syzbot


possible deadlock in flush_work

Status: upstream: reported C repro on 2019/04/13 06:23
Reported-by: syzbot+50f018e02905b0881378@syzkaller.appspotmail.com
First crash: 2084d, last: 1671d
Fix bisection: the fix commit could be any of (bisect log):
  e1f7d50ae3a3 Linux 4.14.160
  4139fb08c05f Linux 4.14.187
  
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream possible deadlock in flush_work C 180 2612d 2688d 0/28 closed as invalid on 2017/11/01 20:11
upstream possible deadlock in flush_work (2) net nfs 3 2606d 2608d 4/28 fixed on 2018/02/14 17:41
upstream possible deadlock in flush_work (3) net 3 2327d 2327d 0/28 auto-closed as invalid on 2019/02/22 10:34
Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/01/01 02:31 13m retest repro linux-4.14.y report log
2022/09/01 04:27 16m retest repro linux-4.14.y report log
Fix bisection attempts (5)
Created Duration User Patch Repo Result
2020/06/29 05:34 30m (3) bisect fix linux-4.14.y OK (2) job log
2020/05/30 05:11 22m bisect fix linux-4.14.y OK (0) job log log
2020/04/30 04:05 26m bisect fix linux-4.14.y OK (0) job log log
2020/03/31 03:41 23m bisect fix linux-4.14.y OK (0) job log log
2020/03/01 03:16 24m bisect fix linux-4.14.y OK (0) job log log

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1577080635.373:36): avc:  denied  { map } for  pid=7223 comm="syz-executor702" path="/root/syz-executor702617745" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.14.160-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor702/7223 is trying to acquire lock:
 ((&strp->work)){+.+.}, at: [<ffffffff813ce074>] flush_work+0x84/0x730 kernel/workqueue.c:2884

but task is already holding lock:
 (sk_lock-AF_INET){+.+.}, at: [<ffffffff85e04d0d>] lock_sock include/net/sock.h:1462 [inline]
 (sk_lock-AF_INET){+.+.}, at: [<ffffffff85e04d0d>] kcm_attach net/kcm/kcmsock.c:1390 [inline]
 (sk_lock-AF_INET){+.+.}, at: [<ffffffff85e04d0d>] kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline]
 (sk_lock-AF_INET){+.+.}, at: [<ffffffff85e04d0d>] kcm_ioctl+0x35d/0x1120 net/kcm/kcmsock.c:1701

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (sk_lock-AF_INET){+.+.}:
       lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
       lock_sock_nested+0xbd/0x110 net/core/sock.c:2770
       lock_sock include/net/sock.h:1462 [inline]
       strp_sock_lock+0x2e/0x40 net/strparser/strparser.c:451
       do_strp_work net/strparser/strparser.c:415 [inline]
       strp_work+0x43/0x100 net/strparser/strparser.c:434
       process_one_work+0x863/0x1600 kernel/workqueue.c:2114
       worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
       kthread+0x319/0x430 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #0 ((&strp->work)){+.+.}:
       check_prev_add kernel/locking/lockdep.c:1901 [inline]
       check_prevs_add kernel/locking/lockdep.c:2018 [inline]
       validate_chain kernel/locking/lockdep.c:2460 [inline]
       __lock_acquire+0x2cb3/0x4620 kernel/locking/lockdep.c:3487
       lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
       flush_work+0xae/0x730 kernel/workqueue.c:2887
       __cancel_work_timer+0x2f0/0x480 kernel/workqueue.c:2962
       cancel_work_sync+0x18/0x20 kernel/workqueue.c:2998
       strp_done+0x58/0xe0 net/strparser/strparser.c:519
       kcm_attach net/kcm/kcmsock.c:1429 [inline]
       kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline]
       kcm_ioctl+0x8d9/0x1120 net/kcm/kcmsock.c:1701
       sock_do_ioctl+0x64/0xb0 net/socket.c:974
       sock_ioctl+0x2a6/0x470 net/socket.c:1071
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
       do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET);
                               lock((&strp->work));
                               lock(sk_lock-AF_INET);
  lock((&strp->work));

 *** DEADLOCK ***

1 lock held by syz-executor702/7223:
 #0:  (sk_lock-AF_INET){+.+.}, at: [<ffffffff85e04d0d>] lock_sock include/net/sock.h:1462 [inline]
 #0:  (sk_lock-AF_INET){+.+.}, at: [<ffffffff85e04d0d>] kcm_attach net/kcm/kcmsock.c:1390 [inline]
 #0:  (sk_lock-AF_INET){+.+.}, at: [<ffffffff85e04d0d>] kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline]
 #0:  (sk_lock-AF_INET){+.+.}, at: [<ffffffff85e04d0d>] kcm_ioctl+0x35d/0x1120 net/kcm/kcmsock.c:1701

stack backtrace:
CPU: 1 PID: 7223 Comm: syz-executor702 Not tainted 4.14.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2cb3/0x4620 kernel/locking/lockdep.c:3487
 lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
 flush_work+0xae/0x730 kernel/workqueue.c:2887
 __cancel_work_timer+0x2f0/0x480 kernel/workqueue.c:2962
 cancel_work_sync+0x18/0x20 kernel/workqueue.c:2998
 strp_done+0x58/0xe0 net/strparser/strparser.c:519
 kcm_attach net/kcm/kcmsock.c:1429 [inline]
 kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline]
 kcm_ioctl+0x8d9/0x1120 net/kcm/kcmsock.c:1701
 sock_do_ioctl+0x64/0xb0 net/socket.c:974
 sock_ioctl+0x2a6/0x470 net/socket.c:1071
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440719
RSP: 002b:00007ffcb4582d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440719
RDX: 0000000020000080 RSI: 00000000000089e0 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401fa0
R13: 0000000000402030 R14: 

Crashes (23):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/12/23 05:59 linux-4.14.y e1f7d50ae3a3 8b967267 .config console log report syz C ci2-linux-4-14
2020/01/31 03:16 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/30 14:50 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/30 14:40 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/30 14:40 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/27 00:23 linux-4.14.y 8bac50406cca dd56146d .config console log report ci2-linux-4-14
2020/01/12 14:54 linux-4.14.y 6d0c334a400d 31290a45 .config console log report ci2-linux-4-14
2019/12/24 18:55 linux-4.14.y e1f7d50ae3a3 be5c2c81 .config console log report ci2-linux-4-14
2019/12/23 05:08 linux-4.14.y e1f7d50ae3a3 8b967267 .config console log report ci2-linux-4-14
2019/11/17 23:13 linux-4.14.y 775d01b65b5d d5696d51 .config console log report ci2-linux-4-14
2019/10/31 05:13 linux-4.14.y ddef1e8e3f6e a41ca8fa .config console log report ci2-linux-4-14
2019/10/05 05:32 linux-4.14.y f6e27dbb1afa f3f7d9c8 .config console log report ci2-linux-4-14
2019/10/02 14:48 linux-4.14.y f6e27dbb1afa 2e29b534 .config console log report ci2-linux-4-14
2019/09/29 13:57 linux-4.14.y f6e27dbb1afa c1ad5441 .config console log report ci2-linux-4-14
2019/09/26 04:40 linux-4.14.y f6e27dbb1afa 24d405a3 .config console log report ci2-linux-4-14
2019/09/12 14:36 linux-4.14.y e2cd24b62938 0b7672ee .config console log report ci2-linux-4-14
2019/08/17 19:41 linux-4.14.y 45f092f9e9cb 55bf8926 .config console log report ci2-linux-4-14
2019/08/16 03:37 linux-4.14.y 3ffe1e79c174 faeffb00 .config console log report ci2-linux-4-14
2019/08/10 12:00 linux-4.14.y 3ffe1e79c174 acb51638 .config console log report ci2-linux-4-14
2019/07/30 21:16 linux-4.14.y ff33472c282e 7c7ded69 .config console log report ci2-linux-4-14
2019/07/17 11:41 linux-4.14.y aea8526edf59 0d10349c .config console log report ci2-linux-4-14
2019/04/14 12:56 linux-4.14.y 1ec8f1f0bffe 505ab413 .config console log report ci2-linux-4-14
2019/04/13 05:22 linux-4.14.y 1ec8f1f0bffe c402d8f1 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.