Date:   Thu, 1 Jul 2021 00:36:16 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     syzbot <syzbot+44e40ac2cfe68e8ce207@...kaller.appspotmail.com>
Cc:     alex.dewar90@...il.com, arnd@...db.de, gregkh@...uxfoundation.org,
        hdanton@...a.com, jhansen@...are.com, linux-kernel@...r.kernel.org,
        snovitoll@...il.com, syzkaller-bugs@...glegroups.com,
        vdasa@...are.com
Subject: Re: [syzbot] possible deadlock in vmci_qp_broker_detach

On Wed, 30 Jun 2021 10:21:26 -0700
syzbot <syzbot+44e40ac2cfe68e8ce207@...kaller.appspotmail.com> wrote:

> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    a1f92694 Add linux-next specific files for 20210518
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=14cf5118300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d612e75ffd53a6d3
> dashboard link: https://syzkaller.appspot.com/bug?extid=44e40ac2cfe68e8ce207
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15dae18c300000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c680e2300000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+44e40ac2cfe68e8ce207@...kaller.appspotmail.com
> 
> ============================================
> WARNING: possible recursive locking detected
> 5.13.0-rc2-next-20210518-syzkaller #0 Not tainted
> --------------------------------------------
> syz-executor723/9333 is trying to acquire lock:
> ffffffff8cc8b5f8 (qp_broker_list.mutex){+.+.}-{3:3}, at: vmci_qp_broker_detach+0x147/0x11b0 drivers/misc/vmw_vmci/vmci_queue_pair.c:2093
> 
> but task is already holding lock:
> ffffffff8cc8b5f8 (qp_broker_list.mutex){+.+.}-{3:3}, at: vmci_qp_broker_detach+0x147/0x11b0 drivers/misc/vmw_vmci/vmci_queue_pair.c:2093
> 
> other info that might help us debug this:
>  Possible unsafe locking scenario:
> 
>        CPU0
>        ----
>   lock(qp_broker_list.mutex);
>   lock(qp_broker_list.mutex);
> 
>  *** DEADLOCK ***
> 
>  May be due to missing lock nesting notation
> 
> 1 lock held by syz-executor723/9333:
>  #0: ffffffff8cc8b5f8 (qp_broker_list.mutex){+.+.}-{3:3}, at: vmci_qp_broker_detach+0x147/0x11b0 drivers/misc/vmw_vmci/vmci_queue_pair.c:2093


Very ugly patch just to test the idea:

vmci_ctx_put() in vmci_ctx_enqueue_datagram() should not be the last 
vmci_ctx_put() in context life, so we need to block vmci_ctx_destroy() until
vmci_ctx_enqueue_datagram() is done.

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master



With regards,
Pavel Skripkin

View attachment "0001-misc-vmv_vmci-fix-deadlock.patch" of type "text/x-patch" (4662 bytes)
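The pattern behind the lockdep splat above, as an added single-threaded C model (not the VMCI driver's code and not the attached patch, which is not shown on this page): a reference-counted context whose tear-down needs the broker list mutex, and a datagram enqueue that takes and drops a reference while that same mutex is already held. When another CPU releases the owner's reference in that window, the enqueue's put becomes the last one and ctx_destroy() re-locks the held mutex, which the model records the way lockdep reports "possible recursive locking". The pinned variant models one way to realise the reply's idea of keeping destroy out of the enqueue path: an extra reference taken before the mutex so the final put lands after the unlock. All names (model_mutex, ctx_enqueue_datagram, run_detach) and the task id are constructed for the example.

```c
#include <stdio.h>

/* Minimal model of lockdep's recursive-locking check: the lock remembers
 * which task holds it, and a second acquisition by that task is recorded
 * instead of blocking forever. Single-threaded; the "other CPU" is
 * simulated by a flag in the scenario below. */
struct model_mutex {
    const char *name;
    int held_by;            /* 0 = free, otherwise the holding task id */
    int depth;              /* nesting depth so unlock restores state */
    int recursion_detected; /* set when the holder locks it again */
};

static int current_task = 9333;   /* constructed; mirrors the pid in the report */
static struct model_mutex broker_list_mutex = { "qp_broker_list.mutex", 0, 0, 0 };

static void model_lock(struct model_mutex *m)
{
    if (m->held_by == current_task) {
        m->recursion_detected = 1;   /* a real mutex would self-deadlock here */
        m->depth++;
        return;
    }
    m->held_by = current_task;
    m->depth = 1;
}

static void model_unlock(struct model_mutex *m)
{
    if (--m->depth == 0)
        m->held_by = 0;
}

/* Reference-counted context; the last put tears it down. */
struct ctx {
    int refcount;
    int destroyed;
};

static void ctx_destroy(struct ctx *c)
{
    /* Tear-down walks the broker list, so it needs the list mutex. If the
     * last put runs while the caller already holds it, this is the
     * recursive acquisition lockdep complained about. */
    model_lock(&broker_list_mutex);
    c->destroyed = 1;
    model_unlock(&broker_list_mutex);
}

static void ctx_get(struct ctx *c) { c->refcount++; }
static void ctx_put(struct ctx *c) { if (--c->refcount == 0) ctx_destroy(c); }

/* Stand-in for enqueuing a datagram to a context found by id: take a
 * reference for the duration of the work, drop it afterwards.
 * owner_drops_midway simulates another CPU releasing the owner's
 * reference between our get and our put. */
static void ctx_enqueue_datagram(struct ctx *c, int owner_drops_midway)
{
    ctx_get(c);
    if (owner_drops_midway)
        ctx_put(c);   /* the owner's reference disappears in the window */
    ctx_put(c);       /* may now be the last reference */
}

struct outcome {
    int recursive_lock;   /* 1 if destroy re-locked the held mutex */
    int destroyed;        /* 1 if the context was torn down */
    int mutex_free_after; /* 1 if the list mutex ended up released */
};

/* Detach path: the datagram is enqueued with the broker list mutex held.
 * With pin_ctx set, an extra reference taken before locking keeps the
 * last put (and so ctx_destroy) outside the locked region. */
static struct outcome run_detach(int pin_ctx, int owner_drops_midway)
{
    struct ctx c = { 1, 0 };   /* one reference, held by the owner */
    struct outcome o;

    broker_list_mutex.held_by = 0;
    broker_list_mutex.depth = 0;
    broker_list_mutex.recursion_detected = 0;

    if (pin_ctx)
        ctx_get(&c);

    model_lock(&broker_list_mutex);
    ctx_enqueue_datagram(&c, owner_drops_midway);
    model_unlock(&broker_list_mutex);

    if (pin_ctx)
        ctx_put(&c);   /* possibly the last put, now with the mutex free */

    o.recursive_lock = broker_list_mutex.recursion_detected;
    o.destroyed = c.destroyed;
    o.mutex_free_after = (broker_list_mutex.held_by == 0);
    return o;
}

int main(void)
{
    struct outcome bug = run_detach(0, 1);
    struct outcome fix = run_detach(1, 1);
    printf("unpinned: recursive_lock=%d destroyed=%d\n", bug.recursive_lock, bug.destroyed);
    printf("pinned:   recursive_lock=%d destroyed=%d\n", fix.recursive_lock, fix.destroyed);
    return 0;
}
```

The unpinned run with the owner dropping midway reproduces the report's shape (the same task locks qp_broker_list.mutex twice); the pinned run still destroys the context, but only after the mutex has been released. The model counts nesting depth so that the "recursive" acquisition does not corrupt the outer holder's state, which is what lets the scenario finish and be inspected instead of hanging.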
