Message-ID: <000000000000597a320602c96ea0@google.com>
Date:   Sun, 13 Aug 2023 01:07:03 -0700
From:   syzbot <syzbot+9e1986cb61510a8ada32@...kaller.appspotmail.com>
To:     andy@...yhouse.net, ast@...nel.org, bpf@...r.kernel.org,
        daniel@...earbox.net, davem@...emloft.net, edumazet@...gle.com,
        hawk@...nel.org, j.vosburgh@...il.com, john.fastabend@...il.com,
        kuba@...nel.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, pabeni@...hat.com,
        syzkaller-bugs@...glegroups.com
Subject: [syzbot] [net?] possible deadlock in br_forward_delay_timer_expired

Hello,

syzbot found the following issue on:

HEAD commit:    d14eea09edf4 net: core: remove unnecessary frame_sz check ..
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=15321525a80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fa5bd4cd5ab6259d
dashboard link: https://syzkaller.appspot.com/bug?extid=9e1986cb61510a8ada32
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/dd4e64d718cc/disk-d14eea09.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0d81468167b0/vmlinux-d14eea09.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5a59df207999/bzImage-d14eea09.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9e1986cb61510a8ada32@...kaller.appspotmail.com

bond0: left promiscuous mode
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
6.5.0-rc4-syzkaller-00186-gd14eea09edf4 #0 Not tainted
-----------------------------------------------------
syz-executor.5/29194 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire:
ffff888028b2cd18 (&bond->stats_lock/1){+.+.}-{2:2}, at: bond_get_stats+0x118/0x560 drivers/net/bonding/bond_main.c:4427

and this task is already holding:
ffff88802d3b0c98 (&br->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff88802d3b0c98 (&br->lock){+.-.}-{2:2}, at: br_port_slave_changelink net/bridge/br_netlink.c:1199 [inline]
ffff88802d3b0c98 (&br->lock){+.-.}-{2:2}, at: br_port_slave_changelink+0x3e/0x190 net/bridge/br_netlink.c:1187
which would create a new lock dependency:
 (&br->lock){+.-.}-{2:2} -> (&bond->stats_lock/1){+.+.}-{2:2}

but this new dependency connects a SOFTIRQ-irq-safe lock:
 (&br->lock){+.-.}-{2:2}

... which became SOFTIRQ-irq-safe at:
  lock_acquire kernel/locking/lockdep.c:5761 [inline]
  lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:351 [inline]
  br_forward_delay_timer_expired+0x4f/0x560 net/bridge/br_stp_timer.c:86
  call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
  expire_timers kernel/time/timer.c:1751 [inline]
  __run_timers+0x764/0xb10 kernel/time/timer.c:2022
  run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
  __do_softirq+0x218/0x965 kernel/softirq.c:553
  invoke_softirq kernel/softirq.c:427 [inline]
  __irq_exit_rcu kernel/softirq.c:632 [inline]
  irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
  sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1109
  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
  lock_acquire+0x1ef/0x510 kernel/locking/lockdep.c:5729
  rcu_lock_acquire include/linux/rcupdate.h:303 [inline]
  rcu_read_lock include/linux/rcupdate.h:749 [inline]
  is_bpf_text_address+0x38/0x1a0 kernel/bpf/core.c:719
  kernel_text_address kernel/extable.c:125 [inline]
  kernel_text_address+0x85/0xf0 kernel/extable.c:94
  __kernel_text_address+0xd/0x30 kernel/extable.c:79
  unwind_get_return_address+0x55/0xa0 arch/x86/kernel/unwind_orc.c:369
  arch_stack_walk+0x9d/0xf0 arch/x86/kernel/stacktrace.c:26
  stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
  kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
  __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
  task_work_add+0x88/0x2a0 kernel/task_work.c:48
  fput fs/file_table.c:440 [inline]
  fput+0xed/0x1a0 fs/file_table.c:433
  filp_close+0x130/0x1b0 fs/open.c:1523
  close_fd+0x76/0xa0 fs/file.c:665
  __do_sys_close fs/open.c:1536 [inline]
  __se_sys_close fs/open.c:1534 [inline]
  __x64_sys_close+0x31/0x90 fs/open.c:1534
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

to a SOFTIRQ-irq-unsafe lock:
 (&bond->stats_lock/1){+.+.}-{2:2}

... which became SOFTIRQ-irq-unsafe at:
...
  lock_acquire kernel/locking/lockdep.c:5761 [inline]
  lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
  _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
  bond_get_stats+0x118/0x560 drivers/net/bonding/bond_main.c:4427
  dev_get_stats+0xb5/0x470 net/core/dev.c:10424
  rtnl_fill_stats+0x48/0xa80 net/core/rtnetlink.c:1261
  rtnl_fill_ifinfo+0x18b5/0x47b0 net/core/rtnetlink.c:1868
  rtmsg_ifinfo_build_skb+0x14d/0x270 net/core/rtnetlink.c:4024
  rtmsg_ifinfo_event net/core/rtnetlink.c:4058 [inline]
  rtmsg_ifinfo_event net/core/rtnetlink.c:4048 [inline]
  rtnetlink_event+0xef/0x1f0 net/core/rtnetlink.c:6479
  notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
  call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:1962
  call_netdevice_notifiers_extack net/core/dev.c:2000 [inline]
  call_netdevice_notifiers net/core/dev.c:2014 [inline]
  netdev_features_change net/core/dev.c:1325 [inline]
  netdev_change_features+0x82/0xb0 net/core/dev.c:9805
  bond_compute_features+0x4ec/0x810 drivers/net/bonding/bond_main.c:1496
  bond_enslave+0x3116/0x5d00 drivers/net/bonding/bond_main.c:2219
  do_set_master+0x1bc/0x220 net/core/rtnetlink.c:2661
  do_setlink+0xa07/0x3fa0 net/core/rtnetlink.c:2860
  __rtnl_newlink+0xc04/0x18c0 net/core/rtnetlink.c:3655
  rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3702
  rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6428
  netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2549
  netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
  netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
  netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1914
  sock_sendmsg_nosec net/socket.c:725 [inline]
  sock_sendmsg+0xd9/0x180 net/socket.c:748
  __sys_sendto+0x255/0x340 net/socket.c:2134
  __do_sys_sendto net/socket.c:2146 [inline]
  __se_sys_sendto net/socket.c:2142 [inline]
  __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2142
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&bond->stats_lock/1);
                               local_irq_disable();
                               lock(&br->lock);
                               lock(&bond->stats_lock/1);
  <Interrupt>
    lock(&br->lock);

 *** DEADLOCK ***

3 locks held by syz-executor.5/29194:
 #0: ffffffff8e3dfca8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8e3dfca8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x3e2/0xd30 net/core/rtnetlink.c:6425
 #1: ffff88802d3b0c98 (&br->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
 #1: ffff88802d3b0c98 (&br->lock){+.-.}-{2:2}, at: br_port_slave_changelink net/bridge/br_netlink.c:1199 [inline]
 #1: ffff88802d3b0c98 (&br->lock){+.-.}-{2:2}, at: br_port_slave_changelink+0x3e/0x190 net/bridge/br_netlink.c:1187
 #2: ffffffff8c9a6580 (rcu_read_lock){....}-{1:2}, at: bond_get_stats+0x4/0x560 drivers/net/bonding/bond_main.c:4414

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (&br->lock){+.-.}-{2:2} {
   HARDIRQ-ON-W at:
                    lock_acquire kernel/locking/lockdep.c:5761 [inline]
                    lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
                    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
                    _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
                    spin_lock_bh include/linux/spinlock.h:356 [inline]
                    br_add_if+0x1039/0x1bb0 net/bridge/br_if.c:682
                    do_set_master+0x1bc/0x220 net/core/rtnetlink.c:2661
                    do_setlink+0xa07/0x3fa0 net/core/rtnetlink.c:2860
                    __rtnl_newlink+0xc04/0x18c0 net/core/rtnetlink.c:3655
                    rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3702
                    rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6428
                    netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2549
                    netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
                    netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
                    netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1914
                    sock_sendmsg_nosec net/socket.c:725 [inline]
                    sock_sendmsg+0xd9/0x180 net/socket.c:748
                    __sys_sendto+0x255/0x340 net/socket.c:2134
                    __do_sys_sendto net/socket.c:2146 [inline]
                    __se_sys_sendto net/socket.c:2142 [inline]
                    __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2142
                    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
                    do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
                    entry_SYSCALL_64_after_hwframe+0x63/0xcd
   IN-SOFTIRQ-W at:
                    lock_acquire kernel/locking/lockdep.c:5761 [inline]
                    lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
                    __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
                    _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
                    spin_lock include/linux/spinlock.h:351 [inline]
                    br_forward_delay_timer_expired+0x4f/0x560 net/bridge/br_stp_timer.c:86
                    call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
                    expire_timers kernel/time/timer.c:1751 [inline]
                    __run_timers+0x764/0xb10 kernel/time/timer.c:2022
                    run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
                    __do_softirq+0x218/0x965 kernel/softirq.c:553
                    invoke_softirq kernel/softirq.c:427 [inline]
                    __irq_exit_rcu kernel/softirq.c:632 [inline]
                    irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
                    sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1109
                    asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
                    lock_acquire+0x1ef/0x510 kernel/locking/lockdep.c:5729
                    rcu_lock_acquire include/linux/rcupdate.h:303 [inline]
                    rcu_read_lock include/linux/rcupdate.h:749 [inline]
                    is_bpf_text_address+0x38/0x1a0 kernel/bpf/core.c:719
                    kernel_text_address kernel/extable.c:125 [inline]
                    kernel_text_address+0x85/0xf0 kernel/extable.c:94
                    __kernel_text_address+0xd/0x30 kernel/extable.c:79
                    unwind_get_return_address+0x55/0xa0 arch/x86/kernel/unwind_orc.c:369
                    arch_stack_walk+0x9d/0xf0 arch/x86/kernel/stacktrace.c:26
                    stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
                    kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
                    __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
                    task_work_add+0x88/0x2a0 kernel/task_work.c:48
                    fput fs/file_table.c:440 [inline]
                    fput+0xed/0x1a0 fs/file_table.c:433
                    filp_close+0x130/0x1b0 fs/open.c:1523
                    close_fd+0x76/0xa0 fs/file.c:665
                    __do_sys_close fs/open.c:1536 [inline]
                    __se_sys_close fs/open.c:1534 [inline]
                    __x64_sys_close+0x31/0x90 fs/open.c:1534
                    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
                    do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
                    entry_SYSCALL_64_after_hwframe+0x63/0xcd
   INITIAL USE at:
                   lock_acquire kernel/locking/lockdep.c:5761 [inline]
                   lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
                   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
                   _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
                   spin_lock_bh include/linux/spinlock.h:356 [inline]
                   br_add_if+0x1039/0x1bb0 net/bridge/br_if.c:682
                   do_set_master+0x1bc/0x220 net/core/rtnetlink.c:2661
                   do_setlink+0xa07/0x3fa0 net/core/rtnetlink.c:2860
                   __rtnl_newlink+0xc04/0x18c0 net/core/rtnetlink.c:3655
                   rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3702
                   rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6428
                   netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2549
                   netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
                   netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
                   netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1914
                   sock_sendmsg_nosec net/socket.c:725 [inline]
                   sock_sendmsg+0xd9/0x180 net/socket.c:748
                   __sys_sendto+0x255/0x340 net/socket.c:2134
                   __do_sys_sendto net/socket.c:2146 [inline]
                   __se_sys_sendto net/socket.c:2142 [inline]
                   __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2142
                   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
                   do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
                   entry_SYSCALL_64_after_hwframe+0x63/0xcd
 }
 ... key      at: [<ffffffff924eb040>] __key.5+0x0/0x40

the dependencies between the lock to be acquired
 and SOFTIRQ-irq-unsafe lock:
-> (&bond->stats_lock/1){+.+.}-{2:2} {
   HARDIRQ-ON-W at:
                    lock_acquire kernel/locking/lockdep.c:5761 [inline]
                    lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
                    _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
                    bond_get_stats+0x118/0x560 drivers/net/bonding/bond_main.c:4427
                    dev_get_stats+0xb5/0x470 net/core/dev.c:10424
                    rtnl_fill_stats+0x48/0xa80 net/core/rtnetlink.c:1261
                    rtnl_fill_ifinfo+0x18b5/0x47b0 net/core/rtnetlink.c:1868
                    rtmsg_ifinfo_build_skb+0x14d/0x270 net/core/rtnetlink.c:4024
                    rtmsg_ifinfo_event net/core/rtnetlink.c:4058 [inline]
                    rtmsg_ifinfo_event net/core/rtnetlink.c:4048 [inline]
                    rtnetlink_event+0xef/0x1f0 net/core/rtnetlink.c:6479
                    notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
                    call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:1962
                    call_netdevice_notifiers_extack net/core/dev.c:2000 [inline]
                    call_netdevice_notifiers net/core/dev.c:2014 [inline]
                    netdev_features_change net/core/dev.c:1325 [inline]
                    netdev_change_features+0x82/0xb0 net/core/dev.c:9805
                    bond_compute_features+0x4ec/0x810 drivers/net/bonding/bond_main.c:1496
                    bond_enslave+0x3116/0x5d00 drivers/net/bonding/bond_main.c:2219
                    do_set_master+0x1bc/0x220 net/core/rtnetlink.c:2661
                    do_setlink+0xa07/0x3fa0 net/core/rtnetlink.c:2860
                    __rtnl_newlink+0xc04/0x18c0 net/core/rtnetlink.c:3655
                    rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3702
                    rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6428
                    netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2549
                    netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
                    netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
                    netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1914
                    sock_sendmsg_nosec net/socket.c:725 [inline]
                    sock_sendmsg+0xd9/0x180 net/socket.c:748
                    __sys_sendto+0x255/0x340 net/socket.c:2134
                    __do_sys_sendto net/socket.c:2146 [inline]
                    __se_sys_sendto net/socket.c:2142 [inline]
                    __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2142
                    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
                    do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
                    entry_SYSCALL_64_after_hwframe+0x63/0xcd
   SOFTIRQ-ON-W at:
                    lock_acquire kernel/locking/lockdep.c:5761 [inline]
                    lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
                    _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
                    bond_get_stats+0x118/0x560 drivers/net/bonding/bond_main.c:4427
                    dev_get_stats+0xb5/0x470 net/core/dev.c:10424
                    rtnl_fill_stats+0x48/0xa80 net/core/rtnetlink.c:1261
                    rtnl_fill_ifinfo+0x18b5/0x47b0 net/core/rtnetlink.c:1868
                    rtmsg_ifinfo_build_skb+0x14d/0x270 net/core/rtnetlink.c:4024
                    rtmsg_ifinfo_event net/core/rtnetlink.c:4058 [inline]
                    rtmsg_ifinfo_event net/core/rtnetlink.c:4048 [inline]
                    rtnetlink_event+0xef/0x1f0 net/core/rtnetlink.c:6479
                    notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
                    call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:1962
                    call_netdevice_notifiers_extack net/core/dev.c:2000 [inline]
                    call_netdevice_notifiers net/core/dev.c:2014 [inline]
                    netdev_features_change net/core/dev.c:1325 [inline]
                    netdev_change_features+0x82/0xb0 net/core/dev.c:9805
                    bond_compute_features+0x4ec/0x810 drivers/net/bonding/bond_main.c:1496
                    bond_enslave+0x3116/0x5d00 drivers/net/bonding/bond_main.c:2219
                    do_set_master+0x1bc/0x220 net/core/rtnetlink.c:2661
                    do_setlink+0xa07/0x3fa0 net/core/rtnetlink.c:2860
                    __rtnl_newlink+0xc04/0x18c0 net/core/rtnetlink.c:3655
                    rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3702
                    rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6428
                    netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2549
                    netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
                    netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
                    netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1914
                    sock_sendmsg_nosec net/socket.c:725 [inline]
                    sock_sendmsg+0xd9/0x180 net/socket.c:748
                    __sys_sendto+0x255/0x340 net/socket.c:2134
                    __do_sys_sendto net/socket.c:2146 [inline]
                    __se_sys_sendto net/socket.c:2142 [inline]
                    __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2142
                    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
                    do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
                    entry_SYSCALL_64_after_hwframe+0x63/0xcd
   INITIAL USE at:
                   lock_acquire kernel/locking/lockdep.c:5761 [inline]
                   lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
                   _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
                   bond_get_stats+0x118/0x560 drivers/net/bonding/bond_main.c:4427
                   dev_get_stats+0xb5/0x470 net/core/dev.c:10424
                   rtnl_fill_stats+0x48/0xa80 net/core/rtnetlink.c:1261
                   rtnl_fill_ifinfo+0x18b5/0x47b0 net/core/rtnetlink.c:1868
                   rtmsg_ifinfo_build_skb+0x14d/0x270 net/core/rtnetlink.c:4024
                   rtmsg_ifinfo_event net/core/rtnetlink.c:4058 [inline]
                   rtmsg_ifinfo_event net/core/rtnetlink.c:4048 [inline]
                   rtnetlink_event+0xef/0x1f0 net/core/rtnetlink.c:6479
                   notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
                   call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:1962
                   call_netdevice_notifiers_extack net/core/dev.c:2000 [inline]
                   call_netdevice_notifiers net/core/dev.c:2014 [inline]
                   netdev_features_change net/core/dev.c:1325 [inline]
                   netdev_change_features+0x82/0xb0 net/core/dev.c:9805
                   bond_compute_features+0x4ec/0x810 drivers/net/bonding/bond_main.c:1496
                   bond_enslave+0x3116/0x5d00 drivers/net/bonding/bond_main.c:2219
                   do_set_master+0x1bc/0x220 net/core/rtnetlink.c:2661
                   do_setlink+0xa07/0x3fa0 net/core/rtnetlink.c:2860
                   __rtnl_newlink+0xc04/0x18c0 net/core/rtnetlink.c:3655
                   rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3702
                   rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6428
                   netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2549
                   netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
                   netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
                   netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1914
                   sock_sendmsg_nosec net/socket.c:725 [inline]
                   sock_sendmsg+0xd9/0x180 net/socket.c:748
                   __sys_sendto+0x255/0x340 net/socket.c:2134
                   __do_sys_sendto net/socket.c:2146 [inline]
                   __se_sys_sendto net/socket.c:2142 [inline]
                   __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2142
                   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
                   do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
                   entry_SYSCALL_64_after_hwframe+0x63/0xcd
 }
 ... key      at: [<ffffffff92432741>] __key.8+0x1/0x40
 ... acquired at:
   lock_acquire kernel/locking/lockdep.c:5761 [inline]
   lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
   _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
   bond_get_stats+0x118/0x560 drivers/net/bonding/bond_main.c:4427
   dev_get_stats+0xb5/0x470 net/core/dev.c:10424
   rtnl_fill_stats+0x48/0xa80 net/core/rtnetlink.c:1261
   rtnl_fill_ifinfo+0x18b5/0x47b0 net/core/rtnetlink.c:1868
   rtmsg_ifinfo_build_skb+0x14d/0x270 net/core/rtnetlink.c:4024
   rtmsg_ifinfo_event net/core/rtnetlink.c:4058 [inline]
   rtmsg_ifinfo_event net/core/rtnetlink.c:4048 [inline]
   rtmsg_ifinfo+0x9f/0x1a0 net/core/rtnetlink.c:4067
   __dev_notify_flags+0x24a/0x2e0 net/core/dev.c:8565
   __dev_set_promiscuity+0x269/0x580 net/core/dev.c:8339
   dev_set_promiscuity+0x52/0x150 net/core/dev.c:8359
   br_port_clear_promisc net/bridge/br_if.c:135 [inline]
   br_manage_promisc+0x3f2/0x510 net/bridge/br_if.c:172
   nbp_update_port_count net/bridge/br_if.c:242 [inline]
   br_port_flags_change+0x185/0x1e0 net/bridge/br_if.c:761
   br_setport+0xb7e/0x16f0 net/bridge/br_netlink.c:993
   br_port_slave_changelink net/bridge/br_netlink.c:1200 [inline]
   br_port_slave_changelink+0xdd/0x190 net/bridge/br_netlink.c:1187
   __rtnl_newlink+0xbc6/0x18c0 net/core/rtnetlink.c:3648
   rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3702
   rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6428
   netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2549
   netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
   netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
   netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1914
   sock_sendmsg_nosec net/socket.c:725 [inline]
   sock_sendmsg+0xd9/0x180 net/socket.c:748
   ____sys_sendmsg+0x6ac/0x940 net/socket.c:2494
   ___sys_sendmsg+0x135/0x1d0 net/socket.c:2548
   __sys_sendmsg+0x117/0x1e0 net/socket.c:2577
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd


stack backtrace:
CPU: 0 PID: 29194 Comm: syz-executor.5 Not tainted 6.5.0-rc4-syzkaller-00186-gd14eea09edf4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_bad_irq_dependency kernel/locking/lockdep.c:2634 [inline]
 check_irq_usage+0x10b8/0x1c70 kernel/locking/lockdep.c:2873
 check_prev_add kernel/locking/lockdep.c:3146 [inline]
 check_prevs_add kernel/locking/lockdep.c:3261 [inline]
 validate_chain kernel/locking/lockdep.c:3876 [inline]
 __lock_acquire+0x2e53/0x5de0 kernel/locking/lockdep.c:5144
 lock_acquire kernel/locking/lockdep.c:5761 [inline]
 lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
 _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
 bond_get_stats+0x118/0x560 drivers/net/bonding/bond_main.c:4427
 dev_get_stats+0xb5/0x470 net/core/dev.c:10424
 rtnl_fill_stats+0x48/0xa80 net/core/rtnetlink.c:1261
 rtnl_fill_ifinfo+0x18b5/0x47b0 net/core/rtnetlink.c:1868
 rtmsg_ifinfo_build_skb+0x14d/0x270 net/core/rtnetlink.c:4024
 rtmsg_ifinfo_event net/core/rtnetlink.c:4058 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4048 [inline]
 rtmsg_ifinfo+0x9f/0x1a0 net/core/rtnetlink.c:4067
 __dev_notify_flags+0x24a/0x2e0 net/core/dev.c:8565
 __dev_set_promiscuity+0x269/0x580 net/core/dev.c:8339
 dev_set_promiscuity+0x52/0x150 net/core/dev.c:8359
 br_port_clear_promisc net/bridge/br_if.c:135 [inline]
 br_manage_promisc+0x3f2/0x510 net/bridge/br_if.c:172
 nbp_update_port_count net/bridge/br_if.c:242 [inline]
 br_port_flags_change+0x185/0x1e0 net/bridge/br_if.c:761
 br_setport+0xb7e/0x16f0 net/bridge/br_netlink.c:993
 br_port_slave_changelink net/bridge/br_netlink.c:1200 [inline]
 br_port_slave_changelink+0xdd/0x190 net/bridge/br_netlink.c:1187
 __rtnl_newlink+0xbc6/0x18c0 net/core/rtnetlink.c:3648
 rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3702
 rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6428
 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2549
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1914
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0xd9/0x180 net/socket.c:748
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2494
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2548
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2577
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8f9aa7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8f9b7360c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8f9ab9bf80 RCX: 00007f8f9aa7cae9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 000000000000000b
RBP: 00007f8f9aac847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f8f9ab9bf80 R15: 00007fff1934f968
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change the bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
