possible deadlock in gsmld_write_wakeup


syzbot

Sep 3, 2022, 11:32:34 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: e548869f356f Linux 4.14.291
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=161fa6cd080000
kernel config: https://syzkaller.appspot.com/x/.config?x=14f65e3c6215eb84
dashboard link: https://syzkaller.appspot.com/bug?extid=5f530e5faee41dac1a0f
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/edb4b0800592/disk-e548869f.raw.xz
vmlinux: https://storage.googleapis.com/1e0119ec09aa/vmlinux-e548869f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5f530e...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
4.14.291-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/15611 is trying to acquire lock:
(&(&gsm->tx_lock)->rlock){-...}, at: [<ffffffff8356edce>] gsmld_write_wakeup+0x4e/0xd0 drivers/tty/n_gsm.c:2490

but task is already holding lock:
(&port_lock_key){-.-.}, at: [<ffffffff835c4560>] serial8250_handle_irq.part.0+0x20/0x330 drivers/tty/serial/8250/8250_port.c:1891

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&port_lock_key){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
uart_write_room+0xd5/0x340 drivers/tty/serial/serial_core.c:643
tty_write_room+0x61/0x80 drivers/tty/tty_ioctl.c:78
gsmld_write+0x69/0x120 drivers/tty/n_gsm.c:2546
do_tty_write drivers/tty/tty_io.c:959 [inline]
tty_write+0x410/0x740 drivers/tty/tty_io.c:1043
__vfs_write+0xe4/0x630 fs/read_write.c:480
__kernel_write+0xf5/0x330 fs/read_write.c:501
write_pipe_buf+0x143/0x1c0 fs/splice.c:797
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x326/0x7a0 fs/splice.c:626
splice_from_pipe fs/splice.c:661 [inline]
default_file_splice_write+0xc5/0x150 fs/splice.c:809
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x115/0x160 fs/splice.c:1016
splice_direct_to_actor+0x25a/0x700 fs/splice.c:971
do_splice_direct+0x164/0x210 fs/splice.c:1059
do_sendfile+0x47f/0xb30 fs/read_write.c:1441
SYSC_sendfile64 fs/read_write.c:1502 [inline]
SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&(&gsm->tx_lock)->rlock){-...}:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
gsmld_write_wakeup+0x4e/0xd0 drivers/tty/n_gsm.c:2490
tty_wakeup+0xc3/0xf0 drivers/tty/tty_io.c:533
tty_port_default_wakeup+0x26/0x40 drivers/tty/tty_port.c:49
serial8250_tx_chars+0x3fe/0xc70 drivers/tty/serial/8250/8250_port.c:1828
serial8250_handle_irq.part.0+0x28d/0x330 drivers/tty/serial/8250/8250_port.c:1915
serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1888 [inline]
serial8250_default_handle_irq+0x8a/0x1f0 drivers/tty/serial/8250/8250_port.c:1931
serial8250_interrupt+0xf3/0x210 drivers/tty/serial/8250/8250_core.c:129
__handle_irq_event_percpu+0xee/0x7f0 kernel/irq/handle.c:147
handle_irq_event_percpu kernel/irq/handle.c:187 [inline]
handle_irq_event+0xed/0x240 kernel/irq/handle.c:204
handle_edge_irq+0x224/0xc40 kernel/irq/chip.c:770
generic_handle_irq_desc include/linux/irqdesc.h:159 [inline]
handle_irq+0x35/0x50 arch/x86/kernel/irq_64.c:87
do_IRQ+0x93/0x1d0 arch/x86/kernel/irq.c:230
ret_from_intr+0x0/0x1e
arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0xa3/0xe0 kernel/locking/spinlock.c:192
spin_unlock_irqrestore include/linux/spinlock.h:372 [inline]
__wake_up_common_lock+0xcd/0x140 kernel/sched/wait.c:127
unix_dgram_recvmsg+0x27d/0xc60 net/unix/af_unix.c:2172
___sys_recvmsg+0x20b/0x4d0 net/socket.c:2221
__sys_recvmmsg+0x1f3/0x5d0 net/socket.c:2329
SYSC_recvmmsg net/socket.c:2405 [inline]
SyS_recvmmsg+0x125/0x140 net/socket.c:2394
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                              CPU1
       ----                              ----
  lock(&port_lock_key);
                                    lock(&(&gsm->tx_lock)->rlock);
                                    lock(&port_lock_key);
  lock(&(&gsm->tx_lock)->rlock);

*** DEADLOCK ***

4 locks held by syz-executor.1/15611:
#0: (&u->iolock){+.+.}, at: [<ffffffff86322ad4>] unix_dgram_recvmsg+0x1e4/0xc60 net/unix/af_unix.c:2146
#1: (&(&i->lock)->rlock){-.-.}, at: [<ffffffff835b18ea>] spin_lock include/linux/spinlock.h:317 [inline]
#1: (&(&i->lock)->rlock){-.-.}, at: [<ffffffff835b18ea>] serial8250_interrupt+0x3a/0x210 drivers/tty/serial/8250/8250_core.c:119
#2: (&port_lock_key){-.-.}, at: [<ffffffff835c4560>] serial8250_handle_irq.part.0+0x20/0x330 drivers/tty/serial/8250/8250_port.c:1891
#3: (&tty->ldisc_sem){++++}, at: [<ffffffff83556bfb>] tty_ldisc_ref+0x1b/0x80 drivers/tty/tty_ldisc.c:305

stack backtrace:
CPU: 1 PID: 15611 Comm: syz-executor.1 Not tainted 4.14.291-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1905 [inline]
check_prevs_add kernel/locking/lockdep.c:2022 [inline]
validate_chain kernel/locking/lockdep.c:2464 [inline]
__lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
gsmld_write_wakeup+0x4e/0xd0 drivers/tty/n_gsm.c:2490
tty_wakeup+0xc3/0xf0 drivers/tty/tty_io.c:533
tty_port_default_wakeup+0x26/0x40 drivers/tty/tty_port.c:49
serial8250_tx_chars+0x3fe/0xc70 drivers/tty/serial/8250/8250_port.c:1828
serial8250_handle_irq.part.0+0x28d/0x330 drivers/tty/serial/8250/8250_port.c:1915
serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1888 [inline]
serial8250_default_handle_irq+0x8a/0x1f0 drivers/tty/serial/8250/8250_port.c:1931
serial8250_interrupt+0xf3/0x210 drivers/tty/serial/8250/8250_core.c:129
__handle_irq_event_percpu+0xee/0x7f0 kernel/irq/handle.c:147
handle_irq_event_percpu kernel/irq/handle.c:187 [inline]
handle_irq_event+0xed/0x240 kernel/irq/handle.c:204
handle_edge_irq+0x224/0xc40 kernel/irq/chip.c:770
generic_handle_irq_desc include/linux/irqdesc.h:159 [inline]
handle_irq+0x35/0x50 arch/x86/kernel/irq_64.c:87
do_IRQ+0x93/0x1d0 arch/x86/kernel/irq.c:230
common_interrupt+0x93/0x93 arch/x86/entry/entry_64.S:576
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa3/0xe0 kernel/locking/spinlock.c:192
RSP: 0018:ffff88806880f858 EFLAGS: 00000286 ORIG_RAX: ffffffffffffffc8
RAX: 1ffffffff11e1341 RBX: 0000000000000286 RCX: 1ffff1100d3f916d
RDX: dffffc0000000000 RSI: ffff888069fc8b48 RDI: 0000000000000286
RBP: ffff8880b44d5e00 R08: ffff8880ba434d30 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000304 R15: 1ffff1100d101f10
spin_unlock_irqrestore include/linux/spinlock.h:372 [inline]
__wake_up_common_lock+0xcd/0x140 kernel/sched/wait.c:127
unix_dgram_recvmsg+0x27d/0xc60 net/unix/af_unix.c:2172
___sys_recvmsg+0x20b/0x4d0 net/socket.c:2221
__sys_recvmmsg+0x1f3/0x5d0 net/socket.c:2329
SYSC_recvmmsg net/socket.c:2405 [inline]
SyS_recvmmsg+0x125/0x140 net/socket.c:2394
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7ff441201279
RSP: 002b:00007ff43fb55168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007ff441314050 RCX: 00007ff441201279
RDX: 0000000000010106 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007ff44125b2e9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdc83cb2df R14: 00007ff43fb55300 R15: 0000000000022000


