From: syzbot <syzbot+b69a625d06e8ece26415@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] possible deadlock in rfcomm_dlc_exists
Date: Fri, 31 Mar 2023 01:16:24 -0700 [thread overview]
Message-ID: <00000000000039ff8905f82dd30d@google.com> (raw)
In-Reply-To: <20230331080108.3156-1-hdanton@sina.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in rfcomm_dev_ioctl
======================================================
WARNING: possible circular locking dependency detected
6.3.0-rc4-next-20230330-syzkaller-dirty #0 Not tainted
------------------------------------------------------
syz-executor.0/5603 is trying to acquire lock:
ffff88801e179130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1697 [inline]
ffff88801e179130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: __rfcomm_create_dev net/bluetooth/rfcomm/tty.c:417 [inline]
ffff88801e179130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_create_dev net/bluetooth/rfcomm/tty.c:488 [inline]
ffff88801e179130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_dev_ioctl+0x9ca/0x1cb0 net/bluetooth/rfcomm/tty.c:590
but task is already holding lock:
ffffffff8e35cc88 (rfcomm_ioctl_mutex){+.+.}-{3:3}, at: rfcomm_create_dev net/bluetooth/rfcomm/tty.c:487 [inline]
ffffffff8e35cc88 (rfcomm_ioctl_mutex){+.+.}-{3:3}, at: rfcomm_dev_ioctl+0x8a2/0x1cb0 net/bluetooth/rfcomm/tty.c:590
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (rfcomm_ioctl_mutex){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x12f/0x1350 kernel/locking/mutex.c:747
rfcomm_create_dev net/bluetooth/rfcomm/tty.c:487 [inline]
rfcomm_dev_ioctl+0x8a2/0x1cb0 net/bluetooth/rfcomm/tty.c:590
rfcomm_sock_ioctl+0xb7/0xe0 net/bluetooth/rfcomm/sock.c:880
sock_do_ioctl+0xcc/0x230 net/socket.c:1199
sock_ioctl+0x1f8/0x680 net/socket.c:1316
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3108 [inline]
check_prevs_add kernel/locking/lockdep.c:3227 [inline]
validate_chain kernel/locking/lockdep.c:3842 [inline]
__lock_acquire+0x2f21/0x5df0 kernel/locking/lockdep.c:5074
lock_acquire.part.0+0x11c/0x370 kernel/locking/lockdep.c:5691
lock_sock_nested+0x3a/0xf0 net/core/sock.c:3474
lock_sock include/net/sock.h:1697 [inline]
__rfcomm_create_dev net/bluetooth/rfcomm/tty.c:417 [inline]
rfcomm_create_dev net/bluetooth/rfcomm/tty.c:488 [inline]
rfcomm_dev_ioctl+0x9ca/0x1cb0 net/bluetooth/rfcomm/tty.c:590
rfcomm_sock_ioctl+0xb7/0xe0 net/bluetooth/rfcomm/sock.c:880
sock_do_ioctl+0xcc/0x230 net/socket.c:1199
sock_ioctl+0x1f8/0x680 net/socket.c:1316
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(rfcomm_ioctl_mutex);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM);
lock(rfcomm_ioctl_mutex);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM);
*** DEADLOCK ***
1 lock held by syz-executor.0/5603:
#0: ffffffff8e35cc88 (rfcomm_ioctl_mutex){+.+.}-{3:3}, at: rfcomm_create_dev net/bluetooth/rfcomm/tty.c:487 [inline]
#0: ffffffff8e35cc88 (rfcomm_ioctl_mutex){+.+.}-{3:3}, at: rfcomm_dev_ioctl+0x8a2/0x1cb0 net/bluetooth/rfcomm/tty.c:590
stack backtrace:
CPU: 0 PID: 5603 Comm: syz-executor.0 Not tainted 6.3.0-rc4-next-20230330-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2188
check_prev_add kernel/locking/lockdep.c:3108 [inline]
check_prevs_add kernel/locking/lockdep.c:3227 [inline]
validate_chain kernel/locking/lockdep.c:3842 [inline]
__lock_acquire+0x2f21/0x5df0 kernel/locking/lockdep.c:5074
lock_acquire.part.0+0x11c/0x370 kernel/locking/lockdep.c:5691
lock_sock_nested+0x3a/0xf0 net/core/sock.c:3474
lock_sock include/net/sock.h:1697 [inline]
__rfcomm_create_dev net/bluetooth/rfcomm/tty.c:417 [inline]
rfcomm_create_dev net/bluetooth/rfcomm/tty.c:488 [inline]
rfcomm_dev_ioctl+0x9ca/0x1cb0 net/bluetooth/rfcomm/tty.c:590
rfcomm_sock_ioctl+0xb7/0xe0 net/bluetooth/rfcomm/sock.c:880
sock_do_ioctl+0xcc/0x230 net/socket.c:1199
sock_ioctl+0x1f8/0x680 net/socket.c:1316
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f94d848c0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f94d911c168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f94d85ac050 RCX: 00007f94d848c0f9
RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000006
RBP: 00007f94d84e7b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffef88f28bf R14: 00007f94d911c300 R15: 0000000000022000
</TASK>
Tested on:
commit: a6d9e303 Add linux-next specific files for 20230330
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14b657d5c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=aceb117f7924508e
dashboard link: https://syzkaller.appspot.com/bug?extid=b69a625d06e8ece26415
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1741d1cdc80000
next parent reply other threads:[~2023-03-31 8:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230331080108.3156-1-hdanton@sina.com>
2023-03-31 8:16 ` syzbot [this message]
[not found] <20230331084907.3220-1-hdanton@sina.com>
2023-03-31 9:18 ` [syzbot] [bluetooth?] possible deadlock in rfcomm_dlc_exists syzbot
[not found] <20230331032008.3067-1-hdanton@sina.com>
2023-03-31 3:37 ` syzbot
2023-01-20 16:28 [syzbot] " syzbot
2023-03-31 0:21 ` [syzbot] [bluetooth?] " syzbot
2024-11-17 14:03 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000039ff8905f82dd30d@google.com \
--to=syzbot+b69a625d06e8ece26415@syzkaller.appspotmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.