ci2 starts bisection 2023-04-09 15:36:02.013246175 +0000 UTC m=+153493.021586673
bisecting fixing commit since d9b4a0c83a2d405dd85bf32d672686146b9bedff
building syzkaller on f08b59ac0d8759f409d594ddca4f08c920e23237
ensuring issue is reproducible on original commit d9b4a0c83a2d405dd85bf32d672686146b9bedff

testing commit d9b4a0c83a2d405dd85bf32d672686146b9bedff gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9f11b24ee637fb2ea9fffd15c16685c9b8227f4fd864f1873e8923b608b413b3
all runs: crashed: possible deadlock in l2tp_tunnel_register
testing current HEAD d86dfc4d95cd218246b10ca7adf22c8626547599
testing commit d86dfc4d95cd218246b10ca7adf22c8626547599 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 078c8afabdef82aaba7569d79dcae6917274044aaa8eb148bacfc8cecf2e01de
all runs: OK
# git bisect start d86dfc4d95cd218246b10ca7adf22c8626547599 d9b4a0c83a2d405dd85bf32d672686146b9bedff
Bisecting: 605 revisions left to test after this (roughly 9 steps)
[a27e95a6ff3fd633422ca44c6d571ef84392f5b8] um: virt-pci: properly remove PCI device from bus
testing commit a27e95a6ff3fd633422ca44c6d571ef84392f5b8 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 28deed920255a59bd6df31c6f187f0cb9020128a38d0a941211bcb3bcdca3d4a
all runs: OK
# git bisect bad a27e95a6ff3fd633422ca44c6d571ef84392f5b8
Bisecting: 302 revisions left to test after this (roughly 8 steps)
[b1cdf1113e21a8e5e7f814376ca9a2ac03ca311e] firmware: stratix10-svc: add missing gen_pool_destroy() in stratix10_svc_drv_probe()
testing commit b1cdf1113e21a8e5e7f814376ca9a2ac03ca311e gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5f812e6bb8b94b5d73f856436a322b9e2d00453ab24de593859feb859f79a4d5
all runs: OK
# git bisect bad b1cdf1113e21a8e5e7f814376ca9a2ac03ca311e
Bisecting: 151 revisions left to test after this (roughly 7 steps)
[74fe2bf6746e27f37eb9991bffc53ce37c29250e] ACPI: resource: Do IRQ override on all TongFang GMxRGxx
testing commit 74fe2bf6746e27f37eb9991bffc53ce37c29250e gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7ee388b8af2d5a356bb67eab0724351db7c0d74b949981573d2cda7d9d3a47c2
all runs: crashed: possible deadlock in l2tp_tunnel_register
# git bisect good 74fe2bf6746e27f37eb9991bffc53ce37c29250e
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[9cd1a9b7de20f28fb8fbea0295142db29e34692c] ASoC: dt-bindings: meson: fix gx-card codec node regex
testing commit 9cd1a9b7de20f28fb8fbea0295142db29e34692c gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 376efb20e7cdd6e6964ad9fd09725bf758d51d6be393785549c4fd7d6bddaca7
all runs: OK
# git bisect bad 9cd1a9b7de20f28fb8fbea0295142db29e34692c
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[399d01375659c273fb6ad9ccfb6e92bc5b891e0d] drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()
testing commit 399d01375659c273fb6ad9ccfb6e92bc5b891e0d gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f4a1706b210523bb741cde3116e9be379e4127fdf3da1ec76a0eef4f2c76d43c
all runs: OK
# git bisect bad 399d01375659c273fb6ad9ccfb6e92bc5b891e0d
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[1f9836f95271e7acf016667eee0aeae3386f9645] drm/vkms: Fix null-ptr-deref in vkms_release()
testing commit 1f9836f95271e7acf016667eee0aeae3386f9645 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f4a1706b210523bb741cde3116e9be379e4127fdf3da1ec76a0eef4f2c76d43c
all runs: OK
# git bisect bad 1f9836f95271e7acf016667eee0aeae3386f9645
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[f6df58aa15f7d469f69b1dd21b001ff483255244] l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
testing commit f6df58aa15f7d469f69b1dd21b001ff483255244 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8e5b88fc18387540ddedb51cdb886c38a43cbc1ed744cf450362da8aa0518650
all runs: OK
# git bisect bad f6df58aa15f7d469f69b1dd21b001ff483255244
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[bfc344d1e78c55d4f85724e96fc20d4907484614] can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error
testing commit bfc344d1e78c55d4f85724e96fc20d4907484614 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8c0d34e2174cbb6d8b6bd02be19df95058a23a8d84736ea2e92396eb2e5624f2
all runs: crashed: possible deadlock in l2tp_tunnel_register
# git bisect good bfc344d1e78c55d4f85724e96fc20d4907484614
Bisecting: 2 revisions left to test after this (roughly 1 step)
[3a413b05c66ef3aa031d3c08794e7189b0db9b77] irqchip/irq-brcmstb-l2: Set IRQ_LEVEL for level triggered interrupts
testing commit 3a413b05c66ef3aa031d3c08794e7189b0db9b77 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 826061e8653690a6764940d36f5bae38936b5b50d162081a50849124fd155b03
all runs: crashed: possible deadlock in l2tp_tunnel_register
# git bisect good 3a413b05c66ef3aa031d3c08794e7189b0db9b77
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f7854541b02e9c69c097aa6dee8cc9090fad4b1c] selftests/net: Interpret UDP_GRO cmsg data as an int value
testing commit f7854541b02e9c69c097aa6dee8cc9090fad4b1c gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 826061e8653690a6764940d36f5bae38936b5b50d162081a50849124fd155b03
all runs: crashed: possible deadlock in l2tp_tunnel_register
# git bisect good f7854541b02e9c69c097aa6dee8cc9090fad4b1c
f6df58aa15f7d469f69b1dd21b001ff483255244 is the first bad commit
commit f6df58aa15f7d469f69b1dd21b001ff483255244
Author: Shigeru Yoshida
Date:   Fri Feb 17 01:37:10 2023 +0900

    l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()

    [ Upstream commit 9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac ]

    When a file descriptor of pppol2tp socket is passed as file descriptor
    of UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().
    This situation is reproduced by the following program:

    int main(void)
    {
        int sock;
        struct sockaddr_pppol2tp addr;

        sock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
        if (sock < 0) {
            perror("socket");
            return 1;
        }

        addr.sa_family = AF_PPPOX;
        addr.sa_protocol = PX_PROTO_OL2TP;
        addr.pppol2tp.pid = 0;
        addr.pppol2tp.fd = sock;
        addr.pppol2tp.addr.sin_family = PF_INET;
        addr.pppol2tp.addr.sin_port = htons(0);
        addr.pppol2tp.addr.sin_addr.s_addr = inet_addr("192.168.0.1");
        addr.pppol2tp.s_tunnel = 1;
        addr.pppol2tp.s_session = 0;
        addr.pppol2tp.d_tunnel = 0;
        addr.pppol2tp.d_session = 0;

        if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {
            perror("connect");
            return 1;
        }

        return 0;
    }

    This program causes the following lockdep warning:

     ============================================
     WARNING: possible recursive locking detected
     6.2.0-rc5-00205-gc96618275234 #56 Not tainted
     --------------------------------------------
     repro/8607 is trying to acquire lock:
     ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0

     but task is already holding lock:
     ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30

     other info that might help us debug this:
      Possible unsafe locking scenario:

            CPU0
            ----
       lock(sk_lock-AF_PPPOX);
       lock(sk_lock-AF_PPPOX);

      *** DEADLOCK ***

      May be due to missing lock nesting notation

     1 lock held by repro/8607:
      #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30

     stack backtrace:
     CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
     Call Trace:
      dump_stack_lvl+0x100/0x178
      __lock_acquire.cold+0x119/0x3b9
      ? lockdep_hardirqs_on_prepare+0x410/0x410
      lock_acquire+0x1e0/0x610
      ? l2tp_tunnel_register+0x2b7/0x11c0
      ? lock_downgrade+0x710/0x710
      ? __fget_files+0x283/0x3e0
      lock_sock_nested+0x3a/0xf0
      ? l2tp_tunnel_register+0x2b7/0x11c0
      l2tp_tunnel_register+0x2b7/0x11c0
      ? sprintf+0xc4/0x100
      ? l2tp_tunnel_del_work+0x6b0/0x6b0
      ? debug_object_deactivate+0x320/0x320
      ? lockdep_init_map_type+0x16d/0x7a0
      ? lockdep_init_map_type+0x16d/0x7a0
      ? l2tp_tunnel_create+0x2bf/0x4b0
      ? l2tp_tunnel_create+0x3c6/0x4b0
      pppol2tp_connect+0x14e1/0x1a30
      ? pppol2tp_put_sk+0xd0/0xd0
      ? aa_sk_perm+0x2b7/0xa80
      ? aa_af_perm+0x260/0x260
      ? bpf_lsm_socket_connect+0x9/0x10
      ? pppol2tp_put_sk+0xd0/0xd0
      __sys_connect_file+0x14f/0x190
      __sys_connect+0x133/0x160
      ? __sys_connect_file+0x190/0x190
      ? lockdep_hardirqs_on+0x7d/0x100
      ? ktime_get_coarse_real_ts64+0x1b7/0x200
      ? ktime_get_coarse_real_ts64+0x147/0x200
      ? __audit_syscall_entry+0x396/0x500
      __x64_sys_connect+0x72/0xb0
      do_syscall_64+0x38/0xb0
      entry_SYSCALL_64_after_hwframe+0x63/0xcd

    This patch fixes the issue by getting/creating the tunnel before
    locking the pppol2tp socket.

    Fixes: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()")
    Cc: Cong Wang
    Signed-off-by: Shigeru Yoshida
    Reviewed-by: Guillaume Nault
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

 net/l2tp/l2tp_ppp.c | 125 ++++++++++++++++++++++++++++------------------------
 1 file changed, 67 insertions(+), 58 deletions(-)
culprit signature: 8e5b88fc18387540ddedb51cdb886c38a43cbc1ed744cf450362da8aa0518650
parent signature: 826061e8653690a6764940d36f5bae38936b5b50d162081a50849124fd155b03
revisions tested: 12, total time: 4h19m27.731172671s (build: 2h54m18.499543936s, test: 1h16m36.881322025s)
first good commit: f6df58aa15f7d469f69b1dd21b001ff483255244 l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
recipients (to): ["davem@davemloft.net" "gnault@redhat.com" "sashal@kernel.org" "syoshida@redhat.com"]
recipients (cc): []