[syzbot] [net?] [s390?] possible deadlock in smc_release
3 views
Skip to first unread message
syzbot
Feb 2, 2024, 8:26:29 AMFeb 2
to agor...@linux.ibm.com, ali...@linux.alibaba.com, da...@davemloft.net, edum...@google.com, gu...@linux.alibaba.com, ja...@linux.ibm.com, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com, ton...@linux.alibaba.com, wen...@linux.ibm.com
Hello,
syzbot found the following issue on:
HEAD commit: 41bccc98fb79 Linux 6.8-rc2
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16b3a953e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=621fd56ba002faba6392
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=165642dfe80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1431092fe80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/00fc8ba1cd49/disk-41bccc98.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15fd4e4ee5f8/vmlinux-41bccc98.xz
kernel image: https://storage.googleapis.com/syzbot-assets/13be3add2183/bzImage-41bccc98.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+621fd5...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.8.0-rc2-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor225/5062 is trying to acquire lock:
ffff8880218893f8 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10 kernel/workqueue.c:3406
but task is already holding lock:
ffff888021888130 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x3a3/0x640 net/smc/af_smc.c:336
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}:
lock_sock_nested+0x3a/0xf0 net/core/sock.c:3524
smc_listen_out+0x1e7/0x4b0 net/smc/af_smc.c:1914
smc_listen_out_connected net/smc/af_smc.c:1934 [inline]
smc_listen_work+0x56e/0x5190 net/smc/af_smc.c:2448
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
-> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2445/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
__flush_work+0x103/0xa10 kernel/workqueue.c:3406
__cancel_work_timer+0x3ef/0x590 kernel/workqueue.c:3497
smc_clcsock_release+0x5f/0xe0 net/smc/smc_close.c:29
__smc_release+0x5b9/0x890 net/smc/af_smc.c:301
smc_close_non_accepted+0xda/0x230 net/smc/af_smc.c:1846
smc_close_cleanup_listen net/smc/smc_close.c:45 [inline]
smc_close_active+0xc2d/0x1070 net/smc/smc_close.c:225
__smc_release+0x62b/0x890 net/smc/af_smc.c:277
smc_release+0x209/0x640 net/smc/af_smc.c:344
__sock_release+0xae/0x260 net/socket.c:659
sock_close+0x1c/0x20 net/socket.c:1421
__fput+0x270/0xb70 fs/file_table.c:376
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(sk_lock-AF_SMC/1);
lock((work_completion)(&new_smc->smc_listen_work));
lock(sk_lock-AF_SMC/1);
lock((work_completion)(&new_smc->smc_listen_work));
*** DEADLOCK ***
2 locks held by syz-executor225/5062:
#0: ffff8880791f6210 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:802 [inline]
#0: ffff8880791f6210 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: __sock_release+0x86/0x260 net/socket.c:658
#1: ffff888021888130 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x3a3/0x640 net/smc/af_smc.c:336
stack backtrace:
CPU: 1 PID: 5062 Comm: syz-executor225 Not tainted 6.8.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
check_noncircular+0x317/0x400 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2445/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
__flush_work+0x103/0xa10 kernel/workqueue.c:3406
__cancel_work_timer+0x3ef/0x590 kernel/workqueue.c:3497
smc_clcsock_release+0x5f/0xe0 net/smc/smc_close.c:29
__smc_release+0x5b9/0x890 net/smc/af_smc.c:301
smc_close_non_accepted+0xda/0x230 net/smc/af_smc.c:1846
smc_close_cleanup_listen net/smc/smc_close.c:45 [inline]
smc_close_active+0xc2d/0x1070 net/smc/smc_close.c:225
__smc_release+0x62b/0x890 net/smc/af_smc.c:277
smc_release+0x209/0x640 net/smc/af_smc.c:344
__sock_release+0xae/0x260 net/socket.c:659
sock_close+0x1c/0x20 net/socket.c:1421
__fput+0x270/0xb70 fs/file_table.c:376
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8804a8bc09
Code: Unable to access opcode bytes at 0x7f8804a8bbdf.
