wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
======================================================
WARNING: possible circular locking dependency detected
4.19.0-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/4986 is trying to acquire lock:
00000000a6647ead (&(&nr_node->node_lock)->rlock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
00000000a6647ead (&(&nr_node->node_lock)->rlock){+...}, at: nr_node_lock include/net/netrom.h:151 [inline]
00000000a6647ead (&(&nr_node->node_lock)->rlock){+...}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]
00000000a6647ead (&(&nr_node->node_lock)->rlock){+...}, at: nr_rt_ioctl+0x26a/0x9b0 net/netrom/nr_route.c:696

but task is already holding lock:
00000000f66f565b (nr_node_list_lock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
00000000f66f565b (nr_node_list_lock){+...}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]
00000000f66f565b (nr_node_list_lock){+...}, at: nr_rt_ioctl+0x22c/0x9b0 net/netrom/nr_route.c:696

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (nr_node_list_lock){+...}:
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
       _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
       spin_lock_bh include/linux/spinlock.h:334 [inline]
       nr_remove_node net/netrom/nr_route.c:300 [inline]
       nr_del_node net/netrom/nr_route.c:356 [inline]
       nr_rt_ioctl+0x82c/0x9b0 net/netrom/nr_route.c:682
       nr_ioctl+0x123/0x1d0 net/netrom/af_netrom.c:1252
       sock_do_ioctl+0x43/0x160 net/socket.c:950
       sock_ioctl+0x1b6/0x350 net/socket.c:1074
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:501 [inline]
       do_vfs_ioctl+0xa4/0x6a0 fs/ioctl.c:685
       ksys_ioctl+0x62/0x90 fs/ioctl.c:702
       __do_sys_ioctl fs/ioctl.c:709 [inline]
       __se_sys_ioctl fs/ioctl.c:707 [inline]
       __x64_sys_ioctl+0x15/0x20 fs/ioctl.c:707
       do_syscall_64+0x6e/0x1c0 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&(&nr_node->node_lock)->rlock){+...}:
       lock_acquire+0xc0/0x190 kernel/locking/lockdep.c:3900
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
       _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
       spin_lock_bh include/linux/spinlock.h:334 [inline]
       nr_node_lock include/net/netrom.h:151 [inline]
       nr_dec_obs net/netrom/nr_route.c:464 [inline]
       nr_rt_ioctl+0x26a/0x9b0 net/netrom/nr_route.c:696
       nr_ioctl+0x123/0x1d0 net/netrom/af_netrom.c:1252
       sock_do_ioctl+0x43/0x160 net/socket.c:950
       sock_ioctl+0x1b6/0x350 net/socket.c:1074
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:501 [inline]
       do_vfs_ioctl+0xa4/0x6a0 fs/ioctl.c:685
       ksys_ioctl+0x62/0x90 fs/ioctl.c:702
       __do_sys_ioctl fs/ioctl.c:709 [inline]
       __se_sys_ioctl fs/ioctl.c:707 [inline]
       __x64_sys_ioctl+0x15/0x20 fs/ioctl.c:707
       do_syscall_64+0x6e/0x1c0 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(nr_node_list_lock);
                               lock(&(&nr_node->node_lock)->rlock);
                               lock(nr_node_list_lock);
  lock(&(&nr_node->node_lock)->rlock);

 *** DEADLOCK ***

1 lock held by syz-executor.0/4986:
 #0: 00000000f66f565b (nr_node_list_lock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
 #0: 00000000f66f565b (nr_node_list_lock){+...}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]
 #0: 00000000f66f565b (nr_node_list_lock){+...}, at: nr_rt_ioctl+0x22c/0x9b0 net/netrom/nr_route.c:696

stack backtrace:
CPU: 0 PID: 4986 Comm: syz-executor.0 Not tainted 4.19.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc4/0x11a lib/dump_stack.c:113
 print_circular_bug.isra.18.cold.34+0x173/0x1cd kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1861 [inline]
 check_prevs_add kernel/locking/lockdep.c:1974 [inline]
 validate_chain kernel/locking/lockdep.c:2415 [inline]
 __lock_acquire+0x11bb/0x12f0 kernel/locking/lockdep.c:3411
 lock_acquire+0xc0/0x190 kernel/locking/lockdep.c:3900
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:334 [inline]
 nr_node_lock include/net/netrom.h:151 [inline]
 nr_dec_obs net/netrom/nr_route.c:464 [inline]
 nr_rt_ioctl+0x26a/0x9b0 net/netrom/nr_route.c:696
 nr_ioctl+0x123/0x1d0 net/netrom/af_netrom.c:1252
 sock_do_ioctl+0x43/0x160 net/socket.c:950
 sock_ioctl+0x1b6/0x350 net/socket.c:1074
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xa4/0x6a0 fs/ioctl.c:685
 ksys_ioctl+0x62/0x90 fs/ioctl.c:702
 __do_sys_ioctl fs/ioctl.c:709 [inline]
 __se_sys_ioctl fs/ioctl.c:707 [inline]
 __x64_sys_ioctl+0x15/0x20 fs/ioctl.c:707
 do_syscall_64+0x6e/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f46531d2d69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f46525530c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4653300f80 RCX: 00007f46531d2d69
RDX: 0000000000000000 RSI: 00000000000089e2 RDI: 0000000000000007
RBP: 00007f465321f49e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f4653300f80 R15: 00007ffdf59bac58
Bluetooth: hci0: command 0x041b tx timeout
Bluetooth: hci2: command 0x041b tx timeout
Bluetooth: hci1: command 0x041b tx timeout
Bluetooth: hci4: command 0x041b tx timeout
Bluetooth: hci3: command 0x041b tx timeout
Bluetooth: hci3: command 0x040f tx timeout
Bluetooth: hci4: command 0x040f tx timeout
Bluetooth: hci1: command 0x040f tx timeout
Bluetooth: hci2: command 0x040f tx timeout
Bluetooth: hci0: command 0x040f tx timeout
Bluetooth: hci0: command 0x0419 tx timeout
Bluetooth: hci2: command 0x0419 tx timeout
Bluetooth: hci1: command 0x0419 tx timeout
Bluetooth: hci4: command 0x0419 tx timeout
Bluetooth: hci3: command 0x0419 tx timeout