Date:   Tue, 22 Nov 2022 14:07:20 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Hillf Danton <hdanton@...a.com>
Cc:     syzbot <syzbot+8768e9ec924b08e63f82@...kaller.appspotmail.com>,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] possible deadlock in nci_set_local_general_bytes

On Tue, 15 Nov 2022 at 10:35, Dmitry Vyukov <dvyukov@...gle.com> wrote:
>
> On Tue, 15 Nov 2022 at 10:18, Hillf Danton <hdanton@...a.com> wrote:
> >
> > On 14 Nov 2022 09:43:48 -0800
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    1621b6eaebf7 Merge branch 'for-next/fixes' into for-kernelci
> > > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=119413e1880000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=606e57fd25c5c6cc
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=8768e9ec924b08e63f82
> > > userspace arch: arm64
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1097e935880000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=177b5b15880000
> >
> > In the open path, register the nci device without nci_mutex held in a bid to break
> > the lock chain.
>
> This should be fixed by the following commit when/if it's merged. The
> commit removes nci_mutex.
>
> nfc: Allow to create multiple virtual nci devices
> https://lore.kernel.org/all/20221104170422.979558-1-dvyukov@google.com/

#syz fix: NFC: nci: Allow to create multiple virtual nci devices

> > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git  1621b6eaebf7
> >
> > --- x/drivers/nfc/virtual_ncidev.c
> > +++ y/drivers/nfc/virtual_ncidev.c
> > @@ -15,6 +15,7 @@
> >
> >  enum virtual_ncidev_mode {
> >         virtual_ncidev_enabled,
> > +       virtual_ncidev_enabling,
> >         virtual_ncidev_disabled,
> >         virtual_ncidev_disabling,
> >  };
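Review bot: virtual_ncidev_enabling is added without a comment and is inserted between virtual_ncidev_enabled and virtual_ncidev_disabled, which shifts the numeric values of the two states that follow it. Consider appending it at the end of the enum, or confirming that nothing depends on those values, and add a one-line comment saying it marks an open that is in progress with nci_mutex dropped.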
> > @@ -128,6 +129,7 @@ static ssize_t virtual_ncidev_write(stru
> >
> >  static int virtual_ncidev_open(struct inode *inode, struct file *file)
> >  {
> > +       struct nci_dev *new;
> >         int ret = 0;
> >
> >         mutex_lock(&nci_mutex);
> > @@ -135,24 +137,27 @@ static int virtual_ncidev_open(struct in
> >                 mutex_unlock(&nci_mutex);
> >                 return -EBUSY;
> >         }
> > +       state = virtual_ncidev_enabling;
> > +       mutex_unlock(&nci_mutex);
> >
> > -       ndev = nci_allocate_device(&virtual_nci_ops, VIRTUAL_NFC_PROTOCOLS,
> > -                                  0, 0);
> > -       if (!ndev) {
> > -               mutex_unlock(&nci_mutex);
> > -               return -ENOMEM;
> > +       ret = -ENOMEM;
> > +       new = nci_allocate_device(&virtual_nci_ops, VIRTUAL_NFC_PROTOCOLS, 0, 0);
> > +       if (new) {
> > +               ret = nci_register_device(new);
> > +               if (ret)
> > +                       nci_free_device(new);
> >         }
> >
> > -       ret = nci_register_device(ndev);
> > -       if (ret < 0) {
> > -               nci_free_device(ndev);
> > -               mutex_unlock(&nci_mutex);
> > -               return ret;
> > +       mutex_lock(&nci_mutex);
> > +       if (ret)
> > +               state = virtual_ncidev_disabled;
> > +       else {
> > +               ndev = new;
> > +               state = virtual_ncidev_enabled;
> >         }
> > -       state = virtual_ncidev_enabled;
> >         mutex_unlock(&nci_mutex);
> >
> > -       return 0;
> > +       return ret;
> >  }
> >
> >  static int virtual_ncidev_close(struct inode *inode, struct file *file)
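Review bot: between the mutex_unlock() added right after "state = virtual_ncidev_enabling;" and the later mutex_lock(), exclusion of a second opener rests entirely on the -EBUSY test whose condition sits above this hunk. Please confirm that test treats virtual_ncidev_enabling as busy, otherwise two openers can both reach nci_allocate_device() and nci_register_device() and the second will overwrite ndev. As a style point, the final "if (ret) ... else { ... }" should carry braces on both branches, since kernel coding style asks for that when either branch needs them.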
> > @@ -167,9 +172,9 @@ static int virtual_ncidev_close(struct i
> >                 nci_free_device(ndev);
> >
> >                 mutex_lock(&nci_mutex);
> > +               state = virtual_ncidev_disabled;
> >         }
> >
> > -       state = virtual_ncidev_disabled;
> >         mutex_unlock(&nci_mutex);
> >
> >         return 0;
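Review bot: with "state = virtual_ncidev_disabled;" moved inside the block, a close that does not take that branch now returns 0 and leaves state as it was. The branch condition is outside the hunk and the description does not say why the unconditional reset is dropped, so please state which states can reach this path and why leaving them untouched is correct, in particular for the new virtual_ncidev_enabling.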
> > --
