syzbot

 sign-in | mailing list | source | docs
🐞 Open [719]
🐞 Fixed [73]
🐞 Invalid [910]
Missing Backports [118]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

possible deadlock in sch_direct_xmit (2)

Status: upstream: reported C repro on 2024/02/22 19:25
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+3f44bf8b6f083aa47b0a@syzkaller.appspotmail.com
First crash: 496d, last: 1d14h
Bug presence (2)
Date Name Commit Repro Result
2024/05/18 linux-5.15.y (ToT) 83655231580b C [report] possible deadlock in sch_direct_xmit
2024/05/18 upstream (ToT) 4b377b4868ef C Didn't crash
Similar bugs (12)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 possible deadlock in sch_direct_xmit (2) origin:lts-only C done 28 40d 540d 0/3 upstream: reported C repro on 2024/01/09 18:28
android-44 possible deadlock in sch_direct_xmit C 240 2038d 2274d 0/2 public: reported C repro on 2019/04/11 08:44
upstream possible deadlock in sch_direct_xmit (2) net C done unreliable 109 716d 1891d 0/29 auto-obsoleted due to no activity on 2024/01/14 06:05
linux-4.19 possible deadlock in sch_direct_xmit (2) C error 15 859d 1376d 0/1 upstream: reported C repro on 2021/09/26 01:30
upstream possible deadlock in sch_direct_xmit net C done done 1548 2045d 2724d 15/29 fixed on 2020/04/17 19:57
linux-4.14 possible deadlock in sch_direct_xmit 1 2222d 2222d 0/1 auto-closed as invalid on 2019/10/25 08:40
upstream possible deadlock in sch_direct_xmit (4) net 1 431d 431d 25/29 fixed on 2024/06/05 13:52
linux-4.14 possible deadlock in sch_direct_xmit (2) 1 2055d 2055d 0/1 auto-closed as invalid on 2020/03/15 19:58
linux-4.19 possible deadlock in sch_direct_xmit 1 2223d 2223d 0/1 auto-closed as invalid on 2019/10/25 08:50
linux-5.15 possible deadlock in sch_direct_xmit 1 783d 783d 0/3 auto-obsoleted due to no activity on 2023/08/23 09:09
linux-6.1 possible deadlock in sch_direct_xmit 2 791d 829d 0/3 auto-obsoleted due to no activity on 2023/08/23 09:10
upstream possible deadlock in sch_direct_xmit (3) net 1 506d 506d 25/29 fixed on 2024/04/10 16:40
Last patch testing requests (7)
Created Duration User Patch Repo Result
2025/05/26 06:10 10m retest repro linux-5.15.y report log
2025/05/06 07:55 11m retest repro linux-5.15.y report log
2025/03/13 17:39 13m retest repro linux-5.15.y report log
2025/02/22 03:11 13m retest repro linux-5.15.y report log
2024/12/28 21:34 14m retest repro linux-5.15.y report log
2024/12/13 22:35 16m retest repro linux-5.15.y report log
2024/10/08 11:25 11m retest repro linux-5.15.y report log
Fix bisection attempts (6)
Created Duration User Patch Repo Result
2025/05/31 01:20 1h05m fix candidate upstream error job log
2025/01/02 17:47 1m fix candidate upstream error job log
2024/10/23 03:01 2m fix candidate upstream error job log
2024/09/17 14:38 1m fix candidate upstream error job log
2024/08/02 00:55 1m fix candidate upstream error job log
2024/05/25 13:09 1m fix candidate upstream error job log

Sample crash report:
============================================
WARNING: possible recursive locking detected
5.15.186-syzkaller #0 Not tainted
--------------------------------------------
syz.0.140/4302 is trying to acquire lock:
ffff0000dbd9c398 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffff0000dbd9c398 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4437 [inline]
ffff0000dbd9c398 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x12c/0x3bc net/sched/sch_generic.c:340

but task is already holding lock:
ffff0000ce840898 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffff0000ce840898 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4437 [inline]
ffff0000ce840898 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x12c/0x3bc net/sched/sch_generic.c:340

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(_xmit_ETHER#2);
  lock(_xmit_ETHER#2);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

13 locks held by syz.0.140/4302:
 #0: ffff800014331360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:311
 #1: ffff8000143313c0 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:311
 #2: ffff8000143313c0 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:311
 #3: ffff0000dc484258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:373 [inline]
 #3: ffff0000dc484258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin+0x120/0x2a8 include/net/sch_generic.h:173
 #4: ffff0000ce840898 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
 #4: ffff0000ce840898 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4437 [inline]
 #4: ffff0000ce840898 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x12c/0x3bc net/sched/sch_generic.c:340
 #5: ffff0000cc229da0 (k-slock-AF_INET6){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:373 [inline]
 #5: ffff0000cc229da0 (k-slock-AF_INET6){+...}-{2:2}, at: icmpv6_xmit_lock+0xf0/0x140 net/ipv6/icmp.c:118
 #6: ffff800014331360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:311
 #7: ffff800014331360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:311
 #8: ffff8000143313c0 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:311
 #9: ffff800014331360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:311
 #10: ffff8000143313c0 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:311
 #11: ffff8000143313c0 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:311
 #12: ffff0000ced87258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:373 [inline]
 #12: ffff0000ced87258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin+0x120/0x2a8 include/net/sch_generic.h:173

