From: syzbot <syzbot+26bfd0c1cea0b221a4bf@syzkaller.appspotmail.com>
To: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, martin.lau@linux.dev,
sdf@fomichev.me, song@kernel.org,
syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: [syzbot] [bpf?] possible deadlock in htab_map_delete_elem
Date: Wed, 11 Sep 2024 08:38:25 -0700 [thread overview]
Message-ID: <000000000000e7ca170621d9c775@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: b31c44928842 Merge tag 'linux_kselftest-kunit-fixes-6.11-r..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=121a189f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=57042fe37c7ee7c2
dashboard link: https://syzkaller.appspot.com/bug?extid=26bfd0c1cea0b221a4bf
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=101c2bc7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11f5ba00580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-b31c4492.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f518d8293660/vmlinux-b31c4492.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d06107105268/bzImage-b31c4492.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+26bfd0c1cea0b221a4bf@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.11.0-rc6-syzkaller-00308-gb31c44928842 #0 Not tainted
------------------------------------------------------
syz-executor169/5356 is trying to acquire lock:
ffff888035409940 (&htab->lockdep_key#4){-.-.}-{2:2}, at: htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
ffff888035409940 (&htab->lockdep_key#4){-.-.}-{2:2}, at: htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
but task is already holding lock:
ffff888035408820 (&htab->lockdep_key#2){-.-.}-{2:2}, at: htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
ffff888035408820 (&htab->lockdep_key#2){-.-.}-{2:2}, at: htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&htab->lockdep_key#2){-.-.}-{2:2}:
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
bpf_prog_1a158c95e143a564+0x45/0x4e
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x231/0x590 kernel/trace/bpf_trace.c:2447
__bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122
__traceiter_contention_end+0x5a/0xa0 include/trace/events/lock.h:122
trace_contention_end.constprop.0+0xea/0x170 include/trace/events/lock.h:122
__pv_queued_spin_lock_slowpath+0x27e/0xc90 kernel/locking/qspinlock.c:557
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
do_raw_spin_lock+0x210/0x2c0 kernel/locking/spinlock_debug.c:116
htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
bpf_prog_1a158c95e143a564+0x45/0x4e
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x231/0x590 kernel/trace/bpf_trace.c:2447
__bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122
__traceiter_contention_end+0x5a/0xa0 include/trace/events/lock.h:122
trace_contention_end+0xce/0x140 include/trace/events/lock.h:122
__mutex_lock_common kernel/locking/mutex.c:617 [inline]
__mutex_lock+0x19c/0x9c0 kernel/locking/mutex.c:752
put_rng+0x1a/0xe0 drivers/char/hw_random/core.c:141
rng_dev_read+0x22d/0x720 drivers/char/hw_random/core.c:248
do_loop_readv_writev fs/read_write.c:761 [inline]
do_loop_readv_writev fs/read_write.c:749 [inline]
vfs_readv+0x6cb/0x8a0 fs/read_write.c:934
do_preadv fs/read_write.c:1049 [inline]
__do_sys_preadv fs/read_write.c:1099 [inline]
__se_sys_preadv fs/read_write.c:1094 [inline]
__x64_sys_preadv+0x22b/0x310 fs/read_write.c:1094
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&htab->lockdep_key#4){-.-.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3133 [inline]
check_prevs_add kernel/locking/lockdep.c:3252 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
lock_acquire kernel/locking/lockdep.c:5759 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
bpf_prog_1a158c95e143a564+0x45/0x4e
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x231/0x590 kernel/trace/bpf_trace.c:2447
__bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122
__traceiter_contention_end+0x5a/0xa0 include/trace/events/lock.h:122
trace_contention_end.constprop.0+0xea/0x170 include/trace/events/lock.h:122
__pv_queued_spin_lock_slowpath+0x27e/0xc90 kernel/locking/qspinlock.c:557
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
do_raw_spin_lock+0x210/0x2c0 kernel/locking/spinlock_debug.c:116
htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
bpf_prog_1a158c95e143a564+0x45/0x4e
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x231/0x590 kernel/trace/bpf_trace.c:2447
__bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122
__traceiter_contention_end+0x5a/0xa0 include/trace/events/lock.h:122
trace_contention_end+0xce/0x140 include/trace/events/lock.h:122
__mutex_lock_common kernel/locking/mutex.c:727 [inline]
__mutex_lock+0x281/0x9c0 kernel/locking/mutex.c:752
rng_dev_read+0x128/0x720 drivers/char/hw_random/core.c:218
do_loop_readv_writev fs/read_write.c:761 [inline]
do_loop_readv_writev fs/read_write.c:749 [inline]
vfs_readv+0x6cb/0x8a0 fs/read_write.c:934
do_preadv fs/read_write.c:1049 [inline]
__do_sys_preadv fs/read_write.c:1099 [inline]
__se_sys_preadv fs/read_write.c:1094 [inline]
__x64_sys_preadv+0x22b/0x310 fs/read_write.c:1094
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&htab->lockdep_key#2);
lock(&htab->lockdep_key#4);
lock(&htab->lockdep_key#2);
lock(&htab->lockdep_key#4);
*** DEADLOCK ***
5 locks held by syz-executor169/5356:
#0: ffffffff8e9fb728 (reading_mutex){+.+.}-{3:3}, at: rng_dev_read+0x128/0x720 drivers/char/hw_random/core.c:218
#1: ffffffff8e9fb6e0 (reading_mutex.wait_lock){+.+.}-{2:2}, at: __mutex_lock_common kernel/locking/mutex.c:706 [inline]
#1: ffffffff8e9fb6e0 (reading_mutex.wait_lock){+.+.}-{2:2}, at: __mutex_lock+0x6ac/0x9c0 kernel/locking/mutex.c:752
#2: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
#2: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#2: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2405 [inline]
#2: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1c2/0x590 kernel/trace/bpf_trace.c:2447
#3: ffff888035408820 (&htab->lockdep_key#2){-.-.}-{2:2}, at: htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
#3: ffff888035408820 (&htab->lockdep_key#2){-.-.}-{2:2}, at: htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
#4: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
#4: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#4: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2405 [inline]
#4: ffffffff8ddb9fe0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1c2/0x590 kernel/trace/bpf_trace.c:2447
stack backtrace:
CPU: 0 UID: 0 PID: 5356 Comm: syz-executor169 Not tainted 6.11.0-rc6-syzkaller-00308-gb31c44928842 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2186
check_prev_add kernel/locking/lockdep.c:3133 [inline]
check_prevs_add kernel/locking/lockdep.c:3252 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
lock_acquire kernel/locking/lockdep.c:5759 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
bpf_prog_1a158c95e143a564+0x45/0x4e
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x231/0x590 kernel/trace/bpf_trace.c:2447
__bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122
__traceiter_contention_end+0x5a/0xa0 include/trace/events/lock.h:122
trace_contention_end.constprop.0+0xea/0x170 include/trace/events/lock.h:122
__pv_queued_spin_lock_slowpath+0x27e/0xc90 kernel/locking/qspinlock.c:557
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
do_raw_spin_lock+0x210/0x2c0 kernel/locking/spinlock_debug.c:116
htab_lock_bucket kernel/bpf/hashtab.c:167 [inline]
htab_map_delete_elem+0x1c8/0x730 kernel/bpf/hashtab.c:1426
bpf_prog_1a158c95e143a564+0x45/0x4e
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x231/0x590 kernel/trace/bpf_trace.c:2447
__bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122
__traceiter_contention_end+0x5a/0xa0 include/trace/events/lock.h:122
trace_contention_end+0xce/0x140 include/trace/events/lock.h:122
__mutex_lock_common kernel/locking/mutex.c:727 [inline]
__mutex_lock+0x281/0x9c0 kernel/locking/mutex.c:752
rng_dev_read+0x128/0x720 drivers/char/hw_random/core.c:218
do_loop_readv_writev fs/read_write.c:761 [inline]
do_loop_readv_writev fs/read_write.c:749 [inline]
vfs_readv+0x6cb/0x8a0 fs/read_write.c:934
do_preadv fs/read_write.c:1049 [inline]
__do_sys_preadv fs/read_write.c:1099 [inline]
__se_sys_preadv fs/read_write.c:1094 [inline]
__x64_sys_preadv+0x22b/0x310 fs/read_write.c:1094
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa70184cea9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa701805218 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007fa7018dc1a8 RCX: 00007fa70184cea9
RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 00007fa7018dc1a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa7018a325c
R13: 7277682f7665642f R14: 00646e655f6e6f69 R15: 69746e65746e6f63
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
reply other threads:[~2024-09-11 15:38 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000e7ca170621d9c775@google.com \
--to=syzbot+26bfd0c1cea0b221a4bf@syzkaller.appspotmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.