On Mon, Oct 20, 2025 at 05:02:56PM -0700, syzbot wrote:
Hello,

syzbot found the following issue on:

HEAD commit:    d9043c79ba68 Merge tag 'sched_urgent_for_v6.18_rc2' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130983cd980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e7b5a3627a90dd
dashboard link: https://syzkaller.appspot.com/bug?extid=10e35716f8e4929681fa
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for 
Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17f0f52f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11ea9734580000

#syz test

>From 456534cbdbc7312fa1cddfb7aa50b771725c0a53 Mon Sep 17 00:00:00 2001
From: Stefano Garzarella <[email protected]>
Date: Tue, 21 Oct 2025 12:51:45 +0200
Subject: [PATCH] TODO

From: Stefano Garzarella <[email protected]>

---
 net/vmw_vsock/af_vsock.c | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 4c2db6cca557..89b4dbb859a5 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -487,12 +487,26 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct 
vsock_sock *psk)
                goto err;
        }
 
-       if (vsk->transport) {
-               if (vsk->transport == new_transport) {
-                       ret = 0;
-                       goto err;
-               }
+       if (vsk->transport == new_transport) {
+               ret = 0;
+               goto err;
+       }
 
+       /* We increase the module refcnt to prevent the transport unloading
+        * while there are open sockets assigned to it.
+        */
+       if (!new_transport || !try_module_get(new_transport->module)) {
+               ret = -ENODEV;
+               goto err;
+       }
+
+       /* It's safe to release the mutex after a successful try_module_get().
+        * Whichever transport `new_transport` points at, it won't go away until
+        * the last module_put() below or in vsock_deassign_transport().
+        */
+       mutex_unlock(&vsock_register_mutex);
+
+       if (vsk->transport) {
                /* transport->release() must be called with sock lock acquired.
                 * This path can only be taken during vsock_connect(), where we
                 * have already held the sock lock. In the other cases, this
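Review bot: The un-nested test `if (vsk->transport == new_transport)` is now also true when both pointers are NULL (the hunk's own `!new_transport` check shows that new_transport can be NULL), so a socket with no transport assigned takes the `ret = 0` exit instead of reaching the -ENODEV path. Callers would then see success with `vsk->transport` still NULL; whether each caller re-checks the pointer is not visible here. Keeping the original guard preserves the old result: `if (vsk->transport && vsk->transport == new_transport) {`. Separately, a failed `try_module_get()` now returns -ENODEV with the previous transport still assigned, where the old order had already released it, so a one-line comment stating that this is intended would help. The body of vsock_assign_transport() starts and ends outside the hunk.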
@@ -512,20 +526,6 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct 
vsock_sock *psk)
                vsk->peer_shutdown = 0;
        }
 
-       /* We increase the module refcnt to prevent the transport unloading
-        * while there are open sockets assigned to it.
-        */
-       if (!new_transport || !try_module_get(new_transport->module)) {
-               ret = -ENODEV;
-               goto err;
-       }
-
-       /* It's safe to release the mutex after a successful try_module_get().
-        * Whichever transport `new_transport` points at, it won't go away until
-        * the last module_put() below or in vsock_deassign_transport().
-        */
-       mutex_unlock(&vsock_register_mutex);
-
        if (sk->sk_type == SOCK_SEQPACKET) {
                if (!new_transport->seqpacket_allow ||
                    !new_transport->seqpacket_allow(remote_cid)) {
-- 
2.51.0
