[v5.15] possible deadlock in sock_map_unref
0 views
Skip to first unread message
syzbot
Jun 14, 2024, 3:42:23 PM (7 days ago) Jun 14
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: c61bd26ae81a Linux 5.15.160
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=170693fe980000
kernel config: https://syzkaller.appspot.com/x/.config?x=235f0e81ca937c17
dashboard link: https://syzkaller.appspot.com/bug?extid=10c6083a9bdc03c0012f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0b0ee2a8e528/disk-c61bd26a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3c4f144d6e07/vmlinux-c61bd26a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f2097ca43b34/bzImage-c61bd26a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10c608...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.160-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/8250 is trying to acquire lock:
ffff8880155af3d8 (clock-AF_UNIX){++..}-{2:2}, at: sock_map_del_link net/core/sock_map.c:165 [inline]
ffff8880155af3d8 (clock-AF_UNIX){++..}-{2:2}, at: sock_map_unref+0x442/0x5d0 net/core/sock_map.c:182
but task is already holding lock:
ffff88807a8701c0 (&stab->lock){+.-.}-{2:2}, at: sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:495
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&stab->lock){+.-.}-{2:2}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
__sock_map_delete net/core/sock_map.c:419 [inline]
sock_map_delete_elem+0x161/0x230 net/core/sock_map.c:451
0xffffffffa0032856
bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
__bpf_prog_run include/linux/filter.h:628 [inline]
bpf_prog_run include/linux/filter.h:635 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:1880 [inline]
bpf_trace_run2+0x19e/0x340 kernel/trace/bpf_trace.c:1917
__bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:118
trace_kfree include/trace/events/kmem.h:118 [inline]
kfree+0x22f/0x270 mm/slub.c:4549
__bpf_prog_put_noref+0x9c/0x2b0 kernel/bpf/syscall.c:1796
bpf_prog_put_deferred+0x2ee/0x3e0 kernel/bpf/syscall.c:1822
__bpf_prog_put kernel/bpf/syscall.c:1834 [inline]
bpf_prog_put+0x260/0x2a0 kernel/bpf/syscall.c:1841
psock_set_prog include/linux/skmsg.h:477 [inline]
sk_psock_stop_verdict net/core/skmsg.c:1234 [inline]
sk_psock_drop+0x243/0x500 net/core/skmsg.c:830
sk_psock_put include/linux/skmsg.h:459 [inline]
sock_map_close+0x1d4/0x290 net/core/sock_map.c:1581
unix_release+0x7e/0xc0 net/unix/af_unix.c:949
__sock_release net/socket.c:649 [inline]
sock_close+0xcd/0x230 net/socket.c:1336
__fput+0x3bf/0x890 fs/file_table.c:280
task_work_run+0x129/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x106/0x130 kernel/entry/common.c:181
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x5d/0x240 kernel/entry/common.c:307
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
-> #0 (clock-AF_UNIX){++..}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
_raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:324
sock_map_del_link net/core/sock_map.c:165 [inline]
sock_map_unref+0x442/0x5d0 net/core/sock_map.c:182
sock_map_update_common+0x4ec/0x5b0 net/core/sock_map.c:508
sock_map_update_elem_sys+0x440/0x770 net/core/sock_map.c:588
map_update_elem+0x6a0/0x7c0 kernel/bpf/syscall.c:1185
__sys_bpf+0x2fd/0x670 kernel/bpf/syscall.c:4639
__do_sys_bpf kernel/bpf/syscall.c:4755 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4753 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4753
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&stab->lock);
lock(clock-AF_UNIX);
lock(&stab->lock);
lock(clock-AF_UNIX);
*** DEADLOCK ***
3 locks held by syz-executor.1/8250:
#0: ffff8880155af120 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1668 [inline]
#0: ffff8880155af120 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sock_map_sk_acquire net/core/sock_map.c:119 [inline]
#0: ffff8880155af120 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sock_map_update_elem_sys+0x1c8/0x770 net/core/sock_map.c:584
#1: ffffffff8c91fae0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
#2: ffff88807a8701c0 (&stab->lock){+.-.}-{2:2}, at: sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:495
stack backtrace:
