device dummy0 entered promiscuous mode
device nlmon0 entered promiscuous mode
device caif0 entered promiscuous mode
device batadv0 entered promiscuous mode
device vxcan0 entered promiscuous mode
======================================================
WARNING: possible circular locking dependency detected
6.2.0-syzkaller-00081-g91bc559d8d3a #0 Not tainted
------------------------------------------------------
syz-executor.4/23163 is trying to acquire lock:
ffff88802eea55c8 (&jsk->sk_session_queue_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:355 [inline]
ffff88802eea55c8 (&jsk->sk_session_queue_lock){+.-.}-{2:2}, at: j1939_sk_queue_drop_all+0x3b/0x2f0 net/can/j1939/socket.c:139

but task is already holding lock:
ffff8880798f90d0 (&priv->j1939_socks_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:355 [inline]
ffff8880798f90d0 (&priv->j1939_socks_lock){+.-.}-{2:2}, at: j1939_sk_netdev_event_netdown+0x2c/0x160 net/can/j1939/socket.c:1269

which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:

-> #2 (&priv->j1939_socks_lock){+.-.}-{2:2}:
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
       _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
       spin_lock_bh include/linux/spinlock.h:355 [inline]
       j1939_sk_errqueue+0xa3/0x1a0 net/can/j1939/socket.c:1081
       __j1939_session_cancel+0x3b9/0x460 net/can/j1939/transport.c:1128
       j1939_tp_rxtimer.cold+0x19a/0x1e6 net/can/j1939/transport.c:1253
       __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
       __hrtimer_run_queues+0x690/0xfb0 kernel/time/hrtimer.c:1749
       hrtimer_run_softirq+0x17f/0x360 kernel/time/hrtimer.c:1766
       __do_softirq+0x1fb/0xadc kernel/softirq.c:571
       run_ksoftirqd kernel/softirq.c:934 [inline]
       run_ksoftirqd+0x31/0x60 kernel/softirq.c:926
       smpboot_thread_fn+0x659/0xa20 kernel/smpboot.c:164
       kthread+0x2e8/0x3a0 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

-> #1 (&priv->active_session_list_lock){+.-.}-{2:2}:
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
       _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
       spin_lock_bh include/linux/spinlock.h:355 [inline]
       j1939_session_list_lock net/can/j1939/transport.c:238 [inline]
       j1939_session_activate+0x47/0x4b0 net/can/j1939/transport.c:1557
       j1939_sk_queue_activate_next_locked net/can/j1939/socket.c:181 [inline]
       j1939_sk_queue_activate_next+0x1b6/0x450 net/can/j1939/socket.c:208
       j1939_session_deactivate_activate_next+0x69/0x72 net/can/j1939/transport.c:1105
       j1939_xtp_rx_abort_one.cold+0x301/0x403 net/can/j1939/transport.c:1344
       j1939_xtp_rx_abort net/can/j1939/transport.c:1355 [inline]
       j1939_tp_cmd_recv net/can/j1939/transport.c:2104 [inline]
       j1939_tp_recv+0xb63/0xcd0 net/can/j1939/transport.c:2137
       j1939_can_recv net/can/j1939/main.c:112 [inline]
       j1939_can_recv+0x78e/0xa30 net/can/j1939/main.c:38
       deliver net/can/af_can.c:572 [inline]
       can_rcv_filter+0x5d4/0x8d0 net/can/af_can.c:606
       can_receive+0x31d/0x580 net/can/af_can.c:663
       can_rcv+0x1e1/0x230 net/can/af_can.c:687
       __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5474
       __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5588
       process_backlog+0x3e4/0x810 net/core/dev.c:5916
       __napi_poll+0xb8/0x770 net/core/dev.c:6477
       napi_poll net/core/dev.c:6544 [inline]
       net_rx_action+0xa00/0xde0 net/core/dev.c:6655
       __do_softirq+0x1fb/0xadc kernel/softirq.c:571
       run_ksoftirqd kernel/softirq.c:934 [inline]
       run_ksoftirqd+0x31/0x60 kernel/softirq.c:926
       smpboot_thread_fn+0x659/0xa20 kernel/smpboot.c:164
       kthread+0x2e8/0x3a0 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

-> #0 (&jsk->sk_session_queue_lock){+.-.}-{2:2}:
       check_prev_add kernel/locking/lockdep.c:3097 [inline]
       check_prevs_add kernel/locking/lockdep.c:3216 [inline]
       validate_chain kernel/locking/lockdep.c:3831 [inline]
       __lock_acquire+0x2a43/0x56d0 kernel/locking/lockdep.c:5055
       lock_acquire kernel/locking/lockdep.c:5668 [inline]
       lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
       _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
       spin_lock_bh include/linux/spinlock.h:355 [inline]
       j1939_sk_queue_drop_all+0x3b/0x2f0 net/can/j1939/socket.c:139
       j1939_sk_netdev_event_netdown+0x7f/0x160 net/can/j1939/socket.c:1275
       j1939_netdev_notify+0x19d/0x1d0 net/can/j1939/main.c:379
       notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
       call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1936
       call_netdevice_notifiers_extack net/core/dev.c:1974 [inline]
       call_netdevice_notifiers net/core/dev.c:1988 [inline]
       __dev_notify_flags+0x1ea/0x2d0 net/core/dev.c:8563
       dev_change_flags+0x11b/0x170 net/core/dev.c:8599
       do_setlink+0x9f1/0x3bb0 net/core/rtnetlink.c:2827
       rtnl_group_changelink net/core/rtnetlink.c:3344 [inline]
       __rtnl_newlink+0xb90/0x1840 net/core/rtnetlink.c:3600
       rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3637
       rtnetlink_rcv_msg+0x43e/0xca0 net/core/rtnetlink.c:6141
       netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
       netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
       netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
       netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       ____sys_sendmsg+0x712/0x8c0 net/socket.c:2479
       ___sys_sendmsg+0x110/0x1b0 net/socket.c:2533
       __sys_sendmsg+0xf7/0x1c0 net/socket.c:2562
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

Chain exists of:
  &jsk->sk_session_queue_lock --> &priv->active_session_list_lock --> &priv->j1939_socks_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&priv->j1939_socks_lock);
                               lock(&priv->active_session_list_lock);
                               lock(&priv->j1939_socks_lock);
  lock(&jsk->sk_session_queue_lock);

 *** DEADLOCK ***

2 locks held by syz-executor.4/23163:
 #0: ffffffff8e0e0b28 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:75 [inline]
 #0: ffffffff8e0e0b28 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x3e9/0xca0 net/core/rtnetlink.c:6138
 #1: ffff8880798f90d0 (&priv->j1939_socks_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:355 [inline]
 #1: ffff8880798f90d0 (&priv->j1939_socks_lock){+.-.}-{2:2}, at: j1939_sk_netdev_event_netdown+0x2c/0x160 net/can/j1939/socket.c:1269

stack backtrace:
CPU: 0 PID: 23163 Comm: syz-executor.4 Not tainted 6.2.0-syzkaller-00081-g91bc559d8d3a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2177
 check_prev_add kernel/locking/lockdep.c:3097 [inline]
 check_prevs_add kernel/locking/lockdep.c:3216 [inline]
 validate_chain kernel/locking/lockdep.c:3831 [inline]
 __lock_acquire+0x2a43/0x56d0 kernel/locking/lockdep.c:5055
 lock_acquire kernel/locking/lockdep.c:5668 [inline]
 lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:355 [inline]
 j1939_sk_queue_drop_all+0x3b/0x2f0 net/can/j1939/socket.c:139
 j1939_sk_netdev_event_netdown+0x7f/0x160 net/can/j1939/socket.c:1275
 j1939_netdev_notify+0x19d/0x1d0 net/can/j1939/main.c:379
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1936
 call_netdevice_notifiers_extack net/core/dev.c:1974 [inline]
 call_netdevice_notifiers net/core/dev.c:1988 [inline]
 __dev_notify_flags+0x1ea/0x2d0 net/core/dev.c:8563
 dev_change_flags+0x11b/0x170 net/core/dev.c:8599
 do_setlink+0x9f1/0x3bb0 net/core/rtnetlink.c:2827
 rtnl_group_changelink net/core/rtnetlink.c:3344 [inline]
 __rtnl_newlink+0xb90/0x1840 net/core/rtnetlink.c:3600
 rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3637
 rtnetlink_rcv_msg+0x43e/0xca0 net/core/rtnetlink.c:6141
 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xd3/0x120 net/socket.c:734
 ____sys_sendmsg+0x712/0x8c0 net/socket.c:2479
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2533
 __sys_sendmsg+0xf7/0x1c0 net/socket.c:2562
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7fa648c0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7fa7281168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7fa65ac050 RCX: 00007f7fa648c0f9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f7fa64e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7fa66cfb1f R14: 00007f7fa7281300 R15: 0000000000022000
device vxcan1 entered promiscuous mode
device veth0 entered promiscuous mode
device veth1 entered promiscuous mode
device wg0 entered promiscuous mode
device wg1 entered promiscuous mode
device wg2 entered promiscuous mode
device veth0_to_bridge entered promiscuous mode
device veth1_to_bridge entered promiscuous mode
device veth0_to_bond entered promiscuous mode
device veth1_to_bond entered promiscuous mode
device veth0_to_team entered promiscuous mode
device veth1_to_team entered promiscuous mode
device veth0_to_batadv entered promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
device batadv_slave_0 entered promiscuous mode
device veth1_to_batadv entered promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_1
device batadv_slave_1 entered promiscuous mode
device xfrm0 entered promiscuous mode
device veth0_to_hsr entered promiscuous mode
device veth1_to_hsr entered promiscuous mode
device hsr0 entered promiscuous mode
device veth1_virt_wifi entered promiscuous mode
device veth0_virt_wifi entered promiscuous mode
device virt_wifi0 entered promiscuous mode
device vlan0 entered promiscuous mode
device vlan1 entered promiscuous mode
device macvlan0 entered promiscuous mode
device macvlan1 entered promiscuous mode
device ipvlan0 entered promiscuous mode
device ipvlan1 entered promiscuous mode
device macvtap0 entered promiscuous mode
device macsec0 entered promiscuous mode
device geneve0 entered promiscuous mode
netdevsim netdevsim4 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim4 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim4 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim4 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0
device geneve1 entered promiscuous mode
device netdevsim0 entered promiscuous mode
device netdevsim1 entered promiscuous mode
device netdevsim2 entered promiscuous mode
device netdevsim3 entered promiscuous mode
device wlan0 entered promiscuous mode
device wlan1 entered promiscuous mode
device bridge0.0 entered promiscuous mode
device bridge1 entered promiscuous mode
device veth2 entered promiscuous mode
device veth3 entered promiscuous mode
device veth4 entered promiscuous mode
device veth5 entered promiscuous mode
device veth6 entered promiscuous mode
device veth7 entered promiscuous mode
device xfrm0.0 entered promiscuous mode
device veth8 entered promiscuous mode
device veth9 entered promiscuous mode
device veth10 entered promiscuous mode
device veth11 entered promiscuous mode
device veth12 entered promiscuous mode
device veth13 entered promiscuous mode
device veth14 entered promiscuous mode
device veth15 entered promiscuous mode
device veth16 entered promiscuous mode
device veth17 entered promiscuous mode
device veth18 entered promiscuous mode
device veth19 entered promiscuous mode
device bridge2 entered promiscuous mode
device bridge3 entered promiscuous mode
device bridge4 entered promiscuous mode
device syztnl2 entered promiscuous mode
device bridge5 entered promiscuous mode
device bridge6 entered promiscuous mode