possible deadlock in rtnl_lock


syzbot

Apr 11, 2019, 8:00:40 PM4/11/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 239a415f ANDROID: sdcardfs: Set num in extension_details d..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=16234dc3800000
kernel config: https://syzkaller.appspot.com/x/.config?x=cef872c4fe18cd16
dashboard link: https://syzkaller.appspot.com/bug?extid=04569264849a46d38f69
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13553783800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16153713800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+045692...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read, 124 bits of
entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 128 bits of
entropy available)
TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.

======================================================
[ INFO: possible circular locking dependency detected ]
4.4.118-g239a415 #25 Not tainted
-------------------------------------------------------
syzkaller915933/3675 is trying to acquire lock:
(rtnl_mutex){+.+.+.}, at: [<ffffffff82e80377>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70

but task is already holding lock:
(sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff83359f32>] lock_sock
include/net/sock.h:1493 [inline]
(sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff83359f32>]
do_ipv6_setsockopt.isra.8+0x1e2/0x3030 net/ipv6/ipv6_sockglue.c:166

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

[<ffffffff8123d7ce>] lock_acquire+0x15e/0x460
kernel/locking/lockdep.c:3592
[<ffffffff82df42b6>] lock_sock_nested+0xc6/0x120 net/core/sock.c:2459
[<ffffffff8335a081>] lock_sock include/net/sock.h:1493 [inline]
[<ffffffff8335a081>] do_ipv6_setsockopt.isra.8+0x331/0x3030
net/ipv6/ipv6_sockglue.c:166
[<ffffffff8335ce57>] ipv6_setsockopt+0xd7/0x130
net/ipv6/ipv6_sockglue.c:904
[<ffffffff8311c692>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2641
[<ffffffff82df1f55>] sock_common_setsockopt+0x95/0xd0
net/core/sock.c:2659
[<ffffffff82def040>] SYSC_setsockopt net/socket.c:1767 [inline]
[<ffffffff82def040>] SyS_setsockopt+0x160/0x250 net/socket.c:1746
[<ffffffff83772a5f>] entry_SYSCALL_64_fastpath+0x1c/0x98

[<ffffffff8123ab2f>] check_prev_add kernel/locking/lockdep.c:1853
[inline]
[<ffffffff8123ab2f>] check_prevs_add kernel/locking/lockdep.c:1958
[inline]
[<ffffffff8123ab2f>] validate_chain kernel/locking/lockdep.c:2144
[inline]
[<ffffffff8123ab2f>] __lock_acquire+0x371f/0x4b50
kernel/locking/lockdep.c:3213
[<ffffffff8123d7ce>] lock_acquire+0x15e/0x460
kernel/locking/lockdep.c:3592
[<ffffffff8376948b>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff8376948b>] mutex_lock_nested+0xbb/0x850
kernel/locking/mutex.c:621
[<ffffffff82e80377>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
[<ffffffff8339507e>] ipv6_sock_mc_close+0x10e/0x350
net/ipv6/mcast.c:288
[<ffffffff8335b111>] do_ipv6_setsockopt.isra.8+0x13c1/0x3030
net/ipv6/ipv6_sockglue.c:202
[<ffffffff8335ce57>] ipv6_setsockopt+0xd7/0x130
net/ipv6/ipv6_sockglue.c:904
[<ffffffff8311c692>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2641
[<ffffffff82df1f55>] sock_common_setsockopt+0x95/0xd0
net/core/sock.c:2659
[<ffffffff82def040>] SYSC_setsockopt net/socket.c:1767 [inline]
[<ffffffff82def040>] SyS_setsockopt+0x160/0x250 net/socket.c:1746
[<ffffffff83772a5f>] entry_SYSCALL_64_fastpath+0x1c/0x98

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET6);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_INET6);
  lock(rtnl_mutex);

*** DEADLOCK ***

1 lock held by syzkaller915933/3675:
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff83359f32>] lock_sock
include/net/sock.h:1493 [inline]
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff83359f32>]
do_ipv6_setsockopt.isra.8+0x1e2/0x3030 net/ipv6/ipv6_sockglue.c:166

stack backtrace:
CPU: 0 PID: 3675 Comm: syzkaller915933 Not tainted 4.4.118-g239a415 #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
0000000000000000 d6efcd04ca2e32c1 ffff8800b5ec75a8 ffffffff81d0402d
ffffffff8516edb0 ffffffff8516edb0 ffffffff851b85e0 ffff8800afa120f8
ffff8800afa11800 ffff8800b5ec75f0 ffffffff81233ba1 ffff8800afa120f8
Call Trace:
[<ffffffff81d0402d>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d0402d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff81233ba1>] print_circular_bug+0x271/0x310
kernel/locking/lockdep.c:1226
[<ffffffff8123ab2f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[<ffffffff8123ab2f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[<ffffffff8123ab2f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
[<ffffffff8123ab2f>] __lock_acquire+0x371f/0x4b50
kernel/locking/lockdep.c:3213
[<ffffffff8123d7ce>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
[<ffffffff8376948b>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff8376948b>] mutex_lock_nested+0xbb/0x850
kernel/locking/mutex.c:621
[<ffffffff82e80377>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
[<ffffffff8339507e>] ipv6_sock_mc_close+0x10e/0x350 net/ipv6/mcast.c:288
[<ffffffff8335b111>] do_ipv6_setsockopt.isra.8+0x13c1/0x3030
net/ipv6/ipv6_sockglue.c:202
[<ffffffff8335ce57>] ipv6_setsockopt+0xd7/0x130
net/ipv6/ipv6_sockglue.c:904
[<ffffffff8311c692>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2641
[<ffffffff82df1f55>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2659
[<ffffffff82def040>] SYSC_setsockopt net/socket.c:1767 [inline]
[<ffffffff82def040>] SyS_setsockopt+0x160/0x250 net/socket.c:1746
[<ffffffff82dee370>] ? move_addr_to_ke


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches