Re: [syzbot] [net?] BUG: sleeping function called from invalid context in netif_rx_mode_run

[Stanislav Fomichev]

On 05/29, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    4b4362973b6f Merge branch 'for-next/core' into for-kernelci
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=14a4c62e580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a834c6344141a58b
> dashboard link: https://syzkaller.appspot.com/bug?extid=b54df935b5872a351231
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> userspace arch: arm64
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/f69f86c90ee5/disk-4b436297.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/79fa7b33aaab/vmlinux-4b436297.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ef080156d0de/Image-4b436297.gz.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+b54df935b5872a351231@xxxxxxxxxxxxxxxxxxxxxxxxx
> 
> netlink: 28 bytes leftover after parsing attributes in process `syz.8.1045'.
> vlan2: left promiscuous mode
> geneve0: left promiscuous mode
> BUG: sleeping function called from invalid context at net/core/dev_addr_lists.c:1262
> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 13679, name: syz.8.1045
> preempt_count: 201, expected: 0
> RCU nest depth: 0, expected: 0
> 2 locks held by syz.8.1045/13679:
>  #0: ffff800089b97600 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
>  #0: ffff800089b97600 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x38/0x10c net/core/rtnetlink.c:341
>  #1: ffff0000d6170e58 (&br->lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:348 [inline]
>  #1: ffff0000d6170e58 (&br->lock){+.-.}-{3:3}, at: br_port_slave_changelink+0x40/0x15c net/bridge/br_netlink.c:1212
> Preemption disabled at:
> [<ffff8000857ffa50>] spin_lock_bh include/linux/spinlock.h:348 [inline]
> [<ffff8000857ffa50>] br_port_slave_changelink+0x40/0x15c net/bridge/br_netlink.c:1212
> CPU: 0 UID: 0 PID: 13679 Comm: syz.8.1045 Tainted: G             L      syzkaller #0 PREEMPT 
> Tainted: [L]=SOFTLOCKUP
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
> Call trace:
>  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
>  __dump_stack+0x30/0x40 lib/dump_stack.c:94
>  dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
>  dump_stack+0x1c/0x28 lib/dump_stack.c:129
>  __might_resched+0x350/0x4ac kernel/sched/core.c:9163
>  __might_sleep+0x84/0xdc kernel/sched/core.c:9092
>  netif_rx_mode_run+0x124/0xb64 net/core/dev_addr_lists.c:1262
>  netif_rx_mode_sync+0x2c/0xbc net/core/dev_addr_lists.c:1428
>  dev_set_promiscuity+0x110/0x1fc net/core/dev_api.c:289
>  br_port_clear_promisc net/bridge/br_if.c:135 [inline]
>  br_manage_promisc+0x2c0/0x33c net/bridge/br_if.c:172
>  nbp_update_port_count+0xf8/0x148 net/bridge/br_if.c:242
>  br_port_flags_change+0x60/0xa8 net/bridge/br_if.c:747
>  br_setport+0xac4/0x1230 net/bridge/br_netlink.c:1000
>  br_port_slave_changelink+0x134/0x15c net/bridge/br_netlink.c:1213
>  rtnl_changelink net/core/rtnetlink.c:3793 [inline]
>  __rtnl_newlink net/core/rtnetlink.c:3973 [inline]
>  rtnl_newlink+0xf80/0x113c net/core/rtnetlink.c:4110
>  rtnetlink_rcv_msg+0x66c/0x9c8 net/core/rtnetlink.c:6996
>  netlink_rcv_skb+0x22c/0x410 net/netlink/af_netlink.c:2550
>  rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:7023
>  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
>  netlink_unicast+0x610/0x800 net/netlink/af_netlink.c:1344
>  netlink_sendmsg+0x63c/0x920 net/netlink/af_netlink.c:1894
>  sock_sendmsg_nosec net/socket.c:787 [inline]
>  __sock_sendmsg+0xc8/0x138 net/socket.c:802
>  ____sys_sendmsg+0x418/0x70c net/socket.c:2698
>  ___sys_sendmsg+0x198/0x224 net/socket.c:2752
>  __sys_sendmsg+0x160/0x214 net/socket.c:2784
>  __do_sys_sendmsg net/socket.c:2789 [inline]
>  __se_sys_sendmsg net/socket.c:2787 [inline]
>  __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
>  el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
>  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
>  el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740
>  el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759
>  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
> geneve0: entered promiscuous mode
> bridge0: port 2(bridge_slave_1) entered disabled state
> bridge_slave_1: left allmulticast mode
> bridge_slave_1: left promiscuous mode
> bridge0: port 2(bridge_slave_1) entered disabled state
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title

#syz fix: bridge: Fix sleep in atomic context in netlink path