CPU: 0 PID: 8250 Comm: syz-executor.1 Not tainted 5.15.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: c61bd26ae81a Linux 5.15.160
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=170693fe980000
kernel config: https://syzkaller.appspot.com/x/.config?x=235f0e81ca937c17
dashboard link: https://syzkaller.appspot.com/bug?extid=10c6083a9bdc03c0012f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0b0ee2a8e528/disk-c61bd26a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3c4f144d6e07/vmlinux-c61bd26a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f2097ca43b34/bzImage-c61bd26a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10c608...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.160-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/8250 is trying to acquire lock:
ffff8880155af3d8 (clock-AF_UNIX){++..}-{2:2}, at: sock_map_del_link net/core/sock_map.c:165 [inline]
ffff8880155af3d8 (clock-AF_UNIX){++..}-{2:2}, at: sock_map_unref+0x442/0x5d0 net/core/sock_map.c:182
but task is already holding lock:
ffff88807a8701c0 (&stab->lock){+.-.}-{2:2}, at: sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:495
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&stab->lock){+.-.}-{2:2}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
__sock_map_delete net/core/sock_map.c:419 [inline]
sock_map_delete_elem+0x161/0x230 net/core/sock_map.c:451
0xffffffffa0032856
bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
__bpf_prog_run include/linux/filter.h:628 [inline]
bpf_prog_run include/linux/filter.h:635 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:1880 [inline]
bpf_trace_run2+0x19e/0x340 kernel/trace/bpf_trace.c:1917
__bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:118
trace_kfree include/trace/events/kmem.h:118 [inline]
kfree+0x22f/0x270 mm/slub.c:4549
__bpf_prog_put_noref+0x9c/0x2b0 kernel/bpf/syscall.c:1796
bpf_prog_put_deferred+0x2ee/0x3e0 kernel/bpf/syscall.c:1822
__bpf_prog_put kernel/bpf/syscall.c:1834 [inline]
bpf_prog_put+0x260/0x2a0 kernel/bpf/syscall.c:1841
psock_set_prog include/linux/skmsg.h:477 [inline]
sk_psock_stop_verdict net/core/skmsg.c:1234 [inline]
sk_psock_drop+0x243/0x500 net/core/skmsg.c:830
sk_psock_put include/linux/skmsg.h:459 [inline]
sock_map_close+0x1d4/0x290 net/core/sock_map.c:1581
unix_release+0x7e/0xc0 net/unix/af_unix.c:949
__sock_release net/socket.c:649 [inline]
sock_close+0xcd/0x230 net/socket.c:1336
__fput+0x3bf/0x890 fs/file_table.c:280
task_work_run+0x129/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x106/0x130 kernel/entry/common.c:181
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x5d/0x240 kernel/entry/common.c:307
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
-> #0 (clock-AF_UNIX){++..}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
_raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:324
sock_map_del_link net/core/sock_map.c:165 [inline]
sock_map_unref+0x442/0x5d0 net/core/sock_map.c:182
sock_map_update_common+0x4ec/0x5b0 net/core/sock_map.c:508
sock_map_update_elem_sys+0x440/0x770 net/core/sock_map.c:588
map_update_elem+0x6a0/0x7c0 kernel/bpf/syscall.c:1185
__sys_bpf+0x2fd/0x670 kernel/bpf/syscall.c:4639
__do_sys_bpf kernel/bpf/syscall.c:4755 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4753 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4753
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&stab->lock);
lock(clock-AF_UNIX);
lock(&stab->lock);
lock(clock-AF_UNIX);
*** DEADLOCK ***
3 locks held by syz-executor.1/8250:
#0: ffff8880155af120 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1668 [inline]
#0: ffff8880155af120 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sock_map_sk_acquire net/core/sock_map.c:119 [inline]
#0: ffff8880155af120 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sock_map_update_elem_sys+0x1c8/0x770 net/core/sock_map.c:584
#1: ffffffff8c91fae0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
#2: ffff88807a8701c0 (&stab->lock){+.-.}-{2:2}, at: sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:495
stack backtrace:
CPU: 0 PID: 8250 Comm: syz-executor.1 Not tainted 5.15.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages