Re: [syzbot] possible deadlock in nci_set_local_general_bytes

From: Dmitry Vyukov
Date: Tue Nov 22 2022 - 08:07:58 EST


On Tue, 15 Nov 2022 at 10:35, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
>
> On Tue, 15 Nov 2022 at 10:18, Hillf Danton <hdanton@xxxxxxxx> wrote:
> >
> > On 14 Nov 2022 09:43:48 -0800
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 1621b6eaebf7 Merge branch 'for-next/fixes' into for-kernelci
> > > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=119413e1880000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=606e57fd25c5c6cc
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=8768e9ec924b08e63f82
> > > userspace arch: arm64
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1097e935880000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177b5b15880000
> >
> > In the open path, register the nci device without nci_mutex held in a bid to break
> > the lock chain.
>
> This should be fixed by the following commit when/if it's merged. The
> commit removes nci_mutex.
>
> nfc: Allow to create multiple virtual nci devices
> https://lore.kernel.org/all/20221104170422.979558-1-dvyukov@xxxxxxxxxx/

#syz fix: NFC: nci: Allow to create multiple virtual nci devices

> > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 1621b6eaebf7
> >
> > --- x/drivers/nfc/virtual_ncidev.c
> > +++ y/drivers/nfc/virtual_ncidev.c
> > @@ -15,6 +15,7 @@
> >
> > enum virtual_ncidev_mode {
> > virtual_ncidev_enabled,
> > + virtual_ncidev_enabling,
> > virtual_ncidev_disabled,
> > virtual_ncidev_disabling,
> > };
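Review bot: the new `virtual_ncidev_enabling` enumerator carries an invariant that nothing in the patch states: while it is set, `nci_mutex` has been dropped and `ndev` has not been assigned yet (the later hunk only does `ndev = new;` after `nci_register_device()` succeeds). Any reader of `state` that compares against `virtual_ncidev_enabled` is unaffected, but one that only tests for `!= virtual_ncidev_disabled` would now treat a device with no registered `ndev` as usable. Please add a one-line comment on the enumerator saying `ndev` is not valid in this state, and confirm that the write and close paths handle it explicitly.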
> > @@ -128,6 +129,7 @@ static ssize_t virtual_ncidev_write(stru
> >
> > static int virtual_ncidev_open(struct inode *inode, struct file *file)
> > {
> > + struct nci_dev *new;
> > int ret = 0;
> >
> > mutex_lock(&nci_mutex);
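Review bot: the `int ret = 0;` initializer becomes dead with this change, because the next hunk assigns `ret = -ENOMEM;` unconditionally on the only path that gets past the busy check; drop the `= 0` so the two cannot drift apart. Also, `new` compiles fine in C but reads poorly next to the existing global `ndev`; a name such as `new_ndev` makes the hand-over at `ndev = new;` self-describing.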
> > @@ -135,24 +137,27 @@ static int virtual_ncidev_open(struct in
> > mutex_unlock(&nci_mutex);
> > return -EBUSY;
> > }
> > + state = virtual_ncidev_enabling;
> > + mutex_unlock(&nci_mutex);
> >
> > - ndev = nci_allocate_device(&virtual_nci_ops, VIRTUAL_NFC_PROTOCOLS,
> > - 0, 0);
> > - if (!ndev) {
> > - mutex_unlock(&nci_mutex);
> > - return -ENOMEM;
> > + ret = -ENOMEM;
> > + new = nci_allocate_device(&virtual_nci_ops, VIRTUAL_NFC_PROTOCOLS, 0, 0);
> > + if (new) {
> > + ret = nci_register_device(new);
> > + if (ret)
> > + nci_free_device(new);
> > }
> >
> > - ret = nci_register_device(ndev);
> > - if (ret < 0) {
> > - nci_free_device(ndev);
> > - mutex_unlock(&nci_mutex);
> > - return ret;
> > + mutex_lock(&nci_mutex);
> > + if (ret)
> > + state = virtual_ncidev_disabled;
> > + else {
> > + ndev = new;
> > + state = virtual_ncidev_enabled;
> > }
> > - state = virtual_ncidev_enabled;
> > mutex_unlock(&nci_mutex);
> >
> > - return 0;
> > + return ret;
> > }
> >
> > static int virtual_ncidev_close(struct inode *inode, struct file *file)
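Review bot: the `if (ret)` arm is unbraced while its `else` arm is braced (`if (ret)` / `state = virtual_ncidev_disabled;` / `else {`); kernel style wants braces on both arms when either needs them and checkpatch will flag this. Otherwise the reworked body does what the cover text promises as far as the hunk shows: `nci_register_device()` now runs with `nci_mutex` dropped, both failure paths re-take the lock and return `state` to `virtual_ncidev_disabled`, and `ndev` is only published once registration succeeded. Two things would help the next reader: say in the commit message that `virtual_ncidev_enabling` exists solely so a concurrent open still hits the EBUSY check across the unlocked window, and consider keeping the driver's early-return shape with a `goto` label instead of the `ret = -ENOMEM; if (new) { ... }` nesting, which hides the normal path inside a conditional.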
> > @@ -167,9 +172,9 @@ static int virtual_ncidev_close(struct i
> > nci_free_device(ndev);
> >
> > mutex_lock(&nci_mutex);
> > + state = virtual_ncidev_disabled;
> > }
> >
> > - state = virtual_ncidev_disabled;
> > mutex_unlock(&nci_mutex);
> >
> > return 0;
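Review bot: moving `state = virtual_ncidev_disabled;` inside the conditional changes close's behaviour when it finds the device not in the enabled state: previously close forced `disabled` unconditionally, now it leaves whatever value is there. That is presumably what stops a close from clobbering the new `enabling` state, but the patch does not say so, and it also means a close that observes `disabling` no longer resets it itself. Please either justify in the commit message why every remaining `state` value at this point is safe to leave untouched, or add a short comment above the `if` explaining it.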
> > --
> >
> > --
> > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20221115091825.2381-1-hdanton%40sina.com.