lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <68b73804.050a0220.3db4df.01d8.GAE@google.com>
Date: Tue, 02 Sep 2025 11:31:32 -0700
From: syzbot <syzbot+50603c05bbdf4dfdaffa@...kaller.appspotmail.com>
To: alibuda@...ux.alibaba.com, davem@...emloft.net, dust.li@...ux.alibaba.com, 
	edumazet@...gle.com, guwen@...ux.alibaba.com, horms@...nel.org, 
	kuba@...nel.org, linux-kernel@...r.kernel.org, linux-rdma@...r.kernel.org, 
	linux-s390@...r.kernel.org, mjambigi@...ux.ibm.com, netdev@...r.kernel.org, 
	pabeni@...hat.com, sidraya@...ux.ibm.com, syzkaller-bugs@...glegroups.com, 
	tonylu@...ux.alibaba.com, wenjia@...ux.ibm.com
Subject: [syzbot] [smc?] possible deadlock in smc_diag_dump_proto

Hello,

syzbot found the following issue on:

HEAD commit:    8d245acc1e88 Merge tag 'char-misc-6.17-rc3' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=176fa7bc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e1e1566c7726877e
dashboard link: https://syzkaller.appspot.com/bug?extid=50603c05bbdf4dfdaffa
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e42062580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12e42062580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/096739d8f0ec/disk-8d245acc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/83a21aa9b978/vmlinux-8d245acc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7e7f165a3b29/bzImage-8d245acc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+50603c05bbdf4dfdaffa@...kaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/6109 is trying to acquire lock:
ffff8880b8823d90 ((softirq_ctrl.lock)){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:44 [inline]
ffff8880b8823d90 ((softirq_ctrl.lock)){+.+.}-{3:3}, at: __local_bh_disable_ip+0x264/0x400 kernel/softirq.c:168

but task is already holding lock:
ffffffff8efa6608 (smc_v6_hashinfo.lock){++.+}-{3:3}, at: read_lock include/linux/rwlock_rt.h:37 [inline]
ffffffff8efa6608 (smc_v6_hashinfo.lock){++.+}-{3:3}, at: smc_diag_dump_proto+0x174/0x1fb0 net/smc/smc_diag.c:207

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (smc_v6_hashinfo.lock){++.+}-{3:3}:
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       rt_write_lock+0x6a/0x110 kernel/locking/spinlock_rt.c:242
       write_lock_bh include/linux/rwlock_rt.h:99 [inline]
       smc_hash_sk+0x8f/0x2a0 net/smc/af_smc.c:193
       smc_sk_init+0x5a1/0x7f0 net/smc/af_smc.c:399
       smc_sock_alloc net/smc/af_smc.c:420 [inline]
       __smc_create+0x10d/0x280 net/smc/af_smc.c:3382
       __sock_create+0x4b3/0x9f0 net/socket.c:1589
       sock_create net/socket.c:1647 [inline]
       __sys_socket_create net/socket.c:1684 [inline]
       __sys_socket+0xd7/0x1b0 net/socket.c:1731
       __do_sys_socket net/socket.c:1745 [inline]
       __se_sys_socket net/socket.c:1743 [inline]
       __x64_sys_socket+0x7a/0x90 net/socket.c:1743
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 ((softirq_ctrl.lock)){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
       __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
       reacquire_held_locks+0x127/0x1d0 kernel/locking/lockdep.c:5385
       __lock_release kernel/locking/lockdep.c:5574 [inline]
       lock_release+0x1b4/0x3e0 kernel/locking/lockdep.c:5889
       __local_bh_enable_ip+0x10c/0x270 kernel/softirq.c:228
       local_bh_enable include/linux/bottom_half.h:33 [inline]
       sock_i_ino+0xa9/0xc0 net/core/sock.c:2800
       smc_diag_msg_attrs_fill net/smc/smc_diag.c:68 [inline]
       __smc_diag_dump net/smc/smc_diag.c:98 [inline]
       smc_diag_dump_proto+0xa4c/0x1fb0 net/smc/smc_diag.c:217
       smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
       netlink_dump+0x6e4/0xe90 net/netlink/af_netlink.c:2327
       __netlink_dump_start+0x5cb/0x7e0 net/netlink/af_netlink.c:2442
       netlink_dump_start include/linux/netlink.h:341 [inline]
       smc_diag_handler_dump+0x178/0x210 net/smc/smc_diag.c:251
       sock_diag_rcv_msg+0x4c9/0x600 net/core/sock_diag.c:-1
       netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
       netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
       netlink_unicast+0x843/0xa10 net/netlink/af_netlink.c:1346
       netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
       sock_sendmsg_nosec net/socket.c:714 [inline]
       __sock_sendmsg+0x219/0x270 net/socket.c:729
       ____sys_sendmsg+0x508/0x820 net/socket.c:2614
       ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
       __sys_sendmsg net/socket.c:2700 [inline]
       __do_sys_sendmsg net/socket.c:2705 [inline]
       __se_sys_sendmsg net/socket.c:2703 [inline]
       __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(smc_v6_hashinfo.lock);
                               lock((softirq_ctrl.lock));
                               lock(smc_v6_hashinfo.lock);
  lock((softirq_ctrl.lock));

 *** DEADLOCK ***

3 locks held by syz.0.17/6109:
 #0: ffff888035fbe908 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0xfe/0x7e0 net/netlink/af_netlink.c:2406
 #1: ffffffff8efa6608 (smc_v6_hashinfo.lock){++.+}-{3:3}, at: read_lock include/linux/rwlock_rt.h:37 [inline]
 #1: ffffffff8efa6608 (smc_v6_hashinfo.lock){++.+}-{3:3}, at: smc_diag_dump_proto+0x174/0x1fb0 net/smc/smc_diag.c:207
 #2: ffffffff8d9a8b80 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #2: ffffffff8d9a8b80 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #2: ffffffff8d9a8b80 (rcu_read_lock){....}-{1:3}, at: rt_read_lock+0x1f8/0x360 kernel/locking/spinlock_rt.c:234

stack backtrace:
CPU: 0 UID: 0 PID: 6109 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
 reacquire_held_locks+0x127/0x1d0 kernel/locking/lockdep.c:5385
 __lock_release kernel/locking/lockdep.c:5574 [inline]
 lock_release+0x1b4/0x3e0 kernel/locking/lockdep.c:5889
 __local_bh_enable_ip+0x10c/0x270 kernel/softirq.c:228
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 sock_i_ino+0xa9/0xc0 net/core/sock.c:2800
 smc_diag_msg_attrs_fill net/smc/smc_diag.c:68 [inline]
 __smc_diag_dump net/smc/smc_diag.c:98 [inline]
 smc_diag_dump_proto+0xa4c/0x1fb0 net/smc/smc_diag.c:217
 smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
 netlink_dump+0x6e4/0xe90 net/netlink/af_netlink.c:2327
 __netlink_dump_start+0x5cb/0x7e0 net/netlink/af_netlink.c:2442
 netlink_dump_start include/linux/netlink.h:341 [inline]
 smc_diag_handler_dump+0x178/0x210 net/smc/smc_diag.c:251
 sock_diag_rcv_msg+0x4c9/0x600 net/core/sock_diag.c:-1
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x843/0xa10 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x508/0x820 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe07d70ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe932c2428 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fe07d935fa0 RCX: 00007fe07d70ebe9
RDX: 0000000000004000 RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007fe07d791e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe07d935fa0 R14: 00007fe07d935fa0 R15: 0000000000000003
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