[syzbot] [net?] possible deadlock in inet6_getname
3 views
Skip to first unread message
syzbot
Feb 13, 2026, 7:15:37 AM (yesterday) Feb 13
to da...@davemloft.net, dsa...@kernel.org, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 57be33f85e36 nfc: nxp-nci: remove interrupt trigger type
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12f2165a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c36acc86fd56a9d
dashboard link: https://syzkaller.appspot.com/bug?extid=5efae91f60932839f0a5
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1584065a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f2165a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/77aaa9b6c846/disk-57be33f8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2617a56e7118/vmlinux-57be33f8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4fd173f33f5f/bzImage-57be33f8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5efae9...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
kworker/u8:6/2985 is trying to acquire lock:
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
but task is already holding lock:
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(k-sk_lock-AF_INET6);
lock(k-sk_lock-AF_INET6);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by kworker/u8:6/2985:
#0: ffff888033131948 ((wq_completion)krds_cp_wq#1/0){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
#0: ffff888033131948 ((wq_completion)krds_cp_wq#1/0){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0 kernel/workqueue.c:3340
#1: ffffc9000b8a7bc0 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
#1: ffffc9000b8a7bc0 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0 kernel/workqueue.c:3340
#2: ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
#2: ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
#3: ffff88807a07abc8 (k-clock-AF_INET6){++.-}-{3:3}, at: rds_tcp_data_ready+0x113/0x950 net/rds/tcp_recv.c:320
stack backtrace:
CPU: 1 UID: 0 PID: 2985 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: krds_cp_wq#1/0 rds_send_worker
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_deadlock_bug+0x279/0x290 kernel/locking/lockdep.c:3041
check_deadlock kernel/locking/lockdep.c:3093 [inline]
validate_chain kernel/locking/lockdep.c:3895 [inline]
__lock_acquire+0x253f/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
lock_sock_nested+0x48/0x100 net/core/sock.c:3780
lock_sock include/net/sock.h:1709 [inline]
inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
__tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
tcp_rcv_established+0x19e9/0x2670 net/ipv4/tcp_input.c:6675
tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
sk_backlog_rcv include/net/sock.h:1185 [inline]
__release_sock+0x1b8/0x3a0 net/core/sock.c:3213
release_sock+0x5f/0x1f0 net/core/sock.c:3795
rds_send_xmit+0x207e/0x28d0 net/rds/send.c:480
rds_send_worker+0x7d/0x2e0 net/rds/threads.c:200
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
kthread+0x726/0x8b0 kernel/kthread.c:463
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
BUG: sleeping function called from invalid context at net/core/sock.c:3782
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2985, name: kworker/u8:6
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 UID: 0 PID: 2985 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: krds_cp_wq#1/0 rds_send_worker
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
__might_resched+0x378/0x4d0 kernel/sched/core.c:8829
lock_sock_nested+0x5d/0x100 net/core/sock.c:3782
lock_sock include/net/sock.h:1709 [inline]
inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
__tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
tcp_rcv_established+0x19e9/0x2670 net/ipv4/tcp_input.c:6675
tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
sk_backlog_rcv include/net/sock.h:1185 [inline]
__release_sock+0x1b8/0x3a0 net/core/sock.c:3213
release_sock+0x5f/0x1f0 net/core/sock.c:3795
rds_send_xmit+0x207e/0x28d0 net/rds/send.c:480
rds_send_worker+0x7d/0x2e0 net/rds/threads.c:200
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
kthread+0x726/0x8b0 kernel/kthread.c:463
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
BUG: scheduling while atomic: kworker/u8:6/2985/0x00000202
INFO: lockdep is turned off.
Modules linked in:
Preemption disabled at:
[<0000000000000000>] 0x0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 57be33f85e36 nfc: nxp-nci: remove interrupt trigger type
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12f2165a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c36acc86fd56a9d
dashboard link: https://syzkaller.appspot.com/bug?extid=5efae91f60932839f0a5
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1584065a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f2165a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/77aaa9b6c846/disk-57be33f8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2617a56e7118/vmlinux-57be33f8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4fd173f33f5f/bzImage-57be33f8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5efae9...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
kworker/u8:6/2985 is trying to acquire lock:
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
but task is already holding lock:
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(k-sk_lock-AF_INET6);
lock(k-sk_lock-AF_INET6);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by kworker/u8:6/2985:
#0: ffff888033131948 ((wq_completion)krds_cp_wq#1/0){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
#0: ffff888033131948 ((wq_completion)krds_cp_wq#1/0){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0 kernel/workqueue.c:3340
#1: ffffc9000b8a7bc0 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
#1: ffffc9000b8a7bc0 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0 kernel/workqueue.c:3340
#2: ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
#2: ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
#3: ffff88807a07abc8 (k-clock-AF_INET6){++.-}-{3:3}, at: rds_tcp_data_ready+0x113/0x950 net/rds/tcp_recv.c:320
stack backtrace:
CPU: 1 UID: 0 PID: 2985 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: krds_cp_wq#1/0 rds_send_worker
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_deadlock_bug+0x279/0x290 kernel/locking/lockdep.c:3041
check_deadlock kernel/locking/lockdep.c:3093 [inline]
validate_chain kernel/locking/lockdep.c:3895 [inline]
__lock_acquire+0x253f/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
lock_sock_nested+0x48/0x100 net/core/sock.c:3780
lock_sock include/net/sock.h:1709 [inline]
inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
__tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
tcp_rcv_established+0x19e9/0x2670 net/ipv4/tcp_input.c:6675
tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
sk_backlog_rcv include/net/sock.h:1185 [inline]
__release_sock+0x1b8/0x3a0 net/core/sock.c:3213
release_sock+0x5f/0x1f0 net/core/sock.c:3795
rds_send_xmit+0x207e/0x28d0 net/rds/send.c:480
rds_send_worker+0x7d/0x2e0 net/rds/threads.c:200
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
kthread+0x726/0x8b0 kernel/kthread.c:463
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
BUG: sleeping function called from invalid context at net/core/sock.c:3782
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2985, name: kworker/u8:6
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 UID: 0 PID: 2985 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: krds_cp_wq#1/0 rds_send_worker
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
__might_resched+0x378/0x4d0 kernel/sched/core.c:8829
lock_sock_nested+0x5d/0x100 net/core/sock.c:3782
lock_sock include/net/sock.h:1709 [inline]
inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
__tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
tcp_rcv_established+0x19e9/0x2670 net/ipv4/tcp_input.c:6675
tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
sk_backlog_rcv include/net/sock.h:1185 [inline]
__release_sock+0x1b8/0x3a0 net/core/sock.c:3213
release_sock+0x5f/0x1f0 net/core/sock.c:3795
rds_send_xmit+0x207e/0x28d0 net/rds/send.c:480
rds_send_worker+0x7d/0x2e0 net/rds/threads.c:200
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
kthread+0x726/0x8b0 kernel/kthread.c:463
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
BUG: scheduling while atomic: kworker/u8:6/2985/0x00000202
INFO: lockdep is turned off.
Modules linked in:
Preemption disabled at:
[<0000000000000000>] 0x0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Eric Dumazet
Feb 13, 2026, 12:26:59 PM (yesterday) Feb 13
to syzbot, Gerd Rausch, da...@davemloft.net, dsa...@kernel.org, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
commit 9d27a0fb122f19b6d01d02f4b4f429ca28811ace
Author: Gerd Rausch <gerd....@oracle.com>
Date: Mon Feb 2 22:57:23 2026 -0700
net/rds: Trigger rds_send_ping() more than once
Gerd Rausch
Feb 13, 2026, 4:36:52 PM (yesterday) Feb 13
to Eric Dumazet, syzbot, da...@davemloft.net, dsa...@kernel.org, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hi,
On 2026-02-13 09:26, Eric Dumazet wrote:
> On Fri, Feb 13, 2026 at 1:15 PM syzbot
> <syzbot+5efae9...@syzkaller.appspotmail.com> wrote:
>>
>>
[...]
inet_getname() acquires a lock_sock() that was already held
as __release_sock() is about to give it up, but before
doing so, handles the backlog receives & callbacks.
Just need to figure out a way to obtain the peer's port number,
without ending up in such a recursive lock scenario.
Thanks for forwarding this,
Gerd
On 2026-02-13 09:26, Eric Dumazet wrote:
> On Fri, Feb 13, 2026 at 1:15 PM syzbot
> <syzbot+5efae9...@syzkaller.appspotmail.com> wrote:
>>
>>
>> ============================================
>> WARNING: possible recursive locking detected
>> syzkaller #0 Not tainted
>> --------------------------------------------
>> kworker/u8:6/2985 is trying to acquire lock:
>> ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
>> ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
>>
>> but task is already holding lock:
>> ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
>> ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
>>
[...]
