[syzbot] [wireless?] possible deadlock in ieee80211_remove_interfaces

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+5b9196ecf74447172a9a@syzkaller.appspotmail.com>
To: davem@davemloft.net, edumazet@google.com,
	johannes@sipsolutions.net,  kuba@kernel.org,
	linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
	 netdev@vger.kernel.org, pabeni@redhat.com,
	syzkaller-bugs@googlegroups.com
Subject: [syzbot] [wireless?] possible deadlock in ieee80211_remove_interfaces
Date: Thu, 05 Sep 2024 13:10:28 -0700	[thread overview]
Message-ID: <000000000000c1ae9e062164e101@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    431c1646e1f8 Linux 6.11-rc6
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=144a43db980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=931962fa28089080
dashboard link: https://syzkaller.appspot.com/bug?extid=5b9196ecf74447172a9a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-431c1646.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/01c0dadd39ff/vmlinux-431c1646.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9e2259e440f7/bzImage-431c1646.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5b9196ecf74447172a9a@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
6.11.0-rc6-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u32:7/1108 is trying to acquire lock:
but task is already holding lock:
ffff888055278768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:6014 [inline]
ffff888055278768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: ieee80211_remove_interfaces+0xfe/0x760 net/mac80211/iface.c:2262

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:
-> #1 (&rdev->wiphy.mtx){+.+.}-{3:3}:
       dev_open net/core/dev.c:1510 [inline]
       dev_open+0xf4/0x160 net/core/dev.c:1503
       do_setlink+0xd24/0x4190 net/core/rtnetlink.c:2907
       __rtnl_newlink+0xc35/0x1920 net/core/rtnetlink.c:3696
       rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3743
       rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6647
       netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2550
       netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
       netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357
       netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (team->team_lock_key#10){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3133 [inline]
       check_prevs_add kernel/locking/lockdep.c:3252 [inline]
       validate_chain kernel/locking/lockdep.c:3868 [inline]
       __lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
       lock_acquire kernel/locking/lockdep.c:5759 [inline]
       lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752
       team_del_slave+0x31/0x1b0 drivers/net/team/team_core.c:1990
       team_device_event+0xd0/0x770 drivers/net/team/team_core.c:2984
       notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
       call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1994
       call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
       call_netdevice_notifiers net/core/dev.c:2046 [inline]
       unregister_netdevice_many_notify+0x8bb/0x1e40 net/core/dev.c:11352
       mac80211_hwsim_del_radio drivers/net/wireless/virtual/mac80211_hwsim.c:5625 [inline]
       hwsim_exit_net+0x3ad/0x7d0 drivers/net/wireless/virtual/mac80211_hwsim.c:6505
       ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
       cleanup_net+0x5b7/0xbb0 net/core/net_namespace.c:640
       process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
       process_scheduled_works kernel/workqueue.c:3312 [inline]
       worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
       kthread+0x2c1/0x3a0 kernel/kthread.c:389
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
other info that might help us debug this:


       ----                    ----
                               lock(&rdev->wiphy.mtx);
  lock(team->team_lock_key#10);

 *** DEADLOCK ***

5 locks held by kworker/u32:7/1108:
 #0: ffff88801baf4948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x1277/0x1b40 kernel/workqueue.c:3206
stack backtrace:
CPU: 2 UID: 0 PID: 1108 Comm: kworker/u32:7 Not tainted 6.11.0-rc6-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2186
 __mutex_lock_common kernel/locking/mutex.c:608 [inline]
 __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752
 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1994
 call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
 call_netdevice_notifiers net/core/dev.c:2046 [inline]
 unregister_netdevice_many_notify+0x8bb/0x1e40 net/core/dev.c:11352
 unregister_netdevice_many net/core/dev.c:11414 [inline]
 unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11289
 unregister_netdevice include/linux/netdevice.h:3129 [inline]
 _cfg80211_unregister_wdev+0x624/0x7f0 net/wireless/core.c:1211
 ieee80211_remove_interfaces+0x36d/0x760 net/mac80211/iface.c:2287
 ieee80211_unregister_hw+0x55/0x3a0 net/mac80211/main.c:1669
 mac80211_hwsim_del_radio drivers/net/wireless/virtual/mac80211_hwsim.c:5625 [inline]
 hwsim_exit_net+0x3ad/0x7d0 drivers/net/wireless/virtual/mac80211_hwsim.c:6505
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

next             reply	other threads:[~2024-09-05 20:10 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-05 20:10 syzbot [this message]
2025-01-17  3:58 ` [syzbot] [wireless?] possible deadlock in ieee80211_remove_interfaces syzbot
2025-01-17  4:14   ` Eric Dumazet
2025-01-28 18:13     ` Aleksandr Nogikh
2025-01-28 18:16       ` Eric Dumazet
2025-01-17 19:07 ` syzbot
2025-01-19  6:54   ` Hillf Danton
2025-01-19  7:25     ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000c1ae9e062164e101@google.com \
    --to=syzbot+5b9196ecf74447172a9a@syzkaller.appspotmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=johannes@sipsolutions.net \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.