syzbot


possible deadlock in __unix_dgram_recvmsg (2)

Status: fixed on 2024/03/29 01:33
Subsystems: net
Fix commit: 56667da7399e net: implement lockless setsockopt(SO_PEEK_OFF)
First crash: 70d, last: 67d
Similar bugs (1):
  Kernel:       upstream
  Title:        possible deadlock in __unix_dgram_recvmsg
  Subsystems:   net
  Repro:        syz
  Cause bisect: unreliable
  Fix bisect:   unreliable
  Count:        11
  Last:         999d
  Reported:     1015d
  Patched:      0/26
  Status:       closed as invalid on 2021/10/04 21:06

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
6.8.0-rc5-syzkaller #0 Not tainted
------------------------------------------------------
udevd/4517 is trying to acquire lock:
ffff88807db5c930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]
ffff88807db5c930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415

but task is already holding lock:
ffff88807db5cd80 (&u->iolock){+.+.}-{3:3}, at: __unix_dgram_recvmsg+0x251/0x12c0 net/unix/af_unix.c:2378

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&u->iolock){+.+.}-{3:3}:
       lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
       sk_setsockopt+0x2080/0x3360
       do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307
       __sys_setsockopt+0x1ad/0x250 net/socket.c:2334
       __do_sys_setsockopt net/socket.c:2343 [inline]
       __se_sys_setsockopt net/socket.c:2340 [inline]
       __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
       do_syscall_64+0xfb/0x240
       entry_SYSCALL_64_after_hwframe+0x6f/0x77

-> #0 (sk_lock-AF_UNIX){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
       __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
       lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
       lock_sock_nested+0x48/0x100 net/core/sock.c:3524
       lock_sock include/net/sock.h:1691 [inline]
       __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415
       sock_recvmsg_nosec net/socket.c:1046 [inline]
       sock_recvmsg+0x231/0x280 net/socket.c:1068
       ____sys_recvmsg+0x1db/0x470 net/socket.c:2803
       ___sys_recvmsg net/socket.c:2845 [inline]
       __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2875
       do_syscall_64+0xfb/0x240
       entry_SYSCALL_64_after_hwframe+0x6f/0x77

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&u->iolock);
                               lock(sk_lock-AF_UNIX);
                               lock(&u->iolock);
  lock(sk_lock-AF_UNIX);

 *** DEADLOCK ***

1 lock held by udevd/4517:
 #0: ffff88807db5cd80 (&u->iolock){+.+.}-{3:3}, at: __unix_dgram_recvmsg+0x251/0x12c0 net/unix/af_unix.c:2378

stack backtrace:
CPU: 0 PID: 4517 Comm: udevd Not tainted 6.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
 check_prev_add kernel/locking/lockdep.c:3134 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
 __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
 lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
 lock_sock_nested+0x48/0x100 net/core/sock.c:3524
 lock_sock include/net/sock.h:1691 [inline]
 __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x231/0x280 net/socket.c:1068
 ____sys_recvmsg+0x1db/0x470 net/socket.c:2803
 ___sys_recvmsg net/socket.c:2845 [inline]
 __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2875
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f9f74d2491e
Code: ff 89 ef 48 89 04 24 e8 4f 57 f9 ff 48 8b 04 24 48 83 c4 30 5d c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 21 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 70 48 8b 15 db c4 0c 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fff9edeead8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f9f74d2491e
RDX: 0000000000000040 RSI: 00007fff9edeeba0 RDI: 0000000000000009
RBP: 00007fff9edeeba0 R08: 0000000039a3f938 R09: 00007fff9edf30b0
R10: 00007fff9edf3080 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000200000001 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Crashes (3):
Time              Kernel    Commit        Syzkaller  Syz repro  C repro  Manager                     Title
2024/02/19 08:23  upstream  b401b621758e  578f7538   -          -        ci-upstream-kasan-gce-root  possible deadlock in __unix_dgram_recvmsg
2024/02/19 04:13  upstream  b401b621758e  578f7538   -          -        ci-upstream-kasan-gce-root  possible deadlock in __unix_dgram_recvmsg
2024/02/16 18:33  upstream  4f5e5092fdbf  578f7538   -          -        ci-upstream-kasan-gce-root  possible deadlock in __unix_dgram_recvmsg