vcan0: j1939_tp_rxtimer: 0x00000000ed13d24c: rx timeout, send abort
vcan0: j1939_tp_rxtimer: 0x00000000d1b4c881: rx timeout, send abort
======================================================
WARNING: possible circular locking dependency detected
6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0 Not tainted
------------------------------------------------------
ksoftirqd/1/19 is trying to acquire lock:
ffff0001004f30d0 (&priv->j1939_socks_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:354 [inline]
ffff0001004f30d0 (&priv->j1939_socks_lock){+.-.}-{2:2}, at: j1939_sk_errqueue+0x5c/0xe8 net/can/j1939/socket.c:1081
but task is already holding lock:
ffff0001004f3088 (&priv->active_session_list_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:354 [inline]
ffff0001004f3088 (&priv->active_session_list_lock){+.-.}-{2:2}, at: j1939_session_list_lock net/can/j1939/transport.c:238 [inline]
ffff0001004f3088 (&priv->active_session_list_lock){+.-.}-{2:2}, at: j1939_tp_rxtimer+0x60/0x55c net/can/j1939/transport.c:1246
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&priv->active_session_list_lock){+.-.}-{2:2}:
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x54/0x6c kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:354 [inline]
j1939_session_list_lock net/can/j1939/transport.c:238 [inline]
j1939_session_activate+0x34/0x274 net/can/j1939/transport.c:1559
j1939_sk_queue_activate_next_locked net/can/j1939/socket.c:181 [inline]
j1939_sk_queue_activate_next+0x134/0x200 net/can/j1939/socket.c:208
j1939_session_deactivate_activate_next net/can/j1939/transport.c:1107 [inline]
j1939_session_completed net/can/j1939/transport.c:1220 [inline]
j1939_xtp_rx_dat_one+0x734/0x7ec net/can/j1939/transport.c:1897
j1939_xtp_rx_dat net/can/j1939/transport.c:1935 [inline]
j1939_tp_recv+0x1a4/0x304 net/can/j1939/transport.c:2129
j1939_can_recv+0x33c/0x494 net/can/j1939/main.c:108
deliver net/can/af_can.c:574 [inline]
can_rcv_filter+0x134/0x30c net/can/af_can.c:608
can_receive+0x194/0x26c net/can/af_can.c:665
can_rcv+0x80/0x138 net/can/af_can.c:696
__netif_receive_skb_one_core net/core/dev.c:5485 [inline]
__netif_receive_skb+0x70/0x14c net/core/dev.c:5599
process_backlog+0x23c/0x384 net/core/dev.c:5927
__napi_poll+0x5c/0x24c net/core/dev.c:6511
napi_poll+0x110/0x484 net/core/dev.c:6578
net_rx_action+0x18c/0x40c net/core/dev.c:6689
_stext+0x168/0x37c
____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
call_on_irq_stack+0x2c/0x54
do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84
invoke_softirq+0x70/0xbc kernel/softirq.c:452
__irq_exit_rcu+0xf0/0x140 kernel/softirq.c:650
irq_exit_rcu+0x10/0x40 kernel/softirq.c:662
__el1_irq arch/arm64/kernel/entry-common.c:471 [inline]
el1_interrupt+0x38/0x68 arch/arm64/kernel/entry-common.c:485
el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:490
el1h_64_irq+0x64/0x68
arch_local_irq_enable arch/arm64/include/asm/irqflags.h:35 [inline]
raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
finish_lock_switch+0x9c/0xe8 kernel/sched/core.c:4942
finish_task_switch+0x98/0x270 kernel/sched/core.c:5060
context_switch kernel/sched/core.c:5185 [inline]
__schedule+0x418/0x5a0 kernel/sched/core.c:6494
schedule+0x64/0xa4 kernel/sched/core.c:6570
schedule_timeout+0x64/0x1b4 kernel/time/timer.c:1911
unix_wait_for_peer+0xc0/0x128 net/unix/af_unix.c:1418
unix_dgram_sendmsg+0x75c/0xb34 net/unix/af_unix.c:2009
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0x2f8/0x440 net/socket.c:2482
___sys_sendmsg net/socket.c:2536 [inline]
__sys_sendmmsg+0x228/0x56c net/socket.c:2622
__do_sys_sendmmsg net/socket.c:2651 [inline]
__se_sys_sendmmsg net/socket.c:2648 [inline]
__arm64_sys_sendmmsg+0x30/0x44 net/socket.c:2648
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
el0t_64_sync+0x18c/0x190
-> #1 (&jsk->sk_session_queue_lock){+.-.}-{2:2}:
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x54/0x6c kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:354 [inline]
j1939_sk_queue_drop_all+0x38/0xf8 net/can/j1939/socket.c:139
j1939_sk_netdev_event_netdown+0x94/0xd8 net/can/j1939/socket.c:1275
j1939_netdev_notify+0x80/0x150 net/can/j1939/main.c:372
notifier_call_chain kernel/notifier.c:87 [inline]
raw_notifier_call_chain+0x7c/0x108 kernel/notifier.c:455
__dev_notify_flags+0x170/0x2e8
dev_change_flags+0x78/0x9c net/core/dev.c:8632
do_setlink+0x550/0x17a4 net/core/rtnetlink.c:2780
__rtnl_newlink net/core/rtnetlink.c:3546 [inline]
rtnl_newlink+0x988/0xa04 net/core/rtnetlink.c:3593
rtnetlink_rcv_msg+0x484/0x82c net/core/rtnetlink.c:6090
netlink_rcv_skb+0xe4/0x1d0 net/netlink/af_netlink.c:2501
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6108
netlink_unicast_kernel+0xfc/0x1dc net/netlink/af_netlink.c:1319
netlink_unicast+0x164/0x248 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x484/0x584 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0x2f8/0x440 net/socket.c:2482
___sys_sendmsg net/socket.c:2536 [inline]
__sys_sendmsg+0x1ac/0x228 net/socket.c:2565
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__arm64_sys_sendmsg+0x2c/0x3c net/socket.c:2572
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
el0t_64_sync+0x18c/0x190
-> #0 (&priv->j1939_socks_lock){+.-.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3095 [inline]
check_prevs_add kernel/locking/lockdep.c:3214 [inline]
validate_chain kernel/locking/lockdep.c:3829 [inline]
__lock_acquire+0x1530/0x30a4 kernel/locking/lockdep.c:5053
lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5666
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x54/0x6c kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:354 [inline]
j1939_sk_errqueue+0x5c/0xe8 net/can/j1939/socket.c:1081
__j1939_session_cancel+0x29c/0x2b4 net/can/j1939/transport.c:1130
j1939_tp_rxtimer+0x2b4/0x55c net/can/j1939/transport.c:1255
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x210/0x390 kernel/time/hrtimer.c:1749
hrtimer_run_softirq+0x8c/0x1d8 kernel/time/hrtimer.c:1766
_stext+0x168/0x37c
run_ksoftirqd+0x4c/0x21c kernel/softirq.c:934
smpboot_thread_fn+0x248/0x3e4 kernel/smpboot.c:164
kthread+0x12c/0x158 kernel/kthread.c:376
ret_from_fork+0x10/0x20
other info that might help us debug this:
Chain exists of:
&priv->j1939_socks_lock --> &jsk->sk_session_queue_lock --> &priv->active_session_list_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&priv->active_session_list_lock);
lock(&jsk->sk_session_queue_lock);
lock(&priv->active_session_list_lock);
lock(&priv->j1939_socks_lock);
*** DEADLOCK ***
1 lock held by ksoftirqd/1/19:
#0: ffff0001004f3088 (&priv->active_session_list_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:354 [inline]
#0: ffff0001004f3088 (&priv->active_session_list_lock){+.-.}-{2:2}, at: j1939_session_list_lock net/can/j1939/transport.c:238 [inline]
#0: ffff0001004f3088 (&priv->active_session_list_lock){+.-.}-{2:2}, at: j1939_tp_rxtimer+0x60/0x55c net/can/j1939/transport.c:1246
stack backtrace:
CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call trace:
dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
print_circular_bug+0x2c4/0x2c8 kernel/locking/lockdep.c:2053
check_noncircular+0x14c/0x154 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3095 [inline]
check_prevs_add kernel/locking/lockdep.c:3214 [inline]
validate_chain kernel/locking/lockdep.c:3829 [inline]
__lock_acquire+0x1530/0x30a4 kernel/locking/lockdep.c:5053
lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5666
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x54/0x6c kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:354 [inline]
j1939_sk_errqueue+0x5c/0xe8 net/can/j1939/socket.c:1081
__j1939_session_cancel+0x29c/0x2b4 net/can/j1939/transport.c:1130
j1939_tp_rxtimer+0x2b4/0x55c net/can/j1939/transport.c:1255
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x210/0x390 kernel/time/hrtimer.c:1749
hrtimer_run_softirq+0x8c/0x1d8 kernel/time/hrtimer.c:1766
_stext+0x168/0x37c
run_ksoftirqd+0x4c/0x21c kernel/softirq.c:934
smpboot_thread_fn+0x248/0x3e4 kernel/smpboot.c:164
kthread+0x12c/0x158 kernel/kthread.c:376
ret_from_fork+0x10/0x20
vkms_vblank_simulate: vblank timer overrun
vcan0: j1939_tp_rxtimer: 0x00000000ed13d24c: abort rx timeout. Force session deactivation
vcan0: j1939_tp_rxtimer: 0x00000000d1b4c881: abort rx timeout. Force session deactivation
vcan0: j1939_tp_rxtimer: 0x000000004a64c8f5: rx timeout, send abort
vcan0: j1939_xtp_rx_abort_one: 0x000000004a64c8f5: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
vcan0: j1939_tp_rxtimer: 0x00000000fe4b11e1: rx timeout, send abort
vcan0: j1939_tp_rxtimer: 0x00000000895cd8a5: rx timeout, send abort
vcan0: j1939_tp_rxtimer: 0x00000000fe4b11e1: abort rx timeout. Force session deactivation
vcan0: j1939_tp_rxtimer: 0x00000000895cd8a5: abort rx timeout. Force session deactivation