[syzbot] [net?] possible deadlock in gtp_encap_enable_socket

[syzbot] [net?] possible deadlock in gtp_encap_enable_socket

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    9410645520e9 Merge tag 'net-next-6.12' of git://git.kernel..
git tree:       net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15d39e9f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=37c006d80708398d
dashboard link: https://syzkaller.appspot.com/bug?extid=e953a8f3071f5c0a28fd
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16215ca9980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110c6c27980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/80466d230dfb/disk-94106455.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ba253eabab42/vmlinux-94106455.xz
kernel image: https://storage.googleapis.com/syzbot-assets/569982fb6c88/bzImage-94106455.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e953a8f3071f5c0a28fd@syzkaller.appspotmail.com

IPVS: Unknown mcast interface: macvlan0
netlink: 8 bytes leftover after parsing attributes in process `syz-executor297'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor297'.
======================================================
WARNING: possible circular locking dependency detected
6.11.0-syzkaller-01458-g9410645520e9 #0 Not tainted
------------------------------------------------------
syz-executor297/5243 is trying to acquire lock:
ffff88801cf99158 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1609 [inline]
ffff88801cf99158 (sk_lock-AF_INET){+.+.}-{0:0}, at: gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674

but task is already holding lock:
ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (rtnl_mutex){+.+.}-{3:3}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       start_sync_thread+0xdc/0x2dc0 net/netfilter/ipvs/ip_vs_sync.c:1761
       do_ip_vs_set_ctl+0x442/0x13d0 net/netfilter/ipvs/ip_vs_ctl.c:2732
       nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101
       smc_setsockopt+0x275/0xe50 net/smc/af_smc.c:3064
       do_sock_setsockopt+0x3af/0x720 net/socket.c:2330
       __sys_setsockopt+0x1ae/0x250 net/socket.c:2353
       __do_sys_setsockopt net/socket.c:2362 [inline]
       __se_sys_setsockopt net/socket.c:2359 [inline]
       __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2359
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (&smc->clcsock_release_lock){+.+.}-{3:3}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       smc_switch_to_fallback+0x35/0xdb0 net/smc/af_smc.c:902
       smc_sendmsg+0x11f/0x530 net/smc/af_smc.c:2771
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x221/0x270 net/socket.c:745
       ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
       ___sys_sendmsg net/socket.c:2657 [inline]
       __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (sk_lock-AF_INET){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3133 [inline]
       check_prevs_add kernel/locking/lockdep.c:3252 [inline]
       validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
       __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
       lock_sock_nested+0x48/0x100 net/core/sock.c:3611
       lock_sock include/net/sock.h:1609 [inline]
       gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674
       gtp_encap_enable drivers/net/gtp.c:1707 [inline]
       gtp_newlink+0x589/0xf30 drivers/net/gtp.c:1511
       rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
       __rtnl_newlink net/core/rtnetlink.c:3730 [inline]
       rtnl_newlink+0x1591/0x20a0 net/core/rtnetlink.c:3743
       rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6646
       netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
       netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
       netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
       netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x221/0x270 net/socket.c:745
       ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
       ___sys_sendmsg net/socket.c:2657 [inline]
       __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  sk_lock-AF_INET --> &smc->clcsock_release_lock --> rtnl_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&smc->clcsock_release_lock);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET);

 *** DEADLOCK ***

1 lock held by syz-executor297/5243:
 #0: ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
 #0: ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643

stack backtrace:
CPU: 0 UID: 0 PID: 5243 Comm: syz-executor297 Not tainted 6.11.0-syzkaller-01458-g9410645520e9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2186
 check_prev_add kernel/locking/lockdep.c:3133 [inline]
 check_prevs_add kernel/locking/lockdep.c:3252 [inline]
 validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
 __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
 lock_sock_nested+0x48/0x100 net/core/sock.c:3611
 lock_sock include/net/sock.h:1609 [inline]
 gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674
 gtp_encap_enable drivers/net/gtp.c:1707 [inline]
 gtp_newlink+0x589/0xf30 drivers/net/gtp.c:1511
 rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3730 [inline]
 rtnl_newlink+0x1591/0x20a0 net/core/rtnetlink.c:3743
 rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6646
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
 ___sys_sendmsg net/socket.c:2657 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fed198844a9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RS


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: test
Author: danielyangkang@gmail.com

#syz test

Re: [syzbot] patch test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: patch test
Author: danielyangkang@gmail.com

#syz test

Re: [syzbot] [net?] possible deadlock in gtp_encap_enable_socket

[Hillf Danton]

On Mon, 23 Sep 2024 08:46:24 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    9410645520e9 Merge tag 'net-next-6.12' of git://git.kernel..
> git tree:       net-next
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110c6c27980000

#syz test

--- x/net/smc/af_smc.c
+++ y/net/smc/af_smc.c
@@ -3053,9 +3053,7 @@ int smc_setsockopt(struct socket *sock,
 	/* generic setsockopts reaching us here always apply to the
 	 * CLC socket
 	 */
-	mutex_lock(&smc->clcsock_release_lock);
 	if (!smc->clcsock) {
-		mutex_unlock(&smc->clcsock_release_lock);
 		return -EBADF;
 	}
 	if (unlikely(!smc->clcsock->ops->setsockopt))
@@ -3067,7 +3065,6 @@ int smc_setsockopt(struct socket *sock,
 		sk->sk_err = smc->clcsock->sk->sk_err;
 		sk_error_report(sk);
 	}
-	mutex_unlock(&smc->clcsock_release_lock);
 
 	if (optlen < sizeof(int))
 		return -EINVAL;
@@ -3133,19 +3130,15 @@ int smc_getsockopt(struct socket *sock,
 		return __smc_getsockopt(sock, level, optname, optval, optlen);
 
 	smc = smc_sk(sock->sk);
-	mutex_lock(&smc->clcsock_release_lock);
 	if (!smc->clcsock) {
-		mutex_unlock(&smc->clcsock_release_lock);
 		return -EBADF;
 	}
 	/* socket options apply to the CLC socket */
 	if (unlikely(!smc->clcsock->ops->getsockopt)) {
-		mutex_unlock(&smc->clcsock_release_lock);
 		return -EOPNOTSUPP;
 	}
 	rc = smc->clcsock->ops->getsockopt(smc->clcsock, level, optname,
 					   optval, optlen);
-	mutex_unlock(&smc->clcsock_release_lock);
 	return rc;
 }
 
--

Re: [syzbot] [net?] possible deadlock in gtp_encap_enable_socket

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+e953a8f3071f5c0a28fd@syzkaller.appspotmail.com
Tested-by: syzbot+e953a8f3071f5c0a28fd@syzkaller.appspotmail.com

Tested on:

commit:         d521db38 Merge branch 'net-switch-back-to-struct-platf..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=167bd380580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f95955e3f7b5790c
dashboard link: https://syzkaller.appspot.com/bug?extid=e953a8f3071f5c0a28fd
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13f0bbd0580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [net?] possible deadlock in gtp_encap_enable_socket

[Pablo Neira Ayuso]

Cc'ing SMC maintainers.

syzkaller combining layer is a crazy way to find crashes.

I think this is a false possible lockdep considers smc->clcsock_release_lock
is a lock of the same class sk_lock-AF_INET.

this can be solved with lockdep_set_class in af_smc?

Thanks.

On Mon, Sep 23, 2024 at 08:46:24AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    9410645520e9 Merge tag 'net-next-6.12' of git://git.kernel..
> git tree:       net-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=15d39e9f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=37c006d80708398d
> dashboard link: https://syzkaller.appspot.com/bug?extid=e953a8f3071f5c0a28fd
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16215ca9980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110c6c27980000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/80466d230dfb/disk-94106455.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/ba253eabab42/vmlinux-94106455.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/569982fb6c88/bzImage-94106455.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e953a8f3071f5c0a28fd@syzkaller.appspotmail.com
> 
> IPVS: Unknown mcast interface: macvlan0
> netlink: 8 bytes leftover after parsing attributes in process `syz-executor297'.
> netlink: 24 bytes leftover after parsing attributes in process `syz-executor297'.
> ======================================================
> WARNING: possible circular locking dependency detected
> 6.11.0-syzkaller-01458-g9410645520e9 #0 Not tainted
> ------------------------------------------------------
> syz-executor297/5243 is trying to acquire lock:
> ffff88801cf99158 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1609 [inline]
> ffff88801cf99158 (sk_lock-AF_INET){+.+.}-{0:0}, at: gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674
> 
> but task is already holding lock:
> ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
> ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643
> 
> which lock already depends on the new lock.
> 
> 
> the existing dependency chain (in reverse order) is:
> 
> -> #2 (rtnl_mutex){+.+.}-{3:3}:
>        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
>        __mutex_lock_common kernel/locking/mutex.c:608 [inline]
>        __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
>        start_sync_thread+0xdc/0x2dc0 net/netfilter/ipvs/ip_vs_sync.c:1761
>        do_ip_vs_set_ctl+0x442/0x13d0 net/netfilter/ipvs/ip_vs_ctl.c:2732
>        nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101
>        smc_setsockopt+0x275/0xe50 net/smc/af_smc.c:3064
>        do_sock_setsockopt+0x3af/0x720 net/socket.c:2330
>        __sys_setsockopt+0x1ae/0x250 net/socket.c:2353
>        __do_sys_setsockopt net/socket.c:2362 [inline]
>        __se_sys_setsockopt net/socket.c:2359 [inline]
>        __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2359
>        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>        entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> -> #1 (&smc->clcsock_release_lock){+.+.}-{3:3}:
>        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
>        __mutex_lock_common kernel/locking/mutex.c:608 [inline]
>        __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
>        smc_switch_to_fallback+0x35/0xdb0 net/smc/af_smc.c:902
>        smc_sendmsg+0x11f/0x530 net/smc/af_smc.c:2771
>        sock_sendmsg_nosec net/socket.c:730 [inline]
>        __sock_sendmsg+0x221/0x270 net/socket.c:745
>        ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
>        ___sys_sendmsg net/socket.c:2657 [inline]
>        __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
>        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>        entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> -> #0 (sk_lock-AF_INET){+.+.}-{0:0}:
>        check_prev_add kernel/locking/lockdep.c:3133 [inline]
>        check_prevs_add kernel/locking/lockdep.c:3252 [inline]
>        validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
>        __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
>        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
>        lock_sock_nested+0x48/0x100 net/core/sock.c:3611
>        lock_sock include/net/sock.h:1609 [inline]
>        gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674
>        gtp_encap_enable drivers/net/gtp.c:1707 [inline]
>        gtp_newlink+0x589/0xf30 drivers/net/gtp.c:1511
>        rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
>        __rtnl_newlink net/core/rtnetlink.c:3730 [inline]
>        rtnl_newlink+0x1591/0x20a0 net/core/rtnetlink.c:3743
>        rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6646
>        netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
>        netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
>        netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
>        netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
>        sock_sendmsg_nosec net/socket.c:730 [inline]
>        __sock_sendmsg+0x221/0x270 net/socket.c:745
>        ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
>        ___sys_sendmsg net/socket.c:2657 [inline]
>        __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
>        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>        entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> other info that might help us debug this:
> 
> Chain exists of:
>   sk_lock-AF_INET --> &smc->clcsock_release_lock --> rtnl_mutex
> 
>  Possible unsafe locking scenario:
> 
>        CPU0                    CPU1
>        ----                    ----
>   lock(rtnl_mutex);
>                                lock(&smc->clcsock_release_lock);
>                                lock(rtnl_mutex);
>   lock(sk_lock-AF_INET);
> 
>  *** DEADLOCK ***
> 
> 1 lock held by syz-executor297/5243:
>  #0: ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
>  #0: ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643
> 
> stack backtrace:
> CPU: 0 UID: 0 PID: 5243 Comm: syz-executor297 Not tainted 6.11.0-syzkaller-01458-g9410645520e9 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:93 [inline]
>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
>  check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2186
>  check_prev_add kernel/locking/lockdep.c:3133 [inline]
>  check_prevs_add kernel/locking/lockdep.c:3252 [inline]
>  validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
>  __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
>  lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
>  lock_sock_nested+0x48/0x100 net/core/sock.c:3611
>  lock_sock include/net/sock.h:1609 [inline]
>  gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674
>  gtp_encap_enable drivers/net/gtp.c:1707 [inline]
>  gtp_newlink+0x589/0xf30 drivers/net/gtp.c:1511
>  rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
>  __rtnl_newlink net/core/rtnetlink.c:3730 [inline]
>  rtnl_newlink+0x1591/0x20a0 net/core/rtnetlink.c:3743
>  rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6646
>  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
>  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
>  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
>  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
>  sock_sendmsg_nosec net/socket.c:730 [inline]
>  __sock_sendmsg+0x221/0x270 net/socket.c:745
>  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
>  ___sys_sendmsg net/socket.c:2657 [inline]
>  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fed198844a9
> Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RS
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup

Re: [syzbot] [net?] possible deadlock in gtp_encap_enable_socket

[syzbot]

syzbot suspects this issue was fixed by commit:

commit 752e2217d789be2c6a6ac66554b981cd71cd9f31
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Mon Apr 7 17:03:17 2025 +0000

    smc: Fix lockdep false-positive for IPPROTO_SMC.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=140462f4580000
start commit:   9410645520e9 Merge tag 'net-next-6.12' of git://git.kernel..
git tree:       net-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=37c006d80708398d
dashboard link: https://syzkaller.appspot.com/bug?extid=e953a8f3071f5c0a28fd
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16215ca9980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110c6c27980000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: smc: Fix lockdep false-positive for IPPROTO_SMC.

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Re: [syzbot] [net?] possible deadlock in gtp_encap_enable_socket

[Kuniyuki Iwashima]

From: syzbot <syzbot+e953a8f3071f5c0a28fd@syzkaller.appspotmail.com>
Date: Mon, 12 May 2025 09:08:04 -0700
> syzbot suspects this issue was fixed by commit:
> 
> commit 752e2217d789be2c6a6ac66554b981cd71cd9f31
> Author: Kuniyuki Iwashima <kuniyu@amazon.com>
> Date:   Mon Apr 7 17:03:17 2025 +0000
> 
>     smc: Fix lockdep false-positive for IPPROTO_SMC.
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=140462f4580000
> start commit:   9410645520e9 Merge tag 'net-next-6.12' of git://git.kernel..
> git tree:       net-next
> kernel config:  https://syzkaller.appspot.com/x/.config?x=37c006d80708398d
> dashboard link: https://syzkaller.appspot.com/bug?extid=e953a8f3071f5c0a28fd
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16215ca9980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110c6c27980000
> 
> If the result looks correct, please mark the issue as fixed by replying with:
> 
> #syz fix: smc: Fix lockdep false-positive for IPPROTO_SMC.

#syz fix: smc: Fix lockdep false-positive for IPPROTO_SMC.

[syzbot] [bluetooth?] KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_sync

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    d7e78951a8b8 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=126a9fc3980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8d1cf7c29e32ce12
dashboard link: https://syzkaller.appspot.com/bug?extid=479aff51bb361ef5aa18
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3c208b51873e/disk-d7e78951.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/adec146cf41c/vmlinux-d7e78951.xz
kernel image: https://storage.googleapis.com/syzbot-assets/52f09b8f7356/bzImage-d7e78951.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+479aff51bb361ef5aa18@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5444
Read of size 8 at addr ffff88802aac0f18 by task kworker/u9:0/54

CPU: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5444
 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 7112:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4180
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
 remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5469
 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 sock_write_iter+0x2dd/0x400 net/socket.c:1160
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa72/0xc90 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 7179:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2235 [inline]
 slab_free mm/slub.c:4464 [inline]
 kfree+0x149/0x360 mm/slub.c:4585
 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
 __mgmt_power_off+0x187/0x420 net/bluetooth/mgmt.c:9458
 hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5118
 hci_dev_do_close net/bluetooth/hci_core.c:490 [inline]
 hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:515
 sock_do_ioctl+0x158/0x460 net/socket.c:1222
 sock_ioctl+0x629/0x8e0 net/socket.c:1341
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802aac0f00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 24 bytes inside of
 freed 96-byte region [ffff88802aac0f00, ffff88802aac0f60)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802aac0b80 pfn:0x2aac0
flags: 0xfff00000000200(workingset|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000200 ffff888015041280 ffffea00007c85d0 ffffea0001a17590
raw: ffff88802aac0b80 000000000020000a 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x352800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 5330, tgid 5329 (syz.3.37), ts 87033405855, free_ts 86894920419
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2304
 allocate_slab+0x5a/0x2f0 mm/slub.c:2467
 new_slab mm/slub.c:2520 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3706
 __slab_alloc+0x58/0xa0 mm/slub.c:3796
 __slab_alloc_node mm/slub.c:3849 [inline]
 slab_alloc_node mm/slub.c:4016 [inline]
 __do_kmalloc_node mm/slub.c:4148 [inline]
 __kmalloc_node_noprof+0x286/0x440 mm/slub.c:4155
 kmalloc_array_node_noprof include/linux/slab.h:788 [inline]
 alloc_slab_obj_exts mm/slub.c:1959 [inline]
 account_slab mm/slub.c:2430 [inline]
 allocate_slab+0xb6/0x2f0 mm/slub.c:2485
 new_slab mm/slub.c:2520 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3706
 __slab_alloc+0x58/0xa0 mm/slub.c:3796
 __slab_alloc_node mm/slub.c:3849 [inline]
 slab_alloc_node mm/slub.c:4016 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4035
 sk_prot_alloc+0x58/0x210 net/core/sock.c:2090
 sk_alloc+0x38/0x370 net/core/sock.c:2149
 inet_create+0x652/0xe70 net/ipv4/af_inet.c:326
 __sock_create+0x490/0x920 net/socket.c:1571
page last free pid 5318 tgid 5318 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_folios+0xf23/0x19e0 mm/page_alloc.c:2637
 folios_put_refs+0x93a/0xa60 mm/swap.c:1024
 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:332
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
 exit_mmap+0x44f/0xc80 mm/mmap.c:3354
 __mmput+0x115/0x390 kernel/fork.c:1343
 exit_mm+0x220/0x310 kernel/exit.c:566
 do_exit+0x9b2/0x27f0 kernel/exit.c:864
 do_group_exit+0x207/0x2c0 kernel/exit.c:1026
 __do_sys_exit_group kernel/exit.c:1037 [inline]
 __se_sys_exit_group kernel/exit.c:1035 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035
 x64_sys_call+0x26c3/0x26d0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802aac0e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88802aac0e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff88802aac0f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                            ^
 ffff88802aac0f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88802aac1000: 04 fc fc fc 04 fc fc fc 04 fc fc fc 04 fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [PATCH] TEST

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] TEST
Author: xiaopei01@kylinos.cn

#syz test

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index b31192d473d0..bbc86b7dce07 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5519,8 +5519,12 @@ static void 
mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
  {
  	struct mgmt_rp_remove_adv_monitor rp;
  	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
+	struct mgmt_cp_remove_adv_monitor *cp;
+
+	if (cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
+		return -ECANCELED;

+	cp = cmd->param;
  	hci_dev_lock(hdev);

  	rp.monitor_handle = cp->monitor_handle;
@@ -5540,8 +5544,14 @@ static void 
mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
  static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
  {
  	struct mgmt_pending_cmd *cmd = data;
-	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
-	u16 handle = __le16_to_cpu(cp->monitor_handle);
+	struct mgmt_cp_remove_adv_monitor *cp;
+	u16 handle;
+
+	if (cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
+		return -ECANCELED;
+
+	cp = cmd->param;
+	handle = __le16_to_cpu(cp->monitor_handle);

  	if (!handle)
  		return hci_remove_all_adv_monitor(hdev);