Hello,

We found the following issue using syzkaller on Linux v6.10. A possible deadlock issue was discovered in function `hci_dev_do_close` when it attempted to acquire the lock `hdev->req_lock`.

The full report including the Syzkaller reproducer: https://gist.github.com/TomAPU/5f32d2f519bf24b651580496e07497b2

The brief report is below:

Syzkaller hit 'possible deadlock in hci_dev_do_close' bug.

======================================================
WARNING: possible circular locking dependency detected
6.6.0 #9 Not tainted
------------------------------------------------------
kworker/0:3/4591 is trying to acquire lock:
ffff888031c5cdc0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xeb/0xa40 kernel/workqueue.c:3403

but task is already holding lock:
ffff888031c5d0b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x29/0xa0 net/bluetooth/hci_core.c:552

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (&hdev->req_lock){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x147/0x940 kernel/locking/mutex.c:747
       hci_dev_do_close+0x29/0xa0 net/bluetooth/hci_core.c:552
       hci_rfkill_set_block+0x175/0x210 net/bluetooth/hci_core.c:956
       rfkill_set_block+0x211/0x560 net/rfkill/core.c:346
       rfkill_epo+0x8e/0x1d0 net/rfkill/core.c:466
       __rfkill_handle_global_op net/rfkill/input.c:60 [inline]
       rfkill_op_handler+0x223/0x250 net/rfkill/input.c:108
       process_one_work+0x838/0x1560 kernel/workqueue.c:2630
       process_scheduled_works kernel/workqueue.c:2703 [inline]
       worker_thread+0x855/0x1200 kernel/workqueue.c:2784
       kthread+0x2cf/0x3b0 kernel/kthread.c:388
       ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304

-> #2 (rfkill_global_mutex){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x147/0x940 kernel/locking/mutex.c:747
       rfkill_register+0x3a/0xb30 net/rfkill/core.c:1075
       hci_register_dev+0x43b/0xdc0 net/bluetooth/hci_core.c:2656
       __vhci_create_device+0x399/0x810 drivers/bluetooth/hci_vhci.c:437
       vhci_create_device drivers/bluetooth/hci_vhci.c:478 [inline]
       vhci_get_user drivers/bluetooth/hci_vhci.c:535 [inline]
       vhci_write+0x2bd/0x470 drivers/bluetooth/hci_vhci.c:615
       call_write_iter include/linux/fs.h:1956 [inline]
       new_sync_write fs/read_write.c:491 [inline]
       vfs_write+0x99d/0xdd0 fs/read_write.c:584
       ksys_write+0x122/0x250 fs/read_write.c:637
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x40/0xc0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x6f/0xd9

-> #1 (&data->open_mutex){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x147/0x940 kernel/locking/mutex.c:747
       vhci_send_frame+0xb4/0x120 drivers/bluetooth/hci_vhci.c:78
       hci_send_frame+0x229/0x480 net/bluetooth/hci_core.c:3039
       hci_sched_acl_pkt net/bluetooth/hci_core.c:3651 [inline]
       hci_sched_acl net/bluetooth/hci_core.c:3736 [inline]
       hci_tx_work+0x13bf/0x1c80 net/bluetooth/hci_core.c:3835
       process_one_work+0x838/0x1560 kernel/workqueue.c:2630
       process_scheduled_works kernel/workqueue.c:2703 [inline]
       worker_thread+0x855/0x1200 kernel/workqueue.c:2784
       kthread+0x2cf/0x3b0 kernel/kthread.c:388
       ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304

-> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain kernel/locking/lockdep.c:3868 [inline]
       __lock_acquire+0x24ab/0x3b50 kernel/locking/lockdep.c:5136
       lock_acquire kernel/locking/lockdep.c:5753 [inline]
       lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
       __flush_work+0xf4/0xa40 kernel/workqueue.c:3403
       hci_dev_close_sync+0x191/0x1230 net/bluetooth/hci_sync.c:4982
       hci_dev_do_close+0x31/0xa0 net/bluetooth/hci_core.c:554
       hci_rfkill_set_block+0x175/0x210 net/bluetooth/hci_core.c:956
       rfkill_set_block+0x211/0x560 net/rfkill/core.c:346
       rfkill_epo+0x8e/0x1d0 net/rfkill/core.c:466
       __rfkill_handle_global_op net/rfkill/input.c:60 [inline]
       rfkill_op_handler+0x223/0x250 net/rfkill/input.c:108
       process_one_work+0x838/0x1560 kernel/workqueue.c:2630
       process_scheduled_works kernel/workqueue.c:2703 [inline]
       worker_thread+0x855/0x1200 kernel/workqueue.c:2784
       kthread+0x2cf/0x3b0 kernel/kthread.c:388
       ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304

other info that might help us debug this:

Chain exists of:
  (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&hdev->req_lock);
                               lock(rfkill_global_mutex);
                               lock(&hdev->req_lock);
  lock((work_completion)(&hdev->tx_work));

 *** DEADLOCK ***

4 locks held by kworker/0:3/4591:
 #0: ffff888014476d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x735/0x1560 kernel/workqueue.c:2605
 #1: ffffc90002f2fd88 ((rfkill_op_work).work){+.+.}-{0:0}, at: process_one_work+0x797/0x1560 kernel/workqueue.c:2606
 #2: ffffffff8f0c7868 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_epo+0x55/0x1d0 net/rfkill/core.c:462
 #3: ffff888031c5d0b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x29/0xa0 net/bluetooth/hci_core.c:552

stack backtrace:
CPU: 0 PID: 4591 Comm: kworker/0:3 Not tainted 6.6.0 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events rfkill_op_handler
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 check_noncircular+0x2f8/0x3e0 kernel/locking/lockdep.c:2187
 check_prev_add kernel/locking/lockdep.c:3134 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain kernel/locking/lockdep.c:3868 [inline]
 __lock_acquire+0x24ab/0x3b50 kernel/locking/lockdep.c:5136
 lock_acquire kernel/locking/lockdep.c:5753 [inline]
 lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
 __flush_work+0xf4/0xa40 kernel/workqueue.c:3403
 hci_dev_close_sync+0x191/0x1230 net/bluetooth/hci_sync.c:4982
 hci_dev_do_close+0x31/0xa0 net/bluetooth/hci_core.c:554
 hci_rfkill_set_block+0x175/0x210 net/bluetooth/hci_core.c:956
 rfkill_set_block+0x211/0x560 net/rfkill/core.c:346
 rfkill_epo+0x8e/0x1d0 net/rfkill/core.c:466
 __rfkill_handle_global_op net/rfkill/input.c:60 [inline]
 rfkill_op_handler+0x223/0x250 net/rfkill/input.c:108
 process_one_work+0x838/0x1560 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x855/0x1200 kernel/workqueue.c:2784
 kthread+0x2cf/0x3b0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304
 </TASK>