| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Jun 2024 15:50:33 -0700
From: syzbot <syzbot+e3daf47e87cd1583d197@...kaller.appspotmail.com>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com,
syzkaller-bugs@...glegroups.com
Subject: [syzbot] [net?] possible deadlock in kvfree_call_rcu (2)
Hello,
syzbot found the following issue on:
HEAD commit: b0c9a2643541 net: wwan: iosm: Fix tainted pointer delete i..
git tree: net
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16b243fc980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b9016f104992d69c
dashboard link: https://syzkaller.appspot.com/bug?extid=e3daf47e87cd1583d197
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15c4d20a980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11aa4362980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/62df44056b9e/disk-b0c9a264.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c6fbd552be98/vmlinux-b0c9a264.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aaed51bb11ba/bzImage-b0c9a264.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e3daf47e87cd1583d197@...kaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.10.0-rc1-syzkaller-00199-gb0c9a2643541 #0 Not tainted
------------------------------------------------------
swapper/1/0 is trying to acquire lock:
ffff8880b9529430 (krc.lock){..-.}-{2:2}, at: krc_this_cpu_lock kernel/rcu/tree.c:3298 [inline]
ffff8880b9529430 (krc.lock){..-.}-{2:2}, at: add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3697 [inline]
ffff8880b9529430 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x18a/0x790 kernel/rcu/tree.c:3782
but task is already holding lock:
ffff8880b952a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 kernel/time/timer.c:1051
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&base->lock){-.-.}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
lock_timer_base+0x112/0x240 kernel/time/timer.c:1051
__mod_timer+0x1ca/0xeb0 kernel/time/timer.c:1132
queue_delayed_work_on+0x1ca/0x390 kernel/workqueue.c:2572
kvfree_call_rcu+0x47f/0x790 kernel/rcu/tree.c:3810
rtnl_register_internal+0x482/0x590 net/core/rtnetlink.c:265
rtnl_register+0x36/0x80 net/core/rtnetlink.c:315
ip_rt_init+0x2f6/0x3a0 net/ipv4/route.c:3696
ip_init+0xe/0x20 net/ipv4/ip_output.c:1663
inet_init+0x3d8/0x580 net/ipv4/af_inet.c:1983
do_one_initcall+0x248/0x880 init/main.c:1267
do_initcall_level+0x157/0x210 init/main.c:1329
do_initcalls+0x3f/0x80 init/main.c:1345
kernel_init_freeable+0x435/0x5d0 init/main.c:1578
kernel_init+0x1d/0x2b0 init/main.c:1467
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #0 (krc.lock){..-.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
krc_this_cpu_lock kernel/rcu/tree.c:3298 [inline]
add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3697 [inline]
kvfree_call_rcu+0x18a/0x790 kernel/rcu/tree.c:3782
trie_delete_elem+0x546/0x6a0 kernel/bpf/lpm_trie.c:540
bpf_prog_2c29ac5cdc6b1842+0x42/0x46
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2403 [inline]
bpf_trace_run2+0x2ec/0x540 kernel/trace/bpf_trace.c:2444
trace_timer_start include/trace/events/timer.h:52 [inline]
enqueue_timer+0x3ce/0x570 kernel/time/timer.c:663
internal_add_timer kernel/time/timer.c:688 [inline]
__mod_timer+0xa0e/0xeb0 kernel/time/timer.c:1183
dsp_cmx_send+0x21bf/0x2240 drivers/isdn/mISDN/dsp_cmx.c:1839
call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers kernel/time/timer.c:2417 [inline]
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
run_timer_base kernel/time/timer.c:2437 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
acpi_safe_halt+0x21/0x30 drivers/acpi/processor_idle.c:112
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x112/0x480 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0xa0 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x375/0x5d0 kernel/sched/idle.c:332
cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:430
__pfx_ap_starting+0x0/0x10 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x147
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&base->lock);
lock(krc.lock);
lock(&base->lock);
lock(krc.lock);
*** DEADLOCK ***
4 locks held by swapper/1/0:
#0: ffffc90000a18c00 ((&dsp_spl_tl)){+.-.}-{0:0}, at: call_timer_fn+0xc0/0x650 kernel/time/timer.c:1789
#1: ffffffff8f339f98 (dsp_lock){..-.}-{2:2}, at: dsp_cmx_send+0x26/0x2240 drivers/isdn/mISDN/dsp_cmx.c:1632
#2: ffff8880b952a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 kernel/time/timer.c:1051
#3: ffffffff8e333f60 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#3: ffffffff8e333f60 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
#3: ffffffff8e333f60 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2402 [inline]
#3: ffffffff8e333f60 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x540 kernel/trace/bpf_trace.c:2444
stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.10.0-rc1-syzkaller-00199-gb0c9a2643541 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
krc_this_cpu_lock kernel/rcu/tree.c:3298 [inline]
add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3697 [inline]
kvfree_call_rcu+0x18a/0x790 kernel/rcu/tree.c:3782
trie_delete_elem+0x546/0x6a0 kernel/bpf/lpm_trie.c:540
bpf_prog_2c29ac5cdc6b1842+0x42/0x46
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2403 [inline]
bpf_trace_run2+0x2ec/0x540 kernel/trace/bpf_trace.c:2444
trace_timer_start include/trace/events/timer.h:52 [inline]
enqueue_timer+0x3ce/0x570 kernel/time/timer.c:663
internal_add_timer kernel/time/timer.c:688 [inline]
__mod_timer+0xa0e/0xeb0 kernel/time/timer.c:1183
dsp_cmx_send+0x21bf/0x2240 drivers/isdn/mISDN/dsp_cmx.c:1839
call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers kernel/time/timer.c:2417 [inline]
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
run_timer_base kernel/time/timer.c:2437 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x21/0x30 drivers/acpi/processor_idle.c:113
Code: 90 90 90 90 90 90 90 90 90 65 48 8b 04 25 00 d5 03 00 48 f7 00 08 00 00 00 75 10 66 90 0f 00 2d b5 f4 a2 00 f3 0f 1e fa fb f4 <fa> c3 cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90
RSP: 0018:ffffc900001a7d08 EFLAGS: 00000246
RAX: ffff888017ae8000 RBX: ffff88801b6f9864 RCX: 000000000001bdc9
RDX: 0000000000000001 RSI: ffff88801b6f9800 RDI: ffff88801b6f9864
RBP: 000000000003a5b8 R08: ffff8880b9537d0b R09: 1ffff110172a6fa1
R10: dffffc0000000000 R11: ffffffff8b868960 R12: ffff88801c718800
R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff8eace380
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x112/0x480 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0xa0 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x375/0x5d0 kernel/sched/idle.c:332
cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:430
start_secondary+0x100/0x100 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x147
</TASK>
----------------
Code disassembly (best guess):
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 65 48 8b 04 25 00 d5 mov %gs:0x3d500,%rax
10: 03 00
12: 48 f7 00 08 00 00 00 testq $0x8,(%rax)
19: 75 10 jne 0x2b
1b: 66 90 xchg %ax,%ax
1d: 0f 00 2d b5 f4 a2 00 verw 0xa2f4b5(%rip) # 0xa2f4d9
24: f3 0f 1e fa endbr64
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: c3 ret
2c: cc int3
2d: cc int3
2e: cc int3
2f: cc int3
30: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
37: 00 00
39: 90 nop
3a: 90 nop
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Powered by blists - more mailing lists