syzbot

======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.1706/7753 is trying to acquire lock:
ffffffff9088c678 (nr_node_list_lock){+...}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:347 [inline]
ffffffff9088c678 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xd3/0x820 net/netrom/nr_route.c:517

but task is already holding lock:
ffffffff9088c618 (nr_neigh_list_lock){+...}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:347 [inline]
ffffffff9088c618 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x2c/0x820 net/netrom/nr_route.c:514

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (nr_neigh_list_lock){+...}-{3:3}:
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
       _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
       spin_lock_bh include/linux/spinlock.h:347 [inline]
       nr_remove_neigh net/netrom/nr_route.c:307 [inline]
       nr_dec_obs net/netrom/nr_route.c:472 [inline]
       nr_rt_ioctl+0x6e2/0x29e0 net/netrom/nr_route.c:692
       nr_ioctl+0x16e/0x2d0 net/netrom/af_netrom.c:1254
       sock_do_ioctl+0x118/0x280 net/socket.c:1254
       sock_ioctl+0x599/0x6b0 net/socket.c:1375
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl fs/ioctl.c:583 [inline]
       __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (&nr_node->node_lock){+...}-{3:3}:
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
       _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
       spin_lock_bh include/linux/spinlock.h:347 [inline]
       nr_node_lock include/net/netrom.h:152 [inline]
       nr_dec_obs net/netrom/nr_route.c:459 [inline]
       nr_rt_ioctl+0x29b/0x29e0 net/netrom/nr_route.c:692
       nr_ioctl+0x16e/0x2d0 net/netrom/af_netrom.c:1254
       sock_do_ioctl+0x118/0x280 net/socket.c:1254
       sock_ioctl+0x599/0x6b0 net/socket.c:1375
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl fs/ioctl.c:583 [inline]
       __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (nr_node_list_lock){+...}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain kernel/locking/lockdep.c:3908 [inline]
       __lock_acquire+0x14b8/0x2630 kernel/locking/lockdep.c:5237
       lock_acquire kernel/locking/lockdep.c:5868 [inline]
       lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
       _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
       spin_lock_bh include/linux/spinlock.h:347 [inline]
       nr_rt_device_down+0xd3/0x820 net/netrom/nr_route.c:517
       nr_device_event+0x126/0x170 net/netrom/af_netrom.c:126
       notifier_call_chain+0x99/0x420 kernel/notifier.c:85
       call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249
       call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
       call_netdevice_notifiers net/core/dev.c:2301 [inline]
       __dev_notify_flags+0x1f7/0x2e0 net/core/dev.c:9805
       netif_change_flags+0x108/0x160 net/core/dev.c:9832
       dev_change_flags+0xba/0x250 net/core/dev_api.c:68
       dev_ifsioc+0x1682/0x1f20 net/core/dev_ioctl.c:555
       dev_ioctl+0x342/0x10e0 net/core/dev_ioctl.c:814
       sock_do_ioctl+0x1a0/0x280 net/socket.c:1268
       sock_ioctl+0x599/0x6b0 net/socket.c:1375
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl fs/ioctl.c:583 [inline]
       __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  nr_node_list_lock --> &nr_node->node_lock --> nr_neigh_list_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(nr_neigh_list_lock);
                               lock(&nr_node->node_lock);
                               lock(nr_neigh_list_lock);
  lock(nr_node_list_lock);

 *** DEADLOCK ***

2 locks held by syz.0.1706/7753:
 #0: ffffffff906114a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #0: ffffffff906114a8 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x331/0x10e0 net/core/dev_ioctl.c:813
 #1: ffffffff9088c618 (nr_neigh_list_lock){+...}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:347 [inline]
 #1: ffffffff9088c618 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x2c/0x820 net/netrom/nr_route.c:514

stack backtrace:
CPU: 0 UID: 0 PID: 7753 Comm: syz.0.1706 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_circular_bug.cold+0x178/0x1c7 kernel/locking/lockdep.c:2043
 check_noncircular+0x146/0x160 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain kernel/locking/lockdep.c:3908 [inline]
 __lock_acquire+0x14b8/0x2630 kernel/locking/lockdep.c:5237
 lock_acquire kernel/locking/lockdep.c:5868 [inline]
 lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
 _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:347 [inline]
 nr_rt_device_down+0xd3/0x820 net/netrom/nr_route.c:517
 nr_device_event+0x126/0x170 net/netrom/af_netrom.c:126
 notifier_call_chain+0x99/0x420 kernel/notifier.c:85
 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249
 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
 call_netdevice_notifiers net/core/dev.c:2301 [inline]
 __dev_notify_flags+0x1f7/0x2e0 net/core/dev.c:9805
 netif_change_flags+0x108/0x160 net/core/dev.c:9832
 dev_change_flags+0xba/0x250 net/core/dev_api.c:68
 dev_ifsioc+0x1682/0x1f20 net/core/dev_ioctl.c:555
 dev_ioctl+0x342/0x10e0 net/core/dev_ioctl.c:814
 sock_do_ioctl+0x1a0/0x280 net/socket.c:1268
 sock_ioctl+0x599/0x6b0 net/socket.c:1375
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f622bb9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff1d2b29b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f622be15fa0 RCX: 00007f622bb9c799
RDX: 0000200000000000 RSI: 0000000000008914 RDI: 0000000000000004
RBP: 00007f622bc32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f622be15fac R14: 00007f622be15fa0 R15: 00007f622be15fa0
 </TASK>