Date: Wed, 9 Feb 2022 17:13:57 +0800
From: Wen Gu <guwen@...ux.alibaba.com>
To: syzbot <syzbot+4de3c0e8a263e1e499bc@...kaller.appspotmail.com>, andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net, davem@...emloft.net, john.fastabend@...il.com, kafai@...com, kgraul@...ux.ibm.com, kpsingh@...nel.org, kuba@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, songliubraving@...com, syzkaller-bugs@...glegroups.com, yhs@...com
Subject: Re: [syzbot] BUG: MAX_LOCK_DEPTH too low! (3)

On 2022/2/9 4:21 am, syzbot wrote:
> The issue was bisected to:
>
> commit 341adeec9adad0874f29a0a1af35638207352a39
> Author: Wen Gu <guwen@...ux.alibaba.com>
> Date:   Wed Jan 26 15:33:04 2022 +0000
>
>     net/smc: Forward wakeup to smc socket waitqueue after fallback
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11c2637c700000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=13c2637c700000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15c2637c700000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4de3c0e8a263e1e499bc@...kaller.appspotmail.com
> Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")

Thanks for all the details provided by syzbot.

I reproduced this issue in my environment. It is caused by repeated calls to smc_switch_to_fallback().

In 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback"), smc_switch_to_fallback() saves the original callback function of clcsock in smc->clcsk_error_report and sets clcsk->sk_error_report as smc_fback_error_report().

If smc_switch_to_fallback() is called repeatedly, the smc->clcsk_error_report will be reset as clcsk->sk_error_report, which now is smc_fback_error_report().

And the call trace will be:

    clcsk->sk_error_report
     |- smc_fback_error_report() <----------------|
         |- smc_fback_forward_wakeup()            |
             |- clcsock_callback()                |
                 |- smc->clcsk_error_report() ----|

Thus resulting in this issue.

I will send a patch to fix it.
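The self-forwarding callback loop described in the reply, as an added user-space model that is not the kernel's SMC code: the structs, the `use_fallback` guard and the counters are constructed stand-ins (the real fix may take a different form), but the save-and-replace pattern and the way a second call makes the saved pointer equal the fallback hook are the ones the message explains.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for struct sock / struct smc_sock (illustration only). */
struct sock {
	void (*sk_error_report)(struct sock *sk);
	void *sk_user_data;  /* points back at the owning smc_sock */
	int reports;         /* how often the real TCP hook ran */
};
struct smc_sock {
	struct sock *clcsock;
	void (*clcsk_error_report)(struct sock *sk);  /* saved original hook */
	bool use_fallback;
};

static void tcp_error_report(struct sock *sk) { sk->reports++; }

/* Fallback hook: forward the wakeup to the saved original callback. */
static void smc_fback_error_report(struct sock *clcsk)
{
	struct smc_sock *smc = clcsk->sk_user_data;
	smc->clcsk_error_report(clcsk);
}

/* Pattern from the report: save the installed hook, install the fallback.
 * A second unguarded call saves smc_fback_error_report itself, so the hook
 * then forwards to itself. The flag check is an assumed guard, not the
 * upstream fix. */
static void switch_to_fallback(struct smc_sock *smc, bool guarded)
{
	if (guarded && smc->use_fallback)
		return;
	smc->clcsk_error_report = smc->clcsock->sk_error_report;
	smc->clcsock->sk_error_report = smc_fback_error_report;
	smc->use_fallback = true;
}

/* Switch to fallback `calls` times, then raise one error on clcsock.
 * Returns how often the TCP hook ran, or -1 if the saved callback is the
 * fallback hook itself (firing it would recurse without bound). */
int reports_after(bool guarded, int calls)
{
	struct sock clc = { .sk_error_report = tcp_error_report };
	struct smc_sock smc = { .clcsock = &clc };
	clc.sk_user_data = &smc;
	for (int i = 0; i < calls; i++)
		switch_to_fallback(&smc, guarded);
	if (smc.clcsk_error_report == smc_fback_error_report)
		return -1;
	clc.sk_error_report(&clc);
	return clc.reports;
}
```

`reports_after(false, 2)` detects the loop (-1) instead of running it, while the guarded variant keeps forwarding each error exactly once however often the switch is repeated.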