs_write+0xc8/0x1f0
  [&lt;ffffffff81185535&gt;] SyS_write+0x55/0xa0
  [&lt;ffffffff81704482&gt;] system_call_fastpath+0x16/0x1b
 BUG: sleeping function called from invalid context at kernel/mutex.c:413
 in_atomic(): 1, irqs_disabled(): 1, pid: 5502, name: Xorg
 INFO: lockdep is turned off.
 irq event stamp: 1098574
 hardirqs last  enabled at (1098573): [&lt;ffffffff816fb53f&gt;] _raw_spin_unlock_irqrestore+0x3f/0x70
 hardirqs last disabled at (1098574): [&lt;ffffffff816faaf5&gt;] _raw_spin_lock_irqsave+0x25/0xa0
 softirqs last  enabled at (1098306): [&lt;ffffffff8104971f&gt;] __do_softirq+0x18f/0x3c0
 softirqs last disabled at (1097867): [&lt;ffffffff81049ad5&gt;] irq_exit+0xa5/0xb0
 CPU: 0 PID: 5502 Comm: Xorg Not tainted 3.9.0+ #94
 Hardware name: Dell Inc. OptiPlex 390/0M5DCD, BIOS A09 07/24/2012
  ffffffff81a03ac7 ffff8800689c7c68 ffffffff816f249f ffff8800689c7c90
  ffffffff8107ce60 0000000000000000 ffff8800689c7fd8 ffff88006a62c800
  ffff8800689c7d10 ffffffff816f7770 ffff8800689c7d00 ffffffff81312ac4
 Call Trace:
  [&lt;ffffffff816f249f&gt;] dump_stack+0x19/0x1b
  [&lt;ffffffff8107ce60&gt;] __might_sleep+0x180/0x230
  [&lt;ffffffff816f7770&gt;] mutex_lock_nested+0x40/0x3a0
  [&lt;ffffffff81312ac4&gt;] ? vsnprintf+0x354/0x640
  [&lt;ffffffff81553cc4&gt;] hid_debug_event+0x34/0x100
  [&lt;ffffffff81554197&gt;] hid_dump_input+0x67/0xa0
  [&lt;ffffffff81556430&gt;] hid_set_field+0x50/0x120
  [&lt;ffffffff8156529a&gt;] usb_hidinput_input_event+0x9a/0x120
  [&lt;ffffffff8150d89e&gt;] input_handle_event+0x8e/0x530
  [&lt;ffffffff8150df10&gt;] input_inject_event+0x1d0/0x230
  [&lt;ffffffff8150dd82&gt;] ? input_inject_event+0x42/0x230
  [&lt;ffffffff81512cae&gt;] evdev_write+0xde/0x160
  [&lt;ffffffff81185038&gt;] vfs_write+0xc8/0x1f0
  [&lt;ffffffff81185535&gt;] SyS_write+0x55/0xa0
  [&lt;ffffffff81704482&gt;] system_call_fastpath+0x16/0x1b

Reported-by: majianpeng &lt;majianpeng@gmail.com&gt;
Reported-by: Benjamin Tissoires &lt;benjamin.tissoires@gmail.com&gt;
Reviewed-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
</entry>
<entry>
<title>HID: protect hid_debug_list</title>
<updated>2013-04-30T08:09:31+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2013-04-16T22:40:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2353f2bea307390e015493118e425152b8a5a431'/>
<id>2353f2bea307390e015493118e425152b8a5a431</id>
<content type='text'>
Accesses to hid_device-&gt;hid_debug_list are not serialized properly, which
could result in SMP concurrency issues when HID debugfs events are accessed
by multiple userspace processes.

Serialize all the list operations by a mutex.

Spotted by Al Viro.

Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
</entry>
</feed>
