lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 26 Apr 2024 22:35:39 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+159077b1355b8cd72757@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [input?] [ext4?] possible deadlock in uinput_request_submit

On Thu, 25 Apr 2024 21:42:26 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    7b4f2bc91c15 Add linux-next specific files for 20240418
> git tree:       linux-next
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14b59430980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git  7b4f2bc91c15

--- x/drivers/input/misc/uinput.c
+++ y/drivers/input/misc/uinput.c
@@ -157,8 +157,6 @@ static int uinput_request_send(struct ui
 		goto out;
 	}
 
-	init_completion(&request->done);
-
 	/*
 	 * Tell our userspace application about this new request
 	 * by queueing an input event.
@@ -175,6 +173,8 @@ static int uinput_request_submit(struct
 {
 	int retval;
 
+	init_completion(&request->done);
+
 	retval = uinput_request_reserve_slot(udev, request);
 	if (retval)
 		return retval;
@@ -311,8 +311,11 @@ static int uinput_create_device(struct u
 	struct input_dev *dev = udev->dev;
 	int error, nslot;
 
+	lockdep_assert_held(&udev->mutex);
+
 	if (udev->state != UIST_SETUP_COMPLETE) {
 		printk(KERN_DEBUG "%s: write device info first\n", UINPUT_NAME);
+		mutex_unlock(&udev->mutex);
 		return -EINVAL;
 	}
 
@@ -362,9 +365,12 @@ static int uinput_create_device(struct u
 
 	input_set_drvdata(udev->dev, udev);
 
+	mutex_unlock(&udev->mutex);
 	error = input_register_device(udev->dev);
-	if (error)
+	if (error) {
+		mutex_lock(&udev->mutex);
 		goto fail2;
+	}
 
 	udev->state = UIST_CREATED;
 
@@ -372,6 +378,7 @@ static int uinput_create_device(struct u
 
  fail2:	input_ff_destroy(dev);
  fail1: uinput_destroy_device(udev);
+	mutex_unlock(&udev->mutex);
 	return error;
 }
 
@@ -901,8 +908,7 @@ static long uinput_ioctl_handler(struct
 		goto out;
 
 	case UI_DEV_CREATE:
-		retval = uinput_create_device(udev);
-		goto out;
+		return uinput_create_device(udev);
 
 	case UI_DEV_DESTROY:
 		uinput_destroy_device(udev);
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