RSP: 002b:00007ffcbc267b78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8804a8bc09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f8804b062d0 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f8804b062d0
R13: 0000000000000000 R14: 00007f8804b06d20 R15: 00007f8804a5ce60
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 41bccc98fb79 Linux 6.8-rc2
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16b3a953e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=621fd56ba002faba6392
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=165642dfe80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1431092fe80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/00fc8ba1cd49/disk-41bccc98.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15fd4e4ee5f8/vmlinux-41bccc98.xz
kernel image: https://storage.googleapis.com/syzbot-assets/13be3add2183/bzImage-41bccc98.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+621fd5...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.8.0-rc2-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor225/5062 is trying to acquire lock:
ffff8880218893f8 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10 kernel/workqueue.c:3406
but task is already holding lock:
ffff888021888130 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x3a3/0x640 net/smc/af_smc.c:336
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}:
lock_sock_nested+0x3a/0xf0 net/core/sock.c:3524
smc_listen_out+0x1e7/0x4b0 net/smc/af_smc.c:1914
smc_listen_out_connected net/smc/af_smc.c:1934 [inline]
smc_listen_work+0x56e/0x5190 net/smc/af_smc.c:2448
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
-> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2445/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
__flush_work+0x103/0xa10 kernel/workqueue.c:3406
__cancel_work_timer+0x3ef/0x590 kernel/workqueue.c:3497
smc_clcsock_release+0x5f/0xe0 net/smc/smc_close.c:29
__smc_release+0x5b9/0x890 net/smc/af_smc.c:301
smc_close_non_accepted+0xda/0x230 net/smc/af_smc.c:1846
smc_close_cleanup_listen net/smc/smc_close.c:45 [inline]
smc_close_active+0xc2d/0x1070 net/smc/smc_close.c:225
__smc_release+0x62b/0x890 net/smc/af_smc.c:277
smc_release+0x209/0x640 net/smc/af_smc.c:344
__sock_release+0xae/0x260 net/socket.c:659
sock_close+0x1c/0x20 net/socket.c:1421
__fput+0x270/0xb70 fs/file_table.c:376
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(sk_lock-AF_SMC/1);
lock((work_completion)(&new_smc->smc_listen_work));
lock(sk_lock-AF_SMC/1);
lock((work_completion)(&new_smc->smc_listen_work));
*** DEADLOCK ***
2 locks held by syz-executor225/5062:
#0: ffff8880791f6210 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:802 [inline]
#0: ffff8880791f6210 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: __sock_release+0x86/0x260 net/socket.c:658
#1: ffff888021888130 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x3a3/0x640 net/smc/af_smc.c:336
stack backtrace:
CPU: 1 PID: 5062 Comm: syz-executor225 Not tainted 6.8.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
check_noncircular+0x317/0x400 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2445/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
__flush_work+0x103/0xa10 kernel/workqueue.c:3406
__cancel_work_timer+0x3ef/0x590 kernel/workqueue.c:3497
smc_clcsock_release+0x5f/0xe0 net/smc/smc_close.c:29
__smc_release+0x5b9/0x890 net/smc/af_smc.c:301
smc_close_non_accepted+0xda/0x230 net/smc/af_smc.c:1846
smc_close_cleanup_listen net/smc/smc_close.c:45 [inline]
smc_close_active+0xc2d/0x1070 net/smc/smc_close.c:225
__smc_release+0x62b/0x890 net/smc/af_smc.c:277
smc_release+0x209/0x640 net/smc/af_smc.c:344
__sock_release+0xae/0x260 net/socket.c:659
sock_close+0x1c/0x20 net/socket.c:1421
__fput+0x270/0xb70 fs/file_table.c:376
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8804a8bc09
Code: Unable to access opcode bytes at 0x7f8804a8bbdf.
RSP: 002b:00007ffcbc267b78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8804a8bc09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f8804b062d0 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f8804b062d0
R13: 0000000000000000 R14: 00007f8804b06d20 R15: 00007f8804a5ce60
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages