From: syzbot <syzbot+706f5eb79044e686c794@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] kernel BUG in pn_socket_sendmsg
Date: Tue, 21 Apr 2026 20:04:02 -0700 [thread overview]
Message-ID: <69e83aa2.a00a0220.17a17.0021.GAE@google.com> (raw)
In-Reply-To: <20260422021327.16934-1-kartikey406@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in __sk_receive_skb
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz-executor150/8596 is trying to acquire lock:
ffff888039b2c8a0 (slock-AF_PHONET/1){+.+.}-{3:3}, at: __sk_receive_skb+0x1bf/0x9e0 net/core/sock.c:563
but task is already holding lock:
ffff888034c5b720 (slock-AF_PHONET){+...}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
ffff888034c5b720 (slock-AF_PHONET){+...}-{3:3}, at: __sk_receive_skb+0x1f1/0x9e0 net/core/sock.c:565
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (slock-AF_PHONET){+...}-{3:3}:
rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
spin_lock include/linux/spinlock_rt.h:45 [inline]
__sk_receive_skb+0x1f1/0x9e0 net/core/sock.c:565
sk_receive_skb include/net/sock.h:2022 [inline]
phonet_rcv+0x781/0xc40 net/phonet/af_phonet.c:-1
__netif_receive_skb_one_core net/core/dev.c:6210 [inline]
__netif_receive_skb net/core/dev.c:6323 [inline]
process_backlog+0x5e1/0xc60 net/core/dev.c:6674
__napi_poll+0xab/0x550 net/core/dev.c:7738
napi_poll net/core/dev.c:7801 [inline]
net_rx_action+0x696/0xe00 net/core/dev.c:7958
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
__local_bh_enable_ip+0x170/0x2b0 kernel/softirq.c:302
local_bh_enable include/linux/bottom_half.h:33 [inline]
netif_rx+0xb9/0xf0 net/core/dev.c:5776
pn_send+0x62a/0x8e0 net/phonet/af_phonet.c:188
pn_skb_send+0x218/0x530 net/phonet/af_phonet.c:275
pep_indicate net/phonet/pep.c:123 [inline]
pipe_snd_status+0x1f1/0x320 net/phonet/pep.c:221
pipe_grant_credits net/phonet/pep.c:244 [inline]
pipe_do_rcv+0xf15/0x16a0 net/phonet/pep.c:433
sk_backlog_rcv include/net/sock.h:1190 [inline]
__sk_receive_skb+0x962/0x9e0 net/core/sock.c:572
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv+0x685/0xaa0 net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190 [inline]
__release_sock+0x2a9/0x3d0 net/core/sock.c:3216
release_sock+0x1be/0x290 net/core/sock.c:3815
pep_sock_accept+0xd47/0x11e0 net/phonet/pep.c:879
pn_socket_accept+0xc1/0x310 net/phonet/socket.c:303
do_accept+0x6ca/0x930 net/socket.c:2062
__sys_accept4_file net/socket.c:2096 [inline]
__sys_accept4+0x139/0x230 net/socket.c:2118
__do_sys_accept4 net/socket.c:2125 [inline]
__se_sys_accept4 net/socket.c:2122 [inline]
__x64_sys_accept4+0x9a/0xb0 net/socket.c:2122
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (slock-AF_PHONET/1){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3167 [inline]
check_prevs_add kernel/locking/lockdep.c:3286 [inline]
validate_chain kernel/locking/lockdep.c:3910 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5239
lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5870
rt_spin_lock_nested+0x81/0x3f0 kernel/locking/spinlock_rt.c:64
__sk_receive_skb+0x1bf/0x9e0 net/core/sock.c:563
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv+0x685/0xaa0 net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190 [inline]
__sk_receive_skb+0x962/0x9e0 net/core/sock.c:572
sk_receive_skb include/net/sock.h:2022 [inline]
phonet_rcv+0x781/0xc40 net/phonet/af_phonet.c:-1
__netif_receive_skb_one_core net/core/dev.c:6210 [inline]
__netif_receive_skb net/core/dev.c:6323 [inline]
process_backlog+0x5e1/0xc60 net/core/dev.c:6674
__napi_poll+0xab/0x550 net/core/dev.c:7738
napi_poll net/core/dev.c:7801 [inline]
net_rx_action+0x696/0xe00 net/core/dev.c:7958
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
__local_bh_enable_ip+0x170/0x2b0 kernel/softirq.c:302
local_bh_enable include/linux/bottom_half.h:33 [inline]
netif_rx+0xb9/0xf0 net/core/dev.c:5776
pn_send+0x62a/0x8e0 net/phonet/af_phonet.c:188
pn_skb_send+0x218/0x530 net/phonet/af_phonet.c:275
pep_sock_close+0x2c1/0x5b0 include/linux/skbuff.h:-1
pn_socket_release+0x9b/0xc0 net/phonet/socket.c:34
__sock_release+0xb9/0x250 net/socket.c:726
sock_close+0x1c/0x30 net/socket.c:1529
__fput+0x461/0xa70 fs/file_table.c:510
fput_close_sync+0x11f/0x240 fs/file_table.c:615
__do_sys_close fs/open.c:1507 [inline]
__se_sys_close fs/open.c:1492 [inline]
__x64_sys_close+0x7e/0x110 fs/open.c:1492
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(slock-AF_PHONET);
lock(slock-AF_PHONET/1);
lock(slock-AF_PHONET);
lock(slock-AF_PHONET/1);
*** DEADLOCK ***
7 locks held by syz-executor150/8596:
#0: ffff88805a1fc638 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1029 [inline]
