lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <tencent_E44436084AA874977705670A3CDD37BE9609@qq.com>
Date: Sun, 14 Jan 2024 16:20:17 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+2b131f51bb4af224ab40@...kaller.appspotmail.com
Cc: davem@...emloft.net,
	edumazet@...gle.com,
	gregkh@...uxfoundation.org,
	hdanton@...a.com,
	krzysztof.kozlowski@...aro.org,
	kuba@...nel.org,
	linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org,
	pabeni@...hat.com,
	penguin-kernel@...ove.sakura.ne.jp,
	stern@...land.harvard.edu,
	syzkaller-bugs@...glegroups.com,
	torvalds@...ux-foundation.org
Subject: [PATCH] nfc/nci: fix task hung in nfc_targets_found

nci_start_poll() holds the dev->mutex required by the kworker of nci_close_device(),
and the related tasks are as follows:
|cpu0                          |cpu1                                           |cpu2                      |
|nci_close_device()            |                                               |                          |
|mutex_lock(&ndev->req_lock);  |                                               |                          |
|...                           |nfc_genl_start_poll()                          |                          |
|flush_workqueue(ndev->rx_wq)  |mutex_lock(&dev->genl_data.genl_data_mutex);   |                          |
|                              |nfc_start_poll()                               |                          |
|              	               |device_lock(&dev->dev);                        |process_one_work()        |
|                              |nci_start_poll()                               |nfc_targets_found()       |
|                              |nci_request()                                  |device_lock(&dev->dev);   |
|                              |mutex_lock(&ndev->req_lock);                   |                          |

Therefore, before applying for req_lock in nci_request(), it should be determined
whether the execution of nci_close_device() has already begun.

Reported-and-tested-by: syzbot+2b131f51bb4af224ab40@...kaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
 net/nfc/nci/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 6c9592d05120..9a277228a875 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -145,6 +145,8 @@ inline int nci_request(struct nci_dev *ndev,
 {
 	int rc;
 
+	if (test_bit(NCI_UNREG, &ndev->flags))
+		return -ENODEV;
 	/* Serialize all requests */
 	mutex_lock(&ndev->req_lock);
 	/* check the state after obtaing the lock against any races
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