syzbot


possible deadlock in __dev_queue_xmit

Status: auto-closed as invalid on 2020/04/02 07:14
Reported-by: syzbot+0cb168d6acea702fb8ae@syzkaller.appspotmail.com
First crash: 1720d, last: 1658d
Similar bugs (11)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
android-49 | possible deadlock in __dev_queue_xmit | | | | 4 | 1823d | 1892d | 0/3 | auto-closed as invalid on 2019/10/25 08:36
upstream | possible deadlock in __dev_queue_xmit (3) net | C | done | inconclusive | 992 | 3d22h | 1659d | 0/27 | upstream: reported C repro on 2019/12/03 09:55
linux-4.19 | possible deadlock in __dev_queue_xmit | C | error | | 5 | 1000d | 1418d | 0/1 | upstream: reported C repro on 2020/07/31 07:05
android-414 | possible deadlock in __dev_queue_xmit | | | | 3 | 1881d | 1892d | 0/1 | auto-closed as invalid on 2019/10/21 21:31
linux-6.1 | possible deadlock in __dev_queue_xmit | | | | 98 | 242d | 356d | 0/3 | auto-obsoleted due to no activity on 2023/12/28 22:22
linux-4.14 | possible deadlock in __dev_queue_xmit | | | | 7 | 1368d | 1813d | 0/1 | auto-closed as invalid on 2021/01/16 21:33
upstream | possible deadlock in __dev_queue_xmit net | | | | 1 | 1981d | 1981d | 0/27 | closed as invalid on 2019/03/10 18:51
linux-5.15 | possible deadlock in __dev_queue_xmit | | | | 113 | 307d | 443d | 0/3 | auto-obsoleted due to no activity on 2023/10/25 04:56
linux-6.1 | possible deadlock in __dev_queue_xmit (2) | | | | 7 | 41d | 151d | 0/3 | upstream: reported on 2024/01/19 16:24
linux-5.15 | possible deadlock in __dev_queue_xmit (2) origin:lts-only | C | done | | 12 | 54d | 186d | 0/3 | upstream: reported C repro on 2023/12/15 02:11
upstream | possible deadlock in __dev_queue_xmit (2) kernel | | | | 2 | 1793d | 1909d | 0/27 | auto-closed as invalid on 2019/11/19 09:01

Sample crash report:
=============================================
[ INFO: possible recursive locking detected ]
4.4.174+ #4 Not tainted
---------------------------------------------
syz-executor.0/24599 is trying to acquire lock:
 (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] spin_lock include/linux/spinlock.h:302 [inline]
 (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
 (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] __dev_queue_xmit+0x1439/0x1bb0 net/core/dev.c:3225

but task is already holding lock:
 (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] spin_lock include/linux/spinlock.h:302 [inline]
 (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
 (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] __dev_queue_xmit+0x1439/0x1bb0 net/core/dev.c:3225

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(_xmit_TUNNEL6#2);
  lock(_xmit_TUNNEL6#2);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

10 locks held by syz-executor.0/24599:
 #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff824a8414>] lock_sock include/net/sock.h:1497 [inline]
 #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff824a8414>] inet_stream_connect+0x44/0xa0 net/ipv4/af_inet.c:675
 #1:  (rcu_read_lock){......}, at: [<ffffffff826660e8>] inet6_csk_xmit+0x108/0x4b0 net/ipv6/inet6_connection_sock.c:163
 #2:  (rcu_read_lock_bh){......}, at: [<ffffffff8259f091>] ip6_finish_output2+0x1e1/0x1dc0 net/ipv6/ip6_output.c:71
 #3:  (rcu_read_lock_bh){......}, at: [<ffffffff82245f57>] __dev_queue_xmit+0x1d7/0x1bb0 net/core/dev.c:3161
 #4:  (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] spin_lock include/linux/spinlock.h:302 [inline]
 #4:  (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
 #4:  (_xmit_TUNNEL6#2){+.-...}, at: [<ffffffff822471b9>] __dev_queue_xmit+0x1439/0x1bb0 net/core/dev.c:3225
 #5:  (rcu_read_lock){......}, at: [<ffffffff826be400>] icmpv6_send+0x0/0x1b0 net/ipv6/ip6_icmp.c:30
 #6:  (slock-AF_INET6){+.-...}, at: [<ffffffff8262191d>] spin_trylock include/linux/spinlock.h:312 [inline]
 #6:  (slock-AF_INET6){+.-...}, at: [<ffffffff8262191d>] icmpv6_xmit_lock net/ipv6/icmp.c:120 [inline]
 #6:  (slock-AF_INET6){+.-...}, at: [<ffffffff8262191d>] icmp6_send+0x7bd/0x1b40 net/ipv6/icmp.c:485
 #7:  (rcu_read_lock){......}, at: [<ffffffff826220a4>] icmp6_send+0xf44/0x1b40 net/ipv6/icmp.c:517
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
 #8:  (rcu_read_lock_bh){......}, at: [<ffffffff8259f091>] ip6_finish_output2+0x1e1/0x1dc0 net/ipv6/ip6_output.c:71
 #9:  (rcu_read_lock_bh){......}, at: [<ffffffff82245f57>] __dev_queue_xmit+0x1d7/0x1bb0 net/core/dev.c:3161

