syzbot has found a reproducer for the following crash on:
HEAD commit:b71acb0e3721 Merge branch 'linus' of git://git.kernel.org/..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=165dec0740
kernel config: https://syzkaller.appspot.com/x/.config?x=b03c5892bb940c76
dashboard link: https://syzkaller.appspot.com/bug?extid=acfc1713819b146ae4b2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11bb1be740
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+acfc1713819b146ae...@syzkaller.appspotmail.com
8021q: adding VLAN 0 to HW filter on device batadv0
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
==
WARNING: possible circular locking dependency detected
4.20.0+ #3 Not tainted
--
swapper/0/0 is trying to acquire lock:
bfd26260 (nr_list_lock){+.-.}, at: spin_lock_bh
include/linux/spinlock.h:334 [inline]
bfd26260 (nr_list_lock){+.-.}, at: nr_remove_socket
net/netrom/af_netrom.c:96 [inline]
bfd26260 (nr_list_lock){+.-.}, at: nr_destroy_socket+0x96/0x6e0
net/netrom/af_netrom.c:264
but task is already holding lock:
a8313e1f (slock-AF_NETROM){+.-.}, at: spin_lock
include/linux/spinlock.h:329 [inline]
a8313e1f (slock-AF_NETROM){+.-.}, at: nr_destroy_timer+0x32/0x90
net/netrom/af_netrom.c:247
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (slock-AF_NETROM){+.-.}:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
nr_find_listener net/netrom/af_netrom.c:156 [inline]
nr_rx_frame+0x60c/0x1d50 net/netrom/af_netrom.c:955
nr_loopback_timer+0x7b/0x170 net/netrom/nr_loopback.c:62
call_timer_fn+0x254/0x900 kernel/time/timer.c:1325
expire_timers kernel/time/timer.c:1362 [inline]
__run_timers+0x6fc/0xd50 kernel/time/timer.c:1681
run_timer_softirq+0x52/0xb0 kernel/time/timer.c:1694
__do_softirq+0x30b/0xb11 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1b7/0x760 arch/x86/kernel/apic/apic.c:1062
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
arch_local_irq_restore arch/x86/include/asm/paravirt.h:766 [inline]
lock_is_held_type+0x17e/0x210 kernel/locking/lockdep.c:3881
lock_is_held include/linux/lockdep.h:337 [inline]
___might_sleep+0x248/0x310 kernel/sched/core.c:6113
__might_sleep+0x95/0x190 kernel/sched/core.c:6101
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3378 [inline]
kmem_cache_alloc+0x2a7/0x700 mm/slab.c:3552
getname_flags fs/namei.c:140 [inline]
getname_flags+0xd6/0x5b0 fs/namei.c:129
getname+0x1a/0x20 fs/namei.c:211
do_sys_open+0x3a5/0x740 fs/open.c:1057
__do_sys_open fs/open.c:1081 [inline]
__se_sys_open fs/open.c:1076 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1076
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> #0 (nr_list_lock){+.-.}:
lock_acquire+0x1db/0x570 kernel/locking/lockdep.c:3841
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x33/0x50 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
nr_remove_socket net/netrom/af_netrom.c:96 [inline]
nr_destroy_socket+0x96/0x6e0 net/netrom/af_netrom.c:264
nr_destroy_timer+0x42/0x90 net/netrom/af_netrom.c:249
call_timer_fn+0x254/0x900 kernel/time/timer.c:1325
expire_timers kernel/time/timer.c:1362 [inline]
__run_timers+0x6fc/0xd50 kernel/time/timer.c:1681
run_timer_softirq+0x52/0xb0 kernel/time/timer.c:1694
__do_softirq+0x30b/0xb11 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1b7/0x760 arch/x86/kernel/apic/apic.c:1062
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
native_safe_halt+0x2/0x10 arch/x86/include/asm/irqflags.h:57
arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:555
default_idle_call+0x36/0x90 kernel/sched/idle.c:93
cpuidle_idle_call kernel/sched/idle.c:153 [inline]
do_idle+0x386/0x5d0 kernel/sched/idle.c:262
cpu_startup_entry+0x1b/0x20 kernel/sched/
