[v6.1] possible deadlock in unix_collect_skb


syzbot
Jul 6, 2025, 9:45:31 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 04d1ccaa9c28 Linux 6.1.143
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1404a28c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ad4b9c9f99d21bd2
dashboard link: https://syzkaller.appspot.com/bug?extid=935eda0926f44898461e
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6eebf3671ad1/disk-04d1ccaa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3bd866d93a54/vmlinux-04d1ccaa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1eb263411e03/bzImage-04d1ccaa.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+935eda...@syzkaller.appspotmail.com

============================================
WARNING: possible recursive locking detected
6.1.143-syzkaller #0 Not tainted
--------------------------------------------
kworker/u4:7/4370 is trying to acquire lock:
ffff88807ba7a9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88807ba7a9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: unix_collect_skb+0x15a/0x550 net/unix/garbage.c:361

but task is already holding lock:
ffff88807ba7b9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88807ba7b9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: unix_collect_skb+0xb7/0x550 net/unix/garbage.c:353

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(rlock-AF_UNIX);
lock(rlock-AF_UNIX);

*** DEADLOCK ***

May be due to missing lock nesting notation

4 locks held by kworker/u4:7/4370:
#0: ffff888017479138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x7a1/0x1160 kernel/workqueue.c:2267
#1: ffffc9000498fd00 (unix_gc_work){+.+.}-{0:0}, at: process_one_work+0x7a1/0x1160 kernel/workqueue.c:2267
#2: ffffffff8de41c38 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#2: ffffffff8de41c38 (unix_gc_lock){+.+.}-{2:2}, at: __unix_gc+0x9e/0x1850 net/unix/garbage.c:555
#3: ffff88807ba7b9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#3: ffff88807ba7b9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: unix_collect_skb+0xb7/0x550 net/unix/garbage.c:353

stack backtrace:
CPU: 0 PID: 4370 Comm: kworker/u4:7 Not tainted 6.1.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events_unbound __unix_gc
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
__lock_acquire+0x122f/0x7c50 kernel/locking/lockdep.c:-1
lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
unix_collect_skb+0x15a/0x550 net/unix/garbage.c:361
__unix_walk_scc net/unix/garbage.c:484 [inline]
unix_walk_scc net/unix/garbage.c:509 [inline]
__unix_gc+0x106a/0x1850 net/unix/garbage.c:567
process_one_work+0x898/0x1160 kernel/workqueue.c:2292
worker_thread+0xaa2/0x1250 kernel/workqueue.c:2439
kthread+0x29d/0x330 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot
Jul 6, 2025, 6:57:33 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 04d1ccaa9c28 Linux 6.1.143
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=120def70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=30fae84d50729cf
dashboard link: https://syzkaller.appspot.com/bug?extid=935eda0926f44898461e
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10194bd4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1732828c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6be65a5e6fec/disk-04d1ccaa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/52fda42cf9c4/vmlinux-04d1ccaa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0491d42b7947/Image-04d1ccaa.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+935eda...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
============================================
WARNING: possible recursive locking detected
6.1.143-syzkaller #0 Not tainted
--------------------------------------------
kworker/u4:2/39 is trying to acquire lock:
ffff0000d5bca1e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000d5bca1e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: unix_collect_skb+0x140/0x480 net/unix/garbage.c:361

but task is already holding lock:
ffff0000d5bc91e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000d5bc91e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: unix_collect_skb+0xa8/0x480 net/unix/garbage.c:353

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(rlock-AF_UNIX);
lock(rlock-AF_UNIX);

*** DEADLOCK ***

May be due to missing lock nesting notation

4 locks held by kworker/u4:2/39:
#0: ffff0000c0029138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x6b4/0x13a8 kernel/workqueue.c:2265
#1: ffff80001cd77c20 (unix_gc_work){+.+.}-{0:0}, at: process_one_work+0x6f8/0x13a8 kernel/workqueue.c:2267
#2: ffff800017817358 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#2: ffff800017817358 (unix_gc_lock){+.+.}-{2:2}, at: __unix_gc+0xb8/0x1334 net/unix/garbage.c:555
#3: ffff0000d5bc91e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#3: ffff0000d5bc91e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: unix_collect_skb+0xa8/0x480 net/unix/garbage.c:353

stack backtrace:
CPU: 1 PID: 39 Comm: kworker/u4:2 Not tainted 6.1.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events_unbound __unix_gc
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
__lock_acquire+0x18b4/0x6544 kernel/locking/lockdep.c:-1
lock_acquire+0x20c/0x644 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
unix_collect_skb+0x140/0x480 net/unix/garbage.c:361
__unix_walk_scc net/unix/garbage.c:484 [inline]
unix_walk_scc net/unix/garbage.c:509 [inline]
__unix_gc+0xd18/0x1334 net/unix/garbage.c:567
process_one_work+0x7f4/0x13a8 kernel/workqueue.c:2292
worker_thread+0x8c8/0xfbc kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:849


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.