Hello,
syzbot found the following issue on:
HEAD commit: c14d30dc Linux 4.19.139
git tree: linux-4.19.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=150e876a900000
kernel config:
https://syzkaller.appspot.com/x/.config?x=93b261233af4719e
dashboard link:
https://syzkaller.appspot.com/bug?extid=3257b5a27d60dc9d951d
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=10b29c36900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+3257b5...@syzkaller.appspotmail.com
device hsr_slave_0 entered promiscuous mode
device hsr_slave_1 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
================================
WARNING: inconsistent lock state
4.19.139-syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor.0/31378 [HC0[0]:SC1[1]:HE1:SE0] takes:
000000004334ec15 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}, at: spin_lock include/linux/spinlock.h:329 [inline]
000000004334ec15 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}, at: sco_sock_timeout+0x22/0x190 net/bluetooth/sco.c:82
{SOFTIRQ-ON-W} state was registered at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
sco_conn_del+0xb0/0x220 net/bluetooth/sco.c:175
sco_disconn_cfm net/bluetooth/sco.c:1133 [inline]
sco_disconn_cfm+0x62/0x80 net/bluetooth/sco.c:1126
hci_disconn_cfm include/net/bluetooth/hci_core.h:1261 [inline]
hci_conn_hash_flush+0x114/0x220 net/bluetooth/hci_conn.c:1495
hci_dev_do_close+0x624/0xe70 net/bluetooth/hci_core.c:1666
hci_unregister_dev+0x17c/0x7f0 net/bluetooth/hci_core.c:3271
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbb2/0x2b70 kernel/exit.c:887
do_group_exit+0x125/0x310 kernel/exit.c:990
get_signal+0x3f2/0x1f70 kernel/signal.c:2588
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:821
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
irq event stamp: 62748
hardirqs last enabled at (62748): [<ffffffff873d6274>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last enabled at (62748): [<ffffffff873d6274>] _raw_spin_unlock_irq+0x24/0x80 kernel/locking/spinlock.c:192
hardirqs last disabled at (62747): [<ffffffff873d5f05>] __raw_spin_lock_irq include/linux/spinlock_api_smp.h:126 [inline]
hardirqs last disabled at (62747): [<ffffffff873d5f05>] _raw_spin_lock_irq+0x35/0x80 kernel/locking/spinlock.c:160
softirqs last enabled at (62688): [<ffffffff8564ba23>] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last enabled at (62688): [<ffffffff8564ba23>] net_to_rxe drivers/infiniband/sw/rxe/rxe_net.c:63 [inline]
softirqs last enabled at (62688): [<ffffffff8564ba23>] rxe_notify+0x503/0x670 drivers/infiniband/sw/rxe/rxe_net.c:652
softirqs last disabled at (62741): [<ffffffff813f36f5>] invoke_softirq kernel/softirq.c:372 [inline]
softirqs last disabled at (62741): [<ffffffff813f36f5>] irq_exit+0x215/0x260 kernel/softirq.c:412
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
<Interrupt>
lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
*** DEADLOCK ***
2 locks held by syz-executor.0/31378:
#0: 00000000a2b59d99 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77 [inline]
#0: 00000000a2b59d99 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x3fe/0xb80 net/core/rtnetlink.c:4775
#1: 00000000dea5aeea ((&sk->sk_timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:168 [inline]
#1: 00000000dea5aeea ((&sk->sk_timer)){+.-.}, at: call_timer_fn+0xc9/0x700 kernel/time/timer.c:1328
stack backtrace:
CPU: 0 PID: 31378 Comm: syz-executor.0 Not tainted 4.19.139-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_usage_bug.cold+0x42e/0x570 kernel/locking/lockdep.c:2544
valid_state kernel/locking/lockdep.c:2557 [inline]
mark_lock_irq kernel/locking/lockdep.c:2751 [inline]
mark_lock+0xc70/0x1160 kernel/locking/lockdep.c:3131
mark_irqflags kernel/locking/lockdep.c:3009 [inline]
__lock_acquire+0xdc4/0x3ff0 kernel/locking/lockdep.c:3372
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
