BUG: sleeping function called from invalid context in __ipv6_dev_mc

BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
Status: upstream: reported C repro on 2021/05/03 17:10
Reported-by: syzbot+7d941e89dd48bcf42573@syzkaller.appspotmail.com
Fix commit: rtnetlink: avoid RCU read lock when holding RTNL
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce], missing on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 11d, last: 2d00h

Cause bisection: introduced by (bisect log) :
commit f185de28d9ae6c978135993769352e523ee8df06
Author: Taehee Yoo <ap420073@gmail.com>
Date: Thu Mar 25 16:16:56 2021 +0000

mld: add new workqueues for process mld events

Crash: WARNING: suspicious RCU usage in igmp6_group_dropped (log)
Repro: C syz .config

Patch testing requests:
Created	Duration	User	Repo	Result
2021/05/06 19:41	20m	xiyou.wangcong@gmail.com	https://github.com/congwang/linux.git net	OK
2021/05/05 21:21	19m	xiyou.wangcong@gmail.com	https://github.com/congwang/linux.git net	OK
2021/05/05 20:29	20m	xiyou.wangcong@gmail.com	https://github.com/congwang/linux.git net	OK
2021/05/05 20:00	10m	xiyou.wangcong@gmail.com	https://github.com/congwang/linux.git net	error

Sample crash report:

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:928
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 9797, name: syz-executor058
2 locks held by syz-executor058/9797:
 #0: ffffffff8d6730a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0: ffffffff8d6730a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x3f9/0xad0 net/core/rtnetlink.c:5559
 #1: ffffffff8bf74520 (rcu_read_lock){....}-{1:2}, at: nla_ok include/net/netlink.h:1159 [inline]
 #1: ffffffff8bf74520 (rcu_read_lock){....}-{1:2}, at: do_setlink+0x27d0/0x3af0 net/core/rtnetlink.c:2868
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 9797 Comm: syz-executor058 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:8328
 __mutex_lock_common kernel/locking/mutex.c:928 [inline]
 __mutex_lock+0xa9/0x1120 kernel/locking/mutex.c:1096
 __ipv6_dev_mc_dec+0x5f/0x340 net/ipv6/mcast.c:965
 addrconf_leave_solict net/ipv6/addrconf.c:2182 [inline]
 addrconf_leave_solict net/ipv6/addrconf.c:2174 [inline]
 __ipv6_ifa_notify+0x5b6/0xa90 net/ipv6/addrconf.c:6099
 ipv6_ifa_notify net/ipv6/addrconf.c:6122 [inline]
 ipv6_del_addr+0x463/0xae0 net/ipv6/addrconf.c:1294
 addrconf_verify_rtnl+0xdbc/0x1220 net/ipv6/addrconf.c:4489
 inet6_set_iftoken net/ipv6/addrconf.c:5757 [inline]
 inet6_set_link_af+0x53c/0xc40 net/ipv6/addrconf.c:5833
 do_setlink+0x290d/0x3af0 net/core/rtnetlink.c:2875
 __rtnl_newlink+0xdcf/0x1710 net/core/rtnetlink.c:3385
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4437a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff53d90558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fff53d90580 RCX: 00000000004437a9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 000000000000000d R11: 0000000000000246 R12: 00007fff53d90570
R13: 00000000000f4240 R14: 0000000000011e5e R15: 00007fff53d90564

=============================
[ BUG: Invalid wait context ]
5.12.0-rc7-syzkaller #0 Tainted: G        W        
-----------------------------
syz-executor058/9797 is trying to lock:
ffff8880188c4530 (&idev->mc_lock){+.+.}-{3:3}, at: __ipv6_dev_mc_dec+0x5f/0x340 net/ipv6/mcast.c:965
other info that might help us debug this:
context-{4:4}
2 locks held by syz-executor058/9797:
 #0: ffffffff8d6730a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0: ffffffff8d6730a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x3f9/0xad0 net/core/rtnetlink.c:5559
 #1: ffffffff8bf74520 (rcu_read_lock){....}-{1:2}, at: nla_ok include/net/netlink.h:1159 [inline]
 #1: ffffffff8bf74520 (rcu_read_lock){....}-{1:2}, at: do_setlink+0x27d0/0x3af0 net/core/rtnetlink.c:2868
stack backtrace:
CPU: 1 PID: 9797 Comm: syz-executor058 Tainted: G        W         5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4552 [inline]
 check_wait_context kernel/locking/lockdep.c:4613 [inline]
 __lock_acquire.cold+0x219/0x3b4 kernel/locking/lockdep.c:4851
 lock_acquire kernel/locking/lockdep.c:5511 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5476
 __mutex_lock_common kernel/locking/mutex.c:949 [inline]
 __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
 __ipv6_dev_mc_dec+0x5f/0x340 net/ipv6/mcast.c:965
 addrconf_leave_solict net/ipv6/addrconf.c:2182 [inline]
 addrconf_leave_solict net/ipv6/addrconf.c:2174 [inline]
 __ipv6_ifa_notify+0x5b6/0xa90 net/ipv6/addrconf.c:6099
 ipv6_ifa_notify net/ipv6/addrconf.c:6122 [inline]
 ipv6_del_addr+0x463/0xae0 net/ipv6/addrconf.c:1294
 addrconf_verify_rtnl+0xdbc/0x1220 net/ipv6/addrconf.c:4489
 inet6_set_iftoken net/ipv6/addrconf.c:5757 [inline]
 inet6_set_link_af+0x53c/0xc40 net/ipv6/addrconf.c:5833
 do_setlink+0x290d/0x3af0 net/core/rtnetlink.c:2875
 __rtnl_newlink+0xdcf/0x1710 net/core/rtnetlink.c:3385
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4437a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff53d90558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fff53d90580 RCX: 00000000004437a9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 000000000000000d R11: 0000000000000246 R12: 00007fff53d90570
R13: 00000000000f4240 R14: 0000000000011e5e R15: 00007fff53d90564
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:197
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 9797, name: syz-executor058
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffffff87026ff3>] local_bh_disable include/linux/bottom_half.h:19 [inline]
[<ffffffff87026ff3>] netif_addr_lock_bh include/linux/netdevice.h:4549 [inline]
[<ffffffff87026ff3>] __dev_mc_del net/core/dev_addr_lists.c:814 [inline]
[<ffffffff87026ff3>] dev_mc_del+0x63/0x110 net/core/dev_addr_lists.c:833
CPU: 1 PID: 9797 Comm: syz-executor058 Tainted: G        W         5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:8328
 might_alloc include/linux/sched/mm.h:197 [inline]
 slab_pre_alloc_hook mm/slab.h:497 [inline]
 slab_alloc_node mm/slub.c:2826 [inline]
 slab_alloc mm/slub.c:2915 [inline]
 kmem_cache_alloc_trace+0x263/0x2a0 mm/slub.c:2932
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 mld_add_delrec net/ipv6/mcast.c:737 [inline]
 igmp6_leave_group net/ipv6/mcast.c:2629 [inline]
 igmp6_group_dropped+0x4f7/0xe90 net/ipv6/mcast.c:717
 __ipv6_dev_mc_dec+0x25d/0x340 net/ipv6/mcast.c:973
 addrconf_leave_solict net/ipv6/addrconf.c:2182 [inline]
 addrconf_leave_solict net/ipv6/addrconf.c:2174 [inline]
 __ipv6_ifa_notify+0x5b6/0xa90 net/ipv6/addrconf.c:6099
 ipv6_ifa_notify net/ipv6/addrconf.c:6122 [inline]
 ipv6_del_addr+0x463/0xae0 net/ipv6/addrconf.c:1294
 addrconf_verify_rtnl+0xdbc/0x1220 net/ipv6/addrconf.c:4489
 inet6_set_iftoken net/ipv6/addrconf.c:5757 [inline]
 inet6_set_link_af+0x53c/0xc40 net/ipv6/addrconf.c:5833
 do_setlink+0x290d/0x3af0 net/core/rtnetlink.c:2875
 __rtnl_newlink+0xdcf/0x1710 net/core/rtnetlink.c:3385
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4437a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff53d90558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fff53d90580 RCX: 00000000004437a9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 000000000000000d R11: 0000000000000246 R12: 00007fff53d90570
R13: 00000000000f4240 R14: 0000000000011e5e R15: 00007fff53d90564

Crashes (7):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-net-kasan-gce	2021/05/03 11:44	net-next	95aafe91	77e2b668	.config	log	report	syz	C		BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-kasan-gce	2021/05/03 04:58	net-next	95aafe91	77e2b668	.config	log	report	syz	C		BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-kasan-gce-selinux-root	2021/05/11 22:13	upstream	88b06399	b3c3bb8e	.config	log	report			info	BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-this-kasan-gce	2021/05/09 12:14	net	b7415964	bc5434be	.config	log	report			info	BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-kasan-gce	2021/05/11 00:42	net-next	48de7c0c	ca873091	.config	log	report			info	BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-net-kasan-gce	2021/05/02 21:43	net-next	95aafe91	77e2b668	.config	log	report			info	BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec
ci-upstream-linux-next-kasan-gce-root	2021/05/10 14:06	linux-next	e6f67ebd	ca873091	.config	log	report			info	BUG: sleeping function called from invalid context in __ipv6_dev_mc_dec