[Bug] Deadlock between rfkill_fop_write() and nfc_unregister_device()

[Bug] Deadlock between rfkill_fop_write() and nfc_unregister_device()

[Sam Sun]

Dear developers and maintainers,

We originally encountered a task hung while using our modified
syzkaller. It was tested against the latest upstream kernel. We
analyzed the root cause and pinpoint the kernel crash log to the
following two tasks.

```
INFO: task systemd-rfkill:49424 blocked for more than 143 seconds.
      Tainted: G     U             6.12.0-09435-g2c22dc1ee3a1 #11
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:systemd-rfkill  state:D stack:25264 pid:49424 tgid:49424 ppid:1
   flags:0x00000000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5369 [inline]
 __schedule+0xe3b/0x5ac0 kernel/sched/core.c:6756
 __schedule_loop kernel/sched/core.c:6833 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6848
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6905
 __mutex_lock_common kernel/locking/mutex.c:665 [inline]
 __mutex_lock+0x59e/0xa50 kernel/locking/mutex.c:735
 device_lock include/linux/device.h:1014 [inline]
 nfc_dev_down+0x2d/0x2e0 net/nfc/core.c:143
 nfc_rfkill_set_block+0x39/0xe0 net/nfc/core.c:179
 rfkill_set_block+0x211/0x560 net/rfkill/core.c:346
 rfkill_fop_write+0x47b/0x570 net/rfkill/core.c:1309
 vfs_write+0x2b6/0x10d0 fs/read_write.c:677
 ksys_write+0x1fe/0x240 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa86ef8b473
RSP: 002b:00007fff7ad75778 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fff7ad757a0 RCX: 00007fa86ef8b473
RDX: 0000000000000008 RSI: 00007fff7ad757a8 RDI: 0000000000000003
RBP: 000055ce3e070c20 R08: 0000000000000000 R09: 00000000ffffffff
R10: 0000000000000004 R11: 0000000000000246 R12: 00007fff7ad757a8
R13: 0000000000000001 R14: 0000000000000001 R15: 000055ce3e06f072
 </TASK>

INFO: task syz-executor.3:50072 blocked for more than 143 seconds.
      Tainted: G     U             6.12.0-09435-g2c22dc1ee3a1 #11
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3  state:D stack:26808 pid:50072 tgid:50072
ppid:45742  flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5369 [inline]
 __schedule+0xe3b/0x5ac0 kernel/sched/core.c:6756
 __schedule_loop kernel/sched/core.c:6833 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6848
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6905
 __mutex_lock_common kernel/locking/mutex.c:665 [inline]
 __mutex_lock+0x59e/0xa50 kernel/locking/mutex.c:735
 rfkill_unregister+0xde/0x2c0 net/rfkill/core.c:1145
 nfc_unregister_device+0x96/0x330 net/nfc/core.c:1167
 virtual_ncidev_close+0x4c/0xa0 drivers/nfc/virtual_ncidev.c:172
 __fput+0x3fb/0xb40 fs/file_table.c:450
 __fput_sync+0xa6/0xc0 fs/file_table.c:535
 __do_sys_close fs/open.c:1554 [inline]
 __se_sys_close fs/open.c:1539 [inline]
 __x64_sys_close+0x8a/0x120 fs/open.c:1539
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ce729134b
RSP: 002b:00007ffcf599f720 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f2ce729134b
RDX: 0000000000000000 RSI: 000000000000c56e RDI: 0000000000000004
RBP: 00007f2ce73dd980 R08: 0000000000000000 R09: 000000008b1393d5
R10: 0000000000000001 R11: 0000000000000293 R12: 00000000000bde95
R13: 00007ffcf599f820 R14: 00007f2ce6e01e30 R15: 00007f2ce6e01e28
 </TASK>
```
After analyzing the log, we found that it was actually a deadlock
between nfc_unregister_device() and rfkill_fop_write():
CPU0                                             CPU1
-------------------------------------------------------
rfkill_fop_write                             nfc_unregister_device
      mutex_lock(rfkill_global_mutex)    device_lock
      rfkill_set_block                               rfkill_unregister
             nfc_rfkill_ser_block
mutex_lock(rfkill_global_mutex)
                  nfc_device_down
                        device_lock
------------------------------------------------------
If you have any questions, please contact us.

Best Regards,
Yue

Re: [Bug] Deadlock between rfkill_fop_write() and nfc_unregister_device()

[Johannes Berg]

On Tue, 2024-12-17 at 17:33 +0800, Sam Sun wrote:
> Dear developers and maintainers,
> 
> We originally encountered a task hung while using our modified
> syzkaller. It was tested against the latest upstream kernel. We
> analyzed the root cause and pinpoint the kernel crash log to the
> following two tasks.
> 

This issue has been known a very long time and should be fixed in NFC,
but I guess nobody is around to do it.

https://syzkaller.appspot.com/bug?extid=bb540a4bbfb4ae3b425d

johannes

Re: [Bug] Deadlock between rfkill_fop_write() and nfc_unregister_device()

[Johannes Berg]

On Tue, 2024-12-17 at 11:46 +0100, Johannes Berg wrote:
> On Tue, 2024-12-17 at 17:33 +0800, Sam Sun wrote:
> > Dear developers and maintainers,
> > 
> > We originally encountered a task hung while using our modified
> > syzkaller. It was tested against the latest upstream kernel. We
> > analyzed the root cause and pinpoint the kernel crash log to the
> > following two tasks.
> > 
> 
> This issue has been known a very long time and should be fixed in NFC,
> but I guess nobody is around to do it.
> 
> https://syzkaller.appspot.com/bug?extid=bb540a4bbfb4ae3b425d
> 

I think this one is also the same:

https://syzkaller.appspot.com/bug?extid=9ef743bba3a17c756174

and that's much older still.

johannes

Re: [Bug] Deadlock between rfkill_fop_write() and nfc_unregister_device()

[Sam Sun]

On Tue, Dec 17, 2024 at 7:33 PM Johannes Berg <johannes@sipsolutions.net> wrote:
>
> On Tue, 2024-12-17 at 11:46 +0100, Johannes Berg wrote:
> > On Tue, 2024-12-17 at 17:33 +0800, Sam Sun wrote:
> > > Dear developers and maintainers,
> > >
> > > We originally encountered a task hung while using our modified
> > > syzkaller. It was tested against the latest upstream kernel. We
> > > analyzed the root cause and pinpoint the kernel crash log to the
> > > following two tasks.
> > >
> >
> > This issue has been known a very long time and should be fixed in NFC,
> > but I guess nobody is around to do it.
> >
> > https://syzkaller.appspot.com/bug?extid=bb540a4bbfb4ae3b425d
> >
>
> I think this one is also the same:
>
> https://syzkaller.appspot.com/bug?extid=9ef743bba3a17c756174
>
> and that's much older still.
>

Thanks for your quick reply! I am sorry that I didn't double-check the
call stack of historical bugs reported by Syzbot. I will be careful
next time.

Best,
Yue

Re: [Bug] Deadlock between rfkill_fop_write() and nfc_unregister_device()

[Johannes Berg]

On Tue, 2024-12-17 at 20:01 +0800, Sam Sun wrote:
> On Tue, Dec 17, 2024 at 7:33 PM Johannes Berg <johannes@sipsolutions.net> wrote:
> > 
> > On Tue, 2024-12-17 at 11:46 +0100, Johannes Berg wrote:
> > > On Tue, 2024-12-17 at 17:33 +0800, Sam Sun wrote:
> > > > Dear developers and maintainers,
> > > > 
> > > > We originally encountered a task hung while using our modified
> > > > syzkaller. It was tested against the latest upstream kernel. We
> > > > analyzed the root cause and pinpoint the kernel crash log to the
> > > > following two tasks.
> > > > 
> > > 
> > > This issue has been known a very long time and should be fixed in NFC,
> > > but I guess nobody is around to do it.
> > > 
> > > https://syzkaller.appspot.com/bug?extid=bb540a4bbfb4ae3b425d
> > > 
> > 
> > I think this one is also the same:
> > 
> > https://syzkaller.appspot.com/bug?extid=9ef743bba3a17c756174
> > 
> > and that's much older still.
> > 
> 
> Thanks for your quick reply! I am sorry that I didn't double-check the
> call stack of historical bugs reported by Syzbot. I will be careful
> next time.
> 

No worries. Maybe someone who feels responsible for NFC will wake up ;-)

johannes

Re: [Bug] Deadlock between rfkill_fop_write() and nfc_unregister_device()

[Krzysztof Kozlowski]

On 17/12/2024 13:09, Johannes Berg wrote:
> On Tue, 2024-12-17 at 20:01 +0800, Sam Sun wrote:
>> On Tue, Dec 17, 2024 at 7:33 PM Johannes Berg <johannes@sipsolutions.net> wrote:
>>>
>>> On Tue, 2024-12-17 at 11:46 +0100, Johannes Berg wrote:
>>>> On Tue, 2024-12-17 at 17:33 +0800, Sam Sun wrote:
>>>>> Dear developers and maintainers,
>>>>>
>>>>> We originally encountered a task hung while using our modified
>>>>> syzkaller. It was tested against the latest upstream kernel. We
>>>>> analyzed the root cause and pinpoint the kernel crash log to the
>>>>> following two tasks.
>>>>>
>>>>
>>>> This issue has been known a very long time and should be fixed in NFC,
>>>> but I guess nobody is around to do it.
>>>>
>>>> https://syzkaller.appspot.com/bug?extid=bb540a4bbfb4ae3b425d
>>>>
>>>
>>> I think this one is also the same:
>>>
>>> https://syzkaller.appspot.com/bug?extid=9ef743bba3a17c756174
>>>
>>> and that's much older still.
>>>
>>
>> Thanks for your quick reply! I am sorry that I didn't double-check the
>> call stack of historical bugs reported by Syzbot. I will be careful
>> next time.
>>
> 
> No worries. Maybe someone who feels responsible for NFC will wake up ;-)

Patches are welcomed. The NFC stack was full of deadlocks, races and
uses-after-free. The only consolation was that all of them were
triggered by the virtual device driver, not real world cases. Many
syzkaller reports were eventually fixed, but I guess many are still open.

If anyone wants to take the responsibility for NFC in terms of actually
developing and fixes the stack, go ahead, because I have time here only
for reviews (and these are still behind netdev timeframe expectations).

Best regards,
Krzysztof