stack backtrace:
CPU: 1 PID: 24599 Comm: syz-executor.0 Not tainted 4.4.174+ #4
 0000000000000000 8ad85cf559446a3c ffff8800b654e3d0 ffffffff81aad1a1
 ffffffff84057a80 ffff88018e28af80 ffffffff83ad5be0 ffff88018e28b8e8
 ffff88018e28b908 ffff8800b654e558 ffffffff813ad6ff 0000000000000000
Call Trace:
 [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff813ad6ff>] print_deadlock_bug kernel/locking/lockdep.c:1752 [inline]
 [<ffffffff813ad6ff>] check_deadlock kernel/locking/lockdep.c:1796 [inline]
 [<ffffffff813ad6ff>] validate_chain kernel/locking/lockdep.c:2128 [inline]
 [<ffffffff813ad6ff>] __lock_acquire.cold+0x118/0x592 kernel/locking/lockdep.c:3213
 [<ffffffff81205f6e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [<ffffffff82717c98>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<ffffffff82717c98>] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
 [<ffffffff822471b9>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff822471b9>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
 [<ffffffff822471b9>] __dev_queue_xmit+0x1439/0x1bb0 net/core/dev.c:3225
 [<ffffffff82247948>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
 [<ffffffff8225c136>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369
 [<ffffffff8259f877>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff8259f877>] ip6_finish_output2+0x9c7/0x1dc0 net/ipv6/ip6_output.c:113
 [<ffffffff825b0203>] ip6_finish_output+0x2f3/0x750 net/ipv6/ip6_output.c:131
 [<ffffffff825b0814>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff825b0814>] ip6_output+0x1b4/0x520 net/ipv6/ip6_output.c:145
 [<ffffffff826bf66c>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff826bf66c>] ip6_local_out+0x9c/0x180 net/ipv6/output_core.c:169
 [<ffffffff825b28c2>] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1725
 [<ffffffff825b2c1b>] ip6_push_pending_frames+0xbb/0xe0 net/ipv6/ip6_output.c:1745
 [<ffffffff82620f66>] icmpv6_push_pending_frames+0x336/0x530 net/ipv6/icmp.c:276
 [<ffffffff82622666>] icmp6_send+0x1506/0x1b40 net/ipv6/icmp.c:537
 [<ffffffff826be4b1>] icmpv6_send+0xb1/0x1b0 net/ipv6/ip6_icmp.c:42
 [<ffffffff825ec65d>] ip6_link_failure+0x2d/0x3e0 net/ipv6/route.c:1313
 [<ffffffff826b164a>] dst_link_failure include/net/dst.h:481 [inline]
 [<ffffffff826b164a>] ip6_tnl_xmit2+0x4da/0x2320 net/ipv6/ip6_tunnel.c:1089
 [<ffffffff826b4a25>] ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1193 [inline]
 [<ffffffff826b4a25>] ip6_tnl_xmit+0x5d5/0xe00 net/ipv6/ip6_tunnel.c:1215
 [<ffffffff82245071>] __netdev_start_xmit include/linux/netdevice.h:3750 [inline]
 [<ffffffff82245071>] netdev_start_xmit include/linux/netdevice.h:3759 [inline]
 [<ffffffff82245071>] xmit_one net/core/dev.c:2781 [inline]
 [<ffffffff82245071>] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797
 [<ffffffff822473cb>] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229
 [<ffffffff82247948>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
 [<ffffffff8225c136>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369
 [<ffffffff8259f877>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff8259f877>] ip6_finish_output2+0x9c7/0x1dc0 net/ipv6/ip6_output.c:113
 [<ffffffff825b0203>] ip6_finish_output+0x2f3/0x750 net/ipv6/ip6_output.c:131
 [<ffffffff825b0814>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff825b0814>] ip6_output+0x1b4/0x520 net/ipv6/ip6_output.c:145
 [<ffffffff825a8df6>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff825a8df6>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff825a8df6>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff825a8df6>] ip6_xmit+0xc76/0x1a60 net/ipv6/ip6_output.c:240
audit: type=1400 audit(1575443586.719:1264): avc:  denied  { create } for  pid=24640 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1575443586.719:1265): avc:  denied  { create } for  pid=24640 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
 [<ffffffff8266622c>] inet6_csk_xmit+0x24c/0x4b0 net/ipv6/inet6_connection_sock.c:176
 [<ffffffff82431dd4>] __tcp_transmit_skb+0x1904/0x2cf0 net/ipv4/tcp_output.c:1034
SELinux:  policydb magic number 0x0 does not match expected magic number 0xf97cff8c
 [<ffffffff8243a4ed>] tcp_transmit_skb net/ipv4/tcp_output.c:1047 [inline]
 [<ffffffff8243a4ed>] tcp_connect+0x223d/0x31b0 net/ipv4/tcp_output.c:3295
 [<ffffffff82646631>] tcp_v6_connect+0x1391/0x1b30 net/ipv6/tcp_ipv6.c:294
 [<ffffffff824a7a2f>] __inet_stream_connect+0x2cf/0xc70 net/ipv4/af_inet.c:615
SELinux:  policydb magic number 0x0 does not match expected magic number 0xf97cff8c
 [<ffffffff824a8425>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:676
 [<ffffffff821dbd05>] SYSC_connect net/socket.c:1570 [inline]
 [<ffffffff821dbd05>] SyS_connect+0x1a5/0x2e0 net/socket.c:1551
 [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Crashes (14):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2019/12/04 07:13 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | ae13a849 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/12/03 07:23 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | ab342da3 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/11/30 14:17 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | 3a75be00 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/11/24 06:42 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | 598ca6c8 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/11/20 13:03 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | f4b7ed07 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/11/18 01:23 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | d5696d51 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/11/10 05:07 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | dc438b91 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/10/24 16:58 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | d01bb02a | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/10/20 10:03 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | 8c88c9c1 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/10/19 16:56 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | 8c88c9c1 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/10/15 19:02 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | b5268b89 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/10/15 13:28 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | b5268b89 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/10/11 09:41 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | 1a3bad90 | .config | console log | report | | | | | ci-android-44-kasan-gce |
2019/10/03 16:23 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | fc17ba49 | .config | console log | report | | | | | ci-android-44-kasan-gce-386 |