possible deadlock in flush_workqueue (2)


syzbot

Dec 20, 2019, 9:06:10 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: bfb9e5c0 Linux 4.14.159
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10d0ecb9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8b2dd838381e2c80
dashboard link: https://syzkaller.appspot.com/bug?extid=70f9d50f6049ac0fe91e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+70f9d5...@syzkaller.appspotmail.com

protocol 88fb is buggy, dev hsr_slave_1
block nbd0: Receive control failed (result -107)
block nbd0: shutting down sockets
============================================
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
WARNING: possible recursive locking detected
4.14.159-syzkaller #0 Not tainted
--------------------------------------------
knbd0-recv/15071 is trying to acquire lock:
("knbd%d-recv"nbd->index){+.+.}, at: [<ffffffff813ce7fa>]
flush_workqueue+0xda/0x1400 kernel/workqueue.c:2619

but task is already holding lock:
("knbd%d-recv"nbd->index){+.+.}, at: [<ffffffff813d581e>] work_static
include/linux/workqueue.h:199 [inline]
("knbd%d-recv"nbd->index){+.+.}, at: [<ffffffff813d581e>] set_work_data
kernel/workqueue.c:619 [inline]
("knbd%d-recv"nbd->index){+.+.}, at: [<ffffffff813d581e>]
set_work_pool_and_clear_pending kernel/workqueue.c:646 [inline]
("knbd%d-recv"nbd->index){+.+.}, at: [<ffffffff813d581e>]
process_one_work+0x76e/0x1600 kernel/workqueue.c:2085

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock("knbd%d-recv"nbd->index);
lock("knbd%d-recv"nbd->index);

*** DEADLOCK ***

May be due to missing lock nesting notation

3 locks held by knbd0-recv/15071:
#0: ("knbd%d-recv"nbd->index){+.+.}
kobject: 'kvm' (ffff8880a641ce50): kobject_uevent_env
, at: [<ffffffff813d581e>] work_static include/linux/workqueue.h:199
[inline]
, at: [<ffffffff813d581e>] set_work_data kernel/workqueue.c:619 [inline]
, at: [<ffffffff813d581e>] set_work_pool_and_clear_pending
kernel/workqueue.c:646 [inline]
, at: [<ffffffff813d581e>] process_one_work+0x76e/0x1600
kernel/workqueue.c:2085
#1: ((&args->work)){+.+.}, at: [<ffffffff813d585b>]
process_one_work+0x7ab/0x1600 kernel/workqueue.c:2089
#2: (&nbd->config_lock){+.+.}, at: [<ffffffff830a1491>]
refcount_dec_and_mutex_lock lib/refcount.c:312 [inline]
#2: (&nbd->config_lock){+.+.}, at: [<ffffffff830a1491>]
refcount_dec_and_mutex_lock+0x41/0x5f lib/refcount.c:307

stack backtrace:
kobject: 'kvm' (ffff8880a641ce50): fill_kobj_path: path
= '/devices/virtual/misc/kvm'
CPU: 0 PID: 15071 Comm: knbd0-recv Not tainted 4.14.159-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: knbd0-recv recv_work
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_deadlock_bug kernel/locking/lockdep.c:1796 [inline]
check_deadlock kernel/locking/lockdep.c:1843 [inline]
validate_chain kernel/locking/lockdep.c:2444 [inline]
__lock_acquire.cold+0x2bf/0x8dc kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
flush_workqueue+0x109/0x1400 kernel/workqueue.c:2622
drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2787
destroy_workqueue+0x75/0x670 kernel/workqueue.c:4100
nbd_config_put+0x43c/0x7a0 drivers/block/nbd.c:1151
recv_work+0x18d/0x1f0 drivers/block/nbd.c:730
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
process_scheduled_works kernel/workqueue.c:2174 [inline]
rescuer_thread+0x78f/0xd90 kernel/workqueue.c:2356
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Apr 22, 2020, 4:54:07 PM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.