witness: reversal: lock order data missing (3)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 4141bb4bac68 Check BIO_reset() return value to make gcc ha..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1453f961700000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf87b6915a88cd0d
dashboard link: https://syzkaller.appspot.com/bug?extid=444b020a92d87d6ded8b

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+444b02...@syzkaller.appspotmail.com

witness: lock order reversal:
1st 0xffffffff82981660 pf_lock (pf_lock)
2nd 0xffffffff8291bdd0 netlock (netlock)
lock order "netlock"(rwlock) -> "pf_lock"(rwlock) first seen at:
#0 rw_enter_write+0x5b sys/kern/kern_rwlock.c:128
#1 pfioctl+0x3fba sys/net/pf_ioctl.c:2966
#2 VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264
#3 vn_ioctl+0xbc sys/kern/vfs_vnops.c:531
#4 sys_ioctl+0x4a2
#5 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
#5 syscall+0x489 sys/arch/amd64/amd64/trap.c:585
#6 Xsyscall+0x128
lock order data w1 -> w2 missing
Stopped at db_enter+0x18: addq $0x8,%rsp


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[Moritz Buhl]

#syz fix: Release PF und NET lock before calling copyout for DIOCIGETIFACES.

#syz dup: witness: reversal: pf_lock netlock (3)

looking at the callstack:

copyout() at copyout+0x53 pfioctl(4900,c0284457,ffff80002e2208e0,1,ffff80002121f508) at pfioctl+0x4516 sys/net/pf_ioctl.c:2932

VOP_IOCTL(fffffd806f6828e8,c0284457,ffff80002e2208e0,1,fffffd807f7d7600,ffff80002121f508) at VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264

vn_ioctl(fffffd8065095688,c0284457,ffff80002e2208e0,ffff80002121f508) at vn_ioctl+0xbc sys/kern/vfs_vnops.c:531

sys_ioctl(ffff80002121f508,ffff80002e2209f8,ffff80002e220a50) at sys_ioctl+0x4a2

syscall(ffff80002e220ac0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102

[inline] syscall(ffff80002e220ac0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585

Xsyscall() at Xsyscall+0x128

DIOCIGETIFACES calls copyout without dropping the locks like in the other problem.

[syzbot]

> #syz fix: Release PF und NET lock before calling copyout for

I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).

> DIOCIGETIFACES.
> #syz dup: witness: reversal: pf_lock netlock (3)
>
> looking at the callstack:
> copyout() at copyout+0x53
> pfioctl(4900,c0284457,ffff80002e2208e0,1,ffff80002121f508) at
> pfioctl+0x4516 sys/net/pf_ioctl.c:2932

> <https://github.com/openbsd/src/blob/62198fa5a9d005ca1c651b3df2c33ce50d333b27/sys/net/pf_ioctl.c#L2932>

> VOP_IOCTL(fffffd806f6828e8,c0284457,ffff80002e2208e0,1,fffffd807f7d7600,ffff80002121f508)
> at VOP_IOCTL+0x96 sys/kern/vfs_vops.c:264

> <https://github.com/openbsd/src/blob/62198fa5a9d005ca1c651b3df2c33ce50d333b27/sys/kern/vfs_vops.c#L264>

> vn_ioctl(fffffd8065095688,c0284457,ffff80002e2208e0,ffff80002121f508) at
> vn_ioctl+0xbc sys/kern/vfs_vnops.c:531

> <https://github.com/openbsd/src/blob/62198fa5a9d005ca1c651b3df2c33ce50d333b27/sys/kern/vfs_vnops.c#L531>

> sys_ioctl(ffff80002121f508,ffff80002e2209f8,ffff80002e220a50) at
> sys_ioctl+0x4a2
> syscall(ffff80002e220ac0) at syscall+0x489 mi_syscall
> sys/sys/syscall_mi.h:102

> <https://github.com/openbsd/src/blob/62198fa5a9d005ca1c651b3df2c33ce50d333b27/sys/sys/syscall_mi.h#L102>

> [inline] syscall(ffff80002e220ac0) at syscall+0x489
> sys/arch/amd64/amd64/trap.c:585

> <https://github.com/openbsd/src/blob/62198fa5a9d005ca1c651b3df2c33ce50d333b27/sys/arch/amd64/amd64/trap.c#L585>

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-openbsd-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-openbsd...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-openbsd-bugs/abf6a41a-f635-4f78-8dc9-239c10639030n%40googlegroups.com.

[Moritz Buhl]

#syz fix: Release PF und NET lock before calling copyout for DIOCIGETIFACES. OK sashan@ Reported-by: syzbot+b6afd1...@syzkaller.appspotmail.com    

syzbot schrieb am Mittwoch, 20. Juli 2022 um 20:31:39 UTC+2:

> #syz fix: Release PF und NET lock before calling copyout for

I see the command but can't find the corresponding bug.

Please resend the email to syzbot+HASH@syzkaller.appspotmail.com address

> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-openbsd-bugs+unsub...@googlegroups.com.

[syzbot]

> #syz fix: Release PF und NET lock before calling copyout for

I see the command but can't find the corresponding bug.

Please resend the email to syzbo...@syzkaller.appspotmail.com address

that is the sender of the bug report (also present in the Reported-by tag).

> DIOCIGETIFACES. OK sashan@ Reported-by:
> syzbot+b6afd1...@syzkaller.appspotmail.com
>
> syzbot schrieb am Mittwoch, 20. Juli 2022 um 20:31:39 UTC+2:
>
>> > #syz fix: Release PF und NET lock before calling copyout for
>>
>> I see the command but can't find the corresponding bug.

>> Please resend the email to syzbo...@syzkaller.appspotmail.com address

>> an email to syzkaller-openbsd...@googlegroups.com.

>> > To view this discussion on the web visit
>> https://groups.google.com/d/msgid/syzkaller-openbsd-bugs/abf6a41a-f635-4f78-8dc9-239c10639030n%40googlegroups.com
>> .
>>
>

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-openbsd-bugs" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-openbsd...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-openbsd-bugs/b6e032a8-9e08-4644-99bf-9c09bf0033dbn%40googlegroups.com.

[syzbot]

>
>
> ---------- Weitergeleitete Nachricht ---------
> Von: Moritz Buhl <Unbekannt>
> Datum: Mittwoch, 20. Juli 2022 um 20:31:36 UTC+2
> Betreff: Re: witness: reversal: lock order data missing (3)
> An: syzkaller-openbsd-bugs <Unbekannt>

>
>
> #syz fix: Release PF und NET lock before calling copyout for

Your 'fix:' command is accepted, but please keep syzkaller-o...@googlegroups.com mailing list in CC next time. It serves as a history of what happened with each bug report. Thank you.

[syzbot]

This bug is marked as fixed by commit:

Release PF und NET lock before calling copyout for

But I can't find it in any tested tree for more than 90 days.
Is it a correct commit? Please update it by replying:
#syz fix: exact-commit-title
Until then the bug is still considered open and
new crashes with the same signature are ignored.

[syzbot]

[syzbot]

> #syz fix: Release PF und NET lock before calling copyout for

Your 'fix:' command is accepted, but please keep syzkaller-o...@googlegroups.com mailing list in CC next time. It serves as a history of what happened with each bug report. Thank you.

> DIOCIGETIFACES. OK sashan@ Reported-by:
> syzbot+b6afd1...@syzkaller.appspotmail.com
>
> Am Dienstag, 1. November 2022 schrieb syzbot <
> syzbot+444b02...@syzkaller.appspotmail.com>:

[syzbot]

[syzbot]

[syzbot]

Dashboard link: https://syzkaller.appspot.com/bug?extid=444b020a92d87d6ded8b

[syzbot]

This bug is marked as fixed by commit:
Release PF und NET lock before calling copyout for

But I can't find it in the tested trees[1] for more than 90 days.

Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: OpenBSD
Dashboard link: https://syzkaller.appspot.com/bug?extid=444b020a92d87d6ded8b

---
[1] I expect the commit to be present in:

1. master branch of
https://github.com/openbsd/src.git

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[Alexander Bluhm]

#syz fix: Release PF und NET lock before calling copyout for DIOCIGETIFACES.

[syzbot]

This bug is marked as fixed by commit:

Release PF und NET lock before calling copyout for DIOCIGETIFACES.

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]