From: syzbot ci <syzbot+cid6b8ec9663859ff0@syzkaller.appspotmail.com>
To: asml.silence@gmail.com, axboe@kernel.dk, io-uring@vger.kernel.org
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: [syzbot ci] Re: io_uring/kbuf: ensure ring ctx is held locked over io_put_kbuf()
Date: Wed, 20 Aug 2025 23:54:18 -0700 [thread overview]
Message-ID: <68a6c29a.050a0220.3d78fd.001c.GAE@google.com> (raw)
In-Reply-To: <e2f14b20-2ad4-4e59-9966-26dd6aa70f31@kernel.dk>
syzbot ci has tested the following series
[v1] io_uring/kbuf: ensure ring ctx is held locked over io_put_kbuf()
https://lore.kernel.org/all/e2f14b20-2ad4-4e59-9966-26dd6aa70f31@kernel.dk
* [PATCH] io_uring/kbuf: ensure ring ctx is held locked over io_put_kbuf()
and found the following issue:
possible deadlock in io_req_defer_failed
Full report is available here:
https://ci.syzbot.org/series/fd113bf0-fc76-46b7-8c0b-08fa3c8bda14
***
possible deadlock in io_req_defer_failed
tree: torvalds
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base: dfc0f6373094dd88e1eaf76c44f2ff01b65db851
arch: amd64
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
config: https://ci.syzbot.org/builds/e832762c-b6ee-4bb3-b01f-da0e8f70d1d0/config
C repro: https://ci.syzbot.org/findings/57691bf2-072c-42f3-8742-80414426104c/c_repro
syz repro: https://ci.syzbot.org/findings/57691bf2-072c-42f3-8742-80414426104c/syz_repro
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
syz.0.17/6012 is trying to acquire lock:
ffff88802aa620a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_ring_submit_lock io_uring/io_uring.h:287 [inline]
ffff88802aa620a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_put_kbuf io_uring/kbuf.h:132 [inline]
ffff88802aa620a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_req_defer_failed+0x166/0x550 io_uring/io_uring.c:988
but task is already holding lock:
ffff88802aa620a8 (&ctx->uring_lock){+.+.}-{4:4}, at: __do_sys_io_uring_enter io_uring/io_uring.c:3463 [inline]
ffff88802aa620a8 (&ctx->uring_lock){+.+.}-{4:4}, at: __se_sys_io_uring_enter+0x2d4/0x2b20 io_uring/io_uring.c:3398
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&ctx->uring_lock);
lock(&ctx->uring_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by syz.0.17/6012:
#0: ffff88802aa620a8 (&ctx->uring_lock){+.+.}-{4:4}, at: __do_sys_io_uring_enter io_uring/io_uring.c:3463 [inline]
#0: ffff88802aa620a8 (&ctx->uring_lock){+.+.}-{4:4}, at: __se_sys_io_uring_enter+0x2d4/0x2b20 io_uring/io_uring.c:3398
stack backtrace:
CPU: 0 UID: 0 PID: 6012 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_deadlock_bug+0x28b/0x2a0 kernel/locking/lockdep.c:3041
check_deadlock kernel/locking/lockdep.c:3093 [inline]
validate_chain+0x1a3f/0x2140 kernel/locking/lockdep.c:3895
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__mutex_lock_common kernel/locking/mutex.c:598 [inline]
__mutex_lock+0x187/0x1360 kernel/locking/mutex.c:760
io_ring_submit_lock io_uring/io_uring.h:287 [inline]
io_put_kbuf io_uring/kbuf.h:132 [inline]
io_req_defer_failed+0x166/0x550 io_uring/io_uring.c:988
io_queue_sqe io_uring/io_uring.c:2032 [inline]
io_submit_sqe io_uring/io_uring.c:2284 [inline]
io_submit_sqes+0xe28/0x1d10 io_uring/io_uring.c:2397
__do_sys_io_uring_enter io_uring/io_uring.c:3464 [inline]
__se_sys_io_uring_enter+0x2df/0x2b20 io_uring/io_uring.c:3398
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f36d418ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc1d32a978 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007f36d43b5fa0 RCX: 00007f36d418ebe9
RDX: 0000000000000000 RSI: 0000000000003516 RDI: 0000000000000003
RBP: 00007f36d4211e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f36d43b5fa0 R14: 00007f36d43b5fa0 R15: 0000000000000006
</TASK>
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
prev parent reply other threads:[~2025-08-21 6:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-20 23:16 [PATCH] io_uring/kbuf: ensure ring ctx is held locked over io_put_kbuf() Jens Axboe
2025-08-21 0:31 ` Jens Axboe
2025-08-21 6:54 ` syzbot ci [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=68a6c29a.050a0220.3d78fd.001c.GAE@google.com \
--to=syzbot+cid6b8ec9663859ff0@syzkaller.appspotmail.com \
--cc=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
--cc=syzbot@lists.linux.dev \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox