[v5.15] possible deadlock in team_del_slave (2)
0 views
Skip to first unread message
syzbot
Jan 12, 2024, 4:46:23 PMJan 12
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 26c690eff0a5 Linux 5.15.146
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=155dd60be80000
kernel config: https://syzkaller.appspot.com/x/.config?x=dc70d39e176dd118
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e450120944c93ce4d3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/40141853e0d3/disk-26c690ef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/87e1356f3f98/vmlinux-26c690ef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/77c63c93083b/bzImage-26c690ef.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8e450...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.146-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/25277 is trying to acquire lock:
ffff88801e324d00 (team->team_lock_key#9){+.+.}-{3:3}, at: team_del_slave+0x2e/0x1f0 drivers/net/team/team.c:1996
but task is already holding lock:
ffff88807b760628 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_del_interface+0x127/0x370 net/wireless/nl80211.c:4104
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&rdev->wiphy.mtx){+.+.}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
wiphy_lock include/net/cfg80211.h:5314 [inline]
ieee80211_open+0x13a/0x1f0 net/mac80211/iface.c:361
__dev_open+0x36f/0x500 net/core/dev.c:1506
dev_open+0xa9/0x260 net/core/dev.c:1542
team_port_add drivers/net/team/team.c:1212 [inline]
team_add_slave+0x981/0x27a0 drivers/net/team/team.c:1982
do_set_master net/core/rtnetlink.c:2543 [inline]
do_setlink+0xe71/0x3ae0 net/core/rtnetlink.c:2748
__rtnl_newlink net/core/rtnetlink.c:3429 [inline]
rtnl_newlink+0x17a4/0x2070 net/core/rtnetlink.c:3549
rtnetlink_rcv_msg+0x993/0xee0 net/core/rtnetlink.c:5630
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2429
___sys_sendmsg+0x252/0x2e0 net/socket.c:2483
__sys_sendmsg net/socket.c:2512 [inline]
__do_sys_sendmsg net/socket.c:2521 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2519
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (team->team_lock_key#9){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
team_del_slave+0x2e/0x1f0 drivers/net/team/team.c:1996
team_device_event+0x264/0x580 drivers/net/team/team.c:3038
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:391
call_netdevice_notifiers_info net/core/dev.c:2018 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
unregister_netdevice_many+0xf1b/0x18f0 net/core/dev.c:11090
unregister_netdevice_queue+0x2e6/0x350 net/core/dev.c:11023
unregister_netdevice include/linux/netdevice.h:3012 [inline]
_cfg80211_unregister_wdev+0x181/0x510 net/wireless/core.c:1127
ieee80211_if_remove+0x1cc/0x2c0 net/mac80211/iface.c:2090
ieee80211_del_iface+0x15/0x20 net/mac80211/cfg.c:145
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
nl80211_del_interface+0x1f5/0x370 net/wireless/nl80211.c:4106
genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
genl_rcv_msg+0xfbd/0x14a0 net/netlink/genetlink.c:792
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
genl_rcv+0x24/0x40 net/netlink/genetlink.c:803
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2429
___sys_sendmsg+0x252/0x2e0 net/socket.c:2483
__sys_sendmsg net/socket.c:2512 [inline]
__do_sys_sendmsg net/socket.c:2521 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2519
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&rdev->wiphy.mtx);
lock(team->team_lock_key#9);
lock(&rdev->wiphy.mtx);
lock(team->team_lock_key#9);
*** DEADLOCK ***
3 locks held by syz-executor.2/25277:
#0: ffffffff8da39d90 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:802
#1: ffffffff8d9da4c8 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x28/0x540 net/wireless/nl80211.c:14960
#2: ffff88807b760628 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_del_interface+0x127/0x370 net/wireless/nl80211.c:4104
stack backtrace:
CPU: 1 PID: 25277 Comm: syz-executor.2 Not tainted 5.15.146-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
team_del_slave+0x2e/0x1f0 drivers/net/team/team.c:1996
team_device_event+0x264/0x580 drivers/net/team/team.c:3038
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:391
call_netdevice_notifiers_info net/core/dev.c:2018 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
unregister_netdevice_many+0xf1b/0x18f0 net/core/dev.c:11090
unregister_netdevice_queue+0x2e6/0x350 net/core/dev.c:11023
unregister_netdevice include/linux/netdevice.h:3012 [inline]
_cfg80211_unregister_wdev+0x181/0x510 net/wireless/core.c:1127
ieee80211_if_remove+0x1cc/0x2c0 net/mac80211/iface.c:2090
ieee80211_del_iface+0x15/0x20 net/mac80211/cfg.c:145
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
nl80211_del_interface+0x1f5/0x370 net/wireless/nl80211.c:4106
genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
genl_rcv_msg+0xfbd/0x14a0 net/netlink/genetlink.c:792
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
genl_rcv+0x24/0x40 net/netlink/genetlink.c:803
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2429
___sys_sendmsg+0x252/0x2e0 net/socket.c:2483
__sys_sendmsg net/socket.c:2512 [inline]
__do_sys_sendmsg net/socket.c:2521 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2519
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f48822eada9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f488086c0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f4882419f80 RCX: 00007f48822eada9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000008
RBP: 00007f488233747a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4882419f80 R15: 00007ffc0f45a438
</TASK>
team0: Port device wlan1 removed
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 26c690eff0a5 Linux 5.15.146
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=155dd60be80000
kernel config: https://syzkaller.appspot.com/x/.config?x=dc70d39e176dd118
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e450120944c93ce4d3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/40141853e0d3/disk-26c690ef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/87e1356f3f98/vmlinux-26c690ef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/77c63c93083b/bzImage-26c690ef.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8e450...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.146-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/25277 is trying to acquire lock:
ffff88801e324d00 (team->team_lock_key#9){+.+.}-{3:3}, at: team_del_slave+0x2e/0x1f0 drivers/net/team/team.c:1996
but task is already holding lock:
ffff88807b760628 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_del_interface+0x127/0x370 net/wireless/nl80211.c:4104
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&rdev->wiphy.mtx){+.+.}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
wiphy_lock include/net/cfg80211.h:5314 [inline]
ieee80211_open+0x13a/0x1f0 net/mac80211/iface.c:361
__dev_open+0x36f/0x500 net/core/dev.c:1506
dev_open+0xa9/0x260 net/core/dev.c:1542
team_port_add drivers/net/team/team.c:1212 [inline]
team_add_slave+0x981/0x27a0 drivers/net/team/team.c:1982
do_set_master net/core/rtnetlink.c:2543 [inline]
do_setlink+0xe71/0x3ae0 net/core/rtnetlink.c:2748
__rtnl_newlink net/core/rtnetlink.c:3429 [inline]
rtnl_newlink+0x17a4/0x2070 net/core/rtnetlink.c:3549
rtnetlink_rcv_msg+0x993/0xee0 net/core/rtnetlink.c:5630
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2429
___sys_sendmsg+0x252/0x2e0 net/socket.c:2483
__sys_sendmsg net/socket.c:2512 [inline]
__do_sys_sendmsg net/socket.c:2521 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2519
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (team->team_lock_key#9){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
team_del_slave+0x2e/0x1f0 drivers/net/team/team.c:1996
team_device_event+0x264/0x580 drivers/net/team/team.c:3038
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:391
call_netdevice_notifiers_info net/core/dev.c:2018 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
unregister_netdevice_many+0xf1b/0x18f0 net/core/dev.c:11090
unregister_netdevice_queue+0x2e6/0x350 net/core/dev.c:11023
unregister_netdevice include/linux/netdevice.h:3012 [inline]
_cfg80211_unregister_wdev+0x181/0x510 net/wireless/core.c:1127
ieee80211_if_remove+0x1cc/0x2c0 net/mac80211/iface.c:2090
ieee80211_del_iface+0x15/0x20 net/mac80211/cfg.c:145
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
nl80211_del_interface+0x1f5/0x370 net/wireless/nl80211.c:4106
genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
genl_rcv_msg+0xfbd/0x14a0 net/netlink/genetlink.c:792
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
genl_rcv+0x24/0x40 net/netlink/genetlink.c:803
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2429
___sys_sendmsg+0x252/0x2e0 net/socket.c:2483
__sys_sendmsg net/socket.c:2512 [inline]
__do_sys_sendmsg net/socket.c:2521 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2519
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&rdev->wiphy.mtx);
lock(team->team_lock_key#9);
lock(&rdev->wiphy.mtx);
lock(team->team_lock_key#9);
*** DEADLOCK ***
3 locks held by syz-executor.2/25277:
#0: ffffffff8da39d90 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:802
#1: ffffffff8d9da4c8 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x28/0x540 net/wireless/nl80211.c:14960
#2: ffff88807b760628 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_del_interface+0x127/0x370 net/wireless/nl80211.c:4104
stack backtrace:
CPU: 1 PID: 25277 Comm: syz-executor.2 Not tainted 5.15.146-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
team_del_slave+0x2e/0x1f0 drivers/net/team/team.c:1996
team_device_event+0x264/0x580 drivers/net/team/team.c:3038
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:391
call_netdevice_notifiers_info net/core/dev.c:2018 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
unregister_netdevice_many+0xf1b/0x18f0 net/core/dev.c:11090
unregister_netdevice_queue+0x2e6/0x350 net/core/dev.c:11023
unregister_netdevice include/linux/netdevice.h:3012 [inline]
_cfg80211_unregister_wdev+0x181/0x510 net/wireless/core.c:1127
ieee80211_if_remove+0x1cc/0x2c0 net/mac80211/iface.c:2090
ieee80211_del_iface+0x15/0x20 net/mac80211/cfg.c:145
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
nl80211_del_interface+0x1f5/0x370 net/wireless/nl80211.c:4106
genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
genl_rcv_msg+0xfbd/0x14a0 net/netlink/genetlink.c:792
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
genl_rcv+0x24/0x40 net/netlink/genetlink.c:803
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2429
___sys_sendmsg+0x252/0x2e0 net/socket.c:2483
__sys_sendmsg net/socket.c:2512 [inline]
__do_sys_sendmsg net/socket.c:2521 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2519
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f48822eada9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f488086c0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f4882419f80 RCX: 00007f48822eada9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000008
RBP: 00007f488233747a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4882419f80 R15: 00007ffc0f45a438
</TASK>
team0: Port device wlan1 removed
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jan 18, 2024, 4:03:17 PMJan 18
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: ddcaf4999061 Linux 5.15.147
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14c71e0de80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8c65db3d25098c3c
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16339b1be80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fe87fb57528f/disk-ddcaf499.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f64608a2759c/vmlinux-ddcaf499.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84cae5bc6ed5/bzImage-ddcaf499.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8e450...@syzkaller.appspotmail.com
netlink: 60 bytes leftover after parsing attributes in process `syz-executor345'.
device wlan1 entered promiscuous mode
team0: Port device wlan1 added
------------------------------------------------------
syz-executor345/3510 is trying to acquire lock:
ffff888072820d00 (team->team_lock_key){+.+.}-{3:3}, at: team_del_slave+0x2e/0x1f0 drivers/net/team/team.c:1996
but task is already holding lock:
ffff888014bf8628 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_del_interface+0x127/0x370 net/wireless/nl80211.c:4104
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&rdev->wiphy.mtx){+.+.}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
wiphy_lock include/net/cfg80211.h:5314 [inline]
ieee80211_open+0x13a/0x1f0 net/mac80211/iface.c:361
__dev_open+0x36f/0x500 net/core/dev.c:1506
dev_open+0xa9/0x260 net/core/dev.c:1542
team_port_add drivers/net/team/team.c:1212 [inline]
team_add_slave+0x981/0x27a0 drivers/net/team/team.c:1982
do_set_master net/core/rtnetlink.c:2543 [inline]
do_setlink+0xe71/0x3ae0 net/core/rtnetlink.c:2748
__rtnl_newlink net/core/rtnetlink.c:3429 [inline]
rtnl_newlink+0x17a4/0x2070 net/core/rtnetlink.c:3549
rtnetlink_rcv_msg+0x993/0xee0 net/core/rtnetlink.c:5630
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2431
___sys_sendmsg+0x252/0x2e0 net/socket.c:2485
__sys_sendmsg net/socket.c:2514 [inline]
__do_sys_sendmsg net/socket.c:2523 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2521
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2431
___sys_sendmsg+0x252/0x2e0 net/socket.c:2485
__sys_sendmsg net/socket.c:2514 [inline]
__do_sys_sendmsg net/socket.c:2523 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2521
lock(&rdev->wiphy.mtx);
lock(team->team_lock_key);
*** DEADLOCK ***
3 locks held by syz-executor345/3510:
#0: ffffffff8da39c90 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:802
#1: ffffffff8d9da3c8 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x28/0x540 net/wireless/nl80211.c:14960
#2: ffff888014bf8628 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_del_interface+0x127/0x370 net/wireless/nl80211.c:4104
stack backtrace:
CPU: 1 PID: 3510 Comm: syz-executor345 Not tainted 5.15.147-syzkaller #0
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2431
___sys_sendmsg+0x252/0x2e0 net/socket.c:2485
__sys_sendmsg net/socket.c:2514 [inline]
__do_sys_sendmsg net/socket.c:2523 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2521
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcbe7b0678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f94f616e4a9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffcbe7b0700
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000031
R13: 0000000000000047 R14: 0000000000050012 R15: 0000000000000003
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: ddcaf4999061 Linux 5.15.147
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14c71e0de80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8c65db3d25098c3c
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e450120944c93ce4d3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc6ddbe80000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16339b1be80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fe87fb57528f/disk-ddcaf499.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f64608a2759c/vmlinux-ddcaf499.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84cae5bc6ed5/bzImage-ddcaf499.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8e450...@syzkaller.appspotmail.com
device wlan1 entered promiscuous mode
team0: Port device wlan1 added
======================================================
WARNING: possible circular locking dependency detected
5.15.147-syzkaller #0 Not tainted
WARNING: possible circular locking dependency detected
------------------------------------------------------
syz-executor345/3510 is trying to acquire lock:
ffff888072820d00 (team->team_lock_key){+.+.}-{3:3}, at: team_del_slave+0x2e/0x1f0 drivers/net/team/team.c:1996
but task is already holding lock:
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&rdev->wiphy.mtx){+.+.}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
wiphy_lock include/net/cfg80211.h:5314 [inline]
ieee80211_open+0x13a/0x1f0 net/mac80211/iface.c:361
__dev_open+0x36f/0x500 net/core/dev.c:1506
dev_open+0xa9/0x260 net/core/dev.c:1542
team_port_add drivers/net/team/team.c:1212 [inline]
team_add_slave+0x981/0x27a0 drivers/net/team/team.c:1982
do_set_master net/core/rtnetlink.c:2543 [inline]
do_setlink+0xe71/0x3ae0 net/core/rtnetlink.c:2748
__rtnl_newlink net/core/rtnetlink.c:3429 [inline]
rtnl_newlink+0x17a4/0x2070 net/core/rtnetlink.c:3549
rtnetlink_rcv_msg+0x993/0xee0 net/core/rtnetlink.c:5630
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
___sys_sendmsg+0x252/0x2e0 net/socket.c:2485
__sys_sendmsg net/socket.c:2514 [inline]
__do_sys_sendmsg net/socket.c:2523 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2521
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (team->team_lock_key){+.+.}-{3:3}:
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
___sys_sendmsg+0x252/0x2e0 net/socket.c:2485
__sys_sendmsg net/socket.c:2514 [inline]
__do_sys_sendmsg net/socket.c:2523 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2521
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&rdev->wiphy.mtx);
lock(team->team_lock_key);
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&rdev->wiphy.mtx);
lock(&rdev->wiphy.mtx);
lock(team->team_lock_key);
*** DEADLOCK ***
3 locks held by syz-executor345/3510:
#0: ffffffff8da39c90 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:802
#1: ffffffff8d9da3c8 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x28/0x540 net/wireless/nl80211.c:14960
#2: ffff888014bf8628 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_del_interface+0x127/0x370 net/wireless/nl80211.c:4104
stack backtrace:
CPU: 1 PID: 3510 Comm: syz-executor345 Not tainted 5.15.147-syzkaller #0
___sys_sendmsg+0x252/0x2e0 net/socket.c:2485
__sys_sendmsg net/socket.c:2514 [inline]
__do_sys_sendmsg net/socket.c:2523 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2521
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f94f616e4a9
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcbe7b0678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f94f616e4a9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffcbe7b0700
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000031
R13: 0000000000000047 R14: 0000000000050012 R15: 0000000000000003
</TASK>
team0: Port device wlan1 removed
syz-executor345 (3510) used greatest stack depth: 19768 bytes left
team0: Port device wlan1 removed
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages