On Thursday, 21 July 2022 13:11:44 CEST Tetsuo Handa wrote:
> Hello.
>
> syzbot is reporting that iforce_close() from input_close_device() from
> joydev_close_device() from joydev_release() forever sleeps at
>
>   wait_event_interruptible(iforce->wait,
>                            !test_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags));
>
> with dev->mutex held, which in turn prevents input_disconnect_device() from
> __input_unregister_device() from input_unregister_device() from
> iforce_usb_disconnect() from setting dev->going_away = true.
>
> We somehow need to wake up this wait_event_interruptible() in iforce_close()
> if iforce_usb_disconnect() is in progress. But iforce_usb_disconnect() does
> not manipulate flags for waking up this wait_event_interruptible(). How can
> we wake up this wait_event_interruptible()?
>

I haven't been following this thread, except reading only this message. It may
well be I'm saying something which is not suited for solving your problem.

If it can be fixed, as you said, by a simple notification to
wait_event_interruptible(), why not change iforce_usb_disconnect() the
following way?

static void iforce_usb_disconnect(struct usb_interface *intf)
{
	struct iforce_usb *iforce_usb = usb_get_intfdata(intf);

	usb_set_intfdata(intf, NULL);

	/*
	 * iforce_close() sleeps until IFORCE_XMIT_RUNNING is clear, so the
	 * bit has to be cleared (not set) before the waiter is woken.
	 */
	clear_bit(IFORCE_XMIT_RUNNING, iforce_usb->iforce.xmit_flags);
	wake_up(&iforce_usb->iforce.wait);

	input_unregister_device(iforce_usb->iforce.dev);

	usb_free_urb(iforce_usb->irq);
	usb_free_urb(iforce_usb->out);

	kfree(iforce_usb);
}

I am sorry if I'm overlooking anything, especially because I'm entering this
thread without reading the other messages and so without knowing the whole
context.

Furthermore I haven't even test-compiled these changes :-(

Thanks,

Fabio
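The following userspace model is an added illustration, not part of the message above and not code from the iforce driver. It reproduces the quoted wait condition with a pthread mutex and condition variable to show that a wake-up releases the sleeper only if the flag it tests is already clear. The struct, the function names and the 2-second demo deadline are assumptions of the model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <time.h>

/* Model (assumption): mutex + condvar stand in for iforce->wait, one bool
 * stands in for the IFORCE_XMIT_RUNNING bit in xmit_flags. */
struct model {
    pthread_mutex_t lock;
    pthread_cond_t  wait;
    bool xmit_running;
    bool released;   /* did the modelled iforce_close() get past its wait? */
};

/* Models wait_event(): the condition is re-checked after every wake-up.
 * The deadline exists only so the demo terminates; the kernel wait has none. */
static void *close_waiter(void *arg)
{
    struct model *m = arg;
    struct timespec deadline = { time(NULL) + 2, 0 };

    pthread_mutex_lock(&m->lock);
    while (m->xmit_running)
        if (pthread_cond_timedwait(&m->wait, &m->lock, &deadline) != 0)
            break;                       /* timed out: still asleep */
    m->released = !m->xmit_running;
    pthread_mutex_unlock(&m->lock);
    return NULL;
}

/* Disconnect side: write the flag, then wake. Returns true if the waiter left. */
bool disconnect_releases_waiter(bool flag_value_written)
{
    struct model m = { .xmit_running = true, .released = false };
    pthread_t t;

    pthread_mutex_init(&m.lock, NULL);
    pthread_cond_init(&m.wait, NULL);
    if (pthread_create(&t, NULL, close_waiter, &m) != 0)
        return false;

    pthread_mutex_lock(&m.lock);
    m.xmit_running = flag_value_written;
    pthread_cond_broadcast(&m.wait);     /* models wake_up(&iforce->wait) */
    pthread_mutex_unlock(&m.lock);

    pthread_join(t, NULL);
    pthread_cond_destroy(&m.wait);
    pthread_mutex_destroy(&m.lock);
    return m.released;
}
```

Writing `false` (flag cleared) before the wake-up lets the waiter return; writing `true` leaves it asleep until the demo deadline expires.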