lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000000000000282bf005d20bb7fa@google.com>
Date:   Tue, 30 Nov 2021 17:37:22 -0800
From:   syzbot <syzbot+5f26531f88fda38af28c@...kaller.appspotmail.com>
To:     gregkh@...uxfoundation.org, jirislaby@...nel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: [syzbot] possible deadlock in tty_buffer_flush (2)

Hello,

syzbot found the following issue on:

HEAD commit:    d58071a8a76d Linux 5.16-rc3
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=161e3691b00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=171728a464c05f2b
dashboard link: https://syzkaller.appspot.com/bug?extid=5f26531f88fda38af28c
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5f26531f88fda38af28c@...kaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
5.16.0-rc3-syzkaller #0 Not tainted
------------------------------------------------------
kworker/1:16/12546 is trying to acquire lock:
ffff88801147d0b8 (&buf->lock){+.+.}-{3:3}, at: tty_buffer_flush+0x76/0x2b0 drivers/tty/tty_buffer.c:229

but task is already holding lock:
ffffffff8bb70640 (console_lock){+.+.}-{0:0}, at: vc_SAK+0x10/0x310 drivers/tty/vt/vt_ioctl.c:982

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (console_lock){+.+.}-{0:0}:
       console_lock+0x47/0x80 kernel/printk/printk.c:2524
       con_flush_chars drivers/tty/vt/vt.c:3365 [inline]
       con_flush_chars+0x35/0x90 drivers/tty/vt/vt.c:3357
       n_tty_write+0xbe5/0xfd0 drivers/tty/n_tty.c:2305
       do_tty_write drivers/tty/tty_io.c:1038 [inline]
       file_tty_write.constprop.0+0x526/0x910 drivers/tty/tty_io.c:1110
       call_write_iter include/linux/fs.h:2162 [inline]
       new_sync_write+0x429/0x660 fs/read_write.c:503
       vfs_write+0x7cd/0xae0 fs/read_write.c:590
       ksys_write+0x12d/0x250 fs/read_write.c:643
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae

-> #1 (&tty->termios_rwsem){++++}-{3:3}:
       down_write+0x90/0x150 kernel/locking/rwsem.c:1523
       n_tty_flush_buffer+0x1d/0x230 drivers/tty/n_tty.c:369
       tty_buffer_flush+0x1f0/0x2b0 drivers/tty/tty_buffer.c:240
       tty_ldisc_flush+0x66/0xe0 drivers/tty/tty_ldisc.c:400
       tty_port_close_start.part.0+0x22c/0x550 drivers/tty/tty_port.c:602
       tty_port_close_start drivers/tty/tty_port.c:646 [inline]
       tty_port_close+0x46/0x170 drivers/tty/tty_port.c:639
       uart_close+0x83/0x210 drivers/tty/serial/serial_core.c:1545
       tty_release+0x45e/0x1200 drivers/tty/tty_io.c:1771
       __fput+0x286/0x9f0 fs/file_table.c:280
       task_work_run+0xdd/0x1a0 kernel/task_work.c:164
       tracehook_notify_resume include/linux/tracehook.h:189 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
       exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
       __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
       syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
       do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x44/0xae

-> #0 (&buf->lock){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3063 [inline]
       check_prevs_add kernel/locking/lockdep.c:3186 [inline]
       validate_chain kernel/locking/lockdep.c:3801 [inline]
       __lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5027
       lock_acquire kernel/locking/lockdep.c:5637 [inline]
       lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602
       __mutex_lock_common kernel/locking/mutex.c:607 [inline]
       __mutex_lock+0x12f/0x12f0 kernel/locking/mutex.c:740
       tty_buffer_flush+0x76/0x2b0 drivers/tty/tty_buffer.c:229
       tty_ldisc_flush+0x66/0xe0 drivers/tty/tty_ldisc.c:400
       __do_SAK.part.0+0xd5/0x390 drivers/tty/tty_io.c:3046
       __do_SAK+0x1b/0x30 drivers/tty/tty_io.c:3039
       vc_SAK+0x7c/0x310 drivers/tty/vt/vt_ioctl.c:992
       process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
       worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
       kthread+0x405/0x4f0 kernel/kthread.c:327
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

other info that might help us debug this:

Chain exists of:
  &buf->lock --> &tty->termios_rwsem --> console_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(console_lock);
                               lock(&tty->termios_rwsem);
                               lock(console_lock);
  lock(&buf->lock);

 *** DEADLOCK ***

4 locks held by kworker/1:16/12546:
 #0: ffff888010c67d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff888010c67d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]
 #0: ffff888010c67d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline]
 #0: ffff888010c67d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:635 [inline]
 #0: ffff888010c67d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:662 [inline]
 #0: ffff888010c67d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2269
 #1: ffffc90002997db0 ((work_completion)(&vc_cons[currcons].SAK_work)){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2273
 #2: ffffffff8bb70640 (console_lock){+.+.}-{0:0}, at: vc_SAK+0x10/0x310 drivers/tty/vt/vt_ioctl.c:982
 #3: ffff88806ce96098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref drivers/tty/tty_ldisc.c:273 [inline]
 #3: ffff88806ce96098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_flush+0x18/0xe0 drivers/tty/tty_ldisc.c:398

stack backtrace:
CPU: 1 PID: 12546 Comm: kworker/1:16 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events vc_SAK
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2143
 check_prev_add kernel/locking/lockdep.c:3063 [inline]
 check_prevs_add kernel/locking/lockdep.c:3186 [inline]
 validate_chain kernel/locking/lockdep.c:3801 [inline]
 __lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5027
 lock_acquire kernel/locking/lockdep.c:5637 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602
 __mutex_lock_common kernel/locking/mutex.c:607 [inline]
 __mutex_lock+0x12f/0x12f0 kernel/locking/mutex.c:740
 tty_buffer_flush+0x76/0x2b0 drivers/tty/tty_buffer.c:229
 tty_ldisc_flush+0x66/0xe0 drivers/tty/tty_ldisc.c:400
 __do_SAK.part.0+0xd5/0x390 drivers/tty/tty_io.c:3046
 __do_SAK+0x1b/0x30 drivers/tty/tty_io.c:3039
 vc_SAK+0x7c/0x310 drivers/tty/vt/vt_ioctl.c:992
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
tty tty1: SAK: killed process 6450 (agetty): by session
tty tty1: SAK: killed process 6450 (agetty): by controlling tty


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