lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f6bd471c-f961-ef5e-21c5-bf158be19d12@linux.intel.com>
Date:   Mon, 3 Oct 2022 11:44:19 +0300 (EEST)
From:   Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
To:     syzbot <syzbot+223c7461c58c58a4cb10@...kaller.appspotmail.com>
cc:     andy.shevchenko@...il.com, etremblay@...tech-controls.com,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jiri Slaby <jirislaby@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-serial <linux-serial@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com, u.kleine-koenig@...gutronix.de,
        wander@...hat.com, Mel Gorman <mgorman@...hsingularity.net>
Subject: Re: [syzbot] possible deadlock in tty_port_tty_get

+ Cc Mel Gorman.

-- 
 i.

On Fri, 30 Sep 2022, syzbot wrote:

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    5a77386984b5 Merge tag 'drm-fixes-2022-09-30-1' of git://a..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=132b8504880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a1992c90769e07
> dashboard link: https://syzkaller.appspot.com/bug?extid=223c7461c58c58a4cb10
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+223c7461c58c58a4cb10@...kaller.appspotmail.com
> 
> ======================================================
> WARNING: possible circular locking dependency detected
> 6.0.0-rc7-syzkaller-00162-g5a77386984b5 #0 Not tainted
> ------------------------------------------------------
> syz-executor.0/4926 is trying to acquire lock:
> ffffffff8c0be788 (zonelist_update_seq.seqcount){...-}-{0:0}, at: __alloc_pages+0x43d/0x510 mm/page_alloc.c:5562
> 
> but task is already holding lock:
> ffff88802624c958 (&port->lock){-.-.}-{2:2}, at: tty_insert_flip_string_and_push_buffer+0x2b/0x160 drivers/tty/tty_buffer.c:628
> 
> which lock already depends on the new lock.
> 
> 
> the existing dependency chain (in reverse order) is:
> 
> -> #3 (&port->lock){-.-.}-{2:2}:
>        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
>        _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
>        tty_port_tty_get+0x1f/0x100 drivers/tty/tty_port.c:327
>        tty_port_default_wakeup+0x11/0x40 drivers/tty/tty_port.c:68
>        serial8250_tx_chars+0x4f6/0xd90 drivers/tty/serial/8250/8250_port.c:1851
>        serial8250_handle_irq.part.0+0x440/0x820 drivers/tty/serial/8250/8250_port.c:1938
>        serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1911 [inline]
>        serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1958
>        serial8250_interrupt+0xf8/0x200 drivers/tty/serial/8250/8250_core.c:126
>        __handle_irq_event_percpu+0x227/0x870 kernel/irq/handle.c:158
>        handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
>        handle_irq_event+0xa7/0x1e0 kernel/irq/handle.c:210
>        handle_edge_irq+0x25f/0xd00 kernel/irq/chip.c:819
>        generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
>        handle_irq arch/x86/kernel/irq.c:231 [inline]
>        __common_interrupt+0x9d/0x210 arch/x86/kernel/irq.c:250
>        common_interrupt+0xa4/0xc0 arch/x86/kernel/irq.c:240
>        asm_common_interrupt+0x22/0x40 arch/x86/include/asm/idtentry.h:640
>        native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]
>        arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]
>        default_idle+0xb/0x10 arch/x86/kernel/process.c:730
>        default_idle_call+0x80/0xc0 kernel/sched/idle.c:109
>        cpuidle_idle_call kernel/sched/idle.c:191 [inline]
>        do_idle+0x401/0x590 kernel/sched/idle.c:303
>        cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:400
>        start_secondary+0x21d/0x2b0 arch/x86/kernel/smpboot.c:262
>        secondary_startup_64_no_verify+0xce/0xdb
> 
> -> #2 (&port_lock_key){-.-.}-{2:2}:
>        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
>        _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
>        serial8250_console_write+0x975/0xfe0 drivers/tty/serial/8250/8250_port.c:3380
>        call_console_driver kernel/printk/printk.c:1945 [inline]
