possible deadlock in rtnl_lock
94 views
Skip to first unread message
syzbot
Jan 5, 2020, 8:18:10 PM1/5/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 3d40d711 Linux 4.19.93
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1778b059e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f02ca1f135b0c3c5
dashboard link: https://syzkaller.appspot.com/bug?extid=01eabdd756dc11fa28e2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+01eabd...@syzkaller.appspotmail.com
netlink: 32 bytes leftover after parsing attributes in process
`syz-executor.3'.
netlink: 'syz-executor.3': attribute type 1 has an invalid length.
netlink: 32 bytes leftover after parsing attributes in process
`syz-executor.3'.
============================================
WARNING: possible recursive locking detected
4.19.93-syzkaller #0 Not tainted
--------------------------------------------
syz-executor.0/14139 is trying to acquire lock:
00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20
net/core/rtnetlink.c:77
kobject: 'loop2' (000000001443445a): kobject_uevent_env
but task is already holding lock:
00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77
[inline]
00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00
net/core/rtnetlink.c:4765
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rtnl_mutex);
lock(rtnl_mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by syz-executor.0/14139:
#0: 00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnl_lock
net/core/rtnetlink.c:77 [inline]
#0: 00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00
net/core/rtnetlink.c:4765
stack backtrace:
CPU: 1 PID: 14139 Comm: syz-executor.0 Not tainted 4.19.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
kobject: 'loop2' (000000001443445a): fill_kobj_path: path
= '/devices/virtual/block/loop2'
print_deadlock_bug kernel/locking/lockdep.c:1759 [inline]
check_deadlock kernel/locking/lockdep.c:1803 [inline]
validate_chain kernel/locking/lockdep.c:2399 [inline]
__lock_acquire.cold+0x20f/0x4a7 kernel/locking/lockdep.c:3411
kobject: 'loop5' (00000000b366964e): kobject_uevent_env
kobject: 'loop5' (00000000b366964e): fill_kobj_path: path
= '/devices/virtual/block/loop5'
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
kobject: 'loop2' (000000001443445a): kobject_uevent_env
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
hsr_dev_destroy+0x1f/0xc0 net/hsr/hsr_device.c:371
kobject: 'loop2' (000000001443445a): fill_kobj_path: path
= '/devices/virtual/block/loop2'
register_netdevice+0xc3c/0xff0 net/core/dev.c:8599
hsr_dev_finalize+0x4fc/0x780 net/hsr/hsr_device.c:489
hsr_newlink+0x26b/0x380 net/hsr/hsr_netlink.c:72
rtnl_newlink+0x1042/0x1600 net/core/rtnetlink.c:3132
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4768
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4786
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
kobject: 'loop3' (000000002ce0aafc): kobject_uevent_env
kobject: 'loop3' (000000002ce0aafc): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop4' (00000000fa9ede95): kobject_uevent_env
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
kobject: 'loop4' (00000000fa9ede95): fill_kobj_path: path
= '/devices/virtual/block/loop4'
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45af49
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f953927dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045af49
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f953927e6d4
R13: 00000000004ca811 R14: 00000000004e39b8 R15: 00000000ffffffff
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 3d40d711 Linux 4.19.93
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1778b059e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f02ca1f135b0c3c5
dashboard link: https://syzkaller.appspot.com/bug?extid=01eabdd756dc11fa28e2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+01eabd...@syzkaller.appspotmail.com
netlink: 32 bytes leftover after parsing attributes in process
`syz-executor.3'.
netlink: 'syz-executor.3': attribute type 1 has an invalid length.
netlink: 32 bytes leftover after parsing attributes in process
`syz-executor.3'.
============================================
WARNING: possible recursive locking detected
4.19.93-syzkaller #0 Not tainted
--------------------------------------------
syz-executor.0/14139 is trying to acquire lock:
00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20
net/core/rtnetlink.c:77
kobject: 'loop2' (000000001443445a): kobject_uevent_env
but task is already holding lock:
00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77
[inline]
00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00
net/core/rtnetlink.c:4765
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rtnl_mutex);
lock(rtnl_mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by syz-executor.0/14139:
#0: 00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnl_lock
net/core/rtnetlink.c:77 [inline]
#0: 00000000bff81e1d (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00
net/core/rtnetlink.c:4765
stack backtrace:
CPU: 1 PID: 14139 Comm: syz-executor.0 Not tainted 4.19.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
kobject: 'loop2' (000000001443445a): fill_kobj_path: path
= '/devices/virtual/block/loop2'
print_deadlock_bug kernel/locking/lockdep.c:1759 [inline]
check_deadlock kernel/locking/lockdep.c:1803 [inline]
validate_chain kernel/locking/lockdep.c:2399 [inline]
__lock_acquire.cold+0x20f/0x4a7 kernel/locking/lockdep.c:3411
kobject: 'loop5' (00000000b366964e): kobject_uevent_env
kobject: 'loop5' (00000000b366964e): fill_kobj_path: path
= '/devices/virtual/block/loop5'
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
kobject: 'loop2' (000000001443445a): kobject_uevent_env
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
hsr_dev_destroy+0x1f/0xc0 net/hsr/hsr_device.c:371
kobject: 'loop2' (000000001443445a): fill_kobj_path: path
= '/devices/virtual/block/loop2'
register_netdevice+0xc3c/0xff0 net/core/dev.c:8599
hsr_dev_finalize+0x4fc/0x780 net/hsr/hsr_device.c:489
hsr_newlink+0x26b/0x380 net/hsr/hsr_netlink.c:72
rtnl_newlink+0x1042/0x1600 net/core/rtnetlink.c:3132
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4768
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4786
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
kobject: 'loop3' (000000002ce0aafc): kobject_uevent_env
kobject: 'loop3' (000000002ce0aafc): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop4' (00000000fa9ede95): kobject_uevent_env
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
kobject: 'loop4' (00000000fa9ede95): fill_kobj_path: path
= '/devices/virtual/block/loop4'
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45af49
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f953927dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045af49
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f953927e6d4
R13: 00000000004ca811 R14: 00000000004e39b8 R15: 00000000ffffffff
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jan 5, 2020, 8:45:10 PM1/5/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 84f5ad46 Linux 4.14.162
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=102e4656e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=67bcc84091a71c98
dashboard link: https://syzkaller.appspot.com/bug?extid=b60aa6f86a4198c1258e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b60aa6...@syzkaller.appspotmail.com
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor.4'.
netlink: 32 bytes leftover after parsing attributes in process
`syz-executor.1'.
netlink: 32 bytes leftover after parsing attributes in process
`syz-executor.1'.
============================================
WARNING: possible recursive locking detected
4.14.162-syzkaller #0 Not tainted
WARNING: possible recursive locking detected
kobject: 'loop2' (ffff8880a41bc320): kobject_uevent_env
--------------------------------------------
syz-executor.4/11002 is trying to acquire lock:
(rtnl_mutex){+.+.}, at: [<ffffffff85232b97>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:72
but task is already holding lock:
= '/devices/virtual/block/loop2'
(rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>] rtnl_lock
net/core/rtnetlink.c:72 [inline]
(rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>] rtnetlink_rcv_msg+0x339/0xb70
net/core/rtnetlink.c:4301
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rtnl_mutex);
lock(rtnl_mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
#0: (rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>] rtnl_lock
net/core/rtnetlink.c:72 [inline]
#0: (rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>]
rtnetlink_rcv_msg+0x339/0xb70 net/core/rtnetlink.c:4301
stack backtrace:
CPU: 1 PID: 11002 Comm: syz-executor.4 Not tainted 4.14.162-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_deadlock_bug kernel/locking/lockdep.c:1796 [inline]
check_deadlock kernel/locking/lockdep.c:1843 [inline]
validate_chain kernel/locking/lockdep.c:2444 [inline]
__lock_acquire.cold+0x2bf/0x8dc kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xe8/0x1470 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
rtnl_lock+0x17/0x20 net/core/rtnetlink.c:72
hsr_dev_destroy+0x1f/0xc0 net/hsr/hsr_device.c:371
register_netdevice+0x7da/0xca0 net/core/dev.c:7721
hsr_dev_finalize+0x582/0x80a net/hsr/hsr_device.c:490
hsr_newlink+0x250/0x340 net/hsr/hsr_netlink.c:72
rtnl_newlink+0xecb/0x1700 net/core/rtnetlink.c:2719
rtnetlink_rcv_msg+0x3da/0xb70 net/core/rtnetlink.c:4306
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4318
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45af49
RSP: 002b:00007f6fd5a38c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045af49
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6fd5a396d4
R13: 00000000004ca811 R14: 00000000004e39b8 R15: 00000000ffffffff
kobject: 'loop5' (ffff8880a42e6d20): kobject_uevent_env
kobject: 'loop5' (ffff8880a42e6d20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (ffff8880a41bc320): kobject_uevent_env
kobject: 'loop2' (ffff8880a41bc320): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop3' (ffff8880a42503a0): kobject_uevent_env
kobject: 'loop3' (ffff8880a42503a0): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop2' (ffff8880a41bc320): kobject_uevent_env
kobject: 'loop2' (ffff8880a41bc320): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop2' (ffff8880a41bc320): kobject_uevent_env
kobject: 'loop2' (ffff8880a41bc320): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop3' (ffff8880a42503a0): kobject_uevent_env
kobject: 'loop3' (ffff8880a42503a0): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (ffff8880a41602e0): kobject_uevent_env
kobject: 'loop1' (ffff8880a41602e0): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (ffff8880a4128260): kobject_uevent_env
kobject: 'loop0' (ffff8880a4128260): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (ffff8880a42e6d20): kobject_uevent_env
kobject: 'loop5' (ffff8880a42e6d20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
syzbot
Jan 5, 2020, 9:06:09 PM1/5/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 3d40d711 Linux 4.19.93
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17051e15e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a29ac6e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+01eabd...@syzkaller.appspotmail.com
audit: type=1400 audit(1578276148.086:36): avc: denied { map } for
pid=8016 comm="syz-executor130" path="/root/syz-executor130465236"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor130'.
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor130'.
000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20
net/core/rtnetlink.c:77
but task is already holding lock:
000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77
[inline]
000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00
#0: 000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnl_lock
net/core/rtnetlink.c:77 [inline]
#0: 000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00
net/core/rtnetlink.c:4765
stack backtrace:
CPU: 1 PID: 8016 Comm: syz-executor130 Not tainted 4.19.93-syzkaller #0
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
RSP: 002b:00007ffd9e14dff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004408e9
R10: 0000000000000014 R11: 0000000000000246 R12: 0000000000402170
R13: 0000000000402200 R14: 0000000000000000 R15: 0000000000000000
HEAD commit: 3d40d711 Linux 4.19.93
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=f02ca1f135b0c3c5
dashboard link: https://syzkaller.appspot.com/bug?extid=01eabdd756dc11fa28e2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1216c085e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=01eabdd756dc11fa28e2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a29ac6e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+01eabd...@syzkaller.appspotmail.com
pid=8016 comm="syz-executor130" path="/root/syz-executor130465236"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor130'.
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor130'.
============================================
WARNING: possible recursive locking detected
4.19.93-syzkaller #0 Not tainted
--------------------------------------------
syz-executor130/8016 is trying to acquire lock:
WARNING: possible recursive locking detected
4.19.93-syzkaller #0 Not tainted
--------------------------------------------
000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20
net/core/rtnetlink.c:77
but task is already holding lock:
[inline]
000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00
net/core/rtnetlink.c:4765
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rtnl_mutex);
lock(rtnl_mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by syz-executor130/8016:
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rtnl_mutex);
lock(rtnl_mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
#0: 000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnl_lock
net/core/rtnetlink.c:77 [inline]
#0: 000000000c4afb06 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40a/0xb00
net/core/rtnetlink.c:4765
stack backtrace:
CPU: 1 PID: 8016 Comm: syz-executor130 Not tainted 4.19.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_deadlock_bug kernel/locking/lockdep.c:1759 [inline]
check_deadlock kernel/locking/lockdep.c:1803 [inline]
validate_chain kernel/locking/lockdep.c:2399 [inline]
__lock_acquire.cold+0x20f/0x4a7 kernel/locking/lockdep.c:3411
check_deadlock kernel/locking/lockdep.c:1803 [inline]
validate_chain kernel/locking/lockdep.c:2399 [inline]
__lock_acquire.cold+0x20f/0x4a7 kernel/locking/lockdep.c:3411
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
hsr_dev_destroy+0x1f/0xc0 net/hsr/hsr_device.c:371
rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
hsr_dev_destroy+0x1f/0xc0 net/hsr/hsr_device.c:371
register_netdevice+0xc3c/0xff0 net/core/dev.c:8599
hsr_dev_finalize+0x4fc/0x780 net/hsr/hsr_device.c:489
hsr_newlink+0x26b/0x380 net/hsr/hsr_netlink.c:72
rtnl_newlink+0x1042/0x1600 net/core/rtnetlink.c:3132
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4768
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4786
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
hsr_dev_finalize+0x4fc/0x780 net/hsr/hsr_device.c:489
hsr_newlink+0x26b/0x380 net/hsr/hsr_netlink.c:72
rtnl_newlink+0x1042/0x1600 net/core/rtnetlink.c:3132
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4768
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4786
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4408e9
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd9e14dff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004408e9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 0000000000000002 R09: 00000000004002c8
R10: 0000000000000014 R11: 0000000000000246 R12: 0000000000402170
R13: 0000000000402200 R14: 0000000000000000 R15: 0000000000000000
syzbot
Jan 5, 2020, 9:46:10 PM1/5/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=135f1fb6e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1506d971e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b60aa6...@syzkaller.appspotmail.com
audit: type=1400 audit(1578278573.428:36): avc: denied { map } for
pid=7147 comm="syz-executor373" path="/root/syz-executor373827157"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
syz-executor373/7147 is trying to acquire lock:
RIP: 0033:0x4408e9
RSP: 002b:00007fff7fd6a9a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004408e9
HEAD commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=67bcc84091a71c98
dashboard link: https://syzkaller.appspot.com/bug?extid=b60aa6f86a4198c1258e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16bd7ab9e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=b60aa6f86a4198c1258e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1506d971e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b60aa6...@syzkaller.appspotmail.com
pid=7147 comm="syz-executor373" path="/root/syz-executor373827157"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor373'.
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor373'.
============================================
WARNING: possible recursive locking detected
4.14.162-syzkaller #0 Not tainted
--------------------------------------------
WARNING: possible recursive locking detected
4.14.162-syzkaller #0 Not tainted
syz-executor373/7147 is trying to acquire lock:
(rtnl_mutex){+.+.}, at: [<ffffffff85232b97>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:72
but task is already holding lock:
net/core/rtnetlink.c:72
but task is already holding lock:
(rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>] rtnl_lock
net/core/rtnetlink.c:72 [inline]
(rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>] rtnetlink_rcv_msg+0x339/0xb70
net/core/rtnetlink.c:4301
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rtnl_mutex);
lock(rtnl_mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by syz-executor373/7147:
net/core/rtnetlink.c:72 [inline]
(rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>] rtnetlink_rcv_msg+0x339/0xb70
net/core/rtnetlink.c:4301
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rtnl_mutex);
lock(rtnl_mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
#0: (rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>] rtnl_lock
net/core/rtnetlink.c:72 [inline]
#0: (rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>]
rtnetlink_rcv_msg+0x339/0xb70 net/core/rtnetlink.c:4301
stack backtrace:
CPU: 1 PID: 7147 Comm: syz-executor373 Not tainted 4.14.162-syzkaller #0
net/core/rtnetlink.c:72 [inline]
#0: (rtnl_mutex){+.+.}, at: [<ffffffff8523c0b9>]
rtnetlink_rcv_msg+0x339/0xb70 net/core/rtnetlink.c:4301
stack backtrace:
RSP: 002b:00007fff7fd6a9a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004408e9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
Reply all
Reply to author
Forward
0 new messages