#0: ffff88805a1fc638 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: __sock_release+0x89/0x250 net/socket.c:725
#1: ffff888039b2dad8 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1713 [inline]
#1: ffff888039b2dad8 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: pep_sock_close+0x86/0x5b0 net/phonet/pep.c:742
#2: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: __local_bh_disable_ip+0x3c/0x420 kernel/softirq.c:163
#3: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
#3: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#3: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x271/0xc60 net/core/dev.c:6673
#4: ffff888034c5b720 (slock-AF_PHONET){+...}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
#4: ffff888034c5b720 (slock-AF_PHONET){+...}-{3:3}, at: __sk_receive_skb+0x1f1/0x9e0 net/core/sock.c:565
#5: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
#5: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#5: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
#5: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
#6: ffff888034c5b7d8 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: sk_receive_skb include/net/sock.h:2022 [inline]
#6: ffff888034c5b7d8 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: phonet_rcv+0x781/0xc40 net/phonet/af_phonet.c:-1
stack backtrace:
CPU: 0 UID: 0 PID: 8596 Comm: syz-executor150 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2045
check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2177
check_prev_add kernel/locking/lockdep.c:3167 [inline]
check_prevs_add kernel/locking/lockdep.c:3286 [inline]
validate_chain kernel/locking/lockdep.c:3910 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5239
lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5870
rt_spin_lock_nested+0x81/0x3f0 kernel/locking/spinlock_rt.c:64
__sk_receive_skb+0x1bf/0x9e0 net/core/sock.c:563
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv+0x685/0xaa0 net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190 [inline]
__sk_receive_skb+0x962/0x9e0 net/core/sock.c:572
sk_receive_skb include/net/sock.h:2022 [inline]
phonet_rcv+0x781/0xc40 net/phonet/af_phonet.c:-1
__netif_receive_skb_one_core net/core/dev.c:6210 [inline]
__netif_receive_skb net/core/dev.c:6323 [inline]
process_backlog+0x5e1/0xc60 net/core/dev.c:6674
__napi_poll+0xab/0x550 net/core/dev.c:7738
napi_poll net/core/dev.c:7801 [inline]
net_rx_action+0x696/0xe00 net/core/dev.c:7958
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
__local_bh_enable_ip+0x170/0x2b0 kernel/softirq.c:302
local_bh_enable include/linux/bottom_half.h:33 [inline]
netif_rx+0xb9/0xf0 net/core/dev.c:5776
pn_send+0x62a/0x8e0 net/phonet/af_phonet.c:188
pn_skb_send+0x218/0x530 net/phonet/af_phonet.c:275
pep_sock_close+0x2c1/0x5b0 include/linux/skbuff.h:-1
pn_socket_release+0x9b/0xc0 net/phonet/socket.c:34
__sock_release+0xb9/0x250 net/socket.c:726
sock_close+0x1c/0x30 net/socket.c:1529
__fput+0x461/0xa70 fs/file_table.c:510
fput_close_sync+0x11f/0x240 fs/file_table.c:615
__do_sys_close fs/open.c:1507 [inline]
__se_sys_close fs/open.c:1492 [inline]
__x64_sys_close+0x7e/0x110 fs/open.c:1492
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd3c4acf98e
Code: 08 0f 85 65 e1 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 90 41 57 41 56 4d 89 c6 41 55 4d 89 cd 41 54 55 53 48 83 ec 08
RSP: 002b:00007ffcc0cf80b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00005555771d0400 RCX: 00007fd3c4acf98e
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000077f63
R13: 0000000000077f95 R14: 00007fd3c4b6ab6c R15: 00007fd3c4b6ab60
</TASK>
Tested on:
commit: bee6ea30 Add linux-next specific files for 20260421
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=124bd702580000
kernel config: https://syzkaller.appspot.com/x/.config?x=354b135d724a721f
dashboard link: https://syzkaller.appspot.com/bug?extid=706f5eb79044e686c794
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=17c45f16580000
next parent reply other threads:[~2026-04-22 3:04 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260422021327.16934-1-kartikey406@gmail.com>
2026-04-22 3:04 ` syzbot [this message]
[not found] <20260422021207.16887-1-kartikey406@gmail.com>
2026-04-22 2:51 ` [syzbot] [net?] kernel BUG in pn_socket_sendmsg syzbot
2026-04-21 23:16 syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69e83aa2.a00a0220.17a17.0021.GAE@google.com \
--to=syzbot+706f5eb79044e686c794@syzkaller.appspotmail.com \
--cc=kartikey406@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.