possible deadlock in free_huge_page


syzbot

Dec 6, 2020, 10:16:11 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c196b3a9 Linux 4.14.210
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1572a7ab500000
kernel config: https://syzkaller.appspot.com/x/.config?x=5e5088ac39d46cc4
dashboard link: https://syzkaller.appspot.com/bug?extid=4f0ba0228710c04e580c
compiler: gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4f0ba0...@syzkaller.appspotmail.com

EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
4.14.210-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor.0/24744 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire:
(hugetlb_lock){+.+.}, at: [<ffffffff817df76b>] spin_lock include/linux/spinlock.h:317 [inline]
(hugetlb_lock){+.+.}, at: [<ffffffff817df76b>] free_huge_page+0x5ab/0x7f0 mm/hugetlb.c:1291
audit: type=1804 audit(1607310931.119:49): pid=24827 uid=0 auid=0 ses=4 op="invalid_pcr" cause="ToMToU" comm="syz-executor.3" name="/root/syzkaller-testdir013065303/syzkaller.6x5xU4/316/bus" dev="sda1" ino=16761 res=1

and this task is already holding:
(slock-AF_INET){+.-.}, at: [<ffffffff862cd690>] spin_lock include/linux/spinlock.h:317 [inline]
(slock-AF_INET){+.-.}, at: [<ffffffff862cd690>] tcp_close+0x540/0xed0 net/ipv4/tcp.c:2234
which would create a new lock dependency:
(slock-AF_INET){+.-.} -> (hugetlb_lock){+.+.}

but this new dependency connects a SOFTIRQ-irq-safe lock:
(slock-AF_INET){+.-.}

... which became SOFTIRQ-irq-safe at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
sk_clone_lock+0x3cf/0x11e0 net/core/sock.c:1666
inet_csk_clone_lock+0x1e/0x3f0 net/ipv4/inet_connection_sock.c:815
tcp_create_openreq_child+0x2c/0x1880 net/ipv4/tcp_minisocks.c:437
tcp_v4_syn_recv_sock+0xa8/0xf80 net/ipv4/tcp_ipv4.c:1358
tcp_check_req+0x4c1/0x1460 net/ipv4/tcp_minisocks.c:764
tcp_v4_rcv+0x1c36/0x3560 net/ipv4/tcp_ipv4.c:1701
ip_local_deliver_finish+0x3f2/0xab0 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_local_deliver+0x167/0x460 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:476 [inline]
ip_rcv_finish+0x6e3/0x19f0 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_rcv+0x8a7/0xf01 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x15ee/0x2a30 net/core/dev.c:4474
__netif_receive_skb+0x27/0x1a0 net/core/dev.c:4512
netif_receive_skb_internal+0xd7/0x580 net/core/dev.c:4585
napi_skb_finish net/core/dev.c:4946 [inline]
napi_gro_receive+0x2e2/0x400 net/core/dev.c:4977
receive_buf+0x5ef/0x4810 drivers/net/virtio_net.c:852
virtnet_receive drivers/net/virtio_net.c:1098 [inline]
virtnet_poll+0x4b7/0x960 drivers/net/virtio_net.c:1189
napi_poll net/core/dev.c:5596 [inline]
net_rx_action+0x466/0xfd0 net/core/dev.c:5662
__do_softirq+0x254/0xa1d kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x193/0x240 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:648 [inline]
do_IRQ+0x112/0x1d0 arch/x86/kernel/irq.c:242
ret_from_intr+0x0/0x1e

to a SOFTIRQ-irq-unsafe lock:
(hugetlb_lock){+.+.}

... which became SOFTIRQ-irq-unsafe at:
...
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
hugetlb_overcommit_handler+0x283/0x400 mm/hugetlb.c:2992
proc_sys_call_handler.isra.0+0x1ba/0x340 fs/proc/proc_sysctl.c:598
__vfs_write+0xe4/0x630 fs/read_write.c:480
vfs_write+0x17f/0x4d0 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xf2/0x210 fs/read_write.c:582
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(hugetlb_lock);
                               local_irq_disable();
                               lock(slock-AF_INET);
                               lock(hugetlb_lock);
  <Interrupt>
    lock(slock-AF_INET);

*** DEADLOCK ***

3 locks held by syz-executor.0/24744:
#0: (&sb->s_type->i_mutex_key#13){+.+.}, at: [<ffffffff85d712c6>] inode_lock include/linux/fs.h:719 [inline]
#0: (&sb->s_type->i_mutex_key#13){+.+.}, at: [<ffffffff85d712c6>] __sock_release+0x86/0x2b0 net/socket.c:601
#1: (sk_lock-AF_INET){+.+.}, at: [<ffffffff862cd175>] lock_sock include/net/sock.h:1471 [inline]
#1: (sk_lock-AF_INET){+.+.}, at: [<ffffffff862cd175>] tcp_close+0x25/0xed0 net/ipv4/tcp.c:2144
#2: (slock-AF_INET){+.-.}, at: [<ffffffff862cd690>] spin_lock include/linux/spinlock.h:317 [inline]
#2: (slock-AF_INET){+.-.}, at: [<ffffffff862cd690>] tcp_close+0x540/0xed0 net/ipv4/tcp.c:2234

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (slock-AF_INET){+.-.} ops: 1059605 {
HARDIRQ-ON-W at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:176
spin_lock_bh include/linux/spinlock.h:322 [inline]
lock_sock_nested+0x39/0x100 net/core/sock.c:2788
lock_sock include/net/sock.h:1471 [inline]
inet_autobind+0x1a/0x180 net/ipv4/af_inet.c:178
inet_dgram_connect+0x134/0x1f0 net/ipv4/af_inet.c:538
SYSC_connect net/socket.c:1655 [inline]
SyS_connect+0x1f4/0x240 net/socket.c:1636
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
IN-SOFTIRQ-W at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
sk_clone_lock+0x3cf/0x11e0 net/core/sock.c:1666
inet_csk_clone_lock+0x1e/0x3f0 net/ipv4/inet_connection_sock.c:815
tcp_create_openreq_child+0x2c/0x1880 net/ipv4/tcp_minisocks.c:437
tcp_v4_syn_recv_sock+0xa8/0xf80 net/ipv4/tcp_ipv4.c:1358
tcp_check_req+0x4c1/0x1460 net/ipv4/tcp_minisocks.c:764
tcp_v4_rcv+0x1c36/0x3560 net/ipv4/tcp_ipv4.c:1701
ip_local_deliver_finish+0x3f2/0xab0 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_local_deliver+0x167/0x460 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:476 [inline]
ip_rcv_finish+0x6e3/0x19f0 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_rcv+0x8a7/0xf01 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x15ee/0x2a30 net/core/dev.c:4474
__netif_receive_skb+0x27/0x1a0 net/core/dev.c:4512
netif_receive_skb_internal+0xd7/0x580 net/core/dev.c:4585
napi_skb_finish net/core/dev.c:4946 [inline]
napi_gro_receive+0x2e2/0x400 net/core/dev.c:4977
receive_buf+0x5ef/0x4810 drivers/net/virtio_net.c:852
virtnet_receive drivers/net/virtio_net.c:1098 [inline]
virtnet_poll+0x4b7/0x960 drivers/net/virtio_net.c:1189
napi_poll net/core/dev.c:5596 [inline]
net_rx_action+0x466/0xfd0 net/core/dev.c:5662
__do_softirq+0x254/0xa1d kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x193/0x240 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:648 [inline]
do_IRQ+0x112/0x1d0 arch/x86/kernel/irq.c:242
ret_from_intr+0x0/0x1e
INITIAL USE at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:176
spin_lock_bh include/linux/spinlock.h:322 [inline]
lock_sock_nested+0x39/0x100 net/core/sock.c:2788
lock_sock include/net/sock.h:1471 [inline]
inet_autobind+0x1a/0x180 net/ipv4/af_inet.c:178
inet_dgram_connect+0x134/0x1f0 net/ipv4/af_inet.c:538
SYSC_connect net/socket.c:1655 [inline]
SyS_connect+0x1f4/0x240 net/socket.c:1636
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
}
... key at: [<ffffffff8c981a70>] af_family_slock_keys+0x10/0x180
... acquired at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
free_huge_page+0x5ab/0x7f0 mm/hugetlb.c:1291
__put_page+0xb9/0x2f0 mm/swap.c:111
put_page include/linux/mm.h:875 [inline]
__skb_frag_unref include/linux/skbuff.h:2813 [inline]
skb_release_data+0x25a/0x820 net/core/skbuff.c:568
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:645
sk_wmem_free_skb include/net/sock.h:1425 [inline]
tcp_write_queue_purge include/net/tcp.h:1631 [inline]
tcp_v4_destroy_sock+0x223/0x920 net/ipv4/tcp_ipv4.c:1904
inet_csk_destroy_sock+0x169/0x400 net/ipv4/inet_connection_sock.c:866
tcp_close+0x85e/0xed0 net/ipv4/tcp.c:2298
inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2234
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb


the dependencies between the lock to be acquired
and SOFTIRQ-irq-unsafe lock:
-> (hugetlb_lock){+.+.} ops: 2948 {
HARDIRQ-ON-W at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
hugetlb_overcommit_handler+0x283/0x400 mm/hugetlb.c:2992
proc_sys_call_handler.isra.0+0x1ba/0x340 fs/proc/proc_sysctl.c:598
__vfs_write+0xe4/0x630 fs/read_write.c:480
vfs_write+0x17f/0x4d0 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xf2/0x210 fs/read_write.c:582
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
SOFTIRQ-ON-W at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
hugetlb_overcommit_handler+0x283/0x400 mm/hugetlb.c:2992
proc_sys_call_handler.isra.0+0x1ba/0x340 fs/proc/proc_sysctl.c:598
__vfs_write+0xe4/0x630 fs/read_write.c:480
vfs_write+0x17f/0x4d0 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xf2/0x210 fs/read_write.c:582
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
INITIAL USE at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
hugetlb_overcommit_handler+0x283/0x400 mm/hugetlb.c:2992
proc_sys_call_handler.isra.0+0x1ba/0x340 fs/proc/proc_sysctl.c:598
__vfs_write+0xe4/0x630 fs/read_write.c:480
vfs_write+0x17f/0x4d0 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xf2/0x210 fs/read_write.c:582
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
}
... key at: [<ffffffff89000698>] hugetlb_lock+0x18/0x15e0
... acquired at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
free_huge_page+0x5ab/0x7f0 mm/hugetlb.c:1291
__put_page+0xb9/0x2f0 mm/swap.c:111
put_page include/linux/mm.h:875 [inline]
__skb_frag_unref include/linux/skbuff.h:2813 [inline]
skb_release_data+0x25a/0x820 net/core/skbuff.c:568
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:645
sk_wmem_free_skb include/net/sock.h:1425 [inline]
tcp_write_queue_purge include/net/tcp.h:1631 [inline]
tcp_v4_destroy_sock+0x223/0x920 net/ipv4/tcp_ipv4.c:1904
inet_csk_destroy_sock+0x169/0x400 net/ipv4/inet_connection_sock.c:866
tcp_close+0x85e/0xed0 net/ipv4/tcp.c:2298
inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2234
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb


stack backtrace:
CPU: 0 PID: 24744 Comm: syz-executor.0 Not tainted 4.14.210-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_bad_irq_dependency kernel/locking/lockdep.c:1609 [inline]
check_usage.cold+0x806/0xbe6 kernel/locking/lockdep.c:1641
check_irq_usage kernel/locking/lockdep.c:1697 [inline]
check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline]
check_prev_add kernel/locking/lockdep.c:1910 [inline]
check_prevs_add kernel/locking/lockdep.c:2022 [inline]
validate_chain kernel/locking/lockdep.c:2464 [inline]
__lock_acquire+0x1cfc/0x3f20 kernel/locking/lockdep.c:3491
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:152
spin_lock include/linux/spinlock.h:317 [inline]
free_huge_page+0x5ab/0x7f0 mm/hugetlb.c:1291
__put_page+0xb9/0x2f0 mm/swap.c:111
put_page include/linux/mm.h:875 [inline]
__skb_frag_unref include/linux/skbuff.h:2813 [inline]
skb_release_data+0x25a/0x820 net/core/skbuff.c:568
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:645
sk_wmem_free_skb include/net/sock.h:1425 [inline]
tcp_write_queue_purge include/net/tcp.h:1631 [inline]
tcp_v4_destroy_sock+0x223/0x920 net/ipv4/tcp_ipv4.c:1904
inet_csk_destroy_sock+0x169/0x400 net/ipv4/inet_connection_sock.c:866
tcp_close+0x85e/0xed0 net/ipv4/tcp.c:2298
inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2234
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45e0f9
RSP: 002b:00007f6dcafadc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: 00000000004807b8 RBX: 0000000000000006 RCX: 000000000045e0f9
RDX: ffffffffffffffd0 RSI: 0000000020000140 RDI: 000000000000000a
RBP: 000000000119bfd8 R08: 0000000000000000 R09: ffffffffffffff36
R10: 000000000401c005 R11: 0000000000000246 R12: 000000000119bf8c
R13: 00007ffc6ab94fdf R14: 00007f6dcafae9c0 R15: 000000000119bf8c
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
nla_parse: 5 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
base_sock_release(ffff888037d41100) sk=ffff888093e155c0
base_sock_release(ffff888037d58180) sk=ffff888056d500c0
audit: type=1804 audit(1607310932.659:50): pid=24863 uid=0 auid=0 ses=4 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir013065303/syzkaller.6x5xU4/317/bus" dev="sda1" ino=16791 res=1
base_sock_release(ffff88804c287080) sk=ffff8880b2a0b700
audit: type=1804 audit(1607310932.709:51): pid=24866 uid=0 auid=0 ses=4 op="invalid_pcr" cause="ToMToU" comm="syz-executor.3" name="/root/syzkaller-testdir013065303/syzkaller.6x5xU4/317/bus" dev="sda1" ino=16791 res=1
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
print_req_error: I/O error, dev loop0, sector 0
base_sock_release(ffff888037ccba00) sk=ffff8880570d2400
print_req_error: I/O error, dev loop0, sector 0
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
base_sock_release(ffff88808eb00540) sk=ffff88805b2c6c80
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
Unknown ioctl -1067691200
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
base_sock_release(ffff88804c2ff5c0) sk=ffff88804b46f400
base_sock_release(ffff88805649e680) sk=ffff8880561beb40
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
base_sock_release(ffff88804c0481c0) sk=ffff8880b42b3400
Unknown ioctl -1067691200
base_sock_release(ffff8880567f70c0) sk=ffff8880582c3680
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
base_sock_release(ffff8880566374c0) sk=ffff888057486340
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
base_sock_release(ffff88804c01e5c0) sk=ffff88809c8e4340
base_sock_release(ffff88805658e9c0) sk=ffff8880a1b7e1c0
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
base_sock_release(ffff8880565dfb00) sk=ffff8880a22b0bc0
base_sock_release(ffff88804c116980) sk=ffff8880934d2600
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
base_sock_release(ffff8880565df200) sk=ffff888053868e80
base_sock_release(ffff88804c2ae040) sk=ffff888058804e00
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
base_sock_release(ffff88808dbbe900) sk=ffff888051e73280
base_sock_release(ffff888094fc2080) sk=ffff8880aa10ac00
base_sock_release(ffff888056446040) sk=ffff888051308880
base_sock_release(ffff888094e6db00) sk=ffff888058c92580
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
base_sock_release(ffff88804c29da40) sk=ffff8880b35b52c0
base_sock_release(ffff88804c09e180) sk=ffff8880545d8100
base_sock_release(ffff88808eb28500) sk=ffff88808d0f0e80
base_sock_release(ffff888056596900) sk=ffff88803b012b80
base_sock_release(ffff8880567b0100) sk=ffff88809657f340
base_sock_release(ffff8880564e0980) sk=ffff88809d2f71c0
base_sock_release(ffff8880566ed140) sk=ffff8880aafc4300
base_sock_release(ffff88804c31b9c0) sk=ffff88805b2394c0
base_sock_release(ffff88804c012640) sk=ffff888058e55640
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
base_sock_release(ffff8880564c6600) sk=ffff8880578a2140
base_sock_release(ffff888056469a40) sk=ffff8880572be5c0
nla_parse: 23 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
base_sock_release(ffff888056448100) sk=ffff888057d241c0
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
base_sock_release(ffff8880a7f965c0) sk=ffff88804f8e0d40
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
base_sock_release(ffff88805654fa80) sk=ffff88804d94b680
base_sock_release(ffff8880a0089a00) sk=ffff88804d94ae00
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
base_sock_release(ffff8880566215c0) sk=ffff88809a3383c0
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
base_sock_release(ffff888056588680) sk=ffff8880979d2980
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
base_sock_release(ffff88803afc7940) sk=ffff8880980f1680
base_sock_release(ffff8880565eea80) sk=ffff8880578fc280
print_req_error: I/O error, dev loop2, sector 0
base_sock_release(ffff88803aed6a40) sk=ffff8880955f7100
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
base_sock_release(ffff88803af699c0) sk=ffff8880b31b4500
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
base_sock_release(ffff888036b67500) sk=ffff8880570c54c0
base_sock_release(ffff8880564f9100) sk=ffff8880aa43d6c0
print_req_error: I/O error, dev loop2, sector 0
base_sock_release(ffff888037c40080) sk=ffff8880abae16c0
base_sock_release(ffff888097dc7a80) sk=ffff8880a1147340
print_req_error: I/O error, dev loop2, sector 0
base_sock_release(ffff888037d37140) sk=ffff888099ac7340
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
base_sock_release(ffff888037d59640) sk=ffff888098326ac0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 6, 2020, 10:35:10 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: c196b3a9 Linux 4.14.210
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10e4e175500000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146e07ab500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17663437500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4f0ba0...@syzkaller.appspotmail.com

=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
4.14.210-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor083/7987 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire:
(hugetlb_lock){+.+.}, at: [<ffffffff817df76b>] spin_lock include/linux/spinlock.h:317 [inline]
(hugetlb_lock){+.+.}, at: [<ffffffff817df76b>] free_huge_page+0x5ab/0x7f0 mm/hugetlb.c:1291

lock_is_held_type+0x30/0x210 kernel/locking/lockdep.c:4029
lock_is_held include/linux/lockdep.h:437 [inline]
___might_sleep+0x1ea/0x2b0 kernel/sched/core.c:6007
gc_worker+0x625/0xb50 net/netfilter/nf_conntrack_core.c:1123
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
3 locks held by syz-executor083/7987:
#0: (&sb->s_type->i_mutex_key#13){+.+.}, at: [<ffffffff85d712c6>] inode_lock include/linux/fs.h:719 [inline]
#0: (&sb->s_type->i_mutex_key#13){+.+.}, at: [<ffffffff85d712c6>] __sock_release+0x86/0x2b0 net/socket.c:601
#1: (sk_lock-AF_INET){+.+.}, at: [<ffffffff862cd175>] lock_sock include/net/sock.h:1471 [inline]
#1: (sk_lock-AF_INET){+.+.}, at: [<ffffffff862cd175>] tcp_close+0x25/0xed0 net/ipv4/tcp.c:2144
#2: (slock-AF_INET){+.-.}, at: [<ffffffff862cd690>] spin_lock include/linux/spinlock.h:317 [inline]
#2: (slock-AF_INET){+.-.}, at: [<ffffffff862cd690>] tcp_close+0x540/0xed0 net/ipv4/tcp.c:2234

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (slock-AF_INET){+.-.} ops: 7490 {
lock_is_held_type+0x30/0x210 kernel/locking/lockdep.c:4029
lock_is_held include/linux/lockdep.h:437 [inline]
___might_sleep+0x1ea/0x2b0 kernel/sched/core.c:6007
gc_worker+0x625/0xb50 net/netfilter/nf_conntrack_core.c:1123
process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb


the dependencies between the lock to be acquired
and SOFTIRQ-irq-unsafe lock:
-> (hugetlb_lock){+.+.} ops: 26 {
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb


stack backtrace:
CPU: 0 PID: 7987 Comm: syz-executor083 Not tainted 4.14.210-syzkaller #0
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x445f39
RSP: 002b:00007fd2628bdd98 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000

syzbot

Dec 15, 2020, 5:55:11 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 13d2ce42 Linux 4.19.163
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10d5f703500000
kernel config: https://syzkaller.appspot.com/x/.config?x=fac7c3360835a4e0
dashboard link: https://syzkaller.appspot.com/bug?extid=2054819d6fda52ce059e
compiler: gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+205481...@syzkaller.appspotmail.com

netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
4.19.163-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor.2/27182 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire:
00000000556e0bdd (hugetlb_lock){+.+.}, at: spin_lock include/linux/spinlock.h:329 [inline]
00000000556e0bdd (hugetlb_lock){+.+.}, at: free_huge_page+0x482/0xd20 mm/hugetlb.c:1276

and this task is already holding:
0000000015f122a3 (slock-AF_INET){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
0000000015f122a3 (slock-AF_INET){+.-.}, at: tcp_close+0x5bd/0xfd0 net/ipv4/tcp.c:2434
which would create a new lock dependency:
(slock-AF_INET){+.-.} -> (hugetlb_lock){+.+.}

but this new dependency connects a SOFTIRQ-irq-safe lock:
(slock-AF_INET){+.-.}

... which became SOFTIRQ-irq-safe at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
sk_clone_lock+0x40b/0x1430 net/core/sock.c:1671
inet_csk_clone_lock+0x1f/0x3e0 net/ipv4/inet_connection_sock.c:821
tcp_create_openreq_child+0x2c/0x19f0 net/ipv4/tcp_minisocks.c:452
tcp_v4_syn_recv_sock+0xb6/0x1030 net/ipv4/tcp_ipv4.c:1426
tcp_check_req+0x601/0x16b0 net/ipv4/tcp_minisocks.c:789
tcp_v4_rcv+0x1e3c/0x3b80 net/ipv4/tcp_ipv4.c:1770
ip_local_deliver_finish+0x495/0xc00 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:289 [inline]
ip_local_deliver+0x188/0x500 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:461 [inline]
ip_rcv_finish+0x1ca/0x2e0 net/ipv4/ip_input.c:414
NF_HOOK include/linux/netfilter.h:289 [inline]
ip_rcv+0xca/0x3c0 net/ipv4/ip_input.c:524
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:4954
__netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
netif_receive_skb_internal+0xf0/0x3f0 net/core/dev.c:5156
napi_skb_finish net/core/dev.c:5600 [inline]
napi_gro_receive+0x2e6/0x450 net/core/dev.c:5631
receive_buf+0xf1d/0x6120 drivers/net/virtio_net.c:1072
virtnet_receive drivers/net/virtio_net.c:1336 [inline]
virtnet_poll+0x568/0xd70 drivers/net/virtio_net.c:1441
napi_poll net/core/dev.c:6272 [inline]
net_rx_action+0x4ac/0xfb0 net/core/dev.c:6338
__do_softirq+0x26c/0x9a0 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x215/0x260 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:544 [inline]
do_IRQ+0x10c/0x1c0 arch/x86/kernel/irq.c:258
ret_from_intr+0x0/0x1e
rcu_read_unlock include/linux/rcupdate.h:677 [inline]
__unlock_page_memcg+0x4d/0x100 mm/memcontrol.c:1955
alloc_set_pte+0x927/0x1a00 mm/memory.c:3588
filemap_map_pages+0xd66/0x11c0 mm/filemap.c:2700
do_fault_around mm/memory.c:3735 [inline]
do_read_fault mm/memory.c:3769 [inline]
do_fault mm/memory.c:3903 [inline]
handle_pte_fault mm/memory.c:4134 [inline]
__handle_mm_fault+0x2a8e/0x41c0 mm/memory.c:4258
handle_mm_fault+0x436/0xb10 mm/memory.c:4295
__do_page_fault+0x68e/0xd60 arch/x86/mm/fault.c:1412
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205

to a SOFTIRQ-irq-unsafe lock:
(hugetlb_lock){+.+.}

... which became SOFTIRQ-irq-unsafe at:
...
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
hugetlb_overcommit_handler+0x2d4/0x460 mm/hugetlb.c:2999
proc_sys_call_handler.isra.0+0x1f3/0x3b0 fs/proc/proc_sysctl.c:597
__vfs_write+0xf7/0x770 fs/read_write.c:485
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(hugetlb_lock);
                               local_irq_disable();
                               lock(slock-AF_INET);
                               lock(hugetlb_lock);
  <Interrupt>
    lock(slock-AF_INET);

*** DEADLOCK ***

3 locks held by syz-executor.2/27182:
#0: 00000000dd2ea2cf (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
#0: 00000000dd2ea2cf (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x86/0x2a0 net/socket.c:578
#1: 00000000032955c7 (sk_lock-AF_INET){+.+.}, at: lock_sock include/net/sock.h:1510 [inline]
#1: 00000000032955c7 (sk_lock-AF_INET){+.+.}, at: tcp_close+0x25/0xfd0 net/ipv4/tcp.c:2344
#2: 0000000015f122a3 (slock-AF_INET){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
#2: 0000000015f122a3 (slock-AF_INET){+.-.}, at: tcp_close+0x5bd/0xfd0 net/ipv4/tcp.c:2434

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (slock-AF_INET){+.-.} ops: 3476113 {
HARDIRQ-ON-W at:
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
lock_sock_nested+0x3b/0x110 net/core/sock.c:2864
lock_sock include/net/sock.h:1510 [inline]
inet_autobind+0x1a/0x190 net/ipv4/af_inet.c:179
inet_dgram_connect+0x245/0x2d0 net/ipv4/af_inet.c:569
__sys_connect+0x265/0x2c0 net/socket.c:1663
__do_sys_connect net/socket.c:1674 [inline]
__se_sys_connect net/socket.c:1671 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
IN-SOFTIRQ-W at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
sk_clone_lock+0x40b/0x1430 net/core/sock.c:1671
inet_csk_clone_lock+0x1f/0x3e0 net/ipv4/inet_connection_sock.c:821
tcp_create_openreq_child+0x2c/0x19f0 net/ipv4/tcp_minisocks.c:452
tcp_v4_syn_recv_sock+0xb6/0x1030 net/ipv4/tcp_ipv4.c:1426
tcp_check_req+0x601/0x16b0 net/ipv4/tcp_minisocks.c:789
tcp_v4_rcv+0x1e3c/0x3b80 net/ipv4/tcp_ipv4.c:1770
ip_local_deliver_finish+0x495/0xc00 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:289 [inline]
ip_local_deliver+0x188/0x500 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:461 [inline]
ip_rcv_finish+0x1ca/0x2e0 net/ipv4/ip_input.c:414
NF_HOOK include/linux/netfilter.h:289 [inline]
ip_rcv+0xca/0x3c0 net/ipv4/ip_input.c:524
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:4954
__netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
netif_receive_skb_internal+0xf0/0x3f0 net/core/dev.c:5156
napi_skb_finish net/core/dev.c:5600 [inline]
napi_gro_receive+0x2e6/0x450 net/core/dev.c:5631
receive_buf+0xf1d/0x6120 drivers/net/virtio_net.c:1072
virtnet_receive drivers/net/virtio_net.c:1336 [inline]
virtnet_poll+0x568/0xd70 drivers/net/virtio_net.c:1441
napi_poll net/core/dev.c:6272 [inline]
net_rx_action+0x4ac/0xfb0 net/core/dev.c:6338
__do_softirq+0x26c/0x9a0 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x215/0x260 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:544 [inline]
do_IRQ+0x10c/0x1c0 arch/x86/kernel/irq.c:258
ret_from_intr+0x0/0x1e
rcu_read_unlock include/linux/rcupdate.h:677 [inline]
__unlock_page_memcg+0x4d/0x100 mm/memcontrol.c:1955
alloc_set_pte+0x927/0x1a00 mm/memory.c:3588
filemap_map_pages+0xd66/0x11c0 mm/filemap.c:2700
do_fault_around mm/memory.c:3735 [inline]
do_read_fault mm/memory.c:3769 [inline]
do_fault mm/memory.c:3903 [inline]
handle_pte_fault mm/memory.c:4134 [inline]
__handle_mm_fault+0x2a8e/0x41c0 mm/memory.c:4258
handle_mm_fault+0x436/0xb10 mm/memory.c:4295
__do_page_fault+0x68e/0xd60 arch/x86/mm/fault.c:1412
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205
INITIAL USE at:
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
lock_sock_nested+0x3b/0x110 net/core/sock.c:2864
lock_sock include/net/sock.h:1510 [inline]
inet_autobind+0x1a/0x190 net/ipv4/af_inet.c:179
inet_dgram_connect+0x245/0x2d0 net/ipv4/af_inet.c:569
__sys_connect+0x265/0x2c0 net/socket.c:1663
__do_sys_connect net/socket.c:1674 [inline]
__se_sys_connect net/socket.c:1671 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
}
... key at: [<ffffffff8dd6c510>] af_family_slock_keys+0x10/0x1a0
... acquired at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
free_huge_page+0x482/0xd20 mm/hugetlb.c:1276
__put_page+0xe2/0x3a0 mm/swap.c:112
put_page include/linux/mm.h:963 [inline]
__skb_frag_unref include/linux/skbuff.h:2828 [inline]
skb_release_data+0x2f3/0x920 net/core/skbuff.c:568
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:645
sk_wmem_free_skb include/net/sock.h:1466 [inline]
tcp_write_queue_purge+0x24d/0x800 net/ipv4/tcp.c:2543
tcp_v4_destroy_sock+0x101/0x770 net/ipv4/tcp_ipv4.c:1986
inet_csk_destroy_sock+0x189/0x400 net/ipv4/inet_connection_sock.c:872
tcp_close+0x95f/0xfd0 net/ipv4/tcp.c:2498
inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe


the dependencies between the lock to be acquired
and SOFTIRQ-irq-unsafe lock:
-> (hugetlb_lock){+.+.} ops: 5009 {
HARDIRQ-ON-W at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
hugetlb_overcommit_handler+0x2d4/0x460 mm/hugetlb.c:2999
proc_sys_call_handler.isra.0+0x1f3/0x3b0 fs/proc/proc_sysctl.c:597
__vfs_write+0xf7/0x770 fs/read_write.c:485
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
SOFTIRQ-ON-W at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
hugetlb_overcommit_handler+0x2d4/0x460 mm/hugetlb.c:2999
proc_sys_call_handler.isra.0+0x1f3/0x3b0 fs/proc/proc_sysctl.c:597
__vfs_write+0xf7/0x770 fs/read_write.c:485
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
INITIAL USE at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
hugetlb_overcommit_handler+0x2d4/0x460 mm/hugetlb.c:2999
proc_sys_call_handler.isra.0+0x1f3/0x3b0 fs/proc/proc_sysctl.c:597
__vfs_write+0xf7/0x770 fs/read_write.c:485
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
}
... key at: [<ffffffff8a020978>] hugetlb_lock+0x18/0x17a0
... acquired at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
free_huge_page+0x482/0xd20 mm/hugetlb.c:1276
__put_page+0xe2/0x3a0 mm/swap.c:112
put_page include/linux/mm.h:963 [inline]
__skb_frag_unref include/linux/skbuff.h:2828 [inline]
skb_release_data+0x2f3/0x920 net/core/skbuff.c:568
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:645
sk_wmem_free_skb include/net/sock.h:1466 [inline]
tcp_write_queue_purge+0x24d/0x800 net/ipv4/tcp.c:2543
tcp_v4_destroy_sock+0x101/0x770 net/ipv4/tcp_ipv4.c:1986
inet_csk_destroy_sock+0x189/0x400 net/ipv4/inet_connection_sock.c:872
tcp_close+0x95f/0xfd0 net/ipv4/tcp.c:2498
inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe


stack backtrace:
CPU: 1 PID: 27182 Comm: syz-executor.2 Not tainted 4.19.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_bad_irq_dependency kernel/locking/lockdep.c:1572 [inline]
check_usage.cold+0x7ea/0xbad kernel/locking/lockdep.c:1604
check_irq_usage kernel/locking/lockdep.c:1660 [inline]
check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline]
check_prev_add kernel/locking/lockdep.c:1870 [inline]
check_prevs_add kernel/locking/lockdep.c:1978 [inline]
validate_chain kernel/locking/lockdep.c:2419 [inline]
__lock_acquire+0x1da1/0x3ff0 kernel/locking/lockdep.c:3415
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
free_huge_page+0x482/0xd20 mm/hugetlb.c:1276
__put_page+0xe2/0x3a0 mm/swap.c:112
put_page include/linux/mm.h:963 [inline]
__skb_frag_unref include/linux/skbuff.h:2828 [inline]
skb_release_data+0x2f3/0x920 net/core/skbuff.c:568
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:645
sk_wmem_free_skb include/net/sock.h:1466 [inline]
tcp_write_queue_purge+0x24d/0x800 net/ipv4/tcp.c:2543
tcp_v4_destroy_sock+0x101/0x770 net/ipv4/tcp_ipv4.c:1986
inet_csk_destroy_sock+0x189/0x400 net/ipv4/inet_connection_sock.c:872
tcp_close+0x95f/0xfd0 net/ipv4/tcp.c:2498
inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x417ab1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd4f5f1590 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000417ab1
RDX: 0000000000000000 RSI: 00000000011aee18 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffd4f5f1670 R11: 0000000000000293 R12: ffffffffffffffff
R13: 00000000001129e1 R14: 00000000000003e8 R15: 000000000119c0dc
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
nla_parse: 12 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
nla_parse: 24 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.

