Hello,
syzbot found the following crash on:
HEAD commit: 64102d34 BACKPORT: xfrm: Allow Output Mark to be Updated U..
git tree: android-4.4
console output:
https://syzkaller.appspot.com/x/log.txt?x=172c0225400000
kernel config:
https://syzkaller.appspot.com/x/.config?x=88f924cb59937510
dashboard link:
https://syzkaller.appspot.com/bug?extid=c5889541c6bc6da2defe
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+c58895...@syzkaller.appspotmail.com
======================================================
[ INFO: possible circular locking dependency detected ]
4.4.162+ #120 Not tainted
-------------------------------------------------------
syz-executor2/17087 is trying to acquire lock:
(rtnl_mutex){+.+.+.}, at: [ 448.759020] binder: 17093:17094 ioctl
4028700f 200001c0 returned -22
binder: 17093:17095 ioctl 4028700f 200001c0 returned -22
[<ffffffff822664d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
but task is already holding lock:
(sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff825f6a12>] lock_sock
include/net/sock.h:1493 [inline]
(sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff825f6a12>]
do_ipv6_setsockopt.isra.4+0x252/0x2d50 net/ipv6/ipv6_sockglue.c:166
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
[<ffffffff81202cde>] lock_acquire+0x15e/0x450
kernel/locking/lockdep.c:3592
[<ffffffff821dc1b6>] lock_sock_nested+0xc6/0x120 net/core/sock.c:2459
[<ffffffff825f6992>] lock_sock include/net/sock.h:1493 [inline]
[<ffffffff825f6992>] do_ipv6_setsockopt.isra.4+0x1d2/0x2d50
net/ipv6/ipv6_sockglue.c:166
[<ffffffff825f95a7>] ipv6_setsockopt+0x97/0x130
net/ipv6/ipv6_sockglue.c:904
[<ffffffff823f0c18>] tcp_setsockopt+0x88/0xe0 net/ipv4/tcp.c:2643
[<ffffffff821d63ba>] sock_common_setsockopt+0x9a/0xe0
net/core/sock.c:2659
[<ffffffff821d3df6>] SYSC_setsockopt net/socket.c:1780 [inline]
[<ffffffff821d3df6>] SyS_setsockopt+0x166/0x260 net/socket.c:1759
[<ffffffff827121a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
[<ffffffff811ff0fc>] check_prev_add kernel/locking/lockdep.c:1853
[inline]
[<ffffffff811ff0fc>] check_prevs_add kernel/locking/lockdep.c:1958
[inline]
[<ffffffff811ff0fc>] validate_chain kernel/locking/lockdep.c:2144
[inline]
[<ffffffff811ff0fc>] __lock_acquire+0x3e6c/0x5f10
kernel/locking/lockdep.c:3213
[<ffffffff81202cde>] lock_acquire+0x15e/0x450
kernel/locking/lockdep.c:3592
[<ffffffff82706c2b>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff82706c2b>] mutex_lock_nested+0xbb/0x8d0
kernel/locking/mutex.c:621
[<ffffffff822664d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
[<ffffffff82630b5e>] ipv6_sock_mc_close+0x10e/0x350
net/ipv6/mcast.c:288
[<ffffffff825f74c7>] do_ipv6_setsockopt.isra.4+0xd07/0x2d50
net/ipv6/ipv6_sockglue.c:202
[<ffffffff825f95a7>] ipv6_setsockopt+0x97/0x130
net/ipv6/ipv6_sockglue.c:904
[<ffffffff8260e41a>] udpv6_setsockopt+0x4a/0x90 net/ipv6/udp.c:1436
[<ffffffff821d63ba>] sock_common_setsockopt+0x9a/0xe0
net/core/sock.c:2659
[<ffffffff821d3df6>] SYSC_setsockopt net/socket.c:1780 [inline]
[<ffffffff821d3df6>] SyS_setsockopt+0x166/0x260 net/socket.c:1759
[<ffffffff827121a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(sk_lock-AF_INET6);
lock(rtnl_mutex);
lock(sk_lock-AF_INET6);
lock(rtnl_mutex);
*** DEADLOCK ***
1 lock held by syz-executor2/17087:
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff825f6a12>] lock_sock
include/net/sock.h:1493 [inline]
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff825f6a12>]
do_ipv6_setsockopt.isra.4+0x252/0x2d50 net/ipv6/ipv6_sockglue.c:166
stack backtrace:
CPU: 0 PID: 17087 Comm: syz-executor2 Not tainted 4.4.162+ #120
0000000000000000 034b4dac15a52b69 ffff8801c169f5a8 ffffffff81aa526d
ffffffff83a857b0 ffffffff83ac3eb0 ffffffff83a857b0 ffff8800b5a8e7e8
ffff8800b5a8df00 ffff8801c169f5f0 ffffffff813a834a 0000000000000001
Call Trace:
[<ffffffff81aa526d>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aa526d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff813a834a>] print_circular_bug.cold.34+0x2f7/0x432
kernel/locking/lockdep.c:1226
[<ffffffff811ff0fc>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[<ffffffff811ff0fc>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[<ffffffff811ff0fc>] validate_chain kernel/locking/lockdep.c:2144 [inline]
[<ffffffff811ff0fc>] __lock_acquire+0x3e6c/0x5f10
kernel/locking/lockdep.c:3213
[<ffffffff81202cde>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff82706c2b>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff82706c2b>] mutex_lock_nested+0xbb/0x8d0
kernel/locking/mutex.c:621
[<ffffffff822664d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
[<ffffffff82630b5e>] ipv6_sock_mc_close+0x10e/0x350 net/ipv6/mcast.c:288
[<ffffffff825f74c7>] do_ipv6_setsockopt.isra.4+0xd07/0x2d50
net/ipv6/ipv6_sockglue.c:202
[<ffffffff825f95a7>] ipv6_setsockopt+0x97/0x130
net/ipv6/ipv6_sockglue.c:904
[<ffffffff8260e41a>] udpv6_setsockopt+0x4a/0x90 net/ipv6/udp.c:1436
[<ffffffff821d63ba>] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2659
[<ffffffff821d3df6>] SYSC_setsockopt net/socket.c:1780 [inline]
[<ffffffff821d3df6>] SyS_setsockopt+0x166/0x260 net/socket.c:1759
[<ffffffff827121a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
binder: 17129:17130 ioctl 4028700f 200001c0 returned -22
device lo left promiscuous mode
audit: type=1400 audit(1541745560.570:30): avc: denied { relabelto } for
pid=17438 comm="syz-executor1" name="UNIX" dev="sockfs" ino=66336
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ksm_device_t:s0 tclass=unix_dgram_socket
permissive=1
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.