* [syzbot] [net?] INFO: task hung in new_device_store (5)
@ 2024-09-26 17:58 syzbot
2024-09-26 20:14 ` Eric Dumazet
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: syzbot @ 2024-09-26 17:58 UTC (permalink / raw)
To: davem, edumazet, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 97d8894b6f4c Merge tag 'riscv-for-linus-6.12-mw1' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12416a27980000
kernel config: https://syzkaller.appspot.com/x/.config?x=bc30a30374b0753
dashboard link: https://syzkaller.appspot.com/bug?extid=05f9cecd28e356241aba
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bd119f4fdc08/disk-97d8894b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4d0bfed66f93/vmlinux-97d8894b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0f9223ac9bfb/bzImage-97d8894b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+05f9cecd28e356241aba@syzkaller.appspotmail.com
INFO: task syz-executor:9916 blocked for more than 143 seconds.
Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21104 pid:9916 tgid:9916 ppid:1 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5315 [inline]
__schedule+0x1895/0x4b30 kernel/sched/core.c:6674
__schedule_loop kernel/sched/core.c:6751 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6766
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6823
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
kernfs_fop_write_iter+0x3a2/0x500 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:590 [inline]
vfs_write+0xa6f/0xc90 fs/read_write.c:683
ksys_write+0x183/0x2b0 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8310d7c9df
RSP: 002b:00007ffe830a52e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f8310d7c9df
RDX: 0000000000000003 RSI: 00007ffe830a5330 RDI: 0000000000000005
RBP: 00007f8310df1c39 R08: 0000000000000000 R09: 00007ffe830a5137
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 00007ffe830a5330 R14: 00007f8311a64620 R15: 0000000000000003
</TASK>
Showing all locks held in the system:
1 lock held by khungtaskd/30:
#0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6701
2 locks held by dhcpcd/4889:
#0: ffffffff8fcb2768 (vlan_ioctl_mutex){+.+.}-{3:3}, at: sock_ioctl+0x661/0x8e0 net/socket.c:1309
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: vlan_ioctl_handler+0x112/0x9d0 net/8021q/vlan.c:553
2 locks held by getty/4987:
#0: ffff88802e9670a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211
3 locks held by kworker/u9:3/5233:
#0: ffff888056ad8948 ((wq_completion)hci11){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888056ad8948 ((wq_completion)hci11){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90003ea7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90003ea7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff88807d3c8d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
3 locks held by kworker/u9:7/5244:
#0: ffff88806a282148 ((wq_completion)hci8){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88806a282148 ((wq_completion)hci8){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90003dd7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90003dd7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff88807da48d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
3 locks held by kworker/0:5/5288:
5 locks held by kworker/u8:22/5927:
#0: ffff88801bae5948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88801bae5948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90003f87d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90003f87d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:580
#3: ffff88805dd75428 (&wg->device_update_lock){+.+.}-{3:3}, at: wg_destruct+0x110/0x2e0 drivers/net/wireguard/device.c:249
#4: ffffffff8e93d478 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:329 [inline]
#4: ffffffff8e93d478 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x451/0x830 kernel/rcu/tree_exp.h:976
2 locks held by kworker/u8:25/6021:
2 locks held by syz.1.563/8002:
4 locks held by syz-executor/9916:
#0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
#0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
#1: ffff88802e71e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
#2: ffff888144ff5968 (kn->active#50){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
#3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
7 locks held by syz-executor/9976:
#0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
#0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
#1: ffff88807abc2888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
#2: ffff888144ff5a58 (kn->active#49){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
#3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
#4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
#5: ffff888060f5b250 (&devlink->lock_key#40){+.+.}-{3:3}, at: nsim_drv_remove+0x50/0x160 drivers/net/netdevsim/dev.c:1672
#6: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x71/0x5c0 drivers/net/netdevsim/netdev.c:773
2 locks held by syz-executor/10321:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: cangw_pernet_exit_batch+0x20/0x90 net/can/gw.c:1257
2 locks held by syz-executor/10324:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: mpls_net_exit+0x7d/0x2a0 net/mpls/af_mpls.c:2706
2 locks held by syz-executor/10327:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: mpls_net_exit+0x7d/0x2a0 net/mpls/af_mpls.c:2706
2 locks held by syz-executor/10333:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: default_device_exit_batch+0xe9/0xaa0 net/core/dev.c:11930
2 locks held by syz-executor/10354:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: ppp_exit_net+0xe3/0x3d0 drivers/net/ppp/ppp_generic.c:1146
1 lock held by syz-executor/10357:
#0: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: __tun_chr_ioctl+0x48c/0x2400 drivers/net/tun.c:3121
2 locks held by syz-executor/10362:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
2 locks held by syz-executor/10366:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
2 locks held by syz-executor/10368:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
2 locks held by syz-executor/10371:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
5 locks held by kworker/u9:0/10373:
#0: ffff888056f3b948 ((wq_completion)hci9){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888056f3b948 ((wq_completion)hci9){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90004127d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90004127d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff88806eb10d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
#3: ffff88806eb10078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1ea/0xde0 net/bluetooth/hci_sync.c:5567
#4: ffffffff8fe3a428 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff8fe3a428 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x15d/0x300 net/bluetooth/hci_conn.c:1262
2 locks held by syz-executor/10378:
#0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
#1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: ip_tunnel_init_net+0x20e/0x720 net/ipv4/ip_tunnel.c:1159
1 lock held by syz-executor/10386:
#0: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xff4/0x1040 kernel/hung_task.c:379
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 5288 Comm: kworker/0:5 Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: events_power_efficient neigh_periodic_work
RIP: 0010:check_preemption_disabled+0x19/0x120 lib/smp_processor_id.c:14
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 41 57 41 56 41 54 53 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 <65> 8b 1d 4c 35 40 74 65 8b 05 41 35 40 74 a9 ff ff ff 7f 74 26 65
RSP: 0018:ffffc90000007948 EFLAGS: 00000086
RAX: 8ad5e30e88cbef00 RBX: 0000000000000000 RCX: ffffffff81701614
RDX: 0000000000000000 RSI: ffffffff8c60efa0 RDI: ffffffff8c60ef60
RBP: ffffc90000007ae8 R08: ffffffff901ca4af R09: 1ffffffff2039495
R10: dffffc0000000000 R11: fffffbfff2039496 R12: 1ffff92000000f3c
R13: dffffc0000000000 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2fb1bff8 CR3: 000000000e734000 CR4: 0000000000350ef0
Call Trace:
<NMI>
</NMI>
<IRQ>
rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline]
rcu_is_watching+0x15/0xb0 kernel/rcu/tree.c:737
trace_lock_acquire include/trace/events/lock.h:24 [inline]
lock_acquire+0xe3/0x550 kernel/locking/lockdep.c:5793
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
debug_object_active_state+0x15d/0x360 lib/debugobjects.c:936
debug_rcu_head_unqueue kernel/rcu/rcu.h:233 [inline]
rcu_do_batch kernel/rcu/tree.c:2559 [inline]
rcu_core+0xa21/0x17a0 kernel/rcu/tree.c:2823
handle_softirqs+0x2c7/0x980 kernel/softirq.c:554
do_softirq+0x11b/0x1e0 kernel/softirq.c:455
</IRQ>
<TASK>
__local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
neigh_periodic_work+0xb35/0xd50 net/core/neighbour.c:1019
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-26 17:58 [syzbot] [net?] INFO: task hung in new_device_store (5) syzbot
@ 2024-09-26 20:14 ` Eric Dumazet
2024-09-27 11:04 ` Hillf Danton
2024-10-09 8:20 ` syzbot
2025-12-25 16:24 ` syzbot
2 siblings, 1 reply; 11+ messages in thread
From: Eric Dumazet @ 2024-09-26 20:14 UTC (permalink / raw)
To: syzbot; +Cc: davem, kuba, linux-kernel, netdev, pabeni, syzkaller-bugs
On Thu, Sep 26, 2024 at 7:58 PM syzbot
<syzbot+05f9cecd28e356241aba@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 97d8894b6f4c Merge tag 'riscv-for-linus-6.12-mw1' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12416a27980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bc30a30374b0753
> dashboard link: https://syzkaller.appspot.com/bug?extid=05f9cecd28e356241aba
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/bd119f4fdc08/disk-97d8894b.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4d0bfed66f93/vmlinux-97d8894b.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/0f9223ac9bfb/bzImage-97d8894b.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+05f9cecd28e356241aba@syzkaller.appspotmail.com
>
> INFO: task syz-executor:9916 blocked for more than 143 seconds.
> Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor state:D stack:21104 pid:9916 tgid:9916 ppid:1 flags:0x00000004
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5315 [inline]
> __schedule+0x1895/0x4b30 kernel/sched/core.c:6674
> __schedule_loop kernel/sched/core.c:6751 [inline]
> schedule+0x14b/0x320 kernel/sched/core.c:6766
> schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6823
> __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
> new_device_store+0x1b4/0x890 :166
> kernfs_fop_write_iter+0x3a2/0x500 fs/kernfs/file.c:334
> new_sync_write fs/read_write.c:590 [inline]
> vfs_write+0xa6f/0xc90 fs/read_write.c:683
> ksys_write+0x183/0x2b0 fs/read_write.c:736
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f8310d7c9df
> RSP: 002b:00007ffe830a52e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f8310d7c9df
> RDX: 0000000000000003 RSI: 00007ffe830a5330 RDI: 0000000000000005
> RBP: 00007f8310df1c39 R08: 0000000000000000 R09: 00007ffe830a5137
> R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
> R13: 00007ffe830a5330 R14: 00007f8311a64620 R15: 0000000000000003
> </TASK>
typical sysfs deadlock ?
diff --git a/drivers/net/netdevsim/bus.c b/drivers/net/netdevsim/bus.c
index 64c0cdd31bf85468ce4fa2b2af5c8aff4cfba897..3bf0ce52d71653fd9b8c752d52d0b5b7e19042d8
100644
--- a/drivers/net/netdevsim/bus.c
+++ b/drivers/net/netdevsim/bus.c
@@ -163,7 +163,9 @@ new_device_store(const struct bus_type *bus, const
char *buf, size_t count)
return -EINVAL;
}
- mutex_lock(&nsim_bus_dev_list_lock);
+ if (!mutex_trylock(&nsim_bus_dev_list_lock))
+ return restart_syscall();
+
/* Prevent to use resource before initialization. */
if (!smp_load_acquire(&nsim_bus_enable)) {
err = -EBUSY;
>
> Showing all locks held in the system:
> 1 lock held by khungtaskd/30:
> #0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
> #0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
> #0: ffffffff8e937ee0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6701
> 2 locks held by dhcpcd/4889:
> #0: ffffffff8fcb2768 (vlan_ioctl_mutex){+.+.}-{3:3}, at: sock_ioctl+0x661/0x8e0 net/socket.c:1309
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: vlan_ioctl_handler+0x112/0x9d0 net/8021q/vlan.c:553
> 2 locks held by getty/4987:
> #0: ffff88802e9670a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
> #1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211
> 3 locks held by kworker/u9:3/5233:
> #0: ffff888056ad8948 ((wq_completion)hci11){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
> #0: ffff888056ad8948 ((wq_completion)hci11){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
> #1: ffffc90003ea7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
> #1: ffffc90003ea7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
> #2: ffff88807d3c8d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
> 3 locks held by kworker/u9:7/5244:
> #0: ffff88806a282148 ((wq_completion)hci8){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
> #0: ffff88806a282148 ((wq_completion)hci8){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
> #1: ffffc90003dd7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
> #1: ffffc90003dd7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
> #2: ffff88807da48d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
> 3 locks held by kworker/0:5/5288:
> 5 locks held by kworker/u8:22/5927:
> #0: ffff88801bae5948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
> #0: ffff88801bae5948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
> #1: ffffc90003f87d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
> #1: ffffc90003f87d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
> #2: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:580
> #3: ffff88805dd75428 (&wg->device_update_lock){+.+.}-{3:3}, at: wg_destruct+0x110/0x2e0 drivers/net/wireguard/device.c:249
> #4: ffffffff8e93d478 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:329 [inline]
> #4: ffffffff8e93d478 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x451/0x830 kernel/rcu/tree_exp.h:976
> 2 locks held by kworker/u8:25/6021:
> 2 locks held by syz.1.563/8002:
> 4 locks held by syz-executor/9916:
> #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
> #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
> #1: ffff88802e71e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
> #2: ffff888144ff5968 (kn->active#50){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
> #3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
> 7 locks held by syz-executor/9976:
> #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
> #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
> #1: ffff88807abc2888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
> #2: ffff888144ff5a58 (kn->active#49){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
> #3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
> #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
> #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
> #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
> #5: ffff888060f5b250 (&devlink->lock_key#40){+.+.}-{3:3}, at: nsim_drv_remove+0x50/0x160 drivers/net/netdevsim/dev.c:1672
> #6: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x71/0x5c0 drivers/net/netdevsim/netdev.c:773
> 2 locks held by syz-executor/10321:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: cangw_pernet_exit_batch+0x20/0x90 net/can/gw.c:1257
> 2 locks held by syz-executor/10324:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: mpls_net_exit+0x7d/0x2a0 net/mpls/af_mpls.c:2706
> 2 locks held by syz-executor/10327:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: mpls_net_exit+0x7d/0x2a0 net/mpls/af_mpls.c:2706
> 2 locks held by syz-executor/10333:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: default_device_exit_batch+0xe9/0xaa0 net/core/dev.c:11930
> 2 locks held by syz-executor/10354:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: ppp_exit_net+0xe3/0x3d0 drivers/net/ppp/ppp_generic.c:1146
> 1 lock held by syz-executor/10357:
> #0: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: __tun_chr_ioctl+0x48c/0x2400 drivers/net/tun.c:3121
> 2 locks held by syz-executor/10362:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
> 2 locks held by syz-executor/10366:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
> 2 locks held by syz-executor/10368:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
> 2 locks held by syz-executor/10371:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1f/0x1e0 drivers/net/wireguard/device.c:414
> 5 locks held by kworker/u9:0/10373:
> #0: ffff888056f3b948 ((wq_completion)hci9){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
> #0: ffff888056f3b948 ((wq_completion)hci9){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
> #1: ffffc90004127d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
> #1: ffffc90004127d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
> #2: ffff88806eb10d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
> #3: ffff88806eb10078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1ea/0xde0 net/bluetooth/hci_sync.c:5567
> #4: ffffffff8fe3a428 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
> #4: ffffffff8fe3a428 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x15d/0x300 net/bluetooth/hci_conn.c:1262
> 2 locks held by syz-executor/10378:
> #0: ffffffff8fcc1150 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:490
> #1: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: ip_tunnel_init_net+0x20e/0x720 net/ipv4/ip_tunnel.c:1159
> 1 lock held by syz-executor/10386:
> #0: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
> #0: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643
>
> =============================================
>
> NMI backtrace for cpu 1
> CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
> nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
> trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
> check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
> watchdog+0xff4/0x1040 kernel/hung_task.c:379
> kthread+0x2f2/0x390 kernel/kthread.c:389
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> </TASK>
> Sending NMI from CPU 1 to CPUs 0:
> NMI backtrace for cpu 0
> CPU: 0 UID: 0 PID: 5288 Comm: kworker/0:5 Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> Workqueue: events_power_efficient neigh_periodic_work
> RIP: 0010:check_preemption_disabled+0x19/0x120 lib/smp_processor_id.c:14
> Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 41 57 41 56 41 54 53 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 <65> 8b 1d 4c 35 40 74 65 8b 05 41 35 40 74 a9 ff ff ff 7f 74 26 65
> RSP: 0018:ffffc90000007948 EFLAGS: 00000086
> RAX: 8ad5e30e88cbef00 RBX: 0000000000000000 RCX: ffffffff81701614
> RDX: 0000000000000000 RSI: ffffffff8c60efa0 RDI: ffffffff8c60ef60
> RBP: ffffc90000007ae8 R08: ffffffff901ca4af R09: 1ffffffff2039495
> R10: dffffc0000000000 R11: fffffbfff2039496 R12: 1ffff92000000f3c
> R13: dffffc0000000000 R14: 0000000000000000 R15: dffffc0000000000
> FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2fb1bff8 CR3: 000000000e734000 CR4: 0000000000350ef0
> Call Trace:
> <NMI>
> </NMI>
> <IRQ>
> rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline]
> rcu_is_watching+0x15/0xb0 kernel/rcu/tree.c:737
> trace_lock_acquire include/trace/events/lock.h:24 [inline]
> lock_acquire+0xe3/0x550 kernel/locking/lockdep.c:5793
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
> debug_object_active_state+0x15d/0x360 lib/debugobjects.c:936
> debug_rcu_head_unqueue kernel/rcu/rcu.h:233 [inline]
> rcu_do_batch kernel/rcu/tree.c:2559 [inline]
> rcu_core+0xa21/0x17a0 kernel/rcu/tree.c:2823
> handle_softirqs+0x2c7/0x980 kernel/softirq.c:554
> do_softirq+0x11b/0x1e0 kernel/softirq.c:455
> </IRQ>
> <TASK>
> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
> neigh_periodic_work+0xb35/0xd50 net/core/neighbour.c:1019
> process_one_work kernel/workqueue.c:3229 [inline]
> process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
> worker_thread+0x870/0xd30 kernel/workqueue.c:3391
> kthread+0x2f2/0x390 kernel/kthread.c:389
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> </TASK>
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-26 20:14 ` Eric Dumazet
@ 2024-09-27 11:04 ` Hillf Danton
2024-09-27 11:24 ` Eric Dumazet
0 siblings, 1 reply; 11+ messages in thread
From: Hillf Danton @ 2024-09-27 11:04 UTC (permalink / raw)
To: Eric Dumazet
Cc: syzbot, linux-kernel, Tetsuo Handa, Boqun Feng, Linus Torvalds,
netdev, syzkaller-bugs
On Thu, 26 Sep 2024 22:14:14 +0200 Eric Dumazet <edumazet@google.com>
> On Thu, Sep 26, 2024 at 7:58 PM syzbot wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 97d8894b6f4c Merge tag 'riscv-for-linus-6.12-mw1' of git:/..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12416a27980000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=bc30a30374b0753
> > dashboard link: https://syzkaller.appspot.com/bug?extid=05f9cecd28e356241aba
> > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/bd119f4fdc08/disk-97d8894b.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/4d0bfed66f93/vmlinux-97d8894b.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/0f9223ac9bfb/bzImage-97d8894b.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+05f9cecd28e356241aba@syzkaller.appspotmail.com
> >
> > INFO: task syz-executor:9916 blocked for more than 143 seconds.
> > Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
> > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> > task:syz-executor state:D stack:21104 pid:9916 tgid:9916 ppid:1 flags:0x00000004
> > Call Trace:
> > <TASK>
> > context_switch kernel/sched/core.c:5315 [inline]
> > __schedule+0x1895/0x4b30 kernel/sched/core.c:6674
> > __schedule_loop kernel/sched/core.c:6751 [inline]
> > schedule+0x14b/0x320 kernel/sched/core.c:6766
> > schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6823
> > __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> > __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
> > new_device_store+0x1b4/0x890 :166
> > kernfs_fop_write_iter+0x3a2/0x500 fs/kernfs/file.c:334
> > new_sync_write fs/read_write.c:590 [inline]
> > vfs_write+0xa6f/0xc90 fs/read_write.c:683
> > ksys_write+0x183/0x2b0 fs/read_write.c:736
> > do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7f8310d7c9df
> > RSP: 002b:00007ffe830a52e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f8310d7c9df
> > RDX: 0000000000000003 RSI: 00007ffe830a5330 RDI: 0000000000000005
> > RBP: 00007f8310df1c39 R08: 0000000000000000 R09: 00007ffe830a5137
> > R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
> > R13: 00007ffe830a5330 R14: 00007f8311a64620 R15: 0000000000000003
> > </TASK>
>
> typical sysfs deadlock ?
>
> diff --git a/drivers/net/netdevsim/bus.c b/drivers/net/netdevsim/bus.c
> index 64c0cdd31bf85468ce4fa2b2af5c8aff4cfba897..3bf0ce52d71653fd9b8c752d52d0b5b7e19042d8
> 100644
> --- a/drivers/net/netdevsim/bus.c
> +++ b/drivers/net/netdevsim/bus.c
> @@ -163,7 +163,9 @@ new_device_store(const struct bus_type *bus, const
> char *buf, size_t count)
> return -EINVAL;
> }
>
> - mutex_lock(&nsim_bus_dev_list_lock);
> + if (!mutex_trylock(&nsim_bus_dev_list_lock))
> + return restart_syscall();
> +
> /* Prevent to use resource before initialization. */
> if (!smp_load_acquire(&nsim_bus_enable)) {
> err = -EBUSY;
>
>
> >
> > Showing all locks held in the system:
...
> > 4 locks held by syz-executor/9916:
> > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
> > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
> > #1: ffff88802e71e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
> > #2: ffff888144ff5968 (kn->active#50){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
> > #3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
syz-executor/9916 is lock waiter, and
> > 7 locks held by syz-executor/9976:
> > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
> > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
> > #1: ffff88807abc2888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
> > #2: ffff888144ff5a58 (kn->active#49){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
> > #3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
> > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
> > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
> > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
> > #5: ffff888060f5b250 (&devlink->lock_key#40){+.+.}-{3:3}, at: nsim_drv_remove+0x50/0x160 drivers/net/netdevsim/dev.c:1672
> > #6: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x71/0x5c0 drivers/net/netdevsim/netdev.c:773
syz-executor/9976 is lock owner. Given both waiter and owner printed,
the proposed trylock looks like the typical paperover at least from a
hoofed skull because of no real deadlock detected.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-27 11:04 ` Hillf Danton
@ 2024-09-27 11:24 ` Eric Dumazet
2024-09-27 11:27 ` Eric Dumazet
2024-09-27 11:41 ` Hillf Danton
0 siblings, 2 replies; 11+ messages in thread
From: Eric Dumazet @ 2024-09-27 11:24 UTC (permalink / raw)
To: Hillf Danton
Cc: syzbot, linux-kernel, Tetsuo Handa, Boqun Feng, Linus Torvalds,
netdev, syzkaller-bugs
On Fri, Sep 27, 2024 at 1:05 PM Hillf Danton <hdanton@sina.com> wrote:
>
> On Thu, 26 Sep 2024 22:14:14 +0200 Eric Dumazet <edumazet@google.com>
> > On Thu, Sep 26, 2024 at 7:58 PM syzbot wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 97d8894b6f4c Merge tag 'riscv-for-linus-6.12-mw1' of git:/..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12416a27980000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=bc30a30374b0753
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=05f9cecd28e356241aba
> > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/bd119f4fdc08/disk-97d8894b.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/4d0bfed66f93/vmlinux-97d8894b.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/0f9223ac9bfb/bzImage-97d8894b.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+05f9cecd28e356241aba@syzkaller.appspotmail.com
> > >
> > > INFO: task syz-executor:9916 blocked for more than 143 seconds.
> > > Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
> > > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> > > task:syz-executor state:D stack:21104 pid:9916 tgid:9916 ppid:1 flags:0x00000004
> > > Call Trace:
> > > <TASK>
> > > context_switch kernel/sched/core.c:5315 [inline]
> > > __schedule+0x1895/0x4b30 kernel/sched/core.c:6674
> > > __schedule_loop kernel/sched/core.c:6751 [inline]
> > > schedule+0x14b/0x320 kernel/sched/core.c:6766
> > > schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6823
> > > __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> > > __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
> > > new_device_store+0x1b4/0x890 :166
> > > kernfs_fop_write_iter+0x3a2/0x500 fs/kernfs/file.c:334
> > > new_sync_write fs/read_write.c:590 [inline]
> > > vfs_write+0xa6f/0xc90 fs/read_write.c:683
> > > ksys_write+0x183/0x2b0 fs/read_write.c:736
> > > do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> > > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > > RIP: 0033:0x7f8310d7c9df
> > > RSP: 002b:00007ffe830a52e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f8310d7c9df
> > > RDX: 0000000000000003 RSI: 00007ffe830a5330 RDI: 0000000000000005
> > > RBP: 00007f8310df1c39 R08: 0000000000000000 R09: 00007ffe830a5137
> > > R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
> > > R13: 00007ffe830a5330 R14: 00007f8311a64620 R15: 0000000000000003
> > > </TASK>
> >
> > typical sysfs deadlock ?
> >
> > diff --git a/drivers/net/netdevsim/bus.c b/drivers/net/netdevsim/bus.c
> > index 64c0cdd31bf85468ce4fa2b2af5c8aff4cfba897..3bf0ce52d71653fd9b8c752d52d0b5b7e19042d8
> > 100644
> > --- a/drivers/net/netdevsim/bus.c
> > +++ b/drivers/net/netdevsim/bus.c
> > @@ -163,7 +163,9 @@ new_device_store(const struct bus_type *bus, const
> > char *buf, size_t count)
> > return -EINVAL;
> > }
> >
> > - mutex_lock(&nsim_bus_dev_list_lock);
> > + if (!mutex_trylock(&nsim_bus_dev_list_lock))
> > + return restart_syscall();
> > +
> > /* Prevent to use resource before initialization. */
> > if (!smp_load_acquire(&nsim_bus_enable)) {
> > err = -EBUSY;
> >
> >
> > >
> > > Showing all locks held in the system:
> ...
> > > 4 locks held by syz-executor/9916:
> > > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
> > > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
> > > #1: ffff88802e71e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
> > > #2: ffff888144ff5968 (kn->active#50){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
> > > #3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
>
> syz-executor/9916 is lock waiter, and
>
> > > 7 locks held by syz-executor/9976:
> > > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
> > > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
> > > #1: ffff88807abc2888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
> > > #2: ffff888144ff5a58 (kn->active#49){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
> > > #3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
> > > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
> > > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
> > > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
> > > #5: ffff888060f5b250 (&devlink->lock_key#40){+.+.}-{3:3}, at: nsim_drv_remove+0x50/0x160 drivers/net/netdevsim/dev.c:1672
> > > #6: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x71/0x5c0 drivers/net/netdevsim/netdev.c:773
>
> syz-executor/9976 is lock owner. Given both waiter and owner printed,
> the proposed trylock looks like the typical paperover at least from a
> hoofed skull because of no real deadlock detected.
I suggest you look at why we have to use rtnl_trylock()
If you know better, please send patches to remove all instances.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-27 11:24 ` Eric Dumazet
@ 2024-09-27 11:27 ` Eric Dumazet
2024-09-27 11:41 ` Hillf Danton
1 sibling, 0 replies; 11+ messages in thread
From: Eric Dumazet @ 2024-09-27 11:27 UTC (permalink / raw)
To: Hillf Danton
Cc: syzbot, linux-kernel, Tetsuo Handa, Boqun Feng, Linus Torvalds,
netdev, syzkaller-bugs
On Fri, Sep 27, 2024 at 1:24 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Fri, Sep 27, 2024 at 1:05 PM Hillf Danton <hdanton@sina.com> wrote:
> >
> > On Thu, 26 Sep 2024 22:14:14 +0200 Eric Dumazet <edumazet@google.com>
> > > On Thu, Sep 26, 2024 at 7:58 PM syzbot wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit: 97d8894b6f4c Merge tag 'riscv-for-linus-6.12-mw1' of git:/..
> > > > git tree: upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12416a27980000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=bc30a30374b0753
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=05f9cecd28e356241aba
> > > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > >
> > > > Unfortunately, I don't have any reproducer for this issue yet.
> > > >
> > > > Downloadable assets:
> > > > disk image: https://storage.googleapis.com/syzbot-assets/bd119f4fdc08/disk-97d8894b.raw.xz
> > > > vmlinux: https://storage.googleapis.com/syzbot-assets/4d0bfed66f93/vmlinux-97d8894b.xz
> > > > kernel image: https://storage.googleapis.com/syzbot-assets/0f9223ac9bfb/bzImage-97d8894b.xz
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+05f9cecd28e356241aba@syzkaller.appspotmail.com
> > > >
> > > > INFO: task syz-executor:9916 blocked for more than 143 seconds.
> > > > Not tainted 6.11.0-syzkaller-10045-g97d8894b6f4c #0
> > > > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> > > > task:syz-executor state:D stack:21104 pid:9916 tgid:9916 ppid:1 flags:0x00000004
> > > > Call Trace:
> > > > <TASK>
> > > > context_switch kernel/sched/core.c:5315 [inline]
> > > > __schedule+0x1895/0x4b30 kernel/sched/core.c:6674
> > > > __schedule_loop kernel/sched/core.c:6751 [inline]
> > > > schedule+0x14b/0x320 kernel/sched/core.c:6766
> > > > schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6823
> > > > __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> > > > __mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
> > > > new_device_store+0x1b4/0x890 :166
> > > > kernfs_fop_write_iter+0x3a2/0x500 fs/kernfs/file.c:334
> > > > new_sync_write fs/read_write.c:590 [inline]
> > > > vfs_write+0xa6f/0xc90 fs/read_write.c:683
> > > > ksys_write+0x183/0x2b0 fs/read_write.c:736
> > > > do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > > > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> > > > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > > > RIP: 0033:0x7f8310d7c9df
> > > > RSP: 002b:00007ffe830a52e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f8310d7c9df
> > > > RDX: 0000000000000003 RSI: 00007ffe830a5330 RDI: 0000000000000005
> > > > RBP: 00007f8310df1c39 R08: 0000000000000000 R09: 00007ffe830a5137
> > > > R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
> > > > R13: 00007ffe830a5330 R14: 00007f8311a64620 R15: 0000000000000003
> > > > </TASK>
> > >
> > > typical sysfs deadlock ?
> > >
> > > diff --git a/drivers/net/netdevsim/bus.c b/drivers/net/netdevsim/bus.c
> > > index 64c0cdd31bf85468ce4fa2b2af5c8aff4cfba897..3bf0ce52d71653fd9b8c752d52d0b5b7e19042d8
> > > 100644
> > > --- a/drivers/net/netdevsim/bus.c
> > > +++ b/drivers/net/netdevsim/bus.c
> > > @@ -163,7 +163,9 @@ new_device_store(const struct bus_type *bus, const
> > > char *buf, size_t count)
> > > return -EINVAL;
> > > }
> > >
> > > - mutex_lock(&nsim_bus_dev_list_lock);
> > > + if (!mutex_trylock(&nsim_bus_dev_list_lock))
> > > + return restart_syscall();
> > > +
> > > /* Prevent to use resource before initialization. */
> > > if (!smp_load_acquire(&nsim_bus_enable)) {
> > > err = -EBUSY;
> > >
> > >
> > > >
> > > > Showing all locks held in the system:
> > ...
> > > > 4 locks held by syz-executor/9916:
> > > > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
> > > > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
> > > > #1: ffff88802e71e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
> > > > #2: ffff888144ff5968 (kn->active#50){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
> > > > #3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
> >
> > syz-executor/9916 is lock waiter, and
> >
> > > > 7 locks held by syz-executor/9976:
> > > > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2930 [inline]
> > > > #0: ffff88807ca86420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
> > > > #1: ffff88807abc2888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
> > > > #2: ffff888144ff5a58 (kn->active#49){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
> > > > #3: ffffffff8f56d3e8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
> > > > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
> > > > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
> > > > #4: ffff888060f5a0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
> > > > #5: ffff888060f5b250 (&devlink->lock_key#40){+.+.}-{3:3}, at: nsim_drv_remove+0x50/0x160 drivers/net/netdevsim/dev.c:1672
> > > > #6: ffffffff8fccdc48 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x71/0x5c0 drivers/net/netdevsim/netdev.c:773
> >
> > syz-executor/9976 is lock owner. Given both waiter and owner printed,
> > the proposed trylock looks like the typical paperover at least from a
> > hoofed skull because of no real deadlock detected.
>
> I suggest you look at why we have to use rtnl_trylock()
>
> If you know better, please send patches to remove all instances.
The real bug is that drivers/net/netdevsim uses sysfs to create and
delete network devices, this was a poor choice.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-27 11:24 ` Eric Dumazet
2024-09-27 11:27 ` Eric Dumazet
@ 2024-09-27 11:41 ` Hillf Danton
2024-09-27 11:54 ` Eric Dumazet
1 sibling, 1 reply; 11+ messages in thread
From: Hillf Danton @ 2024-09-27 11:41 UTC (permalink / raw)
To: Eric Dumazet
Cc: syzbot, linux-kernel, Tetsuo Handa, Boqun Feng, Linus Torvalds,
netdev, syzkaller-bugs
On Fri, 27 Sep 2024 13:24:54 +0200 Eric Dumazet <edumazet@google.com>
> I suggest you look at why we have to use rtnl_trylock()
>
> If you know better, please send patches to remove all instances.
No patch is needed before you show us deadlock. I suspect you could
spot a case where lockdep fails to report deadlock.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-27 11:41 ` Hillf Danton
@ 2024-09-27 11:54 ` Eric Dumazet
2024-09-28 0:06 ` Hillf Danton
0 siblings, 1 reply; 11+ messages in thread
From: Eric Dumazet @ 2024-09-27 11:54 UTC (permalink / raw)
To: Hillf Danton
Cc: syzbot, linux-kernel, Tetsuo Handa, Boqun Feng, Linus Torvalds,
netdev, syzkaller-bugs
On Fri, Sep 27, 2024 at 1:44 PM Hillf Danton <hdanton@sina.com> wrote:
>
> On Fri, 27 Sep 2024 13:24:54 +0200 Eric Dumazet <edumazet@google.com>
> > I suggest you look at why we have to use rtnl_trylock()
> >
> > If you know better, please send patches to remove all instances.
>
> No patch is needed before you show us deadlock. I suspect you could
> spot a case where lockdep fails to report deadlock.
Please try to not educate maintainers about their stuff.
lockdep is usually right. And here there is an actua syzbot report.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-27 11:54 ` Eric Dumazet
@ 2024-09-28 0:06 ` Hillf Danton
0 siblings, 0 replies; 11+ messages in thread
From: Hillf Danton @ 2024-09-28 0:06 UTC (permalink / raw)
To: Eric Dumazet
Cc: syzbot, linux-kernel, Tetsuo Handa, Boqun Feng, Linus Torvalds,
netdev, syzkaller-bugs
On Fri, 27 Sep 2024 13:54:59 +0200 Eric Dumazet <edumazet@google.com>
> On Fri, Sep 27, 2024 at 1:44 PM Hillf Danton <hdanton@sina.com> wrote:
> >
> > On Fri, 27 Sep 2024 13:24:54 +0200 Eric Dumazet <edumazet@google.com>
> > > I suggest you look at why we have to use rtnl_trylock()
> > >
> > > If you know better, please send patches to remove all instances.
> >
> > No patch is needed before you show us deadlock. I suspect you could
> > spot a case where lockdep fails to report deadlock.
>
> Please try to not educate maintainers about their stuff.
>
Is this the typical dude style in Paris when showing deadlock?
> lockdep is usually right. And here there is an actua syzbot report.
The word maintainer is abused in this case.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-26 17:58 [syzbot] [net?] INFO: task hung in new_device_store (5) syzbot
2024-09-26 20:14 ` Eric Dumazet
@ 2024-10-09 8:20 ` syzbot
2025-12-25 16:24 ` syzbot
2 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-10-09 8:20 UTC (permalink / raw)
To: boqun.feng, davem, edumazet, hdanton, kuba, linux-kernel, netdev,
pabeni, penguin-kernel, syzkaller-bugs, torvalds
syzbot has found a reproducer for the following issue on:
HEAD commit: 5b7c893ed5ed Merge tag 'ntfs3_for_6.12' of https://github...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11c09f9f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7cd9e7e4a8a0a15b
dashboard link: https://syzkaller.appspot.com/bug?extid=05f9cecd28e356241aba
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1635f707980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/508d25adbdbb/disk-5b7c893e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecd795cf996e/vmlinux-5b7c893e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d5433a3025f3/bzImage-5b7c893e.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+05f9cecd28e356241aba@syzkaller.appspotmail.com
INFO: task syz-executor:5469 blocked for more than 143 seconds.
Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21680 pid:5469 tgid:5469 ppid:5459 flags:0x00000000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5315 [inline]
__schedule+0x1895/0x4b30 kernel/sched/core.c:6675
__schedule_loop kernel/sched/core.c:6752 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6767
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x6a7/0xd70 kernel/locking/mutex.c:752
new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
kernfs_fop_write_iter+0x3a0/0x500 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:590 [inline]
vfs_write+0xa6d/0xc90 fs/read_write.c:683
ksys_write+0x183/0x2b0 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5edcf7cadf
RSP: 002b:00007f5edd25f220 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f5edcf7cadf
RDX: 0000000000000003 RSI: 00007f5edd25f270 RDI: 0000000000000005
RBP: 00007f5edcff13d2 R08: 0000000000000000 R09: 00007f5edd25f077
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 00007f5edd25f270 R14: 00007f5eddc64620 R15: 0000000000000003
</TASK>
Showing all locks held in the system:
2 locks held by kworker/u8:0/11:
2 locks held by kworker/u8:1/12:
1 lock held by khungtaskd/30:
#0: ffffffff8e937de0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e937de0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e937de0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6720
3 locks held by kworker/u8:3/52:
5 locks held by kworker/u9:0/54:
#0: ffff888218331148 ((wq_completion)hci6){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888218331148 ((wq_completion)hci6){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90000bf7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90000bf7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff88802a7b0d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
#3: ffff88802a7b0078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1ea/0xde0 net/bluetooth/hci_sync.c:5567
#4: ffffffff8fe3e668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff8fe3e668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x15d/0x300 net/bluetooth/hci_conn.c:1262
1 lock held by kswapd1/89:
3 locks held by kworker/u8:5/1060:
#0: ffff88814b89a948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88814b89a948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90003ee7d00 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90003ee7d00 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xd0/0x16f0 net/ipv6/addrconf.c:4196
3 locks held by kworker/1:2/1852:
3 locks held by kworker/u8:8/2936:
4 locks held by kworker/u8:12/3063:
#0: ffff88801baed948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88801baed948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90009ce7d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90009ce7d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffffffff8fcc52d0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:580
#3: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: wg_destruct+0x25/0x2e0 drivers/net/wireguard/device.c:246
1 lock held by klogd/4679:
2 locks held by udevd/4690:
1 lock held by dhcpcd/4903:
2 locks held by getty/4995:
#0: ffff88802e5950a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc900031332f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211
3 locks held by kworker/1:3/5284:
#0: ffff88801ac81948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88801ac81948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90003fc7d00 ((crda_timeout).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90003fc7d00 ((crda_timeout).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: crda_timeout_work+0x15/0x50 net/wireless/reg.c:540
5 locks held by kworker/u9:5/5333:
#0: ffff888175b57948 ((wq_completion)hci8){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888175b57948 ((wq_completion)hci8){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90003da7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90003da7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff88807caccd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
#3: ffff88807cacc078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1ea/0xde0 net/bluetooth/hci_sync.c:5567
#4: ffffffff8fe3e668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff8fe3e668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x15d/0x300 net/bluetooth/hci_conn.c:1262
6 locks held by kworker/u9:6/5335:
#0: ffff888219140948 ((wq_completion)hci7){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888219140948 ((wq_completion)hci7){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90003c27d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90003c27d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff88804a2e4d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
#3: ffff88804a2e4078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1ea/0xde0 net/bluetooth/hci_sync.c:5567
#4: ffffffff8fe3e668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff8fe3e668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x15d/0x300 net/bluetooth/hci_conn.c:1262
#5: ffffffff8e93d378 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:297 [inline]
#5: ffffffff8e93d378 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x381/0x830 kernel/rcu/tree_exp.h:976
5 locks held by kworker/u9:7/5337:
#0: ffff888218333948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888218333948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90003c07d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90003c07d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff88807edc8d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:327
#3: ffff88807edc8078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1ea/0xde0 net/bluetooth/hci_sync.c:5567
#4: ffffffff8fe3e668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff8fe3e668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x15d/0x300 net/bluetooth/hci_conn.c:1262
3 locks held by kworker/1:5/5405:
4 locks held by kworker/0:5/5438:
#0: ffff88801ac81948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88801ac81948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc9000360fd00 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc9000360fd00 ((reg_check_chans).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: reg_check_chans_work+0x99/0xfd0 net/wireless/reg.c:2480
#3: ffff8880787d0768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:6014 [inline]
#3: ffff8880787d0768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: reg_leave_invalid_chans net/wireless/reg.c:2468 [inline]
#3: ffff8880787d0768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: reg_check_chans_work+0x164/0xfd0 net/wireless/reg.c:2483
1 lock held by syz-executor/5463:
#0: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643
1 lock held by syz-executor/5464:
#0: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643
3 locks held by syz-executor/5465:
4 locks held by syz-executor/5469:
#0: ffff8880322e8420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2931 [inline]
#0: ffff8880322e8420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
#1: ffff888085516888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
#2: ffff8880272140f8 (kn->active#56){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
#3: ffffffff8f56fea8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
7 locks held by syz-executor/5470:
#0: ffff8880322e8420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2931 [inline]
#0: ffff8880322e8420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x224/0xc90 fs/read_write.c:679
#1: ffff888084d7e888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
#2: ffff8880272141e8 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
#3: ffffffff8f56fea8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
#4: ffff88807fb830e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807fb830e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88807fb830e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
#5: ffff88807fb84250 (&devlink->lock_key#4){+.+.}-{3:3}, at: nsim_drv_remove+0x50/0x160 drivers/net/netdevsim/dev.c:1672
#6: ffffffff8fcd1dc8 (rtnl_mutex){+.+.}-{3:3}, at: unregister_nexthop_notifier+0x17/0x40 net/ipv4/nexthop.c:3913
=============================================
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xff4/0x1040 kernel/hung_task.c:379
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 4690 Comm: udevd Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:mark_lock+0x3/0x360 kernel/locking/lockdep.c:4686
Code: 04 ff ff ff e8 9e b9 54 0a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 <41> 56 41 55 41 54 53 48 83 ec 10 49 89 f7 48 89 3c 24 49 bd 00 00
RSP: 0018:ffffc9000305f2c8 EFLAGS: 00000006
RAX: 000000000005054b RBX: ffff88807eb664e0 RCX: ffffffff9a3cc903
RDX: 0000000000000003 RSI: ffff88807eb664e0 RDI: ffff88807eb65a00
RBP: ffffc9000305f388 R08: ffffffff901cee2f R09: 1ffffffff2039dc5
R10: dffffc0000000000 R11: fffffbfff2039dc6 R12: ffff88807eb66500
R13: 0000000000000000 R14: ffff88807eb664d8 R15: 1ffff1100fd6cc9b
FS: 00007efdac2c9c80(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c00091d660 CR3: 000000007e158000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
mark_held_locks kernel/locking/lockdep.c:4321 [inline]
__trace_hardirqs_on_caller kernel/locking/lockdep.c:4339 [inline]
lockdep_hardirqs_on_prepare+0x282/0x780 kernel/locking/lockdep.c:4406
trace_hardirqs_on+0x28/0x40 kernel/trace/trace_preemptirq.c:61
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock_irqrestore+0x8f/0x140 kernel/locking/spinlock.c:194
__debug_check_no_obj_freed lib/debugobjects.c:998 [inline]
debug_check_no_obj_freed+0x561/0x580 lib/debugobjects.c:1019
free_pages_prepare mm/page_alloc.c:1115 [inline]
free_unref_page+0x41b/0xf20 mm/page_alloc.c:2638
discard_slab mm/slub.c:2677 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3145
put_cpu_partial+0x17c/0x250 mm/slub.c:3220
__slab_free+0x2ea/0x3d0 mm/slub.c:4449
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
anon_vma_chain_alloc mm/rmap.c:143 [inline]
anon_vma_fork+0x1fa/0x580 mm/rmap.c:365
dup_mmap kernel/fork.c:713 [inline]
dup_mm kernel/fork.c:1674 [inline]
copy_mm+0xd7c/0x1f40 kernel/fork.c:1723
copy_process+0x1845/0x3d50 kernel/fork.c:2372
kernel_clone+0x226/0x8f0 kernel/fork.c:2784
__do_sys_clone kernel/fork.c:2927 [inline]
__se_sys_clone kernel/fork.c:2911 [inline]
__x64_sys_clone+0x258/0x2a0 kernel/fork.c:2911
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efdabefca12
Code: 41 5d 41 5e 41 5f c3 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 10 48 8b 15 e7 43 0f 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffde4edde98 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000559c91bf0801 RCX: 00007efdabefca12
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000559c91be0910
R10: 00007efdac2c9f50 R11: 0000000000000246 R12: 0000559c91c06ae0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000559c91be0910
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2024-09-26 17:58 [syzbot] [net?] INFO: task hung in new_device_store (5) syzbot
2024-09-26 20:14 ` Eric Dumazet
2024-10-09 8:20 ` syzbot
@ 2025-12-25 16:24 ` syzbot
2025-12-30 7:48 ` Tetsuo Handa
2 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2025-12-25 16:24 UTC (permalink / raw)
To: andrew+netdev, boqun.feng, davem, edumazet, hdanton, kuba,
linux-kernel, netdev, pabeni, penguin-kernel, syzkaller-bugs,
torvalds
syzbot has found a reproducer for the following issue on:
HEAD commit: 8f0b4cce4481 Linux 6.19-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=156eb09a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a8594efdc14f07a
dashboard link: https://syzkaller.appspot.com/bug?extid=05f9cecd28e356241aba
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177f9758580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b2ab92580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cd4f5f43efc8/disk-8f0b4cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aafb35ac3a3c/vmlinux-8f0b4cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d221fae4ab17/Image-8f0b4cce.gz.xz
Bisection is inconclusive: the first bad commit could be any of:
949090eaf0a3 sched/eevdf: Remove min_vruntime_copy
8e2e13ac6122 sched/fair: Cleanup pick_task_fair() vs throttle
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10491fd0580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+05f9cecd28e356241aba@syzkaller.appspotmail.com
INFO: task syz-executor:6714 blocked for more than 144 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:0 pid:6714 tgid:6714 ppid:1 task_flags:0x400140 flags:0x00000001
Call trace:
__switch_to+0x418/0x87c arch/arm64/kernel/process.c:741 (T)
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1250/0x2a7c kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xb4/0x230 kernel/sched/core.c:6960
schedule_preempt_disabled+0x18/0x2c kernel/sched/core.c:7017
__mutex_lock_common+0xd04/0x2678 kernel/locking/mutex.c:692
__mutex_lock kernel/locking/mutex.c:776 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:828
new_device_store+0x128/0x594 drivers/net/netdevsim/bus.c:184
bus_attr_store+0x80/0xa4 drivers/base/bus.c:172
sysfs_kf_write+0x1a8/0x23c fs/sysfs/file.c:142
kernfs_fop_write_iter+0x33c/0x4d0 fs/kernfs/file.c:352
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x540/0xa3c fs/read_write.c:686
ksys_write+0x120/0x210 fs/read_write.c:738
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:746
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
INFO: task syz-executor:6720 blocked for more than 144 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:0 pid:6720 tgid:6720 ppid:1 task_flags:0x400140 flags:0x00000011
Call trace:
__switch_to+0x418/0x87c arch/arm64/kernel/process.c:741 (T)
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1250/0x2a7c kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xb4/0x230 kernel/sched/core.c:6960
schedule_preempt_disabled+0x18/0x2c kernel/sched/core.c:7017
__mutex_lock_common+0xd04/0x2678 kernel/locking/mutex.c:692
__mutex_lock kernel/locking/mutex.c:776 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:828
device_lock include/linux/device.h:895 [inline]
device_del+0xa4/0x808 drivers/base/core.c:3840
device_unregister+0x2c/0xf4 drivers/base/core.c:3919
nsim_bus_dev_del drivers/net/netdevsim/bus.c:483 [inline]
del_device_store+0x27c/0x31c drivers/net/netdevsim/bus.c:244
bus_attr_store+0x80/0xa4 drivers/base/bus.c:172
sysfs_kf_write+0x1a8/0x23c fs/sysfs/file.c:142
kernfs_fop_write_iter+0x33c/0x4d0 fs/kernfs/file.c:352
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x540/0xa3c fs/read_write.c:686
ksys_write+0x120/0x210 fs/read_write.c:738
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:746
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
INFO: task syz-executor:6724 blocked for more than 146 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:0 pid:6724 tgid:6724 ppid:6719 task_flags:0x400140 flags:0x00800000
Call trace:
__switch_to+0x418/0x87c arch/arm64/kernel/process.c:741 (T)
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1250/0x2a7c kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xb4/0x230 kernel/sched/core.c:6960
schedule_preempt_disabled+0x18/0x2c kernel/sched/core.c:7017
__mutex_lock_common+0xd04/0x2678 kernel/locking/mutex.c:692
__mutex_lock kernel/locking/mutex.c:776 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:828
del_device_store+0xd4/0x31c drivers/net/netdevsim/bus.c:234
bus_attr_store+0x80/0xa4 drivers/base/bus.c:172
sysfs_kf_write+0x1a8/0x23c fs/sysfs/file.c:142
kernfs_fop_write_iter+0x33c/0x4d0 fs/kernfs/file.c:352
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x540/0xa3c fs/read_write.c:686
ksys_write+0x120/0x210 fs/read_write.c:738
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:746
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Showing all locks held in the system:
3 locks held by kworker/u8:1/13:
2 locks held by kworker/1:1/26:
1 lock held by khungtaskd/32:
#0: ffff80008fa5b520 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x48 include/linux/rcupdate.h:330
3 locks held by kworker/u8:2/41:
1 lock held by pr/ttyAMA-1/43:
6 locks held by kworker/u8:5/155:
3 locks held by kworker/u8:7/713:
#0: ffff0000d55b1948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x63c/0x1558 kernel/workqueue.c:3231
#1: ffff80009d0f7be0 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x6d0/0x1558 kernel/workqueue.c:3231
#2: ffff800092ae4168 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock+0x20/0x2c net/core/rtnetlink.c:80
2 locks held by kworker/u8:8/1023:
6 locks held by kworker/u8:9/1342:
#0: ffff0000c1843148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x63c/0x1558 kernel/workqueue.c:3231
#1: ffff80009ed07be0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x6d0/0x1558 kernel/workqueue.c:3231
#2: ffff800092ad71f0 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xf0/0x638 net/core/net_namespace.c:670
#3: ffff0000da33f0e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff0000da33f0e8 (&dev->mutex){....}-{4:4}, at: devl_dev_lock net/devlink/devl_internal.h:108 [inline]
#3: ffff0000da33f0e8 (&dev->mutex){....}-{4:4}, at: devlink_pernet_pre_exit+0xe4/0x380 net/devlink/core.c:506
#4: ffff0000c7b48250 (&devlink->lock_key){+.+.}-{4:4}, at: devl_lock net/devlink/core.c:276 [inline]
#4: ffff0000c7b48250 (&devlink->lock_key){+.+.}-{4:4}, at: devl_dev_lock net/devlink/devl_internal.h:109 [inline]
#4: ffff0000c7b48250 (&devlink->lock_key){+.+.}-{4:4}, at: devlink_pernet_pre_exit+0xf0/0x380 net/devlink/core.c:506
#5: ffff800092ae4168 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock+0x20/0x2c net/core/rtnetlink.c:80
3 locks held by kworker/u8:10/1512:
2 locks held by kworker/0:2/3988:
3 locks held by kworker/u8:14/4835:
3 locks held by kworker/u8:15/5060:
#0: ffff0000c0031948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x63c/0x1558 kernel/workqueue.c:3231
#1: ffff8000a4817be0 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x6d0/0x1558 kernel/workqueue.c:3231
#2: ffff800092ae4168 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock+0x20/0x2c net/core/rtnetlink.c:80
3 locks held by kworker/u8:16/5722:
3 locks held by udevd/6209:
3 locks held by dhcpcd/6265:
2 locks held by getty/6351:
#0: ffff0000d5dd30a0 (&tty->ldisc_sem){++++}-{0:0}, at: ldsem_down_read+0x3c/0x4c drivers/tty/tty_ldsem.c:340
#1: ffff800099f1e2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x34c/0xfc8 drivers/tty/n_tty.c:2211
2 locks held by kworker/1:3/6704:
4 locks held by syz-executor/6714:
#0: ffff0000dc442420 (sb_writers#6){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2681 [inline]
#0: ffff0000dc442420 (sb_writers#6){.+.+}-{0:0}, at: vfs_write+0x24c/0xa3c fs/read_write.c:682
#1: ffff0000d4d40888 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1b4/0x4d0 fs/kernfs/file.c:343
#2: ffff0000ce348878 (kn->active#56){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ffff0000ce348878 (kn->active#56){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x1f4/0x4d0 fs/kernfs/file.c:344
#3: ffff800091bf3648 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: new_device_store+0x128/0x594 drivers/net/netdevsim/bus.c:184
5 locks held by syz-executor/6720:
#0: ffff0000dc442420 (sb_writers#6){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2681 [inline]
#0: ffff0000dc442420 (sb_writers#6){.+.+}-{0:0}, at: vfs_write+0x24c/0xa3c fs/read_write.c:682
#1: ffff0000d6511488 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1b4/0x4d0 fs/kernfs/file.c:343
#2: ffff0000ce348968 (kn->active#55){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ffff0000ce348968 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x1f4/0x4d0 fs/kernfs/file.c:344
#3: ffff800091bf3648 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xd4/0x31c drivers/net/netdevsim/bus.c:234
#4: ffff0000da33f0e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff0000da33f0e8 (&dev->mutex){....}-{4:4}, at: device_del+0xa4/0x808 drivers/base/core.c:3840
4 locks held by syz-executor/6724:
#0: ffff0000dc442420 (sb_writers#6){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2681 [inline]
#0: ffff0000dc442420 (sb_writers#6){.+.+}-{0:0}, at: vfs_write+0x24c/0xa3c fs/read_write.c:682
#1: ffff0000d6512888 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1b4/0x4d0 fs/kernfs/file.c:343
#2: ffff0000ce348968 (kn->active#55){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ffff0000ce348968 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x1f4/0x4d0 fs/kernfs/file.c:344
#3: ffff800091bf3648 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xd4/0x31c drivers/net/netdevsim/bus.c:234
4 locks held by kworker/0:4/6772:
#0: ffff0000c0029948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x63c/0x1558 kernel/workqueue.c:3231
#1: ffff8000a3f67be0 ((work_completion)(&helper->damage_work)){+.+.}-{0:0}, at: process_one_work+0x6d0/0x1558 kernel/workqueue.c:3231
#2: ffff0000ca9f5280 (&helper->lock){+.+.}-{4:4}, at: drm_fb_helper_fb_dirty drivers/gpu/drm/drm_fb_helper.c:333 [inline]
#2: ffff0000ca9f5280 (&helper->lock){+.+.}-{4:4}, at: drm_fb_helper_damage_work+0xa8/0x568 drivers/gpu/drm/drm_fb_helper.c:369
#3: ffff0000caeb8128 (&dev->master_mutex){+.+.}-{4:4}, at: drm_master_internal_acquire+0x24/0x78 drivers/gpu/drm/drm_auth.c:435
2 locks held by syz.0.17/6788:
4 locks held by kworker/0:8/6796:
#0: ffff0000d54fcd48 ((wq_completion)mld){+.+.}-{0:0}, at: process_one_work+0x63c/0x1558 kernel/workqueue.c:3231
#1: ffff8000a3ef7be0 ((work_completion)(&(&idev->mc_ifc_work)->work)){+.+.}-{0:0}, at: process_one_work+0x6d0/0x1558 kernel/workqueue.c:3231
#2: ffff0000dcc68538 (&idev->mc_lock){+.+.}-{4:4}, at: mld_ifc_work+0x38/0xc38 net/ipv6/mcast.c:2692
#3: ffff80008f916b20 (sched_map-wait-type-override){+.+.}-{3:3}, at: sched_submit_work+0x14/0x144 kernel/sched/core.c:6893
5 locks held by syz-executor/6797:
2 locks held by syz-executor/6802:
2 locks held by syz-executor/6804:
=============================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [net?] INFO: task hung in new_device_store (5)
2025-12-25 16:24 ` syzbot
@ 2025-12-30 7:48 ` Tetsuo Handa
0 siblings, 0 replies; 11+ messages in thread
From: Tetsuo Handa @ 2025-12-30 7:48 UTC (permalink / raw)
To: syzbot, andrew+netdev, boqun.feng, davem, edumazet, hdanton, kuba,
linux-kernel, netdev, pabeni, syzkaller-bugs, torvalds
If we ratelimit
"received packet on %s with own address as source address (addr:%pM, vlan:%u)\n",
message with up to once per 2 second [1], this problem is shown as "task hung in rtnl_lock".
If we ratelimit this message with up to 10 times per 5 second [2], this problem is shown as
"INFO: task hung in del_device_store".
This difference suggests that this task hung is caused by out of CPU time for making
forward progress due to spending too much CPU time for printk() operation from interrupt
context. We might want to ratelimit more aggressively.
Link: https://lkml.kernel.org/r/69533402.050a0220.329c0f.0428.GAE@google.com [1]
Link: https://lkml.kernel.org/r/695347ee.050a0220.329c0f.042b.GAE@google.com [2]
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2025-12-30 7:49 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-26 17:58 [syzbot] [net?] INFO: task hung in new_device_store (5) syzbot
2024-09-26 20:14 ` Eric Dumazet
2024-09-27 11:04 ` Hillf Danton
2024-09-27 11:24 ` Eric Dumazet
2024-09-27 11:27 ` Eric Dumazet
2024-09-27 11:41 ` Hillf Danton
2024-09-27 11:54 ` Eric Dumazet
2024-09-28 0:06 ` Hillf Danton
2024-10-09 8:20 ` syzbot
2025-12-25 16:24 ` syzbot
2025-12-30 7:48 ` Tetsuo Handa
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).