possible deadlock in ip_defrag


syzbot

Apr 11, 2019, 8:00:53 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: cb3afe1f Revert "vti4: Don't override MTU passed on link c..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1397c6d7800000
kernel config: https://syzkaller.appspot.com/x/.config?x=99fe7bebda4b0397
dashboard link: https://syzkaller.appspot.com/bug?extid=53b2fd8d791ee244840a
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1481794f800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15894ed7800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+53b2fd...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
random: nonblocking pool is initialized
IPVS: Creating netns size=2552 id=1

======================================================
[ INFO: possible circular locking dependency detected ]
4.4.134-gcb3afe1 #53 Not tainted
-------------------------------------------------------
syz-executor144/3656 is trying to acquire lock:
(&(&q->lock)->rlock){+.-...}, at: [<ffffffff83206b78>] spin_lock include/linux/spinlock.h:302 [inline]
(&(&q->lock)->rlock){+.-...}, at: [<ffffffff83206b78>] ip_defrag+0x318/0x3fe0 net/ipv4/ip_fragment.c:680

but task is already holding lock:
(_xmit_NETROM){+.-...}, at: [<ffffffff83011c9c>] spin_lock include/linux/spinlock.h:302 [inline]
(_xmit_NETROM){+.-...}, at: [<ffffffff83011c9c>] __netif_tx_lock include/linux/netdevice.h:3299 [inline]
(_xmit_NETROM){+.-...}, at: [<ffffffff83011c9c>] sch_direct_xmit+0x23c/0x6e0 net/sched/sch_generic.c:163

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

[<ffffffff81235a7e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff838c26de>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112 [inline]
[<ffffffff838c26de>] _raw_spin_lock_irqsave+0x4e/0x70 kernel/locking/spinlock.c:159
[<ffffffff81eb7a61>] depot_save_stack+0x211/0x610 lib/stackdepot.c:252
[<ffffffff814f8869>] save_stack+0xa9/0xd0 mm/kasan/kasan.c:518
[<ffffffff814f8ae7>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff814f8ae7>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
[<ffffffff814f90b2>] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
[<ffffffff814f4bae>] slab_post_alloc_hook mm/slub.c:1349 [inline]
[<ffffffff814f4bae>] slab_alloc_node mm/slub.c:2615 [inline]
[<ffffffff814f4bae>] slab_alloc mm/slub.c:2623 [inline]
[<ffffffff814f4bae>] kmem_cache_alloc+0xbe/0x2a0 mm/slub.c:2628
[<ffffffff832006dc>] inet_getpeer.part.5+0xeac/0x15a0 net/ipv4/inetpeer.c:444
[<ffffffff8320132b>] inet_getpeer+0x55b/0x6f0 include/linux/seqlock.h:374
[<ffffffff834a67e5>] inet_getpeer_v6 include/net/inetpeer.h:127 [inline]
[<ffffffff834a67e5>] icmpv6_xrlim_allow net/ipv6/icmp.c:211 [inline]
[<ffffffff834a67e5>] icmp6_send+0x17c5/0x1b80 net/ipv6/icmp.c:491
[<ffffffff834a7fa9>] icmpv6_param_prob+0x29/0x40 net/ipv6/icmp.c:551
[<ffffffff834c3494>] ip6_frag_queue net/ipv6/reassembly.c:263 [inline]
[<ffffffff834c3494>] ipv6_frag_rcv+0x3f94/0x4fd0 net/ipv6/reassembly.c:562
[<ffffffff83436c5e>] ip6_input_finish+0x32e/0x1550 net/ipv6/ip6_input.c:248
[<ffffffff83439c46>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff83439c46>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff83439c46>] ip6_input+0xf6/0x200 net/ipv6/ip6_input.c:280
[<ffffffff8343642d>] dst_input include/net/dst.h:504 [inline]
[<ffffffff8343642d>] ip6_rcv_finish+0x13d/0x640 net/ipv6/ip6_input.c:62
[<ffffffff83438f4b>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff83438f4b>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff83438f4b>] ipv6_rcv+0x10cb/0x1cd0 net/ipv6/ip6_input.c:186
[<ffffffff82f7ed56>] __netif_receive_skb_core+0x12d6/0x2940 net/core/dev.c:4019
[<ffffffff82f8041b>] __netif_receive_skb+0x5b/0x1b0 net/core/dev.c:4054
[<ffffffff82f849a6>] process_backlog+0x216/0x6a0 net/core/dev.c:4647
[<ffffffff82f817e2>] napi_poll net/core/dev.c:4885 [inline]
[<ffffffff82f817e2>] net_rx_action+0x3a2/0xdb0 net/core/dev.c:4950
[<ffffffff838c5f6c>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
[<ffffffff838c3d1c>] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:929
[<ffffffff8113d9d4>] do_softirq.part.16+0x54/0x60 kernel/softirq.c:317
[<ffffffff8113f6c9>] do_softirq+0x19/0x20 kernel/softirq.c:320
[<ffffffff82f7ccfc>] netif_rx_ni+0xec/0x3a0 net/core/dev.c:3653
[<ffffffff827533d7>] tun_get_user+0xbe7/0x2410 drivers/net/tun.c:1264
[<ffffffff82754e15>] tun_chr_write_iter+0xd5/0x190 drivers/net/tun.c:1283
[<ffffffff8151d82c>] do_iter_readv_writev+0x13c/0x1e0 fs/read_write.c:664
[<ffffffff8151ef50>] do_readv_writev+0x2e0/0x6e0 fs/read_write.c:808
[<ffffffff8151f47b>] vfs_writev+0x7b/0xb0 fs/read_write.c:847
[<ffffffff81521949>] SYSC_writev fs/read_write.c:880 [inline]
[<ffffffff81521949>] SyS_writev+0xd9/0x250 fs/read_write.c:872
[<ffffffff838c2aa5>] entry_SYSCALL_64_fastpath+0x22/0x9e

[<ffffffff81232932>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[<ffffffff81232932>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[<ffffffff81232932>] validate_chain kernel/locking/lockdep.c:2144 [inline]
[<ffffffff81232932>] __lock_acquire+0x3902/0x5270 kernel/locking/lockdep.c:3213
[<ffffffff81235a7e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff838c1bc6>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
[<ffffffff838c1bc6>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
[<ffffffff83206b78>] spin_lock include/linux/spinlock.h:302 [inline]
[<ffffffff83206b78>] ip_defrag+0x318/0x3fe0 net/ipv4/ip_fragment.c:680
[<ffffffff8320ac08>] ip_check_defrag+0x3c8/0x7e0 net/ipv4/ip_fragment.c:724
[<ffffffff8357ceba>] packet_rcv_fanout+0x52a/0x5e0 net/packet/af_packet.c:1458
[<ffffffff82f898b4>] dev_queue_xmit_nit net/core/dev.c:1913 [inline]
[<ffffffff82f898b4>] xmit_one net/core/dev.c:2755 [inline]
[<ffffffff82f898b4>] dev_hard_start_xmit+0x644/0x11c0 net/core/dev.c:2775
[<ffffffff83011d21>] sch_direct_xmit+0x2c1/0x6e0 net/sched/sch_generic.c:165
[<ffffffff82f8b5e3>] __dev_xmit_skb net/core/dev.c:2957 [inline]
[<ffffffff82f8b5e3>] __dev_queue_xmit+0xef3/0x1c80 net/core/dev.c:3175
[<ffffffff82f8c387>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241
[<ffffffff82fa8e57>] neigh_resolve_output+0x637/0x790 net/core/neighbour.c:1326
[<ffffffff8321644b>] dst_neigh_output include/net/dst.h:461 [inline]
[<ffffffff8321644b>] ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213
[<ffffffff8321887c>] ip_do_fragment+0x19cc/0x2190 net/ipv4/ip_output.c:633
[<ffffffff83219183>] ip_fragment.constprop.51+0x143/0x200 net/ipv4/ip_output.c:503
[<ffffffff832196ca>] ip_finish_output+0x48a/0xc00 net/ipv4/ip_output.c:286
[<ffffffff8321caf3>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
[<ffffffff8321caf3>] ip_mc_output+0x233/0x980 net/ipv4/ip_output.c:347
[<ffffffff8321a31b>] dst_output include/net/dst.h:498 [inline]
[<ffffffff8321a31b>] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119
[<ffffffff8322009c>] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1451
[<ffffffff832c8993>] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842
[<ffffffff832d1549>] udp_sendmsg+0x16c9/0x1c70 net/ipv4/udp.c:1072
[<ffffffff83301163>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff82f1e47c>] sock_sendmsg_nosec net/socket.c:625 [inline]
[<ffffffff82f1e47c>] sock_sendmsg+0xcc/0x110 net/socket.c:635
[<ffffffff82f1f15c>] SYSC_sendto+0x21c/0x370 net/socket.c:1665
[<ffffffff82f217e0>] SyS_sendto+0x40/0x50 net/socket.c:1633
[<ffffffff838c2aa5>] entry_SYSCALL_64_fastpath+0x22/0x9e

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(_xmit_NETROM);
                               lock(&(&q->lock)->rlock);
                               lock(_xmit_NETROM);
  lock(&(&q->lock)->rlock);

*** DEADLOCK ***

4 locks held by syz-executor144/3656:
#0: (rcu_read_lock_bh){......}, at: [<ffffffff83215fb2>] ip_finish_output2+0x212/0x1110 net/ipv4/ip_output.c:193
#1: (rcu_read_lock_bh){......}, at: [<ffffffff82f8a8c7>] __dev_queue_xmit+0x1d7/0x1c80 net/core/dev.c:3139
#2: (_xmit_NETROM){+.-...}, at: [<ffffffff83011c9c>] spin_lock include/linux/spinlock.h:302 [inline]
#2: (_xmit_NETROM){+.-...}, at: [<ffffffff83011c9c>] __netif_tx_lock include/linux/netdevice.h:3299 [inline]
#2: (_xmit_NETROM){+.-...}, at: [<ffffffff83011c9c>] sch_direct_xmit+0x23c/0x6e0 net/sched/sch_generic.c:163
#3: (rcu_read_lock){......}, at: [<ffffffff82f89318>] xmit_one net/core/dev.c:2754 [inline]
#3: (rcu_read_lock){......}, at: [<ffffffff82f89318>] dev_hard_start_xmit+0xa8/0x11c0 net/core/dev.c:2775

stack backtrace:
CPU: 1 PID: 3656 Comm: syz-executor144 Not tainted 4.4.134-gcb3afe1 #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 0b39ec9710287bf1 ffff8801cf436d38 ffffffff81e0f02d
ffffffff853eb060 ffffffff853eb720 ffffffff853eb060 ffff8800b31ba150
ffff8800b31b9800 ffff8801cf436d80 ffffffff8140e62b 0000000000000003
Call Trace:
[<ffffffff81e0f02d>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81e0f02d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff8140e62b>] print_circular_bug.cold.50+0x1bd/0x27d kernel/locking/lockdep.c:1226
[<ffffffff81232932>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[<ffffffff81232932>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[<ffffffff81232932>] validate_chain kernel/locking/lockdep.c:2144 [inline]
[<ffffffff81232932>] __lock_acquire+0x3902/0x5270 kernel/locking/lockdep.c:3213
[<ffffffff81235a7e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff838c1bc6>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
[<ffffffff838c1bc6>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
[<ffffffff83206b78>] spin_lock include/linux/spinlock.h:302 [inline]
[<ffffffff83206b78>] ip_defrag+0x318/0x3fe0 net/ipv4/ip_fragment.c:680
[<ffffffff8320ac08>] ip_check_defrag+0x3c8/0x7e0 net/ipv4/ip_fragment.c:724
[<ffffffff8357ceba>] packet_rcv_fanout+0x52a/0x5e0 net/packet/af_packet.c:1458
[<ffffffff82f898b4>] dev_queue_xmit_nit net/core/dev.c:1913 [inline]
[<ffffffff82f898b4>] xmit_one net/core/dev.c:2755 [inline]
[<ffffffff82f898b4>] dev_hard_start_xmit+0x644/0x11c0 net/core/dev.c:2775
[<ffffffff83011d21>] sch_direct_xmit+0x2c1/0x6e0 net/sched/sch_generic.c:165
[<ffffffff82f8b5e3>] __dev_xmit_skb net/core/dev.c:2957 [inline]
[<ffffffff82f8b5e3>] __dev_queue_xmit+0xef3/0x1c80 net/core/dev.c:3175
[<ffffffff82f8c387>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241
[<ffffffff82fa8e57>] neigh_resolve_output+0x637/0x790 net/core/neighbour.c:1326
[<ffffffff8321644b>] dst_neigh_output include/net/dst.h:461 [inline]
[<ffffffff8321644b>] ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213
[<ffffffff8321887c>] ip_do_fragment+0x19cc/0x2190 net/ipv4/ip_output.c:633
[<ffffffff83219183>] ip_fragment.constprop.51+0x143/0x200 net/ipv4/ip_output.c:503
[<ffffffff832196ca>] ip_finish_output+0x48a/0xc00 net/ipv4/ip_output.c:286
[<ffffffff8321caf3>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
[<ffffffff8321caf3>] ip_mc_output+0x233/0x980 net/ipv4/ip_output.c:347
[<ffffffff8321a31b>] dst_output include/net/dst.h:498 [inline]
[<ffffffff8321a31b>] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119
[<ffffffff8322009c>] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1451
[<ffffffff832c8993>] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842
[<ffffffff832d1549>] udp_sendmsg+0x16c9/0x1c70 net/ipv4/udp.c:1072
[<ffffffff83301163>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff82f1e47c>] sock_sendmsg_nosec net/socket.c:625 [inline]
[<ffffffff82f1e47c>] sock_sendmsg+0xcc/0x110 net/socket.c:635
[<ffffffff82f1f15c>] SYSC_sendto+0x21c/0x370 net/socket.c:1665
[<ffffffff82f217e0>] SyS_sendto+0x40/0x50 net/socket.c:1633
[<ffffffff838c2aa5>] entry_SYSCALL_64_fastpath+0x22/0x9e


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches