[v5.15] possible deadlock in tcp_diag_get_aux


syzbot
Mar 1, 2024, 9:44:24 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 80efc6265290 Linux 5.15.150
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=119427ac180000
kernel config: https://syzkaller.appspot.com/x/.config?x=ca39ec49d1cf2068
dashboard link: https://syzkaller.appspot.com/bug?extid=bc70c3c417805c7b8ea4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/47cbb3459f23/disk-80efc626.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/40559d394d5f/vmlinux-80efc626.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b59e1390e778/Image-80efc626.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc70c3...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
5.15.150-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/5578 is trying to acquire lock:
ffff0000d2cf4da0 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
ffff0000d2cf4da0 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137

but task is already holding lock:
ffff0000c5641a48 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffff0000c5641a48 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xee4/0x1210 net/ipv4/inet_diag.c:1038

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0xb0/0x10c kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:363 [inline]
__inet_hash+0xd8/0x754 net/ipv4/inet_hashtables.c:606
inet6_hash+0x74/0x9c net/ipv6/inet6_hashtables.c:336
inet_csk_listen_start+0x1e8/0x2cc net/ipv4/inet_connection_sock.c:1084
inet_listen+0x258/0x6d4 net/ipv4/af_inet.c:231
rds_tcp_listen_init+0x378/0x504 net/rds/tcp_listen.c:311
rds_tcp_init_net+0x128/0x2e4 net/rds/tcp.c:559
ops_init+0x2e8/0x548 net/core/net_namespace.c:135
__register_pernet_operations net/core/net_namespace.c:1147 [inline]
register_pernet_operations+0x268/0x700 net/core/net_namespace.c:1216
register_pernet_device+0x3c/0x9c net/core/net_namespace.c:1303
rds_tcp_init+0x74/0xe0 net/rds/tcp.c:717
do_one_initcall+0x234/0x990 init/main.c:1299
do_initcall_level+0x154/0x214 init/main.c:1372
do_initcalls+0x58/0xac init/main.c:1388
do_basic_setup+0x8c/0xa0 init/main.c:1407
kernel_init_freeable+0x460/0x640 init/main.c:1612
kernel_init+0x24/0x294 init/main.c:1503
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

-> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3788 [inline]
__lock_acquire+0x32d4/0x7638 kernel/locking/lockdep.c:5012
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5623
lock_sock_fast include/net/sock.h:1700 [inline]
subflow_get_info+0x1e8/0xd10 net/mptcp/diag.c:28
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137
inet_sk_diag_fill+0xcfc/0x17b4 net/ipv4/inet_diag.c:345
inet_diag_dump_icsk+0x104c/0x1210 net/ipv4/inet_diag.c:1061
tcp_diag_dump+0x3c/0x50 net/ipv4/tcp_diag.c:184
__inet_diag_dump+0x1e8/0x33c net/ipv4/inet_diag.c:1179
inet_diag_dump+0x4c/0x5c net/ipv4/inet_diag.c:1198
netlink_dump+0x470/0xa88 net/netlink/af_netlink.c:2279
__netlink_dump_start+0x488/0x6ec net/netlink/af_netlink.c:2384
netlink_dump_start include/linux/netlink.h:258 [inline]
inet_diag_handler_cmd+0x1a8/0x274 net/ipv4/inet_diag.c:1342
sock_diag_rcv_msg+0x174/0x39c
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2505
sock_diag_rcv+0x3c/0x54 net/core/sock_diag.c:276
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x664/0x938 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x844/0xb38 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
sock_write_iter+0x2b0/0x3f8 net/socket.c:1079
do_iter_readv_writev+0x420/0x5f8
do_iter_write+0x1b8/0x664 fs/read_write.c:855
vfs_writev fs/read_write.c:928 [inline]
do_writev+0x220/0x3ec fs/read_write.c:971
__do_sys_writev fs/read_write.c:1044 [inline]
__se_sys_writev fs/read_write.c:1041 [inline]
__arm64_sys_writev+0x80/0x94 fs/read_write.c:1041
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&h->lhash2[i].lock);
                               lock(k-sk_lock-AF_INET6);
                               lock(&h->lhash2[i].lock);
  lock(k-sk_lock-AF_INET6);

*** DEADLOCK ***

5 locks held by syz-executor.1/5578:
#0: ffff800016a04148 (sock_diag_mutex){+.+.}-{3:3}, at: sock_diag_rcv+0x2c/0x54 net/core/sock_diag.c:275
#1: ffff800016a03fa8 (sock_diag_table_mutex){+.+.}-{3:3}, at: __sock_diag_cmd net/core/sock_diag.c:229 [inline]
#1: ffff800016a03fa8 (sock_diag_table_mutex){+.+.}-{3:3}, at: sock_diag_rcv_msg+0x220/0x39c net/core/sock_diag.c:265
#2: ffff0000d8ebb690 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{3:3}, at: netlink_dump+0xbc/0xa88 net/netlink/af_netlink.c:2227
#3: ffff800016add3e8 (inet_diag_table_mutex){+.+.}-{3:3}, at: inet_diag_lock_handler net/ipv4/inet_diag.c:63 [inline]
#3: ffff800016add3e8 (inet_diag_table_mutex){+.+.}-{3:3}, at: __inet_diag_dump+0x17c/0x33c net/ipv4/inet_diag.c:1177
#4: ffff0000c5641a48 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
#4: ffff0000c5641a48 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xee4/0x1210 net/ipv4/inet_diag.c:1038

stack backtrace:
CPU: 1 PID: 5578 Comm: syz-executor.1 Not tainted 5.15.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
print_circular_bug+0x150/0x1b8 kernel/locking/lockdep.c:2011
check_noncircular+0x2cc/0x378 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3788 [inline]
__lock_acquire+0x32d4/0x7638 kernel/locking/lockdep.c:5012
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5623
lock_sock_fast include/net/sock.h:1700 [inline]
subflow_get_info+0x1e8/0xd10 net/mptcp/diag.c:28
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137
inet_sk_diag_fill+0xcfc/0x17b4 net/ipv4/inet_diag.c:345
inet_diag_dump_icsk+0x104c/0x1210 net/ipv4/inet_diag.c:1061
tcp_diag_dump+0x3c/0x50 net/ipv4/tcp_diag.c:184
__inet_diag_dump+0x1e8/0x33c net/ipv4/inet_diag.c:1179
inet_diag_dump+0x4c/0x5c net/ipv4/inet_diag.c:1198
netlink_dump+0x470/0xa88 net/netlink/af_netlink.c:2279
__netlink_dump_start+0x488/0x6ec net/netlink/af_netlink.c:2384
netlink_dump_start include/linux/netlink.h:258 [inline]
inet_diag_handler_cmd+0x1a8/0x274 net/ipv4/inet_diag.c:1342
sock_diag_rcv_msg+0x174/0x39c
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2505
sock_diag_rcv+0x3c/0x54 net/core/sock_diag.c:276
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x664/0x938 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x844/0xb38 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
sock_write_iter+0x2b0/0x3f8 net/socket.c:1079
do_iter_readv_writev+0x420/0x5f8
do_iter_write+0x1b8/0x664 fs/read_write.c:855
vfs_writev fs/read_write.c:928 [inline]
do_writev+0x220/0x3ec fs/read_write.c:971
__do_sys_writev fs/read_write.c:1044 [inline]
__se_sys_writev fs/read_write.c:1041 [inline]
__arm64_sys_writev+0x80/0x94 fs/read_write.c:1041
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
BUG: sleeping function called from invalid context at net/core/sock.c:3271
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5578, name: syz-executor.1
INFO: lockdep is turned off.
Preemption disabled at:
[<ffff800010781714>] spin_lock include/linux/spinlock.h:363 [inline]
[<ffff800010781714>] inet_diag_dump_icsk+0xee4/0x1210 net/ipv4/inet_diag.c:1038
CPU: 1 PID: 5578 Comm: syz-executor.1 Not tainted 5.15.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
___might_sleep+0x380/0x4dc kernel/sched/core.c:9626
__might_sleep+0x98/0xf0 kernel/sched/core.c:9580
__lock_sock_fast+0x3c/0xf0 net/core/sock.c:3271
lock_sock_fast include/net/sock.h:1702 [inline]
subflow_get_info+0x1f0/0xd10 net/mptcp/diag.c:28
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137
inet_sk_diag_fill+0xcfc/0x17b4 net/ipv4/inet_diag.c:345
inet_diag_dump_icsk+0x104c/0x1210 net/ipv4/inet_diag.c:1061
tcp_diag_dump+0x3c/0x50 net/ipv4/tcp_diag.c:184
__inet_diag_dump+0x1e8/0x33c net/ipv4/inet_diag.c:1179
inet_diag_dump+0x4c/0x5c net/ipv4/inet_diag.c:1198
netlink_dump+0x470/0xa88 net/netlink/af_netlink.c:2279
__netlink_dump_start+0x488/0x6ec net/netlink/af_netlink.c:2384
netlink_dump_start include/linux/netlink.h:258 [inline]
inet_diag_handler_cmd+0x1a8/0x274 net/ipv4/inet_diag.c:1342
sock_diag_rcv_msg+0x174/0x39c
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2505
sock_diag_rcv+0x3c/0x54 net/core/sock_diag.c:276
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x664/0x938 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x844/0xb38 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
sock_write_iter+0x2b0/0x3f8 net/socket.c:1079
do_iter_readv_writev+0x420/0x5f8
do_iter_write+0x1b8/0x664 fs/read_write.c:855
vfs_writev fs/read_write.c:928 [inline]
do_writev+0x220/0x3ec fs/read_write.c:971
__do_sys_writev fs/read_write.c:1044 [inline]
__se_sys_writev fs/read_write.c:1041 [inline]
__arm64_sys_writev+0x80/0x94 fs/read_write.c:1041
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

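The splat above is worth reading with the two halves side by side: inet_diag_dump_icsk takes the &h->lhash2[i].lock spinlock ({2:2}) at net/ipv4/inet_diag.c:1038 and, still holding it, descends through inet_sk_diag_fill, tcp_diag_get_aux and tcp_diag_put_ulp into subflow_get_info, which calls lock_sock_fast on the subflow socket. That is both the inverted order lockdep complains about (listen() takes lhash2 under the socket lock, see chain entry #1) and the reason a "BUG: sleeping function called from invalid context" follows immediately. Triaging a batch of these by hand is tedious, so here is a small parser for the lockdep report format shown in this thread. It is an added example, not part of the syzbot report or of the kernel tree; the only input it is tested against is an abridged excerpt of the first report above, embedded as REPORT, and the generalisation of cycle_edges to chains longer than two locks is stated as an assumption in its docstring.

```python
"""Triage helper for lockdep "possible circular locking dependency" splats.
Added example, not part of the syzbot report above: parses a splat in the
format shown in this thread and extracts the lock being acquired and the one
already held (with locations), each "-> #N" chain entry with the first frame
outside the locking core, and any accompanying sleeping-in-atomic BUG line."""
import re
from dataclasses import dataclass, field

LOCK_RE = re.compile(r"^[0-9a-f]{16} \((?P<cls>[^)]+)\)\{[^}]*\}-\{\d+:\d+\}, at: (?P<at>.+)$")
CHAIN_RE = re.compile(r"^-> #(?P<n>\d+) \((?P<cls>[^)]+)\)")
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? "
                      r"(?P<file>[\w./-]+):(?P<line>\d+)(?: \[inline\])?$")
TASK_RE = re.compile(r"^(?P<task>\S+) is trying to acquire lock:$")
VERSION_RE = re.compile(r"^(?P<ver>\S+) #\d+ (?:Not tainted|Tainted\b.*)$")
SLEEP_RE = re.compile(r"^BUG: sleeping function called from invalid context at (?P<where>\S+)$")
# Frames belonging to the locking core; the code that took the lock sits below them.
LOCKING_CORE = ("kernel/locking/", "include/linux/spinlock", "include/linux/lockdep")


@dataclass
class ChainEntry:
    index: int
    lock_class: str
    taken_at: "str | None" = None   # "func path:line" of the first non-core frame


@dataclass
class LockdepReport:
    kernel: str = ""
    task: str = ""
    acquiring: str = ""
    acquiring_at: str = ""
    holding: str = ""
    holding_at: str = ""
    chain: list = field(default_factory=list)
    sleeping_in_atomic: "str | None" = None   # file:line of a might_sleep() BUG


def parse_lockdep(text: str) -> LockdepReport:
    rep, section, entry = LockdepReport(), None, None
    for raw in text.splitlines():
        ln = raw.strip()
        if (m := VERSION_RE.match(ln)) and not rep.kernel:
            rep.kernel = m["ver"]
        elif m := TASK_RE.match(ln):
            rep.task, section = m["task"], "acq"
        elif ln == "but task is already holding lock:":
            section = "hold"
        elif ln.startswith("the existing dependency chain"):
            section = "chain"
        elif ln.startswith("other info that might help") or ln == "stack backtrace:":
            section, entry = None, None
        elif m := SLEEP_RE.match(ln):
            rep.sleeping_in_atomic = m["where"]
        elif section in ("acq", "hold") and (m := LOCK_RE.match(ln)):
            # lockdep prints the inline frame first, then the real one; keep the last.
            if section == "acq":
                rep.acquiring, rep.acquiring_at = m["cls"], m["at"]
            else:
                rep.holding, rep.holding_at = m["cls"], m["at"]
        elif section == "chain":
            if m := CHAIN_RE.match(ln):
                entry = ChainEntry(int(m["n"]), m["cls"])
                rep.chain.append(entry)
            elif entry and entry.taken_at is None and (m := FRAME_RE.match(ln)):
                if not m["file"].startswith(LOCKING_CORE):
                    entry.taken_at = f'{m["func"]} {m["file"]}:{m["line"]}'
    return rep


def cycle_edges(rep: LockdepReport):
    """Lock-order cycle as (held, acquired) pairs, read off lockdep's reverse-order
    chain: entry #k was taken with #(k-1)'s class held, #0 with the top entry held.
    Checked on the two-lock case in this thread; longer chains assumed to match."""
    ents = sorted(rep.chain, key=lambda e: e.index, reverse=True)
    edges = [(lo.lock_class, hi.lock_class) for hi, lo in zip(ents, ents[1:])]
    if ents:
        edges.append((ents[0].lock_class, ents[-1].lock_class))
    return edges


# Abridged excerpt of the first report in this thread (blank lines, the
# held-lock list and most frames dropped); constructed test input.
REPORT = """\
5.15.150-syzkaller #0 Not tainted
syz-executor.1/5578 is trying to acquire lock:
ffff0000d2cf4da0 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
ffff0000d2cf4da0 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137
but task is already holding lock:
ffff0000c5641a48 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffff0000c5641a48 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xee4/0x1210 net/ipv4/inet_diag.c:1038
the existing dependency chain (in reverse order) is:
-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:
_raw_spin_lock+0xb0/0x10c kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:363 [inline]
__inet_hash+0xd8/0x754 net/ipv4/inet_hashtables.c:606
-> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5623
lock_sock_fast include/net/sock.h:1700 [inline]
other info that might help us debug this:
BUG: sleeping function called from invalid context at net/core/sock.c:3271
"""
```

Feed it a whole console log and read cycle_edges() first: for this report it yields the socket lock held while lhash2 is taken (the listen() path) and lhash2 held while the socket lock is taken (the diag dump path), and sleeping_in_atomic confirms the dump side is the one that cannot legally block.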
syzbot
Mar 1, 2024, 10:08:28 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a3eb3a74aa8c Linux 6.1.80
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1023bdca180000
kernel config: https://syzkaller.appspot.com/x/.config?x=40fd5f1c69352c2d
dashboard link: https://syzkaller.appspot.com/bug?extid=84cd030a6fb929645bfc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fcf176340788/disk-a3eb3a74.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/31d4ae9bb2ff/vmlinux-a3eb3a74.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cb907876b80a/Image-a3eb3a74.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+84cd03...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
6.1.80-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/16823 is trying to acquire lock:
ffff0000d473e330 (k-sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
ffff0000d473e330 (k-sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137

but task is already holding lock:
ffff0000c4f9a5f8 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000c4f9a5f8 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xed8/0x1204 net/ipv4/inet_diag.c:1038

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
__inet_hash+0x29c/0xb60 net/ipv4/inet_hashtables.c:728
inet_hash+0x74/0x9c net/ipv4/inet_hashtables.c:753
inet_csk_listen_start+0x1e4/0x2c8 net/ipv4/inet_connection_sock.c:1264
inet_listen+0x254/0x6d0 net/ipv4/af_inet.c:228
kernel_listen+0x6c/0x80 net/socket.c:3490
smc_listen+0x48c/0x7cc net/smc/af_smc.c:2580
__sys_listen+0x1ac/0x21c net/socket.c:1840
__do_sys_listen net/socket.c:1849 [inline]
__se_sys_listen net/socket.c:1847 [inline]
__arm64_sys_listen+0x5c/0x74 net/socket.c:1847
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

-> #0 (k-sk_lock-AF_INET){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain kernel/locking/lockdep.c:3825 [inline]
__lock_acquire+0x3338/0x7680 kernel/locking/lockdep.c:5049
lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662
lock_sock_fast include/net/sock.h:1777 [inline]
subflow_get_info+0x164/0xba8 net/mptcp/diag.c:28
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137
inet_sk_diag_fill+0xd60/0x1818 net/ipv4/inet_diag.c:345
inet_diag_dump_icsk+0x1040/0x1204 net/ipv4/inet_diag.c:1061
tcp_diag_dump+0xac/0xc4 net/ipv4/tcp_diag.c:188
__inet_diag_dump+0x1e8/0x33c net/ipv4/inet_diag.c:1179
inet_diag_dump_compat+0x17c/0x288 net/ipv4/inet_diag.c:1287
netlink_dump+0x46c/0xa78 net/netlink/af_netlink.c:2231
__netlink_dump_start+0x484/0x698 net/netlink/af_netlink.c:2335
netlink_dump_start include/linux/netlink.h:269 [inline]
inet_diag_rcv_msg_compat+0x1c8/0x41c net/ipv4/inet_diag.c:1321
sock_diag_rcv_msg+0x174/0x39c
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2508
sock_diag_rcv+0x3c/0x54 net/core/sock_diag.c:277
netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
netlink_unicast+0x65c/0x898 net/netlink/af_netlink.c:1352
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1874
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:730 [inline]
____sys_sendmsg+0x55c/0x848 net/socket.c:2514
___sys_sendmsg net/socket.c:2568 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2597
__do_sys_sendmsg net/socket.c:2606 [inline]
__se_sys_sendmsg net/socket.c:2604 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2604
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&h->lhash2[i].lock);
                               lock(k-sk_lock-AF_INET);
                               lock(&h->lhash2[i].lock);
  lock(k-sk_lock-AF_INET);

*** DEADLOCK ***

5 locks held by syz-executor.1/16823:
#0: ffff800017e05cc8 (sock_diag_mutex){+.+.}-{3:3}, at: sock_diag_rcv+0x2c/0x54 net/core/sock_diag.c:276
#1: ffff800017e05b28 (sock_diag_table_mutex){+.+.}-{3:3}, at: sock_diag_rcv_msg+0x15c/0x39c net/core/sock_diag.c:256
#2: ffff0000d2ff5690 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{3:3}, at: netlink_dump+0xbc/0xa78 net/netlink/af_netlink.c:2178
#3: ffff800017edd7e8 (inet_diag_table_mutex){+.+.}-{3:3}, at: inet_diag_lock_handler net/ipv4/inet_diag.c:63 [inline]
#3: ffff800017edd7e8 (inet_diag_table_mutex){+.+.}-{3:3}, at: __inet_diag_dump+0x17c/0x33c net/ipv4/inet_diag.c:1177
#4: ffff0000c4f9a5f8 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#4: ffff0000c4f9a5f8 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xed8/0x1204 net/ipv4/inet_diag.c:1038

stack backtrace:
CPU: 1 PID: 16823 Comm: syz-executor.1 Not tainted 6.1.80-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
print_circular_bug+0x150/0x1b8 kernel/locking/lockdep.c:2048
check_noncircular+0x2cc/0x378 kernel/locking/lockdep.c:2170
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain kernel/locking/lockdep.c:3825 [inline]
__lock_acquire+0x3338/0x7680 kernel/locking/lockdep.c:5049
lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662
lock_sock_fast include/net/sock.h:1777 [inline]
subflow_get_info+0x164/0xba8 net/mptcp/diag.c:28
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137
inet_sk_diag_fill+0xd60/0x1818 net/ipv4/inet_diag.c:345
inet_diag_dump_icsk+0x1040/0x1204 net/ipv4/inet_diag.c:1061
tcp_diag_dump+0xac/0xc4 net/ipv4/tcp_diag.c:188
__inet_diag_dump+0x1e8/0x33c net/ipv4/inet_diag.c:1179
inet_diag_dump_compat+0x17c/0x288 net/ipv4/inet_diag.c:1287
netlink_dump+0x46c/0xa78 net/netlink/af_netlink.c:2231
__netlink_dump_start+0x484/0x698 net/netlink/af_netlink.c:2335
netlink_dump_start include/linux/netlink.h:269 [inline]
inet_diag_rcv_msg_compat+0x1c8/0x41c net/ipv4/inet_diag.c:1321
sock_diag_rcv_msg+0x174/0x39c
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2508
sock_diag_rcv+0x3c/0x54 net/core/sock_diag.c:277
netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
netlink_unicast+0x65c/0x898 net/netlink/af_netlink.c:1352
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1874
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:730 [inline]
____sys_sendmsg+0x55c/0x848 net/socket.c:2514
___sys_sendmsg net/socket.c:2568 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2597
__do_sys_sendmsg net/socket.c:2606 [inline]
__se_sys_sendmsg net/socket.c:2604 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2604
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
BUG: sleeping function called from invalid context at net/core/sock.c:3516
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 16823, name: syz-executor.1
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<ffff800010de2a6c>] spin_lock include/linux/spinlock.h:351 [inline]
[<ffff800010de2a6c>] inet_diag_dump_icsk+0xed8/0x1204 net/ipv4/inet_diag.c:1038
CPU: 1 PID: 16823 Comm: syz-executor.1 Not tainted 6.1.80-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
__might_resched+0x37c/0x4d8 kernel/sched/core.c:9942
__might_sleep+0x90/0xe4 kernel/sched/core.c:9871
__lock_sock_fast+0x38/0xec net/core/sock.c:3516
lock_sock_fast include/net/sock.h:1779 [inline]
subflow_get_info+0x16c/0xba8 net/mptcp/diag.c:28
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137
inet_sk_diag_fill+0xd60/0x1818 net/ipv4/inet_diag.c:345
inet_diag_dump_icsk+0x1040/0x1204 net/ipv4/inet_diag.c:1061
tcp_diag_dump+0xac/0xc4 net/ipv4/tcp_diag.c:188
__inet_diag_dump+0x1e8/0x33c net/ipv4/inet_diag.c:1179
inet_diag_dump_compat+0x17c/0x288 net/ipv4/inet_diag.c:1287
netlink_dump+0x46c/0xa78 net/netlink/af_netlink.c:2231
__netlink_dump_start+0x484/0x698 net/netlink/af_netlink.c:2335
netlink_dump_start include/linux/netlink.h:269 [inline]
inet_diag_rcv_msg_compat+0x1c8/0x41c net/ipv4/inet_diag.c:1321
sock_diag_rcv_msg+0x174/0x39c
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2508
sock_diag_rcv+0x3c/0x54 net/core/sock_diag.c:277
netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
netlink_unicast+0x65c/0x898 net/netlink/af_netlink.c:1352
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1874
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:730 [inline]
____sys_sendmsg+0x55c/0x848 net/socket.c:2514
___sys_sendmsg net/socket.c:2568 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2597
__do_sys_sendmsg net/socket.c:2606 [inline]
__se_sys_sendmsg net/socket.c:2604 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2604
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

syzbot
Mar 1, 2024, 3:00:28 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: a3eb3a74aa8c Linux 6.1.80
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11cffb32180000
kernel config: https://syzkaller.appspot.com/x/.config?x=40fd5f1c69352c2d
dashboard link: https://syzkaller.appspot.com/bug?extid=84cd030a6fb929645bfc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1215f6a2180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11297bba180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fcf176340788/disk-a3eb3a74.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/31d4ae9bb2ff/vmlinux-a3eb3a74.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cb907876b80a/Image-a3eb3a74.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+84cd03...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
6.1.80-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor166/4222 is trying to acquire lock:
ffff0000d5190130 (k-sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
ffff0000d5190130 (k-sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137

but task is already holding lock:
ffff0000c4f993b0 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000c4f993b0 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xed8/0x1204 net/ipv4/inet_diag.c:1038

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
__inet_hash+0x29c/0xb60 net/ipv4/inet_hashtables.c:728
inet_hash+0x74/0x9c net/ipv4/inet_hashtables.c:753
inet_csk_listen_start+0x1e4/0x2c8 net/ipv4/inet_connection_sock.c:1264
inet_listen+0x254/0x6d0 net/ipv4/af_inet.c:228
mptcp_listen+0x198/0x43c net/mptcp/protocol.c:3817
5 locks held by syz-executor166/4222:
#0: ffff800017e05cc8 (sock_diag_mutex){+.+.}-{3:3}, at: sock_diag_rcv+0x2c/0x54 net/core/sock_diag.c:276
#1: ffff800017e05b28 (sock_diag_table_mutex){+.+.}-{3:3}, at: sock_diag_rcv_msg+0x15c/0x39c net/core/sock_diag.c:256
#2: ffff0000d3152690 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{3:3}, at: netlink_dump+0xbc/0xa78 net/netlink/af_netlink.c:2178
#3: ffff800017edd7e8 (inet_diag_table_mutex){+.+.}-{3:3}, at: inet_diag_lock_handler net/ipv4/inet_diag.c:63 [inline]
#3: ffff800017edd7e8 (inet_diag_table_mutex){+.+.}-{3:3}, at: __inet_diag_dump+0x17c/0x33c net/ipv4/inet_diag.c:1177
#4: ffff0000c4f993b0 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#4: ffff0000c4f993b0 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xed8/0x1204 net/ipv4/inet_diag.c:1038

stack backtrace:
CPU: 1 PID: 4222 Comm: syz-executor166 Not tainted 6.1.80-syzkaller #0
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4222, name: syz-executor166
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<ffff800010de2a6c>] spin_lock include/linux/spinlock.h:351 [inline]
[<ffff800010de2a6c>] inet_diag_dump_icsk+0xed8/0x1204 net/ipv4/inet_diag.c:1038
CPU: 1 PID: 4222 Comm: syz-executor166 Not tainted 6.1.80-syzkaller #0
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot
Mar 1, 2024, 5:25:27 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 80efc6265290 Linux 5.15.150
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12de48e4180000
kernel config: https://syzkaller.appspot.com/x/.config?x=ca39ec49d1cf2068
dashboard link: https://syzkaller.appspot.com/bug?extid=bc70c3c417805c7b8ea4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122a1f16180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a362c4180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/47cbb3459f23/disk-80efc626.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/40559d394d5f/vmlinux-80efc626.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b59e1390e778/Image-80efc626.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc70c3...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
5.15.150-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor234/3960 is trying to acquire lock:
ffff0000d2a49aa0 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
ffff0000d2a49aa0 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137

but task is already holding lock:
ffff0000c5728bc0 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffff0000c5728bc0 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xee4/0x1210 net/ipv4/inet_diag.c:1038
5 locks held by syz-executor234/3960:
#0: ffff800016a04148 (sock_diag_mutex){+.+.}-{3:3}, at: sock_diag_rcv+0x2c/0x54 net/core/sock_diag.c:275
#1: ffff800016a03fa8 (sock_diag_table_mutex){+.+.}-{3:3}, at: __sock_diag_cmd net/core/sock_diag.c:229 [inline]
#1: ffff800016a03fa8 (sock_diag_table_mutex){+.+.}-{3:3}, at: sock_diag_rcv_msg+0x220/0x39c net/core/sock_diag.c:265
#2: ffff0000d8776690 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{3:3}, at: netlink_dump+0xbc/0xa88 net/netlink/af_netlink.c:2227
#3: ffff800016add3e8 (inet_diag_table_mutex){+.+.}-{3:3}, at: inet_diag_lock_handler net/ipv4/inet_diag.c:63 [inline]
#3: ffff800016add3e8 (inet_diag_table_mutex){+.+.}-{3:3}, at: __inet_diag_dump+0x17c/0x33c net/ipv4/inet_diag.c:1177
#4: ffff0000c5728bc0 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
#4: ffff0000c5728bc0 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0xee4/0x1210 net/ipv4/inet_diag.c:1038

stack backtrace:
CPU: 0 PID: 3960 Comm: syz-executor234 Not tainted 5.15.150-syzkaller #0
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 3960, name: syz-executor234
INFO: lockdep is turned off.
Preemption disabled at:
[<ffff800010781714>] spin_lock include/linux/spinlock.h:363 [inline]
[<ffff800010781714>] inet_diag_dump_icsk+0xee4/0x1210 net/ipv4/inet_diag.c:1038
CPU: 0 PID: 3960 Comm: syz-executor234 Not tainted 5.15.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
___might_sleep+0x380/0x4dc kernel/sched/core.c:9626
__might_sleep+0x98/0xf0 kernel/sched/core.c:9580
__lock_sock_fast+0x3c/0xf0 net/core/sock.c:3271
lock_sock_fast include/net/sock.h:1702 [inline]
subflow_get_info+0x1f0/0xd10 net/mptcp/diag.c:28
tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
tcp_diag_get_aux+0x680/0x750 net/ipv4/tcp_diag.c:137
inet_sk_diag_fill+0xcfc/0x17b4 net/ipv4/inet_diag.c:345
inet_diag_dump_icsk+0x104c/0x1210 net/ipv4/inet_diag.c:1061
tcp_diag_dump+0x3c/0x50 net/ipv4/tcp_diag.c:184
__inet_diag_dump+0x1e8/0x33c net/ipv4/inet_diag.c:1179
inet_diag_dump+0x4c/0x5c net/ipv4/inet_diag.c:1198
netlink_dump+0x470/0xa8 net/netlink/af_netlink.c:2279