lists.openwall.net: Open Source and information security mailing list archives
Date:   Wed, 21 Jun 2017 17:22:26 +0800
From:   Dison River <pwn2river@...il.com>
To:     dsahern@...il.com, daniel@...earbox.net, ast@...nel.org,
        sd@...asysnail.net, zhangshengju@...s.chinamobile.com,
        nogahf@...lanox.com, vyasevich@...il.com, bblanco@...mgrid.com,
        moshe@...lanox.com, roopa@...ulusnetworks.com,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     syzkaller@...glegroups.com
Subject: Possible DEADLOCK in rtnl_lock(v4.1.40)

Hi:
    I've got the following error report while fuzzing the kernel with
syzkaller on v4.1.40


Syzkaller hit 'possible deadlock in rtnl_lock' bug on commit .

The guilty file is: /home/river/git_new/linux-stable/net/core/rtnetlink.c.


======================================================
[ INFO: possible circular locking dependency detected ]
4.1.40 #4 Not tainted
-------------------------------------------------------
syz-executor1/4765 is trying to acquire lock:
 (rtnl_mutex){+.+.+.}, at: [<ffffffff82734b62>] rtnl_lock+0x12/0x20
/home/river/git_new/linux-stable/net/core/rtnetlink.c:70

but task is already holding lock:
 (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff82848a75>] lock_sock
/home/river/git_new/linux-stable/include/net/sock.h:1497 [inline]
 (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff82848a75>]
do_ip_getsockopt.part.9+0xf5/0x1210
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1270

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       [<ffffffff811da5dd>] lock_acquire+0x13d/0x4d0
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:3623
       [<ffffffff826ab259>] lock_sock_nested+0xb9/0x110
/home/river/git_new/linux-stable/net/core/sock.c:2376
       [<ffffffff8284ad8f>] lock_sock
/home/river/git_new/linux-stable/include/net/sock.h:1497 [inline]
       [<ffffffff8284ad8f>] do_ip_setsockopt.isra.12+0x15f/0x24f0
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:622
       [<ffffffff8284d14f>] ip_setsockopt+0x2f/0xb0
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1200
       [<ffffffff826a95a3>] sock_common_setsockopt+0x73/0xf0
/home/river/git_new/linux-stable/net/core/sock.c:2575
       [<ffffffff826a6910>] SYSC_setsockopt
/home/river/git_new/linux-stable/net/socket.c:1761 [inline]
       [<ffffffff826a6910>] SyS_setsockopt+0x130/0x200
/home/river/git_new/linux-stable/net/socket.c:1740
       [<ffffffff82eb9fd7>] system_call_fastpath+0x12/0x6f

       [<ffffffff811d6c91>] check_prev_add
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:1853
[inline]
       [<ffffffff811d6c91>] check_prevs_add
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:1958
[inline]
       [<ffffffff811d6c91>] validate_chain
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:2144
[inline]
       [<ffffffff811d6c91>] __lock_acquire+0x3551/0x51f0
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:3205
       [<ffffffff811da5dd>] lock_acquire+0x13d/0x4d0
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:3623
       [<ffffffff82eb0e50>] __mutex_lock_common
/home/river/git_new/linux-stable/kernel/locking/mutex.c:521 [inline]
       [<ffffffff82eb0e50>] mutex_lock_nested+0xc0/0x9c0
/home/river/git_new/linux-stable/kernel/locking/mutex.c:620
       [<ffffffff82734b62>] rtnl_lock+0x12/0x20
/home/river/git_new/linux-stable/net/core/rtnetlink.c:70
       [<ffffffff8294598d>] ip_mc_msfget+0xdd/0x5b0
/home/river/git_new/linux-stable/net/ipv4/igmp.c:2208
       [<ffffffff82848d18>] do_ip_getsockopt.part.9+0x398/0x1210
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1394
       [<ffffffff82849d8c>] do_ip_getsockopt
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1262 [inline]
       [<ffffffff82849d8c>] ip_getsockopt+0x8c/0x150
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1490
       [<ffffffff828688a8>] tcp_getsockopt+0x68/0xd0
/home/river/git_new/linux-stable/net/ipv4/tcp.c:2848
       [<ffffffff826a9183>] sock_common_getsockopt+0x73/0xf0
/home/river/git_new/linux-stable/net/core/sock.c:2534
       [<ffffffff826a6b07>] SYSC_getsockopt
/home/river/git_new/linux-stable/net/socket.c:1792 [inline]
       [<ffffffff826a6b07>] SyS_getsockopt+0x127/0x200
/home/river/git_new/linux-stable/net/socket.c:1774
       [<ffffffff82eb9fd7>] system_call_fastpath+0x12/0x6f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_INET);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor1/4765:
 #0:  (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff82848a75>] lock_sock
/home/river/git_new/linux-stable/include/net/sock.h:1497 [inline]
 #0:  (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff82848a75>]
do_ip_getsockopt.part.9+0xf5/0x1210
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1270

stack backtrace:
CPU: 3 PID: 4765 Comm: syz-executor1 Not tainted 4.1.40 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
 ffffffff845cf6d0 ffff88003c7f7518 ffffffff82e9d411 ffffffff84586dd0
 ffffffff84586dd0 ffff88003c7f7578 ffffffff811cfed8 0000000000000000
 0000000000000000 0000000000000000 000000003c4a1b68 ffff88003c4a1b90
Call Trace:
 [<ffffffff82e9d411>] __dump_stack
/home/river/git_new/linux-stable/lib/dump_stack.c:15 [inline]
 [<ffffffff82e9d411>] dump_stack+0x68/0x92
/home/river/git_new/linux-stable/lib/dump_stack.c:51
 [<ffffffff811cfed8>] print_circular_bug+0x2a8/0x370
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:1226
 [<ffffffff811d6c91>] check_prev_add
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:1853
[inline]
 [<ffffffff811d6c91>] check_prevs_add
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:1958
[inline]
 [<ffffffff811d6c91>] validate_chain
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:2144
[inline]
 [<ffffffff811d6c91>] __lock_acquire+0x3551/0x51f0
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:3205
 [<ffffffff811da5dd>] lock_acquire+0x13d/0x4d0
/home/river/git_new/linux-stable/kernel/locking/lockdep.c:3623
 [<ffffffff82eb0e50>] __mutex_lock_common
/home/river/git_new/linux-stable/kernel/locking/mutex.c:521 [inline]
 [<ffffffff82eb0e50>] mutex_lock_nested+0xc0/0x9c0
/home/river/git_new/linux-stable/kernel/locking/mutex.c:620
 [<ffffffff82734b62>] rtnl_lock+0x12/0x20
/home/river/git_new/linux-stable/net/core/rtnetlink.c:70
 [<ffffffff8294598d>] ip_mc_msfget+0xdd/0x5b0
/home/river/git_new/linux-stable/net/ipv4/igmp.c:2208
 [<ffffffff82848d18>] do_ip_getsockopt.part.9+0x398/0x1210
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1394
 [<ffffffff82849d8c>] do_ip_getsockopt
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1262 [inline]
 [<ffffffff82849d8c>] ip_getsockopt+0x8c/0x150
/home/river/git_new/linux-stable/net/ipv4/ip_sockglue.c:1490
 [<ffffffff828688a8>] tcp_getsockopt+0x68/0xd0
/home/river/git_new/linux-stable/net/ipv4/tcp.c:2848
 [<ffffffff826a9183>] sock_common_getsockopt+0x73/0xf0
/home/river/git_new/linux-stable/net/core/sock.c:2534
 [<ffffffff826a6b07>] SYSC_getsockopt
/home/river/git_new/linux-stable/net/socket.c:1792 [inline]
 [<ffffffff826a6b07>] SyS_getsockopt+0x127/0x200
/home/river/git_new/linux-stable/net/socket.c:1774
 [<ffffffff82eb9fd7>] system_call_fastpath+0x12/0x6f
audit: type=1326 audit(1497551764.596:719): auid=4294967295 uid=65534
gid=65534 ses=4294967295 subj=kernel pid=8788 comm="syz-executor0"
exe="/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0
ip=0x451759 code=0x0
audit: type=1326 audit(1497551764.657:720): auid=4294967295 uid=65534
gid=65534 ses=4294967295 subj=kernel pid=8818 comm="syz-executor0"
exe="/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0
ip=0x451759 code=0x0
audit: type=1326 audit(1497551765.271:721): auid=4294967295 uid=65534
gid=65534 ses=4294967295 subj=kernel pid=9250 comm="syz-executor1"
exe="/syz-executor1" sig=9 arch=c000003e syscall=202 compat=0
ip=0x451759 code=0x0
audit: type=1326 audit(1497551765.300:722): auid=4294967295 uid=65534
gid=65534 ses=4294967295 subj=kernel pid=9281 comm="syz-executor2"
exe="/syz-executor2" sig=9 arch=c000003e syscall=202 compat=0
ip=0x451759 code=0x0
audit: type=1326 audit(1497551765.333:723): auid=4294967295 uid=65534
gid=65534 ses=4294967295 subj=kernel pid=9297 comm="syz-executor1"
exe="/syz-executor1" sig=9 arch=c000003e syscall=202 compat=0
ip=0x451759 code=0x0
audit: type=1326 audit(1497551765.346:724): auid=4294967295 uid=65534
gid=65534 ses=4294967295 subj=kernel pid=9302 comm="syz-executor2"
exe="/syz-executor2" sig=9 arch=c000003e syscall=202 compat=0
ip=0x451759 code=0x0
audit: type=1326 audit(1497551768.077:725): auid=4294967295 uid=65534
gid=65534 ses=4294967295 subj=kernel pid=11336 comm="syz-executor1"
exe="/syz-executor1" sig=9 arch=c000003e syscall=202 compat=0
ip=0x451759 code=0x0
audit: type=1326 audit(1497551768.131:726): auid=4294967295 uid=65534
gid=65534 ses=4294967295 subj=kernel pid=11383 comm="syz-executor1"
exe="/syz-executor1" sig=9 arch=c000003e syscall=202 compat=0
ip=0x451759 code=0x0


Syzkaller reproducer:
# {Threaded:true Collide:true Repeat:true Procs:1 Sandbox:setuid
Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true
HandleSegv:true WaitRepeat:true Debug:true Repro:false}
mmap(&(0x7f0000000000/0x6000)=nil, (0x6000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = accept4$inet6(0xffffffffffffff9c, 0x0, &(0x7f0000002000-0x4)=0x0, 0x80800)
r1 = socket$icmp(0x2, 0x2, 0x1)
ppoll(&(0x7f0000000000)=[{r0, 0x0, 0x0}, {r1, 0x1408, 0x0}], 0x2,
&(0x7f0000001000-0x10)={0x0, 0x989680},
&(0x7f0000002000-0x8)={0x35ea}, 0x8)
fcntl$getownex(r1, 0x10, &(0x7f0000002000-0x3)={0x0, 0x0})
ioctl$SNDRV_TIMER_IOCTL_SELECT(0xffffffffffffffff, 0x40345410,
&(0x7f0000002000)={{0x3, 0x3, 0x1f, 0x1, 0x4}, [0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0]})
syz_open_dev$vcsn(&(0x7f0000005000-0xa)="2f6465762f7663732300", 0x6, 0x404c01)

Download attachment "config" of type "application/octet-stream" (98602 bytes)
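The "Possible unsafe locking scenario" above is an AB-BA inversion: one path takes sk_lock-AF_INET and then rtnl_mutex (getsockopt via ip_mc_msfget), the other takes rtnl_mutex and then sk_lock-AF_INET (the setsockopt path in the first dependency chain). The following is an added example, not code from the report or from the kernel: a small user-space model of the check lockdep performs, replaying the two lock orders from the report and flagging the cycle. The lock-class names are taken from the report; the task names, function names and the simplified dependency graph are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not kernel code): a toy model of lockdep's circular
 * dependency check. Lock classes are named after the report; everything
 * else is constructed for illustration. */

enum { SK_LOCK_AF_INET = 0, RTNL_MUTEX = 1, NUM_CLASSES = 2 };
static const char *class_name[NUM_CLASSES] = { "sk_lock-AF_INET", "rtnl_mutex" };

/* dep[a][b] != 0 records "some task held class a while acquiring class b",
 * i.e. the edge a -> b in the lock dependency graph. */
static int dep[NUM_CLASSES][NUM_CLASSES];

/* Per-task record of currently held lock classes, innermost last. */
struct task {
    const char *comm;
    int held[NUM_CLASSES];
    int nheld;
};

void lockdep_reset(void) { memset(dep, 0, sizeof dep); }

/* Depth-first search: is there a recorded chain from -> ... -> to ? */
static int reaches(int from, int to, int *seen) {
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int next = 0; next < NUM_CLASSES; next++)
        if (dep[from][next] && !seen[next] && reaches(next, to, seen))
            return 1;
    return 0;
}

/* Acquire class `cls` in task `t`. Returns 1 if the acquisition would close
 * a cycle in the dependency graph (lockdep's "which lock already depends on
 * the new lock"), 0 otherwise. The new edges are recorded either way. */
int lockdep_acquire(struct task *t, int cls) {
    int circular = 0;
    for (int i = 0; i < t->nheld; i++) {
        int prev = t->held[i];
        int seen[NUM_CLASSES] = { 0 };
        /* We hold prev and want cls; a chain cls -> ... -> prev already
         * recorded means another task can take them in the other order. */
        if (reaches(cls, prev, seen)) {
            printf("%s: possible circular locking dependency: holding %s, "
                   "acquiring %s\n", t->comm, class_name[prev], class_name[cls]);
            circular = 1;
        }
        dep[prev][cls] = 1;
    }
    t->held[t->nheld++] = cls;
    return circular;
}

/* Release the innermost held lock (the replays release in reverse order). */
void lockdep_release(struct task *t) {
    if (t->nheld > 0)
        t->nheld--;
}

/* Replays the two paths in the report: setsockopt takes rtnl_mutex then the
 * socket lock; getsockopt takes the socket lock and then, inside
 * ip_mc_msfget(), rtnl_mutex. Returns 1 when the inversion is flagged. */
int replay_report_scenario(void) {
    struct task setsk = { "syz-executor (setsockopt)", { 0 }, 0 };
    struct task getsk = { "syz-executor1/4765 (getsockopt)", { 0 }, 0 };
    int flagged;

    lockdep_reset();
    /* path 1: rtnl_lock(); lock_sock(sk); */
    lockdep_acquire(&setsk, RTNL_MUTEX);
    lockdep_acquire(&setsk, SK_LOCK_AF_INET);
    lockdep_release(&setsk);
    lockdep_release(&setsk);
    /* path 2: lock_sock(sk); ... ip_mc_msfget() -> rtnl_lock(); */
    lockdep_acquire(&getsk, SK_LOCK_AF_INET);
    flagged = lockdep_acquire(&getsk, RTNL_MUTEX);
    lockdep_release(&getsk);
    lockdep_release(&getsk);
    return flagged;
}

/* Control: both tasks agree on the order rtnl_mutex -> sk_lock, so no
 * cycle exists and nothing is flagged. */
int replay_consistent_order(void) {
    struct task a = { "task A", { 0 }, 0 };
    struct task b = { "task B", { 0 }, 0 };
    int flagged = 0;

    lockdep_reset();
    flagged |= lockdep_acquire(&a, RTNL_MUTEX);
    flagged |= lockdep_acquire(&a, SK_LOCK_AF_INET);
    lockdep_release(&a);
    lockdep_release(&a);
    flagged |= lockdep_acquire(&b, RTNL_MUTEX);
    flagged |= lockdep_acquire(&b, SK_LOCK_AF_INET);
    lockdep_release(&b);
    lockdep_release(&b);
    return flagged;
}

int main(void) {
    printf("report scenario flagged: %d\n", replay_report_scenario());
    printf("consistent order flagged: %d\n", replay_consistent_order());
    return 0;
}
```

The model records every held-lock/acquired-lock pair as a graph edge and searches for a path from the lock being acquired back to a lock already held, which is the same shape of check that produced the "possible circular locking dependency" splat. Note that, as in the report, the cycle is reported on the second path before any real deadlock occurs: the detection is on lock order, not on an actual blocked task.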
