syzbot


possible deadlock in __dev_queue_xmit

Status: auto-closed as invalid on 2019/10/25 08:36
Reported-by: syzbot+b2264ee620ec30188e63@syzkaller.appspotmail.com
First crash: 2159d, last: 1994d
Similar bugs (12)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream possible deadlock in __dev_queue_xmit (3) net C done inconclusive 1012 148d 1830d 0/28 upstream: reported C repro on 2019/12/03 09:55
linux-4.19 possible deadlock in __dev_queue_xmit C error 5 1171d 1589d 0/1 upstream: reported C repro on 2020/07/31 07:05
android-414 possible deadlock in __dev_queue_xmit 3 2052d 2063d 0/1 auto-closed as invalid on 2019/10/21 21:31
linux-6.1 possible deadlock in __dev_queue_xmit (3) 1 42d 42d 0/3 upstream: reported on 2024/10/25 05:17
android-44 possible deadlock in __dev_queue_xmit 14 1829d 1891d 0/2 auto-closed as invalid on 2020/04/02 07:14
linux-6.1 possible deadlock in __dev_queue_xmit 98 413d 527d 0/3 auto-obsoleted due to no activity on 2023/12/28 22:22
linux-4.14 possible deadlock in __dev_queue_xmit 7 1539d 1984d 0/1 auto-closed as invalid on 2021/01/16 21:33
upstream possible deadlock in __dev_queue_xmit net 1 2152d 2152d 0/28 closed as invalid on 2019/03/10 18:51
linux-5.15 possible deadlock in __dev_queue_xmit 113 478d 614d 0/3 auto-obsoleted due to no activity on 2023/10/25 04:56
linux-6.1 possible deadlock in __dev_queue_xmit (2) 7 212d 322d 0/3 auto-obsoleted due to no activity on 2024/08/16 05:44
linux-5.15 possible deadlock in __dev_queue_xmit (2) origin:lts-only C done 24 1d22h 357d 0/3 upstream: reported C repro on 2023/12/15 02:11
upstream possible deadlock in __dev_queue_xmit (2) kernel 2 1964d 2080d 0/28 auto-closed as invalid on 2019/11/19 09:01

Sample crash report:
=============================================
[ INFO: possible recursive locking detected ]
4.9.182+ #2 Not tainted
---------------------------------------------
syz-executor.2/19284 is trying to acquire lock:
 (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] spin_lock include/linux/spinlock.h:302 [inline]
 (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] __netif_tx_lock include/linux/netdevice.h:3573 [inline]
 (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469
but task is already holding lock:
 (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] spin_lock include/linux/spinlock.h:302 [inline]
 (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] __netif_tx_lock include/linux/netdevice.h:3573 [inline]
 (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469
audit: type=1400 audit(2000001759.158:9428): avc:  denied  { create } for  pid=19266 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(_xmit_TUNNEL6#2);
  lock(_xmit_TUNNEL6#2);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

6 locks held by syz-executor.2/19284:
 #0:  (rcu_read_lock_bh){......}, at: [<00000000d7e08741>] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:198
 #1:  (rcu_read_lock_bh){......}, at: [<00000000fee16af2>] __dev_queue_xmit+0x1d4/0x1bd0 net/core/dev.c:3407
 #2:  (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] spin_lock include/linux/spinlock.h:302 [inline]
 #2:  (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] __netif_tx_lock include/linux/netdevice.h:3573 [inline]
 #2:  (_xmit_TUNNEL6#2){+.-...}, at: [<000000006126ab70>] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469
 #3:  (slock-AF_INET){+.-...}, at: [<00000000fbb65300>] spin_trylock include/linux/spinlock.h:312 [inline]
 #3:  (slock-AF_INET){+.-...}, at: [<00000000fbb65300>] icmp_xmit_lock net/ipv4/icmp.c:220 [inline]
 #3:  (slock-AF_INET){+.-...}, at: [<00000000fbb65300>] __icmp_send+0x48b/0x1420 net/ipv4/icmp.c:656
 #4:  (rcu_read_lock_bh){......}, at: [<00000000d7e08741>] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:198
 #5:  (rcu_read_lock_bh){......}, at: [<00000000fee16af2>] __dev_queue_xmit+0x1d4/0x1bd0 net/core/dev.c:3407

stack backtrace:
CPU: 0 PID: 19284 Comm: syz-executor.2 Not tainted 4.9.182+ #2
 ffff88016d726560 ffffffff81b57e21 ffffffff8424eec0 ffffffff83cceaf0
 ffffffff83cceaf0 58aa530756ef9256 ffff88016256df00 ffff88016d726700
 ffffffff814072d0 0000000000000005 ffff88016256df00 ffff88016d726720
Call Trace:
 [<00000000acad6ac6>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000acad6ac6>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<00000000ecc02d7f>] print_deadlock_bug kernel/locking/lockdep.c:1727 [inline]
 [<00000000ecc02d7f>] check_deadlock kernel/locking/lockdep.c:1771 [inline]
 [<00000000ecc02d7f>] validate_chain kernel/locking/lockdep.c:2249 [inline]
 [<00000000ecc02d7f>] __lock_acquire.cold+0x384/0x734 kernel/locking/lockdep.c:3345
 [<00000000cd4d76d7>] lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3756
 [<00000000b089456c>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<00000000b089456c>] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
 [<000000006126ab70>] spin_lock include/linux/spinlock.h:302 [inline]
 [<000000006126ab70>] __netif_tx_lock include/linux/netdevice.h:3573 [inline]
 [<000000006126ab70>] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469
 [<0000000043b95c85>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
 [<00000000dd0316f4>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1366
 [<0000000075de95db>] dst_neigh_output include/net/dst.h:470 [inline]
 [<0000000075de95db>] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:225
 [<00000000f795c047>] ip_finish_output+0x3c4/0xce0 net/ipv4/ip_output.c:313
 [<000000009f27fe75>] NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 [<000000009f27fe75>] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401
 [<00000000fbc48854>] dst_output include/net/dst.h:507 [inline]
 [<00000000fbc48854>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:124
 [<000000003778c0ba>] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1490
 [<00000000e5b176b7>] ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1510
 [<00000000fce7fe73>] icmp_push_reply+0x39e/0x510 net/ipv4/icmp.c:381
 [<000000001f16d6a2>] __icmp_send+0xad9/0x1420 net/ipv4/icmp.c:728
 [<00000000a1505e6d>] ipv4_send_dest_unreach net/ipv4/route.c:1202 [inline]
 [<00000000a1505e6d>] ipv4_link_failure+0x460/0x850 net/ipv4/route.c:1209
 [<000000005e162650>] dst_link_failure include/net/dst.h:490 [inline]
 [<000000005e162650>] vti6_xmit net/ipv6/ip6_vti.c:522 [inline]
 [<000000005e162650>] vti6_tnl_xmit+0xb08/0x17f0 net/ipv6/ip6_vti.c:561
 [<000000004d70736b>] __netdev_start_xmit include/linux/netdevice.h:4072 [inline]
 [<000000004d70736b>] netdev_start_xmit include/linux/netdevice.h:4081 [inline]
 [<000000004d70736b>] xmit_one net/core/dev.c:2977 [inline]
 [<000000004d70736b>] dev_hard_start_xmit+0x195/0x8b0 net/core/dev.c:2993
 [<00000000f111ad54>] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
 [<0000000043b95c85>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
 [<00000000dd0316f4>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1366
 [<0000000075de95db>] dst_neigh_output include/net/dst.h:470 [inline]
 [<0000000075de95db>] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:225
 [<00000000f795c047>] ip_finish_output+0x3c4/0xce0 net/ipv4/ip_output.c:313
 [<000000009f27fe75>] NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 [<000000009f27fe75>] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401
 [<00000000fbc48854>] dst_output include/net/dst.h:507 [inline]
 [<00000000fbc48854>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:124
 [<000000003778c0ba>] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1490
 [<000000005587ba5c>] udp_send_skb+0x4fc/0xc60 net/ipv4/udp.c:833
 [<000000000f08d41c>] udp_sendmsg+0x1634/0x1c60 net/ipv4/udp.c:1057
 [<000000002a730f63>] udpv6_sendmsg+0x12af/0x2430 net/ipv6/udp.c:1086
 [<00000000adcf8811>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 [<000000006d2a7858>] sock_sendmsg_nosec net/socket.c:649 [inline]
 [<000000006d2a7858>] sock_sendmsg+0xbe/0x110 net/socket.c:659
 [<000000009883150c>] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
 [<00000000f1cf7596>] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
 [<00000000cc872fc8>] SYSC_sendmmsg net/socket.c:2104 [inline]
 [<00000000cc872fc8>] SyS_sendmmsg+0x35/0x60 net/socket.c:2099
 [<00000000a43a18e1>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<00000000ce6ec14f>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/06/22 14:53 https://android.googlesource.com/kernel/common android-4.9 b9dc7bb832a3 34bf9440 .config console log report ci-android-49-kasan-gce-root
2019/04/23 18:02 https://android.googlesource.com/kernel/common android-4.9 1ef64dae6217 53199d6e .config console log report ci-android-49-kasan-gce-root
2019/03/27 11:58 https://android.googlesource.com/kernel/common android-4.9 e8bdeec66d86 55684ce1 .config console log report ci-android-49-kasan-gce-root
2019/01/08 01:38 https://android.googlesource.com/kernel/common android-4.9 043c92bd0517 69d69aa9 .config console log report ci-android-49-kasan-gce-root