| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5823185b-55c6-416b-a85c-1191a045caf8@I-love.SAKURA.ne.jp>
Date: Tue, 4 Nov 2025 20:44:53 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: syzbot <syzbot+bd936ccd4339cea66e6b@...kaller.appspotmail.com>,
daniel.m.jordan@...cle.com, linux-kernel@...r.kernel.org,
steffen.klassert@...unet.com, linux-crypto@...r.kernel.org
Subject: padata: Is padata_find_next() thread-safe?
syzbot is reporting possibility of recursive locking at
https://syzkaller.appspot.com/bug?extid=bd936ccd4339cea66e6b .
If this is a false positive report, the fix will be as simple as
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -253,7 +253,7 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd, int cpu,
reorder = per_cpu_ptr(pd->reorder_list, cpu);
- spin_lock(&reorder->lock);
+ spin_lock_nested(&reorder->lock, 1);
if (list_empty(&reorder->list))
goto notfound;
. But I don't know if there is a possibility of AB-BA deadlock.
Can a sequence shown below possible? If it is possible, how is calling
padata_find_next() with a spinlock already held by caller introduced by
commit 71203f68c774 ("padata: Fix pd UAF once and for all") thread-safe?
struct padata_list list[2];
CPU 0: CPU 1:
spin_lock(&list[0].lock);
spin_lock(&list[1].lock);
spin_lock_nested(&list[1].lock, 1);
spin_lock_nested(&list[0].lock, 1);
do_something();
do_something();
spin_unlock(&list[1].lock);
spin_unlock(&list[0].lock);
spin_unlock(&list[0].lock);
spin_unlock(&list[1].lock);
Powered by blists - more mailing lists