syzbot

Dec 15, 2020, 6:14:12 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 13d2ce42 Linux 4.19.163
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1327641f500000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1476a46b500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13237137500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+205481...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
4.19.163-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor054/8110 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire:
000000003cefc050 (hugetlb_lock){+.+.}, at: spin_lock include/linux/spinlock.h:329 [inline]
000000003cefc050 (hugetlb_lock){+.+.}, at: free_huge_page+0x482/0xd20 mm/hugetlb.c:1276

and this task is already holding:
0000000077f5c83e (slock-AF_INET){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
0000000077f5c83e (slock-AF_INET){+.-.}, at: tcp_close+0x5bd/0xfd0 net/ipv4/tcp.c:2434
run_ksoftirqd+0x57/0x110 kernel/softirq.c:653
smpboot_thread_fn+0x655/0x9e0 kernel/smpboot.c:164
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
3 locks held by syz-executor054/8110:
#0: 000000009eeb8928 (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
#0: 000000009eeb8928 (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x86/0x2a0 net/socket.c:578
#1: 00000000c5ed8102 (sk_lock-AF_INET){+.+.}, at: lock_sock include/net/sock.h:1510 [inline]
#1: 00000000c5ed8102 (sk_lock-AF_INET){+.+.}, at: tcp_close+0x25/0xfd0 net/ipv4/tcp.c:2344
#2: 0000000077f5c83e (slock-AF_INET){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
#2: 0000000077f5c83e (slock-AF_INET){+.-.}, at: tcp_close+0x5bd/0xfd0 net/ipv4/tcp.c:2434

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (slock-AF_INET){+.-.} ops: 6939 {
run_ksoftirqd+0x57/0x110 kernel/softirq.c:653
smpboot_thread_fn+0x655/0x9e0 kernel/smpboot.c:164
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
tcp_rtx_queue_purge net/ipv4/tcp.c:2532 [inline]
tcp_write_queue_purge+0x446/0x800 net/ipv4/tcp.c:2545
tcp_v4_destroy_sock+0x101/0x770 net/ipv4/tcp_ipv4.c:1986
inet_csk_destroy_sock+0x189/0x400 net/ipv4/inet_connection_sock.c:872
tcp_close+0x95f/0xfd0 net/ipv4/tcp.c:2498
inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe


the dependencies between the lock to be acquired
and SOFTIRQ-irq-unsafe lock:
-> (hugetlb_lock){+.+.} ops: 8 {
tcp_rtx_queue_purge net/ipv4/tcp.c:2532 [inline]
tcp_write_queue_purge+0x446/0x800 net/ipv4/tcp.c:2545
tcp_v4_destroy_sock+0x101/0x770 net/ipv4/tcp_ipv4.c:1986
inet_csk_destroy_sock+0x189/0x400 net/ipv4/inet_connection_sock.c:872
tcp_close+0x95f/0xfd0 net/ipv4/tcp.c:2498
inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe


stack backtrace:
CPU: 1 PID: 8110 Comm: syz-executor054 Not tainted 4.19.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_bad_irq_dependency kernel/locking/lockdep.c:1572 [inline]
check_usage.cold+0x7ea/0xbad kernel/locking/lockdep.c:1604
check_irq_usage kernel/locking/lockdep.c:1660 [inline]
check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline]
check_prev_add kernel/locking/lockdep.c:1870 [inline]
check_prevs_add kernel/locking/lockdep.c:1978 [inline]
validate_chain kernel/locking/lockdep.c:2419 [inline]
__lock_acquire+0x1da1/0x3ff0 kernel/locking/lockdep.c:3415
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
free_huge_page+0x482/0xd20 mm/hugetlb.c:1276
__put_page+0xe2/0x3a0 mm/swap.c:112
put_page include/linux/mm.h:963 [inline]
__skb_frag_unref include/linux/skbuff.h:2828 [inline]
skb_release_data+0x2f3/0x920 net/core/skbuff.c:568
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:645
sk_wmem_free_skb include/net/sock.h:1466 [inline]
tcp_rtx_queue_purge net/ipv4/tcp.c:2532 [inline]
tcp_write_queue_purge+0x446/0x800 net/ipv4/tcp.c:2545
tcp_v4_destroy_sock+0x101/0x770 net/ipv4/tcp_ipv4.c:1986
inet_csk_destroy_sock+0x189/0x400 net/ipv4/inet_connection_sock.c:872
tcp_close+0x95f/0xfd0 net/ipv4/tcp.c:2498
inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x408051
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 24 1a 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe5fbefce0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 00007ffe5fbefd10 RCX: 0000000000408051
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000004
RBP: 0000000000000005 R08: 0000000000000140 R09: 0000000000000140
R10: 00007ffe5fbefd10 R11: 0000000000000293 R12: 00000000006dec30