stack backtrace:
CPU: 0 PID: 4302 Comm: syz.0.140 Not tainted 5.15.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 __lock_acquire+0x18a4/0x651c kernel/locking/lockdep.c:-1
 lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0xb0/0x10c kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:363 [inline]
 __netif_tx_lock include/linux/netdevice.h:4437 [inline]
 sch_direct_xmit+0x12c/0x3bc net/sched/sch_generic.c:340
 __dev_xmit_skb net/core/dev.c:3884 [inline]
 __dev_queue_xmit+0x13f4/0x2800 net/core/dev.c:4253
 dev_queue_xmit+0x24/0x34 net/core/dev.c:4321
 neigh_hh_output include/net/neighbour.h:493 [inline]
 neigh_output include/net/neighbour.h:507 [inline]
 ip6_finish_output2+0x129c/0x1a14 net/ipv6/ip6_output.c:130
 __ip6_finish_output+0x570/0x6dc net/ipv6/ip6_output.c:201
 ip6_finish_output+0x40/0x218 net/ipv6/ip6_output.c:211
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x500 net/ipv6/ip6_output.c:234
 dst_output include/net/dst.h:452 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ndisc_send_skb+0xc10/0x1684 net/ipv6/ndisc.c:513
 ndisc_send_ns+0x518/0x6f4 net/ipv6/ndisc.c:655
 ndisc_solicit+0x2b0/0x408 net/ipv6/ndisc.c:-1
 neigh_probe+0xc4/0x138 net/core/neighbour.c:1017
 __neigh_event_send+0xc14/0x1200 net/core/neighbour.c:1178
 neigh_event_send include/net/neighbour.h:438 [inline]
 neigh_resolve_output+0x180/0x5e0 net/core/neighbour.c:1488
 neigh_output include/net/neighbour.h:509 [inline]
 ip6_finish_output2+0x12d0/0x1a14 net/ipv6/ip6_output.c:130
 __ip6_finish_output+0x570/0x6dc net/ipv6/ip6_output.c:201
 ip6_finish_output+0x40/0x218 net/ipv6/ip6_output.c:211
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x500 net/ipv6/ip6_output.c:234
 dst_output include/net/dst.h:452 [inline]
 ip6_local_out+0x120/0x15c net/ipv6/output_core.c:161
 ip6_send_skb+0x1a8/0x4f4 net/ipv6/ip6_output.c:1952
 ip6_push_pending_frames+0xd0/0x118 net/ipv6/ip6_output.c:1973
 icmpv6_push_pending_frames+0x238/0x394 net/ipv6/icmp.c:311
 icmp6_send+0xee4/0x144c net/ipv6/icmp.c:630
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x44/0x4a8 net/ipv6/route.c:2788
 dst_link_failure+0x11c/0x160 include/net/dst.h:422
 ip_tunnel_xmit+0x1444/0x1f30 net/ipv4/ip_tunnel.c:844
 __gre_xmit net/ipv4/ip_gre.c:474 [inline]
 erspan_xmit+0x890/0x1490 net/ipv4/ip_gre.c:723
 __netdev_start_xmit include/linux/netdevice.h:5027 [inline]
 netdev_start_xmit include/linux/netdevice.h:5041 [inline]
 xmit_one net/core/dev.c:3649 [inline]
 dev_hard_start_xmit+0x2a8/0x87c net/core/dev.c:3665
 sch_direct_xmit+0x2a4/0x3bc net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3884 [inline]
 __dev_queue_xmit+0x13f4/0x2800 net/core/dev.c:4253
 dev_queue_xmit+0x24/0x34 net/core/dev.c:4321
 neigh_hh_output include/net/neighbour.h:493 [inline]
 neigh_output include/net/neighbour.h:507 [inline]
 ip6_finish_output2+0x129c/0x1a14 net/ipv6/ip6_output.c:130
 __ip6_finish_output+0x570/0x6dc net/ipv6/ip6_output.c:201
 ip6_finish_output+0x40/0x218 net/ipv6/ip6_output.c:211
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x500 net/ipv6/ip6_output.c:234
 dst_output include/net/dst.h:452 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 rawv6_send_hdrinc+0xdb8/0x18cc net/ipv6/raw.c:691
 rawv6_sendmsg+0xd9c/0x12e8 net/ipv6/raw.c:949
 inet_sendmsg+0x154/0x284 net/ipv4/af_inet.c:834
 sock_sendmsg_nosec net/socket.c:704 [inline]
 __sock_sendmsg net/socket.c:716 [inline]
 ____sys_sendmsg+0x61c/0x920 net/socket.c:2436
 ___sys_sendmsg+0x1d0/0x240 net/socket.c:2490
 __sys_sendmmsg+0x218/0x5f0 net/socket.c:2576
 __do_sys_sendmmsg net/socket.c:2605 [inline]
 __se_sys_sendmmsg net/socket.c:2602 [inline]
 __arm64_sys_sendmmsg+0xa0/0xbc net/socket.c:2602
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Crashes (16):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/07/01 13:12 linux-5.15.y 3dea0e7f549e 6e83b42d .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/11/27 16:20 linux-5.15.y 0a51d2d4527b 52b38cc1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/05/18 16:43 linux-5.15.y 83655231580b c0f1611a .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/07/14 08:13 linux-5.15.y f45bea23c39c eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan possible deadlock in sch_direct_xmit
2024/03/24 11:42 linux-5.15.y b95c01af2113 0ea90952 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan possible deadlock in sch_direct_xmit
2025/02/27 12:46 linux-5.15.y c16c81c81336 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/10/27 13:40 linux-5.15.y 74cdd62cb470 65e8686b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/09/02 04:42 linux-5.15.y fa93fa65db6e 1eda0d14 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/08/21 15:32 linux-5.15.y fa93fa65db6e db5852f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/08/17 06:10 linux-5.15.y 7e89efd3ae1c dbc93b08 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/08/15 09:04 linux-5.15.y 7e89efd3ae1c e4bacdaf .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/08/14 19:20 linux-5.15.y 7e89efd3ae1c e6b88e20 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/05/18 14:37 linux-5.15.y 83655231580b c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/04/24 13:33 linux-5.15.y c52b9710c83d 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/03/27 21:07 linux-5.15.y 9465fef4ae35 120789fd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
2024/02/22 19:24 linux-5.15.y 6139f2a02fe0 8d446f15 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 possible deadlock in sch_direct_xmit
* Struck through repros no longer work on HEAD.