Date:   Wed, 9 Feb 2022 17:13:57 +0800
From:   Wen Gu <guwen@...ux.alibaba.com>
To:     syzbot <syzbot+4de3c0e8a263e1e499bc@...kaller.appspotmail.com>,
        andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
        daniel@...earbox.net, davem@...emloft.net,
        john.fastabend@...il.com, kafai@...com, kgraul@...ux.ibm.com,
        kpsingh@...nel.org, kuba@...nel.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, songliubraving@...com,
        syzkaller-bugs@...glegroups.com, yhs@...com
Subject: Re: [syzbot] BUG: MAX_LOCK_DEPTH too low! (3)
On 2022/2/9 4:21 am, syzbot wrote:

> The issue was bisected to:
> 
> commit 341adeec9adad0874f29a0a1af35638207352a39
> Author: Wen Gu <guwen@...ux.alibaba.com>
> Date:   Wed Jan 26 15:33:04 2022 +0000
> 
>      net/smc: Forward wakeup to smc socket waitqueue after fallback
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11c2637c700000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=13c2637c700000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15c2637c700000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4de3c0e8a263e1e499bc@...kaller.appspotmail.com
> Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")

Thanks for all the details provided by syzbot.

I reproduced this issue in my environment. It is caused by repeated calls to
smc_switch_to_fallback().

In 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback"),
smc_switch_to_fallback() saves the original callback function of clcsock in
smc->clcsk_error_report and sets clcsk->sk_error_report to smc_fback_error_report().

If smc_switch_to_fallback() is called repeatedly, smc->clcsk_error_report will be
reset to clcsk->sk_error_report, which is now smc_fback_error_report().

And the call trace will be:

clcsk->sk_error_report
   |- smc_fback_error_report() <----------------|
        |- smc_fback_forward_wakeup()           |
             |- clcsock_callback()              |
                  |- smc->clcsk_error_report() -|

This results in the reported issue.

I will send a patch to fix it.
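As an added illustration of the recursion described in the message above (this is not kernel code, nor the reporter's or the follow-up patch's code), the following C model reproduces the callback-saving pattern: a wrapper saves whatever callback is currently installed and installs itself; if the switch runs twice without a guard, the saved "original" is the wrapper itself, so the next error report calls back into itself. The struct layouts, the user_data back-pointer, the fallback flag used as a guard and the depth cap are assumptions of this model, and the kernel's lock acquisition (what actually trips MAX_LOCK_DEPTH) is not modelled; only the call loop is.

```c
/*
 * Added example, not kernel code: a model of the callback-saving pattern
 * from the net/smc fallback discussion. Field and function names mirror
 * the message (clcsk_error_report, sk_error_report, smc_fback_error_report);
 * the structs, the user_data back-pointer, the fallback-flag guard and the
 * depth cap are assumptions of this model.
 */
#include <stdio.h>
#include <stddef.h>

struct sock;
typedef void (*report_fn)(struct sock *sk);

/* Stand-in for the TCP "clcsock" whose callback gets replaced. */
struct sock {
    report_fn sk_error_report;
    void *user_data;                /* back-pointer to the owning smc_sock (assumption) */
};

/* Stand-in for the SMC socket that saves the original callback. */
struct smc_sock {
    struct sock clcsock;
    report_fn clcsk_error_report;   /* saved "original" callback */
    int fallback;                   /* guard used by the fixed variant (assumption) */
};

/* Recursion bookkeeping so the unbounded case terminates in this demo. */
#define MAX_DEPTH 64
static int depth;
static int deepest;
static int original_calls;

/* The real TCP callback: here it only counts how often it ran. */
static void tcp_error_report(struct sock *sk)
{
    (void)sk;
    original_calls++;
}

/* Wrapper installed by the fallback: forwards to the saved callback. */
static void smc_fback_error_report(struct sock *clcsk)
{
    struct smc_sock *smc = clcsk->user_data;

    depth++;
    if (depth > deepest)
        deepest = depth;
    /* In the kernel nothing stops this; the demo bails out at MAX_DEPTH. */
    if (depth < MAX_DEPTH)
        smc->clcsk_error_report(clcsk);   /* loops forever if this is ourselves */
    depth--;
}

/* Buggy pattern: unconditionally save whatever is currently installed. */
static void switch_to_fallback_unguarded(struct smc_sock *smc)
{
    smc->clcsk_error_report = smc->clcsock.sk_error_report;
    smc->clcsock.sk_error_report = smc_fback_error_report;
}

/* Guarded variant (an assumption, not the posted fix): save only once. */
static void switch_to_fallback_guarded(struct smc_sock *smc)
{
    if (smc->fallback)
        return;
    smc->fallback = 1;
    smc->clcsk_error_report = smc->clcsock.sk_error_report;
    smc->clcsock.sk_error_report = smc_fback_error_report;
}

/* Switch to fallback `times` times with switch_fn, fire one error report,
 * and return the deepest nesting reached (1 means no recursion at all). */
static int run(void (*switch_fn)(struct smc_sock *), int times)
{
    struct smc_sock smc = { .clcsock = { tcp_error_report, NULL },
                            .clcsk_error_report = NULL, .fallback = 0 };
    smc.clcsock.user_data = &smc;
    depth = deepest = original_calls = 0;

    for (int i = 0; i < times; i++)
        switch_fn(&smc);
    smc.clcsock.sk_error_report(&smc.clcsock);
    return deepest;
}

int main(void)
{
    int d;

    d = run(switch_to_fallback_guarded, 2);
    printf("guarded, switched twice:   depth %d, original callback ran %d time(s)\n",
           d, original_calls);
    d = run(switch_to_fallback_unguarded, 2);
    printf("unguarded, switched twice: depth %d (capped at %d), original callback ran %d time(s)\n",
           d, MAX_DEPTH, original_calls);
    return 0;
}
```

With the guard, the second switch is a no-op and the error report reaches the TCP callback once. Without it, the second switch overwrites clcsk_error_report with smc_fback_error_report and the report never leaves the wrapper; the demo stops at MAX_DEPTH, whereas the kernel keeps taking locks on each level until lockdep reports MAX_LOCK_DEPTH too low.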
