======================================================
WARNING: possible circular locking dependency detected
5.2.0+ #62 Not tainted
------------------------------------------------------
syz-executor.0/16930 is trying to acquire lock:
0000000005dff427 (&xs->mutex){+.+.}, at: xsk_notifier+0x145/0x2a0 /net/xdp/xsk.c:764

but task is already holding lock:
000000005f2db16e (&net->xdp.lock){+.+.}, at: xsk_notifier+0xa3/0x2a0 /net/xdp/xsk.c:760

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&net->xdp.lock){+.+.}:
       __mutex_lock_common /kernel/locking/mutex.c:926 [inline]
       __mutex_lock+0xf7/0x1340 /kernel/locking/mutex.c:1073
       mutex_lock_nested+0x16/0x20 /kernel/locking/mutex.c:1088
       xsk_notifier+0xa3/0x2a0 /net/xdp/xsk.c:760
       notifier_call_chain+0xc2/0x230 /kernel/notifier.c:95
       __raw_notifier_call_chain /kernel/notifier.c:396 [inline]
       raw_notifier_call_chain+0x2e/0x40 /kernel/notifier.c:403
       call_netdevice_notifiers_info+0x3f/0x90 /net/core/dev.c:1749
       call_netdevice_notifiers_extack /net/core/dev.c:1761 [inline]
       call_netdevice_notifiers /net/core/dev.c:1775 [inline]
       rollback_registered_many+0x8d5/0xdf0 /net/core/dev.c:8196
       rollback_registered+0x109/0x1d0 /net/core/dev.c:8238
       unregister_netdevice_queue /net/core/dev.c:9285 [inline]
       unregister_netdevice_queue+0x1ee/0x2c0 /net/core/dev.c:9278
       unregister_netdevice /./include/linux/netdevice.h:2631 [inline]
       __tun_detach+0xd8a/0x1040 /drivers/net/tun.c:723
       tun_detach /drivers/net/tun.c:740 [inline]
       tun_chr_close+0xe0/0x180 /drivers/net/tun.c:3439
       __fput+0x2ff/0x890 /fs/file_table.c:280
       ____fput+0x16/0x20 /fs/file_table.c:313
       task_work_run+0x145/0x1c0 /kernel/task_work.c:113
       tracehook_notify_resume /./include/linux/tracehook.h:188 [inline]
       exit_to_usermode_loop+0x316/0x380 /arch/x86/entry/common.c:163
       prepare_exit_to_usermode /arch/x86/entry/common.c:194 [inline]
       syscall_return_slowpath /arch/x86/entry/common.c:274 [inline]
       do_syscall_32_irqs_on /arch/x86/entry/common.c:347 [inline]
       do_fast_syscall_32+0xb87/0xdb3 /arch/x86/entry/common.c:403
       entry_SYSENTER_compat+0x70/0x7f /arch/x86/entry/entry_64_compat.S:139

-> #1 (rtnl_mutex){+.+.}:
       __mutex_lock_common /kernel/locking/mutex.c:926 [inline]
       __mutex_lock+0xf7/0x1340 /kernel/locking/mutex.c:1073
       mutex_lock_nested+0x16/0x20 /kernel/locking/mutex.c:1088
       rtnl_lock+0x17/0x20 /net/core/rtnetlink.c:72
       xdp_umem_assign_dev+0xbe/0x8f0 /net/xdp/xdp_umem.c:96
       xsk_bind+0x4d7/0xe80 /net/xdp/xsk.c:502
       __sys_bind+0x239/0x290 /net/socket.c:1643
       __do_sys_bind /net/socket.c:1654 [inline]
       __se_sys_bind /net/socket.c:1652 [inline]
       __ia32_sys_bind+0x72/0xb0 /net/socket.c:1652
       do_syscall_32_irqs_on /arch/x86/entry/common.c:332 [inline]
       do_fast_syscall_32+0x27b/0xdb3 /arch/x86/entry/common.c:403
       entry_SYSENTER_compat+0x70/0x7f /arch/x86/entry/entry_64_compat.S:139

-> #0 (&xs->mutex){+.+.}:
       check_prev_add /kernel/locking/lockdep.c:2405 [inline]
       check_prevs_add /kernel/locking/lockdep.c:2507 [inline]
       validate_chain /kernel/locking/lockdep.c:2897 [inline]
       __lock_acquire+0x25a9/0x4c30 /kernel/locking/lockdep.c:3880
       lock_acquire+0x190/0x410 /kernel/locking/lockdep.c:4413
       __mutex_lock_common /kernel/locking/mutex.c:926 [inline]
       __mutex_lock+0xf7/0x1340 /kernel/locking/mutex.c:1073
       mutex_lock_nested+0x16/0x20 /kernel/locking/mutex.c:1088
       xsk_notifier+0x145/0x2a0 /net/xdp/xsk.c:764
       notifier_call_chain+0xc2/0x230 /kernel/notifier.c:95
       __raw_notifier_call_chain /kernel/notifier.c:396 [inline]
       raw_notifier_call_chain+0x2e/0x40 /kernel/notifier.c:403
       call_netdevice_notifiers_info+0x3f/0x90 /net/core/dev.c:1749
       call_netdevice_notifiers_extack /net/core/dev.c:1761 [inline]
       call_netdevice_notifiers /net/core/dev.c:1775 [inline]
       rollback_registered_many+0x8d5/0xdf0 /net/core/dev.c:8196
       rollback_registered+0x109/0x1d0 /net/core/dev.c:8238
       unregister_netdevice_queue /net/core/dev.c:9285 [inline]
       unregister_netdevice_queue+0x1ee/0x2c0 /net/core/dev.c:9278
       br_dev_delete+0x145/0x1a0 /net/bridge/br_if.c:383
       br_del_bridge+0xd7/0x120 /net/bridge/br_if.c:483
       br_ioctl_deviceless_stub+0x2b0/0x7c0 /net/bridge/br_ioctl.c:376
       sock_ioctl+0x44b/0x790 /net/socket.c:1132
       compat_sock_ioctl_trans /net/socket.c:3406 [inline]
       compat_sock_ioctl+0x3a8/0x2240 /net/socket.c:3477
       __do_compat_sys_ioctl /fs/compat_ioctl.c:1052 [inline]
       __se_compat_sys_ioctl /fs/compat_ioctl.c:998 [inline]
       __ia32_compat_sys_ioctl+0x195/0x620 /fs/compat_ioctl.c:998
       do_syscall_32_irqs_on /arch/x86/entry/common.c:332 [inline]
       do_fast_syscall_32+0x27b/0xdb3 /arch/x86/entry/common.c:403
       entry_SYSENTER_compat+0x70/0x7f /arch/x86/entry/entry_64_compat.S:139

other info that might help us debug this:

Chain exists of:
  &xs->mutex --> rtnl_mutex --> &net->xdp.lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&net->xdp.lock);
                               lock(rtnl_mutex);
                               lock(&net->xdp.lock);
  lock(&xs->mutex);

 *** DEADLOCK ***

3 locks held by syz-executor.0/16930:
 #0: 000000007e9268f9 (br_ioctl_mutex){+.+.}, at: sock_ioctl+0x427/0x790 /net/socket.c:1130
 #1: 000000000f8ab27d (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 /net/core/rtnetlink.c:72
 #2: 000000005f2db16e (&net->xdp.lock){+.+.}, at: xsk_notifier+0xa3/0x2a0 /net/xdp/xsk.c:760

stack backtrace:
CPU: 1 PID: 16930 Comm: syz-executor.0 Not tainted 5.2.0+ #62
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack /lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 /lib/dump_stack.c:113
 print_circular_bug.cold+0x163/0x172 /kernel/locking/lockdep.c:1617
 check_noncircular+0x345/0x3e0 /kernel/locking/lockdep.c:1741
 check_prev_add /kernel/locking/lockdep.c:2405 [inline]
 check_prevs_add /kernel/locking/lockdep.c:2507 [inline]
 validate_chain /kernel/locking/lockdep.c:2897 [inline]
 __lock_acquire+0x25a9/0x4c30 /kernel/locking/lockdep.c:3880
 lock_acquire+0x190/0x410 /kernel/locking/lockdep.c:4413
 __mutex_lock_common /kernel/locking/mutex.c:926 [inline]
 __mutex_lock+0xf7/0x1340 /kernel/locking/mutex.c:1073
 mutex_lock_nested+0x16/0x20 /kernel/locking/mutex.c:1088
 xsk_notifier+0x145/0x2a0 /net/xdp/xsk.c:764
 notifier_call_chain+0xc2/0x230 /kernel/notifier.c:95
 __raw_notifier_call_chain /kernel/notifier.c:396 [inline]
 raw_notifier_call_chain+0x2e/0x40 /kernel/notifier.c:403
 call_netdevice_notifiers_info+0x3f/0x90 /net/core/dev.c:1749
 call_netdevice_notifiers_extack /net/core/dev.c:1761 [inline]
 call_netdevice_notifiers /net/core/dev.c:1775 [inline]
 rollback_registered_many+0x8d5/0xdf0 /net/core/dev.c:8196
 rollback_registered+0x109/0x1d0 /net/core/dev.c:8238
 unregister_netdevice_queue /net/core/dev.c:9285 [inline]
 unregister_netdevice_queue+0x1ee/0x2c0 /net/core/dev.c:9278
 br_dev_delete+0x145/0x1a0 /net/bridge/br_if.c:383
 br_del_bridge+0xd7/0x120 /net/bridge/br_if.c:483
 br_ioctl_deviceless_stub+0x2b0/0x7c0 /net/bridge/br_ioctl.c:376
 sock_ioctl+0x44b/0x790 /net/socket.c:1132
 compat_sock_ioctl_trans /net/socket.c:3406 [inline]
 compat_sock_ioctl+0x3a8/0x2240 /net/socket.c:3477
 __do_compat_sys_ioctl /fs/compat_ioctl.c:1052 [inline]
 __se_compat_sys_ioctl /fs/compat_ioctl.c:998 [inline]
 __ia32_compat_sys_ioctl+0x195/0x620 /fs/compat_ioctl.c:998
 do_syscall_32_irqs_on /arch/x86/entry/common.c:332 [inline]
 do_fast_syscall_32+0x27b/0xdb3 /arch/x86/entry/common.c:403
 entry_SYSENTER_compat+0x70/0x7f /arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fbf9c9
Code: d3 83 c4 10 5b 5e 5d c3 ba 80 96 98 00 eb a9 8b 04 24 c3 8b 34 24 c3 8b 3c 24 c3 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f5dbb0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000000089a1
RDX: 0000000020000180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
kobject: 'batman_adv' (00000000360a0499): kobject_uevent_env
kobject: 'batman_adv' (00000000360a0499): kobject_uevent_env: filter function caused the event to drop!
kobject: 'batman_adv' (00000000360a0499): kobject_cleanup, parent 00000000f9d391df
kobject: 'batman_adv' (00000000360a0499): calling ktype release
kobject: (00000000360a0499): dynamic_kobj_release
kobject: 'batman_adv': free name
kobject: 'rx-0' (00000000d4b20987): kobject_cleanup, parent 00000000bab865f0
kobject: 'rx-0' (00000000d4b20987): auto cleanup 'remove' event
kobject: 'rx-0' (00000000d4b20987): kobject_uevent_env
kobject: 'rx-0' (00000000d4b20987): fill_kobj_path: path = '/devices/virtual/net/bcsf0/queues/rx-0'
kobject: 'rx-0' (00000000d4b20987): auto cleanup kobject_del
kobject: 'rx-0' (00000000d4b20987): calling ktype release
kobject: 'rx-0': free name
kobject: 'tx-0' (00000000e4caa0ee): kobject_cleanup, parent 00000000bab865f0
kobject: 'tx-0' (00000000e4caa0ee): auto cleanup 'remove' event
kobject: 'tx-0' (00000000e4caa0ee): kobject_uevent_env
kobject: 'tx-0' (00000000e4caa0ee): fill_kobj_path: path = '/devices/virtual/net/bcsf0/queues/tx-0'
kobject: 'tx-0' (00000000e4caa0ee): auto cleanup kobject_del
kobject: 'tx-0' (00000000e4caa0ee): calling ktype release
kobject: 'tx-0': free name
kobject: 'queues' (00000000bab865f0): kobject_cleanup, parent 00000000f9d391df
kobject: 'queues' (00000000bab865f0): calling ktype release
kobject: 'queues' (00000000bab865f0): kset_release
kobject: 'queues': free name
kobject: 'bcsf0' (00000000b31d7d10): kobject_uevent_env
kobject: 'bcsf0' (00000000b31d7d10): fill_kobj_path: path = '/devices/virtual/net/bcsf0'
kobject: 'bcsf0' (00000000b31d7d10): kobject_cleanup, parent 00000000f9d391df
kobject: 'bcsf0' (00000000b31d7d10): calling ktype release
kobject: 'bcsf0': free name