============================================
WARNING: possible recursive locking detected
6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 Not tainted
--------------------------------------------
syz-executor/5857 is trying to acquire lock:
ffff88805c3eaf30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff88805c3eaf30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x18a/0x210 net/hsr/hsr_device.c:234
but task is already holding lock:
ffff888078d84f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff888078d84f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x18a/0x210 net/hsr/hsr_device.c:234
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&hsr->seqnr_lock);
lock(&hsr->seqnr_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
16 locks held by syz-executor/5857:
#0: ffffffff8edf6270 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1733 [inline]
#0: ffffffff8edf6270 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm+0x1d6/0x22c0 kernel/fork.c:1786
#1: ffff88807a118be0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:146 [inline]
#1: ffff88807a118be0 (&mm->mmap_lock){++++}-{4:4}, at: dup_mmap kernel/fork.c:620 [inline]
#1: ffff88807a118be0 (&mm->mmap_lock){++++}-{4:4}, at: dup_mm kernel/fork.c:1734 [inline]
#1: ffff88807a118be0 (&mm->mmap_lock){++++}-{4:4}, at: copy_mm+0x2a8/0x22c0 kernel/fork.c:1786
#2: ffff888028da33e0 (&mm->mmap_lock/1){+.+.}-{4:4}, at: mmap_write_lock_nested include/linux/mmap_lock.h:136 [inline]
#2: ffff888028da33e0 (&mm->mmap_lock/1){+.+.}-{4:4}, at: dup_mmap kernel/fork.c:627 [inline]
#2: ffff888028da33e0 (&mm->mmap_lock/1){+.+.}-{4:4}, at: dup_mm kernel/fork.c:1734 [inline]
#2: ffff888028da33e0 (&mm->mmap_lock/1){+.+.}-{4:4}, at: copy_mm+0x449/0x22c0 kernel/fork.c:1786
#3: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#3: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#3: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: ___pte_offset_map+0x84/0x350 mm/pgtable-generic.c:287
#4: ffff8880359cecd8 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#4: ffff8880359cecd8 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: __pte_offset_map_lock+0x1bd/0x310 mm/pgtable-generic.c:402
#5: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#5: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#5: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: ___pte_offset_map+0x84/0x350 mm/pgtable-generic.c:287
#6: ffff8880765b7d38 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_pte_range+0x3b5/0x6680 mm/memory.c:1119
#7: ffffc90000007bc0 ((&ndev->rs_timer)){+.-.}-{0:0}, at: call_timer_fn+0xc2/0x650 kernel/time/timer.c:1786
#8: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#8: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#8: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: ndisc_send_skb+0x1ef/0x1560 net/ipv6/ndisc.c:484
#9: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#9: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#9: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: ip6_finish_output2+0x701/0x1750 net/ipv6/ip6_output.c:126
#10: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
#10: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:892 [inline]
#10: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x2f9/0x3f60 net/core/dev.c:4552
#11: ffff888078d84f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#11: ffff888078d84f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x18a/0x210 net/hsr/hsr_device.c:234
#12: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#12: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#12: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: hsr_forward_skb+0xb8/0x2d20 net/hsr/hsr_forward.c:728
#13: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
#13: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:892 [inline]
#13: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x2f9/0x3f60 net/core/dev.c:4552
#14: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#14: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#14: ffffffff8ed3dfa0 (rcu_read_lock){....}-{1:3}, at: br_dev_xmit+0x220/0x1c00 net/bridge/br_device.c:52
#15: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
#15: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:892 [inline]
#15: ffffffff8ed3e000 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x2f9/0x3f60 net/core/dev.c:4552
stack backtrace:
CPU: 0 UID: 0 PID: 5857 Comm: syz-executor Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_deadlock_bug+0x2be/0x2d0 kernel/locking/lockdep.c:3042
check_deadlock kernel/locking/lockdep.c:3094 [inline]
validate_chain+0x928/0x24e0 kernel/locking/lockdep.c:3896
__lock_acquire+0xad5/0xd80 kernel/locking/lockdep.c:5235
lock_acquire+0x116/0x2f0 kernel/locking/lockdep.c:5866
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:356 [inline]
hsr_dev_xmit+0x18a/0x210 net/hsr/hsr_device.c:234
__netdev_start_xmit include/linux/netdevice.h:5203 [inline]
netdev_start_xmit include/linux/netdevice.h:5212 [inline]
xmit_one net/core/dev.c:3774 [inline]
dev_hard_start_xmit+0x2d4/0x840 net/core/dev.c:3790
__dev_queue_xmit+0x1b80/0x3f60 net/core/dev.c:4627
dev_queue_xmit include/linux/netdevice.h:3350 [inline]
br_dev_queue_push_xmit+0x771/0x950 net/bridge/br_forward.c:53
NF_HOOK+0x3ac/0x460 include/linux/netfilter.h:314
br_forward_finish+0xd8/0x130 net/bridge/br_forward.c:66
NF_HOOK+0x3ac/0x460 include/linux/netfilter.h:314
__br_forward+0x46a/0x640 net/bridge/br_forward.c:115
deliver_clone net/bridge/br_forward.c:131 [inline]
maybe_deliver+0xb3/0x150 net/bridge/br_forward.c:190
br_flood+0x2e4/0x680 net/bridge/br_forward.c:237
br_dev_xmit+0x12ac/0x1c00 net/bridge/br_device.c:-1
__netdev_start_xmit include/linux/netdevice.h:5203 [inline]
netdev_start_xmit include/linux/netdevice.h:5212 [inline]
xmit_one net/core/dev.c:3774 [inline]
dev_hard_start_xmit+0x2d4/0x840 net/core/dev.c:3790
__dev_queue_xmit+0x1b80/0x3f60 net/core/dev.c:4627
dev_queue_xmit include/linux/netdevice.h:3350 [inline]
hsr_xmit net/hsr/hsr_forward.c:430 [inline]
hsr_forward_do net/hsr/hsr_forward.c:571 [inline]
hsr_forward_skb+0x184c/0x2d20 net/hsr/hsr_forward.c:733
hsr_dev_xmit+0x195/0x210 net/hsr/hsr_device.c:235
__netdev_start_xmit include/linux/netdevice.h:5203 [inline]
netdev_start_xmit include/linux/netdevice.h:5212 [inline]
xmit_one net/core/dev.c:3774 [inline]
dev_hard_start_xmit+0x2d4/0x840 net/core/dev.c:3790
__dev_queue_xmit+0x1b80/0x3f60 net/core/dev.c:4627
neigh_output include/net/neighbour.h:539 [inline]
ip6_finish_output2+0x1296/0x1750 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x421/0x840 net/ipv6/ip6_output.c:226
NF_HOOK include/linux/netfilter.h:314 [inline]
ndisc_send_skb+0xb58/0x1560 net/ipv6/ndisc.c:513
addrconf_rs_timer+0x380/0x680 net/ipv6/addrconf.c:4038
call_timer_fn+0x189/0x650 kernel/time/timer.c:1789
expire_timers kernel/time/timer.c:1840 [inline]
__run_timers kernel/time/timer.c:2414 [inline]
__run_timer_base+0x66e/0x8e0 kernel/time/timer.c:2426
run_timer_base kernel/time/timer.c:2435 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2445
handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xfb/0x220 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:rcu_preempt_read_exit kernel/rcu/tree_plugin.h:396 [inline]
RIP: 0010:__rcu_read_unlock+0x34/0x110 kernel/rcu/tree_plugin.h:435
Code: 55 41 54 53 49 bc 00 00 00 00 00 fc ff df 65 4c 8b 34 25 08 c0 68 93 4d 8d ae 44 04 00 00 4c 89 eb 48 c1 eb 03 42 0f b6 04 23 <84> c0 75 6b 41 8b 6d 00 ff cd 42 0f b6 04 23 84 c0 75 76 41 89 6d
RSP: 0018:ffffc900040bf1c8 EFLAGS: 00000a03
RAX: 0000000000000000 RBX: 1ffff1100be9e808 RCX: 0000000000000007
RDX: 0000000000000000 RSI: ffffffff8e4fde5e RDI: ffffffff8ca1b4a0
RBP: ffffc900040bf2b0 R08: ffffffff82395ed9 R09: 1ffff11003c995b3
R10: dffffc0000000000 R11: ffffed1003c995b4 R12: dffffc0000000000
R13: ffff88805f4f4044 R14: ffff88805f4f3c00 R15: 1ffff92000817e48
__page_table_check_ptes_set+0x365/0x400 mm/page_table_check.c:209
page_table_check_ptes_set include/linux/page_table_check.h:74 [inline]
set_ptes include/linux/pgtable.h:292 [inline]
__copy_present_ptes mm/memory.c:961 [inline]
copy_present_ptes mm/memory.c:1044 [inline]
copy_pte_range+0x46ee/0x6680 mm/memory.c:1167
copy_pmd_range mm/memory.c:1255 [inline]
copy_pud_range mm/memory.c:1292 [inline]
copy_p4d_range mm/memory.c:1316 [inline]
copy_page_range+0xe57/0x13a0 mm/memory.c:1410
dup_mmap kernel/fork.c:726 [inline]
dup_mm kernel/fork.c:1734 [inline]
copy_mm+0x130d/0x22c0 kernel/fork.c:1786
copy_process+0x17de/0x3d10 kernel/fork.c:2429
kernel_clone+0x242/0x930 kernel/fork.c:2844
__do_compat_sys_ia32_clone arch/x86/kernel/sys_ia32.c:254 [inline]
__se_compat_sys_ia32_clone arch/x86/kernel/sys_ia32.c:240 [inline]
__ia32_compat_sys_ia32_clone+0x266/0x2e0 arch/x86/kernel/sys_ia32.c:240
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb4/0x110 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:331
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf744d579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f759fcbc EFLAGS: 00000206 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000580524a8
RBP: 00000000f743dff4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess):
0: 55 push %rbp
1: 41 54 push %r12
3: 53 push %rbx
4: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
b: fc ff df
e: 65 4c 8b 34 25 08 c0 mov %gs:0xffffffff9368c008,%r14
15: 68 93
17: 4d 8d ae 44 04 00 00 lea 0x444(%r14),%r13
1e: 4c 89 eb mov %r13,%rbx
21: 48 c1 eb 03 shr $0x3,%rbx
25: 42 0f b6 04 23 movzbl (%rbx,%r12,1),%eax
* 2a: 84 c0 test %al,%al <-- trapping instruction
2c: 75 6b jne 0x99
2e: 41 8b 6d 00 mov 0x0(%r13),%ebp
32: ff cd dec %ebp
34: 42 0f b6 04 23 movzbl (%rbx,%r12,1),%eax
39: 84 c0 test %al,%al
3b: 75 76 jne 0xb3
3d: 41 rex.B
3e: 89 .byte 0x89
3f: 6d insl (%dx),%es:(%rdi)