[v5.15] possible deadlock in scan_inflight
0 views
Skip to first unread message
syzbot
Feb 8, 2025, 9:17:26 PM2/8/25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: c16c81c81336 Linux 5.15.178
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17a1cbdf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d302c69e93fb6774
dashboard link: https://syzkaller.appspot.com/bug?extid=ad3cc82d6688ff7c7cd4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143d02a4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136f9b18580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4e606720793a/disk-c16c81c8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/745de689175f/vmlinux-c16c81c8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5a91e6dfccf0/bzImage-c16c81c8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ad3cc8...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.178-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor274/20648 is trying to acquire lock:
ffff88807c96c9e0 (rlock-AF_UNIX){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffff88807c96c9e0 (rlock-AF_UNIX){+.+.}-{2:2}, at: scan_inflight+0x4a/0x480 net/unix/garbage.c:97
but task is already holding lock:
ffffffff8dd3ba58 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffffffff8dd3ba58 (unix_gc_lock){+.+.}-{2:2}, at: unix_gc+0x115/0x13d0 net/unix/garbage.c:215
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (unix_gc_lock){+.+.}-{2:2}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:363 [inline]
unix_notinflight+0x138/0x380 net/unix/scm.c:73
unix_detach_fds net/unix/scm.c:136 [inline]
unix_destruct_scm+0x21d/0x350 net/unix/scm.c:147
skb_release_head_state+0xf9/0x230 net/core/skbuff.c:729
skb_release_all net/core/skbuff.c:740 [inline]
__kfree_skb net/core/skbuff.c:756 [inline]
consume_skb+0x72/0x140 net/core/skbuff.c:914
queue_oob+0x6cf/0xad0 net/unix/af_unix.c:2000
unix_stream_sendmsg+0xe0a/0x1070 net/unix/af_unix.c:2105
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2436
___sys_sendmsg+0x252/0x2e0 net/socket.c:2490
__sys_sendmsg net/socket.c:2519 [inline]
__do_sys_sendmsg net/socket.c:2528 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2526
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
-> #0 (rlock-AF_UNIX){+.+.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:363 [inline]
scan_inflight+0x4a/0x480 net/unix/garbage.c:97
scan_children+0x2b0/0x460 net/unix/garbage.c:137
unix_gc+0x4bf/0x13d0 net/unix/garbage.c:273
unix_release_sock+0x91c/0xaa0 net/unix/af_unix.c:598
unix_release+0x88/0xc0 net/unix/af_unix.c:933
__sock_release net/socket.c:649 [inline]
sock_close+0xcd/0x230 net/socket.c:1336
__fput+0x3fe/0x8e0 fs/file_table.c:280
task_work_run+0x129/0x1a0 kernel/task_work.c:188
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x6a3/0x2480 kernel/exit.c:874
do_group_exit+0x144/0x310 kernel/exit.c:996
get_signal+0xc66/0x14e0 kernel/signal.c:2900
arch_do_signal_or_restart+0xc3/0x1890 arch/x86/kernel/signal.c:867
handle_signal_work kernel/entry/common.c:154 [inline]
exit_to_user_mode_loop+0x97/0x130 kernel/entry/common.c:178
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x5d/0x240 kernel/entry/common.c:307
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(unix_gc_lock);
lock(rlock-AF_UNIX);
lock(unix_gc_lock);
lock(rlock-AF_UNIX);
*** DEADLOCK ***
2 locks held by syz-executor274/20648:
#0: ffff888071166810 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:789 [inline]
#0: ffff888071166810 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: __sock_release net/socket.c:648 [inline]
#0: ffff888071166810 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: sock_close+0x98/0x230 net/socket.c:1336
#1: ffffffff8dd3ba58 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
#1: ffffffff8dd3ba58 (unix_gc_lock){+.+.}-{2:2}, at: unix_gc+0x115/0x13d0 net/unix/garbage.c:215
stack backtrace:
CPU: 0 PID: 20648 Comm: syz-executor274 Not tainted 5.15.178-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:363 [inline]
scan_inflight+0x4a/0x480 net/unix/garbage.c:97
scan_children+0x2b0/0x460 net/unix/garbage.c:137
unix_gc+0x4bf/0x13d0 net/unix/garbage.c:273
unix_release_sock+0x91c/0xaa0 net/unix/af_unix.c:598
unix_release+0x88/0xc0 net/unix/af_unix.c:933
__sock_release net/socket.c:649 [inline]
sock_close+0xcd/0x230 net/socket.c:1336
__fput+0x3fe/0x8e0 fs/file_table.c:280
task_work_run+0x129/0x1a0 kernel/task_work.c:188
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x6a3/0x2480 kernel/exit.c:874
do_group_exit+0x144/0x310 kernel/exit.c:996
get_signal+0xc66/0x14e0 kernel/signal.c:2900
arch_do_signal_or_restart+0xc3/0x1890 arch/x86/kernel/signal.c:867
handle_signal_work kernel/entry/common.c:154 [inline]
exit_to_user_mode_loop+0x97/0x130 kernel/entry/common.c:178
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x5d/0x240 kernel/entry/common.c:307
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fb32a4de859
Code: Unable to access opcode bytes at RIP 0x7fb32a4de82f.
RSP: 002b:00007fb32a49f218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fb32a568348 RCX: 00007fb32a4de859
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fb32a568348
RBP: 00007fb32a568340 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb32a535074
R13: 0000400000000500 R14: 0000400000000610 R15: 0000400000000600
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: c16c81c81336 Linux 5.15.178
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17a1cbdf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d302c69e93fb6774
dashboard link: https://syzkaller.appspot.com/bug?extid=ad3cc82d6688ff7c7cd4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143d02a4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136f9b18580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4e606720793a/disk-c16c81c8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/745de689175f/vmlinux-c16c81c8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5a91e6dfccf0/bzImage-c16c81c8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ad3cc8...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.178-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor274/20648 is trying to acquire lock:
ffff88807c96c9e0 (rlock-AF_UNIX){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffff88807c96c9e0 (rlock-AF_UNIX){+.+.}-{2:2}, at: scan_inflight+0x4a/0x480 net/unix/garbage.c:97
but task is already holding lock:
ffffffff8dd3ba58 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
ffffffff8dd3ba58 (unix_gc_lock){+.+.}-{2:2}, at: unix_gc+0x115/0x13d0 net/unix/garbage.c:215
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (unix_gc_lock){+.+.}-{2:2}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:363 [inline]
unix_notinflight+0x138/0x380 net/unix/scm.c:73
unix_detach_fds net/unix/scm.c:136 [inline]
unix_destruct_scm+0x21d/0x350 net/unix/scm.c:147
skb_release_head_state+0xf9/0x230 net/core/skbuff.c:729
skb_release_all net/core/skbuff.c:740 [inline]
__kfree_skb net/core/skbuff.c:756 [inline]
consume_skb+0x72/0x140 net/core/skbuff.c:914
queue_oob+0x6cf/0xad0 net/unix/af_unix.c:2000
unix_stream_sendmsg+0xe0a/0x1070 net/unix/af_unix.c:2105
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x59e/0x8f0 net/socket.c:2436
___sys_sendmsg+0x252/0x2e0 net/socket.c:2490
__sys_sendmsg net/socket.c:2519 [inline]
__do_sys_sendmsg net/socket.c:2528 [inline]
__se_sys_sendmsg+0x19a/0x260 net/socket.c:2526
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
-> #0 (rlock-AF_UNIX){+.+.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:363 [inline]
scan_inflight+0x4a/0x480 net/unix/garbage.c:97
scan_children+0x2b0/0x460 net/unix/garbage.c:137
unix_gc+0x4bf/0x13d0 net/unix/garbage.c:273
unix_release_sock+0x91c/0xaa0 net/unix/af_unix.c:598
unix_release+0x88/0xc0 net/unix/af_unix.c:933
__sock_release net/socket.c:649 [inline]
sock_close+0xcd/0x230 net/socket.c:1336
__fput+0x3fe/0x8e0 fs/file_table.c:280
task_work_run+0x129/0x1a0 kernel/task_work.c:188
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x6a3/0x2480 kernel/exit.c:874
do_group_exit+0x144/0x310 kernel/exit.c:996
get_signal+0xc66/0x14e0 kernel/signal.c:2900
arch_do_signal_or_restart+0xc3/0x1890 arch/x86/kernel/signal.c:867
handle_signal_work kernel/entry/common.c:154 [inline]
exit_to_user_mode_loop+0x97/0x130 kernel/entry/common.c:178
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x5d/0x240 kernel/entry/common.c:307
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(unix_gc_lock);
lock(rlock-AF_UNIX);
lock(unix_gc_lock);
lock(rlock-AF_UNIX);
*** DEADLOCK ***
2 locks held by syz-executor274/20648:
#0: ffff888071166810 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:789 [inline]
#0: ffff888071166810 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: __sock_release net/socket.c:648 [inline]
#0: ffff888071166810 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: sock_close+0x98/0x230 net/socket.c:1336
#1: ffffffff8dd3ba58 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
#1: ffffffff8dd3ba58 (unix_gc_lock){+.+.}-{2:2}, at: unix_gc+0x115/0x13d0 net/unix/garbage.c:215
stack backtrace:
CPU: 0 PID: 20648 Comm: syz-executor274 Not tainted 5.15.178-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:363 [inline]
scan_inflight+0x4a/0x480 net/unix/garbage.c:97
scan_children+0x2b0/0x460 net/unix/garbage.c:137
unix_gc+0x4bf/0x13d0 net/unix/garbage.c:273
unix_release_sock+0x91c/0xaa0 net/unix/af_unix.c:598
unix_release+0x88/0xc0 net/unix/af_unix.c:933
__sock_release net/socket.c:649 [inline]
sock_close+0xcd/0x230 net/socket.c:1336
__fput+0x3fe/0x8e0 fs/file_table.c:280
task_work_run+0x129/0x1a0 kernel/task_work.c:188
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x6a3/0x2480 kernel/exit.c:874
do_group_exit+0x144/0x310 kernel/exit.c:996
get_signal+0xc66/0x14e0 kernel/signal.c:2900
arch_do_signal_or_restart+0xc3/0x1890 arch/x86/kernel/signal.c:867
handle_signal_work kernel/entry/common.c:154 [inline]
exit_to_user_mode_loop+0x97/0x130 kernel/entry/common.c:178
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x5d/0x240 kernel/entry/common.c:307
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fb32a4de859
Code: Unable to access opcode bytes at RIP 0x7fb32a4de82f.
RSP: 002b:00007fb32a49f218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fb32a568348 RCX: 00007fb32a4de859
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fb32a568348
RBP: 00007fb32a568340 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb32a535074
R13: 0000400000000500 R14: 0000400000000610 R15: 0000400000000600
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages