* [syzbot] [net?] BUG: sleeping function called from invalid context in dev_set_promiscuity (2)
@ 2025-07-08 17:30 syzbot
2025-07-08 20:57 ` Stanislav Fomichev
0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2025-07-08 17:30 UTC (permalink / raw)
To: davem, edumazet, horms, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 1e3b66e32601 vsock: fix `vsock_proto` declaration
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=16cbf28c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b29b1a0d7330d4a8
dashboard link: https://syzkaller.appspot.com/bug?extid=6e619ff6dd4c8618a635
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/11faaf1afe22/disk-1e3b66e3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ba355ce28c50/vmlinux-1e3b66e3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/018f94fd1327/bzImage-1e3b66e3.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6e619ff6dd4c8618a635@syzkaller.appspotmail.com
netlink: 8 bytes leftover after parsing attributes in process `syz.3.2844'.
macsec0: entered promiscuous mode
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:579
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 15744, name: syz.3.2844
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by syz.3.2844/15744:
#0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
#1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4054
#2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: netif_addr_lock_bh include/linux/netdevice.h:4805 [inline]
#2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: dev_uc_add+0x67/0x120 net/core/dev_addr_lists.c:689
Preemption disabled at:
[<ffffffff895a79e6>] local_bh_disable include/linux/bottom_half.h:20 [inline]
[<ffffffff895a79e6>] netif_addr_lock_bh include/linux/netdevice.h:4804 [inline]
[<ffffffff895a79e6>] dev_uc_add+0x56/0x120 net/core/dev_addr_lists.c:689
CPU: 1 UID: 0 PID: 15744 Comm: syz.3.2844 Not tainted 6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
__might_resched+0x495/0x610 kernel/sched/core.c:8800
__mutex_lock_common kernel/locking/mutex.c:579 [inline]
__mutex_lock+0x106/0xe80 kernel/locking/mutex.c:747
netdev_lock include/linux/netdevice.h:2756 [inline]
netdev_lock_ops include/net/netdev_lock.h:42 [inline]
dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
dev_change_rx_flags net/core/dev.c:9241 [inline]
__dev_set_promiscuity+0x534/0x740 net/core/dev.c:9285
__dev_set_rx_mode+0x17c/0x260 net/core/dev.c:-1
dev_uc_add+0xc8/0x120 net/core/dev_addr_lists.c:693
macsec_dev_open+0xd9/0x530 drivers/net/macsec.c:3634
__dev_open+0x470/0x880 net/core/dev.c:1683
__dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9458
rtnl_configure_link net/core/rtnetlink.c:3577 [inline]
rtnl_newlink_create+0x555/0xb00 net/core/rtnetlink.c:3833
__rtnl_newlink net/core/rtnetlink.c:3940 [inline]
rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055
rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2551
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
____sys_sendmsg+0x505/0x830 net/socket.c:2566
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f64fc18e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f64fd052038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f64fc3b5fa0 RCX: 00007f64fc18e929
RDX: 0000000000000800 RSI: 0000200000000280 RDI: 0000000000000004
RBP: 00007f64fc210b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f64fc3b5fa0 R15: 00007ffd8fec8448
</TASK>
=============================
[ BUG: Invalid wait context ]
6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 Tainted: G W
-----------------------------
syz.3.2844/15744 is trying to lock:
ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: netdev_lock include/linux/netdevice.h:2756 [inline]
ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: netdev_lock_ops include/net/netdev_lock.h:42 [inline]
ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
other info that might help us debug this:
context-{5:5}
3 locks held by syz.3.2844/15744:
#0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
#1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4054
#2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: netif_addr_lock_bh include/linux/netdevice.h:4805 [inline]
#2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: dev_uc_add+0x67/0x120 net/core/dev_addr_lists.c:689
stack backtrace:
CPU: 1 UID: 0 PID: 15744 Comm: syz.3.2844 Tainted: G W 6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline]
check_wait_context kernel/locking/lockdep.c:4905 [inline]
__lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5190
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
__mutex_lock_common kernel/locking/mutex.c:602 [inline]
__mutex_lock+0x182/0xe80 kernel/locking/mutex.c:747
netdev_lock include/linux/netdevice.h:2756 [inline]
netdev_lock_ops include/net/netdev_lock.h:42 [inline]
dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
dev_change_rx_flags net/core/dev.c:9241 [inline]
__dev_set_promiscuity+0x534/0x740 net/core/dev.c:9285
__dev_set_rx_mode+0x17c/0x260 net/core/dev.c:-1
dev_uc_add+0xc8/0x120 net/core/dev_addr_lists.c:693
macsec_dev_open+0xd9/0x530 drivers/net/macsec.c:3634
__dev_open+0x470/0x880 net/core/dev.c:1683
__dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9458
rtnl_configure_link net/core/rtnetlink.c:3577 [inline]
rtnl_newlink_create+0x555/0xb00 net/core/rtnetlink.c:3833
__rtnl_newlink net/core/rtnetlink.c:3940 [inline]
rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055
rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2551
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
____sys_sendmsg+0x505/0x830 net/socket.c:2566
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f64fc18e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f64fd052038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f64fc3b5fa0 RCX: 00007f64fc18e929
RDX: 0000000000000800 RSI: 0000200000000280 RDI: 0000000000000004
RBP: 00007f64fc210b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f64fc3b5fa0 R15: 00007ffd8fec8448
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [syzbot] [net?] BUG: sleeping function called from invalid context in dev_set_promiscuity (2)
2025-07-08 17:30 [syzbot] [net?] BUG: sleeping function called from invalid context in dev_set_promiscuity (2) syzbot
@ 2025-07-08 20:57 ` Stanislav Fomichev
2025-07-08 21:34 ` Stanislav Fomichev
0 siblings, 1 reply; 3+ messages in thread
From: Stanislav Fomichev @ 2025-07-08 20:57 UTC (permalink / raw)
To: syzbot
Cc: davem, edumazet, horms, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
On 07/08, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 1e3b66e32601 vsock: fix `vsock_proto` declaration
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=16cbf28c580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b29b1a0d7330d4a8
> dashboard link: https://syzkaller.appspot.com/bug?extid=6e619ff6dd4c8618a635
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/11faaf1afe22/disk-1e3b66e3.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/ba355ce28c50/vmlinux-1e3b66e3.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/018f94fd1327/bzImage-1e3b66e3.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+6e619ff6dd4c8618a635@syzkaller.appspotmail.com
>
> netlink: 8 bytes leftover after parsing attributes in process `syz.3.2844'.
> macsec0: entered promiscuous mode
> BUG: sleeping function called from invalid context at kernel/locking/mutex.c:579
> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 15744, name: syz.3.2844
> preempt_count: 201, expected: 0
> RCU nest depth: 0, expected: 0
> 3 locks held by syz.3.2844/15744:
> #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
> #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
> #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
> #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
> #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
> #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4054
> #2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: netif_addr_lock_bh include/linux/netdevice.h:4805 [inline]
> #2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: dev_uc_add+0x67/0x120 net/core/dev_addr_lists.c:689
> Preemption disabled at:
> [<ffffffff895a79e6>] local_bh_disable include/linux/bottom_half.h:20 [inline]
> [<ffffffff895a79e6>] netif_addr_lock_bh include/linux/netdevice.h:4804 [inline]
> [<ffffffff895a79e6>] dev_uc_add+0x56/0x120 net/core/dev_addr_lists.c:689
> CPU: 1 UID: 0 PID: 15744 Comm: syz.3.2844 Not tainted 6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> __might_resched+0x495/0x610 kernel/sched/core.c:8800
> __mutex_lock_common kernel/locking/mutex.c:579 [inline]
> __mutex_lock+0x106/0xe80 kernel/locking/mutex.c:747
> netdev_lock include/linux/netdevice.h:2756 [inline]
> netdev_lock_ops include/net/netdev_lock.h:42 [inline]
> dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
> dev_change_rx_flags net/core/dev.c:9241 [inline]
> __dev_set_promiscuity+0x534/0x740 net/core/dev.c:9285
> __dev_set_rx_mode+0x17c/0x260 net/core/dev.c:-1
> dev_uc_add+0xc8/0x120 net/core/dev_addr_lists.c:693
> macsec_dev_open+0xd9/0x530 drivers/net/macsec.c:3634
> __dev_open+0x470/0x880 net/core/dev.c:1683
> __dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9458
> rtnl_configure_link net/core/rtnetlink.c:3577 [inline]
> rtnl_newlink_create+0x555/0xb00 net/core/rtnetlink.c:3833
> __rtnl_newlink net/core/rtnetlink.c:3940 [inline]
> rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055
> rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
> netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2551
> netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
> netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
> netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
> sock_sendmsg_nosec net/socket.c:712 [inline]
> __sock_sendmsg+0x219/0x270 net/socket.c:727
> ____sys_sendmsg+0x505/0x830 net/socket.c:2566
> ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
> __sys_sendmsg net/socket.c:2652 [inline]
> __do_sys_sendmsg net/socket.c:2657 [inline]
> __se_sys_sendmsg net/socket.c:2655 [inline]
> __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f64fc18e929
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f64fd052038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007f64fc3b5fa0 RCX: 00007f64fc18e929
> RDX: 0000000000000800 RSI: 0000200000000280 RDI: 0000000000000004
> RBP: 00007f64fc210b39 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f64fc3b5fa0 R15: 00007ffd8fec8448
> </TASK>
>
> =============================
> [ BUG: Invalid wait context ]
> 6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 Tainted: G W
> -----------------------------
> syz.3.2844/15744 is trying to lock:
> ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: netdev_lock include/linux/netdevice.h:2756 [inline]
> ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: netdev_lock_ops include/net/netdev_lock.h:42 [inline]
> ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
> other info that might help us debug this:
> context-{5:5}
> 3 locks held by syz.3.2844/15744:
> #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
> #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
> #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
> #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
> #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
> #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4054
> #2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: netif_addr_lock_bh include/linux/netdevice.h:4805 [inline]
> #2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: dev_uc_add+0x67/0x120 net/core/dev_addr_lists.c:689
> stack backtrace:
> CPU: 1 UID: 0 PID: 15744 Comm: syz.3.2844 Tainted: G W 6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 PREEMPT(full)
> Tainted: [W]=WARN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline]
> check_wait_context kernel/locking/lockdep.c:4905 [inline]
> __lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5190
> lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
> __mutex_lock_common kernel/locking/mutex.c:602 [inline]
> __mutex_lock+0x182/0xe80 kernel/locking/mutex.c:747
> netdev_lock include/linux/netdevice.h:2756 [inline]
> netdev_lock_ops include/net/netdev_lock.h:42 [inline]
> dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
> dev_change_rx_flags net/core/dev.c:9241 [inline]
> __dev_set_promiscuity+0x534/0x740 net/core/dev.c:9285
> __dev_set_rx_mode+0x17c/0x260 net/core/dev.c:-1
> dev_uc_add+0xc8/0x120 net/core/dev_addr_lists.c:693
> macsec_dev_open+0xd9/0x530 drivers/net/macsec.c:3634
> __dev_open+0x470/0x880 net/core/dev.c:1683
> __dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9458
> rtnl_configure_link net/core/rtnetlink.c:3577 [inline]
> rtnl_newlink_create+0x555/0xb00 net/core/rtnetlink.c:3833
> __rtnl_newlink net/core/rtnetlink.c:3940 [inline]
> rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055
> rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
> netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2551
> netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
> netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
> netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
> sock_sendmsg_nosec net/socket.c:712 [inline]
> __sock_sendmsg+0x219/0x270 net/socket.c:727
> ____sys_sendmsg+0x505/0x830 net/socket.c:2566
> ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
> __sys_sendmsg net/socket.c:2652 [inline]
> __do_sys_sendmsg net/socket.c:2657 [inline]
> __se_sys_sendmsg net/socket.c:2655 [inline]
> __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f64fc18e929
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f64fd052038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007f64fc3b5fa0 RCX: 00007f64fc18e929
> RDX: 0000000000000800 RSI: 0000200000000280 RDI: 0000000000000004
> RBP: 00007f64fc210b39 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f64fc3b5fa0 R15: 00007ffd8fec8448
> </TASK>
Looks like it shows up for macsec only because it doesn't have
IFF_UNICAST_FLT. Otherwise we would've seen the same with
team/bond/etc.. But in general, __dev_set_rx_mode can try to grab
instance lock while it's running under netif_addr spinlock which
is not nice :-(
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [syzbot] [net?] BUG: sleeping function called from invalid context in dev_set_promiscuity (2)
2025-07-08 20:57 ` Stanislav Fomichev
@ 2025-07-08 21:34 ` Stanislav Fomichev
0 siblings, 0 replies; 3+ messages in thread
From: Stanislav Fomichev @ 2025-07-08 21:34 UTC (permalink / raw)
To: syzbot
Cc: davem, edumazet, horms, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
On 07/08, Stanislav Fomichev wrote:
> On 07/08, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 1e3b66e32601 vsock: fix `vsock_proto` declaration
> > git tree: net
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16cbf28c580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=b29b1a0d7330d4a8
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6e619ff6dd4c8618a635
> > compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/11faaf1afe22/disk-1e3b66e3.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/ba355ce28c50/vmlinux-1e3b66e3.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/018f94fd1327/bzImage-1e3b66e3.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+6e619ff6dd4c8618a635@syzkaller.appspotmail.com
> >
> > netlink: 8 bytes leftover after parsing attributes in process `syz.3.2844'.
> > macsec0: entered promiscuous mode
> > BUG: sleeping function called from invalid context at kernel/locking/mutex.c:579
> > in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 15744, name: syz.3.2844
> > preempt_count: 201, expected: 0
> > RCU nest depth: 0, expected: 0
> > 3 locks held by syz.3.2844/15744:
> > #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
> > #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
> > #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
> > #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
> > #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
> > #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4054
> > #2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: netif_addr_lock_bh include/linux/netdevice.h:4805 [inline]
> > #2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: dev_uc_add+0x67/0x120 net/core/dev_addr_lists.c:689
> > Preemption disabled at:
> > [<ffffffff895a79e6>] local_bh_disable include/linux/bottom_half.h:20 [inline]
> > [<ffffffff895a79e6>] netif_addr_lock_bh include/linux/netdevice.h:4804 [inline]
> > [<ffffffff895a79e6>] dev_uc_add+0x56/0x120 net/core/dev_addr_lists.c:689
> > CPU: 1 UID: 0 PID: 15744 Comm: syz.3.2844 Not tainted 6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 PREEMPT(full)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> > Call Trace:
> > <TASK>
> > dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> > __might_resched+0x495/0x610 kernel/sched/core.c:8800
> > __mutex_lock_common kernel/locking/mutex.c:579 [inline]
> > __mutex_lock+0x106/0xe80 kernel/locking/mutex.c:747
> > netdev_lock include/linux/netdevice.h:2756 [inline]
> > netdev_lock_ops include/net/netdev_lock.h:42 [inline]
> > dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
> > dev_change_rx_flags net/core/dev.c:9241 [inline]
> > __dev_set_promiscuity+0x534/0x740 net/core/dev.c:9285
> > __dev_set_rx_mode+0x17c/0x260 net/core/dev.c:-1
> > dev_uc_add+0xc8/0x120 net/core/dev_addr_lists.c:693
> > macsec_dev_open+0xd9/0x530 drivers/net/macsec.c:3634
> > __dev_open+0x470/0x880 net/core/dev.c:1683
> > __dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9458
> > rtnl_configure_link net/core/rtnetlink.c:3577 [inline]
> > rtnl_newlink_create+0x555/0xb00 net/core/rtnetlink.c:3833
> > __rtnl_newlink net/core/rtnetlink.c:3940 [inline]
> > rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055
> > rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
> > netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2551
> > netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
> > netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
> > netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
> > sock_sendmsg_nosec net/socket.c:712 [inline]
> > __sock_sendmsg+0x219/0x270 net/socket.c:727
> > ____sys_sendmsg+0x505/0x830 net/socket.c:2566
> > ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
> > __sys_sendmsg net/socket.c:2652 [inline]
> > __do_sys_sendmsg net/socket.c:2657 [inline]
> > __se_sys_sendmsg net/socket.c:2655 [inline]
> > __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
> > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7f64fc18e929
> > Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007f64fd052038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > RAX: ffffffffffffffda RBX: 00007f64fc3b5fa0 RCX: 00007f64fc18e929
> > RDX: 0000000000000800 RSI: 0000200000000280 RDI: 0000000000000004
> > RBP: 00007f64fc210b39 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 0000000000000000 R14: 00007f64fc3b5fa0 R15: 00007ffd8fec8448
> > </TASK>
> >
> > =============================
> > [ BUG: Invalid wait context ]
> > 6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 Tainted: G W
> > -----------------------------
> > syz.3.2844/15744 is trying to lock:
> > ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: netdev_lock include/linux/netdevice.h:2756 [inline]
> > ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: netdev_lock_ops include/net/netdev_lock.h:42 [inline]
> > ffff888077de0d30 (&dev_instance_lock_key#20){+.+.}-{4:4}, at: dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
> > other info that might help us debug this:
> > context-{5:5}
> > 3 locks held by syz.3.2844/15744:
> > #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
> > #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
> > #0: ffffffff8fa219b8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
> > #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
> > #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
> > #1: ffffffff8f51c5c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4054
> > #2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: netif_addr_lock_bh include/linux/netdevice.h:4805 [inline]
> > #2: ffff88802cb3a368 (&macsec_netdev_addr_lock_key/1){+...}-{3:3}, at: dev_uc_add+0x67/0x120 net/core/dev_addr_lists.c:689
> > stack backtrace:
> > CPU: 1 UID: 0 PID: 15744 Comm: syz.3.2844 Tainted: G W 6.16.0-rc4-syzkaller-00114-g1e3b66e32601 #0 PREEMPT(full)
> > Tainted: [W]=WARN
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> > Call Trace:
> > <TASK>
> > dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> > print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline]
> > check_wait_context kernel/locking/lockdep.c:4905 [inline]
> > __lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5190
> > lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
> > __mutex_lock_common kernel/locking/mutex.c:602 [inline]
> > __mutex_lock+0x182/0xe80 kernel/locking/mutex.c:747
> > netdev_lock include/linux/netdevice.h:2756 [inline]
> > netdev_lock_ops include/net/netdev_lock.h:42 [inline]
> > dev_set_promiscuity+0x10e/0x260 net/core/dev_api.c:286
> > dev_change_rx_flags net/core/dev.c:9241 [inline]
> > __dev_set_promiscuity+0x534/0x740 net/core/dev.c:9285
> > __dev_set_rx_mode+0x17c/0x260 net/core/dev.c:-1
> > dev_uc_add+0xc8/0x120 net/core/dev_addr_lists.c:693
> > macsec_dev_open+0xd9/0x530 drivers/net/macsec.c:3634
> > __dev_open+0x470/0x880 net/core/dev.c:1683
> > __dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9458
> > rtnl_configure_link net/core/rtnetlink.c:3577 [inline]
> > rtnl_newlink_create+0x555/0xb00 net/core/rtnetlink.c:3833
> > __rtnl_newlink net/core/rtnetlink.c:3940 [inline]
> > rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055
> > rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
> > netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2551
> > netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
> > netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
> > netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
> > sock_sendmsg_nosec net/socket.c:712 [inline]
> > __sock_sendmsg+0x219/0x270 net/socket.c:727
> > ____sys_sendmsg+0x505/0x830 net/socket.c:2566
> > ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
> > __sys_sendmsg net/socket.c:2652 [inline]
> > __do_sys_sendmsg net/socket.c:2657 [inline]
> > __se_sys_sendmsg net/socket.c:2655 [inline]
> > __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
> > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7f64fc18e929
> > Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007f64fd052038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > RAX: ffffffffffffffda RBX: 00007f64fc3b5fa0 RCX: 00007f64fc18e929
> > RDX: 0000000000000800 RSI: 0000200000000280 RDI: 0000000000000004
> > RBP: 00007f64fc210b39 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 0000000000000000 R14: 00007f64fc3b5fa0 R15: 00007ffd8fec8448
> > </TASK>
>
> Looks like it shows up for macsec only because it doesn't have
> IFF_UNICAST_FLT. Otherwise we would've seen the same with
> team/bond/etc.. But in general, __dev_set_rx_mode can try to grab
> instance lock while it's running under netif_addr spinlock which
> is not nice :-(
Ah, no, it's the real device that doesn't have IFF_UNICAST_FLT. Might
be a dummy?
dummy0: entered promiscuous mode
macsec2: entered allmulticast mode
macsec0: entered allmulticast mode
dummy0: entered allmulticast mode
Let's see if we get a real repro.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-07-08 21:34 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-08 17:30 [syzbot] [net?] BUG: sleeping function called from invalid context in dev_set_promiscuity (2) syzbot
2025-07-08 20:57 ` Stanislav Fomichev
2025-07-08 21:34 ` Stanislav Fomichev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).