syzbot


possible deadlock in __dev_xmit_skb (2)

Status: closed as invalid on 2023/03/21 17:14
Subsystems: net
First crash: 480d, last: 480d
Similar bugs (1):
Kernel: upstream
Title: possible deadlock in __dev_xmit_skb
Subsystems: net
Repro: -
Cause bisect: -
Fix bisect: -
Count: 1
Last: 602d
Reported: 602d
Patched: 0/26
Status: closed as invalid on 2022/11/15 21:20

Sample crash report:
============================================
WARNING: possible recursive locking detected
6.2.0-rc2-syzkaller-16046-gae87308093bc #0 Not tainted
--------------------------------------------
syz-executor280/4468 is trying to acquire lock:
ffff0000cc7fa218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
ffff0000cc7fa218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb+0x724/0x928 net/core/dev.c:3840

but task is already holding lock:
ffff0000cbf02258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:360 [inline]
ffff0000cbf02258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:187 [inline]
ffff0000cbf02258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb+0x320/0x928 net/core/dev.c:3797

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(dev->qdisc_tx_busylock ?: &qdisc_tx_busylock);
  lock(dev->qdisc_tx_busylock ?: &qdisc_tx_busylock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

8 locks held by syz-executor280/4468:
 #0: ffff80000d635520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:324
 #1: ffff80000d635548 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:324
 #2: ffff80000d635548 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:324
 #3: ffff80000d635548 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:324
 #4: ffff0000cbf02258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:360 [inline]
 #4: ffff0000cbf02258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:187 [inline]
 #4: ffff0000cbf02258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb+0x320/0x928 net/core/dev.c:3797
 #5: ffff0000cd0142d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
 #5: ffff0000cd0142d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4316 [inline]
 #5: ffff0000cd0142d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0xcc/0x324 net/sched/sch_generic.c:340
 #6: ffff80000d635548 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:324
 #7: ffff80000d635548 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:324

stack backtrace:
CPU: 1 PID: 4468 Comm: syz-executor280 Not tainted 6.2.0-rc2-syzkaller-16046-gae87308093bc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 __lock_acquire+0x808/0x3084
 lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5668
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:350 [inline]
 __dev_xmit_skb+0x724/0x928 net/core/dev.c:3840
 __dev_queue_xmit+0x414/0xdb8 net/core/dev.c:4215
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_hh_output include/net/neighbour.h:530 [inline]
 neigh_output include/net/neighbour.h:544 [inline]
 ip_finish_output2+0x670/0x818 net/ipv4/ip_output.c:228
 __ip_finish_output+0x108/0x29c
 ip_finish_output+0x168/0x188 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0x1d4/0x234 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xc0/0xf0 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x194/0x314 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1180/0x1328 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 erspan_xmit+0x32c/0x3c0 net/ipv4/ip_gre.c:715
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one net/core/dev.c:3583 [inline]
 dev_hard_start_xmit+0xd4/0x1ec net/core/dev.c:3599
 sch_direct_xmit+0x150/0x324 net/sched/sch_generic.c:342
 __dev_xmit_skb+0x50c/0x928 net/core/dev.c:3810
 __dev_queue_xmit+0x414/0xdb8 net/core/dev.c:4215
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 neigh_hh_output include/net/neighbour.h:530 [inline]
 neigh_output include/net/neighbour.h:544 [inline]
 ip_finish_output2+0x670/0x818 net/ipv4/ip_output.c:228
 __ip_finish_output+0x108/0x29c
 ip_finish_output+0x168/0x188 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_mc_output+0x378/0x3d8 net/ipv4/ip_output.c:415
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xc0/0xf0 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x194/0x314 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1180/0x1328 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x348/0x3f0 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4865 [inline]
 netdev_start_xmit include/linux/netdevice.h:4879 [inline]
 xmit_one net/core/dev.c:3583 [inline]
 dev_hard_start_xmit+0xd4/0x1ec net/core/dev.c:3599
 __dev_queue_xmit+0x83c/0xdb8 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3035 [inline]
 __bpf_tx_skb net/core/filter.c:2117 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2147 [inline]
 __bpf_redirect+0x420/0x6dc net/core/filter.c:2170
 ____bpf_clone_redirect net/core/filter.c:2437 [inline]
 bpf_clone_redirect+0xc4/0x11c net/core/filter.c:2409
 bpf_prog_bebbfe2050753572+0x90/0xc8
 bpf_dispatcher_nop_func include/linux/bpf.h:1082 [inline]
 __bpf_prog_run include/linux/filter.h:600 [inline]
 bpf_prog_run include/linux/filter.h:607 [inline]
 bpf_test_run+0x1a8/0x420 net/bpf/test_run.c:402
 bpf_prog_test_run_skb+0x45c/0x63c net/bpf/test_run.c:1187
 bpf_prog_test_run+0x1d4/0x210 kernel/bpf/syscall.c:3644
 __sys_bpf+0x36c/0x5fc kernel/bpf/syscall.c:4997
 __do_sys_bpf kernel/bpf/syscall.c:5083 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5081 [inline]
 __arm64_sys_bpf+0x2c/0x40 kernel/bpf/syscall.c:5081
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584

Crashes (1):
Time: 2023/01/08 21:24
Kernel: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
Commit: ae87308093bc
Syzkaller: 1dac8c7a
Config: .config
Log: console log
Report: report
Syz repro: syz
C repro: C
VM info: -
Assets: [disk image] [vmlinux] [kernel image]
Manager: ci-upstream-gce-arm64
Title: possible deadlock in __dev_xmit_skb
* Struck through repros no longer work on HEAD.