Message-ID: <tencent_BD955C75EE7FFB00E62EB239ED38BC13CC07@qq.com>
Date: Sun, 23 Mar 2025 20:13:32 -0400
From: "ffhgfv" <xnxc22xnxc22@...com>
To: "marcel" <marcel@...tmann.org>, "johan.hedberg" <johan.hedberg@...il.com>, "luiz.dentz" <luiz.dentz@...il.com>
Cc: "linux-bluetooth" <linux-bluetooth@...r.kernel.org>, "linux-kernel" <linux-kernel@...r.kernel.org>
Subject: Linux 6.14-rc5 Bug: possible deadlock in l2cap_conn_del

Hello, I found a bug titled "possible deadlock in l2cap_conn_del" with a modified syzkaller in Linux 6.14-rc5.
If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <xnxc22xnxc22@...com>, xingwei lee <xrivendell7@...il.com>, Zhizhuo Tang <strforexctzzchange@...mail.com>

I use the same kernel as syzbot instance upstream: 7eb172143d5508b4da468ed59ee857c6e5e01da6
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=da4b04ae798b7ef6
compiler: gcc version 11.4.0
------------[ cut here ]-----------------------------------------
 TITLE: possible deadlock in l2cap_conn_del
==================================================================
======================================================
WARNING: possible circular locking dependency detected
6.14.0-rc5-dirty #17 Not tainted
------------------------------------------------------
syz-executor/14376 is trying to acquire lock:
ffff88804be20040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: touch_work_lockdep_map kernel/workqueue.c:3933 [inline]
ffff88804be20040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: start_flush_work kernel/workqueue.c:4187 [inline]
ffff88804be20040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x4c2/0xce0 kernel/workqueue.c:4219

but task is already holding lock:
ffff88804be20350 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7f/0x720 net/bluetooth/l2cap_core.c:1761

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&conn->lock#2){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:585 [inline]
       __mutex_lock+0x16f/0x2020 kernel/locking/mutex.c:730
       l2cap_info_timeout+0x7a/0xa0 net/bluetooth/l2cap_core.c:1667
       process_one_work kernel/workqueue.c:3246 [inline]
       process_scheduled_works+0x61a/0x1af0 kernel/workqueue.c:3330
       worker_thread+0x59f/0xcf0 kernel/workqueue.c:3411
       kthread+0x427/0x880 kernel/kthread.c:464
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3163 [inline]
       check_prevs_add kernel/locking/lockdep.c:3282 [inline]
       validate_chain kernel/locking/lockdep.c:3906 [inline]
       __lock_acquire+0x2846/0x46b0 kernel/locking/lockdep.c:5228
       lock_acquire kernel/locking/lockdep.c:5851 [inline]
       lock_acquire+0x1b6/0x570 kernel/locking/lockdep.c:5816
       touch_work_lockdep_map kernel/workqueue.c:3933 [inline]
       start_flush_work kernel/workqueue.c:4187 [inline]
       __flush_work+0x4cc/0xce0 kernel/workqueue.c:4219
       __cancel_work_sync+0x10c/0x130 kernel/workqueue.c:4375
       l2cap_conn_del+0x587/0x720 net/bluetooth/l2cap_core.c:1795
       hci_disconn_cfm include/net/bluetooth/hci_core.h:2069 [inline]
       hci_conn_hash_flush+0x447/0x780 net/bluetooth/hci_conn.c:2698
       hci_dev_close_sync+0x63a/0x1160 net/bluetooth/hci_sync.c:5197
       hci_dev_do_close+0x31/0xa0 net/bluetooth/hci_core.c:482
       hci_unregister_dev+0x213/0x630 net/bluetooth/hci_core.c:2677
       vhci_release+0x7a/0xf0 drivers/bluetooth/hci_vhci.c:664
       __fput+0x415/0xb60 fs/file_table.c:464
       task_work_run+0x170/0x280 kernel/task_work.c:227
       exit_task_work include/linux/task_work.h:40 [inline]
       do_exit+0xa6b/0x3080 kernel/exit.c:938
       do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
       __do_sys_exit_group kernel/exit.c:1098 [inline]
       __se_sys_exit_group kernel/exit.c:1096 [inline]
       __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
       x64_sys_call+0xf6a/0x1890 arch/x86/include/generated/asm/syscalls_64.h:232
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xcf/0x250 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&conn->lock#2);
                               lock((work_completion)(&(&conn->info_timer)->work));
                               lock(&conn->lock#2);
  lock((work_completion)(&(&conn->info_timer)->work));

 *** DEADLOCK ***

4 locks held by syz-executor/14376:
 #0: ffff888029c38df0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close+0x29/0xa0 net/bluetooth/hci_core.c:480
 #1: ffff888029c38078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x3f6/0x1160 net/bluetooth/hci_sync.c:5185
 #2: ffff88804be20350 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7f/0x720 net/bluetooth/l2cap_core.c:1761
 #3: ffffffff8e1bbae0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #3: ffffffff8e1bbae0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #3: ffffffff8e1bbae0 (rcu_read_lock){....}-{1:3}, at: start_flush_work kernel/workqueue.c:4161 [inline]
 #3: ffffffff8e1bbae0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xe8/0xce0 kernel/workqueue.c:4219

stack backtrace:
CPU: 0 UID: 0 PID: 14376 Comm: syz-executor Not tainted 6.14.0-rc5-dirty #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_circular_bug.isra.0+0x505/0x740 kernel/locking/lockdep.c:2076
 check_noncircular+0x2f1/0x3d0 kernel/locking/lockdep.c:2208
 check_prev_add kernel/locking/lockdep.c:3163 [inline]
 check_prevs_add kernel/locking/lockdep.c:3282 [inline]
 validate_chain kernel/locking/lockdep.c:3906 [inline]
 __lock_acquire+0x2846/0x46b0 kernel/locking/lockdep.c:5228
 lock_acquire kernel/locking/lockdep.c:5851 [inline]
 lock_acquire+0x1b6/0x570 kernel/locking/lockdep.c:5816
 touch_work_lockdep_map kernel/workqueue.c:3933 [inline]
 start_flush_work kernel/workqueue.c:4187 [inline]
 __flush_work+0x4cc/0xce0 kernel/workqueue.c:4219
 __cancel_work_sync+0x10c/0x130 kernel/workqueue.c:4375
 l2cap_conn_del+0x587/0x720 net/bluetooth/l2cap_core.c:1795
 hci_disconn_cfm include/net/bluetooth/hci_core.h:2069 [inline]
 hci_conn_hash_flush+0x447/0x780 net/bluetooth/hci_conn.c:2698
 hci_dev_close_sync+0x63a/0x1160 net/bluetooth/hci_sync.c:5197
 hci_dev_do_close+0x31/0xa0 net/bluetooth/hci_core.c:482
 hci_unregister_dev+0x213/0x630 net/bluetooth/hci_core.c:2677
 vhci_release+0x7a/0xf0 drivers/bluetooth/hci_vhci.c:664
 __fput+0x415/0xb60 fs/file_table.c:464
 task_work_run+0x170/0x280 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xa6b/0x3080 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 __do_sys_exit_group kernel/exit.c:1098 [inline]
 __se_sys_exit_group kernel/exit.c:1096 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
 x64_sys_call+0xf6a/0x1890 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f38efda962d
Code: Unable to access opcode bytes at 0x7f38efda9603.
RSP: 002b:00007fff99b2d708 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f38efda962d
RDX: 00007f38efda80cf RSI: 0000000000000000 RDI: 0000000000000043
RBP: 00007f38effc5f40 R08: 0000000000000000 R09: 00007f38efe4ecc3
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f38efe4ecc3 R14: 0000000000000010 R15: 0000000000000002
 </TASK>

==================================================================



I hope it helps.
Best regards
Jianzhou Zhao
