syzbot


possible deadlock in __dev_queue_xmit (3)

Status: upstream: reported on 2024/10/25 05:17
Reported-by: syzbot+1f5d85a41ae645abffc0@syzkaller.appspotmail.com
First crash: 41d, last: 41d
Similar bugs (12)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 possible deadlock in __dev_queue_xmit 4 1992d 2061d 0/3 auto-closed as invalid on 2019/10/25 08:36
upstream possible deadlock in __dev_queue_xmit (3) net C done inconclusive 1012 147d 1828d 0/28 upstream: reported C repro on 2019/12/03 09:55
linux-4.19 possible deadlock in __dev_queue_xmit C error 5 1169d 1588d 0/1 upstream: reported C repro on 2020/07/31 07:05
android-414 possible deadlock in __dev_queue_xmit 3 2051d 2062d 0/1 auto-closed as invalid on 2019/10/21 21:31
android-44 possible deadlock in __dev_queue_xmit 14 1828d 1889d 0/2 auto-closed as invalid on 2020/04/02 07:14
linux-6.1 possible deadlock in __dev_queue_xmit 98 412d 525d 0/3 auto-obsoleted due to no activity on 2023/12/28 22:22
linux-4.14 possible deadlock in __dev_queue_xmit 7 1538d 1983d 0/1 auto-closed as invalid on 2021/01/16 21:33
upstream possible deadlock in __dev_queue_xmit net 1 2150d 2150d 0/28 closed as invalid on 2019/03/10 18:51
linux-5.15 possible deadlock in __dev_queue_xmit 113 477d 612d 0/3 auto-obsoleted due to no activity on 2023/10/25 04:56
linux-6.1 possible deadlock in __dev_queue_xmit (2) 7 211d 320d 0/3 auto-obsoleted due to no activity on 2024/08/16 05:44
linux-5.15 possible deadlock in __dev_queue_xmit (2) origin:lts-only C done 24 10h02m 356d 0/3 upstream: reported C repro on 2023/12/15 02:11
upstream possible deadlock in __dev_queue_xmit (2) kernel 2 1962d 2078d 0/28 auto-closed as invalid on 2019/11/19 09:01

Sample crash report:
============================================
WARNING: possible recursive locking detected
6.1.114-syzkaller #0 Not tainted
--------------------------------------------
syz.5.240/5401 is trying to acquire lock:
ffff0000db7ee218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000db7ee218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3888 [inline]
ffff0000db7ee218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1b38/0x34d0 net/core/dev.c:4263

but task is already holding lock:
ffff0000ed81d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
ffff0000ed81d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
ffff0000ed81d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3845 [inline]
ffff0000ed81d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0xf04/0x34d0 net/core/dev.c:4263

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(dev->qdisc_tx_busylock ?: &qdisc_tx_busylock);
  lock(dev->qdisc_tx_busylock ?: &qdisc_tx_busylock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

9 locks held by syz.5.240/5401:
 #0: ffff800015ba5a80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:349
 #1: ffff0000ed81d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #1: ffff0000ed81d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
 #1: ffff0000ed81d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3845 [inline]
 #1: ffff0000ed81d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0xf04/0x34d0 net/core/dev.c:4263
 #2: ffff800015ba5a20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:349
 #3: ffff800015ba5a80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:349
 #4: ffff0000d64207f0 (k-slock-AF_INET6){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #4: ffff0000d64207f0 (k-slock-AF_INET6){+...}-{2:2}, at: icmpv6_xmit_lock+0xec/0x19c net/ipv6/icmp.c:108
 #5: ffff800015ba5a20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:349
 #6: ffff800015ba5a20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:349
 #7: ffff800015ba5a20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:349
 #8: ffff800015ba5a80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:349