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Sep 3, 2022, 9:45:31 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: e548869f356f Linux 4.14.291
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=148cfee5080000
kernel config: https://syzkaller.appspot.com/x/.config?x=14f65e3c6215eb84
dashboard link: https://syzkaller.appspot.com/bug?extid=5f530e5faee41dac1a0f
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134973ab080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17baf71b080000

Downloadable assets:
disk image: https://storage.googleapis.com/edb4b0800592/disk-e548869f.raw.xz
vmlinux: https://storage.googleapis.com/1e0119ec09aa/vmlinux-e548869f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5f530e...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
======================================================
WARNING: possible circular locking dependency detected
4.14.291-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u4:4/2850 is trying to acquire lock:
lock_acquire+0x1ec/0x3f0 kernel/locking/lockdep.c:4001
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:176
spin_lock_bh include/linux/spinlock.h:322 [inline]
batadv_nc_purge_paths+0xce/0x300 net/batman-adv/network-coding.c:452
batadv_nc_worker+0x660/0xc50 net/batman-adv/network-coding.c:731
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                              CPU1
       ----                              ----
  lock(&port_lock_key);
                                    lock(&(&gsm->tx_lock)->rlock);
                                    lock(&port_lock_key);
  lock(&(&gsm->tx_lock)->rlock);

*** DEADLOCK ***

6 locks held by kworker/u4:4/2850:
#0: ("%s""bat_events"){+.+.}, at: [<ffffffff81364eb0>] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
#1: ((&(&bat_priv->nc.work)->work)){+.+.}, at: [<ffffffff81364ee6>] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
#2: (key#14){+...}, at: [<ffffffff86eb42ce>] spin_lock_bh include/linux/spinlock.h:322 [inline]
#2: (key#14){+...}, at: [<ffffffff86eb42ce>] batadv_nc_purge_paths+0xce/0x300 net/batman-adv/network-coding.c:452
#3: (&(&i->lock)->rlock){-.-.}, at: [<ffffffff835b18ea>] spin_lock include/linux/spinlock.h:317 [inline]
#3: (&(&i->lock)->rlock){-.-.}, at: [<ffffffff835b18ea>] serial8250_interrupt+0x3a/0x210 drivers/tty/serial/8250/8250_core.c:119
#4: (&port_lock_key){-.-.}, at: [<ffffffff835c4560>] serial8250_handle_irq.part.0+0x20/0x330 drivers/tty/serial/8250/8250_port.c:1891
#5: (&tty->ldisc_sem){++++}, at: [<ffffffff83556bfb>] tty_ldisc_ref+0x1b/0x80 drivers/tty/tty_ldisc.c:305

stack backtrace:
CPU: 1 PID: 2850 Comm: kworker/u4:4 Not tainted 4.14.291-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: bat_events batadv_nc_worker
RIP: 0010:lock_acquire+0x1ec/0x3f0 kernel/locking/lockdep.c:4001
RSP: 0018:ffff8880ac7a7c00 EFLAGS: 00000286 ORIG_RAX: ffffffffffffffc8
RAX: 1ffffffff11e1341 RBX: ffff8880ac7985c0 RCX: 0000000000004292
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000286
RBP: ffff8880960d9db0 R08: ffffffff8b9c2f90 R09: 0000000000040586
R10: ffff8880ac798e98 R11: ffff8880ac7985c0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:176
spin_lock_bh include/linux/spinlock.h:322 [inline]
batadv_nc_purge_paths+0xce/0x300 net/batman-adv/network-coding.c:452
batadv_nc_worker+0x660/0xc50 net/batman-adv/network-coding.c:731
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
