Re: [syzbot] [kernel?] possible deadlock in alarm_handle_timer

From: xingwei lee
Date: Mon Dec 04 2023 - 21:07:22 EST


Hello
I reproduced this bug with repro.c

=* repro.txt =*
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r0)
timer_create(0x9, 0x0, &(0x7f0000000500))
timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, 0x0)

=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* How long a cloned child lingers (microseconds) before exiting: 150 ms,
 * enough for the parent to act on it (here: a ptrace attach). */
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

/*
 * Post-clone dispatch shared by parent and child.
 *
 * ret: the raw return value of the clone syscall.
 *
 * In the parent (ret != 0, which includes -1 on failure) the value is
 * handed back unchanged.  In the child (ret == 0) this never returns:
 * the child sleeps USLEEP_FORKED_CHILD microseconds and then leaves via
 * the raw exit syscall, bypassing atexit handlers and stdio flushing.
 * The empty loop after it only exists so that control provably never
 * falls off the end of a non-void function.
 */
static long handle_clone_ret(long ret) {
    if (ret == 0) {
        /* Child side. */
        usleep(USLEEP_FORKED_CHILD);
        syscall(__NR_exit, 0);
        for (;;) {
        }
    }
    /* Parent side: pid of the child, or -1 from a failed clone. */
    return ret;
}

/*
 * Thin wrapper around the raw clone(2) syscall used by the reproducer.
 *
 * flags:     clone flags; CLONE_VM is always masked off so the child gets
 *            its own address space (a plain fork-like child).
 * stack,
 * stack_len: child stack base and size; the stack top is aligned down to
 *            16 bytes.  The reproducer passes 0/0, i.e. no explicit stack.
 * ptid, ctid, tls: forwarded to the syscall untouched.
 *
 * Returns whatever handle_clone_ret() decides for the parent (child pid,
 * or -1 on failure).  In the child this never returns.
 */
static long syz_clone(volatile long flags, volatile long stack,
                      volatile long stack_len, volatile long ptid,
                      volatile long ctid, volatile long tls) {
    long child_flags = flags & ~CLONE_VM;
    long stack_top = (stack + stack_len) & ~15L;
    long raw = (long)syscall(__NR_clone, child_flags, stack_top, ptid, ctid, tls);
    return handle_clone_ret(raw);
}

/* Syscall results carried between steps; r[0] holds the cloned child's pid
 * (stays 0 if the clone failed). */
uint64_t r[1] = { 0 };

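/*
 * Map one fixed anonymous region for the reproducer's scratch memory.
 *
 * addr, len, prot: as for mmap(2).  flags are always 0x32, which is
 * MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED.  The raw syscall is used because
 * <sys/mman.h> is not included, so failure is reported as -1 with errno
 * set rather than as MAP_FAILED.
 *
 * Returns 0 on success, -1 on failure.
 */
static int map_fixed(unsigned long addr, unsigned long len, unsigned long prot) {
    long rc = syscall(__NR_mmap, addr, len, prot, /*flags=*/0x32ul,
                      /*fd=*/-1L, /*offset=*/0ul);
    return rc == -1 ? -1 : 0;
}

/*
 * Reproducer entry point; mirrors repro.txt step by step:
 *   syz_clone(...)          -> a short-lived child
 *   ptrace(0x10, child)     -> 0x10 is PTRACE_ATTACH
 *   timer_create(9, ...)    -> clockid 9 is CLOCK_BOOTTIME_ALARM
 *   timer_settime(0, ...)   -> arm it with a very short period
 *
 * Returns 0 after the timer is armed, 1 if the scratch mappings could
 * not be set up (in which case the later raw pointer writes would have
 * been wild stores, so we stop before them).
 */
int main(void) {
    /* Guard page below, 16 MiB RWX scratch region, guard page above.
     * Fail loudly instead of writing through unmapped addresses later. */
    if (map_fixed(0x1ffff000ul, 0x1000ul, /*prot=*/0ul) == -1 ||
        map_fixed(0x20000000ul, 0x1000000ul, /*prot=*/7ul) == -1 ||
        map_fixed(0x21000000ul, 0x1000ul, /*prot=*/0ul) == -1) {
        perror("mmap");
        return 1;
    }

    /* Child with no explicit stack; it sleeps briefly and exits. */
    intptr_t res = syz_clone(/*flags=*/0, /*stack=*/0, /*stack_len=*/0,
                             /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
    if (res != -1) {
        r[0] = (uint64_t)res;
    }

    /* PTRACE_ATTACH (0x10) to the child while it is still sleeping.
     * If the clone failed r[0] is 0 and this simply fails. */
    syscall(__NR_ptrace, /*req=*/0x10ul, /*pid=*/r[0], 0, 0);

    /* CLOCK_BOOTTIME_ALARM timer, NULL sigevent (default signal delivery);
     * the new timer id is stored at 0x20000500. */
    syscall(__NR_timer_create, /*id=*/9ul, /*ev=*/0ul, /*timerid=*/0x20000500ul);

    /* struct itimerspec laid out by hand in scratch memory:
     *   it_interval = { .tv_sec = 0, .tv_nsec = 8 }
     *   it_value    = { .tv_sec = 0, .tv_nsec = 9 }
     * i.e. fire 9 ns after arming, then every 8 ns. */
    uint64_t *spec = (uint64_t *)0x2006b000ul;
    spec[0] = 0;
    spec[1] = 8;
    spec[2] = 0;
    spec[3] = 9;

    /* NOTE(review): the timer id stored at 0x20000500 is never read back;
     * timerid 0 is hard-coded, which presumably relies on the first timer
     * this process creates getting id 0. */
    syscall(__NR_timer_settime, /*timerid=*/0, /*flags=*/0ul,
            /*new=*/0x2006b000ul, /*old=*/0ul);
    return 0;
}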

see also https://gist.github.com/dracary7/55a1fc1c839289a1abe01293fe82aa8e

Thanks.
xingwei lee