>> WARNING: possible recursive locking detected
>> syzkaller #0 Not tainted
>> --------------------------------------------
>> kworker/u8:6/2985 is trying to acquire lock:
>> ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
>> ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
>>
>> but task is already holding lock:
>> ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
>> ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
>>
>> lock_sock_nested+0x48/0x100 net/core/sock.c:3780
>> lock_sock include/net/sock.h:1709 [inline]
>> inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
>> rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
>> rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
>> rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
>> rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
>> rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
>> __tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
>> rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
>> rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
>> tcp_rcv_established+0x19e9/0x2670 net/ipv4/tcp_input.c:6675
>> tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
>> sk_backlog_rcv include/net/sock.h:1185 [inline]
>> __release_sock+0x1b8/0x3a0 net/core/sock.c:3213
>
[...]
>> lock_sock include/net/sock.h:1709 [inline]
>> inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
>> rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
>> rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
>> rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
>> rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
>> rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
>> __tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
>> rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
>> rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
>> tcp_rcv_established+0x19e9/0x2670 net/ipv4/tcp_input.c:6675
>> tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
>> sk_backlog_rcv include/net/sock.h:1185 [inline]
>> __release_sock+0x1b8/0x3a0 net/core/sock.c:3213
>
> Gerd, please take a look, thanks.
>
> commit 9d27a0fb122f19b6d01d02f4b4f429ca28811ace
> Author: Gerd Rausch <gerd....@oracle.com>
> Date: Mon Feb 2 22:57:23 2026 -0700
>
> net/rds: Trigger rds_send_ping() more than once
Syzbot is right:
>
> commit 9d27a0fb122f19b6d01d02f4b4f429ca28811ace
> Author: Gerd Rausch <gerd....@oracle.com>
> Date: Mon Feb 2 22:57:23 2026 -0700
>
> net/rds: Trigger rds_send_ping() more than once
inet_getname() acquires a lock_sock() that was already held
as __release_sock() is about to give it up, but before
doing so, handles the backlog receives & callbacks.
Just need to figure out a way to obtain the peer's port number,
without ending up in such a recursive lock scenario.
Thanks for forwarding this,
Gerd
Fernando Fernandez Mancera
1:40 PM (4 hours ago) 1:40 PM
to Gerd Rausch, Eric Dumazet, syzbot, da...@davemloft.net, dsa...@kernel.org, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
> doing so, handles the backlog receives & callbacks.
>
> Just need to figure out a way to obtain the peer's port number,
> without ending up in such a recursive lock scenario.
>
Hi,
>
> Just need to figure out a way to obtain the peer's port number,
> without ending up in such a recursive lock scenario.
>
Shouldn't this be enough?
diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index 6fb5c928b8fd..a36e5dfd6c66 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -59,30 +59,12 @@ void rds_tcp_keepalive(struct socket *sock)
static int
rds_tcp_get_peer_sport(struct socket *sock)
{
- union {
- struct sockaddr_storage storage;
- struct sockaddr addr;
- struct sockaddr_in sin;
- struct sockaddr_in6 sin6;
- } saddr;
- int sport;
-
- if (kernel_getpeername(sock, &saddr.addr) >= 0) {
- switch (saddr.addr.sa_family) {
- case AF_INET:
- sport = ntohs(saddr.sin.sin_port);
- break;
- case AF_INET6:
- sport = ntohs(saddr.sin6.sin6_port);
- break;
- default:
- sport = -1;
- }
- } else {
- sport = -1;
- }
+ struct sock *sk = sock->sk;
+
+ if (!sk)
+ return -1;
- return sport;
+ return ntohs(inet_sk(sk)->inet_dport);
}
It would be safe from rds_tcp_accept_one() path as the new_sock has a
reference count of 1 and no other component should be to release it.
In rds_tcp_conn_slots_available() path, fan-out can be only performed
from receive path, AFAIU if data is being processed from the socket we
should always be holding a lock.
If these premises are not correct, we can always make this conditional.
But getting rid of the kernel_getpeername() call is performance-wise too.
I am testing this against the syzbot report/reproducer.
Thanks,
Fernando.
Reply all
Reply to author
Forward
0 new messages