lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Sat, 27 Jun 2020 13:41:15 -0700
From:   syzbot <syzbot+4d35bd6ecc37bccfd165@...kaller.appspotmail.com>
To:     ap420073@...il.com, davem@...emloft.net, kuba@...nel.org,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, xiyou.wangcong@...il.com
Subject: possible deadlock in dev_mc_sync

Hello,

syzbot found the following crash on:

HEAD commit:    4a21185c Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=105b374d100000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bf3aec367b9ab569
dashboard link: https://syzkaller.appspot.com/bug?extid=4d35bd6ecc37bccfd165
compiler:       gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4d35bd6ecc37bccfd165@...kaller.appspotmail.com

netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
======================================================
WARNING: possible circular locking dependency detected
5.8.0-rc2-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/407 is trying to acquire lock:
ffff88805ddb2280 (&dev_addr_list_lock_key#2/2){+...}-{2:2}, at: netif_addr_lock_nested include/linux/netdevice.h:4243 [inline]
ffff88805ddb2280 (&dev_addr_list_lock_key#2/2){+...}-{2:2}, at: dev_mc_sync+0xdc/0x190 net/core/dev_addr_lists.c:861

but task is already holding lock:
ffff88809cebc280 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:358 [inline]
ffff88809cebc280 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}, at: netif_addr_lock_bh include/linux/netdevice.h:4248 [inline]
ffff88809cebc280 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}, at: dev_set_rx_mode net/core/dev.c:8204 [inline]
ffff88809cebc280 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}, at: __dev_open+0x28e/0x3d0 net/core/dev.c:1523

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}:
       _raw_spin_lock_nested+0x30/0x40 kernel/locking/spinlock.c:361
       netif_addr_lock_nested include/linux/netdevice.h:4243 [inline]
       dev_uc_sync_multiple+0xdc/0x190 net/core/dev_addr_lists.c:670
       team_set_rx_mode+0xce/0x220 drivers/net/team/team.c:1779
       __dev_set_rx_mode+0x1ea/0x300 net/core/dev.c:8199
       dev_uc_unsync net/core/dev_addr_lists.c:696 [inline]
       dev_uc_unsync+0x139/0x190 net/core/dev_addr_lists.c:688
       macvlan_stop+0xfe/0x4c0 drivers/net/macvlan.c:678
       __dev_close_many+0x1b3/0x2e0 net/core/dev.c:1599
       dev_close_many+0x238/0x650 net/core/dev.c:1624
       rollback_registered_many+0x3af/0xf60 net/core/dev.c:8945
       unregister_netdevice_many.part.0+0x1a/0x2f0 net/core/dev.c:10113
       unregister_netdevice_many net/core/dev.c:10112 [inline]
       default_device_exit_batch+0x30c/0x3d0 net/core/dev.c:10596
       ops_exit_list+0x10d/0x160 net/core/net_namespace.c:189
       cleanup_net+0x4ea/0xa00 net/core/net_namespace.c:603
       process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
       worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
       kthread+0x3b5/0x4a0 kernel/kthread.c:291
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

-> #0 (&dev_addr_list_lock_key#2/2){+...}-{2:2}:
       check_prev_add kernel/locking/lockdep.c:2496 [inline]
       check_prevs_add kernel/locking/lockdep.c:2601 [inline]
       validate_chain kernel/locking/lockdep.c:3218 [inline]
       __lock_acquire+0x2acb/0x56e0 kernel/locking/lockdep.c:4380
       lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:4959
       _raw_spin_lock_nested+0x30/0x40 kernel/locking/spinlock.c:361
       netif_addr_lock_nested include/linux/netdevice.h:4243 [inline]
       dev_mc_sync+0xdc/0x190 net/core/dev_addr_lists.c:861
       vlan_dev_set_rx_mode+0x38/0x80 net/8021q/vlan_dev.c:487
       __dev_set_rx_mode+0x1ea/0x300 net/core/dev.c:8199
       dev_set_rx_mode net/core/dev.c:8205 [inline]
       __dev_open+0x296/0x3d0 net/core/dev.c:1523
       __dev_change_flags+0x505/0x660 net/core/dev.c:8278
       rtnl_configure_link+0xee/0x230 net/core/rtnetlink.c:3021
       __rtnl_newlink+0x10bb/0x1730 net/core/rtnetlink.c:3357
       rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3397
       rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5460
       netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2469
       netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
       netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329
       netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:672
       ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352
       ___sys_sendmsg+0xf3/0x170 net/socket.c:2406
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
       do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
       entry_SYSCALL_64_after_hwframe+0x44/0xa9

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&vlan_netdev_addr_lock_key/1);
                               lock(&dev_addr_list_lock_key#2/2);
                               lock(&vlan_netdev_addr_lock_key/1);
  lock(&dev_addr_list_lock_key#2/2);

 *** DEADLOCK ***

2 locks held by syz-executor.4/407:
 #0: ffffffff8a7b0228 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0: ffffffff8a7b0228 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x3f9/0xad0 net/core/rtnetlink.c:5457
 #1: ffff88809cebc280 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:358 [inline]
 #1: ffff88809cebc280 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}, at: netif_addr_lock_bh include/linux/netdevice.h:4248 [inline]
 #1: ffff88809cebc280 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}, at: dev_set_rx_mode net/core/dev.c:8204 [inline]
 #1: ffff88809cebc280 (&vlan_netdev_addr_lock_key/1){+...}-{2:2}, at: __dev_open+0x28e/0x3d0 net/core/dev.c:1523

stack backtrace:
CPU: 1 PID: 407 Comm: syz-executor.4 Not tainted 5.8.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 check_noncircular+0x324/0x3e0 kernel/locking/lockdep.c:1827
 check_prev_add kernel/locking/lockdep.c:2496 [inline]
 check_prevs_add kernel/locking/lockdep.c:2601 [inline]
 validate_chain kernel/locking/lockdep.c:3218 [inline]
 __lock_acquire+0x2acb/0x56e0 kernel/locking/lockdep.c:4380
 lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:4959
 _raw_spin_lock_nested+0x30/0x40 kernel/locking/spinlock.c:361
 netif_addr_lock_nested include/linux/netdevice.h:4243 [inline]
 dev_mc_sync+0xdc/0x190 net/core/dev_addr_lists.c:861
 vlan_dev_set_rx_mode+0x38/0x80 net/8021q/vlan_dev.c:487
 __dev_set_rx_mode+0x1ea/0x300 net/core/dev.c:8199
 dev_set_rx_mode net/core/dev.c:8205 [inline]
 __dev_open+0x296/0x3d0 net/core/dev.c:1523
 __dev_change_flags+0x505/0x660 net/core/dev.c:8278
 rtnl_configure_link+0xee/0x230 net/core/rtnetlink.c:3021
 __rtnl_newlink+0x10bb/0x1730 net/core/rtnetlink.c:3357
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3397
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5460
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2469
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2406
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45cb19
Code: Bad RIP value.
RSP: 002b:00007fe66d6eac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000502600 RCX: 000000000045cb19
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000012
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000a40 R14: 00000000004cd276 R15: 00007fe66d6eb6d4
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Powered by blists - more mailing lists