Open Source and information security mailing list archives
Date:   Tue, 15 Nov 2022 10:35:40 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Hillf Danton <hdanton@...a.com>
Cc:     syzbot <syzbot+8768e9ec924b08e63f82@...kaller.appspotmail.com>,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] possible deadlock in nci_set_local_general_bytes

On Tue, 15 Nov 2022 at 10:18, Hillf Danton <hdanton@...a.com> wrote:
>
> On 14 Nov 2022 09:43:48 -0800
> > syzbot found the following issue on:
> >
> > HEAD commit:    1621b6eaebf7 Merge branch 'for-next/fixes' into for-kernelci
> > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > console output: https://syzkaller.appspot.com/x/log.txt?x=119413e1880000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=606e57fd25c5c6cc
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8768e9ec924b08e63f82
> > userspace arch: arm64
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1097e935880000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=177b5b15880000
>
> In the open path, register the nci device without nci_mutex held in a bid to break
> the lock chain.

This should be fixed by the following commit when/if it's merged. The
commit removes nci_mutex.

nfc: Allow to create multiple virtual nci devices
https://lore.kernel.org/all/20221104170422.979558-1-dvyukov@google.com/


> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git  1621b6eaebf7
>
> --- x/drivers/nfc/virtual_ncidev.c
> +++ y/drivers/nfc/virtual_ncidev.c
> @@ -15,6 +15,7 @@
>
>  enum virtual_ncidev_mode {
>         virtual_ncidev_enabled,
> +       virtual_ncidev_enabling,
>         virtual_ncidev_disabled,
>         virtual_ncidev_disabling,
>  };
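Review bot: the new `virtual_ncidev_enabling` value carries no comment explaining what it means, and this hunk alone does not show how the other readers of `state` treat it. Since the open path now releases `nci_mutex` while in this state, a short comment such as `/* open in progress, nci_mutex dropped */` next to the enumerator would help, and every `== virtual_ncidev_enabled` / `!= virtual_ncidev_disabled` test elsewhere in the driver should be checked against the intermediate value.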
> @@ -128,6 +129,7 @@ static ssize_t virtual_ncidev_write(stru
>
>  static int virtual_ncidev_open(struct inode *inode, struct file *file)
>  {
> +       struct nci_dev *new;
>         int ret = 0;
>
>         mutex_lock(&nci_mutex);
> @@ -135,24 +137,27 @@ static int virtual_ncidev_open(struct in
>                 mutex_unlock(&nci_mutex);
>                 return -EBUSY;
>         }
> +       state = virtual_ncidev_enabling;
> +       mutex_unlock(&nci_mutex);
>
> -       ndev = nci_allocate_device(&virtual_nci_ops, VIRTUAL_NFC_PROTOCOLS,
> -                                  0, 0);
> -       if (!ndev) {
> -               mutex_unlock(&nci_mutex);
> -               return -ENOMEM;
> +       ret = -ENOMEM;
> +       new = nci_allocate_device(&virtual_nci_ops, VIRTUAL_NFC_PROTOCOLS, 0, 0);
> +       if (new) {
> +               ret = nci_register_device(new);
> +               if (ret)
> +                       nci_free_device(new);
>         }
>
> -       ret = nci_register_device(ndev);
> -       if (ret < 0) {
> -               nci_free_device(ndev);
> -               mutex_unlock(&nci_mutex);
> -               return ret;
> +       mutex_lock(&nci_mutex);
> +       if (ret)
> +               state = virtual_ncidev_disabled;
> +       else {
> +               ndev = new;
> +               state = virtual_ncidev_enabled;
>         }
> -       state = virtual_ncidev_enabled;
>         mutex_unlock(&nci_mutex);
>
> -       return 0;
> +       return ret;
>  }
>
>  static int virtual_ncidev_close(struct inode *inode, struct file *file)
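Review bot: the `-EBUSY` condition just above this hunk is not in the visible context, so please confirm it rejects every state other than `virtual_ncidev_disabled`; if it only tests `state == virtual_ncidev_enabled`, a second open arriving while `state == virtual_ncidev_enabling` (with `nci_mutex` released) would allocate and register a second device and the last writer would win on the global `ndev`. The rest of the hunk looks sound: `ndev` is assigned under `nci_mutex` only after `nci_register_device()` succeeded, and both failure paths (`new == NULL` leaving `ret = -ENOMEM`, or a register error) reset `state` to disabled before returning `ret`. Style: `if (ret) state = virtual_ncidev_disabled; else { ... }` mixes an unbraced and a braced branch; kernel coding style asks for braces on both when either needs them.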
> @@ -167,9 +172,9 @@ static int virtual_ncidev_close(struct i
>                 nci_free_device(ndev);
>
>                 mutex_lock(&nci_mutex);
> +               state = virtual_ncidev_disabled;
>         }
>
> -       state = virtual_ncidev_disabled;
>         mutex_unlock(&nci_mutex);
>
>         return 0;
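Review bot: moving `state = virtual_ncidev_disabled;` inside the `if` block changes behaviour for the branch not taken: previously every close unconditionally reset `state`, now a close that does not enter the block leaves `state` untouched. That looks intentional (it stops a close from clobbering `virtual_ncidev_enabling` set by an in-flight open), but the commit message should say so. Also, nothing in this hunk clears `ndev` after `nci_free_device(ndev)`; setting `ndev = NULL` under the mutex alongside the new state assignment would avoid leaving a dangling pointer in the global.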
> --
>
