2022-08-31 06:43:57

by Jiacheng Xu

Subject: HARDIRQ-safe - HARDIRQ-unsafe lock order detected

Hello,

When using a modified Syzkaller to fuzz the Linux kernel 5.19, the
following crash was triggered. Though the issue seems to have been fixed on
syzbot, it could still be triggered with the following repro.
We would appreciate a CVE ID if this is a security issue.

HEAD commit: 3d7cb6b04c3f Linux-5.19
git tree: upstream

kernel config: https://drive.google.com/file/d/1wgIUDwP5ho29AM-K7HhysSTfWFpfXYkG/view?usp=sharing
syz repro: https://drive.google.com/file/d/1w96wKldLL-p22lpv4k0IfenVwQWcSIIj/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1qSEQ7cYmEh8t5e72E5D6gPtu4aA5tvmq/view?usp=sharing

Environment:
Ubuntu 20.04 on Linux 5.4.0
QEMU 4.2.1:
qemu-system-x86_64 \
-m 2G \
-smp 2 \
-kernel /home/workdir/bzImage \
-append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
-drive file=/home/workdir/stretch.img,format=raw \
-net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
-net nic,model=e1000 \
-enable-kvm \
-nographic \
-pidfile vm.pid \
2>&1 | tee vm.log

If you fix this issue, please add the following tag to the commit:
Reported-by: Jiacheng Xu <[email protected]>

=====================================================
WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
5.19.0 #1 Not tainted
-----------------------------------------------------
is trying to acquire:
ffff88801b918630 (&f->f_owner.lock){....}-{2:2}, at: send_sigio+0x24/0x380 (fs/fcntl.c:777).

and this task is already holding:
ffff88804616c018 (&new->fa_lock){....}-{2:2}, at: kill_fasync+0x136/0x470 (fs/fcntl.c:995).
which would create a new lock dependency:
(&new->fa_lock){....}-{2:2} -> (&f->f_owner.lock){....}-{2:2}

but this new dependency connects a HARDIRQ-irq-safe lock:
(&dev->event_lock#2){-...}-{2:2}

... which became HARDIRQ-irq-safe at:
lock_acquire+0x1ab/0x580
_raw_spin_lock_irqsave+0x39/0x50
input_event+0x7b/0xb0
psmouse_report_standard_buttons+0x2c/0x80
psmouse_process_byte+0x1e1/0x890
psmouse_handle_byte+0x41/0x1b0
psmouse_interrupt+0x304/0xf00
serio_interrupt+0x88/0x150
i8042_interrupt+0x270/0x520
__handle_irq_event_percpu+0x236/0x880
handle_irq_event_percpu+0x14/0xd0
handle_irq_event+0xa1/0x130
handle_edge_irq+0x24a/0x8a0
__common_interrupt+0x9d/0x210
common_interrupt+0xa4/0xc0
asm_common_interrupt+0x22/0x40
nohz_run_idle_balance+0x2/0x1c0
do_idle+0x7a/0x570
cpu_startup_entry+0x14/0x20
start_secondary+0x21d/0x2b0
secondary_startup_64_no_verify+0xce/0xdb

to a HARDIRQ-irq-unsafe lock:
(tasklist_lock){.+.+}-{2:2}

... which became HARDIRQ-irq-unsafe at:
...
lock_acquire+0x1ab/0x580
_raw_read_lock+0x5b/0x70
do_wait+0x28c/0xce0
kernel_wait+0x9c/0x150
call_usermodehelper_exec_work+0xf5/0x180
process_one_work+0x9cc/0x1650
worker_thread+0x623/0x1070
kthread+0x2e9/0x3a0
ret_from_fork+0x1f/0x30

other info that might help us debug this:

Chain exists of:
&dev->event_lock#2 --> &new->fa_lock --> tasklist_lock

Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(tasklist_lock);
                               local_irq_disable();
                               lock(&dev->event_lock#2);
                               lock(&new->fa_lock);
  <Interrupt>
    lock(&dev->event_lock#2);

*** DEADLOCK ***

8 locks held by repro/6439:
#0: ffff888045e74110 (&evdev->mutex){+.+.}-{3:3}, at: evdev_write+0x1d3/0x760
#1: ffff888014fb4230 (&dev->event_lock#2){-...}-{2:2}, at: input_inject_event+0xa6/0x320
#2: ffffffff8bd86e60 (rcu_read_lock){....}-{1:2}, at: input_inject_event+0x92/0x320
#3: ffffffff8bd86e60 (rcu_read_lock){....}-{1:2}, at: input_pass_values.part.0+0x0/0x710
#4: ffffffff8bd86e60 (rcu_read_lock){....}-{1:2}, at: evdev_events+0x59/0x3e0
#5: ffff888046c55028 (&client->buffer_lock){....}-{2:2}, at: evdev_pass_values.part.0+0xf7/0x920
#6: ffffffff8bd86e60 (rcu_read_lock){....}-{1:2}, at: kill_fasync+0x41/0x470
#7: ffff88804616c018 (&new->fa_lock){....}-{2:2}, at: kill_fasync+0x136/0x470

the dependencies between HARDIRQ-irq-safe lock and the holding lock:
-> (&dev->event_lock#2){-...}-{2:2} {
IN-HARDIRQ-W at:
lock_acquire+0x1ab/0x580
_raw_spin_lock_irqsave+0x39/0x50
input_event+0x7b/0xb0
psmouse_report_standard_buttons+0x2c/0x80
psmouse_process_byte+0x1e1/0x890
psmouse_handle_byte+0x41/0x1b0
psmouse_interrupt+0x304/0xf00
serio_interrupt+0x88/0x150
i8042_interrupt+0x270/0x520
__handle_irq_event_percpu+0x236/0x880
handle_irq_event_percpu+0x14/0xd0
handle_irq_event+0xa1/0x130
handle_edge_irq+0x24a/0x8a0
__common_interrupt+0x9d/0x210
common_interrupt+0xa4/0xc0
asm_common_interrupt+0x22/0x40
nohz_run_idle_balance+0x2/0x1c0
do_idle+0x7a/0x570
cpu_startup_entry+0x14/0x20
start_secondary+0x21d/0x2b0
secondary_startup_64_no_verify+0xce/0xdb
INITIAL USE at:
lock_acquire+0x1ab/0x580
_raw_spin_lock_irqsave+0x39/0x50
input_inject_event+0xa6/0x320
led_set_brightness_nopm+0x48/0xf0
led_set_brightness+0x11c/0x240
led_trigger_event+0xb0/0x200
kbd_led_trigger_activate+0xc9/0x100
led_trigger_set+0x5d7/0xaf0
led_trigger_set_default+0x1a6/0x230
led_classdev_register_ext+0x56c/0x760
input_leds_connect+0x4bd/0x860
input_attach_handler+0x182/0x1f0
input_register_device.cold+0xfc/0x312
atkbd_connect+0x6bd/0x930
serio_connect_driver+0x46/0x70
really_probe+0x23e/0xa80
__driver_probe_device+0x338/0x4d0
driver_probe_device+0x4c/0x1a0
__driver_attach+0x1da/0x420
bus_for_each_dev+0x147/0x1d0
serio_handle_event+0x54c/0x850
process_one_work+0x9cc/0x1650
worker_thread+0x623/0x1070
kthread+0x2e9/0x3a0
ret_from_fork+0x1f/0x30
}
__key.38226+0x0/0x40
-> (&client->buffer_lock){....}-{2:2} {
INITIAL USE at:
lock_acquire+0x1ab/0x580
_raw_spin_lock+0x2a/0x40
evdev_pass_values.part.0+0xf7/0x920
evdev_events+0x359/0x3e0
input_to_handler+0x2a0/0x4c0
input_pass_values.part.0+0x230/0x710
input_handle_event+0x37a/0x1460
input_inject_event+0x1bd/0x320
evdev_write+0x430/0x760
vfs_write+0x269/0xab0
ksys_write+0x1e8/0x250
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
__key.39514+0x0/0x40
... acquired at:
lock_acquire+0x1ab/0x580
_raw_spin_lock+0x2a/0x40
evdev_pass_values.part.0+0xf7/0x920
evdev_events+0x359/0x3e0
input_to_handler+0x2a0/0x4c0
input_pass_values.part.0+0x230/0x710
input_handle_event+0x37a/0x1460
input_inject_event+0x1bd/0x320
evdev_write+0x430/0x760
vfs_write+0x269/0xab0
ksys_write+0x1e8/0x250
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> (&new->fa_lock){....}-{2:2} {
INITIAL READ USE at:
lock_acquire+0x1ab/0x580
_raw_read_lock_irqsave+0x70/0x90
kill_fasync+0x136/0x470
evdev_pass_values.part.0+0x59d/0x920
evdev_events+0x359/0x3e0
input_to_handler+0x2a0/0x4c0
input_pass_values.part.0+0x230/0x710
input_handle_event+0x37a/0x1460
input_inject_event+0x1bd/0x320
evdev_write+0x430/0x760
vfs_write+0x269/0xab0
ksys_write+0x1e8/0x250
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
__key.46908+0x0/0x40
... acquired at:
lock_acquire+0x1ab/0x580
_raw_read_lock_irqsave+0x70/0x90
kill_fasync+0x136/0x470
evdev_pass_values.part.0+0x59d/0x920
evdev_events+0x359/0x3e0
input_to_handler+0x2a0/0x4c0
input_pass_values.part.0+0x230/0x710
input_handle_event+0x37a/0x1460
input_inject_event+0x1bd/0x320
evdev_write+0x430/0x760
vfs_write+0x269/0xab0
ksys_write+0x1e8/0x250
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd


the dependencies between the lock to be acquired
and HARDIRQ-irq-unsafe lock:
-> (tasklist_lock){.+.+}-{2:2} {
HARDIRQ-ON-R at:
lock_acquire+0x1ab/0x580
_raw_read_lock+0x5b/0x70
do_wait+0x28c/0xce0
kernel_wait+0x9c/0x150
call_usermodehelper_exec_work+0xf5/0x180
process_one_work+0x9cc/0x1650
worker_thread+0x623/0x1070
kthread+0x2e9/0x3a0
ret_from_fork+0x1f/0x30
SOFTIRQ-ON-R at:
lock_acquire+0x1ab/0x580
_raw_read_lock+0x5b/0x70
do_wait+0x28c/0xce0
kernel_wait+0x9c/0x150
call_usermodehelper_exec_work+0xf5/0x180
process_one_work+0x9cc/0x1650
worker_thread+0x623/0x1070
kthread+0x2e9/0x3a0
ret_from_fork+0x1f/0x30
INITIAL USE at:
lock_acquire+0x1ab/0x580
_raw_write_lock_irq+0x32/0x50
copy_process+0x3362/0x6ec0
kernel_clone+0xe7/0x1040
user_mode_thread+0xad/0xe0
rest_init+0x23/0x2b0
arch_call_rest_init+0xf/0x14
start_kernel+0x46e/0x48f
secondary_startup_64_no_verify+0xce/0xdb
INITIAL READ USE at:
lock_acquire+0x1ab/0x580
_raw_read_lock+0x5b/0x70
do_wait+0x28c/0xce0
kernel_wait+0x9c/0x150
call_usermodehelper_exec_work+0xf5/0x180
process_one_work+0x9cc/0x1650
worker_thread+0x623/0x1070
kthread+0x2e9/0x3a0
ret_from_fork+0x1f/0x30
}
tasklist_lock+0x18/0x40
... acquired at:
lock_acquire+0x1ab/0x580
_raw_read_lock+0x5b/0x70
send_sigio+0xab/0x380
dnotify_handle_event+0x148/0x280
fsnotify_handle_inode_event.isra.0+0x22e/0x360
fsnotify+0xe7a/0x13a0
path_openat+0xf57/0x2890
do_filp_open+0x1c1/0x290
do_sys_openat2+0x61b/0x990
do_sys_open+0xc3/0x140
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> (&f->f_owner.lock){....}-{2:2} {
INITIAL USE at:
lock_acquire+0x1ab/0x580
_raw_write_lock_irq+0x32/0x50
f_modown+0x2a/0x390
f_setown+0xd7/0x230
do_fcntl+0x6e0/0x1040
__x64_sys_fcntl+0x15f/0x1d0
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
INITIAL READ USE at:
lock_acquire+0x1ab/0x580
_raw_read_lock_irqsave+0x70/0x90
send_sigio+0x24/0x380
dnotify_handle_event+0x148/0x280
fsnotify_handle_inode_event.isra.0+0x22e/0x360
fsnotify+0xe7a/0x13a0
path_openat+0xf57/0x2890
do_filp_open+0x1c1/0x290
do_sys_openat2+0x61b/0x990
do_sys_open+0xc3/0x140
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
__key.49376+0x0/0x40
... acquired at:
__lock_acquire+0x2e06/0x5840
lock_acquire+0x1ab/0x580
_raw_read_lock_irqsave+0x70/0x90
send_sigio+0x24/0x380
kill_fasync+0x1f8/0x470
evdev_pass_values.part.0+0x59d/0x920
evdev_events+0x359/0x3e0
input_to_handler+0x2a0/0x4c0
input_pass_values.part.0+0x230/0x710
input_handle_event+0x37a/0x1460
input_inject_event+0x1bd/0x320
evdev_write+0x430/0x760
vfs_write+0x269/0xab0
ksys_write+0x1e8/0x250
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

stack backtrace:
CPU: 1 PID: 6439 Comm: repro Not tainted 5.19.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
check_irq_usage.cold+0x54a/0x7a1
? print_shortest_lock_dependencies_backwards+0x80/0x80
? SOFTIRQ_verbose+0x10/0x10
? __kernel_text_address+0x9/0x30
? create_prof_cpu_mask+0x20/0x20
? check_path.constprop.0+0x24/0x50
? check_noncircular+0x142/0x310
? print_circular_bug.isra.0+0x480/0x480
? check_prev_add+0x177/0x24f0
check_prev_add+0x177/0x24f0
? alloc_list_entry+0x46/0x2e0
? __sanitizer_cov_trace_pc+0x1a/0x40
__lock_acquire+0x2e06/0x5840
? lockdep_hardirqs_on_prepare+0x400/0x400
? rcu_read_lock_sched_held+0x9c/0xd0
lock_acquire+0x1ab/0x580
? send_sigio+0x24/0x380
? lock_release+0x6d0/0x6d0
? lock_release+0x6d0/0x6d0
_raw_read_lock_irqsave+0x70/0x90
? send_sigio+0x24/0x380
send_sigio+0x24/0x380
kill_fasync+0x1f8/0x470
evdev_pass_values.part.0+0x59d/0x920
? evdev_open+0x540/0x540
? rcu_read_lock_held+0x9c/0xb0
? rcu_read_lock_sched_held+0xd0/0xd0
evdev_events+0x359/0x3e0
? evdev_pass_values.part.0+0x920/0x920
input_to_handler+0x2a0/0x4c0
input_pass_values.part.0+0x230/0x710
? write_comp_data+0x1c/0x70
input_handle_event+0x37a/0x1460
input_inject_event+0x1bd/0x320
evdev_write+0x430/0x760
? evdev_read+0xe40/0xe40
? __sanitizer_cov_trace_pc+0x1a/0x40
? security_file_permission+0x490/0x6b0
? evdev_read+0xe40/0xe40
vfs_write+0x269/0xab0
ksys_write+0x1e8/0x250
? __ia32_sys_read+0xb0/0xb0
? syscall_enter_from_user_mode+0x21/0x70
? syscall_enter_from_user_mode+0x21/0x70
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f47878e4469
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 8
RSP: 002b:00007ffff5cee4a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f47878e4469
RDX: 000000000000fc57 RSI: 0000000020000080 RDI: 0000000000000005
RBP: 00007ffff5cee4c0 R08: 00007ffff5cee5a0 R09: 00007ffff5cee5a0
R10: 00007ffff5cee5a0 R11: 0000000000000217 R12: 000055c454c00710
R13: 00007ffff5cee5a0 R14: 0000000000000000 R15: 0000000000000000
</TASK>
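Added example, not part of this report or of the kernel's own code: a small Python triage helper that pulls the lock names, their `{....}` usage annotations and the dependency chain out of an excerpt of the report above, then replays the rule lockdep applied, that a lock ever taken in hardirq context must never transitively precede a lock ever held with hardirqs enabled. It assumes the usage-character order of get_usage_chars() in kernel/locking/lockdep.c and deliberately simplifies check_irq_usage().

```python
import re
from collections import defaultdict
# Excerpt constructed from the report above (addresses and stack traces trimmed).
REPORT = """\
which would create a new lock dependency:
 (&new->fa_lock){....}-{2:2} -> (&f->f_owner.lock){....}-{2:2}
but this new dependency connects a HARDIRQ-irq-safe lock:
 (&dev->event_lock#2){-...}-{2:2}
to a HARDIRQ-irq-unsafe lock:
 (tasklist_lock){.+.+}-{2:2}
Chain exists of:
 &dev->event_lock#2 --> &new->fa_lock --> tasklist_lock
"""

# "(name){usage}" as lockdep prints it. The four usage slots are HARDIRQ, HARDIRQ-READ,
# SOFTIRQ, SOFTIRQ-READ (get_usage_chars() in kernel/locking/lockdep.c): '-' taken in
# irq context, '+' held with irqs enabled, '?' both, '.' neither.
LOCK_RE = re.compile(r"\(([^()]+)\)\{(.{4})\}")
HARDIRQ_SLOTS = (0, 1)

def parse_report(text):
    """Return ({lock: usage chars}, [(prev, next), ...]) from a lockdep report."""
    usage, edges, lines = dict(LOCK_RE.findall(text)), [], text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Chain exists of:"):
            chain = [n.strip() for n in lines[i + 1].split("-->")]
            edges.extend(zip(chain, chain[1:]))
        elif line.startswith("which would create a new lock dependency:"):
            prev, nxt = (n for n, _ in LOCK_RE.findall(lines[i + 1]))
            edges.append((prev, nxt))
    return usage, edges
def hardirq_safe(chars):    # lock has been taken from hardirq context
    return any(chars[s] in "-?" for s in HARDIRQ_SLOTS)
def hardirq_unsafe(chars):  # lock has been held with hardirqs enabled
    return any(chars[s] in "+?" for s in HARDIRQ_SLOTS)
def find_irq_inversions(usage, edges):
    """Paths from a hardirq-safe lock to a hardirq-unsafe one (the invariant
    check_irq_usage() enforces, simplified: no per-context or read/write refinement)."""
    succ = defaultdict(list)
    for prev, nxt in edges:
        succ[prev].append(nxt)
    def walk(path, seen):
        for nxt in succ[path[-1]]:
            if nxt not in seen:
                if hardirq_unsafe(usage.get(nxt, "....")):
                    yield path + [nxt]
                yield from walk(path + [nxt], seen | {nxt})
    return [p for lock, chars in usage.items() if hardirq_safe(chars)
            for p in walk([lock], {lock})]
```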