>        console_emit_next_record.constprop.0+0x3de/0x840 kernel/printk/printk.c:2732
>        console_flush_all kernel/printk/printk.c:2794 [inline]
>        console_unlock+0x37a/0x5a0 kernel/printk/printk.c:2861
>        vprintk_emit+0x1b9/0x5f0 kernel/printk/printk.c:2271
>        vprintk+0x80/0x90 kernel/printk/printk_safe.c:50
>        _printk+0xba/0xed kernel/printk/printk.c:2292
>        register_console kernel/printk/printk.c:3212 [inline]
>        register_console+0x482/0x840 kernel/printk/printk.c:3104
>        univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681
>        console_init+0x3b7/0x57e kernel/printk/printk.c:3308
>        start_kernel+0x2fa/0x48f init/main.c:1066
>        secondary_startup_64_no_verify+0xce/0xdb
> 
> -> #1 (console_owner){-...}-{0:0}:
>        console_lock_spinning_enable kernel/printk/printk.c:1808 [inline]
>        console_emit_next_record.constprop.0+0x2dd/0x840 kernel/printk/printk.c:2729
>        console_flush_all kernel/printk/printk.c:2794 [inline]
>        console_unlock+0x37a/0x5a0 kernel/printk/printk.c:2861
>        vprintk_emit+0x1b9/0x5f0 kernel/printk/printk.c:2271
>        vprintk+0x80/0x90 kernel/printk/printk_safe.c:50
>        _printk+0xba/0xed kernel/printk/printk.c:2292
>        build_zonelists.cold+0xe5/0x11f mm/page_alloc.c:6471
>        __build_all_zonelists+0x111/0x180 mm/page_alloc.c:6584
>        build_all_zonelists_init+0x2f/0x104 mm/page_alloc.c:6609
>        build_all_zonelists+0x11f/0x140 mm/page_alloc.c:6642
>        start_kernel+0xb9/0x48f init/main.c:960
>        secondary_startup_64_no_verify+0xce/0xdb
> 
> -> #0 (zonelist_update_seq.seqcount){...-}-{0:0}:
>        check_prev_add kernel/locking/lockdep.c:3095 [inline]
>        check_prevs_add kernel/locking/lockdep.c:3214 [inline]
>        validate_chain kernel/locking/lockdep.c:3829 [inline]
>        __lock_acquire+0x2a43/0x56d0 kernel/locking/lockdep.c:5053
>        lock_acquire kernel/locking/lockdep.c:5666 [inline]
>        lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
>        seqcount_lockdep_reader_access include/linux/seqlock.h:102 [inline]
>        read_seqbegin include/linux/seqlock.h:836 [inline]
>        zonelist_iter_begin mm/page_alloc.c:4722 [inline]
>        __alloc_pages_slowpath.constprop.0+0x1a5/0x2300 mm/page_alloc.c:5044
>        __alloc_pages+0x43d/0x510 mm/page_alloc.c:5562
>        __alloc_pages_node include/linux/gfp.h:243 [inline]
>        kmem_getpages mm/slab.c:1363 [inline]
>        cache_grow_begin+0x75/0x360 mm/slab.c:2569
>        cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
>        ____cache_alloc mm/slab.c:3018 [inline]
>        ____cache_alloc mm/slab.c:3001 [inline]
>        __do_cache_alloc mm/slab.c:3246 [inline]
>        slab_alloc mm/slab.c:3287 [inline]
>        __do_kmalloc mm/slab.c:3684 [inline]
>        __kmalloc+0x3a1/0x4a0 mm/slab.c:3695
>        kmalloc include/linux/slab.h:605 [inline]
>        tty_buffer_alloc+0x27b/0x2f0 drivers/tty/tty_buffer.c:180
>        __tty_buffer_request_room+0x15f/0x2b0 drivers/tty/tty_buffer.c:278
>        tty_insert_flip_string_fixed_flag+0x8c/0x250 drivers/tty/tty_buffer.c:327
>        tty_insert_flip_string include/linux/tty_flip.h:41 [inline]
>        tty_insert_flip_string_and_push_buffer+0x3e/0x160 drivers/tty/tty_buffer.c:629
>        pty_write+0xd6/0x100 drivers/tty/pty.c:118
>        process_output_block drivers/tty/n_tty.c:586 [inline]
>        n_tty_write+0x4ca/0xfd0 drivers/tty/n_tty.c:2350
>        do_tty_write drivers/tty/tty_io.c:1024 [inline]
>        file_tty_write.constprop.0+0x499/0x8f0 drivers/tty/tty_io.c:1095
>        call_write_iter include/linux/fs.h:2187 [inline]
>        new_sync_write fs/read_write.c:491 [inline]
>        vfs_write+0x9e9/0xdd0 fs/read_write.c:584
>        ksys_write+0x127/0x250 fs/read_write.c:637
>        do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>        do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>        entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> other info that might help us debug this:
> 
> Chain exists of:
