Hello,
syzbot found the following issue on:
HEAD commit: a1c449d00ff8 Linux 6.1.36
git tree: linux-6.1.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=17219c9f280000
kernel config:
https://syzkaller.appspot.com/x/.config?x=88fba5343539f90e
dashboard link:
https://syzkaller.appspot.com/bug?extid=8f0d418a958eee1a9131
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/46c419b02b39/disk-a1c449d0.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/cc8fc6c3c06c/vmlinux-a1c449d0.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/7ed5c1022bfe/Image-a1c449d0.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+8f0d41...@syzkaller.appspotmail.com
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4350, name: syz-executor.2
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz-executor.2/4350:
#0: ffff800017b8e848 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:74 [inline]
#0: ffff800017b8e848 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e8/0xd94 net/core/rtnetlink.c:6094
#1: ffff0000cb3c4108 (&sch->q.lock){+...}-{2:2}, at: sch_tree_lock+0x120/0x1d4
Preemption disabled at:
[<ffff8000106bed08>] sch_tree_lock+0x120/0x1d4
CPU: 0 PID: 4350 Comm: syz-executor.2 Not tainted 6.1.36-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
__might_resched+0x37c/0x4d8 kernel/sched/core.c:9941
__might_sleep+0x90/0xe4 kernel/sched/core.c:9870
might_alloc include/linux/sched/mm.h:274 [inline]
slab_pre_alloc_hook mm/slab.h:710 [inline]
slab_alloc_node mm/slub.c:3318 [inline]
__kmem_cache_alloc_node+0x74/0x388 mm/slub.c:3437
__do_kmalloc_node mm/slab_common.c:954 [inline]
__kmalloc_node+0xcc/0x1d0 mm/slab_common.c:962
kmalloc_node include/linux/slab.h:579 [inline]
kvmalloc_node+0x84/0x1e4 mm/util.c:581
kvmalloc include/linux/slab.h:706 [inline]
get_dist_table+0xa0/0x354 net/sched/sch_netem.c:788
netem_change+0x754/0x1900 net/sched/sch_netem.c:985
netem_init+0x54/0xb8 net/sched/sch_netem.c:1072
qdisc_create+0x70c/0xe64 net/sched/sch_api.c:1314
tc_modify_qdisc+0x9f0/0x1840
rtnetlink_rcv_msg+0x72c/0xd94 net/core/rtnetlink.c:6097
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2524
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6115
netlink_unicast_kernel net/netlink/af_netlink.c:1328 [inline]
netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1354
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1902
sock_sendmsg_nosec net/socket.c:716 [inline]
sock_sendmsg net/socket.c:736 [inline]
____sys_sendmsg+0x558/0x844 net/socket.c:2482
___sys_sendmsg net/socket.c:2536 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2565
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2572
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
============================================
WARNING: possible recursive locking detected
6.1.36-syzkaller #0 Tainted: G W
--------------------------------------------
syz-executor.2/4350 is trying to acquire lock:
ffff0000cb3c4108 (&sch->q.lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:355 [inline]
ffff0000cb3c4108 (&sch->q.lock){+...}-{2:2}, at: get_dist_table+0x240/0x354 net/sched/sch_netem.c:798
but task is already holding lock:
ffff0000cb3c4108 (&sch->q.lock){+...}-{2:2}, at: sch_tree_lock+0x120/0x1d4
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&sch->q.lock);
lock(&sch->q.lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by syz-executor.2/4350:
#0: ffff800017b8e848 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:74 [inline]
#0: ffff800017b8e848 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e8/0xd94 net/core/rtnetlink.c:6094
#1: ffff0000cb3c4108 (&sch->q.lock){+...}-{2:2}, at: sch_tree_lock+0x120/0x1d4
stack backtrace:
CPU: 0 PID: 4350 Comm: syz-executor.2 Tainted: G W 6.1.36-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
__lock_acquire+0x6310/0x764c kernel/locking/lockdep.c:5056
lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5669
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x54/0x6c kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:355 [inline]
get_dist_table+0x240/0x354 net/sched/sch_netem.c:798
netem_change+0x754/0x1900 net/sched/sch_netem.c:985
netem_init+0x54/0xb8 net/sched/sch_netem.c:1072
qdisc_create+0x70c/0xe64 net/sched/sch_api.c:1314
tc_modify_qdisc+0x9f0/0x1840
rtnetlink_rcv_msg+0x72c/0xd94 net/core/rtnetlink.c:6097
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2524
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6115
netlink_unicast_kernel net/netlink/af_netlink.c:1328 [inline]
netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1354
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1902
sock_sendmsg_nosec net/socket.c:716 [inline]
sock_sendmsg net/socket.c:736 [inline]
____sys_sendmsg+0x558/0x844 net/socket.c:2482
___sys_sendmsg net/socket.c:2536 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2565
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2572
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup