syzbot


possible deadlock in do_ip_getsockopt

Status: auto-closed as invalid on 2019/02/22 14:29
First crash: 2148d, last: 2112d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream possible deadlock in do_ip_getsockopt netfilter 22 2265d 2270d 4/26 fixed on 2018/02/04 23:45
upstream possible deadlock in do_ip_getsockopt (2) netfilter 206 2243d 2258d 4/26 fixed on 2018/02/26 20:04

Sample crash report:
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready

======================================================
[ INFO: possible circular locking dependency detected ]
4.9.111-g03c70fe #6 Not tainted
-------------------------------------------------------
syz-executor0/14870 is trying to acquire lock:
 (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff833431f7>] lock_sock include/net/sock.h:1404 [inline]
 (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff833431f7>] do_ip_getsockopt+0x167/0x1600 net/ipv4/ip_sockglue.c:1317
but task is already holding lock:
 (rtnl_mutex){+.+.+.}, at: [<ffffffff830b4937>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x870 kernel/locking/mutex.c:621
       rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
       mrtsock_destruct+0x3b/0x1e0 net/ipv4/ipmr.c:1231
       ip_ra_control+0x2c2/0x420 net/ipv4/ip_sockglue.c:360
       do_ip_setsockopt.isra.13+0x15ff/0x2b10 net/ipv4/ip_sockglue.c:1137
       ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1240
       raw_setsockopt+0xb7/0xd0 net/ipv4/raw.c:833
       sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2706
       SYSC_setsockopt net/socket.c:1772 [inline]
       SyS_setsockopt+0x166/0x260 net/socket.c:1751
       do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3019/0x4070 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       lock_sock_nested+0xc6/0x120 net/core/sock.c:2511
       lock_sock include/net/sock.h:1404 [inline]
       do_ip_getsockopt+0x167/0x1600 net/ipv4/ip_sockglue.c:1317
       ip_getsockopt+0x91/0x180 net/ipv4/ip_sockglue.c:1545
       tcp_getsockopt+0x88/0xe0 net/ipv4/tcp.c:3106
       sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:2665
       SYSC_getsockopt net/socket.c:1803 [inline]
       SyS_getsockopt+0x150/0x240 net/socket.c:1785
       do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(sk_lock-AF_INET);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET);

 *** DEADLOCK ***

1 lock held by syz-executor0/14870:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff830b4937>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70

stack backtrace:
CPU: 0 PID: 14870 Comm: syz-executor0 Not tainted 4.9.111-g03c70fe #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a1f17688 ffffffff81eb2729 ffffffff855e7800 ffffffff8559d0a0
 ffffffff855e7800 ffff8801d9b868e8 ffff8801d9b86000 ffff8801a1f176d0
 ffffffff814263a4 0000000000000001 00000000d9b86000 0000000000000001
Call Trace:
 [<ffffffff81eb2729>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb2729>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814263a4>] print_circular_bug.cold.51+0x1bd/0x27d kernel/locking/lockdep.c:1202
 [<ffffffff81239189>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<ffffffff81239189>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<ffffffff81239189>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<ffffffff81239189>] __lock_acquire+0x3019/0x4070 kernel/locking/lockdep.c:3345
 [<ffffffff8123ac50>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff830236a6>] lock_sock_nested+0xc6/0x120 net/core/sock.c:2511
 [<ffffffff833431f7>] lock_sock include/net/sock.h:1404 [inline]
 [<ffffffff833431f7>] do_ip_getsockopt+0x167/0x1600 net/ipv4/ip_sockglue.c:1317
 [<ffffffff83344721>] ip_getsockopt+0x91/0x180 net/ipv4/ip_sockglue.c:1545
 [<ffffffff83364328>] tcp_getsockopt+0x88/0xe0 net/ipv4/tcp.c:3106
 [<ffffffff8301c34a>] sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:2665
 [<ffffffff83019760>] SYSC_getsockopt net/socket.c:1803 [inline]
 [<ffffffff83019760>] SyS_getsockopt+0x150/0x240 net/socket.c:1785
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839f8cd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
FAT-fs (loop0): bogus number of reserved sectors
FAT-fs (loop0): Can't find a valid FAT filesystem
FAT-fs (loop0): bogus number of reserved sectors
FAT-fs (loop0): Can't find a valid FAT filesystem
FAT-fs (loop0): bogus number of reserved sectors
FAT-fs (loop0): Can't find a valid FAT filesystem
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop5): bogus number of reserved sectors
FAT-fs (loop5): Can't find a valid FAT filesystem
FAT-fs (loop7): bogus number of reserved sectors
FAT-fs (loop7): Can't find a valid FAT filesystem
FAT-fs (loop0): bogus number of reserved sectors
FAT-fs (loop0): Can't find a valid FAT filesystem
FAT-fs (loop1): bogus number of reserved sectors
FAT-fs (loop1): Can't find a valid FAT filesystem
FAT-fs (loop7): bogus number of reserved sectors
FAT-fs (loop7): Can't find a valid FAT filesystem
syz-executor2 (15161) used greatest stack depth: 22240 bytes left
syz-executor1 (15186) used greatest stack depth: 22000 bytes left
IPVS: Creating netns size=2536 id=24
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop5): bogus number of reserved sectors
FAT-fs (loop5): Can't find a valid FAT filesystem
FAT-fs (loop1): bogus number of reserved sectors
FAT-fs (loop1): Can't find a valid FAT filesystem
FAT-fs (loop7): bogus number of reserved sectors
FAT-fs (loop7): Can't find a valid FAT filesystem
FAT-fs (loop0): bogus number of reserved sectors
FAT-fs (loop0): Can't find a valid FAT filesystem
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop1): bogus number of reserved sectors
FAT-fs (loop1): Can't find a valid FAT filesystem
FAT-fs (loop5): bogus number of reserved sectors
FAT-fs (loop5): Can't find a valid FAT filesystem
EXT4-fs (sda1): re-mounted. Opts: init_itable=8,,errors=continue
FAT-fs (loop2): bogus number of reserved sectors
EXT4-fs (sda1): re-mounted. Opts: init_itable=8,,errors=continue
FAT-fs (loop2): Can't find a valid FAT filesystem
EXT4-fs (sda1): re-mounted. Opts: init_itable=8,,errors=continue

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/07/05 17:08 https://android.googlesource.com/kernel/common android-4.9 03c70feafdb2 d3b2a0e2 .config console log report ci-android-49-kasan-gce-root
2018/06/17 17:01 https://android.googlesource.com/kernel/common android-4.9 a4230beab30a 27c5f59f .config console log report ci-android-49-kasan-gce-root
2018/05/30 10:59 https://android.googlesource.com/kernel/common android-4.9 7fd40752c316 2f93b54f .config console log report ci-android-49-kasan-gce-root
2018/05/30 07:06 https://android.googlesource.com/kernel/common android-4.9 7fd40752c316 2f93b54f .config console log report ci-android-49-kasan-gce-root
* Struck through repros no longer work on HEAD.