| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <67747174.050a0220.25abdd.0954.GAE@google.com>
Date: Tue, 31 Dec 2024 14:34:28 -0800
From: syzbot <syzbot+52cf91760dcb1dac6376@...kaller.appspotmail.com>
To: gregkh@...uxfoundation.org, jirislaby@...nel.org,
linux-kernel@...r.kernel.org, linux-serial@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [serial?] possible deadlock in tty_buffer_flush (3)
syzbot has found a reproducer for the following issue on:
HEAD commit: ccb98ccef0e5 Merge tag 'platform-drivers-x86-v6.13-4' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11615818580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dc863cc90857c683
dashboard link: https://syzkaller.appspot.com/bug?extid=52cf91760dcb1dac6376
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b9c8b0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/409ce1fd1fbc/disk-ccb98cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3919529a8a5e/vmlinux-ccb98cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f6a9eb51806d/bzImage-ccb98cce.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+52cf91760dcb1dac6376@...kaller.appspotmail.com
input: HID 0926:3333 as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.0/0003:0926:3333.0001/input/input5
keytouch 0003:0926:3333.0001: input,hidraw0: USB HID v0.00 Keyboard [HID 0926:3333] on usb-dummy_hcd.0-1/input0
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0 Not tainted
------------------------------------------------------
kworker/1:3/6008 is trying to acquire lock:
ffff88801b0990b8 (&buf->lock){+.+.}-{4:4}, at: tty_buffer_flush+0x72/0x310 drivers/tty/tty_buffer.c:229
but task is already holding lock:
ffffffff8e1a9040 (console_lock){+.+.}-{0:0}, at: vc_SAK+0x13/0x310 drivers/tty/vt/vt_ioctl.c:983
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (console_lock){+.+.}-{0:0}:
console_lock+0x7a/0xa0 kernel/printk/printk.c:2833
con_flush_chars+0x5e/0x80 drivers/tty/vt/vt.c:3503
__receive_buf drivers/tty/n_tty.c:1644 [inline]
n_tty_receive_buf_common+0xa99/0x1980 drivers/tty/n_tty.c:1739
tty_ldisc_receive_buf+0xa2/0x190 drivers/tty/tty_buffer.c:387
tty_port_default_receive_buf+0x70/0xb0 drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:445 [inline]
flush_to_ldisc+0x264/0x780 drivers/tty/tty_buffer.c:495
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #1 (&tty->termios_rwsem){++++}-{4:4}:
down_read+0x9a/0x330 kernel/locking/rwsem.c:1524
n_tty_receive_buf_common+0x85/0x1980 drivers/tty/n_tty.c:1702
tty_ldisc_receive_buf+0xa2/0x190 drivers/tty/tty_buffer.c:387
tty_port_default_receive_buf+0x70/0xb0 drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:445 [inline]
flush_to_ldisc+0x264/0x780 drivers/tty/tty_buffer.c:495
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #0 (&buf->lock){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5226
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
tty_buffer_flush+0x72/0x310 drivers/tty/tty_buffer.c:229
tty_ldisc_flush+0x64/0xe0 drivers/tty/tty_ldisc.c:388
__do_SAK+0x6a1/0x800 drivers/tty/tty_io.c:3038
vc_SAK+0x7f/0x310 drivers/tty/vt/vt_ioctl.c:993
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
other info that might help us debug this:
Chain exists of:
&buf->lock --> &tty->termios_rwsem --> console_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(console_lock);
lock(&tty->termios_rwsem);
lock(console_lock);
lock(&buf->lock);
*** DEADLOCK ***
4 locks held by kworker/1:3/6008:
#0: ffff88801b078948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1293/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003cafd80 ((work_completion)(&vc_cons[currcons].SAK_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8e1a9040 (console_lock){+.+.}-{0:0}, at: vc_SAK+0x13/0x310 drivers/tty/vt/vt_ioctl.c:983
#3: ffff8880798a40a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref drivers/tty/tty_ldisc.c:263 [inline]
#3: ffff8880798a40a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_flush+0x1c/0xe0 drivers/tty/tty_ldisc.c:386
stack backtrace:
CPU: 1 UID: 0 PID: 6008 Comm: kworker/1:3 Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events vc_SAK
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_circular_bug+0x419/0x5d0 kernel/locking/lockdep.c:2074
check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5226
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
tty_buffer_flush+0x72/0x310 drivers/tty/tty_buffer.c:229
tty_ldisc_flush+0x64/0xe0 drivers/tty/tty_ldisc.c:388
__do_SAK+0x6a1/0x800 drivers/tty/tty_io.c:3038
vc_SAK+0x7f/0x310 drivers/tty/vt/vt_ioctl.c:993
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
tty tty1: SAK: killed process 6013 (syz.0.16): by fd#3
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Powered by blists - more mailing lists