>   zonelist_update_seq.seqcount --> &port_lock_key --> &port->lock
> 
>  Possible unsafe locking scenario:
> 
>        CPU0                    CPU1
>        ----                    ----
>   lock(&port->lock);
>                                lock(&port_lock_key);
>                                lock(&port->lock);
>   lock(zonelist_update_seq.seqcount);
> 
>  *** DEADLOCK ***
> 
> 5 locks held by syz-executor.0/4926:
>  #0: ffff88806b3c3098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:244
>  #1: ffff88806b3c3130 (&tty->atomic_write_lock){+.+.}-{3:3}, at: tty_write_lock drivers/tty/tty_io.c:950 [inline]
>  #1: ffff88806b3c3130 (&tty->atomic_write_lock){+.+.}-{3:3}, at: do_tty_write drivers/tty/tty_io.c:973 [inline]
>  #1: ffff88806b3c3130 (&tty->atomic_write_lock){+.+.}-{3:3}, at: file_tty_write.constprop.0+0x296/0x8f0 drivers/tty/tty_io.c:1095
>  #2: ffff88806b3c32e8 (&o_tty->termios_rwsem/1){++++}-{3:3}, at: n_tty_write+0x1bf/0xfd0 drivers/tty/n_tty.c:2333
>  #3: ffffc90000cf4380 (&ldata->output_lock){+.+.}-{3:3}, at: process_output_block drivers/tty/n_tty.c:541 [inline]
>  #3: ffffc90000cf4380 (&ldata->output_lock){+.+.}-{3:3}, at: n_tty_write+0x5f6/0xfd0 drivers/tty/n_tty.c:2350
>  #4: ffff88802624c958 (&port->lock){-.-.}-{2:2}, at: tty_insert_flip_string_and_push_buffer+0x2b/0x160 drivers/tty/tty_buffer.c:628
> 
> stack backtrace:
> CPU: 1 PID: 4926 Comm: syz-executor.0 Not tainted 6.0.0-rc7-syzkaller-00162-g5a77386984b5 #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
>  check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2175
>  check_prev_add kernel/locking/lockdep.c:3095 [inline]
>  check_prevs_add kernel/locking/lockdep.c:3214 [inline]
>  validate_chain kernel/locking/lockdep.c:3829 [inline]
>  __lock_acquire+0x2a43/0x56d0 kernel/locking/lockdep.c:5053
>  lock_acquire kernel/locking/lockdep.c:5666 [inline]
>  lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
>  seqcount_lockdep_reader_access include/linux/seqlock.h:102 [inline]
>  read_seqbegin include/linux/seqlock.h:836 [inline]
>  zonelist_iter_begin mm/page_alloc.c:4722 [inline]
>  __alloc_pages_slowpath.constprop.0+0x1a5/0x2300 mm/page_alloc.c:5044
>  __alloc_pages+0x43d/0x510 mm/page_alloc.c:5562
>  __alloc_pages_node include/linux/gfp.h:243 [inline]
>  kmem_getpages mm/slab.c:1363 [inline]
>  cache_grow_begin+0x75/0x360 mm/slab.c:2569
>  cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
>  ____cache_alloc mm/slab.c:3018 [inline]
>  ____cache_alloc mm/slab.c:3001 [inline]
>  __do_cache_alloc mm/slab.c:3246 [inline]
>  slab_alloc mm/slab.c:3287 [inline]
>  __do_kmalloc mm/slab.c:3684 [inline]
>  __kmalloc+0x3a1/0x4a0 mm/slab.c:3695
>  kmalloc include/linux/slab.h:605 [inline]
>  tty_buffer_alloc+0x27b/0x2f0 drivers/tty/tty_buffer.c:180
>  __tty_buffer_request_room+0x15f/0x2b0 drivers/tty/tty_buffer.c:278
>  tty_insert_flip_string_fixed_flag+0x8c/0x250 drivers/tty/tty_buffer.c:327
>  tty_insert_flip_string include/linux/tty_flip.h:41 [inline]
>  tty_insert_flip_string_and_push_buffer+0x3e/0x160 drivers/tty/tty_buffer.c:629
>  pty_write+0xd6/0x100 drivers/tty/pty.c:118
>  process_output_block drivers/tty/n_tty.c:586 [inline]
>  n_tty_write+0x4ca/0xfd0 drivers/tty/n_tty.c:2350
>  do_tty_write drivers/tty/tty_io.c:1024 [inline]
>  file_tty_write.constprop.0+0x499/0x8f0 drivers/tty/tty_io.c:1095
>  call_write_iter include/linux/fs.h:2187 [inline]
>  new_sync_write fs/read_write.c:491 [inline]
>  vfs_write+0x9e9/0xdd0 fs/read_write.c:584
>  ksys_write+0x127/0x250 fs/read_write.c:637
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7feffde8a5a9
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007feffcdfe168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 00007feffdfabf80 RCX: 00007feffde8a5a9
> RDX: 00000000fffffedf RSI: 0000000020000000 RDI: 0000000000000004
> RBP: 00007feffdee5580 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007fffc3837d3f R14: 00007feffcdfe300 R15: 0000000000022000
>  </TASK>
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 

Powered by blists - more mailing lists