syzbot


possible deadlock in __dev_queue_xmit

Status: auto-closed as invalid on 2019/10/21 21:31
Reported-by: syzbot+4ee152e2fab0df969674@syzkaller.appspotmail.com
First crash: 1980d, last: 1858d
Similar bugs (11)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 possible deadlock in __dev_queue_xmit 4 1799d 1868d 0/3 auto-closed as invalid on 2019/10/25 08:36
upstream possible deadlock in __dev_queue_xmit (3) net C done inconclusive 990 7d13h 1635d 0/26 upstream: reported C repro on 2019/12/03 09:55
linux-4.19 possible deadlock in __dev_queue_xmit C error 5 976d 1395d 0/1 upstream: reported C repro on 2020/07/31 07:05
android-44 possible deadlock in __dev_queue_xmit 14 1635d 1696d 0/2 auto-closed as invalid on 2020/04/02 07:14
linux-6.1 possible deadlock in __dev_queue_xmit 98 219d 332d 0/3 auto-obsoleted due to no activity on 2023/12/28 22:22
linux-4.14 possible deadlock in __dev_queue_xmit 7 1345d 1790d 0/1 auto-closed as invalid on 2021/01/16 21:33
upstream possible deadlock in __dev_queue_xmit net 1 1957d 1957d 0/26 closed as invalid on 2019/03/10 18:51
linux-5.15 possible deadlock in __dev_queue_xmit 113 284d 419d 0/3 auto-obsoleted due to no activity on 2023/10/25 04:56
linux-6.1 possible deadlock in __dev_queue_xmit (2) 7 18d 127d 0/3 upstream: reported on 2024/01/19 16:24
linux-5.15 possible deadlock in __dev_queue_xmit (2) origin:lts-only C done 12 30d 163d 0/3 upstream: reported C repro on 2023/12/15 02:11
upstream possible deadlock in __dev_queue_xmit (2) kernel 2 1770d 1885d 0/26 auto-closed as invalid on 2019/11/19 09:01

Sample crash report:
============================================
WARNING: possible recursive locking detected
4.14.113+ #61 Not tainted
--------------------------------------------
syz-executor.1/16186 is trying to acquire lock:
 (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] spin_lock include/linux/spinlock.h:317 [inline]
 (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] __netif_tx_lock include/linux/netdevice.h:3530 [inline]
 (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] __dev_queue_xmit+0x1127/0x1cd0 net/core/dev.c:3521

but task is already holding lock:
 (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] spin_lock include/linux/spinlock.h:317 [inline]
 (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] __netif_tx_lock include/linux/netdevice.h:3530 [inline]
 (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] __dev_queue_xmit+0x1127/0x1cd0 net/core/dev.c:3521

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(_xmit_TUNNEL6#2);
  lock(_xmit_TUNNEL6#2);

 *** DEADLOCK ***

ip6_tunnel:  xmit: Local address not yet configured!
 May be due to missing lock nesting notation

9 locks held by syz-executor.1/16186:
 #0:  (rcu_read_lock){....}, at: [<000000003e87a303>] skb_dst_set include/linux/skbuff.h:896 [inline]
 #0:  (rcu_read_lock){....}, at: [<000000003e87a303>] rawv6_send_hdrinc net/ipv6/raw.c:671 [inline]
 #0:  (rcu_read_lock){....}, at: [<000000003e87a303>] rawv6_sendmsg+0x1691/0x2b80 net/ipv6/raw.c:935
 #1:  (rcu_read_lock_bh){....}, at: [<00000000331a014a>] ip6_finish_output2+0x173/0x1fa0 net/ipv6/ip6_output.c:70
 #2:  (rcu_read_lock_bh){....}, at: [<000000007fa60437>] __dev_queue_xmit+0x1b3/0x1cd0 net/core/dev.c:3459
 #3:  (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] spin_lock include/linux/spinlock.h:317 [inline]
 #3:  (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] __netif_tx_lock include/linux/netdevice.h:3530 [inline]
 #3:  (_xmit_TUNNEL6#2){+.-.}, at: [<000000004137c28f>] __dev_queue_xmit+0x1127/0x1cd0 net/core/dev.c:3521
 #4:  (rcu_read_lock){....}, at: [<00000000a9c41ecf>] icmpv6_send+0x0/0x1a0 net/ipv6/ip6_icmp.c:31
 #5:  (k-slock-AF_INET6){+...}, at: [<0000000074fa18a9>] spin_trylock include/linux/spinlock.h:327 [inline]
 #5:  (k-slock-AF_INET6){+...}, at: [<0000000074fa18a9>] icmpv6_xmit_lock net/ipv6/icmp.c:119 [inline]
 #5:  (k-slock-AF_INET6){+...}, at: [<0000000074fa18a9>] icmp6_send+0xb5a/0x1cb0 net/ipv6/icmp.c:533
 #6:  (rcu_read_lock){....}, at: [<00000000ae325f27>] icmp6_send+0x10c6/0x1cb0 net/ipv6/icmp.c:568
 #7:  (rcu_read_lock_bh){....}, at: [<00000000331a014a>] ip6_finish_output2+0x173/0x1fa0 net/ipv6/ip6_output.c:70
 #8:  (rcu_read_lock_bh){....}, at: [<000000007fa60437>] __dev_queue_xmit+0x1b3/0x1cd0 net/core/dev.c:3459

stack backtrace:
CPU: 0 PID: 16186 Comm: syz-executor.1 Not tainted 4.14.113+ #61
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_deadlock_bug kernel/locking/lockdep.c:1796 [inline]
 check_deadlock kernel/locking/lockdep.c:1843 [inline]
 validate_chain kernel/locking/lockdep.c:2444 [inline]
 __lock_acquire.cold+0x1da/0xa36 kernel/locking/lockdep.c:3487
ip6_tunnel:  xmit: Local address not yet configured!
kauditd_printk_skb: 240 callbacks suppressed
audit: type=1400 audit(2000000369.080:72494): avc:  denied  { create } for  pid=16190 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(2000000369.110:72495): avc:  denied  { write } for  pid=16190 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(2000000369.110:72496): avc:  denied  { map } for  pid=16194 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
ip6_tunnel:  xmit: Local address not yet configured!
audit: type=1400 audit(2000000369.110:72497): avc:  denied  { map } for  pid=16194 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000369.110:72498): avc:  denied  { read } for  pid=16190 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
audit: type=1400 audit(2000000369.880:72499): avc:  denied  { create } for  pid=16190 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(2000000369.880:72500): avc:  denied  { write } for  pid=16190 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(2000000369.880:72501): avc:  denied  { map } for  pid=16232 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000369.920:72502): avc:  denied  { read } for  pid=16190 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(2000000370.010:72503): avc:  denied  { create } for  pid=16239 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
kauditd_printk_skb: 67 callbacks suppressed
audit: type=1400 audit(2000000374.420:72571): avc:  denied  { create } for  pid=16425 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(2000000374.450:72572): avc:  denied  { map } for  pid=16434 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000374.460:72573): avc:  denied  { write } for  pid=16425 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(2000000374.480:72574): avc:  denied  { map } for  pid=16439 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000374.480:72575): avc:  denied  { map } for  pid=16439 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000374.480:72576): avc:  denied  { map } for  pid=16441 comm="modprobe" path="/etc/ld.so.cache" dev="sda1" ino=2503 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000374.500:72577): avc:  denied  { map } for  pid=16441 comm="modprobe" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1" ino=2784 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000374.540:72578): avc:  denied  { read } for  pid=16425 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(2000000374.640:72579): avc:  denied  { map } for  pid=16451 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(2000000374.650:72580): avc:  denied  { map } for  pid=16451 comm="modprobe" path="/lib/x86_64-linux-gnu/libkmod.so.2.1.3" dev="sda1" ino=2811 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/04/24 21:30 android-4.14 ffa22221c473 8e3c52b1 .config console log report ci-android-414-kasan-gce-root
2019/03/25 12:14 android-4.14 4344de2f79ab 2c86e0a5 .config console log report ci-android-414-kasan-gce-root
2018/12/23 14:22 android-4.14 815e34f802d8 e3bd7ab8 .config console log report ci-android-414-kasan-gce-root