[Kernel Bug] possible deadlock in ipv6_mc_config
From: 李龙兴
Date: Mon Feb 02 2026 - 01:35:50 EST
Dear Linux kernel developers and maintainers,
We would like to report a new kernel bug found by our tool: possible
deadlock in ipv6_mc_config. Details are as follows.
Kernel commit: v6.18.2
Kernel config: see attachment
report: see attachment
We are currently analyzing the root cause and working on a
reproducible PoC. We will provide further updates in this thread as
soon as we have more information.
Best regards,
Longxing Li
======================================================
WARNING: possible circular locking dependency detected
6.18.2 #1 Not tainted
------------------------------------------------------
syz.1.2664/55127 is trying to acquire lock:
ffffffff8e364140 (fs_reclaim){+.+.}-{0:0}, at: might_alloc
include/linux/sched/mm.h:318 [inline]
ffffffff8e364140 (fs_reclaim){+.+.}-{0:0}, at: slab_pre_alloc_hook
mm/slub.c:4929 [inline]
ffffffff8e364140 (fs_reclaim){+.+.}-{0:0}, at: slab_alloc_node
mm/slub.c:5264 [inline]
ffffffff8e364140 (fs_reclaim){+.+.}-{0:0}, at: __do_kmalloc_node
mm/slub.c:5649 [inline]
ffffffff8e364140 (fs_reclaim){+.+.}-{0:0}, at:
__kmalloc_noprof+0xc3/0x880 mm/slub.c:5662
but task is already holding lock:
ffff88810d75e558 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock
include/net/sock.h:1679 [inline]
ffff88810d75e558 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:
ipv6_mc_config+0x42/0xf0 net/ipv6/addrconf.c:3000
which lock already depends on the new lock.
...
other info that might help us debug this:
Chain exists of:
fs_reclaim --> sk_lock-AF_INET6 --> k-sk_lock-AF_INET6
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(k-sk_lock-AF_INET6);
                               lock(sk_lock-AF_INET6);
                               lock(k-sk_lock-AF_INET6);
  lock(fs_reclaim);
*** DEADLOCK ***
2 locks held by syz.1.2664/55127:
#0: ffffffff8fee6948 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock
include/linux/rtnetlink.h:130 [inline]
#0: ffffffff8fee6948 (rtnl_mutex){+.+.}-{4:4}, at:
inet6_rtm_newaddr+0x4e4/0x1c70 net/ipv6/addrconf.c:5027
#1: ffff88810d75e558 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock
include/net/sock.h:1679 [inline]
#1: ffff88810d75e558 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:
ipv6_mc_config+0x42/0xf0 net/ipv6/addrconf.c:3000
stack backtrace:
CPU: 0 UID: 0 PID: 55127 Comm: syz.1.2664 Not tainted 6.18.2 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_circular_bug+0x275/0x350 kernel/locking/lockdep.c:2043
check_noncircular+0x14c/0x170 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5237
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
__fs_reclaim_acquire mm/page_alloc.c:4264 [inline]
fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:4278
might_alloc include/linux/sched/mm.h:318 [inline]
slab_pre_alloc_hook mm/slub.c:4929 [inline]
slab_alloc_node mm/slub.c:5264 [inline]
__do_kmalloc_node mm/slub.c:5649 [inline]
__kmalloc_noprof+0xc3/0x880 mm/slub.c:5662
kmalloc_noprof include/linux/slab.h:961 [inline]
sock_kmalloc+0x111/0x170 net/core/sock.c:2850
__ipv6_sock_mc_join+0x3ef/0x8f0 net/ipv6/mcast.c:216
ipv6_mc_config+0x64/0xf0 net/ipv6/addrconf.c:3002
inet6_addr_add+0x1f2/0x960 net/ipv6/addrconf.c:3039
inet6_rtm_newaddr+0x1619/0x1c70 net/ipv6/addrconf.c:5059
rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6951
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmsg+0x16d/0x220 net/socket.c:2716
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x5656ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4a9d192fc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000715f80 RCX: 00000000005656ed
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000048
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000715f8c
R13: 0000000000000000 R14: 0000000000715f80 R15: 00007f4a9d173000
</TASK>
https://drive.google.com/file/d/17HbDTI_iPjA72SkV5MnO-_w7IQZ9HIHW/view?usp=drive_link
https://drive.google.com/file/d/1xHrRE-c-KtJRuWz_HLANn7z5r-LKYC4v/view?usp=drive_link
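As an added illustration of what the lockdep report above is saying (example code written for this note, not part of the report or of the kernel), the following C program models the lock classes named in the report as nodes of a dependency graph and replays the orders visible in the trace: the pre-existing chain fs_reclaim --> sk_lock-AF_INET6 --> k-sk_lock-AF_INET6, then the edge the reported task adds by reaching sock_kmalloc() (fs_reclaim) from __ipv6_sock_mc_join() while holding k-sk_lock-AF_INET6 in ipv6_mc_config(). The cycle check is a simplified stand-in for lockdep's check_noncircular(); the replay order and the enum/function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: a miniature lock-order graph in the spirit of lockdep's
 * check_noncircular(). Lock class names are taken from the report; the
 * replay order and all identifiers here are assumptions for illustration.
 */
enum lock_class { FS_RECLAIM, SK_LOCK, K_SK_LOCK, NLOCKS };

static const char *lock_name[NLOCKS] = {
    "fs_reclaim", "sk_lock-AF_INET6", "k-sk_lock-AF_INET6",
};

/* dep[a][b] != 0 records that lock b was acquired while a was held (a --> b). */
static int dep[NLOCKS][NLOCKS];

void reset_deps(void)
{
    memset(dep, 0, sizeof dep);
}

/*
 * Depth-first search for a path from 'from' to 'to' over recorded
 * dependencies. On success the path (both endpoints included) is stored in
 * path[] and its length is returned; 0 means no path exists.
 */
static int find_path(int from, int to, int *visited, int *path, int depth)
{
    path[depth] = from;
    if (from == to)
        return depth + 1;
    visited[from] = 1;
    for (int next = 0; next < NLOCKS; next++) {
        if (!dep[from][next] || visited[next])
            continue;
        int len = find_path(next, to, visited, path, depth + 1);
        if (len)
            return len;
    }
    return 0;
}

/*
 * Record held --> acquiring. Returns 1 (and prints the offending chain) if
 * the new edge closes a cycle, which is what lockdep reports as a circular
 * locking dependency; returns 0 if the edge is consistent with every order
 * seen so far.
 */
int add_dependency(int held, int acquiring)
{
    int visited[NLOCKS] = {0};
    int path[NLOCKS + 1];
    int len = find_path(acquiring, held, visited, path, 0);

    if (len) {
        printf("circular dependency: holding %s, acquiring %s\n",
               lock_name[held], lock_name[acquiring]);
        printf("chain exists of:");
        for (int i = 0; i < len; i++)
            printf(" %s%s", lock_name[path[i]], i + 1 < len ? " -->" : "");
        printf("\n");
        return 1;
    }
    dep[held][acquiring] = 1;
    return 0;
}

/*
 * Replay the orders visible in the report: the pre-existing chain
 * fs_reclaim --> sk_lock-AF_INET6 --> k-sk_lock-AF_INET6, then the edge the
 * failing task adds by allocating (fs_reclaim) under k-sk_lock-AF_INET6.
 * Returns 1 if a cycle was detected.
 */
int replay_report(void)
{
    int warned = 0;

    reset_deps();
    warned |= add_dependency(FS_RECLAIM, SK_LOCK);
    warned |= add_dependency(SK_LOCK, K_SK_LOCK);
    warned |= add_dependency(K_SK_LOCK, FS_RECLAIM);
    return warned;
}

int main(void)
{
    /* Exit status 0 when the expected cycle is found, 1 otherwise. */
    return replay_report() ? 0 : 1;
}
```

Run as-is, the program prints the same "chain exists of" line that lockdep emitted, because the third edge is the one that turns the existing chain into a cycle; recording the same three orders in any sequence flags exactly the last one added. The real kernel check also accounts for IRQ state and the lock-class subclass annotations visible in the report ({+.+.}-{0:0}), which this graph ignores.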