On Tue, 26 Nov 2019, Pete Zaitcev wrote:

> The problem arises because our read() function grabs a lock of the
> circular buffer, finds something of interest, then invokes copy_to_user()
> straight from the buffer, which in turn takes mm->mmap_sem. At the same
> time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem.
> It attempts to take the fetch lock and deadlocks.
>
> This patch does away with protecting our page list with any
> semaphores, and instead relies on the kernel not closing the device
> while mmap is active in a process.
>
> In addition, we prohibit re-sizing of a buffer while mmap is active.
> This way, when the (now unlocked) fault is processed, it works with the
> page that is intended to be mapped in, and not some other random page.
> Note that this may have an ABI impact, but hopefully no legitimate
> program is this wrong.
>
> Signed-off-by: Pete Zaitcev <zaitcev@xxxxxxxxxx>
> Reported-by: syzbot+56f9673bb4cdcbeb0e92@xxxxxxxxxxxxxxxxxxxxxxxxx

Reviewed-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>

Also this should have:

Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
CC: <stable@xxxxxxxxxxxxxxx>

Alan Stern
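The lock inversion the quoted commit message describes (read() holds the fetch lock and then takes mm->mmap_sem through copy_to_user(), while the vma fault handler runs under mm->mmap_sem and takes the fetch lock) is the class of bug lockdep reports. The user-space model below is an added example, not usbmon or kernel code: a minimal lockdep-style order checker plus the resize-while-mapped guard, with the lock names and call shapes (old_read, old_fault, new_fault, mon_resize) assumed here to mirror the description.

```c
/* Added example, not part of the patch or the kernel: a tiny lockdep-like
 * checker that records "took B while holding A" and flags the reverse order. */
#include <stdbool.h>
#include <string.h>

enum { FETCH_LOCK, MMAP_SEM, NLOCKS };

static bool order_seen[NLOCKS][NLOCKS]; /* order_seen[a][b]: took b while holding a */
static int held[NLOCKS], nheld, violations;

static void reset_checker(void)
{
    memset(order_seen, 0, sizeof order_seen);
    nheld = 0;
    violations = 0;
}

static void lock(int l)
{
    for (int i = 0; i < nheld; i++) {
        int h = held[i];
        if (order_seen[l][h])           /* reverse order seen before: ABBA deadlock */
            violations++;
        order_seen[h][l] = true;
    }
    held[nheld++] = l;
}

static void unlock(int l)
{
    for (int i = 0; i < nheld; i++)
        if (held[i] == l) { held[i] = held[--nheld]; return; }
}

/* Modelled read(): fetch lock held across copy_to_user(), which takes mmap_sem. */
static void old_read(void) { lock(FETCH_LOCK); lock(MMAP_SEM); unlock(MMAP_SEM); unlock(FETCH_LOCK); }
/* Modelled fault handler before the patch: under mmap_sem, takes the fetch lock. */
static void old_fault(void) { lock(MMAP_SEM); lock(FETCH_LOCK); unlock(FETCH_LOCK); unlock(MMAP_SEM); }
/* Modelled fault handler after the patch: page list read without the fetch lock. */
static void new_fault(void) { lock(MMAP_SEM); unlock(MMAP_SEM); }

int check_old_pattern(void) { reset_checker(); old_read(); old_fault(); return violations; }
int check_new_pattern(void) { reset_checker(); old_read(); new_fault(); return violations; }

/* Modelled resize guard: refused while any mapping of the buffer is active. */
static int mmap_active;                 /* incremented on mmap, decremented on unmap */
void mon_mmap(void) { mmap_active++; }
void mon_munmap(void) { mmap_active--; }
int mon_resize(int *nbuf, int newsize)  /* returns 0 on success, -16 (EBUSY) if mapped */
{
    if (mmap_active) return -16;
    *nbuf = newsize;
    return 0;
}
```

With the fetch lock dropped from the fault path there is no second order to conflict with, so the checker reports nothing for the patched pattern; the resize guard is what keeps the unlocked fault from seeing a page list that changed underneath it.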