lists.openwall.net - Open Source and information security mailing list archives

Message-ID: <CAO4mrfd9SRMmB1VWcYh9L61ktiqamJ-QjwOCP+SeFx=08C2MBg@mail.gmail.com>
Date:   Sun, 30 Oct 2022 18:00:13 +0800
From:   Wei Chen <harperchen1110@...il.com>
To:     marcel@...tmann.org, johan.hedberg@...il.com, luiz.dentz@...il.com,
        davem@...emloft.net, kuba@...nel.org,
        linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org
Subject: possible deadlock in l2cap_sock_teardown_cb

Dear Linux Developer,

Recently, when using our tool to fuzz the kernel, the following crash was triggered:

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1Fb6AXVkfZDq0exhIBVf9oUp-dNgzjrHX/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@...il.com>

========================================================
WARNING: possible irq lock inversion dependency detected
5.15.0-rc5 #1 Not tainted
--------------------------------------------------------
kworker/1:7/6964 just changed the state of lock:
ffff8880105f8920 (device_state_lock){+.+.}-{2:2}, at: l2cap_sock_teardown_cb+0x37/0x2e0
but this lock was taken by another, SOFTIRQ-safe lock in the past:
 (hcd_root_hub_lock){..-.}-{2:2}


and interrupts could create inverse lock ordering between them.


other info that might help us debug this:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(device_state_lock);
                               local_irq_disable();
                               lock(hcd_root_hub_lock);
                               lock(device_state_lock);
  <Interrupt>
    lock(hcd_root_hub_lock);

 *** DEADLOCK ***

4 locks held by kworker/1:7/6964:
 #0: ffff888009856738 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x327/0x9f0
 #1: ffffc90003b07e68 ((work_completion)(&(&chan->chan_timer)->work)){+.+.}-{0:0}, at: process_one_work+0x327/0x9f0
 #2: ffff8880117c3ad8 (&conn->chan_lock){+.+.}-{3:3}, at: l2cap_chan_timeout+0x45/0x160
 #3: ffff8880105ff520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_timeout+0x53/0x160

the shortest dependencies between 2nd lock and 1st lock:
 -> (hcd_root_hub_lock){..-.}-{2:2} {
    IN-SOFTIRQ-W at:
                      lock_acquire+0xd7/0x330
                      _raw_spin_lock_irqsave+0x33/0x50
                      usb_hcd_submit_urb+0x73b/0xf90
                      usb_submit_urb+0x4dc/0xb80
                      hub_resubmit_irq_urb+0x4c/0xc0
                      hub_irq+0x1ef/0x220
                      __usb_hcd_giveback_urb+0x114/0x240
                      usb_giveback_urb_bh+0xd2/0x140
                      tasklet_action_common.isra.15+0xb3/0xf0
                      __do_softirq+0xe2/0x56b
                      run_ksoftirqd+0x2d/0x60
                      smpboot_thread_fn+0x2a5/0x3d0
                      kthread+0x1a6/0x1e0
                      ret_from_fork+0x1f/0x30
    INITIAL USE at:
                     lock_acquire+0xd7/0x330
                     _raw_spin_lock_irq+0x32/0x50
                     usb_hcd_submit_urb+0x1a3/0xf90
                     usb_submit_urb+0x4dc/0xb80
                     usb_start_wait_urb+0x65/0x1e0
                     usb_control_msg+0xec/0x190
                     usb_get_descriptor+0x98/0x140
                     usb_get_device_descriptor+0x66/0x120
                     register_root_hub+0x67/0x297
                     usb_add_hcd.cold.37+0x588/0x805
                     dummy_hcd_probe+0xea/0x1d1
                     platform_probe+0x80/0x100
                     really_probe+0x12a/0x4d0
                     __driver_probe_device+0x195/0x220
                     driver_probe_device+0x2a/0x120
                     __device_attach_driver+0x102/0x1a0
                     bus_for_each_drv+0xb8/0x100
                     __device_attach+0x149/0x220
                     bus_probe_device+0xdb/0xf0
                     device_add+0x64f/0xd40
                     platform_device_add+0x1f0/0x390
                     init+0x454/0x856
                     do_one_initcall+0xa9/0x550
                     kernel_init_freeable+0x3ae/0x42b
                     kernel_init+0x17/0x1b0
                     ret_from_fork+0x1f/0x30
  }
  ... key      at: [<ffffffff866fc278>] hcd_root_hub_lock+0x18/0x40
  ... acquired at:
   _raw_spin_lock_irqsave+0x33/0x50
   usb_set_device_state+0x1d/0x220
   hcd_bus_resume+0x221/0x390
   usb_generic_driver_resume+0x66/0x70
   usb_resume_both+0x13a/0x280
   __rpm_callback+0x64/0x1f0
   rpm_callback+0xa8/0xc0
   rpm_resume+0x910/0xbf0
   __pm_runtime_resume+0x8e/0xf0
   usb_autoresume_device+0x1e/0x60
   usb_remote_wakeup+0x67/0xb0
   process_one_work+0x3fa/0x9f0
   worker_thread+0x42/0x5c0
   kthread+0x1a6/0x1e0
   ret_from_fork+0x1f/0x30

-> (device_state_lock){+.+.}-{2:2} {
   HARDIRQ-ON-W at:
                    lock_acquire+0xd7/0x330
                    lock_sock_nested+0x2d/0xa0
                    l2cap_sock_teardown_cb+0x37/0x2e0
                    l2cap_chan_del+0x5b/0x4a0
                    l2cap_chan_close+0x1df/0x3f0
                    l2cap_chan_timeout+0xcf/0x160
                    process_one_work+0x3fa/0x9f0
                    worker_thread+0x42/0x5c0
                    kthread+0x1a6/0x1e0
                    ret_from_fork+0x1f/0x30
   SOFTIRQ-ON-W at:
                    lock_acquire+0xd7/0x330
                    lock_sock_nested+0x2d/0xa0
                    l2cap_sock_teardown_cb+0x37/0x2e0
                    l2cap_chan_del+0x5b/0x4a0
                    l2cap_chan_close+0x1df/0x3f0
                    l2cap_chan_timeout+0xcf/0x160
                    process_one_work+0x3fa/0x9f0
                    worker_thread+0x42/0x5c0
                    kthread+0x1a6/0x1e0
                    ret_from_fork+0x1f/0x30
   INITIAL USE at:
                   lock_acquire+0xd7/0x330
                   _raw_spin_lock_irqsave+0x33/0x50
                   usb_set_device_state+0x1d/0x220
                   register_root_hub+0x46/0x297
                   usb_add_hcd.cold.37+0x588/0x805
                   dummy_hcd_probe+0xea/0x1d1
                   platform_probe+0x80/0x100
                   really_probe+0x12a/0x4d0
                   __driver_probe_device+0x195/0x220
                   driver_probe_device+0x2a/0x120
                   __device_attach_driver+0x102/0x1a0
                   bus_for_each_drv+0xb8/0x100
                   __device_attach+0x149/0x220
                   bus_probe_device+0xdb/0xf0
                   device_add+0x64f/0xd40
                   platform_device_add+0x1f0/0x390
                   init+0x454/0x856
                   do_one_initcall+0xa9/0x550
                   kernel_init_freeable+0x3ae/0x42b
                   kernel_init+0x17/0x1b0
                   ret_from_fork+0x1f/0x30
 }
 ... key      at: [<ffffffff866fbf18>] device_state_lock+0x18/0x200
 ... acquired at:
   __lock_acquire+0x3a5/0x1d60
   lock_acquire+0xd7/0x330
   lock_sock_nested+0x2d/0xa0
   l2cap_sock_teardown_cb+0x37/0x2e0
   l2cap_chan_del+0x5b/0x4a0
   l2cap_chan_close+0x1df/0x3f0
   l2cap_chan_timeout+0xcf/0x160
   process_one_work+0x3fa/0x9f0
   worker_thread+0x42/0x5c0
   kthread+0x1a6/0x1e0
   ret_from_fork+0x1f/0x30


stack backtrace:
CPU: 1 PID: 6964 Comm: kworker/1:7 Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
Workqueue: events l2cap_chan_timeout
Call Trace:
 dump_stack_lvl+0xcd/0x134
 mark_lock.part.54+0x32c/0x830
 __lock_acquire+0x3a5/0x1d60
 lock_acquire+0xd7/0x330
 lock_sock_nested+0x2d/0xa0
 l2cap_sock_teardown_cb+0x37/0x2e0
 l2cap_chan_del+0x5b/0x4a0
 l2cap_chan_close+0x1df/0x3f0
 l2cap_chan_timeout+0xcf/0x160
 process_one_work+0x3fa/0x9f0
 worker_thread+0x42/0x5c0
 kthread+0x1a6/0x1e0
 ret_from_fork+0x1f/0x30
================================================================================
UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.c:130:9
index 1046 is out of range for type 'long unsigned int [8]'
CPU: 1 PID: 6964 Comm: kworker/1:7 Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
Workqueue: events l2cap_chan_timeout
Call Trace:
 dump_stack_lvl+0xcd/0x134
 ubsan_epilogue+0xb/0x5a
 __ubsan_handle_out_of_bounds+0x93/0xa1
 __pv_queued_spin_lock_slowpath+0x30e/0x320
 do_raw_spin_lock+0xb6/0xc0
 lock_sock_nested+0x54/0xa0
 l2cap_sock_teardown_cb+0x37/0x2e0
 l2cap_chan_del+0x5b/0x4a0
 l2cap_chan_close+0x1df/0x3f0
 l2cap_chan_timeout+0xcf/0x160
 process_one_work+0x3fa/0x9f0
 worker_thread+0x42/0x5c0
 kthread+0x1a6/0x1e0
 ret_from_fork+0x1f/0x30
================================================================================

Best,
Wei
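The following is an added example for readers triaging the lockdep splat above; it is not part of Wei Chen's report and not kernel code. It is a miniature model of the rule behind the "possible irq lock inversion dependency detected" warning: every lock class carries usage bits (acquired from softirq context, i.e. softirq-safe; acquired with softirqs enabled, i.e. softirq-unsafe) and "held while acquiring" edges, and the warning fires when a softirq-safe class can reach a softirq-unsafe one, because a softirq arriving while the unsafe lock is held would spin on the safe one. The two lock names are the ones the report prints; the three-step event order and the interrupt state at each step are an assumption read off the report's CPU0/CPU1 scenario and its "acquired at" backtraces. The model deliberately says nothing about why a lock class named device_state_lock shows up at a lock_sock_nested call site, which the report itself does not explain.

```c
/* Added example, not from the report or the kernel: a miniature model of the
 * check behind lockdep's "possible irq lock inversion" warning, replaying the
 * three acquisitions the report describes. Lock names are the report's; the
 * event order and contexts are an assumption read off its CPU0/CPU1 scenario. */
#include <string.h>

#define MAX_LOCKS 8
#define IN_SOFTIRQ_W 0x1u  /* acquired from softirq context: "softirq-safe" */
#define SOFTIRQ_ON_W 0x2u  /* acquired with softirqs enabled: "softirq-unsafe" */

struct lock_class {
    const char *name;
    unsigned usage;          /* bitmask of the two states above */
    int nested[MAX_LOCKS];   /* classes acquired while this one was held */
    int nnested;
};

static struct lock_class classes[MAX_LOCKS];
static int nclasses;

static int lock_id(const char *name)
{
    for (int i = 0; i < nclasses; i++)
        if (strcmp(classes[i].name, name) == 0)
            return i;
    memset(&classes[nclasses], 0, sizeof classes[0]);  /* assumes < MAX_LOCKS classes */
    classes[nclasses].name = name;
    return nclasses++;
}

static void add_dependency(int outer, int inner)
{
    struct lock_class *c = &classes[outer];
    for (int i = 0; i < c->nnested; i++)
        if (c->nested[i] == inner)
            return;
    c->nested[c->nnested++] = inner;
}

/* Follow "held while acquiring" edges from id; first softirq-unsafe class reachable, or -1. */
static int reaches_unsafe(int id, unsigned visited)
{
    if (visited & (1u << id))
        return -1;
    visited |= 1u << id;
    for (int i = 0; i < classes[id].nnested; i++) {
        int n = classes[id].nested[i];
        if (classes[n].usage & SOFTIRQ_ON_W)
            return n;
        int deeper = reaches_unsafe(n, visited);
        if (deeper >= 0)
            return deeper;
    }
    return -1;
}

/* Record one acquisition, then rerun the rule: no softirq-safe class may reach
 * a softirq-unsafe one. held is a class this context already holds, or -1.
 * Returns 1 when lockdep would print the inversion warning, 0 otherwise. */
static int acquire(const char *name, int in_softirq, int softirqs_enabled, int held)
{
    int id = lock_id(name);
    if (in_softirq)
        classes[id].usage |= IN_SOFTIRQ_W;
    else if (softirqs_enabled)
        classes[id].usage |= SOFTIRQ_ON_W;
    if (held >= 0)
        add_dependency(held, id);
    for (int i = 0; i < nclasses; i++) {
        if (!(classes[i].usage & IN_SOFTIRQ_W))
            continue;
        if (reaches_unsafe(i, 0) >= 0)
            return 1;
    }
    return 0;
}

/* Replay the report; returns the 1-based step at which the warning fires, or 0.
 * irqs_off_at_step3 runs step 3 with softirqs disabled for contrast (not a fix). */
int replay_report(int irqs_off_at_step3)
{
    nclasses = 0;
    /* 1. tasklet: hub_irq -> usb_hcd_submit_urb, softirq context */
    if (acquire("hcd_root_hub_lock", 1, 0, -1))
        return 1;
    /* 2. hcd_bus_resume -> usb_set_device_state, irqs disabled, hub lock held */
    if (acquire("device_state_lock", 0, 0, lock_id("hcd_root_hub_lock")))
        return 2;
    /* 3. workqueue: l2cap_chan_timeout -> lock_sock_nested, softirqs enabled */
    if (acquire("device_state_lock", 0, !irqs_off_at_step3, -1))
        return 3;
    return 0;
}
```

replay_report(0) returns 3: the first two steps only record that hcd_root_hub_lock is softirq-safe and that device_state_lock is nested under it, and the warning appears at exactly the point the report marks, the SOFTIRQ-ON-W state change at l2cap_sock_teardown_cb. replay_report(1) returns 0, which is the contrast lockdep is describing with "interrupts could create inverse lock ordering": the same edges are harmless as long as the inner lock is never taken with softirqs enabled.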