sco_sock_timeout+0x22/0x190 net/bluetooth/sco.c:82
call_timer_fn+0x177/0x700 kernel/time/timer.c:1338
expire_timers+0x243/0x4e0 kernel/time/timer.c:1375
__run_timers kernel/time/timer.c:1703 [inline]
run_timer_softirq+0x21c/0x670 kernel/time/timer.c:1716
__do_softirq+0x26c/0x9a0 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x215/0x260 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:544 [inline]
smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1094
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
</IRQ>
RIP: 0010:__kernel_text_address+0x4/0x30 kernel/extable.c:107
Code: 32 21 2f 00 0f b6 c0 eb cf 48 c7 c7 c4 41 ae 89 e8 11 85 5a 00 e9 64 ff ff ff 66 90 66 2e 0f 1f 84 00 00 00 00 00 53 48 89 fb <e8> 07 ff ff ff 85 c0 75 17 48 81 fb 00 50 a2 8a 72 0c 31 c0 48 81
RSP: 0018:ffff888076106718 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffffffff81cc8be5 RCX: 0000000000000000
RDX: 1ffff1100ec20cf3 RSI: ffff8880761065f8 RDI: ffffffff81cc8be5
RBP: ffff888076106798 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000066061 R11: 0000000000000001 R12: ffff8880761067e8
R13: 0000000000000000 R14: ffff8880aa00a840 R15: 00000000000000a0
unwind_get_return_address arch/x86/kernel/unwind_orc.c:297 [inline]
unwind_get_return_address+0x51/0x90 arch/x86/kernel/unwind_orc.c:292
__save_stack_trace+0xaf/0x190 arch/x86/kernel/stacktrace.c:45
save_stack mm/kasan/kasan.c:448 [inline]
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:553
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc mm/slab.c:3397 [inline]
kmem_cache_alloc+0x110/0x370 mm/slab.c:3557
kmem_cache_zalloc include/linux/slab.h:699 [inline]
__kernfs_new_node+0xd2/0x680 fs/kernfs/dir.c:633
kernfs_new_node+0x92/0x120 fs/kernfs/dir.c:693
__kernfs_create_file+0x51/0x33f fs/kernfs/file.c:992
sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:306
create_files fs/sysfs/group.c:63 [inline]
internal_create_group+0x355/0xb20 fs/sysfs/group.c:147
sysfs_create_group fs/sysfs/group.c:173 [inline]
sysfs_create_groups fs/sysfs/group.c:200 [inline]
sysfs_create_groups+0x98/0x13e fs/sysfs/group.c:190
device_add_groups drivers/base/core.c:1286 [inline]
device_add_attrs drivers/base/core.c:1434 [inline]
device_add+0x803/0x1610 drivers/base/core.c:2123
netdev_register_kobject+0x17d/0x3b0 net/core/net-sysfs.c:1765
register_netdevice+0xb46/0x10f0 net/core/dev.c:8716
veth_newlink+0x4dd/0x930 drivers/net/veth.c:1170
rtnl_newlink+0x1027/0x15b0 net/core/rtnetlink.c:3141
rtnetlink_rcv_msg+0x453/0xb80 net/core/rtnetlink.c:4778
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
__sys_sendto+0x21a/0x320 net/socket.c:1787
__do_sys_sendto net/socket.c:1799 [inline]
__se_sys_sendto net/socket.c:1795 [inline]
__x64_sys_sendto+0xdd/0x1b0 net/socket.c:1795
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416d07
Code: 2c 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 81 19 00 00 c3 48 83 ec 08 e8 87 fa ff ff 48 89 04 24 49 89 ca b8 2c 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 cd fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffec3b89550 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000016a3700 RCX: 0000000000416d07
RDX: 000000000000006c RSI: 00000000016a3750 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffec3b89560 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000016a3750 R15: 0000000000000003
Bluetooth: hci2: command 0x040f tx timeout
IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
device veth0_vlan entered promiscuous mode
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
device veth0_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
device veth1_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_0
IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
Bluetooth: hci2: command 0x0419 tx timeout
Bluetooth: hci2: command 0x0405 tx timeout
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches