lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <b32229f0-0702-4047-9e71-e3d6ed85f0bf@gmail.com>
Date: Fri, 4 Jul 2025 15:07:54 +0200
From: Andrey Ryabinin <ryabinin.a.a@...il.com>
To: Andrey Konovalov <andreyknvl@...il.com>, Yeoreum Yun <yeoreum.yun@....com>
Cc: glider@...gle.com, dvyukov@...gle.com, vincenzo.frascino@....com,
 akpm@...ux-foundation.org, bigeasy@...utronix.de, clrkwllms@...nel.org,
 rostedt@...dmis.org, byungchul@...com, max.byungchul.park@...il.com,
 ysk@...lloc.com, kasan-dev@...glegroups.com, linux-mm@...ck.org,
 linux-kernel@...r.kernel.org, linux-rt-devel@...ts.linux.dev
Subject: Re: [PATCH v2] kasan: remove kasan_find_vm_area() to prevent possible
 deadlock



On 7/3/25 9:05 PM, Andrey Konovalov wrote:
> On Thu, Jul 3, 2025 at 8:55 PM Yeoreum Yun <yeoreum.yun@....com> wrote:
>>
>> Hi Andrey,
>>
>>>>
>>>> find_vm_area() couldn't be called in atomic_context.
>>>> If find_vm_area() is called to reports vm area information,
>>>> kasan can trigger deadlock like:
>>>>
>>>> CPU0                                CPU1
>>>> vmalloc();
>>>>  alloc_vmap_area();
>>>>   spin_lock(&vn->busy.lock)
>>>>                                     spin_lock_bh(&some_lock);
>>>>    <interrupt occurs>
>>>>    <in softirq>
>>>>    spin_lock(&some_lock);
>>>>                                     <access invalid address>
>>>>                                     kasan_report();
>>>>                                      print_report();
>>>>                                       print_address_description();
>>>>                                        kasan_find_vm_area();
>>>>                                         find_vm_area();
>>>>                                          spin_lock(&vn->busy.lock) // deadlock!
>>>>
>>>> To prevent possible deadlock while kasan reports, remove kasan_find_vm_area().
>>>
>>> Can we keep it for when we are in_task()?
>>
>> We couldn't do. since when kasan_find_vm_area() is called,
>> the report_lock is grabbed with irq disabled.
>>
>> Please check discuss with Andrey Ryabinin:
>>   https://lore.kernel.org/all/4599f645-f79c-4cce-b686-494428bb9e2a@gmail.com/
> 
> That was about checking for !in_interrupt(), but I believe checking
> for in_task() is different? But I'm not an expert on these checks.

The problem is that CPU1 grabs '&vn->busy.lock' after the '&some_lock'. This could
happen both in task and in irq contexts, so the in_task() guard just won't change anything.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