syzbot

 sign-in | mailing list | source | docs
🐞 Open [462]
🐞 Fixed [21]
🐞 Invalid [135]
Missing Backports [18]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

possible deadlock in __dev_queue_xmit

Status: upstream: reported on 2026/02/07 03:49
Reported-by: syzbot+e2c6fd2402d4498dfb39@syzkaller.appspotmail.com
First crash: 1d20h, last: 1d20h
Similar bugs (13)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 possible deadlock in __dev_queue_xmit 4 4 2423d 2492d 0/3 auto-closed as invalid on 2019/10/25 08:36
upstream possible deadlock in __dev_queue_xmit (3) net 4 C done inconclusive 1153 67d 2259d 0/29 upstream: reported C repro on 2019/12/03 09:55
linux-4.19 possible deadlock in __dev_queue_xmit 4 C error 5 1600d 2018d 0/1 upstream: reported C repro on 2020/07/31 07:05
android-414 possible deadlock in __dev_queue_xmit 4 3 2482d 2493d 0/1 auto-closed as invalid on 2019/10/21 21:31
linux-6.1 possible deadlock in __dev_queue_xmit (3) 4 104 171d 471d 0/3 auto-obsoleted due to no activity on 2025/10/30 22:15
android-44 possible deadlock in __dev_queue_xmit 4 14 2258d 2320d 0/2 auto-closed as invalid on 2020/04/02 07:14
linux-6.1 possible deadlock in __dev_queue_xmit 4 98 843d 956d 0/3 auto-obsoleted due to no activity on 2023/12/28 22:22
linux-4.14 possible deadlock in __dev_queue_xmit 4 7 1969d 2413d 0/1 auto-closed as invalid on 2021/01/16 21:33
upstream possible deadlock in __dev_queue_xmit net 4 1 2581d 2581d 0/29 closed as invalid on 2019/03/10 18:51
linux-5.15 possible deadlock in __dev_queue_xmit 4 113 907d 1043d 0/3 auto-obsoleted due to no activity on 2023/10/25 04:56
linux-6.1 possible deadlock in __dev_queue_xmit (2) 4 7 641d 751d 0/3 auto-obsoleted due to no activity on 2024/08/16 05:44
linux-5.15 possible deadlock in __dev_queue_xmit (2) origin:lts-only 4 C done 124 4d14h 786d 0/3 upstream: reported C repro on 2023/12/15 02:11
upstream possible deadlock in __dev_queue_xmit (2) kernel 4 2 2393d 2509d 0/29 auto-closed as invalid on 2019/11/19 09:01

Sample crash report:
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
kworker/u4:12/8172 is trying to acquire lock:
ffff88802eb01218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88802eb01218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3899 [inline]
ffff88802eb01218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x1f6f/0x36b0 net/core/dev.c:4404

but task is already holding lock:
ffff888056a3e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
ffff888056a3e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
ffff888056a3e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3856 [inline]
ffff888056a3e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x126a/0x36b0 net/core/dev.c:4404

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2);
  lock(dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

9 locks held by kworker/u4:12/8172:
 #0: ffff88805d8bbd38 ((wq_completion)bond5#5){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805d8bbd38 ((wq_completion)bond5#5){+.+.}-{0:0}, at: process_scheduled_works+0x96f/0x15d0 kernel/workqueue.c:2711
 #1: ffffc90004bbfd00 ((work_completion)(&(&bond->alb_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc90004bbfd00 ((work_completion)(&(&bond->alb_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x96f/0x15d0 kernel/workqueue.c:2711
 #2: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #2: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #2: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: bond_alb_monitor+0xf9/0x17e0 drivers/net/bonding/bond_alb.c:1547
 #3: ffffffff8d132040 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #3: ffffffff8d132040 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
 #3: ffffffff8d132040 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x26b/0x36b0 net/core/dev.c:4363
 #4: ffff888056a3e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #4: ffff888056a3e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
 #4: ffff888056a3e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3856 [inline]
 #4: ffff888056a3e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x126a/0x36b0 net/core/dev.c:4404
 #5: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #5: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #5: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: ip_output+0x60/0x3b0 net/ipv4/ip_output.c:431
 #6: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #6: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #6: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x457/0x11e0 net/ipv4/ip_output.c:228
 #7: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #7: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #7: ffffffff8d131fe0 (rcu_read_lock){....}-{1:2}, at: arp_xmit+0x23/0x270 net/ipv4/arp.c:662
 #8: ffffffff8d132040 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #8: ffffffff8d132040 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
 #8: ffffffff8d132040 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x26b/0x36b0 net/core/dev.c:4363

stack backtrace:
CPU: 1 PID: 8172 Comm: kworker/u4:12 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: bond5 bond_alb_monitor
Call Trace:
 <TASK>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 check_deadlock kernel/locking/lockdep.c:3062 [inline]
 validate_chain kernel/locking/lockdep.c:3856 [inline]
 __lock_acquire+0x5dbc/0x7d40 kernel/locking/lockdep.c:5137
 lock_acquire+0x19e/0x420 kernel/locking/lockdep.c:5754
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 __dev_xmit_skb net/core/dev.c:3899 [inline]
 __dev_queue_xmit+0x1f6f/0x36b0 net/core/dev.c:4404
 NF_HOOK+0x331/0x3b0 include/linux/netfilter.h:-1
 arp_xmit+0x16c/0x270 net/ipv4/arp.c:664
 arp_solicit+0xc02/0xe40 net/ipv4/arp.c:392
 neigh_probe net/core/neighbour.c:1080 [inline]
 __neigh_event_send+0xed1/0x1440 net/core/neighbour.c:1247
 neigh_event_send_probe include/net/neighbour.h:467 [inline]
 neigh_event_send include/net/neighbour.h:473 [inline]
 neigh_resolve_output+0x19b/0x730 net/core/neighbour.c:1552
 neigh_output include/net/neighbour.h:543 [inline]
 ip_finish_output2+0xd3a/0x11e0 net/ipv4/ip_output.c:235
 NF_HOOK_COND include/linux/netfilter.h:293 [inline]
 ip_output+0x2a1/0x3b0 net/ipv4/ip_output.c:436
 iptunnel_xmit+0x4f0/0x920 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1cbc/0x2410 net/ipv4/ip_tunnel.c:844
 __gre_xmit net/ipv4/ip_gre.c:478 [inline]
 gre_tap_xmit+0x4fe/0x6f0 net/ipv4/ip_gre.c:757
 __netdev_start_xmit include/linux/netdevice.h:4943 [inline]
 netdev_start_xmit include/linux/netdevice.h:4957 [inline]
 xmit_one net/core/dev.c:3632 [inline]
 dev_hard_start_xmit+0x246/0x740 net/core/dev.c:3648
 sch_direct_xmit+0x25e/0x4c0 net/sched/sch_generic.c:345
 __dev_xmit_skb net/core/dev.c:3869 [inline]
 __dev_queue_xmit+0x179c/0x36b0 net/core/dev.c:4404
 dev_queue_xmit include/linux/netdevice.h:3113 [inline]
 alb_send_lp_vid+0x2fc/0x4e0 drivers/net/bonding/bond_alb.c:949
 alb_send_learning_packets+0x12d/0x300 drivers/net/bonding/bond_alb.c:1012
 bond_alb_monitor+0x3d6/0x17e0 drivers/net/bonding/bond_alb.c:1564
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/02/07 03:48 linux-6.6.y c56aaf1a85ae f20fc9f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan possible deadlock in __dev_queue_xmit
* Struck through repros no longer work on HEAD.