syzbot


possible deadlock in sco_connect_cfm

Status: upstream: reported on 2024/07/08 18:22
Subsystems: bluetooth
[Documentation on labels]
Reported-by: syzbot+0068c4f72ae17f8a1605@syzkaller.appspotmail.com
First crash: 7d09h, last: 7d09h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bluetooth?] possible deadlock in sco_connect_cfm 0 (1) 2024/07/08 18:22
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 possible deadlock in sco_connect_cfm origin:lts-only C 3 9d07h 60d 0/3 upstream: reported C repro on 2024/05/13 19:57

Sample crash report:
Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1
Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9
======================================================
WARNING: possible circular locking dependency detected
6.10.0-rc6-syzkaller-00210-gd270dd21bee0 #0 Not tainted
------------------------------------------------------
kworker/u9:2/5087 is trying to acquire lock:
ffff88807ad7a258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1602 [inline]
ffff88807ad7a258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_ready net/bluetooth/sco.c:1290 [inline]
ffff88807ad7a258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1362

but task is already holding lock:
ffff8880274ab820 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff8880274ab820 (&conn->lock#2){+.+.}-{2:2}, at: sco_conn_ready net/bluetooth/sco.c:1277 [inline]
ffff8880274ab820 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40 net/bluetooth/sco.c:1362

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&conn->lock#2){+.+.}-{2:2}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
       __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
       _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
       spin_lock include/linux/spinlock.h:351 [inline]
       sco_chan_add net/bluetooth/sco.c:234 [inline]
       sco_connect net/bluetooth/sco.c:287 [inline]
       sco_sock_connect+0x347/0x990 net/bluetooth/sco.c:596
       io_connect+0xa4/0x4f0 io_uring/net.c:1687
       io_issue_sqe+0x3cf/0x14f0 io_uring/io_uring.c:1751
       io_queue_sqe io_uring/io_uring.c:1965 [inline]
       io_submit_sqe io_uring/io_uring.c:2221 [inline]
       io_submit_sqes+0xaff/0x1bf0 io_uring/io_uring.c:2336
       __do_sys_io_uring_enter io_uring/io_uring.c:3245 [inline]
       __se_sys_io_uring_enter+0x2d4/0x2670 io_uring/io_uring.c:3182
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3869
       __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
       lock_sock_nested+0x48/0x100 net/core/sock.c:3534
       lock_sock include/net/sock.h:1602 [inline]
       sco_conn_ready net/bluetooth/sco.c:1290 [inline]
       sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1362
       hci_connect_cfm include/net/bluetooth/hci_core.h:1970 [inline]
       hci_sync_conn_complete_evt+0x5ab/0xaa0 net/bluetooth/hci_event.c:5009
       hci_event_func net/bluetooth/hci_event.c:7444 [inline]
       hci_event_packet+0xac0/0x1540 net/bluetooth/hci_event.c:7496
       hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4042
       process_one_work kernel/workqueue.c:3248 [inline]
       process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
       worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
       kthread+0x2f0/0x390 kernel/kthread.c:389
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&conn->lock#2);
                               lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
                               lock(&conn->lock#2);
  lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);

 *** DEADLOCK ***

5 locks held by kworker/u9:2/5087:
 #0: ffff8880764d1948 ((wq_completion)hci1#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3223 [inline]
 #0: ffff8880764d1948 ((wq_completion)hci1#2){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3329
 #1: ffffc9000377fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3224 [inline]
 #1: ffffc9000377fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3329
 #2: ffff88802d30c078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0 net/bluetooth/hci_event.c:4926
 #3: ffffffff8f73f008 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1967 [inline]
 #3: ffffffff8f73f008 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0 net/bluetooth/hci_event.c:5009
 #4: ffff8880274ab820 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #4: ffff8880274ab820 (&conn->lock#2){+.+.}-{2:2}, at: sco_conn_ready net/bluetooth/sco.c:1277 [inline]
 #4: ffff8880274ab820 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40 net/bluetooth/sco.c:1362

stack backtrace:
CPU: 1 PID: 5087 Comm: kworker/u9:2 Not tainted 6.10.0-rc6-syzkaller-00210-gd270dd21bee0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: hci1 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
 check_prev_add kernel/locking/lockdep.c:3134 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3869
 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
 lock_sock_nested+0x48/0x100 net/core/sock.c:3534
 lock_sock include/net/sock.h:1602 [inline]
 sco_conn_ready net/bluetooth/sco.c:1290 [inline]
 sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1362
 hci_connect_cfm include/net/bluetooth/hci_core.h:1970 [inline]
 hci_sync_conn_complete_evt+0x5ab/0xaa0 net/bluetooth/hci_event.c:5009
 hci_event_func net/bluetooth/hci_event.c:7444 [inline]
 hci_event_packet+0xac0/0x1540 net/bluetooth/hci_event.c:7496
 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4042
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
BUG: sleeping function called from invalid context at net/core/sock.c:3536
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5087, name: kworker/u9:2
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 PID: 5087 Comm: kworker/u9:2 Not tainted 6.10.0-rc6-syzkaller-00210-gd270dd21bee0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: hci1 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 __might_resched+0x5d4/0x780 kernel/sched/core.c:10196
 lock_sock_nested+0x5d/0x100 net/core/sock.c:3536
 lock_sock include/net/sock.h:1602 [inline]
 sco_conn_ready net/bluetooth/sco.c:1290 [inline]
 sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1362
 hci_connect_cfm include/net/bluetooth/hci_core.h:1970 [inline]
 hci_sync_conn_complete_evt+0x5ab/0xaa0 net/bluetooth/hci_event.c:5009
 hci_event_func net/bluetooth/hci_event.c:7444 [inline]
 hci_event_packet+0xac0/0x1540 net/bluetooth/hci_event.c:7496
 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4042
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/07/06 02:15 upstream d270dd21bee0 2a40360c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in sco_connect_cfm
* Struck through repros no longer work on HEAD.