syzbot

 sign-in | mailing list | source | docs
🐞 Open [460]
🐞 Fixed [21]
🐞 Invalid [162]
Missing Backports [18]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

possible deadlock in sch_direct_xmit

Status: upstream: reported on 2025/12/20 08:34
Reported-by: syzbot+d32fd4bb7862c14aa8c6@syzkaller.appspotmail.com
First crash: 75d, last: 14d
Similar bugs (14)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 possible deadlock in sch_direct_xmit (2) origin:lts-only 4 C done 28 286d 786d 0/3 upstream: reported C repro on 2024/01/09 18:28
android-44 possible deadlock in sch_direct_xmit 4 C 240 2283d 2520d 0/2 public: reported C repro on 2019/04/11 08:44
upstream possible deadlock in sch_direct_xmit (2) net 4 C done unreliable 109 962d 2136d 0/29 auto-obsoleted due to no activity on 2024/01/14 06:05
linux-4.19 possible deadlock in sch_direct_xmit (2) 4 C error 15 1104d 1621d 0/1 upstream: reported C repro on 2021/09/26 01:30
upstream possible deadlock in sch_direct_xmit net 4 C done done 1548 2291d 2970d 15/29 fixed on 2020/04/17 19:57
linux-5.15 possible deadlock in sch_direct_xmit (2) origin:lts-only 4 C error 16 21d 742d 0/3 upstream: reported C repro on 2024/02/22 19:25
linux-4.14 possible deadlock in sch_direct_xmit 4 1 2467d 2467d 0/1 auto-closed as invalid on 2019/10/25 08:40
upstream possible deadlock in sch_direct_xmit (4) net 4 1 676d 676d 25/29 fixed on 2024/06/05 13:52
upstream possible deadlock in sch_direct_xmit (5) net 4 C unreliable 1107 15h46m 58d 28/29 upstream: reported C repro on 2026/01/06 17:17
linux-4.14 possible deadlock in sch_direct_xmit (2) 4 1 2301d 2300d 0/1 auto-closed as invalid on 2020/03/15 19:58
linux-4.19 possible deadlock in sch_direct_xmit 4 1 2469d 2469d 0/1 auto-closed as invalid on 2019/10/25 08:50
linux-5.15 possible deadlock in sch_direct_xmit 4 1 1029d 1029d 0/3 auto-obsoleted due to no activity on 2023/08/23 09:09
linux-6.1 possible deadlock in sch_direct_xmit 4 2 1037d 1075d 0/3 auto-obsoleted due to no activity on 2023/08/23 09:10
upstream possible deadlock in sch_direct_xmit (3) net 4 1 752d 752d 25/29 fixed on 2024/04/10 16:40

Sample crash report:
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
kworker/u4:8/3445 is trying to acquire lock:
ffff88807dbe54d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88807dbe54d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
ffff88807dbe54d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: sch_direct_xmit+0x166/0x4c0 net/sched/sch_generic.c:343

but task is already holding lock:
ffff88802d2728d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88802d2728d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
ffff88802d2728d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: sch_direct_xmit+0x166/0x4c0 net/sched/sch_generic.c:343

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&qdisc_xmit_lock_key#3);
  lock(&qdisc_xmit_lock_key#3);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

13 locks held by kworker/u4:8/3445:
 #0: ffff88805c149138 ((wq_completion)bond1#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805c149138 ((wq_completion)bond1#2){+.+.}-{0:0}, at: process_scheduled_works+0x96f/0x15d0 kernel/workqueue.c:2711
 #1: ffffc9000ccc7d00 ((work_completion)(&(&bond->alb_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000ccc7d00 ((work_completion)(&(&bond->alb_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x96f/0x15d0 kernel/workqueue.c:2711
 #2: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #2: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #2: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: bond_alb_monitor+0xf9/0x17e0 drivers/net/bonding/bond_alb.c:1547
 #3: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #3: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
 #3: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x26b/0x36b0 net/core/dev.c:4363
 #4: ffff88805aa87258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #4: ffff88805aa87258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
 #4: ffff88805aa87258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3856 [inline]
 #4: ffff88805aa87258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x126a/0x36b0 net/core/dev.c:4404
 #5: ffff88802d2728d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #5: ffff88802d2728d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
 #5: ffff88802d2728d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: sch_direct_xmit+0x166/0x4c0 net/sched/sch_generic.c:343
 #6: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #6: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #6: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: ip_output+0x60/0x3b0 net/ipv4/ip_output.c:431
 #7: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #7: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #7: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x457/0x11e0 net/ipv4/ip_output.c:228
 #8: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #8: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #8: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: arp_xmit+0x23/0x270 net/ipv4/arp.c:662
 #9: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #9: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
 #9: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x26b/0x36b0 net/core/dev.c:4363
 #10: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #10: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #10: ffffffff8d131fa0 (rcu_read_lock){....}-{1:2}, at: br_dev_xmit+0x196/0x1900 net/bridge/br_device.c:50
 #11: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #11: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
 #11: ffffffff8d132000 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x26b/0x36b0 net/core/dev.c:4363
 #12: ffff88814939e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #12: ffff88814939e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
 #12: ffff88814939e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3856 [inline]
 #12: ffff88814939e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x126a/0x36b0 net/core/dev.c:4404

stack backtrace:
CPU: 1 PID: 3445 Comm: kworker/u4:8 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: bond1 bond_alb_monitor
Call Trace:
 <TASK>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 check_deadlock kernel/locking/lockdep.c:3062 [inline]
 validate_chain kernel/locking/lockdep.c:3856 [inline]
 __lock_acquire+0x5dbc/0x7d40 kernel/locking/lockdep.c:5137
 lock_acquire+0x19e/0x420 kernel/locking/lockdep.c:5754
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 __netif_tx_lock include/linux/netdevice.h:4406 [inline]
 sch_direct_xmit+0x166/0x4c0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:3869 [inline]
 __dev_queue_xmit+0x179c/0x36b0 net/core/dev.c:4404
 dev_queue_xmit include/linux/netdevice.h:3113 [inline]
 br_dev_queue_push_xmit+0x6b3/0x870 net/bridge/br_forward.c:53
 NF_HOOK+0x351/0x3e0 include/linux/netfilter.h:304
 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66
 NF_HOOK+0x351/0x3e0 include/linux/netfilter.h:304
 __br_forward+0x433/0x610 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 maybe_deliver+0xb5/0x150 net/bridge/br_forward.c:191
 br_flood+0x31b/0x670 net/bridge/br_forward.c:237
 br_dev_xmit+0xcc3/0x1900 net/bridge/br_device.c:-1
 __netdev_start_xmit include/linux/netdevice.h:4943 [inline]
 netdev_start_xmit include/linux/netdevice.h:4957 [inline]
 xmit_one net/core/dev.c:3632 [inline]
 dev_hard_start_xmit+0x246/0x740 net/core/dev.c:3648
 __dev_queue_xmit+0x1ac2/0x36b0 net/core/dev.c:4438
 NF_HOOK+0x331/0x3b0 include/linux/netfilter.h:-1
 arp_xmit+0x16c/0x270 net/ipv4/arp.c:664
 arp_solicit+0xc02/0xe40 net/ipv4/arp.c:392
 neigh_probe net/core/neighbour.c:1080 [inline]
 __neigh_event_send+0xed1/0x1440 net/core/neighbour.c:1247
 neigh_event_send_probe include/net/neighbour.h:467 [inline]
 neigh_event_send include/net/neighbour.h:473 [inline]
 neigh_resolve_output+0x19b/0x730 net/core/neighbour.c:1552
 neigh_output include/net/neighbour.h:543 [inline]
 ip_finish_output2+0xd3a/0x11e0 net/ipv4/ip_output.c:235
 NF_HOOK_COND include/linux/netfilter.h:293 [inline]
 ip_output+0x2a1/0x3b0 net/ipv4/ip_output.c:436
 iptunnel_xmit+0x4f0/0x920 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1cbc/0x2410 net/ipv4/ip_tunnel.c:844
 erspan_xmit+0x9c0/0x1440 net/ipv4/ip_gre.c:729
 __netdev_start_xmit include/linux/netdevice.h:4943 [inline]
 netdev_start_xmit include/linux/netdevice.h:4957 [inline]
 xmit_one net/core/dev.c:3632 [inline]
 dev_hard_start_xmit+0x246/0x740 net/core/dev.c:3648
 sch_direct_xmit+0x25e/0x4c0 net/sched/sch_generic.c:345
 __dev_xmit_skb net/core/dev.c:3869 [inline]
 __dev_queue_xmit+0x179c/0x36b0 net/core/dev.c:4404
 dev_queue_xmit include/linux/netdevice.h:3113 [inline]
 alb_send_lp_vid+0x2fc/0x4e0 drivers/net/bonding/bond_alb.c:949
 alb_send_learning_packets+0x12d/0x300 drivers/net/bonding/bond_alb.c:1012
 bond_alb_monitor+0x3d6/0x17e0 drivers/net/bonding/bond_alb.c:1564
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/02/19 10:52 linux-6.6.y 56865d9b7074 746545b8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan possible deadlock in sch_direct_xmit
2025/12/20 08:33 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan possible deadlock in sch_direct_xmit
* Struck through repros no longer work on HEAD.