On Tue, 17 Sep 2019, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> possible deadlock in vidioc_querycap
>
> ============================================
> WARNING: possible recursive locking detected
> 5.3.0-rc7+ #0 Not tainted
> --------------------------------------------
> v4l_id/3016 is trying to acquire lock:
> 0000000069c3004e (&usbvision->v4l2_lock){+.+.}, at:
> vidioc_querycap+0x62/0x3b0 drivers/media/usb/usbvision/usbvision-video.c:456
>
> but task is already holding lock:
> 0000000069c3004e (&usbvision->v4l2_lock){+.+.}, at:
> __video_do_ioctl+0x3ba/0xba0 drivers/media/v4l2-core/v4l2-ioctl.c:2846
Heh. That's what comes of trying to patch a driver when you aren't an
expert on it already.
Okay, the lock is already held at this point so we don't need to
acquire it.
Alan Stern
#syz test: https://github.com/google/kasan.git f0df5c1b
drivers/media/usb/usbvision/usbvision-video.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
===================================================================
--- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
+++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
@@ -453,6 +453,9 @@ static int vidioc_querycap(struct file *
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ if (!usbvision->dev)
+ return -ENODEV;
+
strscpy(vc->driver, "USBVision", sizeof(vc->driver));
strscpy(vc->card,
usbvision_device_data[usbvision->dev_model].model_string,
@@ -1111,7 +1114,8 @@ static int usbvision_radio_close(struct
mutex_lock(&usbvision->v4l2_lock);
/* Set packet size to 0 */
usbvision->iface_alt = 0;
- usb_set_interface(usbvision->dev, usbvision->iface,
+ if (usbvision->dev)
+ usb_set_interface(usbvision->dev, usbvision->iface,
usbvision->iface_alt);
usbvision_audio_off(usbvision);