stack backtrace:
CPU: 1 PID: 5401 Comm: syz.5.240 Not tainted 6.1.114-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 __lock_acquire+0x6310/0x7680 kernel/locking/lockdep.c:5049
 lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 __dev_xmit_skb net/core/dev.c:3888 [inline]
 __dev_queue_xmit+0x1b38/0x34d0 net/core/dev.c:4263
 dev_queue_xmit include/linux/netdevice.h:3021 [inline]
 neigh_connected_output+0x344/0x3d4 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0xdb8/0x1b54 net/ipv6/ip6_output.c:138
 __ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
 ip6_finish_output+0x5a4/0x940 net/ipv6/ip6_output.c:216
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x594 net/ipv6/ip6_output.c:237
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0x120/0x160 net/ipv6/output_core.c:161
 ip6_send_skb+0x19c/0x570 net/ipv6/ip6_output.c:2005
 ip6_push_pending_frames+0xd0/0x118 net/ipv6/ip6_output.c:2026
 icmpv6_push_pending_frames+0x288/0x3f4 net/ipv6/icmp.c:311
 icmp6_send+0x11ac/0x1b8c net/ipv6/icmp.c:632
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x44/0x4a8 net/ipv6/route.c:2793
 dst_link_failure include/net/dst.h:423 [inline]
 ipip6_tunnel_xmit net/ipv6/sit.c:1039 [inline]
 sit_tunnel_xmit+0xa88/0x1ee8 net/ipv6/sit.c:1076
 __netdev_start_xmit include/linux/netdevice.h:4853 [inline]
 netdev_start_xmit include/linux/netdevice.h:4867 [inline]
 xmit_one net/core/dev.c:3627 [inline]
 dev_hard_start_xmit+0x25c/0x9a4 net/core/dev.c:3643
 sch_direct_xmit+0x234/0x548 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x904/0x239c net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3921 [inline]
 __dev_queue_xmit+0xcac/0x34d0 net/core/dev.c:4263
 dev_queue_xmit include/linux/netdevice.h:3021 [inline]
 neigh_connected_output+0x344/0x3d4 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0xdb8/0x1b54 net/ipv6/ip6_output.c:138
 __ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
 ip6_finish_output+0x5a4/0x940 net/ipv6/ip6_output.c:216
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x594 net/ipv6/ip6_output.c:237
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0x120/0x160 net/ipv6/output_core.c:161
 ip6tunnel_xmit+0x174/0x460 include/net/ip6_tunnel.h:161
 ip6_tnl_xmit+0x1f0c/0x2698 net/ipv6/ip6_tunnel.c:1280
 __gre6_xmit+0x7c8/0xadc net/ipv6/ip6_gre.c:809
 ip6gre_xmit_other net/ipv6/ip6_gre.c:912 [inline]
 ip6gre_tunnel_xmit+0x9e0/0x12fc net/ipv6/ip6_gre.c:940
 __netdev_start_xmit include/linux/netdevice.h:4853 [inline]
 netdev_start_xmit include/linux/netdevice.h:4867 [inline]
 xmit_one net/core/dev.c:3627 [inline]
 dev_hard_start_xmit+0x25c/0x9a4 net/core/dev.c:3643
 sch_direct_xmit+0x234/0x548 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3858 [inline]
 __dev_queue_xmit+0x1438/0x34d0 net/core/dev.c:4263
 dev_queue_xmit+0x24/0x34 include/linux/netdevice.h:3021
 packet_snd net/packet/af_packet.c:3142 [inline]
 packet_sendmsg+0x36f0/0x4cd8 net/packet/af_packet.c:3173
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 __sys_sendto+0x3b8/0x508 net/socket.c:2153
 __do_sys_sendto net/socket.c:2165 [inline]
 __se_sys_sendto net/socket.c:2161 [inline]
 __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2161
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/10/25 05:16 linux-6.1.y 7ec6f9fa3d97 c79b8ca5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 possible deadlock in __dev_queue_xmit
* Struck through repros no longer work on HEAD.