possible deadlock in sch_direct

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-6.1	possible deadlock in sch_direct_xmit (2) origin:lts-only	C		done	19	3d05h	316d	0/3	upstream: reported C repro on 2024/01/09 18:28
android-44	possible deadlock in sch_direct_xmit	C			240	1814d	2051d	0/2	public: reported C repro on 2019/04/11 08:44
upstream	possible deadlock in sch_direct_xmit (2) net	C	done	unreliable	109	493d	1667d	0/28	auto-obsoleted due to no activity on 2024/01/14 06:05
linux-4.19	possible deadlock in sch_direct_xmit (2)	C		error	15	635d	1152d	0/1	upstream: reported C repro on 2021/09/26 01:30
upstream	possible deadlock in sch_direct_xmit net	C	done	done	1548	1822d	2500d	15/28	fixed on 2020/04/17 19:57
linux-5.15	possible deadlock in sch_direct_xmit (2) origin:lts-only	C		error	13	24d	272d	0/3	upstream: reported C repro on 2024/02/22 19:25
linux-4.14	possible deadlock in sch_direct_xmit				1	1998d	1998d	0/1	auto-closed as invalid on 2019/10/25 08:40
upstream	possible deadlock in sch_direct_xmit (4) net				1	207d	207d	25/28	fixed on 2024/06/05 13:52
linux-4.14	possible deadlock in sch_direct_xmit (2)				1	1831d	1831d	0/1	auto-closed as invalid on 2020/03/15 19:58
linux-5.15	possible deadlock in sch_direct_xmit				1	560d	560d	0/3	auto-obsoleted due to no activity on 2023/08/23 09:09
linux-6.1	possible deadlock in sch_direct_xmit				2	567d	606d	0/3	auto-obsoleted due to no activity on 2023/08/23 09:10
upstream	possible deadlock in sch_direct_xmit (3) net				1	283d	283d	25/28	fixed on 2024/04/10 16:40

IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready 8021q: adding VLAN 0 to HW filter on device batadv0 audit: type=1400 audit(1559406269.108:38): avc: denied { associate } for pid=7781 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 ============================================ WARNING: possible recursive locking detected 4.19.47 #19 Not tainted -------------------------------------------- syz-executor.0/8271 is trying to acquire lock: 000000000277713c (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline] 000000000277713c (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3798 [inline] 000000000277713c (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x2de/0xfa0 net/sched/sch_generic.c:325 but task is already holding lock: 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline] 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3798 [inline] 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x2de/0xfa0 net/sched/sch_generic.c:325 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(_xmit_ETHER#2); lock(_xmit_ETHER#2); *** DEADLOCK *** May be due to missing lock nesting notation 9 locks held by syz-executor.0/8271: #0: 00000000d16eb40f (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] #0: 00000000d16eb40f (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2b0/0x1760 net/ipv4/ip_output.c:213 #1: 00000000d16eb40f (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x214/0x3010 net/core/dev.c:3777 #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:339 [inline] #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:130 [inline] #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:119 [inline] #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3452 [inline] #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: __dev_queue_xmit+0x28cf/0x3010 net/core/dev.c:3811 #3: 00000000ff114ac1 (dev->qdisc_running_key ?: &qdisc_running_key){+...}, at: dev_queue_xmit+0x18/0x20 net/core/dev.c:3876 #4: 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline] #4: 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3798 [inline] #4: 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x2de/0xfa0 net/sched/sch_generic.c:325 #5: 00000000d16eb40f (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] #5: 00000000d16eb40f (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2b0/0x1760 net/ipv4/ip_output.c:213 #6: 00000000d16eb40f (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x214/0x3010 net/core/dev.c:3777 #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:339 [inline] #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:130 [inline] #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:119 [inline] #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3452 [inline] #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: __dev_queue_xmit+0x28cf/0x3010 net/core/dev.c:3811 #8: 000000002f6d49b4 (dev->qdisc_running_key ?: &qdisc_running_key){+...}, at: dev_queue_xmit+0x18/0x20 net/core/dev.c:3876 stack backtrace: CPU: 0 PID: 8271 Comm: syz-executor.0 Not tainted 4.19.47 #19 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_deadlock_bug kernel/locking/lockdep.c:1759 [inline] check_deadlock kernel/locking/lockdep.c:1803 [inline] validate_chain kernel/locking/lockdep.c:2399 [inline] __lock_acquire.cold+0x135/0x4a1 kernel/locking/lockdep.c:3411 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:329 [inline] __netif_tx_lock include/linux/netdevice.h:3798 [inline] sch_direct_xmit+0x2de/0xfa0 net/sched/sch_generic.c:325 qdisc_restart net/sched/sch_generic.c:390 [inline] __qdisc_run+0x57f/0x1960 net/sched/sch_generic.c:398 qdisc_run include/net/pkt_sched.h:120 [inline] qdisc_run include/net/pkt_sched.h:117 [inline] __dev_xmit_skb net/core/dev.c:3452 [inline] __dev_queue_xmit+0x228d/0x3010 net/core/dev.c:3811 dev_queue_xmit+0x18/0x20 net/core/dev.c:3876 neigh_resolve_output net/core/neighbour.c:1366 [inline] neigh_resolve_output+0x5b7/0x980 net/core/neighbour.c:1346 neigh_output include/net/neighbour.h:501 [inline] ip_finish_output2+0x93d/0x1760 net/ipv4/ip_output.c:229 ip_do_fragment+0x933/0x2570 net/ipv4/ip_output.c:814 ip_fragment.constprop.0+0x176/0x240 net/ipv4/ip_output.c:550 ip_finish_output+0x5f8/0xd20 net/ipv4/ip_output.c:315 NF_HOOK_COND include/linux/netfilter.h:278 [inline] ip_mc_output+0x298/0xf70 net/ipv4/ip_output.c:390 dst_output include/net/dst.h:444 [inline] ip_local_out+0xbb/0x1b0 net/ipv4/ip_output.c:124 iptunnel_xmit+0x5c5/0x9b0 net/ipv4/ip_tunnel_core.c:91 ip_tunnel_xmit+0x1250/0x36ce net/ipv4/ip_tunnel.c:778 __gre_xmit+0x5e1/0x9a0 net/ipv4/ip_gre.c:450 erspan_xmit+0xa26/0x2b50 net/ipv4/ip_gre.c:759 __netdev_start_xmit include/linux/netdevice.h:4303 [inline] netdev_start_xmit include/linux/netdevice.h:4312 [inline] xmit_one net/core/dev.c:3257 [inline] dev_hard_start_xmit+0x1a5/0x980 net/core/dev.c:3273 sch_direct_xmit+0x370/0xfa0 net/sched/sch_generic.c:327 qdisc_restart net/sched/sch_generic.c:390 [inline] __qdisc_run+0x57f/0x1960 net/sched/sch_generic.c:398 qdisc_run include/net/pkt_sched.h:120 [inline] qdisc_run include/net/pkt_sched.h:117 [inline] __dev_xmit_skb net/core/dev.c:3452 [inline] __dev_queue_xmit+0x228d/0x3010 net/core/dev.c:3811 dev_queue_xmit+0x18/0x20 net/core/dev.c:3876 neigh_resolve_output net/core/neighbour.c:1366 [inline] neigh_resolve_output+0x5b7/0x980 net/core/neighbour.c:1346 neigh_output include/net/neighbour.h:501 [inline] ip_finish_output2+0x93d/0x1760 net/ipv4/ip_output.c:229 ip_do_fragment+0x1d8c/0x2570 net/ipv4/ip_output.c:679 ip_fragment.constprop.0+0x176/0x240 net/ipv4/ip_output.c:550 ip_finish_output+0x5f8/0xd20 net/ipv4/ip_output.c:315 NF_HOOK_COND include/linux/netfilter.h:278 [inline] ip_mc_output+0x298/0xf70 net/ipv4/ip_output.c:390 dst_output include/net/dst.h:444 [inline] ip_local_out+0xbb/0x1b0 net/ipv4/ip_output.c:124 ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1442 udp_send_skb.isra.0+0x6bb/0x11f0 net/ipv4/udp.c:837 udp_sendmsg+0x1e07/0x25f0 net/ipv4/udp.c:1124 inet_sendmsg+0x141/0x5d0 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:632 __sys_sendto+0x262/0x380 net/socket.c:1787 __do_sys_sendto net/socket.c:1799 [inline] __se_sys_sendto net/socket.c:1795 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1795 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x459279 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f73bba6cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000459279 RDX: 00000000000005aa RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000120 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f73bba6d6d4 R13: 00000000004c6d91 R14: 00000000004dbc28 R15: 00000000ffffffff syz-executor.0 (8271) used greatest stack depth: 22432 bytes left kobject: 'loop0' (0000000021632b4c): kobject_uevent_env kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0' kobject: 'loop0' (0000000021632b4c): kobject_uevent_env kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0' kobject: 'loop0' (0000000021632b4c): kobject_uevent_env kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0' IPVS: ftp: loaded support on port[0] = 21 IPVS: ftp: loaded support on port[0] = 21 NET: Registered protocol family 30 Failed to register TIPC socket type IPVS: ftp: loaded support on port[0] = 21 IPVS: ftp: loaded support on port[0] = 21 list_add double add: new=ffffffff892e7630, prev=ffffffff890f3140, next=ffffffff892e7630. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:29! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 8445 Comm: syz-executor.3 Not tainted 4.19.47 #19 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 kobject: 'loop0' (0000000021632b4c): kobject_uevent_env RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29 Code: 56 ff ff ff 4c 89 e1 48 c7 c7 a0 ae 81 87 e8 d0 f3 30 fe 0f 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 e0 af 81 87 e8 b9 f3 30 fe <0f> 0b 48 89 f1 48 c7 c7 60 af 81 87 4c 89 e6 e8 a5 f3 30 fe 0f 0b RSP: 0018:ffff88808791fb88 EFLAGS: 00010282 RAX: 0000000000000058 RBX: ffffffff892e74a0 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff81559f66 RDI: ffffed1010f23f63 RBP: ffff88808791fba0 R08: 0000000000000058 R09: ffffed1015d03ee3 kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0' R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: ffffffff892e7630 R13: ffffffff892e7630 R14: ffffffff892e7630 R15: ffffffff892e75d0 FS: 0000000001c8f940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000a75e58 CR3: 000000007f673000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_add include/linux/list.h:60 [inline] list_add include/linux/list.h:79 [inline] proto_register+0x459/0x8e0 net/core/sock.c:3299 tipc_socket_init+0x1c/0x70 net/tipc/socket.c:3157 tipc_init_net+0x2ed/0x570 net/tipc/core.c:69 ops_init+0xb3/0x410 net/core/net_namespace.c:129 setup_net+0x2d3/0x740 net/core/net_namespace.c:315 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:438 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206 ksys_unshare+0x440/0x980 kernel/fork.c:2525 __do_sys_unshare kernel/fork.c:2593 [inline] __se_sys_unshare kernel/fork.c:2591 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:2591 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45bd47 Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d 8d fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fd 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffcc3d777f8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 000000000075c9a8 RCX: 000000000045bd47 RDX: 0000000000000000 RSI: 00007ffcc3d777a0 RDI: 0000000040000000 RBP: 00000000000000f8 R08: 0000000000000000 R09: 0000000000000005 R10: 0000000000000000 R11: 0000000000000206 R12: 000000000075c9a8 R13: 00007ffcc3d77a68 R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace a22065e820f89287 ]--- RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29 Code: 56 ff ff ff 4c 89 e1 48 c7 c7 a0 ae 81 87 e8 d0 f3 30 fe 0f 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 e0 af 81 87 e8 b9 f3 30 fe <0f> 0b 48 89 f1 48 c7 c7 60 af 81 87 4c 89 e6 e8 a5 f3 30 fe 0f 0b RSP: 0018:ffff88808791fb88 EFLAGS: 00010282 kobject: 'loop0' (0000000021632b4c): kobject_uevent_env RAX: 0000000000000058 RBX: ffffffff892e74a0 RCX: 0000000000000000 kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0' RDX: 0000000000000000 RSI: ffffffff81559f66 RDI: ffffed1010f23f63 RBP: ffff88808791fba0 R08: 0000000000000058 R09: ffffed1015d03ee3 R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: ffffffff892e7630 kobject: 'loop0' (0000000021632b4c): kobject_uevent_env R13: ffffffff892e7630 R14: ffffffff892e7630 R15: ffffffff892e75d0 kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0' FS: 0000000001c8f940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffefcaf3f8c CR3: 000000007f673000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400