Message-ID: <CACT4Y+Z0OqaK0iCqWbez1aYw1zqtSZxNFbYe9jm_p2VToh2-oA@mail.gmail.com>
Date: Tue, 15 Nov 2022 10:35:40 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Hillf Danton <hdanton@...a.com>
Cc: syzbot <syzbot+8768e9ec924b08e63f82@...kaller.appspotmail.com>,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] possible deadlock in nci_set_local_general_bytes

On Tue, 15 Nov 2022 at 10:18, Hillf Danton <hdanton@...a.com> wrote:
>
> On 14 Nov 2022 09:43:48 -0800
> > syzbot found the following issue on:
> >
> > HEAD commit: 1621b6eaebf7 Merge branch 'for-next/fixes' into for-kernelci
> > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > console output: https://syzkaller.appspot.com/x/log.txt?x=119413e1880000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=606e57fd25c5c6cc
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8768e9ec924b08e63f82
> > userspace arch: arm64
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1097e935880000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177b5b15880000
>
> In the open path, register nci device without nci_mutex held in a bid to break
> the lock chain.

This should be fixed by the following commit when/if it's merged. The
commit removes nci_mutex.

nfc: Allow to create multiple virtual nci devices
https://lore.kernel.org/all/20221104170422.979558-1-dvyukov@google.com/

> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 1621b6eaebf7
>
> --- x/drivers/nfc/virtual_ncidev.c
> +++ y/drivers/nfc/virtual_ncidev.c
> @@ -15,6 +15,7 @@
>
> enum virtual_ncidev_mode {
> virtual_ncidev_enabled,
> + virtual_ncidev_enabling,
> virtual_ncidev_disabled,
> virtual_ncidev_disabling,
> };
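Review bot: the new virtual_ncidev_enabling value in enum virtual_ncidev_mode carries no comment saying what it guards. A one-line comment that it marks an open in progress, with nci_mutex released and ndev not yet assigned, would help, because every reader of state now has one more value to handle.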
> @@ -128,6 +129,7 @@ static ssize_t virtual_ncidev_write(stru
>
> static int virtual_ncidev_open(struct inode *inode, struct file *file)
> {
> + struct nci_dev *new;
> int ret = 0;
>
> mutex_lock(&nci_mutex);
> @@ -135,24 +137,27 @@ static int virtual_ncidev_open(struct in
> mutex_unlock(&nci_mutex);
> return -EBUSY;
> }
> + state = virtual_ncidev_enabling;
> + mutex_unlock(&nci_mutex);
>
> - ndev = nci_allocate_device(&virtual_nci_ops, VIRTUAL_NFC_PROTOCOLS,
> - 0, 0);
> - if (!ndev) {
> - mutex_unlock(&nci_mutex);
> - return -ENOMEM;
> + ret = -ENOMEM;
> + new = nci_allocate_device(&virtual_nci_ops, VIRTUAL_NFC_PROTOCOLS, 0, 0);
> + if (new) {
> + ret = nci_register_device(new);
> + if (ret)
> + nci_free_device(new);
> }
>
> - ret = nci_register_device(ndev);
> - if (ret < 0) {
> - nci_free_device(ndev);
> - mutex_unlock(&nci_mutex);
> - return ret;
> + mutex_lock(&nci_mutex);
> + if (ret)
> + state = virtual_ncidev_disabled;
> + else {
> + ndev = new;
> + state = virtual_ncidev_enabled;
> }
> - state = virtual_ncidev_enabled;
> mutex_unlock(&nci_mutex);
>
> - return 0;
> + return ret;
> }
>
> static int virtual_ncidev_close(struct inode *inode, struct file *file)
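Review bot: in virtual_ncidev_open(), nci_register_device(new) can succeed while state is still virtual_ncidev_enabling and the global ndev is only assigned later, in the second nci_mutex section, so there is a window in which the device is registered but ndev is unset. Please confirm that nothing reachable once the device is registered depends on ndev or on state before that second section runs, or explain in the changelog why the window is harmless. As a style point, the final "if (ret) ... else { ... }" should have braces on both branches.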
> @@ -167,9 +172,9 @@ static int virtual_ncidev_close(struct i
> nci_free_device(ndev);
>
> mutex_lock(&nci_mutex);
> + state = virtual_ncidev_disabled;
> }
>
> - state = virtual_ncidev_disabled;
> mutex_unlock(&nci_mutex);
>
> return 0;
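Review bot: in virtual_ncidev_close(), moving "state = virtual_ncidev_disabled;" inside the block means the path that skips the block now returns with state unchanged. The hunk does not show the block's condition, so please state in the changelog which states can reach that path and why leaving them untouched is correct now that virtual_ncidev_enabling exists. Separately, the visible context calls nci_free_device(ndev) without resetting ndev; setting ndev = NULL next to the state change under nci_mutex would avoid keeping a stale pointer.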
> --
>